Update to a later NSS version.

CLOBBER

@@ -23,3 +23,4 @@
 # don't change CLOBBER for WebIDL changes any more.
 
 Clobber for NSS update
+

config/external/nss/Makefile.in

@@ -174,6 +174,13 @@ DEFAULT_GMAKE_FLAGS += NSS_SSL_ENABLE_ZLIB=
 # Disable building of the test programs in security/nss/lib/zlib
 DEFAULT_GMAKE_FLAGS += PROGRAMS=
 
+# Disable AVX2 for poly1305
+DEFAULT_GMAKE_FLAGS += NSS_DISABLE_AVX2=1
+
+# Disable obsolete ciphers
+DEFAULT_GMAKE_FLAGS += NSS_DISABLE_DEPRECATED_SEED=1
+DEFAULT_GMAKE_FLAGS += NSS_DISABLE_DEPRECATED_RC2=1
+
 # Disable creating .chk files. They will be generated from packager.mk
 # When bug 681624 lands, we can replace CHECKLOC= with SKIP_SHLIBSIGN=1
 DEFAULT_GMAKE_FLAGS += CHECKLOC=

nsprpub/automation/release/nspr-release-helper.py

@@ -17,7 +17,7 @@ f_conf = "configure"
 f_conf_in = "configure.in"
 
 def check_call_noisy(cmd, *args, **kwargs):
-    print "Executing command:", cmd
+    print("Executing command:", cmd)
     check_call(cmd, *args, **kwargs)
 
 o = OptionParser(usage="client.py [options] remove_beta | set_beta | print_library_versions | set_version_to_minor_release | set_version_to_patch_release | create_nspr_release_archive")
@@ -30,7 +30,7 @@ except IndexError:
     sys.exit(2)
 
 def exit_with_failure(what):
-    print "failure: ", what
+    print("failure: ", what)
     sys.exit(2)
 
 def check_files_exist():
@@ -45,31 +45,31 @@ def sed_inplace(sed_expression, filename):
 def toggle_beta_status(is_beta):
     check_files_exist()
     if (is_beta):
-        print "adding Beta status to version numbers"
+        print("adding Beta status to version numbers")
         sed_inplace('s/^\(#define *PR_VERSION *\"[0-9.]\+\)\" *$/\\1 Beta\"/', prinit_h)
         sed_inplace('s/^\(#define *PR_BETA *\)PR_FALSE *$/\\1PR_TRUE/', prinit_h)
 
     else:
-        print "removing Beta status from version numbers"
+        print("removing Beta status from version numbers")
         sed_inplace('s/^\(#define *PR_VERSION *\"[0-9.]\+\) *Beta\" *$/\\1\"/', prinit_h)
         sed_inplace('s/^\(#define *PR_BETA *\)PR_TRUE *$/\\1PR_FALSE/', prinit_h)
-    print "please run 'hg stat' and 'hg diff' to verify the files have been verified correctly"
+    print("please run 'hg stat' and 'hg diff' to verify the files have been verified correctly")
 
 def print_beta_versions():
     check_call_noisy(["egrep", "#define *PR_VERSION|#define *PR_BETA", prinit_h])
 
 def remove_beta_status():
-    print "--- removing beta flags. Existing versions were:"
+    print("--- removing beta flags. Existing versions were:")
     print_beta_versions()
     toggle_beta_status(False)
-    print "--- finished modifications, new versions are:"
+    print("--- finished modifications, new versions are:")
     print_beta_versions()
 
 def set_beta_status():
-    print "--- adding beta flags. Existing versions were:"
+    print("--- adding beta flags. Existing versions were:")
     print_beta_versions()
     toggle_beta_status(True)
-    print "--- finished modifications, new versions are:"
+    print("--- finished modifications, new versions are:")
     print_beta_versions()
 
 def print_library_versions():
@@ -103,17 +103,17 @@ def set_all_lib_versions(version, major, minor, patch):
     set_major_versions(major)
     set_minor_versions(minor)
     set_patch_versions(patch)
-    print
-    print "==========================="
-    print "======== ATTENTION ========"
-    print
-    print "You *MUST* manually edit file pr/tests/vercheck.c"
-    print
-    print "Edit two arrays, named compatible_version and incompatible_version"
-    print "according to the new version you're adding."
-    print
-    print "======== ATTENTION ========"
-    print "==========================="
+    print()
+    print("===========================")
+    print("======== ATTENTION ========")
+    print()
+    print("You *MUST* manually edit file pr/tests/vercheck.c")
+    print()
+    print("Edit two arrays, named compatible_version and incompatible_version")
+    print("according to the new version you're adding.")
+    print()
+    print("======== ATTENTION ========")
+    print("===========================")
 
 def set_version_to_minor_release():
     ensure_arguments_after_action(2, "major_version  minor_version")
@@ -144,12 +144,12 @@ def create_nspr_release_archive():
     check_call_noisy(["mkdir", "-p", nspr_stagedir])
     check_call_noisy(["hg", "archive", "-r", nsprreltag, "--prefix=nspr-" + nsprrel + "/nspr",
                       "../stage/v" + nsprrel + "/src/" + nspr_tar, "-X", ".hgtags"])
-    print "changing to directory " + nspr_stagedir
+    print("changing to directory " + nspr_stagedir)
     os.chdir(nspr_stagedir)
 
     check_call("sha1sum " + nspr_tar + " > SHA1SUMS", shell=True)
     check_call("sha256sum " + nspr_tar + " > SHA256SUMS", shell=True)
-    print "created directory " + nspr_stagedir + " with files:"
+    print("created directory " + nspr_stagedir + " with files:")
     check_call_noisy(["ls", "-l"])
 
 if action in ('remove_beta'):

nsprpub/build/autoconf/README

@@ -1,5 +1,3 @@
 The config.guess and config.sub scripts were downloaded from
-http://git.savannah.gnu.org/cgit/config.git/tree/config.guess?id=6947a35648e577c2e3a12d5c88d488c6ea94e1c0
-http://git.savannah.gnu.org/cgit/config.git/tree/config.sub?id=6947a35648e577c2e3a12d5c88d488c6ea94e1c0
-
-Our private patches are in the patches/ directory.
+http://git.savannah.gnu.org/cgit/config.git/tree/config.guess?id=2593751ef276497e312d7c4ce7fd049614c7bf80
+http://git.savannah.gnu.org/cgit/config.git/tree/config.sub?id=2593751ef276497e312d7c4ce7fd049614c7bf80

nsprpub/build/autoconf/patches/config.sub.patch

@@ -1,51 +0,0 @@
---- config.sub.orig	2014-03-09 18:34:03 -0700
-+++ config.sub	2014-03-14 19:49:48 -0700
-@@ -115,7 +115,7 @@
- # Here we must recognize all the valid KERNEL-OS combinations.
- maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
- case $maybe_os in
--  nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
-+  nto-qnx* | linux-gnu* | linux-dietlibc | linux-newlib* | \
-   linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
-   knetbsd*-gnu* | netbsd*-gnu* | \
-   kopensolaris*-gnu* | \
-@@ -123,10 +123,6 @@
-     os=-$maybe_os
-     basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
-     ;;
--  android-linux)
--    os=-linux-android
--    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
--    ;;
-   *)
-     basic_machine=`echo $1 | sed 's/-[^-]*$//'`
-     if [ $basic_machine != $1 ]
-@@ -1367,7 +1363,7 @@
- 	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
- 	      | -chorusos* | -chorusrdb* | -cegcc* \
- 	      | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
--	      | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
-+	      | -mingw32* | -mingw64* | -linux-gnu* \
- 	      | -linux-newlib* | -linux-musl* | -linux-uclibc* \
- 	      | -uxpv* | -beos* | -mpeix* | -udk* \
- 	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
-@@ -1508,6 +1504,9 @@
- 		;;
- 	-nacl*)
- 		;;
-+	-android*)
-+		os=-android
-+		;;
- 	-none)
- 		;;
- 	*)
-@@ -1777,6 +1776,9 @@
- 			-vos*)
- 				vendor=stratus
- 				;;
-+			*-android*|*-linuxandroid*)
-+				vendor=linux-
-+				;;
- 		esac
- 		basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
- 		;;

nsprpub/configure

@@ -1467,7 +1467,7 @@ Optional Features:
   --enable-cplus          Enable some c++ api routines
   --enable-macos-target=VER
                           Set the minimum MacOS version needed at runtime
-                          10.2 for ppc, 10.4 for x86
+                          10.3 for ppc, 10.4 for x86
   --disable-os2-high-mem  Disable high-memory support on OS/2
 
   --enable-strip          Enable stripping of shared libs and programs
@@ -2486,7 +2486,7 @@ test -n "$target_alias" &&
   program_prefix=${target_alias}-
 
 MOD_MAJOR_VERSION=4
-MOD_MINOR_VERSION=24
+MOD_MINOR_VERSION=29
 MOD_PATCH_VERSION=0
 NSPR_MODNAME=nspr20
 _HAVE_PTHREADS=
@@ -5587,6 +5587,7 @@ if test -n "$CROSS_COMPILE"; then
         linux*)       OS_ARCH=Linux ;;
         solaris*)     OS_ARCH=SunOS OS_RELEASE=5 ;;
         mingw*)       OS_ARCH=WINNT CPU_ARCH=x86 ;;
+        cygwin*)      OS_ARCH=WINNT ;;
         darwin*)      OS_ARCH=Darwin ;;
         riscos*)      OS_ARCH=RISCOS ;;
     esac
@@ -6457,12 +6458,22 @@ fi
                 CPU_ARCH=i386
             fi
             ;;
+        aarch64)
+            CPU_ARCH=aarch64
+            ;;
         *)
             CPU_ARCH=ppc
             ;;
     esac
     if test "`echo $CC | grep -c '\-arch '`" = "0"; then
-        CC="$CC -arch $CPU_ARCH"
+        case "$CPU_ARCH" in
+        aarch64)
+            CC="$CC -arch arm64"
+            ;;
+        *)
+            CC="$CC -arch $CPU_ARCH"
+            ;;
+        esac
     fi
     ac_fn_c_check_header_mongrel "$LINENO" "crt_externs.h" "ac_cv_header_crt_externs_h" "$ac_includes_default"
 if test "x$ac_cv_header_crt_externs_h" = xyes; then :
@@ -6482,78 +6493,71 @@ fi
     PR_MD_CSRCS=darwin.c
     PR_MD_ASFILES=os_Darwin.s
 
-    # Add Mac OS X support for loading CFM & CFBundle plugins
-    if test -f "${MACOS_SDK_DIR}/System/Library/Frameworks/Carbon.framework/Carbon"; then
-        $as_echo "#define XP_MACOSX 1" >>confdefs.h
+    if test -n "$_MACOSX_DEPLOYMENT_TARGET" ; then
+                export MACOSX_DEPLOYMENT_TARGET=$_MACOSX_DEPLOYMENT_TARGET
+    elif test -z "$MACOSX_DEPLOYMENT_TARGET" ; then
+                                case "${target_cpu}" in
+            powerpc*)
+                                export MACOSX_DEPLOYMENT_TARGET=10.3
+                ;;
+            i*86*)
+                                export MACOSX_DEPLOYMENT_TARGET=10.4
+                ;;
+        esac
+    fi
 
-        OS_TARGET=MacOSX
 
-        if test -n "$_MACOSX_DEPLOYMENT_TARGET" ; then
-                        export MACOSX_DEPLOYMENT_TARGET=$_MACOSX_DEPLOYMENT_TARGET
-        elif test -z "$MACOSX_DEPLOYMENT_TARGET" ; then
-                                                case "${target_cpu}" in
-                powerpc*)
-                                        export MACOSX_DEPLOYMENT_TARGET=10.2
-                    ;;
-                i*86*)
-                                        export MACOSX_DEPLOYMENT_TARGET=10.4
-                    ;;
-            esac
+    if test "$MACOS_SDK_DIR"; then
+
+        if test ! -d "$MACOS_SDK_DIR"; then
+            as_fn_error $? "SDK not found.  When using --with-macos-sdk, you must
+specify a valid SDK.  SDKs are installed when the optional cross-development
+tools are selected during the Xcode/Developer Tools installation." "$LINENO" 5
         fi
 
 
-        if test "$MACOS_SDK_DIR"; then
+        CC_VERSION=`$CC -v 2>&1 | grep 'gcc version'`
+        GCC_VERSION_FULL=`echo $CC_VERSION | $PERL -pe 's/^.*gcc version ([^ ]*).*/$1/'`
+        GCC_VERSION=`echo $GCC_VERSION_FULL | $PERL -pe '(split(/\./))[0]>=4&&s/(^\d*\.\d*).*/$1/;'`
 
-            if test ! -d "$MACOS_SDK_DIR"; then
-                as_fn_error $? "SDK not found.  When using --with-macos-sdk, you must
-specify a valid SDK.  SDKs are installed when the optional cross-development
-tools are selected during the Xcode/Developer Tools installation." "$LINENO" 5
+        GCC_VERSION_MAJOR=`echo $GCC_VERSION_FULL | $PERL -pe 's/(^\d*).*/$1/;'`
+        if test "$GCC_VERSION_MAJOR" -lt "4" ; then
+            SDK_C_FRAMEWORK="-F${MACOS_SDK_DIR}/System/Library/Frameworks"
+            if test -d "${MACOS_SDK_DIR}/Library/Frameworks" ; then
+                SDK_C_FRAMEWORK="$SDK_C_FRAMEWORK -F${MACOS_SDK_DIR}/Library/Frameworks"
             fi
 
+            SDK_C_INCLUDE="-isystem ${MACOS_SDK_DIR}/usr/include/gcc/darwin/${GCC_VERSION} -isystem ${MACOS_SDK_DIR}/usr/include ${SDK_C_FRAMEWORK}"
 
-            CC_VERSION=`$CC -v 2>&1 | grep 'gcc version'`
-            GCC_VERSION_FULL=`echo $CC_VERSION | $PERL -pe 's/^.*gcc version ([^ ]*).*/$1/'`
-            GCC_VERSION=`echo $GCC_VERSION_FULL | $PERL -pe '(split(/\./))[0]>=4&&s/(^\d*\.\d*).*/$1/;'`
+            CFLAGS="$CFLAGS -nostdinc ${SDK_C_INCLUDE}"
 
-            GCC_VERSION_MAJOR=`echo $GCC_VERSION_FULL | $PERL -pe 's/(^\d*).*/$1/;'`
-            if test "$GCC_VERSION_MAJOR" -lt "4" ; then
-                SDK_C_FRAMEWORK="-F${MACOS_SDK_DIR}/System/Library/Frameworks"
-                if test -d "${MACOS_SDK_DIR}/Library/Frameworks" ; then
-                    SDK_C_FRAMEWORK="$SDK_C_FRAMEWORK -F${MACOS_SDK_DIR}/Library/Frameworks"
-                fi
-
-                SDK_C_INCLUDE="-isystem ${MACOS_SDK_DIR}/usr/include/gcc/darwin/${GCC_VERSION} -isystem ${MACOS_SDK_DIR}/usr/include ${SDK_C_FRAMEWORK}"
-
-                CFLAGS="$CFLAGS -nostdinc ${SDK_C_INCLUDE}"
-
-                                CPP="$CPP -nostdinc ${SDK_C_INCLUDE}"
+                        CPP="$CPP -nostdinc ${SDK_C_INCLUDE}"
 
 
-                HOST_DARWIN_MAJOR=`echo "$build_os" | sed -E -e 's/^darwin([0-9]+).*$/\1/'`
+            HOST_DARWIN_MAJOR=`echo "$build_os" | sed -E -e 's/^darwin([0-9]+).*$/\1/'`
 
-                if test "$HOST_DARWIN_MAJOR" -lt 9 ; then
-                                                                                                                        MACOS_SDK_LIBS="-L${MACOS_SDK_DIR}/usr/lib/gcc/darwin -L${MACOS_SDK_DIR}/usr/lib/gcc/darwin/${GCC_VERSION_FULL} -L${MACOS_SDK_DIR}/usr/lib ${SDK_C_FRAMEWORK}"
-                else
-                                                                                                                                                                                                        MACOS_SDK_LIBS="-Wl,-syslibroot,${MACOS_SDK_DIR}"
-                fi
-
-                LDFLAGS="${MACOS_SDK_LIBS} $LDFLAGS"
-                export NEXT_ROOT=$MACOS_SDK_DIR
-
-                if test -n "$CROSS_COMPILE" ; then
-                                                                                HOST_CC="NEXT_ROOT= $HOST_CC"
-                    HOST_CXX="NEXT_ROOT= $HOST_CXX"
-                fi
+            if test "$HOST_DARWIN_MAJOR" -lt 9 ; then
+                                                                                                MACOS_SDK_LIBS="-L${MACOS_SDK_DIR}/usr/lib/gcc/darwin -L${MACOS_SDK_DIR}/usr/lib/gcc/darwin/${GCC_VERSION_FULL} -L${MACOS_SDK_DIR}/usr/lib ${SDK_C_FRAMEWORK}"
             else
-                                                CFLAGS="$CFLAGS -isysroot ${MACOS_SDK_DIR}"
+                                                                                                                                                                MACOS_SDK_LIBS="-Wl,-syslibroot,${MACOS_SDK_DIR}"
+            fi
 
-                                CPP="$CPP -isysroot ${MACOS_SDK_DIR}"
+            LDFLAGS="${MACOS_SDK_LIBS} $LDFLAGS"
+            export NEXT_ROOT=$MACOS_SDK_DIR
 
-                                                                                if test "$GCC_VERSION_FULL" != "4.0.0" ; then
-                                                            LDFLAGS="$LDFLAGS -isysroot ${MACOS_SDK_DIR}"
-                else
-                                                            LDFLAGS="$LDFLAGS -Wl,-syslibroot,${MACOS_SDK_DIR}"
-                fi
+            if test -n "$CROSS_COMPILE" ; then
+                                                                HOST_CC="NEXT_ROOT= $HOST_CC"
+                HOST_CXX="NEXT_ROOT= $HOST_CXX"
+            fi
+        else
+                                    CFLAGS="$CFLAGS -isysroot ${MACOS_SDK_DIR}"
+
+                        CPP="$CPP -isysroot ${MACOS_SDK_DIR}"
+
+                                                            if test "$GCC_VERSION_FULL" != "4.0.0" ; then
+                                                LDFLAGS="$LDFLAGS -isysroot ${MACOS_SDK_DIR}"
+            else
+                                                LDFLAGS="$LDFLAGS -Wl,-syslibroot,${MACOS_SDK_DIR}"
             fi
         fi
     fi

nsprpub/configure.in

@@ -15,7 +15,7 @@ dnl ========================================================
 dnl = Defaults
 dnl ========================================================
 MOD_MAJOR_VERSION=4
-MOD_MINOR_VERSION=24
+MOD_MINOR_VERSION=29
 MOD_PATCH_VERSION=0
 NSPR_MODNAME=nspr20
 _HAVE_PTHREADS=
@@ -398,7 +398,7 @@ AC_ARG_WITH(macos-sdk,
 AC_ARG_ENABLE(macos-target,
              [  --enable-macos-target=VER
                           Set the minimum MacOS version needed at runtime
-                          [10.2 for ppc, 10.4 for x86]],
+                          [10.3 for ppc, 10.4 for x86]],
              [_MACOSX_DEPLOYMENT_TARGET=$enableval])
 
 dnl ========================================================
@@ -821,6 +821,7 @@ if test -n "$CROSS_COMPILE"; then
         linux*)       OS_ARCH=Linux ;;
         solaris*)     OS_ARCH=SunOS OS_RELEASE=5 ;;
         mingw*)       OS_ARCH=WINNT CPU_ARCH=x86 ;;
+        cygwin*)      OS_ARCH=WINNT ;;
         darwin*)      OS_ARCH=Darwin ;;
         riscos*)      OS_ARCH=RISCOS ;;
     esac
@@ -1326,12 +1327,22 @@ case "$target" in
                 CPU_ARCH=i386
             fi
             ;;
+        aarch64)
+            CPU_ARCH=aarch64
+            ;;
         *)
             CPU_ARCH=ppc
             ;;
     esac
     if test "`echo $CC | grep -c '\-arch '`" = "0"; then
-        CC="$CC -arch $CPU_ARCH"
+        case "$CPU_ARCH" in
+        aarch64)
+            CC="$CC -arch arm64"
+            ;;
+        *)
+            CC="$CC -arch $CPU_ARCH"
+            ;;
+        esac
     fi
     AC_CHECK_HEADER(crt_externs.h, AC_DEFINE(HAVE_CRT_EXTERNS_H))
     DSO_CFLAGS=-fPIC
@@ -1345,116 +1356,110 @@ case "$target" in
     PR_MD_CSRCS=darwin.c
     PR_MD_ASFILES=os_Darwin.s
 
-    # Add Mac OS X support for loading CFM & CFBundle plugins
-    if test -f "${MACOS_SDK_DIR}/System/Library/Frameworks/Carbon.framework/Carbon"; then
-        AC_DEFINE(XP_MACOSX)
-        OS_TARGET=MacOSX
+    if test -n "$_MACOSX_DEPLOYMENT_TARGET" ; then
+        dnl Use the specified value
+        export MACOSX_DEPLOYMENT_TARGET=$_MACOSX_DEPLOYMENT_TARGET
+    elif test -z "$MACOSX_DEPLOYMENT_TARGET" ; then
+        dnl No value specified on the command line or in the environment,
+        dnl use the lesser of the library's minimum or the architecture's
+        dnl minimum.
+        case "${target_cpu}" in
+            powerpc*)
+                dnl Architecture minimum 10.3
+                export MACOSX_DEPLOYMENT_TARGET=10.3
+                ;;
+            i*86*)
+                dnl Architecture minimum 10.4
+                export MACOSX_DEPLOYMENT_TARGET=10.4
+                ;;
+        esac
+    fi
 
-        if test -n "$_MACOSX_DEPLOYMENT_TARGET" ; then
-            dnl Use the specified value
-            export MACOSX_DEPLOYMENT_TARGET=$_MACOSX_DEPLOYMENT_TARGET
-        elif test -z "$MACOSX_DEPLOYMENT_TARGET" ; then
-            dnl No value specified on the command line or in the environment,
-            dnl use the lesser of the library's minimum or the architecture's
-            dnl minimum.
-            case "${target_cpu}" in
-                powerpc*)
-                    dnl Architecture minimum 10.2
-                    export MACOSX_DEPLOYMENT_TARGET=10.2
-                    ;;
-                i*86*)
-                    dnl Architecture minimum 10.4
-                    export MACOSX_DEPLOYMENT_TARGET=10.4
-                    ;;
-            esac
-        fi
+    dnl MACOS_SDK_DIR will be set to the SDK location whenever one is
+    dnl in use.  NEXT_ROOT will be set and exported if it's needed for
+    dnl ld.
 
-        dnl MACOS_SDK_DIR will be set to the SDK location whenever one is
-        dnl in use.  NEXT_ROOT will be set and exported if it's needed for
-        dnl ld.
+    if test "$MACOS_SDK_DIR"; then
+        dnl Sync this section with the one in Mozilla's top level.
 
-        if test "$MACOS_SDK_DIR"; then
-            dnl Sync this section with the one in Mozilla's top level.
-
-            if test ! -d "$MACOS_SDK_DIR"; then
-                AC_MSG_ERROR([SDK not found.  When using --with-macos-sdk, you must
+        if test ! -d "$MACOS_SDK_DIR"; then
+            AC_MSG_ERROR([SDK not found.  When using --with-macos-sdk, you must
 specify a valid SDK.  SDKs are installed when the optional cross-development
 tools are selected during the Xcode/Developer Tools installation.])
+        fi
+
+        changequote(,)
+        CC_VERSION=`$CC -v 2>&1 | grep 'gcc version'`
+        GCC_VERSION_FULL=`echo $CC_VERSION | $PERL -pe 's/^.*gcc version ([^ ]*).*/$1/'`
+        GCC_VERSION=`echo $GCC_VERSION_FULL | $PERL -pe '(split(/\./))[0]>=4&&s/(^\d*\.\d*).*/$1/;'`
+        changequote([,])
+        GCC_VERSION_MAJOR=`echo $GCC_VERSION_FULL | $PERL -pe 's/(^\d*).*/$1/;'`
+        if test "$GCC_VERSION_MAJOR" -lt "4" ; then
+            SDK_C_FRAMEWORK="-F${MACOS_SDK_DIR}/System/Library/Frameworks"
+            if test -d "${MACOS_SDK_DIR}/Library/Frameworks" ; then
+                SDK_C_FRAMEWORK="$SDK_C_FRAMEWORK -F${MACOS_SDK_DIR}/Library/Frameworks"
             fi
 
+            SDK_C_INCLUDE="-isystem ${MACOS_SDK_DIR}/usr/include/gcc/darwin/${GCC_VERSION} -isystem ${MACOS_SDK_DIR}/usr/include ${SDK_C_FRAMEWORK}"
+
+            CFLAGS="$CFLAGS -nostdinc ${SDK_C_INCLUDE}"
+
+            dnl CPP needs to be set for AC_CHECK_HEADER.
+            CPP="$CPP -nostdinc ${SDK_C_INCLUDE}"
+
             changequote(,)
-            CC_VERSION=`$CC -v 2>&1 | grep 'gcc version'`
-            GCC_VERSION_FULL=`echo $CC_VERSION | $PERL -pe 's/^.*gcc version ([^ ]*).*/$1/'`
-            GCC_VERSION=`echo $GCC_VERSION_FULL | $PERL -pe '(split(/\./))[0]>=4&&s/(^\d*\.\d*).*/$1/;'`
+            HOST_DARWIN_MAJOR=`echo "$build_os" | sed -E -e 's/^darwin([0-9]+).*$/\1/'`
             changequote([,])
-            GCC_VERSION_MAJOR=`echo $GCC_VERSION_FULL | $PERL -pe 's/(^\d*).*/$1/;'`
-            if test "$GCC_VERSION_MAJOR" -lt "4" ; then
-                SDK_C_FRAMEWORK="-F${MACOS_SDK_DIR}/System/Library/Frameworks"
-                if test -d "${MACOS_SDK_DIR}/Library/Frameworks" ; then
-                    SDK_C_FRAMEWORK="$SDK_C_FRAMEWORK -F${MACOS_SDK_DIR}/Library/Frameworks"
-                fi
-
-                SDK_C_INCLUDE="-isystem ${MACOS_SDK_DIR}/usr/include/gcc/darwin/${GCC_VERSION} -isystem ${MACOS_SDK_DIR}/usr/include ${SDK_C_FRAMEWORK}"
-
-                CFLAGS="$CFLAGS -nostdinc ${SDK_C_INCLUDE}"
-
-                dnl CPP needs to be set for AC_CHECK_HEADER.
-                CPP="$CPP -nostdinc ${SDK_C_INCLUDE}"
-
-                changequote(,)
-                HOST_DARWIN_MAJOR=`echo "$build_os" | sed -E -e 's/^darwin([0-9]+).*$/\1/'`
-                changequote([,])
-                if test "$HOST_DARWIN_MAJOR" -lt 9 ; then
-                    dnl The build host is running Tiger (10.4) or earlier.
-                    dnl ld support for -syslibroot is compiler-agnostic, but
-                    dnl only available on Tiger and later.  On Tiger and
-                    dnl earlier build hosts, just rely on NEXT_ROOT, because
-                    dnl it's not been shown to cause any problems.
-                    MACOS_SDK_LIBS="-L${MACOS_SDK_DIR}/usr/lib/gcc/darwin -L${MACOS_SDK_DIR}/usr/lib/gcc/darwin/${GCC_VERSION_FULL} -L${MACOS_SDK_DIR}/usr/lib ${SDK_C_FRAMEWORK}"
-                else
-                    dnl The build host is running Leopard (10.5) or later.
-                    dnl With NEXT_ROOT set, the linker will still not apply
-                    dnl it when resolving dependencies.  This causes problems
-                    dnl on Leopard, where an SDK depends on frameworks which
-                    dnl were present in earlier OS releases (and the associated
-                    dnl SDK) but not in Leopard.  -syslibroot does not have
-                    dnl this problem, but it results in harmless warnings when
-                    dnl NEXT_ROOT is set.  NEXT_ROOT needs to remain set even
-                    dnl on Leopard because the compiler uses it too.
-                    MACOS_SDK_LIBS="-Wl,-syslibroot,${MACOS_SDK_DIR}"
-                fi
-
-                LDFLAGS="${MACOS_SDK_LIBS} $LDFLAGS"
-                export NEXT_ROOT=$MACOS_SDK_DIR
-
-                if test -n "$CROSS_COMPILE" ; then
-                    dnl NEXT_ROOT will be in the environment, but it
-                    dnl shouldn't be set for the build host.  HOST_CXX is
-                    dnl presently unused.
-                    HOST_CC="NEXT_ROOT= $HOST_CC"
-                    HOST_CXX="NEXT_ROOT= $HOST_CXX"
-                fi
+            if test "$HOST_DARWIN_MAJOR" -lt 9 ; then
+                dnl The build host is running Tiger (10.4) or earlier.
+                dnl ld support for -syslibroot is compiler-agnostic, but
+                dnl only available on Tiger and later.  On Tiger and
+                dnl earlier build hosts, just rely on NEXT_ROOT, because
+                dnl it's not been shown to cause any problems.
+                MACOS_SDK_LIBS="-L${MACOS_SDK_DIR}/usr/lib/gcc/darwin -L${MACOS_SDK_DIR}/usr/lib/gcc/darwin/${GCC_VERSION_FULL} -L${MACOS_SDK_DIR}/usr/lib ${SDK_C_FRAMEWORK}"
             else
-                dnl gcc >= 4.0 uses different paths than above, but knows
-                dnl how to find them itself.
-                CFLAGS="$CFLAGS -isysroot ${MACOS_SDK_DIR}"
+                dnl The build host is running Leopard (10.5) or later.
+                dnl With NEXT_ROOT set, the linker will still not apply
+                dnl it when resolving dependencies.  This causes problems
+                dnl on Leopard, where an SDK depends on frameworks which
+                dnl were present in earlier OS releases (and the associated
+                dnl SDK) but not in Leopard.  -syslibroot does not have
+                dnl this problem, but it results in harmless warnings when
+                dnl NEXT_ROOT is set.  NEXT_ROOT needs to remain set even
+                dnl on Leopard because the compiler uses it too.
+                MACOS_SDK_LIBS="-Wl,-syslibroot,${MACOS_SDK_DIR}"
+            fi
 
-                dnl CPP needs to be set for AC_CHECK_HEADER.
-                CPP="$CPP -isysroot ${MACOS_SDK_DIR}"
+            LDFLAGS="${MACOS_SDK_LIBS} $LDFLAGS"
+            export NEXT_ROOT=$MACOS_SDK_DIR
 
-                dnl If gcc >= 4.0.0, we're guaranteed to be on Tiger, which
-                dnl has an ld that supports -syslibroot.  Don't set
-                dnl NEXT_ROOT because it will be ignored and cause
-                dnl warnings when -syslibroot is specified.
-                if test "$GCC_VERSION_FULL" != "4.0.0" ; then
-                    dnl gcc > 4.0.0 will pass -syslibroot to ld automatically
-                    dnl based on the -isysroot it receives.
-                    LDFLAGS="$LDFLAGS -isysroot ${MACOS_SDK_DIR}"
-                else
-                    dnl gcc 4.0.0 doesn't pass -syslibroot to ld, it needs
-                    dnl to be explicit.
-                    LDFLAGS="$LDFLAGS -Wl,-syslibroot,${MACOS_SDK_DIR}"
-                fi
+            if test -n "$CROSS_COMPILE" ; then
+                dnl NEXT_ROOT will be in the environment, but it
+                dnl shouldn't be set for the build host.  HOST_CXX is
+                dnl presently unused.
+                HOST_CC="NEXT_ROOT= $HOST_CC"
+                HOST_CXX="NEXT_ROOT= $HOST_CXX"
+            fi
+        else
+            dnl gcc >= 4.0 uses different paths than above, but knows
+            dnl how to find them itself.
+            CFLAGS="$CFLAGS -isysroot ${MACOS_SDK_DIR}"
+
+            dnl CPP needs to be set for AC_CHECK_HEADER.
+            CPP="$CPP -isysroot ${MACOS_SDK_DIR}"
+
+            dnl If gcc >= 4.0.0, we're guaranteed to be on Tiger, which
+            dnl has an ld that supports -syslibroot.  Don't set
+            dnl NEXT_ROOT because it will be ignored and cause
+            dnl warnings when -syslibroot is specified.
+            if test "$GCC_VERSION_FULL" != "4.0.0" ; then
+                dnl gcc > 4.0.0 will pass -syslibroot to ld automatically
+                dnl based on the -isysroot it receives.
+                LDFLAGS="$LDFLAGS -isysroot ${MACOS_SDK_DIR}"
+            else
+                dnl gcc 4.0.0 doesn't pass -syslibroot to ld, it needs
+                dnl to be explicit.
+                LDFLAGS="$LDFLAGS -Wl,-syslibroot,${MACOS_SDK_DIR}"
             fi
         fi
     fi

nsprpub/pr/include/md/_darwin.h

@@ -40,11 +40,7 @@
 
 #undef  HAVE_STACK_GROWING_UP
 #define HAVE_DLL
-#if defined(__x86_64__) || TARGET_OS_IPHONE
 #define USE_DLFCN
-#else
-#define USE_MACH_DYLD
-#endif
 #define _PR_HAVE_SOCKADDR_LEN
 #define _PR_STAT_HAS_ST_ATIMESPEC
 #define _PR_HAVE_LARGE_OFF_T
@@ -124,7 +120,16 @@ extern PRInt32 _PR_Darwin_x86_64_AtomicAdd(PRInt32 *ptr, PRInt32 val);
 #define _MD_ATOMIC_ADD(ptr, val)    _PR_Darwin_x86_64_AtomicAdd(ptr, val)
 #endif /* __x86_64__ */
 
-#if defined(__arm__) || defined(__aarch64__)
+#ifdef __aarch64__
+#define _PR_HAVE_ATOMIC_OPS
+#define _MD_INIT_ATOMIC()
+#define _MD_ATOMIC_INCREMENT(val)   __sync_add_and_fetch(val, 1)
+#define _MD_ATOMIC_DECREMENT(val)   __sync_sub_and_fetch(val, 1)
+#define _MD_ATOMIC_SET(val, newval) __sync_lock_test_and_set(val, newval)
+#define _MD_ATOMIC_ADD(ptr, val)    __sync_add_and_fetch(ptr, val)
+#endif /* __aarch64__ */
+
+#if defined(__arm__)
 #define _PR_HAVE_ATOMIC_OPS
 #define _MD_INIT_ATOMIC()
 #define _MD_ATOMIC_INCREMENT(val)   OSAtomicIncrement32(val)
@@ -138,7 +143,7 @@ static inline PRInt32 _MD_ATOMIC_SET(PRInt32 *val, PRInt32 newval)
     return oldval;
 }
 #define _MD_ATOMIC_ADD(ptr, val)    OSAtomicAdd32(val, ptr)
-#endif /* __arm__ || __aarch64__ */
+#endif /* __arm__ */
 
 #define USE_SETJMP
 

nsprpub/pr/include/md/_linux.cfg

@@ -1157,7 +1157,8 @@
 #define PR_BYTES_PER_WORD_LOG2   2
 #define PR_BYTES_PER_DWORD_LOG2  3
 
-#elif defined(__nios2__) || defined(__microblaze__) || defined(__nds32__)
+#elif defined(__nios2__) || defined(__microblaze__) || defined(__nds32__) || \
+      defined(__xtensa__)
 
 #if defined(__microblaze__) && defined(__BIG_ENDIAN__)
 #define IS_BIG_ENDIAN 1
@@ -1207,6 +1208,53 @@
 #define PR_BYTES_PER_WORD_LOG2   2
 #define PR_BYTES_PER_DWORD_LOG2  3
 
+#elif defined(__e2k__)
+
+#define IS_LITTLE_ENDIAN 1
+#undef  IS_BIG_ENDIAN
+
+#define IS_64
+
+#define PR_BYTES_PER_BYTE   1
+#define PR_BYTES_PER_SHORT  2
+#define PR_BYTES_PER_INT    4
+#define PR_BYTES_PER_INT64  4
+#define PR_BYTES_PER_LONG   8
+#define PR_BYTES_PER_FLOAT  4
+#define PR_BYTES_PER_DOUBLE 8
+#define PR_BYTES_PER_WORD   8
+#define PR_BYTES_PER_DWORD  8
+
+#define PR_BITS_PER_BYTE    8
+#define PR_BITS_PER_SHORT   16
+#define PR_BITS_PER_INT     32
+#define PR_BITS_PER_INT64   32
+#define PR_BITS_PER_LONG    64
+#define PR_BITS_PER_FLOAT   32
+#define PR_BITS_PER_DOUBLE  64
+#define PR_BITS_PER_WORD    64
+
+#define PR_BITS_PER_BYTE_LOG2   3
+#define PR_BITS_PER_SHORT_LOG2  4
+#define PR_BITS_PER_INT_LOG2    5
+#define PR_BITS_PER_INT64_LOG2  5
+#define PR_BITS_PER_LONG_LOG2   6
+#define PR_BITS_PER_FLOAT_LOG2  5
+#define PR_BITS_PER_DOUBLE_LOG2 6
+#define PR_BITS_PER_WORD_LOG2   6
+
+#define PR_ALIGN_OF_SHORT   2
+#define PR_ALIGN_OF_INT     4
+#define PR_ALIGN_OF_LONG    8
+#define PR_ALIGN_OF_INT64   4
+#define PR_ALIGN_OF_FLOAT   4
+#define PR_ALIGN_OF_DOUBLE  8
+#define PR_ALIGN_OF_POINTER 8
+#define PR_ALIGN_OF_WORD    8
+
+#define PR_BYTES_PER_WORD_LOG2  3
+#define PR_BYTES_PER_DWORD_LOG2 3
+
 #else
 
 #error "Unknown CPU architecture"

nsprpub/pr/include/md/_linux.h

@@ -37,8 +37,6 @@
 #define _PR_SI_ARCHITECTURE "sparc"
 #elif defined(__i386__)
 #define _PR_SI_ARCHITECTURE "x86"
-#elif defined(__mips64__)
-#define _PR_SI_ARCHITECTURE "mips64"
 #elif defined(__mips__)
 #define _PR_SI_ARCHITECTURE "mips"
 #elif defined(__arm__)
@@ -63,6 +61,8 @@
 #define _PR_SI_ARCHITECTURE "riscv32"
 #elif defined(__riscv) && (__riscv_xlen == 64)
 #define _PR_SI_ARCHITECTURE "riscv64"
+#elif defined(__e2k__)
+#define _PR_SI_ARCHITECTURE "e2k"
 #elif defined(__arc__)
 #define _PR_SI_ARCHITECTURE "arc"
 #elif defined(__nios2__)
@@ -71,6 +71,8 @@
 #define _PR_SI_ARCHITECTURE "microblaze"
 #elif defined(__nds32__)
 #define _PR_SI_ARCHITECTURE "nds32"
+#elif defined(__xtensa__)
+#define _PR_SI_ARCHITECTURE "xtensa"
 #else
 #error "Unknown CPU architecture"
 #endif

nsprpub/pr/include/md/_netbsd.h

@@ -25,8 +25,6 @@
 #define _PR_SI_ARCHITECTURE "sparc64"
 #elif defined(__sparc__)
 #define _PR_SI_ARCHITECTURE "sparc"
-#elif defined(__mips64__)
-#define _PR_SI_ARCHITECTURE "mips64"
 #elif defined(__mips__)
 #define _PR_SI_ARCHITECTURE "mips"
 #elif defined(__arm32__) || defined(__arm__) || defined(__armel__) \

nsprpub/pr/include/prinit.h

@@ -31,9 +31,9 @@ PR_BEGIN_EXTERN_C
 ** The format of the version string is
 **     "<major version>.<minor version>[.<patch level>] [<Beta>]"
 */
-#define PR_VERSION  "4.24"
+#define PR_VERSION  "4.29"
 #define PR_VMAJOR   4
-#define PR_VMINOR   24
+#define PR_VMINOR   29
 #define PR_VPATCH   0
 #define PR_BETA     PR_FALSE
 

nsprpub/pr/include/prsystem.h

@@ -43,8 +43,9 @@ typedef enum {
     PR_SI_SYSNAME,
     PR_SI_RELEASE,
     PR_SI_ARCHITECTURE,
-    PR_SI_HOSTNAME_UNTRUNCATED  /* the hostname exactly as configured
+    PR_SI_HOSTNAME_UNTRUNCATED, /* the hostname exactly as configured
                                  * on the system */
+    PR_SI_RELEASE_BUILD
 } PRSysInfo;
 
 

nsprpub/pr/src/Makefile.in

@@ -159,10 +159,6 @@ ifeq ($(OS_TARGET),Android)
 OS_LIBS		+= -llog
 endif
 
-ifeq ($(OS_TARGET),MacOSX)
-OS_LIBS		= -framework CoreServices -framework CoreFoundation
-endif
-
 EXTRA_LIBS += $(OS_LIBS)
 
 #

nsprpub/pr/src/linking/prlink.c

@@ -7,11 +7,6 @@
 
 #include <string.h>
 
-#if defined(XP_MACOSX) && defined(USE_MACH_DYLD)
-#include <Carbon/Carbon.h>
-#include <CoreFoundation/CoreFoundation.h>
-#endif
-
 #ifdef XP_UNIX
 #ifdef USE_DLFCN
 #include <dlfcn.h>
@@ -36,8 +31,6 @@
 #endif
 #elif defined(USE_HPSHL)
 #include <dl.h>
-#elif defined(USE_MACH_DYLD)
-#include <mach-o/dyld.h>
 #endif
 #endif /* XP_UNIX */
 
@@ -46,8 +39,7 @@
 /*
  * On these platforms, symbols have a leading '_'.
  */
-#if (defined(DARWIN) && defined(USE_MACH_DYLD)) \
-    || defined(XP_OS2) \
+#if defined(XP_OS2) \
     || ((defined(OPENBSD) || defined(NETBSD)) && !defined(__ELF__))
 #define NEED_LEADING_UNDERSCORE
 #endif
@@ -70,19 +62,9 @@ struct PRLibrary {
 #endif
 #endif
 
-#if defined(XP_MACOSX) && defined(USE_MACH_DYLD)
-    CFragConnectionID           connection;
-    CFBundleRef                 bundle;
-    Ptr                         main;
-    CFMutableDictionaryRef      wrappers;
-    const struct mach_header*   image;
-#endif
-
 #ifdef XP_UNIX
 #if defined(USE_HPSHL)
     shl_t                       dlh;
-#elif defined(USE_MACH_DYLD)
-    NSModule                    dlh;
 #else
     void*                       dlh;
 #endif
@@ -170,7 +152,7 @@ void _PR_InitLinker(void)
 #elif defined(USE_HPSHL)
     h = NULL;
     /* don't abort with this NULL */
-#elif defined(USE_MACH_DYLD) || defined(NO_DLOPEN_NULL)
+#elif defined(NO_DLOPEN_NULL)
     h = NULL; /* XXXX  toshok */ /* XXXX  vlad */
 #else
 #error no dll strategy
@@ -270,7 +252,7 @@ PR_GetLibraryPath(void)
 #endif
 
 #if defined(XP_UNIX)
-#if defined(USE_DLFCN) || defined(USE_MACH_DYLD)
+#if defined(USE_DLFCN)
     {
         char *p=NULL;
         int len;
@@ -428,203 +410,6 @@ PR_LoadLibrary(const char *name)
     return PR_LoadLibraryWithFlags(libSpec, 0);
 }
 
-#if defined(USE_MACH_DYLD)
-static NSModule
-pr_LoadMachDyldModule(const char *name)
-{
-    NSObjectFileImage ofi;
-    NSModule h = NULL;
-    if (NSCreateObjectFileImageFromFile(name, &ofi)
-        == NSObjectFileImageSuccess) {
-        h = NSLinkModule(ofi, name, NSLINKMODULE_OPTION_PRIVATE
-                         | NSLINKMODULE_OPTION_RETURN_ON_ERROR);
-        if (h == NULL) {
-            NSLinkEditErrors linkEditError;
-            int errorNum;
-            const char *fileName;
-            const char *errorString;
-            NSLinkEditError(&linkEditError, &errorNum, &fileName, &errorString);
-            PR_LOG(_pr_linker_lm, PR_LOG_MIN,
-                   ("LoadMachDyldModule error %d:%d for file %s:\n%s",
-                    linkEditError, errorNum, fileName, errorString));
-        }
-        if (NSDestroyObjectFileImage(ofi) == FALSE) {
-            if (h) {
-                (void)NSUnLinkModule(h, NSUNLINKMODULE_OPTION_NONE);
-                h = NULL;
-            }
-        }
-    }
-    return h;
-}
-#endif
-
-#if defined(XP_MACOSX) && defined(USE_MACH_DYLD)
-
-/*
-** macLibraryLoadProc is a function definition for a Mac shared library
-** loading method. The "name" param is the same full or partial pathname
-** that was passed to pr_LoadLibraryByPathName. The function must fill
-** in the fields of "lm" which apply to its library type. Returns
-** PR_SUCCESS if successful.
-*/
-
-typedef PRStatus (*macLibraryLoadProc)(const char *name, PRLibrary *lm);
-
-#ifdef __ppc__
-
-/*
-** CFM and its TVectors only exist on PowerPC.  Other OS X architectures
-** only use Mach-O as a native binary format.
-*/
-
-static void* TV2FP(CFMutableDictionaryRef dict, const char* name, void *tvp)
-{
-    static uint32 glue[6] = { 0x3D800000, 0x618C0000, 0x800C0000, 0x804C0004, 0x7C0903A6, 0x4E800420 };
-    uint32* newGlue = NULL;
-
-    if (tvp != NULL) {
-        CFStringRef nameRef = CFStringCreateWithCString(NULL, name, kCFStringEncodingASCII);
-        if (nameRef) {
-            CFMutableDataRef glueData = (CFMutableDataRef) CFDictionaryGetValue(dict, nameRef);
-            if (glueData == NULL) {
-                glueData = CFDataCreateMutable(NULL, sizeof(glue));
-                if (glueData != NULL) {
-                    newGlue = (uint32*) CFDataGetMutableBytePtr(glueData);
-                    memcpy(newGlue, glue, sizeof(glue));
-                    newGlue[0] |= ((UInt32)tvp >> 16);
-                    newGlue[1] |= ((UInt32)tvp & 0xFFFF);
-                    MakeDataExecutable(newGlue, sizeof(glue));
-                    CFDictionaryAddValue(dict, nameRef, glueData);
-                    CFRelease(glueData);
-
-                    PR_LOG(_pr_linker_lm, PR_LOG_MIN, ("TV2FP: created wrapper for CFM function %s().", name));
-                }
-            } else {
-                PR_LOG(_pr_linker_lm, PR_LOG_MIN, ("TV2FP: found wrapper for CFM function %s().", name));
-
-                newGlue = (uint32*) CFDataGetMutableBytePtr(glueData);
-            }
-            CFRelease(nameRef);
-        }
-    }
-
-    return newGlue;
-}
-
-static PRStatus
-pr_LoadViaCFM(const char *name, PRLibrary *lm)
-{
-    OSErr err;
-    Str255 errName;
-    FSRef ref;
-    FSSpec fileSpec;
-    Boolean tempUnusedBool;
-
-    /*
-     * Make an FSSpec from the path name and call GetDiskFragment.
-     */
-
-    /* Use direct conversion of POSIX path to FSRef to FSSpec. */
-    err = FSPathMakeRef((const UInt8*)name, &ref, NULL);
-    if (err != noErr) {
-        return PR_FAILURE;
-    }
-    err = FSGetCatalogInfo(&ref, kFSCatInfoNone, NULL, NULL,
-                           &fileSpec, NULL);
-    if (err != noErr) {
-        return PR_FAILURE;
-    }
-
-    /* Resolve an alias if this was one */
-    err = ResolveAliasFile(&fileSpec, true, &tempUnusedBool,
-                           &tempUnusedBool);
-    if (err != noErr) {
-        return PR_FAILURE;
-    }
-
-    /* Finally, try to load the library */
-    err = GetDiskFragment(&fileSpec, 0, kCFragGoesToEOF, fileSpec.name,
-                          kLoadCFrag, &lm->connection, &lm->main, errName);
-
-    if (err == noErr && lm->connection) {
-        /*
-         * if we're a mach-o binary, need to wrap all CFM function
-         * pointers. need a hash-table of already seen function
-         * pointers, etc.
-         */
-        lm->wrappers = CFDictionaryCreateMutable(NULL, 16,
-                       &kCFTypeDictionaryKeyCallBacks,
-                       &kCFTypeDictionaryValueCallBacks);
-        if (lm->wrappers) {
-            lm->main = TV2FP(lm->wrappers, "main", lm->main);
-        } else {
-            err = memFullErr;
-        }
-    }
-    return (err == noErr) ? PR_SUCCESS : PR_FAILURE;
-}
-#endif /* __ppc__ */
-
-/*
-** Creates a CFBundleRef if the pathname refers to a Mac OS X bundle
-** directory. The caller is responsible for calling CFRelease() to
-** deallocate.
-*/
-
-static PRStatus
-pr_LoadCFBundle(const char *name, PRLibrary *lm)
-{
-    CFURLRef bundleURL;
-    CFBundleRef bundle = NULL;
-    char pathBuf[PATH_MAX];
-    const char *resolvedPath;
-    CFStringRef pathRef;
-
-    /* Takes care of relative paths and symlinks */
-    resolvedPath = realpath(name, pathBuf);
-    if (!resolvedPath) {
-        return PR_FAILURE;
-    }
-
-    pathRef = CFStringCreateWithCString(NULL, pathBuf, kCFStringEncodingUTF8);
-    if (pathRef) {
-        bundleURL = CFURLCreateWithFileSystemPath(NULL, pathRef,
-                    kCFURLPOSIXPathStyle, true);
-        if (bundleURL) {
-            bundle = CFBundleCreate(NULL, bundleURL);
-            CFRelease(bundleURL);
-        }
-        CFRelease(pathRef);
-    }
-
-    lm->bundle = bundle;
-    return (bundle != NULL) ? PR_SUCCESS : PR_FAILURE;
-}
-
-static PRStatus
-pr_LoadViaDyld(const char *name, PRLibrary *lm)
-{
-    lm->dlh = pr_LoadMachDyldModule(name);
-    if (lm->dlh == NULL) {
-        lm->image = NSAddImage(name, NSADDIMAGE_OPTION_RETURN_ON_ERROR
-                               | NSADDIMAGE_OPTION_WITH_SEARCHING);
-        if (lm->image == NULL) {
-            NSLinkEditErrors linkEditError;
-            int errorNum;
-            const char *fileName;
-            const char *errorString;
-            NSLinkEditError(&linkEditError, &errorNum, &fileName, &errorString);
-            PR_LOG(_pr_linker_lm, PR_LOG_MIN,
-                   ("LoadMachDyldModule error %d:%d for file %s:\n%s",
-                    linkEditError, errorNum, fileName, errorString));
-        }
-    }
-    return (lm->dlh != NULL || lm->image != NULL) ? PR_SUCCESS : PR_FAILURE;
-}
-
-#endif /* XP_MACOSX && USE_MACH_DYLD */
-
 /*
 ** Dynamically load a library. Only load libraries once, so scan the load
 ** map first.
@@ -733,36 +518,7 @@ pr_LoadLibraryByPathname(const char *name, PRIntn flags)
     }
 #endif /* WIN32 */
 
-#if defined(XP_MACOSX) && defined(USE_MACH_DYLD)
-    {
-        int     i;
-        PRStatus status;
-
-        static const macLibraryLoadProc loadProcs[] = {
-#ifdef __ppc__
-            pr_LoadViaDyld, pr_LoadCFBundle, pr_LoadViaCFM
-#else  /* __ppc__ */
-            pr_LoadViaDyld, pr_LoadCFBundle
-#endif /* __ppc__ */
-        };
-
-        for (i = 0; i < sizeof(loadProcs) / sizeof(loadProcs[0]); i++) {
-            if ((status = loadProcs[i](name, lm)) == PR_SUCCESS) {
-                break;
-            }
-        }
-        if (status != PR_SUCCESS) {
-            oserr = cfragNoLibraryErr;
-            PR_DELETE(lm);
-            goto unlock;
-        }
-        lm->name = strdup(name);
-        lm->next = pr_loadmap;
-        pr_loadmap = lm;
-    }
-#endif
-
-#if defined(XP_UNIX) && !(defined(XP_MACOSX) && defined(USE_MACH_DYLD))
+#if defined(XP_UNIX)
 #ifdef HAVE_DLL
     {
 #if defined(USE_DLFCN)
@@ -807,7 +563,7 @@ pr_LoadLibraryByPathname(const char *name, PRIntn flags)
           const size_t systemPrefixLen1 = strlen(systemPrefix1);
           const char systemPrefix2[] = "/usr/lib/";
           const size_t systemPrefixLen2 = strlen(systemPrefix2);
-          const name_len = strlen(name);
+          const size_t name_len = strlen(name);
           if (((name_len > systemPrefixLen1) &&
                (strncmp(name, systemPrefix1, systemPrefixLen1) == 0)) ||
              ((name_len > systemPrefixLen2) &&
@@ -847,8 +603,6 @@ pr_LoadLibraryByPathname(const char *name, PRIntn flags)
         }
         /* No equivalent of PR_LD_GLOBAL and PR_LD_LOCAL. */
         h = shl_load(name, shl_flags, 0L);
-#elif defined(USE_MACH_DYLD)
-        NSModule h = pr_LoadMachDyldModule(name);
 #else
 #error Configuration error
 #endif
@@ -863,7 +617,7 @@ pr_LoadLibraryByPathname(const char *name, PRIntn flags)
         pr_loadmap = lm;
     }
 #endif /* HAVE_DLL */
-#endif /* XP_UNIX && !(XP_MACOSX && USE_MACH_DYLD) */
+#endif /* XP_UNIX */
 
     lm->refCount = 1;
 
@@ -922,10 +676,6 @@ PR_UnloadLibrary(PRLibrary *lib)
     result = dlclose(lib->dlh);
 #elif defined(USE_HPSHL)
     result = shl_unload(lib->dlh);
-#elif defined(USE_MACH_DYLD)
-    if (lib->dlh) {
-        result = NSUnLinkModule(lib->dlh, NSUNLINKMODULE_OPTION_NONE) ? 0 : -1;
-    }
 #else
 #error Configuration error
 #endif
@@ -938,20 +688,6 @@ PR_UnloadLibrary(PRLibrary *lib)
     }
 #endif  /* XP_PC */
 
-#if defined(XP_MACOSX) && defined(USE_MACH_DYLD)
-    /* Close the connection */
-    if (lib->connection) {
-        CloseConnection(&(lib->connection));
-    }
-    if (lib->bundle) {
-        CFRelease(lib->bundle);
-    }
-    if (lib->wrappers) {
-        CFRelease(lib->wrappers);
-    }
-    /* No way to unload an image (lib->image) */
-#endif
-
     /* unlink from library search list */
     if (pr_loadmap == lib) {
         pr_loadmap = pr_loadmap->next;
@@ -1041,53 +777,6 @@ pr_FindSymbolInLib(PRLibrary *lm, const char *name)
     f = GetProcAddress(lm->dlh, name);
 #endif  /* WIN32 */
 
-#if defined(XP_MACOSX) && defined(USE_MACH_DYLD)
-    /* add this offset to skip the leading underscore in name */
-#define SYM_OFFSET 1
-    if (lm->bundle) {
-        CFStringRef nameRef = CFStringCreateWithCString(NULL, name + SYM_OFFSET, kCFStringEncodingASCII);
-        if (nameRef) {
-            f = CFBundleGetFunctionPointerForName(lm->bundle, nameRef);
-            CFRelease(nameRef);
-        }
-    }
-    if (lm->connection) {
-        Ptr                 symAddr;
-        CFragSymbolClass    symClass;
-        Str255              pName;
-
-        PR_LOG(_pr_linker_lm, PR_LOG_MIN, ("Looking up symbol: %s", name + SYM_OFFSET));
-
-        c2pstrcpy(pName, name + SYM_OFFSET);
-
-        f = (FindSymbol(lm->connection, pName, &symAddr, &symClass) == noErr) ? symAddr : NULL;
-
-#ifdef __ppc__
-        /* callers expect mach-o function pointers, so must wrap tvectors with glue. */
-        if (f && symClass == kTVectorCFragSymbol) {
-            f = TV2FP(lm->wrappers, name + SYM_OFFSET, f);
-        }
-#endif /* __ppc__ */
-
-        if (f == NULL && strcmp(name + SYM_OFFSET, "main") == 0) {
-            f = lm->main;
-        }
-    }
-    if (lm->image) {
-        NSSymbol symbol;
-        symbol = NSLookupSymbolInImage(lm->image, name,
-                                       NSLOOKUPSYMBOLINIMAGE_OPTION_BIND
-                                       | NSLOOKUPSYMBOLINIMAGE_OPTION_RETURN_ON_ERROR);
-        if (symbol != NULL) {
-            f = NSAddressOfSymbol(symbol);
-        }
-        else {
-            f = NULL;
-        }
-    }
-#undef SYM_OFFSET
-#endif /* XP_MACOSX && USE_MACH_DYLD */
-
 #ifdef XP_UNIX
 #ifdef HAVE_DLL
 #ifdef USE_DLFCN
@@ -1096,17 +785,6 @@ pr_FindSymbolInLib(PRLibrary *lm, const char *name)
     if (shl_findsym(&lm->dlh, name, TYPE_PROCEDURE, &f) == -1) {
         f = NULL;
     }
-#elif defined(USE_MACH_DYLD)
-    if (lm->dlh) {
-        NSSymbol symbol;
-        symbol = NSLookupSymbolInModule(lm->dlh, name);
-        if (symbol != NULL) {
-            f = NSAddressOfSymbol(symbol);
-        }
-        else {
-            f = NULL;
-        }
-    }
 #endif
 #endif /* HAVE_DLL */
 #endif /* XP_UNIX */
@@ -1289,23 +967,6 @@ PR_GetLibraryFilePathname(const char *name, PRFuncPtr addr)
         strcpy(result, dli.dli_fname);
     }
     return result;
-#elif defined(USE_MACH_DYLD)
-    char *result;
-    const char *image_name;
-    int i, count = _dyld_image_count();
-
-    for (i = 0; i < count; i++) {
-        image_name = _dyld_get_image_name(i);
-        if (strstr(image_name, name) != NULL) {
-            result = PR_Malloc(strlen(image_name)+1);
-            if (result != NULL) {
-                strcpy(result, image_name);
-            }
-            return result;
-        }
-    }
-    PR_SetError(PR_LIBRARY_NOT_LOADED_ERROR, 0);
-    return NULL;
 #elif defined(AIX)
     char *result;
 #define LD_INFO_INCREMENT 64

nsprpub/pr/src/md/unix/os_Linux_ia64.s

@@ -68,4 +68,4 @@ _PR_ia64_AtomicSet:
         .endp _PR_ia64_AtomicSet#
 
 // Magic indicating no need for an executable stack
-.section .note.GNU-stack, "", @progbits ; .previous
+.section .note.GNU-stack, "", @progbits

nsprpub/pr/src/md/unix/os_Linux_ppc.s

@@ -72,4 +72,4 @@ _PR_ppc_AtomicAdd:
 .Lfe4:  .size _PR_ppc_AtomicAdd,.Lfe4-_PR_ppc_AtomicAdd
 
 # Magic indicating no need for an executable stack
-.section .note.GNU-stack, "", @progbits ; .previous
+.section .note.GNU-stack, "", @progbits

nsprpub/pr/src/md/unix/os_Linux_x86.s

@@ -82,4 +82,4 @@ _PR_x86_AtomicAdd:
     ret
 
 // Magic indicating no need for an executable stack
-.section .note.GNU-stack, "", @progbits ; .previous
+.section .note.GNU-stack, "", @progbits

nsprpub/pr/src/md/unix/os_Linux_x86_64.s

@@ -71,4 +71,4 @@ _PR_x86_64_AtomicAdd:
     .size _PR_x86_64_AtomicAdd, .-_PR_x86_64_AtomicAdd
 
 // Magic indicating no need for an executable stack
-.section .note.GNU-stack, "", @progbits ; .previous
+.section .note.GNU-stack, "", @progbits

nsprpub/pr/src/md/unix/unix.c

@@ -3481,7 +3481,8 @@ PRStatus _MD_getsysinfo(PRSysInfo cmd, char *name, PRUint32 namelen)
 {
     struct utsname info;
 
-    PR_ASSERT((cmd == PR_SI_SYSNAME) || (cmd == PR_SI_RELEASE));
+    PR_ASSERT((cmd == PR_SI_SYSNAME) || (cmd == PR_SI_RELEASE) ||
+              (cmd == PR_SI_RELEASE_BUILD));
 
     if (uname(&info) == -1) {
         _PR_MD_MAP_DEFAULT_ERROR(errno);
@@ -3493,6 +3494,9 @@ PRStatus _MD_getsysinfo(PRSysInfo cmd, char *name, PRUint32 namelen)
     else if (PR_SI_RELEASE == cmd) {
         (void)PR_snprintf(name, namelen, info.release);
     }
+    else if (PR_SI_RELEASE_BUILD == cmd) {
+        (void)PR_snprintf(name, namelen, info.version);
+    }
     else {
         return PR_FAILURE;
     }

nsprpub/pr/src/md/windows/ntio.c

@@ -2252,6 +2252,7 @@ _PR_MD_READ(PRFileDesc *fd, void *buf, PRInt32 len)
     int rv, err;
     LONG hiOffset = 0;
     LONG loOffset;
+    LARGE_INTEGER offset; /* use for a normalized add of len to offset */
 
     if (!fd->secret->md.sync_file_io) {
         PRThread *me = _PR_MD_CURRENT_THREAD();
@@ -2368,7 +2369,14 @@ _PR_MD_READ(PRFileDesc *fd, void *buf, PRInt32 len)
                 return -1;
             }
 
-            SetFilePointer((HANDLE)f, me->md.blocked_io_bytes, 0, FILE_CURRENT);
+            /* Apply the workaround from bug 70765 (see _PR_MD_WRITE)
+             * to the reading code, too. */
+
+            offset.LowPart = me->md.overlapped.overlapped.Offset;
+            offset.HighPart = me->md.overlapped.overlapped.OffsetHigh;
+            offset.QuadPart += me->md.blocked_io_bytes;
+
+            SetFilePointer((HANDLE)f, offset.LowPart, &offset.HighPart, FILE_BEGIN);
 
             PR_ASSERT(me->io_pending == PR_FALSE);
 

nsprpub/pr/src/md/windows/ntmisc.c

@@ -812,7 +812,8 @@ PRStatus _MD_WindowsGetSysInfo(PRSysInfo cmd, char *name, PRUint32 namelen)
 {
     OSVERSIONINFO osvi;
 
-    PR_ASSERT((cmd == PR_SI_SYSNAME) || (cmd == PR_SI_RELEASE));
+    PR_ASSERT((cmd == PR_SI_SYSNAME) || (cmd == PR_SI_RELEASE) ||
+              (cmd == PR_SI_RELEASE_BUILD));
 
     ZeroMemory(&osvi, sizeof(OSVERSIONINFO));
     osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
@@ -827,9 +828,13 @@ PRStatus _MD_WindowsGetSysInfo(PRSysInfo cmd, char *name, PRUint32 namelen)
             if (PR_SI_SYSNAME == cmd) {
                 (void)PR_snprintf(name, namelen, "Windows_NT");
             }
-            else if (PR_SI_RELEASE == cmd)
+            else if (PR_SI_RELEASE == cmd) {
                 (void)PR_snprintf(name, namelen, "%d.%d",osvi.dwMajorVersion,
                                   osvi.dwMinorVersion);
+            }
+            else if (PR_SI_RELEASE_BUILD == cmd) {
+                (void)PR_snprintf(name, namelen, "%d", osvi.dwBuildNumber);
+            }
             break;
         case VER_PLATFORM_WIN32_WINDOWS:
             if (PR_SI_SYSNAME == cmd) {
@@ -843,6 +848,8 @@ PRStatus _MD_WindowsGetSysInfo(PRSysInfo cmd, char *name, PRUint32 namelen)
             } else if (PR_SI_RELEASE == cmd) {
                 (void)PR_snprintf(name, namelen, "%d.%d",osvi.dwMajorVersion,
                                   osvi.dwMinorVersion);
+            } else if (PR_SI_RELEASE_BUILD == cmd) {
+                (void)PR_snprintf(name, namelen, "%d", osvi.dwBuildNumber);
             }
             break;
 #ifdef VER_PLATFORM_WIN32_CE
@@ -850,9 +857,15 @@ PRStatus _MD_WindowsGetSysInfo(PRSysInfo cmd, char *name, PRUint32 namelen)
             if (PR_SI_SYSNAME == cmd) {
                 (void)PR_snprintf(name, namelen, "Windows_CE");
             }
-            else if (PR_SI_RELEASE == cmd)
+            else if (PR_SI_RELEASE == cmd) {
                 (void)PR_snprintf(name, namelen, "%d.%d",osvi.dwMajorVersion,
                                   osvi.dwMinorVersion);
+            }
+            else if (PR_SI_RELEASE_BUILD == cmd) {
+              if (namelen) {
+                *name = 0;
+              }
+            }
             break;
 #endif
         default:
@@ -862,6 +875,11 @@ PRStatus _MD_WindowsGetSysInfo(PRSysInfo cmd, char *name, PRUint32 namelen)
             else if (PR_SI_RELEASE == cmd) {
                 (void)PR_snprintf(name, namelen, "%d.%d",0,0);
             }
+            else if (PR_SI_RELEASE_BUILD == cmd) {
+              if (namelen) {
+                *name = 0;
+              }
+            }
             break;
     }
     return PR_SUCCESS;

nsprpub/pr/src/md/windows/w95sock.c

@@ -7,6 +7,9 @@
  *
  */
 
+#if defined(_WIN64)
+#include <winsock2.h>
+#endif
 #include "primpl.h"
 
 #define READ_FD     1

nsprpub/pr/src/misc/prdtoa.c

@@ -304,17 +304,6 @@ static double private_mem[PRIVATE_mem], *pmem_next = private_mem;
 
 #else /* ifndef Bad_float_h */
 #include "float.h"
-/*
- * MacOS 10.2 defines the macro FLT_ROUNDS to an internal function
- * which does not exist on 10.1.  We can safely #define it to 1 here
- * to allow 10.2 builds to run on 10.1, since we can't use fesetround()
- * (which does not exist on 10.1 either).
- */
-#if defined(XP_MACOSX) && (!defined(MAC_OS_X_VERSION_10_2) || \
-    MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_2)
-#undef FLT_ROUNDS
-#define FLT_ROUNDS 1
-#endif /* DT < 10.2 */
 #endif /* Bad_float_h */
 
 #ifndef __MATH_H__

nsprpub/pr/src/misc/prnetdb.c

@@ -166,9 +166,7 @@ static PRBool _pr_have_inet6_if = PR_FALSE;
 #undef DEBUG_QUERY_IFS
 
 #if defined(AIX) \
-    || (defined(DARWIN) && (!defined(HAVE_GETIFADDRS) \
-        || (defined(XP_MACOSX) && (!defined(MAC_OS_X_VERSION_10_2) || \
-        MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_2))))
+    || (defined(DARWIN) && !defined(HAVE_GETIFADDRS))
 
 /*
  * Use SIOCGIFCONF ioctl on platforms that don't have routing

nsprpub/pr/src/misc/prsystem.c

@@ -152,6 +152,19 @@ PR_IMPLEMENT(PRStatus) PR_GetSystemInfo(PRSysInfo cmd, char *buf, PRUint32 bufle
 #endif /* OS2 */
             break;
 
+        case PR_SI_RELEASE_BUILD:
+          /* Return the version of the operating system */
+#if defined(XP_UNIX) || defined(WIN32)
+            if (PR_FAILURE == _PR_MD_GETSYSINFO(cmd, buf, (PRUintn)buflen)) {
+              return PR_FAILURE;
+            }
+#else
+            if (buflen) {
+                *buf = 0;
+            }
+#endif /* XP_UNIX || WIN32 */
+            break;
+
         case PR_SI_ARCHITECTURE:
             /* Return the architecture of the machine (ie. x86, mips, alpha, ...)*/
             (void)PR_snprintf(buf, buflen, _PR_SI_ARCHITECTURE);

nsprpub/pr/tests/Makefile.in

@@ -211,6 +211,7 @@ ifdef NS_USE_GCC
 else
   EXTRA_LIBS += ws2_32.lib
   LDOPTS = -NOLOGO -DEBUG -DEBUGTYPE:CV -INCREMENTAL:NO
+  CFLAGS += -Fd$(@:.$(OBJ_SUFFIX)=.pdb)
   ifdef PROFILE
     LDOPTS += -PROFILE -MAP
   endif # profile
@@ -442,17 +443,4 @@ endif
 ALWAYS:
 
 runtests:: $(PROGS) ALWAYS
-	@$(ECHO) "\nNSPR Test Results - $(OBJDIR)\n"
-	@$(ECHO) "BEGIN\t\t\t`date`"
-	@$(ECHO) "NSPR_TEST_LOGFILE\t$(LOGFILE)\n"
-	@$(ECHO) "Test\t\t\tResult\n"
-	@cd $(OBJDIR); for i in $(PROGRAMS); do					\
-	$(ECHO) "$$i\c";										\
-	./$$i >> $(LOGFILE) 2>&1 ;								\
-	if  [ 0 = $$? ] ; then									\
-		$(ECHO) "\t\t\tPassed";								\
-	else													\
-		$(ECHO) "\t\t\tFAILED";								\
-	fi;														\
-	done
-	@$(ECHO) "\nEND\t\t`date`\n"
+	$(topsrcdir)/pr/tests/runtests.sh $(DIST)

nsprpub/pr/tests/acceptread.c

@@ -14,7 +14,18 @@
 
 #include <stdlib.h>
 
-#define DEFAULT_PORT 12273
+#ifdef DEBUG
+#define PORT_INC_DO +100
+#else
+#define PORT_INC_DO
+#endif
+#ifdef IS_64
+#define PORT_INC_3264 +200
+#else
+#define PORT_INC_3264
+#endif
+
+#define DEFAULT_PORT 12273 PORT_INC_DO PORT_INC_3264
 #define GET "GET / HTTP/1.0\n\n"
 static PRFileDesc *std_out, *err_out;
 static PRIntervalTime write_dally, accept_timeout;

nsprpub/pr/tests/acceptreademu.c

@@ -20,7 +20,18 @@
 
 #include <stdlib.h>
 
-#define DEFAULT_PORT 12273
+#ifdef DEBUG
+#define PORT_INC_DO +100
+#else
+#define PORT_INC_DO
+#endif
+#ifdef IS_64
+#define PORT_INC_3264 +200
+#else
+#define PORT_INC_3264
+#endif
+
+#define DEFAULT_PORT 12273 PORT_INC_DO PORT_INC_3264
 #define GET "GET / HTTP/1.0\n\n"
 static PRFileDesc *std_out, *err_out;
 static PRIntervalTime write_dally, accept_timeout;

nsprpub/pr/tests/append.c

@@ -62,7 +62,7 @@ int main(int argc, char **argv)
         PL_DestroyOptState(opt);
     } /* end block "Get command line options" */
     /* ---------------------------------------------------------------------- */
-    fd = PR_Open( "/tmp/nsprAppend", (PR_APPEND | PR_CREATE_FILE | PR_TRUNCATE | PR_WRONLY), 0666 );
+    fd = PR_Open( "./tmp-nsprAppend", (PR_APPEND | PR_CREATE_FILE | PR_TRUNCATE | PR_WRONLY), 0666 );
     if ( NULL == fd )  {
         if (debug) {
             printf("PR_Open() failed for writing: %d\n", PR_GetError());
@@ -98,7 +98,7 @@ int main(int argc, char **argv)
         goto Finished;
     }
     /* ---------------------------------------------------------------------- */
-    fd = PR_Open( "/tmp/nsprAppend", PR_RDONLY, 0 );
+    fd = PR_Open( "./tmp-nsprAppend", PR_RDONLY, 0 );
     if ( NULL == fd )  {
         if (debug) {
             printf("PR_Open() failed for reading: %d\n", PR_GetError());

nsprpub/pr/tests/cltsrv.c

@@ -64,7 +64,20 @@
 #define DEFAULT_HIGH 0
 #define BUFFER_SIZE 1024
 #define DEFAULT_BACKLOG 5
-#define DEFAULT_PORT 12849
+
+#ifdef DEBUG
+#define PORT_INC_DO +100
+#else
+#define PORT_INC_DO
+#endif
+#ifdef IS_64
+#define PORT_INC_3264 +200
+#else
+#define PORT_INC_3264
+#endif
+
+#define DEFAULT_PORT 12849 PORT_INC_DO PORT_INC_3264
+
 #define DEFAULT_CLIENTS 1
 #define ALLOWED_IN_ACCEPT 1
 #define DEFAULT_CLIPPING 1000
@@ -792,11 +805,16 @@ static void PR_CALLBACK Server(void *arg)
 
     memset(&serverAddress, 0, sizeof(serverAddress));
     if (PR_AF_INET6 != domain) {
+        TEST_LOG(cltsrv_log_file, TEST_LOG_ALWAYS,
+                 ("server binding to ip port %s\n", DEFAULT_PORT));
         rv = PR_InitializeNetAddr(PR_IpAddrAny, DEFAULT_PORT, &serverAddress);
     }
-    else
+    else {
+        TEST_LOG(cltsrv_log_file, TEST_LOG_ALWAYS,
+                 ("server binding to ipv6 port %s\n", DEFAULT_PORT));
         rv = PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, DEFAULT_PORT,
                            &serverAddress);
+    }
     rv = PR_Bind(server->listener, &serverAddress);
     TEST_ASSERT(PR_SUCCESS == rv);
 
@@ -1131,16 +1149,24 @@ int main(int argc, char** argv)
             client[index].ml = PR_NewLock();
             if (serverIsLocal)
             {
-                if (PR_AF_INET6 != domain)
+                if (PR_AF_INET6 != domain) {
+                    TEST_LOG(cltsrv_log_file, TEST_LOG_ALWAYS,
+                             ("loopback client ip port %s\n", DEFAULT_PORT));
                     (void)PR_InitializeNetAddr(
                         PR_IpAddrLoopback, DEFAULT_PORT,
                         &client[index].serverAddress);
-                else
+                }
+                else {
+                    TEST_LOG(cltsrv_log_file, TEST_LOG_ALWAYS,
+                             ("loopback client ipv6 port %s\n", DEFAULT_PORT));
                     rv = PR_SetNetAddr(PR_IpAddrLoopback, PR_AF_INET6,
                                        DEFAULT_PORT, &client[index].serverAddress);
+                }
             }
             else
             {
+                TEST_LOG(cltsrv_log_file, TEST_LOG_ALWAYS,
+                         ("client enumerate port %s\n", DEFAULT_PORT));
                 (void)PR_EnumerateHostEnt(
                     0, &host, DEFAULT_PORT, &client[index].serverAddress);
             }

nsprpub/pr/tests/fdcach.c

@@ -6,7 +6,7 @@
 /*
  * File: fdcach.c
  * Description:
- *   This test verifies that the fd cache and stack are working
+ *   This test verifies that the fd cache is working
  *   correctly.
  */
 
@@ -18,7 +18,7 @@
 /*
  * Define ORDER_PRESERVED if the implementation of PR_SetFDCacheSize
  * preserves the ordering of the fd's when moving them between the
- * cache and the stack.
+ * cache.
  */
 #define ORDER_PRESERVED 1
 
@@ -35,12 +35,6 @@ int main(int argc, char **argv)
     PRFileDesc *savefds[NUM_FDS];
     int numfds = sizeof(fds)/sizeof(fds[0]);
 
-    /*
-     * Switch between cache and stack when they are empty.
-     * Then start with the fd cache.
-     */
-    PR_SetFDCacheSize(0, FD_CACHE_SIZE);
-    PR_SetFDCacheSize(0, 0);
     PR_SetFDCacheSize(0, FD_CACHE_SIZE);
 
     /* Add some fd's to the fd cache. */
@@ -82,59 +76,6 @@ int main(int argc, char **argv)
         }
     }
 
-    /* Switch to the fd stack. */
-    PR_SetFDCacheSize(0, 0);
-
-    /*
-     * Create some fd's.  These fd's should come from
-     * the fd stack.
-     */
-    for (i = 0; i < numfds; i++) {
-        fds[i] = PR_NewTCPSocket();
-        if (NULL == fds[i]) {
-            fprintf(stderr, "PR_NewTCPSocket failed\n");
-            exit(1);
-        }
-#ifdef ORDER_PRESERVED
-        if (fds[i] != savefds[numfds-1-i]) {
-            fprintf(stderr, "fd stack malfunctioned\n");
-            exit(1);
-        }
-#else
-        savefds[numfds-1-i] = fds[i];
-#endif
-    }
-    /* Put the fd's back to the fd stack. */
-    for (i = 0; i < numfds; i++) {
-        if (PR_Close(savefds[i]) == PR_FAILURE) {
-            fprintf(stderr, "PR_Close failed\n");
-            exit(1);
-        }
-    }
-
-    /*
-     * Now create some fd's and verify the LIFO ordering of
-     * the fd stack.
-     */
-    for (i = 0; i < numfds; i++) {
-        fds[i] = PR_NewTCPSocket();
-        if (NULL == fds[i]) {
-            fprintf(stderr, "PR_NewTCPSocket failed\n");
-            exit(1);
-        }
-        if (fds[i] != savefds[numfds-1-i]) {
-            fprintf(stderr, "fd stack malfunctioned\n");
-            exit(1);
-        }
-    }
-    /* Put the fd's back to the fd stack. */
-    for (i = 0; i < numfds; i++) {
-        if (PR_Close(savefds[i]) == PR_FAILURE) {
-            fprintf(stderr, "PR_Close failed\n");
-            exit(1);
-        }
-    }
-
     /* Switch to the fd cache. */
     PR_SetFDCacheSize(0, FD_CACHE_SIZE);
 
@@ -178,49 +119,6 @@ int main(int argc, char **argv)
         }
     }
 
-    /* Switch to the fd stack. */
-    PR_SetFDCacheSize(0, 0);
-
-    for (i = 0; i < numfds; i++) {
-        fds[i] = PR_NewTCPSocket();
-        if (NULL == fds[i]) {
-            fprintf(stderr, "PR_NewTCPSocket failed\n");
-            exit(1);
-        }
-#ifdef ORDER_PRESERVED
-        if (fds[i] != savefds[numfds-1-i]) {
-            fprintf(stderr, "fd stack malfunctioned\n");
-            exit(1);
-        }
-#else
-        savefds[numfds-1-i];
-#endif
-    }
-    for (i = 0; i < numfds; i++) {
-        if (PR_Close(savefds[i]) == PR_FAILURE) {
-            fprintf(stderr, "PR_Close failed\n");
-            exit(1);
-        }
-    }
-
-    for (i = 0; i < numfds; i++) {
-        fds[i] = PR_NewTCPSocket();
-        if (NULL == fds[i]) {
-            fprintf(stderr, "PR_NewTCPSocket failed\n");
-            exit(1);
-        }
-        if (fds[i] != savefds[numfds-1-i]) {
-            fprintf(stderr, "fd stack malfunctioned\n");
-            exit(1);
-        }
-    }
-    for (i = 0; i < numfds; i++) {
-        if (PR_Close(savefds[i]) == PR_FAILURE) {
-            fprintf(stderr, "PR_Close failed\n");
-            exit(1);
-        }
-    }
-
     PR_Cleanup();
     printf("PASS\n");
     return 0;

nsprpub/pr/tests/foreign.c

@@ -223,7 +223,8 @@ static void OneShot(void *arg)
                 break;
 
             case 6:
-#define TEMP_DIR "/tmp/"
+#define TEMP_DIR "./tmp"
+                PR_MkDir(TEMP_DIR, 0700);
                 dir = PR_OpenDir(TEMP_DIR);
                 DPRINTF((output,"Thread[0x%x] called PR_OpenDir\n",
                          PR_GetCurrentThread()));

nsprpub/pr/tests/fsync.c

@@ -19,7 +19,7 @@ static void Help(void)
     PR_fprintf(err, "\t-c   Nuber of iterations     (default: 10)\n");
     PR_fprintf(err, "\t-S   Sync the file           (default: FALSE)\n");
     PR_fprintf(err, "\t-K   Size of file (K bytes)  (default: 10)\n");
-    PR_fprintf(err, "\t     Name of file to write   (default: /usr/tmp/sync.dat)\n");
+    PR_fprintf(err, "\t     Name of file to write   (default: ./tmp-sync.dat)\n");
     PR_fprintf(err, "\t-h   This message and nothing else\n");
 }  /* Help */
 

nsprpub/pr/tests/gethost.c

@@ -18,7 +18,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 
-#define DEFAULT_HOST_NAME "mcom.com"
+#define DEFAULT_HOST_NAME "mozilla.org"
 
 static void Help(void)
 {

nsprpub/pr/tests/layer.c

@@ -40,7 +40,19 @@ typedef enum Verbosity {silent, quiet, chatty, noisy} Verbosity;
 static PRIntn minor_iterations = 5;
 static PRIntn major_iterations = 1;
 static Verbosity verbosity = quiet;
-static PRUint16 default_port = 12273;
+
+#ifdef DEBUG
+#define PORT_INC_DO +100
+#else
+#define PORT_INC_DO
+#endif
+#ifdef IS_64
+#define PORT_INC_3264 +200
+#else
+#define PORT_INC_3264
+#endif
+
+static PRUint16 default_port = 12273 PORT_INC_DO PORT_INC_3264;
 
 static PRFileDesc *PushLayer(PRFileDesc *stack)
 {

nsprpub/pr/tests/lazyinit.c

@@ -70,7 +70,7 @@ int main(int argc, char **argv)
                                  PR_LOCAL_THREAD, PR_JOINABLE_THREAD, 0);
             break;
 
-        case 3: file = PR_Open("/usr/tmp/", PR_RDONLY, 0);
+        case 3: file = PR_Open("./tmp-", PR_RDONLY, 0);
             break;
 
         case 4: udp = PR_NewUDPSocket();
@@ -79,7 +79,7 @@ int main(int argc, char **argv)
         case 5: tcp = PR_NewTCPSocket();
             break;
 
-        case 6: dir = PR_OpenDir("/usr/tmp/");
+        case 6: dir = PR_OpenDir("./tmp-");
             break;
 
         case 7: (void)PR_NewThreadPrivateIndex(&pdkey, NULL);

nsprpub/pr/tests/multiwait.c

@@ -32,9 +32,20 @@ typedef struct Shared
 
 typedef enum Verbosity {silent, quiet, chatty, noisy} Verbosity;
 
+#ifdef DEBUG
+#define PORT_INC_DO +100
+#else
+#define PORT_INC_DO
+#endif
+#ifdef IS_64
+#define PORT_INC_3264 +200
+#else
+#define PORT_INC_3264
+#endif
+
 static PRFileDesc *debug = NULL;
 static PRInt32 desc_allocated = 0;
-static PRUint16 default_port = 12273;
+static PRUint16 default_port = 12273 PORT_INC_DO PORT_INC_3264;
 static enum Verbosity verbosity = quiet;
 static PRInt32 ops_required = 1000, ops_done = 0;
 static PRThreadScope thread_scope = PR_LOCAL_THREAD;

nsprpub/pr/tests/nameshm1.c

@@ -72,9 +72,20 @@
 #include <string.h>
 #include <private/primpl.h>
 
-#define SEM_NAME1 "/tmp/nameshmSEM1"
-#define SEM_NAME2 "/tmp/nameshmSEM2"
-#define OPT_NAME "/tmp/xxxNSPRshm"
+#ifdef DEBUG
+#define SEM_D "D"
+#else
+#define SEM_D
+#endif
+#ifdef IS_64
+#define SEM_64 "64"
+#else
+#define SEM_64
+#endif
+
+#define SEM_NAME1 "/tmp/nameshmSEM1" SEM_D SEM_64
+#define SEM_NAME2 "/tmp/nameshmSEM2" SEM_D SEM_64
+#define OPT_NAME "/tmp/xxxNSPRshm" SEM_D SEM_64
 #define EXE_NAME "nameshm1"
 #define SEM_MODE  0666
 #define SHM_MODE  0666

nsprpub/pr/tests/nblayer.c

@@ -53,7 +53,19 @@ typedef enum Verbosity {silent, quiet, chatty, noisy} Verbosity;
 static PRIntn minor_iterations = 5;
 static PRIntn major_iterations = 1;
 static Verbosity verbosity = quiet;
-static PRUint16 default_port = 12273;
+
+#ifdef DEBUG
+#define PORT_INC_DO +100
+#else
+#define PORT_INC_DO
+#endif
+#ifdef IS_64
+#define PORT_INC_3264 +200
+#else
+#define PORT_INC_3264
+#endif
+
+static PRUint16 default_port = 12273 PORT_INC_DO PORT_INC_3264;
 
 static PRFileDesc *PushLayer(PRFileDesc *stack)
 {

nsprpub/pr/tests/ntioto.c

@@ -57,7 +57,19 @@ PRUint32  failed_already = 0;
 
 /* JITTER_DEFAULT: the number of times AcceptThread() and JitterThread() ping-pong */
 #define JITTER_DEFAULT  100000
-#define BASE_PORT 9867
+
+#ifdef DEBUG
+#define PORT_INC_DO +100
+#else
+#define PORT_INC_DO
+#endif
+#ifdef IS_64
+#define PORT_INC_3264 +200
+#else
+#define PORT_INC_3264
+#endif
+
+#define BASE_PORT 9867 PORT_INC_DO PORT_INC_3264
 
 PRIntervalTime timeout;
 PRNetAddr   listenAddr;

nsprpub/pr/tests/op_filnf.c

@@ -31,7 +31,7 @@ PRIntn error_code;
 int main(int argc, char **argv)
 {
     PR_STDIO_INIT();
-    t1 = PR_Open("/usr/tmp/ttools/err03.tmp", PR_TRUNCATE | PR_RDWR, 0666);
+    t1 = PR_Open("./tmp-ttools/err03.tmp", PR_TRUNCATE | PR_RDWR, 0666);
     if (t1 == NULL) {
         if (PR_GetError() == PR_FILE_NOT_FOUND_ERROR) {
             printf ("error code is %d \n", PR_GetError());

nsprpub/pr/tests/provider.c

@@ -58,11 +58,22 @@
 ** This is the beginning of the test
 */
 
+#ifdef DEBUG
+#define PORT_INC_DO +100
+#else
+#define PORT_INC_DO
+#endif
+#ifdef IS_64
+#define PORT_INC_3264 +200
+#else
+#define PORT_INC_3264
+#endif
+
 #define RECV_FLAGS 0
 #define SEND_FLAGS 0
 #define BUFFER_SIZE 1024
 #define DEFAULT_BACKLOG 5
-#define DEFAULT_PORT 13000
+#define DEFAULT_PORT 13000 PORT_INC_DO PORT_INC_3264
 #define DEFAULT_CLIENTS 1
 #define ALLOWED_IN_ACCEPT 1
 #define DEFAULT_CLIPPING 1000

nsprpub/pr/tests/runtests.pl

@@ -289,7 +289,6 @@ $prog = shift;  # Program to test
 "logfile",
 "logger",
 "many_cv",
-"multiwait",
 "nameshm1",
 "nblayer",
 "nonblock",

nsprpub/pr/tests/runtests.sh

@@ -4,6 +4,20 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
+if test -z $1
+then
+  echo "usage: $0 <path-to-dist>"
+  exit 1
+fi
+
+cd $1/lib
+ABS_LIB=$PWD
+cd -
+
+export DYLD_LIBRARY_PATH=${ABS_LIB}:${DYLD_LIBRARY_PATH}
+export LD_LIBRARY_PATH=${ABS_LIB}:${LD_LIBRARY_PATH}
+export PATH=${ABS_LIB}:${PATH}
+
 #
 # runtests.sh
 #	Bourne shell script for nspr tests
@@ -57,12 +71,35 @@ fi
 #
 
 #forktest (failed on IRIX)
+#multiwait - fails on Linux 64bit since NSPR v 4.4 from 2004.
 #nbconn - fails on some platforms 
 #poll_er - fails on some platforms? limited use?
 #prpoll -  the bad-FD test needs to be moved to a different test
 #sleep	-  specific to OS/2
+#
+# all of the following were disabled in 2019 when reenabling CI tests,
+# because they failed on at least one of the platforms:
+#
+# cltsrv
+# cvar
+# gethost
+# getproto
+# layer
+# logfile
+# nameshm1
+# nblayer
+# nonblock
+# ntioto
+# op_2long
+# parent
+# provider
+# ranfile
+# socket
+# sockopt
+# vercheck
 
-LOGFILE=${NSPR_TEST_LOGFILE:-$NULL_DEVICE}
+#LOGFILE=${NSPR_TEST_LOGFILE:-$NULL_DEVICE}
+LOGFILE=nspr-test.log
 
 #
 # Tests run on all platforms
@@ -80,9 +117,7 @@ atomic
 attach
 bigfile
 cleanup
-cltsrv
 concur
-cvar
 cvar2
 dlltest
 dtoa
@@ -93,8 +128,6 @@ fileio
 foreign
 formattm
 fsync
-gethost
-getproto
 i2l
 initclk
 inrval
@@ -108,27 +141,18 @@ joinkk
 joinku
 joinuk
 joinuu
-layer
 lazyinit
 libfilename
 lltest
 lock
 lockfile
-logfile
 logger
 many_cv
-multiwait
-nameshm1
-nblayer
-nonblock
-ntioto
 ntoh
-op_2long
 op_excl
 op_filnf
 op_filok
 op_nofil
-parent
 parsetm
 peek
 perf
@@ -141,10 +165,8 @@ pollable
 prftest
 prfz
 primblok
-provider
 prpollml
 pushtop
-ranfile
 randseed
 reinit
 rwlocktest
@@ -164,8 +186,6 @@ servr_ku
 servr_uu
 short_thread
 sigpipe
-socket
-sockopt
 sockping
 sprintf
 stack
@@ -181,7 +201,6 @@ timemac
 timetest
 tpd
 udpsrv
-vercheck
 version
 writev
 xnotify
@@ -211,7 +230,7 @@ printf "Test\t\t\tResult\n\n"
 if [ $OS_PLATFORM = "Windows_95" ] || [ $OS_PLATFORM = "Windows_98" ] || [ $OS_PLATFORM = "Windows_NT" ] || [ $OS_PLATFORM = "OS/2" ] ; then
 	for prog in $TESTS
 	do
-		printf "$prog"
+		printf "$prog (`date +%T`)"
 		printf "\nBEGIN TEST: $prog\n\n" >> ${LOGFILE} 2>&1
 		./$prog >> ${LOGFILE} 2>&1
 		if [ 0 = $? ] ; then
@@ -225,7 +244,7 @@ if [ $OS_PLATFORM = "Windows_95" ] || [ $OS_PLATFORM = "Windows_98" ] || [ $OS_P
 else
 	for prog in $TESTS
 	do
-		printf "$prog"
+		printf "$prog (`date +%T`)"
 		printf "\nBEGIN TEST: $prog\n\n" >> ${LOGFILE} 2>&1
 		export test_rval
 		./$prog >> ${LOGFILE} 2>&1 &
@@ -249,22 +268,10 @@ else
 	done
 fi;
 
+if [ $rval -ne 0 ]; then
+  cat ${LOGFILE}
+fi
+
 printf "END\t\t\t`date`\n"
 exit $rval
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-

nsprpub/pr/tests/sel_spd.c

@@ -16,7 +16,22 @@
 #include <errno.h>
 #include <string.h>
 
-#define PORT_BASE 19000
+#if defined(XP_UNIX)
+#include <unistd.h>
+#endif
+
+#ifdef DEBUG
+#define PORT_INC_DO +100
+#else
+#define PORT_INC_DO
+#endif
+#ifdef IS_64
+#define PORT_INC_3264 +200
+#else
+#define PORT_INC_3264
+#endif
+
+#define PORT_BASE 19000 PORT_INC_DO PORT_INC_3264
 
 typedef struct timer_slot_t {
     unsigned long d_connect;

nsprpub/pr/tests/sema.c

@@ -8,8 +8,19 @@
 
 #include <stdio.h>
 
-#define SEM_NAME1 "/tmp/foo.sem"
-#define SEM_NAME2 "/tmp/bar.sem"
+#ifdef DEBUG
+#define SEM_D "D"
+#else
+#define SEM_D
+#endif
+#ifdef IS_64
+#define SEM_64 "64"
+#else
+#define SEM_64
+#endif
+
+#define SEM_NAME1 "/tmp/foo.sem" SEM_D SEM_64
+#define SEM_NAME2 "/tmp/bar.sem" SEM_D SEM_64
 #define SEM_MODE  0666
 #define ITERATIONS 1000
 

nsprpub/pr/tests/semaerr.c

@@ -8,8 +8,19 @@
 
 #include <stdio.h>
 
-#define NO_SUCH_SEM_NAME "/tmp/nosuchsem.sem"
-#define SEM_NAME1 "/tmp/foo.sem"
+#ifdef DEBUG
+#define SEM_D "D"
+#else
+#define SEM_D
+#endif
+#ifdef IS_64
+#define SEM_64 "64"
+#else
+#define SEM_64
+#endif
+
+#define NO_SUCH_SEM_NAME "/tmp/nosuchsem.sem" SEM_D SEM_64
+#define SEM_NAME1 "/tmp/foo.sem" SEM_D SEM_64
 #define EXE_NAME "semaerr1"
 #define SEM_MODE  0666
 

nsprpub/pr/tests/semaerr1.c

@@ -8,8 +8,19 @@
 
 #include <stdio.h>
 
-#define SEM_NAME1 "/tmp/foo.sem"
-#define SEM_NAME2 "/tmp/bar.sem"
+#ifdef DEBUG
+#define SEM_D "D"
+#else
+#define SEM_D
+#endif
+#ifdef IS_64
+#define SEM_64 "64"
+#else
+#define SEM_64
+#endif
+
+#define SEM_NAME1 "/tmp/foo.sem" SEM_D SEM_64
+#define SEM_NAME2 "/tmp/bar.sem" SEM_D SEM_64
 #define SEM_MODE  0666
 
 static PRBool debug_mode = PR_FALSE;

nsprpub/pr/tests/semaping.c

@@ -8,9 +8,20 @@
 
 #include <stdio.h>
 
-#define SHM_NAME "/tmp/counter"
-#define SEM_NAME1 "/tmp/foo.sem"
-#define SEM_NAME2 "/tmp/bar.sem"
+#ifdef DEBUG
+#define SEM_D "D"
+#else
+#define SEM_D
+#endif
+#ifdef IS_64
+#define SEM_64 "64"
+#else
+#define SEM_64
+#endif
+
+#define SHM_NAME "/tmp/counter" SEM_D SEM_64
+#define SEM_NAME1 "/tmp/foo.sem" SEM_D SEM_64
+#define SEM_NAME2 "/tmp/bar.sem" SEM_D SEM_64
 #define EXE_NAME "semapong"
 #define SEM_MODE  0666
 #define SHM_MODE  0666

nsprpub/pr/tests/semapong.c

@@ -8,9 +8,20 @@
 
 #include <stdio.h>
 
-#define SHM_NAME "/tmp/counter"
-#define SEM_NAME1 "/tmp/foo.sem"
-#define SEM_NAME2 "/tmp/bar.sem"
+#ifdef DEBUG
+#define SEM_D "D"
+#else
+#define SEM_D
+#endif
+#ifdef IS_64
+#define SEM_64 "64"
+#else
+#define SEM_64
+#endif
+
+#define SHM_NAME "/tmp/counter" SEM_D SEM_64
+#define SEM_NAME1 "/tmp/foo.sem" SEM_D SEM_64
+#define SEM_NAME2 "/tmp/bar.sem" SEM_D SEM_64
 #define ITERATIONS 1000
 
 static PRBool debug_mode = PR_FALSE;

nsprpub/pr/tests/socket.c

@@ -45,9 +45,9 @@ char *TEST_DIR = "prdir";
 char *SMALL_FILE_NAME = "prsmallf";
 char *LARGE_FILE_NAME = "prlargef";
 #else
-char *TEST_DIR = "/tmp/prsocket_test_dir";
-char *SMALL_FILE_NAME = "/tmp/prsocket_test_dir/small_file";
-char *LARGE_FILE_NAME = "/tmp/prsocket_test_dir/large_file";
+char *TEST_DIR = "./tmp-prsocket_test_dir";
+char *SMALL_FILE_NAME = "./tmp-prsocket_test_dir/small_file";
+char *LARGE_FILE_NAME = "./tmp-prsocket_test_dir/large_file";
 #endif
 #define SMALL_FILE_SIZE             (3 * 1024)        /* 3 KB        */
 #define SMALL_FILE_OFFSET_1         (512)

nsprpub/pr/tests/testfile.c

@@ -17,6 +17,10 @@
 #include <pthread.h>
 #endif
 
+#if defined(XP_UNIX)
+#include <unistd.h>
+#endif
+
 #if defined(XP_OS2)
 #define INCL_DOSFILEMGR
 #include <os2.h>
@@ -71,7 +75,7 @@ char *TEST_DIR = "C:\\temp\\prdir";
 char *FILE_NAME = "pr_testfile";
 char *HIDDEN_FILE_NAME = "hidden_pr_testfile";
 #else
-char *TEST_DIR = "/tmp/testfile_dir";
+char *TEST_DIR = "./tmp-testfile_dir";
 char *FILE_NAME = "pr_testfile";
 char *HIDDEN_FILE_NAME = ".hidden_pr_testfile";
 #endif

nsprpub/pr/tests/thruput.c

@@ -27,7 +27,20 @@
 #include "plgetopt.h"
 
 #define ADDR_BUFFER 100
-#define PORT_NUMBER 51877
+
+#ifdef DEBUG
+#define PORT_INC_DO +100
+#else
+#define PORT_INC_DO
+#endif
+#ifdef IS_64
+#define PORT_INC_3264 +200
+#else
+#define PORT_INC_3264
+#endif
+
+#define PORT_NUMBER 51877 PORT_INC_DO PORT_INC_3264
+
 #define SAMPLING_INTERVAL 10
 #define BUFFER_SIZE (32 * 1024)
 

nsprpub/pr/tests/tmoacc.c

@@ -11,7 +11,18 @@
 #include "plerror.h"
 #include "plgetopt.h"
 
-#define BASE_PORT 9867
+#ifdef DEBUG
+#define PORT_INC_DO +100
+#else
+#define PORT_INC_DO
+#endif
+#ifdef IS_64
+#define PORT_INC_3264 +200
+#else
+#define PORT_INC_3264
+#endif
+
+#define BASE_PORT 9867 PORT_INC_DO PORT_INC_3264
 #define DEFAULT_THREADS 1
 #define DEFAULT_BACKLOG 10
 #define DEFAULT_TIMEOUT 10

nsprpub/pr/tests/tmocon.c

@@ -50,7 +50,18 @@ char *getcwd(char *buf, size_t size)
 }
 #endif
 
-#define BASE_PORT 9867
+#ifdef DEBUG
+#define PORT_INC_DO +100
+#else
+#define PORT_INC_DO
+#endif
+#ifdef IS_64
+#define PORT_INC_3264 +200
+#else
+#define PORT_INC_3264
+#endif
+
+#define BASE_PORT 9867 PORT_INC_DO PORT_INC_3264
 
 #define DEFAULT_DALLY 1
 #define DEFAULT_THREADS 1

nsprpub/pr/tests/vercheck.c

@@ -41,7 +41,7 @@ static char *compatible_version[] = {
     "4.10.5", "4.10.6", "4.10.7", "4.10.8", "4.10.9",
     "4.10.10", "4.11", "4.12", "4.13", "4.14", "4.15",
     "4.16", "4.17", "4.18", "4.19", "4.20", "4.21", "4.22",
-    "4.23",
+    "4.23", "4.24", "4.25", "4,26", "4.27", "4.28",
     PR_VERSION
 };
 
@@ -57,8 +57,8 @@ static char *incompatible_version[] = {
     "3.0", "3.0.1",
     "3.1", "3.1.1", "3.1.2", "3.1.3",
     "3.5", "3.5.1",
-    "4.24.1",
-    "4.25", "4.25.1",
+    "4.29.1",
+    "4.30", "4.30.1",
     "10.0", "11.1", "12.14.20"
 };
 

nsprpub/pr/tests/writev.c

@@ -15,7 +15,18 @@
 #define IOV_MAX 16
 #endif
 
-#define BASE_PORT 9867
+#ifdef DEBUG
+#define PORT_INC_DO +100
+#else
+#define PORT_INC_DO
+#endif
+#ifdef IS_64
+#define PORT_INC_3264 +200
+#else
+#define PORT_INC_3264
+#endif
+
+#define BASE_PORT 9867 PORT_INC_DO PORT_INC_3264
 
 int PR_CALLBACK Writev(int argc, char **argv)
 {

security/nss/automation/abi-check/expected-report-libnss3.so.txt

@@ -0,0 +1,8 @@
+
+4 Added functions:
+
+  [A] 'function SECStatus CERT_AddCertToListHeadWithData(CERTCertList*, CERTCertificate*, void*)'    {CERT_AddCertToListHeadWithData@@NSS_3.59}
+  [A] 'function SECStatus CERT_AddCertToListTailWithData(CERTCertList*, CERTCertificate*, void*)'    {CERT_AddCertToListTailWithData@@NSS_3.59}
+  [A] 'function PK11SymKey* PK11_PubUnwrapSymKeyWithMechanism(SECKEYPrivateKey*, CK_MECHANISM_TYPE, SECItem*, SECItem*, CK_MECHANISM_TYPE, CK_ATTRIBUTE_TYPE, int)'    {PK11_PubUnwrapSymKeyWithMechanism@@NSS_3.59}
+  [A] 'function SECStatus PK11_PubWrapSymKeyWithMechanism(SECKEYPublicKey*, CK_MECHANISM_TYPE, SECItem*, PK11SymKey*, SECItem*)'    {PK11_PubWrapSymKeyWithMechanism@@NSS_3.59}
+

security/nss/automation/abi-check/expected-report-libnssutil3.so.txt

@@ -0,0 +1,6 @@
+
+2 Added functions:
+
+  [A] 'function PRBool NSS_IsPolicyLocked()'    {NSS_IsPolicyLocked@@NSSUTIL_3.59}
+  [A] 'function void NSS_LockPolicy()'    {NSS_LockPolicy@@NSSUTIL_3.59}
+

security/nss/automation/abi-check/expected-report-libssl3.so.txt

@@ -1,13 +0,0 @@
-
-1 function with some indirect sub-type change:
-
-  [C]'function SECStatus SSL_GetPreliminaryChannelInfo(PRFileDesc*, SSLPreliminaryChannelInfo*, PRUintn)' at sslinfo.c:113:1 has some indirect sub-type changes:
-    parameter 2 of type 'SSLPreliminaryChannelInfo*' has sub-type changes:
-      in pointed to type 'typedef SSLPreliminaryChannelInfo' at sslt.h:424:1:
-        underlying type 'struct SSLPreliminaryChannelInfoStr' at sslt.h:373:1 changed:
-          type size changed from 192 to 288 (in bits)
-          3 data member insertions:
-            'PRBool SSLPreliminaryChannelInfoStr::peerDelegCred', at offset 192 (in bits) at sslt.h:418:1
-            'PRUint32 SSLPreliminaryChannelInfoStr::authKeyBits', at offset 224 (in bits) at sslt.h:419:1
-            'SSLSignatureScheme SSLPreliminaryChannelInfoStr::signatureScheme', at offset 256 (in bits) at sslt.h:420:1
-

security/nss/automation/abi-check/previous-nss-release

@@ -1 +1 @@
-NSS_3_47_BRANCH
+NSS_3_58_BRANCH

security/nss/automation/buildbot-slave/bbenv-example.sh

@@ -1,67 +0,0 @@
-#! /bin/bash
-
-# Each buildbot-slave requires a bbenv.sh file that defines
-# machine specific variables. This is an example file.
-
-
-HOST=$(hostname | cut -d. -f1)
-export HOST
-
-# if your machine's IP isn't registered in DNS,
-# you must set appropriate environment variables
-# that can be resolved locally.
-# For example, if localhost.localdomain works on your system, set:
-#HOST=localhost
-#DOMSUF=localdomain
-#export DOMSUF
-
-ARCH=$(uname -s)
-
-ulimit -c unlimited 2> /dev/null
-
-export NSPR_LOG_MODULES="pkix:1"
-
-#export JAVA_HOME_32=
-#export JAVA_HOME_64=
-
-#enable if you have PKITS data
-#export PKITS_DATA=$HOME/pkits/data/
-
-NSS_BUILD_TARGET="clean nss_build_all"
-JSS_BUILD_TARGET="clean all"
-
-MAKE=gmake
-AWK=awk
-PATCH=patch
-
-if [ "${ARCH}" = "SunOS" ]; then
-    AWK=nawk
-    PATCH=gpatch
-    ARCH=SunOS/$(uname -p)
-fi
-
-if [ "${ARCH}" = "Linux" -a -f /etc/system-release ]; then
-   VERSION=`sed -e 's; release ;;' -e 's; (.*)$;;' -e 's;Red Hat Enterprise Linux Server;RHEL;' -e 's;Red Hat Enterprise Linux Workstation;RHEL;' /etc/system-release`
-   ARCH=Linux/${VERSION}
-   echo ${ARCH}
-fi
-
-PROCESSOR=$(uname -p)
-if [ "${PROCESSOR}" = "ppc64" ]; then
-    ARCH="${ARCH}/ppc64"
-fi
-if [ "${PROCESSOR}" = "powerpc" ]; then
-    ARCH="${ARCH}/ppc"
-fi
-
-PORT_64_DBG=8543
-PORT_64_OPT=8544
-PORT_32_DBG=8545
-PORT_32_OPT=8546
-
-if [ "${NSS_TESTS}" = "memleak" ]; then
-    PORT_64_DBG=8547
-    PORT_64_OPT=8548
-    PORT_32_DBG=8549
-    PORT_32_OPT=8550
-fi

security/nss/automation/buildbot-slave/build.sh

@@ -1,548 +0,0 @@
-#! /bin/bash
-
-# Ensure a failure of the first command inside a pipe
-# won't be hidden by commands later in the pipe.
-# (e.g. as in ./dosomething | grep)
-
-set -o pipefail
-
-proc_args()
-{
-    while [ -n "$1" ]; do
-        OPT=$(echo $1 | cut -d= -f1)
-        VAL=$(echo $1 | cut -d= -f2)
-
-        case $OPT in
-            "--build-nss")
-                BUILD_NSS=1
-                ;;
-            "--test-nss")
-                TEST_NSS=1
-                ;;
-            "--check-abi")
-                CHECK_ABI=1
-                ;;
-            "--build-jss")
-                BUILD_JSS=1
-                ;;
-            "--test-jss")
-                TEST_JSS=1
-                ;;
-            "--memtest")
-                NSS_TESTS="memleak"
-                export NSS_TESTS
-                ;;
-            "--nojsssign")
-                NO_JSS_SIGN=1
-                ;;
-            *)
-                echo "Usage: $0 ..."
-                echo "    --memtest   - run the memory leak tests"
-                echo "    --nojsssign - try to sign jss"
-                echo "    --build-nss"
-                echo "    --build-jss"
-                echo "    --test-nss"
-                echo "    --test-jss"
-                echo "    --check-abi"
-                exit 1
-                ;;
-        esac 
-
-        shift
-    done
-}
-
-set_env()
-{
-    TOPDIR=$(pwd)
-    HGDIR=$(pwd)$(echo "/hg")
-    OUTPUTDIR=$(pwd)$(echo "/output")
-    LOG_ALL="${OUTPUTDIR}/all.log"
-    LOG_TMP="${OUTPUTDIR}/tmp.log"
-
-    echo "hello" |grep --line-buffered hello >/dev/null 2>&1
-    [ $? -eq 0 ] && GREP_BUFFER="--line-buffered"
-}
-
-print_log()
-{
-    DATE=$(date "+TB [%Y-%m-%d %H:%M:%S]")
-    echo "${DATE} $*"
-    echo "${DATE} $*" >> ${LOG_ALL}
-}
-
-print_result()
-{
-    TESTNAME=$1
-    RET=$2
-    EXP=$3
-
-    if [ ${RET} -eq ${EXP} ]; then
-        print_log "${TESTNAME} PASSED"
-    else
-        print_log "${TESTNAME} FAILED"
-    fi
-}
-
-print_env()
-{
-    print_log "######## Environment variables ########"
-
-    uname -a | tee -a ${LOG_ALL}
-    if [ -e "/etc/redhat-release" ]; then
-        cat "/etc/redhat-release" | tee -a ${LOG_ALL}
-    fi
-    # don't print the MAIL command, it might contain a password    
-    env | grep -v "^MAIL=" | tee -a ${LOG_ALL}
-}
-
-set_cycle()
-{
-    BITS=$1
-    OPT=$2
-
-    if [ "${BITS}" = "64" ]; then
-        USE_64=1
-        JAVA_HOME=${JAVA_HOME_64} 
-        PORT_DBG=${PORT_64_DBG}
-        PORT_OPT=${PORT_64_OPT}
-    else
-        USE_64=
-        JAVA_HOME=${JAVA_HOME_32} 
-        PORT_DBG=${PORT_32_DBG}
-        PORT_OPT=${PORT_32_OPT}
-    fi
-    export USE_64
-    export JAVA_HOME
-
-    BUILD_OPT=
-    if [ "${OPT}" = "OPT" ]; then
-        BUILD_OPT=1
-        XPCLASS=xpclass.jar
-        PORT=${PORT_OPT}
-    else
-        BUILD_OPT=
-        XPCLASS=xpclass_dbg.jar
-        PORT=${PORT_DBG}
-    fi
-    export BUILD_OPT
-
-    PORT_JSS_SERVER=$(expr ${PORT} + 20)
-    PORT_JSSE_SERVER=$(expr ${PORT} + 40)
-
-    export PORT
-    export PORT_JSS_SERVER
-    export PORT_JSSE_SERVER
-}
-
-build_nss()
-{
-    print_log "######## NSS - build - ${BITS} bits - ${OPT} ########"
-
-    print_log "$ cd ${HGDIR}/nss"
-    cd ${HGDIR}/nss
-
-    print_log "$ ${MAKE} ${NSS_BUILD_TARGET}"
-    #${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} | grep ${GREP_BUFFER} "^${MAKE}"
-    ${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL}
-    RET=$?
-    print_result "NSS - build - ${BITS} bits - ${OPT}" ${RET} 0
-
-    if [ ${RET} -eq 0 ]; then
-        return 0
-    else
-        tail -100 ${LOG_ALL}
-        return ${RET}
-    fi
-}
-
-build_jss()
-{
-    print_log "######## JSS - build - ${BITS} bits - ${OPT} ########"
-
-    print_log "$ cd ${HGDIR}/jss"
-    cd ${HGDIR}/jss
-
-    print_log "$ ${MAKE} ${JSS_BUILD_TARGET}"
-    #${MAKE} ${JSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} | grep ${GREP_BUFFER} "^${MAKE}"
-    ${MAKE} ${JSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL}
-    RET=$?
-    print_result "JSS build - ${BITS} bits - ${OPT}" ${RET} 0
-    [ ${RET} -eq 0 ] || return ${RET}
-
-    print_log "$ cd ${HGDIR}/dist"
-    cd ${HGDIR}/dist
-
-    if [ -z "${NO_JSS_SIGN}" ]; then
-	print_log "cat ${TOPDIR}/keystore.pw | ${JAVA_HOME}/bin/jarsigner -keystore ${TOPDIR}/keystore -internalsf ${XPCLASS} jssdsa"
-	cat ${TOPDIR}/keystore.pw | ${JAVA_HOME}/bin/jarsigner -keystore ${TOPDIR}/keystore -internalsf ${XPCLASS} jssdsa >> ${LOG_ALL} 2>&1
-	RET=$?
-	print_result "JSS - sign JAR files - ${BITS} bits - ${OPT}" ${RET} 0
-	[ ${RET} -eq 0 ] || return ${RET}
-    fi
-    print_log "${JAVA_HOME}/bin/jarsigner -verify -certs ${XPCLASS}"
-    ${JAVA_HOME}/bin/jarsigner -verify -certs ${XPCLASS} >> ${LOG_ALL} 2>&1
-    RET=$?
-    print_result "JSS - verify JAR files - ${BITS} bits - ${OPT}" ${RET} 0
-    [ ${RET} -eq 0 ] || return ${RET}
-
-    return 0
-}
-
-test_nss()
-{
-    print_log "######## NSS - tests - ${BITS} bits - ${OPT} ########"
-
-    if [ "${OS_TARGET}" = "Android" ]; then
-	print_log "$ cd ${HGDIR}/nss/tests/remote"
-	cd ${HGDIR}/nss/tests/remote
-	print_log "$ make test_android"
-	make test_android 2>&1 | tee ${LOG_TMP} | grep ${GREP_BUFFER} ": #"
-	OUTPUTFILE=${HGDIR}/tests_results/security/*.1/output.log
-    else
-	print_log "$ cd ${HGDIR}/nss/tests"
-	cd ${HGDIR}/nss/tests
-	print_log "$ ./all.sh"
-	./all.sh 2>&1 | tee ${LOG_TMP} | egrep ${GREP_BUFFER} ": #|^\[.{10}\] "
-	OUTPUTFILE=${LOG_TMP}
-    fi
-
-    cat ${LOG_TMP} >> ${LOG_ALL}
-    tail -n2 ${HGDIR}/tests_results/security/*.1/results.html | grep END_OF_TEST >> ${LOG_ALL}
-    RET=$?
-
-    print_log "######## details of detected failures (if any) ########"
-    grep -B50 -w FAILED ${OUTPUTFILE}
-    [ $? -eq 1 ] || RET=1
-
-    print_result "NSS - tests - ${BITS} bits - ${OPT}" ${RET} 0
-    return ${RET}
-}
-
-check_abi()
-{
-    print_log "######## NSS ABI CHECK - ${BITS} bits - ${OPT} ########"
-    print_log "######## creating temporary HG clones ########"
-
-    rm -rf ${HGDIR}/baseline
-    mkdir ${HGDIR}/baseline
-    BASE_NSS=`cat ${HGDIR}/nss/automation/abi-check/previous-nss-release`
-    hg clone -u "${BASE_NSS}" "${HGDIR}/nss" "${HGDIR}/baseline/nss"
-    if [ $? -ne 0 ]; then
-        echo "invalid tag in automation/abi-check/previous-nss-release"
-        return 1
-    fi
-
-    BASE_NSPR=NSPR_$(head -1 ${HGDIR}/baseline/nss/automation/release/nspr-version.txt | cut -d . -f 1-2 | tr . _)_BRANCH
-    hg clone -u "${BASE_NSPR}" "${HGDIR}/nspr" "${HGDIR}/baseline/nspr"
-    if [ $? -ne 0 ]; then
-        echo "nonexisting tag ${BASE_NSPR} derived from ${BASE_NSS} automation/release/nspr-version.txt"
-        # Assume that version hasn't been released yet, fall back to trunk
-        pushd "${HGDIR}/baseline/nspr"
-        hg update default
-        popd
-    fi
-
-    print_log "######## building baseline NSPR/NSS ########"
-    pushd ${HGDIR}/baseline/nss
-
-    print_log "$ ${MAKE} ${NSS_BUILD_TARGET}"
-    ${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL}
-    RET=$?
-    print_result "NSS - build - ${BITS} bits - ${OPT}" ${RET} 0
-    if [ ${RET} -ne 0 ]; then
-        tail -100 ${LOG_ALL}
-        return ${RET}
-    fi
-    popd
-
-    ABI_PROBLEM_FOUND=0
-    ABI_REPORT=${OUTPUTDIR}/abi-diff.txt
-    rm -f ${ABI_REPORT}
-    PREVDIST=${HGDIR}/baseline/dist
-    NEWDIST=${HGDIR}/dist
-    ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnssdbm3.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so"
-    for SO in ${ALL_SOs}; do
-        if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then
-            touch ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt
-        fi
-        abidiff --hd1 $PREVDIST/public/ --hd2 $NEWDIST/public \
-            $PREVDIST/*/lib/$SO $NEWDIST/*/lib/$SO \
-            > ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt
-        RET=$?
-        cat ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt \
-            | grep -v "^Functions changes summary:" \
-            | grep -v "^Variables changes summary:" \
-            > ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt
-        rm -f ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt
-        ABIDIFF_ERROR=$((($RET & 0x01) != 0))
-        ABIDIFF_USAGE_ERROR=$((($RET & 0x02) != 0))
-        ABIDIFF_ABI_CHANGE=$((($RET & 0x04) != 0))
-        ABIDIFF_ABI_INCOMPATIBLE_CHANGE=$((($RET & 0x08) != 0))
-        ABIDIFF_UNKNOWN_BIT_SET=$((($RET & 0xf0) != 0))
-
-        # If abidiff reports an error, or a usage error, or if it sets a result
-        # bit value this script doesn't know yet about, we'll report failure.
-        # For ABI changes, we don't yet report an error. We'll compare the
-        # result report with our whitelist. This allows us to silence changes
-        # that we're already aware of and have been declared acceptable.
-
-        REPORT_RET_AS_FAILURE=0
-        if [ $ABIDIFF_ERROR -ne 0 ]; then
-            print_log "abidiff reported ABIDIFF_ERROR."
-            REPORT_RET_AS_FAILURE=1
-        fi
-        if [ $ABIDIFF_USAGE_ERROR -ne 0 ]; then
-            print_log "abidiff reported ABIDIFF_USAGE_ERROR."
-            REPORT_RET_AS_FAILURE=1
-        fi
-        if [ $ABIDIFF_UNKNOWN_BIT_SET -ne 0 ]; then
-            print_log "abidiff reported ABIDIFF_UNKNOWN_BIT_SET."
-            REPORT_RET_AS_FAILURE=1
-        fi
-
-        if [ $ABIDIFF_ABI_CHANGE -ne 0 ]; then
-            print_log "Ignoring abidiff result ABI_CHANGE, instead we'll check for non-whitelisted differences."
-        fi
-        if [ $ABIDIFF_ABI_INCOMPATIBLE_CHANGE -ne 0 ]; then
-            print_log "Ignoring abidiff result ABIDIFF_ABI_INCOMPATIBLE_CHANGE, instead we'll check for non-whitelisted differences."
-        fi
-
-        if [ $REPORT_RET_AS_FAILURE -ne 0 ]; then
-            ABI_PROBLEM_FOUND=1
-            print_log "abidiff {$PREVDIST , $NEWDIST} for $SO FAILED with result $RET, or failed writing to ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt"
-        fi
-        if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then
-            ABI_PROBLEM_FOUND=1
-            print_log "FAILED to access report file: ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt"
-        fi
-
-        diff -wB -u ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt \
-                ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT}
-        if [ ! -f ${ABI_REPORT} ]; then
-            ABI_PROBLEM_FOUND=1
-            print_log "FAILED to compare exepcted and new report: ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt"
-        fi
-    done
-
-    if [ -s ${ABI_REPORT} ]; then
-        print_log "FAILED: there are new unexpected ABI changes"
-        cat ${ABI_REPORT}
-        return 1
-    elif [ $ABI_PROBLEM_FOUND -ne 0 ]; then
-        print_log "FAILED: failure executing the ABI checks"
-        cat ${ABI_REPORT}
-        return 1
-    fi
-
-    return 0
-}
-
-test_jss()
-{
-    print_log "######## JSS - tests - ${BITS} bits - ${OPT} ########"
-
-    print_log "$ cd ${HGDIR}/jss"
-    cd ${HGDIR}/jss
-
-    print_log "$ ${MAKE} platform"
-    PLATFORM=$(${MAKE} platform)
-    print_log "PLATFORM=${PLATFORM}"
-
-    print_log "$ cd ${HGDIR}/jss/org/mozilla/jss/tests"
-    cd ${HGDIR}/jss/org/mozilla/jss/tests
-
-    print_log "$ perl all.pl dist ${HGDIR}/dist/${PLATFORM}"
-    perl all.pl dist ${HGDIR}/dist/${PLATFORM} 2>&1 | tee ${LOG_TMP}
-    cat ${LOG_TMP} >> ${LOG_ALL}
-
-    tail -n2 ${LOG_TMP} | grep JSSTEST_RATE > /dev/null
-    RET=$?
-
-    grep FAIL ${LOG_TMP} 
-    [ $? -eq 1 ] || RET=1
-
-    print_result "JSS - tests - ${BITS} bits - ${OPT}" ${RET} 0
-    return ${RET}
-}
-
-create_objdir_dist_link()
-{
-    # compute relevant 'dist' OBJDIR_NAME subdirectory names for JSS and NSS
-    OS_TARGET=`uname -s`
-    OS_RELEASE=`uname -r | sed 's/-.*//' | sed 's/-.*//' | cut -d . -f1,2`
-    CPU_TAG=_`uname -m`
-    # OBJDIR_NAME_COMPILER appears to be defined for NSS but not JSS
-    OBJDIR_NAME_COMPILER=_cc
-    LIBC_TAG=_glibc
-    IMPL_STRATEGY=_PTH
-    if [ "${RUN_BITS}" = "64" ]; then
-        OBJDIR_TAG=_${RUN_BITS}_${RUN_OPT}.OBJ
-    else
-        OBJDIR_TAG=_${RUN_OPT}.OBJ
-    fi
-
-    # define NSS_OBJDIR_NAME
-    NSS_OBJDIR_NAME=${OS_TARGET}${OS_RELEASE}${CPU_TAG}${OBJDIR_NAME_COMPILER}
-    NSS_OBJDIR_NAME=${NSS_OBJDIR_NAME}${LIBC_TAG}${IMPL_STRATEGY}${OBJDIR_TAG}
-    print_log "create_objdir_dist_link(): NSS_OBJDIR_NAME='${NSS_OBJDIR_NAME}'"
-
-    # define JSS_OBJDIR_NAME
-    JSS_OBJDIR_NAME=${OS_TARGET}${OS_RELEASE}${CPU_TAG}
-    JSS_OBJDIR_NAME=${JSS_OBJDIR_NAME}${LIBC_TAG}${IMPL_STRATEGY}${OBJDIR_TAG}
-    print_log "create_objdir_dist_link(): JSS_OBJDIR_NAME='${JSS_OBJDIR_NAME}'"
-
-    if [ -e "${HGDIR}/dist/${NSS_OBJDIR_NAME}" ]; then
-        SOURCE=${HGDIR}/dist/${NSS_OBJDIR_NAME}
-        TARGET=${HGDIR}/dist/${JSS_OBJDIR_NAME}
-        ln -s ${SOURCE} ${TARGET} >/dev/null 2>&1
-    fi
-}
-
-build_and_test()
-{
-    if [ -n "${BUILD_NSS}" ]; then
-        build_nss
-        [ $? -eq 0 ] || return 1
-    fi
-
-    if [ -n "${TEST_NSS}" ]; then
-        test_nss
-        [ $? -eq 0 ] || return 1
-    fi
-
-    if [ -n "${CHECK_ABI}" ]; then
-        check_abi
-        [ $? -eq 0 ] || return 1
-    fi
-
-    if [ -n "${BUILD_JSS}" ]; then
-        create_objdir_dist_link
-        build_jss
-        [ $? -eq 0 ] || return 1
-    fi
-
-    if [ -n "${TEST_JSS}" ]; then
-        test_jss
-        [ $? -eq 0 ] || return 1
-    fi
-
-    return 0
-}
-
-run_cycle()
-{
-    print_env
-    build_and_test
-    RET=$?
-
-    grep ^TinderboxPrint ${LOG_ALL}
-
-    return ${RET}
-}
-
-prepare()
-{
-    rm -rf ${OUTPUTDIR}.oldest >/dev/null 2>&1
-    mv ${OUTPUTDIR}.older ${OUTPUTDIR}.oldest >/dev/null 2>&1
-    mv ${OUTPUTDIR}.old ${OUTPUTDIR}.older >/dev/null 2>&1
-    mv ${OUTPUTDIR}.last ${OUTPUTDIR}.old >/dev/null 2>&1
-    mv ${OUTPUTDIR} ${OUTPUTDIR}.last >/dev/null 2>&1
-    mkdir -p ${OUTPUTDIR}
-
-    # Remove temporary test files from previous jobs, that weren't cleaned up
-    # by move_results(), e.g. caused by unexpected interruptions.
-    rm -rf ${HGDIR}/tests_results/
-
-    cd ${HGDIR}/nss
-
-    if [ -n "${FEWER_STRESS_ITERATIONS}" ]; then
-        sed -i 's/-c_1000_/-c_500_/g' tests/ssl/sslstress.txt
-    fi
-
-    return 0
-}
-
-move_results()
-{
-    cd ${HGDIR}
-    if [ -n "${TEST_NSS}" ]; then
-	mv -f tests_results ${OUTPUTDIR}
-    fi
-    tar -c -z --dereference -f ${OUTPUTDIR}/dist.tgz dist
-    rm -rf dist
-}
-
-run_all()
-{
-    set_cycle ${BITS} ${OPT}
-    prepare
-    run_cycle
-    RESULT=$?
-    print_log "### result of run_cycle is ${RESULT}"
-    move_results
-    return ${RESULT}
-}
-
-main()
-{
-    VALID=0
-    RET=1
-    FAIL=0
-
-    for BITS in 32 64; do
-        echo ${RUN_BITS} | grep ${BITS} > /dev/null
-        [ $? -eq 0 ] || continue
-        for OPT in DBG OPT; do
-            echo ${RUN_OPT} | grep ${OPT} > /dev/null
-            [ $? -eq 0 ] || continue
-
-            VALID=1
-            set_env
-            run_all
-            RET=$?
-            print_log "### result of run_all is ${RET}"
-            if [ ${RET} -ne 0 ]; then
-                FAIL=${RET}
-            fi
-        done
-    done
-
-    if [ ${VALID} -ne 1 ]; then
-        echo "Need to set valid bits/opt values."
-        return 1
-    fi
-
-    return ${FAIL}
-}
-
-#function killallsub()
-#{
-#    FINAL_RET=$?
-#    for proc in `jobs -p`
-#    do
-#        kill -9 $proc
-#    done
-#    return ${FINAL_RET}
-#}
-#trap killallsub EXIT
-
-#IS_RUNNING_FILE="./build-is-running"
-
-#if [ -a $IS_RUNNING_FILE ]; then
-#    echo "exiting, because old job is still running"
-#    exit 1
-#fi
-
-#touch $IS_RUNNING_FILE
-
-echo "tinderbox args: $0 $@"
-. ${ENVVARS}
-proc_args "$@"
-main
-
-RET=$?
-print_log "### result of main is ${RET}"
-
-#rm $IS_RUNNING_FILE
-exit ${RET}

security/nss/automation/buildbot-slave/reboot.bat

@@ -1,6 +0,0 @@
-IF EXIST ..\buildbot-is-building (
-    del ..\buildbot-is-building
-    shutdown /r /t 0
-
-    timeout /t 120
-)

security/nss/automation/buildbot-slave/startbuild.bat

@@ -1,14 +0,0 @@
-echo running > ..\buildbot-is-building
-
-echo running: "%MOZILLABUILD%\msys\bin\bash" -c "hg/nss/automation/buildbot-slave/build.sh %*"
-"%MOZILLABUILD%\msys\bin\bash" -c "hg/nss/automation/buildbot-slave/build.sh %*"
-
-if %errorlevel% neq 0 (
-  set EXITCODE=1
-) else (
-  set EXITCODE=0
-)
-
-del ..\buildbot-is-building
-
-exit /b %EXITCODE%

security/nss/automation/release/nspr-version.txt

@@ -1,4 +1,4 @@
-4.24
+4.29
 
 # The first line of this file must contain the human readable NSPR
 # version number, which is the minimum required version of NSPR

security/nss/automation/release/nss-release-helper.py

@@ -5,9 +5,9 @@
 
 import os
 import sys
-import datetime
 import shutil
-import glob
+import re
+import tempfile
 from optparse import OptionParser
 from subprocess import check_call
 from subprocess import check_output
@@ -32,136 +32,203 @@ abi_report_files = ['automation/abi-check/expected-report-libfreebl3.so.txt',
                     'automation/abi-check/expected-report-libsoftokn3.so.txt',
                     'automation/abi-check/expected-report-libssl3.so.txt']
 
+
 def check_call_noisy(cmd, *args, **kwargs):
-    print "Executing command:", cmd
+    print("Executing command: {}".format(cmd))
     check_call(cmd, *args, **kwargs)
 
-o = OptionParser(usage="client.py [options] remove_beta | set_beta | print_library_versions | print_root_ca_version | set_root_ca_version | set_version_to_minor_release | set_version_to_patch_release | set_release_candidate_number | set_4_digit_release_number | create_nss_release_archive")
-
-try:
-    options, args = o.parse_args()
-    action = args[0]
-except IndexError:
-    o.print_help()
-    sys.exit(2)
 
 def exit_with_failure(what):
-    print "failure: ", what
+    print("failure: {}".format(what))
     sys.exit(2)
 
+
 def check_files_exist():
     if (not os.path.exists(nssutil_h) or not os.path.exists(softkver_h)
-        or not os.path.exists(nss_h) or not os.path.exists(nssckbi_h)):
+            or not os.path.exists(nss_h) or not os.path.exists(nssckbi_h)):
         exit_with_failure("cannot find expected header files, must run from inside NSS hg directory")
 
-def sed_inplace(sed_expression, filename):
-    backup_file = filename + '.tmp'
-    check_call_noisy(["sed", "-i.tmp", sed_expression, filename])
-    os.remove(backup_file)
+
+class Replacement():
+    def __init__(self, regex="", repl=""):
+        self.regex = regex
+        self.repl = repl
+        self.matcher = re.compile(self.regex)
+
+    def replace(self, line):
+        return self.matcher.sub(self.repl, line)
+
+
+def inplace_replace(replacements=[], filename=""):
+    for r in replacements:
+        if not isinstance(r, Replacement):
+            raise TypeError("Expecting a list of Replacement objects")
+
+    with tempfile.NamedTemporaryFile(mode="w", delete=False) as tmp_file:
+        with open(filename) as in_file:
+            for line in in_file:
+                for r in replacements:
+                    line = r.replace(line)
+                tmp_file.write(line)
+
+        shutil.copystat(filename, tmp_file.name)
+        shutil.move(tmp_file.name, filename)
+
 
 def toggle_beta_status(is_beta):
     check_files_exist()
     if (is_beta):
-        print "adding Beta status to version numbers"
-        sed_inplace('s/^\(#define *NSSUTIL_VERSION *\"[0-9.]\+\)\" *$/\\1 Beta\"/', nssutil_h)
-        sed_inplace('s/^\(#define *NSSUTIL_BETA *\)PR_FALSE *$/\\1PR_TRUE/', nssutil_h)
-        sed_inplace('s/^\(#define *SOFTOKEN_VERSION *\"[0-9.]\+\" *SOFTOKEN_ECC_STRING\) *$/\\1 \" Beta"/', softkver_h)
-        sed_inplace('s/^\(#define *SOFTOKEN_BETA *\)PR_FALSE *$/\\1PR_TRUE/', softkver_h)
-        sed_inplace('s/^\(#define *NSS_VERSION *\"[0-9.]\+\" *_NSS_CUSTOMIZED\) *$/\\1 \" Beta"/', nss_h)
-        sed_inplace('s/^\(#define *NSS_BETA *\)PR_FALSE *$/\\1PR_TRUE/', nss_h)
+        print("adding Beta status to version numbers")
+        inplace_replace(filename=nssutil_h, replacements=[
+            Replacement(regex=r'^(#define *NSSUTIL_VERSION *\"[0-9.]+)\" *$',
+                        repl=r'\g<1> Beta"'),
+            Replacement(regex=r'^(#define *NSSUTIL_BETA *)PR_FALSE *$',
+                        repl=r'\g<1>PR_TRUE')])
+        inplace_replace(filename=softkver_h, replacements=[
+            Replacement(regex=r'^(#define *SOFTOKEN_VERSION *\"[0-9.]+\" *SOFTOKEN_ECC_STRING) *$',
+                        repl=r'\g<1> " Beta"'),
+            Replacement(regex=r'^(#define *SOFTOKEN_BETA *)PR_FALSE *$',
+                        repl=r'\g<1>PR_TRUE')])
+        inplace_replace(filename=nss_h, replacements=[
+            Replacement(regex=r'^(#define *NSS_VERSION *\"[0-9.]+\" *_NSS_CUSTOMIZED) *$',
+                        repl=r'\g<1> " Beta"'),
+            Replacement(regex=r'^(#define *NSS_BETA *)PR_FALSE *$',
+                        repl=r'\g<1>PR_TRUE')])
     else:
-        print "removing Beta status from version numbers"
-        sed_inplace('s/^\(#define *NSSUTIL_VERSION *\"[0-9.]\+\) *Beta\" *$/\\1\"/', nssutil_h)
-        sed_inplace('s/^\(#define *NSSUTIL_BETA *\)PR_TRUE *$/\\1PR_FALSE/', nssutil_h)
-        sed_inplace('s/^\(#define *SOFTOKEN_VERSION *\"[0-9.]\+\" *SOFTOKEN_ECC_STRING\) *\" *Beta\" *$/\\1/', softkver_h)
-        sed_inplace('s/^\(#define *SOFTOKEN_BETA *\)PR_TRUE *$/\\1PR_FALSE/', softkver_h)
-        sed_inplace('s/^\(#define *NSS_VERSION *\"[0-9.]\+\" *_NSS_CUSTOMIZED\) *\" *Beta\" *$/\\1/', nss_h)
-        sed_inplace('s/^\(#define *NSS_BETA *\)PR_TRUE *$/\\1PR_FALSE/', nss_h)
-    print "please run 'hg stat' and 'hg diff' to verify the files have been verified correctly"
+        print("removing Beta status from version numbers")
+        inplace_replace(filename=nssutil_h, replacements=[
+            Replacement(regex=r'^(#define *NSSUTIL_VERSION *\"[0-9.]+) *Beta\" *$',
+                        repl=r'\g<1>"'),
+            Replacement(regex=r'^(#define *NSSUTIL_BETA *)PR_TRUE *$',
+                        repl=r'\g<1>PR_FALSE')])
+        inplace_replace(filename=softkver_h, replacements=[
+            Replacement(regex=r'^(#define *SOFTOKEN_VERSION *\"[0-9.]+\" *SOFTOKEN_ECC_STRING) *\" *Beta\" *$',
+                        repl=r'\g<1>'),
+            Replacement(regex=r'^(#define *SOFTOKEN_BETA *)PR_TRUE *$',
+                        repl=r'\g<1>PR_FALSE')])
+        inplace_replace(filename=nss_h, replacements=[
+            Replacement(regex=r'^(#define *NSS_VERSION *\"[0-9.]+\" *_NSS_CUSTOMIZED) *\" *Beta\" *$',
+                        repl=r'\g<1>'),
+            Replacement(regex=r'^(#define *NSS_BETA *)PR_TRUE *$',
+                        repl=r'\g<1>PR_FALSE')])
+
+    print("please run 'hg stat' and 'hg diff' to verify the files have been verified correctly")
+
 
 def print_beta_versions():
     check_call_noisy(["egrep", "#define *NSSUTIL_VERSION|#define *NSSUTIL_BETA", nssutil_h])
     check_call_noisy(["egrep", "#define *SOFTOKEN_VERSION|#define *SOFTOKEN_BETA", softkver_h])
     check_call_noisy(["egrep", "#define *NSS_VERSION|#define *NSS_BETA", nss_h])
 
+
 def remove_beta_status():
-    print "--- removing beta flags. Existing versions were:"
+    print("--- removing beta flags. Existing versions were:")
     print_beta_versions()
     toggle_beta_status(False)
-    print "--- finished modifications, new versions are:"
+    print("--- finished modifications, new versions are:")
     print_beta_versions()
 
+
 def set_beta_status():
-    print "--- adding beta flags. Existing versions were:"
+    print("--- adding beta flags. Existing versions were:")
     print_beta_versions()
     toggle_beta_status(True)
-    print "--- finished modifications, new versions are:"
+    print("--- finished modifications, new versions are:")
     print_beta_versions()
 
+
 def print_library_versions():
     check_files_exist()
     check_call_noisy(["egrep", "#define *NSSUTIL_VERSION|#define NSSUTIL_VMAJOR|#define *NSSUTIL_VMINOR|#define *NSSUTIL_VPATCH|#define *NSSUTIL_VBUILD|#define *NSSUTIL_BETA", nssutil_h])
     check_call_noisy(["egrep", "#define *SOFTOKEN_VERSION|#define SOFTOKEN_VMAJOR|#define *SOFTOKEN_VMINOR|#define *SOFTOKEN_VPATCH|#define *SOFTOKEN_VBUILD|#define *SOFTOKEN_BETA", softkver_h])
     check_call_noisy(["egrep", "#define *NSS_VERSION|#define NSS_VMAJOR|#define *NSS_VMINOR|#define *NSS_VPATCH|#define *NSS_VBUILD|#define *NSS_BETA", nss_h])
 
+
 def print_root_ca_version():
     check_files_exist()
     check_call_noisy(["grep", "define *NSS_BUILTINS_LIBRARY_VERSION", nssckbi_h])
 
 
 def ensure_arguments_after_action(how_many, usage):
-    if (len(sys.argv) != (2+how_many)):
+    if (len(sys.argv) != (2 + how_many)):
         exit_with_failure("incorrect number of arguments, expected parameters are:\n" + usage)
 
+
 def set_major_versions(major):
-    sed_inplace('s/^\(#define *NSSUTIL_VMAJOR *\).*$/\\1' + major + '/', nssutil_h)
-    sed_inplace('s/^\(#define *SOFTOKEN_VMAJOR *\).*$/\\1' + major + '/', softkver_h)
-    sed_inplace('s/^\(#define *NSS_VMAJOR *\).*$/\\1' + major + '/', nss_h)
+    for name, file in [["NSSUTIL_VMAJOR", nssutil_h],
+                       ["SOFTOKEN_VMAJOR", softkver_h],
+                       ["NSS_VMAJOR", nss_h]]:
+        inplace_replace(filename=file, replacements=[
+            Replacement(regex=r'^(#define *{} ?).*$'.format(name),
+                        repl=r'\g<1>{}'.format(major))])
+
 
 def set_minor_versions(minor):
-    sed_inplace('s/^\(#define *NSSUTIL_VMINOR *\).*$/\\1' + minor + '/', nssutil_h)
-    sed_inplace('s/^\(#define *SOFTOKEN_VMINOR *\).*$/\\1' + minor + '/', softkver_h)
-    sed_inplace('s/^\(#define *NSS_VMINOR *\).*$/\\1' + minor + '/', nss_h)
+    for name, file in [["NSSUTIL_VMINOR", nssutil_h],
+                       ["SOFTOKEN_VMINOR", softkver_h],
+                       ["NSS_VMINOR", nss_h]]:
+        inplace_replace(filename=file, replacements=[
+            Replacement(regex=r'^(#define *{} ?).*$'.format(name),
+                        repl=r'\g<1>{}'.format(minor))])
+
 
 def set_patch_versions(patch):
-    sed_inplace('s/^\(#define *NSSUTIL_VPATCH *\).*$/\\1' + patch + '/', nssutil_h)
-    sed_inplace('s/^\(#define *SOFTOKEN_VPATCH *\).*$/\\1' + patch + '/', softkver_h)
-    sed_inplace('s/^\(#define *NSS_VPATCH *\).*$/\\1' + patch + '/', nss_h)
+    for name, file in [["NSSUTIL_VPATCH", nssutil_h],
+                       ["SOFTOKEN_VPATCH", softkver_h],
+                       ["NSS_VPATCH", nss_h]]:
+        inplace_replace(filename=file, replacements=[
+            Replacement(regex=r'^(#define *{} ?).*$'.format(name),
+                        repl=r'\g<1>{}'.format(patch))])
+
 
 def set_build_versions(build):
-    sed_inplace('s/^\(#define *NSSUTIL_VBUILD *\).*$/\\1' + build + '/', nssutil_h)
-    sed_inplace('s/^\(#define *SOFTOKEN_VBUILD *\).*$/\\1' + build + '/', softkver_h)
-    sed_inplace('s/^\(#define *NSS_VBUILD *\).*$/\\1' + build + '/', nss_h)
+    for name, file in [["NSSUTIL_VBUILD", nssutil_h],
+                       ["SOFTOKEN_VBUILD", softkver_h],
+                       ["NSS_VBUILD", nss_h]]:
+        inplace_replace(filename=file, replacements=[
+            Replacement(regex=r'^(#define *{} ?).*$'.format(name),
+                        repl=r'\g<1>{}'.format(build))])
+
 
 def set_full_lib_versions(version):
-    sed_inplace('s/^\(#define *NSSUTIL_VERSION *\"\)\([0-9.]\+\)\(.*\)$/\\1' + version + '\\3/', nssutil_h)
-    sed_inplace('s/^\(#define *SOFTOKEN_VERSION *\"\)\([0-9.]\+\)\(.*\)$/\\1' + version + '\\3/', softkver_h)
-    sed_inplace('s/^\(#define *NSS_VERSION *\"\)\([0-9.]\+\)\(.*\)$/\\1' + version + '\\3/', nss_h)
+    for name, file in [["NSSUTIL_VERSION", nssutil_h],
+                       ["SOFTOKEN_VERSION", softkver_h],
+                       ["NSS_VERSION", nss_h]]:
+        inplace_replace(filename=file, replacements=[
+            Replacement(regex=r'^(#define *{} *\")([0-9.]+)(.*)$'.format(name),
+                        repl=r'\g<1>{}\g<3>'.format(version))])
+
 
 def set_root_ca_version():
     ensure_arguments_after_action(2, "major_version  minor_version")
     major = args[1].strip()
     minor = args[2].strip()
     version = major + '.' + minor
-    sed_inplace('s/^\(#define *NSS_BUILTINS_LIBRARY_VERSION *\"\).*$/\\1' + version + '/', nssckbi_h)
-    sed_inplace('s/^\(#define *NSS_BUILTINS_LIBRARY_VERSION_MAJOR *\).*$/\\1' + major + '/', nssckbi_h)
-    sed_inplace('s/^\(#define *NSS_BUILTINS_LIBRARY_VERSION_MINOR *\).*$/\\1' + minor + '/', nssckbi_h)
+
+    inplace_replace(filename=nssckbi_h, replacements=[
+        Replacement(regex=r'^(#define *NSS_BUILTINS_LIBRARY_VERSION *\").*$',
+                    repl=r'\g<1>{}"'.format(version)),
+        Replacement(regex=r'^(#define *NSS_BUILTINS_LIBRARY_VERSION_MAJOR ?).*$',
+                    repl=r'\g<1>{}'.format(major)),
+        Replacement(regex=r'^(#define *NSS_BUILTINS_LIBRARY_VERSION_MINOR ?).*$',
+                    repl=r'\g<1>{}'.format(minor))])
+
 
 def set_all_lib_versions(version, major, minor, patch, build):
     grep_major = check_output(['grep', 'define.*NSS_VMAJOR', nss_h])
     grep_minor = check_output(['grep', 'define.*NSS_VMINOR', nss_h])
 
-    old_major = int(grep_major.split()[2]);
-    old_minor = int(grep_minor.split()[2]);
+    old_major = int(grep_major.split()[2])
+    old_minor = int(grep_minor.split()[2])
 
     new_major = int(major)
     new_minor = int(minor)
 
     if (old_major < new_major or (old_major == new_major and old_minor < new_minor)):
-        print "You're increasing the minor (or major) version:"
-        print "- erasing ABI comparison expectations"
+        print("You're increasing the minor (or major) version:")
+        print("- erasing ABI comparison expectations")
         new_branch = "NSS_" + str(old_major) + "_" + str(old_minor) + "_BRANCH"
-        print "- setting reference branch to the branch of the previous version: " + new_branch
+        print("- setting reference branch to the branch of the previous version: " + new_branch)
         with open(abi_base_version_file, "w") as abi_base:
             abi_base.write("%s\n" % new_branch)
         for report_file in abi_report_files:
@@ -174,6 +241,7 @@ def set_all_lib_versions(version, major, minor, patch, build):
     set_patch_versions(patch)
     set_build_versions(build)
 
+
 def set_version_to_minor_release():
     ensure_arguments_after_action(2, "major_version  minor_version")
     major = args[1].strip()
@@ -183,6 +251,7 @@ def set_version_to_minor_release():
     build = "0"
     set_all_lib_versions(version, major, minor, patch, build)
 
+
 def set_version_to_patch_release():
     ensure_arguments_after_action(3, "major_version  minor_version  patch_release")
     major = args[1].strip()
@@ -192,11 +261,13 @@ def set_version_to_patch_release():
     build = "0"
     set_all_lib_versions(version, major, minor, patch, build)
 
+
 def set_release_candidate_number():
     ensure_arguments_after_action(1, "release_candidate_number")
     build = args[1].strip()
     set_build_versions(build)
 
+
 def set_4_digit_release_number():
     ensure_arguments_after_action(4, "major_version  minor_version  patch_release  4th_digit_release_number")
     major = args[1].strip()
@@ -206,21 +277,22 @@ def set_4_digit_release_number():
     version = major + '.' + minor + '.' + patch + '.' + build
     set_all_lib_versions(version, major, minor, patch, build)
 
+
 def create_nss_release_archive():
     ensure_arguments_after_action(3, "nss_release_version  nss_hg_release_tag  path_to_stage_directory")
-    nssrel = args[1].strip() #e.g. 3.19.3
-    nssreltag = args[2].strip() #e.g. NSS_3_19_3_RTM
-    stagedir = args[3].strip() #e.g. ../stage
+    nssrel = args[1].strip()  # e.g. 3.19.3
+    nssreltag = args[2].strip()  # e.g. NSS_3_19_3_RTM
+    stagedir = args[3].strip()  # e.g. ../stage
 
     with open('automation/release/nspr-version.txt') as nspr_version_file:
         nsprrel = next(nspr_version_file).strip()
 
     nspr_tar = "nspr-" + nsprrel + ".tar.gz"
-    nsprtar_with_path= stagedir + "/v" + nsprrel + "/src/" + nspr_tar
+    nsprtar_with_path = stagedir + "/v" + nsprrel + "/src/" + nspr_tar
     if (not os.path.exists(nsprtar_with_path)):
         exit_with_failure("cannot find nspr archive at expected location " + nsprtar_with_path)
 
-    nss_stagedir= stagedir + "/" + nssreltag + "/src"
+    nss_stagedir = stagedir + "/" + nssreltag + "/src"
     if (os.path.exists(nss_stagedir)):
         exit_with_failure("nss stage directory already exists: " + nss_stagedir)
 
@@ -230,7 +302,7 @@ def create_nss_release_archive():
     check_call_noisy(["hg", "archive", "-r", nssreltag, "--prefix=nss-" + nssrel + "/nss",
                       stagedir + "/" + nssreltag + "/src/" + nss_tar, "-X", ".hgtags"])
     check_call_noisy(["tar", "-xz", "-C", nss_stagedir, "-f", nsprtar_with_path])
-    print "changing to directory " + nss_stagedir
+    print("changing to directory " + nss_stagedir)
     os.chdir(nss_stagedir)
     check_call_noisy(["tar", "-xz", "-f", nss_tar])
     check_call_noisy(["mv", "-i", "nspr-" + nsprrel + "/nspr", "nss-" + nssrel + "/"])
@@ -241,9 +313,23 @@ def create_nss_release_archive():
     check_call_noisy(["tar", "-cz", "--remove-files", "-f", nss_nspr_tar, "nss-" + nssrel])
     check_call("sha1sum " + nss_tar + " " + nss_nspr_tar + " > SHA1SUMS", shell=True)
     check_call("sha256sum " + nss_tar + " " + nss_nspr_tar + " > SHA256SUMS", shell=True)
-    print "created directory " + nss_stagedir + " with files:"
+    print("created directory " + nss_stagedir + " with files:")
     check_call_noisy(["ls", "-l"])
 
+
+o = OptionParser(usage="client.py [options] " + " | ".join([
+    "remove_beta", "set_beta", "print_library_versions", "print_root_ca_version",
+    "set_root_ca_version", "set_version_to_minor_release",
+    "set_version_to_patch_release", "set_release_candidate_number",
+    "set_4_digit_release_number", "create_nss_release_archive"]))
+
+try:
+    options, args = o.parse_args()
+    action = args[0]
+except IndexError:
+    o.print_help()
+    sys.exit(2)
+
 if action in ('remove_beta'):
     remove_beta_status()
 

security/nss/automation/saw/chacha20.saw

@@ -34,7 +34,7 @@ let SpecChaCha20 n = do {
 };
 
 print "Proving equality for a single block...";
-time (llvm_verify m "Hacl_Chacha20_chacha20" [] (SpecChaCha20 64));
+time (llvm_verify m "Hacl_Chacha20_chacha20_encrypt" [] (SpecChaCha20 64));
 
 print "Proving equality for multiple blocks...";
-time (llvm_verify m "Hacl_Chacha20_chacha20" [] (SpecChaCha20 256));
+time (llvm_verify m "Hacl_Chacha20_chacha20_encrypt" [] (SpecChaCha20 256));

security/nss/automation/taskcluster/docker-builds/Dockerfile

@@ -34,9 +34,13 @@ RUN apt-get update \
     pkg-config \
     valgrind \
     zlib1g-dev \
+    clang-format-3.9 \
  && rm -rf /var/lib/apt/lists/* \
  && apt-get autoremove -y && apt-get clean -y
 
+RUN update-alternatives --install /usr/bin/clang-format \
+    clang-format $(which clang-format-3.9) 10
+
 # Latest version of abigail-tools
 RUN apt-get update \
  && apt-get install -y --no-install-recommends automake libtool libxml2-dev \

security/nss/automation/taskcluster/docker-fuzz32/Dockerfile

@@ -10,6 +10,8 @@ LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
 RUN dpkg --add-architecture i386
 RUN apt-get update \
  && apt-get install -y --no-install-recommends \
+    apt-transport-https \
+    apt-utils \
     build-essential \
     ca-certificates \
     curl \

security/nss/automation/taskcluster/docker-hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc

@@ -1,143 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBFS+1SABEACnmkESkY7eZq0GhDjbkWpKmURGk9+ycsfAhA44NqUvf4tk1GPM
-5SkJ/fYedYZJaDVhIp98fHgucD0O+vjOzghtgwtITusYjiPHPFBd/MN+MQqSEAP+
-LUa/kjHLjgyXxKhFUIDGVaDWL5tKOA7/AQKl1TyJ8lz89NHQoUHFsF/hu10+qhJe
-V65d32MXFehIUSvegh8DrPuExrliSiORO4HOhuc6151dWA4YBWVg4rX5kfKrGMMT
-pTWnSSZtgoRhkKW2Ey8cmZUqPuUJIfWyeNVu1e4SFtAivLvu/Ymz2WBJcNA1ZlTr
-RCOR5SIRgZ453pQnI/Bzna2nnJ/TV1gGJIGRahj/ini0cs2x1CILfS/YJQ3rWGGo
-OxwG0BVmPk0cmLVtyTq8gUPwxcPUd6WcBKhot3TDMlrffZACnQwQjlVjk5S1dEEz
-atUfpEuNitU9WOM4jr/gjv36ZNCOWm95YwLhsuci/NddBN8HXhyvs+zYTVZEXa2W
-l/FqOdQsQqZBcJjjWckGKhESdd7934+cesGD3O8KaeSGxww7slJrS0+6QJ8oBoAB
-P/WCn/y2AiY2syEKp3wYIGJyAbsm542zMZ4nc7pYfSu49mcyhQQICmqN5QvOyYUx
-OSqwbAOUNtlOyeRLZNIKoXtTqWDEu5aEiDROTw6Rkq+dIcxPNgOLdeQ3HwARAQAB
-tCFIYW5zIFdlbm5ib3JnIDxoYW5zQGNocm9taXVtLm9yZz6JARwEEAECAAYFAlT2
-MQAACgkQVfXNcLtaBWnDKgf/fjusXk+kh1zuyn5eOCe16+2vV1lmXZrDIGdJtXDW
-ZtHKele1Yv1BA3kUi5tKQi+VOOrvHL0+TMjFWFiCy1sYJS9qgkS08kReI2nAnhZ7
-INdqEVxtVk1TTOhtYjOPy6txwujoICuPv5F4rHVhn1LPKGTLtYD2LOwf/8eKYQox
-51gaJ8dNxpcHE/iFOIDXdebJPufo3EhqDRihchxb8AVLhrNss7pGGG/tVfichmHK
-djPT2KfSh14pq1ahFOz0zH4nmTu7CCLnLAdRBHuhL8HVDbi0vKBtCiSmQggdxvoj
-u+hpXiiDFQoCjLh0zVCwtFqWDZbnKMTBNNF26aTmQ+2fiYkBMwQQAQgAHRYhBB/m
-NI7eqCWiKXDlxI3TBA8SPMP0BQJbcLU1AAoJEI3TBA8SPMP021sH/jD1m7azNCN6
-DVL1iDJT6uIIYCTylygH5XI46CRoWaz/LwdFnUqWHHTcQxJ5pIkWV9KF+SIgMT42
-brdZZmNvvSdX0odjFKqj5UR6w+wDN+uZ6Q40zu4pNoNzbk7pRpbFf1XIfGB1liyu
-m28EJ58IXu/0AV7FiDAHGGBqppK/cwQN8pGLwmz1n6YELtXeFmtOGnusO6iLYOE7
-3ByFCCqJB6twT5+7dDqFYqqQJgQ6jDTy19dDZ1vDhDttL+2Rn0OYXqPw7gy/1D2p
-Y1cM9PgPBsR4EXhbtV0uKUNomk8tM/HnGMFT0KirI/tSwEP3v9g5YH992mrvNuIV
-TkyQn0jGeMeJATMEEAEIAB0WIQRswFHTwdmkr54mDFjT45SsdE4uuwUCW3haCQAK
-CRDT45SsdE4uu4JjCACppkreiMrpJSREKbUscdOvFxFRYzkTFeSCwX9Ih7r5ENpa
-zjczfIqCCfWzioV6y4K0V04y8CXt/5S5a9vfW801pBUdF9nG4X8YbUn/xSe+8A9m
-MsfDjMNcF7Cp5czVoSS4/4oHm9mQUMYQsn3AwwCPDKFORRRv5Eb0om9JawKtt++7
-ZW0fOgDkvOCm14SN0UtVc4mxTx6iyxdMDgrKinBZVjxEh5oeqUyXh5TYM+XyWFVh
-/gDUvUWwLI0GUWNTyOyUQU1oPVp+sWqrEe1BXLVCKFVWaSTtgJtJ5FyP+z2uzRcv
-aanPOj/ohHAo8VBq9QbefYVAkShNBEuJkATnXhcGiQEzBBABCAAdFiEEvlzFWRM6
-4JjNAb2a+j2ZL9Cqr7wFAlkBCcIACgkQ+j2ZL9Cqr7yB9AgArj+0+i0DCo1nm4MF
-TLnW1Y9GF/Hq/mBva1MhkT0j3BzENK3xgqrqac8KqupsporNEmJ0ZbZzilJdZImb
-o4X5BFdmmnjMiGaH6GAiPqRBBHGvLV2r2pG467J4tOMWO3XipFRf7FibbfhAU1lV
-/GLWYTSwLqwWwBE8u5rriEvDngWUJw2Yd4Yqwduef7O6F+JfsGPRXFomR3387II0
-8AXo/C+P5cl64llaxV6BmkJhQ6ydL0/KwSkHVdlXugk1sPtV/qOyPQ5L1Ibqbsvh
-lLq/jhHlUUNLFjlQ2lrS9bhHGw9OIHTMJvS8RDrk0yAmoHAyRWNgbFN7aA62vBhq
-pcUVzokBMwQQAQgAHRYhBPZ+fW6ADyQOg+vIZ/9qyaZGTfCcBQJa+ZAwAAoJEP9q
-yaZGTfCcKMgH/jRxGfYhhGnlMnDLAEpYC+TGSDLMgmg9cOZbonqyMv+7Kts+pV03
-KUr9SPV+VtGtOxRNiqwFt6V2MHcwPJfTXuH/bBW/HCCpr6UlOVWqIiCNK0Gnpcj5
-rRt5unjG9CwsgyaK9QPI8bGin/c6m8BjwmEdfJ01ATLiUb8WuDHQy9OCyrEAnzSq
-FD5ZtFmAFxvzm2x1nwb5HPuqkOqbRatp8aRJzTxIeSJPpgLw0PawHKGN3Ckp7REc
-g26P1spkPe7SIVRsobH3al4uw7mgs7wiDWN3t8CdmuHAzmB2UrsR84JMTb45GboO
-Bc1CX8xZcHyNaDEpyWHav+P8nZqwfBm+cLiJAjMEEAEIAB0WIQSawVDb4dGOtiX0
-+gWyD0lU8+/LPwUCW/4O9QAKCRCyD0lU8+/LPyI7EACWtj0GEb1VT02gKwtKwgFn
-RJ2pz8vYm188wgJwCJaL04d2D/VwE0jMvmfH80hSKgSLPAVMG06RIOb/tGhHsQKU
-zBlHiAFmfjlJo1FC/Mp44RrERRsFAWBg0/URIs4vP8+5Vl+5m70sZrQpKeq+6TLM
-1dQ0Ohz+QkQ04Z+DTroChWU8/7Uw0E3CqGGKYqPvDh54T1q4s8FoN0no8ZUlt/O+
-r/3c7awr85ZnxqtnHIcuMbVyIZ+gOqXdrLa85yZITsh4zQrjYuyTEg7dpziReyiZ
-+rkpdIdFKl8YeD+d0JWzVm7kq9D4K3+x9C509z0IgJUT3bhsX/N0Yf/QUtUW5oxI
-T7fod86B/Q2M7zBTttFhd1vAjiSjEalK48SjTzWqTDYVIkea1+f1kZK5A0QlthqG
-P2zy5GUjZVzOiCSOhyEOvAorU3zKD2s84VFKlayZEqlHJh8u5U59TWBdkW3qZUJd
-ewW31xt0s8IovYSgOwX3wbsClQs6eVwNuCZT2yQAgAyXA5iFztBvDRQ0qmetvzV2
-Ay9SrjvkQ3qr/eZmbMErEwEUxIO4b1rctCQ6jcbyVxMTAZAfaDoVKWEMXNiF2KSw
-F9SSzGPIZDgiEXUlgaJBlUIYSFxrPuE+da0CM5RixyYIinU6AER6crl9C4C9XL6a
-u3jf+5MTGxviRGn2oQzSCYkCMwQQAQgAHRYhBKeHFU4z7cw4HFbYuaxFYRTTj42I
-BQJboq6kAAoJEKxFYRTTj42IWIAP/3rc9GjDTM4nI6Oi4OzLkwm/I2Vr7LUKG8oX
-8E4Nj3amvNGupzGySjB+vrM6APrMSScXunvM0f19LV84EnNrUQ3KFZcSC6r5WC0B
-2+TVRYGpY+6R9AQpqnuxicW0sa/AlV9WSEb4fDavCel2nW0arH4wkkCzTThUxoBB
-X4I9nf4ZzGoUnnDAwTD9rN0gpI6Td/7faa3t99dRLb6AHJ1KhvyiiV3lr0xtTssD
-xVHo0SpzQTnOcRJnYf/2rTny8bVfROPWieh6HuEiP7SxT1HyeTr4WSAjSCoG95O2
-b3OgSMl0Z82FRMoJYmxID/V5YqH7015SjCxKdYhEZVp9YwWruEJIH8r6MGbWYNAl
-REnyDvfGzAF0L0+gAUymDRmtp1jeXLo+HmLgVEUWegafs1TPfCWS/H9n10Upjmuq
-akituzacz6Kjleq9qbnl81Xmh4AKmOILRwE7Pmcbl8HATOrmi5EaKffjMdWFzOWh
-3U4/VsNDujqSTXD88EjGcpLiIiYefGy0sURJbIMTkfXVt3ruHLyuvhsRE/2QEAi7
-gWB0zuBV8iGBaag+6RQkxGdpemPiogzuDijqZHoUXlp7Q6IYLanXeweyivdrSyTB
-4HOECDbWEPZwk6tCxnuklW5iJndxBmxjSxefIMGU7G2JS9quppCVFCrKUjIWnf7b
-gXnNji5JiQIzBBABCAAdFiEExZuSbLy7rtFhdiOuHt8NuZ2LeoQFAluirpUACgkQ
-Ht8NuZ2LeoR/gQ/6A71JxUavzyBlCXlMy2Hx2+gOfy68b8UWl7DwKTOBSoZOzPC7
-dVCSTzoK8dRELqsp7CkFImWcEwLJWMptuH2I1nK+Ua8bvxJSMJnOlPxYE8Wz5EK3
-SQ2mQvifRezQTe8zjdpxEDSR6xocSiigvJow4X+Mivrxxj8sMgu1KA1ud2VGX/IR
-wMbwuBTH9YydgvzmFzTxdlJHEYmsI8koHrVWPHm//QqqPBn+qz2z9uAzDmGAiDYg
-qtQijo5IJC8ZjxgdcTfCkN6he+GhHtOhyP/KF/FcRHY83DoNCtqexQZWGuKtbd8o
-nQYtmemRFob5kR7GxuNdAqF74oQfXcvXZNtHSuN3VtLqkB4fzW+21JBJCsP3XCzd
-nKjR4erXNrQycmp3shSoJbnVvdbDwaVlWhDen1DvJb0Lj2sO3PQPcwVQbf5XHWR/
-ZCf2OQTfVgwFEB4/0Twv70XwYIui2Ry9hmTPbD4Nn+UXbMQ3SOp90tj/e2yY/MFt
-FvcIYcJTk9LM5IsnKgh+fSWDmdS3HD5Kjv2EPUHTNalruwwfmhS+ScJwM4XqHTJY
-JkB16j/Xv2FTF+6KlbA1zdOVycPzoFKjAENYccQBVo2B+WQac7dFDqGEVNal9z66
-DyU4ciAHl6PsbuN7DWeuScLoqq5jwx61bZgn71mUOYC1/47ypat2BKCOXZ2JAjME
-EgEIAB0WIQSm5op4O95BdGcqQkHwXKpE5VGK/wUCWie53AAKCRDwXKpE5VGK/3rM
-D/9jcYKOjYaPJh3Q7wNC1HjjUa73eo5GvJqyXbsXufIh/RAYgQkD08P5JgzfXvQ0
-zOQTtDlDTVG8VMFoBYeMJVDd0k9LBbaljxcttMPfOll+AlQGAL7iQIqTAndknkJL
-CFdl0ypa5GVsl1tzqmNC5fuMJ3vBoRtYbMitlHQkO0vLjZ7yl9fz+7YkREpEo/d5
-Ya8t4+L6el6lrETYaiGCTxHcbYD7VdiJxpxFQlpgl+XKtobrj70RocGQ5JwUNilC
-nRJKUb33lbmntwDwQ1y1AjCnhB++3GHjJDXBPgYFDCSZPCndKeOXhxmB2psFf41i
-8foJPJXuh1vWOqArdwseFCRM6W2deF1utZmROMSkUo6IC8dYlucO/hjpjhG+C8Zv
-QiM5uLylD3IPMX9wCz1tAhMNs3v4pEPo/4A//1cdLkor9cQVLFj3+TkS888EWZdj
-Y8mUTIXU6yL1DXcj8CfDPS29fMpDorDpK1swl4pN5qgGfsL5BSAXUf1AZDWbxnEY
-xf5rakfHDzrfbtbTSSfrBxS8gdW2vBKM+3nL21BeP8hQ0tkLA7bn2fNGz3aCOw46
-XeVJdBk1gVTwazspylqrh1ljr0hQEN4gs/8kM645BRdD0IyAFFcI44VmuVwd8+2g
-5miAGmVKSqN77w2cgMRnF7xpUsanv+3zKzaTnG+2liTeCokCPgQTAQIAKAUCVL7V
-IAIbAwUJBaOagAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQD8MELjRa0F1m
-RhAAj9X+/4iiQsN888dNW/H1wEFFTd/1vqb2j0sHP3t02LkEPN5Ii9u71TSD2gSD
-WTu1Eb46nRDcapFNv5M0vXcWrEt7PK9b51Kuj4KpP5IjJHpTl2g7umaYQWC8fqcY
-TJTH0guMSCzZlsP0xGLbAj3cG6X5OPzCO+IxEafXmE//SfS9w46n1OC57ca1Y0Fp
-WXfjA0sJrcozgNchsptu3jg/oEteYJoxDAzNO45O4geNONq5D9PUQPb+H5Vv5zpy
-MI7iUJhVnTOFvnoUgRS7v6pWiA3flh5FelK8tYPCzEfvxfe7EB5GO7MaJEO3ZLni
-COaAZ3Nfn6Tt28tCOgd052W4FeGWow7iYCS1Wgd30bq/FNgnl+tKv2woxmWt4jJv
-ioBHQ4PbUnap2RCmBFaG7llRkrKP8nhWSUdwSS3OmDwAfxTTXjPaESK9EX9OV9Xo
-or07thq+7OMs+2cyiy2jSfIau0SELy/tVioZBhoB7hzAJUB8sGHOxMPlVDFdUr3x
-F/cgCclWANhw2xvgPim1wQ0XpeZe6w9RpmjZR7ReMYwxn8APBDP/e9R5aLDUQAep
-2hrJUPK38D0L69RnpWQsR9hZ2hEOrMV2M6ChlvhwHbGSdJ2CcqG5Jx4ZAP23DK3A
-N26TB88H9F7IMrM0REZeu7KzvYwCWlpg0zMXXKQ/2vovoe2JAlUEEwECAD8CGwMG
-CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEEtsj5goK5ROOw1cJTD8MELjRa0F0F
-Alpd+i0FCQ8FJo0ACgkQD8MELjRa0F3X3A//dBQLm6GmXlQFjxZbukTw0lZsevFR
-M/6ljZTxp7bsC+HFzYoaCKv6rikaWzytxk//SOaLKrB4Z9HjAlpBMtyLl2Hk7tcZ
-bPpFafNmQ+4KgWNjLXCvt9se8BGrQvGQUrbE6YowbXa2YIgxIVEncFzIECAsp/+N
-xbMcZN5/X1PJxKi/N22gP4nn47muN6L3pKez3CXgWnhGYSc7BuD5ALWYH7yMYUem
-d4jlXfu5xkBIqirj1arIYC9wmF4ldbLNDPuracc8LmXcSqa5Rpao0s4iVzAD+tkX
-vE/73m3rhepwBXxrfk0McXuI9aucf5h4/KkIBzZsaJ6JM1tzlrJzzjaBKJF9OI5T
-jA0qTxdGzdPztS8gPaPcMkRFfh9ti0ZDx4VeF3s8sOtmMRHeGEWfxqUAbBUbwFsa
-JDu/+8/VO4KijfcuUi8tqJ/JHeosCuGE7TM93LwJu6ZcqMYOPDROE/hsnGm0ZU92
-xedu+07/X1ESHkSFPoaSHD5/DCNa/tXIyJZ8X7gF3eoDP5mSmrJqIqsOBR9WOVYv
-dI8i0GHTXbrZj8WXdoS+N8wlyMLLbAS2jvTe7M5RoqbLz4ABOUUnLVoEE0CiccVZ
-bW75BPxOfaD0szbinAeX6HDPI7St0MbKrRPjuDXjD0JVkLqFINtZfYLGMLss4tgn
-suefr0Bo9ISwG3u5Ag0EVL7VIAEQAOxBxrQesChjrCqKjY5PnSsSYpeb4froucrC
-898AFw2DgN/Zz+W7wtSTbtz/GRcCurjzZvN7o2rCuNk0j0+s1sgZZm2BdldlabLy
-+UF/kSW1rb5qhfXcGGubu48OMdtSfok9lOc0Q1L4HNlGE4lUBkZzmI7Ykqfl+Bwr
-m9rpi54g4ua9PIiiHIAmMoZIcbtOG1KaDr6CoXRk/3g2ZiGUwhq3jFGroiBsKEap
-2FJ1bh5NJk2Eg8pV7fMOF7hUQKBZrNOtIPu8hA5WEgku3U3VYjRSI3SDi6QXnDL+
-xHxajiWpKtF3JjZh8y/CCTD8PyP34YjfZuFmkdske5cdx6H0V2UCiH453ncgFVdQ
-DXkY4n+0MTzhy2xu0IVVnBxYDYNhi+3MjTHJd9C4xMi9t+5IuEvDAPhgfZjDpQak
-EPz6hVmgj0mlKIgRilBRK9/kOxky9utBpGk3jEJGru/hKNloFNspoYtY6zATAr8E
-cOgoCFQE0nIktcg3wF9+OCEnV28/a7XZwUZ7Gl/qfOHtdr374wo8kd8R3V8d2G9q
-5w0/uCV9NNQ0fGWZDPDoYt6wnPL6gZv/nJM8oZY+u0rC24WwScZIniaryC4JHDas
-Ahr2S2CtgCvBgslK6f3gD16KHxPZMBpX73TzOYIhMEP/vXgVJbUD6dYht+U9c4Oh
-EDJown0dABEBAAGJAjwEGAECACYCGwwWIQS2yPmCgrlE47DVwlMPwwQuNFrQXQUC
-Wl36SwUJDwUmqwAKCRAPwwQuNFrQXT1/D/9YpRDNgaJl3YVDtVZoeQwh7BQ6ULZT
-eXFPogYkF2j3VWg8s9UmAs4sg/4a+9KLSantXjX+JFsRv0lQe5Gr/Vl8VQ4LKEXB
-fiGmSivjIZ7eopdd3YP2w6G5T3SA4d2CQfsg4rnJPnXIjzKNiSOi368ybnt9fL0Y
-2r2aqLTmP6Y7issDUO+J1TW1XHm349JPR0Hl4cTuNnWm4JuX2m2CJEc5XBlDAha9
-pUVs+J5C2D0UFFkyeOzeJPwy6x5ApWHm84n8AjhQSpu1qRKxKXdwei6tkQWWMHui
-+TgSY/zCkmD9/oY15Ei5avJ4WgIbTLJUoZMi70riPmU8ThjpzA7S+Nk0g7rMPq+X
-l1whjKU/u0udlsrIJjzkh6ftqKUmIkbxYTpjhnEujNrEr5m2S6Z6x3y9E5QagBMR
-dxRhfk+HbyACcP/p9rXOzl4M291DoKeAAH70GHniGxyNs9rAoMr/hD5XW/Wrz3dc
-KMc2s555E6MZILE2ZiolcRn+bYOMPZtWlbx98t8uqMf49gY4FGQBZAwPglMrx7mr
-m7HTIiXahThQGOJg6izJDAD5RwSEGlAcL28T8KAuM6CLLkhlBfQwiKsUBNnh9r8w
-V3lB+pV0GhL+3i077gTYfZBRwLzjFdhm9xUKEaZ6rN1BX9lzix4eSNK5nln0jUq1
-67H2IH//2sf8dw==
-=fTDu
------END PGP PUBLIC KEY BLOCK-----

security/nss/automation/taskcluster/docker-hacl/Dockerfile

@@ -1,31 +0,0 @@
-FROM ubuntu:xenial
-
-MAINTAINER Franziskus Kiefer <franziskuskiefer@gmail.com>
-# Based on the HACL* image from Benjamin Beurdouche and
-# the original F* formula with Daniel Fabian
-
-# Pinned versions of HACL* (F* and KreMLin are pinned as submodules)
-ENV haclrepo https://github.com/mitls/hacl-star.git
-
-# Define versions of dependencies
-ENV opamv 4.05.0
-ENV haclversion 1442c015dab97cdf203ae238b1f3aeccf511bd1e
-
-# Install required packages and set versions
-ADD B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc /tmp/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
-
-# Create user, add scripts.
-RUN useradd -ms /bin/bash worker
-WORKDIR /home/worker
-ADD bin /home/worker/bin
-RUN chmod +x /home/worker/bin/*
-USER worker
-
-# Build F*, HACL*, verify. Install a few more dependencies.
-ENV OPAMYES true
-ENV PATH "/home/worker/hacl-star/dependencies/z3/bin:$PATH"
-ADD setup-user.sh /tmp/setup-user.sh
-ADD license.txt /tmp/license.txt
-RUN bash /tmp/setup-user.sh

security/nss/automation/taskcluster/docker-hacl/bin/checkout.sh

@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-if [ $(id -u) = 0 ]; then
-    # Drop privileges by re-running this script.
-    exec su worker $0
-fi
-
-# Default values for testing.
-REVISION=${NSS_HEAD_REVISION:-default}
-REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
-
-# Clone NSS.
-for i in 0 2 5; do
-    sleep $i
-    hg clone -r $REVISION $REPOSITORY nss && exit 0
-    rm -rf nss
-done
-exit 1

security/nss/automation/taskcluster/docker-hacl/license.txt

@@ -1,15 +0,0 @@
-/* Copyright 2016-2017 INRIA and Microsoft Corporation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-

security/nss/automation/taskcluster/docker-hacl/setup-user.sh

@@ -1,25 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Prepare build (OCaml packages)
-opam init
-echo ". /home/worker/.opam/opam-init/init.sh > /dev/null 2> /dev/null || true" >> .bashrc
-opam switch -v ${opamv}
-opam install ocamlfind batteries sqlite3 fileutils yojson ppx_deriving_yojson zarith pprint menhir ulex process fix wasm stdint
-
-# Get the HACL* code
-git clone ${haclrepo} hacl-star
-git -C hacl-star checkout ${haclversion}
-
-# Prepare submodules, and build, verify, test, and extract c code
-# This caches the extracted c code (pins the HACL* version). All we need to do
-# on CI now is comparing the code in this docker image with the one in NSS.
-opam config exec -- make -C hacl-star prepare -j$(nproc)
-make -C hacl-star -f Makefile.build snapshots/nss -j$(nproc)
-KOPTS="-funroll-loops 5" make -C hacl-star/code/curve25519 test -j$(nproc)
-make -C hacl-star/code/salsa-family test -j$(nproc)
-make -C hacl-star/code/poly1305 test -j$(nproc)
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache

security/nss/automation/taskcluster/docker-hacl/setup.sh

@@ -1,34 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -qq update
-apt-get install --yes libssl-dev libsqlite3-dev g++-5 gcc-5 m4 make opam pkg-config python libgmp3-dev cmake curl libtool-bin autoconf wget locales
-update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 200
-update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-5 200
-
-# Get clang-format-3.9
-curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
-curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
-
-# Verify the signature. The key used for verification was fetched via:
-#    gpg --keyserver pgp.key-server.io --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
-# Use a local copy to workaround bug 1565013.
-gpg --no-default-keyring --keyring tmp.keyring --import /tmp/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc
-gpg --no-default-keyring --keyring tmp.keyring --verify clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
-
-# Install into /usr/local/.
-tar xJvf *.tar.xz -C /usr/local --strip-components=1
-# Cleanup.
-rm *.tar.xz*
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean

security/nss/automation/taskcluster/graph/src/extend.js

@@ -41,11 +41,6 @@ const FUZZ_IMAGE_32 = {
   path: "automation/taskcluster/docker-fuzz32"
 };
 
-const HACL_GEN_IMAGE = {
-  name: "hacl",
-  path: "automation/taskcluster/docker-hacl"
-};
-
 const SAW_IMAGE = {
   name: "saw",
   path: "automation/taskcluster/docker-saw"
@@ -105,8 +100,20 @@ queue.filter(task => {
 
   // Don't run all additional hardware tests on ARM.
   if (task.group == "Cipher" && task.platform == "aarch64" && task.env &&
-      (task.env.NSS_DISABLE_PCLMUL == "1" || task.env.NSS_DISABLE_HW_AES == "1"
-       || task.env.NSS_DISABLE_AVX == "1")) {
+      (task.env.NSS_DISABLE_PCLMUL == "1" || task.env.NSS_DISABLE_SSE4_1 == "1"
+       || task.env.NSS_DISABLE_AVX == "1" || task.env.NSS_DISABLE_AVX2 == "1")) {
+    return false;
+  }
+
+  // Don't run ARM specific hardware tests on non-ARM.
+  // TODO: our server that runs task cluster doesn't support Intel SHA extensions.
+  if (task.group == "Cipher" && task.platform != "aarch64" && task.env &&
+      (task.env.NSS_DISABLE_HW_SHA1 == "1" || task.env.NSS_DISABLE_HW_SHA2 == "1")) {
+    return false;
+  }
+
+  // Don't run DBM builds on aarch64.
+  if (task.group == "DBM" && task.platform == "aarch64") {
     return false;
   }
 
@@ -500,7 +507,7 @@ async function scheduleLinux(name, overrides, args = "") {
   }
 
   // The task that generates certificates.
-  let task_cert = queue.scheduleTask(merge(build_base, {
+  let cert_base = merge(build_base, {
     name: "Certificates",
     command: [
       "/bin/bash",
@@ -509,7 +516,8 @@ async function scheduleLinux(name, overrides, args = "") {
     ],
     parent: task_build,
     symbol: "Certs"
-  }));
+  });
+  let task_cert = queue.scheduleTask(cert_base);
 
   // Schedule tests.
   scheduleTests(task_build, task_cert, merge(base, {
@@ -592,6 +600,25 @@ async function scheduleLinux(name, overrides, args = "") {
     symbol: "modular"
   }));
 
+  if (base.collection != "make") {
+    let task_build_dbm = queue.scheduleTask(merge(extra_base, {
+      name: `${name} w/ legacy-db`,
+      command: [
+        "/bin/bash",
+        "-c",
+        checkout_and_gyp + "--enable-legacy-db"
+      ],
+      symbol: "B",
+      group: "DBM",
+    }));
+
+    let task_cert_dbm = queue.scheduleTask(merge(cert_base, {
+      parent: task_build_dbm,
+      group: "DBM",
+      symbol: "Certs"
+    }));
+  }
+
   return queue.submit();
 }
 
@@ -830,11 +857,11 @@ async function scheduleWindows(name, base, build_script) {
     workerType: "win2012r2",
     env: {
       PATH: "c:\\mozilla-build\\bin;c:\\mozilla-build\\python;" +
-	    "c:\\mozilla-build\\msys\\local\\bin;c:\\mozilla-build\\7zip;" +
-	    "c:\\mozilla-build\\info-zip;c:\\mozilla-build\\python\\Scripts;" +
-	    "c:\\mozilla-build\\yasm;c:\\mozilla-build\\msys\\bin;" +
-	    "c:\\Windows\\system32;c:\\mozilla-build\\upx391w;" +
-	    "c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget",
+           "c:\\mozilla-build\\msys\\local\\bin;c:\\mozilla-build\\7zip;" +
+           "c:\\mozilla-build\\info-zip;c:\\mozilla-build\\python\\Scripts;" +
+           "c:\\mozilla-build\\yasm;c:\\mozilla-build\\msys\\bin;" +
+           "c:\\Windows\\system32;c:\\mozilla-build\\upx391w;" +
+           "c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget",
       DOMSUF: "localdomain",
       HOST: "localhost",
     },
@@ -983,9 +1010,16 @@ function scheduleTests(task_build, task_cert, test_base) {
     name: "Cipher tests", symbol: "Default", tests: "cipher", group: "Cipher"
   }));
   queue.scheduleTask(merge(cert_base_long, {
-    name: "Cipher tests", symbol: "NoAESNI", tests: "cipher",
+    name: "Cipher tests", symbol: "NoAES", tests: "cipher",
     env: {NSS_DISABLE_HW_AES: "1"}, group: "Cipher"
   }));
+  queue.scheduleTask(merge(cert_base_long, {
+    name: "Cipher tests", symbol: "NoSHA", tests: "cipher",
+    env: {
+      NSS_DISABLE_HW_SHA1: "1",
+      NSS_DISABLE_HW_SHA2: "1"
+    }, group: "Cipher"
+  }));
   queue.scheduleTask(merge(cert_base_long, {
     name: "Cipher tests", symbol: "NoPCLMUL", tests: "cipher",
     env: {NSS_DISABLE_PCLMUL: "1"}, group: "Cipher"
@@ -994,6 +1028,10 @@ function scheduleTests(task_build, task_cert, test_base) {
     name: "Cipher tests", symbol: "NoAVX", tests: "cipher",
     env: {NSS_DISABLE_AVX: "1"}, group: "Cipher"
   }));
+  queue.scheduleTask(merge(cert_base_long, {
+    name: "Cipher tests", symbol: "NoAVX2", tests: "cipher",
+    env: {NSS_DISABLE_AVX2: "1"}, group: "Cipher"
+  }));
   queue.scheduleTask(merge(cert_base_long, {
     name: "Cipher tests", symbol: "NoSSSE3|NEON", tests: "cipher",
     env: {
@@ -1001,6 +1039,10 @@ function scheduleTests(task_build, task_cert, test_base) {
       NSS_DISABLE_SSSE3: "1"
     }, group: "Cipher"
   }));
+  queue.scheduleTask(merge(cert_base_long, {
+    name: "Cipher tests", symbol: "NoSSE4.1", tests: "cipher",
+    env: {NSS_DISABLE_SSE4_1: "1"}, group: "Cipher"
+  }));
   queue.scheduleTask(merge(cert_base, {
     name: "EC tests", symbol: "EC", tests: "ec"
   }));
@@ -1039,12 +1081,6 @@ function scheduleTests(task_build, task_cert, test_base) {
   queue.scheduleTask(merge(ssl_base, {
     name: "SSL tests (pkix)", symbol: "pkix", cycle: "pkix"
   }));
-  queue.scheduleTask(merge(ssl_base, {
-    name: "SSL tests (sharedb)", symbol: "sharedb", cycle: "sharedb"
-  }));
-  queue.scheduleTask(merge(ssl_base, {
-    name: "SSL tests (upgradedb)", symbol: "upgradedb", cycle: "upgradedb"
-  }));
   queue.scheduleTask(merge(ssl_base, {
     name: "SSL tests (stress)", symbol: "stress", cycle: "sharedb",
     env: {NSS_SSL_RUN: "stress"}
@@ -1135,7 +1171,7 @@ async function scheduleTools() {
   queue.scheduleTask(merge(base, {
     symbol: "hacl",
     name: "hacl",
-    image: HACL_GEN_IMAGE,
+    image: LINUX_BUILDS_IMAGE,
     command: [
       "/bin/bash",
       "-c",
@@ -1181,18 +1217,22 @@ async function scheduleTools() {
     ]
   }));
 
-  queue.scheduleTask(merge(base, {
-    parent: task_saw,
-    symbol: "ChaCha20",
-    group: "SAW",
-    name: "chacha20.saw",
-    image: SAW_IMAGE,
-    command: [
-      "/bin/bash",
-      "-c",
-      "bin/checkout.sh && nss/automation/taskcluster/scripts/run_saw.sh chacha20"
-    ]
-  }));
+  // TODO: The ChaCha20 saw verification is currently disabled because the new
+  //       HACL 32-bit code can't be verified by saw right now to the best of
+  //       my knowledge.
+  //       Bug 1604130
+  // queue.scheduleTask(merge(base, {
+  //   parent: task_saw,
+  //   symbol: "ChaCha20",
+  //   group: "SAW",
+  //   name: "chacha20.saw",
+  //   image: SAW_IMAGE,
+  //   command: [
+  //     "/bin/bash",
+  //     "-c",
+  //     "bin/checkout.sh && nss/automation/taskcluster/scripts/run_saw.sh chacha20"
+  //   ]
+  // }));
 
   queue.scheduleTask(merge(base, {
     parent: task_saw,
@@ -1211,7 +1251,15 @@ async function scheduleTools() {
     symbol: "Coverage",
     name: "Coverage",
     image: FUZZ_IMAGE,
+    type: "other",
     features: ["allowPtrace"],
+    artifacts: {
+      public: {
+        expires: 24 * 7,
+        type: "directory",
+        path: "/home/worker/artifacts"
+      }
+    },
     command: [
       "/bin/bash",
       "-c",

security/nss/automation/taskcluster/graph/src/queue.js

@@ -220,6 +220,9 @@ export async function submit() {
     maps.forEach(map => { task = map(merge({}, task)) });
 
     let log_id = `${task.name} @ ${task.platform}[${task.collection || "opt"}]`;
+    if (task.group) {
+      log_id = `${task.group}::${log_id}`;
+    }
     console.log(`+ Submitting ${log_id}.`);
 
     // Index that task for each tag specified

security/nss/automation/taskcluster/scripts/build_gyp.sh

@@ -12,7 +12,7 @@ if [[ -f nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then
 fi
 
 # Build.
-nss/build.sh -g -v --enable-libpkix "$@"
+nss/build.sh -g -v --enable-libpkix -Denable_draft_hpke=1 "$@"
 
 # Package.
 if [[ $(uname) = "Darwin" ]]; then

security/nss/automation/taskcluster/scripts/check_abi.sh

@@ -97,7 +97,8 @@ abi_diff()
   rm -f ${ABI_REPORT}
   PREVDIST=${HGDIR}/baseline/dist
   NEWDIST=${HGDIR}/dist
-  ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnssdbm3.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so"
+  # libnssdbm3.so isn't built by default anymore, skip it.
+  ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so"
   for SO in ${ALL_SOs}; do
       if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then
           touch ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt

security/nss/automation/taskcluster/scripts/run_hacl.sh

@@ -8,33 +8,25 @@ fi
 
 set -e -x -v
 
-# The docker image this is running in has the HACL* and NSS sources.
-# The extracted C code from HACL* is already generated and the HACL* tests were
-# successfully executed.
+# The docker image this is running in has NSS sources.
+# Get the HACL* source, containing a snapshot of the C code, extracted on the
+# HACL CI.
+# When bug 1593647 is resolved, extract the code on CI again.
+git clone -q "https://github.com/project-everest/hacl-star" ~/hacl-star
+git -C ~/hacl-star checkout -q e4311991b1526734f99f4e3a0058895a46c63e5c
 
-# Verify HACL*. Taskcluster fails when we do this in the image build.
-make -C hacl-star verify-nss -j$(nproc)
-
-# Add license header to specs
-spec_files=($(find ~/hacl-star/specs -type f -name '*.fst'))
-for f in "${spec_files[@]}"; do
-    cat /tmp/license.txt "$f" > /tmp/tmpfile && mv /tmp/tmpfile "$f"
-done
-
-# Format the extracted C code.
-cd ~/hacl-star/snapshots/nss
+# Format the C snapshot.
+cd ~/hacl-star/dist/mozilla
+cp ~/nss/.clang-format .
+find . -type f -name '*.[ch]' -exec clang-format -i {} \+
+cd ~/hacl-star/dist/kremlin
 cp ~/nss/.clang-format .
 find . -type f -name '*.[ch]' -exec clang-format -i {} \+
 
 # These diff commands will return 1 if there are differences and stop the script.
 files=($(find ~/nss/lib/freebl/verified/ -type f -name '*.[ch]'))
 for f in "${files[@]}"; do
-    diff $f $(basename "$f")
-done
-
-# Check that the specs didn't change either.
-cd ~/hacl-star/specs
-files=($(find ~/nss/lib/freebl/verified/specs -type f))
-for f in "${files[@]}"; do
-    diff $f $(basename "$f")
+    file_name=$(basename "$f")
+    hacl_file=($(find ~/hacl-star/dist/mozilla/ ~/hacl-star/dist/kremlin/ -type f -name $file_name))
+    diff $hacl_file $f
 done

security/nss/automation/taskcluster/windows/build_gyp.sh

@@ -19,7 +19,7 @@ pushd gyp
 python -m virtualenv test-env
 test-env/Scripts/python setup.py install
 test-env/Scripts/python -m pip install --upgrade pip
-test-env/Scripts/pip install --upgrade setuptools
+test-env/Scripts/pip install --upgrade 'setuptools<45.0.0'
 # Fool GYP.
 touch "${VSPATH}/VC/vcvarsall.bat"
 export GYP_MSVS_OVERRIDE_PATH="${VSPATH}"
@@ -38,7 +38,7 @@ if [[ -f nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then
 fi
 
 # Build with gyp.
-./nss/build.sh -g -v --enable-libpkix "$@"
+./nss/build.sh -g -v --enable-libpkix -Denable_draft_hpke=1 "$@"
 
 # Package.
 7z a public/build/dist.7z dist

security/nss/build.sh

@@ -113,8 +113,8 @@ while [ $# -gt 0 ]; do
         --fuzz) fuzz=1 ;;
         --fuzz=oss) fuzz=1; fuzz_oss=1 ;;
         --fuzz=tls) fuzz=1; fuzz_tls=1 ;;
-        --sancov) enable_sancov ;;
-        --sancov=?*) enable_sancov "${1#*=}" ;;
+        --sancov) enable_sancov; gyp_params+=(-Dcoverage=1) ;;
+        --sancov=?*) enable_sancov "${1#*=}"; gyp_params+=(-Dcoverage=1) ;;
         --emit-llvm) gyp_params+=(-Demit_llvm=1 -Dsign_libs=0) ;;
         --no-zdefs) gyp_params+=(-Dno_zdefs=1) ;;
         --static) gyp_params+=(-Dstatic_libs=1) ;;
@@ -130,6 +130,7 @@ while [ $# -gt 0 ]; do
         --enable-libpkix) gyp_params+=(-Ddisable_libpkix=0) ;;
         --mozpkix-only) gyp_params+=(-Dmozpkix_only=1 -Ddisable_tests=1 -Dsign_libs=0) ;;
         --disable-keylog) sslkeylogfile=0 ;;
+        --enable-legacy-db) gyp_params+=(-Ddisable_dbm=0) ;;
         -D*) gyp_params+=("$1") ;;
         *) show_help; exit 2 ;;
     esac

security/nss/cmd/bltest/blapitest.c

@@ -608,9 +608,11 @@ typedef enum {
     bltestDES_CBC,     /* .            */
     bltestDES_EDE_ECB, /* .            */
     bltestDES_EDE_CBC, /* .            */
-    bltestRC2_ECB,     /* .            */
-    bltestRC2_CBC,     /* .            */
-    bltestRC4,         /* .            */
+#ifndef NSS_DISABLE_DEPRECATED_RC2
+    bltestRC2_ECB, /* .            */
+    bltestRC2_CBC, /* .            */
+#endif
+    bltestRC4, /* .            */
 #ifdef NSS_SOFTOKEN_DOES_RC5
     bltestRC5_ECB, /* .            */
     bltestRC5_CBC, /* .            */
@@ -622,21 +624,23 @@ typedef enum {
     bltestAES_GCM,      /* .                     */
     bltestCAMELLIA_ECB, /* .                     */
     bltestCAMELLIA_CBC, /* .                     */
-    bltestSEED_ECB,     /* SEED algorithm      */
-    bltestSEED_CBC,     /* SEED algorithm      */
-    bltestCHACHA20,     /* ChaCha20 + Poly1305   */
-    bltestRSA,          /* Public Key Ciphers    */
-    bltestRSA_OAEP,     /* . (Public Key Enc.)   */
-    bltestRSA_PSS,      /* . (Public Key Sig.)   */
-    bltestECDSA,        /* . (Public Key Sig.)   */
-    bltestDSA,          /* . (Public Key Sig.)   */
-    bltestMD2,          /* Hash algorithms       */
-    bltestMD5,          /* .             */
-    bltestSHA1,         /* .             */
-    bltestSHA224,       /* .             */
-    bltestSHA256,       /* .             */
-    bltestSHA384,       /* .             */
-    bltestSHA512,       /* .             */
+#ifndef NSS_DISABLE_DEPRECATED_SEED
+    bltestSEED_ECB, /* SEED algorithm      */
+    bltestSEED_CBC, /* SEED algorithm      */
+#endif
+    bltestCHACHA20, /* ChaCha20 + Poly1305   */
+    bltestRSA,      /* Public Key Ciphers    */
+    bltestRSA_OAEP, /* . (Public Key Enc.)   */
+    bltestRSA_PSS,  /* . (Public Key Sig.)   */
+    bltestECDSA,    /* . (Public Key Sig.)   */
+    bltestDSA,      /* . (Public Key Sig.)   */
+    bltestMD2,      /* Hash algorithms       */
+    bltestMD5,      /* .             */
+    bltestSHA1,     /* .             */
+    bltestSHA224,   /* .             */
+    bltestSHA256,   /* .             */
+    bltestSHA384,   /* .             */
+    bltestSHA512,   /* .             */
     NUMMODES
 } bltestCipherMode;
 
@@ -646,8 +650,10 @@ static char *mode_strings[] =
       "des_cbc",
       "des3_ecb",
       "des3_cbc",
+#ifndef NSS_DISABLE_DEPRECATED_RC2
       "rc2_ecb",
       "rc2_cbc",
+#endif
       "rc4",
 #ifdef NSS_SOFTOKEN_DOES_RC5
       "rc5_ecb",
@@ -660,8 +666,10 @@ static char *mode_strings[] =
       "aes_gcm",
       "camellia_ecb",
       "camellia_cbc",
+#ifndef NSS_DISABLE_DEPRECATED_SEED
       "seed_ecb",
       "seed_cbc",
+#endif
       "chacha20_poly1305",
       "rsa",
       "rsa_oaep",
@@ -792,8 +800,12 @@ struct bltestCipherInfoStr {
 PRBool
 is_symmkeyCipher(bltestCipherMode mode)
 {
-    /* change as needed! */
+/* change as needed! */
+#ifndef NSS_DISABLE_DEPRECATED_SEED
     if (mode >= bltestDES_ECB && mode <= bltestSEED_CBC)
+#else
+    if (mode >= bltestDES_ECB && mode <= bltestCAMELLIA_CBC)
+#endif
         return PR_TRUE;
     return PR_FALSE;
 }
@@ -871,7 +883,9 @@ cipher_requires_IV(bltestCipherMode mode)
     switch (mode) {
         case bltestDES_CBC:
         case bltestDES_EDE_CBC:
+#ifndef NSS_DISABLE_DEPRECATED_RC2
         case bltestRC2_CBC:
+#endif
 #ifdef NSS_SOFTOKEN_DOES_RC5
         case bltestRC5_CBC:
 #endif
@@ -880,7 +894,9 @@ cipher_requires_IV(bltestCipherMode mode)
         case bltestAES_CTR:
         case bltestAES_GCM:
         case bltestCAMELLIA_CBC:
+#ifndef NSS_DISABLE_DEPRECATED_SEED
         case bltestSEED_CBC:
+#endif
         case bltestCHACHA20:
             return PR_TRUE;
         default:
@@ -1078,6 +1094,7 @@ des_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen,
                        input, inputLen);
 }
 
+#ifndef NSS_DISABLE_DEPRECATED_RC2
 SECStatus
 rc2_Encrypt(void *cx, unsigned char *output, unsigned int *outputLen,
             unsigned int maxOutputLen, const unsigned char *input,
@@ -1095,6 +1112,7 @@ rc2_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen,
     return RC2_Decrypt((RC2Context *)cx, output, outputLen, maxOutputLen,
                        input, inputLen);
 }
+#endif /* NSS_DISABLE_DEPRECATED_RC2 */
 
 SECStatus
 rc4_Encrypt(void *cx, unsigned char *output, unsigned int *outputLen,
@@ -1176,6 +1194,7 @@ camellia_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen,
                             input, inputLen);
 }
 
+#ifndef NSS_DISABLE_DEPRECATED_SEED
 SECStatus
 seed_Encrypt(void *cx, unsigned char *output, unsigned int *outputLen,
              unsigned int maxOutputLen, const unsigned char *input,
@@ -1193,6 +1212,7 @@ seed_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen,
     return SEED_Decrypt((SEEDContext *)cx, output, outputLen, maxOutputLen,
                         input, inputLen);
 }
+#endif /* NSS_DISABLE_DEPRECATED_SEED */
 
 SECStatus
 rsa_PublicKeyOp(void *cx, SECItem *output, const SECItem *input)
@@ -1361,6 +1381,7 @@ bltest_des_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
     return SECSuccess;
 }
 
+#ifndef NSS_DISABLE_DEPRECATED_RC2
 SECStatus
 bltest_rc2_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
 {
@@ -1406,6 +1427,7 @@ bltest_rc2_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
         cipherInfo->cipher.symmkeyCipher = rc2_Decrypt;
     return SECSuccess;
 }
+#endif /* NSS_DISABLE_DEPRECATED_RC2 */
 
 SECStatus
 bltest_rc4_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
@@ -1481,7 +1503,7 @@ bltest_aes_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
     unsigned char *params;
     int len;
     CK_AES_CTR_PARAMS ctrParams;
-    CK_GCM_PARAMS gcmParams;
+    CK_NSS_GCM_PARAMS gcmParams;
 
     params = aesp->iv.buf.data;
     switch (cipherInfo->mode) {
@@ -1587,6 +1609,7 @@ bltest_camellia_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
     return SECSuccess;
 }
 
+#ifndef NSS_DISABLE_DEPRECATED_SEED
 SECStatus
 bltest_seed_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
 {
@@ -1630,6 +1653,7 @@ bltest_seed_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
 
     return SECSuccess;
 }
+#endif /* NSS_DISABLE_DEPRECATED_SEED */
 
 SECStatus
 bltest_chacha20_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
@@ -2245,12 +2269,14 @@ cipherInit(bltestCipherInfo *cipherInfo, PRBool encrypt)
                               cipherInfo->input.pBuf.len);
             return bltest_des_init(cipherInfo, encrypt);
             break;
+#ifndef NSS_DISABLE_DEPRECATED_RC2
         case bltestRC2_ECB:
         case bltestRC2_CBC:
             SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
                               cipherInfo->input.pBuf.len);
             return bltest_rc2_init(cipherInfo, encrypt);
             break;
+#endif /* NSS_DISABLE_DEPRECATED_RC2 */
         case bltestRC4:
             SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
                               cipherInfo->input.pBuf.len);
@@ -2282,12 +2308,14 @@ cipherInit(bltestCipherInfo *cipherInfo, PRBool encrypt)
                               cipherInfo->input.pBuf.len);
             return bltest_camellia_init(cipherInfo, encrypt);
             break;
+#ifndef NSS_DISABLE_DEPRECATED_SEED
         case bltestSEED_ECB:
         case bltestSEED_CBC:
             SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
                               cipherInfo->input.pBuf.len);
             return bltest_seed_init(cipherInfo, encrypt);
             break;
+#endif /* NSS_DISABLE_DEPRECATED_SEED */
         case bltestCHACHA20:
             outlen = cipherInfo->input.pBuf.len + (encrypt ? 16 : 0);
             SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf, outlen);
@@ -2586,19 +2614,23 @@ cipherFinish(bltestCipherInfo *cipherInfo)
         case bltestCAMELLIA_CBC:
             Camellia_DestroyContext((CamelliaContext *)cipherInfo->cx, PR_TRUE);
             break;
+#ifndef NSS_DISABLE_DEPRECATED_SEED
         case bltestSEED_ECB:
         case bltestSEED_CBC:
             SEED_DestroyContext((SEEDContext *)cipherInfo->cx, PR_TRUE);
             break;
+#endif /* NSS_DISABLE_DEPRECATED_SEED */
         case bltestCHACHA20:
             ChaCha20Poly1305_DestroyContext((ChaCha20Poly1305Context *)
                                                 cipherInfo->cx,
                                             PR_TRUE);
             break;
+#ifndef NSS_DISABLE_DEPRECATED_RC2
         case bltestRC2_ECB:
         case bltestRC2_CBC:
             RC2_DestroyContext((RC2Context *)cipherInfo->cx, PR_TRUE);
             break;
+#endif /* NSS_DISABLE_DEPRECATED_RC2 */
         case bltestRC4:
             RC4_DestroyContext((RC4Context *)cipherInfo->cx, PR_TRUE);
             break;
@@ -2747,10 +2779,14 @@ print_td:
         case bltestAES_GCM:
         case bltestCAMELLIA_ECB:
         case bltestCAMELLIA_CBC:
+#ifndef NSS_DISABLE_DEPRECATED_SEED
         case bltestSEED_ECB:
         case bltestSEED_CBC:
+#endif
+#ifndef NSS_DISABLE_DEPRECATED_RC2
         case bltestRC2_ECB:
         case bltestRC2_CBC:
+#endif
         case bltestRC4:
             if (td)
                 fprintf(stdout, "%8s", "symmkey");
@@ -2934,21 +2970,29 @@ get_params(PLArenaPool *arena, bltestParams *params,
             load_file_data(arena, &params->ask.aad, filename, bltestBinary);
         case bltestDES_CBC:
         case bltestDES_EDE_CBC:
+#ifndef NSS_DISABLE_DEPRECATED_RC2
         case bltestRC2_CBC:
+#endif
         case bltestAES_CBC:
         case bltestAES_CTS:
         case bltestAES_CTR:
         case bltestCAMELLIA_CBC:
+#ifndef NSS_DISABLE_DEPRECATED_SEED
         case bltestSEED_CBC:
+#endif
             sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "iv", j);
             load_file_data(arena, &params->sk.iv, filename, bltestBinary);
         case bltestDES_ECB:
         case bltestDES_EDE_ECB:
+#ifndef NSS_DISABLE_DEPRECATED_RC2
         case bltestRC2_ECB:
+#endif
         case bltestRC4:
         case bltestAES_ECB:
         case bltestCAMELLIA_ECB:
+#ifndef NSS_DISABLE_DEPRECATED_SEED
         case bltestSEED_ECB:
+#endif
             sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
             load_file_data(arena, &params->sk.key, filename, bltestBinary);
             break;

security/nss/cmd/fipstest/fipstest.c

@@ -1027,7 +1027,7 @@ aes_gcm(char *reqfn, int encrypt)
     unsigned int tagbits;
     unsigned int taglen = 0;
     unsigned int ivlen;
-    CK_GCM_PARAMS params;
+    CK_NSS_GCM_PARAMS params;
     SECStatus rv;
 
     aesreq = fopen(reqfn, "r");
@@ -8231,6 +8231,527 @@ loser:
         fclose(ikereq);
 }
 
+void
+kbkdf(char *path)
+{
+    /* == Parser data == */
+    char buf[610]; /* holds one line from the input REQUEST file. Needs to
+                    * be large enough to hold the longest line:
+                    * "KO = <600 hex digits>\n". */
+    CK_ULONG L;
+    unsigned char KI[64];
+    unsigned int KI_len = 64;
+    unsigned char KO[300];
+    unsigned int KO_len = 300;
+    /* This is used only with feedback mode. */
+    unsigned char IV[64];
+    unsigned int IV_len = 64;
+    /* These are only used in counter mode with counter location as
+     * MIDDLE_FIXED. */
+    unsigned char BeforeFixedInputData[50];
+    unsigned int BeforeFixedInputData_len = 50;
+    unsigned char AfterFixedInputData[10];
+    unsigned int AfterFixedInputData_len = 10;
+    /* These are used with every KDF type. */
+    unsigned char FixedInputData[60];
+    unsigned int FixedInputData_len = 60;
+
+    /* Counter locations:
+     *
+     * 0: not used
+     * 1: beginning
+     * 2: middle
+     * 3: end */
+    int ctr_location = 0;
+    CK_ULONG counter_bitlen = 0;
+
+    size_t buf_offset;
+    size_t offset;
+
+    FILE *kbkdf_req = NULL;
+    FILE *kbkdf_resp = NULL;
+
+    /* == PKCS#11 data == */
+    CK_RV crv;
+
+    CK_SLOT_ID slotList[10];
+    CK_SLOT_ID slotID;
+    CK_ULONG slotListCount = sizeof(slotList) / sizeof(slotList[0]);
+    CK_ULONG slotCount = 0;
+
+    CK_MECHANISM kdf = { 0 };
+
+    CK_MECHANISM_TYPE prf_mech = 0;
+    CK_BBOOL ck_true = CK_TRUE;
+
+    /* We never need more than 3 data parameters. */
+    CK_PRF_DATA_PARAM dataParams[3];
+    CK_ULONG dataParams_len = 3;
+
+    CK_SP800_108_COUNTER_FORMAT iterator = { CK_FALSE, 0 };
+
+    CK_SP800_108_KDF_PARAMS kdfParams = { 0 };
+    CK_SP800_108_FEEDBACK_KDF_PARAMS feedbackParams = { 0 };
+
+    CK_OBJECT_CLASS ck_secret_key = CKO_SECRET_KEY;
+    CK_KEY_TYPE ck_generic = CKK_GENERIC_SECRET;
+
+    CK_ATTRIBUTE prf_template[] = {
+        { CKA_VALUE, &KI, sizeof(KI) },
+        { CKA_CLASS, &ck_secret_key, sizeof(ck_secret_key) },
+        { CKA_KEY_TYPE, &ck_generic, sizeof(ck_generic) },
+        { CKA_DERIVE, &ck_true, sizeof(ck_true) }
+    };
+    CK_ULONG prf_template_count = sizeof(prf_template) / sizeof(prf_template[0]);
+
+    CK_ATTRIBUTE derive_template[] = {
+        { CKA_CLASS, &ck_secret_key, sizeof(ck_secret_key) },
+        { CKA_KEY_TYPE, &ck_generic, sizeof(ck_generic) },
+        { CKA_DERIVE, &ck_true, sizeof(ck_true) },
+        { CKA_VALUE_LEN, &L, sizeof(L) }
+    };
+    CK_ULONG derive_template_count = sizeof(derive_template) / sizeof(derive_template[0]);
+
+    CK_ATTRIBUTE output_key = { CKA_VALUE, KO, KO_len };
+
+    const CK_C_INITIALIZE_ARGS pk11args = {
+        NULL, NULL, NULL, NULL, CKF_LIBRARY_CANT_CREATE_OS_THREADS,
+        (void *)"flags=readOnly,noCertDB,noModDB", NULL
+    };
+
+    /* == Start up PKCS#11 == */
+    crv = NSC_Initialize((CK_VOID_PTR)&pk11args);
+    if (crv != CKR_OK) {
+        fprintf(stderr, "NSC_Initialize failed crv=0x%x\n", (unsigned int)crv);
+        goto done;
+    }
+
+    slotCount = slotListCount;
+    crv = NSC_GetSlotList(PR_TRUE, slotList, &slotCount);
+    if (crv != CKR_OK) {
+        fprintf(stderr, "NSC_GetSlotList failed crv=0x%x\n", (unsigned int)crv);
+        goto done;
+    }
+    if ((slotCount > slotListCount) || slotCount < 1) {
+        fprintf(stderr,
+                "NSC_GetSlotList returned too many or too few slots: %d slots max=%d min=1\n",
+                (int)slotCount, (int)slotListCount);
+        goto done;
+    }
+    slotID = slotList[0];
+
+    /* == Start parsing the file == */
+    kbkdf_req = fopen(path, "r");
+    kbkdf_resp = stdout;
+
+    while (fgets(buf, sizeof buf, kbkdf_req) != NULL) {
+        /* If we have a comment, check if it tells us the type of KDF to use.
+         * This differs per-file, so we have to parse it. */
+        if (buf[0] == '#' || buf[0] == '\n' || buf[0] == '\r') {
+            if (strncmp(buf, "# KDF Mode Supported: Counter Mode", 34) == 0) {
+                kdf.mechanism = CKM_SP800_108_COUNTER_KDF;
+            }
+            if (strncmp(buf, "# KDF Mode Supported: Feedback Mode", 35) == 0) {
+                kdf.mechanism = CKM_SP800_108_FEEDBACK_KDF;
+            }
+            if (strncmp(buf, "# KDF Mode Supported: DblPipeline Mode", 38) == 0) {
+                kdf.mechanism = CKM_SP800_108_DOUBLE_PIPELINE_KDF;
+            }
+
+            fputs(buf, kbkdf_resp);
+            continue;
+        }
+
+        /* [....] - context directive */
+        if (buf[0] == '[') {
+            /* PRF begins each new section. */
+            if (strncmp(buf, "[PRF=CMAC_AES128]", 17) == 0) {
+                prf_mech = CKM_AES_CMAC;
+                KI_len = 16;
+            } else if (strncmp(buf, "[PRF=CMAC_AES192]", 17) == 0) {
+                prf_mech = CKM_AES_CMAC;
+                KI_len = 24;
+            } else if (strncmp(buf, "[PRF=CMAC_AES256]", 17) == 0) {
+                prf_mech = CKM_AES_CMAC;
+                KI_len = 32;
+            } else if (strncmp(buf, "[PRF=HMAC_SHA1]", 15) == 0) {
+                prf_mech = CKM_SHA_1_HMAC;
+                KI_len = 20;
+            } else if (strncmp(buf, "[PRF=HMAC_SHA224]", 17) == 0) {
+                prf_mech = CKM_SHA224_HMAC;
+                KI_len = 28;
+            } else if (strncmp(buf, "[PRF=HMAC_SHA256]", 17) == 0) {
+                prf_mech = CKM_SHA256_HMAC;
+                KI_len = 32;
+            } else if (strncmp(buf, "[PRF=HMAC_SHA384]", 17) == 0) {
+                prf_mech = CKM_SHA384_HMAC;
+                KI_len = 48;
+            } else if (strncmp(buf, "[PRF=HMAC_SHA512]", 17) == 0) {
+                prf_mech = CKM_SHA512_HMAC;
+                KI_len = 64;
+            } else if (strncmp(buf, "[PRF=", 5) == 0) {
+                fprintf(stderr, "Invalid or unsupported PRF mechanism: %s\n", buf);
+                goto done;
+            }
+
+            /* Then comes counter, if present. */
+            if (strncmp(buf, "[CTRLOCATION=BEFORE_FIXED]", 26) == 0 ||
+                strncmp(buf, "[CTRLOCATION=BEFORE_ITER]", 24) == 0) {
+                ctr_location = 1;
+            }
+            if (strncmp(buf, "[CTRLOCATION=MIDDLE_FIXED]", 26) == 0 ||
+                strncmp(buf, "[CTRLOCATION=AFTER_ITER]", 24) == 0) {
+                ctr_location = 2;
+            }
+            if (strncmp(buf, "[CTRLOCATION=AFTER_FIXED]", 25) == 0) {
+                ctr_location = 3;
+            }
+
+            /* If counter is present, then we need to know its size. */
+            if (strncmp(buf, "[RLEN=", 6) == 0) {
+                if (sscanf(buf, "[RLEN=%lu_BITS]", &counter_bitlen) != 1) {
+                    goto done;
+                }
+            }
+
+            fputs(buf, kbkdf_resp);
+            continue;
+        }
+
+        /* Each test contains a counter, an output length L, an input key KI,
+         * maybe an initialization vector IV, one of a couple of fixed data
+         * buffers, and finally the output key KO. */
+
+        /* First comes COUNT. */
+        if (strncmp(buf, "COUNT=", 6) == 0) {
+            /* Clear all out data fields on each test. */
+            memset(KI, 0, sizeof KI);
+            memset(KO, 0, sizeof KO);
+            memset(IV, 0, sizeof IV);
+            memset(BeforeFixedInputData, 0, sizeof BeforeFixedInputData);
+            memset(AfterFixedInputData, 0, sizeof AfterFixedInputData);
+            memset(FixedInputData, 0, sizeof FixedInputData);
+
+            /* Then reset lengths except KI: it was determined by PRF
+             * selection above. */
+            KO_len = 0;
+            IV_len = 0;
+            BeforeFixedInputData_len = 0;
+            AfterFixedInputData_len = 0;
+            FixedInputData_len = 0;
+
+            fputs(buf, kbkdf_resp);
+            continue;
+        }
+
+        /* Then comes L. */
+        if (strncmp(buf, "L = ", 4) == 0) {
+            if (sscanf(buf, "L = %lu", &L) != 1) {
+                goto done;
+            }
+
+            if ((L % 8) != 0) {
+                fprintf(stderr, "Assumption that L was length in bits incorrect: %lu - %s", L, buf);
+                fprintf(stderr, "Note that NSS only supports byte-aligned outputs and not bit-aligned outputs.\n");
+                goto done;
+            }
+
+            L = L / 8;
+
+            fputs(buf, kbkdf_resp);
+            continue;
+        }
+
+        /* Then comes KI. */
+        if (strncmp(buf, "KI = ", 5) == 0) {
+            buf_offset = 5;
+
+            for (offset = 0; offset < KI_len; offset++, buf_offset += 2) {
+                hex_to_byteval(buf + buf_offset, KI + offset);
+            }
+
+            fputs(buf, kbkdf_resp);
+            continue;
+        }
+
+        /* Then comes IVlen and IV, if present. */
+        if (strncmp(buf, "IVlen = ", 8) == 0) {
+            if (sscanf(buf, "IVlen = %u", &IV_len) != 1) {
+                goto done;
+            }
+
+            if ((IV_len % 8) != 0) {
+                fprintf(stderr, "Assumption that IV_len was length in bits incorrect: %u - %s. ", IV_len, buf);
+                fprintf(stderr, "Note that NSS only supports byte-aligned inputs and not bit-aligned inputs.\n");
+                goto done;
+            }
+
+            /* Need the IV length in bytes, not bits. */
+            IV_len = IV_len / 8;
+
+            fputs(buf, kbkdf_resp);
+            continue;
+        }
+        if (strncmp(buf, "IV = ", 5) == 0) {
+            buf_offset = 5;
+
+            for (offset = 0; offset < IV_len; offset++, buf_offset += 2) {
+                hex_to_byteval(buf + buf_offset, IV + offset);
+            }
+
+            fputs(buf, kbkdf_resp);
+            continue;
+        }
+
+        /* We might have DataBeforeCtr and DataAfterCtr if present. */
+        if (strncmp(buf, "DataBeforeCtrLen = ", 19) == 0) {
+            if (sscanf(buf, "DataBeforeCtrLen = %u", &BeforeFixedInputData_len) != 1) {
+                goto done;
+            }
+
+            fputs(buf, kbkdf_resp);
+            continue;
+        }
+        if (strncmp(buf, "DataBeforeCtrData = ", 20) == 0) {
+            buf_offset = 20;
+
+            for (offset = 0; offset < BeforeFixedInputData_len; offset++, buf_offset += 2) {
+                hex_to_byteval(buf + buf_offset, BeforeFixedInputData + offset);
+            }
+
+            fputs(buf, kbkdf_resp);
+            continue;
+        }
+        if (strncmp(buf, "DataAfterCtrLen = ", 18) == 0) {
+            if (sscanf(buf, "DataAfterCtrLen = %u", &AfterFixedInputData_len) != 1) {
+                goto done;
+            }
+
+            fputs(buf, kbkdf_resp);
+            continue;
+        }
+        if (strncmp(buf, "DataAfterCtrData = ", 19) == 0) {
+            buf_offset = 19;
+
+            for (offset = 0; offset < AfterFixedInputData_len; offset++, buf_offset += 2) {
+                hex_to_byteval(buf + buf_offset, AfterFixedInputData + offset);
+            }
+
+            fputs(buf, kbkdf_resp);
+            continue;
+        }
+
+        /* Otherwise, we might have FixedInputData, if present. */
+        if (strncmp(buf, "FixedInputDataByteLen = ", 24) == 0) {
+            if (sscanf(buf, "FixedInputDataByteLen = %u", &FixedInputData_len) != 1) {
+                goto done;
+            }
+
+            fputs(buf, kbkdf_resp);
+            continue;
+        }
+        if (strncmp(buf, "FixedInputData = ", 17) == 0) {
+            buf_offset = 17;
+
+            for (offset = 0; offset < FixedInputData_len; offset++, buf_offset += 2) {
+                hex_to_byteval(buf + buf_offset, FixedInputData + offset);
+            }
+
+            fputs(buf, kbkdf_resp);
+            continue;
+        }
+
+        /* Finally, run the KBKDF calculation when KO is passed. */
+        if (strncmp(buf, "KO = ", 5) == 0) {
+            CK_SESSION_HANDLE session;
+            CK_OBJECT_HANDLE prf_key;
+            CK_OBJECT_HANDLE derived_key;
+
+            /* Open the session. */
+            crv = NSC_OpenSession(slotID, 0, NULL, NULL, &session);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_OpenSession failed crv=0x%x\n", (unsigned int)crv);
+                goto done;
+            }
+
+            /* Create the PRF key object. */
+            prf_template[0].ulValueLen = KI_len;
+            crv = NSC_CreateObject(session, prf_template, prf_template_count, &prf_key);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_CreateObject (prf_key) failed crv=0x%x\n", (unsigned int)crv);
+                goto done;
+            }
+
+            /* Set up the KDF parameters. */
+            if (kdf.mechanism == CKM_SP800_108_COUNTER_KDF) {
+                /* Counter operates in one of three ways: counter before fixed
+                 * input data, counter between fixed input data, and counter
+                 * after fixed input data. In all cases, we have an iterator.
+                 */
+                iterator.ulWidthInBits = counter_bitlen;
+
+                if (ctr_location == 0 || ctr_location > 3) {
+                    fprintf(stderr, "Expected ctr_location != 0 for Counter Mode KDF but got 0.\n");
+                    goto done;
+                } else if (ctr_location == 1) {
+                    /* Counter before */
+                    dataParams[0].type = CK_SP800_108_ITERATION_VARIABLE;
+                    dataParams[0].pValue = &iterator;
+                    dataParams[0].ulValueLen = sizeof(iterator);
+
+                    dataParams[1].type = CK_SP800_108_BYTE_ARRAY;
+                    dataParams[1].pValue = FixedInputData;
+                    dataParams[1].ulValueLen = FixedInputData_len;
+
+                    dataParams_len = 2;
+                } else if (ctr_location == 2) {
+                    /* Counter between */
+                    dataParams[0].type = CK_SP800_108_BYTE_ARRAY;
+                    dataParams[0].pValue = BeforeFixedInputData;
+                    dataParams[0].ulValueLen = BeforeFixedInputData_len;
+
+                    dataParams[1].type = CK_SP800_108_ITERATION_VARIABLE;
+                    dataParams[1].pValue = &iterator;
+                    dataParams[1].ulValueLen = sizeof(iterator);
+
+                    dataParams[2].type = CK_SP800_108_BYTE_ARRAY;
+                    dataParams[2].pValue = AfterFixedInputData;
+                    dataParams[2].ulValueLen = AfterFixedInputData_len;
+
+                    dataParams_len = 3;
+                } else {
+                    /* Counter after */
+                    dataParams[0].type = CK_SP800_108_BYTE_ARRAY;
+                    dataParams[0].pValue = FixedInputData;
+                    dataParams[0].ulValueLen = FixedInputData_len;
+
+                    dataParams[1].type = CK_SP800_108_ITERATION_VARIABLE;
+                    dataParams[1].pValue = &iterator;
+                    dataParams[1].ulValueLen = sizeof(iterator);
+
+                    dataParams_len = 2;
+                }
+            } else if (kdf.mechanism == CKM_SP800_108_FEEDBACK_KDF || kdf.mechanism == CKM_SP800_108_DOUBLE_PIPELINE_KDF) {
+                /* When counter_bitlen != 0, we have an optional counter. */
+                if (counter_bitlen != 0) {
+                    iterator.ulWidthInBits = counter_bitlen;
+
+                    if (ctr_location == 0 || ctr_location > 3) {
+                        fprintf(stderr, "Expected ctr_location != 0 for Counter Mode KDF but got 0.\n");
+                        goto done;
+                    } else if (ctr_location == 1) {
+                        /* Counter before */
+                        dataParams[0].type = CK_SP800_108_OPTIONAL_COUNTER;
+                        dataParams[0].pValue = &iterator;
+                        dataParams[0].ulValueLen = sizeof(iterator);
+
+                        dataParams[1].type = CK_SP800_108_ITERATION_VARIABLE;
+                        dataParams[1].pValue = NULL;
+                        dataParams[1].ulValueLen = 0;
+
+                        dataParams[2].type = CK_SP800_108_BYTE_ARRAY;
+                        dataParams[2].pValue = FixedInputData;
+                        dataParams[2].ulValueLen = FixedInputData_len;
+
+                        dataParams_len = 3;
+                    } else if (ctr_location == 2) {
+                        /* Counter between */
+                        dataParams[0].type = CK_SP800_108_ITERATION_VARIABLE;
+                        dataParams[0].pValue = NULL;
+                        dataParams[0].ulValueLen = 0;
+
+                        dataParams[1].type = CK_SP800_108_OPTIONAL_COUNTER;
+                        dataParams[1].pValue = &iterator;
+                        dataParams[1].ulValueLen = sizeof(iterator);
+
+                        dataParams[2].type = CK_SP800_108_BYTE_ARRAY;
+                        dataParams[2].pValue = FixedInputData;
+                        dataParams[2].ulValueLen = FixedInputData_len;
+
+                        dataParams_len = 3;
+                    } else {
+                        /* Counter after */
+                        dataParams[0].type = CK_SP800_108_ITERATION_VARIABLE;
+                        dataParams[0].pValue = NULL;
+                        dataParams[0].ulValueLen = 0;
+
+                        dataParams[1].type = CK_SP800_108_BYTE_ARRAY;
+                        dataParams[1].pValue = FixedInputData;
+                        dataParams[1].ulValueLen = FixedInputData_len;
+
+                        dataParams[2].type = CK_SP800_108_OPTIONAL_COUNTER;
+                        dataParams[2].pValue = &iterator;
+                        dataParams[2].ulValueLen = sizeof(iterator);
+
+                        dataParams_len = 3;
+                    }
+                } else {
+                    dataParams[0].type = CK_SP800_108_ITERATION_VARIABLE;
+                    dataParams[0].pValue = NULL;
+                    dataParams[0].ulValueLen = 0;
+
+                    dataParams[1].type = CK_SP800_108_BYTE_ARRAY;
+                    dataParams[1].pValue = FixedInputData;
+                    dataParams[1].ulValueLen = FixedInputData_len;
+
+                    dataParams_len = 2;
+                }
+            }
+
+            if (kdf.mechanism != CKM_SP800_108_FEEDBACK_KDF) {
+                kdfParams.prfType = prf_mech;
+                kdfParams.ulNumberOfDataParams = dataParams_len;
+                kdfParams.pDataParams = dataParams;
+
+                kdf.pParameter = &kdfParams;
+                kdf.ulParameterLen = sizeof(kdfParams);
+            } else {
+                feedbackParams.prfType = prf_mech;
+                feedbackParams.ulNumberOfDataParams = dataParams_len;
+                feedbackParams.pDataParams = dataParams;
+                feedbackParams.ulIVLen = IV_len;
+                if (IV_len == 0) {
+                    feedbackParams.pIV = NULL;
+                } else {
+                    feedbackParams.pIV = IV;
+                }
+
+                kdf.pParameter = &feedbackParams;
+                kdf.ulParameterLen = sizeof(feedbackParams);
+            }
+
+            crv = NSC_DeriveKey(session, &kdf, prf_key, derive_template, derive_template_count, &derived_key);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_DeriveKey(derived_key) failed crv=0x%x\n", (unsigned int)crv);
+                goto done;
+            }
+
+            crv = NSC_GetAttributeValue(session, derived_key, &output_key, 1);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_GetAttribute(derived_value) failed crv=0x%x\n", (unsigned int)crv);
+                goto done;
+            }
+
+            fputs("KO = ", kbkdf_resp);
+            to_hex_str(buf, KO, output_key.ulValueLen);
+            fputs(buf, kbkdf_resp);
+            fputs("\r\n", kbkdf_resp);
+
+            continue;
+        }
+    }
+
+done:
+    if (kbkdf_req != NULL) {
+        fclose(kbkdf_req);
+    }
+    if (kbkdf_resp != stdout && kbkdf_resp != NULL) {
+        fclose(kbkdf_resp);
+    }
+
+    return;
+}
+
 int
 main(int argc, char **argv)
 {
@@ -8410,6 +8931,8 @@ main(int argc, char **argv)
         ikev1_psk(argv[2]);
     } else if (strcmp(argv[1], "ikev2") == 0) {
         ikev2(argv[2]);
+    } else if (strcmp(argv[1], "kbkdf") == 0) {
+        kbkdf(argv[2]);
     }
     return 0;
 }

security/nss/cmd/lib/basicutil.c

@@ -17,6 +17,7 @@
 
 #include "basicutil.h"
 #include <stdarg.h>
+#include <stddef.h>
 #include <sys/stat.h>
 #include <errno.h>
 
@@ -632,7 +633,8 @@ void
 SECU_PrintPRandOSError(const char *progName)
 {
     char buffer[513];
-    PRInt32 errLen = PR_GetErrorTextLength();
+    PRInt32 errLenInt = PR_GetErrorTextLength();
+    size_t errLen = errLenInt < 0 ? 0 : (size_t)errLenInt;
     if (errLen > 0 && errLen < sizeof buffer) {
         PR_GetErrorText(buffer);
     }
@@ -739,7 +741,6 @@ SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item, const char *str)
     int byteval = 0;
     int tmp = PORT_Strlen(str);
 
-    PORT_Assert(arena);
     PORT_Assert(item);
 
     if ((tmp % 2) != 0) {
@@ -760,7 +761,9 @@ SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item, const char *str)
         } else if ((str[i] >= 'A') && (str[i] <= 'F')) {
             tmp = str[i] - 'A' + 10;
         } else {
-            /* item is in arena and gets freed by the caller */
+            if (!arena) {
+                SECITEM_FreeItem(item, PR_FALSE);
+            }
             return NULL;
         }
 

security/nss/cmd/lib/pk11table.c

@@ -102,7 +102,7 @@ const Constant _consts[] = {
     mkEntry(CKF_WRAP, MechanismFlags),
     mkEntry(CKF_UNWRAP, MechanismFlags),
     mkEntry(CKF_DERIVE, MechanismFlags),
-    mkEntry(CKF_EC_FP, MechanismFlags),
+    mkEntry(CKF_EC_F_P, MechanismFlags),
     mkEntry(CKF_EC_F_2M, MechanismFlags),
     mkEntry(CKF_EC_ECPARAMETERS, MechanismFlags),
     mkEntry(CKF_EC_NAMEDCURVE, MechanismFlags),
@@ -128,7 +128,6 @@ const Constant _consts[] = {
     mkEntry(CKO_SECRET_KEY, Object),
     mkEntry(CKO_HW_FEATURE, Object),
     mkEntry(CKO_DOMAIN_PARAMETERS, Object),
-    mkEntry(CKO_KG_PARAMETERS, Object),
     mkEntry(CKO_NSS_CRL, Object),
     mkEntry(CKO_NSS_SMIME, Object),
     mkEntry(CKO_NSS_TRUST, Object),
@@ -255,8 +254,8 @@ const Constant _consts[] = {
     mkEntry2(CKA_TRUST_TIME_STAMPING, Attribute, Trust),
     mkEntry2(CKA_CERT_SHA1_HASH, Attribute, None),
     mkEntry2(CKA_CERT_MD5_HASH, Attribute, None),
-    mkEntry2(CKA_NETSCAPE_DB, Attribute, None),
-    mkEntry2(CKA_NETSCAPE_TRUST, Attribute, Trust),
+    mkEntry2(CKA_NSS_DB, Attribute, None),
+    mkEntry2(CKA_NSS_TRUST, Attribute, Trust),
 
     mkEntry(CKM_RSA_PKCS, Mechanism),
     mkEntry(CKM_RSA_9796, Mechanism),
@@ -473,16 +472,16 @@ const Constant _consts[] = {
     mkEntry(CKM_DH_PKCS_PARAMETER_GEN, Mechanism),
     mkEntry(CKM_NSS_AES_KEY_WRAP, Mechanism),
     mkEntry(CKM_NSS_AES_KEY_WRAP_PAD, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_SHA1_DES_CBC, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN, Mechanism),
-    mkEntry(CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN, Mechanism),
+    mkEntry(CKM_NSS_PBE_SHA1_DES_CBC, Mechanism),
+    mkEntry(CKM_NSS_PBE_SHA1_TRIPLE_DES_CBC, Mechanism),
+    mkEntry(CKM_NSS_PBE_SHA1_40_BIT_RC2_CBC, Mechanism),
+    mkEntry(CKM_NSS_PBE_SHA1_128_BIT_RC2_CBC, Mechanism),
+    mkEntry(CKM_NSS_PBE_SHA1_40_BIT_RC4, Mechanism),
+    mkEntry(CKM_NSS_PBE_SHA1_128_BIT_RC4, Mechanism),
+    mkEntry(CKM_NSS_PBE_SHA1_FAULTY_3DES_CBC, Mechanism),
+    mkEntry(CKM_NSS_PBE_SHA1_HMAC_KEY_GEN, Mechanism),
+    mkEntry(CKM_NSS_PBE_MD5_HMAC_KEY_GEN, Mechanism),
+    mkEntry(CKM_NSS_PBE_MD2_HMAC_KEY_GEN, Mechanism),
     mkEntry(CKM_TLS_PRF_GENERAL, Mechanism),
     mkEntry(CKM_NSS_TLS_PRF_GENERAL_SHA256, Mechanism),
 
@@ -520,7 +519,6 @@ const Constant _consts[] = {
     mkEntry(CKR_KEY_FUNCTION_NOT_PERMITTED, Result),
     mkEntry(CKR_KEY_NOT_WRAPPABLE, Result),
     mkEntry(CKR_KEY_UNEXTRACTABLE, Result),
-    mkEntry(CKR_KEY_PARAMS_INVALID, Result),
     mkEntry(CKR_MECHANISM_INVALID, Result),
     mkEntry(CKR_MECHANISM_PARAM_INVALID, Result),
     mkEntry(CKR_OBJECT_HANDLE_INVALID, Result),

security/nss/cmd/lib/secutil.c

@@ -494,23 +494,30 @@ SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii,
     if (ascii) {
         /* First convert ascii to binary */
         SECItem filedata;
-        char *asc, *body;
 
         /* Read in ascii data */
         rv = SECU_FileToItem(&filedata, inFile);
         if (rv != SECSuccess)
             return rv;
-        asc = (char *)filedata.data;
-        if (!asc) {
+        if (!filedata.data) {
             fprintf(stderr, "unable to read data from input file\n");
             return SECFailure;
         }
+        /* need one additional byte for zero terminator */
+        rv = SECITEM_ReallocItemV2(NULL, &filedata, filedata.len + 1);
+        if (rv != SECSuccess) {
+            PORT_Free(filedata.data);
+            return rv;
+        }
+        char *asc = (char *)filedata.data;
+        asc[filedata.len - 1] = '\0';
 
         if (warnOnPrivateKeyInAsciiFile && strstr(asc, "PRIVATE KEY")) {
             fprintf(stderr, "Warning: ignoring private key. Consider to use "
                             "pk12util.\n");
         }
 
+        char *body;
         /* check for headers and trailers and remove them */
         if ((body = strstr(asc, "-----BEGIN")) != NULL) {
             char *trailer = NULL;
@@ -528,14 +535,7 @@ SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii,
                 return SECFailure;
             }
         } else {
-            /* need one additional byte for zero terminator */
-            rv = SECITEM_ReallocItemV2(NULL, &filedata, filedata.len + 1);
-            if (rv != SECSuccess) {
-                PORT_Free(filedata.data);
-                return rv;
-            }
-            body = (char *)filedata.data;
-            body[filedata.len - 1] = '\0';
+            body = asc;
         }
 
         /* Convert to binary */
@@ -4159,3 +4159,57 @@ exportKeyingMaterials(PRFileDesc *fd,
 
     return SECSuccess;
 }
+
+SECStatus
+readPSK(const char *arg, SECItem *psk, SECItem *label)
+{
+    SECStatus rv = SECFailure;
+    char *str = PORT_Strdup(arg);
+    if (!str) {
+        goto cleanup;
+    }
+
+    char *pskBytes = strtok(str, ":");
+    if (!pskBytes) {
+        goto cleanup;
+    }
+    if (PORT_Strncasecmp(pskBytes, "0x", 2) != 0) {
+        goto cleanup;
+    }
+
+    psk = SECU_HexString2SECItem(NULL, psk, &pskBytes[2]);
+    if (!psk || !psk->data || psk->len != strlen(&str[2]) / 2) {
+        goto cleanup;
+    }
+
+    SECItem labelItem = { siBuffer, NULL, 0 };
+    char *inLabel = strtok(NULL, ":");
+    if (inLabel) {
+        labelItem.data = (unsigned char *)PORT_Strdup(inLabel);
+        if (!labelItem.data) {
+            goto cleanup;
+        }
+        labelItem.len = strlen(inLabel);
+
+        if (PORT_Strncasecmp(inLabel, "0x", 2) == 0) {
+            rv = SECU_SECItemHexStringToBinary(&labelItem);
+            if (rv != SECSuccess) {
+                SECITEM_FreeItem(&labelItem, PR_FALSE);
+                goto cleanup;
+            }
+        }
+        rv = SECSuccess;
+    } else {
+        PRUint8 defaultLabel[] = { 'C', 'l', 'i', 'e', 'n', 't', '_',
+                                   'i', 'd', 'e', 'n', 't', 'i', 't', 'y' };
+        SECItem src = { siBuffer, defaultLabel, sizeof(defaultLabel) };
+        rv = SECITEM_CopyItem(NULL, &labelItem, &src);
+    }
+    if (rv == SECSuccess) {
+        *label = labelItem;
+    }
+
+cleanup:
+    PORT_Free(str);
+    return rv;
+}

security/nss/cmd/lib/secutil.h

@@ -424,6 +424,8 @@ SECStatus exportKeyingMaterials(PRFileDesc *fd,
                                 const secuExporter *exporters,
                                 unsigned int exporterCount);
 
+SECStatus readPSK(const char *arg, SECItem *psk, SECItem *label);
+
 /*
  *
  *  Error messaging

security/nss/cmd/lowhashtest/lowhashtest.c

@@ -415,7 +415,7 @@ main(int argc, char **argv)
         return 1;
     }
 
-    if (argc || !argv[1] || strlen(argv[1]) == 0) {
+    if (argc < 2 || !argv[1] || strlen(argv[1]) == 0) {
         rv += testMD5(initCtx);
         rv += testSHA1(initCtx);
         rv += testSHA224(initCtx);
@@ -428,7 +428,7 @@ main(int argc, char **argv)
         rv += testSHA1(initCtx);
     } else if (strcmp(argv[1], "SHA224") == 0) {
         rv += testSHA224(initCtx);
-    } else if (strcmp(argv[1], "SHA226") == 0) {
+    } else if (strcmp(argv[1], "SHA256") == 0) {
         rv += testSHA256(initCtx);
     } else if (strcmp(argv[1], "SHA384") == 0) {
         rv += testSHA384(initCtx);

security/nss/cmd/modutil/install-ds.c

@@ -889,8 +889,6 @@ Pk11Install_Platform_Generate(Pk11Install_Platform* _this,
                 errStr = Pk11Install_PlatformName_Generate(&_this->equivName,
                                                            subval->string);
                 if (errStr) {
-                    tmp = PR_smprintf("%s: %s",
-                                      Pk11Install_PlatformName_GetString(&_this->name), errStr);
                     tmp = PR_smprintf("%s: %s",
                                       Pk11Install_PlatformName_GetString(&_this->name), errStr);
                     PR_smprintf_free(errStr);

security/nss/cmd/pk11gcmtest/pk11gcmtest.c

@@ -45,7 +45,7 @@ aes_encrypt_buf(
     SECItem key_item;
     PK11SlotInfo *slot = NULL;
     PK11SymKey *symKey = NULL;
-    CK_GCM_PARAMS gcm_params;
+    CK_NSS_GCM_PARAMS gcm_params;
     SECItem param;
 
     /* Import key into NSS. */
@@ -102,7 +102,7 @@ aes_decrypt_buf(
     SECItem key_item;
     PK11SlotInfo *slot = NULL;
     PK11SymKey *symKey = NULL;
-    CK_GCM_PARAMS gcm_params;
+    CK_NSS_GCM_PARAMS gcm_params;
     SECItem param;
 
     if (inputlen + tagsize > sizeof(concatenated)) {

security/nss/cmd/pk11mode/pk11mode.c

@@ -16,7 +16,7 @@
 #include <string.h>
 #include <stdarg.h>
 
-#if defined(XP_UNIX) && !defined(NO_FORK_CHECK)
+#if defined(XP_UNIX) && defined(DO_FORK_CHECK)
 #include <unistd.h>
 #include <sys/wait.h>
 #else

security/nss/cmd/selfserv/selfserv.c

@@ -138,6 +138,8 @@ static SECItem bigBuf;
 static int configureDHE = -1;        /* -1: don't configure, 0 disable, >=1 enable*/
 static int configureReuseECDHE = -1; /* -1: don't configure, 0 refresh, >=1 reuse*/
 static int configureWeakDHE = -1;    /* -1: don't configure, 0 disable, >=1 enable*/
+SECItem psk = { siBuffer, NULL, 0 };
+SECItem pskLabel = { siBuffer, NULL, 0 };
 
 static PRThread *acceptorThread;
 
@@ -167,7 +169,7 @@ PrintUsageHeader(const char *progName)
             "         [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n"
             "         [-C SSLCacheEntries] [-S dsa_nickname] [-Q]\n"
             "         [-I groups] [-J signatureschemes] [-e ec_nickname]\n"
-            "         -U [0|1] -H [0|1|2] -W [0|1]\n"
+            "         -U [0|1] -H [0|1|2] -W [0|1] [-z externalPsk]\n"
             "\n",
             progName);
 }
@@ -241,7 +243,11 @@ PrintParameterUsage()
         "     LABEL[:OUTPUT-LENGTH[:CONTEXT]]\n"
         "   where LABEL and CONTEXT can be either a free-form string or\n"
         "   a hex string if it is preceded by \"0x\"; OUTPUT-LENGTH\n"
-        "   is a decimal integer.\n",
+        "   is a decimal integer.\n"
+        "-z Configure a TLS 1.3 External PSK with the given hex string for a key.\n"
+        "   To specify a label, use ':' as a delimiter. For example:\n"
+        "   0xAAAABBBBCCCCDDDD:mylabel. Otherwise, the default label of\n"
+        "  'Client_identity' will be used.\n",
         stderr);
 }
 
@@ -1841,6 +1847,32 @@ handshakeCallback(PRFileDesc *fd, void *client_data)
     }
 }
 
+static SECStatus
+importPsk(PRFileDesc *model_sock)
+{
+    SECU_PrintAsHex(stdout, &psk, "Using External PSK", 0);
+    PK11SlotInfo *slot = NULL;
+    PK11SymKey *symKey = NULL;
+    slot = PK11_GetInternalSlot();
+    if (!slot) {
+        errWarn("PK11_GetInternalSlot failed");
+        return SECFailure;
+    }
+    symKey = PK11_ImportSymKey(slot, CKM_HKDF_KEY_GEN, PK11_OriginUnwrap,
+                               CKA_DERIVE, &psk, NULL);
+    PK11_FreeSlot(slot);
+    if (!symKey) {
+        errWarn("PK11_ImportSymKey failed\n");
+        return SECFailure;
+    }
+
+    SECStatus rv = SSL_AddExternalPsk(model_sock, symKey,
+                                      (const PRUint8 *)pskLabel.data,
+                                      pskLabel.len, ssl_hash_sha256);
+    PK11_FreeSymKey(symKey);
+    return rv;
+}
+
 void
 server_main(
     PRFileDesc *listen_sock,
@@ -2050,6 +2082,13 @@ server_main(
         }
     }
 
+    if (psk.data) {
+        rv = importPsk(model_sock);
+        if (rv != SECSuccess) {
+            errExit("importPsk failed");
+        }
+    }
+
     if (MakeCertOK)
         SSL_BadCertHook(model_sock, myBadCertHandler, NULL);
 
@@ -2125,6 +2164,20 @@ haveAChild(int argc, char **argv, PRProcessAttr *attr)
     return newProcess;
 }
 
+#ifdef XP_UNIX
+void
+sigusr1_parent_handler(int sig)
+{
+    PRProcess *process;
+    int i;
+    fprintf(stderr, "SIG_USER: Parent got sig_user, killing children (%d).\n", numChildren);
+    for (i = 0; i < numChildren; i++) {
+        process = child[i];
+        PR_KillProcess(process); /* it would be nice to kill with a sigusr signal */
+    }
+}
+#endif
+
 void
 beAGoodParent(int argc, char **argv, int maxProcs, PRFileDesc *listen_sock)
 {
@@ -2134,6 +2187,19 @@ beAGoodParent(int argc, char **argv, int maxProcs, PRFileDesc *listen_sock)
     PRInt32 exitCode;
     PRStatus rv;
 
+#ifdef XP_UNIX
+    struct sigaction act;
+
+    /* set up the signal handler */
+    act.sa_handler = sigusr1_parent_handler;
+    sigemptyset(&act.sa_mask);
+    act.sa_flags = 0;
+    if (sigaction(SIGUSR1, &act, NULL)) {
+        fprintf(stderr, "Error installing signal handler.\n");
+        exit(1);
+    }
+#endif
+
     rv = PR_SetFDInheritable(listen_sock, PR_TRUE);
     if (rv != PR_SUCCESS)
         errExit("PR_SetFDInheritable");
@@ -2264,10 +2330,9 @@ main(int argc, char **argv)
     /* please keep this list of options in ASCII collating sequence.
     ** numbers, then capital letters, then lower case, alphabetical.
     ** XXX: 'B', and 'q' were used in the past but removed
-    **      in 3.28, please leave some time before resuing those.
-    **      'z' was removed in 3.39. */
+    **      in 3.28, please leave some time before resuing those. */
     optstate = PL_CreateOptState(argc, argv,
-                                 "2:A:C:DEGH:I:J:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:x:y");
+                                 "2:A:C:DEGH:I:J:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:x:yz:");
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
         ++optionsFound;
         switch (optstate->option) {
@@ -2489,6 +2554,16 @@ main(int argc, char **argv)
                 zeroRTT = PR_TRUE;
                 break;
 
+            case 'z':
+                rv = readPSK(optstate->value, &psk, &pskLabel);
+                if (rv != SECSuccess) {
+                    PL_DestroyOptState(optstate);
+                    fprintf(stderr, "Bad PSK specified.\n");
+                    Usage(progName);
+                    exit(1);
+                }
+                break;
+
             case 'Q':
                 enableALPN = PR_TRUE;
                 break;
@@ -2588,7 +2663,8 @@ main(int argc, char **argv)
         exit(14);
     }
 
-    if (pidFile) {
+    envString = PR_GetEnvSecure(envVarName);
+    if (!envString && pidFile) {
         FILE *tmpfile = fopen(pidFile, "w+");
 
         if (tmpfile) {
@@ -2613,13 +2689,6 @@ main(int argc, char **argv)
     if (!tmp)
         tmp = PR_GetEnvSecure("TEMP");
 
-    /* Call the NSS initialization routines */
-    rv = NSS_Initialize(dir, certPrefix, certPrefix, SECMOD_DB, NSS_INIT_READONLY);
-    if (rv != SECSuccess) {
-        fputs("NSS_Init failed.\n", stderr);
-        exit(8);
-    }
-
     if (envString) {
         /* we're one of the children in a multi-process server. */
         listen_sock = PR_GetInheritedFD(inheritableSockName);
@@ -2642,6 +2711,12 @@ main(int argc, char **argv)
         if (rv != SECSuccess)
             errExit("SSL_InheritMPServerSIDCache");
         hasSidCache = PR_TRUE;
+        /* Call the NSS initialization routines */
+        rv = NSS_Initialize(dir, certPrefix, certPrefix, SECMOD_DB, NSS_INIT_READONLY);
+        if (rv != SECSuccess) {
+            fputs("NSS_Init failed.\n", stderr);
+            exit(8);
+        }
     } else if (maxProcs > 1) {
         /* we're going to be the parent in a multi-process server.  */
         listen_sock = getBoundListenSocket(port);
@@ -2652,6 +2727,12 @@ main(int argc, char **argv)
         beAGoodParent(argc, argv, maxProcs, listen_sock);
         exit(99); /* should never get here */
     } else {
+        /* Call the NSS initialization routines */
+        rv = NSS_Initialize(dir, certPrefix, certPrefix, SECMOD_DB, NSS_INIT_READONLY);
+        if (rv != SECSuccess) {
+            fputs("NSS_Init failed.\n", stderr);
+            exit(8);
+        }
         /* we're an ordinary single process server. */
         listen_sock = getBoundListenSocket(port);
         prStatus = PR_SetFDInheritable(listen_sock, PR_FALSE);
@@ -2838,6 +2919,8 @@ cleanup:
     if (antiReplay) {
         SSL_ReleaseAntiReplayContext(antiReplay);
     }
+    SECITEM_ZfreeItem(&psk, PR_FALSE);
+    SECITEM_ZfreeItem(&pskLabel, PR_FALSE);
     if (NSS_Shutdown() != SECSuccess) {
         SECU_PrintError(progName, "NSS_Shutdown");
         if (loggerThread) {

security/nss/cmd/shlibsign/shlibsign.c

@@ -483,8 +483,8 @@ static const tuple_str errStrings[] = {
     { CKR_MUTEX_NOT_LOCKED, "CKR_MUTEX_NOT_LOCKED                " },
     { CKR_FUNCTION_REJECTED, "CKR_FUNCTION_REJECTED               " },
     { CKR_VENDOR_DEFINED, "CKR_VENDOR_DEFINED                  " },
-    { 0xCE534351, "CKR_NETSCAPE_CERTDB_FAILED          " },
-    { 0xCE534352, "CKR_NETSCAPE_KEYDB_FAILED           " }
+    { 0xCE534351, "CKR_NSS_CERTDB_FAILED          " },
+    { 0xCE534352, "CKR_NSS_KEYDB_FAILED           " }
 
 };
 

security/nss/cmd/signtool/manifest.mn

@@ -6,6 +6,10 @@ CORE_DEPTH = ../..
 
 MODULE = nss
 
+ifdef ZLIB_INCLUDE_DIR
+INCLUDES += -I$(ZLIB_INCLUDE_DIR)
+endif
+
 EXPORTS = 
 
 CSRCS = signtool.c		\

security/nss/cmd/tstclnt/tstclnt.c

@@ -109,6 +109,8 @@ SSLNamedGroup *enabledGroups = NULL;
 unsigned int enabledGroupsCount = 0;
 const SSLSignatureScheme *enabledSigSchemes = NULL;
 unsigned int enabledSigSchemeCount = 0;
+SECItem psk = { siBuffer, NULL, 0 };
+SECItem pskLabel = { siBuffer, NULL, 0 };
 
 const char *
 signatureSchemeName(SSLSignatureScheme scheme)
@@ -229,7 +231,7 @@ PrintUsageHeader()
             "  [-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n"
             "  [-I groups] [-J signatureschemes]\n"
             "  [-A requestfile] [-L totalconnections] [-P {client,server}]\n"
-            "  [-N encryptedSniKeys] [-Q]\n"
+            "  [-N encryptedSniKeys] [-Q] [-z externalPsk]\n"
             "\n",
             progName);
 }
@@ -325,6 +327,12 @@ PrintParameterUsage()
                     "%-20s a hex string if it is preceded by \"0x\"; OUTPUT-LENGTH\n"
                     "%-20s is a decimal integer.\n",
             "-x", "", "", "", "", "");
+    fprintf(stderr,
+            "%-20s Configure a TLS 1.3 External PSK with the given hex string for a key\n"
+            "%-20s To specify a label, use ':' as a delimiter. For example\n"
+            "%-20s 0xAAAABBBBCCCCDDDD:mylabel. Otherwise, the default label of\n"
+            "%-20s 'Client_identity' will be used.\n",
+            "-z externalPsk", "", "", "");
 }
 
 static void
@@ -1230,6 +1238,31 @@ connectToServer(PRFileDesc *s, PRPollDesc *pollset)
     return SECSuccess;
 }
 
+static SECStatus
+importPsk(PRFileDesc *s)
+{
+    SECU_PrintAsHex(stdout, &psk, "Using External PSK", 0);
+    PK11SlotInfo *slot = NULL;
+    PK11SymKey *symKey = NULL;
+    slot = PK11_GetInternalSlot();
+    if (!slot) {
+        SECU_PrintError(progName, "PK11_GetInternalSlot failed");
+        return SECFailure;
+    }
+    symKey = PK11_ImportSymKey(slot, CKM_HKDF_KEY_GEN, PK11_OriginUnwrap,
+                               CKA_DERIVE, &psk, NULL);
+    PK11_FreeSlot(slot);
+    if (!symKey) {
+        SECU_PrintError(progName, "PK11_ImportSymKey failed");
+        return SECFailure;
+    }
+
+    SECStatus rv = SSL_AddExternalPsk(s, symKey, (const PRUint8 *)pskLabel.data,
+                                      pskLabel.len, ssl_hash_sha256);
+    PK11_FreeSymKey(symKey);
+    return rv;
+}
+
 static int
 run()
 {
@@ -1498,6 +1531,15 @@ run()
         }
     }
 
+    if (psk.data) {
+        rv = importPsk(s);
+        if (rv != SECSuccess) {
+            SECU_PrintError(progName, "importPsk failed");
+            error = 1;
+            goto done;
+        }
+    }
+
     serverCertAuth.dbHandle = CERT_GetDefaultCertDB();
 
     SSL_AuthCertificateHook(s, ownAuthCertificate, &serverCertAuth);
@@ -1752,11 +1794,8 @@ main(int argc, char **argv)
         }
     }
 
-    /* Note: 'z' was removed in 3.39
-     * Please leave some time before reusing these.
-     */
     optstate = PL_CreateOptState(argc, argv,
-                                 "46A:BCDEFGHI:J:KL:M:N:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:x:");
+                                 "46A:BCDEFGHI:J:KL:M:N:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:x:z:");
     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
         switch (optstate->option) {
             case '?':
@@ -2015,6 +2054,15 @@ main(int argc, char **argv)
                     Usage();
                 }
                 break;
+
+            case 'z':
+                rv = readPSK(optstate->value, &psk, &pskLabel);
+                if (rv != SECSuccess) {
+                    PL_DestroyOptState(optstate);
+                    fprintf(stderr, "Bad PSK specified.\n");
+                    Usage();
+                }
+                break;
         }
     }
     PL_DestroyOptState(optstate);
@@ -2210,6 +2258,8 @@ done:
     PORT_Free(host);
     PORT_Free(zeroRttData);
     PORT_Free(encryptedSNIKeys);
+    SECITEM_ZfreeItem(&psk, PR_FALSE);
+    SECITEM_ZfreeItem(&pskLabel, PR_FALSE);
 
     if (enabledGroups) {
         PORT_Free(enabledGroups);