[seamonkey/el6] update to ESR 24.3.0

Dmitry Butskoy buc at fedoraproject.org
Mon Feb 10 01:30:35 UTC 2014


commit d9070f6429d0a15962de2e82cd4542e86f63d124
Author: Dmitry Butskoy <Dmitry at Butskoy.name>
Date:   Mon Feb 10 05:30:30 2014 +0400

    update to ESR 24.3.0

 seamonkey-2.21-ESR_24.3.0-c++0x.patch      |   12 +
 seamonkey-2.21-ESR_24.3.0-nss_3_15_3.patch |   12 +
 seamonkey-2.21-esr2.0-3.0.patch            |35448 ++++++++++++++++++++++++++++
 seamonkey.spec                             |   21 +-
 4 files changed, 35489 insertions(+), 4 deletions(-)
---
diff --git a/seamonkey-2.21-ESR_24.3.0-c++0x.patch b/seamonkey-2.21-ESR_24.3.0-c++0x.patch
new file mode 100644
index 0000000..40128be
--- /dev/null
+++ b/seamonkey-2.21-ESR_24.3.0-c++0x.patch
@@ -0,0 +1,12 @@
+diff -Nrbu seamonkey-2.21/comm-release/mozilla/image/src/imgStatusTracker.h seamonkey-2.21-OK/comm-release/mozilla/image/src/imgStatusTracker.h
+--- seamonkey-2.21/comm-release/mozilla/image/src/imgStatusTracker.h	2014-02-10 04:30:33.301298527 +0400
++++ seamonkey-2.21-OK/comm-release/mozilla/image/src/imgStatusTracker.h	2014-02-10 04:47:24.556892436 +0400
+@@ -212,7 +212,7 @@
+ 
+   nsIntRect GetInvalidRect() const { return mInvalidRect; }
+ 
+-  typedef nsTObserverArray<mozilla::WeakPtr<imgRequestProxy>> ProxyArray;
++  typedef nsTObserverArray<mozilla::WeakPtr<imgRequestProxy> > ProxyArray;
+ private:
+   friend class imgStatusNotifyRunnable;
+   friend class imgRequestNotifyRunnable;
diff --git a/seamonkey-2.21-ESR_24.3.0-nss_3_15_3.patch b/seamonkey-2.21-ESR_24.3.0-nss_3_15_3.patch
new file mode 100644
index 0000000..6707590
--- /dev/null
+++ b/seamonkey-2.21-ESR_24.3.0-nss_3_15_3.patch
@@ -0,0 +1,12 @@
+diff -Nrbu seamonkey-2.21/comm-release/mozilla/configure seamonkey-2.21-OK/comm-release/mozilla/configure
+--- seamonkey-2.21/comm-release/mozilla/configure	2014-02-10 02:07:36.364884000 +0400
++++ seamonkey-2.21-OK/comm-release/mozilla/configure	2014-02-10 02:08:34.795560415 +0400
+@@ -15224,7 +15224,7 @@
+   echo "$ac_t""no" 1>&6
+ fi
+ 
+-	min_nss_version=3.15.4
++	min_nss_version=3.15.3
+ 	echo $ac_n "checking for NSS - version >= $min_nss_version""... $ac_c" 1>&6
+ echo "configure:15230: checking for NSS - version >= $min_nss_version" >&5
+ 
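Review bot: Nothing in this patch records why the NSS floor is dropped from 3.15.4 to 3.15.3, or confirms that the system NSS carries the fixes and APIs the 24.3.0 code was gated on. Because `min_nss_version=3.15.3` overrides upstream's own version check, the rationale should be stated next to the patch entry in the spec, for example `# system NSS is older than upstream's 3.15.4 floor; needed fixes verified as backported (see <ticket placeholder>)`. The edit is also made to the generated `configure` (the `configure:15230` marker shows this is autoconf output), so it would be lost if configure is regenerated during the build. Patching the autoconf input as well, or checking that the build never re-runs autoconf, would make the override dependable.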
diff --git a/seamonkey-2.21-esr2.0-3.0.patch b/seamonkey-2.21-esr2.0-3.0.patch
new file mode 100644
index 0000000..b0f6ddc
--- /dev/null
+++ b/seamonkey-2.21-esr2.0-3.0.patch
@@ -0,0 +1,35448 @@
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/base/test/unit/test_viewWrapper_logic.js seamonkey-2.21-esr3.0/comm-release/mail/base/test/unit/test_viewWrapper_logic.js
+--- seamonkey-2.21-esr2.0/comm-release/mail/base/test/unit/test_viewWrapper_logic.js	2013-09-16 22:20:08.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/base/test/unit/test_viewWrapper_logic.js	2014-02-10 01:13:30.537563303 +0400
+@@ -1,5 +1,6 @@
+ load("../../../../mailnews/resources/logHelper.js");
+ load("../../../../mailnews/resources/asyncTestUtils.js");
++load("../../../../mailnews/resources/abSetup.js");
+ 
+ load("../../../../mailnews/resources/messageGenerator.js");
+ load("../../../../mailnews/resources/messageModifier.js");
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/config/version.txt seamonkey-2.21-esr3.0/comm-release/mail/config/version.txt
+--- seamonkey-2.21-esr2.0/comm-release/mail/config/version.txt	2014-02-10 01:12:11.780950257 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/config/version.txt	2014-02-10 01:13:30.543563200 +0400
+@@ -1 +1 @@
+-24.2.0
++24.3.0
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/account/test-ab-whitelist.js seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/account/test-ab-whitelist.js
+--- seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/account/test-ab-whitelist.js	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/account/test-ab-whitelist.js	2014-02-10 01:13:30.544563182 +0400
+@@ -29,7 +29,7 @@
+   amh.installInto(module);
+ 
+   let server = MailServices.accounts
+-                           .FindServer("tinderbox", "tinderbox", "pop3");
++                           .FindServer("tinderbox", FAKE_SERVER_HOSTNAME, "pop3");
+   gAccount = MailServices.accounts.FindAccountForServer(server);
+   let serverKey = server.key;
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/account/test-account-port-setting.js seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/account/test-account-port-setting.js
+--- seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/account/test-account-port-setting.js	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/account/test-account-port-setting.js	2014-02-10 01:13:30.544563182 +0400
+@@ -29,7 +29,7 @@
+   // This test expects the following POP account to exist by default
+   // with port number 110 and no security.
+   let server = MailServices.accounts
+-                           .FindServer("tinderbox", "tinderbox", "pop3");
++                           .FindServer("tinderbox", FAKE_SERVER_HOSTNAME, "pop3");
+   let account = MailServices.accounts.FindAccountForServer(server);
+ 
+   let accountRow = get_account_tree_row(account.key, "am-server.xul", amc);
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/account/test-account-settings-infrastructure.js seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/account/test-account-settings-infrastructure.js
+--- seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/account/test-account-settings-infrastructure.js	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/account/test-account-settings-infrastructure.js	2014-02-10 01:13:30.544563182 +0400
+@@ -343,7 +343,7 @@
+   // This test expects the following POP account to exist by default
+   // in the test profile with port number 110 and no security.
+   let firstServer = MailServices.accounts
+-                                .FindServer("tinderbox", "tinderbox", "pop3");
++                                .FindServer("tinderbox", FAKE_SERVER_HOSTNAME, "pop3");
+   let firstAccount = MailServices.accounts.FindAccountForServer(firstServer);
+ 
+   accountRow = get_account_tree_row(firstAccount.key, null, amc);
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/cloudfile/test-cloudfile-attachment-urls.js seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/cloudfile/test-cloudfile-attachment-urls.js
+--- seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/cloudfile/test-cloudfile-attachment-urls.js	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/cloudfile/test-cloudfile-attachment-urls.js	2014-02-10 01:13:30.544563182 +0400
+@@ -38,10 +38,11 @@
+ function setupModule(module) {
+   let fdh = collector.getModule('folder-display-helpers');
+   fdh.installInto(module);
++  collector.getModule('window-helpers').installInto(module);
+ 
+   // For replies and forwards, we'll work off a message in the Inbox folder
+   // of the fake "tinderbox" account.
+-  let server = MailServices.accounts.FindServer("tinderbox", "tinderbox",
++  let server = MailServices.accounts.FindServer("tinderbox", FAKE_SERVER_HOSTNAME,
+                                                 "pop3");
+   gFolder = server.rootFolder.getChildNamed("Inbox");
+   fdh.add_message_to_folder(gFolder, create_message());
+@@ -57,7 +58,6 @@
+   cfh.gMockCloudfileManager.register();
+ 
+   collector.getModule('dom-helpers').installInto(module);
+-  collector.getModule('window-helpers').installInto(module);
+ 
+   // These tests assume that we default to writing mail in HTML.  We'll
+   // save the current preference, force defaulting to HTML, and restore the
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/composition/test-address-widgets.js seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/composition/test-address-widgets.js
+--- seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/composition/test-address-widgets.js	2014-02-10 01:12:09.662987526 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/composition/test-address-widgets.js	2014-02-10 01:13:30.544563182 +0400
+@@ -23,7 +23,7 @@
+ 
+   // Ensure we're in the tinderbox account as that has the right identities set
+   // up for this test.
+-  let server = MailServices.accounts.FindServer("tinderbox", "tinderbox", "pop3");
++  let server = MailServices.accounts.FindServer("tinderbox", FAKE_SERVER_HOSTNAME, "pop3");
+   accountPOP3 = MailServices.accounts.FindAccountForServer(server);
+ };
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/composition/test-reply-addresses.js seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/composition/test-reply-addresses.js
+--- seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/composition/test-reply-addresses.js	2014-02-10 01:12:09.664987535 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/composition/test-reply-addresses.js	2014-02-10 01:13:30.544563182 +0400
+@@ -625,7 +625,8 @@
+     cc: "Lisa <lisa at example.com>",
+     subject: "testReplyToSelfReply - reply to self",
+     clobberHeaders: {
+-      "Bcc": "Moe <moe at example.com>"
++      "Bcc": "Moe <moe at example.com>",
++      "Reply-To": "Flanders <flanders at example.com>"
+     }
+   });
+   add_message_to_folder(folder, msg0);
+@@ -638,8 +639,10 @@
+   checkReply(
+     open_compose_with_reply,
+     // To: original To
++    // Reply-To: original Reply-To
+     {
+-      "addr_to": ["Bart <bart at example.com>", "Maggie <maggie at example.com>"]
++      "addr_to": ["Bart <bart at example.com>", "Maggie <maggie at example.com>"],
++      "addr_reply": ["Flanders <flanders at example.com>"]
+     }
+   );
+ 
+@@ -648,9 +651,11 @@
+     open_compose_with_reply,
+   // To: original To
+     // Cc: auto-Ccs
++    // Reply-To: original Reply-To
+     {
+       "addr_to": ["Bart <bart at example.com>", "Maggie <maggie at example.com>"],
+-      "addr_cc": [myEmail, "smithers at example.com"]
++      "addr_cc": [myEmail, "smithers at example.com"],
++      "addr_reply": ["Flanders <flanders at example.com>"]
+     }
+   );
+   stopUsingAutoCc(identity);
+@@ -667,7 +672,8 @@
+     cc: "Lisa <lisa at example.com>",
+     subject: "testReplyToSelfReplyAll - reply to self",
+     clobberHeaders: {
+-      "Bcc": "Moe <moe at example.com>"
++      "Bcc": "Moe <moe at example.com>",
++      "Reply-To": "Flanders <flanders at example.com>"
+     }
+   });
+   add_message_to_folder(folder, msg0);
+@@ -696,11 +702,13 @@
+     // To: original To
+     // Cc: original Cc (auto-Ccs would have been included here already)
+     // Bcc: original Bcc
++    // Reply-To: original Reply-To
+     {
+       "addr_to": ["Bart <bart at example.com>",
+                   "Maggie <maggie at example.com>"],
+       "addr_cc": ["Lisa <lisa at example.com>"],
+-      "addr_bcc": ["Moe <moe at example.com>"]
++      "addr_bcc": ["Moe <moe at example.com>"],
++      "addr_reply": ["Flanders <flanders at example.com>"]
+     }
+   );
+   stopUsingAutoCc(identity);
+@@ -715,7 +723,10 @@
+     from: myEmail,
+     to: myEmail2 + ", barney at example.com",
+     cc: "Lisa <lisa at example.com>",
+-    subject: "testReplyToOtherIdentity - reply to other identity"
++    subject: "testReplyToOtherIdentity - reply to other identity",
++    clobberHeaders: {
++      "Reply-To": "secretary at example.com"
++    }
+   });
+   add_message_to_folder(folder, msg0);
+ 
+@@ -726,11 +737,11 @@
+   ensureNoAutoCc(identity);
+   checkReply(
+     open_compose_with_reply_to_all,
+-    // To: from + to (except me)
++    // To: from + to (except me2)
+     // Cc: original Cc
+     // 
+     {
+-      "addr_to": [myEmail, "barney at example.com"],
++      "addr_to": ["secretary at example.com", "barney at example.com"],
+       "addr_cc": ["Lisa <lisa at example.com>"]
+     }
+   );
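Review bot: The updated comment `// To: from + to (except me2)` does not match the expectation below it. The first `addr_to` entry is now the Reply-To address set in `clobberHeaders`, not the From address. Suggest `// To: Reply-To + to (except me2)`, and dropping the empty `//` line that follows or using it to note that Reply-To replaces From. The enclosing test function starts outside this hunk.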
+@@ -825,3 +836,28 @@
+   stopUsingAutoCc(identity);
+ }
+ 
++/**
++ * Tests that addresses get set properly when doing a reply where To=From
++ * and a Reply-To exists.
++ */
++function testToFromWithReplyTo() {
++  let msg0 = create_message({
++    from: myEmail,
++    to: myEmail,
++    subject: "testToFromWithReplyTo - To=From w/ Reply-To set",
++    clobberHeaders: { "Reply-To": "Flanders <flanders at example.com>" }
++  });
++  add_message_to_folder(folder, msg0);
++
++  be_in_folder(folder);
++  let msg = select_click_row(i++);
++  assert_selected_and_displayed(mc, msg);
++
++  ensureNoAutoCc(identity);
++  checkReply(
++    open_compose_with_reply,
++    // To: Reply-To
++    {"addr_to": ["Flanders <flanders at example.com>"]}
++  );
++}
++
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/composition/test-send-button.js seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/composition/test-send-button.js
+--- seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/composition/test-send-button.js	2014-02-10 01:12:11.780950257 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/composition/test-send-button.js	2014-02-10 01:13:30.544563182 +0400
+@@ -25,7 +25,7 @@
+ 
+   // Ensure we're in the tinderbox account as that has the right identities set
+   // up for this test.
+-  let server = MailServices.accounts.FindServer("tinderbox", "tinderbox", "pop3");
++  let server = MailServices.accounts.FindServer("tinderbox", FAKE_SERVER_HOSTNAME, "pop3");
+   account = MailServices.accounts.FindAccountForServer(server);
+   let inbox = server.rootFolder.getChildNamed("Inbox");
+   be_in_folder(inbox);
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/composition/test-signature-updating.js seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/composition/test-signature-updating.js
+--- seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/composition/test-signature-updating.js	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/composition/test-signature-updating.js	2014-02-10 01:13:30.545563164 +0400
+@@ -37,7 +37,7 @@
+ 
+   // Ensure we're in the tinderbox account as that has the right identities set
+   // up for this test.
+-  let server = MailServices.accounts.FindServer("tinderbox", "tinderbox", "pop3");
++  let server = MailServices.accounts.FindServer("tinderbox", FAKE_SERVER_HOSTNAME, "pop3");
+   let inbox = server.rootFolder.getChildNamed("Inbox");
+   be_in_folder(inbox);
+ };
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/folder-pane/test-folder-pane.js seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/folder-pane/test-folder-pane.js
+--- seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/folder-pane/test-folder-pane.js	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/folder-pane/test-folder-pane.js	2014-02-10 01:13:30.545563164 +0400
+@@ -44,7 +44,7 @@
+   // creating the folder object via RDF, setting the flag, and then
+   // creating the storage, which sends the notification.
+   let pop3Server = MailServices.accounts
+-                    .FindServer("tinderbox", "tinderbox", "pop3");
++                    .FindServer("tinderbox", FAKE_SERVER_HOSTNAME, "pop3");
+   let rdfService = Cc['@mozilla.org/rdf/rdf-service;1']
+                      .getService(Ci.nsIRDFService);
+   folder = rdfService.GetResource(pop3Server.rootFolder.URI + "/Archives").
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/folder-tree-modes/test-custom-folder-tree-mode.js seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/folder-tree-modes/test-custom-folder-tree-mode.js
+--- seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/folder-tree-modes/test-custom-folder-tree-mode.js	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/folder-tree-modes/test-custom-folder-tree-mode.js	2014-02-10 01:13:30.545563164 +0400
+@@ -29,7 +29,7 @@
+  * Switch to the mode and verify that it displays correctly.
+  */
+ function test_switch_to_test_mode() {
+-  let server = MailServices.accounts.FindServer("tinderbox", "tinderbox", "pop3");
++  let server = MailServices.accounts.FindServer("tinderbox", FAKE_SERVER_HOSTNAME, "pop3");
+   folder = server.rootFolder.getChildNamed("Inbox");
+ 
+   mc.folderTreeView.mode = kTestModeID;
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/folder-tree-modes/test-extension/chrome/content/overlay.js seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/folder-tree-modes/test-extension/chrome/content/overlay.js
+--- seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/folder-tree-modes/test-extension/chrome/content/overlay.js	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/folder-tree-modes/test-extension/chrome/content/overlay.js	2014-02-10 01:13:30.545563164 +0400
+@@ -9,7 +9,7 @@
+      __proto__: IFolderTreeMode,
+      generateMap: function testFolderTreeMode_generateMap(aFTV) {
+        // Pick the tinderbox at foo.invalid inbox and use it as the only folder
+-       let server = MailServices.accounts.FindServer("tinderbox", "tinderbox", "pop3");
++       let server = MailServices.accounts.FindServer("tinderbox", "tinderbox123", "pop3");
+        let item = new ftvItem(server.rootFolder.getChildNamed("Inbox"));
+        item.__defineGetter__("children", function () []);
+        return [item];
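Review bot: The literal `"tinderbox123"` in `generateMap` duplicates the value that the other tests in this patch read from `FAKE_SERVER_HOSTNAME`, so a later hostname change in runtest.py would leave this overlay looking up a server that no longer exists. If the shared constant cannot be reached from the test extension, a comment on that line such as `// must match mail.server.server2.hostname in runtest.py` would keep the coupling visible. The object literal containing `generateMap` continues outside the hunk.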
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/folder-tree-modes/test-smart-folders.js seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/folder-tree-modes/test-smart-folders.js
+--- seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/folder-tree-modes/test-smart-folders.js	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/folder-tree-modes/test-smart-folders.js	2014-02-10 01:13:30.545563164 +0400
+@@ -154,7 +154,7 @@
+   // create a smart Archives folder.
+   select_click_row(0);
+   archive_selected_messages();
+-  let pop3Server = MailServices.accounts.FindServer("tinderbox", "tinderbox", "pop3");
++  let pop3Server = MailServices.accounts.FindServer("tinderbox", FAKE_SERVER_HOSTNAME, "pop3");
+   let pop3Inbox = pop3Server.rootFolder.getChildNamed("Inbox");
+   make_new_sets_in_folder(pop3Inbox, [{count: 1}]);
+   mc.folderTreeView.selectFolder(pop3Inbox);
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/runtest.py seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/runtest.py
+--- seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/runtest.py	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/runtest.py	2014-02-10 01:13:30.565562815 +0400
+@@ -173,7 +173,7 @@
+         'mail.server.server2.check_new_mail' :  False,
+         'mail.server.server2.directory-rel' :  "[ProfD]Mail/tinderbox",
+         'mail.server.server2.download_on_biff' :  True,
+-        'mail.server.server2.hostname' :  "tinderbox",
++        'mail.server.server2.hostname' :  "tinderbox123",
+         'mail.server.server2.login_at_startup' :  False,
+         'mail.server.server2.name' :  "tinderbox at foo.invalid",
+         'mail.server.server2.type' :  "pop3",
+@@ -184,7 +184,7 @@
+         'mail.server.server3.type' :  "im",
+         'mail.server.server3.userName' :  "mozmilltest at irc.mozilla.invalid",
+         'mail.smtp.defaultserver' :  "smtp1",
+-        'mail.smtpserver.smtp1.hostname' :  "tinderbox",
++        'mail.smtpserver.smtp1.hostname' :  "tinderbox123",
+         'mail.smtpserver.smtp1.username' :  "tinderbox",
+         'mail.smtpservers' :  "smtp1",
+         'messenger.account.account1.autoLogin' :  False,
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/shared-modules/test-folder-display-helpers.js seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/shared-modules/test-folder-display-helpers.js
+--- seamonkey-2.21-esr2.0/comm-release/mail/test/mozmill/shared-modules/test-folder-display-helpers.js	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/test/mozmill/shared-modules/test-folder-display-helpers.js	2014-02-10 01:13:30.565562815 +0400
+@@ -44,6 +44,11 @@
+ ];
+ 
+ /**
++ * Server hostname as set in runtest.py
++ */
++const FAKE_SERVER_HOSTNAME = 'tinderbox123';
++
++/**
+  * List of keys not to export via installInto; values do not matter, we just
+  *  use true.
+  */
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/testsuite-targets.mk seamonkey-2.21-esr3.0/comm-release/mail/testsuite-targets.mk
+--- seamonkey-2.21-esr2.0/comm-release/mail/testsuite-targets.mk	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/testsuite-targets.mk	2014-02-10 01:13:30.565562815 +0400
+@@ -66,9 +66,6 @@
+ 	@rm -f "$(DIST)/$(PKG_PATH)$(TEST_PACKAGE)"
+ ifndef UNIVERSAL_BINARY
+ 	$(NSINSTALL) -D $(DIST)/$(PKG_PATH)
+-else
+-	#building tests.jar (bug 543800) fails on unify, so we build tests.jar after unify is run
+-	$(MAKE) -C $(DEPTH)/mozilla/testing/mochitest stage-chromejar PKG_STAGE=$(DIST)/universal
+ endif
+ 	cd $(PKG_STAGE) && \
+ 	  zip -r9D "$(call core_abspath,$(DIST)/$(PKG_PATH)$(TEST_PACKAGE))" \
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/themes/linux/mail/accountCreation.css seamonkey-2.21-esr3.0/comm-release/mail/themes/linux/mail/accountCreation.css
+--- seamonkey-2.21-esr2.0/comm-release/mail/themes/linux/mail/accountCreation.css	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/themes/linux/mail/accountCreation.css	2014-02-10 01:13:30.565562816 +0400
+@@ -211,7 +211,7 @@
+ }
+ 
+ #status_area[status=loading] #status_img_after {
+-  background: url("chrome://global/skin/icons/loading_16.png") no-repeat;
++  background: url("chrome://messenger/skin/icons/loading.png") no-repeat;
+   width: 16px;
+   height: 16px;
+ }
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/themes/linux/mail/browserRequest.css seamonkey-2.21-esr3.0/comm-release/mail/themes/linux/mail/browserRequest.css
+--- seamonkey-2.21-esr2.0/comm-release/mail/themes/linux/mail/browserRequest.css	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/themes/linux/mail/browserRequest.css	2014-02-10 01:13:30.565562816 +0400
+@@ -19,7 +19,7 @@
+ }
+ 
+ #security-button[loading="true"] {
+-  background-image: url("chrome://global/skin/icons/loading_16.png");
++  background-image: url("chrome://messenger/skin/icons/loading.png");
+   background-position: 4px 2px;
+ }
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/themes/linux/mail/messenger.css seamonkey-2.21-esr3.0/comm-release/mail/themes/linux/mail/messenger.css
+--- seamonkey-2.21-esr2.0/comm-release/mail/themes/linux/mail/messenger.css	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/themes/linux/mail/messenger.css	2014-02-10 01:13:30.565562816 +0400
+@@ -79,7 +79,7 @@
+ }
+ 
+ #throbber-box[busy="true"] {
+-  list-style-image: url("chrome://global/skin/icons/loading_16.png");
++  list-style-image: url("chrome://messenger/skin/icons/loading.png");
+ }
+ 
+ #throbber-box,
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/themes/linux/mail/preferences/applications.css seamonkey-2.21-esr3.0/comm-release/mail/themes/linux/mail/preferences/applications.css
+--- seamonkey-2.21-esr2.0/comm-release/mail/themes/linux/mail/preferences/applications.css	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/themes/linux/mail/preferences/applications.css	2014-02-10 01:13:30.565562816 +0400
+@@ -73,7 +73,7 @@
+  */
+ .cloudfileAccount[state="connecting"],
+ .cloudfileAccount[state="waiting-to-connect"] {
+-  list-style-image: url("chrome://global/skin/icons/loading_16.png") !important;
++  list-style-image: url("chrome://messenger/skin/icons/loading.png") !important;
+ }
+ 
+ .cloudfileAccount[state="auth-error"],
+@@ -106,5 +106,5 @@
+ #cloudFileLoadingSpinner {
+   width: 16px;
+   height: 16px;
+-  list-style-image: url("chrome://global/skin/icons/loading_16.png");
++  list-style-image: url("chrome://messenger/skin/icons/loading.png");
+ }
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/themes/linux/mail/tabmail.css seamonkey-2.21-esr3.0/comm-release/mail/themes/linux/mail/tabmail.css
+--- seamonkey-2.21-esr2.0/comm-release/mail/themes/linux/mail/tabmail.css	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/themes/linux/mail/tabmail.css	2014-02-10 01:13:30.565562816 +0400
+@@ -171,7 +171,7 @@
+ }
+ 
+ .tab-throbber {
+-  list-style-image: url("chrome://global/skin/icons/loading_16.png") !important;
++  list-style-image: url("chrome://messenger/skin/icons/loading.png") !important;
+   -moz-image-region: auto !important;
+ }
+ 
+@@ -264,7 +264,7 @@
+ }
+ 
+ .alltabs-item[busy] {
+-  list-style-image: url("chrome://global/skin/icons/loading_16.png") !important;
++  list-style-image: url("chrome://messenger/skin/icons/loading.png") !important;
+   -moz-image-region: auto !important;
+ }
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/themes/osx/jar.mn seamonkey-2.21-esr3.0/comm-release/mail/themes/osx/jar.mn
+--- seamonkey-2.21-esr2.0/comm-release/mail/themes/osx/jar.mn	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/themes/osx/jar.mn	2014-02-10 01:13:30.596562272 +0400
+@@ -242,6 +242,7 @@
+   skin/classic/messenger/icons/status-small at 2x.png               (mail/icons/status-small at 2x.png)
+   skin/classic/messenger/icons/connecting.png                         (mail/icons/connecting.png)
+   skin/classic/messenger/icons/loading.png                            (mail/icons/loading.png)
++  skin/classic/messenger/icons/loading at 2x.png                    (mail/icons/loading at 2x.png)
+   skin/classic/messenger/tabs/alltabs-box-bkgnd-icon.png              (mail/tabs/alltabs-box-bkgnd-icon.png)
+   skin/classic/messenger/tabs/alltabs-box-bkgnd-icon at 2x.png           (mail/tabs/alltabs-box-bkgnd-icon at 2x.png)
+   skin/classic/messenger/tabs/alltabs-box-overflow-bkgnd-animate.png  (mail/tabs/alltabs-box-overflow-bkgnd-animate.png)
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/themes/osx/mail/accountCreation.css seamonkey-2.21-esr3.0/comm-release/mail/themes/osx/mail/accountCreation.css
+--- seamonkey-2.21-esr2.0/comm-release/mail/themes/osx/mail/accountCreation.css	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/themes/osx/mail/accountCreation.css	2014-02-10 01:13:30.596562272 +0400
+@@ -204,11 +204,16 @@
+ }
+ 
+ #status_area[status=loading] #status_img_after {
+-  background: url("chrome://global/skin/icons/loading_16.png") no-repeat;
++  background: url("chrome://messenger/skin/icons/loading.png") no-repeat;
+   width: 16px;
+   height: 16px;
+ }
+ 
++ at media (min-resolution: 2dppx) {
++  #status_area[status=loading] #status_img_after {
++    background: url("chrome://messenger/skin/icons/loading@2x.png") no-repeat;
++  }
++}
+ 
+ /* Missing:
+  * .menulist-dropmarker[disabled="true"]
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/themes/osx/mail/browserRequest.css seamonkey-2.21-esr3.0/comm-release/mail/themes/osx/mail/browserRequest.css
+--- seamonkey-2.21-esr2.0/comm-release/mail/themes/osx/mail/browserRequest.css	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/themes/osx/mail/browserRequest.css	2014-02-10 01:13:30.596562272 +0400
+@@ -19,9 +19,16 @@
+ }
+ 
+ #security-button[loading="true"] {
+-  background-image: url("chrome://global/skin/icons/loading_16.png");
++  background-image: url("chrome://messenger/skin/icons/loading.png");
+   background-position: 4px 3px;
+ }
++
++ at media (min-resolution: 2ddpx) {
++  #security-button[loading="true"] {
++    background-image: url("chrome://messenger/skin/icons/loading@2x.png");
++  }
++}
++
+ /*
+ #header {
+   overflow: hidden;
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/themes/osx/mail/messenger.css seamonkey-2.21-esr3.0/comm-release/mail/themes/osx/mail/messenger.css
+--- seamonkey-2.21-esr2.0/comm-release/mail/themes/osx/mail/messenger.css	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/themes/osx/mail/messenger.css	2014-02-10 01:13:30.596562272 +0400
+@@ -57,13 +57,19 @@
+ }
+ 
+ #throbber-box[busy="true"] {
+-  list-style-image: url("chrome://global/skin/icons/loading_16.png");
++  list-style-image: url("chrome://messenger/skin/icons/loading.png");
+ }
+ 
+ #wrapper-throbber-box > #throbber-box {
+   list-style-image: url("chrome://global/skin/icons/notloading_16.png");
+ }
+ 
++ at media (min-resolution: 2dppx) {
++  #wrapper-throbber-box > #throbber-box {
++    list-style-image: url("chrome://messenger/skin/icons/loading@2x.png");
++  }
++}
++
+ /* ::::: online/offline icons ::::: */
+ 
+ #offline-status[offline="true"] {
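Review bot: The added high-resolution rule targets `#wrapper-throbber-box > #throbber-box`, which at 1x is given `notloading_16.png`, while the busy state `#throbber-box[busy="true"]` gets no 2x variant. This looks like the wrong selector: on a HiDPI display the idle palette throbber would show the loading image and the busy throbber would stay at 1x. If the busy state was intended, the selector inside the media block should be `#throbber-box[busy="true"]`.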
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/themes/osx/mail/preferences/applications.css seamonkey-2.21-esr3.0/comm-release/mail/themes/osx/mail/preferences/applications.css
+--- seamonkey-2.21-esr2.0/comm-release/mail/themes/osx/mail/preferences/applications.css	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/themes/osx/mail/preferences/applications.css	2014-02-10 01:13:30.596562272 +0400
+@@ -75,7 +75,7 @@
+  */
+ .cloudfileAccount[state="connecting"],
+ .cloudfileAccount[state="waiting-to-connect"] {
+-  list-style-image: url("chrome://global/skin/icons/loading_16.png") !important;
++  list-style-image: url("chrome://messenger/skin/icons/loading.png") !important;
+ }
+ 
+ .cloudfileAccount[state="auth-error"],
+@@ -108,5 +108,13 @@
+ #cloudFileLoadingSpinner {
+   width: 16px;
+   height: 16px;
+-  list-style-image: url("chrome://global/skin/icons/loading_16.png");
++  list-style-image: url("chrome://messenger/skin/icons/loading.png");
++}
++
++ at media (min-resolution: 2dppx) {
++  .cloudfileAccount[state="connecting"],
++  .cloudfileAccount[state="waiting-to-connect"],
++  #cloudFileLoadingSpinner  {
++    list-style-image: url("chrome://messenger/skin/icons/loading@2x.png") !important;
++  }
+ }
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/themes/osx/mail/tabmail.css seamonkey-2.21-esr3.0/comm-release/mail/themes/osx/mail/tabmail.css
+--- seamonkey-2.21-esr2.0/comm-release/mail/themes/osx/mail/tabmail.css	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/themes/osx/mail/tabmail.css	2014-02-10 01:13:30.596562272 +0400
+@@ -20,7 +20,8 @@
+ }
+ 
+ .tab-throbber {
+-  list-style-image: url("chrome://global/skin/icons/loading_16.png") !important;
++  list-style-image: url("chrome://messenger/skin/icons/loading.png") !important;
++  -moz-image-region: auto !important;
+ }
+ 
+ .tabmail-tab:not(:hover):not([selected="true"]) > .tab-stack > .tab-content > .tab-icon-image {
+@@ -105,6 +106,10 @@
+ }
+ 
+ @media (min-resolution: 2dppx) {
++  .tab-throbber {
++    list-style-image: url("chrome://messenger/skin/icons/loading@2x.png") !important;
++  }
++  
+   .tabmail-tab:hover > .tab-stack > .tab-background:not([selected=true]) {
+     background-image: url(tabs/tabHoverStart at 2x.png),
+                       url(tabs/tabHoverMiddle at 2x.png),
+@@ -414,7 +419,8 @@
+ }
+ 
+ .alltabs-item[busy] {
+-  list-style-image: url("chrome://global/skin/icons/loading_16.png") !important;
++  list-style-image: url("chrome://messenger/skin/icons/loading.png") !important;
++  -moz-image-region: auto !important;
+ }
+ 
+ .tabs-closebutton {
+@@ -444,6 +450,10 @@
+     height: 16px;
+   }
+ 
++  alltabs-item[busy] {
++    list-style-image: url("chrome://messenger/skin/icons/loading@2x.png") !important;
++  }
++
+   .tab-close-button,
+   .tabs-closebutton {
+     list-style-image: url("chrome://global/skin/icons/close@2x.png") !important;
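Review bot: The selector `alltabs-item[busy]` added in the high-resolution block lacks its leading dot, so it matches an element named `alltabs-item` rather than the `.alltabs-item` class used by the 1x rule earlier in this file. As written, the `loading@2x.png` override would not reach busy entries in the all-tabs list. It should be `.alltabs-item[busy] {`. The enclosing media block opens outside this hunk.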
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/themes/windows/mail/accountCreation.css seamonkey-2.21-esr3.0/comm-release/mail/themes/windows/mail/accountCreation.css
+--- seamonkey-2.21-esr2.0/comm-release/mail/themes/windows/mail/accountCreation.css	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/themes/windows/mail/accountCreation.css	2014-02-10 01:13:30.851557810 +0400
+@@ -224,7 +224,7 @@
+ }
+ 
+ #status_area[status=loading] #status_img_after {
+-  background: url("chrome://global/skin/icons/loading_16.png") no-repeat;
++  background: url("chrome://messenger/skin/icons/loading.png") no-repeat;
+   width: 16px;
+   height: 16px;
+ }
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/themes/windows/mail/browserRequest.css seamonkey-2.21-esr3.0/comm-release/mail/themes/windows/mail/browserRequest.css
+--- seamonkey-2.21-esr2.0/comm-release/mail/themes/windows/mail/browserRequest.css	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/themes/windows/mail/browserRequest.css	2014-02-10 01:13:30.851557810 +0400
+@@ -18,7 +18,7 @@
+ }
+ 
+ #security-button[loading="true"] {
+-  background-image: url("chrome://global/skin/icons/loading_16.png");
++  background-image: url("chrome://messenger/skin/icons/loading.png");
+   background-position: 4px 2px;
+ }
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/themes/windows/mail/messenger.css seamonkey-2.21-esr3.0/comm-release/mail/themes/windows/mail/messenger.css
+--- seamonkey-2.21-esr2.0/comm-release/mail/themes/windows/mail/messenger.css	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/themes/windows/mail/messenger.css	2014-02-10 01:13:30.851557810 +0400
+@@ -60,7 +60,7 @@
+ }
+ 
+ #throbber-box[busy="true"] {
+-  list-style-image: url("chrome://global/skin/icons/loading_16.png");
++  list-style-image: url("chrome://messenger/skin/icons/loading.png");
+ }
+ 
+ #throbber-box,
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/themes/windows/mail/preferences/applications.css seamonkey-2.21-esr3.0/comm-release/mail/themes/windows/mail/preferences/applications.css
+--- seamonkey-2.21-esr2.0/comm-release/mail/themes/windows/mail/preferences/applications.css	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/themes/windows/mail/preferences/applications.css	2014-02-10 01:13:30.851557810 +0400
+@@ -72,7 +72,7 @@
+ 
+ .cloudfileAccount[state="connecting"],
+ .cloudfileAccount[state="waiting-to-connect"] {
+-  list-style-image: url("chrome://global/skin/icons/loading_16.png") !important;
++  list-style-image: url("chrome://messenger/skin/icons/loading.png") !important;
+ }
+ 
+ .cloudfileAccount[state="auth-error"],
+@@ -105,5 +105,5 @@
+ #cloudFileLoadingSpinner {
+   width: 16px;
+   height: 16px;
+-  list-style-image: url("chrome://global/skin/icons/loading_16.png");
++  list-style-image: url("chrome://messenger/skin/icons/loading.png");
+ }
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mail/themes/windows/mail/tabmail.css seamonkey-2.21-esr3.0/comm-release/mail/themes/windows/mail/tabmail.css
+--- seamonkey-2.21-esr2.0/comm-release/mail/themes/windows/mail/tabmail.css	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mail/themes/windows/mail/tabmail.css	2014-02-10 01:13:30.851557810 +0400
+@@ -146,7 +146,7 @@
+ 
+ .tabmail-tab[busy],
+ .tabmail-tab[thinking] {
+-  list-style-image: url("chrome://global/skin/icons/loading_16.png") !important;
++  list-style-image: url("chrome://messenger/skin/icons/loading.png") !important;
+   -moz-image-region: auto !important;
+ }
+ 
+@@ -390,7 +390,7 @@
+ }
+ 
+ .alltabs-item[busy] {
+-  list-style-image: url("chrome://global/skin/icons/loading_16.png") !important;
++  list-style-image: url("chrome://messenger/skin/icons/loading.png") !important;
+ }
+ 
+ /* Content Tabs */
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mailnews/addrbook/test/unit/test_basic_nsIAbDirectory.js seamonkey-2.21-esr3.0/comm-release/mailnews/addrbook/test/unit/test_basic_nsIAbDirectory.js
+--- seamonkey-2.21-esr2.0/comm-release/mailnews/addrbook/test/unit/test_basic_nsIAbDirectory.js	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mailnews/addrbook/test/unit/test_basic_nsIAbDirectory.js	2014-02-10 01:13:30.851557810 +0400
+@@ -107,9 +107,4 @@
+ 
+   // Check the default collected address book
+   check_ab(kCABData);
+-
+-  // Check the OS X Address Book if available
+-  if ("@mozilla.org/rdf/resource-factory;1?name=moz-abosxdirectory" in
+-      Components.classes)
+-    check_ab(kOSXData);
+ };
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mailnews/addrbook/test/unit/test_bug534822.js seamonkey-2.21-esr3.0/comm-release/mailnews/addrbook/test/unit/test_bug534822.js
+--- seamonkey-2.21-esr2.0/comm-release/mailnews/addrbook/test/unit/test_bug534822.js	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mailnews/addrbook/test/unit/test_bug534822.js	2014-02-10 01:13:30.851557810 +0400
+@@ -27,10 +27,6 @@
+     { name: kCABData.dirName, result: false }
+   ];
+ 
+-  // Check the OS X Address Book if available
+-  if ("@mozilla.org/rdf/resource-factory;1?name=moz-abosxdirectory" in Cc)
+-    results.push({ name: kOSXData.dirName, result: false });
+-
+   while (dirs.hasMoreElements()) {
+     let dir = dirs.getNext().QueryInterface(Ci.nsIAbDirectory);
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mailnews/addrbook/test/unit/test_nsAbManager2.js seamonkey-2.21-esr3.0/comm-release/mailnews/addrbook/test/unit/test_nsAbManager2.js
+--- seamonkey-2.21-esr2.0/comm-release/mailnews/addrbook/test/unit/test_nsAbManager2.js	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mailnews/addrbook/test/unit/test_nsAbManager2.js	2014-02-10 01:13:31.072553949 +0400
+@@ -116,11 +116,6 @@
+ 
+   var expectedABs = [kPABData.URI, kCABData.URI];
+ 
+-  // Check the OS X Address Book if available
+-  if ("@mozilla.org/addressbook/directory;1?type=moz-abosxdirectory" in
+-      Components.classes)
+-    expectedABs.push(kOSXData.URI);
+-
+   // Test - Check initial directories
+ 
+   checkDirs(MailServices.ab.directories, expectedABs);
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mailnews/base/content/retention.js seamonkey-2.21-esr3.0/comm-release/mailnews/base/content/retention.js
+--- seamonkey-2.21-esr2.0/comm-release/mailnews/base/content/retention.js	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mailnews/base/content/retention.js	2014-02-10 01:13:31.072553949 +0400
+@@ -9,7 +9,6 @@
+ {
+   document.getElementById("retention.keepUnread").checked =  retentionSettings.keepUnreadMessagesOnly;
+   document.getElementById("retention.keepMsg").value = retentionSettings.retainByPreference;
+-  if(retentionSettings.daysToKeepHdrs > 0)
+     document.getElementById("retention.keepOldMsgMin").value =
+     (retentionSettings.daysToKeepHdrs > 0) ? retentionSettings.daysToKeepHdrs : 30;
+   document.getElementById("retention.keepNewMsgMin").value =
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mailnews/base/prefs/content/am-offline.js seamonkey-2.21-esr3.0/comm-release/mailnews/base/prefs/content/am-offline.js
+--- seamonkey-2.21-esr2.0/comm-release/mailnews/base/prefs/content/am-offline.js	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mailnews/base/prefs/content/am-offline.js	2014-02-10 01:13:31.072553949 +0400
+@@ -50,26 +50,22 @@
+   
+ function initRetentionSettings()
+ {
+-    var retentionSettings =  gIncomingServer.retentionSettings; 
++  let retentionSettings = gIncomingServer.retentionSettings;
+     initCommonRetentionSettings(retentionSettings);
+ 
+     document.getElementById("nntp.removeBody").checked =  retentionSettings.cleanupBodiesByDays;
+-    if(retentionSettings.daysToKeepBodies > 0)
+-        document.getElementById("nntp.removeBodyMin").setAttribute("value", retentionSettings.daysToKeepBodies);
+-    else
+-        document.getElementById("nntp.removeBodyMin").setAttribute("value", "30");
++  document.getElementById("nntp.removeBodyMin").value =
++    (retentionSettings.daysToKeepBodies > 0) ? retentionSettings.daysToKeepBodies : 30;
+ }
+ 
+-
+ function initDownloadSettings()
+ {
+-    var downloadSettings =  gIncomingServer.downloadSettings;
++  let downloadSettings = gIncomingServer.downloadSettings;
+     document.getElementById("nntp.downloadMsg").checked = downloadSettings.downloadByDate;
+     document.getElementById("nntp.notDownloadRead").checked = downloadSettings.downloadUnreadOnly;
+-    if(downloadSettings.ageLimitOfMsgsToDownload > 0)
+-        document.getElementById("nntp.downloadMsgMin").setAttribute("value", downloadSettings.ageLimitOfMsgsToDownload);
+-    else
+-        document.getElementById("nntp.downloadMsgMin").setAttribute("value", "30");
++  document.getElementById("nntp.downloadMsgMin").value =
++    (downloadSettings.ageLimitOfMsgsToDownload > 0) ?
++      downloadSettings.ageLimitOfMsgsToDownload : 30;
+  
+   // Figure out what the most natural division of the autosync pref into
+   // a value and an interval is.
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mailnews/base/test/unit/test_nsMsgDBView.js seamonkey-2.21-esr3.0/comm-release/mailnews/base/test/unit/test_nsMsgDBView.js
+--- seamonkey-2.21-esr2.0/comm-release/mailnews/base/test/unit/test_nsMsgDBView.js	2013-09-16 22:20:09.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mailnews/base/test/unit/test_nsMsgDBView.js	2014-02-10 01:13:31.073553930 +0400
+@@ -11,6 +11,7 @@
+ 
+ load("../../../resources/logHelper.js");
+ load("../../../resources/asyncTestUtils.js");
++load("../../../resources/abSetup.js");
+ 
+ load("../../../resources/messageGenerator.js");
+ load("../../../resources/messageModifier.js");
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mailnews/compose/src/nsMsgCompose.cpp seamonkey-2.21-esr3.0/comm-release/mailnews/compose/src/nsMsgCompose.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mailnews/compose/src/nsMsgCompose.cpp	2014-02-10 01:12:09.666987560 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mailnews/compose/src/nsMsgCompose.cpp	2014-02-10 01:25:45.340431543 +0400
+@@ -2452,6 +2452,7 @@
+       nsAutoString from;
+       nsAutoString to;
+       nsAutoString cc;
++      nsAutoString bcc;
+       nsAutoString replyTo;
+       nsAutoString mailReplyTo;
+       nsAutoString mailFollowupTo;
+@@ -2481,6 +2482,9 @@
+       mHeaders->ExtractHeader(HEADER_CC, true, outCString);
+       ConvertRawBytesToUTF16(outCString, charset.get(), cc);
+ 
++      mHeaders->ExtractHeader(HEADER_BCC, true, outCString);
++      ConvertRawBytesToUTF16(outCString, charset.get(), bcc);
++
+       mHeaders->ExtractHeader(HEADER_MAIL_FOLLOWUP_TO, true, outCString);
+       ConvertRawBytesToUTF16(outCString, charset.get(), mailFollowupTo);
+ 
+@@ -2596,8 +2600,10 @@
+           if (curIdentityEmail.Equals(fromEmailAddress))
+           {
+             isReplyToSelf = true;
+-            // For a true reply-to-self, none of your OTHER identities are
+-            // in To or CC.
++            // For a true reply-to-self, NONE of your identities are normally in
++            // To or CC. If you auto-Cc yourself it could be in Cc - but we
++            // can't detect this case 100%, so lets just treat it like a normal
++            // reply.
+             for (uint32_t j = 0; j < count; j++)
+             {
+               nsCOMPtr<nsIMsgIdentity> lookupIdentity2;
+@@ -2606,9 +2612,6 @@
+               if (NS_FAILED(rv))
+                 continue;
+ 
+-              if (lookupIdentity == lookupIdentity2)
+-                continue;
+-
+               nsCString curIdentityEmail2;
+               lookupIdentity2->GetEmail(curIdentityEmail2);
+               if (toEmailAddresses.Find(curIdentityEmail2) != kNotFound ||
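Review bot: With the `lookupIdentity == lookupIdentity2` skip removed, the sender's own identity now also goes through `toEmailAddresses.Find(curIdentityEmail2) != kNotFound`, which is a substring search over the recipient string, not a comparison of whole addresses. An identity address contained in a longer recipient address would count as a hit (constructed example: `bob@example.org` inside `notbob@example.org`), and an identity with an empty address would presumably match any recipient list. The effect of a hit is outside the hunk, but it appears to feed `isReplyToSelf`, which the later hunks use to decide whether Bcc and Reply-To are copied into the reply. Comparing against the individually parsed recipient addresses would be more reliable; at minimum add a comment such as `// Find() is a substring match, not an address comparison`.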
+@@ -2629,6 +2632,7 @@
+         if (isReplyToSelf)
+         {
+           compFields->SetTo(to);
++          compFields->SetReplyTo(replyTo);
+         }
+         else if (!mailReplyTo.IsEmpty())
+         {
+@@ -2652,6 +2656,8 @@
+         {
+           compFields->SetTo(to);
+          compFields->SetCc(cc);
++          compFields->SetBcc(bcc);
++          compFields->SetReplyTo(replyTo);
+         }
+         else if (mailFollowupTo.IsEmpty()) {
+           // default behaviour for messages without Mail-Followup-To
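Review bot: The added `compFields->SetBcc(bcc);` copies the original message's Bcc recipients into the reply without a comment saying why that is acceptable in this branch. The explanation that sat next to the old code ("can be known if replying from the Sent folder") is deleted in the following hunk. The condition guarding this block is outside the hunk, presumably the reply-to-self case. A comment would keep a later edit from widening the branch and exposing blind-copy recipients, for example `// Reply-to-self only: Bcc is known when replying to our own sent copy; never carry it into replies to others.`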
+@@ -2689,24 +2695,9 @@
+ 
+           // If Cc is set a this point it's auto-Ccs, so we'll just keep those.
+         }
+-
+-        // Preserve BCC for the reply-to-self case (can be known if replying
+-        // from the Sent folder).
+-        mHeaders->ExtractHeader(HEADER_BCC, true, outCString);
+-        if (!outCString.IsEmpty())
+-        {
+-          nsAutoString bcc;
+-          ConvertRawBytesToUTF16(outCString, charset.get(), bcc);
+-          compFields->SetBcc(bcc);
+-        }
+       }
+       else if (type == nsIMsgCompType::ReplyToList)
+       {
+-        if (isReplyToSelf)
+-        {
+-          compFields->SetTo(to);
+-        }
+-        else {
+           mHeaders->ExtractHeader(HEADER_LIST_POST, true, outCString);
+           if (!outCString.IsEmpty())
+             mMimeConverter->DecodeMimeHeader(outCString.get(), charset.get(),
+@@ -2725,7 +2716,6 @@
+             }
+           }
+         }
+-      }
+ 
+       if (!newgroups.IsEmpty())
+       {
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mailnews/test/resources/abSetup.js seamonkey-2.21-esr3.0/comm-release/mailnews/test/resources/abSetup.js
+--- seamonkey-2.21-esr2.0/comm-release/mailnews/test/resources/abSetup.js	2013-09-16 22:20:10.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mailnews/test/resources/abSetup.js	2014-02-10 01:13:31.074553910 +0400
+@@ -37,21 +37,12 @@
+   position: 2
+ };
+ 
+-// Mac OSX Address Book configurations items
+-var kOSXData =
+-{
+-  URI: "moz-abosxdirectory:///",
+-  fileName: "",
+-  dirName: "Mac OS X Address Book",
+-  dirType: 3,
+-  dirPrefID: "ldap_2.servers.osx",
+-  readOnly: true,
+-  position: 1
+-};
+-
+ // Windows (Outlook Express) Address Book deactivation. (Bug 448859)
+ Services.prefs.deleteBranch("ldap_2.servers.oe.");
+ 
++// OSX Address Book deactivation (Bug 955842)
++Services.prefs.deleteBranch("ldap_2.servers.osx.");
++
+ // This currently applies to all address books of local type.
+ const kNormalPropertiesURI =
+   "chrome://messenger/content/addressbook/abAddressBookNameDialog.xul";
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/browser/app/blocklist.xml seamonkey-2.21-esr3.0/comm-release/mozilla/browser/app/blocklist.xml
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/browser/app/blocklist.xml	2014-02-10 01:12:11.784950186 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/browser/app/blocklist.xml	2014-02-10 01:37:18.758169768 +0400
+@@ -1,91 +1,147 @@
+ <?xml version="1.0"?>
+-<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist" lastupdate="1385765544000">
++<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist" lastupdate="1390521109000">
+   <emItems>
+       <emItem  blockID="i454" id="sqlmoz at facebook.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i58" id="webmaster at buzzzzvideos.info">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i402" id="{99079a25-328f-4bd4-be04-00955acaa0a7}">
+                         <versionRange  minVersion="0.1" maxVersion="4.3.1.00" severity="1">
+                     </versionRange>
+                                 <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i71" id="youtube at 2youtube.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i404" id="{a9bb9fa0-4122-4c75-bd9a-bc27db3f9155}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i8" id="{B13721C7-F507-4982-B2E5-502A71474FED}">
+                         <versionRange  minVersion=" " severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i107" os="WINNT" id="{ABDE892B-13A8-4d1b-88E6-365A6E755758}">
+                         <versionRange  minVersion="0" maxVersion="15.0.5" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i88" id="anttoolbar at ant.com">
+                         <versionRange  minVersion="2.4.6.4" maxVersion="2.4.6.4" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i484" id="plugin at getwebcake.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i433" id="{c95a4e8e-816d-4655-8c79-d736da1adb6d}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i65" id="activity at facebook.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+-      <emItem  blockID="i66" id="youtubeer at youtuber.com">
+-                        <versionRange  minVersion="0" maxVersion="*">
++      <emItem  blockID="i527" id="/^({bfec236d-e122-4102-864f-f5f19d897f5e}|{3f842035-47f4-4f10-846b-6199b07f09b8}|{92ed4bbd-83f2-4c70-bb4e-f8d3716143fe})$/">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+-      <emItem  blockID="i224" id="{336D0C35-8A85-403a-B9D2-65C292C39087}">
++      <emItem  blockID="i535" id="/^ext at WebexpEnhancedV1alpha[0-9]+\.net$/">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i105" id="{95ff02bc-ffc6-45f0-a5c8-619b8226a9de}">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+-      <emItem  blockID="i117" id="{ce7e73df-6a44-4028-8079-5927a588c948}">
+-                        <versionRange  minVersion="0" maxVersion="1.0.8" severity="1">
++      <emItem  blockID="i506" id="/^ext at bettersurfplus/">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i400" id="{dd6b651f-dfb9-4142-b0bd-09912ad22674}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i488" id="jid1-4P0kohSJxU1qGg at jetpack">
+                         <versionRange  minVersion="1.2.50" maxVersion="1.2.50" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i529" id="/^(torntv at torntv\.com|trtv3 at trtv\.com|torntv2 at torntv\.com|e2fd07a6-e282-4f2e-8965-85565fcb6384 at b69158e6-3c3b-476c-9d98-ae5838c5b707\.com)$/">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i486" id="xz123 at ya456.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i392" id="{EEE6C361-6118-11DC-9C72-001320C79847}">
+                         <versionRange  minVersion="0" maxVersion="1.7.999" severity="1">
+                     </versionRange>
+                                 <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i406" id="{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i10" id="{8CE11043-9A15-4207-A565-0C94C42D590D}">
++                          <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i492" id="{af95cc15-3b9b-45ae-8d9b-98d08eda3111}">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i24" id="{6E19037A-12E3-4295-8915-ED48BC341614}">
+                         <versionRange  minVersion="0.1" maxVersion="1.3.328.4" severity="1">
+@@ -93,34 +149,62 @@
+                               <versionRange  minVersion="3.7a1pre" maxVersion="*" />
+                           </targetApplication>
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i64" id="royal at facebook.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i72" os="WINNT" id="{4ED1F68A-5463-4931-9384-8FFF5ED91D92}">
+                         <versionRange  minVersion="3.4.1" maxVersion="3.4.1.194" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i100" id="{394DCBA4-1F92-4f8e-8EC9-8D2CB90CB69B}">
+                         <versionRange  minVersion="2.5.0" maxVersion="2.5.0" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i40" id="{28387537-e3f9-4ed7-860c-11e69af4a8a0}">
+                         <versionRange  minVersion="0.1" maxVersion="4.3.1.00" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i20" id="{AB2CE124-6272-4b12-94A9-7303C7397BD1}">
+                         <versionRange  minVersion="0.1" maxVersion="5.2.0.7164" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i498" id="hoverst at facebook.com">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++                    </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i127" id="plugin at youtubeplayer.com">
++                        <versionRange  minVersion="0" maxVersion="*">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i430" id="1chtw at facebook.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i78" id="socialnetworktools at mozilla.doslash.org">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i238" id="/^pink at .*\.info$/">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+@@ -128,54 +212,104 @@
+                               <versionRange  minVersion="18.0" maxVersion="*" />
+                           </targetApplication>
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i516" id="/^({3f3cddf8-f74d-430c-bd19-d2c9147aed3d}|{515b2424-5911-40bd-8a2c-bdb20286d8f5}|{17464f93-137e-4646-a0c6-0dc13faf0113}|{d1b5aad5-d1ae-4b20-88b1-feeaeb4c1ebc}|{aad50c91-b136-49d9-8b30-0e8d3ead63d0})$/">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i77" id="{fa277cfc-1d75-4949-a1f9-4ac8e41b2dfd}">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i174" id="info at thebflix.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i478" id="{7e8a1050-cf67-4575-92df-dcc60e7d952d}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i84" id="pink at rosaplugin.info">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i172" id="info at bflix.info">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i140" id="mozillahmpg at mozilla.org">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i500" id="{2aab351c-ad56-444c-b935-38bffe18ad26}">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++                    </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i494" id="/^({e9df9360-97f8-4690-afe6-996c80790da4}|{687578b9-7132-4a7a-80e4-30ee31099e03}|{46a3135d-3683-48cf-b94c-82655cbc0e8a}|{49c795c2-604a-4d18-aeb1-b3eba27e5ea2}|{7473b6bd-4691-4744-a82b-7854eb3d70b6}|{96f454ea-9d38-474f-b504-56193e00c1a5})$/">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i467" id="plugin at analytic-s.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i496" id="{ACAA314B-EEBA-48e4-AD47-84E31C44796C}">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i360" id="ytd at mybrowserbar.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i5" id="support at daemon-tools.cc">
+                         <versionRange  minVersion=" " maxVersion="1.0.0.5">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i436" id="/(\{7aeae561-714b-45f6-ace3-4a8aed6e227b\})|(\{01e86e69-a2f8-48a0-b068-83869bdba3d0\})|(\{77f5fe49-12e3-4cf5-abb4-d993a0164d9e\})/">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i97" id="support3_en at adobe122.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+-      <emItem  blockID="i382" id="{6926c7f7-6006-42d1-b046-eba1b3010315}">
++      <emItem  blockID="i342" id="lbmsrvfvxcblvpane at lpaezhjez.org">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i481" id="{B40794A0-7477-4335-95C5-8CB9BBC5C4A5}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+@@ -184,6 +318,8 @@
+                     </versionRange>
+                                 <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i11" id="yslow at yahoo-inc.com">
+                         <versionRange  minVersion="2.0.5" maxVersion="2.0.5">
+@@ -191,111 +327,207 @@
+                               <versionRange  minVersion="3.5.7" maxVersion="*" />
+                           </targetApplication>
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i62" id="jid0-EcdqvFOgWLKHNJPuqAnawlykCGZ at jetpack">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i472" id="linksicle at linksicle.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i99" id="pfzPXmnzQRXX6 at 2iABkVe.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+-      <emItem  blockID="i19" id="{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}">
+-                        <versionRange  minVersion="1.1b1" maxVersion="1.1b1">
++      <emItem  blockID="i66" id="youtubeer at youtuber.com">
++                        <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i438" id="{02edb56b-9b33-435b-b7df-b2843273a694}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i450" id="{dff137ae-1ffd-11e3-8277-b8ac6f996f26}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i521" id="/^({66b103a7-d772-4fcd-ace4-16f79a9056e0}|{6926c7f7-6006-42d1-b046-eba1b3010315}|{72cabc40-64b2-46ed-8648-26d831761150}|{73ee2cf2-7b76-4c49-b659-c3d8cf30825d}|{ca6446a5-73d5-4c35-8aa1-c71dc1024a18}|{5373a31d-9410-45e2-b299-4f61428f0be4})$/">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i499" id="{babb9931-ad56-444c-b935-38bffe18ad26}">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i111" os="WINNT" id="{C3949AC2-4B17-43ee-B4F1-D26B9D42404D}">
+                         <versionRange  minVersion="0" maxVersion="15.0.5" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i136" id="Adobe at flash.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i447" id="{B18B1E5C-4D81-11E1-9C00-AFEB4824019B}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i519" id="703db0db-5fe9-44b6-9f53-c6a91a0ad5bd at 7314bc82-969e-4d2a-921b-e5edd0b02cf1.com">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i537" id="rally_toolbar_ff at bulletmedia.com">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i526" id="/^({83a8ce1b-683c-4784-b86d-9eb601b59f38}|{ef1feedd-d8da-4930-96f1-0a1a598375c6}|{79ff1aae-701f-4ca5-aea3-74b3eac6f01b}|{8a184644-a171-4b05-bc9a-28d75ffc9505}|{bc09c55d-0375-4dcc-836e-0e3c8addfbda}|{cef81415-2059-4dd5-9829-1aef3cf27f4f})$/">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i532" id="249911bc-d1bd-4d66-8c17-df533609e6d8 at c76f3de9-939e-4922-b73c-5d7a3139375d.com">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i466" id="afext at anchorfree.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i98" id="youtubeeing at youtuberie.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+-      <emItem  blockID="i442" id="pennerdu at faceobooks.ws">
+-                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++      <emItem  blockID="i515" id="/^({bf9194c2-b86d-4ebc-9b53-1c08b6ff779e}|{61a83e16-7198-49c6-8874-3e4e8faeb4f3}|{f0af464e-5167-45cf-9cf0-66b396d1918c}|{5d9968c3-101c-4944-ba71-72d77393322d}|{01e86e69-a2f8-48a0-b068-83869bdba3d0})$/">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i46" id="{841468a1-d7f4-4bd3-84e6-bb0f13a06c64}">
++                        <versionRange  minVersion="0.1" maxVersion="*">
++                      <targetApplication  id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}">
++                              <versionRange  minVersion="9.0a1" maxVersion="9.0" />
++                          </targetApplication>
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i168" id="flashX at adobe.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i39" id="{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}">
+                         <versionRange  minVersion="0.1" maxVersion="4.3.1.00" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i42" id="{D19CA586-DD6C-4a0a-96F8-14644F340D60}">
+                         <versionRange  minVersion="0.1" maxVersion="14.4.0" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i449" id="gystqfr at ylgga.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+-      <emItem  blockID="i487" id="{df6bb2ec-333b-4267-8c4f-3f27dc8c6e07}">
++      <emItem  blockID="i502" id="{df6bb2ec-333b-4267-8c4f-3f27dc8c6e07}">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++                    </versionRange>
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i142" id="{a3a5c777-f583-4fef-9380-ab4add1bc2a8}">
+                         <versionRange  minVersion="2.0.3" maxVersion="2.0.3">
+                     </versionRange>
+                                 <versionRange  minVersion="4.2" maxVersion="4.2" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i306" id="{ADFA33FD-16F5-4355-8504-DF4D664CFE10}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i63" id="youtube at youtuber.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+-      <emItem  blockID="i46" id="{841468a1-d7f4-4bd3-84e6-bb0f13a06c64}">
+-                        <versionRange  minVersion="0.1" maxVersion="*">
+-                      <targetApplication  id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}">
+-                              <versionRange  minVersion="9.0a1" maxVersion="9.0" />
+-                          </targetApplication>
++      <emItem  blockID="i398" id="{377e5d4d-77e5-476a-8716-7e70a9272da0}">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i18" id="msntoolbar at msn.com">
+                         <versionRange  minVersion=" " maxVersion="6.*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i358" id="lfind at nijadsoft.net">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i228" id="crossriderapp5060 at crossrider.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i465" id="trtv3 at trtv.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i4" id="{4B3803EA-5230-4DC3-A7FC-33638F3D3542}">
+                         <versionRange  minVersion="1.2" maxVersion="1.2">
+@@ -303,6 +535,8 @@
+                               <versionRange  minVersion="3.0a1" maxVersion="*" />
+                           </targetApplication>
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i75" os="Darwin,Linux" id="firebug at software.joehewitt.com">
+                         <versionRange  minVersion="1.9.0" maxVersion="1.9.0" severity="1">
+@@ -310,170 +544,310 @@
+                               <versionRange  minVersion="9.0a1" maxVersion="9.*" />
+                           </targetApplication>
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+-      <emItem  blockID="i127" id="plugin at youtubeplayer.com">
+-                        <versionRange  minVersion="0" maxVersion="*">
++      <emItem  blockID="i514" id="/^(67314b39-24e6-4f05-99f3-3f88c7cddd17 at 6c5fa560-13a3-4d42-8e90-53d9930111f9\.com|ffxtlbr at visualbee\.com|{7aeae561-714b-45f6-ace3-4a8aed6e227b}|{7093ee04-f2e4-4637-a667-0f730797b3a0}|{53c4024f-5a2e-4f2a-b33e-e8784d730938})$/">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i348" id="{13c9f1f9-2322-4d5c-81df-6d4bf8476ba4}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i338" id="{1FD91A9C-410C-4090-BBCC-55D3450EF433}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i364" id="{FE1DEEEA-DB6D-44b8-83F0-34FC0F9D1052}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i59" id="ghostviewer at youtube2.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i222" id="dealcabby at jetpack">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i51" id="admin at youtubeplayer.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i352" id="vpyekkifgv at vpyekkifgv.org">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i258" id="helperbar at helperbar.com">
+                         <versionRange  minVersion="0" maxVersion="1.0" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i468" id="05dd836e-2cbd-4204-9ff3-2f8a8665967d at a8876730-fb0c-4057-a2fc-f9c09d438e81.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+-      <emItem  blockID="i398" id="{377e5d4d-77e5-476a-8716-7e70a9272da0}">
++      <emItem  blockID="i522" id="/^({976cd962-e0ca-4337-aea7-d93fae63a79c}|{525ba996-1ce4-4677-91c5-9fc4ead2d245}|{91659dab-9117-42d1-a09f-13ec28037717}|{c1211069-1163-4ba8-b8b3-32fc724766be})$/">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i479" id="mbrsepone at facebook.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i256" id="/^[0-9a-f]+@[0-9a-f]+\.info/">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i370" id="happylyrics at hpyproductions.net">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i440" id="{2d069a16-fca1-4e81-81ea-5d5086dcbd0c}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i396" id="/@(ft|putlocker|clickmovie|m2k|sharerepo|smarter-?)downloader\.com$/">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i22" id="ShopperReports at ShopperReports.com">
+                         <versionRange  minVersion="3.1.22.0" maxVersion="3.1.22.0">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i376" id="{9e09ac65-43c0-4b9d-970f-11e2e9616c55}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i44" id="sigma at labs.mozilla">
++                          <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i501" id="xivars at aol.com">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                         </emItem>
+       <emItem  blockID="i482" id="brasilescapeeight at facebook.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i226" id="{462be121-2b54-4218-bf00-b9bf8135b23f}">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i246" id="support at vide1flash2.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i48" id="admin at youtubespeedup.com">
++                          <prefs>
++              </prefs>
+                         </emItem>
+       <emItem  blockID="i218" id="ffxtlbr at claro.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i79" id="GifBlock at facebook.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i69" id="{977f3b97-5461-4346-92c8-a14c749b77c9}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i17" id="{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}">
+                         <versionRange  minVersion="2.2" maxVersion="2.2">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i115" id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i477" id="mbrnovone at facebook.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i13" id="{E8E88AB0-7182-11DF-904E-6045E0D72085}">
++                          <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i446" id="{E90FA778-C2B7-41D0-9FA9-3FEC1CA54D66}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i507" id="4zffxtbr-bs at VideoDownloadConverter_4z.com">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i7" id="{2224e955-00e9-4613-a844-ce69fccaae91}">
++                          <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i525" id="/^({65f9f6b7-2dae-46fc-bfaf-f88e4af1beca}|{9ed31f84-c8b3-4926-b950-dff74047ff79}|{0134af61-7a0c-4649-aeca-90d776060cb3}|{02edb56b-9b33-435b-b7df-b2843273a694}|{da51d4f6-3e7e-4ef8-b400-9198e0874606}|{b24577db-155e-4077-bb37-3fdd3c302bb5})$/">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                         </emItem>
+       <emItem  blockID="i485" id="/^brasilescape.*\@facebook\.com$//">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i52" id="ff-ext at youtube">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i471" id="firefox at luckyleap.net">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i495" id="kallow at facebook.com">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i483" id="brasilescapefive at facebook.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i442" id="pennerdu at faceobooks.ws">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i43" id="supportaccessplugin at gmail.com">
++                          <prefs>
++              </prefs>
+                         </emItem>
+       <emItem  blockID="i340" id="chiang at programmer.net">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i54" id="applebeegifts at mozilla.doslash.org">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i16" id="{27182e60-b5f3-411c-b545-b44205977502}">
+                         <versionRange  minVersion="1.0" maxVersion="1.0">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i504" id="aytac at abc.com">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i92" id="play5 at vide04flash.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i117" id="{ce7e73df-6a44-4028-8079-5927a588c948}">
++                        <versionRange  minVersion="0" maxVersion="1.0.8" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i474" id="{906000a4-88d9-4d52-b209-7a772970d91f}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i453" id="/^brasilescape.*\@facebook\.com$/">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i109" id="{392e123b-b691-4a5e-b52f-c4c1027e749c}">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i286" id="{58bd07eb-0ee0-4df0-8121-dc9b693373df}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i1" id="mozilla_cc at internetdownloadmanager.com">
+                         <versionRange  minVersion="2.1" maxVersion="3.3">
+@@ -486,68 +860,130 @@
+                               <versionRange  minVersion="3.7a1pre" maxVersion="*" />
+                           </targetApplication>
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i308" id="9518042e-7ad6-4dac-b377-056e28d00c8f at f1cc0a13-4df1-4d66-938f-088db8838882.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+-      <emItem  blockID="i13" id="{E8E88AB0-7182-11DF-904E-6045E0D72085}">
++      <emItem  blockID="i461" id="{8E9E3331-D360-4f87-8803-52DE43566502}">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                         </emItem>
+       <emItem  blockID="i394" id="{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i493" id="12x3q at 3244516.com">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i344" id="lrcsTube at hansanddeta.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+-      <emItem  blockID="i461" id="{8E9E3331-D360-4f87-8803-52DE43566502}">
+-                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++      <emItem  blockID="i536" id="{25D77636-38B1-1260-887C-2D4AFA92D6A4}">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i426" id="addlyrics at addlyrics.net">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i448" id="{0134af61-7a0c-4649-aeca-90d776060cb3}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i83" id="flash at adobee.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i104" id="yasd at youasdr3.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+-      <emItem  blockID="i10" id="{8CE11043-9A15-4207-A565-0C94C42D590D}">
++      <emItem  blockID="i530" id="{739df940-c5ee-4bab-9d7e-270894ae687a}">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i524" id="/^({4e988b08-8c51-45c1-8d74-73e0c8724579}|{93ec97bf-fe43-4bca-a735-5c5d6a0a40c4}|{aed63b38-7428-4003-a052-ca6834d8bad3}|{0b5130a9-cc50-4ced-99d5-cda8cc12ae48}|{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD})$/">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                         </emItem>
+       <emItem  blockID="i76" id="crossriderapp3924 at crossrider.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i382" id="{6926c7f7-6006-42d1-b046-eba1b3010315}">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i432" id="lugcla21 at gmail.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i91" id="crossriderapp4926 at crossrider.com">
+                         <versionRange  minVersion="0" maxVersion="0.81.43" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i480" id="pluggets at gmail.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
+                                 <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i67" id="youtube2 at youtube2.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i520" id="/^({7316e43a-3ebd-4bb4-95c1-9caf6756c97f}|{0cc09160-108c-4759-bab1-5c12c216e005}|{ef03e721-f564-4333-a331-d4062cee6f2b}|{465fcfbb-47a4-4866-a5d5-d12f9a77da00}|{7557724b-30a9-42a4-98eb-77fcb0fd1be3}|{b7c7d4b0-7a84-4b73-a7ef-48ef59a52c3b})$/">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i460" id="{845cab51-d8d2-472f-8bd9-2b44642d97c2}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i38" id="{B7082FAA-CB62-4872-9106-E42DD88EDE45}">
+                         <versionRange  minVersion="0.1" maxVersion="3.3.0.*">
+@@ -560,18 +996,26 @@
+                               <versionRange  minVersion="5.0a1" maxVersion="*" />
+                           </targetApplication>
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i6" id="{3f963a5b-e555-4543-90e2-c3908898db71}">
+                         <versionRange  minVersion=" " maxVersion="8.5">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i56" id="flash at adobe.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i451" id="{e44a1809-4d10-4ab8-b343-3326b64c7cdd}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i216" id="fdm_ffext at freedownloadmanager.org">
+                         <versionRange  minVersion="1.0" maxVersion="1.3.1">
+@@ -581,32 +1025,60 @@
+                     </versionRange>
+                                 <versionRange  minVersion="1.5.7.5" maxVersion="1.5.7.5" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i533" id="extension at Fast_Free_Converter.com">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i362" id="addon at defaulttab.com">
+                         <versionRange  minVersion="0" maxVersion="1.4.4" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i12" id="masterfiler at gmail.com">
+                         <versionRange  severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i491" id="{515b2424-5911-40bd-8a2c-bdb20286d8f5}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i444" id="fplayer at adobe.flash">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i334" id="{0F827075-B026-42F3-885D-98981EE7B1AE}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i47" id="youtube at youtube2.com">
++                          <prefs>
++              </prefs>
+                         </emItem>
+-      <emItem  blockID="i342" id="lbmsrvfvxcblvpane at lpaezhjez.org">
++      <emItem  blockID="i518" id="/^({d6e79525-4524-4707-9b97-1d70df8e7e59}|{ddb4644d-1a37-4e6d-8b6e-8e35e2a8ea6c}|{e55007f4-80c5-418e-ac33-10c4d60db01e}|{e77d8ca6-3a60-4ae9-8461-53b22fa3125b}|{e89a62b7-248e-492f-9715-43bf8c507a2f}|{5ce3e0cb-aa83-45cb-a7da-a2684f05b8f3})$/">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i196" id="info at wxdownloadmanager.com">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i424" id="{C7AE725D-FA5C-4027-BB4C-787EF9F8248A}">
+                         <versionRange  minVersion="0" maxVersion="1.0.0.2" severity="1">
+@@ -614,42 +1086,68 @@
+                               <versionRange  minVersion="23.0a1" maxVersion="*" />
+                           </targetApplication>
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i336" id="CortonExt at ext.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i103" id="kdrgun at gmail.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i476" id="mbroctone at facebook.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i3" id="langpack-vi-VN at firefox.mozilla.org">
+                         <versionRange  minVersion="2.0" maxVersion="2.0">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i326" id="/^((support2_en at adobe14\.com)|(XN4Xgjw7n4 at yUWgc\.com)|(C7yFVpIP at WeolS3acxgS\.com)|(Kbeu4h0z at yNb7QAz7jrYKiiTQ3\.com)|(aWQzX at a6z4gWdPu8FF\.com)|(CBSoqAJLYpCbjTP90 at JoV0VMywCjsm75Y0toAd\.com)|(zZ2jWZ1H22Jb5NdELHS at o0jQVWZkY1gx1\.com))$/">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i470" id="extension at FastFreeConverter.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i162" id="{EB7508CA-C7B2-46E0-8C04-3E94A035BD49}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i354" id="{c0c2693d-2ee8-47b4-9df7-b67a0ee31988}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i106" os="WINNT" id="{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}">
+                         <versionRange  minVersion="0" maxVersion="15.0.5" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i505" id="extacylife at a.com">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i15" id="personas at christopher.beard">
+                         <versionRange  minVersion="1.6" maxVersion="1.6">
+@@ -657,116 +1155,214 @@
+                               <versionRange  minVersion="3.6" maxVersion="3.6.*" />
+                           </targetApplication>
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i304" id="{f0e59437-6148-4a98-b0a6-60d557ef57f4}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i86" id="{45147e67-4020-47e2-8f7a-55464fb535aa}">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i19" id="{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}">
++                        <versionRange  minVersion="1.1b1" maxVersion="1.1b1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i318" id="ffxtlbr at incredibar.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i531" id="/^(4cb61367-efbf-4aa1-8e3a-7f776c9d5763 at cdece6e9-b2ef-40a9-b178-291da9870c59\.com|0efc9c38-1ec7-49ed-8915-53a48b6b7600 at e7f17679-2a42-4659-83c5-7ba961fdf75a\.com|6be3335b-ef79-4b0b-a0ba-b87afbc6f4ad at 6bbb4d2e-e33e-4fa5-9b37-934f4fb50182\.com)$/">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i490" id="now.msn.com at services.mozilla.org">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i523" id="/^({7e8a1050-cf67-4575-92df-dcc60e7d952d}|{b3420a9c-a397-4409-b90d-bcf22da1a08a}|{eca6641f-2176-42ba-bdbe-f3e327f8e0af}|{707dca12-3f99-4d94-afea-06dcc0ae0108}|{aea20431-87fc-40be-bc5b-18066fe2819c}|{30ee6676-1ba6-455a-a7e8-298fa863a546})$/">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i312" id="extension21804 at extension21804.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i324" id="/^((34qEOefiyYtRJT at IM5Munavn\.com)|(Mro5Fm1Qgrmq7B at ByrE69VQfZvZdeg\.com)|(KtoY3KGxrCe5ie at yITPUzbBtsHWeCdPmGe\.com)|(9NgIdLK5Dq4ZMwmRo6zk at FNt2GCCLGyUuOD\.com)|(NNux7bWWW at RBWyXdnl6VGls3WAwi\.com)|(E3wI2n at PEHTuuNVu\.com)|(2d3VuWrG6JHBXbQdbr at 3BmSnQL\.com))$/">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i503" id="{9CE11043-9A15-4207-A565-0C94C42D590D}">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i431" id="chinaescapeone at facebook.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i108" id="{28bfb930-7620-11e1-b0c4-0800200c9a66}">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i262" id="{167d9323-f7cc-48f5-948a-6f012831a69f}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i320" id="torntv at torntv.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+-      <emItem  blockID="i196" id="info at wxdownloadmanager.com">
+-                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++      <emItem  blockID="i528" id="008abed2-b43a-46c9-9a5b-a771c87b82da at 1ad61d53-2bdc-4484-a26b-b888ecae1906.com">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i469" id="OKitSpace at OKitSpace.es">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i167" id="{b64982b1-d112-42b5-b1e4-d3867c4533f8}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i101" id="{3a12052a-66ef-49db-8c39-e5b0bd5c83fa}">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i93" id="{68b8676b-99a5-46d1-b390-22411d8bcd61}">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i439" id="{d2cf9842-af95-48cd-b873-bfbb48cd7f5e}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i346" id="{a6e67e6f-8615-4fe0-a599-34a73fc3fba5}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i220" id="pricepeep at getpricepeep.com">
+                         <versionRange  minVersion="0" maxVersion="2.1.0.19.99" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+-      <emItem  blockID="i226" id="{462be121-2b54-4218-bf00-b9bf8135b23f}">
++      <emItem  blockID="i224" id="{336D0C35-8A85-403a-B9D2-65C292C39087}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i61" id="youtube at youtube3.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
+                                 <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i517" id="/^({16e193c8-1706-40bf-b6f3-91403a9a22be}|{284fed43-2e13-4afe-8aeb-50827d510e20}|{5e3cc5d8-ed11-4bed-bc47-35b4c4bc1033}|{7429e64a-1fd4-4112-a186-2b5630816b91}|{8c9980d7-0f09-4459-9197-99b3e559660c}|{8f1d9545-0bb9-4583-bb3c-5e1ac1e2920c})$/">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i509" id="contato at facefollow.net">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i372" id="5nc3QHFgcb at r06Ws9gvNNVRfH.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i356" id="{341f4dac-1966-47ff-aacf-0ce175f1498a}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i70" id="psid-vhvxQHMZBOzUZA at jetpack">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i473" id="{81b13b5d-fba1-49fd-9a6b-189483ac548a}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i437" id="{4933189D-C7F7-4C6E-834B-A29F087BFD23}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i165" id="{EEF73632-A085-4fd3-A778-ECD82C8CB297}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i60" id="youtb3 at youtb3.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i510" id="{3c9a72a0-b849-40f3-8c84-219109c27554}">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i23" id="firefox at bandoo.com">
+                         <versionRange  minVersion="5.0" maxVersion="5.0" severity="1">
+@@ -774,42 +1370,74 @@
+                               <versionRange  minVersion="3.7a1pre" maxVersion="*" />
+                           </targetApplication>
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i55" id="youtube at youtube7.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i434" id="afurladvisor at anchorfree.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i90" id="videoplugin at player.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i489" id="astrovia at facebook.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i497" id="{872b5b88-9db5-4310-bdd0-ac189557e5f5}">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i68" id="flashupdate at adobe.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i445" id="firefoxaddon at youtubeenhancer.com">
+                         <versionRange  minVersion="208.7.0" maxVersion="208.7.0" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i441" id="{49c53dce-afa0-49a1-a08b-2eb8e8444128}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
++    </emItem>
++      <emItem  blockID="i508" id="advance at windowsclient.com">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++                    </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i282" id="{33e0daa6-3af3-d8b5-6752-10e949c61516}">
+                         <versionRange  minVersion="0" maxVersion="1.1.999" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i452" id="{77beece6-3997-403a-92fa-0055bfcf88e5}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i45" id="{22119944-ED35-4ab1-910B-E619EA06A115}">
+                         <versionRange  minVersion="0.1" maxVersion="7.6.1">
+@@ -817,48 +1445,72 @@
+                               <versionRange  minVersion="8.0a1" maxVersion="*" />
+                           </targetApplication>
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i82" id="{8f42fb8b-b6f6-45de-81c0-d6d39f54f971}">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i380" id="{cc8f597b-0765-404e-a575-82aefbd81daf}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+-      <emItem  blockID="i314" id="crossriderapp8812 at crossrider.com">
+-                        <versionRange  minVersion="0" maxVersion="*" severity="1">
++      <emItem  blockID="i322" id="jid0-Y6TVIzs0r7r4xkOogmJPNAGFGBw at jetpack">
++                        <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i378" id="{a7aae4f0-bc2e-a0dd-fb8d-68ce32c9261f}">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i73" id="a1g0a9g219d at a1.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i96" id="youtubeee at youtuber3.com">
+                         <versionRange  minVersion="0" maxVersion="*">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i163" id="info at allpremiumplay.info">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i455" id="7d51fb17-b199-4d8f-894e-decaff4fc36a at a298838b-7f50-4c7c-9277-df6abbd42a0c.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i374" id="update at firefox.com">
+                         <versionRange  minVersion="0" maxVersion="*" severity="3">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+-      <emItem  blockID="i322" id="jid0-Y6TVIzs0r7r4xkOogmJPNAGFGBw at jetpack">
+-                        <versionRange  minVersion="0" maxVersion="*" severity="3">
++      <emItem  blockID="i314" id="crossriderapp8812 at crossrider.com">
++                        <versionRange  minVersion="0" maxVersion="*" severity="1">
+                     </versionRange>
++                    <prefs>
++              </prefs>
+                   </emItem>
+       <emItem  blockID="i21" id="support at update-firefox.com">
++                          <prefs>
++              </prefs>
+                         </emItem>
+     </emItems>
+ 
+@@ -1338,6 +1990,7 @@
+                       <device>0x9807</device>
+                   </devices>
+             <feature>DIRECT3D_9_LAYERS</feature>      <featureStatus>BLOCKED_DEVICE</featureStatus>    </gfxBlacklistEntry>
++    <gfxBlacklistEntry  blockID="g511">      <os>WINNT 5.1</os>      <vendor>0x8086</vendor>            <feature>DIRECT3D_9_LAYERS, WEBGL_ANGLE</feature>      <featureStatus>BLOCKED_DRIVER_VERSION</featureStatus>      <driverVersion>6.14.10.5218</driverVersion>      <driverVersionComparator>LESS_THAN</driverVersionComparator>    </gfxBlacklistEntry>
+     </gfxItems>
+ 
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/browser/base/content/test/Makefile.in seamonkey-2.21-esr3.0/comm-release/mozilla/browser/base/content/test/Makefile.in
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/browser/base/content/test/Makefile.in	2013-09-16 22:26:25.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/browser/base/content/test/Makefile.in	2014-02-10 01:13:31.077553855 +0400
+@@ -292,7 +292,6 @@
+                  dummy_page.html \
+                  file_bug550565_popup.html \
+                  file_bug550565_favicon.ico \
+-                 browser_aboutHome.js \
+                  app_bug575561.html \
+                  app_subframe_bug575561.html \
+                  browser_contentAreaClick.js \
+@@ -330,7 +329,6 @@
+                  pluginCrashCommentAndURL.html \
+                  browser_private_no_prompt.js \
+                  browser_blob-channelname.js \
+-                 browser_aboutHealthReport.js \
+                  healthreport_testRemoteCommands.html \
+                  browser_offlineQuotaNotification.js \
+                  offlineQuotaNotification.html \
+@@ -361,9 +359,13 @@
+   $(NULL)
+ endif
+ 
++# browser_aboutHealthReport.js disabled for frequent failures on Linux (bug 924307)
++# browser_aboutHome.js disabled for frequent failures on Linux (bug 945667)
+ # browser_CTP_context_menu.js fails intermittently on Linux (bug 909342)
+ ifndef MOZ_WIDGET_GTK
+ MOCHITEST_BROWSER_FILES += \
++  browser_aboutHealthReport.js \
++  browser_aboutHome.js \
+   browser_CTP_context_menu.js \
+   $(NULL)
+ endif
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/browser/base/content/test/browser_bug609700.js seamonkey-2.21-esr3.0/comm-release/mozilla/browser/base/content/test/browser_bug609700.js
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/browser/base/content/test/browser_bug609700.js	2013-09-16 22:26:25.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/browser/base/content/test/browser_bug609700.js	2014-02-10 01:13:31.317549660 +0400
+@@ -7,8 +7,7 @@
+ 
+       ok(true, "duplicateTabIn opened a new window");
+ 
+-      aSubject.addEventListener("load", function () {
+-        aSubject.removeEventListener("load", arguments.callee, false);
++      whenDelayedStartupFinished(aSubject, function () {
+         executeSoon(function () {
+           aSubject.close();
+           finish();
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/browser/base/content/test/social/browser_blocklist.js seamonkey-2.21-esr3.0/comm-release/mozilla/browser/base/content/test/social/browser_blocklist.js
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/browser/base/content/test/social/browser_blocklist.js	2013-09-16 22:26:25.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/browser/base/content/test/social/browser_blocklist.js	2014-02-10 01:13:31.317549660 +0400
+@@ -7,7 +7,7 @@
+ let SocialService = Cu.import("resource://gre/modules/SocialService.jsm", {}).SocialService;
+ 
+ const URI_EXTENSION_BLOCKLIST_DIALOG = "chrome://mozapps/content/extensions/blocklist.xul";
+-let blocklistURL = "http://test:80/browser/browser/base/content/test/social/blocklist.xml";
++let blocklistURL = "http://example.org/browser/browser/base/content/test/social/blocklist.xml";
+ 
+ let manifest = { // normal provider
+   name: "provider ok",
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/browser/base/content/test/social/head.js seamonkey-2.21-esr3.0/comm-release/mozilla/browser/base/content/test/social/head.js
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/browser/base/content/test/social/head.js	2013-09-16 22:26:25.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/browser/base/content/test/social/head.js	2014-02-10 01:13:31.317549660 +0400
+@@ -481,12 +481,24 @@
+   resizeWindowToChatAreaWidth(width, function(sizedOk) {
+     checkPopup();
+     ok(sizedOk, count+": window resized correctly");
+-    if (sizedOk) {
+-      let numVisible = [first, second, third].filter(function(item) !item.collapsed).length;
+-      is(numVisible, numExpectedVisible, count + ": " + "correct number of chats visible");
++    function collapsedObserver(r, m) {
++      if ([first, second, third].filter(function(item) !item.collapsed).length == numExpectedVisible) {
++        if (m) {
++          m.disconnect();
+     }
++        ok(true, count + ": " + "correct number of chats visible");
+     info(">> Check " + count);
+     resizeAndCheckWidths(first, second, third, checks, cb);
++        return true;
++      }
++      return false;
++    }
++    if (!collapsedObserver()) {
++      let m = new MutationObserver(collapsedObserver);
++      m.observe(first, {attributes: true });
++      m.observe(second, {attributes: true });
++      m.observe(third, {attributes: true });
++    }
+   }, count);
+ }
+ 
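Review bot: `collapsedObserver` has no failure path. If the number of non-collapsed chats never reaches `numExpectedVisible`, the three observers stay attached and the test ends only on the harness timeout, without the expected and actual counts that the removed `is(numVisible, numExpectedVisible, ...)` used to report. The old code also moved on to `resizeAndCheckWidths` whether or not the count matched, and skipped the count check when `sizedOk` was false; the new code continues only once the count matches, so a failed resize now probably becomes a hang as well. At minimum I would add `info(count + ": waiting for " + numExpectedVisible + " visible chats");` inside the `if (!collapsedObserver())` branch so a timeout can be traced to this wait. The enclosing function starts outside the hunk.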
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_aboutHomeButtonAfterWindowClose.js seamonkey-2.21-esr3.0/comm-release/mozilla/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_aboutHomeButtonAfterWindowClose.js
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_aboutHomeButtonAfterWindowClose.js	2013-09-16 22:26:26.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_aboutHomeButtonAfterWindowClose.js	2014-02-10 01:13:31.317549661 +0400
+@@ -14,10 +14,14 @@
+       win.removeEventListener("load", onLoad, false);
+       executeSoon(function() {
+         info("The second private window got loaded");
+-        let newTab = win.gBrowser.addTab("about:home");
++        let newTab = win.gBrowser.addTab();
+         win.gBrowser.selectedTab = newTab;
+         let tabBrowser = win.gBrowser.getBrowserForTab(newTab);
+         tabBrowser.addEventListener("load", function tabLoadListener() {
++          if (win.content.location != "about:home") {
++            win.content.location = "about:home";
++            return;
++          }
+           tabBrowser.removeEventListener("load", tabLoadListener, true);
+           executeSoon(function() {
+             info("about:home got loaded");
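Review bot: The added location check in `tabLoadListener` re-navigates on every load event whose location is not exactly `"about:home"`, with no limit on retries; if the tab never reports that URL, the listener stays attached and the test only ends by harness timeout. A one-shot flag, e.g. `let requested = false;` outside the listener and `if (!requested) { requested = true; win.content.location = "about:home"; return; }` inside, followed by an explicit `ok(false, ...)` on a second mismatch, would turn that into a clear failure. The same pattern appears in the hunks for browser_privatebrowsing_aboutSessionRestore.js, browser_privatebrowsing_geoprompt.js and browser_privatebrowsing_localStorage.js. The listener body continues outside the hunk.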
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_aboutSessionRestore.js seamonkey-2.21-esr3.0/comm-release/mozilla/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_aboutSessionRestore.js
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_aboutSessionRestore.js	2013-09-16 22:26:26.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_aboutSessionRestore.js	2014-02-10 01:13:31.317549661 +0400
+@@ -18,6 +18,10 @@
+         win.gBrowser.selectedTab = newTab;
+         let tabBrowser = win.gBrowser.getBrowserForTab(newTab);
+         tabBrowser.addEventListener("load", function tabLoadListener() {
++          if (win.gBrowser.contentWindow.location != "about:sessionrestore") {
++            win.gBrowser.selectedBrowser.loadURI("about:sessionrestore");
++            return;
++          }
+           tabBrowser.removeEventListener("load", tabLoadListener, true);
+           executeSoon(function() {
+             info("about:sessionrestore got loaded");
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_geoprompt.js seamonkey-2.21-esr3.0/comm-release/mozilla/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_geoprompt.js
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_geoprompt.js	2013-09-16 22:26:26.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_geoprompt.js	2014-02-10 01:13:31.317549661 +0400
+@@ -14,6 +14,10 @@
+     executeSoon(function() {
+       aWindow.gBrowser.selectedTab = aWindow.gBrowser.addTab();
+       aWindow.gBrowser.selectedBrowser.addEventListener("load", function () {
++        if (aWindow.content.location != testPageURL) {
++          aWindow.content.location = testPageURL;
++          return;
++        }
+         aWindow.gBrowser.selectedBrowser.removeEventListener("load", arguments.callee, true);
+ 
+         function runTest() {
+@@ -36,7 +40,6 @@
+         }
+         runTest();
+       }, true);
+-      aWindow.content.location = testPageURL;
+     });
+   };
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_localStorage.js seamonkey-2.21-esr3.0/comm-release/mozilla/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_localStorage.js
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_localStorage.js	2013-09-16 22:26:26.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_localStorage.js	2014-02-10 01:13:31.317549661 +0400
+@@ -5,11 +5,18 @@
+ function test() {
+   waitForExplicitFinish();
+ 
++  const page1 = 'http://mochi.test:8888/browser/browser/components/privatebrowsing/test/browser/' +
++                'browser_privatebrowsing_localStorage_page1.html'
++
+   function checkLocalStorage(aWindow, aCallback) {
+     executeSoon(function() {
+       let tab = aWindow.gBrowser.selectedTab = aWindow.gBrowser.addTab();
+       let browser = aWindow.gBrowser.selectedBrowser;
+       browser.addEventListener('load', function() {
++        if (browser.contentWindow.location != page1) {
++          browser.loadURI(page1);
++          return;
++        }
+         browser.removeEventListener('load', arguments.callee, true);
+         let tab2 = aWindow.gBrowser.selectedTab = aWindow.gBrowser.addTab();
+         browser.contentWindow.location = 'http://mochi.test:8888/browser/browser/components/privatebrowsing/test/browser/' +
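Review bot: The `const page1 = ...` declaration ends without a semicolon after `'browser_privatebrowsing_localStorage_page1.html'`, so it relies on automatic semicolon insertion while the surrounding statements are terminated explicitly; add the `;`. The directory URL `'http://mochi.test:8888/browser/browser/components/privatebrowsing/test/browser/'` is also still spelled out a second time in the `browser.contentWindow.location` assignment at the end of the hunk; a shared `const` for the directory would keep the two page URLs in step. `checkLocalStorage` continues outside the hunk.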
+@@ -20,9 +27,6 @@
+           aCallback();
+         }, true);
+       }, true);
+-
+-      browser.loadURI('http://mochi.test:8888/browser/browser/components/privatebrowsing/test/browser/' +
+-                      'browser_privatebrowsing_localStorage_page1.html');
+     });
+   }
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/browser/components/safebrowsing/content/test/browser_bug415846.js seamonkey-2.21-esr3.0/comm-release/mozilla/browser/components/safebrowsing/content/test/browser_bug415846.js
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/browser/components/safebrowsing/content/test/browser_bug415846.js	2013-09-16 22:26:26.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/browser/components/safebrowsing/content/test/browser_bug415846.js	2014-02-10 01:13:31.317549661 +0400
+@@ -37,11 +37,13 @@
+   
+   // Now launch the phishing test.  Can't use onload here because error pages don't
+   // fire normal load events.
++  window.addEventListener("DOMContentLoaded", testPhishing, true);
+   content.location = "http://www.mozilla.org/firefox/its-a-trap.html";
+-  setTimeout(testPhishing, 2000);
+ }
+ 
+ function testPhishing() {
++  window.removeEventListener("DOMContentLoaded", testPhishing, true);
++
+   menu.addEventListener("popupshown", testPhishing_PopupListener, false);
+   menu.openPopup(null, "", 0, 0, false, null);
+ }
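Review bot: The capturing `DOMContentLoaded` listener on the chrome `window` is not tied to the document under test: `testPhishing` removes itself and opens the menu on the first such event it sees, which may come from a different document in the window than the blocked page (inferred; the hunk does not show what else is loading). Checking the event target first, e.g. `function testPhishing(aEvent) {` followed by `if (aEvent.target != content.document) return;`, would keep the listener in place until the intended document arrives. The existing comment explains why `onload` cannot be used and could also say why `DOMContentLoaded` is expected to fire for the error page. The function containing the `addEventListener` call starts outside the hunk.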
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/browser/components/tabview/test/browser_tabview_bug625269.js seamonkey-2.21-esr3.0/comm-release/mozilla/browser/components/tabview/test/browser_tabview_bug625269.js
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/browser/components/tabview/test/browser_tabview_bug625269.js	2013-09-16 22:26:26.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/browser/components/tabview/test/browser_tabview_bug625269.js	2014-02-10 01:13:31.317549661 +0400
+@@ -64,14 +64,13 @@
+   let targetWidth = win.outerWidth + diffX;
+   let targetHeight = win.outerHeight + diffY;
+ 
+-  win.addEventListener("resize", function onResize() {
++  (function tryResize() {
+     let {outerWidth: width, outerHeight: height} = win;
+-    if (width != targetWidth || height != targetHeight)
+-      return;
+-
+-    win.removeEventListener("resize", onResize, false);
+-    executeSoon(callback);
+-  }, false);
+-
+-  win.resizeBy(diffX, diffY);
++    if (width != targetWidth || height != targetHeight) {
++      win.resizeTo(targetWidth, targetHeight);
++      executeSoon(tryResize);
++    } else {
++      callback();
++    }
++  })();
+ }
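Review bot: `tryResize` reschedules itself through `executeSoon` until the outer size equals the target exactly, with no bound; if the window manager clamps or refuses the requested size, this spins until the harness timeout. A retry counter, e.g. `let tries = 0;` and `if (++tries > MAX_TRIES) { ok(false, "window did not reach target size"); callback(); return; }` with `MAX_TRIES` as a new constant, would fail fast with a readable message. `callback` is now also invoked synchronously instead of via `executeSoon(callback)`, which changes ordering for callers and deserves a one-line comment if intended. The enclosing function starts outside the hunk.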
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/browser/config/version.txt seamonkey-2.21-esr3.0/comm-release/mozilla/browser/config/version.txt
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/browser/config/version.txt	2014-02-10 01:12:12.828931792 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/browser/config/version.txt	2014-02-10 01:13:31.317549661 +0400
+@@ -1 +1 @@
+-24.2.0esrpre
++24.3.0esrpre
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/browser/metro/shell/testing/metrotestharness.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/browser/metro/shell/testing/metrotestharness.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/browser/metro/shell/testing/metrotestharness.cpp	2013-09-16 22:26:26.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/browser/metro/shell/testing/metrotestharness.cpp	2014-02-10 01:13:31.318549643 +0400
+@@ -198,6 +198,7 @@
+          numBytesRead) {
+     buffer[numBytesRead] = '\0';
+     printf("%s", buffer);
++    fflush(stdout);
+   }
+ }
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/caps/src/nsScriptSecurityManager.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/caps/src/nsScriptSecurityManager.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/caps/src/nsScriptSecurityManager.cpp	2013-09-16 22:26:27.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/caps/src/nsScriptSecurityManager.cpp	2014-02-10 01:13:31.318549643 +0400
+@@ -2074,6 +2074,12 @@
+         return NS_OK;
+     }
+ 
++    // We give remote-XUL whitelisted domains a free pass here. See bug 932906.
++    if (!xpc::AllowXBLScope(js::GetContextCompartment(cx)))
++    {
++        return NS_OK;
++    }
++
+     //--See if the object advertises a non-default level of access
+     //  using nsISecurityCheckedComponent
+     nsCOMPtr<nsISecurityCheckedComponent> checkedComponent =
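Review bot: The early `return NS_OK` added ahead of the `nsISecurityCheckedComponent` lookup grants access whenever `xpc::AllowXBLScope()` returns false, and the comment does not say why that predicate identifies a remote-XUL whitelisted domain. As written the condition reads as "XBL scope not allowed, so allow", and any other reason for the helper to return false would presumably also skip the component's own access-level check. I would expand the comment to something like `// AllowXBLScope() returns false only for remote-XUL whitelisted domains; they bypass the nsISecurityCheckedComponent check below. See bug 932906.` once that has been confirmed against the helper's definition, which is not visible here. The enclosing function starts and ends outside the hunk.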
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/config/milestone.txt seamonkey-2.21-esr3.0/comm-release/mozilla/config/milestone.txt
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/config/milestone.txt	2014-02-10 01:12:13.546918961 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/config/milestone.txt	2014-02-10 01:13:31.318549643 +0400
+@@ -10,4 +10,4 @@
+ # hardcoded milestones in the tree from these two files.
+ #--------------------------------------------------------
+ 
+-24.2.0
++24.3.0
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/configure.in seamonkey-2.21-esr3.0/comm-release/mozilla/configure.in
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/configure.in	2014-02-10 01:12:13.547918943 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/configure.in	2014-02-10 01:13:31.432547637 +0400
+@@ -1302,7 +1302,12 @@
+ if test "$GNU_CC"; then
+     # Per bug 719659 comment 2, some of the headers on ancient build machines
+     # may require gnu89 inline semantics.  But otherwise, we use C99.
+-    CFLAGS="$CFLAGS -std=gnu99 -fgnu89-inline"
++    # But on OS X we just use C99 plus GNU extensions, in order to fix
++    # bug 917526.
++    CFLAGS="$CFLAGS -std=gnu99"
++    if test "${OS_ARCH}" != Darwin; then
++        CFLAGS="$CFLAGS -fgnu89-inline"
++    fi
+     # FIXME: Let us build with strict aliasing. bug 414641.
+     CFLAGS="$CFLAGS -fno-strict-aliasing"
+     MKSHLIB='$(CXX) $(CXXFLAGS) $(DSO_PIC_CFLAGS) $(DSO_LDOPTS) -Wl,-h,$(notdir $@) -o $@'
+@@ -3939,7 +3944,7 @@
+     _USE_SYSTEM_NSS=1 )
+ 
+ if test -n "$_USE_SYSTEM_NSS"; then
+-    AM_PATH_NSS(3.15.3.1, [MOZ_NATIVE_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
++    AM_PATH_NSS(3.15.4, [MOZ_NATIVE_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+ fi
+ 
+ if test -n "$MOZ_NATIVE_NSS"; then
+@@ -8776,13 +8781,13 @@
+ 
+ # For extensions and langpacks, we require a max version that is compatible
+ # across security releases. MOZ_APP_MAXVERSION is our method for doing that.
+-# 10.0a1 and 10.0a2 aren't affected
+-# 10.0 becomes 10.0.*
+-# 10.0.1 becomes 10.0.*
++# 24.0a1 and 24.0a2 aren't affected
++# 24.0 becomes 24.*
++# 24.1.1 becomes 24.*
+ IS_ALPHA=`echo $MOZ_APP_VERSION | grep a`
+ if test -z "$IS_ALPHA"; then
+   changequote(,)
+-  MOZ_APP_MAXVERSION=`echo $MOZ_APP_VERSION | sed "s|\(^[0-9]*.[0-9]*\).*|\1|"`.*
++  MOZ_APP_MAXVERSION=`echo $MOZ_APP_VERSION | sed "s|\(^[0-9]*\).*|\1|"`.*
+   changequote([,])
+ else
+   MOZ_APP_MAXVERSION=$MOZ_APP_VERSION
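Review bot: In the new `sed` expression the anchor sits inside the group, `\(^[0-9]*\)`, and POSIX leaves it to the implementation whether `^` acts as an anchor there; `sed "s|^\([0-9]*\).*|\1|"` is the portable spelling and matches the same input. Since `[0-9]*` can also match the empty string, a version that does not start with a digit would yield a bare `.*` as MOZ_APP_MAXVERSION; `[0-9][0-9]*` would avoid that. The updated comment could add one line stating that the max version now spans the whole major series rather than a single minor series, since that is the behavioural change.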
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/configure seamonkey-2.21-esr3.0/comm-release/mozilla/configure
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/configure	2014-02-10 01:12:13.550918889 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/configure	2014-02-10 01:13:31.326549501 +0400
+@@ -7002,7 +7002,12 @@
+ if test "$GNU_CC"; then
+     # Per bug 719659 comment 2, some of the headers on ancient build machines
+     # may require gnu89 inline semantics.  But otherwise, we use C99.
+-    CFLAGS="$CFLAGS -std=gnu99 -fgnu89-inline"
++    # But on OS X we just use C99 plus GNU extensions, in order to fix
++    # bug 917526.
++    CFLAGS="$CFLAGS -std=gnu99"
++    if test "${OS_ARCH}" != Darwin; then
++        CFLAGS="$CFLAGS -fgnu89-inline"
++    fi
+     # FIXME: Let us build with strict aliasing. bug 414641.
+     CFLAGS="$CFLAGS -fno-strict-aliasing"
+     MKSHLIB='$(CXX) $(CXXFLAGS) $(DSO_PIC_CFLAGS) $(DSO_LDOPTS) -Wl,-h,$(notdir $@) -o $@'
+@@ -7027,18 +7032,18 @@
+     DSO_PIC_CFLAGS='-fPIC'
+     ASFLAGS="$ASFLAGS -fPIC"
+     echo $ac_n "checking for --noexecstack option to as""... $ac_c" 1>&6
+-echo "configure:7031: checking for --noexecstack option to as" >&5
++echo "configure:7036: checking for --noexecstack option to as" >&5
+     _SAVE_CFLAGS=$CFLAGS
+     CFLAGS="$CFLAGS -Wa,--noexecstack"
+     cat > conftest.$ac_ext <<EOF
+-#line 7035 "configure"
++#line 7040 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7042: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7047: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   echo "$ac_t""yes" 1>&6
+                      ASFLAGS="$ASFLAGS -Wa,--noexecstack"
+@@ -7051,18 +7056,18 @@
+ rm -f conftest*
+     CFLAGS=$_SAVE_CFLAGS
+     echo $ac_n "checking for -z noexecstack option to ld""... $ac_c" 1>&6
+-echo "configure:7055: checking for -z noexecstack option to ld" >&5
++echo "configure:7060: checking for -z noexecstack option to ld" >&5
+     _SAVE_LDFLAGS=$LDFLAGS
+     LDFLAGS="$LDFLAGS -Wl,-z,noexecstack"
+     cat > conftest.$ac_ext <<EOF
+-#line 7059 "configure"
++#line 7064 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7066: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:7071: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   echo "$ac_t""yes" 1>&6
+ else
+@@ -7074,18 +7079,18 @@
+ fi
+ rm -f conftest*
+     echo $ac_n "checking for --build-id option to ld""... $ac_c" 1>&6
+-echo "configure:7078: checking for --build-id option to ld" >&5
++echo "configure:7083: checking for --build-id option to ld" >&5
+     _SAVE_LDFLAGS=$LDFLAGS
+     LDFLAGS="$LDFLAGS -Wl,--build-id"
+     cat > conftest.$ac_ext <<EOF
+-#line 7082 "configure"
++#line 7087 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7089: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:7094: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   echo "$ac_t""yes" 1>&6
+                   NSPR_LDFLAGS="$NSPR_LDFLAGS -Wl,--build-id"
+@@ -7101,19 +7106,19 @@
+ 
+     # Check for -mssse3 on $CC
+     echo $ac_n "checking if toolchain supports -mssse3 option""... $ac_c" 1>&6
+-echo "configure:7105: checking if toolchain supports -mssse3 option" >&5
++echo "configure:7110: checking if toolchain supports -mssse3 option" >&5
+     HAVE_TOOLCHAIN_SUPPORT_MSSSE3=
+     _SAVE_CFLAGS=$CFLAGS
+     CFLAGS="$CFLAGS -mssse3"
+     cat > conftest.$ac_ext <<EOF
+-#line 7110 "configure"
++#line 7115 "configure"
+ #include "confdefs.h"
+ asm ("pmaddubsw %xmm2,%xmm3");
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7117: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7122: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   echo "$ac_t""yes" 1>&6
+                      HAVE_TOOLCHAIN_SUPPORT_MSSSE3=1
+@@ -7129,19 +7134,19 @@
+ 
+     # Check for -msse4.1 on $CC
+     echo $ac_n "checking if toolchain supports -msse4.1 option""... $ac_c" 1>&6
+-echo "configure:7133: checking if toolchain supports -msse4.1 option" >&5
++echo "configure:7138: checking if toolchain supports -msse4.1 option" >&5
+     HAVE_TOOLCHAIN_SUPPORT_MSSE4_1=
+     _SAVE_CFLAGS=$CFLAGS
+     CFLAGS="$CFLAGS -msse4.1"
+     cat > conftest.$ac_ext <<EOF
+-#line 7138 "configure"
++#line 7143 "configure"
+ #include "confdefs.h"
+ asm ("pmulld %xmm6,%xmm0");
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7145: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7150: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   echo "$ac_t""yes" 1>&6
+                      HAVE_TOOLCHAIN_SUPPORT_MSSE4_1=1
+@@ -7167,7 +7172,7 @@
+     _WARNINGS_CFLAGS="${_WARNINGS_CFLAGS} -Wall -Wpointer-arith -Wdeclaration-after-statement"
+     
+     echo $ac_n "checking whether the C compiler supports -Werror=return-type""... $ac_c" 1>&6
+-echo "configure:7171: checking whether the C compiler supports -Werror=return-type" >&5
++echo "configure:7176: checking whether the C compiler supports -Werror=return-type" >&5
+ if eval "test \"`echo '$''{'ac_c_has_werror_return_type'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -7183,14 +7188,14 @@
+             _SAVE_CFLAGS="$CFLAGS"
+             CFLAGS="$CFLAGS -Werror -Werror=return-type"
+             cat > conftest.$ac_ext <<EOF
+-#line 7187 "configure"
++#line 7192 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7194: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7199: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_c_has_werror_return_type="yes"
+ else
+@@ -7218,7 +7223,7 @@
+ 
+     
+     echo $ac_n "checking whether the C compiler supports -Wtype-limits""... $ac_c" 1>&6
+-echo "configure:7222: checking whether the C compiler supports -Wtype-limits" >&5
++echo "configure:7227: checking whether the C compiler supports -Wtype-limits" >&5
+ if eval "test \"`echo '$''{'ac_c_has_wtype_limits'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -7234,14 +7239,14 @@
+             _SAVE_CFLAGS="$CFLAGS"
+             CFLAGS="$CFLAGS -Werror -Wtype-limits"
+             cat > conftest.$ac_ext <<EOF
+-#line 7238 "configure"
++#line 7243 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7245: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7250: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_c_has_wtype_limits="yes"
+ else
+@@ -7269,7 +7274,7 @@
+ 
+     
+     echo $ac_n "checking whether the C compiler supports -Wempty-body""... $ac_c" 1>&6
+-echo "configure:7273: checking whether the C compiler supports -Wempty-body" >&5
++echo "configure:7278: checking whether the C compiler supports -Wempty-body" >&5
+ if eval "test \"`echo '$''{'ac_c_has_wempty_body'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -7285,14 +7290,14 @@
+             _SAVE_CFLAGS="$CFLAGS"
+             CFLAGS="$CFLAGS -Werror -Wempty-body"
+             cat > conftest.$ac_ext <<EOF
+-#line 7289 "configure"
++#line 7294 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7296: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7301: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_c_has_wempty_body="yes"
+ else
+@@ -7320,7 +7325,7 @@
+ 
+     
+     echo $ac_n "checking whether the C compiler supports -Wsign-compare""... $ac_c" 1>&6
+-echo "configure:7324: checking whether the C compiler supports -Wsign-compare" >&5
++echo "configure:7329: checking whether the C compiler supports -Wsign-compare" >&5
+ if eval "test \"`echo '$''{'ac_c_has_sign_compare'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -7336,14 +7341,14 @@
+             _SAVE_CFLAGS="$CFLAGS"
+             CFLAGS="$CFLAGS -Werror -Wsign-compare"
+             cat > conftest.$ac_ext <<EOF
+-#line 7340 "configure"
++#line 7345 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7347: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7352: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_c_has_sign_compare="yes"
+ else
+@@ -7431,7 +7436,7 @@
+     _WARNINGS_CXXFLAGS="${_WARNINGS_CXXFLAGS} -Wall -Wpointer-arith -Woverloaded-virtual"
+     
+     echo $ac_n "checking whether the C++ compiler supports -Werror=return-type""... $ac_c" 1>&6
+-echo "configure:7435: checking whether the C++ compiler supports -Werror=return-type" >&5
++echo "configure:7440: checking whether the C++ compiler supports -Werror=return-type" >&5
+ if eval "test \"`echo '$''{'ac_cxx_has_werror_return_type'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -7447,14 +7452,14 @@
+             _SAVE_CXXFLAGS="$CXXFLAGS"
+             CXXFLAGS="$CXXFLAGS -Werror -Werror=return-type"
+             cat > conftest.$ac_ext <<EOF
+-#line 7451 "configure"
++#line 7456 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7458: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7463: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cxx_has_werror_return_type="yes"
+ else
+@@ -7482,7 +7487,7 @@
+ 
+     
+     echo $ac_n "checking whether the C++ compiler supports -Wtype-limits""... $ac_c" 1>&6
+-echo "configure:7486: checking whether the C++ compiler supports -Wtype-limits" >&5
++echo "configure:7491: checking whether the C++ compiler supports -Wtype-limits" >&5
+ if eval "test \"`echo '$''{'ac_cxx_has_wtype_limits'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -7498,14 +7503,14 @@
+             _SAVE_CXXFLAGS="$CXXFLAGS"
+             CXXFLAGS="$CXXFLAGS -Werror -Wtype-limits"
+             cat > conftest.$ac_ext <<EOF
+-#line 7502 "configure"
++#line 7507 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7509: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7514: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cxx_has_wtype_limits="yes"
+ else
+@@ -7533,7 +7538,7 @@
+ 
+     
+     echo $ac_n "checking whether the C++ compiler supports -Wempty-body""... $ac_c" 1>&6
+-echo "configure:7537: checking whether the C++ compiler supports -Wempty-body" >&5
++echo "configure:7542: checking whether the C++ compiler supports -Wempty-body" >&5
+ if eval "test \"`echo '$''{'ac_cxx_has_wempty_body'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -7549,14 +7554,14 @@
+             _SAVE_CXXFLAGS="$CXXFLAGS"
+             CXXFLAGS="$CXXFLAGS -Werror -Wempty-body"
+             cat > conftest.$ac_ext <<EOF
+-#line 7553 "configure"
++#line 7558 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7560: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7565: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cxx_has_wempty_body="yes"
+ else
+@@ -7584,7 +7589,7 @@
+ 
+     
+     echo $ac_n "checking whether the C++ compiler supports -Wsign-compare""... $ac_c" 1>&6
+-echo "configure:7588: checking whether the C++ compiler supports -Wsign-compare" >&5
++echo "configure:7593: checking whether the C++ compiler supports -Wsign-compare" >&5
+ if eval "test \"`echo '$''{'ac_cxx_has_sign_compare'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -7600,14 +7605,14 @@
+             _SAVE_CXXFLAGS="$CXXFLAGS"
+             CXXFLAGS="$CXXFLAGS -Werror -Wsign-compare"
+             cat > conftest.$ac_ext <<EOF
+-#line 7604 "configure"
++#line 7609 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7611: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7616: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cxx_has_sign_compare="yes"
+ else
+@@ -7639,7 +7644,7 @@
+     #
+     
+     echo $ac_n "checking whether the C++ compiler supports -Wno-invalid-offsetof""... $ac_c" 1>&6
+-echo "configure:7643: checking whether the C++ compiler supports -Wno-invalid-offsetof" >&5
++echo "configure:7648: checking whether the C++ compiler supports -Wno-invalid-offsetof" >&5
+ if eval "test \"`echo '$''{'ac_cxx_has_wno_invalid_offsetof'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -7655,14 +7660,14 @@
+             _SAVE_CXXFLAGS="$CXXFLAGS"
+             CXXFLAGS="$CXXFLAGS -Werror -Winvalid-offsetof"
+             cat > conftest.$ac_ext <<EOF
+-#line 7659 "configure"
++#line 7664 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7666: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7671: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cxx_has_wno_invalid_offsetof="yes"
+ else
+@@ -7714,7 +7719,7 @@
+         _WARNINGS_CXXFLAGS="${_WARNINGS_CXXFLAGS} -Wno-c++0x-extensions"
+         
+     echo $ac_n "checking whether the C++ compiler supports -Wno-extended-offsetof""... $ac_c" 1>&6
+-echo "configure:7718: checking whether the C++ compiler supports -Wno-extended-offsetof" >&5
++echo "configure:7723: checking whether the C++ compiler supports -Wno-extended-offsetof" >&5
+ if eval "test \"`echo '$''{'ac_cxx_has_wno_extended_offsetof'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -7730,14 +7735,14 @@
+             _SAVE_CXXFLAGS="$CXXFLAGS"
+             CXXFLAGS="$CXXFLAGS -Werror -Wextended-offsetof"
+             cat > conftest.$ac_ext <<EOF
+-#line 7734 "configure"
++#line 7739 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7741: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7746: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cxx_has_wno_extended_offsetof="yes"
+ else
+@@ -7775,7 +7780,7 @@
+ if test "$COMPILE_ENVIRONMENT"; then
+ if test "$GNU_CC"; then
+   echo $ac_n "checking whether ld has archive extraction flags""... $ac_c" 1>&6
+-echo "configure:7779: checking whether ld has archive extraction flags" >&5
++echo "configure:7784: checking whether ld has archive extraction flags" >&5
+   if eval "test \"`echo '$''{'ac_cv_mkshlib_force_and_unforce'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -7792,14 +7797,14 @@
+       LDFLAGS=$force
+       LIBS=$unforce
+       cat > conftest.$ac_ext <<EOF
+-#line 7796 "configure"
++#line 7801 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7803: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:7808: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_mkshlib_force_and_unforce=$line; break
+ else
+@@ -7834,16 +7839,16 @@
+ cross_compiling=$ac_cv_prog_cc_cross
+ 
+ echo $ac_n "checking for 64-bit OS""... $ac_c" 1>&6
+-echo "configure:7838: checking for 64-bit OS" >&5
++echo "configure:7843: checking for 64-bit OS" >&5
+ cat > conftest.$ac_ext <<EOF
+-#line 7840 "configure"
++#line 7845 "configure"
+ #include "confdefs.h"
+ $configure_static_assert_macros
+ int main() {
+ CONFIGURE_STATIC_ASSERT(sizeof(void*) == 8)
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7847: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7852: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   result="yes"
+ else
+@@ -8015,12 +8020,12 @@
+ if test -n "$MOZ_VALGRIND"; then
+        ac_safe=`echo "valgrind/valgrind.h" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for valgrind/valgrind.h""... $ac_c" 1>&6
+-echo "configure:8019: checking for valgrind/valgrind.h" >&5
++echo "configure:8024: checking for valgrind/valgrind.h" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 8024 "configure"
++#line 8029 "configure"
+ #include "confdefs.h"
+ 
+ #include <valgrind/valgrind.h>
+@@ -8028,7 +8033,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:8032: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:8037: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -8278,7 +8283,7 @@
+ esac
+ 
+ echo $ac_n "checking for custom <stdint.h> implementation""... $ac_c" 1>&6
+-echo "configure:8282: checking for custom <stdint.h> implementation" >&5
++echo "configure:8287: checking for custom <stdint.h> implementation" >&5
+ if test "$MOZ_CUSTOM_STDINT_H"; then
+   cat >> confdefs.pytmp <<EOF
+     (''' MOZ_CUSTOM_STDINT_H ''', r''' "$MOZ_CUSTOM_STDINT_H" ''')
+@@ -8379,9 +8384,9 @@
+ cross_compiling=$ac_cv_prog_cxx_cross
+ 
+             echo $ac_n "checking for IBM XLC/C++ compiler version >= 9.0.0.7""... $ac_c" 1>&6
+-echo "configure:8383: checking for IBM XLC/C++ compiler version >= 9.0.0.7" >&5
++echo "configure:8388: checking for IBM XLC/C++ compiler version >= 9.0.0.7" >&5
+             cat > conftest.$ac_ext <<EOF
+-#line 8385 "configure"
++#line 8390 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+@@ -8390,7 +8395,7 @@
+                  #endif
+ ; return 0; }
+ EOF
+-if { (eval echo configure:8394: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:8399: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   _BAD_COMPILER=
+ else
+@@ -8428,12 +8433,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:8432: checking for $ac_hdr" >&5
++echo "configure:8437: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 8437 "configure"
++#line 8442 "configure"
+ #include "confdefs.h"
+ 
+ #include <$ac_hdr>
+@@ -8441,7 +8446,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:8445: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:8450: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -8493,12 +8498,12 @@
+     STRIP_FLAGS="$STRIP_FLAGS -x -S"
+     # Check whether we're targeting OS X or iOS
+     echo $ac_n "checking for iOS target""... $ac_c" 1>&6
+-echo "configure:8497: checking for iOS target" >&5
++echo "configure:8502: checking for iOS target" >&5
+ if eval "test \"`echo '$''{'ac_cv_ios_target'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 8502 "configure"
++#line 8507 "configure"
+ #include "confdefs.h"
+ #include <TargetConditionals.h>
+ #if !(TARGET_OS_IPHONE || TARGET_IPHONE_SIMULATOR)
+@@ -8508,7 +8513,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:8512: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:8517: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_ios_target="yes"
+ else
+@@ -8567,18 +8572,18 @@
+         echo "Skipping -dead_strip because DTrace is enabled. See bug 403132."
+     else
+                 echo $ac_n "checking for -dead_strip option to ld""... $ac_c" 1>&6
+-echo "configure:8571: checking for -dead_strip option to ld" >&5
++echo "configure:8576: checking for -dead_strip option to ld" >&5
+         _SAVE_LDFLAGS=$LDFLAGS
+         LDFLAGS="$LDFLAGS -Wl,-dead_strip"
+         cat > conftest.$ac_ext <<EOF
+-#line 8575 "configure"
++#line 8580 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return 0;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:8582: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:8587: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   _HAVE_DEAD_STRIP=1
+ else
+@@ -8599,18 +8604,18 @@
+     fi
+ 
+             echo $ac_n "checking for -allow_heap_execute option to ld""... $ac_c" 1>&6
+-echo "configure:8603: checking for -allow_heap_execute option to ld" >&5
++echo "configure:8608: checking for -allow_heap_execute option to ld" >&5
+     _SAVE_LDFLAGS=$LDFLAGS
+     LDFLAGS="$LDFLAGS -Wl,-allow_heap_execute"
+     cat > conftest.$ac_ext <<EOF
+-#line 8607 "configure"
++#line 8612 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return 0;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:8614: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:8619: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   _HAVE_ALLOW_HEAP_EXECUTE=1
+ else
+@@ -8784,7 +8789,7 @@
+         # warnings are useless on mingw.
+         
+     echo $ac_n "checking whether the C compiler supports -Wno-format""... $ac_c" 1>&6
+-echo "configure:8788: checking whether the C compiler supports -Wno-format" >&5
++echo "configure:8793: checking whether the C compiler supports -Wno-format" >&5
+ if eval "test \"`echo '$''{'ac_c_has_wno_format'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -8800,14 +8805,14 @@
+             _SAVE_CFLAGS="$CFLAGS"
+             CFLAGS="$CFLAGS -Werror -Wformat"
+             cat > conftest.$ac_ext <<EOF
+-#line 8804 "configure"
++#line 8809 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:8811: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:8816: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_c_has_wno_format="yes"
+ else
+@@ -8835,7 +8840,7 @@
+ 
+         
+     echo $ac_n "checking whether the C++ compiler supports -Wno-format""... $ac_c" 1>&6
+-echo "configure:8839: checking whether the C++ compiler supports -Wno-format" >&5
++echo "configure:8844: checking whether the C++ compiler supports -Wno-format" >&5
+ if eval "test \"`echo '$''{'ac_cxx_has_wno_format'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -8851,14 +8856,14 @@
+             _SAVE_CXXFLAGS="$CXXFLAGS"
+             CXXFLAGS="$CXXFLAGS -Werror -Wformat"
+             cat > conftest.$ac_ext <<EOF
+-#line 8855 "configure"
++#line 8860 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:8862: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:8867: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cxx_has_wno_format="yes"
+ else
+@@ -9249,19 +9254,19 @@
+     _DEFINES_CXXFLAGS="$_DEFINES_CXXFLAGS -Uunix -U__unix -U__unix__"
+ 
+     echo $ac_n "checking for __declspec(dllexport)""... $ac_c" 1>&6
+-echo "configure:9253: checking for __declspec(dllexport)" >&5
++echo "configure:9258: checking for __declspec(dllexport)" >&5
+ if eval "test \"`echo '$''{'ac_os2_declspec'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9258 "configure"
++#line 9263 "configure"
+ #include "confdefs.h"
+ __declspec(dllexport) void ac_os2_declspec(void) {}
+ int main() {
+ return 0;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9265: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:9270: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_os2_declspec="yes"
+ else
+@@ -9308,14 +9313,14 @@
+            _SAVE_LDFLAGS=$LDFLAGS
+            LDFLAGS="-M /usr/lib/ld/map.noexstk $LDFLAGS"
+            cat > conftest.$ac_ext <<EOF
+-#line 9312 "configure"
++#line 9317 "configure"
+ #include "confdefs.h"
+ #include <stdio.h>
+ int main() {
+ printf("Hello World\n");
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9319: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:9324: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   :
+ else
+   echo "configure: failed program was:" >&5
+@@ -9343,7 +9348,7 @@
+        CC_VERSION=`$CC -V 2>&1 | grep '^cc:' 2>/dev/null | $AWK -F\: '{ print $2 }'`
+        CXX_VERSION=`$CXX -V 2>&1 | grep '^CC:' 2>/dev/null | $AWK -F\: '{ print $2 }'`
+        echo $ac_n "checking for Sun C++ compiler version >= 5.9""... $ac_c" 1>&6
+-echo "configure:9347: checking for Sun C++ compiler version >= 5.9" >&5
++echo "configure:9352: checking for Sun C++ compiler version >= 5.9" >&5
+        
+        ac_ext=C
+ # CXXFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
+@@ -9353,7 +9358,7 @@
+ cross_compiling=$ac_cv_prog_cxx_cross
+ 
+        cat > conftest.$ac_ext <<EOF
+-#line 9357 "configure"
++#line 9362 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+@@ -9362,7 +9367,7 @@
+            #endif
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9366: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:9371: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   _BAD_COMPILER=
+ else
+@@ -9379,7 +9384,7 @@
+            _res="yes"
+        fi
+        cat > conftest.$ac_ext <<EOF
+-#line 9383 "configure"
++#line 9388 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+@@ -9388,7 +9393,7 @@
+            #endif
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9392: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:9397: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   _ABOVE_SS12U1=
+ else
+@@ -9608,7 +9613,7 @@
+ 
+ if test "$GNU_CC" -a "$GCC_USE_GNU_LD" -a -z "$MOZ_DISABLE_ICF"; then
+     echo $ac_n "checking whether the linker supports Identical Code Folding""... $ac_c" 1>&6
+-echo "configure:9612: checking whether the linker supports Identical Code Folding" >&5
++echo "configure:9617: checking whether the linker supports Identical Code Folding" >&5
+ if eval "test \"`echo '$''{'LD_SUPPORTS_ICF'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -9617,7 +9622,7 @@
+               'int main() {return foo() - bar();}' > conftest.${ac_ext}
+         # If the linker supports ICF, foo and bar symbols will have
+         # the same address
+-        if { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS -Wl,--icf=safe -ffunction-sections conftest.${ac_ext} $LIBS 1>&2'; { (eval echo configure:9621: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } &&
++        if { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS -Wl,--icf=safe -ffunction-sections conftest.${ac_ext} $LIBS 1>&2'; { (eval echo configure:9626: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } &&
+            test -s conftest${ac_exeext} &&
+            objdump -t conftest${ac_exeext} | awk '{a[$6] = $1} END {if (a["foo"] && (a["foo"] != a["bar"])) { exit 1 }}'; then
+             LD_SUPPORTS_ICF=yes
+@@ -9632,14 +9637,14 @@
+         _SAVE_LDFLAGS="$LDFLAGS -Wl,--icf=safe"
+         LDFLAGS="$LDFLAGS -Wl,--icf=safe -Wl,--print-icf-sections"
+         cat > conftest.$ac_ext <<EOF
+-#line 9636 "configure"
++#line 9641 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9643: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:9648: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   LD_PRINT_ICF_SECTIONS=-Wl,--print-icf-sections
+ else
+@@ -9657,15 +9662,15 @@
+ 
+ if test "$GNU_CC" -a "$GCC_USE_GNU_LD" -a -n "$MOZ_DEBUG_FLAGS"; then
+       echo $ac_n "checking whether removing dead symbols breaks debugging""... $ac_c" 1>&6
+-echo "configure:9661: checking whether removing dead symbols breaks debugging" >&5
++echo "configure:9666: checking whether removing dead symbols breaks debugging" >&5
+ if eval "test \"`echo '$''{'GC_SECTIONS_BREAKS_DEBUG_RANGES'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   echo 'int foo() {return 42;}' \
+              'int bar() {return 1;}' \
+              'int main() {return foo();}' > conftest.${ac_ext}
+-        if { ac_try='${CC-cc} -o conftest.${ac_objext} $CFLAGS $MOZ_DEBUG_FLAGS -c conftest.${ac_ext} 1>&2'; { (eval echo configure:9668: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } &&
+-           { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS $MOZ_DEBUG_FLAGS -Wl,--gc-sections conftest.${ac_objext} $LIBS 1>&2'; { (eval echo configure:9669: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } &&
++        if { ac_try='${CC-cc} -o conftest.${ac_objext} $CFLAGS $MOZ_DEBUG_FLAGS -c conftest.${ac_ext} 1>&2'; { (eval echo configure:9673: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } &&
++           { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS $MOZ_DEBUG_FLAGS -Wl,--gc-sections conftest.${ac_objext} $LIBS 1>&2'; { (eval echo configure:9674: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } &&
+            test -s conftest${ac_exeext} -a -s conftest.${ac_objext}; then
+             if test "`$PYTHON "$_topsrcdir"/build/autoconf/check_debug_ranges.py conftest.${ac_objext} conftest.${ac_ext}`" = \
+                     "`$PYTHON "$_topsrcdir"/build/autoconf/check_debug_ranges.py conftest${ac_exeext} conftest.${ac_ext}`"; then
+@@ -9688,12 +9693,12 @@
+ 
+ if test -z "$SKIP_COMPILER_CHECKS"; then
+ echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6
+-echo "configure:9692: checking for ANSI C header files" >&5
++echo "configure:9697: checking for ANSI C header files" >&5
+ if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9697 "configure"
++#line 9702 "configure"
+ #include "confdefs.h"
+ #include <stdlib.h>
+ #include <stdarg.h>
+@@ -9701,7 +9706,7 @@
+ #include <float.h>
+ EOF
+ ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+-{ (eval echo configure:9705: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
++{ (eval echo configure:9710: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+ if test -z "$ac_err"; then
+   rm -rf conftest*
+@@ -9718,7 +9723,7 @@
+ if test $ac_cv_header_stdc = yes; then
+   # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+ cat > conftest.$ac_ext <<EOF
+-#line 9722 "configure"
++#line 9727 "configure"
+ #include "confdefs.h"
+ #include <string.h>
+ EOF
+@@ -9736,7 +9741,7 @@
+ if test $ac_cv_header_stdc = yes; then
+   # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+ cat > conftest.$ac_ext <<EOF
+-#line 9740 "configure"
++#line 9745 "configure"
+ #include "confdefs.h"
+ #include <stdlib.h>
+ EOF
+@@ -9757,7 +9762,7 @@
+   :
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9761 "configure"
++#line 9766 "configure"
+ #include "confdefs.h"
+ #include <ctype.h>
+ #define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+@@ -9768,7 +9773,7 @@
+ exit (0); }
+ 
+ EOF
+-if { (eval echo configure:9772: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:9777: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   :
+ else
+@@ -9795,12 +9800,12 @@
+ fi
+ 
+ echo $ac_n "checking for working const""... $ac_c" 1>&6
+-echo "configure:9799: checking for working const" >&5
++echo "configure:9804: checking for working const" >&5
+ if eval "test \"`echo '$''{'ac_cv_c_const'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9804 "configure"
++#line 9809 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+@@ -9849,7 +9854,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9853: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:9858: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_c_const=yes
+ else
+@@ -9873,12 +9878,12 @@
+ fi
+ 
+ echo $ac_n "checking for mode_t""... $ac_c" 1>&6
+-echo "configure:9877: checking for mode_t" >&5
++echo "configure:9882: checking for mode_t" >&5
+ if eval "test \"`echo '$''{'ac_cv_type_mode_t'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9882 "configure"
++#line 9887 "configure"
+ #include "confdefs.h"
+ #include <sys/types.h>
+ #if STDC_HEADERS
+@@ -9909,12 +9914,12 @@
+ fi
+ 
+ echo $ac_n "checking for off_t""... $ac_c" 1>&6
+-echo "configure:9913: checking for off_t" >&5
++echo "configure:9918: checking for off_t" >&5
+ if eval "test \"`echo '$''{'ac_cv_type_off_t'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9918 "configure"
++#line 9923 "configure"
+ #include "confdefs.h"
+ #include <sys/types.h>
+ #if STDC_HEADERS
+@@ -9945,12 +9950,12 @@
+ fi
+ 
+ echo $ac_n "checking for pid_t""... $ac_c" 1>&6
+-echo "configure:9949: checking for pid_t" >&5
++echo "configure:9954: checking for pid_t" >&5
+ if eval "test \"`echo '$''{'ac_cv_type_pid_t'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9954 "configure"
++#line 9959 "configure"
+ #include "confdefs.h"
+ #include <sys/types.h>
+ #if STDC_HEADERS
+@@ -9981,12 +9986,12 @@
+ fi
+ 
+ echo $ac_n "checking for size_t""... $ac_c" 1>&6
+-echo "configure:9985: checking for size_t" >&5
++echo "configure:9990: checking for size_t" >&5
+ if eval "test \"`echo '$''{'ac_cv_type_size_t'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9990 "configure"
++#line 9995 "configure"
+ #include "confdefs.h"
+ #include <sys/types.h>
+ #if STDC_HEADERS
+@@ -10024,12 +10029,12 @@
+ cross_compiling=$ac_cv_prog_cxx_cross
+ 
+ echo $ac_n "checking for __stdcall""... $ac_c" 1>&6
+-echo "configure:10028: checking for __stdcall" >&5
++echo "configure:10033: checking for __stdcall" >&5
+ if eval "test \"`echo '$''{'ac_cv___stdcall'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 10033 "configure"
++#line 10038 "configure"
+ #include "confdefs.h"
+ template <typename Method> struct foo;
+                   template <> struct foo<void (*)()> {};
+@@ -10038,7 +10043,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10042: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10047: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv___stdcall=true
+ else
+@@ -10070,12 +10075,12 @@
+ cross_compiling=$ac_cv_prog_cc_cross
+ 
+ echo $ac_n "checking for ssize_t""... $ac_c" 1>&6
+-echo "configure:10074: checking for ssize_t" >&5
++echo "configure:10079: checking for ssize_t" >&5
+ if eval "test \"`echo '$''{'ac_cv_type_ssize_t'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 10079 "configure"
++#line 10084 "configure"
+ #include "confdefs.h"
+ #include <stdio.h>
+                   #include <sys/types.h>
+@@ -10083,7 +10088,7 @@
+ ssize_t foo = 0;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10087: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10092: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_type_ssize_t=true
+ else
+@@ -10108,12 +10113,12 @@
+   echo "$ac_t""no" 1>&6
+ fi
+ echo $ac_n "checking for st_blksize in struct stat""... $ac_c" 1>&6
+-echo "configure:10112: checking for st_blksize in struct stat" >&5
++echo "configure:10117: checking for st_blksize in struct stat" >&5
+ if eval "test \"`echo '$''{'ac_cv_struct_st_blksize'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 10117 "configure"
++#line 10122 "configure"
+ #include "confdefs.h"
+ #include <sys/types.h>
+ #include <sys/stat.h>
+@@ -10121,7 +10126,7 @@
+ struct stat s; s.st_blksize;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10125: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10130: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_struct_st_blksize=yes
+ else
+@@ -10145,12 +10150,12 @@
+ fi
+ 
+ echo $ac_n "checking for siginfo_t""... $ac_c" 1>&6
+-echo "configure:10149: checking for siginfo_t" >&5
++echo "configure:10154: checking for siginfo_t" >&5
+ if eval "test \"`echo '$''{'ac_cv_siginfo_t'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 10154 "configure"
++#line 10159 "configure"
+ #include "confdefs.h"
+ #define _POSIX_C_SOURCE 199506L
+                   #include <signal.h>
+@@ -10158,7 +10163,7 @@
+ siginfo_t* info;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10162: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10167: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_siginfo_t=true
+ else
+@@ -10184,12 +10189,12 @@
+ fi
+ 
+ echo $ac_n "checking for int64""... $ac_c" 1>&6
+-echo "configure:10188: checking for int64" >&5
++echo "configure:10193: checking for int64" >&5
+ if eval "test \"`echo '$''{'ac_cv_int64'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 10193 "configure"
++#line 10198 "configure"
+ #include "confdefs.h"
+ #include <stdio.h>
+                   #include <sys/types.h>
+@@ -10197,7 +10202,7 @@
+ int64 foo = 0;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10201: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10206: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_int64=true
+ else
+@@ -10222,12 +10227,12 @@
+   echo "$ac_t""no" 1>&6
+ fi
+ echo $ac_n "checking for uint""... $ac_c" 1>&6
+-echo "configure:10226: checking for uint" >&5
++echo "configure:10231: checking for uint" >&5
+ if eval "test \"`echo '$''{'ac_cv_uint'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 10231 "configure"
++#line 10236 "configure"
+ #include "confdefs.h"
+ #include <stdio.h>
+                   #include <sys/types.h>
+@@ -10235,7 +10240,7 @@
+ uint foo = 0;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10239: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10244: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_uint=true
+ else
+@@ -10260,12 +10265,12 @@
+   echo "$ac_t""no" 1>&6
+ fi
+ echo $ac_n "checking for uint_t""... $ac_c" 1>&6
+-echo "configure:10264: checking for uint_t" >&5
++echo "configure:10269: checking for uint_t" >&5
+ if eval "test \"`echo '$''{'ac_cv_uint_t'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 10269 "configure"
++#line 10274 "configure"
+ #include "confdefs.h"
+ #include <stdio.h>
+                   #include <sys/types.h>
+@@ -10273,7 +10278,7 @@
+ uint_t foo = 0;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10277: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10282: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_uint_t=true
+ else
+@@ -10307,12 +10312,12 @@
+ 
+ 
+ echo $ac_n "checking for uname.domainname""... $ac_c" 1>&6
+-echo "configure:10311: checking for uname.domainname" >&5
++echo "configure:10316: checking for uname.domainname" >&5
+ if eval "test \"`echo '$''{'ac_cv_have_uname_domainname_field'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 10316 "configure"
++#line 10321 "configure"
+ #include "confdefs.h"
+ #include <sys/utsname.h>
+ int main() {
+@@ -10320,7 +10325,7 @@
+             (void)uname(res);  if (res != 0) { domain = res->domainname; } 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10324: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10329: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_have_uname_domainname_field=true
+ else
+@@ -10347,12 +10352,12 @@
+ fi
+ 
+ echo $ac_n "checking for uname.__domainname""... $ac_c" 1>&6
+-echo "configure:10351: checking for uname.__domainname" >&5
++echo "configure:10356: checking for uname.__domainname" >&5
+ if eval "test \"`echo '$''{'ac_cv_have_uname_us_domainname_field'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 10356 "configure"
++#line 10361 "configure"
+ #include "confdefs.h"
+ #include <sys/utsname.h>
+ int main() {
+@@ -10360,7 +10365,7 @@
+             (void)uname(res);  if (res != 0) { domain = res->__domainname; } 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10364: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10369: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_have_uname_us_domainname_field=true
+ else
+@@ -10399,19 +10404,19 @@
+     CXXFLAGS="$CXXFLAGS -std=gnu++0x"
+ 
+     echo $ac_n "checking for gcc c++0x headers bug without rtti""... $ac_c" 1>&6
+-echo "configure:10403: checking for gcc c++0x headers bug without rtti" >&5
++echo "configure:10408: checking for gcc c++0x headers bug without rtti" >&5
+ if eval "test \"`echo '$''{'ac_cv_cxx0x_headers_bug'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 10408 "configure"
++#line 10413 "configure"
+ #include "confdefs.h"
+ #include <memory>
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10415: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10420: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_cxx0x_headers_bug="no"
+ else
+@@ -10428,19 +10433,19 @@
+     if test "$CLANG_CXX" -a "$ac_cv_cxx0x_headers_bug" = "yes"; then
+         CXXFLAGS="$CXXFLAGS -I$_topsrcdir/build/unix/headers"
+         echo $ac_n "checking whether workaround for gcc c++0x headers conflict with clang works""... $ac_c" 1>&6
+-echo "configure:10432: checking whether workaround for gcc c++0x headers conflict with clang works" >&5
++echo "configure:10437: checking whether workaround for gcc c++0x headers conflict with clang works" >&5
+ if eval "test \"`echo '$''{'ac_cv_cxx0x_clang_workaround'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 10437 "configure"
++#line 10442 "configure"
+ #include "confdefs.h"
+ #include <memory>
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10444: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10449: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_cxx0x_clang_workaround="yes"
+ else
+@@ -10463,12 +10468,12 @@
+ fi
+ 
+ echo $ac_n "checking for usable char16_t (2 bytes, unsigned)""... $ac_c" 1>&6
+-echo "configure:10467: checking for usable char16_t (2 bytes, unsigned)" >&5
++echo "configure:10472: checking for usable char16_t (2 bytes, unsigned)" >&5
+ if eval "test \"`echo '$''{'ac_cv_have_usable_char16_t'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 10472 "configure"
++#line 10477 "configure"
+ #include "confdefs.h"
+ $configure_static_assert_macros
+ int main() {
+@@ -10479,7 +10484,7 @@
+                      CONFIGURE_STATIC_ASSERT(u'\xFFFF' > u'\x0')
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10483: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10488: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_have_usable_char16_t="yes"
+ else
+@@ -10507,12 +10512,12 @@
+ 
+ 
+ echo $ac_n "checking for usable wchar_t (2 bytes, unsigned)""... $ac_c" 1>&6
+-echo "configure:10511: checking for usable wchar_t (2 bytes, unsigned)" >&5
++echo "configure:10516: checking for usable wchar_t (2 bytes, unsigned)" >&5
+ if eval "test \"`echo '$''{'ac_cv_have_usable_wchar_v2'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 10516 "configure"
++#line 10521 "configure"
+ #include "confdefs.h"
+ #include <stddef.h>
+                      $configure_static_assert_macros
+@@ -10521,7 +10526,7 @@
+                      CONFIGURE_STATIC_ASSERT((wchar_t)-1 > (wchar_t) 0)
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10525: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10530: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_have_usable_wchar_v2="yes"
+ else
+@@ -10549,12 +10554,12 @@
+     CXXFLAGS="$CXXFLAGS -fshort-wchar"
+ 
+     echo $ac_n "checking for compiler -fshort-wchar option""... $ac_c" 1>&6
+-echo "configure:10553: checking for compiler -fshort-wchar option" >&5
++echo "configure:10558: checking for compiler -fshort-wchar option" >&5
+ if eval "test \"`echo '$''{'ac_cv_have_usable_wchar_option_v2'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 10558 "configure"
++#line 10563 "configure"
+ #include "confdefs.h"
+ #include <stddef.h>
+                       $configure_static_assert_macros
+@@ -10563,7 +10568,7 @@
+                       CONFIGURE_STATIC_ASSERT((wchar_t)-1 > (wchar_t) 0)
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10567: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:10572: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_have_usable_wchar_option_v2="yes"
+ else
+@@ -10609,7 +10614,7 @@
+ 
+ if test "$GNU_CC"; then
+   echo $ac_n "checking for visibility(hidden) attribute""... $ac_c" 1>&6
+-echo "configure:10613: checking for visibility(hidden) attribute" >&5
++echo "configure:10618: checking for visibility(hidden) attribute" >&5
+ if eval "test \"`echo '$''{'ac_cv_visibility_hidden'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -10637,7 +10642,7 @@
+ 
+ 
+     echo $ac_n "checking for visibility(default) attribute""... $ac_c" 1>&6
+-echo "configure:10641: checking for visibility(default) attribute" >&5
++echo "configure:10646: checking for visibility(default) attribute" >&5
+ if eval "test \"`echo '$''{'ac_cv_visibility_default'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -10665,7 +10670,7 @@
+ 
+ 
+       echo $ac_n "checking for visibility pragma support""... $ac_c" 1>&6
+-echo "configure:10669: checking for visibility pragma support" >&5
++echo "configure:10674: checking for visibility pragma support" >&5
+ if eval "test \"`echo '$''{'ac_cv_visibility_pragma'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -10690,7 +10695,7 @@
+ echo "$ac_t""$ac_cv_visibility_pragma" 1>&6
+       if test "$ac_cv_visibility_pragma" = "yes"; then
+         echo $ac_n "checking For gcc visibility bug with class-level attributes (GCC bug 26905)""... $ac_c" 1>&6
+-echo "configure:10694: checking For gcc visibility bug with class-level attributes (GCC bug 26905)" >&5
++echo "configure:10699: checking For gcc visibility bug with class-level attributes (GCC bug 26905)" >&5
+ if eval "test \"`echo '$''{'ac_cv_have_visibility_class_bug'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -10718,7 +10723,7 @@
+ echo "$ac_t""$ac_cv_have_visibility_class_bug" 1>&6
+ 
+         echo $ac_n "checking For x86_64 gcc visibility bug with builtins (GCC bug 20297)""... $ac_c" 1>&6
+-echo "configure:10722: checking For x86_64 gcc visibility bug with builtins (GCC bug 20297)" >&5
++echo "configure:10727: checking For x86_64 gcc visibility bug with builtins (GCC bug 20297)" >&5
+ if eval "test \"`echo '$''{'ac_cv_have_visibility_builtin_bug'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -10772,7 +10777,7 @@
+ if test "$GNU_CC"; then
+ 
+ echo $ac_n "checking for gcc PR49911""... $ac_c" 1>&6
+-echo "configure:10776: checking for gcc PR49911" >&5
++echo "configure:10781: checking for gcc PR49911" >&5
+ ac_have_gcc_pr49911="no"
+ 
+ ac_ext=C
+@@ -10789,7 +10794,7 @@
+   true
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 10793 "configure"
++#line 10798 "configure"
+ #include "confdefs.h"
+ 
+ extern "C" void abort(void);
+@@ -10830,7 +10835,7 @@
+ }
+ 
+ EOF
+-if { (eval echo configure:10834: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:10839: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   true
+ else
+@@ -10863,7 +10868,7 @@
+ 
+ 
+ echo $ac_n "checking for gcc pr39608""... $ac_c" 1>&6
+-echo "configure:10867: checking for gcc pr39608" >&5
++echo "configure:10872: checking for gcc pr39608" >&5
+ ac_have_gcc_pr39608="yes"
+ 
+ ac_ext=C
+@@ -10875,7 +10880,7 @@
+ 
+ 
+ cat > conftest.$ac_ext <<EOF
+-#line 10879 "configure"
++#line 10884 "configure"
+ #include "confdefs.h"
+ 
+ typedef void (*FuncType)();
+@@ -10893,7 +10898,7 @@
+ true
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10897: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10902: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_have_gcc_pr39608="no"
+ else
+@@ -10923,7 +10928,7 @@
+     # cannot do enough code gen for now to make this test work correctly.
+     
+ echo $ac_n "checking for llvm pr8927""... $ac_c" 1>&6
+-echo "configure:10927: checking for llvm pr8927" >&5
++echo "configure:10932: checking for llvm pr8927" >&5
+ ac_have_llvm_pr8927="no"
+ 
+ ac_ext=c
+@@ -10940,7 +10945,7 @@
+   true
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 10944 "configure"
++#line 10949 "configure"
+ #include "confdefs.h"
+ 
+ struct foobar {
+@@ -10963,7 +10968,7 @@
+ }
+ 
+ EOF
+-if { (eval echo configure:10967: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:10972: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   true
+ else
+@@ -11001,19 +11006,19 @@
+   CFLAGS_save="${CFLAGS}"
+   CFLAGS="${CFLAGS} -Werror"
+   echo $ac_n "checking for __force_align_arg_pointer__ attribute""... $ac_c" 1>&6
+-echo "configure:11005: checking for __force_align_arg_pointer__ attribute" >&5
++echo "configure:11010: checking for __force_align_arg_pointer__ attribute" >&5
+ if eval "test \"`echo '$''{'ac_cv_force_align_arg_pointer'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11010 "configure"
++#line 11015 "configure"
+ #include "confdefs.h"
+ __attribute__ ((__force_align_arg_pointer__)) void test() {}
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11017: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11022: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_force_align_arg_pointer="yes"
+ else
+@@ -11040,12 +11045,12 @@
+ do
+ ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+ echo $ac_n "checking for $ac_hdr that defines DIR""... $ac_c" 1>&6
+-echo "configure:11044: checking for $ac_hdr that defines DIR" >&5
++echo "configure:11049: checking for $ac_hdr that defines DIR" >&5
+ if eval "test \"`echo '$''{'ac_cv_header_dirent_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11049 "configure"
++#line 11054 "configure"
+ #include "confdefs.h"
+ #include <sys/types.h>
+ #include <$ac_hdr>
+@@ -11053,7 +11058,7 @@
+ DIR *dirp = 0;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11057: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11062: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_dirent_$ac_safe=yes"
+ else
+@@ -11081,7 +11086,7 @@
+ # Two versions of opendir et al. are in -ldir and -lx on SCO Xenix.
+ if test $ac_header_dirent = dirent.h; then
+ echo $ac_n "checking for opendir in -ldir""... $ac_c" 1>&6
+-echo "configure:11085: checking for opendir in -ldir" >&5
++echo "configure:11090: checking for opendir in -ldir" >&5
+ ac_lib_var=`echo dir'_'opendir | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -11089,7 +11094,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-ldir  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 11093 "configure"
++#line 11098 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -11100,7 +11105,7 @@
+ opendir()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11104: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:11109: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -11122,7 +11127,7 @@
+ 
+ else
+ echo $ac_n "checking for opendir in -lx""... $ac_c" 1>&6
+-echo "configure:11126: checking for opendir in -lx" >&5
++echo "configure:11131: checking for opendir in -lx" >&5
+ ac_lib_var=`echo x'_'opendir | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -11130,7 +11135,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lx  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 11134 "configure"
++#line 11139 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -11141,7 +11146,7 @@
+ opendir()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11145: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:11150: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -11175,12 +11180,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:11179: checking for $ac_hdr" >&5
++echo "configure:11184: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 11184 "configure"
++#line 11189 "configure"
+ #include "confdefs.h"
+ 
+ #include <$ac_hdr>
+@@ -11188,7 +11193,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11192: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11197: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -11223,12 +11228,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:11227: checking for $ac_hdr" >&5
++echo "configure:11232: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 11232 "configure"
++#line 11237 "configure"
+ #include "confdefs.h"
+ 
+ #include <$ac_hdr>
+@@ -11236,7 +11241,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11240: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11245: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -11270,12 +11275,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:11274: checking for $ac_hdr" >&5
++echo "configure:11279: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 11279 "configure"
++#line 11284 "configure"
+ #include "confdefs.h"
+ 
+ #include <$ac_hdr>
+@@ -11283,7 +11288,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11287: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11292: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -11316,12 +11321,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:11320: checking for $ac_hdr" >&5
++echo "configure:11325: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 11325 "configure"
++#line 11330 "configure"
+ #include "confdefs.h"
+ #include <sys/socket.h>
+ #include <$ac_hdr>
+@@ -11329,7 +11334,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11333: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11338: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -11363,12 +11368,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:11367: checking for $ac_hdr" >&5
++echo "configure:11372: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 11372 "configure"
++#line 11377 "configure"
+ #include "confdefs.h"
+ #include <sys/socket.h>
+ #include <$ac_hdr>
+@@ -11376,7 +11381,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11380: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11385: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -11410,12 +11415,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:11414: checking for $ac_hdr" >&5
++echo "configure:11419: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 11419 "configure"
++#line 11424 "configure"
+ #include "confdefs.h"
+ 
+ #include <$ac_hdr>
+@@ -11423,7 +11428,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11427: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11432: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -11454,12 +11459,12 @@
+ 
+ 
+ echo $ac_n "checking for sockaddr_in.sin_len""... $ac_c" 1>&6
+-echo "configure:11458: checking for sockaddr_in.sin_len" >&5
++echo "configure:11463: checking for sockaddr_in.sin_len" >&5
+ if eval "test \"`echo '$''{'ac_cv_sockaddr_in_sin_len'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11463 "configure"
++#line 11468 "configure"
+ #include "confdefs.h"
+ #ifdef HAVE_SYS_TYPES_H
+                                     #include <sys/types.h>
+@@ -11471,7 +11476,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11475: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11480: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_sockaddr_in_sin_len=true
+ else
+@@ -11502,12 +11507,12 @@
+ fi
+ 
+ echo $ac_n "checking for sockaddr_in6.sin6_len""... $ac_c" 1>&6
+-echo "configure:11506: checking for sockaddr_in6.sin6_len" >&5
++echo "configure:11511: checking for sockaddr_in6.sin6_len" >&5
+ if eval "test \"`echo '$''{'ac_cv_sockaddr_in6_sin6_len'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11511 "configure"
++#line 11516 "configure"
+ #include "confdefs.h"
+ #ifdef HAVE_SYS_TYPES_H
+                                 #include <sys/types.h>
+@@ -11519,7 +11524,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11523: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11528: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_sockaddr_in6_sin6_len=true
+ else
+@@ -11543,12 +11548,12 @@
+ fi
+ 
+ echo $ac_n "checking for sockaddr.sa_len""... $ac_c" 1>&6
+-echo "configure:11547: checking for sockaddr.sa_len" >&5
++echo "configure:11552: checking for sockaddr.sa_len" >&5
+ if eval "test \"`echo '$''{'ac_cv_sockaddr_sa_len'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11552 "configure"
++#line 11557 "configure"
+ #include "confdefs.h"
+ #ifdef HAVE_SYS_TYPES_H
+                                 #include <sys/types.h>
+@@ -11560,7 +11565,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11564: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11569: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_sockaddr_sa_len=true
+ else
+@@ -11593,12 +11598,12 @@
+ NEW_H=new.h
+    ac_safe=`echo "new" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for new""... $ac_c" 1>&6
+-echo "configure:11597: checking for new" >&5
++echo "configure:11602: checking for new" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 11602 "configure"
++#line 11607 "configure"
+ #include "confdefs.h"
+ 
+ #include <new>
+@@ -11606,7 +11611,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11610: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11615: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -11650,12 +11655,12 @@
+ if test "x$enable_dtrace" = "xyes"; then
+      ac_safe=`echo "sys/sdt.h" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for sys/sdt.h""... $ac_c" 1>&6
+-echo "configure:11654: checking for sys/sdt.h" >&5
++echo "configure:11659: checking for sys/sdt.h" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 11659 "configure"
++#line 11664 "configure"
+ #include "confdefs.h"
+ 
+ #include <sys/sdt.h>
+@@ -11663,7 +11668,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11667: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11672: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -11705,12 +11710,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:11709: checking for $ac_hdr" >&5
++echo "configure:11714: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 11714 "configure"
++#line 11719 "configure"
+ #include "confdefs.h"
+ 
+ #include <$ac_hdr>
+@@ -11718,7 +11723,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11722: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11727: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -11770,12 +11775,12 @@
+ 
+    ac_safe=`echo "linux/perf_event.h" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for linux/perf_event.h""... $ac_c" 1>&6
+-echo "configure:11774: checking for linux/perf_event.h" >&5
++echo "configure:11779: checking for linux/perf_event.h" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 11779 "configure"
++#line 11784 "configure"
+ #include "confdefs.h"
+ 
+ #include <linux/perf_event.h>
+@@ -11783,7 +11788,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11787: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11792: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -11798,19 +11803,19 @@
+   if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+     echo "$ac_t""yes" 1>&6
+     echo $ac_n "checking for perf_event_open system call""... $ac_c" 1>&6
+-echo "configure:11802: checking for perf_event_open system call" >&5
++echo "configure:11807: checking for perf_event_open system call" >&5
+ if eval "test \"`echo '$''{'ac_cv_perf_event_open'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11807 "configure"
++#line 11812 "configure"
+ #include "confdefs.h"
+ #include <asm/unistd.h>
+ int main() {
+ return sizeof(__NR_perf_event_open);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11814: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11819: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_perf_event_open=yes
+ else
+@@ -11846,7 +11851,7 @@
+ 	;;
+ *)
+ 	echo $ac_n "checking for gethostbyname_r in -lc_r""... $ac_c" 1>&6
+-echo "configure:11850: checking for gethostbyname_r in -lc_r" >&5
++echo "configure:11855: checking for gethostbyname_r in -lc_r" >&5
+ ac_lib_var=`echo c_r'_'gethostbyname_r | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -11854,7 +11859,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lc_r  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 11858 "configure"
++#line 11863 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -11865,7 +11870,7 @@
+ gethostbyname_r()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11869: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:11874: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -11906,14 +11911,14 @@
+ *)
+     
+ echo $ac_n "checking for library containing dlopen""... $ac_c" 1>&6
+-echo "configure:11910: checking for library containing dlopen" >&5
++echo "configure:11915: checking for library containing dlopen" >&5
+ if eval "test \"`echo '$''{'ac_cv_search_dlopen'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   ac_func_search_save_LIBS="$LIBS"
+ ac_cv_search_dlopen="no"
+ cat > conftest.$ac_ext <<EOF
+-#line 11917 "configure"
++#line 11922 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -11924,7 +11929,7 @@
+ dlopen()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11928: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:11933: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_search_dlopen="none required"
+ else
+@@ -11935,7 +11940,7 @@
+ test "$ac_cv_search_dlopen" = "no" && for i in dl; do
+ LIBS="-l$i  $ac_func_search_save_LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 11939 "configure"
++#line 11944 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -11946,7 +11951,7 @@
+ dlopen()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11950: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:11955: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_search_dlopen="-l$i"
+ break
+@@ -11964,12 +11969,12 @@
+   test "$ac_cv_search_dlopen" = "none required" || LIBS="$ac_cv_search_dlopen $LIBS"
+      ac_safe=`echo "dlfcn.h" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for dlfcn.h""... $ac_c" 1>&6
+-echo "configure:11968: checking for dlfcn.h" >&5
++echo "configure:11973: checking for dlfcn.h" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 11973 "configure"
++#line 11978 "configure"
+ #include "confdefs.h"
+ 
+ #include <dlfcn.h>
+@@ -11977,7 +11982,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11981: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11986: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -12014,12 +12019,12 @@
+ for ac_func in dladdr memmem
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:12018: checking for $ac_func" >&5
++echo "configure:12023: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 12023 "configure"
++#line 12028 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -12042,7 +12047,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12046: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:12051: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -12076,7 +12081,7 @@
+     case $target in
+     *-aix*)
+ 	echo $ac_n "checking for demangle in -lC_r""... $ac_c" 1>&6
+-echo "configure:12080: checking for demangle in -lC_r" >&5
++echo "configure:12085: checking for demangle in -lC_r" >&5
+ ac_lib_var=`echo C_r'_'demangle | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -12084,7 +12089,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lC_r  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 12088 "configure"
++#line 12093 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -12095,7 +12100,7 @@
+ demangle()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12099: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:12104: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -12128,7 +12133,7 @@
+ 	;;
+      *)
+ 	echo $ac_n "checking for demangle in -lC""... $ac_c" 1>&6
+-echo "configure:12132: checking for demangle in -lC" >&5
++echo "configure:12137: checking for demangle in -lC" >&5
+ ac_lib_var=`echo C'_'demangle | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -12136,7 +12141,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lC  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 12140 "configure"
++#line 12145 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -12147,7 +12152,7 @@
+ demangle()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12151: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:12156: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -12186,7 +12191,7 @@
+     ;;
+ *)
+     echo $ac_n "checking for socket in -lsocket""... $ac_c" 1>&6
+-echo "configure:12190: checking for socket in -lsocket" >&5
++echo "configure:12195: checking for socket in -lsocket" >&5
+ ac_lib_var=`echo socket'_'socket | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -12194,7 +12199,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lsocket  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 12198 "configure"
++#line 12203 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -12205,7 +12210,7 @@
+ socket()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12209: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:12214: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -12260,7 +12265,7 @@
+ 	_SAVE_LDFLAGS="$LDFLAGS"
+ 	LDFLAGS="$XLDFLAGS $LDFLAGS"
+ 	echo $ac_n "checking for XDrawLines in -lX11""... $ac_c" 1>&6
+-echo "configure:12264: checking for XDrawLines in -lX11" >&5
++echo "configure:12269: checking for XDrawLines in -lX11" >&5
+ ac_lib_var=`echo X11'_'XDrawLines | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -12268,7 +12273,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lX11 $XLIBS $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 12272 "configure"
++#line 12277 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -12279,7 +12284,7 @@
+ XDrawLines()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12283: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:12288: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -12301,7 +12306,7 @@
+ fi
+ 
+ 	echo $ac_n "checking for XextAddDisplay in -lXext""... $ac_c" 1>&6
+-echo "configure:12305: checking for XextAddDisplay in -lXext" >&5
++echo "configure:12310: checking for XextAddDisplay in -lXext" >&5
+ ac_lib_var=`echo Xext'_'XextAddDisplay | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -12309,7 +12314,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lXext $XLIBS $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 12313 "configure"
++#line 12318 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -12320,7 +12325,7 @@
+ XextAddDisplay()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12324: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:12329: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -12343,7 +12348,7 @@
+ 
+ 
+ 	echo $ac_n "checking for XtFree in -lXt""... $ac_c" 1>&6
+-echo "configure:12347: checking for XtFree in -lXt" >&5
++echo "configure:12352: checking for XtFree in -lXt" >&5
+ ac_lib_var=`echo Xt'_'XtFree | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -12351,7 +12356,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lXt  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 12355 "configure"
++#line 12360 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -12362,7 +12367,7 @@
+ XtFree()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12366: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:12371: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -12383,7 +12388,7 @@
+ 
+         unset ac_cv_lib_Xt_XtFree
+ 	    echo $ac_n "checking for IceFlush in -lICE""... $ac_c" 1>&6
+-echo "configure:12387: checking for IceFlush in -lICE" >&5
++echo "configure:12392: checking for IceFlush in -lICE" >&5
+ ac_lib_var=`echo ICE'_'IceFlush | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -12391,7 +12396,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lICE $XT_LIBS $XLIBS $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 12395 "configure"
++#line 12400 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -12402,7 +12407,7 @@
+ IceFlush()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12406: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:12411: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -12423,7 +12428,7 @@
+ fi
+ 
+ 	    echo $ac_n "checking for SmcCloseConnection in -lSM""... $ac_c" 1>&6
+-echo "configure:12427: checking for SmcCloseConnection in -lSM" >&5
++echo "configure:12432: checking for SmcCloseConnection in -lSM" >&5
+ ac_lib_var=`echo SM'_'SmcCloseConnection | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -12431,7 +12436,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lSM $XT_LIBS $XLIBS $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 12435 "configure"
++#line 12440 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -12442,7 +12447,7 @@
+ SmcCloseConnection()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12446: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:12451: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -12463,7 +12468,7 @@
+ fi
+ 
+         echo $ac_n "checking for XtFree in -lXt""... $ac_c" 1>&6
+-echo "configure:12467: checking for XtFree in -lXt" >&5
++echo "configure:12472: checking for XtFree in -lXt" >&5
+ ac_lib_var=`echo Xt'_'XtFree | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -12471,7 +12476,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lXt $X_PRE_LIBS $XT_LIBS $XLIBS $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 12475 "configure"
++#line 12480 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -12482,7 +12487,7 @@
+ XtFree()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12486: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:12491: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -12516,7 +12521,7 @@
+     esac
+ 
+                 echo $ac_n "checking for XShmCreateImage in -lXext""... $ac_c" 1>&6
+-echo "configure:12520: checking for XShmCreateImage in -lXext" >&5
++echo "configure:12525: checking for XShmCreateImage in -lXext" >&5
+ ac_lib_var=`echo Xext'_'XShmCreateImage | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -12524,7 +12529,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lXext $XLIBS $XEXT_LIBS $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 12528 "configure"
++#line 12533 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -12535,7 +12540,7 @@
+ XShmCreateImage()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12539: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:12544: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -12558,12 +12563,12 @@
+ 
+                    ac_safe=`echo "X11/extensions/scrnsaver.h" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for X11/extensions/scrnsaver.h""... $ac_c" 1>&6
+-echo "configure:12562: checking for X11/extensions/scrnsaver.h" >&5
++echo "configure:12567: checking for X11/extensions/scrnsaver.h" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 12567 "configure"
++#line 12572 "configure"
+ #include "confdefs.h"
+ 
+ #include <X11/extensions/scrnsaver.h>
+@@ -12571,7 +12576,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12575: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:12580: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -12586,7 +12591,7 @@
+   if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+     echo "$ac_t""yes" 1>&6
+     echo $ac_n "checking for XScreenSaverQueryInfo in -lXss""... $ac_c" 1>&6
+-echo "configure:12590: checking for XScreenSaverQueryInfo in -lXss" >&5
++echo "configure:12595: checking for XScreenSaverQueryInfo in -lXss" >&5
+ ac_lib_var=`echo Xss'_'XScreenSaverQueryInfo | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -12594,7 +12599,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lXss $XEXT_LIBS $XLIBS $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 12598 "configure"
++#line 12603 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -12605,7 +12610,7 @@
+ XScreenSaverQueryInfo()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12609: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:12614: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -12655,7 +12660,7 @@
+ *)
+     
+ echo $ac_n "checking for pthread_create in -lpthreads""... $ac_c" 1>&6
+-echo "configure:12659: checking for pthread_create in -lpthreads" >&5
++echo "configure:12664: checking for pthread_create in -lpthreads" >&5
+ echo "
+     #include <pthread.h>
+     #include <stdlib.h>
+@@ -12678,7 +12683,7 @@
+         echo "$ac_t""no" 1>&6
+         
+ echo $ac_n "checking for pthread_create in -lpthread""... $ac_c" 1>&6
+-echo "configure:12682: checking for pthread_create in -lpthread" >&5
++echo "configure:12687: checking for pthread_create in -lpthread" >&5
+ echo "
+     #include <pthread.h>
+     #include <stdlib.h>
+@@ -12701,7 +12706,7 @@
+         echo "$ac_t""no" 1>&6
+         
+ echo $ac_n "checking for pthread_create in -lc_r""... $ac_c" 1>&6
+-echo "configure:12705: checking for pthread_create in -lc_r" >&5
++echo "configure:12710: checking for pthread_create in -lc_r" >&5
+ echo "
+     #include <pthread.h>
+     #include <stdlib.h>
+@@ -12724,7 +12729,7 @@
+         echo "$ac_t""no" 1>&6
+         
+ echo $ac_n "checking for pthread_create in -lc""... $ac_c" 1>&6
+-echo "configure:12728: checking for pthread_create in -lc" >&5
++echo "configure:12733: checking for pthread_create in -lc" >&5
+ echo "
+     #include <pthread.h>
+     #include <stdlib.h>
+@@ -12783,7 +12788,7 @@
+ 				rm -f conftest*
+ 	ac_cv_have_dash_pthread=no
+ 	echo $ac_n "checking whether ${CC-cc} accepts -pthread""... $ac_c" 1>&6
+-echo "configure:12787: checking whether ${CC-cc} accepts -pthread" >&5
++echo "configure:12792: checking whether ${CC-cc} accepts -pthread" >&5
+ 	echo 'int main() { return 0; }' | cat > conftest.c
+ 	${CC-cc} -pthread -o conftest conftest.c > conftest.out 2>&1
+ 	if test $? -eq 0; then
+@@ -12806,7 +12811,7 @@
+ 			    ac_cv_have_dash_pthreads=no
+     if test "$ac_cv_have_dash_pthread" = "no"; then
+ 	    echo $ac_n "checking whether ${CC-cc} accepts -pthreads""... $ac_c" 1>&6
+-echo "configure:12810: checking whether ${CC-cc} accepts -pthreads" >&5
++echo "configure:12815: checking whether ${CC-cc} accepts -pthreads" >&5
+     	echo 'int main() { return 0; }' | cat > conftest.c
+ 	    ${CC-cc} -pthreads -o conftest conftest.c > conftest.out 2>&1
+     	if test $? -eq 0; then
+@@ -12912,13 +12917,13 @@
+ 
+ if test $ac_cv_prog_gcc = yes; then
+     echo $ac_n "checking whether ${CC-cc} needs -traditional""... $ac_c" 1>&6
+-echo "configure:12916: checking whether ${CC-cc} needs -traditional" >&5
++echo "configure:12921: checking whether ${CC-cc} needs -traditional" >&5
+ if eval "test \"`echo '$''{'ac_cv_prog_gcc_traditional'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+     ac_pattern="Autoconf.*'x'"
+   cat > conftest.$ac_ext <<EOF
+-#line 12922 "configure"
++#line 12927 "configure"
+ #include "confdefs.h"
+ #include <sgtty.h>
+ Autoconf TIOCGETP
+@@ -12936,7 +12941,7 @@
+ 
+   if test $ac_cv_prog_gcc_traditional = no; then
+     cat > conftest.$ac_ext <<EOF
+-#line 12940 "configure"
++#line 12945 "configure"
+ #include "confdefs.h"
+ #include <termio.h>
+ Autoconf TCGETA
+@@ -12958,7 +12963,7 @@
+ fi
+ 
+ echo $ac_n "checking for 8-bit clean memcmp""... $ac_c" 1>&6
+-echo "configure:12962: checking for 8-bit clean memcmp" >&5
++echo "configure:12967: checking for 8-bit clean memcmp" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_memcmp_clean'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -12966,7 +12971,7 @@
+   ac_cv_func_memcmp_clean=no
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 12970 "configure"
++#line 12975 "configure"
+ #include "confdefs.h"
+ 
+ main()
+@@ -12976,7 +12981,7 @@
+ }
+ 
+ EOF
+-if { (eval echo configure:12980: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:12985: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   ac_cv_func_memcmp_clean=yes
+ else
+@@ -12996,12 +13001,12 @@
+ for ac_func in random strerror lchown fchmod snprintf memmove rint stat64 lstat64 truncate64 setbuf isatty
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:13000: checking for $ac_func" >&5
++echo "configure:13005: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 13005 "configure"
++#line 13010 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -13024,7 +13029,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:13028: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:13033: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -13054,12 +13059,12 @@
+ for ac_func in statvfs64 statvfs statfs64 statfs
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:13058: checking for $ac_func" >&5
++echo "configure:13063: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 13063 "configure"
++#line 13068 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -13082,7 +13087,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:13086: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:13091: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -13112,12 +13117,12 @@
+ for ac_func in flockfile getpagesize
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:13116: checking for $ac_func" >&5
++echo "configure:13121: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 13121 "configure"
++#line 13126 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -13140,7 +13145,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:13144: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:13149: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -13170,12 +13175,12 @@
+ for ac_func in localtime_r strtok_r
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:13174: checking for $ac_func" >&5
++echo "configure:13179: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 13179 "configure"
++#line 13184 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -13198,7 +13203,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:13202: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:13207: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -13227,7 +13232,7 @@
+ 
+ 
+ echo $ac_n "checking for clock_gettime(CLOCK_MONOTONIC)""... $ac_c" 1>&6
+-echo "configure:13231: checking for clock_gettime(CLOCK_MONOTONIC)" >&5
++echo "configure:13236: checking for clock_gettime(CLOCK_MONOTONIC)" >&5
+ if eval "test \"`echo '$''{'ac_cv_clock_monotonic'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -13235,7 +13240,7 @@
+                     _SAVE_LIBS="$LIBS"
+                     LIBS="$LIBS $libs"
+                     cat > conftest.$ac_ext <<EOF
+-#line 13239 "configure"
++#line 13244 "configure"
+ #include "confdefs.h"
+ #include <time.h>
+ int main() {
+@@ -13243,7 +13248,7 @@
+                                    clock_gettime(CLOCK_MONOTONIC, &ts); 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:13247: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:13252: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_clock_monotonic=$libs
+                                  LIBS="$_SAVE_LIBS"
+@@ -13284,19 +13289,19 @@
+ cross_compiling=$ac_cv_prog_cxx_cross
+ 
+ echo $ac_n "checking for wcrtomb""... $ac_c" 1>&6
+-echo "configure:13288: checking for wcrtomb" >&5
++echo "configure:13293: checking for wcrtomb" >&5
+ if eval "test \"`echo '$''{'ac_cv_have_wcrtomb'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 13293 "configure"
++#line 13298 "configure"
+ #include "confdefs.h"
+ #include <wchar.h>
+ int main() {
+ mbstate_t ps={0};wcrtomb(0,'f',&ps);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:13300: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:13305: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_have_wcrtomb="yes"
+ else
+@@ -13319,19 +13324,19 @@
+ 
+ fi
+ echo $ac_n "checking for mbrtowc""... $ac_c" 1>&6
+-echo "configure:13323: checking for mbrtowc" >&5
++echo "configure:13328: checking for mbrtowc" >&5
+ if eval "test \"`echo '$''{'ac_cv_have_mbrtowc'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 13328 "configure"
++#line 13333 "configure"
+ #include "confdefs.h"
+ #include <wchar.h>
+ int main() {
+ mbstate_t ps={0};mbrtowc(0,0,0,&ps);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:13335: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:13340: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_have_mbrtowc="yes"
+ else
+@@ -13363,12 +13368,12 @@
+ fi
+ 
+ echo $ac_n "checking for res_ninit()""... $ac_c" 1>&6
+-echo "configure:13367: checking for res_ninit()" >&5
++echo "configure:13372: checking for res_ninit()" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_res_ninit'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 13372 "configure"
++#line 13377 "configure"
+ #include "confdefs.h"
+ 
+         #ifdef linux
+@@ -13380,7 +13385,7 @@
+ int foo = res_ninit(&_res);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:13384: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:13389: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_func_res_ninit=yes
+ else
+@@ -13413,12 +13418,12 @@
+ cross_compiling=$ac_cv_prog_cxx_cross
+ 
+ echo $ac_n "checking for gnu_get_libc_version()""... $ac_c" 1>&6
+-echo "configure:13417: checking for gnu_get_libc_version()" >&5
++echo "configure:13422: checking for gnu_get_libc_version()" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_gnu_get_libc_version'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 13422 "configure"
++#line 13427 "configure"
+ #include "confdefs.h"
+ 
+         #ifdef HAVE_GNU_LIBC_VERSION_H
+@@ -13429,7 +13434,7 @@
+ const char *glibc_version = gnu_get_libc_version();
+ ; return 0; }
+ EOF
+-if { (eval echo configure:13433: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:13438: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_func_gnu_get_libc_version=yes
+ else
+@@ -13461,7 +13466,7 @@
+     *)
+ 
+ echo $ac_n "checking for iconv in -lc""... $ac_c" 1>&6
+-echo "configure:13465: checking for iconv in -lc" >&5
++echo "configure:13470: checking for iconv in -lc" >&5
+ ac_lib_var=`echo c'_'iconv | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -13469,7 +13474,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lc  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 13473 "configure"
++#line 13478 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ #ifdef __cplusplus
+@@ -13483,7 +13488,7 @@
+ iconv()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:13487: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:13492: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -13502,7 +13507,7 @@
+ else
+   echo "$ac_t""no" 1>&6
+ echo $ac_n "checking for iconv in -liconv""... $ac_c" 1>&6
+-echo "configure:13506: checking for iconv in -liconv" >&5
++echo "configure:13511: checking for iconv in -liconv" >&5
+ ac_lib_var=`echo iconv'_'iconv | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -13510,7 +13515,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-liconv  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 13514 "configure"
++#line 13519 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ #ifdef __cplusplus
+@@ -13524,7 +13529,7 @@
+ iconv()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:13528: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:13533: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -13543,7 +13548,7 @@
+ else
+   echo "$ac_t""no" 1>&6
+ echo $ac_n "checking for libiconv in -liconv""... $ac_c" 1>&6
+-echo "configure:13547: checking for libiconv in -liconv" >&5
++echo "configure:13552: checking for libiconv in -liconv" >&5
+ ac_lib_var=`echo iconv'_'libiconv | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -13551,7 +13556,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-liconv  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 13555 "configure"
++#line 13560 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ #ifdef __cplusplus
+@@ -13565,7 +13570,7 @@
+ libiconv()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:13569: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:13574: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -13592,12 +13597,12 @@
+ _SAVE_LIBS=$LIBS
+ LIBS="$LIBS $_ICONV_LIBS"
+ echo $ac_n "checking for iconv()""... $ac_c" 1>&6
+-echo "configure:13596: checking for iconv()" >&5
++echo "configure:13601: checking for iconv()" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_iconv'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 13601 "configure"
++#line 13606 "configure"
+ #include "confdefs.h"
+ 
+         #include <stdlib.h>
+@@ -13611,7 +13616,7 @@
+         
+ ; return 0; }
+ EOF
+-if { (eval echo configure:13615: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:13620: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_func_iconv=yes
+ else
+@@ -13638,12 +13643,12 @@
+     LIBXUL_LIBS="$LIBXUL_LIBS $_ICONV_LIBS"
+     LIBICONV="$_ICONV_LIBS"
+     echo $ac_n "checking for iconv() with const input""... $ac_c" 1>&6
+-echo "configure:13642: checking for iconv() with const input" >&5
++echo "configure:13647: checking for iconv() with const input" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_const_iconv'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 13647 "configure"
++#line 13652 "configure"
+ #include "confdefs.h"
+ 
+             #include <stdlib.h>
+@@ -13658,7 +13663,7 @@
+             
+ ; return 0; }
+ EOF
+-if { (eval echo configure:13662: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:13667: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_func_const_iconv=yes
+ else
+@@ -13690,19 +13695,19 @@
+ 
+ 
+   echo $ac_n "checking for nl_langinfo and CODESET""... $ac_c" 1>&6
+-echo "configure:13694: checking for nl_langinfo and CODESET" >&5
++echo "configure:13699: checking for nl_langinfo and CODESET" >&5
+ if eval "test \"`echo '$''{'am_cv_langinfo_codeset'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 13699 "configure"
++#line 13704 "configure"
+ #include "confdefs.h"
+ #include <langinfo.h>
+ int main() {
+ char* cs = nl_langinfo(CODESET);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:13706: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:13711: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   am_cv_langinfo_codeset=yes
+ else
+@@ -13737,7 +13742,7 @@
+ 
+ 
+ echo $ac_n "checking for an implementation of va_copy()""... $ac_c" 1>&6
+-echo "configure:13741: checking for an implementation of va_copy()" >&5
++echo "configure:13746: checking for an implementation of va_copy()" >&5
+ if eval "test \"`echo '$''{'ac_cv_va_copy'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -13747,7 +13752,7 @@
+     
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 13751 "configure"
++#line 13756 "configure"
+ #include "confdefs.h"
+ 
+         #include <stdarg.h>
+@@ -13761,7 +13766,7 @@
+         }
+         int main() { f (0, 42); return 0; }
+ EOF
+-if { (eval echo configure:13765: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:13770: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   ac_cv_va_copy=yes
+ else
+@@ -13778,7 +13783,7 @@
+ 
+ echo "$ac_t""$ac_cv_va_copy" 1>&6
+ echo $ac_n "checking for an implementation of __va_copy()""... $ac_c" 1>&6
+-echo "configure:13782: checking for an implementation of __va_copy()" >&5
++echo "configure:13787: checking for an implementation of __va_copy()" >&5
+ if eval "test \"`echo '$''{'ac_cv___va_copy'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -13788,7 +13793,7 @@
+     
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 13792 "configure"
++#line 13797 "configure"
+ #include "confdefs.h"
+ 
+         #include <stdarg.h>
+@@ -13802,7 +13807,7 @@
+         }
+         int main() { f (0, 42); return 0; }
+ EOF
+-if { (eval echo configure:13806: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:13811: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   ac_cv___va_copy=yes
+ else
+@@ -13819,7 +13824,7 @@
+ 
+ echo "$ac_t""$ac_cv___va_copy" 1>&6
+ echo $ac_n "checking whether va_lists can be copied by value""... $ac_c" 1>&6
+-echo "configure:13823: checking whether va_lists can be copied by value" >&5
++echo "configure:13828: checking whether va_lists can be copied by value" >&5
+ if eval "test \"`echo '$''{'ac_cv_va_val_copy'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -13829,7 +13834,7 @@
+     
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 13833 "configure"
++#line 13838 "configure"
+ #include "confdefs.h"
+ 
+         #include <stdarg.h>
+@@ -13843,7 +13848,7 @@
+         }
+         int main() { f (0, 42); return 0; }
+ EOF
+-if { (eval echo configure:13847: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:13852: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   ac_cv_va_val_copy=yes
+ else
+@@ -13913,12 +13918,12 @@
+ if test "$GNU_CC"; then
+   if test "$CPU_ARCH" = "arm" ; then
+     echo $ac_n "checking for ARM EABI""... $ac_c" 1>&6
+-echo "configure:13917: checking for ARM EABI" >&5
++echo "configure:13922: checking for ARM EABI" >&5
+ if eval "test \"`echo '$''{'ac_cv_gcc_arm_eabi'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 13922 "configure"
++#line 13927 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+@@ -13931,7 +13936,7 @@
+                         
+ ; return 0; }
+ EOF
+-if { (eval echo configure:13935: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:13940: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_gcc_arm_eabi="yes"
+ else
+@@ -13956,12 +13961,12 @@
+ fi
+ 
+ echo $ac_n "checking whether the C++ \"using\" keyword resolves ambiguity""... $ac_c" 1>&6
+-echo "configure:13960: checking whether the C++ \"using\" keyword resolves ambiguity" >&5
++echo "configure:13965: checking whether the C++ \"using\" keyword resolves ambiguity" >&5
+ if eval "test \"`echo '$''{'ac_cv_cpp_ambiguity_resolving_using'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 13965 "configure"
++#line 13970 "configure"
+ #include "confdefs.h"
+ class X {
+                                  public: int go(const X&) {return 3;}
+@@ -13977,7 +13982,7 @@
+ X x; Y y; y.jo(x);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:13981: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:13986: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_cpp_ambiguity_resolving_using=yes
+ else
+@@ -14001,7 +14006,7 @@
+ fi
+ 
+ echo $ac_n "checking for C++ dynamic_cast to void*""... $ac_c" 1>&6
+-echo "configure:14005: checking for C++ dynamic_cast to void*" >&5
++echo "configure:14010: checking for C++ dynamic_cast to void*" >&5
+ if eval "test \"`echo '$''{'ac_cv_cpp_dynamic_cast_void_ptr'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -14009,7 +14014,7 @@
+   ac_cv_cpp_dynamic_cast_void_ptr=no
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 14013 "configure"
++#line 14018 "configure"
+ #include "confdefs.h"
+ class X { int i; public: virtual ~X() { } };
+                             class Y { int j; public: virtual ~Y() { } };
+@@ -14025,7 +14030,7 @@
+                                            ((void*)&mdo == dynamic_cast<void*>(suby))));
+                             }
+ EOF
+-if { (eval echo configure:14029: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:14034: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   ac_cv_cpp_dynamic_cast_void_ptr=yes
+ else
+@@ -14052,19 +14057,19 @@
+ 
+ 
+ echo $ac_n "checking whether C++ requires implementation of unused virtual methods""... $ac_c" 1>&6
+-echo "configure:14056: checking whether C++ requires implementation of unused virtual methods" >&5
++echo "configure:14061: checking whether C++ requires implementation of unused virtual methods" >&5
+ if eval "test \"`echo '$''{'ac_cv_cpp_unused_required'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 14061 "configure"
++#line 14066 "configure"
+ #include "confdefs.h"
+ class X {private: virtual void never_called();};
+ int main() {
+ X x;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14068: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:14073: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_cpp_unused_required=no
+ else
+@@ -14090,12 +14095,12 @@
+ 
+ 
+ echo $ac_n "checking for trouble comparing to zero near std::operator!=()""... $ac_c" 1>&6
+-echo "configure:14094: checking for trouble comparing to zero near std::operator!=()" >&5
++echo "configure:14099: checking for trouble comparing to zero near std::operator!=()" >&5
+ if eval "test \"`echo '$''{'ac_cv_trouble_comparing_to_zero'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 14099 "configure"
++#line 14104 "configure"
+ #include "confdefs.h"
+ #include <algorithm>
+                                 template <class T> class Foo {};
+@@ -14106,7 +14111,7 @@
+ Foo<int> f; return (0 != f);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14110: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:14115: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_trouble_comparing_to_zero=no
+ else
+@@ -14136,19 +14141,19 @@
+ _SAVE_LDFLAGS=$LDFLAGS
+ LDFLAGS="$LDFLAGS $DSO_PIC_CFLAGS $DSO_LDOPTS $MOZ_OPTIMIZE_LDFLAGS"
+ echo $ac_n "checking for __thread keyword for TLS variables""... $ac_c" 1>&6
+-echo "configure:14140: checking for __thread keyword for TLS variables" >&5
++echo "configure:14145: checking for __thread keyword for TLS variables" >&5
+ if eval "test \"`echo '$''{'ac_cv_thread_keyword'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 14145 "configure"
++#line 14150 "configure"
+ #include "confdefs.h"
+ __thread bool tlsIsMainThread = false;
+ int main() {
+ return tlsIsMainThread;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14152: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:14157: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_thread_keyword=yes
+ else
+@@ -14202,12 +14207,12 @@
+ 
+ if test -n "$MOZ_LINKER" -a "$OS_TARGET" = "Android"; then
+   echo $ac_n "checking whether the CRT objects have text relocations""... $ac_c" 1>&6
+-echo "configure:14206: checking whether the CRT objects have text relocations" >&5
++echo "configure:14211: checking whether the CRT objects have text relocations" >&5
+ if eval "test \"`echo '$''{'ac_cv_crt_has_text_relocations'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   echo 'int foo() { return 0; }' > conftest.cpp
+-     if { ac_try='${CXX-g++} -o conftest${DLL_SUFFIX} $CXXFLAGS $DSO_LDOPTS $LDFLAGS conftest.cpp $LIBS 1>&5'; { (eval echo configure:14211: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } &&
++     if { ac_try='${CXX-g++} -o conftest${DLL_SUFFIX} $CXXFLAGS $DSO_LDOPTS $LDFLAGS conftest.cpp $LIBS 1>&5'; { (eval echo configure:14216: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } &&
+         test -s conftest${DLL_SUFFIX}; then
+        if ${TOOLCHAIN_PREFIX}readelf -d conftest${DLL_SUFFIX} | grep TEXTREL > /dev/null; then
+          ac_cv_crt_has_text_relocations=yes
+@@ -14234,12 +14239,12 @@
+ for file in $MALLOC_HEADERS; do
+      ac_safe=`echo "$file" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $file""... $ac_c" 1>&6
+-echo "configure:14238: checking for $file" >&5
++echo "configure:14243: checking for $file" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 14243 "configure"
++#line 14248 "configure"
+ #include "confdefs.h"
+ 
+ #include <$file>
+@@ -14247,7 +14252,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14251: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:14256: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -14283,12 +14288,12 @@
+ for ac_func in strndup posix_memalign memalign valloc
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:14287: checking for $ac_func" >&5
++echo "configure:14292: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 14292 "configure"
++#line 14297 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -14314,7 +14319,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14318: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:14323: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -14345,12 +14350,12 @@
+ for ac_func in malloc_usable_size
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:14349: checking for $ac_func" >&5
++echo "configure:14354: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 14354 "configure"
++#line 14359 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -14376,7 +14381,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14380: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:14385: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -14406,19 +14411,19 @@
+ 
+ 
+ echo $ac_n "checking for __attribute__((always_inline))""... $ac_c" 1>&6
+-echo "configure:14410: checking for __attribute__((always_inline))" >&5
++echo "configure:14415: checking for __attribute__((always_inline))" >&5
+ if eval "test \"`echo '$''{'ac_cv_attribute_always_inline'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 14415 "configure"
++#line 14420 "configure"
+ #include "confdefs.h"
+ inline void f(void) __attribute__((always_inline));
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14422: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:14427: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_attribute_always_inline=yes
+ else
+@@ -14433,19 +14438,19 @@
+ echo "$ac_t""$ac_cv_attribute_always_inline" 1>&6
+ 
+ echo $ac_n "checking for __attribute__((malloc))""... $ac_c" 1>&6
+-echo "configure:14437: checking for __attribute__((malloc))" >&5
++echo "configure:14442: checking for __attribute__((malloc))" >&5
+ if eval "test \"`echo '$''{'ac_cv_attribute_malloc'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 14442 "configure"
++#line 14447 "configure"
+ #include "confdefs.h"
+ void* f(int) __attribute__((malloc));
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14449: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:14454: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_attribute_malloc=yes
+ else
+@@ -14460,19 +14465,19 @@
+ echo "$ac_t""$ac_cv_attribute_malloc" 1>&6
+ 
+ echo $ac_n "checking for __attribute__((warn_unused_result))""... $ac_c" 1>&6
+-echo "configure:14464: checking for __attribute__((warn_unused_result))" >&5
++echo "configure:14469: checking for __attribute__((warn_unused_result))" >&5
+ if eval "test \"`echo '$''{'ac_cv_attribute_warn_unused'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 14469 "configure"
++#line 14474 "configure"
+ #include "confdefs.h"
+ int f(void) __attribute__((warn_unused_result));
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14476: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:14481: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_attribute_warn_unused=yes
+ else
+@@ -14496,19 +14501,19 @@
+ 
+ 
+ echo $ac_n "checking for LC_MESSAGES""... $ac_c" 1>&6
+-echo "configure:14500: checking for LC_MESSAGES" >&5
++echo "configure:14505: checking for LC_MESSAGES" >&5
+ if eval "test \"`echo '$''{'ac_cv_i18n_lc_messages'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 14505 "configure"
++#line 14510 "configure"
+ #include "confdefs.h"
+ #include <locale.h>
+ int main() {
+ int category = LC_MESSAGES;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14512: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:14517: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_i18n_lc_messages=yes
+ else
+@@ -14534,12 +14539,12 @@
+ for ac_func in localeconv
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:14538: checking for $ac_func" >&5
++echo "configure:14543: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 14543 "configure"
++#line 14548 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -14562,7 +14567,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14566: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:14571: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -14751,7 +14756,7 @@
+ 	# Extract the first word of "nspr-config", so it can be a program name with args.
+ set dummy nspr-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:14755: checking for $ac_word" >&5
++echo "configure:14760: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_NSPR_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -14786,7 +14791,7 @@
+ 
+ 	min_nspr_version=4.10.2
+ 	echo $ac_n "checking for NSPR - version >= $min_nspr_version""... $ac_c" 1>&6
+-echo "configure:14790: checking for NSPR - version >= $min_nspr_version" >&5
++echo "configure:14795: checking for NSPR - version >= $min_nspr_version" >&5
+ 
+ 	no_nspr=""
+ 	if test "$NSPR_CONFIG" != "no"; then
+@@ -14845,7 +14850,7 @@
+     _SAVE_CFLAGS=$CFLAGS
+     CFLAGS="$CFLAGS $NSPR_CFLAGS"
+     cat > conftest.$ac_ext <<EOF
+-#line 14849 "configure"
++#line 14854 "configure"
+ #include "confdefs.h"
+ #include "prtypes.h"
+ int main() {
+@@ -14854,7 +14859,7 @@
+                  #endif
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14858: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:14863: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   MOZ_NATIVE_NSPR=1
+ else
+@@ -14865,7 +14870,7 @@
+ fi
+ rm -f conftest*
+     cat > conftest.$ac_ext <<EOF
+-#line 14869 "configure"
++#line 14874 "configure"
+ #include "confdefs.h"
+ #include "prtypes.h"
+ int main() {
+@@ -14874,7 +14879,7 @@
+                  #endif
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14878: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:14883: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   MOZ_NATIVE_NSPR=1
+ else
+@@ -14955,7 +14960,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:14959: checking for $ac_word" >&5
++echo "configure:14964: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -14999,19 +15004,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for libevent""... $ac_c" 1>&6
+-echo "configure:15003: checking for libevent" >&5
++echo "configure:15008: checking for libevent" >&5
+ 
+         if $PKG_CONFIG --exists "libevent" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_LIBEVENT_CFLAGS""... $ac_c" 1>&6
+-echo "configure:15010: checking MOZ_LIBEVENT_CFLAGS" >&5
++echo "configure:15015: checking MOZ_LIBEVENT_CFLAGS" >&5
+             MOZ_LIBEVENT_CFLAGS=`$PKG_CONFIG --cflags "libevent"`
+             echo "$ac_t""$MOZ_LIBEVENT_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_LIBEVENT_LIBS""... $ac_c" 1>&6
+-echo "configure:15015: checking MOZ_LIBEVENT_LIBS" >&5
++echo "configure:15020: checking MOZ_LIBEVENT_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_LIBEVENT_LIBS="`$PKG_CONFIG --libs \"libevent\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_LIBEVENT_LIBS" 1>&6
+@@ -15048,12 +15053,12 @@
+     LDFLAGS="-L${LIBEVENT_DIR}/lib $LDFLAGS"
+        ac_safe=`echo "event.h" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for event.h""... $ac_c" 1>&6
+-echo "configure:15052: checking for event.h" >&5
++echo "configure:15057: checking for event.h" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 15057 "configure"
++#line 15062 "configure"
+ #include "confdefs.h"
+ 
+ #include <event.h>
+@@ -15061,7 +15066,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:15065: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:15070: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -15084,7 +15089,7 @@
+   fi
+ 
+     echo $ac_n "checking for event_init in -levent""... $ac_c" 1>&6
+-echo "configure:15088: checking for event_init in -levent" >&5
++echo "configure:15093: checking for event_init in -levent" >&5
+ ac_lib_var=`echo event'_'event_init | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -15092,7 +15097,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-levent  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 15096 "configure"
++#line 15101 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -15103,7 +15108,7 @@
+ event_init()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:15107: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:15112: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -15186,7 +15191,7 @@
+ 	# Extract the first word of "nss-config", so it can be a program name with args.
+ set dummy nss-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:15190: checking for $ac_word" >&5
++echo "configure:15195: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_NSS_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -15219,9 +15224,9 @@
+   echo "$ac_t""no" 1>&6
+ fi
+ 
+-	min_nss_version=3.15.3.1
++	min_nss_version=3.15.4
+ 	echo $ac_n "checking for NSS - version >= $min_nss_version""... $ac_c" 1>&6
+-echo "configure:15225: checking for NSS - version >= $min_nss_version" >&5
++echo "configure:15230: checking for NSS - version >= $min_nss_version" >&5
+ 
+ 	no_nss=""
+ 	if test "$NSS_CONFIG" = "no"; then
+@@ -15288,13 +15293,13 @@
+ 
+ 
+ echo $ac_n "checking for YASM assembler""... $ac_c" 1>&6
+-echo "configure:15292: checking for YASM assembler" >&5
++echo "configure:15297: checking for YASM assembler" >&5
+ for ac_prog in yasm
+ do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+ set dummy $ac_prog; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:15298: checking for $ac_word" >&5
++echo "configure:15303: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_prog_YASM'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -15352,7 +15357,7 @@
+     MOZ_NATIVE_JPEG=
+ else
+     echo $ac_n "checking for jpeg_destroy_compress in -ljpeg""... $ac_c" 1>&6
+-echo "configure:15356: checking for jpeg_destroy_compress in -ljpeg" >&5
++echo "configure:15361: checking for jpeg_destroy_compress in -ljpeg" >&5
+ ac_lib_var=`echo jpeg'_'jpeg_destroy_compress | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -15360,7 +15365,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-ljpeg  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 15364 "configure"
++#line 15369 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -15371,7 +15376,7 @@
+ jpeg_destroy_compress()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:15375: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:15380: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -15396,7 +15401,7 @@
+ 
+ if test "$MOZ_NATIVE_JPEG" = 1; then
+     cat > conftest.$ac_ext <<EOF
+-#line 15400 "configure"
++#line 15405 "configure"
+ #include "confdefs.h"
+  #include <stdio.h>
+                      #include <sys/types.h>
+@@ -15411,7 +15416,7 @@
+                      
+ ; return 0; }
+ EOF
+-if { (eval echo configure:15415: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:15420: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   MOZ_NATIVE_JPEG=1
+ else
+@@ -15458,7 +15463,7 @@
+         MOZ_NATIVE_ZLIB=
+     else
+         echo $ac_n "checking for gzread in -lz""... $ac_c" 1>&6
+-echo "configure:15462: checking for gzread in -lz" >&5
++echo "configure:15467: checking for gzread in -lz" >&5
+ ac_lib_var=`echo z'_'gzread | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -15466,7 +15471,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lz  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 15470 "configure"
++#line 15475 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -15477,7 +15482,7 @@
+ gzread()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:15481: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:15486: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -15501,7 +15506,7 @@
+         if test "$MOZ_NATIVE_ZLIB" = 1; then
+             MOZZLIBNUM=`echo $MOZZLIB | awk -F. '{printf "0x%x\n", ((($1 * 16 + $2) * 16) + $3) * 16 + $4}'`
+             cat > conftest.$ac_ext <<EOF
+-#line 15505 "configure"
++#line 15510 "configure"
+ #include "confdefs.h"
+  #include <stdio.h>
+                              #include <string.h>
+@@ -15512,7 +15517,7 @@
+                              #endif 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:15516: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:15521: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   MOZ_NATIVE_ZLIB=1
+ else
+@@ -15563,7 +15568,7 @@
+     MOZ_NATIVE_BZ2=
+ else
+     echo $ac_n "checking for BZ2_bzread in -lbz2""... $ac_c" 1>&6
+-echo "configure:15567: checking for BZ2_bzread in -lbz2" >&5
++echo "configure:15572: checking for BZ2_bzread in -lbz2" >&5
+ ac_lib_var=`echo bz2'_'BZ2_bzread | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -15571,7 +15576,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lbz2  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 15575 "configure"
++#line 15580 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -15582,7 +15587,7 @@
+ BZ2_bzread()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:15586: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:15591: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -15631,7 +15636,7 @@
+     MOZ_NATIVE_PNG=
+ else
+     echo $ac_n "checking for png_get_valid in -lpng""... $ac_c" 1>&6
+-echo "configure:15635: checking for png_get_valid in -lpng" >&5
++echo "configure:15640: checking for png_get_valid in -lpng" >&5
+ ac_lib_var=`echo png'_'png_get_valid | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -15639,7 +15644,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lpng  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 15643 "configure"
++#line 15648 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -15650,7 +15655,7 @@
+ png_get_valid()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:15654: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:15659: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -15672,7 +15677,7 @@
+ fi
+ 
+     echo $ac_n "checking for png_get_acTL in -lpng""... $ac_c" 1>&6
+-echo "configure:15676: checking for png_get_acTL in -lpng" >&5
++echo "configure:15681: checking for png_get_acTL in -lpng" >&5
+ ac_lib_var=`echo png'_'png_get_acTL | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -15680,7 +15685,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lpng  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 15684 "configure"
++#line 15689 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -15691,7 +15696,7 @@
+ png_get_acTL()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:15695: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:15700: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -15725,7 +15730,7 @@
+ fi
+ if test "$MOZ_NATIVE_PNG" = 1; then
+     cat > conftest.$ac_ext <<EOF
+-#line 15729 "configure"
++#line 15734 "configure"
+ #include "confdefs.h"
+  #include <stdio.h>
+                      #include <sys/types.h>
+@@ -15739,7 +15744,7 @@
+                      #endif 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:15743: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:15748: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   MOZ_NATIVE_PNG=1
+ else
+@@ -15781,7 +15786,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:15785: checking for $ac_word" >&5
++echo "configure:15790: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -15825,19 +15830,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for hunspell""... $ac_c" 1>&6
+-echo "configure:15829: checking for hunspell" >&5
++echo "configure:15834: checking for hunspell" >&5
+ 
+         if $PKG_CONFIG --exists "hunspell" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_HUNSPELL_CFLAGS""... $ac_c" 1>&6
+-echo "configure:15836: checking MOZ_HUNSPELL_CFLAGS" >&5
++echo "configure:15841: checking MOZ_HUNSPELL_CFLAGS" >&5
+             MOZ_HUNSPELL_CFLAGS=`$PKG_CONFIG --cflags "hunspell"`
+             echo "$ac_t""$MOZ_HUNSPELL_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_HUNSPELL_LIBS""... $ac_c" 1>&6
+-echo "configure:15841: checking MOZ_HUNSPELL_LIBS" >&5
++echo "configure:15846: checking MOZ_HUNSPELL_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_HUNSPELL_LIBS="`$PKG_CONFIG --libs \"hunspell\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_HUNSPELL_LIBS" 1>&6
+@@ -15893,7 +15898,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:15897: checking for $ac_word" >&5
++echo "configure:15902: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -15937,19 +15942,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for libffi > 3.0.9""... $ac_c" 1>&6
+-echo "configure:15941: checking for libffi > 3.0.9" >&5
++echo "configure:15946: checking for libffi > 3.0.9" >&5
+ 
+         if $PKG_CONFIG --exists "libffi > 3.0.9" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_FFI_CFLAGS""... $ac_c" 1>&6
+-echo "configure:15948: checking MOZ_FFI_CFLAGS" >&5
++echo "configure:15953: checking MOZ_FFI_CFLAGS" >&5
+             MOZ_FFI_CFLAGS=`$PKG_CONFIG --cflags "libffi > 3.0.9"`
+             echo "$ac_t""$MOZ_FFI_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_FFI_LIBS""... $ac_c" 1>&6
+-echo "configure:15953: checking MOZ_FFI_LIBS" >&5
++echo "configure:15958: checking MOZ_FFI_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_FFI_LIBS="`$PKG_CONFIG --libs \"libffi > 3.0.9\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_FFI_LIBS" 1>&6
+@@ -15985,7 +15990,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:15989: checking for $ac_word" >&5
++echo "configure:15994: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -16029,19 +16034,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for libffi >= 3.0.9""... $ac_c" 1>&6
+-echo "configure:16033: checking for libffi >= 3.0.9" >&5
++echo "configure:16038: checking for libffi >= 3.0.9" >&5
+ 
+         if $PKG_CONFIG --exists "libffi >= 3.0.9" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_FFI_CFLAGS""... $ac_c" 1>&6
+-echo "configure:16040: checking MOZ_FFI_CFLAGS" >&5
++echo "configure:16045: checking MOZ_FFI_CFLAGS" >&5
+             MOZ_FFI_CFLAGS=`$PKG_CONFIG --cflags "libffi >= 3.0.9"`
+             echo "$ac_t""$MOZ_FFI_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_FFI_LIBS""... $ac_c" 1>&6
+-echo "configure:16045: checking MOZ_FFI_LIBS" >&5
++echo "configure:16050: checking MOZ_FFI_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_FFI_LIBS="`$PKG_CONFIG --libs \"libffi >= 3.0.9\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_FFI_LIBS" 1>&6
+@@ -16240,7 +16245,7 @@
+ 
+ 
+ echo $ac_n "checking for application to build""... $ac_c" 1>&6
+-echo "configure:16244: checking for application to build" >&5
++echo "configure:16249: checking for application to build" >&5
+ if test -z "$MOZ_BUILD_APP"; then
+   echo "$ac_t""browser" 1>&6
+   MOZ_BUILD_APP=browser
+@@ -16302,7 +16307,7 @@
+ 
+ # Allow the application to influence configure with a confvars.sh script.
+ echo $ac_n "checking if app-specific confvars.sh exists""... $ac_c" 1>&6
+-echo "configure:16306: checking if app-specific confvars.sh exists" >&5
++echo "configure:16311: checking if app-specific confvars.sh exists" >&5
+ if test -f "${srcdir}/${MOZ_BUILD_APP}/confvars.sh" ; then
+   echo "$ac_t""${srcdir}/${MOZ_BUILD_APP}/confvars.sh" 1>&6
+   . "${srcdir}/${MOZ_BUILD_APP}/confvars.sh"
+@@ -16802,7 +16807,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:16806: checking for $ac_word" >&5
++echo "configure:16811: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -16846,19 +16851,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for gtk+-3.0 >= $GTK3_VERSION gtk+-unix-print-3.0 glib-2.0 gobject-2.0 $GDK_PACKAGES""... $ac_c" 1>&6
+-echo "configure:16850: checking for gtk+-3.0 >= $GTK3_VERSION gtk+-unix-print-3.0 glib-2.0 gobject-2.0 $GDK_PACKAGES" >&5
++echo "configure:16855: checking for gtk+-3.0 >= $GTK3_VERSION gtk+-unix-print-3.0 glib-2.0 gobject-2.0 $GDK_PACKAGES" >&5
+ 
+         if $PKG_CONFIG --exists "gtk+-3.0 >= $GTK3_VERSION gtk+-unix-print-3.0 glib-2.0 gobject-2.0 $GDK_PACKAGES" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_GTK3_CFLAGS""... $ac_c" 1>&6
+-echo "configure:16857: checking MOZ_GTK3_CFLAGS" >&5
++echo "configure:16862: checking MOZ_GTK3_CFLAGS" >&5
+             MOZ_GTK3_CFLAGS=`$PKG_CONFIG --cflags "gtk+-3.0 >= $GTK3_VERSION gtk+-unix-print-3.0 glib-2.0 gobject-2.0 $GDK_PACKAGES"`
+             echo "$ac_t""$MOZ_GTK3_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_GTK3_LIBS""... $ac_c" 1>&6
+-echo "configure:16862: checking MOZ_GTK3_LIBS" >&5
++echo "configure:16867: checking MOZ_GTK3_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_GTK3_LIBS="`$PKG_CONFIG --libs \"gtk+-3.0 >= $GTK3_VERSION gtk+-unix-print-3.0 glib-2.0 gobject-2.0 $GDK_PACKAGES\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_GTK3_LIBS" 1>&6
+@@ -16899,7 +16904,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:16903: checking for $ac_word" >&5
++echo "configure:16908: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -16943,19 +16948,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for gtk+-2.0 >= $GTK2_VERSION gtk+-unix-print-2.0 glib-2.0 gobject-2.0 $GDK_PACKAGES""... $ac_c" 1>&6
+-echo "configure:16947: checking for gtk+-2.0 >= $GTK2_VERSION gtk+-unix-print-2.0 glib-2.0 gobject-2.0 $GDK_PACKAGES" >&5
++echo "configure:16952: checking for gtk+-2.0 >= $GTK2_VERSION gtk+-unix-print-2.0 glib-2.0 gobject-2.0 $GDK_PACKAGES" >&5
+ 
+         if $PKG_CONFIG --exists "gtk+-2.0 >= $GTK2_VERSION gtk+-unix-print-2.0 glib-2.0 gobject-2.0 $GDK_PACKAGES" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_GTK2_CFLAGS""... $ac_c" 1>&6
+-echo "configure:16954: checking MOZ_GTK2_CFLAGS" >&5
++echo "configure:16959: checking MOZ_GTK2_CFLAGS" >&5
+             MOZ_GTK2_CFLAGS=`$PKG_CONFIG --cflags "gtk+-2.0 >= $GTK2_VERSION gtk+-unix-print-2.0 glib-2.0 gobject-2.0 $GDK_PACKAGES"`
+             echo "$ac_t""$MOZ_GTK2_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_GTK2_LIBS""... $ac_c" 1>&6
+-echo "configure:16959: checking MOZ_GTK2_LIBS" >&5
++echo "configure:16964: checking MOZ_GTK2_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_GTK2_LIBS="`$PKG_CONFIG --libs \"gtk+-2.0 >= $GTK2_VERSION gtk+-unix-print-2.0 glib-2.0 gobject-2.0 $GDK_PACKAGES\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_GTK2_LIBS" 1>&6
+@@ -17037,7 +17042,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:17041: checking for $ac_word" >&5
++echo "configure:17046: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -17081,19 +17086,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for libstartup-notification-1.0 >= $STARTUP_NOTIFICATION_VERSION""... $ac_c" 1>&6
+-echo "configure:17085: checking for libstartup-notification-1.0 >= $STARTUP_NOTIFICATION_VERSION" >&5
++echo "configure:17090: checking for libstartup-notification-1.0 >= $STARTUP_NOTIFICATION_VERSION" >&5
+ 
+         if $PKG_CONFIG --exists "libstartup-notification-1.0 >= $STARTUP_NOTIFICATION_VERSION" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_STARTUP_NOTIFICATION_CFLAGS""... $ac_c" 1>&6
+-echo "configure:17092: checking MOZ_STARTUP_NOTIFICATION_CFLAGS" >&5
++echo "configure:17097: checking MOZ_STARTUP_NOTIFICATION_CFLAGS" >&5
+             MOZ_STARTUP_NOTIFICATION_CFLAGS=`$PKG_CONFIG --cflags "libstartup-notification-1.0 >= $STARTUP_NOTIFICATION_VERSION"`
+             echo "$ac_t""$MOZ_STARTUP_NOTIFICATION_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_STARTUP_NOTIFICATION_LIBS""... $ac_c" 1>&6
+-echo "configure:17097: checking MOZ_STARTUP_NOTIFICATION_LIBS" >&5
++echo "configure:17102: checking MOZ_STARTUP_NOTIFICATION_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_STARTUP_NOTIFICATION_LIBS="`$PKG_CONFIG --libs \"libstartup-notification-1.0 >= $STARTUP_NOTIFICATION_VERSION\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_STARTUP_NOTIFICATION_LIBS" 1>&6
+@@ -17161,7 +17166,7 @@
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+ set dummy $ac_prog; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:17165: checking for $ac_word" >&5
++echo "configure:17170: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_prog_HOST_QMAKE'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -17206,7 +17211,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:17210: checking for $ac_word" >&5
++echo "configure:17215: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -17250,19 +17255,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for Qt5Gui Qt5Network Qt5Core Qt5OpenGL Qt5Widgets Qt5PrintSupport""... $ac_c" 1>&6
+-echo "configure:17254: checking for Qt5Gui Qt5Network Qt5Core Qt5OpenGL Qt5Widgets Qt5PrintSupport" >&5
++echo "configure:17259: checking for Qt5Gui Qt5Network Qt5Core Qt5OpenGL Qt5Widgets Qt5PrintSupport" >&5
+ 
+         if $PKG_CONFIG --exists "Qt5Gui Qt5Network Qt5Core Qt5OpenGL Qt5Widgets Qt5PrintSupport" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_QT_CFLAGS""... $ac_c" 1>&6
+-echo "configure:17261: checking MOZ_QT_CFLAGS" >&5
++echo "configure:17266: checking MOZ_QT_CFLAGS" >&5
+             MOZ_QT_CFLAGS=`$PKG_CONFIG --cflags "Qt5Gui Qt5Network Qt5Core Qt5OpenGL Qt5Widgets Qt5PrintSupport"`
+             echo "$ac_t""$MOZ_QT_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_QT_LIBS""... $ac_c" 1>&6
+-echo "configure:17266: checking MOZ_QT_LIBS" >&5
++echo "configure:17271: checking MOZ_QT_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_QT_LIBS="`$PKG_CONFIG --libs \"Qt5Gui Qt5Network Qt5Core Qt5OpenGL Qt5Widgets Qt5PrintSupport\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_QT_LIBS" 1>&6
+@@ -17304,7 +17309,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:17308: checking for $ac_word" >&5
++echo "configure:17313: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -17348,19 +17353,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for QtGui QtNetwork QtCore QtOpenGL""... $ac_c" 1>&6
+-echo "configure:17352: checking for QtGui QtNetwork QtCore QtOpenGL" >&5
++echo "configure:17357: checking for QtGui QtNetwork QtCore QtOpenGL" >&5
+ 
+         if $PKG_CONFIG --exists "QtGui QtNetwork QtCore QtOpenGL" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_QT_CFLAGS""... $ac_c" 1>&6
+-echo "configure:17359: checking MOZ_QT_CFLAGS" >&5
++echo "configure:17364: checking MOZ_QT_CFLAGS" >&5
+             MOZ_QT_CFLAGS=`$PKG_CONFIG --cflags "QtGui QtNetwork QtCore QtOpenGL"`
+             echo "$ac_t""$MOZ_QT_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_QT_LIBS""... $ac_c" 1>&6
+-echo "configure:17364: checking MOZ_QT_LIBS" >&5
++echo "configure:17369: checking MOZ_QT_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_QT_LIBS="`$PKG_CONFIG --libs \"QtGui QtNetwork QtCore QtOpenGL\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_QT_LIBS" 1>&6
+@@ -17402,7 +17407,7 @@
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+ set dummy $ac_prog; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:17406: checking for $ac_word" >&5
++echo "configure:17411: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_prog_HOST_MOC'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -17437,7 +17442,7 @@
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+ set dummy $ac_prog; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:17441: checking for $ac_word" >&5
++echo "configure:17446: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_prog_HOST_RCC'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -17517,7 +17522,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:17521: checking for $ac_word" >&5
++echo "configure:17526: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -17561,19 +17566,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for qmsystem2""... $ac_c" 1>&6
+-echo "configure:17565: checking for qmsystem2" >&5
++echo "configure:17570: checking for qmsystem2" >&5
+ 
+         if $PKG_CONFIG --exists "qmsystem2" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking _QMSYSTEM2_CFLAGS""... $ac_c" 1>&6
+-echo "configure:17572: checking _QMSYSTEM2_CFLAGS" >&5
++echo "configure:17577: checking _QMSYSTEM2_CFLAGS" >&5
+             _QMSYSTEM2_CFLAGS=`$PKG_CONFIG --cflags "qmsystem2"`
+             echo "$ac_t""$_QMSYSTEM2_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking _QMSYSTEM2_LIBS""... $ac_c" 1>&6
+-echo "configure:17577: checking _QMSYSTEM2_LIBS" >&5
++echo "configure:17582: checking _QMSYSTEM2_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             _QMSYSTEM2_LIBS="`$PKG_CONFIG --libs \"qmsystem2\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$_QMSYSTEM2_LIBS" 1>&6
+@@ -17623,7 +17628,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:17627: checking for $ac_word" >&5
++echo "configure:17632: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -17667,19 +17672,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for QtNetwork >= 4.7""... $ac_c" 1>&6
+-echo "configure:17671: checking for QtNetwork >= 4.7" >&5
++echo "configure:17676: checking for QtNetwork >= 4.7" >&5
+ 
+         if $PKG_CONFIG --exists "QtNetwork >= 4.7" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking _QTNETWORK_CFLAGS""... $ac_c" 1>&6
+-echo "configure:17678: checking _QTNETWORK_CFLAGS" >&5
++echo "configure:17683: checking _QTNETWORK_CFLAGS" >&5
+             _QTNETWORK_CFLAGS=`$PKG_CONFIG --cflags "QtNetwork >= 4.7"`
+             echo "$ac_t""$_QTNETWORK_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking _QTNETWORK_LIBS""... $ac_c" 1>&6
+-echo "configure:17683: checking _QTNETWORK_LIBS" >&5
++echo "configure:17688: checking _QTNETWORK_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             _QTNETWORK_LIBS="`$PKG_CONFIG --libs \"QtNetwork >= 4.7\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$_QTNETWORK_LIBS" 1>&6
+@@ -17727,7 +17732,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:17731: checking for $ac_word" >&5
++echo "configure:17736: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -17771,19 +17776,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for QtSensors QtFeedback QtLocation""... $ac_c" 1>&6
+-echo "configure:17775: checking for QtSensors QtFeedback QtLocation" >&5
++echo "configure:17780: checking for QtSensors QtFeedback QtLocation" >&5
+ 
+         if $PKG_CONFIG --exists "QtSensors QtFeedback QtLocation" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking _QTMOBILITY_CFLAGS""... $ac_c" 1>&6
+-echo "configure:17782: checking _QTMOBILITY_CFLAGS" >&5
++echo "configure:17787: checking _QTMOBILITY_CFLAGS" >&5
+             _QTMOBILITY_CFLAGS=`$PKG_CONFIG --cflags "QtSensors QtFeedback QtLocation"`
+             echo "$ac_t""$_QTMOBILITY_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking _QTMOBILITY_LIBS""... $ac_c" 1>&6
+-echo "configure:17787: checking _QTMOBILITY_LIBS" >&5
++echo "configure:17792: checking _QTMOBILITY_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             _QTMOBILITY_LIBS="`$PKG_CONFIG --libs \"QtSensors QtFeedback QtLocation\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$_QTMOBILITY_LIBS" 1>&6
+@@ -17818,7 +17823,7 @@
+        MOZ_QT_LIBS="$MOZ_QT_LIBS $_QTMOBILITY_LIBS"
+     else
+        echo $ac_n "checking for main in -lQtSensors""... $ac_c" 1>&6
+-echo "configure:17822: checking for main in -lQtSensors" >&5
++echo "configure:17827: checking for main in -lQtSensors" >&5
+ ac_lib_var=`echo QtSensors'_'main | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -17826,14 +17831,14 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lQtSensors  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 17830 "configure"
++#line 17835 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ main()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:17837: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:17842: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -18003,7 +18008,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:18007: checking for $ac_word" >&5
++echo "configure:18012: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -18047,19 +18052,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for pango >= $PANGO_VERSION""... $ac_c" 1>&6
+-echo "configure:18051: checking for pango >= $PANGO_VERSION" >&5
++echo "configure:18056: checking for pango >= $PANGO_VERSION" >&5
+ 
+         if $PKG_CONFIG --exists "pango >= $PANGO_VERSION" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking _PANGOCHK_CFLAGS""... $ac_c" 1>&6
+-echo "configure:18058: checking _PANGOCHK_CFLAGS" >&5
++echo "configure:18063: checking _PANGOCHK_CFLAGS" >&5
+             _PANGOCHK_CFLAGS=`$PKG_CONFIG --cflags "pango >= $PANGO_VERSION"`
+             echo "$ac_t""$_PANGOCHK_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking _PANGOCHK_LIBS""... $ac_c" 1>&6
+-echo "configure:18063: checking _PANGOCHK_LIBS" >&5
++echo "configure:18068: checking _PANGOCHK_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             _PANGOCHK_LIBS="`$PKG_CONFIG --libs \"pango >= $PANGO_VERSION\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$_PANGOCHK_LIBS" 1>&6
+@@ -18095,7 +18100,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:18099: checking for $ac_word" >&5
++echo "configure:18104: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -18139,19 +18144,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for pango >= $PANGO_VERSION pangoft2 >= $PANGO_VERSION pangocairo >= $PANGO_VERSION""... $ac_c" 1>&6
+-echo "configure:18143: checking for pango >= $PANGO_VERSION pangoft2 >= $PANGO_VERSION pangocairo >= $PANGO_VERSION" >&5
++echo "configure:18148: checking for pango >= $PANGO_VERSION pangoft2 >= $PANGO_VERSION pangocairo >= $PANGO_VERSION" >&5
+ 
+         if $PKG_CONFIG --exists "pango >= $PANGO_VERSION pangoft2 >= $PANGO_VERSION pangocairo >= $PANGO_VERSION" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_PANGO_CFLAGS""... $ac_c" 1>&6
+-echo "configure:18150: checking MOZ_PANGO_CFLAGS" >&5
++echo "configure:18155: checking MOZ_PANGO_CFLAGS" >&5
+             MOZ_PANGO_CFLAGS=`$PKG_CONFIG --cflags "pango >= $PANGO_VERSION pangoft2 >= $PANGO_VERSION pangocairo >= $PANGO_VERSION"`
+             echo "$ac_t""$MOZ_PANGO_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_PANGO_LIBS""... $ac_c" 1>&6
+-echo "configure:18155: checking MOZ_PANGO_LIBS" >&5
++echo "configure:18160: checking MOZ_PANGO_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_PANGO_LIBS="`$PKG_CONFIG --libs \"pango >= $PANGO_VERSION pangoft2 >= $PANGO_VERSION pangocairo >= $PANGO_VERSION\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_PANGO_LIBS" 1>&6
+@@ -18196,7 +18201,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:18200: checking for $ac_word" >&5
++echo "configure:18205: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -18240,19 +18245,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for freetype2 > 6.1.0""... $ac_c" 1>&6
+-echo "configure:18244: checking for freetype2 > 6.1.0" >&5
++echo "configure:18249: checking for freetype2 > 6.1.0" >&5
+ 
+         if $PKG_CONFIG --exists "freetype2 > 6.1.0" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking FT2_CFLAGS""... $ac_c" 1>&6
+-echo "configure:18251: checking FT2_CFLAGS" >&5
++echo "configure:18256: checking FT2_CFLAGS" >&5
+             FT2_CFLAGS=`$PKG_CONFIG --cflags "freetype2 > 6.1.0"`
+             echo "$ac_t""$FT2_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking FT2_LIBS""... $ac_c" 1>&6
+-echo "configure:18256: checking FT2_LIBS" >&5
++echo "configure:18261: checking FT2_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             FT2_LIBS="`$PKG_CONFIG --libs \"freetype2 > 6.1.0\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$FT2_LIBS" 1>&6
+@@ -18316,7 +18321,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:18320: checking for $ac_word" >&5
++echo "configure:18325: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -18360,19 +18365,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for gnome-vfs-2.0 >= $GNOMEVFS_VERSION gnome-vfs-module-2.0 >= $GNOMEVFS_VERSION""... $ac_c" 1>&6
+-echo "configure:18364: checking for gnome-vfs-2.0 >= $GNOMEVFS_VERSION gnome-vfs-module-2.0 >= $GNOMEVFS_VERSION" >&5
++echo "configure:18369: checking for gnome-vfs-2.0 >= $GNOMEVFS_VERSION gnome-vfs-module-2.0 >= $GNOMEVFS_VERSION" >&5
+ 
+         if $PKG_CONFIG --exists "gnome-vfs-2.0 >= $GNOMEVFS_VERSION gnome-vfs-module-2.0 >= $GNOMEVFS_VERSION" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_GNOMEVFS_CFLAGS""... $ac_c" 1>&6
+-echo "configure:18371: checking MOZ_GNOMEVFS_CFLAGS" >&5
++echo "configure:18376: checking MOZ_GNOMEVFS_CFLAGS" >&5
+             MOZ_GNOMEVFS_CFLAGS=`$PKG_CONFIG --cflags "gnome-vfs-2.0 >= $GNOMEVFS_VERSION gnome-vfs-module-2.0 >= $GNOMEVFS_VERSION"`
+             echo "$ac_t""$MOZ_GNOMEVFS_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_GNOMEVFS_LIBS""... $ac_c" 1>&6
+-echo "configure:18376: checking MOZ_GNOMEVFS_LIBS" >&5
++echo "configure:18381: checking MOZ_GNOMEVFS_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_GNOMEVFS_LIBS="`$PKG_CONFIG --libs \"gnome-vfs-2.0 >= $GNOMEVFS_VERSION gnome-vfs-module-2.0 >= $GNOMEVFS_VERSION\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_GNOMEVFS_LIBS" 1>&6
+@@ -18444,7 +18449,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:18448: checking for $ac_word" >&5
++echo "configure:18453: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -18488,19 +18493,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for gtk+-2.0 >= 2.14""... $ac_c" 1>&6
+-echo "configure:18492: checking for gtk+-2.0 >= 2.14" >&5
++echo "configure:18497: checking for gtk+-2.0 >= 2.14" >&5
+ 
+         if $PKG_CONFIG --exists "gtk+-2.0 >= 2.14" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking _GTKCHECK_CFLAGS""... $ac_c" 1>&6
+-echo "configure:18499: checking _GTKCHECK_CFLAGS" >&5
++echo "configure:18504: checking _GTKCHECK_CFLAGS" >&5
+             _GTKCHECK_CFLAGS=`$PKG_CONFIG --cflags "gtk+-2.0 >= 2.14"`
+             echo "$ac_t""$_GTKCHECK_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking _GTKCHECK_LIBS""... $ac_c" 1>&6
+-echo "configure:18504: checking _GTKCHECK_LIBS" >&5
++echo "configure:18509: checking _GTKCHECK_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             _GTKCHECK_LIBS="`$PKG_CONFIG --libs \"gtk+-2.0 >= 2.14\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$_GTKCHECK_LIBS" 1>&6
+@@ -18535,7 +18540,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:18539: checking for $ac_word" >&5
++echo "configure:18544: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -18579,19 +18584,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for gio-2.0 >= $GIO_VERSION""... $ac_c" 1>&6
+-echo "configure:18583: checking for gio-2.0 >= $GIO_VERSION" >&5
++echo "configure:18588: checking for gio-2.0 >= $GIO_VERSION" >&5
+ 
+         if $PKG_CONFIG --exists "gio-2.0 >= $GIO_VERSION" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_GIO_CFLAGS""... $ac_c" 1>&6
+-echo "configure:18590: checking MOZ_GIO_CFLAGS" >&5
++echo "configure:18595: checking MOZ_GIO_CFLAGS" >&5
+             MOZ_GIO_CFLAGS=`$PKG_CONFIG --cflags "gio-2.0 >= $GIO_VERSION"`
+             echo "$ac_t""$MOZ_GIO_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_GIO_LIBS""... $ac_c" 1>&6
+-echo "configure:18595: checking MOZ_GIO_LIBS" >&5
++echo "configure:18600: checking MOZ_GIO_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_GIO_LIBS="`$PKG_CONFIG --libs \"gio-2.0 >= $GIO_VERSION\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_GIO_LIBS" 1>&6
+@@ -18663,7 +18668,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:18667: checking for $ac_word" >&5
++echo "configure:18672: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -18707,19 +18712,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for gconf-2.0 >= $GCONF_VERSION gobject-2.0 ""... $ac_c" 1>&6
+-echo "configure:18711: checking for gconf-2.0 >= $GCONF_VERSION gobject-2.0 " >&5
++echo "configure:18716: checking for gconf-2.0 >= $GCONF_VERSION gobject-2.0 " >&5
+ 
+         if $PKG_CONFIG --exists "gconf-2.0 >= $GCONF_VERSION gobject-2.0 " ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_GCONF_CFLAGS""... $ac_c" 1>&6
+-echo "configure:18718: checking MOZ_GCONF_CFLAGS" >&5
++echo "configure:18723: checking MOZ_GCONF_CFLAGS" >&5
+             MOZ_GCONF_CFLAGS=`$PKG_CONFIG --cflags "gconf-2.0 >= $GCONF_VERSION gobject-2.0 "`
+             echo "$ac_t""$MOZ_GCONF_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_GCONF_LIBS""... $ac_c" 1>&6
+-echo "configure:18723: checking MOZ_GCONF_LIBS" >&5
++echo "configure:18728: checking MOZ_GCONF_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_GCONF_LIBS="`$PKG_CONFIG --libs \"gconf-2.0 >= $GCONF_VERSION gobject-2.0 \" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_GCONF_LIBS" 1>&6
+@@ -18800,7 +18805,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:18804: checking for $ac_word" >&5
++echo "configure:18809: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -18844,19 +18849,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for libproxy-1.0""... $ac_c" 1>&6
+-echo "configure:18848: checking for libproxy-1.0" >&5
++echo "configure:18853: checking for libproxy-1.0" >&5
+ 
+         if $PKG_CONFIG --exists "libproxy-1.0" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_LIBPROXY_CFLAGS""... $ac_c" 1>&6
+-echo "configure:18855: checking MOZ_LIBPROXY_CFLAGS" >&5
++echo "configure:18860: checking MOZ_LIBPROXY_CFLAGS" >&5
+             MOZ_LIBPROXY_CFLAGS=`$PKG_CONFIG --cflags "libproxy-1.0"`
+             echo "$ac_t""$MOZ_LIBPROXY_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_LIBPROXY_LIBS""... $ac_c" 1>&6
+-echo "configure:18860: checking MOZ_LIBPROXY_LIBS" >&5
++echo "configure:18865: checking MOZ_LIBPROXY_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_LIBPROXY_LIBS="`$PKG_CONFIG --libs \"libproxy-1.0\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_LIBPROXY_LIBS" 1>&6
+@@ -18929,7 +18934,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:18933: checking for $ac_word" >&5
++echo "configure:18938: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -18973,19 +18978,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for libgnomeui-2.0 >= $GNOMEUI_VERSION""... $ac_c" 1>&6
+-echo "configure:18977: checking for libgnomeui-2.0 >= $GNOMEUI_VERSION" >&5
++echo "configure:18982: checking for libgnomeui-2.0 >= $GNOMEUI_VERSION" >&5
+ 
+         if $PKG_CONFIG --exists "libgnomeui-2.0 >= $GNOMEUI_VERSION" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_GNOMEUI_CFLAGS""... $ac_c" 1>&6
+-echo "configure:18984: checking MOZ_GNOMEUI_CFLAGS" >&5
++echo "configure:18989: checking MOZ_GNOMEUI_CFLAGS" >&5
+             MOZ_GNOMEUI_CFLAGS=`$PKG_CONFIG --cflags "libgnomeui-2.0 >= $GNOMEUI_VERSION"`
+             echo "$ac_t""$MOZ_GNOMEUI_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_GNOMEUI_LIBS""... $ac_c" 1>&6
+-echo "configure:18989: checking MOZ_GNOMEUI_LIBS" >&5
++echo "configure:18994: checking MOZ_GNOMEUI_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_GNOMEUI_LIBS="`$PKG_CONFIG --libs \"libgnomeui-2.0 >= $GNOMEUI_VERSION\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_GNOMEUI_LIBS" 1>&6
+@@ -19064,7 +19069,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:19068: checking for $ac_word" >&5
++echo "configure:19073: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -19108,19 +19113,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for dbus-1 >= $DBUS_VERSION""... $ac_c" 1>&6
+-echo "configure:19112: checking for dbus-1 >= $DBUS_VERSION" >&5
++echo "configure:19117: checking for dbus-1 >= $DBUS_VERSION" >&5
+ 
+         if $PKG_CONFIG --exists "dbus-1 >= $DBUS_VERSION" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_DBUS_CFLAGS""... $ac_c" 1>&6
+-echo "configure:19119: checking MOZ_DBUS_CFLAGS" >&5
++echo "configure:19124: checking MOZ_DBUS_CFLAGS" >&5
+             MOZ_DBUS_CFLAGS=`$PKG_CONFIG --cflags "dbus-1 >= $DBUS_VERSION"`
+             echo "$ac_t""$MOZ_DBUS_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_DBUS_LIBS""... $ac_c" 1>&6
+-echo "configure:19124: checking MOZ_DBUS_LIBS" >&5
++echo "configure:19129: checking MOZ_DBUS_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_DBUS_LIBS="`$PKG_CONFIG --libs \"dbus-1 >= $DBUS_VERSION\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_DBUS_LIBS" 1>&6
+@@ -19155,7 +19160,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:19159: checking for $ac_word" >&5
++echo "configure:19164: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -19199,19 +19204,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for dbus-glib-1 >= $DBUS_VERSION""... $ac_c" 1>&6
+-echo "configure:19203: checking for dbus-glib-1 >= $DBUS_VERSION" >&5
++echo "configure:19208: checking for dbus-glib-1 >= $DBUS_VERSION" >&5
+ 
+         if $PKG_CONFIG --exists "dbus-glib-1 >= $DBUS_VERSION" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_DBUS_GLIB_CFLAGS""... $ac_c" 1>&6
+-echo "configure:19210: checking MOZ_DBUS_GLIB_CFLAGS" >&5
++echo "configure:19215: checking MOZ_DBUS_GLIB_CFLAGS" >&5
+             MOZ_DBUS_GLIB_CFLAGS=`$PKG_CONFIG --cflags "dbus-glib-1 >= $DBUS_VERSION"`
+             echo "$ac_t""$MOZ_DBUS_GLIB_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_DBUS_GLIB_LIBS""... $ac_c" 1>&6
+-echo "configure:19215: checking MOZ_DBUS_GLIB_LIBS" >&5
++echo "configure:19220: checking MOZ_DBUS_GLIB_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_DBUS_GLIB_LIBS="`$PKG_CONFIG --libs \"dbus-glib-1 >= $DBUS_VERSION\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_DBUS_GLIB_LIBS" 1>&6
+@@ -19677,7 +19682,7 @@
+     MOZ_CUBEB=1
+ 
+         echo $ac_n "checking __attribute__ ((aligned ())) support""... $ac_c" 1>&6
+-echo "configure:19681: checking __attribute__ ((aligned ())) support" >&5
++echo "configure:19686: checking __attribute__ ((aligned ())) support" >&5
+ if eval "test \"`echo '$''{'ac_cv_c_attribute_aligned'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -19687,14 +19692,14 @@
+          for ac_cv_c_attr_align_try in 64 32 16 8; do
+            echo "trying $ac_cv_c_attr_align_try"
+            cat > conftest.$ac_ext <<EOF
+-#line 19691 "configure"
++#line 19696 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ static char c __attribute__ ((aligned(${ac_cv_c_attr_align_try}))) = 0; return c;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:19698: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:19703: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_c_attribute_aligned="${ac_cv_c_attr_align_try}"
+ else
+@@ -19917,7 +19922,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:19921: checking for $ac_word" >&5
++echo "configure:19926: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -19961,19 +19966,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for vpx >= 1.0.0""... $ac_c" 1>&6
+-echo "configure:19965: checking for vpx >= 1.0.0" >&5
++echo "configure:19970: checking for vpx >= 1.0.0" >&5
+ 
+         if $PKG_CONFIG --exists "vpx >= 1.0.0" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_LIBVPX_CFLAGS""... $ac_c" 1>&6
+-echo "configure:19972: checking MOZ_LIBVPX_CFLAGS" >&5
++echo "configure:19977: checking MOZ_LIBVPX_CFLAGS" >&5
+             MOZ_LIBVPX_CFLAGS=`$PKG_CONFIG --cflags "vpx >= 1.0.0"`
+             echo "$ac_t""$MOZ_LIBVPX_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_LIBVPX_LIBS""... $ac_c" 1>&6
+-echo "configure:19977: checking MOZ_LIBVPX_LIBS" >&5
++echo "configure:19982: checking MOZ_LIBVPX_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_LIBVPX_LIBS="`$PKG_CONFIG --libs \"vpx >= 1.0.0\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_LIBVPX_LIBS" 1>&6
+@@ -20005,12 +20010,12 @@
+ 
+            ac_safe=`echo "vpx/vpx_decoder.h" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for vpx/vpx_decoder.h""... $ac_c" 1>&6
+-echo "configure:20009: checking for vpx/vpx_decoder.h" >&5
++echo "configure:20014: checking for vpx/vpx_decoder.h" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 20014 "configure"
++#line 20019 "configure"
+ #include "confdefs.h"
+ 
+ #include <vpx/vpx_decoder.h>
+@@ -20018,7 +20023,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:20022: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:20027: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -20041,7 +20046,7 @@
+ 
+         _SAVE_LIBS=$LIBS
+         echo $ac_n "checking for vpx_codec_dec_init_ver in -lvpx""... $ac_c" 1>&6
+-echo "configure:20045: checking for vpx_codec_dec_init_ver in -lvpx" >&5
++echo "configure:20050: checking for vpx_codec_dec_init_ver in -lvpx" >&5
+ ac_lib_var=`echo vpx'_'vpx_codec_dec_init_ver | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -20049,7 +20054,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lvpx  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 20053 "configure"
++#line 20058 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -20060,7 +20065,7 @@
+ vpx_codec_dec_init_ver()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:20064: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:20069: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -20312,7 +20317,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:20316: checking for $ac_word" >&5
++echo "configure:20321: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -20356,19 +20361,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for alsa""... $ac_c" 1>&6
+-echo "configure:20360: checking for alsa" >&5
++echo "configure:20365: checking for alsa" >&5
+ 
+         if $PKG_CONFIG --exists "alsa" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_ALSA_CFLAGS""... $ac_c" 1>&6
+-echo "configure:20367: checking MOZ_ALSA_CFLAGS" >&5
++echo "configure:20372: checking MOZ_ALSA_CFLAGS" >&5
+             MOZ_ALSA_CFLAGS=`$PKG_CONFIG --cflags "alsa"`
+             echo "$ac_t""$MOZ_ALSA_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_ALSA_LIBS""... $ac_c" 1>&6
+-echo "configure:20372: checking MOZ_ALSA_LIBS" >&5
++echo "configure:20377: checking MOZ_ALSA_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_ALSA_LIBS="`$PKG_CONFIG --libs \"alsa\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_ALSA_LIBS" 1>&6
+@@ -20432,7 +20437,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:20436: checking for $ac_word" >&5
++echo "configure:20441: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -20476,19 +20481,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for libpulse""... $ac_c" 1>&6
+-echo "configure:20480: checking for libpulse" >&5
++echo "configure:20485: checking for libpulse" >&5
+ 
+         if $PKG_CONFIG --exists "libpulse" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_PULSEAUDIO_CFLAGS""... $ac_c" 1>&6
+-echo "configure:20487: checking MOZ_PULSEAUDIO_CFLAGS" >&5
++echo "configure:20492: checking MOZ_PULSEAUDIO_CFLAGS" >&5
+             MOZ_PULSEAUDIO_CFLAGS=`$PKG_CONFIG --cflags "libpulse"`
+             echo "$ac_t""$MOZ_PULSEAUDIO_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_PULSEAUDIO_LIBS""... $ac_c" 1>&6
+-echo "configure:20492: checking MOZ_PULSEAUDIO_LIBS" >&5
++echo "configure:20497: checking MOZ_PULSEAUDIO_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_PULSEAUDIO_LIBS="`$PKG_CONFIG --libs \"libpulse\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_PULSEAUDIO_LIBS" 1>&6
+@@ -20552,7 +20557,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:20556: checking for $ac_word" >&5
++echo "configure:20561: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -20598,7 +20603,7 @@
+         echo $ac_n "checking for gstreamer-$GST_API_VERSION >= $GST_VERSION
+                       gstreamer-app-$GST_API_VERSION
+                       gstreamer-plugins-base-$GST_API_VERSION""... $ac_c" 1>&6
+-echo "configure:20602: checking for gstreamer-$GST_API_VERSION >= $GST_VERSION
++echo "configure:20607: checking for gstreamer-$GST_API_VERSION >= $GST_VERSION
+                       gstreamer-app-$GST_API_VERSION
+                       gstreamer-plugins-base-$GST_API_VERSION" >&5
+ 
+@@ -20609,14 +20614,14 @@
+             succeeded=yes
+ 
+             echo $ac_n "checking GSTREAMER_CFLAGS""... $ac_c" 1>&6
+-echo "configure:20613: checking GSTREAMER_CFLAGS" >&5
++echo "configure:20618: checking GSTREAMER_CFLAGS" >&5
+             GSTREAMER_CFLAGS=`$PKG_CONFIG --cflags "gstreamer-$GST_API_VERSION >= $GST_VERSION
+                       gstreamer-app-$GST_API_VERSION
+                       gstreamer-plugins-base-$GST_API_VERSION"`
+             echo "$ac_t""$GSTREAMER_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking GSTREAMER_LIBS""... $ac_c" 1>&6
+-echo "configure:20620: checking GSTREAMER_LIBS" >&5
++echo "configure:20625: checking GSTREAMER_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             GSTREAMER_LIBS="`$PKG_CONFIG --libs \"gstreamer-$GST_API_VERSION >= $GST_VERSION
+                       gstreamer-app-$GST_API_VERSION
+@@ -20653,14 +20658,14 @@
+        _SAVE_LDFLAGS=$LDFLAGS
+        LDFLAGS="$LDFLAGS $GSTREAMER_LIBS -lgstvideo-$GST_API_VERSION"
+        cat > conftest.$ac_ext <<EOF
+-#line 20657 "configure"
++#line 20662 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return 0;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:20664: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:20669: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   _HAVE_LIBGSTVIDEO=1
+ else
+@@ -20779,7 +20784,7 @@
+  # Extract the first word of "java", so it can be a program name with args.
+ set dummy java; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:20783: checking for $ac_word" >&5
++echo "configure:20788: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_JAVA'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -20828,7 +20833,7 @@
+  # Extract the first word of "javac", so it can be a program name with args.
+ set dummy javac; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:20832: checking for $ac_word" >&5
++echo "configure:20837: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_JAVAC'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -20877,7 +20882,7 @@
+  # Extract the first word of "javah", so it can be a program name with args.
+ set dummy javah; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:20881: checking for $ac_word" >&5
++echo "configure:20886: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_JAVAH'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -20926,7 +20931,7 @@
+  # Extract the first word of "jar", so it can be a program name with args.
+ set dummy jar; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:20930: checking for $ac_word" >&5
++echo "configure:20935: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_JAR'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -21107,12 +21112,12 @@
+     Linux)
+            ac_safe=`echo "linux/joystick.h" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for linux/joystick.h""... $ac_c" 1>&6
+-echo "configure:21111: checking for linux/joystick.h" >&5
++echo "configure:21116: checking for linux/joystick.h" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 21116 "configure"
++#line 21121 "configure"
+ #include "confdefs.h"
+ 
+ #include <linux/joystick.h>
+@@ -21120,7 +21125,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:21124: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:21129: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -21211,7 +21216,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:21215: checking for $ac_word" >&5
++echo "configure:21220: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -21255,19 +21260,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for gthread-2.0""... $ac_c" 1>&6
+-echo "configure:21259: checking for gthread-2.0" >&5
++echo "configure:21264: checking for gthread-2.0" >&5
+ 
+         if $PKG_CONFIG --exists "gthread-2.0" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_GTHREAD_CFLAGS""... $ac_c" 1>&6
+-echo "configure:21266: checking MOZ_GTHREAD_CFLAGS" >&5
++echo "configure:21271: checking MOZ_GTHREAD_CFLAGS" >&5
+             MOZ_GTHREAD_CFLAGS=`$PKG_CONFIG --cflags "gthread-2.0"`
+             echo "$ac_t""$MOZ_GTHREAD_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_GTHREAD_LIBS""... $ac_c" 1>&6
+-echo "configure:21271: checking MOZ_GTHREAD_LIBS" >&5
++echo "configure:21276: checking MOZ_GTHREAD_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_GTHREAD_LIBS="`$PKG_CONFIG --libs \"gthread-2.0\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_GTHREAD_LIBS" 1>&6
+@@ -21596,7 +21601,7 @@
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+ set dummy $ac_prog; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:21600: checking for $ac_word" >&5
++echo "configure:21605: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_MAKENSISU'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -21654,7 +21659,7 @@
+           MAKENSISU_MINOR_VER=`echo $MAKENSISU_VER | $AWK -F\. '{ print $2 }'`
+       fi
+       echo $ac_n "checking for Unicode NSIS with major version == $REQ_NSIS_MAJOR_VER and minor version >= $MIN_NSIS_MINOR_VER""... $ac_c" 1>&6
+-echo "configure:21658: checking for Unicode NSIS with major version == $REQ_NSIS_MAJOR_VER and minor version >= $MIN_NSIS_MINOR_VER" >&5
++echo "configure:21663: checking for Unicode NSIS with major version == $REQ_NSIS_MAJOR_VER and minor version >= $MIN_NSIS_MINOR_VER" >&5
+       if test "$MAKENSISU_VER" = "" || \
+          test ! "$MAKENSISU_MAJOR_VER" = "$REQ_NSIS_MAJOR_VER" -o \
+               ! "$MAKENSISU_MINOR_VER" -ge $MIN_NSIS_MINOR_VER; then
+@@ -21702,13 +21707,13 @@
+ fi
+ 
+ echo $ac_n "checking for tar archiver""... $ac_c" 1>&6
+-echo "configure:21706: checking for tar archiver" >&5
++echo "configure:21711: checking for tar archiver" >&5
+ for ac_prog in gnutar gtar tar
+ do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+ set dummy $ac_prog; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:21712: checking for $ac_word" >&5
++echo "configure:21717: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_prog_TAR'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -21745,13 +21750,13 @@
+ 
+ 
+ echo $ac_n "checking for wget""... $ac_c" 1>&6
+-echo "configure:21749: checking for wget" >&5
++echo "configure:21754: checking for wget" >&5
+ for ac_prog in wget
+ do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+ set dummy $ac_prog; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:21755: checking for $ac_word" >&5
++echo "configure:21760: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_prog_WGET'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -22084,7 +22089,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:22088: checking for $ac_word" >&5
++echo "configure:22093: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -22128,19 +22133,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for sqlite3 >= $SQLITE_VERSION""... $ac_c" 1>&6
+-echo "configure:22132: checking for sqlite3 >= $SQLITE_VERSION" >&5
++echo "configure:22137: checking for sqlite3 >= $SQLITE_VERSION" >&5
+ 
+         if $PKG_CONFIG --exists "sqlite3 >= $SQLITE_VERSION" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking SQLITE_CFLAGS""... $ac_c" 1>&6
+-echo "configure:22139: checking SQLITE_CFLAGS" >&5
++echo "configure:22144: checking SQLITE_CFLAGS" >&5
+             SQLITE_CFLAGS=`$PKG_CONFIG --cflags "sqlite3 >= $SQLITE_VERSION"`
+             echo "$ac_t""$SQLITE_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking SQLITE_LIBS""... $ac_c" 1>&6
+-echo "configure:22144: checking SQLITE_LIBS" >&5
++echo "configure:22149: checking SQLITE_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             SQLITE_LIBS="`$PKG_CONFIG --libs \"sqlite3 >= $SQLITE_VERSION\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$SQLITE_LIBS" 1>&6
+@@ -22171,7 +22176,7 @@
+ 
+ 
+                         echo $ac_n "checking for SQLITE_SECURE_DELETE support in system SQLite""... $ac_c" 1>&6
+-echo "configure:22175: checking for SQLITE_SECURE_DELETE support in system SQLite" >&5
++echo "configure:22180: checking for SQLITE_SECURE_DELETE support in system SQLite" >&5
+     _SAVE_CFLAGS="$CFLAGS"
+     CFLAGS="$CFLAGS $SQLITE_CFLAGS"
+     _SAVE_LIBS="$LIBS"
+@@ -22185,7 +22190,7 @@
+         
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 22189 "configure"
++#line 22194 "configure"
+ #include "confdefs.h"
+ 
+             #include "sqlite3.h"
+@@ -22194,7 +22199,7 @@
+               return !sqlite3_compileoption_used("SQLITE_SECURE_DELETE");
+             }
+ EOF
+-if { (eval echo configure:22198: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:22203: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   ac_cv_sqlite_secure_delete=yes
+ else
+@@ -22217,7 +22222,7 @@
+     fi
+ 
+                         echo $ac_n "checking for SQLITE_THREADSAFE support in system SQLite""... $ac_c" 1>&6
+-echo "configure:22221: checking for SQLITE_THREADSAFE support in system SQLite" >&5
++echo "configure:22226: checking for SQLITE_THREADSAFE support in system SQLite" >&5
+     _SAVE_CFLAGS="$CFLAGS"
+     CFLAGS="$CFLAGS $SQLITE_CFLAGS"
+     _SAVE_LIBS="$LIBS"
+@@ -22231,7 +22236,7 @@
+         
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 22235 "configure"
++#line 22240 "configure"
+ #include "confdefs.h"
+ 
+             #include "sqlite3.h"
+@@ -22240,7 +22245,7 @@
+               return !sqlite3_compileoption_used("SQLITE_THREADSAFE=1");
+             }
+ EOF
+-if { (eval echo configure:22244: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:22249: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   ac_cv_sqlite_threadsafe=yes
+ else
+@@ -22263,7 +22268,7 @@
+     fi
+ 
+                         echo $ac_n "checking for SQLITE_ENABLE_FTS3 support in system SQLite""... $ac_c" 1>&6
+-echo "configure:22267: checking for SQLITE_ENABLE_FTS3 support in system SQLite" >&5
++echo "configure:22272: checking for SQLITE_ENABLE_FTS3 support in system SQLite" >&5
+     _SAVE_CFLAGS="$CFLAGS"
+     CFLAGS="$CFLAGS $SQLITE_CFLAGS"
+     _SAVE_LIBS="$LIBS"
+@@ -22277,7 +22282,7 @@
+         
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 22281 "configure"
++#line 22286 "configure"
+ #include "confdefs.h"
+ 
+             #include "sqlite3.h"
+@@ -22286,7 +22291,7 @@
+               return !sqlite3_compileoption_used("SQLITE_ENABLE_FTS3");
+             }
+ EOF
+-if { (eval echo configure:22290: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:22295: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   ac_cv_sqlite_enable_fts3=yes
+ else
+@@ -22309,7 +22314,7 @@
+     fi
+ 
+                         echo $ac_n "checking for SQLITE_ENABLE_UNLOCK_NOTIFY support in system SQLite""... $ac_c" 1>&6
+-echo "configure:22313: checking for SQLITE_ENABLE_UNLOCK_NOTIFY support in system SQLite" >&5
++echo "configure:22318: checking for SQLITE_ENABLE_UNLOCK_NOTIFY support in system SQLite" >&5
+     _SAVE_CFLAGS="$CFLAGS"
+     CFLAGS="$CFLAGS $SQLITE_CFLAGS"
+     _SAVE_LIBS="$LIBS"
+@@ -22323,7 +22328,7 @@
+         
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 22327 "configure"
++#line 22332 "configure"
+ #include "confdefs.h"
+ 
+             #include "sqlite3.h"
+@@ -22332,7 +22337,7 @@
+               return !sqlite3_compileoption_used("SQLITE_ENABLE_UNLOCK_NOTIFY");
+             }
+ EOF
+-if { (eval echo configure:22336: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:22341: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   ac_cv_sqlite_enable_unlock_notify=yes
+ else
+@@ -22467,7 +22472,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:22471: checking for $ac_word" >&5
++echo "configure:22476: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -22511,19 +22516,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for conic""... $ac_c" 1>&6
+-echo "configure:22515: checking for conic" >&5
++echo "configure:22520: checking for conic" >&5
+ 
+         if $PKG_CONFIG --exists "conic" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking LIBCONIC_CFLAGS""... $ac_c" 1>&6
+-echo "configure:22522: checking LIBCONIC_CFLAGS" >&5
++echo "configure:22527: checking LIBCONIC_CFLAGS" >&5
+             LIBCONIC_CFLAGS=`$PKG_CONFIG --cflags "conic"`
+             echo "$ac_t""$LIBCONIC_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking LIBCONIC_LIBS""... $ac_c" 1>&6
+-echo "configure:22527: checking LIBCONIC_LIBS" >&5
++echo "configure:22532: checking LIBCONIC_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             LIBCONIC_LIBS="`$PKG_CONFIG --libs \"conic\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$LIBCONIC_LIBS" 1>&6
+@@ -22615,12 +22620,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:22619: checking for $ac_hdr" >&5
++echo "configure:22624: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 22624 "configure"
++#line 22629 "configure"
+ #include "confdefs.h"
+ 
+ #include <$ac_hdr>
+@@ -22628,7 +22633,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:22632: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:22637: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -22658,7 +22663,7 @@
+   done
+ 
+       echo $ac_n "checking for XCompositeRedirectWindow in -lXcomposite""... $ac_c" 1>&6
+-echo "configure:22662: checking for XCompositeRedirectWindow in -lXcomposite" >&5
++echo "configure:22667: checking for XCompositeRedirectWindow in -lXcomposite" >&5
+ ac_lib_var=`echo Xcomposite'_'XCompositeRedirectWindow | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -22666,7 +22671,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lXcomposite $XLIBS $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 22670 "configure"
++#line 22675 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -22677,7 +22682,7 @@
+ XCompositeRedirectWindow()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:22681: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:22686: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -22707,7 +22712,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:22711: checking for $ac_word" >&5
++echo "configure:22716: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -22751,19 +22756,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for libhildonmime""... $ac_c" 1>&6
+-echo "configure:22755: checking for libhildonmime" >&5
++echo "configure:22760: checking for libhildonmime" >&5
+ 
+         if $PKG_CONFIG --exists "libhildonmime" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking LIBHILDONMIME_CFLAGS""... $ac_c" 1>&6
+-echo "configure:22762: checking LIBHILDONMIME_CFLAGS" >&5
++echo "configure:22767: checking LIBHILDONMIME_CFLAGS" >&5
+             LIBHILDONMIME_CFLAGS=`$PKG_CONFIG --cflags "libhildonmime"`
+             echo "$ac_t""$LIBHILDONMIME_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking LIBHILDONMIME_LIBS""... $ac_c" 1>&6
+-echo "configure:22767: checking LIBHILDONMIME_LIBS" >&5
++echo "configure:22772: checking LIBHILDONMIME_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             LIBHILDONMIME_LIBS="`$PKG_CONFIG --libs \"libhildonmime\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$LIBHILDONMIME_LIBS" 1>&6
+@@ -22805,7 +22810,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:22809: checking for $ac_word" >&5
++echo "configure:22814: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -22849,19 +22854,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for libosso""... $ac_c" 1>&6
+-echo "configure:22853: checking for libosso" >&5
++echo "configure:22858: checking for libosso" >&5
+ 
+         if $PKG_CONFIG --exists "libosso" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking LIBOSSO_CFLAGS""... $ac_c" 1>&6
+-echo "configure:22860: checking LIBOSSO_CFLAGS" >&5
++echo "configure:22865: checking LIBOSSO_CFLAGS" >&5
+             LIBOSSO_CFLAGS=`$PKG_CONFIG --cflags "libosso"`
+             echo "$ac_t""$LIBOSSO_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking LIBOSSO_LIBS""... $ac_c" 1>&6
+-echo "configure:22865: checking LIBOSSO_LIBS" >&5
++echo "configure:22870: checking LIBOSSO_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             LIBOSSO_LIBS="`$PKG_CONFIG --libs \"libosso\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$LIBOSSO_LIBS" 1>&6
+@@ -22902,7 +22907,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:22906: checking for $ac_word" >&5
++echo "configure:22911: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -22946,19 +22951,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for hildon-fm-2""... $ac_c" 1>&6
+-echo "configure:22950: checking for hildon-fm-2" >&5
++echo "configure:22955: checking for hildon-fm-2" >&5
+ 
+         if $PKG_CONFIG --exists "hildon-fm-2" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking LIBHILDONFM_CFLAGS""... $ac_c" 1>&6
+-echo "configure:22957: checking LIBHILDONFM_CFLAGS" >&5
++echo "configure:22962: checking LIBHILDONFM_CFLAGS" >&5
+             LIBHILDONFM_CFLAGS=`$PKG_CONFIG --cflags "hildon-fm-2"`
+             echo "$ac_t""$LIBHILDONFM_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking LIBHILDONFM_LIBS""... $ac_c" 1>&6
+-echo "configure:22962: checking LIBHILDONFM_LIBS" >&5
++echo "configure:22967: checking LIBHILDONFM_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             LIBHILDONFM_LIBS="`$PKG_CONFIG --libs \"hildon-fm-2\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$LIBHILDONFM_LIBS" 1>&6
+@@ -23002,7 +23007,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:23006: checking for $ac_word" >&5
++echo "configure:23011: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -23046,19 +23051,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for ContentManager QtSparql""... $ac_c" 1>&6
+-echo "configure:23050: checking for ContentManager QtSparql" >&5
++echo "configure:23055: checking for ContentManager QtSparql" >&5
+ 
+         if $PKG_CONFIG --exists "ContentManager QtSparql" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking LIBCONTENTMANAGER_CFLAGS""... $ac_c" 1>&6
+-echo "configure:23057: checking LIBCONTENTMANAGER_CFLAGS" >&5
++echo "configure:23062: checking LIBCONTENTMANAGER_CFLAGS" >&5
+             LIBCONTENTMANAGER_CFLAGS=`$PKG_CONFIG --cflags "ContentManager QtSparql"`
+             echo "$ac_t""$LIBCONTENTMANAGER_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking LIBCONTENTMANAGER_LIBS""... $ac_c" 1>&6
+-echo "configure:23062: checking LIBCONTENTMANAGER_LIBS" >&5
++echo "configure:23067: checking LIBCONTENTMANAGER_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             LIBCONTENTMANAGER_LIBS="`$PKG_CONFIG --libs \"ContentManager QtSparql\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$LIBCONTENTMANAGER_LIBS" 1>&6
+@@ -23124,7 +23129,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:23128: checking for $ac_word" >&5
++echo "configure:23133: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -23168,19 +23173,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for contentaction-0.1""... $ac_c" 1>&6
+-echo "configure:23172: checking for contentaction-0.1" >&5
++echo "configure:23177: checking for contentaction-0.1" >&5
+ 
+         if $PKG_CONFIG --exists "contentaction-0.1" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking LIBCONTENTACTION_CFLAGS""... $ac_c" 1>&6
+-echo "configure:23179: checking LIBCONTENTACTION_CFLAGS" >&5
++echo "configure:23184: checking LIBCONTENTACTION_CFLAGS" >&5
+             LIBCONTENTACTION_CFLAGS=`$PKG_CONFIG --cflags "contentaction-0.1"`
+             echo "$ac_t""$LIBCONTENTACTION_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking LIBCONTENTACTION_LIBS""... $ac_c" 1>&6
+-echo "configure:23184: checking LIBCONTENTACTION_LIBS" >&5
++echo "configure:23189: checking LIBCONTENTACTION_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             LIBCONTENTACTION_LIBS="`$PKG_CONFIG --libs \"contentaction-0.1\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$LIBCONTENTACTION_LIBS" 1>&6
+@@ -23244,7 +23249,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:23248: checking for $ac_word" >&5
++echo "configure:23253: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -23288,19 +23293,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for meegotouchcore""... $ac_c" 1>&6
+-echo "configure:23292: checking for meegotouchcore" >&5
++echo "configure:23297: checking for meegotouchcore" >&5
+ 
+         if $PKG_CONFIG --exists "meegotouchcore" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_MEEGOTOUCH_CFLAGS""... $ac_c" 1>&6
+-echo "configure:23299: checking MOZ_MEEGOTOUCH_CFLAGS" >&5
++echo "configure:23304: checking MOZ_MEEGOTOUCH_CFLAGS" >&5
+             MOZ_MEEGOTOUCH_CFLAGS=`$PKG_CONFIG --cflags "meegotouchcore"`
+             echo "$ac_t""$MOZ_MEEGOTOUCH_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_MEEGOTOUCH_LIBS""... $ac_c" 1>&6
+-echo "configure:23304: checking MOZ_MEEGOTOUCH_LIBS" >&5
++echo "configure:23309: checking MOZ_MEEGOTOUCH_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_MEEGOTOUCH_LIBS="`$PKG_CONFIG --libs \"meegotouchcore\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_MEEGOTOUCH_LIBS" 1>&6
+@@ -23351,7 +23356,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:23355: checking for $ac_word" >&5
++echo "configure:23360: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -23395,19 +23400,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for liblocation""... $ac_c" 1>&6
+-echo "configure:23399: checking for liblocation" >&5
++echo "configure:23404: checking for liblocation" >&5
+ 
+         if $PKG_CONFIG --exists "liblocation" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking LIBLOCATION_CFLAGS""... $ac_c" 1>&6
+-echo "configure:23406: checking LIBLOCATION_CFLAGS" >&5
++echo "configure:23411: checking LIBLOCATION_CFLAGS" >&5
+             LIBLOCATION_CFLAGS=`$PKG_CONFIG --cflags "liblocation"`
+             echo "$ac_t""$LIBLOCATION_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking LIBLOCATION_LIBS""... $ac_c" 1>&6
+-echo "configure:23411: checking LIBLOCATION_LIBS" >&5
++echo "configure:23416: checking LIBLOCATION_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             LIBLOCATION_LIBS="`$PKG_CONFIG --libs \"liblocation\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$LIBLOCATION_LIBS" 1>&6
+@@ -23458,7 +23463,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:23462: checking for $ac_word" >&5
++echo "configure:23467: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -23502,19 +23507,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for ShareUiInterface-maemo-meegotouch >= 0.3.31 mdatauri""... $ac_c" 1>&6
+-echo "configure:23506: checking for ShareUiInterface-maemo-meegotouch >= 0.3.31 mdatauri" >&5
++echo "configure:23511: checking for ShareUiInterface-maemo-meegotouch >= 0.3.31 mdatauri" >&5
+ 
+         if $PKG_CONFIG --exists "ShareUiInterface-maemo-meegotouch >= 0.3.31 mdatauri" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking LIBMEEGOTOUCHSHARE_CFLAGS""... $ac_c" 1>&6
+-echo "configure:23513: checking LIBMEEGOTOUCHSHARE_CFLAGS" >&5
++echo "configure:23518: checking LIBMEEGOTOUCHSHARE_CFLAGS" >&5
+             LIBMEEGOTOUCHSHARE_CFLAGS=`$PKG_CONFIG --cflags "ShareUiInterface-maemo-meegotouch >= 0.3.31 mdatauri"`
+             echo "$ac_t""$LIBMEEGOTOUCHSHARE_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking LIBMEEGOTOUCHSHARE_LIBS""... $ac_c" 1>&6
+-echo "configure:23518: checking LIBMEEGOTOUCHSHARE_LIBS" >&5
++echo "configure:23523: checking LIBMEEGOTOUCHSHARE_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             LIBMEEGOTOUCHSHARE_LIBS="`$PKG_CONFIG --libs \"ShareUiInterface-maemo-meegotouch >= 0.3.31 mdatauri\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$LIBMEEGOTOUCHSHARE_LIBS" 1>&6
+@@ -23644,18 +23649,18 @@
+ 
+ if test -n "$MOZ_DEBUG"; then
+     echo $ac_n "checking for valid debug flags""... $ac_c" 1>&6
+-echo "configure:23648: checking for valid debug flags" >&5
++echo "configure:23653: checking for valid debug flags" >&5
+     _SAVE_CFLAGS=$CFLAGS
+     CFLAGS="$CFLAGS $MOZ_DEBUG_FLAGS"
+     cat > conftest.$ac_ext <<EOF
+-#line 23652 "configure"
++#line 23657 "configure"
+ #include "confdefs.h"
+ #include <stdio.h>
+ int main() {
+ printf("Hello World\n");
+ ; return 0; }
+ EOF
+-if { (eval echo configure:23659: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:23664: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   _results=yes
+ else
+@@ -23752,18 +23757,18 @@
+ if test "$COMPILE_ENVIRONMENT"; then
+ if test -n "$MOZ_OPTIMIZE"; then
+     echo $ac_n "checking for valid optimization flags""... $ac_c" 1>&6
+-echo "configure:23756: checking for valid optimization flags" >&5
++echo "configure:23761: checking for valid optimization flags" >&5
+     _SAVE_CFLAGS=$CFLAGS
+     CFLAGS="$CFLAGS $MOZ_OPTIMIZE_FLAGS"
+     cat > conftest.$ac_ext <<EOF
+-#line 23760 "configure"
++#line 23765 "configure"
+ #include "confdefs.h"
+ #include <stdio.h>
+ int main() {
+ printf("Hello World\n");
+ ; return 0; }
+ EOF
+-if { (eval echo configure:23767: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:23772: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   _results=yes
+ else
+@@ -24058,12 +24063,12 @@
+ 
+         if test -n "$MACOSX_DEPLOYMENT_TARGET"; then
+         echo $ac_n "checking how to do weak dynamic linking""... $ac_c" 1>&6
+-echo "configure:24062: checking how to do weak dynamic linking" >&5
++echo "configure:24067: checking how to do weak dynamic linking" >&5
+ if eval "test \"`echo '$''{'ac_cv_weak_dynamic_linking'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   echo 'extern void foo() __attribute__((weak_import));int bar() { if (foo) foo(); return 0; }' > conftest.c
+-             if { ac_try='${CC-cc} -o conftest${DLL_SUFFIX} $CFLAGS -dynamiclib $LDFLAGS -Wl,-U,_foo conftest.c $LIBS 1>&5'; { (eval echo configure:24067: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } &&
++             if { ac_try='${CC-cc} -o conftest${DLL_SUFFIX} $CFLAGS -dynamiclib $LDFLAGS -Wl,-U,_foo conftest.c $LIBS 1>&5'; { (eval echo configure:24072: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } &&
+                 test -s conftest${DLL_SUFFIX}; then
+                                                                                      if otool -l conftest${DLL_SUFFIX} 2> /dev/null | grep "LC_DYLD_INFO_ONLY" > /dev/null; then
+                      _CLASSIC_INFO=
+@@ -24107,12 +24112,12 @@
+     for ac_func in mallctl nallocm
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:24111: checking for $ac_func" >&5
++echo "configure:24116: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 24116 "configure"
++#line 24121 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -24135,7 +24140,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:24139: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:24144: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -24217,7 +24222,7 @@
+     fi
+   else
+     echo $ac_n "checking size of int *""... $ac_c" 1>&6
+-echo "configure:24221: checking size of int *" >&5
++echo "configure:24226: checking size of int *" >&5
+ if eval "test \"`echo '$''{'ac_cv_sizeof_int_p'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -24225,7 +24230,7 @@
+   ac_cv_sizeof_int_p=4
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 24229 "configure"
++#line 24234 "configure"
+ #include "confdefs.h"
+ #include <stdio.h>
+ int main()
+@@ -24236,7 +24241,7 @@
+   return(0);
+ }
+ EOF
+-if { (eval echo configure:24240: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:24245: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   ac_cv_sizeof_int_p=`cat conftestval`
+ else
+@@ -24577,7 +24582,7 @@
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+ set dummy $ac_prog; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:24581: checking for $ac_word" >&5
++echo "configure:24586: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_CCACHE'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -24794,12 +24799,12 @@
+ 
+ if test -n "$USE_ELF_HACK"; then
+                                         echo $ac_n "checking whether linker creates PT_GNU_RELRO segments""... $ac_c" 1>&6
+-echo "configure:24798: checking whether linker creates PT_GNU_RELRO segments" >&5
++echo "configure:24803: checking whether linker creates PT_GNU_RELRO segments" >&5
+ if eval "test \"`echo '$''{'LINK_WITH_PT_GNU_RELRO'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   echo "int main() {return 0;}" > conftest.${ac_ext}
+-         if { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS conftest.${ac_ext} $LIBS 1>&2'; { (eval echo configure:24803: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } &&
++         if { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS conftest.${ac_ext} $LIBS 1>&2'; { (eval echo configure:24808: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } &&
+             test -s conftest${ac_exeext}; then
+             if ${TOOLCHAIN_PREFIX}readelf -l conftest${ac_exeext} | grep GNU_RELRO > /dev/null; then
+                 LINK_WITH_PT_GNU_RELRO=yes
+@@ -24816,18 +24821,18 @@
+     if test "$LINK_WITH_PT_GNU_RELRO" = yes; then
+         if test "$USE_ELF_HACK" = F; then
+             echo $ac_n "checking for -z norelro option to ld""... $ac_c" 1>&6
+-echo "configure:24820: checking for -z norelro option to ld" >&5
++echo "configure:24825: checking for -z norelro option to ld" >&5
+             _SAVE_LDFLAGS=$LDFLAGS
+             LDFLAGS="$LDFLAGS -Wl,-z,norelro"
+             cat > conftest.$ac_ext <<EOF
+-#line 24824 "configure"
++#line 24829 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:24831: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:24836: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   echo "$ac_t""yes" 1>&6
+                         NSPR_LDFLAGS="$NSPR_LDFLAGS -Wl,-z,norelro"
+@@ -25071,12 +25076,12 @@
+     for ac_func in __cxa_demangle
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:25075: checking for $ac_func" >&5
++echo "configure:25080: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 25080 "configure"
++#line 25085 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -25102,7 +25107,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:25106: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:25111: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -25156,12 +25161,12 @@
+ if test -z "$SKIP_LIBRARY_CHECKS"; then
+        ac_safe=`echo "unwind.h" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for unwind.h""... $ac_c" 1>&6
+-echo "configure:25160: checking for unwind.h" >&5
++echo "configure:25165: checking for unwind.h" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 25165 "configure"
++#line 25170 "configure"
+ #include "confdefs.h"
+ 
+ #include <unwind.h>
+@@ -25169,7 +25174,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:25173: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:25178: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -25186,12 +25191,12 @@
+     for ac_func in _Unwind_Backtrace
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:25190: checking for $ac_func" >&5
++echo "configure:25195: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 25195 "configure"
++#line 25200 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -25214,7 +25219,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:25218: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:25223: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -25394,7 +25399,7 @@
+ # Compiler Options
+ 
+ echo $ac_n "checking for -pipe support""... $ac_c" 1>&6
+-echo "configure:25398: checking for -pipe support" >&5
++echo "configure:25403: checking for -pipe support" >&5
+ if test -n "$GNU_CC" -a -n "$GNU_CXX"; then
+         CFLAGS="$CFLAGS -pipe"
+     CXXFLAGS="$CXXFLAGS -pipe"
+@@ -25408,16 +25413,16 @@
+ CFLAGS="$CFLAGS -fprofile-generate -fprofile-correction"
+ 
+ echo $ac_n "checking whether C compiler supports -fprofile-generate""... $ac_c" 1>&6
+-echo "configure:25412: checking whether C compiler supports -fprofile-generate" >&5
++echo "configure:25417: checking whether C compiler supports -fprofile-generate" >&5
+ cat > conftest.$ac_ext <<EOF
+-#line 25414 "configure"
++#line 25419 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return 0;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:25421: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:25426: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+    PROFILE_GEN_CFLAGS="-fprofile-generate"
+                  result="yes" 
+@@ -25468,12 +25473,12 @@
+ _SAVE_CXXFLAGS=$CXXFLAGS
+ CXXFLAGS="$CXXFLAGS ${_WARNINGS_CXXFLAGS}"
+ echo $ac_n "checking for correct overload resolution with const and templates""... $ac_c" 1>&6
+-echo "configure:25472: checking for correct overload resolution with const and templates" >&5
++echo "configure:25477: checking for correct overload resolution with const and templates" >&5
+ if eval "test \"`echo '$''{'ac_nscap_nonconst_opeq_bug'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 25477 "configure"
++#line 25482 "configure"
+ #include "confdefs.h"
+ 
+                       template <class T>
+@@ -25503,7 +25508,7 @@
+                     
+ ; return 0; }
+ EOF
+-if { (eval echo configure:25507: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:25512: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_nscap_nonconst_opeq_bug="no"
+ else
+@@ -25548,20 +25553,20 @@
+ 
+ 
+ echo $ac_n "checking what kind of list files are supported by the linker""... $ac_c" 1>&6
+-echo "configure:25552: checking what kind of list files are supported by the linker" >&5
++echo "configure:25557: checking what kind of list files are supported by the linker" >&5
+ if eval "test \"`echo '$''{'EXPAND_LIBS_LIST_STYLE'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   echo "int main() {return 0;}" > conftest.${ac_ext}
+-     if { ac_try='${CC-cc} -o conftest.${OBJ_SUFFIX} -c $CFLAGS $CPPFLAGS conftest.${ac_ext} 1>&5'; { (eval echo configure:25557: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } && test -s conftest.${OBJ_SUFFIX}; then
++     if { ac_try='${CC-cc} -o conftest.${OBJ_SUFFIX} -c $CFLAGS $CPPFLAGS conftest.${ac_ext} 1>&5'; { (eval echo configure:25562: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } && test -s conftest.${OBJ_SUFFIX}; then
+          echo "INPUT(conftest.${OBJ_SUFFIX})" > conftest.list
+-         if { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS conftest.list $LIBS 1>&5'; { (eval echo configure:25559: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } && test -s conftest${ac_exeext}; then
++         if { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS conftest.list $LIBS 1>&5'; { (eval echo configure:25564: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } && test -s conftest${ac_exeext}; then
+              EXPAND_LIBS_LIST_STYLE=linkerscript
+          else
+              echo "conftest.${OBJ_SUFFIX}" > conftest.list
+-                                                                 if { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS -Wl,-filelist,conftest.list $LIBS 1>&5'; { (eval echo configure:25563: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } && test -s conftest${ac_exeext}; then
++                                                                 if { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS -Wl,-filelist,conftest.list $LIBS 1>&5'; { (eval echo configure:25568: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } && test -s conftest${ac_exeext}; then
+                  EXPAND_LIBS_LIST_STYLE=filelist
+-             elif { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS @conftest.list $LIBS 1>&5'; { (eval echo configure:25565: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } && test -s conftest${ac_exeext}; then
++             elif { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS @conftest.list $LIBS 1>&5'; { (eval echo configure:25570: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } && test -s conftest${ac_exeext}; then
+                  EXPAND_LIBS_LIST_STYLE=list
+              else
+                  EXPAND_LIBS_LIST_STYLE=none
+@@ -25581,7 +25586,7 @@
+ 
+ if test "$GCC_USE_GNU_LD"; then
+     echo $ac_n "checking what kind of ordering can be done with the linker""... $ac_c" 1>&6
+-echo "configure:25585: checking what kind of ordering can be done with the linker" >&5
++echo "configure:25590: checking what kind of ordering can be done with the linker" >&5
+ if eval "test \"`echo '$''{'EXPAND_LIBS_ORDER_STYLE'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -25589,14 +25594,14 @@
+          _SAVE_LDFLAGS="$LDFLAGS"
+          LDFLAGS="${LDFLAGS} -Wl,--section-ordering-file,conftest.order"
+          cat > conftest.$ac_ext <<EOF
+-#line 25593 "configure"
++#line 25598 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:25600: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:25605: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   EXPAND_LIBS_ORDER_STYLE=section-ordering-file
+ else
+@@ -25608,7 +25613,7 @@
+ rm -f conftest*
+          LDFLAGS="$_SAVE_LDFLAGS"
+          if test -z "$EXPAND_LIBS_ORDER_STYLE"; then
+-             if { ac_try='${CC-cc} ${DSO_LDOPTS} ${LDFLAGS} -o ${DLL_PREFIX}conftest${DLL_SUFFIX} -Wl'; { (eval echo configure:25612: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; }; then
++             if { ac_try='${CC-cc} ${DSO_LDOPTS} ${LDFLAGS} -o ${DLL_PREFIX}conftest${DLL_SUFFIX} -Wl'; { (eval echo configure:25617: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; }; then
+                  EXPAND_LIBS_ORDER_STYLE=linkerscript
+              else
+                  EXPAND_LIBS_ORDER_STYLE=none
+@@ -25698,7 +25703,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:25702: checking for $ac_word" >&5
++echo "configure:25707: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -25742,19 +25747,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for glib-2.0 >= 1.3.7 gobject-2.0""... $ac_c" 1>&6
+-echo "configure:25746: checking for glib-2.0 >= 1.3.7 gobject-2.0" >&5
++echo "configure:25751: checking for glib-2.0 >= 1.3.7 gobject-2.0" >&5
+ 
+         if $PKG_CONFIG --exists "glib-2.0 >= 1.3.7 gobject-2.0" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking GLIB_CFLAGS""... $ac_c" 1>&6
+-echo "configure:25753: checking GLIB_CFLAGS" >&5
++echo "configure:25758: checking GLIB_CFLAGS" >&5
+             GLIB_CFLAGS=`$PKG_CONFIG --cflags "glib-2.0 >= 1.3.7 gobject-2.0"`
+             echo "$ac_t""$GLIB_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking GLIB_LIBS""... $ac_c" 1>&6
+-echo "configure:25758: checking GLIB_LIBS" >&5
++echo "configure:25763: checking GLIB_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             GLIB_LIBS="`$PKG_CONFIG --libs \"glib-2.0 >= 1.3.7 gobject-2.0\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$GLIB_LIBS" 1>&6
+@@ -25826,7 +25831,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:25830: checking for $ac_word" >&5
++echo "configure:25835: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -25870,19 +25875,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for freetype2 >= 6.1.0""... $ac_c" 1>&6
+-echo "configure:25874: checking for freetype2 >= 6.1.0" >&5
++echo "configure:25879: checking for freetype2 >= 6.1.0" >&5
+ 
+         if $PKG_CONFIG --exists "freetype2 >= 6.1.0" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking FT2_CFLAGS""... $ac_c" 1>&6
+-echo "configure:25881: checking FT2_CFLAGS" >&5
++echo "configure:25886: checking FT2_CFLAGS" >&5
+             FT2_CFLAGS=`$PKG_CONFIG --cflags "freetype2 >= 6.1.0"`
+             echo "$ac_t""$FT2_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking FT2_LIBS""... $ac_c" 1>&6
+-echo "configure:25886: checking FT2_LIBS" >&5
++echo "configure:25891: checking FT2_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             FT2_LIBS="`$PKG_CONFIG --libs \"freetype2 >= 6.1.0\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$FT2_LIBS" 1>&6
+@@ -25919,12 +25924,12 @@
+             CFLAGS="$CFLAGS $FT2_CFLAGS"
+ 
+             echo $ac_n "checking for FT_Bitmap_Size.y_ppem""... $ac_c" 1>&6
+-echo "configure:25923: checking for FT_Bitmap_Size.y_ppem" >&5
++echo "configure:25928: checking for FT_Bitmap_Size.y_ppem" >&5
+ if eval "test \"`echo '$''{'ac_cv_member_FT_Bitmap_Size_y_ppem'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 25928 "configure"
++#line 25933 "configure"
+ #include "confdefs.h"
+ #include <ft2build.h>
+                                  #include FT_FREETYPE_H
+@@ -25934,7 +25939,7 @@
+                                  return 1
+ ; return 0; }
+ EOF
+-if { (eval echo configure:25938: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:25943: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_member_FT_Bitmap_Size_y_ppem=yes
+ else
+@@ -25963,12 +25968,12 @@
+             for ac_func in FT_GlyphSlot_Embolden FT_Load_Sfnt_Table FT_Select_Size
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:25967: checking for $ac_func" >&5
++echo "configure:25972: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 25972 "configure"
++#line 25977 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -25991,7 +25996,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:25995: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:26000: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -26029,12 +26034,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:26033: checking for $ac_hdr" >&5
++echo "configure:26038: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 26038 "configure"
++#line 26043 "configure"
+ #include "confdefs.h"
+ #include <fontconfig/fontconfig.h>
+ #include <$ac_hdr>
+@@ -26042,7 +26047,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:26046: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:26051: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -26088,7 +26093,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:26092: checking for $ac_word" >&5
++echo "configure:26097: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -26132,19 +26137,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for fontconfig""... $ac_c" 1>&6
+-echo "configure:26136: checking for fontconfig" >&5
++echo "configure:26141: checking for fontconfig" >&5
+ 
+         if $PKG_CONFIG --exists "fontconfig" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking _FONTCONFIG_CFLAGS""... $ac_c" 1>&6
+-echo "configure:26143: checking _FONTCONFIG_CFLAGS" >&5
++echo "configure:26148: checking _FONTCONFIG_CFLAGS" >&5
+             _FONTCONFIG_CFLAGS=`$PKG_CONFIG --cflags "fontconfig"`
+             echo "$ac_t""$_FONTCONFIG_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking _FONTCONFIG_LIBS""... $ac_c" 1>&6
+-echo "configure:26148: checking _FONTCONFIG_LIBS" >&5
++echo "configure:26153: checking _FONTCONFIG_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             _FONTCONFIG_LIBS="`$PKG_CONFIG --libs \"fontconfig\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$_FONTCONFIG_LIBS" 1>&6
+@@ -26242,7 +26247,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:26246: checking for $ac_word" >&5
++echo "configure:26251: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -26286,19 +26291,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for pixman-1 >= 0.19.2""... $ac_c" 1>&6
+-echo "configure:26290: checking for pixman-1 >= 0.19.2" >&5
++echo "configure:26295: checking for pixman-1 >= 0.19.2" >&5
+ 
+         if $PKG_CONFIG --exists "pixman-1 >= 0.19.2" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking PIXMAN_CFLAGS""... $ac_c" 1>&6
+-echo "configure:26297: checking PIXMAN_CFLAGS" >&5
++echo "configure:26302: checking PIXMAN_CFLAGS" >&5
+             PIXMAN_CFLAGS=`$PKG_CONFIG --cflags "pixman-1 >= 0.19.2"`
+             echo "$ac_t""$PIXMAN_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking PIXMAN_LIBS""... $ac_c" 1>&6
+-echo "configure:26302: checking PIXMAN_LIBS" >&5
++echo "configure:26307: checking PIXMAN_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             PIXMAN_LIBS="`$PKG_CONFIG --libs \"pixman-1 >= 0.19.2\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$PIXMAN_LIBS" 1>&6
+@@ -26338,12 +26343,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:26342: checking for $ac_hdr" >&5
++echo "configure:26347: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 26347 "configure"
++#line 26352 "configure"
+ #include "confdefs.h"
+ 
+ #include <$ac_hdr>
+@@ -26351,7 +26356,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:26355: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:26360: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -26435,12 +26440,12 @@
+ 
+            ac_safe=`echo "d3d9.h" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for d3d9.h""... $ac_c" 1>&6
+-echo "configure:26439: checking for d3d9.h" >&5
++echo "configure:26444: checking for d3d9.h" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 26444 "configure"
++#line 26449 "configure"
+ #include "confdefs.h"
+ 
+ #include <d3d9.h>
+@@ -26448,7 +26453,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:26452: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:26457: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -26472,12 +26477,12 @@
+                 if test -n "$WIN32_D2D_SURFACE_FEATURE"; then
+              ac_safe=`echo "d3d10.h" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for d3d10.h""... $ac_c" 1>&6
+-echo "configure:26476: checking for d3d10.h" >&5
++echo "configure:26481: checking for d3d10.h" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 26481 "configure"
++#line 26486 "configure"
+ #include "confdefs.h"
+ 
+ #include <d3d10.h>
+@@ -26485,7 +26490,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:26489: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:26494: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -26561,7 +26566,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:26565: checking for $ac_word" >&5
++echo "configure:26570: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -26605,19 +26610,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for cairo >= $CAIRO_VERSION""... $ac_c" 1>&6
+-echo "configure:26609: checking for cairo >= $CAIRO_VERSION" >&5
++echo "configure:26614: checking for cairo >= $CAIRO_VERSION" >&5
+ 
+         if $PKG_CONFIG --exists "cairo >= $CAIRO_VERSION" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking CAIRO_CFLAGS""... $ac_c" 1>&6
+-echo "configure:26616: checking CAIRO_CFLAGS" >&5
++echo "configure:26621: checking CAIRO_CFLAGS" >&5
+             CAIRO_CFLAGS=`$PKG_CONFIG --cflags "cairo >= $CAIRO_VERSION"`
+             echo "$ac_t""$CAIRO_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking CAIRO_LIBS""... $ac_c" 1>&6
+-echo "configure:26621: checking CAIRO_LIBS" >&5
++echo "configure:26626: checking CAIRO_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             CAIRO_LIBS="`$PKG_CONFIG --libs \"cairo >= $CAIRO_VERSION\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$CAIRO_LIBS" 1>&6
+@@ -26654,7 +26659,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:26658: checking for $ac_word" >&5
++echo "configure:26663: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -26698,19 +26703,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for cairo-tee >= $CAIRO_VERSION""... $ac_c" 1>&6
+-echo "configure:26702: checking for cairo-tee >= $CAIRO_VERSION" >&5
++echo "configure:26707: checking for cairo-tee >= $CAIRO_VERSION" >&5
+ 
+         if $PKG_CONFIG --exists "cairo-tee >= $CAIRO_VERSION" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking CAIRO_TEE_CFLAGS""... $ac_c" 1>&6
+-echo "configure:26709: checking CAIRO_TEE_CFLAGS" >&5
++echo "configure:26714: checking CAIRO_TEE_CFLAGS" >&5
+             CAIRO_TEE_CFLAGS=`$PKG_CONFIG --cflags "cairo-tee >= $CAIRO_VERSION"`
+             echo "$ac_t""$CAIRO_TEE_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking CAIRO_TEE_LIBS""... $ac_c" 1>&6
+-echo "configure:26714: checking CAIRO_TEE_LIBS" >&5
++echo "configure:26719: checking CAIRO_TEE_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             CAIRO_TEE_LIBS="`$PKG_CONFIG --libs \"cairo-tee >= $CAIRO_VERSION\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$CAIRO_TEE_LIBS" 1>&6
+@@ -26746,7 +26751,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:26750: checking for $ac_word" >&5
++echo "configure:26755: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -26790,19 +26795,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for cairo-xlib-xrender >= $CAIRO_VERSION""... $ac_c" 1>&6
+-echo "configure:26794: checking for cairo-xlib-xrender >= $CAIRO_VERSION" >&5
++echo "configure:26799: checking for cairo-xlib-xrender >= $CAIRO_VERSION" >&5
+ 
+         if $PKG_CONFIG --exists "cairo-xlib-xrender >= $CAIRO_VERSION" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking CAIRO_XRENDER_CFLAGS""... $ac_c" 1>&6
+-echo "configure:26801: checking CAIRO_XRENDER_CFLAGS" >&5
++echo "configure:26806: checking CAIRO_XRENDER_CFLAGS" >&5
+             CAIRO_XRENDER_CFLAGS=`$PKG_CONFIG --cflags "cairo-xlib-xrender >= $CAIRO_VERSION"`
+             echo "$ac_t""$CAIRO_XRENDER_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking CAIRO_XRENDER_LIBS""... $ac_c" 1>&6
+-echo "configure:26806: checking CAIRO_XRENDER_LIBS" >&5
++echo "configure:26811: checking CAIRO_XRENDER_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             CAIRO_XRENDER_LIBS="`$PKG_CONFIG --libs \"cairo-xlib-xrender >= $CAIRO_VERSION\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$CAIRO_XRENDER_LIBS" 1>&6
+@@ -27402,13 +27407,13 @@
+ 
+ # For extensions and langpacks, we require a max version that is compatible
+ # across security releases. MOZ_APP_MAXVERSION is our method for doing that.
+-# 10.0a1 and 10.0a2 aren't affected
+-# 10.0 becomes 10.0.*
+-# 10.0.1 becomes 10.0.*
++# 24.0a1 and 24.0a2 aren't affected
++# 24.0 becomes 24.*
++# 24.1.1 becomes 24.*
+ IS_ALPHA=`echo $MOZ_APP_VERSION | grep a`
+ if test -z "$IS_ALPHA"; then
+   
+-  MOZ_APP_MAXVERSION=`echo $MOZ_APP_VERSION | sed "s|\(^[0-9]*.[0-9]*\).*|\1|"`.*
++  MOZ_APP_MAXVERSION=`echo $MOZ_APP_VERSION | sed "s|\(^[0-9]*\).*|\1|"`.*
+   
+ else
+   MOZ_APP_MAXVERSION=$MOZ_APP_VERSION
+@@ -27694,9 +27699,9 @@
+ 
+ 
+ echo $ac_n "checking for posix_fallocate""... $ac_c" 1>&6
+-echo "configure:27698: checking for posix_fallocate" >&5
++echo "configure:27703: checking for posix_fallocate" >&5
+ cat > conftest.$ac_ext <<EOF
+-#line 27700 "configure"
++#line 27705 "configure"
+ #include "confdefs.h"
+ #define _XOPEN_SOURCE 600
+   #include <fcntl.h>
+@@ -27704,7 +27709,7 @@
+ posix_fallocate(0, 0, 0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:27708: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:27713: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv___posix_fallocate=true
+ else
+@@ -27736,7 +27741,7 @@
+                 _SAVE_CFLAGS=$CFLAGS
+     CFLAGS="$CFLAGS $XCFLAGS"
+     cat > conftest.$ac_ext <<EOF
+-#line 27740 "configure"
++#line 27745 "configure"
+ #include "confdefs.h"
+ 
+         #include <stdio.h>
+@@ -27755,7 +27760,7 @@
+     
+ ; return 0; }
+ EOF
+-if { (eval echo configure:27759: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:27764: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   :
+ else
+   echo "configure: failed program was:" >&5
+@@ -27775,12 +27780,12 @@
+ if test "$MOZ_GL_DEFAULT_PROVIDER" = "GLX"; then
+        ac_safe=`echo "GL/glx.h" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for GL/glx.h""... $ac_c" 1>&6
+-echo "configure:27779: checking for GL/glx.h" >&5
++echo "configure:27784: checking for GL/glx.h" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 27784 "configure"
++#line 27789 "configure"
+ #include "confdefs.h"
+ 
+ #include <GL/glx.h>
+@@ -27788,7 +27793,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:27792: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:27797: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/base/src/nsGkAtomList.h seamonkey-2.21-esr3.0/comm-release/mozilla/content/base/src/nsGkAtomList.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/base/src/nsGkAtomList.h	2013-09-16 22:26:27.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/base/src/nsGkAtomList.h	2014-02-10 01:13:31.433547623 +0400
+@@ -179,6 +179,7 @@
+ GK_ATOM(choose, "choose")
+ GK_ATOM(chromemargin, "chromemargin")
+ GK_ATOM(chromeOnlyContent, "chromeOnlyContent")
++GK_ATOM(exposeToUntrustedContent, "exposeToUntrustedContent")
+ GK_ATOM(circ, "circ")
+ GK_ATOM(circle, "circle")
+ GK_ATOM(cite, "cite")
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/base/test/Makefile.in seamonkey-2.21-esr3.0/comm-release/mozilla/content/base/test/Makefile.in
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/base/test/Makefile.in	2013-09-16 22:26:27.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/base/test/Makefile.in	2014-02-10 01:13:31.583545005 +0400
+@@ -629,6 +629,7 @@
+ 		badMessageEvent2.eventsource \
+ 		badMessageEvent2.eventsource^headers^ \
+ 		test_object.html \
++		test_bug840098.html \
+ 		test_bug869006.html \
+ 		test_bug868999.html \
+ 		test_bug869000.html \
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/base/test/test_bug631615.html seamonkey-2.21-esr3.0/comm-release/mozilla/content/base/test/test_bug631615.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/base/test/test_bug631615.html	2013-09-16 22:26:28.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/base/test/test_bug631615.html	2014-02-10 01:13:31.596544778 +0400
+@@ -32,7 +32,10 @@
+   is(results.slice(0, 6), "throws", "looking for an exception");
+ }
+ 
+-SimpleTest.runTestExpectingConsoleMessages(doTest, []);
++SimpleTest.runTestExpectingConsoleMessages(doTest, [{
++  forbid: true,
++  message: /An invalid or illegal string was specified/
++}]);
+ </script>
+ </body>
+ </html>
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/base/test/test_bug840098.html seamonkey-2.21-esr3.0/comm-release/mozilla/content/base/test/test_bug840098.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/base/test/test_bug840098.html	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/base/test/test_bug840098.html	2014-02-10 01:13:31.620544357 +0400
+@@ -0,0 +1,36 @@
++<!DOCTYPE HTML>
++<html>
++<!--
++https://bugzilla.mozilla.org/show_bug.cgi?id=840098
++-->
++<head>
++  <meta charset="utf-8">
++  <title>Test for Bug 840098</title>
++  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
++  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
++</head>
++<body>
++<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=840098">Mozilla Bug 840098</a>
++<p id="display"></p>
++<div id="content" style="display: none">
++  <div id="foo"></div>
++</div>
++<marquee id="m">Hello</marquee>
++<pre id="test">
++<script type="application/javascript">
++
++/** Test for Bug 840098 **/
++
++var mar = document.getElementById("m");
++var anonymousNode = SpecialPowers.unwrap(SpecialPowers.wrap(document).getAnonymousNodes(mar)[0]);
++try {
++  document.implementation.createDocument("", "", null).adoptNode(anonymousNode);
++  ok(false, "shouldn't be able to adopt the root of an anonymous subtree");
++} catch (e) {
++  is(e.name, "NotSupportedError", "threw the correct type of error");
++}
++
++</script>
++</pre>
++</body>
++</html>
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/canvas/src/CanvasRenderingContext2D.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/content/canvas/src/CanvasRenderingContext2D.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/canvas/src/CanvasRenderingContext2D.cpp	2013-09-16 22:26:28.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/canvas/src/CanvasRenderingContext2D.cpp	2014-02-10 01:13:31.620544357 +0400
+@@ -2535,6 +2535,10 @@
+   gfxFontGroup* currentFontStyle = GetCurrentFontStyle();
+   NS_ASSERTION(currentFontStyle, "font group is null");
+ 
++  // ensure user font set is up to date
++  currentFontStyle->
++    SetUserFontSet(presShell->GetPresContext()->GetUserFontSet());
++
+   if (currentFontStyle->GetStyle()->size == 0.0F) {
+     if (aWidth) {
+       *aWidth = 0;
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/canvas/test/webgl/skipped_tests_linux.txt seamonkey-2.21-esr3.0/comm-release/mozilla/content/canvas/test/webgl/skipped_tests_linux.txt
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/canvas/test/webgl/skipped_tests_linux.txt	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/canvas/test/webgl/skipped_tests_linux.txt	2014-02-10 01:13:31.650543831 +0400
+@@ -0,0 +1 @@
++conformance/more/conformance/quickCheckAPI-B2.html
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/canvas/test/webgl/test_webgl_conformance_test_suite.html seamonkey-2.21-esr3.0/comm-release/mozilla/content/canvas/test/webgl/test_webgl_conformance_test_suite.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/canvas/test/webgl/test_webgl_conformance_test_suite.html	2013-09-16 22:26:28.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/canvas/test/webgl/test_webgl_conformance_test_suite.html	2014-02-10 01:13:31.650543831 +0400
+@@ -517,6 +517,7 @@
+           break;
+         default:
+           failingTestsFilename = 'failing_tests_linux.txt';
++          skippedTestsFilename = 'skipped_tests_linux.txt';
+           break;
+       }
+       break;
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/events/test/test_bug602962.xul seamonkey-2.21-esr3.0/comm-release/mozilla/content/events/test/test_bug602962.xul
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/events/test/test_bug602962.xul	2013-09-16 22:26:28.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/events/test/test_bug602962.xul	2014-02-10 01:13:31.650543831 +0400
+@@ -73,6 +73,12 @@
+ }
+ 
+ function finish() {
++  if (win.outerWidth != oldWidth ||
++      win.outerHeight != oldHeight) {
++    // We should eventually get back to the original size.
++    setTimeout(finish, 0);
++    return;
++  }
+   is(mozBeforeResizeHasFired, true, "The MozBeforeResize event should already have fired");
+   sbo.scrollBy(scrollX, scrollY);
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsBindingManager.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsBindingManager.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsBindingManager.cpp	2013-09-16 22:26:29.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsBindingManager.cpp	2014-02-10 01:13:31.650543832 +0400
+@@ -41,6 +41,8 @@
+ 
+ #include "nsIScriptContext.h"
+ #include "nsBindingManager.h"
++#include "xpcpublic.h"
++#include "jswrapper.h"
+ #include "nsCxPusher.h"
+ 
+ #include "nsThreadUtils.h"
+@@ -1181,16 +1183,29 @@
+       if (!context)
+         return NS_NOINTERFACE;
+ 
+-      AutoPushJSContext jscontext(context->GetNativeContext());
+-      if (!jscontext)
++      AutoPushJSContext cx(context->GetNativeContext());
++      if (!cx)
+         return NS_NOINTERFACE;
+ 
+       nsIXPConnect *xpConnect = nsContentUtils::XPConnect();
+ 
+-      JSObject* jsobj = aContent->GetWrapper();
++      JS::Rooted<JSObject*> jsobj(cx, aContent->GetWrapper());
+       NS_ENSURE_TRUE(jsobj, NS_NOINTERFACE);
+ 
+-      nsresult rv = xpConnect->WrapJSAggregatedToNative(aContent, jscontext,
++      // If we're using an XBL scope, we need to use the Xray view to the bound
++      // content in order to view the full array of methods defined in the
++      // binding, some of which may not be exposed on the prototype of
++      // untrusted content.
++      //
++      // If there's no separate XBL scope, we'll end up with the global of the
++      // reflector, and this will all be a no-op.
++      JS::Rooted<JSObject*> xblScope(cx, xpc::GetXBLScope(cx, jsobj));
++      JSAutoCompartment ac(cx, xblScope);
++      bool ok = JS_WrapObject(cx, jsobj.address());
++      NS_ENSURE_TRUE(ok, NS_ERROR_OUT_OF_MEMORY);
++      MOZ_ASSERT_IF(js::IsWrapper(jsobj), xpc::IsXrayWrapper(jsobj));
++
++      nsresult rv = xpConnect->WrapJSAggregatedToNative(aContent, cx,
+                                                         jsobj, aIID, aResult);
+       if (NS_FAILED(rv))
+         return rv;
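Review bot: The result of `xpc::GetXBLScope(cx, jsobj)` is passed straight to `JSAutoCompartment ac(cx, xblScope)` without a null check. The nsXBLProtoImpl.cpp part of this same patch guards the identical call with `NS_ENSURE_TRUE(scopeObject, NS_ERROR_OUT_OF_MEMORY);`, which suggests the lookup can fail. I would add `NS_ENSURE_TRUE(xblScope, NS_ERROR_OUT_OF_MEMORY);` before entering the compartment. Separately, the guarantee that the rewrapped `jsobj` is an Xray is only a `MOZ_ASSERT_IF`, so it is not enforced in release builds; a short comment saying what happens if a non-Xray wrapper comes back would help. The enclosing function starts and ends outside this hunk.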
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsXBLBinding.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsXBLBinding.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsXBLBinding.cpp	2013-09-16 22:26:29.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsXBLBinding.cpp	2014-02-10 01:13:31.650543832 +0400
+@@ -142,6 +142,7 @@
+ nsXBLBinding::nsXBLBinding(nsXBLPrototypeBinding* aBinding)
+   : mIsStyleBinding(true),
+     mMarkedForDeath(false),
++    mUsingXBLScope(false),
+     mPrototypeBinding(aBinding),
+     mInsertionPointTable(nullptr)
+ {
+@@ -287,6 +288,20 @@
+   mBoundElement = aElement;
+   if (mNextBinding)
+     mNextBinding->SetBoundElement(aElement);
++
++  if (!mBoundElement) {
++    return;
++  }
++
++  // Compute whether we're using an XBL scope.
++  //
++  // We disable XBL scopes for remote XUL, where we care about compat more
++  // than security. So we need to know whether we're using an XBL scope so that
++  // we can decide what to do about untrusted events when "allowuntrusted"
++  // is not given in the handler declaration.
++  nsCOMPtr<nsIGlobalObject> go = mBoundElement->OwnerDoc()->GetScopeObject();
++  NS_ENSURE_TRUE_VOID(go && go->GetGlobalJSObject());
++  mUsingXBLScope = xpc::UseXBLScope(js::GetObjectCompartment(go->GetGlobalJSObject()));
+ }
+ 
+ bool
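Review bot: Both early exits added here leave `mUsingXBLScope` at its previous value: the `!mBoundElement` return and the `NS_ENSURE_TRUE_VOID(go && go->GetGlobalJSObject())` bail-out. The constructor initialises the flag to false, and the handler hunks below only withhold `mAllowUntrustedEvents` when it is true, so a failed lookup ends in the more permissive state, and a rebind could keep a stale value. Whether either path is reachable is not visible from this hunk. I would reset with `mUsingXBLScope = false;` before the `!mBoundElement` check and state the failure default in the comment, e.g. `// If the scope object is unavailable the flag stays false, so untrusted events remain allowed for non-chrome documents.` The function begins before this hunk.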
+@@ -738,7 +753,7 @@
+ 
+           bool hasAllowUntrustedAttr = curr->HasAllowUntrustedAttr();
+           if ((hasAllowUntrustedAttr && curr->AllowUntrustedEvents()) ||
+-              (!hasAllowUntrustedAttr && !isChromeDoc)) {
++              (!hasAllowUntrustedAttr && !isChromeDoc && !mUsingXBLScope)) {
+             flags.mAllowUntrustedEvents = true;
+           }
+ 
+@@ -754,6 +769,7 @@
+       for (i = 0; i < keyHandlers->Count(); ++i) {
+         nsXBLKeyEventHandler* handler = keyHandlers->ObjectAt(i);
+         handler->SetIsBoundToChrome(isChromeDoc);
++        handler->SetUsingXBLScope(mUsingXBLScope);
+ 
+         nsAutoString type;
+         handler->GetEventName(type);
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsXBLBinding.h seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsXBLBinding.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsXBLBinding.h	2013-09-16 22:26:29.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsXBLBinding.h	2014-02-10 01:13:31.650543832 +0400
+@@ -160,6 +160,7 @@
+ 
+   bool mIsStyleBinding;
+   bool mMarkedForDeath;
++  bool mUsingXBLScope;
+ 
+   nsXBLPrototypeBinding* mPrototypeBinding; // Weak, but we're holding a ref to the docinfo
+   nsCOMPtr<nsIContent> mContent; // Strong. Our anonymous content stays around with us.
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsXBLContentSink.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsXBLContentSink.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsXBLContentSink.cpp	2013-09-16 22:26:29.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsXBLContentSink.cpp	2014-02-10 01:13:31.650543832 +0400
+@@ -776,6 +776,7 @@
+   const PRUnichar* readonly = nullptr;
+   const PRUnichar* onget    = nullptr;
+   const PRUnichar* onset    = nullptr;
++  bool exposeToUntrustedContent = false;
+ 
+   nsCOMPtr<nsIAtom> prefix, localName;
+   for (; *aAtts; aAtts += 2) {
+@@ -800,15 +801,21 @@
+     else if (localName == nsGkAtoms::onset) {
+       onset = aAtts[1];
+     }
++    else if (localName == nsGkAtoms::exposeToUntrustedContent &&
++             nsDependentString(aAtts[1]).EqualsLiteral("true"))
++    {
++      exposeToUntrustedContent = true;
++    }
+   }
+ 
+   if (name) {
+     // All of our pointers are now filled in. Construct our property with all of
+     // these parameters.
+     mProperty = new nsXBLProtoImplProperty(name, onget, onset, readonly, aLineNumber);
+-    if (mProperty) {
+-      AddMember(mProperty);
++    if (exposeToUntrustedContent) {
++      mProperty->SetExposeToUntrustedContent(true);
+     }
++    AddMember(mProperty);
+   }
+ }
+ 
+@@ -818,8 +825,14 @@
+   mMethod = nullptr;
+ 
+   const PRUnichar* name = nullptr;
++  const PRUnichar* expose = nullptr;
+   if (FindValue(aAtts, nsGkAtoms::name, &name)) {
+     mMethod = new nsXBLProtoImplMethod(name);
++    if (FindValue(aAtts, nsGkAtoms::exposeToUntrustedContent, &expose) &&
++        nsDependentString(expose).EqualsLiteral("true"))
++    {
++      mMethod->SetExposeToUntrustedContent(true);
++    }
+   }
+ 
+   if (mMethod) {
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsXBLEventHandler.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsXBLEventHandler.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsXBLEventHandler.cpp	2013-09-16 22:26:29.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsXBLEventHandler.cpp	2014-02-10 01:13:31.650543832 +0400
+@@ -71,7 +71,8 @@
+   : mEventType(aEventType),
+     mPhase(aPhase),
+     mType(aType),
+-    mIsBoundToChrome(false)
++    mIsBoundToChrome(false),
++    mUsingXBLScope(false)
+ {
+ }
+ 
+@@ -97,7 +98,7 @@
+     bool hasAllowUntrustedAttr = handler->HasAllowUntrustedAttr();
+     if ((trustedEvent ||
+         (hasAllowUntrustedAttr && handler->AllowUntrustedEvents()) ||
+-        (!hasAllowUntrustedAttr && !mIsBoundToChrome)) &&
++        (!hasAllowUntrustedAttr && !mIsBoundToChrome && !mUsingXBLScope)) &&
+         handler->KeyEventMatched(aKeyEvent, aCharCode, aIgnoreShiftKey)) {
+       handler->ExecuteHandler(target, aKeyEvent);
+       executed = true;
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsXBLEventHandler.h seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsXBLEventHandler.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsXBLEventHandler.h	2013-09-16 22:26:29.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsXBLEventHandler.h	2014-02-10 01:13:31.650543832 +0400
+@@ -85,6 +85,12 @@
+   {
+     mIsBoundToChrome = aIsBoundToChrome;
+   }
++
++  void SetUsingXBLScope(bool aUsingXBLScope)
++  {
++    mUsingXBLScope = aUsingXBLScope;
++  }
++
+ private:
+   nsXBLKeyEventHandler();
+   bool ExecuteMatchedHandlers(nsIDOMKeyEvent* aEvent, uint32_t aCharCode,
+@@ -95,6 +101,7 @@
+   uint8_t mPhase;
+   uint8_t mType;
+   bool mIsBoundToChrome;
++  bool mUsingXBLScope;
+ };
+ 
+ nsresult
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsXBLProtoImpl.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsXBLProtoImpl.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsXBLProtoImpl.cpp	2013-09-16 22:26:29.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsXBLProtoImpl.cpp	2014-02-10 01:13:31.651543815 +0400
+@@ -18,8 +18,11 @@
+ #include "nsIDOMNode.h"
+ #include "nsXBLPrototypeBinding.h"
+ #include "nsXBLProtoImplProperty.h"
++#include "js/CharacterEncoding.h"
+ 
+ using namespace mozilla;
++using js::GetGlobalForObjectCrossCompartment;
++using js::AssertSameCompartment;
+ 
+ nsresult
+ nsXBLProtoImpl::InstallImplementation(nsXBLPrototypeBinding* aPrototypeBinding,
+@@ -68,50 +71,68 @@
+                                            holder->GetJSObject());
+ 
+   AutoPushJSContext cx(context->GetNativeContext());
+-  JSAutoCompartment ac(cx, targetClassObject);
+ 
+-  // Walk our member list and install each one in turn.
+-  for (nsXBLProtoImplMember* curr = mMembers;
+-       curr;
+-       curr = curr->GetNext())
+-    curr->InstallMember(cx, targetClassObject);
++  // We want to define the canonical set of members in a safe place. If we're
++  // using a separate XBL scope, we want to define them there first (so that
++  // they'll be available for Xray lookups, among other things), and then copy
++  // the properties to the content-side prototype as needed. We don't need to
++  // bother about the field accessors here, since we don't use/support those
++  // for in-content bindings.
+ 
+-  // If we're using a separate XBL scope, make a safe copy of the target class
+-  // object in the XBL scope that we can use for Xray lookups. We don't need
+-  // the field accessors, so do this before installing them.
++  // First, start by entering the compartment of the XBL scope. This may or may
++  // not be the same compartment as globalObject.
+   JS::Rooted<JSObject*> globalObject(cx,
+-    JS_GetGlobalForObject(cx, targetClassObject));
++    GetGlobalForObjectCrossCompartment(targetClassObject));
+   JS::Rooted<JSObject*> scopeObject(cx, xpc::GetXBLScope(cx, globalObject));
+   NS_ENSURE_TRUE(scopeObject, NS_ERROR_OUT_OF_MEMORY);
++  JSAutoCompartment ac(cx, scopeObject);
++
++  // If they're different, create our safe holder object in the XBL scope.
++  JS::RootedObject propertyHolder(cx);
+   if (scopeObject != globalObject) {
+-    JSAutoCompartment ac2(cx, scopeObject);
+ 
+-    // Create the object. This is just a property holder, so it doesn't need
+-    // any special JSClass.
+-    JS::Rooted<JSObject*> shadowProto(cx,
+-      JS_NewObjectWithGivenProto(cx, nullptr, nullptr, scopeObject));
+-    NS_ENSURE_TRUE(shadowProto, NS_ERROR_OUT_OF_MEMORY);
++    // This is just a property holder, so it doesn't need any special JSClass.
++    propertyHolder = JS_NewObjectWithGivenProto(cx, nullptr, nullptr, scopeObject);
++    NS_ENSURE_TRUE(propertyHolder, NS_ERROR_OUT_OF_MEMORY);
+ 
+     // Define it as a property on the scopeObject, using the same name used on
+     // the content side.
+     bool ok = JS_DefineProperty(cx, scopeObject,
+                                 js::GetObjectClass(targetClassObject)->name,
+-                                JS::ObjectValue(*shadowProto), JS_PropertyStub,
++                                JS::ObjectValue(*propertyHolder), JS_PropertyStub,
+                                 JS_StrictPropertyStub,
+                                 JSPROP_PERMANENT | JSPROP_READONLY);
+     NS_ENSURE_TRUE(ok, NS_ERROR_UNEXPECTED);
++  } else {
++    propertyHolder = targetClassObject;
++  }
+ 
+-    // Copy all the properties from the content-visible prototype to the shadow
+-    // object. This rewraps them appropriately, which should result in vanilla
+-    // functions, since the properties on the content prototype were cross-
+-    // compartment wrappers.
+-    ok = JS_CopyPropertiesFrom(cx, shadowProto, targetClassObject);
+-    NS_ENSURE_TRUE(ok, NS_ERROR_UNEXPECTED);
++  // Walk our member list and install each one in turn on the XBL scope object.
++  for (nsXBLProtoImplMember* curr = mMembers;
++       curr;
++       curr = curr->GetNext())
++    curr->InstallMember(cx, propertyHolder);
+ 
+-    // Content shouldn't have any way to touch this object, but freeze it just
+-    // to be safe.
+-    ok = JS_FreezeObject(cx, shadowProto);
++  // From here on out, work in the scope of the bound element.
++  JSAutoCompartment ac2(cx, targetClassObject);
++
++  // Now, if we're using a separate XBL scope, enter the compartment of the
++  // bound node and copy exposable properties to the prototype there. This
++  // rewraps them appropriately, which should result in cross-compartment
++  // function wrappers.
++  if (propertyHolder != targetClassObject) {
++    AssertSameCompartment(propertyHolder, scopeObject);
++    AssertSameCompartment(targetClassObject, globalObject);
++    for (nsXBLProtoImplMember* curr = mMembers; curr; curr = curr->GetNext()) {
++      if (curr->ShouldExposeToUntrustedContent()) {
++        JS::Rooted<jsid> id(cx);
++        JS::TwoByteChars chars(curr->GetName(), NS_strlen(curr->GetName()));
++        bool ok = JS_CharsToId(cx, chars, id.address());
+     NS_ENSURE_TRUE(ok, NS_ERROR_UNEXPECTED);
++        JS_CopyPropertyFrom(cx, id, targetClassObject, propertyHolder);
++        NS_ENSURE_TRUE(ok, NS_ERROR_UNEXPECTED);
++      }
++    }
+   }
+ 
+   // Install all of our field accessors.
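Review bot: In the new copy loop the return value of `JS_CopyPropertyFrom(cx, id, targetClassObject, propertyHolder);` is discarded. The `NS_ENSURE_TRUE(ok, NS_ERROR_UNEXPECTED);` after it re-tests the `ok` left over from `JS_CharsToId`, so a failed copy of an exposed member goes unnoticed and may leave an exception pending on `cx`. The line should read `ok = JS_CopyPropertyFrom(cx, id, targetClassObject, propertyHolder);`. The first `NS_ENSURE_TRUE` in that loop is a retained context line and keeps its old four-space indent, which makes the pairing easy to misread; re-indenting it to match the loop body would help. `InstallImplementation` continues past the end of this hunk.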
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsXBLProtoImplMember.h seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsXBLProtoImplMember.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsXBLProtoImplMember.h	2013-09-16 22:26:29.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsXBLProtoImplMember.h	2014-02-10 01:13:31.651543815 +0400
+@@ -63,7 +63,12 @@
+ class nsXBLProtoImplMember
+ {
+ public:
+-  nsXBLProtoImplMember(const PRUnichar* aName) :mNext(nullptr) { mName = ToNewUnicode(nsDependentString(aName)); }
++  nsXBLProtoImplMember(const PRUnichar* aName)
++    : mNext(nullptr)
++    , mExposeToUntrustedContent(false)
++  {
++    mName = ToNewUnicode(nsDependentString(aName));
++  }
+   virtual ~nsXBLProtoImplMember() {
+     nsMemory::Free(mName);
+     NS_CONTENT_DELETE_LIST_MEMBER(nsXBLProtoImplMember, this, mNext);
+@@ -71,6 +76,8 @@
+ 
+   nsXBLProtoImplMember* GetNext() { return mNext; }
+   void SetNext(nsXBLProtoImplMember* aNext) { mNext = aNext; }
++  bool ShouldExposeToUntrustedContent() { return mExposeToUntrustedContent; }
++  void SetExposeToUntrustedContent(bool aExpose) { mExposeToUntrustedContent = aExpose; }
+   const PRUnichar* GetName() { return mName; }
+ 
+   virtual nsresult InstallMember(JSContext* aCx,
+@@ -90,6 +97,11 @@
+ protected:
+   nsXBLProtoImplMember* mNext;  // The members of an implementation are chained.
+   PRUnichar* mName;               // The name of the field, method, or property.
++
++  bool mExposeToUntrustedContent; // If this binding is installed on an element
++                                  // in an untrusted scope, should this
++                                  // implementation member be accessible to the
++                                  // content?
+ };
+ 
+ #endif // nsXBLProtoImplMember_h__
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsXBLProtoImplMethod.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsXBLProtoImplMethod.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsXBLProtoImplMethod.cpp	2013-09-16 22:26:29.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsXBLProtoImplMethod.cpp	2014-02-10 01:13:31.651543815 +0400
+@@ -104,26 +104,16 @@
+   MOZ_ASSERT(js::IsObjectInContextCompartment(aTargetClassObject, aCx));
+ 
+   JS::Rooted<JSObject*> globalObject(aCx, JS_GetGlobalForObject(aCx, aTargetClassObject));
+-  JS::Rooted<JSObject*> scopeObject(aCx, xpc::GetXBLScope(aCx, globalObject));
+-  NS_ENSURE_TRUE(scopeObject, NS_ERROR_OUT_OF_MEMORY);
++  MOZ_ASSERT(xpc::IsInXBLScope(globalObject) ||
++             globalObject == xpc::GetXBLScope(aCx, globalObject));
+ 
+   // now we want to reevaluate our property using aContext and the script object for this window...
+   JS::Rooted<JSObject*> jsMethodObject(aCx, GetCompiledMethod());
+   if (jsMethodObject) {
+     nsDependentString name(mName);
+ 
+-    // First, make the function in the compartment of the scope object.
+-    JSAutoCompartment ac(aCx, scopeObject);
+-    JS::Rooted<JSObject*> method(aCx, ::JS_CloneFunctionObject(aCx, jsMethodObject, scopeObject));
+-    if (!method) {
+-      return NS_ERROR_OUT_OF_MEMORY;
+-    }
+-
+-    // Then, enter the content compartment, wrap the method pointer, and define
+-    // the wrapped version on the class object.
+-    JSAutoCompartment ac2(aCx, aTargetClassObject);
+-    if (!JS_WrapObject(aCx, method.address()))
+-      return NS_ERROR_OUT_OF_MEMORY;
++    JS::Rooted<JSObject*> method(aCx, JS_CloneFunctionObject(aCx, jsMethodObject, globalObject));
++    NS_ENSURE_TRUE(method, NS_ERROR_OUT_OF_MEMORY);
+ 
+     JS::Rooted<JS::Value> value(aCx, JS::ObjectValue(*method));
+     if (!::JS_DefineUCProperty(aCx, aTargetClassObject,
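Review bot: This function (presumably `InstallMember`) now depends on the caller passing an object that already lives in the XBL scope. That precondition is checked only by `MOZ_ASSERT(xpc::IsInXBLScope(globalObject) || ...)`, which is compiled out of release builds. With the explicit `GetXBLScope` / `JSAutoCompartment` steps removed, a caller that passes a content-side class object would have the method cloned directly against the content global. I would document the contract above the assertion, e.g. `// Caller passes the XBL-scope property holder (or the class object itself when there is no separate XBL scope); exposure to content is decided in InstallImplementation.` The same applies to the getter/setter hunk in nsXBLProtoImplProperty.cpp. The function starts before and continues past this hunk.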
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsXBLProtoImplProperty.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsXBLProtoImplProperty.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/src/nsXBLProtoImplProperty.cpp	2013-09-16 22:26:29.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/src/nsXBLProtoImplProperty.cpp	2014-02-10 01:13:31.651543815 +0400
+@@ -132,33 +132,25 @@
+   MOZ_ASSERT(mGetter.IsCompiled() && mSetter.IsCompiled());
+   MOZ_ASSERT(js::IsObjectInContextCompartment(aTargetClassObject, aCx));
+   JS::Rooted<JSObject*> globalObject(aCx, JS_GetGlobalForObject(aCx, aTargetClassObject));
+-  JS::Rooted<JSObject*> scopeObject(aCx, xpc::GetXBLScope(aCx, globalObject));
+-  NS_ENSURE_TRUE(scopeObject, NS_ERROR_OUT_OF_MEMORY);
++  MOZ_ASSERT(xpc::IsInXBLScope(globalObject) ||
++             globalObject == xpc::GetXBLScope(aCx, globalObject));
+ 
+   // now we want to reevaluate our property using aContext and the script object for this window...
+   if (mGetter.GetJSFunction() || mSetter.GetJSFunction()) {
+-    // First, enter the compartment of the scope object and clone the functions.
+-    JSAutoCompartment ac(aCx, scopeObject);
+-
+     JS::Rooted<JSObject*> getter(aCx, nullptr);
+     if (mGetter.GetJSFunction()) {
+-      if (!(getter = ::JS_CloneFunctionObject(aCx, mGetter.GetJSFunction(), scopeObject)))
++      if (!(getter = ::JS_CloneFunctionObject(aCx, mGetter.GetJSFunction(), globalObject)))
+         return NS_ERROR_OUT_OF_MEMORY;
+     }
+ 
+     JS::Rooted<JSObject*> setter(aCx, nullptr);
+     if (mSetter.GetJSFunction()) {
+-      if (!(setter = ::JS_CloneFunctionObject(aCx, mSetter.GetJSFunction(), scopeObject)))
++      if (!(setter = ::JS_CloneFunctionObject(aCx, mSetter.GetJSFunction(), globalObject)))
+         return NS_ERROR_OUT_OF_MEMORY;
+     }
+ 
+-    // Now, enter the content compartment, wrap the getter/setter, and define
+-    // them on the class object.
+-    JSAutoCompartment ac2(aCx, aTargetClassObject);
+     nsDependentString name(mName);
+-    if (!JS_WrapObject(aCx, getter.address()) ||
+-        !JS_WrapObject(aCx, setter.address()) ||
+-        !::JS_DefineUCProperty(aCx, aTargetClassObject,
++    if (!::JS_DefineUCProperty(aCx, aTargetClassObject,
+                                static_cast<const jschar*>(mName),
+                                name.Length(), JSVAL_VOID,
+                                JS_DATA_TO_FUNC_PTR(JSPropertyOp, getter.get()),
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/test/bug310107-resource.xhtml seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/test/bug310107-resource.xhtml
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/test/bug310107-resource.xhtml	2013-09-16 22:26:29.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/test/bug310107-resource.xhtml	2014-02-10 01:13:31.651543815 +0400
+@@ -8,7 +8,8 @@
+     <bindings xmlns="http://www.mozilla.org/xbl">
+       <binding id="binding">
+         <implementation>
+-          <property name="prop" readonly="true" onget="return 2;"/>
++          <property name="prop" readonly="true" exposeToUntrustedContent="true"
++            onget="return 2;"/>
+         </implementation>
+       </binding>
+     </bindings>
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/test/file_bug481558.xbl seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/test/file_bug481558.xbl
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/test/file_bug481558.xbl	2013-09-16 22:26:29.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/test/file_bug481558.xbl	2014-02-10 01:13:31.651543815 +0400
+@@ -7,7 +7,8 @@
+     Binding Attached
+   </content>
+   <implementation>
+-    <property name="xblBoundProperty" onget="return 1;"/>
++    <property name="xblBoundProperty" onget="return 1;"
++              exposeToUntrustedContent="true"/>
+   </implementation>
+ </binding>
+ </bindings>
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/test/file_bug821850.xhtml seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/test/file_bug821850.xhtml
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/test/file_bug821850.xhtml	2013-09-16 22:26:29.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/test/file_bug821850.xhtml	2014-02-10 01:13:31.651543815 +0400
+@@ -43,6 +43,16 @@
+           is(bound.primitiveField, undefined, "Xrays don't show fields");
+           is(bound.wrappedJSObject.primitiveField, 2, "Waiving Xrays show fields");
+ 
++          // Check exposure behavior.
++          is(typeof bound.unexposedMethod, 'function',
++             "Unexposed method should be visible to XBL");
++          is(typeof bound.wrappedJSObject.unexposedMethod, 'undefined',
++             "Unexposed method should not be defined in content");
++          is(typeof bound.unexposedProperty, 'number',
++             "Unexposed property should be visible to XBL");
++          is(typeof bound.wrappedJSObject.unexposedProperty, 'undefined',
++             "Unexposed property should not be defined in content");
++
+           // Check that here document.QueryInterface works
+           ok("QueryInterface" in document,
+              "Should have a document.QueryInterface here");
+@@ -65,13 +75,15 @@
+           win.go();
+         </constructor>
+         <field name="primitiveField">2</field>
+-        <method name="method">
++        <method name="unexposedMethod"><body></body></method>
++        <property name="unexposedProperty" onget="return 2;" readonly="true"></property>
++        <method name="method" exposeToUntrustedContent="true">
+           <parameter name="arg" />
+           <body>
+             return "method:" + arg;
+           </body>
+         </method>
+-        <method name="passMeAJSObject">
++        <method name="passMeAJSObject" exposeToUntrustedContent="true">
+           <parameter name="arg" />
+           <body>
+             is(typeof arg.prop, 'undefined', "No properties");
+@@ -85,13 +97,16 @@
+             is(typeof arg.foo, 'undefined', "Shouldn't place props");
+           </body>
+         </method>
+-        <property name="prop">
++        <property name="prop" exposeToUntrustedContent="true">
+           <getter>return this._prop;</getter>
+           <setter>this._prop = "set:" + val;</setter>
+         </property>
+       </implementation>
+       <handlers>
+-        <handler event="testevent" action="ok(true, 'called event handler'); finish();"/>
++        <handler event="testevent" action="ok(true, 'called event handler'); finish();" allowuntrusted="true"/>
++        <handler event="testtrusted" action="ok(true, 'called trusted handler'); window.wrappedJSObject.triggeredTrustedHandler = true;"/>
++        <handler event="keyup" action="ok(true, 'called untrusted key handler'); window.wrappedJSObject.triggeredUntrustedKeyHandler = true;" allowuntrusted="true"/>
++        <handler event="keydown" action="ok(true, 'called trusted key handler'); window.wrappedJSObject.triggeredTrustedKeyHandler = true;"/>
+       </handlers>
+     </binding>
+   </bindings>
+@@ -194,6 +209,58 @@
+     Object.defineProperty(bound, 'prop', {value: "redefined"});
+     bound.primitiveField = 321;
+ 
++    // We need a chrome window to create trusted events. This isn't really doable
++    // in child processes, so let's just skip if that's the case.
++    if (SpecialPowers.isMainProcess()) {
++      var Ci = SpecialPowers.Ci;
++      var chromeWin = SpecialPowers.wrap(window.top)
++                                   .QueryInterface(Ci.nsIInterfaceRequestor)
++                                   .getInterface(Ci.nsIWebNavigation)
++                                   .QueryInterface(Ci.nsIDocShell)
++                                   .chromeEventHandler.ownerDocument.defaultView;
++
++      // Untrusted events should not trigger event handlers without
++      // exposeToUntrustedContent=true.
++      window.triggeredTrustedHandler = false;
++      var untrustedEvent = new CustomEvent('testtrusted');
++      ok(!untrustedEvent.isTrusted, "Created an untrusted event");
++      bound.dispatchEvent(untrustedEvent);
++      ok(!window.triggeredTrustedHandler, "untrusted events should not trigger trusted handler");
++      var trustedEvent = new chromeWin.CustomEvent('testtrusted');
++      ok(trustedEvent.isTrusted, "Created a trusted event");
++      SpecialPowers.wrap(bound).dispatchEvent(trustedEvent);
++      ok(window.triggeredTrustedHandler, "trusted events should trigger trusted handler");
++
++      //
++      // We check key events as well, since they're implemented differently.
++      //
++      // NB: We don't check isTrusted on the events we create here, because
++      // according to smaug, old-style event initialization doesn't mark the
++      // event as trusted until it's dispatched.
++      //
++
++      window.triggeredUntrustedKeyHandler = false;
++      window.triggeredTrustedKeyHandler = false;
++
++      // Untrusted event, permissive handler.
++      var untrustedKeyEvent = document.createEvent('KeyboardEvent');
++      untrustedKeyEvent.initEvent('keyup', true, true);
++      bound.dispatchEvent(untrustedKeyEvent);
++      ok(window.triggeredUntrustedKeyHandler, "untrusted key events should trigger untrusted handler");
++
++      // Untrusted event, strict handler.
++      var fakeTrustedKeyEvent = document.createEvent('KeyboardEvent');
++      fakeTrustedKeyEvent.initEvent('keydown', true, true);
++      bound.dispatchEvent(fakeTrustedKeyEvent);
++      ok(!window.triggeredTrustedKeyHandler, "untrusted key events should not trigger trusted handler");
++
++      // Trusted event, strict handler.
++      var trustedKeyEvent = chromeWin.document.createEvent('KeyboardEvent');
++      trustedKeyEvent.initEvent('keydown', true, true);
++      SpecialPowers.wrap(bound).dispatchEvent(trustedKeyEvent);
++      ok(window.triggeredTrustedKeyHandler, "trusted key events should trigger trusted handler");
++    }
++
+     // Hand control back to the XBL scope by dispatching an event on the bound element.
+     bound.dispatchEvent(new CustomEvent('testevent'));
+   }
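Review bot: The comment that opens the added block names the wrong attribute. It says untrusted events should not trigger handlers without `exposeToUntrustedContent=true`, but the `<handler>` elements in this file opt in with `allowuntrusted="true"`; `exposeToUntrustedContent` is the attribute used on methods and properties. I would reword it to `// Untrusted events should not trigger event handlers without allowuntrusted="true".` so the test documents the switch it actually exercises. The enclosing function starts outside the hunk.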
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/test/test_bug371724.xhtml seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/test/test_bug371724.xhtml
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/test/test_bug371724.xhtml	2013-09-16 22:26:29.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/test/test_bug371724.xhtml	2014-02-10 01:13:31.651543815 +0400
+@@ -9,7 +9,7 @@
+   <bindings xmlns="http://www.mozilla.org/xbl">
+     <binding id="rd">
+       <implementation>
+-        <property name="hallo" onget="return true;" readonly="true"/>
++        <property name="hallo" onget="return true;" readonly="true" exposeToUntrustedContent="true"/>
+       </implementation>
+     </binding>
+   </bindings>
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/test/test_bug403162.xhtml seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/test/test_bug403162.xhtml
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/test/test_bug403162.xhtml	2013-09-16 22:26:29.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/test/test_bug403162.xhtml	2014-02-10 01:13:31.651543815 +0400
+@@ -9,7 +9,7 @@
+   <bindings xmlns="http://www.mozilla.org/xbl">
+     <binding id="test">
+       <handlers>
+-        <handler event="foo" action="XPCNativeWrapper.unwrap(window).triggerCount++"/>
++        <handler event="foo" action="XPCNativeWrapper.unwrap(window).triggerCount++" allowuntrusted="true"/>
+       </handlers>
+     </binding>
+   </bindings>
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/test/test_bug639338.xhtml seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/test/test_bug639338.xhtml
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/test/test_bug639338.xhtml	2013-09-16 22:26:29.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/test/test_bug639338.xhtml	2014-02-10 01:13:31.652543797 +0400
+@@ -9,9 +9,9 @@
+   <bindings xmlns="http://www.mozilla.org/xbl">
+     <binding id="test">
+       <handlers>
+-        <handler event="DOMMouseScroll" action="XPCNativeWrapper.unwrap(window).triggerCount++"/>
+-        <handler event="DOMMouseScroll" modifiers="shift" action="XPCNativeWrapper.unwrap(window).shiftCount++"/>
+-        <handler event="DOMMouseScroll" modifiers="control" action="XPCNativeWrapper.unwrap(window).controlCount++"/>
++        <handler event="DOMMouseScroll" action="XPCNativeWrapper.unwrap(window).triggerCount++" allowuntrusted="true"/>
++        <handler event="DOMMouseScroll" modifiers="shift" action="XPCNativeWrapper.unwrap(window).shiftCount++" allowuntrusted="true"/>
++        <handler event="DOMMouseScroll" modifiers="control" action="XPCNativeWrapper.unwrap(window).controlCount++" allowuntrusted="true"/>
+       </handlers>
+     </binding>
+   </bindings>
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/test/test_bug790265.xhtml seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/test/test_bug790265.xhtml
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/content/xbl/test/test_bug790265.xhtml	2013-09-16 22:26:29.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/content/xbl/test/test_bug790265.xhtml	2014-02-10 01:13:31.652543797 +0400
+@@ -10,7 +10,7 @@
+   <bindings xmlns="http://www.mozilla.org/xbl">
+     <binding id="binding">
+       <implementation>
+-        <method name="foo">
++        <method name="foo" exposeToUntrustedContent="true">
+           <body><![CDATA[
+             return this;
+           ]]></body>
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/docshell/test/chrome/test_bug456980.xul seamonkey-2.21-esr3.0/comm-release/mozilla/docshell/test/chrome/test_bug456980.xul
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/docshell/test/chrome/test_bug456980.xul	2013-09-16 22:26:30.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/docshell/test/chrome/test_bug456980.xul	2014-02-10 01:13:31.652543797 +0400
+@@ -20,8 +20,6 @@
+ 
+   <!-- test code goes here -->
+   <script type="application/javascript"><![CDATA[
+-    SimpleTest.expectAssertions(1);
+-
+     SimpleTest.waitForExplicitFinish();
+ 
+     addLoadEvent(function() {
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/docshell/test/chrome/test_bug608669.xul seamonkey-2.21-esr3.0/comm-release/mozilla/docshell/test/chrome/test_bug608669.xul
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/docshell/test/chrome/test_bug608669.xul	2013-09-16 22:26:30.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/docshell/test/chrome/test_bug608669.xul	2014-02-10 01:13:31.652543797 +0400
+@@ -39,9 +39,7 @@
+ }
+ 
+ 
+-SimpleTest.expectAssertions(1);
+-
+-    /** Test for Bug 608669 **/
++/** Test for Bug 608669 **/
+ SimpleTest.waitForExplicitFinish();
+ 
+ addLoadEvent(nextTest);
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/dom/base/nsGlobalWindow.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/dom/base/nsGlobalWindow.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/dom/base/nsGlobalWindow.cpp	2013-09-16 22:26:30.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/dom/base/nsGlobalWindow.cpp	2014-02-10 01:13:31.654543761 +0400
+@@ -1718,7 +1718,10 @@
+   }
+   NS_IMPL_CYCLE_COLLECTION_UNLINK(mLocalStorage)
+   NS_IMPL_CYCLE_COLLECTION_UNLINK(mSessionStorage)
++  if (tmp->mApplicationCache) {
++    static_cast<nsDOMOfflineResourceList*>(tmp->mApplicationCache.get())->Disconnect();
+   NS_IMPL_CYCLE_COLLECTION_UNLINK(mApplicationCache)
++  }
+   NS_IMPL_CYCLE_COLLECTION_UNLINK(mDocumentPrincipal)
+   NS_IMPL_CYCLE_COLLECTION_UNLINK(mDoc)
+   NS_IMPL_CYCLE_COLLECTION_UNLINK(mIdleService)
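Review bot: The added `static_cast<nsDOMOfflineResourceList*>(tmp->mApplicationCache.get())` is an unchecked downcast, so it is only safe if mApplicationCache can never hold another implementation; nothing in the hunk establishes that. If the invariant holds, state it next to the cast together with the reason Disconnect() has to run before the unlink, for example `// mApplicationCache is always an nsDOMOfflineResourceList; disconnect it before the reference is dropped`. The unlink block begins and ends outside the hunk.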
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/dom/bindings/CallbackObject.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/dom/bindings/CallbackObject.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/dom/bindings/CallbackObject.cpp	2013-09-16 22:26:30.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/dom/bindings/CallbackObject.cpp	2014-02-10 01:13:31.693543079 +0400
+@@ -197,8 +197,7 @@
+   JSAutoCompartment ac(cx, callback);
+   nsRefPtr<nsXPCWrappedJS> wrappedJS;
+   nsresult rv =
+-    nsXPCWrappedJS::GetNewOrUsed(callback, aIID,
+-                                 nullptr, getter_AddRefs(wrappedJS));
++    nsXPCWrappedJS::GetNewOrUsed(callback, aIID, getter_AddRefs(wrappedJS));
+   if (NS_FAILED(rv) || !wrappedJS) {
+     return nullptr;
+   }
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/dom/bindings/Codegen.py seamonkey-2.21-esr3.0/comm-release/mozilla/dom/bindings/Codegen.py
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/dom/bindings/Codegen.py	2014-02-10 01:12:09.675987545 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/dom/bindings/Codegen.py	2014-02-10 01:13:31.694543062 +0400
+@@ -2419,18 +2419,9 @@
+                 ).substitute(self.substitution)
+ 
+         return checkObjectType + string.Template(
+-            """nsISupports* supp = nullptr;
+-if (XPCConvert::GetISupportsFromJSObject(${source}, &supp)) {
+-  nsCOMPtr<nsIXPConnectWrappedNative> xpcwn = do_QueryInterface(supp);
+-  if (xpcwn) {
+-    supp = xpcwn->Native();
+-  }
+-}
+-
+-const nsIID& iid = NS_GET_IID(${nativeType});
++            """const nsIID& iid = NS_GET_IID(${nativeType});
+ nsRefPtr<nsXPCWrappedJS> wrappedJS;
+-nsresult rv = nsXPCWrappedJS::GetNewOrUsed(${source}, iid,
+-                                           supp, getter_AddRefs(wrappedJS));
++nsresult rv = nsXPCWrappedJS::GetNewOrUsed(${source}, iid, getter_AddRefs(wrappedJS));
+ if (NS_FAILED(rv) || !wrappedJS) {
+ ${codeOnFailure}
+ }
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/dom/bindings/test/Makefile.in seamonkey-2.21-esr3.0/comm-release/mozilla/dom/bindings/test/Makefile.in
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/dom/bindings/test/Makefile.in	2013-09-16 22:26:30.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/dom/bindings/test/Makefile.in	2014-02-10 01:13:31.694543062 +0400
+@@ -77,6 +77,7 @@
+   test_ByteString.html \
+   test_exception_messages.html \
+   test_defineProperty.html \
++  test_barewordGetsWindow.html \
+   $(NULL)
+ 
+ MOCHITEST_CHROME_FILES = \
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/dom/bindings/test/test_barewordGetsWindow.html seamonkey-2.21-esr3.0/comm-release/mozilla/dom/bindings/test/test_barewordGetsWindow.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/dom/bindings/test/test_barewordGetsWindow.html	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/dom/bindings/test/test_barewordGetsWindow.html	2014-02-10 01:13:31.714542709 +0400
+@@ -0,0 +1,60 @@
++<!DOCTYPE HTML>
++<html>
++<!--
++https://bugzilla.mozilla.org/show_bug.cgi?id=936056
++-->
++<head>
++  <meta charset="utf-8">
++  <title>Test for Bug 936056</title>
++  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
++  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
++  <script type="application/javascript">
++
++  /** Test for Bug 936056 **/
++  SimpleTest.waitForExplicitFinish();
++  window.onload = function() {
++    var desc = Object.getOwnPropertyDescriptor(frames[0], "document");
++    if (!desc || !desc.get) {
++      todo(false, "This test does nothing so far, but will once Window is on WebIDL bindings");
++      SimpleTest.finish();
++      return;
++    }
++    get = desc.get;
++    ok(get, "Couldn't find document getter");
++    Object.defineProperty(frames[0], "foo", { get: get });
++
++    var barewordFunc = frames[0].eval("(function (count) { var doc; for (var i = 0; i < count; ++i) doc = foo; return doc.documentElement; })");
++    var qualifiedFunc = frames[0].eval("(function (count) { var doc; for (var i = 0; i < count; ++i) doc = window.document; return doc.documentElement; })");
++    document.querySelector("iframe").onload = function () {
++      // interp
++      is(barewordFunc(1).textContent, "OLD", "Bareword should see own inner 1");
++      is(qualifiedFunc(1).textContent, "NEW",
++         "Qualified should see current inner 1");
++      // baseline
++      is(barewordFunc(100).textContent, "OLD", "Bareword should see own inner 2");
++      is(qualifiedFunc(100).textContent, "NEW",
++         "Qualified should see current inner 2");
++      // ion
++      is(barewordFunc(10000).textContent, "OLD", "Bareword should see own inner 3");
++      is(qualifiedFunc(10000).textContent, "NEW",
++         "Qualified should see current inner 2");
++      SimpleTest.finish();
++    }
++    frames[0].location = "data:text/plain,NEW";
++  }
++
++
++
++
++  </script>
++</head>
++<body>
++<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=936056">Mozilla Bug 936056</a>
++<p id="display"></p>
++<div id="content" style="display: none">
++<iframe src="data:text/plain,OLD"></iframe>
++</div>
++<pre id="test">
++</pre>
++</body>
++</html>
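Review bot: `get = desc.get;` has no `var` and so creates an implicit global, and the last assertion of the ion tier reuses the label "Qualified should see current inner 2", which makes a failure there indistinguishable from the baseline one in the log. I would write `var get = desc.get;` and label the final check `"Qualified should see current inner 3"`. The message in `ok(get, "Couldn't find document getter")` also reads as a failure when the check passes; `"Found document getter"` would be clearer.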
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/dom/indexedDB/test/browser_perwindow_privateBrowsing.js seamonkey-2.21-esr3.0/comm-release/mozilla/dom/indexedDB/test/browser_perwindow_privateBrowsing.js
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/dom/indexedDB/test/browser_perwindow_privateBrowsing.js	2013-09-16 22:26:31.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/dom/indexedDB/test/browser_perwindow_privateBrowsing.js	2014-02-10 01:13:31.714542709 +0400
+@@ -17,6 +17,10 @@
+ {
+   gBrowser.selectedTab = gBrowser.addTab();
+   gBrowser.selectedBrowser.addEventListener("load", function () {
++    if (content.location != testPageURL) {
++      content.location = testPageURL;
++      return;
++    }
+     gBrowser.selectedBrowser.removeEventListener("load", arguments.callee, true);
+ 
+     setFinishedCallback(function(result, exception) {
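Review bot: The added guard re-navigates on every load event whose location differs from testPageURL, so if the loaded URL never compares equal (a redirect, or a normalised form of the URL) the listener keeps reloading until the harness times out; the hunk at -45,6 repeats the pattern with `win.content`. The comparison `content.location != testPageURL` also depends on `!=` stringifying the Location object, and `content.location.href != testPageURL` would state the intent. A one-line comment saying which load is being skipped (presumably the new tab's initial blank page) would explain why the guard exists. The listener body continues outside the hunk.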
+@@ -45,6 +49,10 @@
+ {
+   win.gBrowser.selectedTab = win.gBrowser.addTab();
+   win.gBrowser.selectedBrowser.addEventListener("load", function () {
++    if (win.content.location != testPageURL) {
++      win.content.location = testPageURL;
++      return;
++    }
+     win.gBrowser.selectedBrowser.removeEventListener("load", arguments.callee, true);
+ 
+     setFinishedCallback(function(result, exception) {
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/dom/media/MediaManager.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/dom/media/MediaManager.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/dom/media/MediaManager.cpp	2013-09-16 22:26:31.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/dom/media/MediaManager.cpp	2014-02-10 01:13:31.714542709 +0400
+@@ -419,6 +419,7 @@
+     // when the page is invalidated (on navigation or close).
+     mListener->Activate(stream.forget(), mAudioSource, mVideoSource);
+ 
++    // Note: includes JS callbacks; must be released on MainThread
+     TracksAvailableCallback* tracksAvailableCallback =
+       new TracksAvailableCallback(mManager, mSuccess, mWindowID, trackunion);
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/dom/media/MediaManager.h seamonkey-2.21-esr3.0/comm-release/mozilla/dom/media/MediaManager.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/dom/media/MediaManager.h	2013-09-16 22:26:31.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/dom/media/MediaManager.h	2014-02-10 01:13:31.714542709 +0400
+@@ -331,10 +331,12 @@
+           // Forward mOnTracksAvailableCallback to GetUserMediaNotificationEvent,
+           // because mOnTracksAvailableCallback needs to be added to mStream
+           // on the main thread.
+-          nsRefPtr<GetUserMediaNotificationEvent> event =
++          nsIRunnable *event =
+             new GetUserMediaNotificationEvent(GetUserMediaNotificationEvent::STARTING,
+                                               mStream.forget(),
+                                               mOnTracksAvailableCallback.forget());
++          // event must always be released on mainthread due to the JS callbacks
++          // in the TracksAvailableCallback
+           NS_DispatchToMainThread(event, NS_DISPATCH_NORMAL);
+         }
+         break;
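Review bot: With `event` now a raw `nsIRunnable *`, nothing in this block owns the runnable if `NS_DispatchToMainThread` fails, and the call's result is ignored both here and in the hunk at -354,9. If the intent is to leak in that case rather than release the JS callbacks off the main thread, the comment should say so, for example `// Raw pointer on purpose: if dispatch fails we leak rather than release off-main-thread`. Otherwise the nsresult should be checked and the failure handled. The enclosing case starts outside the hunk.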
+@@ -354,9 +356,11 @@
+           if (mFinish) {
+             source->Finish();
+           }
+-          nsRefPtr<GetUserMediaNotificationEvent> event =
++          nsIRunnable *event =
+             new GetUserMediaNotificationEvent(mListener, GetUserMediaNotificationEvent::STOPPING);
+ 
++          // event must always be released on mainthread due to the JS callbacks
++          // in the TracksAvailableCallback
+           NS_DispatchToMainThread(event, NS_DISPATCH_NORMAL);
+         }
+         break;
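Review bot: The comment added here looks copied from the STARTING case: this event is built from `mListener` and `STOPPING`, and no TracksAvailableCallback is passed to it in the visible lines. If the main-thread release requirement for this event comes from what the listener holds, the comment should name that instead, for example `// event must be released on the main thread because of what mListener holds` (to be confirmed against the class). A comment that cites the wrong object makes the threading rule harder to audit later.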
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/dom/workers/ScriptLoader.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/dom/workers/ScriptLoader.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/dom/workers/ScriptLoader.cpp	2013-09-16 22:26:33.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/dom/workers/ScriptLoader.cpp	2014-02-10 01:13:31.714542709 +0400
+@@ -890,8 +890,7 @@
+       break;
+ 
+     default:
+-      JS_ReportError(aCx, "Failed to load script: %s (nsresult = 0x%x)",
+-                     url.get(), aLoadResult);
++      JS_ReportError(aCx, "Failed to load script (nsresult = 0x%x)", aLoadResult);
+   }
+ }
+ 
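Review bot: The new message drops the script URL but nothing records why, so a later cleanup could put `url.get()` back. If the URL was removed to keep it out of an error that script can observe, say so above the call, for example `// Do not include the URL: this error text is reported to the worker script`. Separately, `%x` receives `aLoadResult` directly; if that is an nsresult enum, `static_cast<unsigned>(aLoadResult)` would keep the format and the argument in agreement. The switch begins outside the hunk.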
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/gfx/2d/QuartzSupport.h seamonkey-2.21-esr3.0/comm-release/mozilla/gfx/2d/QuartzSupport.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/gfx/2d/QuartzSupport.h	2013-09-16 22:26:33.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/gfx/2d/QuartzSupport.h	2014-02-10 01:13:31.714542709 +0400
+@@ -9,6 +9,7 @@
+ #ifdef XP_MACOSX
+ 
+ #import <OpenGL/OpenGL.h>
++#import <OpenGL/gl.h>
+ #import "ApplicationServices/ApplicationServices.h"
+ #include "gfxTypes.h"
+ #include "mozilla/RefPtr.h"
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/gfx/tests/crashtests/893572-1.html seamonkey-2.21-esr3.0/comm-release/mozilla/gfx/tests/crashtests/893572-1.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/gfx/tests/crashtests/893572-1.html	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/gfx/tests/crashtests/893572-1.html	2014-02-10 01:13:31.714542709 +0400
+@@ -0,0 +1,11 @@
++<script>
++o0 = document.createElement('canvas');
++(document.body || document.documentElement).appendChild(o0);
++o1 = o0.getContext('2d');
++
++o1.strokeRect(1.7976931348623157e+308, 0.651, 8, 34.323262543409996);
++o1.strokeRect(34.323262543409996, 1.7976931348623157e+308, 0.651, 8);
++o1.strokeRect(8, 34.323262543409996, 1.7976931348623157e+308, 0.651);
++o1.strokeRect(0.651, 8, 34.323262543409996, 1.7976931348623157e+308);
++
++</script>
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/gfx/tests/crashtests/893572-2.html seamonkey-2.21-esr3.0/comm-release/mozilla/gfx/tests/crashtests/893572-2.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/gfx/tests/crashtests/893572-2.html	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/gfx/tests/crashtests/893572-2.html	2014-02-10 01:13:31.714542709 +0400
+@@ -0,0 +1,30 @@
++<script>
++o0 = document.createElement('canvas');
++(document.body || document.documentElement).appendChild(o0);
++o1 = o0.getContext('2d');
++
++o1.rect(1.7976931348623157e+308, 0.651, 8, 34.323262543409996);
++o1.stroke()
++
++o1.rect(-1.7976931348623157e+308, 0.651, 8, 34.323262543409996);
++o1.stroke()
++
++o1.rect(34.323262543409996, 1.7976931348623157e+308, 0.651, 8);
++o1.stroke()
++
++o1.rect(34.323262543409996, -1.7976931348623157e+308, 0.651, 8);
++o1.stroke()
++
++o1.rect(8, 34.323262543409996, 1.7976931348623157e+308, 0.651);
++o1.stroke()
++
++o1.rect(8, 34.323262543409996, -1.7976931348623157e+308, 0.651);
++o1.stroke()
++
++o1.rect(0.651, 8, 34.323262543409996, 1.7976931348623157e+308);
++o1.stroke()
++
++o1.rect(0.651, 8, 34.323262543409996, -1.7976931348623157e+308);
++o1.stroke()
++
++</script>
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/gfx/tests/crashtests/893572-3.html seamonkey-2.21-esr3.0/comm-release/mozilla/gfx/tests/crashtests/893572-3.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/gfx/tests/crashtests/893572-3.html	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/gfx/tests/crashtests/893572-3.html	2014-02-10 01:13:31.715542694 +0400
+@@ -0,0 +1,44 @@
++<script>
++o0 = document.createElement('canvas');
++(document.body || document.documentElement).appendChild(o0);
++o1 = o0.getContext('2d');
++
++o1.beginPath();
++o1.moveTo(8,34.323262543409996);
++o1.lineTo(1.7976931348623157e+308,34.323262543409996);
++o1.arcTo(1.7976931348623157e+308, 150, 20, 150, 70);
++o1.stroke();
++
++o1.beginPath();
++o1.moveTo(8,34.323262543409996);
++o1.lineTo(-1.7976931348623157e+308,34.323262543409996);
++o1.arcTo(70, 1.7976931348623157e+308, 150, 20, 150);
++o1.stroke();
++
++o1.beginPath();
++o1.moveTo(34.323262543409996, 8);
++o1.lineTo(34.323262543409996, 1.7976931348623157e+308);
++o1.arcTo(150, 70, 1.7976931348623157e+308, 150, 20); 
++o1.stroke();
++
++o1.beginPath();
++o1.moveTo(34.323262543409996, 8);
++o1.lineTo(34.323262543409996, -1.7976931348623157e+308);
++o1.arcTo(20, 150, 70,1.7976931348623157e+308, 150); 
++o1.stroke();
++
++o1.beginPath();
++o1.moveTo(20, 20);
++o1.lineTo(100, 20);
++o1.arcTo(150, 20, 150, 70, 1.7976931348623157e+308);
++o1.lineTo(150, 120);
++o1.stroke();
++
++o1.beginPath();
++o1.moveTo(20, 20);
++o1.lineTo(100, 20);
++o1.arcTo(150, 20, 150, 70, -1.7976931348623157e+308);
++o1.lineTo(150, 120);
++o1.stroke();
++
++</script>
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/gfx/tests/crashtests/893572-4.html seamonkey-2.21-esr3.0/comm-release/mozilla/gfx/tests/crashtests/893572-4.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/gfx/tests/crashtests/893572-4.html	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/gfx/tests/crashtests/893572-4.html	2014-02-10 01:13:31.715542694 +0400
+@@ -0,0 +1,38 @@
++<script>
++o0 = document.createElement('canvas');
++(document.body || document.documentElement).appendChild(o0);
++o1 = o0.getContext('2d');
++
++o1.beginPath();
++o1.moveTo(8,34.323262543409996);
++o1.lineTo(1.7976931348623157e+308,34.323262543409996);
++o1.lineTo(1.7976931348623157e+308,44.323262543409996);
++o1.lineTo(10.0,44.323262543409996);
++o1.lineTo(8,34.323262543409996);
++o1.stroke();
++
++o1.beginPath();
++o1.moveTo(34.323262543409996, 8);
++o1.lineTo(34.323262543409996, 1.7976931348623157e+308);
++o1.lineTo(44.323262543409996, 1.7976931348623157e+308);
++o1.lineTo(44.323262543409996, 10.0);
++o1.lineTo(34.323262543409996, 8);
++o1.stroke();
++
++o1.beginPath();
++o1.moveTo(8,34.323262543409996);
++o1.lineTo(-1.7976931348623157e+308,34.323262543409996);
++o1.lineTo(-1.7976931348623157e+308,44.323262543409996);
++o1.lineTo(10.0,44.323262543409996);
++o1.lineTo(8,34.323262543409996);
++o1.stroke();
++
++o1.beginPath();
++o1.moveTo(34.323262543409996, 8);
++o1.lineTo(34.323262543409996, -1.7976931348623157e+308);
++o1.lineTo(44.323262543409996, -1.7976931348623157e+308);
++o1.lineTo(44.323262543409996, 10.0);
++o1.lineTo(34.323262543409996, 8);
++o1.stroke();
++
++</script>
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/gfx/tests/crashtests/crashtests.list seamonkey-2.21-esr3.0/comm-release/mozilla/gfx/tests/crashtests/crashtests.list
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/gfx/tests/crashtests/crashtests.list	2013-09-16 22:26:35.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/gfx/tests/crashtests/crashtests.list	2014-02-10 01:13:31.715542694 +0400
+@@ -99,3 +99,7 @@
+ asserts-if(winWidget,0-1) skip-if(B2G) load 815489.html
+ load 839745-1.html
+ load 856784-1.html
++load 893572-1.html
++load 893572-2.html
++load 893572-3.html
++load 893572-4.html
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/gfx/thebes/gfxFont.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/gfx/thebes/gfxFont.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/gfx/thebes/gfxFont.cpp	2013-09-16 22:26:35.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/gfx/thebes/gfxFont.cpp	2014-02-10 01:13:31.715542694 +0400
+@@ -3825,14 +3825,16 @@
+ }
+ 
+ gfxFontGroup::gfxFontGroup(const nsAString& aFamilies, const gfxFontStyle *aStyle, gfxUserFontSet *aUserFontSet)
+-    : mFamilies(aFamilies), mStyle(*aStyle), mUnderlineOffset(UNDERLINE_OFFSET_NOT_SET)
++    : mFamilies(aFamilies)
++    , mStyle(*aStyle)
++    , mUnderlineOffset(UNDERLINE_OFFSET_NOT_SET)
++    , mUserFontSet(aUserFontSet)
++    , mPageLang(gfxPlatform::GetFontPrefLangFor(aStyle->language))
++    , mSkipDrawing(false)
+ {
+-    mUserFontSet = nullptr;
+-    SetUserFontSet(aUserFontSet);
+-
+-    mSkipDrawing = false;
+-
+-    mPageLang = gfxPlatform::GetFontPrefLangFor(mStyle.language);
++    // We don't use SetUserFontSet() here, as we want to unconditionally call
++    // BuildFontList() rather than only do UpdateFontList() if it changed.
++    mCurrGeneration = GetGeneration();
+     BuildFontList();
+ }
+ 
+@@ -3980,7 +3982,6 @@
+ gfxFontGroup::~gfxFontGroup()
+ {
+     mFonts.Clear();
+-    SetUserFontSet(nullptr);
+ }
+ 
+ gfxFontGroup *
+@@ -4808,10 +4809,12 @@
+ void 
+ gfxFontGroup::SetUserFontSet(gfxUserFontSet *aUserFontSet)
+ {
+-    NS_IF_RELEASE(mUserFontSet);
++    if (aUserFontSet == mUserFontSet) {
++        return;
++    }
+     mUserFontSet = aUserFontSet;
+-    NS_IF_ADDREF(mUserFontSet);
+-    mCurrGeneration = GetGeneration();
++    mCurrGeneration = GetGeneration() - 1;
++    UpdateFontList();
+ }
+ 
+ uint64_t
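Review bot: `mCurrGeneration = GetGeneration() - 1;` exists only to force the mismatch that makes UpdateFontList() rebuild, and when the generation is 0 it wraps to the largest uint64_t value. That is well defined for an unsigned type, but it reads like an off-by-one to anyone who does not know the trick. I would add a comment above the line, for example `// Force a generation mismatch so UpdateFontList() rebuilds; wrap-around at 0 is intended`.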
+@@ -4825,7 +4828,7 @@
+ void
+ gfxFontGroup::UpdateFontList()
+ {
+-    if (mUserFontSet && mCurrGeneration != GetGeneration()) {
++    if (mCurrGeneration != GetGeneration()) {
+         // xxx - can probably improve this to detect when all fonts were found, so no need to update list
+         mFonts.Clear();
+         mUnderlineOffset = UNDERLINE_OFFSET_NOT_SET;
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/gfx/thebes/gfxFont.h seamonkey-2.21-esr3.0/comm-release/mozilla/gfx/thebes/gfxFont.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/gfx/thebes/gfxFont.h	2013-09-16 22:26:35.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/gfx/thebes/gfxFont.h	2014-02-10 01:13:31.716542678 +0400
+@@ -3407,6 +3407,9 @@
+     // with no @font-face rule, this always returns 0.
+     uint64_t GetGeneration();
+ 
++    // This will call UpdateFontList() if the user font set is changed.
++    void SetUserFontSet(gfxUserFontSet *aUserFontSet);
++
+     // If there is a user font set, check to see whether the font list or any
+     // caches need updating.
+     virtual void UpdateFontList();
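Review bot: The context comment above `UpdateFontList()` still begins "If there is a user font set", but the gfxFont.cpp part of this patch removes the `mUserFontSet &&` test, so the rebuild now depends only on the generation comparison. After `SetUserFontSet(nullptr)` the list is rebuilt even though no user font set exists, which the comment no longer describes. I would reword it to `// Check whether the font list or any caches need updating because the user font set or its generation changed.`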
+@@ -3433,7 +3436,7 @@
+     nsTArray<FamilyFace> mFonts;
+     gfxFloat mUnderlineOffset;
+ 
+-    gfxUserFontSet* mUserFontSet;
++    nsRefPtr<gfxUserFontSet> mUserFontSet;
+     uint64_t mCurrGeneration;  // track the current user font set generation, rebuild font list if needed
+ 
+     // Cache a textrun representing an ellipsis (useful for CSS text-overflow)
+@@ -3460,10 +3463,6 @@
+     gfxTextRun *MakeBlankTextRun(uint32_t aLength,
+                                  const Parameters *aParams, uint32_t aFlags);
+ 
+-    // Used for construction/destruction.  Not intended to change the font set
+-    // as invalidation of font lists and caches is not considered.
+-    void SetUserFontSet(gfxUserFontSet *aUserFontSet);
+-
+     // Initialize the list of fonts
+     void BuildFontList();
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/gfx/thebes/gfxPangoFonts.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/gfx/thebes/gfxPangoFonts.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/gfx/thebes/gfxPangoFonts.cpp	2013-09-16 22:26:35.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/gfx/thebes/gfxPangoFonts.cpp	2014-02-10 01:13:31.923539055 +0400
+@@ -1421,10 +1421,7 @@
+ void
+ gfxPangoFontGroup::UpdateFontList()
+ {
+-    if (!mUserFontSet)
+-        return;
+-
+-    uint64_t newGeneration = mUserFontSet->GetGeneration();
++    uint64_t newGeneration = GetGeneration();
+     if (newGeneration == mCurrGeneration)
+         return;
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/image/src/RasterImage.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/image/src/RasterImage.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/image/src/RasterImage.cpp	2014-02-10 01:12:09.943982821 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/image/src/RasterImage.cpp	2014-02-10 01:13:31.923539056 +0400
+@@ -395,7 +395,7 @@
+ #ifdef DEBUG
+   mFramesNotified(0),
+ #endif
+-  mDecodingMutex("RasterImage"),
++  mDecodingMonitor("RasterImage Decoding Monitor"),
+   mDecoder(nullptr),
+   mBytesDecoded(0),
+   mInDecoder(false),
+@@ -443,7 +443,7 @@
+   if (mDecoder) {
+     // Kill off our decode request, if it's pending.  (If not, this call is
+     // harmless.)
+-    MutexAutoLock lock(mDecodingMutex);
++    ReentrantMonitorAutoEnter lock(mDecodingMonitor);
+     DecodePool::StopDecoding(this);
+     mDecoder = nullptr;
+ 
+@@ -1663,7 +1663,7 @@
+ nsresult
+ RasterImage::AddSourceData(const char *aBuffer, uint32_t aCount)
+ {
+-  MutexAutoLock lock(mDecodingMutex);
++  ReentrantMonitorAutoEnter lock(mDecodingMonitor);
+ 
+   if (mError)
+     return NS_ERROR_FAILURE;
+@@ -1803,7 +1803,7 @@
+   }
+ 
+   {
+-    MutexAutoLock lock(mDecodingMutex);
++    ReentrantMonitorAutoEnter lock(mDecodingMonitor);
+ 
+     // If we're not storing any source data, then there's nothing more we can do
+     // once we've tried decoding for size.
+@@ -1861,7 +1861,7 @@
+ 
+   // We just recorded OnStopRequest; we need to inform our listeners.
+   {
+-    MutexAutoLock lock(mDecodingMutex);
++    ReentrantMonitorAutoEnter lock(mDecodingMonitor);
+     FinishedSomeDecoding();
+   }
+ 
+@@ -2195,7 +2195,7 @@
+ RasterImage::ShutdownDecoder(eShutdownIntent aIntent)
+ {
+   MOZ_ASSERT(NS_IsMainThread());
+-  mDecodingMutex.AssertCurrentThreadOwns();
++  mDecodingMonitor.AssertCurrentThreadIn();
+ 
+   // Ensure that our intent is valid
+   NS_ABORT_IF_FALSE((aIntent >= 0) && (aIntent < eShutdownIntent_AllCount),
+@@ -2263,7 +2263,7 @@
+ nsresult
+ RasterImage::WriteToDecoder(const char *aBuffer, uint32_t aCount)
+ {
+-  mDecodingMutex.AssertCurrentThreadOwns();
++  mDecodingMonitor.AssertCurrentThreadIn();
+ 
+   // We should have a decoder
+   NS_ABORT_IF_FALSE(mDecoder, "Trying to write to null decoder!");
+@@ -2384,7 +2384,7 @@
+     }
+   }
+ 
+-  MutexAutoLock lock(mDecodingMutex);
++  ReentrantMonitorAutoEnter lock(mDecodingMonitor);
+ 
+   // If the image is waiting for decode work to be notified, go ahead and do that.
+   if (mDecodeRequest &&
+@@ -2475,7 +2475,7 @@
+     }
+   }
+ 
+-  MutexAutoLock imgLock(mDecodingMutex);
++  ReentrantMonitorAutoEnter lock(mDecodingMonitor);
+ 
+   // We really have no good way of forcing a synchronous decode if we're being
+   // called in a re-entrant manner (ie, from an event listener fired by a
+@@ -2739,7 +2739,7 @@
+ 
+   // We can only draw with the default decode flags
+   if (mFrameDecodeFlags != DECODE_FLAGS_DEFAULT) {
+-    if (!CanForciblyDiscard())
++    if (!CanForciblyDiscard() || mDecoder || mAnim)
+       return NS_ERROR_NOT_AVAILABLE;
+     ForceDiscard();
+ 
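Review bot: The new `|| mDecoder || mAnim` guard here, and the matching `&& !mDecoder && !mAnim` in RequestDiscard() (hunk @@ -2858,7), sit at the call sites rather than in ForceDiscard() or the CanDiscard()/CanForciblyDiscard() predicates, so other callers of ForceDiscard() are not covered; the unlock path in hunk @@ -2837,7 calls it directly. If the rule is that frames must not be discarded while a decoder is attached or the image is animated, folding the test into the predicates or asserting it inside ForceDiscard() keeps it in one place. At minimum add `// Never discard while a decoder is live or the image is animated.` next to each check. Both checks read mDecoder without entering mDecodingMonitor; whether that is safe depends on these paths being main-thread only, which is not visible in the hunk. The enclosing function starts and ends outside the hunk.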
+@@ -2837,7 +2837,7 @@
+     PR_LOG(GetCompressedImageAccountingLog(), PR_LOG_DEBUG,
+            ("RasterImage[0x%p] canceling decode because image "
+             "is now unlocked.", this));
+-    MutexAutoLock lock(mDecodingMutex);
++    ReentrantMonitorAutoEnter lock(mDecodingMonitor);
+     FinishedSomeDecoding(eShutdownIntent_NotNeeded);
+     ForceDiscard();
+     return NS_OK;
+@@ -2858,7 +2858,7 @@
+ NS_IMETHODIMP
+ RasterImage::RequestDiscard()
+ {
+-  if (CanDiscard()) {
++  if (CanDiscard() && !mDecoder && !mAnim) {
+     ForceDiscard();
+   }
+ 
+@@ -2872,7 +2872,7 @@
+   // We should have a decoder if we get here
+   NS_ABORT_IF_FALSE(mDecoder, "trying to decode without decoder!");
+ 
+-  mDecodingMutex.AssertCurrentThreadOwns();
++  mDecodingMonitor.AssertCurrentThreadIn();
+ 
+   // First, if we've just been called because we allocated a frame on the main
+   // thread, let the decoder deal with the data it set aside at that time by
+@@ -2908,7 +2908,7 @@
+ RasterImage::IsDecodeFinished()
+ {
+   // Precondition
+-  mDecodingMutex.AssertCurrentThreadOwns();
++  mDecodingMonitor.AssertCurrentThreadIn();
+   NS_ABORT_IF_FALSE(mDecoder, "Can't call IsDecodeFinished() without decoder!");
+ 
+   // The decode is complete if we got what we wanted.
+@@ -2958,7 +2958,7 @@
+ 
+   // If we're mid-decode, shut down the decoder.
+   if (mDecoder) {
+-    MutexAutoLock lock(mDecodingMutex);
++    ReentrantMonitorAutoEnter lock(mDecodingMonitor);
+     FinishedSomeDecoding(eShutdownIntent_Error);
+   }
+ 
+@@ -3055,7 +3055,7 @@
+ {
+   MOZ_ASSERT(NS_IsMainThread());
+ 
+-  mDecodingMutex.AssertCurrentThreadOwns();
++  mDecodingMonitor.AssertCurrentThreadIn();
+ 
+   nsRefPtr<DecodeRequest> request;
+   if (aRequest) {
+@@ -3123,9 +3123,6 @@
+   }
+ 
+   {
+-    // Notifications can't go out with the decoding lock held.
+-    MutexAutoUnlock unlock(mDecodingMutex);
+-
+     // Then, tell the observers what happened in the decoder.
+     // If we have no request, we have not yet created a decoder, but we still
+     // need to send out notifications.
+@@ -3225,7 +3222,7 @@
+ RasterImage::DecodePool::RequestDecode(RasterImage* aImg)
+ {
+   MOZ_ASSERT(aImg->mDecoder);
+-  aImg->mDecodingMutex.AssertCurrentThreadOwns();
++  aImg->mDecodingMonitor.AssertCurrentThreadIn();
+ 
+   // If we're currently waiting on a new frame for this image, we can't do any
+   // decoding.
+@@ -3257,7 +3254,7 @@
+ RasterImage::DecodePool::DecodeABitOf(RasterImage* aImg)
+ {
+   MOZ_ASSERT(NS_IsMainThread());
+-  aImg->mDecodingMutex.AssertCurrentThreadOwns();
++  aImg->mDecodingMonitor.AssertCurrentThreadIn();
+ 
+   if (aImg->mDecodeRequest) {
+     // If the image is waiting for decode work to be notified, go ahead and do that.
+@@ -3289,7 +3286,7 @@
+ /* static */ void
+ RasterImage::DecodePool::StopDecoding(RasterImage* aImg)
+ {
+-  aImg->mDecodingMutex.AssertCurrentThreadOwns();
++  aImg->mDecodingMonitor.AssertCurrentThreadIn();
+ 
+   // If we haven't got a decode request, we're not currently decoding. (Having
+   // a decode request doesn't imply we *are* decoding, though.)
+@@ -3301,7 +3298,7 @@
+ NS_IMETHODIMP
+ RasterImage::DecodePool::DecodeJob::Run()
+ {
+-  MutexAutoLock imglock(mImage->mDecodingMutex);
++  ReentrantMonitorAutoEnter lock(mImage->mDecodingMonitor);
+ 
+   // If we were interrupted, we shouldn't do any work.
+   if (mRequest->mRequestStatus == DecodeRequest::REQUEST_STOPPED) {
+@@ -3366,8 +3363,7 @@
+ RasterImage::DecodePool::DecodeUntilSizeAvailable(RasterImage* aImg)
+ {
+   MOZ_ASSERT(NS_IsMainThread());
+-
+-  MutexAutoLock imgLock(aImg->mDecodingMutex);
++  ReentrantMonitorAutoEnter lock(aImg->mDecodingMonitor);
+ 
+   if (aImg->mDecodeRequest) {
+     // If the image is waiting for decode work to be notified, go ahead and do that.
+@@ -3403,7 +3399,7 @@
+ {
+   NS_ABORT_IF_FALSE(aImg->mInitialized,
+                     "Worker active for uninitialized container!");
+-  aImg->mDecodingMutex.AssertCurrentThreadOwns();
++  aImg->mDecodingMonitor.AssertCurrentThreadIn();
+ 
+   // If an error is flagged, it probably happened while we were waiting
+   // in the event queue.
+@@ -3521,7 +3517,7 @@
+ void
+ RasterImage::DecodeDoneWorker::NotifyFinishedSomeDecoding(RasterImage* image, DecodeRequest* request)
+ {
+-  image->mDecodingMutex.AssertCurrentThreadOwns();
++  image->mDecodingMonitor.AssertCurrentThreadIn();
+ 
+   nsCOMPtr<DecodeDoneWorker> worker = new DecodeDoneWorker(image, request);
+   NS_DispatchToMainThread(worker);
+@@ -3531,7 +3527,7 @@
+ RasterImage::DecodeDoneWorker::Run()
+ {
+   MOZ_ASSERT(NS_IsMainThread());
+-  MutexAutoLock lock(mImage->mDecodingMutex);
++  ReentrantMonitorAutoEnter lock(mImage->mDecodingMonitor);
+ 
+   mImage->FinishedSomeDecoding(eShutdownIntent_Done, mRequest);
+ 
+@@ -3553,7 +3549,7 @@
+ NS_IMETHODIMP
+ RasterImage::FrameNeededWorker::Run()
+ {
+-  MutexAutoLock lock(mImage->mDecodingMutex);
++  ReentrantMonitorAutoEnter lock(mImage->mDecodingMonitor);
+   nsresult rv = NS_OK;
+ 
+   // If we got a synchronous decode in the mean time, we don't need to do
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/image/src/RasterImage.h seamonkey-2.21-esr3.0/comm-release/mozilla/image/src/RasterImage.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/image/src/RasterImage.h	2014-02-10 01:12:09.943982821 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/image/src/RasterImage.h	2014-02-10 01:13:31.923539056 +0400
+@@ -29,12 +29,13 @@
+ #include "nsThreadUtils.h"
+ #include "DiscardTracker.h"
+ #include "nsISupportsImpl.h"
+-#include "mozilla/TimeStamp.h"
+-#include "mozilla/Telemetry.h"
+ #include "mozilla/LinkedList.h"
++#include "mozilla/Mutex.h"
++#include "mozilla/ReentrantMonitor.h"
++#include "mozilla/Telemetry.h"
++#include "mozilla/TimeStamp.h"
+ #include "mozilla/StaticPtr.h"
+ #include "mozilla/WeakPtr.h"
+-#include "mozilla/Mutex.h"
+ #include "gfx2DGlue.h"
+ #ifdef DEBUG
+   #include "imgIContainerDebug.h"
+@@ -128,11 +129,13 @@
+ class ScaleRequest;
+ 
+ namespace mozilla {
++
+ namespace layers {
+ class LayerManager;
+ class ImageContainer;
+ class Image;
+ }
++
+ namespace image {
+ 
+ class Decoder;
+@@ -478,8 +481,8 @@
+   private: /* members */
+ 
+     // mThreadPoolMutex protects mThreadPool. For all RasterImages R,
+-    // R::mDecodingMutex must be acquired before mThreadPoolMutex if both are
+-    // acquired; the other order may cause deadlock.
++    // R::mDecodingMonitor must be acquired before mThreadPoolMutex
++    // if both are acquired; the other order may cause deadlock.
+     mozilla::Mutex          mThreadPoolMutex;
+     nsCOMPtr<nsIThreadPool> mThreadPool;
+   };
+@@ -699,10 +702,10 @@
+ #endif
+ 
+   // Below are the pieces of data that can be accessed on more than one thread
+-  // at once, and hence need to be locked by mDecodingMutex.
++  // at once, and hence need to be locked by mDecodingMonitor.
+ 
+   // BEGIN LOCKED MEMBER VARIABLES
+-  mozilla::Mutex             mDecodingMutex;
++  mozilla::ReentrantMonitor  mDecodingMonitor;
+ 
+   FallibleTArray<char>       mSourceData;
+ 
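Review bot: The comment above the locked members should record why the lock became a ReentrantMonitor, because the reason is only implied by a deletion elsewhere. The FinishedSomeDecoding hunk in RasterImage.cpp (@@ -3123,9 +3123,6) removes `MutexAutoUnlock unlock(mDecodingMutex);` together with the remark that notifications cannot go out with the lock held, so observer callbacks now run while mDecodingMonitor is held and can re-enter RasterImage on the same thread. A line such as `// Reentrant: observers are notified with this monitor held and may call back into this image.` would state that. It follows that locked state can change across a notification, so code after a notify call should re-check it rather than rely on values read earlier. A callback that waits on another thread needing this monitor would presumably deadlock, which the mThreadPoolMutex ordering comment does not address.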
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/image/src/imgRequestProxy.h seamonkey-2.21-esr3.0/comm-release/mozilla/image/src/imgRequestProxy.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/image/src/imgRequestProxy.h	2013-09-16 22:26:35.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/image/src/imgRequestProxy.h	2014-02-10 01:13:31.923539056 +0400
+@@ -7,6 +7,7 @@
+ #ifndef imgRequestProxy_h__
+ #define imgRequestProxy_h__
+ 
++#include "mozilla/WeakPtr.h"
+ #include "imgIRequest.h"
+ #include "imgINotificationObserver.h"
+ #include "nsISecurityInfoProvider.h"
+@@ -43,7 +44,8 @@
+ class imgRequestProxy : public imgIRequest,
+                         public nsISupportsPriority,
+                         public nsISecurityInfoProvider,
+-                        public nsITimedChannel
++                        public nsITimedChannel,
++                        public mozilla::SupportsWeakPtr<imgRequestProxy>
+ {
+ public:
+   NS_DECL_ISUPPORTS
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/image/src/imgStatusTracker.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/image/src/imgStatusTracker.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/image/src/imgStatusTracker.cpp	2013-09-16 22:26:35.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/image/src/imgStatusTracker.cpp	2014-02-10 01:13:31.923539056 +0400
+@@ -20,6 +20,7 @@
+ #include "mozilla/Services.h"
+ 
+ using namespace mozilla::image;
++using mozilla::WeakPtr;
+ 
+ class imgStatusTrackerNotifyingObserver : public imgDecoderObserver
+ {
+@@ -43,17 +44,23 @@
+ 
+     mTracker->RecordStartDecode();
+ 
+-    nsTObserverArray<imgRequestProxy*>::ForwardIterator iter(mTracker->mConsumers);
++    imgStatusTracker::ProxyArray::ForwardIterator iter(mTracker->mConsumers);
+     while (iter.HasMore()) {
+-      mTracker->SendStartDecode(iter.GetNext());
++      nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();
++      if (proxy) {
++        mTracker->SendStartDecode(proxy);
++      }
+     }
+ 
+     if (!mTracker->IsMultipart()) {
+       mTracker->RecordBlockOnload();
+ 
+-      nsTObserverArray<imgRequestProxy*>::ForwardIterator iter(mTracker->mConsumers);
++      imgStatusTracker::ProxyArray::ForwardIterator iter(mTracker->mConsumers);
+       while (iter.HasMore()) {
+-        mTracker->SendBlockOnload(iter.GetNext());
++        nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();
++        if (proxy) {
++          mTracker->SendBlockOnload(proxy);
++        }
+       }
+     }
+   }
+@@ -71,9 +78,12 @@
+                       "OnStartContainer callback before we've created our image");
+     mTracker->RecordStartContainer(mTracker->GetImage());
+ 
+-    nsTObserverArray<imgRequestProxy*>::ForwardIterator iter(mTracker->mConsumers);
++    imgStatusTracker::ProxyArray::ForwardIterator iter(mTracker->mConsumers);
+     while (iter.HasMore()) {
+-      mTracker->SendStartContainer(iter.GetNext());
++      nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();
++      if (proxy) {
++        mTracker->SendStartContainer(proxy);
++      }
+     }
+   }
+ 
+@@ -97,9 +107,12 @@
+ 
+     mTracker->RecordFrameChanged(dirtyRect);
+ 
+-    nsTObserverArray<imgRequestProxy*>::ForwardIterator iter(mTracker->mConsumers);
++    imgStatusTracker::ProxyArray::ForwardIterator iter(mTracker->mConsumers);
+     while (iter.HasMore()) {
+-      mTracker->SendFrameChanged(iter.GetNext(), dirtyRect);
++      nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();
++      if (proxy) {
++        mTracker->SendFrameChanged(proxy, dirtyRect);
++      }
+     }
+   }
+ 
+@@ -111,9 +124,12 @@
+ 
+     mTracker->RecordStopFrame();
+ 
+-    nsTObserverArray<imgRequestProxy*>::ForwardIterator iter(mTracker->mConsumers);
++    imgStatusTracker::ProxyArray::ForwardIterator iter(mTracker->mConsumers);
+     while (iter.HasMore()) {
+-      mTracker->SendStopFrame(iter.GetNext());
++      nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();
++      if (proxy) {
++        mTracker->SendStopFrame(proxy);
++      }
+     }
+ 
+     mTracker->MaybeUnblockOnload();
+@@ -129,9 +145,12 @@
+ 
+     mTracker->RecordStopDecode(aStatus);
+ 
+-    nsTObserverArray<imgRequestProxy*>::ForwardIterator iter(mTracker->mConsumers);
++    imgStatusTracker::ProxyArray::ForwardIterator iter(mTracker->mConsumers);
+     while (iter.HasMore()) {
+-      mTracker->SendStopDecode(iter.GetNext(), aStatus);
++      nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();
++      if (proxy) {
++        mTracker->SendStopDecode(proxy, aStatus);
++      }
+     }
+ 
+     // This is really hacky. We need to handle the case where we start decoding,
+@@ -155,9 +174,12 @@
+ 
+     mTracker->RecordDiscard();
+ 
+-    nsTObserverArray<imgRequestProxy*>::ForwardIterator iter(mTracker->mConsumers);
++    imgStatusTracker::ProxyArray::ForwardIterator iter(mTracker->mConsumers);
+     while (iter.HasMore()) {
+-      mTracker->SendDiscard(iter.GetNext());
++      nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();
++      if (proxy) {
++        mTracker->SendDiscard(proxy);
++      }
+     }
+   }
+ 
+@@ -167,9 +189,12 @@
+                       "OnUnlockedDraw callback before we've created our image");
+     mTracker->RecordUnlockedDraw();
+ 
+-    nsTObserverArray<imgRequestProxy*>::ForwardIterator iter(mTracker->mConsumers);
++    imgStatusTracker::ProxyArray::ForwardIterator iter(mTracker->mConsumers);
+     while (iter.HasMore()) {
+-      mTracker->SendUnlockedDraw(iter.GetNext());
++      nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();
++      if (proxy) {
++        mTracker->SendUnlockedDraw(proxy);
++      }
+     }
+   }
+ 
+@@ -179,11 +204,14 @@
+                       "OnImageIsAnimated callback before we've created our image");
+     mTracker->RecordImageIsAnimated();
+ 
+-    nsTObserverArray<imgRequestProxy*>::ForwardIterator iter(mTracker->mConsumers);
++    imgStatusTracker::ProxyArray::ForwardIterator iter(mTracker->mConsumers);
+     while (iter.HasMore()) {
++      nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();
++      if (proxy) {
+       mTracker->SendImageIsAnimated(iter.GetNext());
+     }
+   }
++  }
+ 
+   virtual void OnError()
+   {
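Review bot: In the OnImageIsAnimated loop the guarded call still reads `mTracker->SendImageIsAnimated(iter.GetNext());`, so GetNext() is called twice per iteration. The proxy that was null-checked and held in `proxy` is never notified; the following array entry is passed instead, unchecked and without a strong reference, and the second GetNext() may run with no elements left. Every sibling loop in this patch passes `proxy`, so the line should be `mTracker->SendImageIsAnimated(proxy);`. The added braces also leave the body at the old indentation (the new `+  }` closes the function, not the `if`), which hides the slip, so the block should be re-indented. The function starts outside the hunk.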
+@@ -463,17 +491,17 @@
+ 
+ #define NOTIFY_IMAGE_OBSERVERS(func) \
+   do { \
+-    nsTObserverArray<imgRequestProxy*>::ForwardIterator iter(proxies); \
++    ProxyArray::ForwardIterator iter(proxies); \
+     while (iter.HasMore()) { \
+-      nsRefPtr<imgRequestProxy> proxy = iter.GetNext(); \
+-      if (!proxy->NotificationsDeferred()) { \
++      nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();  \
++      if (proxy && !proxy->NotificationsDeferred()) {          \
+         proxy->func; \
+       } \
+     } \
+   } while (false);
+ 
+ /* static */ void
+-imgStatusTracker::SyncNotifyState(nsTObserverArray<imgRequestProxy*>& proxies,
++imgStatusTracker::SyncNotifyState(ProxyArray& proxies,
+                                   bool hasImage, uint32_t state,
+                                   nsIntRect& dirtyRect, bool hadLastPart)
+ {
+@@ -581,13 +609,13 @@
+   SyncNotifyState(mConsumers, !!mImage, diff.mDiffState, diff.mInvalidRect, mHadLastPart);
+ 
+   if (diff.mUnblockedOnload) {
+-    nsTObserverArray<imgRequestProxy*>::ForwardIterator iter(mConsumers);
++    ProxyArray::ForwardIterator iter(mConsumers);
+     while (iter.HasMore()) {
+       // Hold on to a reference to this proxy, since notifying the state can
+       // cause it to disappear.
+-      nsRefPtr<imgRequestProxy> proxy = iter.GetNext();
++      nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();
+ 
+-      if (!proxy->NotificationsDeferred()) {
++      if (proxy && !proxy->NotificationsDeferred()) {
+         SendUnblockOnload(proxy);
+       }
+     }
+@@ -623,8 +651,8 @@
+     r = mImage->FrameRect(imgIContainer::FRAME_CURRENT);
+   }
+ 
+-  nsTObserverArray<imgRequestProxy*> array;
+-  array.AppendElement(proxy);
++  ProxyArray array;
++  array.AppendElement(proxy->asWeakPtr());
+   SyncNotifyState(array, !!mImage, mState, r, mHadLastPart);
+ }
+ 
+@@ -662,7 +690,7 @@
+ void
+ imgStatusTracker::AddConsumer(imgRequestProxy* aConsumer)
+ {
+-  mConsumers.AppendElementUnlessExists(aConsumer);
++  mConsumers.AppendElementUnlessExists(aConsumer->asWeakPtr());
+ }
+ 
+ // XXX - The last argument should go away.
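Review bot: AddConsumer now dereferences its argument (`aConsumer->asWeakPtr()`) where the old code only stored the pointer, so a null consumer changes from a stored null entry to a crash. Whether any caller can pass null is not visible in this hunk; `MOZ_ASSERT(aConsumer);` would make the new precondition explicit. The new FirstConsumerIs() asserts `NS_IsMainThread()` with the message "Use mConsumers on main thread only". Repeating that assertion here would document that the weak-pointer array is not meant to be touched off the main thread.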
+@@ -689,6 +717,20 @@
+   return removed;
+ }
+ 
++bool
++imgStatusTracker::FirstConsumerIs(imgRequestProxy* aConsumer)
++{
++  MOZ_ASSERT(NS_IsMainThread(), "Use mConsumers on main thread only");
++  ProxyArray::ForwardIterator iter(mConsumers);
++  while (iter.HasMore()) {
++    nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();
++    if (proxy) {
++      return proxy.get() == aConsumer;
++    }
++  }
++  return false;
++}
++
+ void
+ imgStatusTracker::RecordCancel()
+ {
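Review bot: FirstConsumerIs() changes meaning from "element 0 equals aConsumer" (the removed inline `SafeElementAt(0, nullptr) == aConsumer`) to "the first non-null entry equals aConsumer", and nothing documents the change. A comment such as `// Entries whose proxy has been destroyed read as null; skip them and compare the first live one.` would help, ideally mirrored on the declaration in imgStatusTracker.h. The loop also takes an nsRefPtr only to compare addresses. `imgRequestProxy* proxy = iter.GetNext().get();` is enough, since nothing is called on the object.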
+@@ -852,9 +894,12 @@
+ imgStatusTracker::OnUnlockedDraw()
+ {
+   RecordUnlockedDraw();
+-  nsTObserverArray<imgRequestProxy*>::ForwardIterator iter(mConsumers);
++  ProxyArray::ForwardIterator iter(mConsumers);
+   while (iter.HasMore()) {
+-    SendUnlockedDraw(iter.GetNext());
++    nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();
++    if (proxy) {
++      SendUnlockedDraw(proxy);
++    }
+   }
+ }
+ 
+@@ -906,9 +951,12 @@
+ imgStatusTracker::OnStartRequest()
+ {
+   RecordStartRequest();
+-  nsTObserverArray<imgRequestProxy*>::ForwardIterator iter(mConsumers);
++  ProxyArray::ForwardIterator iter(mConsumers);
+   while (iter.HasMore()) {
+-    SendStartRequest(iter.GetNext());
++    nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();
++    if (proxy) {
++      SendStartRequest(proxy);
++    }
+   }
+ }
+ 
+@@ -944,9 +992,12 @@
+ 
+   RecordStopRequest(aLastPart, aStatus);
+   /* notify the kids */
+-  nsTObserverArray<imgRequestProxy*>::ForwardIterator srIter(mConsumers);
++  ProxyArray::ForwardIterator srIter(mConsumers);
+   while (srIter.HasMore()) {
+-    SendStopRequest(srIter.GetNext(), aLastPart, aStatus);
++    nsRefPtr<imgRequestProxy> proxy = srIter.GetNext().get();
++    if (proxy) {
++      SendStopRequest(proxy, aLastPart, aStatus);
++    }
+   }
+ 
+   if (NS_FAILED(aStatus) && !preexistingError) {
+@@ -960,9 +1011,12 @@
+   RecordDiscard();
+ 
+   /* notify the kids */
+-  nsTObserverArray<imgRequestProxy*>::ForwardIterator iter(mConsumers);
++  ProxyArray::ForwardIterator iter(mConsumers);
+   while (iter.HasMore()) {
+-    SendDiscard(iter.GetNext());
++    nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();
++    if (proxy) {
++      SendDiscard(proxy);
++    }
+   }
+ }
+ 
+@@ -972,9 +1026,12 @@
+   RecordFrameChanged(aDirtyRect);
+ 
+   /* notify the kids */
+-  nsTObserverArray<imgRequestProxy*>::ForwardIterator iter(mConsumers);
++  ProxyArray::ForwardIterator iter(mConsumers);
+   while (iter.HasMore()) {
+-    SendFrameChanged(iter.GetNext(), aDirtyRect);
++    nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();
++    if (proxy) {
++      SendFrameChanged(proxy, aDirtyRect);
++    }
+   }
+ }
+ 
+@@ -984,9 +1041,12 @@
+   RecordStopFrame();
+ 
+   /* notify the kids */
+-  nsTObserverArray<imgRequestProxy*>::ForwardIterator iter(mConsumers);
++  ProxyArray::ForwardIterator iter(mConsumers);
+   while (iter.HasMore()) {
+-    SendStopFrame(iter.GetNext());
++    nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();
++    if (proxy) {
++      SendStopFrame(proxy);
++    }
+   }
+ }
+ 
+@@ -994,9 +1054,12 @@
+ imgStatusTracker::OnDataAvailable()
+ {
+   // Notify any imgRequestProxys that are observing us that we have an Image.
+-  nsTObserverArray<imgRequestProxy*>::ForwardIterator iter(mConsumers);
++  ProxyArray::ForwardIterator iter(mConsumers);
+   while (iter.HasMore()) {
+-    iter.GetNext()->SetHasImage();
++    nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();
++    if (proxy) {
++      proxy->SetHasImage();
++    }
+   }
+ }
+ 
+@@ -1038,9 +1101,12 @@
+ 
+   RecordUnblockOnload();
+ 
+-  nsTObserverArray<imgRequestProxy*>::ForwardIterator iter(mConsumers);
++  ProxyArray::ForwardIterator iter(mConsumers);
+   while (iter.HasMore()) {
+-    SendUnblockOnload(iter.GetNext());
++    nsRefPtr<imgRequestProxy> proxy = iter.GetNext().get();
++    if (proxy) {
++      SendUnblockOnload(proxy);
++    }
+   }
+ }
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/image/src/imgStatusTracker.h seamonkey-2.21-esr3.0/comm-release/mozilla/image/src/imgStatusTracker.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/image/src/imgStatusTracker.h	2013-09-16 22:26:35.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/image/src/imgStatusTracker.h	2014-02-10 01:13:31.980538058 +0400
+@@ -8,7 +8,6 @@
+ #define imgStatusTracker_h__
+ 
+ class imgIContainer;
+-class imgRequestProxy;
+ class imgStatusNotifyRunnable;
+ class imgRequestNotifyRunnable;
+ class imgStatusTrackerObserver;
+@@ -28,6 +27,7 @@
+ #include "nscore.h"
+ #include "imgDecoderObserver.h"
+ #include "nsISupportsImpl.h"
++#include "imgRequestProxy.h"
+ 
+ enum {
+   stateRequestStarted    = 1u << 0,
+@@ -110,9 +110,7 @@
+   // This is intentionally non-general because its sole purpose is to support an
+   // some obscure network priority logic in imgRequest. That stuff could probably
+   // be improved, but it's too scary to mess with at the moment.
+-  bool FirstConsumerIs(imgRequestProxy* aConsumer) {
+-    return mConsumers.SafeElementAt(0, nullptr) == aConsumer;
+-  }
++  bool FirstConsumerIs(imgRequestProxy* aConsumer);
+ 
+   void AdoptConsumers(imgStatusTracker* aTracker) { mConsumers = aTracker->mConsumers; }
+ 
+@@ -214,6 +212,7 @@
+ 
+   nsIntRect GetInvalidRect() const { return mInvalidRect; }
+ 
++  typedef nsTObserverArray<mozilla::WeakPtr<imgRequestProxy>> ProxyArray;
+ private:
+   friend class imgStatusNotifyRunnable;
+   friend class imgRequestNotifyRunnable;
+@@ -223,7 +222,7 @@
+ 
+   void FireFailureNotification();
+ 
+-  static void SyncNotifyState(nsTObserverArray<imgRequestProxy*>& proxies,
++  static void SyncNotifyState(ProxyArray& proxies,
+                               bool hasImage, uint32_t state,
+                               nsIntRect& dirtyRect, bool hadLastPart);
+ 
+@@ -238,7 +237,7 @@
+ 
+   // List of proxies attached to the image. Each proxy represents a consumer
+   // using the image.
+-  nsTObserverArray<imgRequestProxy*> mConsumers;
++  ProxyArray mConsumers;
+ 
+   mozilla::RefPtr<imgDecoderObserver> mTrackerObserver;
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/intl/icu/source/common/umutex.h seamonkey-2.21-esr3.0/comm-release/mozilla/intl/icu/source/common/umutex.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/intl/icu/source/common/umutex.h	2013-09-16 22:26:36.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/intl/icu/source/common/umutex.h	2014-02-10 01:13:31.980538058 +0400
+@@ -48,16 +48,8 @@
+ #endif  /* win32 */
+ 
+ #if U_PLATFORM_IS_DARWIN_BASED
+-#if defined(__STRICT_ANSI__)
+-#define UPRV_REMAP_INLINE
+-#define inline
+-#endif
+ #include <libkern/OSAtomic.h>
+ #define USE_MAC_OS_ATOMIC_INCREMENT 1
+-#if defined(UPRV_REMAP_INLINE)
+-#undef inline
+-#undef UPRV_REMAP_INLINE
+-#endif
+ #endif
+ 
+ /*
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/intl/icu-patches/bug-901348 seamonkey-2.21-esr3.0/comm-release/mozilla/intl/icu-patches/bug-901348
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/intl/icu-patches/bug-901348	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/intl/icu-patches/bug-901348	2014-02-10 01:13:31.980538058 +0400
+@@ -0,0 +1,38 @@
++# HG changeset patch
++# User Nomis101
++# Date 1380136873 -7200
++#      Wed Sep 25 21:21:13 2013 +0200
++# Node ID 2921e2256ba8a8ac1ca8b5b0e48eb04511545d41
++# Parent  39f30376058cf20823534f2d510430eaa31844bf
++Bug 901348 - [10.9] Duplicate symbol errors building --with-intl-api
++
++diff --git a/intl/icu/source/common/umutex.h b/intl/icu/source/common/umutex.h
++--- a/intl/icu/source/common/umutex.h
+++++ b/intl/icu/source/common/umutex.h
++@@ -43,26 +43,18 @@
++ # define NOIME
++ # define NOMCX
++ # include <windows.h>
++ #endif  /* 0 */
++ #define U_WINDOWS_CRIT_SEC_SIZE 64
++ #endif  /* win32 */
++ 
++ #if U_PLATFORM_IS_DARWIN_BASED
++-#if defined(__STRICT_ANSI__)
++-#define UPRV_REMAP_INLINE
++-#define inline
++-#endif
++ #include <libkern/OSAtomic.h>
++ #define USE_MAC_OS_ATOMIC_INCREMENT 1
++-#if defined(UPRV_REMAP_INLINE)
++-#undef inline
++-#undef UPRV_REMAP_INLINE
++-#endif
++ #endif
++ 
++ /*
++  * If we do not compile with dynamic_annotations.h then define
++  * empty annotation macros.
++  *  See http://code.google.com/p/data-race-test/wiki/DynamicAnnotations
++  */
++ #ifndef ANNOTATE_HAPPENS_BEFORE
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/config/milestone.txt seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/config/milestone.txt
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/config/milestone.txt	2014-02-10 01:12:13.554918819 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/config/milestone.txt	2014-02-10 01:13:31.980538058 +0400
+@@ -10,4 +10,4 @@
+ # hardcoded milestones in the tree from these two files.
+ #--------------------------------------------------------
+ 
+-24.2.0
++24.3.0
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/configure.in seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/configure.in
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/configure.in	2014-02-10 01:12:10.530972416 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/configure.in	2014-02-10 01:13:32.017537412 +0400
+@@ -1133,7 +1133,12 @@
+ if test "$GNU_CC"; then
+     # Per bug 719659 comment 2, some of the headers on ancient build machines
+     # may require gnu89 inline semantics.  But otherwise, we use C99.
+-    CFLAGS="$CFLAGS -std=gnu99 -fgnu89-inline"
++    # But on OS X we just use C99 plus GNU extensions, in order to fix
++    # bug 917526.
++    CFLAGS="$CFLAGS -std=gnu99"
++    if test "${OS_ARCH}" != Darwin; then
++        CFLAGS="$CFLAGS -fgnu89-inline"
++    fi
+     MKSHLIB='$(CXX) $(CXXFLAGS) $(DSO_PIC_CFLAGS) $(DSO_LDOPTS) -Wl,-h,$(notdir $@) -o $@'
+     MKCSHLIB='$(CC) $(CFLAGS) $(DSO_PIC_CFLAGS) $(DSO_LDOPTS) -Wl,-h,$(notdir $@) -o $@'
+     DSO_LDOPTS='-shared'
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/configure seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/configure
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/configure	2014-02-10 01:12:10.582971492 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/configure	2014-02-10 01:13:31.984537989 +0400
+@@ -6224,7 +6224,12 @@
+ if test "$GNU_CC"; then
+     # Per bug 719659 comment 2, some of the headers on ancient build machines
+     # may require gnu89 inline semantics.  But otherwise, we use C99.
+-    CFLAGS="$CFLAGS -std=gnu99 -fgnu89-inline"
++    # But on OS X we just use C99 plus GNU extensions, in order to fix
++    # bug 917526.
++    CFLAGS="$CFLAGS -std=gnu99"
++    if test "${OS_ARCH}" != Darwin; then
++        CFLAGS="$CFLAGS -fgnu89-inline"
++    fi
+     MKSHLIB='$(CXX) $(CXXFLAGS) $(DSO_PIC_CFLAGS) $(DSO_LDOPTS) -Wl,-h,$(notdir $@) -o $@'
+     MKCSHLIB='$(CC) $(CFLAGS) $(DSO_PIC_CFLAGS) $(DSO_LDOPTS) -Wl,-h,$(notdir $@) -o $@'
+     DSO_LDOPTS='-shared'
+@@ -6248,18 +6253,18 @@
+     ASFLAGS="$ASFLAGS -fPIC"
+ 
+     echo $ac_n "checking for --build-id option to ld""... $ac_c" 1>&6
+-echo "configure:6252: checking for --build-id option to ld" >&5
++echo "configure:6257: checking for --build-id option to ld" >&5
+     _SAVE_LDFLAGS=$LDFLAGS
+     LDFLAGS="$LDFLAGS -Wl,--build-id"
+     cat > conftest.$ac_ext <<EOF
+-#line 6256 "configure"
++#line 6261 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:6263: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:6268: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   echo "$ac_t""yes" 1>&6
+ else
+@@ -6283,7 +6288,7 @@
+     _WARNINGS_CFLAGS="${_WARNINGS_CFLAGS} -Wall -Wpointer-arith -Wdeclaration-after-statement"
+     
+     echo $ac_n "checking whether the C compiler supports -Werror=return-type""... $ac_c" 1>&6
+-echo "configure:6287: checking whether the C compiler supports -Werror=return-type" >&5
++echo "configure:6292: checking whether the C compiler supports -Werror=return-type" >&5
+ if eval "test \"`echo '$''{'ac_c_has_werror_return_type'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -6299,14 +6304,14 @@
+             _SAVE_CFLAGS="$CFLAGS"
+             CFLAGS="$CFLAGS -Werror -Werror=return-type"
+             cat > conftest.$ac_ext <<EOF
+-#line 6303 "configure"
++#line 6308 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:6310: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:6315: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_c_has_werror_return_type="yes"
+ else
+@@ -6334,7 +6339,7 @@
+ 
+     
+     echo $ac_n "checking whether the C compiler supports -Wtype-limits""... $ac_c" 1>&6
+-echo "configure:6338: checking whether the C compiler supports -Wtype-limits" >&5
++echo "configure:6343: checking whether the C compiler supports -Wtype-limits" >&5
+ if eval "test \"`echo '$''{'ac_c_has_wtype_limits'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -6350,14 +6355,14 @@
+             _SAVE_CFLAGS="$CFLAGS"
+             CFLAGS="$CFLAGS -Werror -Wtype-limits"
+             cat > conftest.$ac_ext <<EOF
+-#line 6354 "configure"
++#line 6359 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:6361: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:6366: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_c_has_wtype_limits="yes"
+ else
+@@ -6385,7 +6390,7 @@
+ 
+     
+     echo $ac_n "checking whether the C compiler supports -Wempty-body""... $ac_c" 1>&6
+-echo "configure:6389: checking whether the C compiler supports -Wempty-body" >&5
++echo "configure:6394: checking whether the C compiler supports -Wempty-body" >&5
+ if eval "test \"`echo '$''{'ac_c_has_wempty_body'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -6401,14 +6406,14 @@
+             _SAVE_CFLAGS="$CFLAGS"
+             CFLAGS="$CFLAGS -Werror -Wempty-body"
+             cat > conftest.$ac_ext <<EOF
+-#line 6405 "configure"
++#line 6410 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:6412: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:6417: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_c_has_wempty_body="yes"
+ else
+@@ -6436,7 +6441,7 @@
+ 
+     
+     echo $ac_n "checking whether the C compiler supports -Wsign-compare""... $ac_c" 1>&6
+-echo "configure:6440: checking whether the C compiler supports -Wsign-compare" >&5
++echo "configure:6445: checking whether the C compiler supports -Wsign-compare" >&5
+ if eval "test \"`echo '$''{'ac_c_has_sign_compare'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -6452,14 +6457,14 @@
+             _SAVE_CFLAGS="$CFLAGS"
+             CFLAGS="$CFLAGS -Werror -Wsign-compare"
+             cat > conftest.$ac_ext <<EOF
+-#line 6456 "configure"
++#line 6461 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:6463: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:6468: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_c_has_sign_compare="yes"
+ else
+@@ -6544,7 +6549,7 @@
+     _WARNINGS_CXXFLAGS="${_WARNINGS_CXXFLAGS} -Wall -Wpointer-arith -Woverloaded-virtual"
+     
+     echo $ac_n "checking whether the C++ compiler supports -Werror=return-type""... $ac_c" 1>&6
+-echo "configure:6548: checking whether the C++ compiler supports -Werror=return-type" >&5
++echo "configure:6553: checking whether the C++ compiler supports -Werror=return-type" >&5
+ if eval "test \"`echo '$''{'ac_cxx_has_werror_return_type'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -6560,14 +6565,14 @@
+             _SAVE_CXXFLAGS="$CXXFLAGS"
+             CXXFLAGS="$CXXFLAGS -Werror -Werror=return-type"
+             cat > conftest.$ac_ext <<EOF
+-#line 6564 "configure"
++#line 6569 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:6571: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:6576: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cxx_has_werror_return_type="yes"
+ else
+@@ -6595,7 +6600,7 @@
+ 
+     
+     echo $ac_n "checking whether the C++ compiler supports -Wtype-limits""... $ac_c" 1>&6
+-echo "configure:6599: checking whether the C++ compiler supports -Wtype-limits" >&5
++echo "configure:6604: checking whether the C++ compiler supports -Wtype-limits" >&5
+ if eval "test \"`echo '$''{'ac_cxx_has_wtype_limits'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -6611,14 +6616,14 @@
+             _SAVE_CXXFLAGS="$CXXFLAGS"
+             CXXFLAGS="$CXXFLAGS -Werror -Wtype-limits"
+             cat > conftest.$ac_ext <<EOF
+-#line 6615 "configure"
++#line 6620 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:6622: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:6627: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cxx_has_wtype_limits="yes"
+ else
+@@ -6646,7 +6651,7 @@
+ 
+     
+     echo $ac_n "checking whether the C++ compiler supports -Wempty-body""... $ac_c" 1>&6
+-echo "configure:6650: checking whether the C++ compiler supports -Wempty-body" >&5
++echo "configure:6655: checking whether the C++ compiler supports -Wempty-body" >&5
+ if eval "test \"`echo '$''{'ac_cxx_has_wempty_body'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -6662,14 +6667,14 @@
+             _SAVE_CXXFLAGS="$CXXFLAGS"
+             CXXFLAGS="$CXXFLAGS -Werror -Wempty-body"
+             cat > conftest.$ac_ext <<EOF
+-#line 6666 "configure"
++#line 6671 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:6673: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:6678: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cxx_has_wempty_body="yes"
+ else
+@@ -6697,7 +6702,7 @@
+ 
+     
+     echo $ac_n "checking whether the C++ compiler supports -Werror=conversion-null""... $ac_c" 1>&6
+-echo "configure:6701: checking whether the C++ compiler supports -Werror=conversion-null" >&5
++echo "configure:6706: checking whether the C++ compiler supports -Werror=conversion-null" >&5
+ if eval "test \"`echo '$''{'ac_cxx_has_werror_conversion_null'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -6713,14 +6718,14 @@
+             _SAVE_CXXFLAGS="$CXXFLAGS"
+             CXXFLAGS="$CXXFLAGS -Werror -Werror=conversion-null"
+             cat > conftest.$ac_ext <<EOF
+-#line 6717 "configure"
++#line 6722 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:6724: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:6729: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cxx_has_werror_conversion_null="yes"
+ else
+@@ -6748,7 +6753,7 @@
+ 
+     
+     echo $ac_n "checking whether the C++ compiler supports -Wsign-compare""... $ac_c" 1>&6
+-echo "configure:6752: checking whether the C++ compiler supports -Wsign-compare" >&5
++echo "configure:6757: checking whether the C++ compiler supports -Wsign-compare" >&5
+ if eval "test \"`echo '$''{'ac_cxx_has_sign_compare'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -6764,14 +6769,14 @@
+             _SAVE_CXXFLAGS="$CXXFLAGS"
+             CXXFLAGS="$CXXFLAGS -Werror -Wsign-compare"
+             cat > conftest.$ac_ext <<EOF
+-#line 6768 "configure"
++#line 6773 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:6775: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:6780: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cxx_has_sign_compare="yes"
+ else
+@@ -6803,7 +6808,7 @@
+     #
+     
+     echo $ac_n "checking whether the C++ compiler supports -Wno-invalid-offsetof""... $ac_c" 1>&6
+-echo "configure:6807: checking whether the C++ compiler supports -Wno-invalid-offsetof" >&5
++echo "configure:6812: checking whether the C++ compiler supports -Wno-invalid-offsetof" >&5
+ if eval "test \"`echo '$''{'ac_cxx_has_wno_invalid_offsetof'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -6819,14 +6824,14 @@
+             _SAVE_CXXFLAGS="$CXXFLAGS"
+             CXXFLAGS="$CXXFLAGS -Werror -Winvalid-offsetof"
+             cat > conftest.$ac_ext <<EOF
+-#line 6823 "configure"
++#line 6828 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:6830: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:6835: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cxx_has_wno_invalid_offsetof="yes"
+ else
+@@ -6878,7 +6883,7 @@
+         _WARNINGS_CXXFLAGS="${_WARNINGS_CXXFLAGS} -Wno-c++0x-extensions"
+         
+     echo $ac_n "checking whether the C++ compiler supports -Wno-extended-offsetof""... $ac_c" 1>&6
+-echo "configure:6882: checking whether the C++ compiler supports -Wno-extended-offsetof" >&5
++echo "configure:6887: checking whether the C++ compiler supports -Wno-extended-offsetof" >&5
+ if eval "test \"`echo '$''{'ac_cxx_has_wno_extended_offsetof'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -6894,14 +6899,14 @@
+             _SAVE_CXXFLAGS="$CXXFLAGS"
+             CXXFLAGS="$CXXFLAGS -Werror -Wextended-offsetof"
+             cat > conftest.$ac_ext <<EOF
+-#line 6898 "configure"
++#line 6903 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:6905: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:6910: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cxx_has_wno_extended_offsetof="yes"
+ else
+@@ -6939,7 +6944,7 @@
+ if test "$COMPILE_ENVIRONMENT"; then
+ if test "$GNU_CC"; then
+   echo $ac_n "checking whether ld has archive extraction flags""... $ac_c" 1>&6
+-echo "configure:6943: checking whether ld has archive extraction flags" >&5
++echo "configure:6948: checking whether ld has archive extraction flags" >&5
+   if eval "test \"`echo '$''{'ac_cv_mkshlib_force_and_unforce'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -6956,14 +6961,14 @@
+       LDFLAGS=$force
+       LIBS=$unforce
+       cat > conftest.$ac_ext <<EOF
+-#line 6960 "configure"
++#line 6965 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:6967: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:6972: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_mkshlib_force_and_unforce=$line; break
+ else
+@@ -6998,16 +7003,16 @@
+ cross_compiling=$ac_cv_prog_cc_cross
+ 
+ echo $ac_n "checking for 64-bit OS""... $ac_c" 1>&6
+-echo "configure:7002: checking for 64-bit OS" >&5
++echo "configure:7007: checking for 64-bit OS" >&5
+ cat > conftest.$ac_ext <<EOF
+-#line 7004 "configure"
++#line 7009 "configure"
+ #include "confdefs.h"
+ $configure_static_assert_macros
+ int main() {
+ CONFIGURE_STATIC_ASSERT(sizeof(void*) == 8)
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7011: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7016: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   result="yes"
+ else
+@@ -7128,7 +7133,7 @@
+ esac
+ 
+ echo $ac_n "checking for custom <stdint.h> implementation""... $ac_c" 1>&6
+-echo "configure:7132: checking for custom <stdint.h> implementation" >&5
++echo "configure:7137: checking for custom <stdint.h> implementation" >&5
+ if test "$MOZ_CUSTOM_STDINT_H"; then
+   cat >> confdefs.pytmp <<EOF
+     (''' MOZ_CUSTOM_STDINT_H ''', r''' "$MOZ_CUSTOM_STDINT_H" ''')
+@@ -7196,9 +7201,9 @@
+ cross_compiling=$ac_cv_prog_cxx_cross
+ 
+             echo $ac_n "checking for IBM XLC/C++ compiler version >= 9.0.0.7""... $ac_c" 1>&6
+-echo "configure:7200: checking for IBM XLC/C++ compiler version >= 9.0.0.7" >&5
++echo "configure:7205: checking for IBM XLC/C++ compiler version >= 9.0.0.7" >&5
+             cat > conftest.$ac_ext <<EOF
+-#line 7202 "configure"
++#line 7207 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+@@ -7207,7 +7212,7 @@
+                  #endif
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7211: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7216: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   _BAD_COMPILER=
+ else
+@@ -7245,12 +7250,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:7249: checking for $ac_hdr" >&5
++echo "configure:7254: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 7254 "configure"
++#line 7259 "configure"
+ #include "confdefs.h"
+ 
+ #include <$ac_hdr>
+@@ -7258,7 +7263,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7262: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7267: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -7315,17 +7320,17 @@
+     # builds.
+     _SAVE_LDFLAGS=$LDFLAGS
+      echo $ac_n "checking for -framework ExceptionHandling""... $ac_c" 1>&6
+-echo "configure:7319: checking for -framework ExceptionHandling" >&5
++echo "configure:7324: checking for -framework ExceptionHandling" >&5
+     LDFLAGS="$LDFLAGS -framework ExceptionHandling"
+     cat > conftest.$ac_ext <<EOF
+-#line 7322 "configure"
++#line 7327 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return 0;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7329: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:7334: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_have_framework_exceptionhandling="yes"
+ else
+@@ -7347,18 +7352,18 @@
+         echo "Skipping -dead_strip because DTrace is enabled. See bug 403132."
+     else
+                 echo $ac_n "checking for -dead_strip option to ld""... $ac_c" 1>&6
+-echo "configure:7351: checking for -dead_strip option to ld" >&5
++echo "configure:7356: checking for -dead_strip option to ld" >&5
+         _SAVE_LDFLAGS=$LDFLAGS
+         LDFLAGS="$LDFLAGS -Wl,-dead_strip"
+         cat > conftest.$ac_ext <<EOF
+-#line 7355 "configure"
++#line 7360 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return 0;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7362: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:7367: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   _HAVE_DEAD_STRIP=1
+ else
+@@ -7521,7 +7526,7 @@
+         # warnings are useless on mingw.
+         
+     echo $ac_n "checking whether the C compiler supports -Wno-format""... $ac_c" 1>&6
+-echo "configure:7525: checking whether the C compiler supports -Wno-format" >&5
++echo "configure:7530: checking whether the C compiler supports -Wno-format" >&5
+ if eval "test \"`echo '$''{'ac_c_has_wno_format'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -7537,14 +7542,14 @@
+             _SAVE_CFLAGS="$CFLAGS"
+             CFLAGS="$CFLAGS -Werror -Wformat"
+             cat > conftest.$ac_ext <<EOF
+-#line 7541 "configure"
++#line 7546 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7548: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7553: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_c_has_wno_format="yes"
+ else
+@@ -7572,7 +7577,7 @@
+ 
+         
+     echo $ac_n "checking whether the C++ compiler supports -Wno-format""... $ac_c" 1>&6
+-echo "configure:7576: checking whether the C++ compiler supports -Wno-format" >&5
++echo "configure:7581: checking whether the C++ compiler supports -Wno-format" >&5
+ if eval "test \"`echo '$''{'ac_cxx_has_wno_format'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -7588,14 +7593,14 @@
+             _SAVE_CXXFLAGS="$CXXFLAGS"
+             CXXFLAGS="$CXXFLAGS -Werror -Wformat"
+             cat > conftest.$ac_ext <<EOF
+-#line 7592 "configure"
++#line 7597 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return(0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7599: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7604: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cxx_has_wno_format="yes"
+ else
+@@ -7951,19 +7956,19 @@
+     _DEFINES_CXXFLAGS="$_DEFINES_CXXFLAGS -Uunix -U__unix -U__unix__"
+ 
+     echo $ac_n "checking for __declspec(dllexport)""... $ac_c" 1>&6
+-echo "configure:7955: checking for __declspec(dllexport)" >&5
++echo "configure:7960: checking for __declspec(dllexport)" >&5
+ if eval "test \"`echo '$''{'ac_os2_declspec'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 7960 "configure"
++#line 7965 "configure"
+ #include "confdefs.h"
+ __declspec(dllexport) void ac_os2_declspec(void) {}
+ int main() {
+ return 0;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:7967: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:7972: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_os2_declspec="yes"
+ else
+@@ -8015,14 +8020,14 @@
+            _SAVE_LDFLAGS=$LDFLAGS
+            LDFLAGS="-M /usr/lib/ld/map.noexstk $LDFLAGS"
+            cat > conftest.$ac_ext <<EOF
+-#line 8019 "configure"
++#line 8024 "configure"
+ #include "confdefs.h"
+ #include <stdio.h>
+ int main() {
+ printf("Hello World\n");
+ ; return 0; }
+ EOF
+-if { (eval echo configure:8026: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:8031: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   :
+ else
+   echo "configure: failed program was:" >&5
+@@ -8050,7 +8055,7 @@
+        CC_VERSION=`$CC -V 2>&1 | grep '^cc:' 2>/dev/null | $AWK -F\: '{ print $2 }'`
+        CXX_VERSION=`$CXX -V 2>&1 | grep '^CC:' 2>/dev/null | $AWK -F\: '{ print $2 }'`
+        echo $ac_n "checking for Sun C++ compiler version >= 5.9""... $ac_c" 1>&6
+-echo "configure:8054: checking for Sun C++ compiler version >= 5.9" >&5
++echo "configure:8059: checking for Sun C++ compiler version >= 5.9" >&5
+        
+        ac_ext=C
+ # CXXFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
+@@ -8060,7 +8065,7 @@
+ cross_compiling=$ac_cv_prog_cxx_cross
+ 
+        cat > conftest.$ac_ext <<EOF
+-#line 8064 "configure"
++#line 8069 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+@@ -8069,7 +8074,7 @@
+            #endif
+ ; return 0; }
+ EOF
+-if { (eval echo configure:8073: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:8078: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   _BAD_COMPILER=
+ else
+@@ -8086,7 +8091,7 @@
+            _res="yes"
+        fi
+        cat > conftest.$ac_ext <<EOF
+-#line 8090 "configure"
++#line 8095 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+@@ -8095,7 +8100,7 @@
+            #endif
+ ; return 0; }
+ EOF
+-if { (eval echo configure:8099: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:8104: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   _ABOVE_SS12U1=
+ else
+@@ -8511,7 +8516,7 @@
+ 
+ if test "$GNU_CC" -a "$GCC_USE_GNU_LD" -a -z "$MOZ_DISABLE_ICF"; then
+     echo $ac_n "checking whether the linker supports Identical Code Folding""... $ac_c" 1>&6
+-echo "configure:8515: checking whether the linker supports Identical Code Folding" >&5
++echo "configure:8520: checking whether the linker supports Identical Code Folding" >&5
+ if eval "test \"`echo '$''{'LD_SUPPORTS_ICF'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -8520,7 +8525,7 @@
+               'int main() {return foo() - bar();}' > conftest.${ac_ext}
+         # If the linker supports ICF, foo and bar symbols will have
+         # the same address
+-        if { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS -Wl,--icf=safe -ffunction-sections conftest.${ac_ext} $LIBS 1>&2'; { (eval echo configure:8524: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } &&
++        if { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS -Wl,--icf=safe -ffunction-sections conftest.${ac_ext} $LIBS 1>&2'; { (eval echo configure:8529: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } &&
+            test -s conftest${ac_exeext} &&
+            objdump -t conftest${ac_exeext} | awk '{a[$6] = $1} END {if (a["foo"] && (a["foo"] != a["bar"])) { exit 1 }}'; then
+             LD_SUPPORTS_ICF=yes
+@@ -8535,14 +8540,14 @@
+         _SAVE_LDFLAGS="$LDFLAGS -Wl,--icf=safe"
+         LDFLAGS="$LDFLAGS -Wl,--icf=safe -Wl,--print-icf-sections"
+         cat > conftest.$ac_ext <<EOF
+-#line 8539 "configure"
++#line 8544 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:8546: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:8551: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   LD_PRINT_ICF_SECTIONS=-Wl,--print-icf-sections
+ else
+@@ -8560,15 +8565,15 @@
+ 
+ if test "$GNU_CC" -a "$GCC_USE_GNU_LD" -a -n "$MOZ_DEBUG_FLAGS"; then
+       echo $ac_n "checking whether removing dead symbols breaks debugging""... $ac_c" 1>&6
+-echo "configure:8564: checking whether removing dead symbols breaks debugging" >&5
++echo "configure:8569: checking whether removing dead symbols breaks debugging" >&5
+ if eval "test \"`echo '$''{'GC_SECTIONS_BREAKS_DEBUG_RANGES'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   echo 'int foo() {return 42;}' \
+              'int bar() {return 1;}' \
+              'int main() {return foo();}' > conftest.${ac_ext}
+-        if { ac_try='${CC-cc} -o conftest.${ac_objext} $CFLAGS $MOZ_DEBUG_FLAGS -c conftest.${ac_ext} 1>&2'; { (eval echo configure:8571: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } &&
+-           { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS $MOZ_DEBUG_FLAGS -Wl,--gc-sections conftest.${ac_objext} $LIBS 1>&2'; { (eval echo configure:8572: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } &&
++        if { ac_try='${CC-cc} -o conftest.${ac_objext} $CFLAGS $MOZ_DEBUG_FLAGS -c conftest.${ac_ext} 1>&2'; { (eval echo configure:8576: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } &&
++           { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS $MOZ_DEBUG_FLAGS -Wl,--gc-sections conftest.${ac_objext} $LIBS 1>&2'; { (eval echo configure:8577: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } &&
+            test -s conftest${ac_exeext} -a -s conftest.${ac_objext}; then
+             if test "`$PYTHON "$_topsrcdir"/build/autoconf/check_debug_ranges.py conftest.${ac_objext} conftest.${ac_ext}`" = \
+                     "`$PYTHON "$_topsrcdir"/build/autoconf/check_debug_ranges.py conftest${ac_exeext} conftest.${ac_ext}`"; then
+@@ -8591,12 +8596,12 @@
+ 
+ if test -z "$SKIP_COMPILER_CHECKS"; then
+ echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6
+-echo "configure:8595: checking for ANSI C header files" >&5
++echo "configure:8600: checking for ANSI C header files" >&5
+ if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 8600 "configure"
++#line 8605 "configure"
+ #include "confdefs.h"
+ #include <stdlib.h>
+ #include <stdarg.h>
+@@ -8604,7 +8609,7 @@
+ #include <float.h>
+ EOF
+ ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+-{ (eval echo configure:8608: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
++{ (eval echo configure:8613: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+ if test -z "$ac_err"; then
+   rm -rf conftest*
+@@ -8621,7 +8626,7 @@
+ if test $ac_cv_header_stdc = yes; then
+   # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+ cat > conftest.$ac_ext <<EOF
+-#line 8625 "configure"
++#line 8630 "configure"
+ #include "confdefs.h"
+ #include <string.h>
+ EOF
+@@ -8639,7 +8644,7 @@
+ if test $ac_cv_header_stdc = yes; then
+   # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+ cat > conftest.$ac_ext <<EOF
+-#line 8643 "configure"
++#line 8648 "configure"
+ #include "confdefs.h"
+ #include <stdlib.h>
+ EOF
+@@ -8660,7 +8665,7 @@
+   :
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 8664 "configure"
++#line 8669 "configure"
+ #include "confdefs.h"
+ #include <ctype.h>
+ #define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+@@ -8671,7 +8676,7 @@
+ exit (0); }
+ 
+ EOF
+-if { (eval echo configure:8675: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:8680: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   :
+ else
+@@ -8698,12 +8703,12 @@
+ fi
+ 
+ echo $ac_n "checking for working const""... $ac_c" 1>&6
+-echo "configure:8702: checking for working const" >&5
++echo "configure:8707: checking for working const" >&5
+ if eval "test \"`echo '$''{'ac_cv_c_const'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 8707 "configure"
++#line 8712 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+@@ -8752,7 +8757,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:8756: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:8761: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_c_const=yes
+ else
+@@ -8776,12 +8781,12 @@
+ fi
+ 
+ echo $ac_n "checking for mode_t""... $ac_c" 1>&6
+-echo "configure:8780: checking for mode_t" >&5
++echo "configure:8785: checking for mode_t" >&5
+ if eval "test \"`echo '$''{'ac_cv_type_mode_t'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 8785 "configure"
++#line 8790 "configure"
+ #include "confdefs.h"
+ #include <sys/types.h>
+ #if STDC_HEADERS
+@@ -8812,12 +8817,12 @@
+ fi
+ 
+ echo $ac_n "checking for off_t""... $ac_c" 1>&6
+-echo "configure:8816: checking for off_t" >&5
++echo "configure:8821: checking for off_t" >&5
+ if eval "test \"`echo '$''{'ac_cv_type_off_t'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 8821 "configure"
++#line 8826 "configure"
+ #include "confdefs.h"
+ #include <sys/types.h>
+ #if STDC_HEADERS
+@@ -8848,12 +8853,12 @@
+ fi
+ 
+ echo $ac_n "checking for pid_t""... $ac_c" 1>&6
+-echo "configure:8852: checking for pid_t" >&5
++echo "configure:8857: checking for pid_t" >&5
+ if eval "test \"`echo '$''{'ac_cv_type_pid_t'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 8857 "configure"
++#line 8862 "configure"
+ #include "confdefs.h"
+ #include <sys/types.h>
+ #if STDC_HEADERS
+@@ -8884,12 +8889,12 @@
+ fi
+ 
+ echo $ac_n "checking for size_t""... $ac_c" 1>&6
+-echo "configure:8888: checking for size_t" >&5
++echo "configure:8893: checking for size_t" >&5
+ if eval "test \"`echo '$''{'ac_cv_type_size_t'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 8893 "configure"
++#line 8898 "configure"
+ #include "confdefs.h"
+ #include <sys/types.h>
+ #if STDC_HEADERS
+@@ -8927,12 +8932,12 @@
+ cross_compiling=$ac_cv_prog_cxx_cross
+ 
+ echo $ac_n "checking for __stdcall""... $ac_c" 1>&6
+-echo "configure:8931: checking for __stdcall" >&5
++echo "configure:8936: checking for __stdcall" >&5
+ if eval "test \"`echo '$''{'ac_cv___stdcall'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 8936 "configure"
++#line 8941 "configure"
+ #include "confdefs.h"
+ template <typename Method> struct foo;
+                   template <> struct foo<void (*)()> {};
+@@ -8941,7 +8946,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:8945: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:8950: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv___stdcall=true
+ else
+@@ -8973,12 +8978,12 @@
+ cross_compiling=$ac_cv_prog_cc_cross
+ 
+ echo $ac_n "checking for ssize_t""... $ac_c" 1>&6
+-echo "configure:8977: checking for ssize_t" >&5
++echo "configure:8982: checking for ssize_t" >&5
+ if eval "test \"`echo '$''{'ac_cv_type_ssize_t'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 8982 "configure"
++#line 8987 "configure"
+ #include "confdefs.h"
+ #include <stdio.h>
+                   #include <sys/types.h>
+@@ -8986,7 +8991,7 @@
+ ssize_t foo = 0;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:8990: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:8995: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_type_ssize_t=true
+ else
+@@ -9011,12 +9016,12 @@
+   echo "$ac_t""no" 1>&6
+ fi
+ echo $ac_n "checking for st_blksize in struct stat""... $ac_c" 1>&6
+-echo "configure:9015: checking for st_blksize in struct stat" >&5
++echo "configure:9020: checking for st_blksize in struct stat" >&5
+ if eval "test \"`echo '$''{'ac_cv_struct_st_blksize'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9020 "configure"
++#line 9025 "configure"
+ #include "confdefs.h"
+ #include <sys/types.h>
+ #include <sys/stat.h>
+@@ -9024,7 +9029,7 @@
+ struct stat s; s.st_blksize;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9028: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:9033: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_struct_st_blksize=yes
+ else
+@@ -9048,12 +9053,12 @@
+ fi
+ 
+ echo $ac_n "checking for siginfo_t""... $ac_c" 1>&6
+-echo "configure:9052: checking for siginfo_t" >&5
++echo "configure:9057: checking for siginfo_t" >&5
+ if eval "test \"`echo '$''{'ac_cv_siginfo_t'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9057 "configure"
++#line 9062 "configure"
+ #include "confdefs.h"
+ #define _POSIX_C_SOURCE 199506L
+                   #include <signal.h>
+@@ -9061,7 +9066,7 @@
+ siginfo_t* info;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9065: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:9070: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_siginfo_t=true
+ else
+@@ -9088,7 +9093,7 @@
+ 
+ 
+ echo $ac_n "checking for the size of void*""... $ac_c" 1>&6
+-echo "configure:9092: checking for the size of void*" >&5
++echo "configure:9097: checking for the size of void*" >&5
+ if eval "test \"`echo '$''{'moz_cv_size_of_JS_BYTES_PER_WORD'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -9096,7 +9101,7 @@
+   moz_cv_size_of_JS_BYTES_PER_WORD=
+   for size in 4 8; do
+     cat > conftest.$ac_ext <<EOF
+-#line 9100 "configure"
++#line 9105 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+@@ -9106,7 +9111,7 @@
+                    
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9110: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:9115: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   moz_cv_size_of_JS_BYTES_PER_WORD=$size; break
+ else
+@@ -9154,12 +9159,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:9158: checking for $ac_hdr" >&5
++echo "configure:9163: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 9163 "configure"
++#line 9168 "configure"
+ #include "confdefs.h"
+ 
+ #include <$ac_hdr>
+@@ -9167,7 +9172,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9171: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:9176: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -9210,12 +9215,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:9214: checking for $ac_hdr" >&5
++echo "configure:9219: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 9219 "configure"
++#line 9224 "configure"
+ #include "confdefs.h"
+ #include <sys/types.h>
+ #include <$ac_hdr>
+@@ -9223,7 +9228,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9227: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:9232: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -9266,12 +9271,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:9270: checking for $ac_hdr" >&5
++echo "configure:9275: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 9275 "configure"
++#line 9280 "configure"
+ #include "confdefs.h"
+ 
+ #include <$ac_hdr>
+@@ -9279,7 +9284,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9283: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:9288: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -9319,12 +9324,12 @@
+ fi
+ 
+ echo $ac_n "checking for uint""... $ac_c" 1>&6
+-echo "configure:9323: checking for uint" >&5
++echo "configure:9328: checking for uint" >&5
+ if eval "test \"`echo '$''{'ac_cv_uint'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9328 "configure"
++#line 9333 "configure"
+ #include "confdefs.h"
+ #include <stdio.h>
+                   #include <sys/types.h>
+@@ -9332,7 +9337,7 @@
+ uint foo = 0;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9336: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:9341: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_uint=true
+ else
+@@ -9357,12 +9362,12 @@
+   echo "$ac_t""no" 1>&6
+ fi
+ echo $ac_n "checking for uint_t""... $ac_c" 1>&6
+-echo "configure:9361: checking for uint_t" >&5
++echo "configure:9366: checking for uint_t" >&5
+ if eval "test \"`echo '$''{'ac_cv_uint_t'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9366 "configure"
++#line 9371 "configure"
+ #include "confdefs.h"
+ #include <stdio.h>
+                   #include <sys/types.h>
+@@ -9370,7 +9375,7 @@
+ uint_t foo = 0;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9374: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:9379: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_uint_t=true
+ else
+@@ -9404,12 +9409,12 @@
+ 
+ 
+ echo $ac_n "checking for uname.domainname""... $ac_c" 1>&6
+-echo "configure:9408: checking for uname.domainname" >&5
++echo "configure:9413: checking for uname.domainname" >&5
+ if eval "test \"`echo '$''{'ac_cv_have_uname_domainname_field'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9413 "configure"
++#line 9418 "configure"
+ #include "confdefs.h"
+ #include <sys/utsname.h>
+ int main() {
+@@ -9417,7 +9422,7 @@
+             (void)uname(res);  if (res != 0) { domain = res->domainname; } 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9421: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:9426: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_have_uname_domainname_field=true
+ else
+@@ -9444,12 +9449,12 @@
+ fi
+ 
+ echo $ac_n "checking for uname.__domainname""... $ac_c" 1>&6
+-echo "configure:9448: checking for uname.__domainname" >&5
++echo "configure:9453: checking for uname.__domainname" >&5
+ if eval "test \"`echo '$''{'ac_cv_have_uname_us_domainname_field'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9453 "configure"
++#line 9458 "configure"
+ #include "confdefs.h"
+ #include <sys/utsname.h>
+ int main() {
+@@ -9457,7 +9462,7 @@
+             (void)uname(res);  if (res != 0) { domain = res->__domainname; } 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9461: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:9466: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_have_uname_us_domainname_field=true
+ else
+@@ -9497,19 +9502,19 @@
+     USE_CXX11=
+ 
+     echo $ac_n "checking for gcc c++0x headers bug without rtti""... $ac_c" 1>&6
+-echo "configure:9501: checking for gcc c++0x headers bug without rtti" >&5
++echo "configure:9506: checking for gcc c++0x headers bug without rtti" >&5
+ if eval "test \"`echo '$''{'ac_cv_cxx0x_headers_bug'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9506 "configure"
++#line 9511 "configure"
+ #include "confdefs.h"
+ #include <memory>
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9513: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:9518: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_cxx0x_headers_bug="no"
+ else
+@@ -9526,19 +9531,19 @@
+     if test "$CLANG_CXX" -a "$ac_cv_cxx0x_headers_bug" = "yes"; then
+         CXXFLAGS="$CXXFLAGS -I$_topsrcdir/build/unix/headers"
+         echo $ac_n "checking whether workaround for gcc c++0x headers conflict with clang works""... $ac_c" 1>&6
+-echo "configure:9530: checking whether workaround for gcc c++0x headers conflict with clang works" >&5
++echo "configure:9535: checking whether workaround for gcc c++0x headers conflict with clang works" >&5
+ if eval "test \"`echo '$''{'ac_cv_cxx0x_clang_workaround'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9535 "configure"
++#line 9540 "configure"
+ #include "confdefs.h"
+ #include <memory>
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9542: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:9547: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_cxx0x_clang_workaround="yes"
+ else
+@@ -9572,7 +9577,7 @@
+ 
+ if test "$GNU_CC"; then
+   echo $ac_n "checking for visibility(hidden) attribute""... $ac_c" 1>&6
+-echo "configure:9576: checking for visibility(hidden) attribute" >&5
++echo "configure:9581: checking for visibility(hidden) attribute" >&5
+ if eval "test \"`echo '$''{'ac_cv_visibility_hidden'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -9600,7 +9605,7 @@
+ 
+ 
+     echo $ac_n "checking for visibility(default) attribute""... $ac_c" 1>&6
+-echo "configure:9604: checking for visibility(default) attribute" >&5
++echo "configure:9609: checking for visibility(default) attribute" >&5
+ if eval "test \"`echo '$''{'ac_cv_visibility_default'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -9628,7 +9633,7 @@
+ 
+ 
+       echo $ac_n "checking for visibility pragma support""... $ac_c" 1>&6
+-echo "configure:9632: checking for visibility pragma support" >&5
++echo "configure:9637: checking for visibility pragma support" >&5
+ if eval "test \"`echo '$''{'ac_cv_visibility_pragma'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -9653,7 +9658,7 @@
+ echo "$ac_t""$ac_cv_visibility_pragma" 1>&6
+       if test "$ac_cv_visibility_pragma" = "yes"; then
+         echo $ac_n "checking For gcc visibility bug with class-level attributes (GCC bug 26905)""... $ac_c" 1>&6
+-echo "configure:9657: checking For gcc visibility bug with class-level attributes (GCC bug 26905)" >&5
++echo "configure:9662: checking For gcc visibility bug with class-level attributes (GCC bug 26905)" >&5
+ if eval "test \"`echo '$''{'ac_cv_have_visibility_class_bug'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -9681,7 +9686,7 @@
+ echo "$ac_t""$ac_cv_have_visibility_class_bug" 1>&6
+ 
+         echo $ac_n "checking For x86_64 gcc visibility bug with builtins (GCC bug 20297)""... $ac_c" 1>&6
+-echo "configure:9685: checking For x86_64 gcc visibility bug with builtins (GCC bug 20297)" >&5
++echo "configure:9690: checking For x86_64 gcc visibility bug with builtins (GCC bug 20297)" >&5
+ if eval "test \"`echo '$''{'ac_cv_have_visibility_builtin_bug'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -9733,7 +9738,7 @@
+ if test "$GNU_CC"; then
+ 
+ echo $ac_n "checking for gcc PR49911""... $ac_c" 1>&6
+-echo "configure:9737: checking for gcc PR49911" >&5
++echo "configure:9742: checking for gcc PR49911" >&5
+ ac_have_gcc_pr49911="no"
+ 
+ ac_ext=C
+@@ -9750,7 +9755,7 @@
+   true
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9754 "configure"
++#line 9759 "configure"
+ #include "confdefs.h"
+ 
+ extern "C" void abort(void);
+@@ -9791,7 +9796,7 @@
+ }
+ 
+ EOF
+-if { (eval echo configure:9795: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:9800: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   true
+ else
+@@ -9824,7 +9829,7 @@
+ 
+ 
+ echo $ac_n "checking for gcc pr39608""... $ac_c" 1>&6
+-echo "configure:9828: checking for gcc pr39608" >&5
++echo "configure:9833: checking for gcc pr39608" >&5
+ ac_have_gcc_pr39608="yes"
+ 
+ ac_ext=C
+@@ -9836,7 +9841,7 @@
+ 
+ 
+ cat > conftest.$ac_ext <<EOF
+-#line 9840 "configure"
++#line 9845 "configure"
+ #include "confdefs.h"
+ 
+ typedef void (*FuncType)();
+@@ -9854,7 +9859,7 @@
+ true
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9858: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:9863: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_have_gcc_pr39608="no"
+ else
+@@ -9884,7 +9889,7 @@
+     # cannot do enough code gen for now to make this test work correctly.
+     
+ echo $ac_n "checking for llvm pr8927""... $ac_c" 1>&6
+-echo "configure:9888: checking for llvm pr8927" >&5
++echo "configure:9893: checking for llvm pr8927" >&5
+ ac_have_llvm_pr8927="no"
+ 
+ ac_ext=c
+@@ -9901,7 +9906,7 @@
+   true
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9905 "configure"
++#line 9910 "configure"
+ #include "confdefs.h"
+ 
+ struct foobar {
+@@ -9924,7 +9929,7 @@
+ }
+ 
+ EOF
+-if { (eval echo configure:9928: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:9933: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   true
+ else
+@@ -9963,12 +9968,12 @@
+ do
+ ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+ echo $ac_n "checking for $ac_hdr that defines DIR""... $ac_c" 1>&6
+-echo "configure:9967: checking for $ac_hdr that defines DIR" >&5
++echo "configure:9972: checking for $ac_hdr that defines DIR" >&5
+ if eval "test \"`echo '$''{'ac_cv_header_dirent_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 9972 "configure"
++#line 9977 "configure"
+ #include "confdefs.h"
+ #include <sys/types.h>
+ #include <$ac_hdr>
+@@ -9976,7 +9981,7 @@
+ DIR *dirp = 0;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:9980: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:9985: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_dirent_$ac_safe=yes"
+ else
+@@ -10004,7 +10009,7 @@
+ # Two versions of opendir et al. are in -ldir and -lx on SCO Xenix.
+ if test $ac_header_dirent = dirent.h; then
+ echo $ac_n "checking for opendir in -ldir""... $ac_c" 1>&6
+-echo "configure:10008: checking for opendir in -ldir" >&5
++echo "configure:10013: checking for opendir in -ldir" >&5
+ ac_lib_var=`echo dir'_'opendir | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -10012,7 +10017,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-ldir  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 10016 "configure"
++#line 10021 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -10023,7 +10028,7 @@
+ opendir()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10027: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:10032: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -10045,7 +10050,7 @@
+ 
+ else
+ echo $ac_n "checking for opendir in -lx""... $ac_c" 1>&6
+-echo "configure:10049: checking for opendir in -lx" >&5
++echo "configure:10054: checking for opendir in -lx" >&5
+ ac_lib_var=`echo x'_'opendir | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -10053,7 +10058,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lx  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 10057 "configure"
++#line 10062 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -10064,7 +10069,7 @@
+ opendir()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10068: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:10073: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -10098,12 +10103,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:10102: checking for $ac_hdr" >&5
++echo "configure:10107: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 10107 "configure"
++#line 10112 "configure"
+ #include "confdefs.h"
+ 
+ #include <$ac_hdr>
+@@ -10111,7 +10116,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10115: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10120: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -10146,12 +10151,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:10150: checking for $ac_hdr" >&5
++echo "configure:10155: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 10155 "configure"
++#line 10160 "configure"
+ #include "confdefs.h"
+ 
+ #include <$ac_hdr>
+@@ -10159,7 +10164,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10163: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10168: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -10193,12 +10198,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:10197: checking for $ac_hdr" >&5
++echo "configure:10202: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 10202 "configure"
++#line 10207 "configure"
+ #include "confdefs.h"
+ 
+ #include <$ac_hdr>
+@@ -10206,7 +10211,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10210: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10215: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -10239,12 +10244,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:10243: checking for $ac_hdr" >&5
++echo "configure:10248: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 10248 "configure"
++#line 10253 "configure"
+ #include "confdefs.h"
+ 
+ #include <$ac_hdr>
+@@ -10252,7 +10257,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10256: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10261: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -10292,12 +10297,12 @@
+ NEW_H=new.h
+    ac_safe=`echo "new" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for new""... $ac_c" 1>&6
+-echo "configure:10296: checking for new" >&5
++echo "configure:10301: checking for new" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 10301 "configure"
++#line 10306 "configure"
+ #include "confdefs.h"
+ 
+ #include <new>
+@@ -10305,7 +10310,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10309: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10314: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -10349,12 +10354,12 @@
+ if test "x$enable_dtrace" = "xyes"; then
+      ac_safe=`echo "sys/sdt.h" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for sys/sdt.h""... $ac_c" 1>&6
+-echo "configure:10353: checking for sys/sdt.h" >&5
++echo "configure:10358: checking for sys/sdt.h" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 10358 "configure"
++#line 10363 "configure"
+ #include "confdefs.h"
+ 
+ #include <sys/sdt.h>
+@@ -10362,7 +10367,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10366: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10371: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -10404,12 +10409,12 @@
+   do
+        ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:10408: checking for $ac_hdr" >&5
++echo "configure:10413: checking for $ac_hdr" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 10413 "configure"
++#line 10418 "configure"
+ #include "confdefs.h"
+ 
+ #include <$ac_hdr>
+@@ -10417,7 +10422,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10421: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10426: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -10469,12 +10474,12 @@
+ 
+    ac_safe=`echo "linux/perf_event.h" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for linux/perf_event.h""... $ac_c" 1>&6
+-echo "configure:10473: checking for linux/perf_event.h" >&5
++echo "configure:10478: checking for linux/perf_event.h" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 10478 "configure"
++#line 10483 "configure"
+ #include "confdefs.h"
+ 
+ #include <linux/perf_event.h>
+@@ -10482,7 +10487,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10486: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10491: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -10497,19 +10502,19 @@
+   if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+     echo "$ac_t""yes" 1>&6
+     echo $ac_n "checking for perf_event_open system call""... $ac_c" 1>&6
+-echo "configure:10501: checking for perf_event_open system call" >&5
++echo "configure:10506: checking for perf_event_open system call" >&5
+ if eval "test \"`echo '$''{'ac_cv_perf_event_open'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 10506 "configure"
++#line 10511 "configure"
+ #include "confdefs.h"
+ #include <asm/unistd.h>
+ int main() {
+ return sizeof(__NR_perf_event_open);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10513: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10518: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_perf_event_open=yes
+ else
+@@ -10545,7 +10550,7 @@
+ 	;;
+ *)
+ 	echo $ac_n "checking for gethostbyname_r in -lc_r""... $ac_c" 1>&6
+-echo "configure:10549: checking for gethostbyname_r in -lc_r" >&5
++echo "configure:10554: checking for gethostbyname_r in -lc_r" >&5
+ ac_lib_var=`echo c_r'_'gethostbyname_r | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -10553,7 +10558,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lc_r  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 10557 "configure"
++#line 10562 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -10564,7 +10569,7 @@
+ gethostbyname_r()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10568: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:10573: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -10605,14 +10610,14 @@
+ *)
+     
+ echo $ac_n "checking for library containing dlopen""... $ac_c" 1>&6
+-echo "configure:10609: checking for library containing dlopen" >&5
++echo "configure:10614: checking for library containing dlopen" >&5
+ if eval "test \"`echo '$''{'ac_cv_search_dlopen'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   ac_func_search_save_LIBS="$LIBS"
+ ac_cv_search_dlopen="no"
+ cat > conftest.$ac_ext <<EOF
+-#line 10616 "configure"
++#line 10621 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -10623,7 +10628,7 @@
+ dlopen()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10627: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:10632: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_search_dlopen="none required"
+ else
+@@ -10634,7 +10639,7 @@
+ test "$ac_cv_search_dlopen" = "no" && for i in dl; do
+ LIBS="-l$i  $ac_func_search_save_LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 10638 "configure"
++#line 10643 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -10645,7 +10650,7 @@
+ dlopen()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10649: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:10654: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_search_dlopen="-l$i"
+ break
+@@ -10663,12 +10668,12 @@
+   test "$ac_cv_search_dlopen" = "none required" || LIBS="$ac_cv_search_dlopen $LIBS"
+      ac_safe=`echo "dlfcn.h" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for dlfcn.h""... $ac_c" 1>&6
+-echo "configure:10667: checking for dlfcn.h" >&5
++echo "configure:10672: checking for dlfcn.h" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 10672 "configure"
++#line 10677 "configure"
+ #include "confdefs.h"
+ 
+ #include <dlfcn.h>
+@@ -10676,7 +10681,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10680: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:10685: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -10713,12 +10718,12 @@
+ for ac_func in dladdr
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:10717: checking for $ac_func" >&5
++echo "configure:10722: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 10722 "configure"
++#line 10727 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -10741,7 +10746,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10745: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:10750: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -10775,7 +10780,7 @@
+     case $target in
+     *-aix*)
+ 	echo $ac_n "checking for demangle in -lC_r""... $ac_c" 1>&6
+-echo "configure:10779: checking for demangle in -lC_r" >&5
++echo "configure:10784: checking for demangle in -lC_r" >&5
+ ac_lib_var=`echo C_r'_'demangle | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -10783,7 +10788,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lC_r  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 10787 "configure"
++#line 10792 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -10794,7 +10799,7 @@
+ demangle()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10798: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:10803: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -10827,7 +10832,7 @@
+ 	;;
+      *)
+ 	echo $ac_n "checking for demangle in -lC""... $ac_c" 1>&6
+-echo "configure:10831: checking for demangle in -lC" >&5
++echo "configure:10836: checking for demangle in -lC" >&5
+ ac_lib_var=`echo C'_'demangle | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -10835,7 +10840,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lC  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 10839 "configure"
++#line 10844 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -10846,7 +10851,7 @@
+ demangle()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10850: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:10855: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -10885,7 +10890,7 @@
+     ;;
+ *)
+     echo $ac_n "checking for socket in -lsocket""... $ac_c" 1>&6
+-echo "configure:10889: checking for socket in -lsocket" >&5
++echo "configure:10894: checking for socket in -lsocket" >&5
+ ac_lib_var=`echo socket'_'socket | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -10893,7 +10898,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lsocket  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 10897 "configure"
++#line 10902 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -10904,7 +10909,7 @@
+ socket()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:10908: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:10913: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -10943,7 +10948,7 @@
+ *)
+     
+ echo $ac_n "checking for pthread_create in -lpthreads""... $ac_c" 1>&6
+-echo "configure:10947: checking for pthread_create in -lpthreads" >&5
++echo "configure:10952: checking for pthread_create in -lpthreads" >&5
+ echo "
+     #include <pthread.h>
+     #include <stdlib.h>
+@@ -10966,7 +10971,7 @@
+         echo "$ac_t""no" 1>&6
+         
+ echo $ac_n "checking for pthread_create in -lpthread""... $ac_c" 1>&6
+-echo "configure:10970: checking for pthread_create in -lpthread" >&5
++echo "configure:10975: checking for pthread_create in -lpthread" >&5
+ echo "
+     #include <pthread.h>
+     #include <stdlib.h>
+@@ -10989,7 +10994,7 @@
+         echo "$ac_t""no" 1>&6
+         
+ echo $ac_n "checking for pthread_create in -lc_r""... $ac_c" 1>&6
+-echo "configure:10993: checking for pthread_create in -lc_r" >&5
++echo "configure:10998: checking for pthread_create in -lc_r" >&5
+ echo "
+     #include <pthread.h>
+     #include <stdlib.h>
+@@ -11012,7 +11017,7 @@
+         echo "$ac_t""no" 1>&6
+         
+ echo $ac_n "checking for pthread_create in -lc""... $ac_c" 1>&6
+-echo "configure:11016: checking for pthread_create in -lc" >&5
++echo "configure:11021: checking for pthread_create in -lc" >&5
+ echo "
+     #include <pthread.h>
+     #include <stdlib.h>
+@@ -11071,7 +11076,7 @@
+ 				rm -f conftest*
+ 	ac_cv_have_dash_pthread=no
+ 	echo $ac_n "checking whether ${CC-cc} accepts -pthread""... $ac_c" 1>&6
+-echo "configure:11075: checking whether ${CC-cc} accepts -pthread" >&5
++echo "configure:11080: checking whether ${CC-cc} accepts -pthread" >&5
+ 	echo 'int main() { return 0; }' | cat > conftest.c
+ 	${CC-cc} -pthread -o conftest conftest.c > conftest.out 2>&1
+ 	if test $? -eq 0; then
+@@ -11094,7 +11099,7 @@
+ 			    ac_cv_have_dash_pthreads=no
+     if test "$ac_cv_have_dash_pthread" = "no"; then
+ 	    echo $ac_n "checking whether ${CC-cc} accepts -pthreads""... $ac_c" 1>&6
+-echo "configure:11098: checking whether ${CC-cc} accepts -pthreads" >&5
++echo "configure:11103: checking whether ${CC-cc} accepts -pthreads" >&5
+     	echo 'int main() { return 0; }' | cat > conftest.c
+ 	    ${CC-cc} -pthreads -o conftest conftest.c > conftest.out 2>&1
+     	if test $? -eq 0; then
+@@ -11199,13 +11204,13 @@
+ 
+ if test $ac_cv_prog_gcc = yes; then
+     echo $ac_n "checking whether ${CC-cc} needs -traditional""... $ac_c" 1>&6
+-echo "configure:11203: checking whether ${CC-cc} needs -traditional" >&5
++echo "configure:11208: checking whether ${CC-cc} needs -traditional" >&5
+ if eval "test \"`echo '$''{'ac_cv_prog_gcc_traditional'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+     ac_pattern="Autoconf.*'x'"
+   cat > conftest.$ac_ext <<EOF
+-#line 11209 "configure"
++#line 11214 "configure"
+ #include "confdefs.h"
+ #include <sgtty.h>
+ Autoconf TIOCGETP
+@@ -11223,7 +11228,7 @@
+ 
+   if test $ac_cv_prog_gcc_traditional = no; then
+     cat > conftest.$ac_ext <<EOF
+-#line 11227 "configure"
++#line 11232 "configure"
+ #include "confdefs.h"
+ #include <termio.h>
+ Autoconf TCGETA
+@@ -11245,7 +11250,7 @@
+ fi
+ 
+ echo $ac_n "checking for 8-bit clean memcmp""... $ac_c" 1>&6
+-echo "configure:11249: checking for 8-bit clean memcmp" >&5
++echo "configure:11254: checking for 8-bit clean memcmp" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_memcmp_clean'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -11253,7 +11258,7 @@
+   ac_cv_func_memcmp_clean=no
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11257 "configure"
++#line 11262 "configure"
+ #include "confdefs.h"
+ 
+ main()
+@@ -11263,7 +11268,7 @@
+ }
+ 
+ EOF
+-if { (eval echo configure:11267: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:11272: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   ac_cv_func_memcmp_clean=yes
+ else
+@@ -11285,12 +11290,12 @@
+                 stat64 statvfs statvfs64 strerror strtok_r truncate64
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:11289: checking for $ac_func" >&5
++echo "configure:11294: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11294 "configure"
++#line 11299 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -11313,7 +11318,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11317: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:11322: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -11351,19 +11356,19 @@
+ cross_compiling=$ac_cv_prog_cxx_cross
+ 
+ echo $ac_n "checking for wcrtomb""... $ac_c" 1>&6
+-echo "configure:11355: checking for wcrtomb" >&5
++echo "configure:11360: checking for wcrtomb" >&5
+ if eval "test \"`echo '$''{'ac_cv_have_wcrtomb'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11360 "configure"
++#line 11365 "configure"
+ #include "confdefs.h"
+ #include <wchar.h>
+ int main() {
+ mbstate_t ps={0};wcrtomb(0,'f',&ps);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11367: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:11372: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_have_wcrtomb="yes"
+ else
+@@ -11386,19 +11391,19 @@
+ 
+ fi
+ echo $ac_n "checking for mbrtowc""... $ac_c" 1>&6
+-echo "configure:11390: checking for mbrtowc" >&5
++echo "configure:11395: checking for mbrtowc" >&5
+ if eval "test \"`echo '$''{'ac_cv_have_mbrtowc'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11395 "configure"
++#line 11400 "configure"
+ #include "confdefs.h"
+ #include <wchar.h>
+ int main() {
+ mbstate_t ps={0};mbrtowc(0,0,0,&ps);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11402: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:11407: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_have_mbrtowc="yes"
+ else
+@@ -11430,12 +11435,12 @@
+ fi
+ 
+ echo $ac_n "checking for res_ninit()""... $ac_c" 1>&6
+-echo "configure:11434: checking for res_ninit()" >&5
++echo "configure:11439: checking for res_ninit()" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_res_ninit'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11439 "configure"
++#line 11444 "configure"
+ #include "confdefs.h"
+ 
+         #ifdef linux
+@@ -11447,7 +11452,7 @@
+ int foo = res_ninit(&_res);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11451: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:11456: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_func_res_ninit=yes
+ else
+@@ -11480,12 +11485,12 @@
+ cross_compiling=$ac_cv_prog_cxx_cross
+ 
+ echo $ac_n "checking for gnu_get_libc_version()""... $ac_c" 1>&6
+-echo "configure:11484: checking for gnu_get_libc_version()" >&5
++echo "configure:11489: checking for gnu_get_libc_version()" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_gnu_get_libc_version'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11489 "configure"
++#line 11494 "configure"
+ #include "confdefs.h"
+ 
+         #ifdef HAVE_GNU_LIBC_VERSION_H
+@@ -11496,7 +11501,7 @@
+ const char *glibc_version = gnu_get_libc_version();
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11500: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:11505: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_func_gnu_get_libc_version=yes
+ else
+@@ -11530,7 +11535,7 @@
+ 
+ 
+ echo $ac_n "checking for an implementation of va_copy()""... $ac_c" 1>&6
+-echo "configure:11534: checking for an implementation of va_copy()" >&5
++echo "configure:11539: checking for an implementation of va_copy()" >&5
+ if eval "test \"`echo '$''{'ac_cv_va_copy'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -11540,7 +11545,7 @@
+     
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11544 "configure"
++#line 11549 "configure"
+ #include "confdefs.h"
+ 
+         #include <stdarg.h>
+@@ -11554,7 +11559,7 @@
+         }
+         int main() { f (0, 42); return 0; }
+ EOF
+-if { (eval echo configure:11558: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:11563: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   ac_cv_va_copy=yes
+ else
+@@ -11571,7 +11576,7 @@
+ 
+ echo "$ac_t""$ac_cv_va_copy" 1>&6
+ echo $ac_n "checking for an implementation of __va_copy()""... $ac_c" 1>&6
+-echo "configure:11575: checking for an implementation of __va_copy()" >&5
++echo "configure:11580: checking for an implementation of __va_copy()" >&5
+ if eval "test \"`echo '$''{'ac_cv___va_copy'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -11581,7 +11586,7 @@
+     
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11585 "configure"
++#line 11590 "configure"
+ #include "confdefs.h"
+ 
+         #include <stdarg.h>
+@@ -11595,7 +11600,7 @@
+         }
+         int main() { f (0, 42); return 0; }
+ EOF
+-if { (eval echo configure:11599: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:11604: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   ac_cv___va_copy=yes
+ else
+@@ -11612,7 +11617,7 @@
+ 
+ echo "$ac_t""$ac_cv___va_copy" 1>&6
+ echo $ac_n "checking whether va_lists can be copied by value""... $ac_c" 1>&6
+-echo "configure:11616: checking whether va_lists can be copied by value" >&5
++echo "configure:11621: checking whether va_lists can be copied by value" >&5
+ if eval "test \"`echo '$''{'ac_cv_va_val_copy'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -11622,7 +11627,7 @@
+     
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11626 "configure"
++#line 11631 "configure"
+ #include "confdefs.h"
+ 
+         #include <stdarg.h>
+@@ -11636,7 +11641,7 @@
+         }
+         int main() { f (0, 42); return 0; }
+ EOF
+-if { (eval echo configure:11640: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:11645: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   ac_cv_va_val_copy=yes
+ else
+@@ -11706,12 +11711,12 @@
+ if test "$GNU_CC"; then
+   if test "$CPU_ARCH" = "arm" ; then
+     echo $ac_n "checking for ARM EABI""... $ac_c" 1>&6
+-echo "configure:11710: checking for ARM EABI" >&5
++echo "configure:11715: checking for ARM EABI" >&5
+ if eval "test \"`echo '$''{'ac_cv_gcc_arm_eabi'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11715 "configure"
++#line 11720 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+@@ -11724,7 +11729,7 @@
+                         
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11728: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11733: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_gcc_arm_eabi="yes"
+ else
+@@ -11749,12 +11754,12 @@
+ fi
+ 
+ echo $ac_n "checking whether the C++ \"using\" keyword resolves ambiguity""... $ac_c" 1>&6
+-echo "configure:11753: checking whether the C++ \"using\" keyword resolves ambiguity" >&5
++echo "configure:11758: checking whether the C++ \"using\" keyword resolves ambiguity" >&5
+ if eval "test \"`echo '$''{'ac_cv_cpp_ambiguity_resolving_using'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11758 "configure"
++#line 11763 "configure"
+ #include "confdefs.h"
+ class X {
+                                  public: int go(const X&) {return 3;}
+@@ -11770,7 +11775,7 @@
+ X x; Y y; y.jo(x);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11774: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11779: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_cpp_ambiguity_resolving_using=yes
+ else
+@@ -11794,7 +11799,7 @@
+ fi
+ 
+ echo $ac_n "checking for C++ dynamic_cast to void*""... $ac_c" 1>&6
+-echo "configure:11798: checking for C++ dynamic_cast to void*" >&5
++echo "configure:11803: checking for C++ dynamic_cast to void*" >&5
+ if eval "test \"`echo '$''{'ac_cv_cpp_dynamic_cast_void_ptr'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -11802,7 +11807,7 @@
+   ac_cv_cpp_dynamic_cast_void_ptr=no
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11806 "configure"
++#line 11811 "configure"
+ #include "confdefs.h"
+ class X { int i; public: virtual ~X() { } };
+                             class Y { int j; public: virtual ~Y() { } };
+@@ -11818,7 +11823,7 @@
+                                            ((void*)&mdo == dynamic_cast<void*>(suby))));
+                             }
+ EOF
+-if { (eval echo configure:11822: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:11827: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   ac_cv_cpp_dynamic_cast_void_ptr=yes
+ else
+@@ -11845,19 +11850,19 @@
+ 
+ 
+ echo $ac_n "checking whether C++ requires implementation of unused virtual methods""... $ac_c" 1>&6
+-echo "configure:11849: checking whether C++ requires implementation of unused virtual methods" >&5
++echo "configure:11854: checking whether C++ requires implementation of unused virtual methods" >&5
+ if eval "test \"`echo '$''{'ac_cv_cpp_unused_required'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11854 "configure"
++#line 11859 "configure"
+ #include "confdefs.h"
+ class X {private: virtual void never_called();};
+ int main() {
+ X x;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11861: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:11866: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_cpp_unused_required=no
+ else
+@@ -11883,12 +11888,12 @@
+ 
+ 
+ echo $ac_n "checking for trouble comparing to zero near std::operator!=()""... $ac_c" 1>&6
+-echo "configure:11887: checking for trouble comparing to zero near std::operator!=()" >&5
++echo "configure:11892: checking for trouble comparing to zero near std::operator!=()" >&5
+ if eval "test \"`echo '$''{'ac_cv_trouble_comparing_to_zero'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11892 "configure"
++#line 11897 "configure"
+ #include "confdefs.h"
+ #include <algorithm>
+                                 template <class T> class Foo {};
+@@ -11899,7 +11904,7 @@
+ Foo<int> f; return (0 != f);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11903: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:11908: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_trouble_comparing_to_zero=no
+ else
+@@ -11929,19 +11934,19 @@
+ _SAVE_LDFLAGS=$LDFLAGS
+ LDFLAGS="$LDFLAGS $DSO_PIC_CFLAGS $DSO_LDOPTS $MOZ_OPTIMIZE_LDFLAGS"
+ echo $ac_n "checking for __thread keyword for TLS variables""... $ac_c" 1>&6
+-echo "configure:11933: checking for __thread keyword for TLS variables" >&5
++echo "configure:11938: checking for __thread keyword for TLS variables" >&5
+ if eval "test \"`echo '$''{'ac_cv_thread_keyword'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11938 "configure"
++#line 11943 "configure"
+ #include "confdefs.h"
+ __thread bool tlsIsMainThread = false;
+ int main() {
+ return tlsIsMainThread;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11945: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:11950: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv_thread_keyword=yes
+ else
+@@ -11979,19 +11984,19 @@
+ 
+ 
+ echo $ac_n "checking for __attribute__((always_inline))""... $ac_c" 1>&6
+-echo "configure:11983: checking for __attribute__((always_inline))" >&5
++echo "configure:11988: checking for __attribute__((always_inline))" >&5
+ if eval "test \"`echo '$''{'ac_cv_attribute_always_inline'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 11988 "configure"
++#line 11993 "configure"
+ #include "confdefs.h"
+ inline void f(void) __attribute__((always_inline));
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:11995: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:12000: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_attribute_always_inline=yes
+ else
+@@ -12006,19 +12011,19 @@
+ echo "$ac_t""$ac_cv_attribute_always_inline" 1>&6
+ 
+ echo $ac_n "checking for __attribute__((malloc))""... $ac_c" 1>&6
+-echo "configure:12010: checking for __attribute__((malloc))" >&5
++echo "configure:12015: checking for __attribute__((malloc))" >&5
+ if eval "test \"`echo '$''{'ac_cv_attribute_malloc'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 12015 "configure"
++#line 12020 "configure"
+ #include "confdefs.h"
+ void* f(int) __attribute__((malloc));
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12022: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:12027: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_attribute_malloc=yes
+ else
+@@ -12033,19 +12038,19 @@
+ echo "$ac_t""$ac_cv_attribute_malloc" 1>&6
+ 
+ echo $ac_n "checking for __attribute__((warn_unused_result))""... $ac_c" 1>&6
+-echo "configure:12037: checking for __attribute__((warn_unused_result))" >&5
++echo "configure:12042: checking for __attribute__((warn_unused_result))" >&5
+ if eval "test \"`echo '$''{'ac_cv_attribute_warn_unused'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 12042 "configure"
++#line 12047 "configure"
+ #include "confdefs.h"
+ int f(void) __attribute__((warn_unused_result));
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12049: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:12054: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_attribute_warn_unused=yes
+ else
+@@ -12069,19 +12074,19 @@
+ 
+ 
+ echo $ac_n "checking for LC_MESSAGES""... $ac_c" 1>&6
+-echo "configure:12073: checking for LC_MESSAGES" >&5
++echo "configure:12078: checking for LC_MESSAGES" >&5
+ if eval "test \"`echo '$''{'ac_cv_i18n_lc_messages'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 12078 "configure"
++#line 12083 "configure"
+ #include "confdefs.h"
+ #include <locale.h>
+ int main() {
+ int category = LC_MESSAGES;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12085: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:12090: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_i18n_lc_messages=yes
+ else
+@@ -12107,12 +12112,12 @@
+ for ac_func in localeconv
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:12111: checking for $ac_func" >&5
++echo "configure:12116: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 12116 "configure"
++#line 12121 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -12135,7 +12140,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12139: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:12144: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -12356,7 +12361,7 @@
+ 	# Extract the first word of "nspr-config", so it can be a program name with args.
+ set dummy nspr-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:12360: checking for $ac_word" >&5
++echo "configure:12365: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_NSPR_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -12391,7 +12396,7 @@
+ 
+ 	min_nspr_version=$NSPR_MINVER
+ 	echo $ac_n "checking for NSPR - version >= $min_nspr_version""... $ac_c" 1>&6
+-echo "configure:12395: checking for NSPR - version >= $min_nspr_version" >&5
++echo "configure:12400: checking for NSPR - version >= $min_nspr_version" >&5
+ 
+ 	no_nspr=""
+ 	if test "$NSPR_CONFIG" != "no"; then
+@@ -12454,7 +12459,7 @@
+     _SAVE_CFLAGS=$CFLAGS
+     CFLAGS="$CFLAGS $NSPR_CFLAGS"
+     cat > conftest.$ac_ext <<EOF
+-#line 12458 "configure"
++#line 12463 "configure"
+ #include "confdefs.h"
+ #include "prlog.h"
+ int main() {
+@@ -12463,7 +12468,7 @@
+                  #endif
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12467: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:12472: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   MOZ_NATIVE_NSPR=1
+ else
+@@ -12505,7 +12510,7 @@
+         MOZ_NATIVE_ZLIB=
+     else
+         echo $ac_n "checking for gzread in -lz""... $ac_c" 1>&6
+-echo "configure:12509: checking for gzread in -lz" >&5
++echo "configure:12514: checking for gzread in -lz" >&5
+ ac_lib_var=`echo z'_'gzread | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -12513,7 +12518,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lz  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 12517 "configure"
++#line 12522 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -12524,7 +12529,7 @@
+ gzread()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12528: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:12533: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -12548,7 +12553,7 @@
+         if test "$MOZ_NATIVE_ZLIB" = 1; then
+             MOZZLIBNUM=`echo $MOZZLIB | awk -F. '{printf "0x%x\n", ((($1 * 16 + $2) * 16) + $3) * 16 + $4}'`
+             cat > conftest.$ac_ext <<EOF
+-#line 12552 "configure"
++#line 12557 "configure"
+ #include "confdefs.h"
+  #include <stdio.h>
+                              #include <string.h>
+@@ -12559,7 +12564,7 @@
+                              #endif 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12563: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:12568: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   MOZ_NATIVE_ZLIB=1
+ else
+@@ -12605,7 +12610,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:12609: checking for $ac_word" >&5
++echo "configure:12614: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -12649,19 +12654,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for libffi > 3.0.9""... $ac_c" 1>&6
+-echo "configure:12653: checking for libffi > 3.0.9" >&5
++echo "configure:12658: checking for libffi > 3.0.9" >&5
+ 
+         if $PKG_CONFIG --exists "libffi > 3.0.9" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_FFI_CFLAGS""... $ac_c" 1>&6
+-echo "configure:12660: checking MOZ_FFI_CFLAGS" >&5
++echo "configure:12665: checking MOZ_FFI_CFLAGS" >&5
+             MOZ_FFI_CFLAGS=`$PKG_CONFIG --cflags "libffi > 3.0.9"`
+             echo "$ac_t""$MOZ_FFI_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_FFI_LIBS""... $ac_c" 1>&6
+-echo "configure:12665: checking MOZ_FFI_LIBS" >&5
++echo "configure:12670: checking MOZ_FFI_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_FFI_LIBS="`$PKG_CONFIG --libs \"libffi > 3.0.9\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_FFI_LIBS" 1>&6
+@@ -12697,7 +12702,7 @@
+     # Extract the first word of "pkg-config", so it can be a program name with args.
+ set dummy pkg-config; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:12701: checking for $ac_word" >&5
++echo "configure:12706: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_PKG_CONFIG'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -12741,19 +12746,19 @@
+      PKG_CONFIG_MIN_VERSION=0.9.0
+      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+         echo $ac_n "checking for libffi >= 3.0.9""... $ac_c" 1>&6
+-echo "configure:12745: checking for libffi >= 3.0.9" >&5
++echo "configure:12750: checking for libffi >= 3.0.9" >&5
+ 
+         if $PKG_CONFIG --exists "libffi >= 3.0.9" ; then
+             echo "$ac_t""yes" 1>&6
+             succeeded=yes
+ 
+             echo $ac_n "checking MOZ_FFI_CFLAGS""... $ac_c" 1>&6
+-echo "configure:12752: checking MOZ_FFI_CFLAGS" >&5
++echo "configure:12757: checking MOZ_FFI_CFLAGS" >&5
+             MOZ_FFI_CFLAGS=`$PKG_CONFIG --cflags "libffi >= 3.0.9"`
+             echo "$ac_t""$MOZ_FFI_CFLAGS" 1>&6
+ 
+             echo $ac_n "checking MOZ_FFI_LIBS""... $ac_c" 1>&6
+-echo "configure:12757: checking MOZ_FFI_LIBS" >&5
++echo "configure:12762: checking MOZ_FFI_LIBS" >&5
+             ## Remove evil flags like -Wl,--export-dynamic
+             MOZ_FFI_LIBS="`$PKG_CONFIG --libs \"libffi >= 3.0.9\" |sed s/-Wl,--export-dynamic//g`"
+             echo "$ac_t""$MOZ_FFI_LIBS" 1>&6
+@@ -12888,18 +12893,18 @@
+ 
+ if test -n "$MOZ_DEBUG"; then
+     echo $ac_n "checking for valid debug flags""... $ac_c" 1>&6
+-echo "configure:12892: checking for valid debug flags" >&5
++echo "configure:12897: checking for valid debug flags" >&5
+     _SAVE_CFLAGS=$CFLAGS
+     CFLAGS="$CFLAGS $MOZ_DEBUG_FLAGS"
+     cat > conftest.$ac_ext <<EOF
+-#line 12896 "configure"
++#line 12901 "configure"
+ #include "confdefs.h"
+ #include <stdio.h>
+ int main() {
+ printf("Hello World\n");
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12903: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:12908: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   _results=yes
+ else
+@@ -12981,18 +12986,18 @@
+ if test "$COMPILE_ENVIRONMENT"; then
+ if test -n "$MOZ_OPTIMIZE"; then
+     echo $ac_n "checking for valid optimization flags""... $ac_c" 1>&6
+-echo "configure:12985: checking for valid optimization flags" >&5
++echo "configure:12990: checking for valid optimization flags" >&5
+     _SAVE_CFLAGS=$CFLAGS
+     CFLAGS="$CFLAGS $MOZ_OPTIMIZE_FLAGS"
+     cat > conftest.$ac_ext <<EOF
+-#line 12989 "configure"
++#line 12994 "configure"
+ #include "confdefs.h"
+ #include <stdio.h>
+ int main() {
+ printf("Hello World\n");
+ ; return 0; }
+ EOF
+-if { (eval echo configure:12996: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:13001: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   _results=yes
+ else
+@@ -13201,7 +13206,7 @@
+     fi
+   else
+     echo $ac_n "checking size of int *""... $ac_c" 1>&6
+-echo "configure:13205: checking size of int *" >&5
++echo "configure:13210: checking size of int *" >&5
+ if eval "test \"`echo '$''{'ac_cv_sizeof_int_p'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -13209,7 +13214,7 @@
+   ac_cv_sizeof_int_p=4
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 13213 "configure"
++#line 13218 "configure"
+ #include "confdefs.h"
+ #include <stdio.h>
+ int main()
+@@ -13220,7 +13225,7 @@
+   return(0);
+ }
+ EOF
+-if { (eval echo configure:13224: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:13229: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   ac_cv_sizeof_int_p=`cat conftestval`
+ else
+@@ -13524,12 +13529,12 @@
+ if test -n "$MOZ_VALGRIND"; then
+        ac_safe=`echo "valgrind/valgrind.h" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for valgrind/valgrind.h""... $ac_c" 1>&6
+-echo "configure:13528: checking for valgrind/valgrind.h" >&5
++echo "configure:13533: checking for valgrind/valgrind.h" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 13533 "configure"
++#line 13538 "configure"
+ #include "confdefs.h"
+ 
+ #include <valgrind/valgrind.h>
+@@ -13537,7 +13542,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:13541: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:13546: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -13846,7 +13851,7 @@
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+ set dummy $ac_prog; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:13850: checking for $ac_word" >&5
++echo "configure:13855: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_CCACHE'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -14035,12 +14040,12 @@
+     for ac_func in __cxa_demangle
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:14039: checking for $ac_func" >&5
++echo "configure:14044: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 14044 "configure"
++#line 14049 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -14066,7 +14071,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14070: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:14075: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -14120,12 +14125,12 @@
+ if test -z "$SKIP_LIBRARY_CHECKS"; then
+        ac_safe=`echo "unwind.h" | sed 'y%./+-%__p_%'`
+   echo $ac_n "checking for unwind.h""... $ac_c" 1>&6
+-echo "configure:14124: checking for unwind.h" >&5
++echo "configure:14129: checking for unwind.h" >&5
+   if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+    cat > conftest.$ac_ext <<EOF
+-#line 14129 "configure"
++#line 14134 "configure"
+ #include "confdefs.h"
+ 
+ #include <unwind.h>
+@@ -14133,7 +14138,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14137: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:14142: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   eval "ac_cv_header_$ac_safe=yes"
+ else
+@@ -14150,12 +14155,12 @@
+     for ac_func in _Unwind_Backtrace
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:14154: checking for $ac_func" >&5
++echo "configure:14159: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 14159 "configure"
++#line 14164 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -14178,7 +14183,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14182: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:14187: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -14249,7 +14254,7 @@
+ # Compiler Options
+ 
+ echo $ac_n "checking for -pipe support""... $ac_c" 1>&6
+-echo "configure:14253: checking for -pipe support" >&5
++echo "configure:14258: checking for -pipe support" >&5
+ if test -n "$GNU_CC" -a -n "$GNU_CXX"; then
+         CFLAGS="$CFLAGS -pipe"
+     CXXFLAGS="$CXXFLAGS -pipe"
+@@ -14263,16 +14268,16 @@
+ CFLAGS="$CFLAGS -fprofile-generate -fprofile-correction"
+ 
+ echo $ac_n "checking whether C compiler supports -fprofile-generate""... $ac_c" 1>&6
+-echo "configure:14267: checking whether C compiler supports -fprofile-generate" >&5
++echo "configure:14272: checking whether C compiler supports -fprofile-generate" >&5
+ cat > conftest.$ac_ext <<EOF
+-#line 14269 "configure"
++#line 14274 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ return 0;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14276: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:14281: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+    PROFILE_GEN_CFLAGS="-fprofile-generate"
+                  result="yes" 
+@@ -14323,12 +14328,12 @@
+ _SAVE_CXXFLAGS=$CXXFLAGS
+ CXXFLAGS="$CXXFLAGS ${_WARNINGS_CXXFLAGS}"
+ echo $ac_n "checking for correct overload resolution with const and templates""... $ac_c" 1>&6
+-echo "configure:14327: checking for correct overload resolution with const and templates" >&5
++echo "configure:14332: checking for correct overload resolution with const and templates" >&5
+ if eval "test \"`echo '$''{'ac_nscap_nonconst_opeq_bug'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 14332 "configure"
++#line 14337 "configure"
+ #include "confdefs.h"
+ 
+                       template <class T>
+@@ -14358,7 +14363,7 @@
+                     
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14362: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:14367: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_nscap_nonconst_opeq_bug="no"
+ else
+@@ -14384,19 +14389,19 @@
+ fi
+ 
+ echo $ac_n "checking for tm_zone tm_gmtoff in struct tm""... $ac_c" 1>&6
+-echo "configure:14388: checking for tm_zone tm_gmtoff in struct tm" >&5
++echo "configure:14393: checking for tm_zone tm_gmtoff in struct tm" >&5
+ if eval "test \"`echo '$''{'ac_cv_struct_tm_zone_tm_gmtoff'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 14393 "configure"
++#line 14398 "configure"
+ #include "confdefs.h"
+ #include <time.h>
+ int main() {
+ struct tm tm; tm.tm_zone = 0; tm.tm_gmtoff = 1;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14400: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:14405: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_struct_tm_zone_tm_gmtoff="yes"
+ else
+@@ -14438,20 +14443,20 @@
+ 
+ 
+ echo $ac_n "checking what kind of list files are supported by the linker""... $ac_c" 1>&6
+-echo "configure:14442: checking what kind of list files are supported by the linker" >&5
++echo "configure:14447: checking what kind of list files are supported by the linker" >&5
+ if eval "test \"`echo '$''{'EXPAND_LIBS_LIST_STYLE'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   echo "int main() {return 0;}" > conftest.${ac_ext}
+-     if { ac_try='${CC-cc} -o conftest.${OBJ_SUFFIX} -c $CFLAGS $CPPFLAGS conftest.${ac_ext} 1>&5'; { (eval echo configure:14447: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } && test -s conftest.${OBJ_SUFFIX}; then
++     if { ac_try='${CC-cc} -o conftest.${OBJ_SUFFIX} -c $CFLAGS $CPPFLAGS conftest.${ac_ext} 1>&5'; { (eval echo configure:14452: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } && test -s conftest.${OBJ_SUFFIX}; then
+          echo "INPUT(conftest.${OBJ_SUFFIX})" > conftest.list
+-         if { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS conftest.list $LIBS 1>&5'; { (eval echo configure:14449: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } && test -s conftest${ac_exeext}; then
++         if { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS conftest.list $LIBS 1>&5'; { (eval echo configure:14454: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } && test -s conftest${ac_exeext}; then
+              EXPAND_LIBS_LIST_STYLE=linkerscript
+          else
+              echo "conftest.${OBJ_SUFFIX}" > conftest.list
+-                                                                 if { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS -Wl,-filelist,conftest.list $LIBS 1>&5'; { (eval echo configure:14453: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } && test -s conftest${ac_exeext}; then
++                                                                 if { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS -Wl,-filelist,conftest.list $LIBS 1>&5'; { (eval echo configure:14458: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } && test -s conftest${ac_exeext}; then
+                  EXPAND_LIBS_LIST_STYLE=filelist
+-             elif { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS @conftest.list $LIBS 1>&5'; { (eval echo configure:14455: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } && test -s conftest${ac_exeext}; then
++             elif { ac_try='${CC-cc} -o conftest${ac_exeext} $LDFLAGS @conftest.list $LIBS 1>&5'; { (eval echo configure:14460: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } && test -s conftest${ac_exeext}; then
+                  EXPAND_LIBS_LIST_STYLE=list
+              else
+                  EXPAND_LIBS_LIST_STYLE=none
+@@ -14471,7 +14476,7 @@
+ 
+ if test "$GCC_USE_GNU_LD"; then
+     echo $ac_n "checking what kind of ordering can be done with the linker""... $ac_c" 1>&6
+-echo "configure:14475: checking what kind of ordering can be done with the linker" >&5
++echo "configure:14480: checking what kind of ordering can be done with the linker" >&5
+ if eval "test \"`echo '$''{'EXPAND_LIBS_ORDER_STYLE'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -14479,14 +14484,14 @@
+          _SAVE_LDFLAGS="$LDFLAGS"
+          LDFLAGS="${LDFLAGS} -Wl,--section-ordering-file,conftest.order"
+          cat > conftest.$ac_ext <<EOF
+-#line 14483 "configure"
++#line 14488 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14490: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:14495: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   EXPAND_LIBS_ORDER_STYLE=section-ordering-file
+ else
+@@ -14498,7 +14503,7 @@
+ rm -f conftest*
+          LDFLAGS="$_SAVE_LDFLAGS"
+          if test -z "$EXPAND_LIBS_ORDER_STYLE"; then
+-             if { ac_try='${CC-cc} ${DSO_LDOPTS} ${LDFLAGS} -o ${DLL_PREFIX}conftest${DLL_SUFFIX} -Wl'; { (eval echo configure:14502: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; }; then
++             if { ac_try='${CC-cc} ${DSO_LDOPTS} ${LDFLAGS} -o ${DLL_PREFIX}conftest${DLL_SUFFIX} -Wl'; { (eval echo configure:14507: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; }; then
+                  EXPAND_LIBS_ORDER_STYLE=linkerscript
+              else
+                  EXPAND_LIBS_ORDER_STYLE=none
+@@ -14572,7 +14577,7 @@
+ if test -z "$SKIP_LIBRARY_CHECKS" -a -z "$NO_EDITLINE"; then
+   if test -n "$JS_WANT_READLINE"; then
+     echo $ac_n "checking for readline in -lreadline""... $ac_c" 1>&6
+-echo "configure:14576: checking for readline in -lreadline" >&5
++echo "configure:14581: checking for readline in -lreadline" >&5
+ ac_lib_var=`echo readline'_'readline | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -14580,7 +14585,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lreadline  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 14584 "configure"
++#line 14589 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -14591,7 +14596,7 @@
+ readline()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14595: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:14600: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -14836,9 +14841,9 @@
+ 
+ 
+ echo $ac_n "checking for posix_fallocate""... $ac_c" 1>&6
+-echo "configure:14840: checking for posix_fallocate" >&5
++echo "configure:14845: checking for posix_fallocate" >&5
+ cat > conftest.$ac_ext <<EOF
+-#line 14842 "configure"
++#line 14847 "configure"
+ #include "confdefs.h"
+ #define _XOPEN_SOURCE 600
+   #include <fcntl.h>
+@@ -14846,7 +14851,7 @@
+ posix_fallocate(0, 0, 0);
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14850: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:14855: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   ac_cv___posix_fallocate=true
+ else
+@@ -14875,7 +14880,7 @@
+                 _SAVE_CFLAGS=$CFLAGS
+     CFLAGS="$CFLAGS $XCFLAGS"
+     cat > conftest.$ac_ext <<EOF
+-#line 14879 "configure"
++#line 14884 "configure"
+ #include "confdefs.h"
+ 
+         #include <stdio.h>
+@@ -14893,7 +14898,7 @@
+     
+ ; return 0; }
+ EOF
+-if { (eval echo configure:14897: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:14902: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   :
+ else
+   echo "configure: failed program was:" >&5
+@@ -15127,12 +15132,12 @@
+ for ac_func in setlocale
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:15131: checking for $ac_func" >&5
++echo "configure:15136: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 15136 "configure"
++#line 15141 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -15155,7 +15160,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:15159: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:15164: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -15185,12 +15190,12 @@
+ for ac_func in localeconv
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:15189: checking for $ac_func" >&5
++echo "configure:15194: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 15194 "configure"
++#line 15199 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -15213,7 +15218,7 @@
+ 
+ ; return 0; }
+ EOF
+-if { (eval echo configure:15217: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:15222: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/ds/LifoAlloc.h seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/ds/LifoAlloc.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/ds/LifoAlloc.h	2013-09-16 22:26:39.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/ds/LifoAlloc.h	2014-02-10 01:13:32.017537412 +0400
+@@ -288,17 +288,16 @@
+ 
+     template <typename T>
+     T *newArray(size_t count) {
+-        void *mem = alloc(sizeof(T) * count);
+-        if (!mem)
+-            return NULL;
+         JS_STATIC_ASSERT(mozilla::IsPod<T>::value);
+-        return (T *) mem;
++        return newArrayUninitialized<T>(count);
+     }
+ 
+     // Create an array with uninitialized elements of type |T|.
+     // The caller is responsible for initialization.
+     template <typename T>
+     T *newArrayUninitialized(size_t count) {
++        if (count & tl::MulOverflowMask<sizeof(T)>::result)
++            return NULL;
+         return static_cast<T *>(alloc(sizeof(T) * count));
+     }
+ 
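Review bot: The comment above `newArrayUninitialized` does not mention the failure mode this hunk adds: the `count & tl::MulOverflowMask<sizeof(T)>::result` test returns NULL when `sizeof(T) * count` would overflow, before `alloc` is called. I would extend the comment with a line such as `// Returns NULL if sizeof(T) * count would overflow or if the allocation fails.` so callers do not read a NULL result only as out-of-memory. `newArray` now inherits the same behaviour through the forwarding call. The same check is added to `allocate` in MIRGenerator.h and to `init`/`growBy` in FixedList.h, where the same one-line remark would help.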
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/BaselineIC.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/BaselineIC.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/BaselineIC.cpp	2014-02-10 01:12:13.556918783 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/BaselineIC.cpp	2014-02-10 01:13:32.018537394 +0400
+@@ -450,11 +450,9 @@
+         // We are removing edges from monitored stubs to gcthings (IonCode).
+         // Perform one final trace of all monitor stubs for incremental GC,
+         // as it must know about those edges.
+-        if (hasFallbackStub_) {
+             for (ICStub *s = firstMonitorStub_; !s->isTypeMonitor_Fallback(); s = s->next())
+                 s->trace(zone->barrierTracer());
+         }
+-    }
+ 
+     firstMonitorStub_ = this;
+     numOptimizedMonitorStubs_ = 0;
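Review bot: With the `hasFallbackStub_` guard removed, the `for` loop dereferences `s` on every step from `firstMonitorStub_` until `isTypeMonitor_Fallback()` is true, so it depends on the chain always ending in a fallback stub. Nothing in the hunk states that invariant. If it does hold, a comment above the loop such as `// The monitor chain always ends in a TypeMonitor fallback stub.`, or an assertion that `firstMonitorStub_` is non-null, would make the assumption explicit. The patch was generated with `diff -b`, so the loop's re-indentation is not shown and the braces read oddly; the enclosing function and outer `if` start outside the hunk.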
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/CodeGenerator.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/CodeGenerator.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/CodeGenerator.cpp	2014-02-10 01:12:13.684916508 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/CodeGenerator.cpp	2014-02-10 01:13:32.166534806 +0400
+@@ -4254,16 +4254,19 @@
+             masm.add32(Imm32(min), temp);
+             if (!bailoutIf(Assembler::Overflow, lir->snapshot()))
+                 return false;
++        }
++
++        masm.cmp32(temp, Imm32(0));
++        if (!bailoutIf(Assembler::LessThan, lir->snapshot()))
++            return false;
++
++        if (min != 0) {
+             int32_t diff;
+             if (SafeSub(max, min, &diff))
+                 max = diff;
+             else
+                 masm.sub32(Imm32(min), temp);
+         }
+-
+-        masm.cmp32(temp, Imm32(0));
+-        if (!bailoutIf(Assembler::LessThan, lir->snapshot()))
+-            return false;
+     }
+ 
+     // Compute the maximum possible index. No overflow check is needed when
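Review bot: The reordering here is subtle enough to need a comment. The `masm.cmp32(temp, Imm32(0))` / `Assembler::LessThan` bailout now runs while `temp` still has `min` added to it, before the second `if (min != 0)` block either folds `min` into `max` or subtracts it back out with `masm.sub32`. A line such as `// Test for a negative value before |min| is subtracted back out of temp.` above the `cmp32` would keep a later cleanup from merging the two `if (min != 0)` blocks and moving the check again. The enclosing function starts outside the hunk.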
+@@ -5646,7 +5649,8 @@
+     ConstantOrRegister index = TypedOrValueRegister(ToValue(ins, LGetElementCacheV::Index));
+     TypedOrValueRegister output = TypedOrValueRegister(GetValueOutput(ins));
+ 
+-    GetElementIC cache(obj, index, output, ins->mir()->monitoredResult());
++    GetElementIC cache(obj, index, output, ins->mir()->monitoredResult(),
++                       ins->mir()->allowDoubleResult());
+ 
+     return addCache(ins, allocateCache(cache));
+ }
+@@ -5658,7 +5662,8 @@
+     ConstantOrRegister index = TypedOrValueRegister(MIRType_Int32, ToAnyRegister(ins->index()));
+     TypedOrValueRegister output(ins->mir()->type(), ToAnyRegister(ins->output()));
+ 
+-    GetElementIC cache(obj, index, output, ins->mir()->monitoredResult());
++    GetElementIC cache(obj, index, output, ins->mir()->monitoredResult(),
++                       ins->mir()->allowDoubleResult());
+ 
+     return addCache(ins, allocateCache(cache));
+ }
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/FixedList.h seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/FixedList.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/FixedList.h	2013-09-16 22:26:40.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/FixedList.h	2014-02-10 01:13:32.166534806 +0400
+@@ -23,7 +23,7 @@
+ 
+   public:
+     FixedList()
+-      : length_(0)
++      : length_(0), list_(NULL)
+     { }
+ 
+     // Dynamic memory allocation requires the ability to report failure.
+@@ -32,6 +32,8 @@
+         if (length == 0)
+             return true;
+ 
++        if (length & tl::MulOverflowMask<sizeof(T)>::result)
++            return false;
+         list_ = (T *)GetIonContext()->temp->allocate(length * sizeof(T));
+         return list_ != NULL;
+     }
+@@ -46,6 +48,11 @@
+     }
+ 
+     bool growBy(size_t num) {
++        size_t newlength = length_ + num;
++        if (newlength < length_)
++            return false;
++        if (newlength & tl::MulOverflowMask<sizeof(T)>::result)
++            return false;
+         T *list = (T *)GetIonContext()->temp->allocate((length_ + num) * sizeof(T));
+         if (!list)
+             return false;
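Review bot: `growBy` validates `newlength`, but the allocation on the following line still recomputes `(length_ + num) * sizeof(T)`, so the checked value and the size actually requested are two separate expressions. Using the checked variable, `T *list = (T *)GetIonContext()->temp->allocate(newlength * sizeof(T));`, keeps the guard and the allocation from drifting apart in a later edit. The rest of `growBy` is outside the hunk; any further use of `length_ + num` there should switch to `newlength` as well.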
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/IonCaches.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/IonCaches.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/IonCaches.cpp	2014-02-10 01:12:13.685916498 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/IonCaches.cpp	2014-02-10 01:13:32.166534806 +0400
+@@ -594,8 +594,19 @@
+     if (!shape->hasGetterValue() || !shape->getterValue().isObject())
+         return false;
+ 
+-    return shape->getterValue().toObject().is<JSFunction>() &&
+-           shape->getterValue().toObject().as<JSFunction>().isNative();
++    if (!shape->getterValue().toObject().is<JSFunction>())
++        return false;
++
++    JSFunction& getter = shape->getterValue().toObject().as<JSFunction>();
++    if (!getter.isNative())
++        return false;
++
++    // Check for a DOM method; those are OK with both inner and outer objects.
++    if (getter.jitInfo())
++        return true;
++
++    // For non-DOM methods, don't cache if obj has an outerObject hook.
++    return !obj->getClass()->ext.outerObject;
+ }
+ 
+ static bool
+@@ -2350,7 +2361,7 @@
+     int width = TypedArray::slotWidth(arrayType);
+     BaseIndex source(elementReg, indexReg, ScaleFromElemWidth(width));
+     if (output().hasValue())
+-        masm.loadFromTypedArray(arrayType, source, output().valueReg(), true,
++        masm.loadFromTypedArray(arrayType, source, output().valueReg(), allowDoubleResult(),
+                                 elementReg, &popAndFail);
+     else
+         masm.loadFromTypedArray(arrayType, source, output().typedReg(),
+@@ -2522,6 +2533,9 @@
+     cache.getScriptedLocation(&script, &pc);
+     RootedValue lval(cx, ObjectValue(*obj));
+ 
++    // Override the return value when the script is invalidated (bug 728188).
++    AutoDetectInvalidation adi(cx, res.address(), ion);
++
+     if (cache.isDisabled()) {
+         if (!GetElementOperation(cx, JSOp(*pc), &lval, idval, res))
+             return false;
+@@ -2529,9 +2543,7 @@
+         return true;
+     }
+ 
+-    // Override the return value if we are invalidated (bug 728188).
+-    AutoFlushCache afc ("GetElementCache");
+-    AutoDetectInvalidation adi(cx, res.address(), ion);
++    AutoFlushCache afc("GetElementCache");
+ 
+     RootedId id(cx);
+     if (!ValueToId<CanGC>(cx, idval, &id))
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/IonCaches.h seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/IonCaches.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/IonCaches.h	2013-09-16 22:26:40.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/IonCaches.h	2014-02-10 01:13:32.167534788 +0400
+@@ -617,6 +617,7 @@
+     TypedOrValueRegister output_;
+ 
+     bool monitoredResult_ : 1;
++    bool allowDoubleResult_ : 1;
+     bool hasDenseStub_ : 1;
+     bool hasStrictArgumentsStub_ : 1;
+     bool hasNormalArgumentsStub_ : 1;
+@@ -627,11 +628,12 @@
+ 
+   public:
+     GetElementIC(Register object, ConstantOrRegister index,
+-                 TypedOrValueRegister output, bool monitoredResult)
++                 TypedOrValueRegister output, bool monitoredResult, bool allowDoubleResult)
+       : object_(object),
+         index_(index),
+         output_(output),
+         monitoredResult_(monitoredResult),
++        allowDoubleResult_(allowDoubleResult),
+         hasDenseStub_(false),
+         hasStrictArgumentsStub_(false),
+         hasNormalArgumentsStub_(false),
+@@ -655,6 +657,9 @@
+     bool monitoredResult() const {
+         return monitoredResult_;
+     }
++    bool allowDoubleResult() const {
++        return allowDoubleResult_;
++    }
+     bool hasDenseStub() const {
+         return hasDenseStub_;
+     }
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/MIR.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/MIR.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/MIR.cpp	2013-09-16 22:26:40.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/MIR.cpp	2014-02-10 01:13:32.167534788 +0400
+@@ -2332,6 +2332,15 @@
+ }
+ 
+ bool
++MGetElementCache::allowDoubleResult() const
++{
++    if (!resultTypeSet())
++        return true;
++
++    return resultTypeSet()->hasType(types::Type::DoubleType());
++}
++
++bool
+ MGetPropertyPolymorphic::mightAlias(MDefinition *store)
+ {
+     // Allow hoisting this instruction if the store does not write to a
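Review bot: `MGetElementCache::allowDoubleResult` has no comment explaining why a missing `resultTypeSet()` yields `true`. That value matches the literal `true` that IonCaches.cpp passed to `loadFromTypedArray` before this change, so the fallback appears to be "keep the old behaviour when there is no type information". A comment on the early return, e.g. `// No type information: keep the previous behaviour and allow doubles.`, would record that intent next to the code that decides whether a double may be produced.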
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/MIR.h seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/MIR.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/MIR.h	2013-09-16 22:26:40.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/MIR.h	2014-02-10 01:13:32.177534614 +0400
+@@ -5942,6 +5942,9 @@
+     bool monitoredResult() const {
+         return monitoredResult_;
+     }
++
++    bool allowDoubleResult() const;
++
+     TypePolicy *typePolicy() {
+         if (type() == MIRType_Value)
+             return &PolicyV;
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/MIRGenerator.h seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/MIRGenerator.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/MIRGenerator.h	2013-09-16 22:26:40.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/MIRGenerator.h	2014-02-10 01:13:32.177534614 +0400
+@@ -60,6 +60,8 @@
+ 
+     template <typename T>
+     T * allocate(size_t count = 1) {
++        if (count & tl::MulOverflowMask<sizeof(T)>::result)
++            return NULL;
+         return reinterpret_cast<T *>(temp().allocate(sizeof(T) * count));
+     }
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/MIRGraph.h seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/MIRGraph.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/MIRGraph.h	2013-09-16 22:26:40.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/MIRGraph.h	2014-02-10 01:13:32.177534614 +0400
+@@ -542,11 +542,6 @@
+         numBlocks_(0)
+     { }
+ 
+-    template <typename T>
+-    T * allocate(size_t count = 1) {
+-        return reinterpret_cast<T *>(alloc_->allocate(sizeof(T) * count));
+-    }
+-
+     void addBlock(MBasicBlock *block);
+     void insertBlockAfter(MBasicBlock *at, MBasicBlock *block);
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/RangeAnalysis.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/RangeAnalysis.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/RangeAnalysis.cpp	2013-09-16 22:26:40.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/RangeAnalysis.cpp	2014-02-10 01:13:32.178534596 +0400
+@@ -339,6 +339,8 @@
+     // Instead, we should use it to eliminate the dead block.
+     // (Bug 765127)
+     if (r->upper_ < r->lower_) {
++        // If both ranges can be NaN, the result can still be NaN.
++        if (!lhs->isInfinite() || !rhs->isInfinite())
+         *emptyRange = true;
+         r->makeRangeInfinite();
+     }
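Review bot: The added `if (!lhs->isInfinite() || !rhs->isInfinite())` has no braces, so it governs only `*emptyRange = true;`, while `r->makeRangeInfinite();` still runs unconditionally. Because this patch was produced with `diff -b`, the guarded statement is shown at the same indentation as the `if`, which makes that scope easy to misread in code that feeds range-based optimisations. I would brace it: `if (!lhs->isInfinite() || !rhs->isInfinite()) { *emptyRange = true; }`. The enclosing function starts outside the hunk.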
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/ValueNumbering.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/ValueNumbering.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit/ValueNumbering.cpp	2013-09-16 22:26:40.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit/ValueNumbering.cpp	2014-02-10 01:13:32.178534596 +0400
+@@ -23,19 +23,18 @@
+ uint32_t
+ ValueNumberer::lookupValue(MDefinition *ins)
+ {
+-
+     ValueMap::AddPtr p = values.lookupForAdd(ins);
+-
+     if (p) {
+         // make sure this is in the correct group
+         setClass(ins, p->key);
+-    } else {
++        return p->value;
++    }
++
+         if (!values.add(p, ins, ins->id()))
+             return 0;
+         breakClass(ins);
+-    }
+ 
+-    return p->value;
++    return ins->id();
+ }
+ 
+ MDefinition *
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit-test/tests/basic/bug908915.js seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit-test/tests/basic/bug908915.js
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jit-test/tests/basic/bug908915.js	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jit-test/tests/basic/bug908915.js	2014-02-10 01:13:32.178534596 +0400
+@@ -0,0 +1,24 @@
++// |jit-test| error: 42
++function f(y) {}
++for each(let e in newGlobal()) {
++    if (e.name === "quit" || e.name == "readline" || e.name == "terminate")
++	continue;
++    try {
++        e();
++    } catch (r) {}
++}
++(function() {
++    arguments.__proto__.__proto__ = newGlobal()
++    function f(y) {
++        y()
++    }
++    for each(b in []) {
++	if (b.name === "quit" || b.name == "readline" || b.name == "terminate")
++	    continue;
++        try {
++            f(b)
++        } catch (e) {}
++    }
++})();
++
++throw 42;
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jsfriendapi.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jsfriendapi.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jsfriendapi.cpp	2013-09-16 22:26:40.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jsfriendapi.cpp	2014-02-10 01:13:32.178534596 +0400
+@@ -375,6 +375,20 @@
+     return &obj->global();
+ }
+ 
++JS_FRIEND_API(void)
++js::AssertSameCompartment(JSContext *cx, JSObject *obj)
++{
++    assertSameCompartment(cx, obj);
++}
++
++#ifdef DEBUG
++JS_FRIEND_API(void)
++js::AssertSameCompartment(JSObject *objA, JSObject *objB)
++{
++    JS_ASSERT(objA->compartment() == objB->compartment());
++}
++#endif
++
+ JS_FRIEND_API(JSObject *)
+ js::GetDefaultGlobalForContext(JSContext *cx)
+ {
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jsfriendapi.h seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jsfriendapi.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jsfriendapi.h	2013-09-16 22:26:40.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jsfriendapi.h	2014-02-10 01:13:32.261533144 +0400
+@@ -158,9 +158,23 @@
+ js_DumpChars(const jschar *s, size_t n);
+ #endif
+ 
++/*
++ * Copies all own properties from |obj| to |target|. |obj| must be a "native"
++ * object (that is to say, normal-ish - not an Array or a Proxy).
++ *
++ * On entry, |cx| must be in the compartment of |target|.
++ */
+ extern JS_FRIEND_API(bool)
+ JS_CopyPropertiesFrom(JSContext *cx, JSObject *target, JSObject *obj);
+ 
++/*
++ * Single-property version of the above. This function asserts that an |own|
++ * property of the given name exists on |obj|.
++ */
++extern JS_FRIEND_API(bool)
++JS_CopyPropertyFrom(JSContext *cx, JS::HandleId id, JS::HandleObject target,
++                    JS::HandleObject obj);
++
+ extern JS_FRIEND_API(JSBool)
+ JS_WrapPropertyDescriptor(JSContext *cx, js::PropertyDescriptor *desc);
+ 
+@@ -440,6 +454,16 @@
+ JS_FRIEND_API(JSObject *)
+ GetGlobalForObjectCrossCompartment(JSObject *obj);
+ 
++JS_FRIEND_API(void)
++AssertSameCompartment(JSContext *cx, JSObject *obj);
++
++#ifdef DEBUG
++JS_FRIEND_API(void)
++AssertSameCompartment(JSObject *objA, JSObject *objB);
++#else
++inline void AssertSameCompartment(JSObject *objA, JSObject *objB) {}
++#endif
++
+ // For legacy consumers only. This whole concept is going away soon.
+ JS_FRIEND_API(JSObject *)
+ GetDefaultGlobalForContext(JSContext *cx);
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jsinferinlines.h seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jsinferinlines.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jsinferinlines.h	2013-09-16 22:26:40.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jsinferinlines.h	2014-02-10 01:13:32.261533144 +0400
+@@ -703,7 +703,7 @@
+         return true;
+ 
+     if (fun->isArrow())
+-        return true;
++        return false;
+ 
+     if (fun->hasSingletonType())
+         return false;
+@@ -1131,19 +1131,21 @@
+  * probing.  TODO: replace these with jshashtables.
+  */
+ const unsigned SET_ARRAY_SIZE = 8;
++const unsigned SET_CAPACITY_OVERFLOW = 1u << 30;
+ 
+ /* Get the capacity of a set with the given element count. */
+ static inline unsigned
+ HashSetCapacity(unsigned count)
+ {
+     JS_ASSERT(count >= 2);
++    JS_ASSERT(count < SET_CAPACITY_OVERFLOW);
+ 
+     if (count <= SET_ARRAY_SIZE)
+         return SET_ARRAY_SIZE;
+ 
+     unsigned log2;
+     JS_FLOOR_LOG2(log2, count);
+-    return 1 << (log2 + 2);
++    return 1u << (log2 + 2);
+ }
+ 
+ /* Compute the FNV hash for the low 32 bits of v. */
+@@ -1181,6 +1183,9 @@
+         }
+     }
+ 
++    if (count >= SET_CAPACITY_OVERFLOW)
++        return NULL;
++
+     count++;
+     unsigned newCapacity = HashSetCapacity(count);
+ 
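Review bot: The new runtime guard here and the new assertion in `HashSetCapacity` disagree by one. `if (count >= SET_CAPACITY_OVERFLOW) return NULL;` lets `count == SET_CAPACITY_OVERFLOW - 1` through, `count++` then makes it equal to `SET_CAPACITY_OVERFLOW`, and `HashSetCapacity(count)` asserts `count < SET_CAPACITY_OVERFLOW`. Without the assertion, the same value gives `log2 + 2 == 32` as the shift count for `1u <<`, which is not a valid shift where `unsigned` is 32 bits wide. Tightening the guard to `if (count >= SET_CAPACITY_OVERFLOW - 1) return NULL;` makes the two agree. The enclosing function starts outside the hunk.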
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jsobj.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jsobj.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jsobj.cpp	2013-09-16 22:26:41.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jsobj.cpp	2014-02-10 01:13:32.262533127 +0400
+@@ -1703,11 +1703,54 @@
+     return deleteProperty(cx, obj, propname, succeeded);
+ }
+ 
++static bool
++CopyProperty(JSContext *cx, HandleObject target, HandleObject obj,
++             HandleShape shape)
++{
++    // |shape| and |obj| are generally not same-compartment with |target| and
++    // |cx| here.
++    assertSameCompartment(cx, target);
++
++    unsigned attrs = shape->attributes();
++    PropertyOp getter = shape->getter();
++    StrictPropertyOp setter = shape->setter();
++    AutoRooterGetterSetter gsRoot(cx, attrs, &getter, &setter);
++    if ((attrs & JSPROP_GETTER) && !cx->compartment()->wrap(cx, &getter))
++        return false;
++    if ((attrs & JSPROP_SETTER) && !cx->compartment()->wrap(cx, &setter))
++        return false;
++    RootedValue v(cx, shape->hasSlot() ? obj->getSlot(shape->slot())
++                                       : UndefinedValue());
++    if (!cx->compartment()->wrap(cx, &v))
++        return false;
++    RootedId id(cx, shape->propid());
++    return JSObject::defineGeneric(cx, target, id, v, getter,
++                                   setter, attrs);
++}
++
++JS_FRIEND_API(bool)
++JS_CopyPropertyFrom(JSContext *cx, HandleId id, HandleObject target,
++                    HandleObject obj)
++{
++    assertSameCompartment(cx, target);
++    MOZ_ASSERT(obj->isNative());
++    RootedObject obj2(cx);
++    RootedShape shape(cx);
++    {
++        AutoCompartment ac(cx, obj);
++        if (!JSObject::lookupGeneric(cx, obj, id, &obj2, &shape))
++            return false;
++    }
++    MOZ_ASSERT(shape && obj == obj2);
++    return CopyProperty(cx, target, obj, shape);
++}
++
+ JS_FRIEND_API(bool)
+ JS_CopyPropertiesFrom(JSContext *cx, JSObject *targetArg, JSObject *objArg)
+ {
+     RootedObject target(cx, targetArg);
+     RootedObject obj(cx, objArg);
++    assertSameCompartment(cx, target);
+ 
+     // If we're not native, then we cannot copy properties.
+     JS_ASSERT(target->isNative() == obj->isNative());
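Review bot: `JS_CopyPropertyFrom` hands `shape` to `CopyProperty` guarded only by `MOZ_ASSERT(shape && obj == obj2)`, and `CopyProperty` dereferences it at once (`shape->attributes()`). If `lookupGeneric` succeeds without finding `id` on `obj` itself, a build without assertions would, as far as the hunk shows, continue with a null shape or with a shape that belongs to a different holder, and this helper sits on a cross-compartment path. Either state the precondition at the definition, e.g. `// |id| must name an own property of native |obj|; this is only asserted.`, or turn the asserts into checks that fail the call. The same applies to `MOZ_ASSERT(obj->isNative())` just before the lookup.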
+@@ -1720,25 +1763,11 @@
+             return false;
+     }
+ 
+-    RootedShape shape(cx);
+-    RootedValue v(cx);
+-    RootedId id(cx);
+     size_t n = shapes.length();
++    RootedShape shape(cx);
+     while (n > 0) {
+         shape = shapes[--n];
+-        unsigned attrs = shape->attributes();
+-        PropertyOp getter = shape->getter();
+-        StrictPropertyOp setter = shape->setter();
+-        AutoRooterGetterSetter gsRoot(cx, attrs, &getter, &setter);
+-        if ((attrs & JSPROP_GETTER) && !cx->compartment()->wrap(cx, &getter))
+-            return false;
+-        if ((attrs & JSPROP_SETTER) && !cx->compartment()->wrap(cx, &setter))
+-            return false;
+-        v = shape->hasSlot() ? obj->getSlot(shape->slot()) : UndefinedValue();
+-        if (!cx->compartment()->wrap(cx, &v))
+-            return false;
+-        id = shape->propid();
+-        if (!JSObject::defineGeneric(cx, target, id, v, getter, setter, attrs))
++        if (!CopyProperty(cx, target, obj, shape))
+             return false;
+     }
+     return true;
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jsscript.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jsscript.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/jsscript.cpp	2013-09-16 22:26:41.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/jsscript.cpp	2014-02-10 01:13:32.262533127 +0400
+@@ -2425,6 +2425,7 @@
+     dst->funNeedsDeclEnvObject = src->funNeedsDeclEnvObject;
+     dst->funHasAnyAliasedFormal = src->funHasAnyAliasedFormal;
+     dst->hasSingletons = src->hasSingletons;
++    dst->treatAsRunOnce = src->treatAsRunOnce;
+     dst->isGenerator = src->isGenerator;
+     dst->isGeneratorExp = src->isGeneratorExp;
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/shell/js.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/shell/js.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/shell/js.cpp	2014-02-10 01:12:09.947982749 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/shell/js.cpp	2014-02-10 01:13:32.322532076 +0400
+@@ -1955,6 +1955,7 @@
+         /* Without arguments, disassemble the current script. */
+         RootedScript script(cx, GetTopScript(cx));
+         if (script) {
++            JSAutoCompartment ac(cx, script);
+             if (!js_Disassemble(cx, script, p.lines, sprinter))
+                 return false;
+             SrcNotes(cx, script, sprinter);
+@@ -3363,11 +3364,16 @@
+         args.rval().setString(cx->runtime()->emptyString);
+         return true;
+     }
++
++    {
++        JSAutoCompartment ac(cx, script);
+     JSString *result = JS_DecompileScript(cx, script, "test", 0);
+     if (!result)
+         return false;
+     args.rval().setString(result);
+-    return true;
++    }
++
++    return JS_WrapValue(cx, vp);
+ }
+ 
+ static JSBool
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/vm/Interpreter.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/vm/Interpreter.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/src/vm/Interpreter.cpp	2013-09-16 22:26:43.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/src/vm/Interpreter.cpp	2014-02-10 01:13:32.322532076 +0400
+@@ -519,14 +519,19 @@
+         /*
+          * We must call the thisObject hook in case we are not called from the
+          * interpreter, where a prior bytecode has computed an appropriate
+-         * |this| already.
++         * |this| already.  But don't do that if fval is a DOM function.
+          */
++        if (!fval.isObject() || !fval.toObject().is<JSFunction>() ||
++            !fval.toObject().as<JSFunction>().isNative() ||
++            !fval.toObject().as<JSFunction>().jitInfo())
++        {
+         RootedObject thisObj(cx, &args.thisv().toObject());
+         JSObject *thisp = JSObject::thisObject(cx, thisObj);
+         if (!thisp)
+              return false;
+         args.setThis(ObjectValue(*thisp));
+     }
++    }
+ 
+     if (!Invoke(cx, args))
+         return false;
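Review bot: The new condition treats any native JSFunction with a non-null `jitInfo()` as a "DOM function", but the comment states neither that equivalence nor why the thisObject hook may be skipped for it. Every native that carries jitInfo now receives `|this|` without the hook, so the invariant relied on should be written down, for example `/* Natives with jitInfo are treated as DOM methods and get |this| unchanged; they are expected to validate it themselves. */` (wording to be confirmed against the bindings code, which is not in this hunk). Hoisting `fval.toObject().as<JSFunction>()` into a local would also make the four-part test easier to audit. The enclosing function begins and ends outside the hunk.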
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/XPCConvert.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/XPCConvert.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/XPCConvert.cpp	2013-09-16 22:26:43.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/XPCConvert.cpp	2014-02-10 01:13:32.323532058 +0400
+@@ -987,6 +987,11 @@
+         // If we're looking at a security wrapper, see now if we're allowed to
+         // pass it to C++. If we are, then fall through to the code below. If
+         // we aren't, throw an exception eagerly.
++        //
++        // NB: It's very important that we _don't_ unwrap in the aOuter case,
++        // because the caller may explicitly want to create the XPCWrappedJS
++        // around a security wrapper. XBL does this with Xrays from the XBL
++        // scope - see nsBindingManager::GetBindingImplementation.
+         JSObject* inner = js::CheckedUnwrap(src, /* stopAtOuter = */ false);
+ 
+         // Hack - For historical reasons, wrapped chrome JS objects have been
+@@ -1024,10 +1029,16 @@
+     // else...
+ 
+     nsXPCWrappedJS* wrapper;
+-    nsresult rv = nsXPCWrappedJS::GetNewOrUsed(src, *iid, aOuter, &wrapper);
++    nsresult rv = nsXPCWrappedJS::GetNewOrUsed(src, *iid, &wrapper);
+     if (pErr)
+         *pErr = rv;
+     if (NS_SUCCEEDED(rv) && wrapper) {
++        // If the caller wanted to aggregate this JS object to a native,
++        // attach it to the wrapper. Note that we allow a maximum of one
++        // aggregated native for a given XPCWrappedJS.
++        if (aOuter)
++            wrapper->SetAggregatedNativeObject(aOuter);
++
+         // We need to go through the QueryInterface logic to make this return
+         // the right thing for the various 'special' interfaces; e.g.
+         // nsIPropertyBag. We must use AggregatedQueryInterface in cases where
+@@ -1182,8 +1193,7 @@
+                 // lets try to build a wrapper around the JSObject
+                 nsXPCWrappedJS* jswrapper;
+                 nsresult rv =
+-                    nsXPCWrappedJS::GetNewOrUsed(obj, NS_GET_IID(nsIException),
+-                                                 nullptr, &jswrapper);
++                    nsXPCWrappedJS::GetNewOrUsed(obj, NS_GET_IID(nsIException), &jswrapper);
+                 if (NS_FAILED(rv))
+                     return rv;
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/XPCJSRuntime.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/XPCJSRuntime.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/XPCJSRuntime.cpp	2014-02-10 01:12:13.851913553 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/XPCJSRuntime.cpp	2014-02-10 01:13:32.323532058 +0400
+@@ -343,6 +343,12 @@
+ }
+ 
+ bool
++IsInXBLScope(JSObject *obj)
++{
++    return IsXBLScope(js::GetObjectCompartment(obj));
++}
++
++bool
+ IsUniversalXPConnectEnabled(JSCompartment *compartment)
+ {
+     CompartmentPrivate *priv = GetCompartmentPrivate(compartment);
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/XPCJSWeakReference.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/XPCJSWeakReference.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/XPCJSWeakReference.cpp	2013-09-16 22:26:43.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/XPCJSWeakReference.cpp	2014-02-10 01:13:32.323532058 +0400
+@@ -41,7 +41,6 @@
+     nsRefPtr<nsXPCWrappedJS> wrapped;
+     nsresult rv = nsXPCWrappedJS::GetNewOrUsed(obj,
+                                                NS_GET_IID(nsISupports),
+-                                               nullptr,
+                                                getter_AddRefs(wrapped));
+     if (!wrapped) {
+         NS_ERROR("can't get nsISupportsWeakReference wrapper for obj");
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/XPCQuickStubs.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/XPCQuickStubs.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/XPCQuickStubs.cpp	2013-09-16 22:26:43.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/XPCQuickStubs.cpp	2014-02-10 01:13:32.341531746 +0400
+@@ -722,8 +722,7 @@
+     }
+ 
+     nsRefPtr<nsXPCWrappedJS> wrappedJS;
+-    rv = nsXPCWrappedJS::GetNewOrUsed(src, iid, nullptr,
+-                                      getter_AddRefs(wrappedJS));
++    rv = nsXPCWrappedJS::GetNewOrUsed(src, iid, getter_AddRefs(wrappedJS));
+     if (NS_FAILED(rv) || !wrappedJS) {
+         *ppArgRef = nullptr;
+         return rv;
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/XPCWrappedJS.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/XPCWrappedJS.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/XPCWrappedJS.cpp	2013-09-16 22:26:43.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/XPCWrappedJS.cpp	2014-02-10 01:13:32.341531746 +0400
+@@ -174,21 +174,6 @@
+         MOZ_CRASH();
+     NS_PRECONDITION(0 != mRefCnt, "dup release");
+ 
+-    if (mMainThreadOnly && !NS_IsMainThread()) {
+-        // We'd like to abort here, but this can happen if someone uses a proxy
+-        // for the nsXPCWrappedJS.
+-        nsCOMPtr<nsIThread> mainThread = do_GetMainThread();
+-        // If we can't get the main thread anymore we just leak, but this really
+-        // shouldn't happen.
+-        NS_ASSERTION(mainThread,
+-                     "Can't get main thread, leaking nsXPCWrappedJS!");
+-        if (mainThread) {
+-            NS_ProxyRelease(mainThread,
+-                            static_cast<nsIXPConnectWrappedJS*>(this));
+-        }
+-        return mRefCnt;
+-    }
+-
+     // need to take the map lock here to prevent GetNewOrUsed from trying
+     // to reuse a wrapper on one thread while it's being destroyed on another
+     XPCJSRuntime* rt = nsXPConnect::GetRuntimeInstance();
+@@ -250,33 +235,10 @@
+     return xpc_UnmarkGrayObject(mJSObj);
+ }
+ 
+-static bool
+-CheckMainThreadOnly(nsXPCWrappedJS *aWrapper)
+-{
+-    if(aWrapper->IsMainThreadOnly())
+-        return NS_IsMainThread();
+-
+-    nsCOMPtr<nsIClassInfo> ci;
+-    CallQueryInterface(aWrapper, getter_AddRefs(ci));
+-    if (ci) {
+-        uint32_t flags;
+-        if (NS_SUCCEEDED(ci->GetFlags(&flags)) && !(flags & nsIClassInfo::MAIN_THREAD_ONLY))
+-            return true;
+-
+-        if (!NS_IsMainThread())
+-            return false;
+-    }
+-
+-    aWrapper->SetIsMainThreadOnly();
+-
+-    return true;
+-}
+-
+ // static
+ nsresult
+ nsXPCWrappedJS::GetNewOrUsed(JSObject* aJSObj,
+                              REFNSIID aIID,
+-                             nsISupports* aOuter,
+                              nsXPCWrappedJS** wrapperResult)
+ {
+     // Do a release-mode assert against accessing nsXPCWrappedJS off-main-thread.
+@@ -327,8 +289,7 @@
+         // build the root wrapper
+         if (rootJSObj == jsObj) {
+             // the root will do double duty as the interface wrapper
+-            wrapper = root = new nsXPCWrappedJS(cx, jsObj, clazz, nullptr,
+-                                                aOuter);
++            wrapper = root = new nsXPCWrappedJS(cx, jsObj, clazz, nullptr);
+             if (!root)
+                 goto return_wrapper;
+ 
+@@ -341,13 +302,6 @@
+                 map->Add(root);
+             }
+ 
+-            if (!CheckMainThreadOnly(root)) {
+-                XPCAutoLock lock(rt->GetMapLock());
+-                map->Remove(root);
+-
+-                wrapper = NULL;
+-            }
+-
+             goto return_wrapper;
+         } else {
+             // just a root wrapper
+@@ -357,7 +311,7 @@
+             if (!rootClazz)
+                 goto return_wrapper;
+ 
+-            root = new nsXPCWrappedJS(cx, rootJSObj, rootClazz, nullptr, aOuter);
++            root = new nsXPCWrappedJS(cx, rootJSObj, rootClazz, nullptr);
+             NS_RELEASE(rootClazz);
+ 
+             if (!root)
+@@ -374,12 +328,6 @@
+                 map->Add(root);
+             }
+ 
+-            if (!CheckMainThreadOnly(root)) {
+-                XPCAutoLock lock(rt->GetMapLock());
+-                map->Remove(root);
+-
+-                goto return_wrapper;
+-            }
+         }
+     }
+ 
+@@ -388,7 +336,7 @@
+     NS_ASSERTION(clazz,"bad clazz");
+ 
+     if (!wrapper) {
+-        wrapper = new nsXPCWrappedJS(cx, jsObj, clazz, root, aOuter);
++        wrapper = new nsXPCWrappedJS(cx, jsObj, clazz, root);
+         if (!wrapper)
+             goto return_wrapper;
+ #if DEBUG_xpc_leaks
+@@ -417,32 +365,19 @@
+ nsXPCWrappedJS::nsXPCWrappedJS(JSContext* cx,
+                                JSObject* aJSObj,
+                                nsXPCWrappedJSClass* aClass,
+-                               nsXPCWrappedJS* root,
+-                               nsISupports* aOuter)
++                               nsXPCWrappedJS* root)
+     : mJSObj(aJSObj),
+       mClass(aClass),
+       mRoot(root ? root : this),
+       mNext(nullptr),
+-      mOuter(root ? nullptr : aOuter),
+-      mMainThread(NS_IsMainThread()),
+-      mMainThreadOnly(root && root->mMainThreadOnly)
+-{
+-#ifdef DEBUG_stats_jband
+-    static int count = 0;
+-    static const int interval = 10;
+-    if (0 == (++count % interval))
+-        printf("//////// %d instances of nsXPCWrappedJS created\n", count);
+-#endif
+-
+-    MOZ_ASSERT_IF(mMainThreadOnly, mMainThread);
+-
++      mOuter(nullptr)
++{
+     InitStub(GetClass()->GetIID());
+ 
+     // intentionally do double addref - see Release().
+     NS_ADDREF_THIS();
+     NS_ADDREF_THIS();
+     NS_ADDREF(aClass);
+-    NS_IF_ADDREF(mOuter);
+ 
+     if (mRoot != this)
+         NS_ADDREF(mRoot);
+@@ -572,20 +507,6 @@
+ 
+     if (!IsValid())
+         return NS_ERROR_UNEXPECTED;
+-    if (NS_IsMainThread() != mMainThread) {
+-        NS_NAMED_LITERAL_STRING(kFmt, "Attempt to use JS function on a different thread calling %s.%s. JS objects may not be shared across threads.");
+-        PRUnichar* msg =
+-            nsTextFormatter::smprintf(kFmt.get(),
+-                                      GetClass()->GetInterfaceName(),
+-                                      info->name);
+-        nsCOMPtr<nsIConsoleService> cs =
+-            do_GetService(NS_CONSOLESERVICE_CONTRACTID);
+-        if (cs)
+-            cs->LogStringMessage(msg);
+-        NS_Free(msg);
+-
+-        return NS_ERROR_NOT_SAME_THREAD;
+-    }
+     return GetClass()->CallMethod(this, methodIndex, info, params);
+ }
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/XPCWrappedJSClass.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/XPCWrappedJSClass.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/XPCWrappedJSClass.cpp	2013-09-16 22:26:43.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/XPCWrappedJSClass.cpp	2014-02-10 01:13:32.342531728 +0400
+@@ -727,8 +727,7 @@
+         // XPConvert::JSObject2NativeInterface() here to make sure we
+         // get a new (or used) nsXPCWrappedJS.
+         nsXPCWrappedJS* wrapper;
+-        nsresult rv = nsXPCWrappedJS::GetNewOrUsed(jsobj, aIID, nullptr,
+-                                                   &wrapper);
++        nsresult rv = nsXPCWrappedJS::GetNewOrUsed(jsobj, aIID, &wrapper);
+         if (NS_SUCCEEDED(rv) && wrapper) {
+             // We need to go through the QueryInterface logic to make
+             // this return the right thing for the various 'special'
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/XPCWrappedNativeScope.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/XPCWrappedNativeScope.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/XPCWrappedNativeScope.cpp	2013-09-16 22:26:43.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/XPCWrappedNativeScope.cpp	2014-02-10 01:13:32.342531728 +0400
+@@ -283,6 +283,13 @@
+   XPCWrappedNativeScope *scope = EnsureCompartmentPrivate(c)->scope;
+   return scope && scope->AllowXBLScope();
+ }
++
++bool UseXBLScope(JSCompartment *c)
++{
++  XPCWrappedNativeScope *scope = EnsureCompartmentPrivate(c)->scope;
++  return scope && scope->UseXBLScope();
++}
++
+ } /* namespace xpc */
+ 
+ XPCWrappedNativeScope::~XPCWrappedNativeScope()
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/nsXPConnect.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/nsXPConnect.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/nsXPConnect.cpp	2013-09-16 22:26:43.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/nsXPConnect.cpp	2014-02-10 01:13:32.342531728 +0400
+@@ -1697,3 +1697,13 @@
+ 
+ JS_END_EXTERN_C
+ 
++namespace xpc {
++
++bool
++IsXrayWrapper(JSObject *obj)
++{
++    return WrapperFactory::IsXrayWrapper(obj);
++}
++
++} // namespace xpc
++
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/xpcprivate.h seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/xpcprivate.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/xpcprivate.h	2013-09-16 22:26:43.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/xpcprivate.h	2014-02-10 01:13:32.343531710 +0400
+@@ -1436,6 +1436,7 @@
+ 
+     bool IsXBLScope() { return mIsXBLScope; }
+     bool AllowXBLScope() { return mAllowXBLScope; }
++    bool UseXBLScope() { return mUseXBLScope; }
+ 
+ protected:
+     virtual ~XPCWrappedNativeScope();
+@@ -2766,7 +2767,6 @@
+     static nsresult
+     GetNewOrUsed(JSObject* aJSObj,
+                  REFNSIID aIID,
+-                 nsISupports* aOuter,
+                  nsXPCWrappedJS** wrapper);
+ 
+     nsISomeInterface* GetXPTCStub() { return mXPTCStub; }
+@@ -2803,12 +2803,15 @@
+ 
+     JSBool IsAggregatedToNative() const {return mRoot->mOuter != nullptr;}
+     nsISupports* GetAggregatedNativeObject() const {return mRoot->mOuter;}
+-
+-    void SetIsMainThreadOnly() {
+-        MOZ_ASSERT(mMainThread);
+-        mMainThreadOnly = true;
++    void SetAggregatedNativeObject(nsISupports *aNative) {
++        MOZ_ASSERT(aNative);
++        if (mRoot->mOuter) {
++            MOZ_ASSERT(mRoot->mOuter == aNative,
++                       "Only one aggregated native can be set");
++            return;
++        }
++        NS_ADDREF(mRoot->mOuter = aNative);
+     }
+-    bool IsMainThreadOnly() const {return mMainThreadOnly;}
+ 
+     void TraceJS(JSTracer* trc);
+     static void GetTraceName(JSTracer* trc, char *buf, size_t bufsize);
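Review bot: `SetAggregatedNativeObject` silently returns when `mRoot->mOuter` is already set to a different object. The mismatch is reported only through `MOZ_ASSERT`, so in a build without assertions the caller cannot tell that `aNative` was not attached. The call site added in XPCConvert.cpp (`if (aOuter) wrapper->SetAggregatedNativeObject(aOuter);`) then proceeds to the QueryInterface step, which per its own comment may use AggregatedQueryInterface, with whatever outer the root already had. Consider returning a `bool` so that caller can fail the conversion, or at minimum document the behaviour on the setter: `// No-op if a native is already aggregated; aNative is then NOT the outer.`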
+@@ -2819,8 +2822,7 @@
+     nsXPCWrappedJS(JSContext* cx,
+                    JSObject* aJSObj,
+                    nsXPCWrappedJSClass* aClass,
+-                   nsXPCWrappedJS* root,
+-                   nsISupports* aOuter);
++                   nsXPCWrappedJS* root);
+ 
+    void Unlink();
+ 
+@@ -2830,8 +2832,6 @@
+     nsXPCWrappedJS* mRoot;
+     nsXPCWrappedJS* mNext;
+     nsISupports* mOuter;    // only set in root
+-    bool mMainThread;
+-    bool mMainThreadOnly;
+ };
+ 
+ /***************************************************************************/
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/xpcpublic.h seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/xpcpublic.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/src/xpcpublic.h	2014-02-10 01:12:13.852913534 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/src/xpcpublic.h	2014-02-10 01:13:32.343531710 +0400
+@@ -59,9 +59,18 @@
+ bool
+ AllowXBLScope(JSCompartment *c);
+ 
++// Returns whether we will use an XBL scope for this compartment. This is
++// semantically equivalent to comparing global != GetXBLScope(global), but it
++// does not have the side-effect of eagerly creating the XBL scope if it does
++// not already exist.
++bool
++UseXBLScope(JSCompartment *c);
++
+ bool
+ IsSandboxPrototypeProxy(JSObject *obj);
+ 
++bool
++IsXrayWrapper(JSObject *obj);
+ } /* namespace xpc */
+ 
+ #define XPCONNECT_GLOBAL_FLAGS                                                \
+@@ -333,6 +342,7 @@
+ nsIPrincipal *GetObjectPrincipal(JSObject *obj);
+ 
+ bool IsXBLScope(JSCompartment *compartment);
++bool IsInXBLScope(JSObject *obj);
+ 
+ void DumpJSHeap(FILE* file);
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/tests/chrome/Makefile.in seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/tests/chrome/Makefile.in
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/tests/chrome/Makefile.in	2013-09-16 22:26:43.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/tests/chrome/Makefile.in	2014-02-10 01:13:32.403530662 +0400
+@@ -50,6 +50,7 @@
+ 		test_bug812415.xul \
+ 		test_bug853283.xul \
+ 		test_bug853571.xul \
++		test_bug932906.xul \
+ 		test_APIExposer.xul \
+ 		test_chrometoSource.xul \
+ 		outoflinexulscript.js \
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/tests/chrome/test_bug932906.xul seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/tests/chrome/test_bug932906.xul
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/tests/chrome/test_bug932906.xul	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/tests/chrome/test_bug932906.xul	2014-02-10 01:13:32.403530662 +0400
+@@ -0,0 +1,74 @@
++<?xml version="1.0"?>
++<?xml-stylesheet type="text/css" href="chrome://global/skin"?>
++<?xml-stylesheet type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"?>
++<!--
++https://bugzilla.mozilla.org/show_bug.cgi?id=932906
++-->
++<window title="Mozilla Bug 932906"
++        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
++  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"/>
++
++  <!-- test results are displayed in the html:body -->
++  <body xmlns="http://www.w3.org/1999/xhtml">
++  <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=932906"
++     target="_blank">Mozilla Bug 932906</a>
++  </body>
++
++  <!-- test code goes here -->
++  <script type="application/javascript">
++  <![CDATA[
++  const Cu = Components.utils;
++  Cu.import('resource://gre/modules/Services.jsm');
++
++  /** Test for Bug 932906 **/
++  SimpleTest.waitForExplicitFinish();
++
++  function passToContent(shouldThrow) {
++    try {
++      $('ifr').contentWindow.obs = Services.obs;
++      ok(!shouldThrow, "Didn't throw when passing non-DOM XPCWN to content");
++    } catch (e) {
++      ok(shouldThrow, "Threw when passing non-DOM XPCWN to content");
++      ok(/denied/.test(e), "Threw correct exception: " + e);
++    }
++  }
++  var pref = 'dom.use_xbl_scopes_for_remote_xul';
++
++  var gLoadCount = 0;
++  function loaded() {
++    ++gLoadCount;
++    if (gLoadCount == 1)
++      part1();
++    else if (gLoadCount == 2)
++      part2();
++    else
++      ok(false, "Didn't expect three loads");
++  }
++
++  function part1() {
++
++    // Make sure that the pref is what we expect for mochitests.
++    is(Services.prefs.getBoolPref(pref), true,
++       "Test harness set up like we expect");
++
++
++    // First, test that we can't normally pass non-DOM XPCWNs to content.
++    passToContent(/* shouldThrow = */ true);
++
++    // Now, make sure we _can_ for the remote xul case.
++    //
++    // On esr24, SpecialPowers.pushPrefEnv doesn't work for some reason.
++    Services.prefs.setBoolPref(pref, false);
++    SimpleTest.executeSoon(function() { $('ifr').contentWindow.location.reload(); });
++  }
++
++  function part2() {
++      passToContent(/* shouldThrow = */ false);
++      Services.prefs.setBoolPref(pref, true);
++      SimpleTest.finish();
++  }
++
++  ]]>
++  </script>
++  <iframe id="ifr" onload="loaded();" type="content" src="http://example.org/tests/js/xpconnect/tests/mochitest/file_empty.html" />
++</window>
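Review bot: The pref restore in `part2()` runs only if the second load arrives and nothing throws before it. A failure between `Services.prefs.setBoolPref(pref, false)` in `part1()` and the end of `part2()` therefore leaves `dom.use_xbl_scopes_for_remote_xul` disabled for whatever runs next in the same profile. Registering the restore before the pref is flipped makes it unconditional, e.g. `SimpleTest.registerCleanupFunction(function() { Services.prefs.setBoolPref(pref, true); });` (assuming this branch's SimpleTest provides it). Saving the value read by `getBoolPref(pref)` and restoring that, rather than a hard-coded `true`, would also keep the test from changing the harness default.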
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/tests/mochitest/file_bug795275.xml seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/tests/mochitest/file_bug795275.xml
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/js/xpconnect/tests/mochitest/file_bug795275.xml	2013-09-16 22:26:43.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/js/xpconnect/tests/mochitest/file_bug795275.xml	2014-02-10 01:13:32.403530662 +0400
+@@ -3,13 +3,14 @@
+           xmlns:html="http://www.w3.org/1999/xhtml">
+ <binding id="xbltest">
+ <implementation>
+-<method name="testMethod">
++<method name="testMethod" exposeToUntrustedContent="true">
+ <body>
+   Components.interfaces;
+ </body>
+ </method>
+ <property name="testProp" readonly="true"
+-          onget="Components; return 3;" />
++          onget="Components; return 3;"
++          exposeToUntrustedContent="true" />
+ <constructor>
+   var foo = Components;
+ </constructor>
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/layout/base/tests/chrome/test_leaf_layers_partition_browser_window.xul seamonkey-2.21-esr3.0/comm-release/mozilla/layout/base/tests/chrome/test_leaf_layers_partition_browser_window.xul
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/layout/base/tests/chrome/test_leaf_layers_partition_browser_window.xul	2013-09-16 22:26:44.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/layout/base/tests/chrome/test_leaf_layers_partition_browser_window.xul	2014-02-10 01:13:32.404530644 +0400
+@@ -32,14 +32,6 @@
+     }
+ 
+     function doTest(evt) {
+-      if (tests[testIndex].maximize) {
+-        SimpleTest.info("Maximizing test " + testIndex + " window" + testInfo());
+-        Components.classes["@mozilla.org/appshell/window-mediator;1"]
+-                  .getService(Components.interfaces.nsIWindowMediator)
+-                  .getMostRecentWindow("navigator:browser")
+-                  .maximize();
+-      }
+-
+       var initialCount = win.mozPaintCount;
+ 
+       function nextStep() {
+@@ -65,8 +57,23 @@
+         nextTest();
+       }
+ 
++      if (tests[testIndex].maximize) {
++        function resizeListener() {
++          win.removeEventListener("resize", resizeListener, true);
++          // We want a paint after resize.
++          initialCount = win.mozPaintCount;
+       SimpleTest.executeSoon(nextStep);
+     }
++        win.addEventListener("resize", resizeListener, true);
++        SimpleTest.info("Maximizing test " + testIndex + " window" + testInfo());
++        Components.classes["@mozilla.org/appshell/window-mediator;1"]
++                  .getService(Components.interfaces.nsIWindowMediator)
++                  .getMostRecentWindow("navigator:browser")
++                  .maximize();
++      } else {
++        SimpleTest.executeSoon(nextStep);
++      }
++    }
+ 
+     function nextTest() {
+       if (testIndex >= tests.length) {
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/layout/forms/test/test_bug536567_perwindowpb.html seamonkey-2.21-esr3.0/comm-release/mozilla/layout/forms/test/test_bug536567_perwindowpb.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/layout/forms/test/test_bug536567_perwindowpb.html	2013-09-16 22:26:44.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/layout/forms/test/test_bug536567_perwindowpb.html	2014-02-10 01:13:32.685525708 +0400
+@@ -139,12 +139,20 @@
+     getInterface(Ci.nsIDOMWindow);
+ var contentPage = "http://mochi.test:8888/chrome/layout/forms/test/bug536567_iframe.html";
+ 
++function whenDelayedStartupFinished(aWindow, aCallback) {
++  Services.obs.addObserver(function observer(aSubject, aTopic) {
++    if (aWindow == aSubject) {
++      Services.obs.removeObserver(observer, aTopic);
++      setTimeout(aCallback, 0);
++    }
++  }, "browser-delayed-startup-finished", false);
++}
++
+ function testOnWindow(aIsPrivate, aCallback) {
+   var win = mainWindow.OpenBrowserWindow({private: aIsPrivate});
+-  win.addEventListener("load", function onLoad() {
+-    win.removeEventListener("load", onLoad, false);
++  whenDelayedStartupFinished(win, function() {
+     win.addEventListener("DOMContentLoaded", function onInnerLoad() {
+-      if (win.content.location.href == "about:privatebrowsing") {
++      if (win.content.location.href != contentPage) {
+         win.gBrowser.loadURI(contentPage);
+         return;
+       }
+@@ -155,7 +163,7 @@
+     }, true);
+     SimpleTest.info("load's window: " + win.location + " vs. " + window.location);
+     win.setTimeout(function() { win.gBrowser.loadURI(contentPage); }, 0);
+-  }, true);
++  });
+ }
+ 
+ MockFilePicker.showCallback = function(filepicker) {
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/layout/style/xbl-marquee/xbl-marquee.xml seamonkey-2.21-esr3.0/comm-release/mozilla/layout/style/xbl-marquee/xbl-marquee.xml
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/layout/style/xbl-marquee/xbl-marquee.xml	2013-09-16 22:26:49.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/layout/style/xbl-marquee/xbl-marquee.xml	2014-02-10 01:13:32.685525708 +0400
+@@ -17,7 +17,7 @@
+     </resources>
+     <implementation>
+ 
+-      <property name="scrollAmount">
++      <property name="scrollAmount" exposeToUntrustedContent="true">
+         <getter>
+           <![CDATA[
+           var val = parseInt(this.getAttribute("scrollamount"));
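Review bot: `exposeToUntrustedContent="true"` is added member by member across this file's hunks (the properties from `scrollAmount` to `width`, and the `start` and `stop` methods), with nothing in the binding saying what the attribute gates or why the remaining members are left out. At least one property stays unmarked, the one in the `@@ -142,12 +142,12 @@` hunk whose getter returns the anonymous `innerDiv`, which looks deliberate. A comment at the top of `<implementation>` would keep later edits from widening the content-visible surface by copy-paste, e.g. `<!-- Only members marked exposeToUntrustedContent are reachable from content; internal helpers must stay unmarked. -->`. The setters of the exposed properties lie outside these hunks and were not reviewed here.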
+@@ -33,7 +33,7 @@
+         </setter>
+       </property>
+ 
+-      <property name="scrollDelay">
++      <property name="scrollDelay" exposeToUntrustedContent="true">
+         <getter>
+           <![CDATA[
+           var val = parseInt(this.getAttribute("scrolldelay"));
+@@ -49,7 +49,7 @@
+         </setter>
+       </property>
+ 
+-      <property name="trueSpeed">
++      <property name="trueSpeed" exposeToUntrustedContent="true">
+         <getter>
+           <![CDATA[
+           if (!this.hasAttribute("truespeed"))
+@@ -68,7 +68,7 @@
+         </setter>
+       </property>
+ 
+-      <property name="direction">
++      <property name="direction" exposeToUntrustedContent="true">
+         <getter>
+           return this.getAttribute("direction");
+         </getter>
+@@ -77,7 +77,7 @@
+         </setter>
+       </property>
+ 
+-      <property name="behavior">
++      <property name="behavior" exposeToUntrustedContent="true">
+         <getter>
+           return this._behavior;
+         </getter>
+@@ -87,7 +87,7 @@
+       </property>
+ 
+ 
+-      <property name="loop">
++      <property name="loop" exposeToUntrustedContent="true">
+         <getter>
+           <![CDATA[
+           var val = parseInt(this.getAttribute('loop'));
+@@ -104,7 +104,7 @@
+       </property>
+ 
+ 
+-      <property name="onstart">
++      <property name="onstart" exposeToUntrustedContent="true">
+         <getter>
+           return this.getAttribute("onstart");
+         </getter>
+@@ -114,7 +114,7 @@
+         </setter>
+       </property>
+ 
+-      <property name="onfinish">
++      <property name="onfinish" exposeToUntrustedContent="true">
+         <getter>
+           return this.getAttribute("onfinish");
+         </getter>
+@@ -124,7 +124,7 @@
+         </setter>
+       </property>
+ 
+-      <property name="onbounce">
++      <property name="onbounce" exposeToUntrustedContent="true">
+         <getter>
+           return this.getAttribute("onbounce");
+         </getter>
+@@ -142,12 +142,12 @@
+         onget="return document.getAnonymousElementByAttribute(this, 'class', 'innerDiv');"
+       />
+ 
+-      <property name="height"
++      <property name="height" exposeToUntrustedContent="true"
+         onget="return this.getAttribute('height');"
+         onset="this.setAttribute('height', val);"
+       />
+ 
+-      <property name="width"
++      <property name="width" exposeToUntrustedContent="true"
+         onget="return this.getAttribute('width');"
+         onset="this.setAttribute('width', val);"
+       />
+@@ -303,7 +303,7 @@
+         </body>
+       </method>
+ 
+-      <method name="start">
++      <method name="start" exposeToUntrustedContent="true">
+         <body>
+         <![CDATA[
+           if (this.runId == 0) {
+@@ -316,7 +316,7 @@
+         </body>
+       </method>
+ 
+-      <method name="stop">
++      <method name="stop" exposeToUntrustedContent="true">
+         <body>
+         <![CDATA[
+           if (this.runId != 0) {
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/media/webrtc/signaling/src/sipcc/core/ccapp/ccprovider.c seamonkey-2.21-esr3.0/comm-release/mozilla/media/webrtc/signaling/src/sipcc/core/ccapp/ccprovider.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/media/webrtc/signaling/src/sipcc/core/ccapp/ccprovider.c	2013-09-16 22:26:50.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/media/webrtc/signaling/src/sipcc/core/ccapp/ccprovider.c	2014-02-10 01:13:32.687525689 +0400
+@@ -1490,6 +1490,8 @@
+         if ((CCAPI_DeviceInfo_isPhoneIdle(handle) == TRUE) && (sendResetUpdates)) {
+             resetNotReady();
+         }
++        /* Increment the refcount before putting it in the hashtable */
++        CCAPI_Call_retainCallInfo(data);
+         (void) addhash(data->sess_id, data);
+             }
+ 
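Review bot: The reference taken by `CCAPI_Call_retainCallInfo(data)` is not given back if the insertion fails, because the result of `addhash` is still discarded with `(void)`. The return convention of `addhash` is not visible here, but `delhash` in the later hunks reports failure with a negative value; if `addhash` behaves the same way, a failed insert leaves an extra reference that is never released. Checking the result, e.g. `if (addhash(data->sess_id, data) < 0) { CCAPI_Call_releaseCallInfo(data); }`, would keep the count balanced. The enclosing function starts and ends outside the hunk.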
+@@ -1551,12 +1553,11 @@
+ 	    // find and deep free then delete
+         sess_data_p = (session_data_t *)findhash(sessUpd->sessionID);
+         if ( sess_data_p != NULL ){
+-            cleanSessionData(sess_data_p);
+             if ( 0 >  delhash(sessUpd->sessionID) ) {
+                 APP_ERR_MSG (DEB_F_PREFIX"failed to delete hash sessid=0x%08x",
+                         DEB_F_PREFIX_ARGS(SIP_CC_PROV, fname),sessUpd->sessionID);
+             }
+-            cpr_free(sess_data_p);
++            CCAPI_Call_releaseCallInfo(sess_data_p);
+         }
+         if ( (gCCApp.inPreservation || (gCCApp.cucm_mode == FALLBACK)) && isNoCallExist()) {
+             /* The phone is now Idle. Clear the inPreservation Flag */
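Review bot: `CCAPI_Call_releaseCallInfo(sess_data_p)` runs even when `delhash` reported failure, so if removal can fail after `findhash` succeeded, the table keeps a pointer whose reference has been dropped. The same sequence is repeated in the hunk at -1610. Putting the release in an `else` after the `APP_ERR_MSG` branch, `} else { CCAPI_Call_releaseCallInfo(sess_data_p); }`, trades that for a leak that is at least logged. The context comment `// find and deep free then delete` no longer matches the order and could read `// find, remove from the hash, then drop the hash's reference`. Both blocks sit in functions that extend beyond the hunks.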
+@@ -1610,12 +1611,11 @@
+                 // find and deep free then delete
+                 sess_data_p = (session_data_t *)findhash(sessUpd->sessionID);
+                 if ( sess_data_p != NULL ){
+-                    cleanSessionData(sess_data_p);
+                     if ( 0 >  delhash(sessUpd->sessionID) ) {
+                           APP_ERR_MSG (DEB_F_PREFIX"failed to delete hash sessid=0x%08x",
+                                     DEB_F_PREFIX_ARGS(SIP_CC_PROV, fname),sessUpd->sessionID);
+                   	}
+-                        cpr_free(sess_data_p);
++                    CCAPI_Call_releaseCallInfo(sess_data_p);
+                      data = NULL;
+                  }
+                 if ((gCCApp.inPreservation || (gCCApp.cucm_mode == FALLBACK)) && isNoCallExist()) {
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/python/mozboot/mozboot/osx.py seamonkey-2.21-esr3.0/comm-release/mozilla/python/mozboot/mozboot/osx.py
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/python/mozboot/mozboot/osx.py	2013-09-16 22:26:55.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/python/mozboot/mozboot/osx.py	2014-02-10 01:13:32.687525689 +0400
+@@ -36,6 +36,14 @@
+ XCODE_REQUIRED = '''
+ Xcode is required to build Firefox. Please complete the install of Xcode
+ through the App Store.
++
++It's possible Xcode is already installed on this machine but it isn't being
++detected. This is possible with developer preview releases of Xcode, for
++example. To correct this problem, run:
++
++  `xcode-select --switch /path/to/Xcode.app`.
++
++e.g. `sudo xcode-select --switch /Applications/Xcode.app`.
+ '''
+ 
+ XCODE_REQUIRED_LEGACY = '''
+@@ -143,8 +151,19 @@
+                 subprocess.check_call(['open', XCODE_LEGACY])
+                 sys.exit(1)
+ 
++        # OS X 10.7 have Xcode come from the app store. However, users can
++        # still install Xcode into any arbitrary location. We honor the
++        # location of Xcode as set by xcode-select. This should also pick up
++        # developer preview releases of Xcode, which can be installed into
++        # paths like /Applications/Xcode5-DP6.app.
+         elif self.os_version >= StrictVersion('10.7'):
+-            if not os.path.exists('/Applications/Xcode.app'):
++            select = self.which('xcode-select')
++            output = self.check_output([select, '--print-path'])
++
++            # This isn't the most robust check in the world. It relies on the
++            # default value not being in an application bundle, which seems to
++            # hold on at least Mavericks.
++            if '.app/' not in output:
+                 print(XCODE_REQUIRED)
+ 
+                 subprocess.check_call(['open', XCODE_APP_STORE])
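Review bot: The new 10.7 branch has no path for `xcode-select` being absent or exiting non-zero, since the result of `self.which('xcode-select')` goes straight into `self.check_output([select, '--print-path'])`. Both helpers are defined outside the hunk, so this is inferred, but if `which` can return `None` or `check_output` raises on failure, the user gets a traceback instead of the `XCODE_REQUIRED` text. Treating either case as "not installed", for example by setting `output = ''` when `select` is empty and catching `subprocess.CalledProcessError` around the call, keeps the existing message path. The comment's first sentence would also read better as `# Starting with OS X 10.7, Xcode comes from the App Store.`; the method continues past the end of the hunk.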
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/manager/boot/src/nsSTSPreloadList.errors seamonkey-2.21-esr3.0/comm-release/mozilla/security/manager/boot/src/nsSTSPreloadList.errors
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/manager/boot/src/nsSTSPreloadList.errors	2013-09-16 22:26:55.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/manager/boot/src/nsSTSPreloadList.errors	2014-02-10 01:13:32.687525689 +0400
+@@ -1,67 +1,86 @@
+-accounts.google.com: max-age too low: 2592000
+ alpha.irccloud.com: could not connect to host
+ api.mega.co.nz: could not connect to host
+ api.recurly.com: did not receive HSTS header
+ api.simple.com: did not receive HSTS header
+ apis.google.com: did not receive HSTS header
+ appengine.google.com: did not receive HSTS header
++bcrook.com: max-age too low: 86400
+ betnet.fr: could not connect to host
+ bigshinylock.minazo.net: could not connect to host
+-blueseed.co: did not receive HSTS header
+-braintreegateway.com: could not connect to host
++braintreegateway.com: did not receive HSTS header
+ braintreepayments.com: did not receive HSTS header
+ browserid.org: did not receive HSTS header
++business.medbank.com.mt: did not receive HSTS header
+ carlolly.co.uk: did not receive HSTS header
+ cert.se: max-age too low: 2628001
+ checkout.google.com: did not receive HSTS header
+ chrome-devtools-frontend.appspot.com: did not receive HSTS header
+ chrome.google.com: did not receive HSTS header
++cloud.google.com: did not receive HSTS header
+ code.google.com: did not receive HSTS header
+ codereview.chromium.org: did not receive HSTS header
++crate.io: did not receive HSTS header
++crowdcurity.com: did not receive HSTS header
+ crypto.is: did not receive HSTS header
+ csawctf.poly.edu: did not receive HSTS header
+ dl.google.com: did not receive HSTS header
+ docs.google.com: did not receive HSTS header
+ drive.google.com: did not receive HSTS header
+ dropcam.com: did not receive HSTS header
+-emailprivacytester.com: max-age too low: 8640000
++email.lookout.com: could not connect to host
++emailprivacytester.com: did not receive HSTS header
+ encrypted.google.com: did not receive HSTS header
+-epoxate.com: max-age too low: 259200
++espra.com: could not connect to host
++factor.cc: could not connect to host
+ fatzebra.com.au: did not receive HSTS header
+ fj.simple.com: did not receive HSTS header
++get.zenpayroll.com: did not receive HSTS header
++getcloak.com: max-age too low: 2678400
++glass.google.com: did not receive HSTS header
+ gmail.com: did not receive HSTS header
+ googlemail.com: did not receive HSTS header
+ googleplex.com: could not connect to host
++goto.google.com: did not receive HSTS header
+ greplin.com: did not receive HSTS header
+-grepular.com: max-age too low: 8640000
+ groups.google.com: did not receive HSTS header
+-health.google.com: did not receive HSTS header
+ history.google.com: did not receive HSTS header
+ hostedtalkgadget.google.com: did not receive HSTS header
++id.atlassian.com: did not receive HSTS header
++in.xero.com: max-age too low: 3600
+ iop.intuit.com: max-age too low: 86400
+ irccloud.com: did not receive HSTS header
+ jitsi.org: did not receive HSTS header
+ jottit.com: did not receive HSTS header
+ kiwiirc.com: max-age too low: 5256000
+-ledgerscope.net: max-age too low: 86400
++ledgerscope.net: did not receive HSTS header
++liberty.lavabit.com: could not connect to host
++lifeguard.aecom.com: max-age too low: 3600
+ lists.mayfirst.org: did not receive HSTS header
+-logentries.com: did not receive HSTS header
+ mail.google.com: did not receive HSTS header
+ market.android.com: did not receive HSTS header
++medium.com: max-age too low: 2592000
+ my.alfresco.com: did not receive HSTS header
+ mydigipass.com: did not receive HSTS header
+ neonisi.com: could not connect to host
+ openshift.redhat.com: did not receive HSTS header
+ ottospora.nl: could not connect to host
+ packagist.org: max-age too low: 2592000
+-passwd.io: could not connect to host
++passport.yandex.by: did not receive HSTS header
++passport.yandex.com: did not receive HSTS header
++passport.yandex.com.tr: did not receive HSTS header
++passport.yandex.kz: did not receive HSTS header
++passport.yandex.ru: did not receive HSTS header
++passport.yandex.ua: did not receive HSTS header
+ paypal.com: max-age too low: 14400
+-piratenlogin.de: could not connect to host
++payroll.xero.com: max-age too low: 3600
++platform.lookout.com: could not connect to host
++play.google.com: did not receive HSTS header
+ plus.google.com: did not receive HSTS header
+ plus.sandbox.google.com: did not receive HSTS header
+ profiles.google.com: did not receive HSTS header
+-romab.com: max-age too low: 2628000
++rapidresearch.me: did not receive HSTS header
+ sah3.net: could not connect to host
++saturngames.co.uk: did not receive HSTS header
+ script.google.com: did not receive HSTS header
+ security.google.com: did not receive HSTS header
+ serverdensity.io: did not receive HSTS header
+@@ -78,17 +97,21 @@
+ surfeasy.com: did not receive HSTS header
+ talk.google.com: did not receive HSTS header
+ talkgadget.google.com: did not receive HSTS header
+-torproject.org: did not receive HSTS header
++translate.googleapis.com: did not receive HSTS header
+ uprotect.it: could not connect to host
++wallet.google.com: did not receive HSTS header
++whonix.org: did not receive HSTS header
++www.cueup.com: did not receive HSTS header
+ www.developer.mydigipass.com: could not connect to host
+ www.dropcam.com: max-age too low: 2592000
+ www.elanex.biz: did not receive HSTS header
++www.getcloak.com: max-age too low: 2678400
+ www.gmail.com: did not receive HSTS header
+ www.googlemail.com: did not receive HSTS header
+-www.greplin.com: did not receive HSTS header
++www.greplin.com: could not connect to host
+ www.jitsi.org: did not receive HSTS header
+ www.lastpass.com: did not receive HSTS header
+-www.ledgerscope.net: max-age too low: 86400
++www.ledgerscope.net: did not receive HSTS header
+ www.logentries.com: did not receive HSTS header
+ www.moneybookers.com: did not receive HSTS header
+ www.neonisi.com: could not connect to host
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/manager/boot/src/nsSTSPreloadList.inc seamonkey-2.21-esr3.0/comm-release/mozilla/security/manager/boot/src/nsSTSPreloadList.inc
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/manager/boot/src/nsSTSPreloadList.inc	2013-09-16 22:26:55.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/manager/boot/src/nsSTSPreloadList.inc	2014-02-10 01:13:32.937521319 +0400
+@@ -8,7 +8,7 @@
+ /*****************************************************************************/
+ 
+ #include "mozilla/StandardInteger.h"
+-const PRTime gPreloadListExpirationTime = INT64_C(1386411273170000);
++const PRTime gPreloadListExpirationTime = INT64_C(1401534343864000);
+ 
+ class nsSTSPreload
+ {
+@@ -18,43 +18,64 @@
+ };
+ 
+ static const nsSTSPreload kSTSPreloadList[] = {
++  { "accounts.google.com", true },
+   { "aladdinschools.appspot.com", false },
+   { "alpha.irccloud.com", false },
+   { "api.intercom.io", false },
++  { "api.xero.com", false },
+   { "app.recurly.com", false },
++  { "app.yinxiang.com", false },
++  { "appseccalifornia.org", true },
+   { "arivo.com.br", true },
+   { "bank.simple.com", false },
+   { "bassh.net", true },
+   { "bccx.com", true },
++  { "bitbucket.org", false },
+   { "blog.cyveillance.com", true },
+   { "blog.linode.com", false },
++  { "blog.lookout.com", false },
+   { "blog.torproject.org", false },
+   { "bugzilla.mozilla.org", true },
+-  { "business.medbank.com.mt", true },
++  { "business.lookout.com", false },
+   { "carezone.com", false },
+   { "check.torproject.org", false },
+   { "chromiumcodereview.appspot.com", false },
++  { "cloudns.com.au", true },
+   { "cloudsecurityalliance.org", true },
+   { "codereview.appspot.com", false },
+   { "conformal.com", true },
+   { "controlcenter.gigahost.dk", true },
+-  { "crate.io", true },
+   { "crm.onlime.ch", false },
+   { "crypto.cat", false },
++  { "cupcake.io", true },
++  { "cupcake.is", true },
++  { "cybozu.com", true },
+   { "cyphertite.com", true },
++  { "data.qld.gov.au", false },
++  { "davidlyness.com", true },
+   { "developer.mydigipass.com", false },
+   { "dist.torproject.org", false },
+   { "dm.lookout.com", false },
+   { "dm.mylookout.com", false },
+   { "download.jitsi.org", false },
+   { "ebanking.indovinabank.com.vn", false },
++  { "ecosystem.atlassian.net", true },
++  { "eff.org", true },
+   { "entropia.de", false },
++  { "epoxate.com", false },
++  { "errors.zenpayroll.com", false },
+   { "espra.com", true },
++  { "f-droid.org", true },
+   { "factor.cc", false },
++  { "faq.lookout.com", false },
+   { "forum.linode.com", false },
+   { "forum.quantifiedself.com", true },
++  { "gernert-server.de", true },
++  { "getlantern.org", false },
++  { "go.xero.com", false },
+   { "gocardless.com", true },
+   { "grc.com", false },
++  { "grepular.com", true },
+   { "haste.ch", true },
+   { "howrandom.org", true },
+   { "id.mayfirst.org", false },
+@@ -62,74 +83,100 @@
+   { "intercom.io", false },
+   { "itriskltd.com", true },
+   { "keyerror.com", true },
++  { "kinsights.com", false },
+   { "lastpass.com", false },
+   { "launchkey.com", true },
+   { "library.linode.com", false },
+   { "linode.com", false },
+   { "linx.net", false },
+   { "lockify.com", true },
++  { "logentries.com", false },
+   { "login.persona.org", true },
+   { "login.sapo.pt", true },
++  { "login.xero.com", false },
+   { "logotype.se", true },
++  { "lolicore.ch", true },
+   { "lookout.com", false },
++  { "lumi.do", false },
+   { "luneta.nearbuysystems.com", false },
+-  { "makeyourlaws.org", true },
++  { "mail.de", true },
++  { "makeyourlaws.org", false },
++  { "manage.zenpayroll.com", false },
+   { "manager.linode.com", false },
++  { "matteomarescotti.name", true },
+   { "mattmccutchen.net", true },
++  { "mediacru.sh", true },
+   { "mega.co.nz", false },
+   { "members.mayfirst.org", false },
+   { "members.nearlyfreespeech.net", false },
++  { "mnsure.org", true },
++  { "mudcrab.us", true },
+   { "my.onlime.ch", false },
++  { "my.xero.com", false },
++  { "mykolab.com", true },
+   { "mylookout.com", false },
+   { "neg9.org", false },
++  { "oplop.appspot.com", true },
++  { "opsmate.com", false },
+   { "p.linode.com", false },
+   { "passwd.io", true },
+   { "paste.linode.com", false },
+   { "pastebin.linode.com", false },
+   { "pay.gigahost.dk", true },
+   { "paymill.com", true },
+-  { "paymill.de", true },
++  { "paymill.de", false },
+   { "piratenlogin.de", true },
+   { "pixi.me", true },
+-  { "rapidresearch.me", true },
++  { "publications.qld.gov.au", false },
+   { "riseup.net", true },
++  { "romab.com", true },
+   { "roundcube.mayfirst.org", false },
+   { "sandbox.mydigipass.com", false },
+   { "securityheaders.com", true },
+   { "shodan.io", true },
+-  { "silentcircle.com", true },
++  { "silentcircle.com", false },
++  { "simbolo.co.uk", false },
+   { "simple.com", false },
++  { "skydrive.live.com", false },
+   { "squareup.com", false },
+   { "stocktrade.de", false },
+   { "stripe.com", true },
++  { "strongest-privacy.com", true },
+   { "support.mayfirst.org", false },
+   { "surkatty.org", true },
++  { "tent.io", true },
+   { "therapynotes.com", false },
++  { "torproject.org", false },
+   { "twitter.com", false },
+   { "ubertt.org", true },
+   { "webmail.gigahost.dk", false },
+   { "webmail.mayfirst.org", false },
+   { "webmail.onlime.ch", false },
+-  { "whonix.org", true },
++  { "wiki.python.org", true },
+   { "wiz.biz", true },
+   { "writeapp.me", false },
+   { "www.apollo-auto.com", true },
+   { "www.braintreepayments.com", false },
+-  { "www.cueup.com", false },
+   { "www.cyveillance.com", true },
+   { "www.entropia.de", false },
++  { "www.evernote.com", false },
+   { "www.gov.uk", false },
+   { "www.grc.com", false },
++  { "www.heliosnet.com", true },
+   { "www.intercom.io", false },
+   { "www.irccloud.com", false },
+   { "www.linode.com", false },
+   { "www.lookout.com", false },
+-  { "www.makeyourlaws.org", true },
++  { "www.makeyourlaws.org", false },
+   { "www.mydigipass.com", false },
+   { "www.mylookout.com", false },
+   { "www.noisebridge.net", false },
++  { "www.opsmate.com", true },
++  { "www.simbolo.co.uk", false },
+   { "www.simple.com", false },
+   { "www.therapynotes.com", false },
+   { "www.torproject.org", false },
+   { "www.twitter.com", false },
++  { "www.zenpayroll.com", false },
++  { "zenpayroll.com", false },
+ };
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/manager/ssl/src/SSLServerCertVerification.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/security/manager/ssl/src/SSLServerCertVerification.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/manager/ssl/src/SSLServerCertVerification.cpp	2013-09-16 22:26:55.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/manager/ssl/src/SSLServerCertVerification.cpp	2014-02-10 01:13:32.937521320 +0400
+@@ -143,6 +143,9 @@
+ // the code, since performance in the error case is not important.
+ Mutex *gSSLVerificationTelemetryMutex = nullptr;
+ 
++// We add a mutex to serialize PKCS11 database operations
++Mutex *gSSLVerificationPK11Mutex = nullptr;
++
+ } // unnamed namespace
+ 
+ // Called when the socket transport thread starts, to initialize the SSL cert
+@@ -159,6 +162,7 @@
+ InitializeSSLServerCertVerificationThreads()
+ {
+   gSSLVerificationTelemetryMutex = new Mutex("SSLVerificationTelemetryMutex");
++  gSSLVerificationPK11Mutex = new Mutex("SSLVerificationPK11Mutex");
+   // TODO: tuning, make parameters preferences
+   // XXX: instantiate nsThreadPool directly, to make this more bulletproof.
+   // Currently, the nsThreadPool.h header isn't exported for us to do so.
+@@ -195,6 +199,10 @@
+     delete gSSLVerificationTelemetryMutex;
+     gSSLVerificationTelemetryMutex = nullptr;
+   }
++  if (gSSLVerificationPK11Mutex) {
++    delete gSSLVerificationPK11Mutex;
++    gSSLVerificationPK11Mutex = nullptr;
++  }
+ }
+ 
+ namespace {
+@@ -943,6 +951,10 @@
+         // We have found a signer cert that we want to remember.
+         char* nickname = nsNSSCertificate::defaultServerNickname(node->cert);
+         if (nickname && *nickname) {
++          // There is a suspicion that there is some thread safety issues
++          // in PK11_importCert and the mutex is a way to serialize until
++          // this issue has been cleared.
++          MutexAutoLock PK11Mutex(*gSSLVerificationPK11Mutex);
+           ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+           if (slot) {
+             PK11_ImportCert(slot, node->cert, CK_INVALID_HANDLE, 
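Review bot: `MutexAutoLock PK11Mutex(*gSSLVerificationPK11Mutex);` dereferences a global that is `nullptr` until `InitializeSSLServerCertVerificationThreads()` has run and again after the cleanup hunk at -195 deletes it. Whether this block can execute outside that window is not visible here; a `MOZ_ASSERT(gSSLVerificationPK11Mutex);` on the line before the lock would make the assumption explicit. The comment names `PK11_importCert` while the call is `PK11_ImportCert`, and it could say how far the lock extends, e.g. `// Serialize PK11_ImportCert (suspected thread-safety issue); held to the end of this block.` The block closes outside the hunk.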
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/manager/ssl/src/nsCertTree.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/security/manager/ssl/src/nsCertTree.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/manager/ssl/src/nsCertTree.cpp	2013-09-16 22:26:55.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/manager/ssl/src/nsCertTree.cpp	2014-02-10 01:13:32.937521320 +0400
+@@ -312,9 +312,7 @@
+       RefPtr<nsCertTreeDispInfo> certdi(mDispInfo.SafeElementAt(certIndex,
+                                                                 nullptr));
+       if (certdi) {
+-        nsCertTreeDispInfo *raw = certdi.get();
+-        NS_IF_ADDREF(raw);
+-        return raw;
++        return certdi.forget();
+       }
+       break;
+     }
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/manager/ssl/tests/mochitest/browser/Makefile.in seamonkey-2.21-esr3.0/comm-release/mozilla/security/manager/ssl/tests/mochitest/browser/Makefile.in
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/manager/ssl/tests/mochitest/browser/Makefile.in	2013-09-16 22:26:55.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/manager/ssl/tests/mochitest/browser/Makefile.in	2014-02-10 01:13:32.937521320 +0400
+@@ -14,6 +14,7 @@
+ MOCHITEST_BROWSER_FILES = \
+   head.js \
+   browser_bug627234_perwindowpb.js \
++  browser_certificateManagerLeak.js \
+   $(NULL)
+ 
+ include $(topsrcdir)/config/rules.mk
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/manager/ssl/tests/mochitest/browser/browser_certificateManagerLeak.js seamonkey-2.21-esr3.0/comm-release/mozilla/security/manager/ssl/tests/mochitest/browser/browser_certificateManagerLeak.js
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/manager/ssl/tests/mochitest/browser/browser_certificateManagerLeak.js	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/manager/ssl/tests/mochitest/browser/browser_certificateManagerLeak.js	2014-02-10 01:13:32.944521197 +0400
+@@ -0,0 +1,26 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++let gBugWindow;
++
++function onLoad() {
++  gBugWindow.removeEventListener("load", onLoad);
++  gBugWindow.addEventListener("unload", onUnload);
++  gBugWindow.close();
++}
++
++function onUnload() {
++  gBugWindow.removeEventListener("unload", onUnload);
++  window.focus();
++  finish();
++}
++
++// This test opens and then closes the certificate manager to test that it
++// does not leak. The test harness keeps track of and reports leaks, so
++// there are no actual checks here.
++function test() {
++  waitForExplicitFinish();
++  gBugWindow = window.openDialog("chrome://pippki/content/certManager.xul");
++  gBugWindow.addEventListener("load", onLoad);
++}
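Review bot: `gBugWindow` still refers to the closed certificate manager window after `onUnload` returns, which is an odd thing to leave behind in a test whose only purpose is leak detection. Adding `gBugWindow = null;` after the `removeEventListener` call in `onUnload` drops the reference before `finish()`. The test also has no cleanup if `load` never fires; a `registerCleanupFunction` that closes the window when it is still open would cover the timeout path.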
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/TAG-INFO seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/TAG-INFO
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/TAG-INFO	2014-02-10 01:12:13.857913452 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/TAG-INFO	2014-02-10 01:13:32.944521197 +0400
+@@ -1 +1 @@
+-NSS_3_15_3_1_RTM
++NSS_3_15_4_RTM
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/automation/buildbot-slave/bbenv-example.sh seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/automation/buildbot-slave/bbenv-example.sh
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/automation/buildbot-slave/bbenv-example.sh	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/automation/buildbot-slave/bbenv-example.sh	2014-02-10 01:13:32.944521197 +0400
+@@ -0,0 +1,69 @@
++#! /bin/bash
++
++# Each buildbot-slave requires a bbenv.sh file that defines
++# machine specific variables. This is an example file.
++
++
++HOST=$(hostname | cut -d. -f1)
++export HOST
++
++# if your machine's IP isn't registered in DNS,
++# you must set appropriate environment variables
++# that can be resolved locally.
++# For example, if localhost.localdomain works on your system, set:
++#HOST=localhost
++#DOMSUF=localdomain
++#export DOMSUF
++
++ARCH=$(uname -s)
++
++ulimit -c unlimited 2> /dev/null
++
++export NSS_ENABLE_ECC=1
++export NSS_ECC_MORE_THAN_SUITE_B=1
++export NSPR_LOG_MODULES="pkix:1"
++
++#export JAVA_HOME_32=
++#export JAVA_HOME_64=
++
++#enable if you have PKITS data
++#export PKITS_DATA=$HOME/pkits/data/
++
++NSS_BUILD_TARGET="clean nss_build_all"
++JSS_BUILD_TARGET="clean all"
++
++MAKE=gmake
++AWK=awk
++PATCH=patch
++
++if [ "${ARCH}" = "SunOS" ]; then
++    AWK=nawk
++    PATCH=gpatch
++    ARCH=SunOS/$(uname -p)
++fi
++
++if [ "${ARCH}" = "Linux" -a -f /etc/system-release ]; then
++   VERSION=`sed -e 's; release ;;' -e 's; (.*)$;;' -e 's;Red Hat Enterprise Linux Server;RHEL;' -e 's;Red Hat Enterprise Linux Workstation;RHEL;' /etc/system-release`
++   ARCH=Linux/${VERSION}
++   echo ${ARCH}
++fi
++
++PROCESSOR=$(uname -p)
++if [ "${PROCESSOR}" = "ppc64" ]; then
++    ARCH="${ARCH}/ppc64"
++fi
++if [ "${PROCESSOR}" = "powerpc" ]; then
++    ARCH="${ARCH}/ppc"
++fi
++
++PORT_64_DBG=8543
++PORT_64_OPT=8544
++PORT_32_DBG=8545
++PORT_32_OPT=8546
++
++if [ "${NSS_TESTS}" = "memleak" ]; then
++    PORT_64_DBG=8547
++    PORT_64_OPT=8548
++    PORT_32_DBG=8549
++    PORT_32_OPT=8550
++fi
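Review bot: The Linux branch mixes obsolescent test syntax, backticks and an unquoted expansion into a file that every slave is expected to copy. `[ "${ARCH}" = "Linux" -a -f /etc/system-release ]` is more robust as `[ "${ARCH}" = "Linux" ] && [ -f /etc/system-release ]`, and the backtick `sed` call could use `$(...)` like the rest of the file. `echo ${ARCH}` prints a value derived from `/etc/system-release`, which may contain spaces or glob characters, so `echo "${ARCH}"` is safer. A comment above `ulimit -c unlimited` saying that core dumps are enabled for test post-mortems would tell operators that cores from these runs may land on disk.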
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/automation/buildbot-slave/build.sh seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/automation/buildbot-slave/build.sh
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/automation/buildbot-slave/build.sh	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/automation/buildbot-slave/build.sh	2014-02-10 01:13:32.944521197 +0400
+@@ -0,0 +1,378 @@
++#! /bin/bash
++
++# Ensure a failure of the first command inside a pipe
++# won't be hidden by commands later in the pipe.
++# (e.g. as in ./dosomething | grep)
++
++set -o pipefail
++
++proc_args()
++{
++    while [ -n "$1" ]; do
++        OPT=$(echo $1 | cut -d= -f1)
++        VAL=$(echo $1 | cut -d= -f2)
++
++        case $OPT in
++            "--build-nss")
++                BUILD_NSS=1
++                ;;
++            "--test-nss")
++                TEST_NSS=1
++                ;;
++            "--build-jss")
++                BUILD_JSS=1
++                ;;
++            "--test-jss")
++                TEST_JSS=1
++                ;;
++            "--memtest")
++                NSS_TESTS="memleak"
++                export NSS_TESTS
++                ;;
++            "--nojsssign")
++                NO_JSS_SIGN=1
++                ;;
++            *)
++                echo "Usage: $0 ..."
++                echo "    --memtest   - run the memory leak tests"
++                echo "    --nojsssign - try to sign jss"
++                echo "    --build-nss"
++                echo "    --build-jss"
++                echo "    --test-nss"
++                echo "    --test-jss"
++                exit 1
++                ;;
++        esac 
++
++        shift
++    done
++}
++
++set_env()
++{
++    TOPDIR=$(pwd)
++    HGDIR=$(pwd)$(echo "/hg")
++    OUTPUTDIR=$(pwd)$(echo "/output")
++    LOG_ALL="${OUTPUTDIR}/all.log"
++    LOG_TMP="${OUTPUTDIR}/tmp.log"
++
++    echo "hello" |grep --line-buffered hello >/dev/null 2>&1
++    [ $? -eq 0 ] && GREP_BUFFER="--line-buffered"
++}
++
++print_log()
++{
++    DATE=$(date "+TB [%Y-%m-%d %H:%M:%S]")
++    echo "${DATE} $*"
++    echo "${DATE} $*" >> ${LOG_ALL}
++}
++
++print_result()
++{
++    TESTNAME=$1
++    RET=$2
++    EXP=$3
++
++    if [ ${RET} -eq ${EXP} ]; then
++        print_log "${TESTNAME} PASSED"
++    else
++        print_log "${TESTNAME} FAILED"
++    fi
++}
++
++print_env()
++{
++    print_log "######## Environment variables ########"
++
++    uname -a | tee -a ${LOG_ALL}
++    if [ -e "/etc/redhat-release" ]; then
++        cat "/etc/redhat-release" | tee -a ${LOG_ALL}
++    fi
++    # don't print the MAIL command, it might contain a password    
++    env | grep -v "^MAIL=" | tee -a ${LOG_ALL}
++}
++
++set_cycle()
++{
++    BITS=$1
++    OPT=$2
++
++    if [ "${BITS}" = "64" ]; then
++        USE_64=1
++        JAVA_HOME=${JAVA_HOME_64} 
++        PORT_DBG=${PORT_64_DBG}
++        PORT_OPT=${PORT_64_OPT}
++    else
++        USE_64=
++        JAVA_HOME=${JAVA_HOME_32} 
++        PORT_DBG=${PORT_32_DBG}
++        PORT_OPT=${PORT_32_OPT}
++    fi
++    export USE_64
++    export JAVA_HOME
++
++    BUILD_OPT=
++    if [ "${OPT}" = "OPT" ]; then
++        BUILD_OPT=1
++        XPCLASS=xpclass.jar
++        PORT=${PORT_OPT}
++    else
++        BUILD_OPT=
++        XPCLASS=xpclass_dbg.jar
++        PORT=${PORT_DBG}
++    fi
++    export BUILD_OPT
++
++    PORT_JSS_SERVER=$(expr ${PORT} + 20)
++    PORT_JSSE_SERVER=$(expr ${PORT} + 40)
++
++    export PORT
++    export PORT_JSS_SERVER
++    export PORT_JSSE_SERVER
++}
++
++build_nss()
++{
++    print_log "######## NSS - build - ${BITS} bits - ${OPT} ########"
++
++    print_log "$ cd ${HGDIR}/nss"
++    cd ${HGDIR}/nss
++
++    print_log "$ ${MAKE} ${NSS_BUILD_TARGET}"
++    #${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} | grep ${GREP_BUFFER} "^${MAKE}"
++    ${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL}
++    RET=$?
++    print_result "NSS - build - ${BITS} bits - ${OPT}" ${RET} 0
++
++    if [ ${RET} -eq 0 ]; then
++        return 0
++    else
++        tail -100 ${LOG_ALL}
++        return ${RET}
++    fi
++}
++
++build_jss()
++{
++    print_log "######## JSS - build - ${BITS} bits - ${OPT} ########"
++
++    print_log "$ cd ${HGDIR}/jss"
++    cd ${HGDIR}/jss
++
++    print_log "$ ${MAKE} ${JSS_BUILD_TARGET}"
++    #${MAKE} ${JSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} | grep ${GREP_BUFFER} "^${MAKE}"
++    ${MAKE} ${JSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL}
++    RET=$?
++    print_result "JSS build - ${BITS} bits - ${OPT}" ${RET} 0
++    [ ${RET} -eq 0 ] || return ${RET}
++
++    print_log "$ cd ${HGDIR}/dist"
++    cd ${HGDIR}/dist
++
++    if [ -z "${NO_JSS_SIGN}" ]; then
++	print_log "cat ${TOPDIR}/keystore.pw | ${JAVA_HOME}/bin/jarsigner -keystore ${TOPDIR}/keystore -internalsf ${XPCLASS} jssdsa"
++	cat ${TOPDIR}/keystore.pw | ${JAVA_HOME}/bin/jarsigner -keystore ${TOPDIR}/keystore -internalsf ${XPCLASS} jssdsa >> ${LOG_ALL} 2>&1
++	RET=$?
++	print_result "JSS - sign JAR files - ${BITS} bits - ${OPT}" ${RET} 0
++	[ ${RET} -eq 0 ] || return ${RET}
++    fi
++    print_log "${JAVA_HOME}/bin/jarsigner -verify -certs ${XPCLASS}"
++    ${JAVA_HOME}/bin/jarsigner -verify -certs ${XPCLASS} >> ${LOG_ALL} 2>&1
++    RET=$?
++    print_result "JSS - verify JAR files - ${BITS} bits - ${OPT}" ${RET} 0
++    [ ${RET} -eq 0 ] || return ${RET}
++
++    return 0
++}
++
++test_nss()
++{
++    print_log "######## NSS - tests - ${BITS} bits - ${OPT} ########"
++
++    if [ "${OS_TARGET}" = "Android" ]; then
++	print_log "$ cd ${HGDIR}/nss/tests/remote"
++	cd ${HGDIR}/nss/tests/remote
++	print_log "$ make test_android"
++	make test_android 2>&1 | tee ${LOG_TMP} | grep ${GREP_BUFFER} ": #"
++	OUTPUTFILE=${HGDIR}/tests_results/security/*.1/output.log
++    else
++	print_log "$ cd ${HGDIR}/nss/tests"
++	cd ${HGDIR}/nss/tests
++	print_log "$ ./all.sh"
++	./all.sh 2>&1 | tee ${LOG_TMP} | grep ${GREP_BUFFER} ": #"
++	OUTPUTFILE=${LOG_TMP}
++    fi
++
++    cat ${LOG_TMP} >> ${LOG_ALL}
++    tail -n2 ${HGDIR}/tests_results/security/*.1/results.html | grep END_OF_TEST >> ${LOG_ALL}
++    RET=$?
++
++    print_log "######## details of detected failures (if any) ########"
++    grep -B50 FAIL ${OUTPUTFILE}
++    [ $? -eq 1 ] || RET=1
++
++    print_result "NSS - tests - ${BITS} bits - ${OPT}" ${RET} 0
++    return ${RET}
++}
++
++test_jss()
++{
++    print_log "######## JSS - tests - ${BITS} bits - ${OPT} ########"
++
++    print_log "$ cd ${HGDIR}/jss"
++    cd ${HGDIR}/jss
++
++    print_log "$ ${MAKE} platform"
++    PLATFORM=$(${MAKE} platform)
++    print_log "PLATFORM=${PLATFORM}"
++
++    print_log "$ cd ${HGDIR}/jss/org/mozilla/jss/tests"
++    cd ${HGDIR}/jss/org/mozilla/jss/tests
++
++    print_log "$ perl all.pl dist ${HGDIR}/dist/${PLATFORM}"
++    perl all.pl dist ${HGDIR}/dist/${PLATFORM} 2>&1 | tee ${LOG_TMP}
++    cat ${LOG_TMP} >> ${LOG_ALL}
++
++    tail -n2 ${LOG_TMP} | grep JSSTEST_RATE > /dev/null
++    RET=$?
++
++    grep FAIL ${LOG_TMP} 
++    [ $? -eq 1 ] || RET=1
++
++    print_result "JSS - tests - ${BITS} bits - ${OPT}" ${RET} 0
++    return ${RET}
++}
++
++build_and_test()
++{
++    if [ -n "${BUILD_NSS}" ]; then
++        build_nss
++        [ $? -eq 0 ] || return 1
++    fi
++
++    if [ -n "${TEST_NSS}" ]; then
++        test_nss
++        [ $? -eq 0 ] || return 1
++    fi
++
++    if [ -n "${BUILD_JSS}" ]; then
++        build_jss
++        [ $? -eq 0 ] || return 1
++    fi
++
++    if [ -n "${TEST_JSS}" ]; then
++        test_jss
++        [ $? -eq 0 ] || return 1
++    fi
++
++    return 0
++}
++
++run_cycle()
++{
++    print_env
++    build_and_test
++    RET=$?
++
++    grep ^TinderboxPrint ${LOG_ALL}
++
++    return ${RET}
++}
++
++prepare()
++{
++    rm -rf ${OUTPUTDIR}.oldest >/dev/null 2>&1
++    mv ${OUTPUTDIR}.older ${OUTPUTDIR}.oldest >/dev/null 2>&1
++    mv ${OUTPUTDIR}.old ${OUTPUTDIR}.older >/dev/null 2>&1
++    mv ${OUTPUTDIR}.last ${OUTPUTDIR}.old >/dev/null 2>&1
++    mv ${OUTPUTDIR} ${OUTPUTDIR}.last >/dev/null 2>&1
++    mkdir -p ${OUTPUTDIR}
++
++    if [ -n "${NSS_ENABLE_ECC}" -a -n "${NSS_ECC_MORE_THAN_SUITE_B}" ]; then
++        cd ${HGDIR}/nss
++        ECF="lib/freebl/ecl/ecl-curve.h"
++	print_log "hg revert -r NSS_3_11_1_RTM ${ECF}"
++        hg revert -r NSS_3_11_1_RTM security/nss/${ECF}
++        cp -f security/nss/${ECF} ${ECF}
++    fi
++
++    return 0
++}
++
++move_results()
++{
++    cd ${HGDIR}
++    if [ -n "${TEST_NSS}" ]; then
++	mv -f tests_results ${OUTPUTDIR}
++    fi
++    tar -c -z --dereference -f ${OUTPUTDIR}/dist.tgz dist
++    rm -rf dist
++}
++
++run_all()
++{
++    set_cycle ${BITS} ${OPT}
++    prepare
++    run_cycle
++    RESULT=$?
++    print_log "### result of run_cycle is ${RESULT}"
++    move_results
++    return ${RESULT}
++}
++
++main()
++{
++    VALID=0
++    RET=1
++
++    for BITS in 32 64; do
++        echo ${RUN_BITS} | grep ${BITS} > /dev/null
++        [ $? -eq 0 ] || continue
++        for OPT in DBG OPT; do
++            echo ${RUN_OPT} | grep ${OPT} > /dev/null
++            [ $? -eq 0 ] || continue
++
++            VALID=1
++            set_env
++            run_all
++            RET=$?
++	    print_log "### result of run_all is ${RET}"
++        done
++    done
++
++    if [ ${VALID} -ne 1 ]; then
++        echo "Need to set valid bits/opt values."
++        return 1
++    fi
++
++    return ${RET}
++}
++
++#function killallsub()
++#{
++#    FINAL_RET=$?
++#    for proc in `jobs -p`
++#    do
++#        kill -9 $proc
++#    done
++#    return ${FINAL_RET}
++#}
++#trap killallsub EXIT
++
++#IS_RUNNING_FILE="./build-is-running"
++
++#if [ -a $IS_RUNNING_FILE ]; then
++#    echo "exiting, because old job is still running"
++#    exit 1
++#fi
++
++#touch $IS_RUNNING_FILE
++
++echo "tinderbox args: $0 $@"
++. ${ENVVARS}
++proc_args "$@"
++main
++
++#RET=$?
++#rm $IS_RUNNING_FILE
++#exit ${RET}
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/automation/buildbot-slave/reboot.bat seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/automation/buildbot-slave/reboot.bat
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/automation/buildbot-slave/reboot.bat	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/automation/buildbot-slave/reboot.bat	2014-02-10 01:13:32.945521179 +0400
+@@ -0,0 +1,6 @@
++IF EXIST ..\buildbot-is-building (
++    del ..\buildbot-is-building
++    shutdown /r /t 0
++
++    timeout /t 120
++)
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/automation/buildbot-slave/startbuild.bat seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/automation/buildbot-slave/startbuild.bat
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/automation/buildbot-slave/startbuild.bat	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/automation/buildbot-slave/startbuild.bat	2014-02-10 01:13:32.945521179 +0400
+@@ -0,0 +1,14 @@
++echo running > ..\buildbot-is-building
++
++echo running: "%MOZILLABUILD%\msys\bin\bash" -c "hg/tinder/buildbot/build.sh %*"
++"%MOZILLABUILD%\msys\bin\bash" -c "hg/tinder/buildbot/build.sh %*"
++
++if %errorlevel% neq 0 (
++  set EXITCODE=1
++) else (
++  set EXITCODE=0
++)
++
++del ..\buildbot-is-building
++
++exit /b %EXITCODE%
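Review bot: The `bash -c "hg/tinder/buildbot/build.sh %*"` line splices this batch file's arguments into a string that bash then parses as shell code, so an argument containing a quote, `;`, `$` or a backtick is interpreted instead of being passed through to build.sh. If the arguments can ever differ from the build master's fixed configuration, hand them over as separate argv entries, for example `"%MOZILLABUILD%\msys\bin\bash" hg/tinder/buildbot/build.sh %*`. The `if %errorlevel% neq 0` block also collapses every failure code to 1; a one-line comment saying that is deliberate would save the next reader the question.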
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/blapitest.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/blapitest.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/blapitest.c	2013-09-16 22:26:56.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/blapitest.c	2014-02-10 01:13:32.946521161 +0400
+@@ -29,12 +29,6 @@
+ 	      const ECParams *srcParams);
+ #endif
+ 
+-/* Temporary - add debugging output on windows for RSA to track QA failure */
+-#ifdef _WIN32
+-#define TRACK_BLTEST_BUG
+-    char __bltDBG[] = "BLTEST DEBUG";
+-#endif
+-
+ char *progName;
+ char *testdir = NULL;
+ 
+@@ -629,6 +623,9 @@
+ 					 const unsigned char *src,
+ 					 PRUint32 src_length);
+ 
++/* Note: Algorithms are grouped in order to support is_symmkeyCipher /
++ * is_pubkeyCipher / is_hashCipher / is_sigCipher
++ */
+ typedef enum {
+     bltestINVALID = -1,
+     bltestDES_ECB,	  /* Symmetric Key Ciphers */
+@@ -652,10 +649,12 @@
+     bltestSEED_ECB,       /* SEED algorithm	   */
+     bltestSEED_CBC,       /* SEED algorithm	   */
+     bltestRSA,		  /* Public Key Ciphers	   */
++    bltestRSA_OAEP,       /* . (Public Key Enc.)   */
++    bltestRSA_PSS,        /* . (Public Key Sig.)   */
+ #ifdef NSS_ENABLE_ECC
+     bltestECDSA,	  /* . (Public Key Sig.)   */
+ #endif
+-    bltestDSA,		  /* .                     */
++    bltestDSA,            /* . (Public Key Sig.)   */
+     bltestMD2,		  /* Hash algorithms	   */
+     bltestMD5,		  /* .			   */
+     bltestSHA1,           /* .			   */
+@@ -689,6 +688,8 @@
+     "seed_ecb",
+     "seed_cbc",
+     "rsa",
++    "rsa_oaep",
++    "rsa_pss",
+ #ifdef NSS_ENABLE_ECC
+     "ecdsa",
+ #endif
+@@ -727,34 +728,49 @@
+ {
+     bltestIO key;
+     int	     keysizeInBits;
+-    RSAPrivateKey *rsakey;
++
++    /* OAEP & PSS */
++    HASH_HashType hashAlg;
++    HASH_HashType maskHashAlg;
++    bltestIO      seed; /* salt if PSS */
+ } bltestRSAParams;
+ 
+ typedef struct
+ {
+-    bltestIO   key;
+     bltestIO   pqgdata;
+     unsigned int keysize;
+     bltestIO   keyseed;
+     bltestIO   sigseed;
+-    bltestIO   sig; /* if doing verify, have additional input */
+     PQGParams *pqg;
+-    DSAPrivateKey *dsakey;
+ } bltestDSAParams;
+ 
+ #ifdef NSS_ENABLE_ECC
+ typedef struct
+ {
+-    bltestIO   key;
+     char      *curveName;
+     bltestIO   sigseed;
+-    bltestIO   sig; /* if doing verify, have additional input */
+-    ECPrivateKey *eckey;
+ } bltestECDSAParams;
+ #endif
+ 
+ typedef struct
+ {
++    bltestIO key;
++    void *   privKey;
++    void *   pubKey;
++    bltestIO sig; /* if doing verify, the signature (which may come
++                   * from sigfile. */
++
++    union {
++        bltestRSAParams rsa;
++        bltestDSAParams dsa;
++#ifdef NSS_ENABLE_ECC
++        bltestECDSAParams ecdsa;
++#endif
++    } cipherParams;
++} bltestAsymKeyParams;
++
++typedef struct
++{
+     bltestIO   key; /* unused */
+     PRBool     restart;
+ } bltestHashParams;
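Review bot: `privKey` and `pubKey` in the new `bltestAsymKeyParams` are declared `void *`, so the declaration does not say which concrete key type each cipher mode stores and every user has to cast (the wrappers added later in this patch cast to RSA, DSA and EC key types). A comment on the two members would make that contract explicit, e.g. `/* RSAPrivateKey, DSAPrivateKey or ECPrivateKey, selected by the cipher mode */` and the matching line for `pubKey`. The comment on `sig` also has an unclosed parenthesis: `from sigfile. */` should read `from sigfile). */`.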
+@@ -765,11 +781,7 @@
+     bltestSymmKeyParams sk;
+     bltestAuthSymmKeyParams ask;
+     bltestRC5Params	rc5;
+-    bltestRSAParams	rsa;
+-    bltestDSAParams	dsa;
+-#ifdef NSS_ENABLE_ECC
+-    bltestECDSAParams	ecdsa;
+-#endif
++    bltestAsymKeyParams	asymk;
+     bltestHashParams	hash;
+ } bltestParams;
+ 
+@@ -859,11 +871,7 @@
+ is_sigCipher(bltestCipherMode mode)
+ {
+     /* change as needed! */
+-#ifdef NSS_ENABLE_ECC
+-    if (mode >= bltestECDSA && mode <= bltestDSA)
+-#else
+-    if (mode >= bltestDSA && mode <= bltestDSA)
+-#endif
++    if (mode >= bltestRSA_PSS && mode <= bltestDSA)
+ 	return PR_TRUE;
+     return PR_FALSE;
+ }
+@@ -899,10 +907,8 @@
+     if (file && (numBytes == 0 || file == PR_STDIN)) {
+ 	/* grabbing data from a file */
+ 	rv = SECU_FileToItem(&fileData, file);
+-	if (rv != SECSuccess) {
+-	    PR_Close(file);
++	if (rv != SECSuccess)
+ 	    return SECFailure;
+-	}
+ 	in = &fileData;
+     } else if (str) {
+ 	/* grabbing data from command line */
+@@ -1161,40 +1167,125 @@
+ }
+ 
+ SECStatus
+-rsa_PublicKeyOp(void *key, SECItem *output, const SECItem *input)
++rsa_PublicKeyOp(void *cx, SECItem *output, const SECItem *input)
++{
++    bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
++    RSAPublicKey *pubKey = (RSAPublicKey *)params->pubKey;
++    SECStatus rv = RSA_PublicKeyOp(pubKey, output->data, input->data);
++    if (rv == SECSuccess) {
++        output->len = pubKey->modulus.data[0] ? pubKey->modulus.len :
++                                                pubKey->modulus.len - 1;
++    }
++    return rv;
++}
++
++SECStatus
++rsa_PrivateKeyOp(void *cx, SECItem *output, const SECItem *input)
++{
++    bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
++    RSAPrivateKey *privKey = (RSAPrivateKey *)params->privKey;
++    SECStatus rv = RSA_PrivateKeyOp(privKey, output->data, input->data);
++    if (rv == SECSuccess) {
++        output->len = privKey->modulus.data[0] ? privKey->modulus.len :
++                                                 privKey->modulus.len - 1;
++    }
++    return rv;
++}
++
++SECStatus
++rsa_signDigestPSS(void *cx, SECItem *output, const SECItem *input)
+ {
+-    return RSA_PublicKeyOp((RSAPublicKey *)key, output->data, input->data);
++    bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
++    bltestRSAParams *rsaParams = &params->cipherParams.rsa;
++    return RSA_SignPSS((RSAPrivateKey *)params->privKey,
++                       rsaParams->hashAlg,
++                       rsaParams->maskHashAlg,
++                       rsaParams->seed.buf.data,
++                       rsaParams->seed.buf.len,
++                       output->data, &output->len, output->len,
++                       input->data, input->len);
+ }
+ 
+ SECStatus
+-rsa_PrivateKeyOp(void *key, SECItem *output, const SECItem *input)
++rsa_verifyDigestPSS(void *cx, SECItem *output, const SECItem *input)
+ {
+-    return RSA_PrivateKeyOp((RSAPrivateKey *)key, output->data, input->data);
++    bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
++    bltestRSAParams *rsaParams = &params->cipherParams.rsa;
++    return RSA_CheckSignPSS((RSAPublicKey *)params->pubKey,
++                            rsaParams->hashAlg,
++                            rsaParams->maskHashAlg,
++                            rsaParams->seed.buf.len,
++                            output->data, output->len,
++                            input->data, input->len);
+ }
+ 
+ SECStatus
+-dsa_signDigest(void *key, SECItem *output, const SECItem *input)
++rsa_encryptOAEP(void *cx, SECItem *output, const SECItem *input)
+ {
+-    return DSA_SignDigest((DSAPrivateKey *)key, output, input);
++    bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
++    bltestRSAParams *rsaParams = &params->cipherParams.rsa;
++    return RSA_EncryptOAEP((RSAPublicKey *)params->pubKey,
++                           rsaParams->hashAlg,
++                           rsaParams->maskHashAlg,
++                           NULL, 0,
++                           rsaParams->seed.buf.data,
++                           rsaParams->seed.buf.len,
++                           output->data, &output->len, output->len,
++                           input->data, input->len);
+ }
+ 
+ SECStatus
+-dsa_verifyDigest(void *key, SECItem *output, const SECItem *input)
++rsa_decryptOAEP(void *cx, SECItem *output, const SECItem *input)
+ {
+-    return DSA_VerifyDigest((DSAPublicKey *)key, output, input);
++    bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
++    bltestRSAParams *rsaParams = &params->cipherParams.rsa;
++    return RSA_DecryptOAEP((RSAPrivateKey *)params->privKey,
++                           rsaParams->hashAlg,
++                           rsaParams->maskHashAlg,
++                           NULL, 0,
++                           output->data, &output->len, output->len,
++                           input->data, input->len);
++}
++
++SECStatus
++dsa_signDigest(void *cx, SECItem *output, const SECItem *input)
++{
++    bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
++    if (params->cipherParams.dsa.sigseed.buf.len > 0) {
++        return DSA_SignDigestWithSeed((DSAPrivateKey *)params->privKey,
++                                      output, input,
++                                      params->cipherParams.dsa.sigseed.buf.data);
++    }
++    return DSA_SignDigest((DSAPrivateKey *)params->privKey, output, input);
++}
++
++SECStatus
++dsa_verifyDigest(void *cx, SECItem *output, const SECItem *input)
++{
++    bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
++    return DSA_VerifyDigest((DSAPublicKey *)params->pubKey, output, input);
+ }
+ 
+ #ifdef NSS_ENABLE_ECC
+ SECStatus
+-ecdsa_signDigest(void *key, SECItem *output, const SECItem *input)
++ecdsa_signDigest(void *cx, SECItem *output, const SECItem *input)
+ {
+-    return ECDSA_SignDigest((ECPrivateKey *)key, output, input);
++    bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
++    if (params->cipherParams.ecdsa.sigseed.buf.len > 0) {
++        return ECDSA_SignDigestWithSeed(
++                        (ECPrivateKey *)params->privKey,
++                        output, input,
++                        params->cipherParams.ecdsa.sigseed.buf.data,
++                        params->cipherParams.ecdsa.sigseed.buf.len);
++    }
++    return ECDSA_SignDigest((ECPrivateKey *)params->privKey, output, input);
+ }
+ 
+ SECStatus
+-ecdsa_verifyDigest(void *key, SECItem *output, const SECItem *input)
++ecdsa_verifyDigest(void *cx, SECItem *output, const SECItem *input)
+ {
+-    return ECDSA_VerifyDigest((ECPublicKey *)key, output, input);
++    bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
++    return ECDSA_VerifyDigest((ECPublicKey *)params->pubKey, output, input);
+ }
+ #endif
+ 
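Review bot: `rsa_PublicKeyOp` and `rsa_PrivateKeyOp` pass `input->data` and `output->data` to the raw RSA primitives without looking at `input->len` or `output->len`, and only assign `output->len` after the call. The primitives receive no length in these calls, so they presumably read and write a full modulus worth of bytes; an input shorter than the modulus would then be read past its end. Computing the modulus length first and rejecting short buffers closes that, e.g. `if (input->len < modLen || output->len < modLen) return SECFailure;`, with `modLen` being the value the function currently assigns to `output->len`. The OAEP and PSS wrappers in the same hunk already pass both lengths through, so only the two raw operations need the guard.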
+@@ -1491,10 +1582,17 @@
+ {
+     int i;
+     RSAPrivateKey **dummyKey;
++    RSAPrivateKey *privKey;
++    RSAPublicKey *pubKey;
+     PRIntervalTime time1, time2;
+-    bltestRSAParams *rsap = &cipherInfo->params.rsa;
++
++    bltestAsymKeyParams *asymk = &cipherInfo->params.asymk;
++    bltestRSAParams *rsap = &asymk->cipherParams.rsa;
++
+     /* RSA key gen was done during parameter setup */
+-    cipherInfo->cx = cipherInfo->params.rsa.rsakey;
++    cipherInfo->cx = asymk;
++    privKey = (RSAPrivateKey *)asymk->privKey;
++
+     /* For performance testing */
+     if (cipherInfo->cxreps > 0) {
+ 	/* Create space for n private key objects */
+@@ -1504,28 +1602,39 @@
+ 	TIMESTART();
+ 	for (i=0; i<cipherInfo->cxreps; i++)
+ 	    dummyKey[i] = RSA_NewKey(rsap->keysizeInBits, 
+-	                             &rsap->rsakey->publicExponent);
++	                             &privKey->publicExponent);
+ 	TIMEFINISH(cipherInfo->cxtime, cipherInfo->cxreps);
+ 	/* Free the n key objects */
+ 	for (i=0; i<cipherInfo->cxreps; i++)
+ 	    PORT_FreeArena(dummyKey[i]->arena, PR_TRUE);
+ 	PORT_Free(dummyKey);
+     }
+-    if (encrypt) {
++
++    if ((encrypt && !is_sigCipher(cipherInfo->mode)) ||
++        (!encrypt && is_sigCipher(cipherInfo->mode))) {
+ 	/* Have to convert private key to public key.  Memory
+ 	 * is freed with private key's arena  */
+-	RSAPublicKey *pubkey;
+-	RSAPrivateKey *key = (RSAPrivateKey *)cipherInfo->cx;
+-	pubkey = (RSAPublicKey *)PORT_ArenaAlloc(key->arena,
++	pubKey = (RSAPublicKey *)PORT_ArenaAlloc(privKey->arena,
+ 						 sizeof(RSAPublicKey));
+-	pubkey->modulus.len = key->modulus.len;
+-	pubkey->modulus.data = key->modulus.data;
+-	pubkey->publicExponent.len = key->publicExponent.len;
+-	pubkey->publicExponent.data = key->publicExponent.data;
+-	cipherInfo->cx = (void *)pubkey;
+-	cipherInfo->cipher.pubkeyCipher = rsa_PublicKeyOp;
+-    } else {
+-	cipherInfo->cipher.pubkeyCipher = rsa_PrivateKeyOp;
++	pubKey->modulus.len = privKey->modulus.len;
++	pubKey->modulus.data = privKey->modulus.data;
++	pubKey->publicExponent.len = privKey->publicExponent.len;
++	pubKey->publicExponent.data = privKey->publicExponent.data;
++	asymk->pubKey = (void *)pubKey;
++    }
++    switch (cipherInfo->mode) {
++        case bltestRSA:
++            cipherInfo->cipher.pubkeyCipher = encrypt ? rsa_PublicKeyOp
++                                                      : rsa_PrivateKeyOp;
++            break;
++        case bltestRSA_PSS:
++            cipherInfo->cipher.pubkeyCipher = encrypt ? rsa_signDigestPSS
++                                                      : rsa_verifyDigestPSS;
++            break;
++        case bltestRSA_OAEP:
++            cipherInfo->cipher.pubkeyCipher = encrypt ? rsa_encryptOAEP
++                                                      : rsa_decryptOAEP;
++            break;
+     }
+     return SECSuccess;
+ }
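Review bot: `privKey` is dereferenced at `&privKey->publicExponent` and `privKey->arena` without a NULL check, and the `PORT_ArenaAlloc` result is written through (`pubKey->modulus.len = ...`) unchecked. The key-setup hunk further down (`@@ -1975,74 +2085,81 @@`) likewise uses the results of `RSA_NewKey` and `rsakey_from_filedata` immediately (`(*rsaKey)->version`, `(*rsaKey)->modulus.len`), so if either can return NULL on a malformed key file or failed generation, the failure shows up as a crash rather than an error. Suggest `if (!privKey) return SECFailure;` after the cast and `if (!pubKey) return SECFailure;` after the allocation. The new `switch` has no `default:`, which leaves `cipherInfo->cipher.pubkeyCipher` unset for an unexpected mode; `default: return SECFailure;` would make that explicit. The function begins outside this hunk.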
+@@ -1560,10 +1669,10 @@
+     DSAPrivateKey **dummyKey;
+     PQGParams *dummypqg;
+     PRIntervalTime time1, time2;
+-    bltestDSAParams *dsap = &cipherInfo->params.dsa;
++    bltestAsymKeyParams *asymk = &cipherInfo->params.asymk;
++    bltestDSAParams *dsap = &asymk->cipherParams.dsa;
+     PQGVerify *ignore = NULL;
+-    /* DSA key gen was done during parameter setup */
+-    cipherInfo->cx = cipherInfo->params.dsa.dsakey;
++    cipherInfo->cx = asymk;
+     /* For performance testing */
+     if (cipherInfo->cxreps > 0) {
+ 	/* Create space for n private key objects */
+@@ -1585,8 +1694,8 @@
+     if (!dsap->pqg && dsap->pqgdata.buf.len > 0) {
+ 	dsap->pqg = pqg_from_filedata(&dsap->pqgdata.buf);
+     }
+-    if (!cipherInfo->cx && dsap->key.buf.len > 0) {
+-	cipherInfo->cx = dsakey_from_filedata(&dsap->key.buf);
++    if (!asymk->privKey && asymk->key.buf.len > 0) {
++	asymk->privKey = dsakey_from_filedata(&asymk->key.buf);
+     }
+     if (encrypt) {
+ 	cipherInfo->cipher.pubkeyCipher = dsa_signDigest;
+@@ -1594,7 +1703,7 @@
+ 	/* Have to convert private key to public key.  Memory
+ 	 * is freed with private key's arena  */
+ 	DSAPublicKey *pubkey;
+-	DSAPrivateKey *key = (DSAPrivateKey *)cipherInfo->cx;
++	DSAPrivateKey *key = (DSAPrivateKey *)asymk->privKey;
+ 	pubkey = (DSAPublicKey *)PORT_ArenaZAlloc(key->params.arena,
+ 						  sizeof(DSAPublicKey));
+ 	pubkey->params.prime.len = key->params.prime.len;
+@@ -1605,6 +1714,7 @@
+ 	pubkey->params.base.data = key->params.base.data;
+ 	pubkey->publicValue.len = key->publicValue.len;
+ 	pubkey->publicValue.data = key->publicValue.data;
++	asymk->pubKey = pubkey;
+ 	cipherInfo->cipher.pubkeyCipher = dsa_verifyDigest;
+     }
+     return SECSuccess;
+@@ -1617,9 +1727,8 @@
+     int i;
+     ECPrivateKey **dummyKey;
+     PRIntervalTime time1, time2;
+-    bltestECDSAParams *ecdsap = &cipherInfo->params.ecdsa;
+-    /* ECDSA key gen was done during parameter setup */
+-    cipherInfo->cx = cipherInfo->params.ecdsa.eckey;
++    bltestAsymKeyParams *asymk = &cipherInfo->params.asymk;
++    cipherInfo->cx = asymk;
+     /* For performance testing */
+     if (cipherInfo->cxreps > 0) {
+ 	/* Create space for n private key objects */
+@@ -1628,7 +1737,7 @@
+ 	/* Time n keygens, storing in the array */
+ 	TIMESTART();
+ 	for (i=0; i<cipherInfo->cxreps; i++) {
+-	    EC_NewKey(&ecdsap->eckey->ecParams, &dummyKey[i]);
++	    EC_NewKey(&((ECPrivateKey *)asymk->privKey)->ecParams, &dummyKey[i]);
+ 	}
+ 	TIMEFINISH(cipherInfo->cxtime, cipherInfo->cxreps);
+ 	/* Free the n key objects */
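Review bot: `EC_NewKey(&((ECPrivateKey *)asymk->privKey)->ecParams, &dummyKey[i])` dereferences `asymk->privKey` inside the timing loop, yet the next hunk still guards a lazy load with `if (!asymk->privKey && asymk->key.buf.len > 0)`, which implies the pointer can be NULL on entry. If that guard is reachable, the `cxreps > 0` path dereferences NULL before the key is loaded; moving the lazy load above the `cxreps` block, or returning `SECFailure` while `privKey` is still NULL, fixes the ordering. The return value of `EC_NewKey` is also ignored in the loop, while the free loop that follows dereferences `dummyKey[i]->ecParams.arena`. The function starts and ends outside this hunk.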
+@@ -1636,8 +1745,8 @@
+ 	    PORT_FreeArena(dummyKey[i]->ecParams.arena, PR_TRUE);
+ 	PORT_Free(dummyKey);
+     }
+-    if (!cipherInfo->cx && ecdsap->key.buf.len > 0) {
+-	cipherInfo->cx = eckey_from_filedata(&ecdsap->key.buf);
++    if (!asymk->privKey && asymk->key.buf.len > 0) {
++        asymk->privKey = eckey_from_filedata(&asymk->key.buf);
+     }
+     if (encrypt) {
+ 	cipherInfo->cipher.pubkeyCipher = ecdsa_signDigest;
+@@ -1645,7 +1754,7 @@
+ 	/* Have to convert private key to public key.  Memory
+ 	 * is freed with private key's arena  */
+ 	ECPublicKey *pubkey;
+-	ECPrivateKey *key = (ECPrivateKey *)cipherInfo->cx;
++	ECPrivateKey *key = (ECPrivateKey *)asymk->privKey;
+ 	pubkey = (ECPublicKey *)PORT_ArenaZAlloc(key->ecParams.arena,
+ 						  sizeof(ECPublicKey));
+ 	pubkey->ecParams.type = key->ecParams.type;
+@@ -1672,6 +1781,7 @@
+ 	pubkey->ecParams.name= key->ecParams.name;
+ 	pubkey->publicValue.len = key->publicValue.len;
+ 	pubkey->publicValue.data = key->publicValue.data;
++	asymk->pubKey = pubkey;
+ 	cipherInfo->cipher.pubkeyCipher = ecdsa_verifyDigest;
+     }
+     return SECSuccess;
+@@ -1975,74 +2085,81 @@
+ {
+     int i;
+     SECStatus rv = SECSuccess;
++    bltestAsymKeyParams *asymk = &cipherInfo->params.asymk;
+     bltestRSAParams *rsap;
++    RSAPrivateKey **rsaKey = NULL;
+     bltestDSAParams *dsap;
++    DSAPrivateKey **dsaKey = NULL;
+ #ifdef NSS_ENABLE_ECC
+-    bltestECDSAParams *ecdsap;
+     SECItem *tmpECParamsDER;
+     ECParams *tmpECParams = NULL;
+     SECItem ecSerialize[3];
++    ECPrivateKey **ecKey = NULL;
+ #endif
+     switch (cipherInfo->mode) {
+     case bltestRSA:
+-	rsap = &cipherInfo->params.rsa;
++    case bltestRSA_PSS:
++    case bltestRSA_OAEP:
++	rsap = &asymk->cipherParams.rsa;
++        rsaKey = (RSAPrivateKey **)&asymk->privKey;
+ 	if (keysize > 0) {
+ 	    SECItem expitem = { 0, 0, 0 };
+ 	    SECITEM_AllocItem(cipherInfo->arena, &expitem, sizeof(int));
+ 	    for (i = 1; i <= sizeof(int); i++)
+ 		expitem.data[i-1] = exponent >> (8*(sizeof(int) - i));
+-	    rsap->rsakey = RSA_NewKey(keysize * 8, &expitem);
+-	    serialize_key(&rsap->rsakey->version, 9, file);
++	    *rsaKey = RSA_NewKey(keysize * 8, &expitem);
++	    serialize_key(&(*rsaKey)->version, 9, file);
+ 	    rsap->keysizeInBits = keysize * 8;
+ 	} else {
+-	    setupIO(cipherInfo->arena, &cipherInfo->params.key, file, NULL, 0);
+-	    rsap->rsakey = rsakey_from_filedata(&cipherInfo->params.key.buf);
+-	    rsap->keysizeInBits = rsap->rsakey->modulus.len * 8;
++	    setupIO(cipherInfo->arena, &asymk->key, file, NULL, 0);
++	    *rsaKey = rsakey_from_filedata(&asymk->key.buf);
++	    rsap->keysizeInBits = (*rsaKey)->modulus.len * 8;
+ 	}
+ 	break;
+     case bltestDSA:
+-	dsap = &cipherInfo->params.dsa;
++	dsap = &asymk->cipherParams.dsa;
++	dsaKey = (DSAPrivateKey **)&asymk->privKey;
+ 	if (keysize > 0) {
+ 	    dsap->keysize = keysize*8;
+ 	    if (!dsap->pqg)
+ 		bltest_pqg_init(dsap);
+-	    rv = DSA_NewKey(dsap->pqg, &dsap->dsakey);
++	    rv = DSA_NewKey(dsap->pqg, dsaKey);
+ 	    CHECKERROR(rv, __LINE__);
+-	    serialize_key(&dsap->dsakey->params.prime, 5, file);
++	    serialize_key(&(*dsaKey)->params.prime, 5, file);
+ 	} else {
+-	    setupIO(cipherInfo->arena, &cipherInfo->params.key, file, NULL, 0);
+-	    dsap->dsakey = dsakey_from_filedata(&cipherInfo->params.key.buf);
+-	    dsap->keysize = dsap->dsakey->params.prime.len*8;
++	    setupIO(cipherInfo->arena, &asymk->key, file, NULL, 0);
++	    *dsaKey = dsakey_from_filedata(&asymk->key.buf);
++	    dsap->keysize = (*dsaKey)->params.prime.len*8;
+ 	}
+ 	break;
+ #ifdef NSS_ENABLE_ECC
+     case bltestECDSA:
+-	ecdsap = &cipherInfo->params.ecdsa;
++	ecKey = (ECPrivateKey **)&asymk->privKey;
+ 	if (curveName != NULL) {
+ 	    tmpECParamsDER = getECParams(curveName);
+ 	    rv = SECOID_Init();
+ 	    CHECKERROR(rv, __LINE__);
+ 	    rv = EC_DecodeParams(tmpECParamsDER, &tmpECParams) == SECFailure;
+ 	    CHECKERROR(rv, __LINE__);
+-	    rv = EC_NewKey(tmpECParams, &ecdsap->eckey);
++	    rv = EC_NewKey(tmpECParams, ecKey);
+ 	    CHECKERROR(rv, __LINE__);
+ 	    ecSerialize[0].type = tmpECParamsDER->type;
+ 	    ecSerialize[0].data = tmpECParamsDER->data;
+ 	    ecSerialize[0].len  = tmpECParamsDER->len;
+-	    ecSerialize[1].type = ecdsap->eckey->publicValue.type;
+-	    ecSerialize[1].data = ecdsap->eckey->publicValue.data;
+-	    ecSerialize[1].len  = ecdsap->eckey->publicValue.len;
+-	    ecSerialize[2].type = ecdsap->eckey->privateValue.type;
+-	    ecSerialize[2].data = ecdsap->eckey->privateValue.data;
+-	    ecSerialize[2].len  = ecdsap->eckey->privateValue.len;
++	    ecSerialize[1].type = (*ecKey)->publicValue.type;
++	    ecSerialize[1].data = (*ecKey)->publicValue.data;
++	    ecSerialize[1].len  = (*ecKey)->publicValue.len;
++	    ecSerialize[2].type = (*ecKey)->privateValue.type;
++	    ecSerialize[2].data = (*ecKey)->privateValue.data;
++	    ecSerialize[2].len  = (*ecKey)->privateValue.len;
+ 	    serialize_key(&(ecSerialize[0]), 3, file);
+ 	    SECITEM_FreeItem(tmpECParamsDER, PR_TRUE);
+ 	    PORT_FreeArena(tmpECParams->arena, PR_TRUE);
+ 	    rv = SECOID_Shutdown();
+ 	    CHECKERROR(rv, __LINE__);
+ 	} else {
+-	    setupIO(cipherInfo->arena, &cipherInfo->params.key, file, NULL, 0);
+-	    ecdsap->eckey = eckey_from_filedata(&cipherInfo->params.key.buf);
++	    setupIO(cipherInfo->arena, &asymk->key, file, NULL, 0);
++	    *ecKey = eckey_from_filedata(&asymk->key.buf);
+ 	}
+ 	break;
+ #endif
+@@ -2110,19 +2227,29 @@
+ 	return bltest_seed_init(cipherInfo, encrypt);
+ 	break;
+     case bltestRSA:
++    case bltestRSA_OAEP:
++    case bltestRSA_PSS:
++	if (encrypt || cipherInfo->mode != bltestRSA_PSS) {
++		/* Don't allocate a buffer for PSS in verify mode, as no actual
++		 * output is produced. */
+ 	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+-			  cipherInfo->input.pBuf.len);
++		                  RSA_MAX_MODULUS_BITS / 8);
++	}
+ 	return bltest_rsa_init(cipherInfo, encrypt);
+ 	break;
+     case bltestDSA:
++	if (encrypt) {
+ 	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+ 			  DSA_MAX_SIGNATURE_LEN);
++	}
+ 	return bltest_dsa_init(cipherInfo, encrypt);
+ 	break;
+ #ifdef NSS_ENABLE_ECC
+     case bltestECDSA:
++	if (encrypt) {
+ 	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+ 			  2 * MAX_ECKEY_LEN);
++	}
+ 	return bltest_ecdsa_init(cipherInfo, encrypt);
+ 	break;
+ #endif
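Review bot: The three `SECITEM_AllocItem` calls that are now wrapped in `if (...) {` keep their old indentation, so the guarded statements read as if they were unconditional; re-indent each call under its `if`. The allocation result is also not checked before the buffer is handed to the init and cipher functions, so an allocation failure would only surface later as a NULL `output.buf.data`; `if (!SECITEM_AllocItem(...)) return SECFailure;` would stop it here. The enclosing function starts and ends outside the hunk.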
+@@ -2186,248 +2313,6 @@
+ }
+ 
+ SECStatus
+-dsaOp(bltestCipherInfo *cipherInfo)
+-{
+-    PRIntervalTime time1, time2;
+-    SECStatus rv = SECSuccess;
+-    int i;
+-    int maxLen = cipherInfo->output.pBuf.len;
+-    SECItem dummyOut = { 0, 0, 0 };
+-    SECITEM_AllocItem(NULL, &dummyOut, maxLen);
+-    if (cipherInfo->cipher.pubkeyCipher == dsa_signDigest) {
+-	if (cipherInfo->params.dsa.sigseed.buf.len > 0) {
+-            bltestDSAParams *dsa = &cipherInfo->params.dsa;
+-            DSAPrivateKey *key = (DSAPrivateKey *)cipherInfo->cx;
+-
+-            TIMESTART();
+-            rv = DSA_SignDigestWithSeed(key,
+-                                        &cipherInfo->output.pBuf,
+-                                        &cipherInfo->input.pBuf,
+-                                        dsa->sigseed.buf.data);
+-            TIMEFINISH(cipherInfo->optime, 1.0);
+-            CHECKERROR(rv, __LINE__);
+-            cipherInfo->repetitions = 0;
+-            if (cipherInfo->repetitionsToPerfom != 0) {
+-                TIMESTART();
+-                for (i=0; i<cipherInfo->repetitionsToPerfom;
+-                     i++, cipherInfo->repetitions++) {
+-                    rv = DSA_SignDigestWithSeed(key, &dummyOut,
+-                                                &cipherInfo->input.pBuf,
+-                                                dsa->sigseed.buf.data);
+-                    CHECKERROR(rv, __LINE__);
+-                }
+-            } else {
+-                int opsBetweenChecks = 0;
+-                TIMEMARK(cipherInfo->seconds);
+-                while (! (TIMETOFINISH())) {
+-                    int j = 0;
+-                    for (;j < opsBetweenChecks;j++) {
+-                        rv = DSA_SignDigestWithSeed(key, &dummyOut,
+-                                                    &cipherInfo->input.pBuf,
+-                                                    dsa->sigseed.buf.data);
+-                        CHECKERROR(rv, __LINE__);
+-                    }
+-                    cipherInfo->repetitions += j;
+-                }
+-            }
+-            TIMEFINISH(cipherInfo->optime, 1.0);
+-        } else {
+-            TIMESTART();
+-            rv = DSA_SignDigest((DSAPrivateKey *)cipherInfo->cx,
+-                                &cipherInfo->output.pBuf,
+-                                &cipherInfo->input.pBuf);
+-            TIMEFINISH(cipherInfo->optime, 1.0);
+-            CHECKERROR(rv, __LINE__);
+-            cipherInfo->repetitions = 0;
+-            if (cipherInfo->repetitionsToPerfom != 0) {
+-                TIMESTART();
+-                for (i=0; i<cipherInfo->repetitionsToPerfom;
+-                     i++, cipherInfo->repetitions++) {
+-                    rv = DSA_SignDigest((DSAPrivateKey *)cipherInfo->cx,
+-                                        &dummyOut,
+-                                        &cipherInfo->input.pBuf);
+-                    CHECKERROR(rv, __LINE__);
+-                }
+-            } else {
+-                int opsBetweenChecks = 0;
+-                TIMEMARK(cipherInfo->seconds);
+-                while (! (TIMETOFINISH())) {
+-                    int j = 0;
+-                    for (;j < opsBetweenChecks;j++) {
+-                        rv = DSA_SignDigest((DSAPrivateKey *)cipherInfo->cx,
+-                                            &dummyOut,
+-                                            &cipherInfo->input.pBuf);
+-                        CHECKERROR(rv, __LINE__);
+-                    }
+-                    cipherInfo->repetitions += j;
+-                }
+-            }
+-            TIMEFINISH(cipherInfo->optime, 1.0);
+-        }
+-	cipherInfo->output.buf.len = cipherInfo->output.pBuf.len;
+-        bltestCopyIO(cipherInfo->arena, &cipherInfo->params.dsa.sig, 
+-                     &cipherInfo->output);
+-    } else {
+-        TIMESTART();
+-        rv = DSA_VerifyDigest((DSAPublicKey *)cipherInfo->cx,
+-                              &cipherInfo->params.dsa.sig.buf,
+-                              &cipherInfo->input.pBuf);
+-        TIMEFINISH(cipherInfo->optime, 1.0);
+-        CHECKERROR(rv, __LINE__);
+-        cipherInfo->repetitions = 0;
+-        if (cipherInfo->repetitionsToPerfom != 0) {
+-            TIMESTART();
+-            for (i=0; i<cipherInfo->repetitionsToPerfom;
+-                 i++, cipherInfo->repetitions++) {
+-                rv = DSA_VerifyDigest((DSAPublicKey *)cipherInfo->cx,
+-                                      &cipherInfo->params.dsa.sig.buf,
+-                                      &cipherInfo->input.pBuf);
+-                CHECKERROR(rv, __LINE__);
+-            }
+-        } else {
+-            int opsBetweenChecks = 0;
+-            TIMEMARK(cipherInfo->seconds);
+-            while (! (TIMETOFINISH())) {
+-                int j = 0;
+-                for (;j < opsBetweenChecks;j++) {
+-                    rv = DSA_VerifyDigest((DSAPublicKey *)cipherInfo->cx,
+-                                          &cipherInfo->params.dsa.sig.buf,
+-                                          &cipherInfo->input.pBuf);
+-                    CHECKERROR(rv, __LINE__);
+-                }
+-                cipherInfo->repetitions += j;
+-            }
+-        }
+-        TIMEFINISH(cipherInfo->optime, 1.0);
+-    }
+-    SECITEM_FreeItem(&dummyOut, PR_FALSE);
+-    return rv;
+-}
+-
+-#ifdef NSS_ENABLE_ECC
+-SECStatus
+-ecdsaOp(bltestCipherInfo *cipherInfo)
+-{
+-    PRIntervalTime time1, time2;
+-    SECStatus rv = SECSuccess;
+-    int i;
+-    int maxLen = cipherInfo->output.pBuf.len;
+-    SECItem dummyOut = { 0, 0, 0 };
+-    SECITEM_AllocItem(NULL, &dummyOut, maxLen);
+-    if (cipherInfo->cipher.pubkeyCipher == ecdsa_signDigest) {
+-        if (cipherInfo->params.ecdsa.sigseed.buf.len > 0) {
+-            ECPrivateKey *key = (ECPrivateKey *)cipherInfo->cx;
+-            bltestECDSAParams *ecdsa = &cipherInfo->params.ecdsa;
+-
+-            TIMESTART();
+-            rv = ECDSA_SignDigestWithSeed(key,
+-                                          &cipherInfo->output.pBuf,
+-                                          &cipherInfo->input.pBuf,
+-                                          ecdsa->sigseed.buf.data,
+-                                          ecdsa->sigseed.buf.len);
+-            TIMEFINISH(cipherInfo->optime, 1.0);
+-            CHECKERROR(rv, __LINE__);
+-            cipherInfo->repetitions = 0;
+-            if (cipherInfo->repetitionsToPerfom != 0) {
+-                TIMESTART();
+-                for (i=0; i<cipherInfo->repetitionsToPerfom;
+-                     i++, cipherInfo->repetitions++) {
+-                    rv = ECDSA_SignDigestWithSeed(key, &dummyOut,
+-                                                  &cipherInfo->input.pBuf,
+-                                                  ecdsa->sigseed.buf.data,
+-                                                  ecdsa->sigseed.buf.len);
+-                    CHECKERROR(rv, __LINE__);
+-                }
+-            } else {
+-                int opsBetweenChecks = 0;
+-                TIMEMARK(cipherInfo->seconds);
+-                while (! (TIMETOFINISH())) {
+-                    int j = 0;
+-                    for (;j < opsBetweenChecks;j++) {
+-                        rv = ECDSA_SignDigestWithSeed(key, &dummyOut,
+-                                                      &cipherInfo->input.pBuf,
+-                                                      ecdsa->sigseed.buf.data,
+-                                                      ecdsa->sigseed.buf.len);
+-                        CHECKERROR(rv, __LINE__);
+-                    }
+-                    cipherInfo->repetitions += j;
+-                }
+-            }
+-            TIMEFINISH(cipherInfo->optime, 1.0);
+-        } else {
+-            TIMESTART();
+-            rv = ECDSA_SignDigest((ECPrivateKey *)cipherInfo->cx,
+-                                  &cipherInfo->output.pBuf,
+-                                  &cipherInfo->input.pBuf);
+-            TIMEFINISH(cipherInfo->optime, 1.0);
+-            CHECKERROR(rv, __LINE__);
+-            cipherInfo->repetitions = 0;
+-            if (cipherInfo->repetitionsToPerfom != 0) {
+-                TIMESTART();
+-                for (i=0; i<cipherInfo->repetitionsToPerfom;
+-                     i++, cipherInfo->repetitions++) {
+-                    rv = ECDSA_SignDigest((ECPrivateKey *)cipherInfo->cx,
+-                                          &dummyOut,
+-                                          &cipherInfo->input.pBuf);
+-                    CHECKERROR(rv, __LINE__);
+-                }
+-            } else {
+-                int opsBetweenChecks = 0;
+-                TIMEMARK(cipherInfo->seconds);
+-                while (! (TIMETOFINISH())) {
+-                    int j = 0;
+-                    for (;j < opsBetweenChecks;j++) {
+-                        rv = ECDSA_SignDigest((ECPrivateKey *)cipherInfo->cx,
+-                                              &dummyOut,
+-                                              &cipherInfo->input.pBuf);
+-                        CHECKERROR(rv, __LINE__);
+-                    }
+-                    cipherInfo->repetitions += j;
+-                }
+-            }
+-            TIMEFINISH(cipherInfo->optime, 1.0);
+-        }
+-        bltestCopyIO(cipherInfo->arena, &cipherInfo->params.ecdsa.sig, 
+-                     &cipherInfo->output);
+-    } else {
+-        TIMESTART();
+-        rv = ECDSA_VerifyDigest((ECPublicKey *)cipherInfo->cx,
+-                                &cipherInfo->params.ecdsa.sig.buf,
+-                                &cipherInfo->input.pBuf);
+-        TIMEFINISH(cipherInfo->optime, 1.0);
+-        CHECKERROR(rv, __LINE__);
+-        cipherInfo->repetitions = 0;
+-        if (cipherInfo->repetitionsToPerfom != 0) {
+-            TIMESTART();
+-            for (i=0; i<cipherInfo->repetitionsToPerfom;
+-                 i++, cipherInfo->repetitions++) {
+-                rv = ECDSA_VerifyDigest((ECPublicKey *)cipherInfo->cx,
+-                                        &cipherInfo->params.ecdsa.sig.buf,
+-                                        &cipherInfo->input.pBuf);
+-                CHECKERROR(rv, __LINE__);
+-            }
+-        } else {
+-            int opsBetweenChecks = 0;
+-            TIMEMARK(cipherInfo->seconds);
+-            while (! (TIMETOFINISH())) {
+-                int j = 0;
+-                for (;j < opsBetweenChecks;j++) {
+-                    rv = ECDSA_VerifyDigest((ECPublicKey *)cipherInfo->cx,
+-                                            &cipherInfo->params.ecdsa.sig.buf,
+-                                            &cipherInfo->input.pBuf);
+-                    CHECKERROR(rv, __LINE__);
+-                }
+-                cipherInfo->repetitions += j;
+-            }
+-        }
+-        TIMEFINISH(cipherInfo->optime, 1.0);
+-    }
+-    SECITEM_FreeItem(&dummyOut, PR_FALSE);
+-    return rv;
+-}
+-#endif
+-
+-SECStatus
+ cipherDoOp(bltestCipherInfo *cipherInfo)
+ {
+     PRIntervalTime time1, time2;
+@@ -2436,12 +2321,6 @@
+     unsigned int len;
+     unsigned int maxLen = cipherInfo->output.pBuf.len;
+     unsigned char *dummyOut;
+-    if (cipherInfo->mode == bltestDSA)
+-	return dsaOp(cipherInfo);
+-#ifdef NSS_ENABLE_ECC
+-    else if (cipherInfo->mode == bltestECDSA)
+-	return ecdsaOp(cipherInfo);
+-#endif
+     dummyOut = PORT_Alloc(maxLen);
+     if (is_symmkeyCipher(cipherInfo->mode)) {
+         const unsigned char *input = cipherInfo->input.pBuf.data;
+@@ -2612,7 +2491,9 @@
+ 	break;
+ #endif
+     case bltestRSA: /* keys are alloc'ed within cipherInfo's arena, */
+-    case bltestDSA: /* will be freed with it. */
++    case bltestRSA_PSS:  /* will be freed with it. */
++    case bltestRSA_OAEP:
++    case bltestDSA:
+ #ifdef NSS_ENABLE_ECC
+     case bltestECDSA:
+ #endif
+@@ -2774,26 +2655,32 @@
+           break;
+ #endif
+       case bltestRSA:
++      case bltestRSA_PSS:
++      case bltestRSA_OAEP:
+           if (td) {
+               fprintf(stdout, "%8s", "rsa_mod");
+               fprintf(stdout, "%12s", "rsa_pe");
+           } else {
+-              fprintf(stdout, "%8d", info->params.rsa.keysizeInBits);
+-              print_exponent(&info->params.rsa.rsakey->publicExponent);
++              bltestAsymKeyParams *asymk = &info->params.asymk;
++              fprintf(stdout, "%8d", asymk->cipherParams.rsa.keysizeInBits);
++              print_exponent(
++                  &((RSAPrivateKey *)asymk->privKey)->publicExponent);
+           }
+           break;
+       case bltestDSA:
+-          if (td)
++          if (td) {
+               fprintf(stdout, "%8s", "pqg_mod");
+-          else
+-              fprintf(stdout, "%8d", info->params.dsa.keysize);
++          } else {
++              fprintf(stdout, "%8d", info->params.asymk.cipherParams.dsa.keysize);
++          }
+           break;
+ #ifdef NSS_ENABLE_ECC
+       case bltestECDSA:
+-          if (td)
++          if (td) {
+               fprintf(stdout, "%12s", "ec_curve");
+-          else {
+-	      ECCurveName curveName = info->params.ecdsa.eckey->ecParams.name;
++          } else {
++              ECPrivateKey *key = (ECPrivateKey*)info->params.asymk.privKey;
++              ECCurveName curveName = key->ecParams.name;
+               fprintf(stdout, "%12s",
+                       ecCurve_map[curveName]? ecCurve_map[curveName]->text:
+ 					      "Unsupported curve");
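Review bot: The new `bltestRSA` and `bltestECDSA` branches dereference `asymk->privKey` through a cast (`(RSAPrivateKey *)asymk->privKey`, `(ECPrivateKey*)info->params.asymk.privKey`) with no NULL test, and the field is now an untyped pointer, so the compiler can no longer catch a key of the wrong kind. Whether `privKey` can be NULL here depends on callers outside the hunk, so a guard such as `if (!asymk->privKey) break;` before each cast is worth considering. I would also add a comment on the field, e.g. `/* RSAPrivateKey, DSAPrivateKey or ECPrivateKey, selected by mode */`. The enclosing function starts and ends outside the hunk.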
+@@ -2876,8 +2763,36 @@
+     data->pBuf.data = NULL;
+     data->pBuf.len = 0;
+     file = PR_Open(fn, PR_RDONLY, 00660);
+-    if (file)
++    if (file) {
+ 	setupIO(arena, data, file, NULL, 0);
++	PR_Close(file);
++    }
++}
++
++HASH_HashType
++mode_str_to_hash_alg(const SECItem *modeStr)
++{
++    bltestCipherMode mode;
++    char* tempModeStr = NULL;
++    if (!modeStr || modeStr->len == 0)
++        return HASH_AlgNULL;
++    tempModeStr = PORT_Alloc(modeStr->len + 1);
++    if (!tempModeStr)
++        return HASH_AlgNULL;
++    memcpy(tempModeStr, modeStr->data, modeStr->len);
++    tempModeStr[modeStr->len] = '\0';
++    mode = get_mode(tempModeStr);
++    PORT_Free(tempModeStr);
++    switch (mode) {
++        case bltestMD2:    return HASH_AlgMD2;
++        case bltestMD5:    return HASH_AlgMD5;
++        case bltestSHA1:   return HASH_AlgSHA1;
++        case bltestSHA224: return HASH_AlgSHA224;
++        case bltestSHA256: return HASH_AlgSHA256;
++        case bltestSHA384: return HASH_AlgSHA384;
++        case bltestSHA512: return HASH_AlgSHA512;
++    }
++    return HASH_AlgNULL;
+ }
+ 
+ void
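Review bot: `mode_str_to_hash_alg` returns `HASH_AlgNULL` for an empty input, for an allocation failure, and for any string that `get_mode` does not map to a digest, so a missing or misspelled hash file cannot be told apart from the other cases. Callers should treat `HASH_AlgNULL` as an error and report the file name rather than continue with a null digest. The `switch` has no `default:` label; adding `default: break; /* only digest modes are valid here */` makes the fallthrough explicit and silences enum-coverage warnings. If the hash files are loaded as raw bytes, as the later `get_params` hunk appears to do, a trailing newline would presumably defeat the match, which is worth confirming against `get_mode` (not visible here).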
+@@ -2886,6 +2801,8 @@
+ {
+     char filename[256];
+     char *modestr = mode_strings[mode];
++    bltestIO tempIO;
++
+ #ifdef NSS_SOFTOKEN_DOES_RC5
+     FILE *file;
+     char *mark, *param, *val;
+@@ -2944,38 +2861,62 @@
+ 	}
+ 	break;
+ #endif
++    case bltestRSA_PSS:
++	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext", j);
++	load_file_data(arena, &params->asymk.sig, filename, bltestBase64Encoded);
++	/* fall through */
++    case bltestRSA_OAEP:
++	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "seed", j);
++	load_file_data(arena, &params->asymk.cipherParams.rsa.seed,
++	               filename, bltestBase64Encoded);
++
++	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "hash", j);
++	load_file_data(arena, &tempIO, filename, bltestBinary);
++	params->asymk.cipherParams.rsa.hashAlg =
++	    mode_str_to_hash_alg(&tempIO.buf);
++
++	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "maskhash", j);
++	load_file_data(arena, &tempIO, filename, bltestBinary);
++	params->asymk.cipherParams.rsa.maskHashAlg =
++	    mode_str_to_hash_alg(&tempIO.buf);
++	/* fall through */
+     case bltestRSA:
+ 	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
+-	load_file_data(arena, &params->rsa.key, filename, bltestBase64Encoded);
+-	params->rsa.rsakey = rsakey_from_filedata(&params->key.buf);
++	load_file_data(arena, &params->asymk.key, filename,
++	               bltestBase64Encoded);
++	params->asymk.privKey =
++	    (void *)rsakey_from_filedata(&params->asymk.key.buf);
+ 	break;
+     case bltestDSA:
+ 	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
+-	load_file_data(arena, &params->dsa.key, filename, bltestBase64Encoded);
+-	params->dsa.dsakey = dsakey_from_filedata(&params->key.buf);
++	load_file_data(arena, &params->asymk.key, filename, bltestBase64Encoded);
++	params->asymk.privKey =
++	     (void *)dsakey_from_filedata(&params->asymk.key.buf);
+ 	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "pqg", j);
+-	load_file_data(arena, &params->dsa.pqgdata, filename,
++	load_file_data(arena, &params->asymk.cipherParams.dsa.pqgdata, filename,
+ 		       bltestBase64Encoded);
+-	params->dsa.pqg = pqg_from_filedata(&params->dsa.pqgdata.buf);
++	params->asymk.cipherParams.dsa.pqg =
++	      pqg_from_filedata(&params->asymk.cipherParams.dsa.pqgdata.buf);
+ 	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "keyseed", j);
+-	load_file_data(arena, &params->dsa.keyseed, filename, 
++	load_file_data(arena, &params->asymk.cipherParams.dsa.keyseed, filename,
+ 	               bltestBase64Encoded);
+ 	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "sigseed", j);
+-	load_file_data(arena, &params->dsa.sigseed, filename, 
++	load_file_data(arena, &params->asymk.cipherParams.dsa.sigseed, filename,
+ 	               bltestBase64Encoded);
+ 	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext",j);
+-	load_file_data(arena, &params->dsa.sig, filename, bltestBase64Encoded);
++	load_file_data(arena, &params->asymk.sig, filename, bltestBase64Encoded);
+ 	break;
+ #ifdef NSS_ENABLE_ECC
+     case bltestECDSA:
+ 	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
+-	load_file_data(arena, &params->ecdsa.key, filename, bltestBase64Encoded);
+-	params->ecdsa.eckey = eckey_from_filedata(&params->key.buf);
++	load_file_data(arena, &params->asymk.key, filename, bltestBase64Encoded);
++	params->asymk.privKey =
++	      (void *)eckey_from_filedata(&params->asymk.key.buf);
+ 	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "sigseed", j);
+-	load_file_data(arena, &params->ecdsa.sigseed, filename, 
+-	               bltestBase64Encoded);
++	load_file_data(arena, &params->asymk.cipherParams.ecdsa.sigseed,
++	               filename, bltestBase64Encoded);
+ 	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext",j);
+-	load_file_data(arena, &params->ecdsa.sig, filename, bltestBase64Encoded);
++	load_file_data(arena, &params->asymk.sig, filename, bltestBase64Encoded);
+ 	break;
+ #endif
+     case bltestMD2:
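Review bot: The four new `sprintf(filename, "%s/tests/%s/%s%d", ...)` calls in the `bltestRSA_PSS` and `bltestRSA_OAEP` cases write into a fixed buffer with no length limit. The previous hunk shows `char filename[256]`, presumably in this same function, and `testdir` appears to be caller-supplied, so a long test directory path would overrun the stack buffer. A bounded call such as `PR_snprintf(filename, sizeof filename, "%s/tests/%s/%s%d", testdir, modestr, "seed", j);` avoids that, and the existing `sprintf` calls in the neighbouring cases deserve the same change. Separately, `tempIO` is handed to `mode_str_to_hash_alg` without checking that `load_file_data` read anything, which is only safe if `load_file_data` clears `buf` when the open fails; only the `pBuf` reset is visible in this diff. The enclosing function starts and ends outside the hunk.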
+@@ -3074,11 +3015,6 @@
+ 	modestr = mode_strings[mode];
+ 	cipherInfo.mode = mode;
+ 	params = &cipherInfo.params;
+-#ifdef TRACK_BLTEST_BUG
+-	if (mode == bltestRSA) {
+-	    fprintf(stderr, "[%s] Self-Testing RSA\n", __bltDBG);
+-	}
+-#endif
+ 	/* get the number of tests in the directory */
+ 	sprintf(filename, "%s/tests/%s/%s", testdir, modestr, "numtests");
+ 	file = PR_Open(filename, PR_RDONLY, 00660);
+@@ -3087,11 +3023,6 @@
+ 	    return SECFailure;
+ 	}
+ 	rv = SECU_FileToItem(&item, file);
+-#ifdef TRACK_BLTEST_BUG
+-	if (mode == bltestRSA) {
+-	    fprintf(stderr, "[%s] Loaded data from %s\n", __bltDBG, filename);
+-	}
+-#endif
+ 	PR_Close(file);
+ 	/* loop over the tests in the directory */
+ 	numtests = 0;
+@@ -3103,35 +3034,16 @@
+ 	    numtests += (int) (item.data[j] - '0');
+ 	}
+ 	for (j=0; j<numtests; j++) {
+-#ifdef TRACK_BLTEST_BUG
+-	    if (mode == bltestRSA) {
+-		fprintf(stderr, "[%s] Executing self-test #%d\n", __bltDBG, j);
+-	    }
+-#endif
+ 	    sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr,
+ 			      "plaintext", j);
+ 	    load_file_data(arena, &pt, filename, 
+-#ifdef NSS_ENABLE_ECC
+-	                   ((mode == bltestDSA) || (mode == bltestECDSA))
+-#else
+-	                   (mode == bltestDSA)
+-#endif
+-	                   ? bltestBase64Encoded : bltestBinary);
++	                   is_sigCipher(mode) ? bltestBase64Encoded
++	                                      : bltestBinary);
+ 	    sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr,
+ 			      "ciphertext", j);
+ 	    load_file_data(arena, &ct, filename, bltestBase64Encoded);
+ 
+-#ifdef TRACK_BLTEST_BUG
+-	    if (mode == bltestRSA) {
+-		fprintf(stderr, "[%s] Loaded data for  self-test #%d\n", __bltDBG, j);
+-	    }
+-#endif
+ 	    get_params(arena, params, mode, j);
+-#ifdef TRACK_BLTEST_BUG
+-	    if (mode == bltestRSA) {
+-		fprintf(stderr, "[%s] Got parameters for #%d\n", __bltDBG, j);
+-	    }
+-#endif
+ 	    /* Forward Operation (Encrypt/Sign/Hash)
+ 	    ** Align the input buffer (plaintext) according to request
+ 	    ** then perform operation and compare to ciphertext
+@@ -3144,34 +3056,26 @@
+ 		memset(&cipherInfo.output.buf, 0, sizeof cipherInfo.output.buf);
+ 		rv |= cipherInit(&cipherInfo, PR_TRUE);
+ 		misalignBuffer(arena, &cipherInfo.output, outoff);
+-#ifdef TRACK_BLTEST_BUG
+-		if (mode == bltestRSA) {
+-		    fprintf(stderr, "[%s] Inited cipher context and buffers for #%d\n", __bltDBG, j);
+-		}
+-#endif
+ 		rv |= cipherDoOp(&cipherInfo);
+-#ifdef TRACK_BLTEST_BUG
+-		if (mode == bltestRSA) {
+-		    fprintf(stderr, "[%s] Performed encrypt for #%d\n", __bltDBG, j);
+-		}
+-#endif
+ 		rv |= cipherFinish(&cipherInfo);
+-#ifdef TRACK_BLTEST_BUG
+-		if (mode == bltestRSA) {
+-		    fprintf(stderr, "[%s] Finished encrypt for #%d\n", __bltDBG, j);
+-		}
+-#endif
+ 		rv |= verify_self_test(&cipherInfo.output, 
+ 		                       &ct, mode, PR_TRUE, 0);
+-#ifdef TRACK_BLTEST_BUG
+-		if (mode == bltestRSA) {
+-		    fprintf(stderr, "[%s] Verified self-test for #%d\n", __bltDBG, j);
+-		}
+-#endif
+ 		/* If testing hash, only one op to test */
+ 		if (is_hashCipher(mode))
+ 		    continue;
+ 		/*if (rv) return rv;*/
++		if (is_sigCipher(mode)) {
++		    /* Verify operations support detached signature files. For
++		    ** consistency between tests that run Sign/Verify back to
++		    ** back (eg: self-tests) and tests that are only running
++		    ** verify operations, copy the output into the sig buf,
++		    ** and then copy the sig buf back out when verifying. For
++		    ** self-tests, this is unnecessary copying, but for
++		    ** verify-only operations, this ensures that the output
++		    ** buffer is properly configured
++		    */
++		    bltestCopyIO(arena, &params->asymk.sig, &cipherInfo.output);
++		}
+ 	    }
+ 	    if (!decrypt)
+ 		continue;
+@@ -3181,43 +3085,21 @@
+ 	    ** Align the input buffer (ciphertext) according to request
+ 	    ** then perform operation and compare to plaintext
+ 	    */
+-#ifdef NSS_ENABLE_ECC
+-	    if ((mode != bltestDSA) && (mode != bltestECDSA))
+-#else
+-	    if (mode != bltestDSA)
+-#endif
+-		bltestCopyIO(arena, &cipherInfo.input, &ct);
+-	    else
++	    if (is_sigCipher(mode)) {
+ 		bltestCopyIO(arena, &cipherInfo.input, &pt);
+-	    misalignBuffer(arena, &cipherInfo.input, inoff);
++		bltestCopyIO(arena, &cipherInfo.output, &params->asymk.sig);
++	    } else {
++		bltestCopyIO(arena, &cipherInfo.input, &ct);
+ 	    memset(&cipherInfo.output.buf, 0, sizeof cipherInfo.output.buf);
++	    }
++	    misalignBuffer(arena, &cipherInfo.input, inoff);
+ 	    rv |= cipherInit(&cipherInfo, PR_FALSE);
+ 	    misalignBuffer(arena, &cipherInfo.output, outoff);
+-#ifdef TRACK_BLTEST_BUG
+-	    if (mode == bltestRSA) {
+-		fprintf(stderr, "[%s] Inited cipher context and buffers for #%d\n", __bltDBG, j);
+-	    }
+-#endif
+ 	    srv = SECSuccess;
+ 	    srv |= cipherDoOp(&cipherInfo);
+-#ifdef TRACK_BLTEST_BUG
+-	    if (mode == bltestRSA) {
+-		fprintf(stderr, "[%s] Performed decrypt for #%d\n", __bltDBG, j);
+-	    }
+-#endif
+ 	    rv |= cipherFinish(&cipherInfo);
+-#ifdef TRACK_BLTEST_BUG
+-	    if (mode == bltestRSA) {
+-		fprintf(stderr, "[%s] Finished decrypt for #%d\n", __bltDBG, j);
+-	    }
+-#endif
+ 	    rv |= verify_self_test(&cipherInfo.output, 
+ 	                           &pt, mode, PR_FALSE, srv);
+-#ifdef TRACK_BLTEST_BUG
+-	    if (mode == bltestRSA) {
+-		fprintf(stderr, "[%s] Verified self-test for #%d\n", __bltDBG, j);
+-	    }
+-#endif
+ 	    /*if (rv) return rv;*/
+ 	}
+     }
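Review bot: In the new `if (is_sigCipher(mode)) { ... } else { ... }` block, the `memset(&cipherInfo.output.buf, 0, sizeof cipherInfo.output.buf);` line now sits inside the `else` branch but keeps its old indentation, so it reads as if it still ran for every mode. Re-indent it one level and add a comment such as `/* signature modes keep output: it carries the signature to verify */`, so that skipping the clear for signature modes is visibly intentional. The loop body starts outside the hunk.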
+@@ -3230,7 +3112,7 @@
+     bltestIO keydata;
+     PLArenaPool *arena = NULL;
+     arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
+-    if (mode == bltestRSA) {
++    if (mode == bltestRSA || mode == bltestRSA_PSS || mode == bltestRSA_OAEP) {
+ 	RSAPrivateKey *key;
+ 	load_file_data(arena, &keydata, filename, bltestBase64Encoded);
+ 	key = rsakey_from_filedata(&keydata.buf);
+@@ -3965,18 +3847,10 @@
+         
+         if (bltest.commands[cmd_Verify].activated) {
+             file = PR_Open(bltest.options[opt_SigFile].arg, PR_RDONLY, 00660);
+-            if (cipherInfo->mode == bltestDSA) {
+-                memset(&cipherInfo->params.dsa.sig, 0, sizeof(bltestIO));
+-                cipherInfo->params.dsa.sig.mode = ioMode;
+-                setupIO(cipherInfo->arena, &cipherInfo->params.dsa.sig,
+-                        file, NULL, 0);
+-#ifdef NSS_ENABLE_ECC
+-            } else if (cipherInfo->mode == bltestECDSA) {
+-                memset(&cipherInfo->params.ecdsa.sig, 0, sizeof(bltestIO));
+-                cipherInfo->params.ecdsa.sig.mode = ioMode;
+-                setupIO(cipherInfo->arena, &cipherInfo->params.ecdsa.sig,
+-                        file, NULL, 0);
+-#endif
++            if (is_sigCipher(cipherInfo->mode)) {
++                memset(&params->asymk.sig, 0, sizeof(bltestIO));
++                params->asymk.sig.mode = ioMode;
++                setupIO(cipherInfo->arena, &params->asymk.sig, file, NULL, 0);
+             }
+             if (file) {
+                 PR_Close(file);
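Review bot: In the new `is_sigCipher` branch, `setupIO(cipherInfo->arena, &params->asymk.sig, file, NULL, 0)` runs before `file` is tested, and the `if (file)` guard that follows only protects `PR_Close`. If the signature file cannot be opened, the verify command therefore continues with whatever `setupIO` does for a NULL file; `setupIO` is not visible here, but at best the signature is left empty. I would test the `PR_Open` result first, report the unreadable signature file, and stop before `setupIO`. The next hunk has the same pattern for the PQG file (`setupIO(..., &params->asymk.cipherParams.dsa.pqgdata, file, NULL, 0)`) and should get the same check. The enclosing function starts and ends outside the hunk.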
+@@ -3985,8 +3859,9 @@
+         
+         if (bltest.options[opt_PQGFile].activated) {
+             file = PR_Open(bltest.options[opt_PQGFile].arg, PR_RDONLY, 00660);
+-            params->dsa.pqgdata.mode = bltestBase64Encoded;
+-            setupIO(cipherInfo->arena, &params->dsa.pqgdata, file, NULL, 0);
++            params->asymk.cipherParams.dsa.pqgdata.mode = bltestBase64Encoded;
++            setupIO(cipherInfo->arena, &params->asymk.cipherParams.dsa.pqgdata,
++                    file, NULL, 0);
+             if (file) {
+                 PR_Close(file);
+             }
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/README seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/README
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/README	2013-09-16 22:26:56.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/README	2014-02-10 01:13:33.019519886 +0400
+@@ -46,4 +46,11 @@
+     bltest -E -m rsa -i plaintext0 -o ciphertext0 -e 65537 -g 32 -a
+     mv tmp.key key0
+ 
++RSA-OAEP/RSA-PSS:
++RSA-OAEP and RSA-PSS have a number of additional parameters to feed in.
++- "seedN": The seed or salt to use when encrypting/signing
++- "hashN" / "maskhashN" - The base digest algorithm and the digest algorithm
++   to use with MGF1, respectively. This should be an ASCII string specifying
++   one of the hash algorithms recognized by bltest (eg: "sha1", "sha256")
++
+ [note: specifying a keysize (-g) when using RSA is important!]
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext0 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext0
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext0	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext0	2014-02-10 01:13:33.019519886 +0400
+@@ -0,0 +1,3 @@
++NU/me0oSbV01/jbHd3kaP3uhPe9ITi05CK/3IvrUaPshaW3pXQvpEcLTF0+K/MIBA197bY5pQC3l
++RRYYwhpTX6nXv8W43Z/CQ/jPkn2zEyLW6IHqqRqZYXDmV6BaJmQm2YyIAD+Ed8EicJSg2foejEAk
++MJzh7My1IQA11HrHLoo=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext1	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext1	2014-02-10 01:13:33.020519869 +0400
+@@ -0,0 +1,3 @@
++ZA2xrMWOBWj+VAfl+bcB3/jDyR5xbFNvx/zsbLW3HBFlmI1KJ54Vd9cw/Hopky4/AMgVFSNtjY4x
++AXp6Cd9DUtkEzet5qlg63MMeppikwFKD2rqQib5UkfZ8Gk7kjcdLu+ZkOu+EZnm0yzlaNS1e0RWR
++LfaW/+BwKTKUbXFJK0Q=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext10 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext10
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext10	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext10	2014-02-10 01:13:33.020519869 +0400
+@@ -0,0 +1,4 @@
++Iyr7ySf6CML2onuH1KXLCcB9wm+uc9c6kFWIOfT9ZtKBuH7HNLziN7oWZpjtgpEGp95pQs1s3OeP
++7Y0uTYFCjmZJDQNiZM75KvlB0+NQVf45geFNKcu5pPZ0cwY7rseaEXn1oXycGDLyg4/X1eWbuWWd
++VtzooBnt7xuzrMxpfMbMenePYKBkx/b11SnGIQJi4APeWD6B4xZ7iZcfuMDhXUT//vibU9jWTdeX
++0Vm1bSsI6lMH6hLCQb1Y1O4nih8u
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext11 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext11
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext11	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext11	2014-02-10 01:13:33.020519869 +0400
+@@ -0,0 +1,4 @@
++Q4zH3AimjaJJ5CUF+Fc7pg4sJ3PVspD0z53/cY6EIIHDg+ZwJKDylZTqmHudJeS3OPKFlw0ZWrs6
++jIBU49eda5yagye6WW8SWeJxJmdHZpB9jVgv86hHYVSSmtsebRI1ssy07I9mO6nMZwqSvr2FPI2/
++acZDbQFvYa3YNulHMkUENCB/n9TEPewqEqlY76Ae/iZpiZteYEwlXFX7cWbeVYnjaVl7sJFowG3V
++2xd+BqF0DrLVyC+uym2S/O6ZMbqf
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext12 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext12
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext12	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext12	2014-02-10 01:13:33.020519869 +0400
+@@ -0,0 +1,5 @@
++U+pdwIzSYPs7hYVnKH+pFVLDCy/r+6IT8K6HcC0GjRm6sH/ldFI9+0ITnWjDxa/u4L/ky3lpy/OC
++uATW5hOWFE4tDmB0H4mTwwFLWLmxlXqLq80jr4VPTDVvsWYqpyv8x+WGVZ3EKA0WDBJnhacj6+6+
++/3HxFZRECq74fRB5Ood0ojnUoEyH/hRnudr4UgjsbHJVeUqWzCkUL5qL1Bjjwf1nNEsM0IKd87K+
++xgJTGWKTxrNNP3XTLyE91Fxic9UFrfTM7RBXy3WPwmru+kQSVe1OZMGZ7gdefxZkYYL9tGRzm2ir
++Xa/w5j6VUgFoJPBUv008jJCpe7a2VTKE60KfzA==
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext13 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext13
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext13	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext13	2014-02-10 01:13:33.020519869 +0400
+@@ -0,0 +1,5 @@
++orGkMKnWV+L6HCu17UP/slwFowj+kJPAEDF5X1h0QAEQgorlj7m1gc6d3dPlSa4EoJhUWb3mxiZZ
++TnsF3EJ4sqFGXBNoQIgjyF6W3GbDowmDxjlmT8RWmjf+IeWhlbV3bu0t+NjTYa9obnUCKbvWY/Fh
++hopQYV4MM3vsDKNf7AuxnDbrLgu8wFgvodk6rNsGEGP1nyzh7kNgXl2J7KGD0qzf6fgQEQIq07Q6
++PdQX2slLThHqgbGSlm6WaxgggucZZGB7T4AC82KZhEoR8q4PrqwurnD49PmAiKzc0KxVbp/MxRFS
++GQj60m8ExkIBRQMFd4dYsFOL+LW7FEqCjmKXlQ==
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext14 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext14
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext14	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext14	2014-02-10 01:13:33.020519869 +0400
+@@ -0,0 +1,5 @@
++mIbD5nZKi5qE6EFI69jDsaqAUDgaePZocUwW2c/Spu3FaXnFNdne47RLhcGL6JKJkjcXEUciFtld
++2pjS7oNHybFN/9/4SqSNJawG99fmU5islnsc6Qkl9n3OBJt/gS2wdCmXp01E/oHb4Oej/q8uXECv
++iI1VDdu+O8IGV6KVQ/j8KRO5vRphsqsiVuxAm719wNF3F+olxD9C7Sffhzi/SvxnZv96/whZVV7i
++g5IPTIpjxKc0DLr93DOezbSwUVAC+WyTK1t5Fnr2mcCtP8z98PROhacCYr8uGP40uFBYmXXoZ/+W
++nUjqvyEicVRs3AWmnstSblKHDINvMHvXmHgO3g==
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext15 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext15
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext15	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext15	2014-02-10 01:13:33.020519869 +0400
+@@ -0,0 +1,5 @@
++Yxjp+1wNBeUwfhaDQ26QMpOsRkI1iqoiPXFjATq6h+Lf2o5gxoYOKaHpJoYWPqC5F18ynKOxMaHt
++06d3Wai5e61qT49DlvKM9vOcpYES5IFg1uID2qWFbzrKX/7Vd69JlAjj39Iz4+YE2+NKnEyQgt5l
++UnysYzHSncgOBQig+nEi5/Mp9sylz6NNTR2kF4BUV+AIvsVJ5Hj/nhKnY8R30Vu7ePW2m9V4MPws
++TtaG15vHKpXYX4gTTGsK/laozPvIVYKLszm9F5Cc8dcN4zNa4HA5CT5gbWVTZd5lULhyzW3h1EDu
++AxthlF9imtijU7DUCTnpajxFDSqNXu6fZ4CTyA==
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext16 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext16
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext16	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext16	2014-02-10 01:13:33.020519869 +0400
+@@ -0,0 +1,5 @@
++dSkIcsz9SkUFZg1lH1babaoJyhMB2JBjL2qZLz1WXO5GSv3tQO07W+k1ZxTqWqdlX0oTZsLxfHKP
++byxaXR+OKEKbxOb48s/42o3A4KmAjkX9CeovpAyyts5v//XA4VnRG2jZCoX3uE4QOwnmgmZkgMZX
++UFwJKSWUaKMUeG106rExVzzyNL9X232eZsxnSBkuAC3A3uqTBYXwgx/c2bwz1R957S/8Frz01ZgS
++/OvKo/kGmw5EVobWRMJcz2O0Vu5fpv/pbxnN91H+2erzWVd1Tb9L/qUhaqGETcUHyy0IDnIuuhUD
++CMK1/xGTYg8XZuz0SBuvuUO9KSh38hNspJSroA==
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext17 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext17
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext17	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext17	2014-02-10 01:13:33.020519869 +0400
+@@ -0,0 +1,5 @@
++LSB6c0Mqj7TAMFGz9zsophdkCY36NMR6IJlfgRWqaBZnm1V+gtvuWEkIxuaXgtfes029Za8GPVf8
++p2pf0GlJL9YGjZmE0gk1BWWmLlx38jA4wSyxDGY0cJtUfEb2tKcJvYXKEi10Rl75d2LCl2Pgbbx6
++nnOMeL/KAQLcXnnWW5c/KCQMqrLhYaeLV9JiRX7YGV1T48eunaAhiDxtt8JK/dIyLqyXKtPDVMX8
++7x4UbDoCkPtnrfAHBm4AQo0s7BjOWPkyhpje/vSy617HaRj94cGYy7OLevxnYmqa7+xDIr/ZDSVj
++SByaIh94yCcsgtG2KrkU4cafavbvMMpSYNtKRg==
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext2 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext2
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext2	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext2	2014-02-10 01:13:33.020519869 +0400
+@@ -0,0 +1,3 @@
++Qjc27QNfYCavJ2w1wLN0GzZeX3bKCRtOjCni8L7+5gNZWqgyLWAtLmJeleuBsvHJck6CLsp224YY
++zwnFNDUDpDYINbWQO8Y344efsF4O8yaF1a7FBnzXzJb+SyZwturDBmsfz1aGtoWJqvt9YpsC2Phi
++XKODNiTUgA+wgbHPlOs=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext3 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext3
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext3	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext3	2014-02-10 01:13:33.020519870 +0400
+@@ -0,0 +1,3 @@
++RerUylUeZiyYAPGsqCg7BSXmq64wvktKunYvpA/T044iq+/Gl5T267vAXduxEhYkfS9BL9D7qHxu
++Os2IiBNkb9DkjnhSBPnD9z1tgjlWJyLd3Ydx/sSLg6Me5vWSxM/UvIgXTzsToRKq47n3uA4Pxvcl
++W6iA3H2AIeIq1qhfB1U=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext4 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext4
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext4	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext4	2014-02-10 01:13:33.020519870 +0400
+@@ -0,0 +1,3 @@
++NvbjTZSo002qy6M6ITnQCthak0WoYFHnMHFiAFa5IOIZAFhVohOg8jiXzc1zG0UlfHd/6QggK+/d
++C1g4axJE6gz1OaBdXRAynaROEwMP12Dc1kTP7yCU0ZENP0M+HHxt0YvB8t9/ZD1mL7ndN+rZBZGQ
++9PpmyjnoacTrRJy9xDk=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext5 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext5
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext5	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext5	2014-02-10 01:13:33.020519870 +0400
+@@ -0,0 +1,3 @@
++Qs7iYXsezqTbP0gpOG+9Ydr78DjhgNg3yWNm3yTAl7SrD6xr31kNghyfEGQuaBrQW414s3jA9Gzi
+++tY/dOCtPfBrB11+tfVjb41AO5BZynYbXGK7UqpFAC6nC6rOCN7SQ7nYy9YqaK3iZYMrVlZOQ6b6
++Qu0ZmgmXaXQt8VOeglU=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext6 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext6
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext6	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext6	2014-02-10 01:13:33.020519870 +0400
+@@ -0,0 +1,4 @@
++JnvNEYrKsfyLqByF1zADy4YQ+lXB2X2o1Ip8fwaJak23UaooQlW502rWXzdlPYKfGzf5e4ABlCVF
++svwsVac3bKehvksXYMjgWjPlqiUmuNmOMXCI54NMdVsqWbEmMaGCwF1dQ6sXeSZPhFb1Fc5X399R
++LVST2re3M43Et9eNucCRrDuvU3pp/H9UnZefDv+alP2kFpvU0dGaacmeM8O1VJDVAbObHtrhGP9n
++k6FTJhWE06Xzn25oLj0XyM0SYfpy
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext7 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext7
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext7	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext7	2014-02-10 01:13:33.020519870 +0400
+@@ -0,0 +1,4 @@
++k6yfBnHsKay7RE7/waV0E1HWD9sOOT+/dUrPDeSXYaFIQd93cum8gnc5ZqFYTE1yuuoAEY+D81zK
++blN8vU2BH1WDspeD2KbZTNMb5w1vUmwQ/wnG+nzgaXlaP80FEf1fy1ZLzIDqnHjzi4ABJTnYpN32
++/oHpzdt/UNu7vMfl2GCXzPTsSRifuL8xi+bVoHFdUWtJrxkSWM0y3IM85utGc8A6Gbus6IzFSJX2
++NswMHsiQltEc4jWiZcoXZCMqaJro
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext8 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext8
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext8	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext8	2014-02-10 01:13:33.020519870 +0400
+@@ -0,0 +1,4 @@
++gevdlQVLDIIu+a12k/Woet+0tMTOcN8t+E7UnATaWLpfwgoZ4abot6OQCyJ5bcToae5rQnktFajs
++61bAnGmRToE86o9pMeS47W9CGvKY1ZXJf0eJx8qmEsfvNgmEwhuT7cVAEGi1r0x4qHcbmE1TuOqK
++3y9qfUoLp2x14d2fZY8g3tSkYHHUbXeRtWgD2P6n8LD45Brj8JODpvlYX+d1Pqr/0r+UVjEIvuzC
++B7u1NfX8xwXw3en3CMYvSanJA3HT
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext9 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext9
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext9	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/ciphertext9	2014-02-10 01:13:33.020519870 +0400
+@@ -0,0 +1,4 @@
++vMNflM3mbLETZiXWJblEMqNbIvPS+hGmE/8PylvVf4e5AszcHNCuvLBxXuhp0dH+OV9nkwA/XspG
++UFnIhmDURv9fCBhVICJVfjjAimfq2ZEmIlTxBoKXXsVjl3aFN/SXevbV9qrOt/sl3sWTcjAjH9iX
++ivSRGaKfKeQkq4JytHVieS1clPd0uIKdCw2fGoye3fN1dNX6JI7vqcUnH8XsJXnIG91htBD6Yf42
++5CQiHBE63bJ1ZkyAHTTKjGNR5KhY
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash0 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash0
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash0	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash0	2014-02-10 01:13:33.020519870 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash1	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash1	2014-02-10 01:13:33.020519870 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash10 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash10
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash10	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash10	2014-02-10 01:13:33.020519870 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash11 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash11
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash11	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash11	2014-02-10 01:13:33.020519870 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash12 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash12
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash12	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash12	2014-02-10 01:13:33.020519870 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash13 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash13
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash13	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash13	2014-02-10 01:13:33.022519832 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash14 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash14
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash14	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash14	2014-02-10 01:13:33.022519832 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash15 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash15
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash15	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash15	2014-02-10 01:13:33.022519832 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash16 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash16
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash16	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash16	2014-02-10 01:13:33.022519832 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash17 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash17
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash17	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash17	2014-02-10 01:13:33.022519832 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash2 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash2
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash2	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash2	2014-02-10 01:13:33.022519832 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash3 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash3
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash3	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash3	2014-02-10 01:13:33.022519832 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash4 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash4
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash4	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash4	2014-02-10 01:13:33.022519832 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash5 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash5
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash5	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash5	2014-02-10 01:13:33.022519832 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash6 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash6
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash6	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash6	2014-02-10 01:13:33.022519832 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash7 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash7
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash7	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash7	2014-02-10 01:13:33.022519832 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash8 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash8
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash8	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash8	2014-02-10 01:13:33.022519832 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash9 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash9
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash9	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/hash9	2014-02-10 01:13:33.023519814 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key0 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key0
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key0	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key0	2014-02-10 01:13:33.023519814 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAACAqLOyhK+OtQs4cDSoYPFGxJGfMYdjzWxVmMiuSBGh4KvEx+CwgtaTpef87Wdc9GaFEncsDLxkp0LGxjD1M8jMcvYq6DPEC/JYQumEu3i9v5fAEH1VvbZi9cTg+rmEXLUUjvc5LdOq/5OuHmtme7PUJHYW1PW6ENTP0ibeiNOfFvsAAAADAQABAAAAgFMznP23n8hGamVccxasqFxV/Y9t2Jj9rxGVF+9PUuj9jiWN+T/uGA+g5KspaTzYOxUqVT1KxNGBK4ufpa8Of1X+cwTfQVcJJvMxHxXE1lpzLEgxFu49PS0K81Sa2b98v7eK2IT4TVvrBHJNxzabMd7zfQz1OenPzdPeZTcp6tXRAAAAQNMnN+cmf/4TQbLVwNFQqBtYb7MTK+0vjVJihkqcufMK84vkSFmNQToXLvuALCGs8cEcUgwvJqRx3K0hLqx8o50AAABAzIhT0dVNpjD6wAT0cfKBx7iYLYIkpJDtvrM9Pj1cyTxHZXA9HdeRZC8fEWoN2FK+JBmyr3K/6aAw6GCwKItddwAAAEAOEr8XGOnO9VmbocOIL+gEapCHTu/OjyzMIOTydB+wozo4SK7JyTBfvsvS12gZln1GcazGQx5AN5aNs3h45pXBAAAAQJUpew+Vovpn0AcH1gnf1PwFyJ2vwu9tbqVb7HceozNzTZJR55CC7NqGbv7xPEWeGmMThrfjVMiZ9fESyoXXFYMAAABAT0VsUCSTvcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2h90qjKHS9PvY4Q==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key1	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key1	2014-02-10 01:13:33.023519814 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAACAqLOyhK+OtQs4cDSoYPFGxJGfMYdjzWxVmMiuSBGh4KvEx+CwgtaTpef87Wdc9GaFEncsDLxkp0LGxjD1M8jMcvYq6DPEC/JYQumEu3i9v5fAEH1VvbZi9cTg+rmEXLUUjvc5LdOq/5OuHmtme7PUJHYW1PW6ENTP0ibeiNOfFvsAAAADAQABAAAAgFMznP23n8hGamVccxasqFxV/Y9t2Jj9rxGVF+9PUuj9jiWN+T/uGA+g5KspaTzYOxUqVT1KxNGBK4ufpa8Of1X+cwTfQVcJJvMxHxXE1lpzLEgxFu49PS0K81Sa2b98v7eK2IT4TVvrBHJNxzabMd7zfQz1OenPzdPeZTcp6tXRAAAAQNMnN+cmf/4TQbLVwNFQqBtYb7MTK+0vjVJihkqcufMK84vkSFmNQToXLvuALCGs8cEcUgwvJqRx3K0hLqx8o50AAABAzIhT0dVNpjD6wAT0cfKBx7iYLYIkpJDtvrM9Pj1cyTxHZXA9HdeRZC8fEWoN2FK+JBmyr3K/6aAw6GCwKItddwAAAEAOEr8XGOnO9VmbocOIL+gEapCHTu/OjyzMIOTydB+wozo4SK7JyTBfvsvS12gZln1GcazGQx5AN5aNs3h45pXBAAAAQJUpew+Vovpn0AcH1gnf1PwFyJ2vwu9tbqVb7HceozNzTZJR55CC7NqGbv7xPEWeGmMThrfjVMiZ9fESyoXXFYMAAABAT0VsUCSTvcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2h90qjKHS9PvY4Q==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key10 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key10
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key10	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key10	2014-02-10 01:13:33.023519814 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAADAzyzUHjTKOnKOpcuK/2TDbSe971Nk4zb9aNMSPFoZaowocBPoU9UVbVjRUZVFIPtPbXsXq7aBd2WQnFdhGWWdkCsZBu2KKxDBVcJNEkUo2rnurjeb6sZuSkEXhty4/QBi68Aw3hIZoEwqjBt90xMeTWtsruLjGl7UGsFQmy7x7iqxg2S+VoypQcJezIT/nWQ7XsGqrhAqINc/R5t4D9bakQdSEtnqwDoGdNiZ66LkMfTES2Fba6IjK9SzO67XPWJdAAAAAwEAAQAAAMAZjBQeI3FakrzPahGaW8ETiUaNKBH1SNcn4XtKsOuYbW8hHvtTtx98y+qH7mnHXuYVAIxTMt61K/OQq9+/431yBTaBWbJjjB3jJuIdIiUfD7WEizvxUAXSp0Mw8K/pFu5izME0TR2DpwnmBnYnOED383dCSl4KTadfAbMf92gZz5y/3SFSQ8ORfAPvOBmTEuVns7967Tq0V/Nx74oUI/RbaMbiguwRG7ooM7mH/Wn62DvBuMYTxeHqFsEe0SXqfsEAAABg/I1sBL7E65qBksp5AMvlNuLotRnezzOyRZeYxpCd9PF2230jGQ/HK4hlpxiviV8bzZFFKYAnQjtgXnCkfPWDkKjD6I/IxI6LMuPaIQ374+iB6lZ0tqNIwh6T+eVepl79AAAAYNIA1F54iqzqYGpAHQRg+H3VwQJ+EtwaDXWG6JOdnPeJtA9RrARClh3n0hzCHgXIMVXB8qqRkzh8/flWy0jRU7onBAb5u7pTfUmH2eL5lC16FMv//qdP7N2pKNI+JZ9e4QAAAGDbFoAveaLw1F81jWn9M+RLgfroKGIuk6VCU+mX0BsHQ3WdoOgStKpObIvqsjKNVDGVWkGKZ/8mqMXIB6XaNU4F7zHMjPdY9GNzKVCwPiZXJvuU451qVyomJEqwjbdXUq0AAABgoKMXz+ffFCP4em3uhFH04rSmflSX8ptPHk6DC5+t2UAR
 ZwJvVZblo5yXgX4PXxbifhnsmQLgHX6m+5qjx2Cv7h44G2neasnAdYWgatnEugC/dcitL6iYpHnoCuKU/tKhAAAAYAsh8zXDUzQutEw6okRFeAwtZVuUAXTK44x8ik5kk8C6n9MDdIJnsIO5p6bLYeQts2K4yYlttwZOAq1a5hWH2hW0ZJyQWUkJ/rN9vLZUvrcmjsgB5ai0qjkRvr2IVC8Fvg==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key11 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key11
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key11	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key11	2014-02-10 01:13:33.023519814 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAADAzyzUHjTKOnKOpcuK/2TDbSe971Nk4zb9aNMSPFoZaowocBPoU9UVbVjRUZVFIPtPbXsXq7aBd2WQnFdhGWWdkCsZBu2KKxDBVcJNEkUo2rnurjeb6sZuSkEXhty4/QBi68Aw3hIZoEwqjBt90xMeTWtsruLjGl7UGsFQmy7x7iqxg2S+VoypQcJezIT/nWQ7XsGqrhAqINc/R5t4D9bakQdSEtnqwDoGdNiZ66LkMfTES2Fba6IjK9SzO67XPWJdAAAAAwEAAQAAAMAZjBQeI3FakrzPahGaW8ETiUaNKBH1SNcn4XtKsOuYbW8hHvtTtx98y+qH7mnHXuYVAIxTMt61K/OQq9+/431yBTaBWbJjjB3jJuIdIiUfD7WEizvxUAXSp0Mw8K/pFu5izME0TR2DpwnmBnYnOED383dCSl4KTadfAbMf92gZz5y/3SFSQ8ORfAPvOBmTEuVns7967Tq0V/Nx74oUI/RbaMbiguwRG7ooM7mH/Wn62DvBuMYTxeHqFsEe0SXqfsEAAABg/I1sBL7E65qBksp5AMvlNuLotRnezzOyRZeYxpCd9PF2230jGQ/HK4hlpxiviV8bzZFFKYAnQjtgXnCkfPWDkKjD6I/IxI6LMuPaIQ374+iB6lZ0tqNIwh6T+eVepl79AAAAYNIA1F54iqzqYGpAHQRg+H3VwQJ+EtwaDXWG6JOdnPeJtA9RrARClh3n0hzCHgXIMVXB8qqRkzh8/flWy0jRU7onBAb5u7pTfUmH2eL5lC16FMv//qdP7N2pKNI+JZ9e4QAAAGDbFoAveaLw1F81jWn9M+RLgfroKGIuk6VCU+mX0BsHQ3WdoOgStKpObIvqsjKNVDGVWkGKZ/8mqMXIB6XaNU4F7zHMjPdY9GNzKVCwPiZXJvuU451qVyomJEqwjbdXUq0AAABgoKMXz+ffFCP4em3uhFH04rSmflSX8ptPHk6DC5+t2UAR
 ZwJvVZblo5yXgX4PXxbifhnsmQLgHX6m+5qjx2Cv7h44G2neasnAdYWgatnEugC/dcitL6iYpHnoCuKU/tKhAAAAYAsh8zXDUzQutEw6okRFeAwtZVuUAXTK44x8ik5kk8C6n9MDdIJnsIO5p6bLYeQts2K4yYlttwZOAq1a5hWH2hW0ZJyQWUkJ/rN9vLZUvrcmjsgB5ai0qjkRvr2IVC8Fvg==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key12 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key12
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key12	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key12	2014-02-10 01:13:33.023519814 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAAEArkXtVgHOxrjMBfgDk1xnTdvg11xMCf15UfxrDK7DE6jfOZcMUYv/ul7Wjz8NfyKkAp1BPxrgfk6+nkF3ziPn9UBLVp5O4b3PPB+wPvETgC1PhV65tRNLWnyAha3K5vovoUF+w3Y74XGwxit2Dt4jwSrZK5gIhMZB9aj6wmva1KAzgaIv4bdUiFCUyCUG1AGaU1ooav6ycbubpZLeGNz2AMKu6uVuAvfPefwUzzvcfNhP67v5UMqQMEsiGaeqBjrvosPBmA5WDNZK/neVhbYQdle5V4V+/eYBCYirfeQX/IjY84TE5ucsP5Q+DDHAxKXMNvh52KOsnX1Zhg6q2muDuwAAAAMBAAEAAAEABWsEIW/l81SsdyUKS2sMhSWoXFmwvYDFZFCiLV9DjllqMzqodeKR3UP0jLiLnV/A1Jn5/NHDl/mvwHDNnjmMjRnmHbfHQQprJnXfv100W4BNIBrdUC1c4t/LCRzpmXu+vlcwbzg+TViBA/A29+hdGTTRUqMj5KjbRR1vSlsbDxAswVDgL+7iuI3qStTBusyyTYQHLRTh0kpncfdAjuMFZPuG1Dk6NLzwt4hQHRkzA/E6IoSwAfD2Ser3kyjUrFxDCrRBSSCpRg7Rt7xA7GU+h20Jq8UJrkW1JRkBFqDCYQGEgphQnBw786SD5ydAVOFelwdQNumJ9gkygHtSV3UeeQAAAIDs9a7NHlUV//rL11ooFsbr9JAYzftGOOGF1mpzlrb4CQ+AGMf9lcw0uFfcF/DMZRa7E0arTVgsra17QQM1I4e3AzjQhAR8nZU5tkliBLPdbqRCSZIHvsAflkKH/2M2w5hGWDNoRvVuRoYYgcECM9IXa/FaXpbdx4C8hoqnfTznaQAAAIC8RsRk/GrEyng7DrCKPIQbdy9+my8our1YiuiF4aDGHkhYoPslrCmZkPNb6FFkwlm6EXXN1xknBxNRhJkrbCm3Rt0NLKvhQoNf
 fRSMwWFSS0oJlG1IuChHPxzna2y2iGw0XAPgX0HVG1w6kKPyQHPH10pP4l2c8hx1lg8/w4YxgwAAAIDHNWRXHQD7FdCKPemVelCRXXEm6UQtrPQryC6GLlZz/2oAjtTS43RhffifF6FgtDt/2py2trdCGGCYFffUXKJjwVmqMtJy0Sf69LyMotdzeOiusZsK19o8s94K5zFJgPYrbUsKh10d8DwbrjnM2DPvbNfi2VKL8ITR+WnnlOn2wQAAAIAmWLN/bfnBAwvh22gRf6nYfjnqK2k7fm06L3CUdBPuxhQuGPuN/LasVF18hqCtSPhFcXDw77JrxIEmxT79HRaSAZjcKhEH3CgttqgM0wYjYLo/oT9w5DEv8abNa4/EzZxcPbF8bWpXIS9zrin2GTJ7rVmxU4WFhbpOKLYKYqReSQAAAIBvOFJrOSUIVTTvPkFag27ei4YViix8v+zLC9g0ME/saDuo1PR5xDPUNBbmMmliPOoQB3bYWv9AHT//YQ7mVBHOOxNj1jqXCe7eQmR86lYUk9VFcKh5wYaCzZdxC5YgXsMRF9c7XzYiP63W6LqQ3XwO5h1E4WMlHiDH9m6zBRF8uA==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key13 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key13
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key13	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key13	2014-02-10 01:13:33.023519814 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAAEArkXtVgHOxrjMBfgDk1xnTdvg11xMCf15UfxrDK7DE6jfOZcMUYv/ul7Wjz8NfyKkAp1BPxrgfk6+nkF3ziPn9UBLVp5O4b3PPB+wPvETgC1PhV65tRNLWnyAha3K5vovoUF+w3Y74XGwxit2Dt4jwSrZK5gIhMZB9aj6wmva1KAzgaIv4bdUiFCUyCUG1AGaU1ooav6ycbubpZLeGNz2AMKu6uVuAvfPefwUzzvcfNhP67v5UMqQMEsiGaeqBjrvosPBmA5WDNZK/neVhbYQdle5V4V+/eYBCYirfeQX/IjY84TE5ucsP5Q+DDHAxKXMNvh52KOsnX1Zhg6q2muDuwAAAAMBAAEAAAEABWsEIW/l81SsdyUKS2sMhSWoXFmwvYDFZFCiLV9DjllqMzqodeKR3UP0jLiLnV/A1Jn5/NHDl/mvwHDNnjmMjRnmHbfHQQprJnXfv100W4BNIBrdUC1c4t/LCRzpmXu+vlcwbzg+TViBA/A29+hdGTTRUqMj5KjbRR1vSlsbDxAswVDgL+7iuI3qStTBusyyTYQHLRTh0kpncfdAjuMFZPuG1Dk6NLzwt4hQHRkzA/E6IoSwAfD2Ser3kyjUrFxDCrRBSSCpRg7Rt7xA7GU+h20Jq8UJrkW1JRkBFqDCYQGEgphQnBw786SD5ydAVOFelwdQNumJ9gkygHtSV3UeeQAAAIDs9a7NHlUV//rL11ooFsbr9JAYzftGOOGF1mpzlrb4CQ+AGMf9lcw0uFfcF/DMZRa7E0arTVgsra17QQM1I4e3AzjQhAR8nZU5tkliBLPdbqRCSZIHvsAflkKH/2M2w5hGWDNoRvVuRoYYgcECM9IXa/FaXpbdx4C8hoqnfTznaQAAAIC8RsRk/GrEyng7DrCKPIQbdy9+my8our1YiuiF4aDGHkhYoPslrCmZkPNb6FFkwlm6EXXN1xknBxNRhJkrbCm3Rt0NLKvhQoNf
 fRSMwWFSS0oJlG1IuChHPxzna2y2iGw0XAPgX0HVG1w6kKPyQHPH10pP4l2c8hx1lg8/w4YxgwAAAIDHNWRXHQD7FdCKPemVelCRXXEm6UQtrPQryC6GLlZz/2oAjtTS43RhffifF6FgtDt/2py2trdCGGCYFffUXKJjwVmqMtJy0Sf69LyMotdzeOiusZsK19o8s94K5zFJgPYrbUsKh10d8DwbrjnM2DPvbNfi2VKL8ITR+WnnlOn2wQAAAIAmWLN/bfnBAwvh22gRf6nYfjnqK2k7fm06L3CUdBPuxhQuGPuN/LasVF18hqCtSPhFcXDw77JrxIEmxT79HRaSAZjcKhEH3CgttqgM0wYjYLo/oT9w5DEv8abNa4/EzZxcPbF8bWpXIS9zrin2GTJ7rVmxU4WFhbpOKLYKYqReSQAAAIBvOFJrOSUIVTTvPkFag27ei4YViix8v+zLC9g0ME/saDuo1PR5xDPUNBbmMmliPOoQB3bYWv9AHT//YQ7mVBHOOxNj1jqXCe7eQmR86lYUk9VFcKh5wYaCzZdxC5YgXsMRF9c7XzYiP63W6LqQ3XwO5h1E4WMlHiDH9m6zBRF8uA==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key14 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key14
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key14	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key14	2014-02-10 01:13:33.023519814 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAAEArkXtVgHOxrjMBfgDk1xnTdvg11xMCf15UfxrDK7DE6jfOZcMUYv/ul7Wjz8NfyKkAp1BPxrgfk6+nkF3ziPn9UBLVp5O4b3PPB+wPvETgC1PhV65tRNLWnyAha3K5vovoUF+w3Y74XGwxit2Dt4jwSrZK5gIhMZB9aj6wmva1KAzgaIv4bdUiFCUyCUG1AGaU1ooav6ycbubpZLeGNz2AMKu6uVuAvfPefwUzzvcfNhP67v5UMqQMEsiGaeqBjrvosPBmA5WDNZK/neVhbYQdle5V4V+/eYBCYirfeQX/IjY84TE5ucsP5Q+DDHAxKXMNvh52KOsnX1Zhg6q2muDuwAAAAMBAAEAAAEABWsEIW/l81SsdyUKS2sMhSWoXFmwvYDFZFCiLV9DjllqMzqodeKR3UP0jLiLnV/A1Jn5/NHDl/mvwHDNnjmMjRnmHbfHQQprJnXfv100W4BNIBrdUC1c4t/LCRzpmXu+vlcwbzg+TViBA/A29+hdGTTRUqMj5KjbRR1vSlsbDxAswVDgL+7iuI3qStTBusyyTYQHLRTh0kpncfdAjuMFZPuG1Dk6NLzwt4hQHRkzA/E6IoSwAfD2Ser3kyjUrFxDCrRBSSCpRg7Rt7xA7GU+h20Jq8UJrkW1JRkBFqDCYQGEgphQnBw786SD5ydAVOFelwdQNumJ9gkygHtSV3UeeQAAAIDs9a7NHlUV//rL11ooFsbr9JAYzftGOOGF1mpzlrb4CQ+AGMf9lcw0uFfcF/DMZRa7E0arTVgsra17QQM1I4e3AzjQhAR8nZU5tkliBLPdbqRCSZIHvsAflkKH/2M2w5hGWDNoRvVuRoYYgcECM9IXa/FaXpbdx4C8hoqnfTznaQAAAIC8RsRk/GrEyng7DrCKPIQbdy9+my8our1YiuiF4aDGHkhYoPslrCmZkPNb6FFkwlm6EXXN1xknBxNRhJkrbCm3Rt0NLKvhQoNf
 fRSMwWFSS0oJlG1IuChHPxzna2y2iGw0XAPgX0HVG1w6kKPyQHPH10pP4l2c8hx1lg8/w4YxgwAAAIDHNWRXHQD7FdCKPemVelCRXXEm6UQtrPQryC6GLlZz/2oAjtTS43RhffifF6FgtDt/2py2trdCGGCYFffUXKJjwVmqMtJy0Sf69LyMotdzeOiusZsK19o8s94K5zFJgPYrbUsKh10d8DwbrjnM2DPvbNfi2VKL8ITR+WnnlOn2wQAAAIAmWLN/bfnBAwvh22gRf6nYfjnqK2k7fm06L3CUdBPuxhQuGPuN/LasVF18hqCtSPhFcXDw77JrxIEmxT79HRaSAZjcKhEH3CgttqgM0wYjYLo/oT9w5DEv8abNa4/EzZxcPbF8bWpXIS9zrin2GTJ7rVmxU4WFhbpOKLYKYqReSQAAAIBvOFJrOSUIVTTvPkFag27ei4YViix8v+zLC9g0ME/saDuo1PR5xDPUNBbmMmliPOoQB3bYWv9AHT//YQ7mVBHOOxNj1jqXCe7eQmR86lYUk9VFcKh5wYaCzZdxC5YgXsMRF9c7XzYiP63W6LqQ3XwO5h1E4WMlHiDH9m6zBRF8uA==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key15 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key15
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key15	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key15	2014-02-10 01:13:33.023519814 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAAEArkXtVgHOxrjMBfgDk1xnTdvg11xMCf15UfxrDK7DE6jfOZcMUYv/ul7Wjz8NfyKkAp1BPxrgfk6+nkF3ziPn9UBLVp5O4b3PPB+wPvETgC1PhV65tRNLWnyAha3K5vovoUF+w3Y74XGwxit2Dt4jwSrZK5gIhMZB9aj6wmva1KAzgaIv4bdUiFCUyCUG1AGaU1ooav6ycbubpZLeGNz2AMKu6uVuAvfPefwUzzvcfNhP67v5UMqQMEsiGaeqBjrvosPBmA5WDNZK/neVhbYQdle5V4V+/eYBCYirfeQX/IjY84TE5ucsP5Q+DDHAxKXMNvh52KOsnX1Zhg6q2muDuwAAAAMBAAEAAAEABWsEIW/l81SsdyUKS2sMhSWoXFmwvYDFZFCiLV9DjllqMzqodeKR3UP0jLiLnV/A1Jn5/NHDl/mvwHDNnjmMjRnmHbfHQQprJnXfv100W4BNIBrdUC1c4t/LCRzpmXu+vlcwbzg+TViBA/A29+hdGTTRUqMj5KjbRR1vSlsbDxAswVDgL+7iuI3qStTBusyyTYQHLRTh0kpncfdAjuMFZPuG1Dk6NLzwt4hQHRkzA/E6IoSwAfD2Ser3kyjUrFxDCrRBSSCpRg7Rt7xA7GU+h20Jq8UJrkW1JRkBFqDCYQGEgphQnBw786SD5ydAVOFelwdQNumJ9gkygHtSV3UeeQAAAIDs9a7NHlUV//rL11ooFsbr9JAYzftGOOGF1mpzlrb4CQ+AGMf9lcw0uFfcF/DMZRa7E0arTVgsra17QQM1I4e3AzjQhAR8nZU5tkliBLPdbqRCSZIHvsAflkKH/2M2w5hGWDNoRvVuRoYYgcECM9IXa/FaXpbdx4C8hoqnfTznaQAAAIC8RsRk/GrEyng7DrCKPIQbdy9+my8our1YiuiF4aDGHkhYoPslrCmZkPNb6FFkwlm6EXXN1xknBxNRhJkrbCm3Rt0NLKvhQoNf
 fRSMwWFSS0oJlG1IuChHPxzna2y2iGw0XAPgX0HVG1w6kKPyQHPH10pP4l2c8hx1lg8/w4YxgwAAAIDHNWRXHQD7FdCKPemVelCRXXEm6UQtrPQryC6GLlZz/2oAjtTS43RhffifF6FgtDt/2py2trdCGGCYFffUXKJjwVmqMtJy0Sf69LyMotdzeOiusZsK19o8s94K5zFJgPYrbUsKh10d8DwbrjnM2DPvbNfi2VKL8ITR+WnnlOn2wQAAAIAmWLN/bfnBAwvh22gRf6nYfjnqK2k7fm06L3CUdBPuxhQuGPuN/LasVF18hqCtSPhFcXDw77JrxIEmxT79HRaSAZjcKhEH3CgttqgM0wYjYLo/oT9w5DEv8abNa4/EzZxcPbF8bWpXIS9zrin2GTJ7rVmxU4WFhbpOKLYKYqReSQAAAIBvOFJrOSUIVTTvPkFag27ei4YViix8v+zLC9g0ME/saDuo1PR5xDPUNBbmMmliPOoQB3bYWv9AHT//YQ7mVBHOOxNj1jqXCe7eQmR86lYUk9VFcKh5wYaCzZdxC5YgXsMRF9c7XzYiP63W6LqQ3XwO5h1E4WMlHiDH9m6zBRF8uA==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key16 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key16
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key16	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key16	2014-02-10 01:13:33.023519814 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAAEArkXtVgHOxrjMBfgDk1xnTdvg11xMCf15UfxrDK7DE6jfOZcMUYv/ul7Wjz8NfyKkAp1BPxrgfk6+nkF3ziPn9UBLVp5O4b3PPB+wPvETgC1PhV65tRNLWnyAha3K5vovoUF+w3Y74XGwxit2Dt4jwSrZK5gIhMZB9aj6wmva1KAzgaIv4bdUiFCUyCUG1AGaU1ooav6ycbubpZLeGNz2AMKu6uVuAvfPefwUzzvcfNhP67v5UMqQMEsiGaeqBjrvosPBmA5WDNZK/neVhbYQdle5V4V+/eYBCYirfeQX/IjY84TE5ucsP5Q+DDHAxKXMNvh52KOsnX1Zhg6q2muDuwAAAAMBAAEAAAEABWsEIW/l81SsdyUKS2sMhSWoXFmwvYDFZFCiLV9DjllqMzqodeKR3UP0jLiLnV/A1Jn5/NHDl/mvwHDNnjmMjRnmHbfHQQprJnXfv100W4BNIBrdUC1c4t/LCRzpmXu+vlcwbzg+TViBA/A29+hdGTTRUqMj5KjbRR1vSlsbDxAswVDgL+7iuI3qStTBusyyTYQHLRTh0kpncfdAjuMFZPuG1Dk6NLzwt4hQHRkzA/E6IoSwAfD2Ser3kyjUrFxDCrRBSSCpRg7Rt7xA7GU+h20Jq8UJrkW1JRkBFqDCYQGEgphQnBw786SD5ydAVOFelwdQNumJ9gkygHtSV3UeeQAAAIDs9a7NHlUV//rL11ooFsbr9JAYzftGOOGF1mpzlrb4CQ+AGMf9lcw0uFfcF/DMZRa7E0arTVgsra17QQM1I4e3AzjQhAR8nZU5tkliBLPdbqRCSZIHvsAflkKH/2M2w5hGWDNoRvVuRoYYgcECM9IXa/FaXpbdx4C8hoqnfTznaQAAAIC8RsRk/GrEyng7DrCKPIQbdy9+my8our1YiuiF4aDGHkhYoPslrCmZkPNb6FFkwlm6EXXN1xknBxNRhJkrbCm3Rt0NLKvhQoNf
 fRSMwWFSS0oJlG1IuChHPxzna2y2iGw0XAPgX0HVG1w6kKPyQHPH10pP4l2c8hx1lg8/w4YxgwAAAIDHNWRXHQD7FdCKPemVelCRXXEm6UQtrPQryC6GLlZz/2oAjtTS43RhffifF6FgtDt/2py2trdCGGCYFffUXKJjwVmqMtJy0Sf69LyMotdzeOiusZsK19o8s94K5zFJgPYrbUsKh10d8DwbrjnM2DPvbNfi2VKL8ITR+WnnlOn2wQAAAIAmWLN/bfnBAwvh22gRf6nYfjnqK2k7fm06L3CUdBPuxhQuGPuN/LasVF18hqCtSPhFcXDw77JrxIEmxT79HRaSAZjcKhEH3CgttqgM0wYjYLo/oT9w5DEv8abNa4/EzZxcPbF8bWpXIS9zrin2GTJ7rVmxU4WFhbpOKLYKYqReSQAAAIBvOFJrOSUIVTTvPkFag27ei4YViix8v+zLC9g0ME/saDuo1PR5xDPUNBbmMmliPOoQB3bYWv9AHT//YQ7mVBHOOxNj1jqXCe7eQmR86lYUk9VFcKh5wYaCzZdxC5YgXsMRF9c7XzYiP63W6LqQ3XwO5h1E4WMlHiDH9m6zBRF8uA==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key17 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key17
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key17	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key17	2014-02-10 01:13:33.024519797 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAAEArkXtVgHOxrjMBfgDk1xnTdvg11xMCf15UfxrDK7DE6jfOZcMUYv/ul7Wjz8NfyKkAp1BPxrgfk6+nkF3ziPn9UBLVp5O4b3PPB+wPvETgC1PhV65tRNLWnyAha3K5vovoUF+w3Y74XGwxit2Dt4jwSrZK5gIhMZB9aj6wmva1KAzgaIv4bdUiFCUyCUG1AGaU1ooav6ycbubpZLeGNz2AMKu6uVuAvfPefwUzzvcfNhP67v5UMqQMEsiGaeqBjrvosPBmA5WDNZK/neVhbYQdle5V4V+/eYBCYirfeQX/IjY84TE5ucsP5Q+DDHAxKXMNvh52KOsnX1Zhg6q2muDuwAAAAMBAAEAAAEABWsEIW/l81SsdyUKS2sMhSWoXFmwvYDFZFCiLV9DjllqMzqodeKR3UP0jLiLnV/A1Jn5/NHDl/mvwHDNnjmMjRnmHbfHQQprJnXfv100W4BNIBrdUC1c4t/LCRzpmXu+vlcwbzg+TViBA/A29+hdGTTRUqMj5KjbRR1vSlsbDxAswVDgL+7iuI3qStTBusyyTYQHLRTh0kpncfdAjuMFZPuG1Dk6NLzwt4hQHRkzA/E6IoSwAfD2Ser3kyjUrFxDCrRBSSCpRg7Rt7xA7GU+h20Jq8UJrkW1JRkBFqDCYQGEgphQnBw786SD5ydAVOFelwdQNumJ9gkygHtSV3UeeQAAAIDs9a7NHlUV//rL11ooFsbr9JAYzftGOOGF1mpzlrb4CQ+AGMf9lcw0uFfcF/DMZRa7E0arTVgsra17QQM1I4e3AzjQhAR8nZU5tkliBLPdbqRCSZIHvsAflkKH/2M2w5hGWDNoRvVuRoYYgcECM9IXa/FaXpbdx4C8hoqnfTznaQAAAIC8RsRk/GrEyng7DrCKPIQbdy9+my8our1YiuiF4aDGHkhYoPslrCmZkPNb6FFkwlm6EXXN1xknBxNRhJkrbCm3Rt0NLKvhQoNf
 fRSMwWFSS0oJlG1IuChHPxzna2y2iGw0XAPgX0HVG1w6kKPyQHPH10pP4l2c8hx1lg8/w4YxgwAAAIDHNWRXHQD7FdCKPemVelCRXXEm6UQtrPQryC6GLlZz/2oAjtTS43RhffifF6FgtDt/2py2trdCGGCYFffUXKJjwVmqMtJy0Sf69LyMotdzeOiusZsK19o8s94K5zFJgPYrbUsKh10d8DwbrjnM2DPvbNfi2VKL8ITR+WnnlOn2wQAAAIAmWLN/bfnBAwvh22gRf6nYfjnqK2k7fm06L3CUdBPuxhQuGPuN/LasVF18hqCtSPhFcXDw77JrxIEmxT79HRaSAZjcKhEH3CgttqgM0wYjYLo/oT9w5DEv8abNa4/EzZxcPbF8bWpXIS9zrin2GTJ7rVmxU4WFhbpOKLYKYqReSQAAAIBvOFJrOSUIVTTvPkFag27ei4YViix8v+zLC9g0ME/saDuo1PR5xDPUNBbmMmliPOoQB3bYWv9AHT//YQ7mVBHOOxNj1jqXCe7eQmR86lYUk9VFcKh5wYaCzZdxC5YgXsMRF9c7XzYiP63W6LqQ3XwO5h1E4WMlHiDH9m6zBRF8uA==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key2 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key2
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key2	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key2	2014-02-10 01:13:33.024519797 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAACAqLOyhK+OtQs4cDSoYPFGxJGfMYdjzWxVmMiuSBGh4KvEx+CwgtaTpef87Wdc9GaFEncsDLxkp0LGxjD1M8jMcvYq6DPEC/JYQumEu3i9v5fAEH1VvbZi9cTg+rmEXLUUjvc5LdOq/5OuHmtme7PUJHYW1PW6ENTP0ibeiNOfFvsAAAADAQABAAAAgFMznP23n8hGamVccxasqFxV/Y9t2Jj9rxGVF+9PUuj9jiWN+T/uGA+g5KspaTzYOxUqVT1KxNGBK4ufpa8Of1X+cwTfQVcJJvMxHxXE1lpzLEgxFu49PS0K81Sa2b98v7eK2IT4TVvrBHJNxzabMd7zfQz1OenPzdPeZTcp6tXRAAAAQNMnN+cmf/4TQbLVwNFQqBtYb7MTK+0vjVJihkqcufMK84vkSFmNQToXLvuALCGs8cEcUgwvJqRx3K0hLqx8o50AAABAzIhT0dVNpjD6wAT0cfKBx7iYLYIkpJDtvrM9Pj1cyTxHZXA9HdeRZC8fEWoN2FK+JBmyr3K/6aAw6GCwKItddwAAAEAOEr8XGOnO9VmbocOIL+gEapCHTu/OjyzMIOTydB+wozo4SK7JyTBfvsvS12gZln1GcazGQx5AN5aNs3h45pXBAAAAQJUpew+Vovpn0AcH1gnf1PwFyJ2vwu9tbqVb7HceozNzTZJR55CC7NqGbv7xPEWeGmMThrfjVMiZ9fESyoXXFYMAAABAT0VsUCSTvcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2h90qjKHS9PvY4Q==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key3 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key3
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key3	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key3	2014-02-10 01:13:33.024519797 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAACAqLOyhK+OtQs4cDSoYPFGxJGfMYdjzWxVmMiuSBGh4KvEx+CwgtaTpef87Wdc9GaFEncsDLxkp0LGxjD1M8jMcvYq6DPEC/JYQumEu3i9v5fAEH1VvbZi9cTg+rmEXLUUjvc5LdOq/5OuHmtme7PUJHYW1PW6ENTP0ibeiNOfFvsAAAADAQABAAAAgFMznP23n8hGamVccxasqFxV/Y9t2Jj9rxGVF+9PUuj9jiWN+T/uGA+g5KspaTzYOxUqVT1KxNGBK4ufpa8Of1X+cwTfQVcJJvMxHxXE1lpzLEgxFu49PS0K81Sa2b98v7eK2IT4TVvrBHJNxzabMd7zfQz1OenPzdPeZTcp6tXRAAAAQNMnN+cmf/4TQbLVwNFQqBtYb7MTK+0vjVJihkqcufMK84vkSFmNQToXLvuALCGs8cEcUgwvJqRx3K0hLqx8o50AAABAzIhT0dVNpjD6wAT0cfKBx7iYLYIkpJDtvrM9Pj1cyTxHZXA9HdeRZC8fEWoN2FK+JBmyr3K/6aAw6GCwKItddwAAAEAOEr8XGOnO9VmbocOIL+gEapCHTu/OjyzMIOTydB+wozo4SK7JyTBfvsvS12gZln1GcazGQx5AN5aNs3h45pXBAAAAQJUpew+Vovpn0AcH1gnf1PwFyJ2vwu9tbqVb7HceozNzTZJR55CC7NqGbv7xPEWeGmMThrfjVMiZ9fESyoXXFYMAAABAT0VsUCSTvcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2h90qjKHS9PvY4Q==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key4 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key4
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key4	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key4	2014-02-10 01:13:33.024519797 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAACAqLOyhK+OtQs4cDSoYPFGxJGfMYdjzWxVmMiuSBGh4KvEx+CwgtaTpef87Wdc9GaFEncsDLxkp0LGxjD1M8jMcvYq6DPEC/JYQumEu3i9v5fAEH1VvbZi9cTg+rmEXLUUjvc5LdOq/5OuHmtme7PUJHYW1PW6ENTP0ibeiNOfFvsAAAADAQABAAAAgFMznP23n8hGamVccxasqFxV/Y9t2Jj9rxGVF+9PUuj9jiWN+T/uGA+g5KspaTzYOxUqVT1KxNGBK4ufpa8Of1X+cwTfQVcJJvMxHxXE1lpzLEgxFu49PS0K81Sa2b98v7eK2IT4TVvrBHJNxzabMd7zfQz1OenPzdPeZTcp6tXRAAAAQNMnN+cmf/4TQbLVwNFQqBtYb7MTK+0vjVJihkqcufMK84vkSFmNQToXLvuALCGs8cEcUgwvJqRx3K0hLqx8o50AAABAzIhT0dVNpjD6wAT0cfKBx7iYLYIkpJDtvrM9Pj1cyTxHZXA9HdeRZC8fEWoN2FK+JBmyr3K/6aAw6GCwKItddwAAAEAOEr8XGOnO9VmbocOIL+gEapCHTu/OjyzMIOTydB+wozo4SK7JyTBfvsvS12gZln1GcazGQx5AN5aNs3h45pXBAAAAQJUpew+Vovpn0AcH1gnf1PwFyJ2vwu9tbqVb7HceozNzTZJR55CC7NqGbv7xPEWeGmMThrfjVMiZ9fESyoXXFYMAAABAT0VsUCSTvcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2h90qjKHS9PvY4Q==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key5 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key5
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key5	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key5	2014-02-10 01:13:33.024519797 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAACAqLOyhK+OtQs4cDSoYPFGxJGfMYdjzWxVmMiuSBGh4KvEx+CwgtaTpef87Wdc9GaFEncsDLxkp0LGxjD1M8jMcvYq6DPEC/JYQumEu3i9v5fAEH1VvbZi9cTg+rmEXLUUjvc5LdOq/5OuHmtme7PUJHYW1PW6ENTP0ibeiNOfFvsAAAADAQABAAAAgFMznP23n8hGamVccxasqFxV/Y9t2Jj9rxGVF+9PUuj9jiWN+T/uGA+g5KspaTzYOxUqVT1KxNGBK4ufpa8Of1X+cwTfQVcJJvMxHxXE1lpzLEgxFu49PS0K81Sa2b98v7eK2IT4TVvrBHJNxzabMd7zfQz1OenPzdPeZTcp6tXRAAAAQNMnN+cmf/4TQbLVwNFQqBtYb7MTK+0vjVJihkqcufMK84vkSFmNQToXLvuALCGs8cEcUgwvJqRx3K0hLqx8o50AAABAzIhT0dVNpjD6wAT0cfKBx7iYLYIkpJDtvrM9Pj1cyTxHZXA9HdeRZC8fEWoN2FK+JBmyr3K/6aAw6GCwKItddwAAAEAOEr8XGOnO9VmbocOIL+gEapCHTu/OjyzMIOTydB+wozo4SK7JyTBfvsvS12gZln1GcazGQx5AN5aNs3h45pXBAAAAQJUpew+Vovpn0AcH1gnf1PwFyJ2vwu9tbqVb7HceozNzTZJR55CC7NqGbv7xPEWeGmMThrfjVMiZ9fESyoXXFYMAAABAT0VsUCSTvcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2h90qjKHS9PvY4Q==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key6 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key6
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key6	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key6	2014-02-10 01:13:33.024519797 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAADAzyzUHjTKOnKOpcuK/2TDbSe971Nk4zb9aNMSPFoZaowocBPoU9UVbVjRUZVFIPtPbXsXq7aBd2WQnFdhGWWdkCsZBu2KKxDBVcJNEkUo2rnurjeb6sZuSkEXhty4/QBi68Aw3hIZoEwqjBt90xMeTWtsruLjGl7UGsFQmy7x7iqxg2S+VoypQcJezIT/nWQ7XsGqrhAqINc/R5t4D9bakQdSEtnqwDoGdNiZ66LkMfTES2Fba6IjK9SzO67XPWJdAAAAAwEAAQAAAMAZjBQeI3FakrzPahGaW8ETiUaNKBH1SNcn4XtKsOuYbW8hHvtTtx98y+qH7mnHXuYVAIxTMt61K/OQq9+/431yBTaBWbJjjB3jJuIdIiUfD7WEizvxUAXSp0Mw8K/pFu5izME0TR2DpwnmBnYnOED383dCSl4KTadfAbMf92gZz5y/3SFSQ8ORfAPvOBmTEuVns7967Tq0V/Nx74oUI/RbaMbiguwRG7ooM7mH/Wn62DvBuMYTxeHqFsEe0SXqfsEAAABg/I1sBL7E65qBksp5AMvlNuLotRnezzOyRZeYxpCd9PF2230jGQ/HK4hlpxiviV8bzZFFKYAnQjtgXnCkfPWDkKjD6I/IxI6LMuPaIQ374+iB6lZ0tqNIwh6T+eVepl79AAAAYNIA1F54iqzqYGpAHQRg+H3VwQJ+EtwaDXWG6JOdnPeJtA9RrARClh3n0hzCHgXIMVXB8qqRkzh8/flWy0jRU7onBAb5u7pTfUmH2eL5lC16FMv//qdP7N2pKNI+JZ9e4QAAAGDbFoAveaLw1F81jWn9M+RLgfroKGIuk6VCU+mX0BsHQ3WdoOgStKpObIvqsjKNVDGVWkGKZ/8mqMXIB6XaNU4F7zHMjPdY9GNzKVCwPiZXJvuU451qVyomJEqwjbdXUq0AAABgoKMXz+ffFCP4em3uhFH04rSmflSX8ptPHk6DC5+t2UAR
 ZwJvVZblo5yXgX4PXxbifhnsmQLgHX6m+5qjx2Cv7h44G2neasnAdYWgatnEugC/dcitL6iYpHnoCuKU/tKhAAAAYAsh8zXDUzQutEw6okRFeAwtZVuUAXTK44x8ik5kk8C6n9MDdIJnsIO5p6bLYeQts2K4yYlttwZOAq1a5hWH2hW0ZJyQWUkJ/rN9vLZUvrcmjsgB5ai0qjkRvr2IVC8Fvg==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key7 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key7
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key7	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key7	2014-02-10 01:13:33.024519797 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAADAzyzUHjTKOnKOpcuK/2TDbSe971Nk4zb9aNMSPFoZaowocBPoU9UVbVjRUZVFIPtPbXsXq7aBd2WQnFdhGWWdkCsZBu2KKxDBVcJNEkUo2rnurjeb6sZuSkEXhty4/QBi68Aw3hIZoEwqjBt90xMeTWtsruLjGl7UGsFQmy7x7iqxg2S+VoypQcJezIT/nWQ7XsGqrhAqINc/R5t4D9bakQdSEtnqwDoGdNiZ66LkMfTES2Fba6IjK9SzO67XPWJdAAAAAwEAAQAAAMAZjBQeI3FakrzPahGaW8ETiUaNKBH1SNcn4XtKsOuYbW8hHvtTtx98y+qH7mnHXuYVAIxTMt61K/OQq9+/431yBTaBWbJjjB3jJuIdIiUfD7WEizvxUAXSp0Mw8K/pFu5izME0TR2DpwnmBnYnOED383dCSl4KTadfAbMf92gZz5y/3SFSQ8ORfAPvOBmTEuVns7967Tq0V/Nx74oUI/RbaMbiguwRG7ooM7mH/Wn62DvBuMYTxeHqFsEe0SXqfsEAAABg/I1sBL7E65qBksp5AMvlNuLotRnezzOyRZeYxpCd9PF2230jGQ/HK4hlpxiviV8bzZFFKYAnQjtgXnCkfPWDkKjD6I/IxI6LMuPaIQ374+iB6lZ0tqNIwh6T+eVepl79AAAAYNIA1F54iqzqYGpAHQRg+H3VwQJ+EtwaDXWG6JOdnPeJtA9RrARClh3n0hzCHgXIMVXB8qqRkzh8/flWy0jRU7onBAb5u7pTfUmH2eL5lC16FMv//qdP7N2pKNI+JZ9e4QAAAGDbFoAveaLw1F81jWn9M+RLgfroKGIuk6VCU+mX0BsHQ3WdoOgStKpObIvqsjKNVDGVWkGKZ/8mqMXIB6XaNU4F7zHMjPdY9GNzKVCwPiZXJvuU451qVyomJEqwjbdXUq0AAABgoKMXz+ffFCP4em3uhFH04rSmflSX8ptPHk6DC5+t2UAR
 ZwJvVZblo5yXgX4PXxbifhnsmQLgHX6m+5qjx2Cv7h44G2neasnAdYWgatnEugC/dcitL6iYpHnoCuKU/tKhAAAAYAsh8zXDUzQutEw6okRFeAwtZVuUAXTK44x8ik5kk8C6n9MDdIJnsIO5p6bLYeQts2K4yYlttwZOAq1a5hWH2hW0ZJyQWUkJ/rN9vLZUvrcmjsgB5ai0qjkRvr2IVC8Fvg==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key8 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key8
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key8	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key8	2014-02-10 01:13:33.024519797 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAADAzyzUHjTKOnKOpcuK/2TDbSe971Nk4zb9aNMSPFoZaowocBPoU9UVbVjRUZVFIPtPbXsXq7aBd2WQnFdhGWWdkCsZBu2KKxDBVcJNEkUo2rnurjeb6sZuSkEXhty4/QBi68Aw3hIZoEwqjBt90xMeTWtsruLjGl7UGsFQmy7x7iqxg2S+VoypQcJezIT/nWQ7XsGqrhAqINc/R5t4D9bakQdSEtnqwDoGdNiZ66LkMfTES2Fba6IjK9SzO67XPWJdAAAAAwEAAQAAAMAZjBQeI3FakrzPahGaW8ETiUaNKBH1SNcn4XtKsOuYbW8hHvtTtx98y+qH7mnHXuYVAIxTMt61K/OQq9+/431yBTaBWbJjjB3jJuIdIiUfD7WEizvxUAXSp0Mw8K/pFu5izME0TR2DpwnmBnYnOED383dCSl4KTadfAbMf92gZz5y/3SFSQ8ORfAPvOBmTEuVns7967Tq0V/Nx74oUI/RbaMbiguwRG7ooM7mH/Wn62DvBuMYTxeHqFsEe0SXqfsEAAABg/I1sBL7E65qBksp5AMvlNuLotRnezzOyRZeYxpCd9PF2230jGQ/HK4hlpxiviV8bzZFFKYAnQjtgXnCkfPWDkKjD6I/IxI6LMuPaIQ374+iB6lZ0tqNIwh6T+eVepl79AAAAYNIA1F54iqzqYGpAHQRg+H3VwQJ+EtwaDXWG6JOdnPeJtA9RrARClh3n0hzCHgXIMVXB8qqRkzh8/flWy0jRU7onBAb5u7pTfUmH2eL5lC16FMv//qdP7N2pKNI+JZ9e4QAAAGDbFoAveaLw1F81jWn9M+RLgfroKGIuk6VCU+mX0BsHQ3WdoOgStKpObIvqsjKNVDGVWkGKZ/8mqMXIB6XaNU4F7zHMjPdY9GNzKVCwPiZXJvuU451qVyomJEqwjbdXUq0AAABgoKMXz+ffFCP4em3uhFH04rSmflSX8ptPHk6DC5+t2UAR
 ZwJvVZblo5yXgX4PXxbifhnsmQLgHX6m+5qjx2Cv7h44G2neasnAdYWgatnEugC/dcitL6iYpHnoCuKU/tKhAAAAYAsh8zXDUzQutEw6okRFeAwtZVuUAXTK44x8ik5kk8C6n9MDdIJnsIO5p6bLYeQts2K4yYlttwZOAq1a5hWH2hW0ZJyQWUkJ/rN9vLZUvrcmjsgB5ai0qjkRvr2IVC8Fvg==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key9 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key9
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key9	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/key9	2014-02-10 01:13:33.024519797 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAADAzyzUHjTKOnKOpcuK/2TDbSe971Nk4zb9aNMSPFoZaowocBPoU9UVbVjRUZVFIPtPbXsXq7aBd2WQnFdhGWWdkCsZBu2KKxDBVcJNEkUo2rnurjeb6sZuSkEXhty4/QBi68Aw3hIZoEwqjBt90xMeTWtsruLjGl7UGsFQmy7x7iqxg2S+VoypQcJezIT/nWQ7XsGqrhAqINc/R5t4D9bakQdSEtnqwDoGdNiZ66LkMfTES2Fba6IjK9SzO67XPWJdAAAAAwEAAQAAAMAZjBQeI3FakrzPahGaW8ETiUaNKBH1SNcn4XtKsOuYbW8hHvtTtx98y+qH7mnHXuYVAIxTMt61K/OQq9+/431yBTaBWbJjjB3jJuIdIiUfD7WEizvxUAXSp0Mw8K/pFu5izME0TR2DpwnmBnYnOED383dCSl4KTadfAbMf92gZz5y/3SFSQ8ORfAPvOBmTEuVns7967Tq0V/Nx74oUI/RbaMbiguwRG7ooM7mH/Wn62DvBuMYTxeHqFsEe0SXqfsEAAABg/I1sBL7E65qBksp5AMvlNuLotRnezzOyRZeYxpCd9PF2230jGQ/HK4hlpxiviV8bzZFFKYAnQjtgXnCkfPWDkKjD6I/IxI6LMuPaIQ374+iB6lZ0tqNIwh6T+eVepl79AAAAYNIA1F54iqzqYGpAHQRg+H3VwQJ+EtwaDXWG6JOdnPeJtA9RrARClh3n0hzCHgXIMVXB8qqRkzh8/flWy0jRU7onBAb5u7pTfUmH2eL5lC16FMv//qdP7N2pKNI+JZ9e4QAAAGDbFoAveaLw1F81jWn9M+RLgfroKGIuk6VCU+mX0BsHQ3WdoOgStKpObIvqsjKNVDGVWkGKZ/8mqMXIB6XaNU4F7zHMjPdY9GNzKVCwPiZXJvuU451qVyomJEqwjbdXUq0AAABgoKMXz+ffFCP4em3uhFH04rSmflSX8ptPHk6DC5+t2UAR
 ZwJvVZblo5yXgX4PXxbifhnsmQLgHX6m+5qjx2Cv7h44G2neasnAdYWgatnEugC/dcitL6iYpHnoCuKU/tKhAAAAYAsh8zXDUzQutEw6okRFeAwtZVuUAXTK44x8ik5kk8C6n9MDdIJnsIO5p6bLYeQts2K4yYlttwZOAq1a5hWH2hW0ZJyQWUkJ/rN9vLZUvrcmjsgB5ai0qjkRvr2IVC8Fvg==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash0 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash0
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash0	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash0	2014-02-10 01:13:33.024519797 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash1	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash1	2014-02-10 01:13:33.024519797 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash10 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash10
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash10	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash10	2014-02-10 01:13:33.025519780 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash11 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash11
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash11	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash11	2014-02-10 01:13:33.025519780 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash12 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash12
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash12	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash12	2014-02-10 01:13:33.025519780 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash13 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash13
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash13	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash13	2014-02-10 01:13:33.025519780 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash14 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash14
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash14	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash14	2014-02-10 01:13:33.025519780 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash15 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash15
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash15	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash15	2014-02-10 01:13:33.025519780 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash16 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash16
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash16	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash16	2014-02-10 01:13:33.025519780 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash17 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash17
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash17	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash17	2014-02-10 01:13:33.025519780 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash2 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash2
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash2	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash2	2014-02-10 01:13:33.025519780 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash3 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash3
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash3	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash3	2014-02-10 01:13:33.025519780 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash4 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash4
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash4	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash4	2014-02-10 01:13:33.025519780 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash5 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash5
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash5	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash5	2014-02-10 01:13:33.025519780 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash6 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash6
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash6	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash6	2014-02-10 01:13:33.025519780 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash7 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash7
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash7	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash7	2014-02-10 01:13:33.025519780 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash8 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash8
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash8	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash8	2014-02-10 01:13:33.025519780 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash9 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash9
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash9	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/maskhash9	2014-02-10 01:13:33.025519780 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/numtests seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/numtests
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/numtests	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/numtests	2014-02-10 01:13:33.025519780 +0400
+@@ -0,0 +1 @@
++18
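Review bot: `numtests` is set to 18 here and `maskhash0` through `maskhash17` are all added, but the patch carries no `plaintext0` (the next section is `plaintext1`) and no `plaintext15` (the sections go from `plaintext14` straight to `plaintext16`). If bltest reads one plaintext file per test index, as the parallel file naming suggests, two of the 18 RSA-OAEP vectors would have no input once this patch is applied. A possible cause is that `diff -Nrbu` did not emit content for files it classified as binary. The plaintext files that did make it are raw bytes on text lines, which would not survive any charset or whitespace conversion on the way. I would ship the `rsa_oaep` directory in a binary-safe form, for example a tarball added as an extra source, and add a post-patch check such as `test "$(ls plaintext* | wc -l)" -eq "$(cat numtests)"`.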
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext1	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext1	2014-02-10 01:13:33.026519763 +0400
+@@ -0,0 +1 @@
++u@GõGèä…e#)ŠÉºâEﯗûåoÕ
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext10 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext10
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext10	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext10	2014-02-10 01:13:33.026519763 +0400
+@@ -0,0 +1 @@
++SæèÇ)ÖùÃÝ1~t°ÛŽLÌ¢_<ƒtnzÆ:cï79絕«¹nUåO{Ô´37û‘
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext11 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext11
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext11	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext11	2014-02-10 01:13:33.026519763 +0400
+@@ -0,0 +1 @@
++¶²Ž¢¼d
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext12 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext12
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext12	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext12	2014-02-10 01:13:33.026519763 +0400
+@@ -0,0 +1 @@
++‹ºkø*l†Õñun—•hp°‰S°kN²¼”î
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext13 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext13
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext13	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext13	2014-02-10 01:13:33.026519763 +0400
+@@ -0,0 +1 @@
++æ­;X©òEu7>W
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext14 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext14
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext14	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext14	2014-02-10 01:13:33.026519763 +0400
+@@ -0,0 +1,2 @@
++Q
++,ö†o¢4SÉN£Ÿ¼%cè>”EKA$
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext16 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext16
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext16	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext16	2014-02-10 01:13:33.026519763 +0400
+@@ -0,0 +1 @@
++§Ýl}ÂKFùÝ_‘­¤Ã³ß”~‡r2©
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext17 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext17
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext17	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext17	2014-02-10 01:13:33.026519763 +0400
+@@ -0,0 +1 @@
++êñ§:F	S}æœÙ"‹¼ûšŒ¨ÆÃï¯oä§ôcNÐ|9ìi"׸ê,ë¬
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext2 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext2
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext2	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext2	2014-02-10 01:13:33.026519763 +0400
+@@ -0,0 +1 @@
++ÙJàƒ.dEÎB3°mS‚±ÛKªÓtmÉß$ÔãÂEÿY¦B>°áÐ-OæFÏiýŒn—°Q
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext3 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext3
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext3	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext3	2014-02-10 01:13:33.026519763 +0400
+@@ -0,0 +1 @@
++RæPÙŽ*‹O†…!S¹~Ý1o4jöz…
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext4 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext4
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext4	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext4	2014-02-10 01:13:33.026519763 +0400
+@@ -0,0 +1 @@
++¨ŸÙåùt¢ŸïûF+Ilùè
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext5 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext5
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext5	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext5	2014-02-10 01:13:33.026519763 +0400
+@@ -0,0 +1 @@
++&RP„Bq
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext6 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext6
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext6	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext6	2014-02-10 01:13:33.026519763 +0400
+@@ -0,0 +1 @@
++÷5ýUº’Y,;R¸ùÄöšª¾øþˆ­Ð•YTFœôì‰lYí¡bçTœŠ»ͼ!¡.ɶµ¸ý/9ž¶
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext7 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext7
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext7	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext7	2014-02-10 01:13:33.026519763 +0400
+@@ -0,0 +1 @@
++¹`P¦:«ä-ßá—‰õ@Ltt²mÎ>Ô‚¿–́‹ô ÅFY
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext8 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext8
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext8	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext8	2014-02-10 01:13:33.026519763 +0400
+@@ -0,0 +1 @@
++ý2d)ß›‰	µK¸óO$
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext9 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext9
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext9	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/plaintext9	2014-02-10 01:13:33.026519763 +0400
+@@ -0,0 +1,3 @@
++ñE›_’ðr:.VbHMŒ
++ ü)ÚÖ¬Ô;µóïýôá¶>ýþf(Ð×L¡›òÖžJ
++¿†Ò“’ZygrøŽ
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed0 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed0
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed0	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed0	2014-02-10 01:13:33.026519763 +0400
+@@ -0,0 +1 @@
++GLd26iEGnWl3ajPpa61I4d2gpe8=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed1	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed1	2014-02-10 01:13:33.027519745 +0400
+@@ -0,0 +1 @@
++DMdCzkqbfzL5UbyyUe/ZJf5P418=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed10 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed10
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed10	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed10	2014-02-10 01:13:33.027519745 +0400
+@@ -0,0 +1 @@
++/LxCFALp7KvGCCr6QLpfJlIshA4=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed11 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed11
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed11	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed11	2014-02-10 01:13:33.027519745 +0400
+@@ -0,0 +1 @@
++I6reDh4Iu5uaeNIwKlL5whsuG6I=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed12 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed12
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed12	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed12	2014-02-10 01:13:33.027519745 +0400
+@@ -0,0 +1 @@
++R+GrcRn+5WyV7l6q2G9A0KpjvTM=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed13 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed13
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed13	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed13	2014-02-10 01:13:33.027519745 +0400
+@@ -0,0 +1 @@
++bRf1tMH/rDUdGVv3sJ0J8JpAec8=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed14 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed14
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed14	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed14	2014-02-10 01:13:33.027519745 +0400
+@@ -0,0 +1 @@
++OFOHUU3szHx0DdjN+druSaHL/VQ=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed15 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed15
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed15	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed15	2014-02-10 01:13:33.027519745 +0400
+@@ -0,0 +1 @@
++XKymoPdkFhqWhPhdkrbg7zfKi2U=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed16 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed16
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed16	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed16	2014-02-10 01:13:33.027519745 +0400
+@@ -0,0 +1 @@
++lbyp44WYlLPdhp+n7NW7xkAb8+Q=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed17 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed17
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed17	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed17	2014-02-10 01:13:33.027519745 +0400
+@@ -0,0 +1 @@
++n0fd9C6X7qhWqb28cU6zrCL26zI=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed2 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed2
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed2	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed2	2014-02-10 01:13:33.027519745 +0400
+@@ -0,0 +1 @@
++JRTfRpV1WmeyiOr0kFw27sZv0v0=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed3 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed3
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed3	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed3	2014-02-10 01:13:33.027519745 +0400
+@@ -0,0 +1 @@
++xENaPhoYpotoIENikKN877hds/s=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed4 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed4
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed4	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed4	2014-02-10 01:13:33.027519745 +0400
+@@ -0,0 +1 @@
++sxjELfO+D4P+qCP1p7R+1eQlo7U=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed5 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed5
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed5	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed5	2014-02-10 01:13:33.027519745 +0400
+@@ -0,0 +1 @@
++5OwJgsIzbzpnf2o1YXTrDOiHq8I=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed6 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed6
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed6	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed6	2014-02-10 01:13:33.027519745 +0400
+@@ -0,0 +1 @@
++jsll8TSj7Jkx6SocoNyBadXqcFw=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed7 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed7
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed7	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed7	2014-02-10 01:13:33.027519745 +0400
+@@ -0,0 +1 @@
++7LG4sl+lDNqwjlYEKGf0r1gm0Ww=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed8 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed8
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed8	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed8	2014-02-10 01:13:33.027519745 +0400
+@@ -0,0 +1 @@
++6JuwMsbOYiy9tTvJRmAU6nf3d8A=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed9 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed9
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed9	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_oaep/seed9	2014-02-10 01:13:33.027519745 +0400
+@@ -0,0 +1 @@
++YG87mcC5zNdx6qKeoOTIhPMYnMw=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext0 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext0
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext0	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext0	2014-02-10 01:13:33.028519727 +0400
+@@ -0,0 +1,3 @@
++kHQwj7WY6XAbIpQ4jlL5cfqsK2ClFFrxhd9Sh7XtKIflfOf9RNyGNOQHyODkNgvCJvPsIn+dnlRj
++jo0x9QUSFd9uu5wvlXmqd1mKOPkUtbnBvYPE4vnzgqDQqjVC/+5lmEpgG8aeso3rJ9yhLILC1MP2
++bNUA8f8rmU2KTjDLszw=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext1	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext1	2014-02-10 01:13:33.028519727 +0400
+@@ -0,0 +1,3 @@
++Pvf0boMb+SsyJ0FCpYX/zvvcp7Mq6Q0Q+w8McpmE8E7ymp3weAd1zkNzm5eDg5DbClUF5j3pJwKN
++nSmyGcosRReDJVilXWlKbSW52rZgA8TMzZB4Ahk75RcNJhR9N7k1kCQb5RwlBV9H72J1LPviFBj6
++/pjCLE1NR3JP21Zp6EM=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext10 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext10
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext10	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext10	2014-02-10 01:13:33.028519727 +0400
+@@ -0,0 +1,4 @@
++ghAt+MuR5xeZGaBNJtM11k+8L4csRIM5QyQd6EVIECdM3z219C1CPbFSr3E19wFCDjm0lKZ8v9Gf
++kRnaIzoj2lxkObW6DSvDc+7jUHABN41KQHOFa3/iq6C17pOyf0r+x9TRIJIcg/YGdlsCwZ5Naho7
++lfpMQilRvk9SExB37xcXlynN3721aVDbrO7+eMsWZAoJnqVtJDie7xD4/ssxuj6jsifAqGaYu4nj
++6TY5Bb8id3sqOqUhtltM73bYO95M
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext11 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext11
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext11	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext11	2014-02-10 01:13:33.028519727 +0400
+@@ -0,0 +1,4 @@
++p/2w0lkWXKLIjQC78QKKhn0zdpnQYRk7F6lkjhTMu6rerKrN7IFedXEpTruKEXryBfoHi0ewcSwZ
++njrQUTXFBMJLgXBRFXQIAkh5kv/VEdSvxrhUSR6z8N1SMTlUL/FcMQHuhVQ1F8ajx5QXxn4t2ap0
++HpopsG3LWTwjNrNnCuOvusfD524hVHPoZuM4yiRN4AtiYk1rlCaCLOrp+MxGCJX0ElAHP9RcWh57
++QlwgSkI6aZFZ9pA+cQs3p7sryASf
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext12 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext12
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext12	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext12	2014-02-10 01:13:33.028519727 +0400
+@@ -0,0 +1,5 @@
++gsKxYAk7iqPA91IrGfhzVAZsd4R6vyqfzlQtDoTpIMWvtJ/9/azhZWDulKE2lgEUjrrXoOFRzxYz
++F5Glcn0F8h505+uBFEAgaTXXRHZaFeefAVy2bFMsh6agWWHIv610GppmVwIolDk+ciNzl5bAKndF
++XQ9VWw7AHd8lm2IH/Q/VdhTO8aVXO6r/TsAAaZUWWbhfJDAKJRYMqFItxuZyflfQGdfmNim4/l6J
++4lzBW+s6ZHV3VZKZKAubKPebBAkAC+JbvZZAi6O0PMSGGE3RyOYlU/oa9AQPYGY95/XknAQ4jiV/
++HOicldq0ijFdm2axt2KCM4dv8jhSMNBw0H4WZg==
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext13 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext13
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext13	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext13	2014-02-10 01:13:33.028519727 +0400
+@@ -0,0 +1,5 @@
++FK412d0GupL387iXl4rtfNS/X/C1haQL1GzhtCzScDBTu5BE1k6BPY+W2y3XAH0QEY9vj4SWCXrX
++Xh/2kjQbKJKtVaYzocVefwoK1ZoOIDpbgniuxU3YYi4oMdhxdPjK/0PubEZEU0XYSlllm/uS7NTI
++GGaGlfNHBvZoKKiZWWN/K/PjJRwkvbpNS3ZJ2gAiIYsRnITnmmUn7FuKX4YcFZlS4j7AXh5xc0b6
++7+ixaGglvSsmL7JTEGbA3gms3i5CMWkHKLXYXhFaL2uSt5wlq8m9k5n/i8+CWlLqH1bqdt0m9Duq
+++hi/qSpQTL01aZ4m0dzFoohzhfPGMjLwbzJEww==
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext14 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext14
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext14	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext14	2014-02-10 01:13:33.028519727 +0400
+@@ -0,0 +1,5 @@
++bj5Ne2sV0vtGATuJAKpbuzk5zywJVxeYcEICbuYsdMVM/9XX1X77v5UKD1xXT6CdP8HJ9ROwW0/1
++Ddjfft+iAQKFTDXlkhgBGacM5bCFGCqgLZ6iqpDR3wPy2q6IW6L10Fr9rJdHbwa5O1vJShqAqpEW
++xNYV8zOwmIkrJf+s4mb121paO8wQqCTtVarTW3J4NPuMB9oo/PQWpdmyIk8fi0QrNvkeRW/eotfP
++4zZyaN4DB6THTpJBWe0zOT1eBlVTHHcye4mCG97fiAFhx4zUGWtUGfesw/E+Xr8WG258ZyRxbKM7
++hcLiVkAZKsKFllHVC95+uXblHOyCi5i2VjuGuw==
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext15 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext15
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext15	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext15	2014-02-10 01:13:33.028519727 +0400
+@@ -0,0 +1,5 @@
++NAR/+WxNwNyQstT/WaGjYaR1SyVdLuCvfYv4fJvJ593u3jOTTGPKHA49JiyxRe+TKh8sCpl6pqNP
++jq7nR32CzPCQlaa4rK041O7J+36retAtodEdjlTBgl5Vv1jCojI0uQK+Ek+ekDio9o+kXaty9m4J
++Rb8di6zJBExvBwmMn87FijqrEAyAUXgVXwMKEkxFDlrL2kfQ5PELgKI/gD53TQI7ABXCC5+bvnyR
++KWM41ey0ccr7AyAHtnpgvl9pUEqfAauzy0Z7Jg4rzoYL6Nlb+SwMjhSW7R5ShZOkq7bfRi3eiglo
++3/5GgxFoV6Iy9ev2yFviOHRa0POPdnpf2/SG+w==
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext16 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext16
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext16	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext16	2014-02-10 01:13:33.028519727 +0400
+@@ -0,0 +1,5 @@
++fgk16hj01sHRfOgusrODbFWzhFic4Z3+dDNjrJlI0fNGt7/d/pLv14rbIfrvyJreQrEPN0AD/hIu
++Z0KaHLjL0fjZAUVkxE0SARb0mQ8abjh3TBlL0bghMoawd7BJnS57P0NKsSKJxVZoTe7XgTGTS7Pd
++ZTcjb3xvPcsJ1Ha+B3IeN+HO7Zsve0Boh71TFXMF4ci0+E1zO8Hhhv4GzFm27bj0vX/+/fT3upz7
++nVcGibWhpBCadGppCJPbN5klWgy5IV0tHNSQWQ6VLoyHhqoAESZSUkcMBB37w+7Hw8v3HCSGnRFc
++DLSpVvVtUwuAq1iaz+/GkHUd3zbo04P4PO3SzA==
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext17 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext17
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext17	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext17	2014-02-10 01:13:33.028519727 +0400
+@@ -0,0 +1,5 @@
++bTtbh/Z+plevIfdUQZd9IYD5GyxfaS3oKVVpamhnMNm5d42XB1jMsmBxwiCf+9YSW+LpbqgbZ8ub
++kwgjn9oX97K2Ts2glra5NWQKWhy0KpFVscnvemM6AsWfDW7lm4UsQ7NQKec8lA/wQQ6PEU7tRrvQ
+++uFl5CviUopAHDso/YGO8yMtyp9NKg9RZuxZxCOW1sEdvBIVpW+hcWnblXU0PvNPneMqSc3DF0ki
++8inCPhjkXfk1MRnsQxnO3OehfGQIjB9vUr4pY0EAs5GdOPPR7ZTmiR5mpzuPuEn1h031lFnimMe7
++zi7ueCoZWqZv4tBzKyXllfV9PgYbH8PkBjv5jw==
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext2 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext2
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext2	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext2	2014-02-10 01:13:33.028519727 +0400
+@@ -0,0 +1,3 @@
++ZmAm+6cb0+fPExV8wsUajkqmhK+XePkYSfNDNdFBwAFUxBl2IfliSmdbWrwi7n1bqv+q4cm6yizD
++c7PzPnjmFDw5WpGqf6ymZOtzOv0U2IJyWdmadVD6ylAe8rBOM8I6pR9LnoKC79tyjMCrCUBakWB8
++Y2mWG8gnDS1POfzmErE=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext3 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext3
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext3	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext3	2014-02-10 01:13:33.028519727 +0400
+@@ -0,0 +1,3 @@
++Rgl5OyPp0JNi3CG7R9oLTzp2ImSaR9RkAZua6v5TNZwXjJHNWLpry3i+A0anvGN/S4c9S6s47mYf
++GZY0xUehrYRC4D2gFbE25UP3qwfAwT5CJbjejM4l1PbrhAD4H34YM7fubjNNNwlkynn9uHK011Ij
++te6wgQFZH7Uy0VWm3oc=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext4 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext4
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext4	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext4	2014-02-10 01:13:33.028519727 +0400
+@@ -0,0 +1,3 @@
++HSqtIhyk0x3fE1CSOQGTmOPRSzLcNNxa9K6uo8CVr3NHnPCkXlYpY1pToBg3dhWxbLmxOz4J1nHr
++ceOHuFRcWWDaWmR3bnaOgrLJNYO/EEw/2yNRK3tOifYz3QBjpTDbRSSwHD84TAkxDjFaedzT1oQC
++Kn8xyGWmZOMWl4t1n60=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext5 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext5
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext5	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext5	2014-02-10 01:13:33.028519727 +0400
+@@ -0,0 +1,3 @@
++KjT2El4fawv5cehPvUHGMr6PLCrOfei2km4x/5Ppr5h/vAblHpvhT1GY+R8/lTvWfaYKnfWXZMPc
++D+COHL7wt1+GjRCtP7p0n+9Z+22sRqDW5QQ2kzFYb1jkYo85qieJglQ7wO61N9xhlYAZs5T7Jz8h
++WFigoBrE1lC5VcZ/TFg=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext6 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext6
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext6	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext6	2014-02-10 01:13:33.028519727 +0400
+@@ -0,0 +1,4 @@
++WGEHImw84BOnyPBNGmopWbtLjiBbpDontQ8SQRG8Ne9YmwOfWTIYfLaW19mjLAw4MApc3aSDS2LS
++6yQK8z950T378JW/WZ4NloaUjBlkdHtn6JyaulzYUBYjb1ZsxYAssT6tUbx8pr7zuU3L27HVcEaX
++cd8OALGooGd3Ry0jFiee2uhkdGaNTh7/+V8d5hxgINoyrpK78WUg/vPPTYj2ESHyS72f6RtZyvEj
++WyqT/4H8QDrd9OveqEk0qc2vjhqe
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext7 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext7
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext7	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext7	2014-02-10 01:13:33.028519727 +0400
+@@ -0,0 +1,4 @@
++gLbWQyVSCfCkVnY4l6ye0lnUWbScKIfliC7LRDTP1m3X4WmTdTgeUc1/VU8sJxcEs5nUK0viVAoO
++ymGVH1Umf3woeMEihC2tsosBvV+MAl9+IoQYpnPAPWvAxzbQopVGvWf3htnWkszqd41x2YwgY7en
++EJIYek01rxCBEdg+g+rkbEaqNCd+BgRFiZA3iPHV587iX7SF6SlJEYgU1vLD7jYUiQFvMn+1vFF+
++tQRwv/oa+l9M6aoM5bjuGb9VAblY
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext8 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext8
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext8	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext8	2014-02-10 01:13:33.029519709 +0400
+@@ -0,0 +1,4 @@
++SEQI84mM1fU0g/gIGe+/JwjDTSeosqb66LMi+SQCN/mBgXrKGEbxCE2qbXwHlfblvxr1nDjhhYQ3
++zh9+xBm5jIc2rfbdmgCxgG0r060Kc3deBfUt/vOlmrSwgUPw3wXNGtnQS+zsptqkohKYA+IAy8d3
++h8r0wdBmOmxZh7YFlSAZeCyvLsFCbWj7lO0dS+gWp+0IG3fmqzMLP/wHOCD+zeNyf8vile5hoFCj
++Q2WGN8P9ZZz7Y3Nt4y2fkNPC9j7K
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext9 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext9
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext9	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/ciphertext9	2014-02-10 01:13:33.029519709 +0400
+@@ -0,0 +1,4 @@
++hOvrSBvlmEW0ZGi6+0ccARLgKyNdhLXZEcvRkm7lB0rgQkSVyyDoIwi467ZfQZoD+0DnK3iYHYiq
++0UMFNoUXLJeynIt78K5ztbImPEA9oO0vgP90UK94KOuLhvACi9KosXak0ijMzqGDlPI4sJ/3WMwA
++vAQwEVI1V0LygrVOZjqRnnCdjaJK3lUAp7mqUCJuDKUpI+bC2GDsUP9ID6V0d+grBWX0N595x3LV
++wtqAr5+/Ml7Ob8ILAJYWFL7omhg+
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash0 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash0
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash0	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash0	2014-02-10 01:13:33.029519709 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash1	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash1	2014-02-10 01:13:33.029519709 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash10 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash10
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash10	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash10	2014-02-10 01:13:33.029519709 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash11 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash11
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash11	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash11	2014-02-10 01:13:33.029519709 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash12 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash12
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash12	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash12	2014-02-10 01:13:33.029519709 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash13 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash13
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash13	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash13	2014-02-10 01:13:33.029519709 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash14 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash14
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash14	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash14	2014-02-10 01:13:33.029519709 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash15 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash15
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash15	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash15	2014-02-10 01:13:33.029519709 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash16 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash16
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash16	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash16	2014-02-10 01:13:33.029519709 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash17 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash17
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash17	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash17	2014-02-10 01:13:33.029519709 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash2 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash2
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash2	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash2	2014-02-10 01:13:33.029519709 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash3 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash3
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash3	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash3	2014-02-10 01:13:33.029519709 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash4 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash4
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash4	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash4	2014-02-10 01:13:33.029519709 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash5 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash5
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash5	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash5	2014-02-10 01:13:33.029519709 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash6 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash6
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash6	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash6	2014-02-10 01:13:33.029519709 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash7 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash7
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash7	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash7	2014-02-10 01:13:33.030519692 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash8 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash8
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash8	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash8	2014-02-10 01:13:33.030519692 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash9 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash9
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash9	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/hash9	2014-02-10 01:13:33.030519692 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key0 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key0
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key0	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key0	2014-02-10 01:13:33.030519692 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAACApW5KDnAQF1iaUYfcfqhB0Vby7A42rVKkTf6x5h962ZHYxRBW/+2xYrTA8oOhKoijlN/1JqtykcuzB86r/OCx39XNlQgJbVsri2311nHvY3fAkhyyPCcKcOJZjm/4nRnxBazC0/DLNfKSgOE4a29kxO8i4eHyDQzoz/siSb2aITcAAAADAQABAAAAgDOlBCqQsn1PVFHKm7vQtEdxoQGviENArvmIXypLvpLolKckrDxWjI+XhTrQfAJmyMajygkp8ejxEjGIRCn8TZrlX+6JahDOcHw+1+c05Ecno5V0UBpTJoMQnCq6yrooPDG0vS9Tw+4341LO40+eUDvYDAYirXnG3O6INUfGo7MlAAAAQOfolCcgqHdRcnOjVgU+oqG8DJSqctVcboYpay38lnlIwKcsvMyn6ss1cG4Jod9VoVNb2bPMNBYLO23NPtqOZEMAAABAtp3KHPfU1+yB51uQ/MqHSrzeEj/ScAGAqpBHm25I3o1n7ST58Z2FuidYdPVCzSDccj5pYzZKH5QlRSsmmmeZ/QAAAEAo+hOThlW+H4oVnLrKWnLqGQwwCJ4ZzSdKVW82xPbhn1VLNMB3eQQnu92N0+3iRIMo84XYGzDo5Dsv/6Anhhl5AAAAQBqLOPOY+nEgSYmNf7ee4Kd2aHkSmc36Ce/A5Qessh7XQwHvW/1IvkVerrbhZ4JVgnWAqOTo4UFR0VEKgqPy5ykAAABAJxVqukEm0kqB86Uoy/sn9WiG+ECp9uhuF6RLlP6TGVhLjiL93h5aLjvYqluo2FhBlOshkKz4MrhH8To9JKefTQ==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key1	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key1	2014-02-10 01:13:33.030519692 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAACApW5KDnAQF1iaUYfcfqhB0Vby7A42rVKkTf6x5h962ZHYxRBW/+2xYrTA8oOhKoijlN/1JqtykcuzB86r/OCx39XNlQgJbVsri2311nHvY3fAkhyyPCcKcOJZjm/4nRnxBazC0/DLNfKSgOE4a29kxO8i4eHyDQzoz/siSb2aITcAAAADAQABAAAAgDOlBCqQsn1PVFHKm7vQtEdxoQGviENArvmIXypLvpLolKckrDxWjI+XhTrQfAJmyMajygkp8ejxEjGIRCn8TZrlX+6JahDOcHw+1+c05Ecno5V0UBpTJoMQnCq6yrooPDG0vS9Tw+4341LO40+eUDvYDAYirXnG3O6INUfGo7MlAAAAQOfolCcgqHdRcnOjVgU+oqG8DJSqctVcboYpay38lnlIwKcsvMyn6ss1cG4Jod9VoVNb2bPMNBYLO23NPtqOZEMAAABAtp3KHPfU1+yB51uQ/MqHSrzeEj/ScAGAqpBHm25I3o1n7ST58Z2FuidYdPVCzSDccj5pYzZKH5QlRSsmmmeZ/QAAAEAo+hOThlW+H4oVnLrKWnLqGQwwCJ4ZzSdKVW82xPbhn1VLNMB3eQQnu92N0+3iRIMo84XYGzDo5Dsv/6Anhhl5AAAAQBqLOPOY+nEgSYmNf7ee4Kd2aHkSmc36Ce/A5Qessh7XQwHvW/1IvkVerrbhZ4JVgnWAqOTo4UFR0VEKgqPy5ykAAABAJxVqukEm0kqB86Uoy/sn9WiG+ECp9uhuF6RLlP6TGVhLjiL93h5aLjvYqluo2FhBlOshkKz4MrhH8To9JKefTQ==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key10 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key10
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key10	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key10	2014-02-10 01:13:33.030519692 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAADA5r1pKslmRXkEA/3Q9b64ub+S7RAAf8NlBGQZ3QbAXFtbL0js+YnkziaRCZecu0C0oK0k0iSD0e4xWtTMsVNCaDUmkcUk9t2ObCnSJM8kaXOuyGxb9rFAGoUNG5rRu4y87Eewbw+Mf0XT/I8xkpnFQz3bwrMFO0fe0uzUpMrv1hSDPci7Yi8xftB2uAV/6N4/hEgK1eg+SmGQSk8kj7OXAnNX4dMORjE5gVxv1P1axbgXKkUjDstjGKBPFFXYTlqLAAAAAwEAAQAAAMBqf9hPuF+tBzs0QG23T41hpqvBIZapYd15Vl6dpuUYe84tmAJQ9zWVdTWScNkVkLsOQnxxRgtV1RQQsZG88wn+oTGpLI5wJzj6cZ8eAEH1LkDpHyKfTZah5vFy4VWWtFEKba7CYQXyvrxTMWuHvfITEWZgcOjf7mnVLHGpdsqueccraNKFgNxobZ9RKdIl+Cs9YVUTqIKz25FBa0jOCIiCE+N+65r4ANgcqzKM5CBomQPADHtf0xt1UDptQZaE1ikAAABg+OuX6Y3xJmTu/bdhWWpp3c0Odtrs5u1L9aG1CsCG95KKTS+HJqd+UVt02kGYjyILHMh6ofyBDOmagvLRzoIe3O15TGlB9Cx6GguMTSjHXsYLZSJ59hVKdirtFl1H3uNnAAAAYO1NcdCm4kuTwuX2tLvgX1+wr6BC0gT+M3jTZcLyiLao2tfv5F0VPu9Aysx7gf+TQALRCJlLlKXkcozZyWM3WuSZZb2lXL8O/tjWVTtAJ/LYYgim5rSJwXYSgJLWKeSdPQAAAGArtovd+wxPVshVi/+viS2AQwN4Qef6gc+mGjjF45uQHI7nESKl2iInvWze60gUUsEq09YdXk93agq1Vlkb7+Plnlp/3bg0Xh8vNbn0zuV8MkFMCGrsmT6TU+SA2e7GKJ8AAABgT/iXcJ+tB5dGSUV45w/YVGEw7qtWJ8SbCA8F7krZ8+S3
 y6nWpd/xE6QcNAkzaDPxkIFtimvELpvsVrdWfQ88nGltthmyRdkB3YVtt8gJLnfpoczNVu5NukLF/bYa7CZpAAAAYHe50RN7UEBKmCcpMW76/H3+ZtNOWhgmANXzCgqFEgUcVg0IHU0KGDXsPSWmD05NaqlIsr89u1sSTLvDSJJVo6lINy9peElnRflD4dtPGDgs6qUF38ZXV7s/hXpY3OUhVg==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key11 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key11
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key11	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key11	2014-02-10 01:13:33.030519692 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAADA5r1pKslmRXkEA/3Q9b64ub+S7RAAf8NlBGQZ3QbAXFtbL0js+YnkziaRCZecu0C0oK0k0iSD0e4xWtTMsVNCaDUmkcUk9t2ObCnSJM8kaXOuyGxb9rFAGoUNG5rRu4y87Eewbw+Mf0XT/I8xkpnFQz3bwrMFO0fe0uzUpMrv1hSDPci7Yi8xftB2uAV/6N4/hEgK1eg+SmGQSk8kj7OXAnNX4dMORjE5gVxv1P1axbgXKkUjDstjGKBPFFXYTlqLAAAAAwEAAQAAAMBqf9hPuF+tBzs0QG23T41hpqvBIZapYd15Vl6dpuUYe84tmAJQ9zWVdTWScNkVkLsOQnxxRgtV1RQQsZG88wn+oTGpLI5wJzj6cZ8eAEH1LkDpHyKfTZah5vFy4VWWtFEKba7CYQXyvrxTMWuHvfITEWZgcOjf7mnVLHGpdsqueccraNKFgNxobZ9RKdIl+Cs9YVUTqIKz25FBa0jOCIiCE+N+65r4ANgcqzKM5CBomQPADHtf0xt1UDptQZaE1ikAAABg+OuX6Y3xJmTu/bdhWWpp3c0Odtrs5u1L9aG1CsCG95KKTS+HJqd+UVt02kGYjyILHMh6ofyBDOmagvLRzoIe3O15TGlB9Cx6GguMTSjHXsYLZSJ59hVKdirtFl1H3uNnAAAAYO1NcdCm4kuTwuX2tLvgX1+wr6BC0gT+M3jTZcLyiLao2tfv5F0VPu9Aysx7gf+TQALRCJlLlKXkcozZyWM3WuSZZb2lXL8O/tjWVTtAJ/LYYgim5rSJwXYSgJLWKeSdPQAAAGArtovd+wxPVshVi/+viS2AQwN4Qef6gc+mGjjF45uQHI7nESKl2iInvWze60gUUsEq09YdXk93agq1Vlkb7+Plnlp/3bg0Xh8vNbn0zuV8MkFMCGrsmT6TU+SA2e7GKJ8AAABgT/iXcJ+tB5dGSUV45w/YVGEw7qtWJ8SbCA8F7krZ8+S3
 y6nWpd/xE6QcNAkzaDPxkIFtimvELpvsVrdWfQ88nGltthmyRdkB3YVtt8gJLnfpoczNVu5NukLF/bYa7CZpAAAAYHe50RN7UEBKmCcpMW76/H3+ZtNOWhgmANXzCgqFEgUcVg0IHU0KGDXsPSWmD05NaqlIsr89u1sSTLvDSJJVo6lINy9peElnRflD4dtPGDgs6qUF38ZXV7s/hXpY3OUhVg==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key12 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key12
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key12	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key12	2014-02-10 01:13:33.030519692 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAAEApd2GesTLAvkLlFfUjBSncO+ZHFbDnA7GX9Ea+ok3zqV7m+esc7RcABdhW4LWIuMYdTtgJ8D9FXvhL4CQ/uKnrc0O73WfiLpJl8ekLVjJqhLLma4AH+UhwTu1QxRFqNWuT15MfpSKwifTYEBx8g5XfpBfvrFd+vBtHeWuYlPWOmohILMaXaXavJVQYA4g8n03OeJieSX+o8xQnyHf8E5u6kVJxUDWgJ/5MH7t6R//WHM9g4WiN9bTcFoz45GQCZIHDfet8TV89+NwDONmfeg/F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGuBQAAAAMBAAEAAAEALS/1Z7P+dOBhkbf97W3hEikMZwaSQw1ZaRhAR9ojTJaT3u0Wc+1ClTnJadNywE1rR+D1uM7ghD5cIoNdvTsFoJl5hK5gWLEbxJB8v2fthPqa4lLfsNDNSeYY4139/lm8o93WbDPOu8d61EGqaV4T4yS1GPAcYPWoXJlK0XnyprX76TQCsRdnvgG/BzRE1rod0rylvQdNSl+uNTGtEwPYSzDYlzGMu7oE4DwuZt5tkfgvluodS7VKWq4QLVlGV/XJeJVTUSspbeop2AIxljV+PjpulY8548I0QDjqYEsx7cbw9/9ucYGlfJKCaiaPhnaOlvh4Vi/HHYXWnkSGEvcEjwAAAIDP1QKD/u65f28I1zy8ezg2+Cu81JlHn15vdv38uLOMT3Hcnoi9am92Nxr9ZdKvGGKzKvs0qV9xuLEyBD/+vjqVK691kkSBSMA/nGmx1o5M5c8yyGuvRv7TAcoatAMGmzL0VrkfcYmKsIHNjEJS71JxkVyXlLjylYUdp1EPmctz6wAAAIDMTpDSobOgZdOy0fWo/OMbVER1Zk6rVh0pcbmft774ROjsHzYLjCrINZaSlx6mo49yP8whH128sXeg/axRZKHU/3+7ToKZhjU8
 uYNlmhSM3UIMfTG6OCLqkKMr5GwDDowX4foK03hZ4GsKpvo7IW2cvmwOIjOXacCmFZE+XacZzwAAAIAcLR/DL2vEAE/YXf3g+7+aTDj5x8TkHeoaqII0ogHNkvO32lJlg6mK2FuzYPuYO3EeI0SdVh0XeNelFUhry/R7Rsnp4aOh93AA776wmor+R+W4V82pnLFtf/+bcS471gypbZx5c9YW1Gk0qcBQKBwAQ5nO/x233aeHZqipucsIcwAAAIDLOzwEyqWMYL59my3rs+OWQ/T1c5e+CCNqHp6vqnBlNuccOs/gHMZR8jyeBYWP7hO7aor8R99O3JpLowvOy3PQFXhSMn7niQFcLo3ue58FoPMayU62FzFkdAxclRR81fO1riy0qDeH8B2Ksx8nwtDuot2KEauQarogfEPG7hJTMQAAAIAS9rLPE3SnNvrQVhYFD5arS2HRF3x/nVJaKfPRgOd2Z+mdmavwUl0HWGYPN1JlWw8luN+EMdmo/3fBbBKgpRIqnwv3z9WiZqNcFZ+ZEgi5Axb/RE8+C2vQ6TuKeiRI6Vfj3abPzyJmsQYBOsRoCNOziHs7ADRLqslTC0znCPwytg==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key13 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key13
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key13	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key13	2014-02-10 01:13:33.030519692 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAAEApd2GesTLAvkLlFfUjBSncO+ZHFbDnA7GX9Ea+ok3zqV7m+esc7RcABdhW4LWIuMYdTtgJ8D9FXvhL4CQ/uKnrc0O73WfiLpJl8ekLVjJqhLLma4AH+UhwTu1QxRFqNWuT15MfpSKwifTYEBx8g5XfpBfvrFd+vBtHeWuYlPWOmohILMaXaXavJVQYA4g8n03OeJieSX+o8xQnyHf8E5u6kVJxUDWgJ/5MH7t6R//WHM9g4WiN9bTcFoz45GQCZIHDfet8TV89+NwDONmfeg/F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGuBQAAAAMBAAEAAAEALS/1Z7P+dOBhkbf97W3hEikMZwaSQw1ZaRhAR9ojTJaT3u0Wc+1ClTnJadNywE1rR+D1uM7ghD5cIoNdvTsFoJl5hK5gWLEbxJB8v2fthPqa4lLfsNDNSeYY4139/lm8o93WbDPOu8d61EGqaV4T4yS1GPAcYPWoXJlK0XnyprX76TQCsRdnvgG/BzRE1rod0rylvQdNSl+uNTGtEwPYSzDYlzGMu7oE4DwuZt5tkfgvluodS7VKWq4QLVlGV/XJeJVTUSspbeop2AIxljV+PjpulY8548I0QDjqYEsx7cbw9/9ucYGlfJKCaiaPhnaOlvh4Vi/HHYXWnkSGEvcEjwAAAIDP1QKD/u65f28I1zy8ezg2+Cu81JlHn15vdv38uLOMT3Hcnoi9am92Nxr9ZdKvGGKzKvs0qV9xuLEyBD/+vjqVK691kkSBSMA/nGmx1o5M5c8yyGuvRv7TAcoatAMGmzL0VrkfcYmKsIHNjEJS71JxkVyXlLjylYUdp1EPmctz6wAAAIDMTpDSobOgZdOy0fWo/OMbVER1Zk6rVh0pcbmft774ROjsHzYLjCrINZaSlx6mo49yP8whH128sXeg/axRZKHU/3+7ToKZhjU8
 uYNlmhSM3UIMfTG6OCLqkKMr5GwDDowX4foK03hZ4GsKpvo7IW2cvmwOIjOXacCmFZE+XacZzwAAAIAcLR/DL2vEAE/YXf3g+7+aTDj5x8TkHeoaqII0ogHNkvO32lJlg6mK2FuzYPuYO3EeI0SdVh0XeNelFUhry/R7Rsnp4aOh93AA776wmor+R+W4V82pnLFtf/+bcS471gypbZx5c9YW1Gk0qcBQKBwAQ5nO/x233aeHZqipucsIcwAAAIDLOzwEyqWMYL59my3rs+OWQ/T1c5e+CCNqHp6vqnBlNuccOs/gHMZR8jyeBYWP7hO7aor8R99O3JpLowvOy3PQFXhSMn7niQFcLo3ue58FoPMayU62FzFkdAxclRR81fO1riy0qDeH8B2Ksx8nwtDuot2KEauQarogfEPG7hJTMQAAAIAS9rLPE3SnNvrQVhYFD5arS2HRF3x/nVJaKfPRgOd2Z+mdmavwUl0HWGYPN1JlWw8luN+EMdmo/3fBbBKgpRIqnwv3z9WiZqNcFZ+ZEgi5Axb/RE8+C2vQ6TuKeiRI6Vfj3abPzyJmsQYBOsRoCNOziHs7ADRLqslTC0znCPwytg==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key14 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key14
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key14	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key14	2014-02-10 01:13:33.030519692 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAAEApd2GesTLAvkLlFfUjBSncO+ZHFbDnA7GX9Ea+ok3zqV7m+esc7RcABdhW4LWIuMYdTtgJ8D9FXvhL4CQ/uKnrc0O73WfiLpJl8ekLVjJqhLLma4AH+UhwTu1QxRFqNWuT15MfpSKwifTYEBx8g5XfpBfvrFd+vBtHeWuYlPWOmohILMaXaXavJVQYA4g8n03OeJieSX+o8xQnyHf8E5u6kVJxUDWgJ/5MH7t6R//WHM9g4WiN9bTcFoz45GQCZIHDfet8TV89+NwDONmfeg/F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGuBQAAAAMBAAEAAAEALS/1Z7P+dOBhkbf97W3hEikMZwaSQw1ZaRhAR9ojTJaT3u0Wc+1ClTnJadNywE1rR+D1uM7ghD5cIoNdvTsFoJl5hK5gWLEbxJB8v2fthPqa4lLfsNDNSeYY4139/lm8o93WbDPOu8d61EGqaV4T4yS1GPAcYPWoXJlK0XnyprX76TQCsRdnvgG/BzRE1rod0rylvQdNSl+uNTGtEwPYSzDYlzGMu7oE4DwuZt5tkfgvluodS7VKWq4QLVlGV/XJeJVTUSspbeop2AIxljV+PjpulY8548I0QDjqYEsx7cbw9/9ucYGlfJKCaiaPhnaOlvh4Vi/HHYXWnkSGEvcEjwAAAIDP1QKD/u65f28I1zy8ezg2+Cu81JlHn15vdv38uLOMT3Hcnoi9am92Nxr9ZdKvGGKzKvs0qV9xuLEyBD/+vjqVK691kkSBSMA/nGmx1o5M5c8yyGuvRv7TAcoatAMGmzL0VrkfcYmKsIHNjEJS71JxkVyXlLjylYUdp1EPmctz6wAAAIDMTpDSobOgZdOy0fWo/OMbVER1Zk6rVh0pcbmft774ROjsHzYLjCrINZaSlx6mo49yP8whH128sXeg/axRZKHU/3+7ToKZhjU8
 uYNlmhSM3UIMfTG6OCLqkKMr5GwDDowX4foK03hZ4GsKpvo7IW2cvmwOIjOXacCmFZE+XacZzwAAAIAcLR/DL2vEAE/YXf3g+7+aTDj5x8TkHeoaqII0ogHNkvO32lJlg6mK2FuzYPuYO3EeI0SdVh0XeNelFUhry/R7Rsnp4aOh93AA776wmor+R+W4V82pnLFtf/+bcS471gypbZx5c9YW1Gk0qcBQKBwAQ5nO/x233aeHZqipucsIcwAAAIDLOzwEyqWMYL59my3rs+OWQ/T1c5e+CCNqHp6vqnBlNuccOs/gHMZR8jyeBYWP7hO7aor8R99O3JpLowvOy3PQFXhSMn7niQFcLo3ue58FoPMayU62FzFkdAxclRR81fO1riy0qDeH8B2Ksx8nwtDuot2KEauQarogfEPG7hJTMQAAAIAS9rLPE3SnNvrQVhYFD5arS2HRF3x/nVJaKfPRgOd2Z+mdmavwUl0HWGYPN1JlWw8luN+EMdmo/3fBbBKgpRIqnwv3z9WiZqNcFZ+ZEgi5Axb/RE8+C2vQ6TuKeiRI6Vfj3abPzyJmsQYBOsRoCNOziHs7ADRLqslTC0znCPwytg==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key15 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key15
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key15	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key15	2014-02-10 01:13:33.030519692 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAAEApd2GesTLAvkLlFfUjBSncO+ZHFbDnA7GX9Ea+ok3zqV7m+esc7RcABdhW4LWIuMYdTtgJ8D9FXvhL4CQ/uKnrc0O73WfiLpJl8ekLVjJqhLLma4AH+UhwTu1QxRFqNWuT15MfpSKwifTYEBx8g5XfpBfvrFd+vBtHeWuYlPWOmohILMaXaXavJVQYA4g8n03OeJieSX+o8xQnyHf8E5u6kVJxUDWgJ/5MH7t6R//WHM9g4WiN9bTcFoz45GQCZIHDfet8TV89+NwDONmfeg/F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGuBQAAAAMBAAEAAAEALS/1Z7P+dOBhkbf97W3hEikMZwaSQw1ZaRhAR9ojTJaT3u0Wc+1ClTnJadNywE1rR+D1uM7ghD5cIoNdvTsFoJl5hK5gWLEbxJB8v2fthPqa4lLfsNDNSeYY4139/lm8o93WbDPOu8d61EGqaV4T4yS1GPAcYPWoXJlK0XnyprX76TQCsRdnvgG/BzRE1rod0rylvQdNSl+uNTGtEwPYSzDYlzGMu7oE4DwuZt5tkfgvluodS7VKWq4QLVlGV/XJeJVTUSspbeop2AIxljV+PjpulY8548I0QDjqYEsx7cbw9/9ucYGlfJKCaiaPhnaOlvh4Vi/HHYXWnkSGEvcEjwAAAIDP1QKD/u65f28I1zy8ezg2+Cu81JlHn15vdv38uLOMT3Hcnoi9am92Nxr9ZdKvGGKzKvs0qV9xuLEyBD/+vjqVK691kkSBSMA/nGmx1o5M5c8yyGuvRv7TAcoatAMGmzL0VrkfcYmKsIHNjEJS71JxkVyXlLjylYUdp1EPmctz6wAAAIDMTpDSobOgZdOy0fWo/OMbVER1Zk6rVh0pcbmft774ROjsHzYLjCrINZaSlx6mo49yP8whH128sXeg/axRZKHU/3+7ToKZhjU8
 uYNlmhSM3UIMfTG6OCLqkKMr5GwDDowX4foK03hZ4GsKpvo7IW2cvmwOIjOXacCmFZE+XacZzwAAAIAcLR/DL2vEAE/YXf3g+7+aTDj5x8TkHeoaqII0ogHNkvO32lJlg6mK2FuzYPuYO3EeI0SdVh0XeNelFUhry/R7Rsnp4aOh93AA776wmor+R+W4V82pnLFtf/+bcS471gypbZx5c9YW1Gk0qcBQKBwAQ5nO/x233aeHZqipucsIcwAAAIDLOzwEyqWMYL59my3rs+OWQ/T1c5e+CCNqHp6vqnBlNuccOs/gHMZR8jyeBYWP7hO7aor8R99O3JpLowvOy3PQFXhSMn7niQFcLo3ue58FoPMayU62FzFkdAxclRR81fO1riy0qDeH8B2Ksx8nwtDuot2KEauQarogfEPG7hJTMQAAAIAS9rLPE3SnNvrQVhYFD5arS2HRF3x/nVJaKfPRgOd2Z+mdmavwUl0HWGYPN1JlWw8luN+EMdmo/3fBbBKgpRIqnwv3z9WiZqNcFZ+ZEgi5Axb/RE8+C2vQ6TuKeiRI6Vfj3abPzyJmsQYBOsRoCNOziHs7ADRLqslTC0znCPwytg==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key16 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key16
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key16	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key16	2014-02-10 01:13:33.030519692 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAAEApd2GesTLAvkLlFfUjBSncO+ZHFbDnA7GX9Ea+ok3zqV7m+esc7RcABdhW4LWIuMYdTtgJ8D9FXvhL4CQ/uKnrc0O73WfiLpJl8ekLVjJqhLLma4AH+UhwTu1QxRFqNWuT15MfpSKwifTYEBx8g5XfpBfvrFd+vBtHeWuYlPWOmohILMaXaXavJVQYA4g8n03OeJieSX+o8xQnyHf8E5u6kVJxUDWgJ/5MH7t6R//WHM9g4WiN9bTcFoz45GQCZIHDfet8TV89+NwDONmfeg/F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGuBQAAAAMBAAEAAAEALS/1Z7P+dOBhkbf97W3hEikMZwaSQw1ZaRhAR9ojTJaT3u0Wc+1ClTnJadNywE1rR+D1uM7ghD5cIoNdvTsFoJl5hK5gWLEbxJB8v2fthPqa4lLfsNDNSeYY4139/lm8o93WbDPOu8d61EGqaV4T4yS1GPAcYPWoXJlK0XnyprX76TQCsRdnvgG/BzRE1rod0rylvQdNSl+uNTGtEwPYSzDYlzGMu7oE4DwuZt5tkfgvluodS7VKWq4QLVlGV/XJeJVTUSspbeop2AIxljV+PjpulY8548I0QDjqYEsx7cbw9/9ucYGlfJKCaiaPhnaOlvh4Vi/HHYXWnkSGEvcEjwAAAIDP1QKD/u65f28I1zy8ezg2+Cu81JlHn15vdv38uLOMT3Hcnoi9am92Nxr9ZdKvGGKzKvs0qV9xuLEyBD/+vjqVK691kkSBSMA/nGmx1o5M5c8yyGuvRv7TAcoatAMGmzL0VrkfcYmKsIHNjEJS71JxkVyXlLjylYUdp1EPmctz6wAAAIDMTpDSobOgZdOy0fWo/OMbVER1Zk6rVh0pcbmft774ROjsHzYLjCrINZaSlx6mo49yP8whH128sXeg/axRZKHU/3+7ToKZhjU8
 uYNlmhSM3UIMfTG6OCLqkKMr5GwDDowX4foK03hZ4GsKpvo7IW2cvmwOIjOXacCmFZE+XacZzwAAAIAcLR/DL2vEAE/YXf3g+7+aTDj5x8TkHeoaqII0ogHNkvO32lJlg6mK2FuzYPuYO3EeI0SdVh0XeNelFUhry/R7Rsnp4aOh93AA776wmor+R+W4V82pnLFtf/+bcS471gypbZx5c9YW1Gk0qcBQKBwAQ5nO/x233aeHZqipucsIcwAAAIDLOzwEyqWMYL59my3rs+OWQ/T1c5e+CCNqHp6vqnBlNuccOs/gHMZR8jyeBYWP7hO7aor8R99O3JpLowvOy3PQFXhSMn7niQFcLo3ue58FoPMayU62FzFkdAxclRR81fO1riy0qDeH8B2Ksx8nwtDuot2KEauQarogfEPG7hJTMQAAAIAS9rLPE3SnNvrQVhYFD5arS2HRF3x/nVJaKfPRgOd2Z+mdmavwUl0HWGYPN1JlWw8luN+EMdmo/3fBbBKgpRIqnwv3z9WiZqNcFZ+ZEgi5Axb/RE8+C2vQ6TuKeiRI6Vfj3abPzyJmsQYBOsRoCNOziHs7ADRLqslTC0znCPwytg==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key17 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key17
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key17	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key17	2014-02-10 01:13:33.030519692 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAAEApd2GesTLAvkLlFfUjBSncO+ZHFbDnA7GX9Ea+ok3zqV7m+esc7RcABdhW4LWIuMYdTtgJ8D9FXvhL4CQ/uKnrc0O73WfiLpJl8ekLVjJqhLLma4AH+UhwTu1QxRFqNWuT15MfpSKwifTYEBx8g5XfpBfvrFd+vBtHeWuYlPWOmohILMaXaXavJVQYA4g8n03OeJieSX+o8xQnyHf8E5u6kVJxUDWgJ/5MH7t6R//WHM9g4WiN9bTcFoz45GQCZIHDfet8TV89+NwDONmfeg/F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGuBQAAAAMBAAEAAAEALS/1Z7P+dOBhkbf97W3hEikMZwaSQw1ZaRhAR9ojTJaT3u0Wc+1ClTnJadNywE1rR+D1uM7ghD5cIoNdvTsFoJl5hK5gWLEbxJB8v2fthPqa4lLfsNDNSeYY4139/lm8o93WbDPOu8d61EGqaV4T4yS1GPAcYPWoXJlK0XnyprX76TQCsRdnvgG/BzRE1rod0rylvQdNSl+uNTGtEwPYSzDYlzGMu7oE4DwuZt5tkfgvluodS7VKWq4QLVlGV/XJeJVTUSspbeop2AIxljV+PjpulY8548I0QDjqYEsx7cbw9/9ucYGlfJKCaiaPhnaOlvh4Vi/HHYXWnkSGEvcEjwAAAIDP1QKD/u65f28I1zy8ezg2+Cu81JlHn15vdv38uLOMT3Hcnoi9am92Nxr9ZdKvGGKzKvs0qV9xuLEyBD/+vjqVK691kkSBSMA/nGmx1o5M5c8yyGuvRv7TAcoatAMGmzL0VrkfcYmKsIHNjEJS71JxkVyXlLjylYUdp1EPmctz6wAAAIDMTpDSobOgZdOy0fWo/OMbVER1Zk6rVh0pcbmft774ROjsHzYLjCrINZaSlx6mo49yP8whH128sXeg/axRZKHU/3+7ToKZhjU8
 uYNlmhSM3UIMfTG6OCLqkKMr5GwDDowX4foK03hZ4GsKpvo7IW2cvmwOIjOXacCmFZE+XacZzwAAAIAcLR/DL2vEAE/YXf3g+7+aTDj5x8TkHeoaqII0ogHNkvO32lJlg6mK2FuzYPuYO3EeI0SdVh0XeNelFUhry/R7Rsnp4aOh93AA776wmor+R+W4V82pnLFtf/+bcS471gypbZx5c9YW1Gk0qcBQKBwAQ5nO/x233aeHZqipucsIcwAAAIDLOzwEyqWMYL59my3rs+OWQ/T1c5e+CCNqHp6vqnBlNuccOs/gHMZR8jyeBYWP7hO7aor8R99O3JpLowvOy3PQFXhSMn7niQFcLo3ue58FoPMayU62FzFkdAxclRR81fO1riy0qDeH8B2Ksx8nwtDuot2KEauQarogfEPG7hJTMQAAAIAS9rLPE3SnNvrQVhYFD5arS2HRF3x/nVJaKfPRgOd2Z+mdmavwUl0HWGYPN1JlWw8luN+EMdmo/3fBbBKgpRIqnwv3z9WiZqNcFZ+ZEgi5Axb/RE8+C2vQ6TuKeiRI6Vfj3abPzyJmsQYBOsRoCNOziHs7ADRLqslTC0znCPwytg==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key2 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key2
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key2	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key2	2014-02-10 01:13:33.030519692 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAACApW5KDnAQF1iaUYfcfqhB0Vby7A42rVKkTf6x5h962ZHYxRBW/+2xYrTA8oOhKoijlN/1JqtykcuzB86r/OCx39XNlQgJbVsri2311nHvY3fAkhyyPCcKcOJZjm/4nRnxBazC0/DLNfKSgOE4a29kxO8i4eHyDQzoz/siSb2aITcAAAADAQABAAAAgDOlBCqQsn1PVFHKm7vQtEdxoQGviENArvmIXypLvpLolKckrDxWjI+XhTrQfAJmyMajygkp8ejxEjGIRCn8TZrlX+6JahDOcHw+1+c05Ecno5V0UBpTJoMQnCq6yrooPDG0vS9Tw+4341LO40+eUDvYDAYirXnG3O6INUfGo7MlAAAAQOfolCcgqHdRcnOjVgU+oqG8DJSqctVcboYpay38lnlIwKcsvMyn6ss1cG4Jod9VoVNb2bPMNBYLO23NPtqOZEMAAABAtp3KHPfU1+yB51uQ/MqHSrzeEj/ScAGAqpBHm25I3o1n7ST58Z2FuidYdPVCzSDccj5pYzZKH5QlRSsmmmeZ/QAAAEAo+hOThlW+H4oVnLrKWnLqGQwwCJ4ZzSdKVW82xPbhn1VLNMB3eQQnu92N0+3iRIMo84XYGzDo5Dsv/6Anhhl5AAAAQBqLOPOY+nEgSYmNf7ee4Kd2aHkSmc36Ce/A5Qessh7XQwHvW/1IvkVerrbhZ4JVgnWAqOTo4UFR0VEKgqPy5ykAAABAJxVqukEm0kqB86Uoy/sn9WiG+ECp9uhuF6RLlP6TGVhLjiL93h5aLjvYqluo2FhBlOshkKz4MrhH8To9JKefTQ==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key3 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key3
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key3	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key3	2014-02-10 01:13:33.030519692 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAACApW5KDnAQF1iaUYfcfqhB0Vby7A42rVKkTf6x5h962ZHYxRBW/+2xYrTA8oOhKoijlN/1JqtykcuzB86r/OCx39XNlQgJbVsri2311nHvY3fAkhyyPCcKcOJZjm/4nRnxBazC0/DLNfKSgOE4a29kxO8i4eHyDQzoz/siSb2aITcAAAADAQABAAAAgDOlBCqQsn1PVFHKm7vQtEdxoQGviENArvmIXypLvpLolKckrDxWjI+XhTrQfAJmyMajygkp8ejxEjGIRCn8TZrlX+6JahDOcHw+1+c05Ecno5V0UBpTJoMQnCq6yrooPDG0vS9Tw+4341LO40+eUDvYDAYirXnG3O6INUfGo7MlAAAAQOfolCcgqHdRcnOjVgU+oqG8DJSqctVcboYpay38lnlIwKcsvMyn6ss1cG4Jod9VoVNb2bPMNBYLO23NPtqOZEMAAABAtp3KHPfU1+yB51uQ/MqHSrzeEj/ScAGAqpBHm25I3o1n7ST58Z2FuidYdPVCzSDccj5pYzZKH5QlRSsmmmeZ/QAAAEAo+hOThlW+H4oVnLrKWnLqGQwwCJ4ZzSdKVW82xPbhn1VLNMB3eQQnu92N0+3iRIMo84XYGzDo5Dsv/6Anhhl5AAAAQBqLOPOY+nEgSYmNf7ee4Kd2aHkSmc36Ce/A5Qessh7XQwHvW/1IvkVerrbhZ4JVgnWAqOTo4UFR0VEKgqPy5ykAAABAJxVqukEm0kqB86Uoy/sn9WiG+ECp9uhuF6RLlP6TGVhLjiL93h5aLjvYqluo2FhBlOshkKz4MrhH8To9JKefTQ==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key4 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key4
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key4	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key4	2014-02-10 01:13:33.031519675 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAACApW5KDnAQF1iaUYfcfqhB0Vby7A42rVKkTf6x5h962ZHYxRBW/+2xYrTA8oOhKoijlN/1JqtykcuzB86r/OCx39XNlQgJbVsri2311nHvY3fAkhyyPCcKcOJZjm/4nRnxBazC0/DLNfKSgOE4a29kxO8i4eHyDQzoz/siSb2aITcAAAADAQABAAAAgDOlBCqQsn1PVFHKm7vQtEdxoQGviENArvmIXypLvpLolKckrDxWjI+XhTrQfAJmyMajygkp8ejxEjGIRCn8TZrlX+6JahDOcHw+1+c05Ecno5V0UBpTJoMQnCq6yrooPDG0vS9Tw+4341LO40+eUDvYDAYirXnG3O6INUfGo7MlAAAAQOfolCcgqHdRcnOjVgU+oqG8DJSqctVcboYpay38lnlIwKcsvMyn6ss1cG4Jod9VoVNb2bPMNBYLO23NPtqOZEMAAABAtp3KHPfU1+yB51uQ/MqHSrzeEj/ScAGAqpBHm25I3o1n7ST58Z2FuidYdPVCzSDccj5pYzZKH5QlRSsmmmeZ/QAAAEAo+hOThlW+H4oVnLrKWnLqGQwwCJ4ZzSdKVW82xPbhn1VLNMB3eQQnu92N0+3iRIMo84XYGzDo5Dsv/6Anhhl5AAAAQBqLOPOY+nEgSYmNf7ee4Kd2aHkSmc36Ce/A5Qessh7XQwHvW/1IvkVerrbhZ4JVgnWAqOTo4UFR0VEKgqPy5ykAAABAJxVqukEm0kqB86Uoy/sn9WiG+ECp9uhuF6RLlP6TGVhLjiL93h5aLjvYqluo2FhBlOshkKz4MrhH8To9JKefTQ==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key5 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key5
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key5	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key5	2014-02-10 01:13:33.031519675 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAACApW5KDnAQF1iaUYfcfqhB0Vby7A42rVKkTf6x5h962ZHYxRBW/+2xYrTA8oOhKoijlN/1JqtykcuzB86r/OCx39XNlQgJbVsri2311nHvY3fAkhyyPCcKcOJZjm/4nRnxBazC0/DLNfKSgOE4a29kxO8i4eHyDQzoz/siSb2aITcAAAADAQABAAAAgDOlBCqQsn1PVFHKm7vQtEdxoQGviENArvmIXypLvpLolKckrDxWjI+XhTrQfAJmyMajygkp8ejxEjGIRCn8TZrlX+6JahDOcHw+1+c05Ecno5V0UBpTJoMQnCq6yrooPDG0vS9Tw+4341LO40+eUDvYDAYirXnG3O6INUfGo7MlAAAAQOfolCcgqHdRcnOjVgU+oqG8DJSqctVcboYpay38lnlIwKcsvMyn6ss1cG4Jod9VoVNb2bPMNBYLO23NPtqOZEMAAABAtp3KHPfU1+yB51uQ/MqHSrzeEj/ScAGAqpBHm25I3o1n7ST58Z2FuidYdPVCzSDccj5pYzZKH5QlRSsmmmeZ/QAAAEAo+hOThlW+H4oVnLrKWnLqGQwwCJ4ZzSdKVW82xPbhn1VLNMB3eQQnu92N0+3iRIMo84XYGzDo5Dsv/6Anhhl5AAAAQBqLOPOY+nEgSYmNf7ee4Kd2aHkSmc36Ce/A5Qessh7XQwHvW/1IvkVerrbhZ4JVgnWAqOTo4UFR0VEKgqPy5ykAAABAJxVqukEm0kqB86Uoy/sn9WiG+ECp9uhuF6RLlP6TGVhLjiL93h5aLjvYqluo2FhBlOshkKz4MrhH8To9JKefTQ==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key6 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key6
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key6	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key6	2014-02-10 01:13:33.031519675 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAADA5r1pKslmRXkEA/3Q9b64ub+S7RAAf8NlBGQZ3QbAXFtbL0js+YnkziaRCZecu0C0oK0k0iSD0e4xWtTMsVNCaDUmkcUk9t2ObCnSJM8kaXOuyGxb9rFAGoUNG5rRu4y87Eewbw+Mf0XT/I8xkpnFQz3bwrMFO0fe0uzUpMrv1hSDPci7Yi8xftB2uAV/6N4/hEgK1eg+SmGQSk8kj7OXAnNX4dMORjE5gVxv1P1axbgXKkUjDstjGKBPFFXYTlqLAAAAAwEAAQAAAMBqf9hPuF+tBzs0QG23T41hpqvBIZapYd15Vl6dpuUYe84tmAJQ9zWVdTWScNkVkLsOQnxxRgtV1RQQsZG88wn+oTGpLI5wJzj6cZ8eAEH1LkDpHyKfTZah5vFy4VWWtFEKba7CYQXyvrxTMWuHvfITEWZgcOjf7mnVLHGpdsqueccraNKFgNxobZ9RKdIl+Cs9YVUTqIKz25FBa0jOCIiCE+N+65r4ANgcqzKM5CBomQPADHtf0xt1UDptQZaE1ikAAABg+OuX6Y3xJmTu/bdhWWpp3c0Odtrs5u1L9aG1CsCG95KKTS+HJqd+UVt02kGYjyILHMh6ofyBDOmagvLRzoIe3O15TGlB9Cx6GguMTSjHXsYLZSJ59hVKdirtFl1H3uNnAAAAYO1NcdCm4kuTwuX2tLvgX1+wr6BC0gT+M3jTZcLyiLao2tfv5F0VPu9Aysx7gf+TQALRCJlLlKXkcozZyWM3WuSZZb2lXL8O/tjWVTtAJ/LYYgim5rSJwXYSgJLWKeSdPQAAAGArtovd+wxPVshVi/+viS2AQwN4Qef6gc+mGjjF45uQHI7nESKl2iInvWze60gUUsEq09YdXk93agq1Vlkb7+Plnlp/3bg0Xh8vNbn0zuV8MkFMCGrsmT6TU+SA2e7GKJ8AAABgT/iXcJ+tB5dGSUV45w/YVGEw7qtWJ8SbCA8F7krZ8+S3
 y6nWpd/xE6QcNAkzaDPxkIFtimvELpvsVrdWfQ88nGltthmyRdkB3YVtt8gJLnfpoczNVu5NukLF/bYa7CZpAAAAYHe50RN7UEBKmCcpMW76/H3+ZtNOWhgmANXzCgqFEgUcVg0IHU0KGDXsPSWmD05NaqlIsr89u1sSTLvDSJJVo6lINy9peElnRflD4dtPGDgs6qUF38ZXV7s/hXpY3OUhVg==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key7 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key7
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key7	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key7	2014-02-10 01:13:33.031519675 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAADA5r1pKslmRXkEA/3Q9b64ub+S7RAAf8NlBGQZ3QbAXFtbL0js+YnkziaRCZecu0C0oK0k0iSD0e4xWtTMsVNCaDUmkcUk9t2ObCnSJM8kaXOuyGxb9rFAGoUNG5rRu4y87Eewbw+Mf0XT/I8xkpnFQz3bwrMFO0fe0uzUpMrv1hSDPci7Yi8xftB2uAV/6N4/hEgK1eg+SmGQSk8kj7OXAnNX4dMORjE5gVxv1P1axbgXKkUjDstjGKBPFFXYTlqLAAAAAwEAAQAAAMBqf9hPuF+tBzs0QG23T41hpqvBIZapYd15Vl6dpuUYe84tmAJQ9zWVdTWScNkVkLsOQnxxRgtV1RQQsZG88wn+oTGpLI5wJzj6cZ8eAEH1LkDpHyKfTZah5vFy4VWWtFEKba7CYQXyvrxTMWuHvfITEWZgcOjf7mnVLHGpdsqueccraNKFgNxobZ9RKdIl+Cs9YVUTqIKz25FBa0jOCIiCE+N+65r4ANgcqzKM5CBomQPADHtf0xt1UDptQZaE1ikAAABg+OuX6Y3xJmTu/bdhWWpp3c0Odtrs5u1L9aG1CsCG95KKTS+HJqd+UVt02kGYjyILHMh6ofyBDOmagvLRzoIe3O15TGlB9Cx6GguMTSjHXsYLZSJ59hVKdirtFl1H3uNnAAAAYO1NcdCm4kuTwuX2tLvgX1+wr6BC0gT+M3jTZcLyiLao2tfv5F0VPu9Aysx7gf+TQALRCJlLlKXkcozZyWM3WuSZZb2lXL8O/tjWVTtAJ/LYYgim5rSJwXYSgJLWKeSdPQAAAGArtovd+wxPVshVi/+viS2AQwN4Qef6gc+mGjjF45uQHI7nESKl2iInvWze60gUUsEq09YdXk93agq1Vlkb7+Plnlp/3bg0Xh8vNbn0zuV8MkFMCGrsmT6TU+SA2e7GKJ8AAABgT/iXcJ+tB5dGSUV45w/YVGEw7qtWJ8SbCA8F7krZ8+S3
 y6nWpd/xE6QcNAkzaDPxkIFtimvELpvsVrdWfQ88nGltthmyRdkB3YVtt8gJLnfpoczNVu5NukLF/bYa7CZpAAAAYHe50RN7UEBKmCcpMW76/H3+ZtNOWhgmANXzCgqFEgUcVg0IHU0KGDXsPSWmD05NaqlIsr89u1sSTLvDSJJVo6lINy9peElnRflD4dtPGDgs6qUF38ZXV7s/hXpY3OUhVg==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key8 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key8
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key8	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key8	2014-02-10 01:13:33.031519675 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAADA5r1pKslmRXkEA/3Q9b64ub+S7RAAf8NlBGQZ3QbAXFtbL0js+YnkziaRCZecu0C0oK0k0iSD0e4xWtTMsVNCaDUmkcUk9t2ObCnSJM8kaXOuyGxb9rFAGoUNG5rRu4y87Eewbw+Mf0XT/I8xkpnFQz3bwrMFO0fe0uzUpMrv1hSDPci7Yi8xftB2uAV/6N4/hEgK1eg+SmGQSk8kj7OXAnNX4dMORjE5gVxv1P1axbgXKkUjDstjGKBPFFXYTlqLAAAAAwEAAQAAAMBqf9hPuF+tBzs0QG23T41hpqvBIZapYd15Vl6dpuUYe84tmAJQ9zWVdTWScNkVkLsOQnxxRgtV1RQQsZG88wn+oTGpLI5wJzj6cZ8eAEH1LkDpHyKfTZah5vFy4VWWtFEKba7CYQXyvrxTMWuHvfITEWZgcOjf7mnVLHGpdsqueccraNKFgNxobZ9RKdIl+Cs9YVUTqIKz25FBa0jOCIiCE+N+65r4ANgcqzKM5CBomQPADHtf0xt1UDptQZaE1ikAAABg+OuX6Y3xJmTu/bdhWWpp3c0Odtrs5u1L9aG1CsCG95KKTS+HJqd+UVt02kGYjyILHMh6ofyBDOmagvLRzoIe3O15TGlB9Cx6GguMTSjHXsYLZSJ59hVKdirtFl1H3uNnAAAAYO1NcdCm4kuTwuX2tLvgX1+wr6BC0gT+M3jTZcLyiLao2tfv5F0VPu9Aysx7gf+TQALRCJlLlKXkcozZyWM3WuSZZb2lXL8O/tjWVTtAJ/LYYgim5rSJwXYSgJLWKeSdPQAAAGArtovd+wxPVshVi/+viS2AQwN4Qef6gc+mGjjF45uQHI7nESKl2iInvWze60gUUsEq09YdXk93agq1Vlkb7+Plnlp/3bg0Xh8vNbn0zuV8MkFMCGrsmT6TU+SA2e7GKJ8AAABgT/iXcJ+tB5dGSUV45w/YVGEw7qtWJ8SbCA8F7krZ8+S3
 y6nWpd/xE6QcNAkzaDPxkIFtimvELpvsVrdWfQ88nGltthmyRdkB3YVtt8gJLnfpoczNVu5NukLF/bYa7CZpAAAAYHe50RN7UEBKmCcpMW76/H3+ZtNOWhgmANXzCgqFEgUcVg0IHU0KGDXsPSWmD05NaqlIsr89u1sSTLvDSJJVo6lINy9peElnRflD4dtPGDgs6qUF38ZXV7s/hXpY3OUhVg==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key9 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key9
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key9	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/key9	2014-02-10 01:13:33.031519675 +0400
+@@ -0,0 +1 @@
++AAAAAQAAAADA5r1pKslmRXkEA/3Q9b64ub+S7RAAf8NlBGQZ3QbAXFtbL0js+YnkziaRCZecu0C0oK0k0iSD0e4xWtTMsVNCaDUmkcUk9t2ObCnSJM8kaXOuyGxb9rFAGoUNG5rRu4y87Eewbw+Mf0XT/I8xkpnFQz3bwrMFO0fe0uzUpMrv1hSDPci7Yi8xftB2uAV/6N4/hEgK1eg+SmGQSk8kj7OXAnNX4dMORjE5gVxv1P1axbgXKkUjDstjGKBPFFXYTlqLAAAAAwEAAQAAAMBqf9hPuF+tBzs0QG23T41hpqvBIZapYd15Vl6dpuUYe84tmAJQ9zWVdTWScNkVkLsOQnxxRgtV1RQQsZG88wn+oTGpLI5wJzj6cZ8eAEH1LkDpHyKfTZah5vFy4VWWtFEKba7CYQXyvrxTMWuHvfITEWZgcOjf7mnVLHGpdsqueccraNKFgNxobZ9RKdIl+Cs9YVUTqIKz25FBa0jOCIiCE+N+65r4ANgcqzKM5CBomQPADHtf0xt1UDptQZaE1ikAAABg+OuX6Y3xJmTu/bdhWWpp3c0Odtrs5u1L9aG1CsCG95KKTS+HJqd+UVt02kGYjyILHMh6ofyBDOmagvLRzoIe3O15TGlB9Cx6GguMTSjHXsYLZSJ59hVKdirtFl1H3uNnAAAAYO1NcdCm4kuTwuX2tLvgX1+wr6BC0gT+M3jTZcLyiLao2tfv5F0VPu9Aysx7gf+TQALRCJlLlKXkcozZyWM3WuSZZb2lXL8O/tjWVTtAJ/LYYgim5rSJwXYSgJLWKeSdPQAAAGArtovd+wxPVshVi/+viS2AQwN4Qef6gc+mGjjF45uQHI7nESKl2iInvWze60gUUsEq09YdXk93agq1Vlkb7+Plnlp/3bg0Xh8vNbn0zuV8MkFMCGrsmT6TU+SA2e7GKJ8AAABgT/iXcJ+tB5dGSUV45w/YVGEw7qtWJ8SbCA8F7krZ8+S3
 y6nWpd/xE6QcNAkzaDPxkIFtimvELpvsVrdWfQ88nGltthmyRdkB3YVtt8gJLnfpoczNVu5NukLF/bYa7CZpAAAAYHe50RN7UEBKmCcpMW76/H3+ZtNOWhgmANXzCgqFEgUcVg0IHU0KGDXsPSWmD05NaqlIsr89u1sSTLvDSJJVo6lINy9peElnRflD4dtPGDgs6qUF38ZXV7s/hXpY3OUhVg==
+\ No newline at end of file
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash0 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash0
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash0	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash0	2014-02-10 01:13:33.031519675 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash1	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash1	2014-02-10 01:13:33.031519675 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash10 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash10
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash10	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash10	2014-02-10 01:13:33.031519675 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash11 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash11
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash11	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash11	2014-02-10 01:13:33.031519675 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash12 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash12
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash12	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash12	2014-02-10 01:13:33.031519675 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash13 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash13
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash13	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash13	2014-02-10 01:13:33.031519675 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash14 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash14
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash14	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash14	2014-02-10 01:13:33.031519675 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash15 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash15
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash15	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash15	2014-02-10 01:13:33.031519675 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash16 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash16
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash16	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash16	2014-02-10 01:13:33.031519675 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash17 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash17
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash17	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash17	2014-02-10 01:13:33.031519675 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash2 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash2
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash2	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash2	2014-02-10 01:13:33.032519658 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash3 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash3
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash3	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash3	2014-02-10 01:13:33.032519658 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash4 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash4
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash4	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash4	2014-02-10 01:13:33.032519658 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash5 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash5
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash5	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash5	2014-02-10 01:13:33.032519658 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash6 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash6
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash6	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash6	2014-02-10 01:13:33.032519658 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash7 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash7
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash7	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash7	2014-02-10 01:13:33.032519658 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash8 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash8
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash8	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash8	2014-02-10 01:13:33.032519658 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash9 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash9
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash9	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/maskhash9	2014-02-10 01:13:33.032519658 +0400
+@@ -0,0 +1 @@
++sha1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/numtests seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/numtests
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/numtests	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/numtests	2014-02-10 01:13:33.032519658 +0400
+@@ -0,0 +1 @@
++18
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext0 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext0
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext0	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext0	2014-02-10 01:13:33.032519658 +0400
+@@ -0,0 +1 @@
++zYtlOMuOjeVmtovQZ1advx7icY4=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext1	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext1	2014-02-10 01:13:33.032519658 +0400
+@@ -0,0 +1 @@
++41vvwXodFguc41+9jrFufuSR0/0=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext10 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext10
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext10	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext10	2014-02-10 01:13:33.032519658 +0400
+@@ -0,0 +1 @@
++altL5M02zJff3pmV77+PCXpKmRo=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext11 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext11
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext11	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext11	2014-02-10 01:13:33.032519658 +0400
+@@ -0,0 +1 @@
++ud/R33akYcUeZXbGyO0Kkj0cUOc=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext12 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext12
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext12	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext12	2014-02-10 01:13:33.032519658 +0400
+@@ -0,0 +1 @@
++lZa7Ywz2qNTqRgBCK566ixNnXdQ=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext13 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext13
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext13	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext13	2014-02-10 01:13:33.032519658 +0400
+@@ -0,0 +1 @@
++tQMxk5knf9bByPEDPL8EGZ6iFxY=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext14 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext14
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext14	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext14	2014-02-10 01:13:33.032519658 +0400
+@@ -0,0 +1 @@
++UKrt6FNrLDByCLJ1pnri3xlsdig=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext15 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext15
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext15	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext15	2014-02-10 01:13:33.032519659 +0400
+@@ -0,0 +1 @@
++qgtyuLNx3dEMiuR0QlzMz4hCopQ=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext16 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext16
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext16	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext16	2014-02-10 01:13:33.032519659 +0400
+@@ -0,0 +1 @@
+++tOQLJdQYiorxnJiLEgnDMV9Pqg=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext17 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext17
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext17	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext17	2014-02-10 01:13:33.032519659 +0400
+@@ -0,0 +1 @@
++EiGW3rXRIr2Mb8eB/2kk18aVqt4=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext2 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext2
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext2	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext2	2014-02-10 01:13:33.032519659 +0400
+@@ -0,0 +1 @@
++BlLsZ7zuMPnSaZEiuRwZq9uon5E=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext3 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext3
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext3	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext3	2014-02-10 01:13:33.032519659 +0400
+@@ -0,0 +1 @@
++OcIcTM7anBrfg5x0ThISpkN1dew=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext4 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext4
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext4	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext4	2014-02-10 01:13:33.032519659 +0400
+@@ -0,0 +1 @@
++NtrpE7d70XyubnsJRT0kVEzrszw=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext5 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext5
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext5	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext5	2014-02-10 01:13:33.032519659 +0400
+@@ -0,0 +1 @@
++Re7xkfT3nDH+XS7eflCYmU6SnS0=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext6 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext6
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext6	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext6	2014-02-10 01:13:33.032519659 +0400
+@@ -0,0 +1 @@
++JxWkm4sAEs167oTBFkRubf4/rsA=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext7 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext7
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext7	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext7	2014-02-10 01:13:33.032519659 +0400
+@@ -0,0 +1 @@
++LayVbVOWR0isNk0GWVgnxrTxQ80=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext8 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext8
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext8	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext8	2014-02-10 01:13:33.032519659 +0400
+@@ -0,0 +1 @@
++KNmMRszK+9O8BOcvlnpUvT6hIpg=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext9 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext9
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext9	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/plaintext9	2014-02-10 01:13:33.032519659 +0400
+@@ -0,0 +1 @@
++CGbS/1p58l72aM1vMbQt7kIeTA4=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed0 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed0
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed0	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed0	2014-02-10 01:13:33.032519659 +0400
+@@ -0,0 +1 @@
++3ulZx+BkETYUIP+AGF7Vfz5ndq8=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed1	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed1	2014-02-10 01:13:33.032519659 +0400
+@@ -0,0 +1 @@
++7yhp+kDDRssYPas9e//Jj9Vt9C0=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed10 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed10
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed10	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed10	2014-02-10 01:13:33.032519659 +0400
+@@ -0,0 +1 @@
++1okleobv+mghLF4MYZ7KKV+5G2c=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed11 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed11
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed11	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed11	2014-02-10 01:13:33.032519659 +0400
+@@ -0,0 +1 @@
++wl8Tv2fQgWcaBIGh8YINYTu6InY=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed12 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed12
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed12	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed12	2014-02-10 01:13:33.032519659 +0400
+@@ -0,0 +1 @@
++BOIV7m/5NLnacNdzDIc0q/zs3ok=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed13 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed13
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed13	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed13	2014-02-10 01:13:33.033519641 +0400
+@@ -0,0 +1 @@
++iyvdS0D69UXHeN35vBpJy1f5txs=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed14 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed14
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed14	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed14	2014-02-10 01:13:33.033519641 +0400
+@@ -0,0 +1 @@
++Tpb8GzmPkrRGcQEMDcPv1uIMLXM=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed15 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed15
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed15	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed15	2014-02-10 01:13:33.033519641 +0400
+@@ -0,0 +1 @@
++x81pjYS2USjYg146ix6w4By1Qew=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed16 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed16
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed16	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed16	2014-02-10 01:13:33.033519641 +0400
+@@ -0,0 +1 @@
++76i/+WISsvSj83GhDVdBUmVfXfs=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed17 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed17
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed17	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed17	2014-02-10 01:13:33.033519641 +0400
+@@ -0,0 +1 @@
++rYsVI3A2RiJLZgtVCIWRfKLR3yg=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed2 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed2
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed2	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed2	2014-02-10 01:13:33.033519641 +0400
+@@ -0,0 +1 @@
++cQucR0fYANTeh/Eq/c5t8YEHzHc=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed3 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed3
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed3	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed3	2014-02-10 01:13:33.033519641 +0400
+@@ -0,0 +1 @@
++BW8AmF3hTY71zqnoL4wnvvcgM14=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed4 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed4
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed4	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed4	2014-02-10 01:13:33.033519641 +0400
+@@ -0,0 +1 @@
++gOcP+GoI3j7GCXKzm0+/3Opnro4=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed5 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed5
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed5	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed5	2014-02-10 01:13:33.033519641 +0400
+@@ -0,0 +1 @@
++qKtp3YAfAHTCofxgZJg2xhbZloE=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed6 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed6
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed6	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed6	2014-02-10 01:13:33.033519641 +0400
+@@ -0,0 +1 @@
++wKQlMT3411ZL0kNNMRUj1SV+7YA=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed7 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed7
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed7	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed7	2014-02-10 01:13:33.033519641 +0400
+@@ -0,0 +1 @@
++swfEO0hQqNrC8V8y43g574xcDpE=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed8 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed8
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed8	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed8	2014-02-10 01:13:33.033519641 +0400
+@@ -0,0 +1 @@
++misAfoCXi7sZLDVOt9qa7fx02/U=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed9 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed9
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed9	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/bltest/tests/rsa_pss/seed9	2014-02-10 01:13:33.033519641 +0400
+@@ -0,0 +1 @@
++cPOCvd9NXS3YizvHtzCL5jK4QEU=
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/certutil/certutil.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/certutil/certutil.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/certutil/certutil.c	2013-09-16 22:26:56.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/certutil/certutil.c	2014-02-10 01:13:33.035519604 +0400
+@@ -945,7 +945,7 @@
+ {
+ #define FPS fprintf(stderr, 
+     FPS "Type %s -H for more detailed descriptions\n", progName);
+-    FPS "Usage:  %s -N [-d certdir] [-P dbprefix] [-f pwfile]\n", progName);
++    FPS "Usage:  %s -N [-d certdir] [-P dbprefix] [-f pwfile] [--empty-password]\n", progName);
+     FPS "Usage:  %s -T [-d certdir] [-P dbprefix] [-h token-name]\n"
+ 	"\t\t [-f pwfile] [-0 SSO-password]\n", progName);
+     FPS "\t%s -A -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", 
+@@ -1361,6 +1361,8 @@
+         "   -d certdir");
+     FPS "%-20s Cert & Key database prefix\n",
+         "   -P dbprefix");
++    FPS "%-20s use empty password when creating a new database\n",
++        "   --empty-password");
+     FPS "\n");
+ }
+ 
+@@ -2191,6 +2193,7 @@
+     opt_KeyOpFlagsOn,
+     opt_KeyOpFlagsOff,
+     opt_KeyAttrFlags,
++    opt_EmptyPassword,
+     opt_Help
+ };
+ 
+@@ -2298,6 +2301,8 @@
+                                                    "keyOpFlagsOff"},
+ 	{ /* opt_KeyAttrFlags        */  0,   PR_TRUE, 0, PR_FALSE, 
+                                                    "keyAttrFlags"},
++	{ /* opt_EmptyPassword       */  0,   PR_FALSE, 0, PR_FALSE, 
++                                                   "empty-password"},
+ };
+ #define NUM_OPTIONS ((sizeof options_init)  / (sizeof options_init[0]))
+ 
+@@ -2809,6 +2814,9 @@
+ 
+     /*  If creating new database, initialize the password.  */
+     if (certutil.commands[cmd_NewDBs].activated) {
++	if(certutil.options[opt_EmptyPassword].activated && (PK11_NeedUserInit(slot)))
++	    PK11_InitPin(slot, (char*)NULL, "");
++	else
+ 	SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg,
+ 				certutil.options[opt_NewPasswordFile].arg);
+     }
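Review bot: The result of `PK11_InitPin(slot, (char*)NULL, "")` is discarded in the new `--empty-password` branch, so a failed initialisation goes unreported and the database may be left without a PIN set. Check it, e.g. `if (PK11_InitPin(slot, (char*)NULL, "") != SECSuccess) SECU_PrintError(progName, "could not set an empty password");`, and take whatever error exit this function uses, which is outside the hunk. The unbraced `else` followed by an un-indented `SECU_ChangePW2` call is easy to misread, so braces on both arms would make the pairing explicit. The `--empty-password` help line added earlier in this file could also say that keys in the resulting database are not protected by a password.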
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/fipstest/fipstest.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/fipstest/fipstest.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/fipstest/fipstest.c	2013-09-16 22:26:56.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/fipstest/fipstest.c	2014-02-10 01:13:33.035519604 +0400
+@@ -3616,7 +3616,6 @@
+         goto loser;
+     }      
+     msg = PORT_ZAlloc(msgLen);
+-    memset(msg, 0, msgLen);
+     if (msg == NULL) {
+         goto loser;
+     } 
+@@ -3677,7 +3676,7 @@
+             keyLen = 0; 
+             TLen = 0;
+             memset(key, 0, sizeof key);     
+-            memset(msg, 0, sizeof msg);  
++            memset(msg, 0, msgLen);
+             memset(HMAC, 0, sizeof HMAC);
+             continue;
+         }
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/httpserv/httpserv.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/httpserv/httpserv.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/httpserv/httpserv.c	2013-09-16 22:26:56.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/httpserv/httpserv.c	2014-02-10 01:13:33.036519586 +0400
+@@ -27,6 +27,15 @@
+ #include "prnetdb.h"
+ #include "prclist.h"
+ #include "plgetopt.h"
++#include "pk11func.h"
++#include "nss.h"
++#include "nssb64.h"
++#include "sechash.h"
++#include "cert.h"
++#include "certdb.h"
++#include "ocsp.h"
++#include "ocspti.h"
++#include "ocspi.h"
+ 
+ #ifndef PORT_Sprintf
+ #define PORT_Sprintf sprintf
+@@ -42,12 +51,6 @@
+ 
+ static int handle_connection( PRFileDesc *, PRFileDesc *, int );
+ 
+-static const char inheritableSockName[] = { "SELFSERV_LISTEN_SOCKET" };
+-
+-#define DEFAULT_BULK_TEST 16384
+-#define MAX_BULK_TEST     1048576 /* 1 MB */
+-static PRBool testBulk;
+-
+ /* data and structures for shutdown */
+ static int	stopping;
+ 
+@@ -70,11 +73,23 @@
+ 
+ "Usage: %s -p port [-Dbv]\n"
+ "         [-t threads] [-i pid_file]\n"
++"         [-A nickname -C crl-filename]... [-O method]\n"
++"         [-d dbdir] [-f password_file] [-w password] [-P dbprefix]\n"
+ "-D means disable Nagle delays in TCP\n"
+ "-b means try binding to the port and exit\n"
+ "-v means verbose output\n"
+ "-t threads -- specify the number of threads to use for connections.\n"
+-"-i pid_file file to write the process id of selfserve\n"
++"-i pid_file file to write the process id of httpserv\n"
++"Parameters -A, -C and -O are used to provide an OCSP server at /ocsp?\n"
++"-A a nickname of a CA certificate\n"
++"-C a CRL filename corresponding to the preceding CA nickname\n"
++"-O allowed HTTP methods for OCSP requests: get, post, all, random, get-unknown\n"
++"   random means: randomly fail if request method is GET, POST always works\n"
++"   get-unknown means: status unknown for GET, correct status for POST\n"
++"Multiple pairs of parameters -A and -C are allowed.\n"
++"If status for a cert from an unknown CA is requested, the cert from the\n"
++"first -A parameter will be used to sign the unknown status response.\n"
++"NSS database parameters are used only if OCSP parameters are used.\n"
+ 	,progName);
+ }
+ 
+@@ -84,7 +99,7 @@
+     PRErrorCode  perr      = PR_GetError();
+     const char * errString = SECU_Strerror(perr);
+ 
+-    fprintf(stderr, "selfserv: %s returned error %d:\n%s\n",
++    fprintf(stderr, "httpserv: %s returned error %d:\n%s\n",
+             funcString, perr, errString);
+     return errString;
+ }
+@@ -96,7 +111,6 @@
+     exit(3);
+ }
+ 
+-
+ #define MAX_VIRT_SERVER_NAME_ARRAY_INDEX  10
+ 
+ /**************************************************************************
+@@ -255,7 +269,7 @@
+                         (PR_TRUE==local)?PR_LOCAL_THREAD:PR_GLOBAL_THREAD,
+                         PR_UNJOINABLE_THREAD, 0);
+ 	if (slot->prThread == NULL) {
+-	    printf("selfserv: Failed to launch thread!\n");
++	    printf("httpserv: Failed to launch thread!\n");
+ 	    slot->state = rs_idle;
+ 	    rv = SECFailure;
+ 	    break;
+@@ -277,7 +291,7 @@
+ void
+ terminateWorkerThreads(void)
+ {
+-    VLOG(("selfserv: server_thead: waiting on stopping"));
++    VLOG(("httpserv: server_thead: waiting on stopping"));
+     PZ_Lock(qLock);
+     PZ_NotifyAllCondVar(jobQNotEmptyCv);
+     while (threadCount > 0) {
+@@ -303,8 +317,25 @@
+ 
+ PRBool NoReuse         = PR_FALSE;
+ PRBool disableLocking  = PR_FALSE;
+-PRBool failedToNegotiateName  = PR_FALSE;
++static secuPWData  pwdata = { PW_NONE, 0 };
+ 
++struct caRevoInfoStr
++{
++    PRCList link;
++    char *nickname;
++    char *crlFilename;
++    CERTCertificate *cert;
++    CERTOCSPCertID *id;
++    CERTSignedCrl *crl;
++};
++typedef struct caRevoInfoStr caRevoInfo;
++/* Created during app init. No locks necessary, 
++ * because later on, only read access will occur. */
++static caRevoInfo *caRevoInfos = NULL;
++
++static enum { 
++  ocspGetOnly, ocspPostOnly, ocspGetAndPost, ocspRandomGetFailure, ocspGetUnknown
++} ocspMethodsAllowed = ocspGetAndPost;
+ 
+ static const char stopCmd[] = { "GET /stop " };
+ static const char getCmd[]  = { "GET " };
+@@ -316,6 +347,17 @@
+     "Content-type: text/plain\r\n"
+     "\r\n"
+ };
++static const char outOcspHeader[] = {
++    "HTTP/1.0 200 OK\r\n"
++    "Server: Generic OCSP Server\r\n"
++    "Content-type: application/ocsp-response\r\n"
++    "\r\n"
++};
++static const char outBadRequestHeader[] = {
++    "HTTP/1.0 400 Bad Request\r\n"
++    "Server: Generic OCSP Server\r\n"
++    "\r\n"
++};
+ 
+ void stop_server()
+ {
+@@ -324,6 +366,47 @@
+     PZ_TraceFlush();
+ }
+ 
++/* Will only work if the original input to url encoding was
++ * a base64 encoded buffer. Will only decode the sequences used
++ * for encoding the special base64 characters, and fail if any
++ * other encoded chars are found.
++ * Will return SECSuccess if input could be processed.
++ * Coversion is done in place.
++ */
++static SECStatus
++urldecode_base64chars_inplace(char *buf)
++{
++    char *walk;
++    size_t remaining_bytes;
++    
++    if (!buf || !*buf)
++	return SECFailure;
++    
++    walk = buf;
++    remaining_bytes = strlen(buf) + 1; /* include terminator */
++    
++    while (*walk) {
++	if (*walk == '%') {
++	    if (!PL_strncasecmp(walk, "%2B", 3)) {
++		*walk = '+';
++	    } else if (!PL_strncasecmp(walk, "%2F", 3)) {
++		*walk = '/';
++	    } else if (!PL_strncasecmp(walk, "%3D", 3)) {
++		*walk = '=';
++	    } else {
++		return SECFailure;
++	    }
++	    remaining_bytes -= 3;
++	    ++walk;
++	    memmove(walk, walk+2, remaining_bytes);
++	} else {
++	    ++walk;
++	    --remaining_bytes;
++	}
++    }
++    return SECSuccess;
++}
++
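Review bot: The header comment on `urldecode_base64chars_inplace` does not say that a NULL or empty `buf` returns `SECFailure`, which a caller passing an empty query string needs to know, and it misspells "Conversion". Suggested wording for its last two lines: `* Returns SECSuccess if the input could be processed; SECFailure for a NULL or empty buffer or any other %-escape.` and `* Conversion is done in place.` The `memmove` of the whole tail on every escape is quadratic in the worst case. That is harmless for a request-sized string, but separate read and write pointers would remove both the copy and the `remaining_bytes` bookkeeping.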
+ int
+ handle_connection( 
+     PRFileDesc *tcp_sock,
+@@ -333,7 +416,6 @@
+ {
+     PRFileDesc *       ssl_sock = NULL;
+     PRFileDesc *       local_file_fd = NULL;
+-    char  *            post;
+     char  *            pBuf;			/* unused space at end of buf */
+     const char *       errString;
+     PRStatus           status;
+@@ -349,16 +431,23 @@
+     char               msgBuf[160];
+     char               buf[10240];
+     char               fileName[513];
++    char *getData = NULL; /* inplace conversion */
++    SECItem postData;
++    PRBool isOcspRequest = PR_FALSE;
++    PRBool isPost;
++
++    postData.data = NULL;
++    postData.len = 0;
+ 
+     pBuf   = buf;
+     bufRem = sizeof buf;
+ 
+-    VLOG(("selfserv: handle_connection: starting"));
++    VLOG(("httpserv: handle_connection: starting"));
+     opt.option             = PR_SockOpt_Nonblocking;
+     opt.value.non_blocking = PR_FALSE;
+     PR_SetSocketOption(tcp_sock, &opt);
+ 
+-    VLOG(("selfserv: handle_connection: starting\n"));
++    VLOG(("httpserv: handle_connection: starting\n"));
+ 	ssl_sock = tcp_sock;
+ 
+     if (noDelay) {
+@@ -375,8 +464,13 @@
+     }
+ 
+     while (1) {
++	const char *post;
++	const char *foundStr = NULL;
++	const char *tmp = NULL;
++
+ 	newln = 0;
+ 	reqLen     = 0;
++
+ 	rv = PR_Read(ssl_sock, pBuf, bufRem - 1);
+ 	if (rv == 0 || 
+ 	    (rv < 0 && PR_END_OF_FILE_ERROR == PR_GetError())) {
+@@ -426,8 +520,23 @@
+ 	if (!post || *post != 'P') 
+ 	    break;
+ 
++	postData.data = (void*)(buf + reqLen);
++	
++	tmp = "content-length: ";
++	foundStr = PL_strcasestr(buf, tmp);
++	if (foundStr) {
++	    int expectedPostLen;
++	    int havePostLen;
++	    
++	    expectedPostLen = atoi(foundStr+strlen(tmp));
++	    havePostLen = bufDat - reqLen;
++	    if (havePostLen >= expectedPostLen) {
++		postData.len = expectedPostLen;
++		break;
++	    }
++	} else {
++	    /* use legacy hack */
+ 	/* It's a post, so look for the next and final CR/LF. */
+-	/* We should parse content length here, but ... */
+ 	while (reqLen < bufDat && newln < 3) {
+ 	    int octet = buf[reqLen++];
+ 	    if (octet == '\n') {
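Review bot: The `Content-Length` value from `atoi(foundStr+strlen(tmp))` is never range-checked. A negative value therefore satisfies `havePostLen >= expectedPostLen` and is stored into the unsigned `postData.len`, which the later `CERT_DecodeOCSPRequest(&postData)` call would read as a very large length over the 10240-byte `buf`. Rejecting negatives before the comparison closes this, for example `if (expectedPostLen < 0) break;` placed ahead of `havePostLen = bufDat - reqLen;`, which leaves `postData.len` at 0. `PL_strcasestr(buf, tmp)` also searches the whole buffer rather than only the header block that ends at `reqLen`, so a body containing the string could be matched when the header is absent. The read loop starts and ends outside this hunk.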
+@@ -436,29 +545,63 @@
+ 	}
+ 	if (newln == 3)
+ 	    break;
++	}
+     } /* read loop */
+ 
+     bufDat = pBuf - buf;
+     if (bufDat) do {	/* just close if no data */
+ 	/* Have either (a) a complete get, (b) a complete post, (c) EOF */
+-	if (reqLen > 0 && !strncmp(buf, getCmd, sizeof getCmd - 1)) {
+-	    char *      fnBegin = buf + 4;
++	if (reqLen > 0) {
++	    PRBool isGetOrPost = PR_FALSE;
++	    unsigned skipChars = 0;
++	    isPost = PR_FALSE;
++	    
++	    if (!strncmp(buf, getCmd, sizeof getCmd - 1)) {
++		isGetOrPost = PR_TRUE;
++		skipChars = 4;
++	    }
++	    else if (!strncmp(buf, "POST ", 5)) {
++		isGetOrPost = PR_TRUE;
++		isPost = PR_TRUE;
++		skipChars = 5;
++	    }
++	    
++	    if (isGetOrPost) {
++		char *      fnBegin = buf;
+ 	    char *      fnEnd;
++		char *      fnstart = NULL;
+ 	    PRFileInfo  info;
+-	    /* try to open the file named.  
+-	     * If successful, then write it to the client.
+-	     */
++		
++		fnBegin += skipChars;
++		
+ 	    fnEnd = strpbrk(fnBegin, " \r\n");
+ 	    if (fnEnd) {
+ 		int fnLen = fnEnd - fnBegin;
+ 		if (fnLen < sizeof fileName) {
+-                    char *fnstart;
+                     strncpy(fileName, fnBegin, fnLen);
+                     fileName[fnLen] = 0;	/* null terminate */
+                     fnstart = fileName;
+                     /* strip initial / because our root is the current directory*/
+                     while (*fnstart && *fnstart=='/')
+                         ++fnstart;
++		    }
++		}
++		if (fnstart) {
++		    if (!strncmp(fnstart, "ocsp", 4)) {
++			if (isPost) {
++			    if (postData.data) {
++				isOcspRequest = PR_TRUE;
++			    }
++			} else {
++			    if (!strncmp(fnstart, "ocsp/", 5)) {
++				isOcspRequest = PR_TRUE;
++				getData = fnstart + 5;
++			    }
++			}
++		    } else {
++			/* try to open the file named.  
++			* If successful, then write it to the client.
++			*/
+ 		    status = PR_GetFileInfo(fnstart, &info);
+ 		    if (status == PR_SUCCESS &&
+ 			info.type == PR_FILE_FILE &&
+@@ -468,6 +611,7 @@
+ 		}
+ 	    }
+ 	}
++	}
+ 
+ 	numIOVs = 0;
+ 
+@@ -475,7 +619,147 @@
+ 	iovs[numIOVs].iov_len  = (sizeof(outHeader)) - 1;
+ 	numIOVs++;
+ 
+-	if (local_file_fd) {
++	if (isOcspRequest && caRevoInfos) {
++	    CERTOCSPRequest *request = NULL;
++	    PRBool failThisRequest = PR_FALSE;
++	    
++	    if (ocspMethodsAllowed == ocspGetOnly && postData.len) {
++		failThisRequest = PR_TRUE;
++	    } else if (ocspMethodsAllowed == ocspPostOnly && getData) {
++		failThisRequest = PR_TRUE;
++	    } else if (ocspMethodsAllowed == ocspRandomGetFailure && getData) {
++		if (!(rand() % 2)) {
++		    failThisRequest = PR_TRUE;
++		}
++	    }
++	    
++	    if (failThisRequest) {
++		PR_Write(ssl_sock, outBadRequestHeader, strlen(outBadRequestHeader));
++		break;
++	    }
++	    /* get is base64, post is binary.
++	     * If we have base64, convert into the (empty) postData array.
++	     */
++	    if (getData) {
++		if (urldecode_base64chars_inplace(getData) == SECSuccess) {
++		    NSSBase64_DecodeBuffer(NULL, &postData, getData, strlen(getData));
++		}
++	    }
++	    if (postData.len) {
++		request = CERT_DecodeOCSPRequest(&postData);
++	    }
++	    if (!request || !request->tbsRequest || 
++	        !request->tbsRequest->requestList ||
++	        !request->tbsRequest->requestList[0]) {
++		PORT_Sprintf(msgBuf, "Cannot decode OCSP request.\r\n");
++
++		iovs[numIOVs].iov_base = msgBuf;
++		iovs[numIOVs].iov_len  = PORT_Strlen(msgBuf);
++		numIOVs++;
++	    } else {
++	      /* TODO: support more than one request entry */
++	      CERTOCSPCertID *reqid = request->tbsRequest->requestList[0]->reqCert;
++	      const caRevoInfo *revoInfo = NULL;
++	      PRBool unknown = PR_FALSE;
++	      PRBool revoked = PR_FALSE;
++	      PRTime nextUpdate = 0;
++	      PRTime revoDate = 0;
++	      PRCList *caRevoIter;
++
++	      caRevoIter = &caRevoInfos->link;
++	      do {
++		  CERTOCSPCertID *caid;
++
++		  revoInfo = (caRevoInfo*)caRevoIter;
++		  caid = revoInfo->id;
++		  
++		  if (SECOID_CompareAlgorithmID(&reqid->hashAlgorithm, 
++		                                &caid->hashAlgorithm) == SECEqual
++		      &&
++		      SECITEM_CompareItem(&reqid->issuerNameHash,
++					  &caid->issuerNameHash) == SECEqual
++		      &&
++		      SECITEM_CompareItem(&reqid->issuerKeyHash,
++					  &caid->issuerKeyHash) == SECEqual) {
++		      break;
++		  }
++		  revoInfo = NULL;
++		  caRevoIter = PR_NEXT_LINK(caRevoIter);
++	      } while (caRevoIter != &caRevoInfos->link);
++	      
++	      if (!revoInfo) {
++		  unknown = PR_TRUE;
++		  revoInfo = caRevoInfos;
++	      } else {
++		  CERTCrl *crl = &revoInfo->crl->crl;
++		  CERTCrlEntry *entry = NULL;
++		  DER_DecodeTimeChoice(&nextUpdate, &crl->nextUpdate);
++		  if (crl->entries) {
++		      int iv = 0;
++		      /* assign, not compare */
++		      while ((entry = crl->entries[iv++])) {
++			  if (SECITEM_CompareItem(&reqid->serialNumber,
++						  &entry->serialNumber) == SECEqual) {
++			      break;
++			  }
++		      }
++		  }
++		  if (entry) {
++		      /* revoked status response */
++		      revoked = PR_TRUE;
++		      DER_DecodeTimeChoice(&revoDate, &entry->revocationDate);
++		  } else {
++		      /* else good status response */
++		      if (!isPost && ocspMethodsAllowed == ocspGetUnknown) {
++			  unknown = PR_TRUE;
++			  nextUpdate = PR_Now() + 60*60*24 * PR_USEC_PER_SEC; /*tomorrow*/
++			  revoDate = PR_Now() - 60*60*24 * PR_USEC_PER_SEC; /*yesterday*/
++		      }
++		  }
++	      }
++
++	      {
++		  PRTime now = PR_Now();
++		  PLArenaPool *arena = NULL;
++		  CERTOCSPSingleResponse *sr;
++		  CERTOCSPSingleResponse **singleResponses;
++		  SECItem *ocspResponse;
++		  
++		  arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
++		  
++		  if (unknown) {
++		      sr = CERT_CreateOCSPSingleResponseUnknown(arena, reqid, now,
++								&nextUpdate);
++		  } else if (revoked) {
++		      sr = CERT_CreateOCSPSingleResponseRevoked(arena, reqid, now,
++			  &nextUpdate, revoDate, NULL);
++		  } else {
++		      sr = CERT_CreateOCSPSingleResponseGood(arena, reqid, now,
++							    &nextUpdate);
++		  }
++		  
++		  /* meaning of value 2: one entry + one end marker */
++		  singleResponses = PORT_ArenaNewArray(arena, CERTOCSPSingleResponse*, 2);
++		  singleResponses[0] = sr;
++		  singleResponses[1] = NULL;
++		  ocspResponse = CERT_CreateEncodedOCSPSuccessResponse(arena, 
++				      revoInfo->cert, ocspResponderID_byName, now,
++				      singleResponses, &pwdata);
++		  
++		  if (!ocspResponse) {
++		      PORT_Sprintf(msgBuf, "Failed to encode response\r\n");
++		      iovs[numIOVs].iov_base = msgBuf;
++		      iovs[numIOVs].iov_len  = PORT_Strlen(msgBuf);
++		      numIOVs++;
++		  } else {
++		      PR_Write(ssl_sock, outOcspHeader, strlen(outOcspHeader));
++		      PR_Write(ssl_sock, ocspResponse->data, ocspResponse->len);
++		      PORT_FreeArena(arena, PR_FALSE);
++		  }
++	      }
++	      break;
++	    }
++	} else if (local_file_fd) {
+ 	    PRInt32     bytes;
+ 	    int         errLen;
+             bytes = PR_TransmitFile(ssl_sock, local_file_fd, outHeader,
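Review bot: In the response-building block, `arena` is freed only on the success branch, so the "Failed to encode response" path leaks it when `CERT_CreateEncodedOCSPSuccessResponse` returns NULL. The result of `PORT_NewArena(DER_DEFAULT_CHUNKSIZE)` is also used without a NULL check. Moving `PORT_FreeArena(arena, PR_FALSE);` to after the `if (!ocspResponse) … else …` and adding an `if (!arena)` guard before the `CERT_CreateOCSPSingleResponse*` calls would cover both. Within this hunk the decoded `request` is never passed to `CERT_DestroyOCSPRequest`, and the buffer that `NSSBase64_DecodeBuffer(NULL, &postData, …)` allocates for a GET is not freed before the `break`. Each OCSP request therefore appears to leak unless cleanup happens in code outside the hunk.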
+@@ -485,7 +769,7 @@
+             if (bytes >= 0) {
+                 bytes -= sizeof outHeader - 1;
+                 FPRINTF(stderr, 
+-                        "selfserv: PR_TransmitFile wrote %d bytes from %s\n",
++                        "httpserv: PR_TransmitFile wrote %d bytes from %s\n",
+                         bytes, fileName);
+                 break;
+             }
+@@ -523,13 +807,6 @@
+ 	    numIOVs++;
+ 	}
+ 
+-        /* Don't add the EOF if we want to test bulk encryption */
+-        if (!testBulk) {
+-            iovs[numIOVs].iov_base = (char *)EOFmsg;
+-            iovs[numIOVs].iov_len  = sizeof EOFmsg - 1;
+-            numIOVs++;
+-        }
+-
+ 	rv = PR_Writev(ssl_sock, iovs, numIOVs, PR_INTERVAL_NO_TIMEOUT);
+ 	if (rv < 0) {
+ 	    errWarn("PR_Writev");
+@@ -546,14 +823,14 @@
+     }
+     if (local_file_fd)
+ 	PR_Close(local_file_fd);
+-    VLOG(("selfserv: handle_connection: exiting\n"));
++    VLOG(("httpserv: handle_connection: exiting\n"));
+ 
+     /* do a nice shutdown if asked. */
+     if (!strncmp(buf, stopCmd, sizeof stopCmd - 1)) {
+-        VLOG(("selfserv: handle_connection: stop command"));
++        VLOG(("httpserv: handle_connection: stop command"));
+         stop_server();
+     }
+-    VLOG(("selfserv: handle_connection: exiting"));
++    VLOG(("httpserv: handle_connection: exiting"));
+     return SECSuccess;	/* success */
+ }
+ 
+@@ -561,7 +838,7 @@
+ 
+ void sigusr1_handler(int sig)
+ {
+-    VLOG(("selfserv: sigusr1_handler: stop server"));
++    VLOG(("httpserv: sigusr1_handler: stop server"));
+     stop_server();
+ }
+ 
+@@ -580,7 +857,7 @@
+     struct sigaction act;
+ #endif
+ 
+-    VLOG(("selfserv: do_accepts: starting"));
++    VLOG(("httpserv: do_accepts: starting"));
+     PR_SetThreadPriority( PR_GetCurrentThread(), PR_PRIORITY_HIGH);
+ 
+     acceptorThread = PR_GetCurrentThread();
+@@ -598,7 +875,7 @@
+ 	PRFileDesc *tcp_sock;
+ 	PRCList    *myLink;
+ 
+-	FPRINTF(stderr, "\n\n\nselfserv: About to call accept.\n");
++	FPRINTF(stderr, "\n\n\nhttpserv: About to call accept.\n");
+ 	tcp_sock = PR_Accept(listen_sock, &addr, PR_INTERVAL_NO_TIMEOUT);
+ 	if (tcp_sock == NULL) {
+     	    perr      = PR_GetError();
+@@ -615,7 +892,7 @@
+ 	    break;
+ 	}
+ 
+-        VLOG(("selfserv: do_accept: Got connection\n"));
++        VLOG(("httpserv: do_accept: Got connection\n"));
+ 
+ 	PZ_Lock(qLock);
+ 	while (PR_CLIST_IS_EMPTY(&freeJobs) && !stopping) {
+@@ -645,8 +922,8 @@
+ 	PZ_Unlock(qLock);
+     }
+ 
+-    FPRINTF(stderr, "selfserv: Closing listen socket.\n");
+-    VLOG(("selfserv: do_accepts: exiting"));
++    FPRINTF(stderr, "httpserv: Closing listen socket.\n");
++    VLOG(("httpserv: do_accepts: exiting"));
+     if (listen_sock) {
+         PR_Close(listen_sock);
+     }
+@@ -755,10 +1032,94 @@
+     return newProcess;
+ }
+ 
++/* slightly adjusted version of ocsp_CreateCertID (not using issuer) */
++static CERTOCSPCertID *
++ocsp_CreateSelfCAID(PLArenaPool *arena, CERTCertificate *cert, PRTime time)
++{
++    CERTOCSPCertID *certID;
++    void *mark = PORT_ArenaMark(arena);
++    SECStatus rv;
++
++    PORT_Assert(arena != NULL);
++
++    certID = PORT_ArenaZNew(arena, CERTOCSPCertID);
++    if (certID == NULL) {
++	goto loser;
++    }
++
++    rv = SECOID_SetAlgorithmID(arena, &certID->hashAlgorithm, SEC_OID_SHA1,
++			       NULL);
++    if (rv != SECSuccess) {
++	goto loser; 
++    }
++
++    if (CERT_GetSubjectNameDigest(arena, cert, SEC_OID_SHA1,
++                                  &(certID->issuerNameHash)) == NULL) {
++        goto loser;
++    }
++    certID->issuerSHA1NameHash.data = certID->issuerNameHash.data;
++    certID->issuerSHA1NameHash.len = certID->issuerNameHash.len;
++
++    if (CERT_GetSubjectNameDigest(arena, cert, SEC_OID_MD5,
++                                  &(certID->issuerMD5NameHash)) == NULL) {
++        goto loser;
++    }
++
++    if (CERT_GetSubjectNameDigest(arena, cert, SEC_OID_MD2,
++                                  &(certID->issuerMD2NameHash)) == NULL) {
++        goto loser;
++    }
++
++    if (CERT_GetSubjectPublicKeyDigest(arena, cert, SEC_OID_SHA1,
++				       &certID->issuerKeyHash) == NULL) {
++	goto loser;
++    }
++    certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data;
++    certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len;
++    /* cache the other two hash algorithms as well */
++    if (CERT_GetSubjectPublicKeyDigest(arena, cert, SEC_OID_MD5,
++				       &certID->issuerMD5KeyHash) == NULL) {
++	goto loser;
++    }
++    if (CERT_GetSubjectPublicKeyDigest(arena, cert, SEC_OID_MD2,
++				       &certID->issuerMD2KeyHash) == NULL) {
++	goto loser;
++    }
++
++    PORT_ArenaUnmark(arena, mark);
++    return certID;
++
++loser:
++    PORT_ArenaRelease(arena, mark);
++    return NULL;
++}
++
++/* slightly adjusted version of CERT_CreateOCSPCertID */
++CERTOCSPCertID*
++cert_CreateSelfCAID(CERTCertificate *cert, PRTime time)
++{
++    PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
++    CERTOCSPCertID *certID;
++    PORT_Assert(arena != NULL);
++    if (!arena)
++	return NULL;
++    
++    certID = ocsp_CreateSelfCAID(arena, cert, time);
++    if (!certID) {
++	PORT_FreeArena(arena, PR_FALSE);
++	return NULL;
++    }
++    certID->poolp = arena;
++    return certID;
++}
++
+ int
+ main(int argc, char **argv)
+ {
+     char *               progName    = NULL;
++    const char *         dir         = ".";
++    char *               passwd      = NULL;
++    char *               pwfile      = NULL;
+     const char *         pidFile     = NULL;
+     char *               tmp;
+     PRFileDesc *         listen_sock;
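Review bot: `ocsp_CreateSelfCAID` initializes `mark` with `PORT_ArenaMark(arena)` before `PORT_Assert(arena != NULL)` runs, so the assertion can never catch a NULL arena. Declare `void *mark;`, keep the assert first, and then take the mark with `mark = PORT_ArenaMark(arena);`. The `time` parameter is never read in `ocsp_CreateSelfCAID`, which deserves a short comment saying it is kept only for signature parity with the function this was adapted from. `cert_CreateSelfCAID` has external linkage with no visible prototype; if it is only called from this file, `static` would match its helper. `main` continues outside the hunk.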
+@@ -770,6 +1131,11 @@
+     PRBool               useLocalThreads = PR_FALSE;
+     PLOptState		*optstate;
+     PLOptStatus          status;
++    char                 emptyString[] = { "" };
++    char*                certPrefix = emptyString;
++    caRevoInfo		*revoInfo = NULL;
++    PRCList             *caRevoIter = NULL;
++    PRBool               provideOcsp = PR_FALSE;
+ 
+     tmp = strrchr(argv[0], '/');
+     tmp = tmp ? tmp + 1 : argv[0];
+@@ -782,14 +1148,60 @@
+     ** numbers, then capital letters, then lower case, alphabetical. 
+     */
+     optstate = PL_CreateOptState(argc, argv, 
+-        "Dbhi:p:t:v");
++        "A:C:DO:P:bd:f:hi:p:t:vw:");
+     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+ 	++optionsFound;
+ 	switch(optstate->option) {
++	/* A first, must be followed by C. Any other order is an error.
++	 * A creates the object. C completes and moves into list.
++	 */
++	case 'A':
++	  provideOcsp = PR_TRUE;
++	  if (revoInfo) { Usage(progName); exit(0); }
++	  revoInfo = PORT_New(caRevoInfo);
++	  revoInfo->nickname = PORT_Strdup(optstate->value);
++	  break;
++	case 'C':
++	  if (!revoInfo) { Usage(progName); exit(0); }
++	  revoInfo->crlFilename = PORT_Strdup(optstate->value);
++	  if (!caRevoInfos) {
++	      PR_INIT_CLIST(&revoInfo->link);
++	      caRevoInfos = revoInfo;
++	  } else {
++	      PR_APPEND_LINK(&revoInfo->link, &caRevoInfos->link);
++	  }
++	  revoInfo = NULL;
++	  break;
++	  
++	case 'O':
++	  if (!PL_strcasecmp(optstate->value, "all")) {
++	      ocspMethodsAllowed = ocspGetAndPost;
++	  } else if (!PL_strcasecmp(optstate->value, "get")) {
++	      ocspMethodsAllowed = ocspGetOnly;
++	  } else if (!PL_strcasecmp(optstate->value, "post")) {
++	      ocspMethodsAllowed = ocspPostOnly;
++	  } else if (!PL_strcasecmp(optstate->value, "random")) {
++	      ocspMethodsAllowed = ocspRandomGetFailure;
++	  } else if (!PL_strcasecmp(optstate->value, "get-unknown")) {
++	      ocspMethodsAllowed = ocspGetUnknown;
++	  } else {
++	      Usage(progName); exit(0);
++	  }
++	  break;
++
+ 	case 'D': noDelay = PR_TRUE; break;
+ 
++	case 'P': certPrefix = PORT_Strdup(optstate->value); break;
++
+         case 'b': bindOnly = PR_TRUE; break;
+ 
++	case 'd': dir = optstate->value; break;
++
++	case 'f':
++            pwdata.source = PW_FROMFILE;
++            pwdata.data = pwfile = PORT_Strdup(optstate->value);
++            break;
++
+         case 'h': Usage(progName); exit(0); break;
+ 
+ 	case 'i': pidFile = optstate->value; break;
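Review bot: In `case 'A'`, `revoInfo = PORT_New(caRevoInfo);` is dereferenced on the next line without a NULL check, and it leaves `crlFilename`, `cert`, `id` and `crl` uninitialized until later code assigns them. `revoInfo = PORT_ZNew(caRevoInfo);` followed by `if (!revoInfo) exit(1);` would make the entry safe to inspect and free at any point. A trailing `-A` with no `-C` is also not rejected in this hunk, although the comment says any other order is an error. In that case `provideOcsp` is set while the entry is never linked into `caRevoInfos`. A `revoInfo != NULL` check after the option loop (which ends outside the hunk) would catch it.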
+@@ -804,6 +1216,11 @@
+ 
+ 	case 'v': verbose++; break;
+ 
++	case 'w':
++            pwdata.source = PW_PLAINTEXT;
++            pwdata.data = passwd = PORT_Strdup(optstate->value);
++            break;
++
+ 	default:
+ 	case '?':
+ 	    fprintf(stderr, "Unrecognized or bad option specified.\n");
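Review bot: `case 'w'` takes the key database password from the command line, where it can be seen by other local users in the process list and ends up in shell history. The usage text (outside this hunk) should say so and steer callers to `-f` outside of test scripts. The copy kept in `passwd` is later released in `main` with plain `PORT_Free(passwd)` (hunk `@@ -873,15 +1346,47 @@`). `PORT_ZFree(passwd, strlen(passwd));` would clear it before the memory is returned.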
+@@ -824,7 +1241,7 @@
+     } 
+ 
+     /* The -b (bindOnly) option is only used by the ssl.sh test
+-     * script on Linux to determine whether a previous selfserv
++     * script on Linux to determine whether a previous httpserv
+      * process has fully died and freed the port.  (Bug 129701)
+      */
+     if (bindOnly) {
+@@ -865,6 +1282,62 @@
+ 
+     lm = PR_NewLogModule("TestCase");
+ 
++    /* set our password function */
++    PK11_SetPasswordFunc(SECU_GetModulePassword);
++
++    if (provideOcsp) {
++	/* Call the NSS initialization routines */
++	rv = NSS_Initialize(dir, certPrefix, certPrefix, SECMOD_DB, NSS_INIT_READONLY);
++	if (rv != SECSuccess) {
++	    fputs("NSS_Init failed.\n", stderr);
++		    exit(8);
++	}
++	
++	if (caRevoInfos) {
++	  caRevoIter = &caRevoInfos->link;
++	  do {
++	      PRFileDesc *inFile;
++	      int rv = SECFailure;
++	      SECItem crlDER;
++	      crlDER.data = NULL;
++
++	      revoInfo = (caRevoInfo*)caRevoIter;
++	      revoInfo->cert = CERT_FindCertByNickname(
++		  CERT_GetDefaultCertDB(), revoInfo->nickname);
++	      if (!revoInfo->cert) {
++		  fprintf(stderr, "cannot find cert with nickname %s\n",
++			  revoInfo->nickname);
++		  exit(1);
++	      }
++	      inFile = PR_Open(revoInfo->crlFilename, PR_RDONLY, 0);
++	      if (inFile) {
++		rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
++	      }
++	      if (!inFile || rv != SECSuccess) {
++		  fprintf(stderr, "unable to read crl file %s\n",
++			  revoInfo->crlFilename);
++		  exit(1);
++	      }
++	      revoInfo->crl = 
++		  CERT_DecodeDERCrlWithFlags(NULL, &crlDER, SEC_CRL_TYPE,
++					     CRL_DECODE_DEFAULT_OPTIONS);
++	      if (!revoInfo->crl) {
++		  fprintf(stderr, "unable to decode crl file %s\n",
++			  revoInfo->crlFilename);
++		  exit(1);
++	      }
++	      if (CERT_CompareName(&revoInfo->crl->crl.name,
++				   &revoInfo->cert->subject) != SECEqual) {
++		  fprintf(stderr, "CRL %s doesn't match cert identified by preceding nickname %s\n",
++			  revoInfo->crlFilename, revoInfo->nickname);
++		  exit(1);
++	      }
++	      revoInfo->id = cert_CreateSelfCAID(revoInfo->cert, PR_Now());
++	      caRevoIter = PR_NEXT_LINK(caRevoIter);
++	  } while (caRevoIter != &caRevoInfos->link);
++	}
++    }
++
+ /* allocate the array of thread slots, and launch the worker threads. */
+     rv = launch_threads(&jobLoop, 0, 0, 0, useLocalThreads);
+ 
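Review bot: The result of `revoInfo->id = cert_CreateSelfCAID(revoInfo->cert, PR_Now());` is not checked, yet that function returns NULL on failure and `handle_connection` later reads `caid->hashAlgorithm` through this pointer for each OCSP request. Fail at startup like the neighbouring checks do, with `if (!revoInfo->id) { fprintf(stderr, "cannot create cert id for %s\n", revoInfo->nickname); exit(1); }`. `inFile` is never closed, and `crlDER` is never freed after `CERT_DecodeDERCrlWithFlags`. Adding `PR_Close(inFile);` and `SECITEM_FreeItem(&crlDER, PR_FALSE);` would fix both, assuming the default decode options copy the DER, which should be confirmed. The inner `int rv` also shadows `main`'s `rv`.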
+@@ -873,15 +1346,47 @@
+                     0);
+     }
+ 
+-    VLOG(("selfserv: server_thread: exiting"));
++    VLOG(("httpserv: server_thread: exiting"));
++
++    if (provideOcsp) {
++	if (caRevoInfos) {
++	    PRCList *caRevoIter;
+ 
+-    if (failedToNegotiateName) {
+-        fprintf(stderr, "selfserv: Failed properly negotiate server name\n");
++	    caRevoIter = &caRevoInfos->link;
++	    do {
++		caRevoInfo *revoInfo = (caRevoInfo*)caRevoIter;
++		if (revoInfo->nickname)
++		    PORT_Free(revoInfo->nickname);
++		if (revoInfo->crlFilename)
++		    PORT_Free(revoInfo->crlFilename);
++		if (revoInfo->cert)
++		    CERT_DestroyCertificate(revoInfo->cert);
++		if (revoInfo->id)
++		    CERT_DestroyOCSPCertID(revoInfo->id);
++		if (revoInfo->crl)
++		    SEC_DestroyCrl(revoInfo->crl);
++		
++		caRevoIter = PR_NEXT_LINK(caRevoIter);
++	    } while (caRevoIter != &caRevoInfos->link);
++      
++	}
++	if (NSS_Shutdown() != SECSuccess) {
++	    SECU_PrintError(progName, "NSS_Shutdown");
++	    PR_Cleanup();
+         exit(1);
+     }
+-
++    }
++    if (passwd) {
++        PORT_Free(passwd);
++    }
++    if (pwfile) {
++        PORT_Free(pwfile);
++    }
++    if (certPrefix && certPrefix != emptyString) {
++        PORT_Free(certPrefix);
++    }
+     PR_Cleanup();
+-    printf("selfserv: normal termination\n");
++    printf("httpserv: normal termination\n");
+     return 0;
+ }
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/lib/secutil.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/lib/secutil.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/lib/secutil.c	2013-09-16 22:26:56.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/lib/secutil.c	2014-02-10 01:13:33.036519586 +0400
+@@ -1453,6 +1453,18 @@
+     }
+ }
+ 
++static void
++printStringWithoutCRLF(FILE *out, const char *str)
++{
++    const char *c = str;
++    while (*c) {
++	if (*c != '\r' && *c != '\n') {
++	    fputc(*c, out);
++	}
++	++c;
++    }
++}
++
+ int
+ SECU_PrintDumpDerIssuerAndSerial(FILE *out, SECItem *der, char *m,
+                                  int level)
+@@ -1479,15 +1491,32 @@
+     }
+ 
+     SECU_PrintName(out, &c->subject, "Subject", 0);
+-    fprintf(out, "\n");
++    if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/
++	SECU_Newline(out);
+     SECU_PrintName(out, &c->issuer, "Issuer", 0);
+-    fprintf(out, "\n");
++    if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/
++	SECU_Newline(out);
+     SECU_PrintInteger(out, &c->serialNumber, "Serial Number", 0);
+     
+     derIssuerB64 = BTOA_ConvertItemToAscii(&c->derIssuer);
+     derSerialB64 = BTOA_ConvertItemToAscii(&c->serialNumber);
+-    fprintf(out, "Issuer DER Base64:\n%s\n", derIssuerB64);
+-    fprintf(out, "Serial DER Base64:\n%s\n", derSerialB64);
++
++    fprintf(out, "Issuer DER Base64:\n");
++    if (SECU_GetWrapEnabled()) {
++	fprintf(out, "%s\n", derIssuerB64);
++    } else {
++	printStringWithoutCRLF(out, derIssuerB64);
++	fputs("\n", out);
++    }
++
++    fprintf(out, "Serial DER Base64:\n");
++    if (SECU_GetWrapEnabled()) {
++	fprintf(out, "%s\n", derSerialB64);
++    } else {
++	printStringWithoutCRLF(out, derSerialB64);
++	fputs("\n", out);
++    }
++
+     PORT_Free(derIssuerB64);
+     PORT_Free(derSerialB64);
+     
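Review bot: `derIssuerB64` and `derSerialB64` are passed to `printStringWithoutCRLF` without a NULL check, and that helper evaluates `*c` immediately. `BTOA_ConvertItemToAscii` can return NULL when allocation fails. Adding `if (!str) return;` at the top of the helper, or checking both pointers before the first `fprintf`, avoids the dereference. The two print blocks differ only in the label and the variable, so one small static function taking both would remove the duplication. The enclosing function starts and ends outside the hunk.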
+@@ -2293,6 +2322,8 @@
+     SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+     SECU_PrintInteger(out, &cr->version, "Version", level+1);
+     SECU_PrintName(out, &cr->subject, "Subject", level+1);
++    if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/
++	SECU_Newline(out);
+     secu_PrintSubjectPublicKeyInfo(out, arena, &cr->subjectPublicKeyInfo,
+ 			      "Subject Public Key Info", level+1);
+     if (cr->attributes)
+@@ -2335,8 +2366,12 @@
+     SECU_PrintInteger(out, &c->serialNumber, "Serial Number", level+1);
+     SECU_PrintAlgorithmID(out, &c->signature, "Signature Algorithm", level+1);
+     SECU_PrintName(out, &c->issuer, "Issuer", level+1);
++    if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/
++	SECU_Newline(out);
+     secu_PrintValidity(out, &c->validity, "Validity", level+1);
+     SECU_PrintName(out, &c->subject, "Subject", level+1);
++    if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/
++	SECU_Newline(out);
+     secu_PrintSubjectPublicKeyInfo(out, arena, &c->subjectPublicKeyInfo,
+ 			      "Subject Public Key Info", level+1);
+     if (c->issuerID.data) 
+@@ -3010,6 +3045,8 @@
+ 	goto loser;
+ 
+     SECU_PrintName(out, name, m, level);
++    if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/
++	SECU_Newline(out);
+ loser:
+     PORT_FreeArena(arena, PR_FALSE);
+     return rv;
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/modutil/install-ds.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/modutil/install-ds.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/modutil/install-ds.c	2013-09-16 22:26:56.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/modutil/install-ds.c	2014-02-10 01:13:33.036519586 +0400
+@@ -214,13 +214,14 @@
+                                      FILE_PERMISSIONS_STRING)) {
+ 				subiter = Pk11Install_ListIter_new(subpair->list);
+ 				subval = subiter->current;
+-				if(!subval || (subval->type != STRING_VALUE)){
++				if(!subval || (subval->type != STRING_VALUE) ||
++				   !subval->string || !subval->string[0]){
+ 					errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS],
+                                     _this->jarPath);
+ 					goto loser;
+ 				}
+ 				_this->permissions = (int) strtol(subval->string, &endp, 8);
+-				if(*endp != '\0' || subval->string == "\0") {
++				if(*endp != '\0') {
+ 					errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS],
+                                     _this->jarPath);
+ 					goto loser;
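Review bot: The result of `strtol(subval->string, &endp, 8)` is cast straight to `int` and only `*endp` is checked. A negative number, or one beyond the permission bits, is therefore accepted into `_this->permissions` from the install script. Keep the `long` in a local variable and extend the existing test to `if (*endp != '\0' || perm < 0 || perm > 07777)` before assigning, so out-of-range modes take the same `BOGUS_FILE_PERMISSIONS` path. The enclosing function starts and ends outside the hunk, so how `permissions` is consumed is not visible here.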
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/pp/pp.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/pp/pp.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/pp/pp.c	2013-09-16 22:26:56.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/pp/pp.c	2014-02-10 01:13:33.036519586 +0400
+@@ -22,7 +22,7 @@
+ static void Usage(char *progName)
+ {
+     fprintf(stderr,
+-	    "Usage:  %s -t type [-a] [-i input] [-o output]\n",
++	    "Usage:  %s -t type [-a] [-i input] [-o output] [-w]\n",
+ 	    progName);
+     fprintf(stderr, "%-20s Specify the input type (must be one of %s,\n",
+ 	    "-t type", SEC_CT_PRIVATE_KEY);
+@@ -36,6 +36,8 @@
+ 	    "-i input");
+     fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
+ 	    "-o output");
++    fprintf(stderr, "%-20s Don't wrap long output lines\n",
++	    "-w");
+     exit(-1);
+ }
+ 
+@@ -48,6 +50,7 @@
+     SECItem der, data;
+     char *typeTag;
+     PLOptState *optstate;
++    PRBool wrap = PR_TRUE;
+ 
+     progName = strrchr(argv[0], '/');
+     progName = progName ? progName+1 : argv[0];
+@@ -56,7 +59,7 @@
+     inFile = 0;
+     outFile = 0;
+     typeTag = 0;
+-    optstate = PL_CreateOptState(argc, argv, "at:i:o:");
++    optstate = PL_CreateOptState(argc, argv, "at:i:o:w");
+     while ( PL_GetNextOpt(optstate) == PL_OPT_OK ) {
+ 	switch (optstate->option) {
+ 	  case '?':
+@@ -88,6 +91,10 @@
+ 	  case 't':
+ 	    typeTag = strdup(optstate->value);
+ 	    break;
++
++	  case 'w':
++	    wrap = PR_FALSE;
++	    break;
+ 	}
+     }
+     PL_DestroyOptState(optstate);
+@@ -115,16 +122,15 @@
+     data.data = der.data;
+     data.len = der.len;
+ 
++    SECU_EnableWrap(wrap);
++
+     /* Pretty print it */
+     if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE) == 0) {
+ 	rv = SECU_PrintSignedData(outFile, &data, "Certificate", 0,
+ 			     SECU_PrintCertificate);
+     } else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_ID) == 0) {
+-        PRBool saveWrapeState = SECU_GetWrapEnabled();
+-        SECU_EnableWrap(PR_FALSE);
+         rv = SECU_PrintSignedContent(outFile, &data, 0, 0,
+                                      SECU_PrintDumpDerIssuerAndSerial);
+-        SECU_EnableWrap(saveWrapeState);
+     } else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_REQUEST) == 0) {
+ 	rv = SECU_PrintSignedData(outFile, &data, "Certificate Request", 0,
+ 			     SECU_PrintCertificateRequest);
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/strsclnt/strsclnt.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/strsclnt/strsclnt.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/strsclnt/strsclnt.c	2013-09-16 22:26:56.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/strsclnt/strsclnt.c	2014-02-10 01:13:33.036519586 +0400
+@@ -180,10 +180,11 @@
+ errWarn(char * funcString)
+ {
+     PRErrorCode  perr      = PR_GetError();
++    PRInt32      oserr     = PR_GetOSError();
+     const char * errString = SECU_Strerror(perr);
+ 
+-    fprintf(stderr, "strsclnt: %s returned error %d:\n%s\n",
+-            funcString, perr, errString);
++    fprintf(stderr, "strsclnt: %s returned error %d, OS error %d: %s\n",
++            funcString, perr, oserr, errString);
+ }
+ 
+ static void
+@@ -765,11 +766,13 @@
+     prStatus = PR_Connect(tcp_sock, addr, PR_INTERVAL_NO_TIMEOUT);
+     if (prStatus != PR_SUCCESS) {
+         PRErrorCode err = PR_GetError(); /* save error code */
++        PRInt32 oserr = PR_GetOSError();
+         if (ThrottleUp) {
+             PRTime now = PR_Now();
+             PR_Lock(threadLock);
+             lastConnectFailure = PR_MAX(now, lastConnectFailure);
+             PR_Unlock(threadLock);
++            PR_SetError(err, oserr); /* restore error code */
+         }
+         if ((err == PR_CONNECT_REFUSED_ERROR) || 
+ 	    (err == PR_CONNECT_RESET_ERROR)      ) {
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/tstclnt/tstclnt.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/tstclnt/tstclnt.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/cmd/tstclnt/tstclnt.c	2014-02-10 01:12:09.952982661 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/cmd/tstclnt/tstclnt.c	2014-02-10 01:13:33.036519586 +0400
+@@ -528,12 +528,13 @@
+         csa = SSL_PeerStapledOCSPResponses(fd);
+         if (csa) {
+             for (i = 0; i < csa->len; ++i) {
+-                CERT_CacheOCSPResponseFromSideChannel(
+-                    serverCertAuth->dbHandle,
+-                    cert,
+-                    PR_Now(),
+-                    &csa->items[i],
+-                    arg);
++		PORT_SetError(0);
++		if (CERT_CacheOCSPResponseFromSideChannel(
++			serverCertAuth->dbHandle, cert, PR_Now(),
++			&csa->items[i], arg) != SECSuccess) {
++		    PRErrorCode error = PR_GetError();
++		    PORT_Assert(error != 0);
++		}
+             }
+         }
+     
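Review bot: A failure of `CERT_CacheOCSPResponseFromSideChannel` is examined only by `PORT_Assert(error != 0)`. In optimized builds the assertion compiles away, `error` becomes an unused variable, and a rejected stapled OCSP response goes unreported. Reporting it keeps the outcome visible when this client is used to test stapling, for example `fprintf(stderr, "caching stapled OCSP response failed: %d\n", error);`. The enclosing function starts and ends outside the hunk, so whether a later step reports this failure cannot be seen from here.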
+@@ -751,7 +752,7 @@
+                                         PRBool override)
+ {
+     SECStatus rv;
+-    PRErrorCode status;
++    PRErrorCode error;
+     
+     if (!serverCertAuth->isPaused)
+ 	return SECSuccess;
+@@ -762,20 +763,20 @@
+     serverCertAuth->isPaused = PR_FALSE;
+     rv = SSL_AuthCertificate(serverCertAuth->dbHandle, fd, PR_TRUE, PR_FALSE);
+     if (rv != SECSuccess) {
+-        status = PR_GetError();
+-        if (status == 0) {
++        error = PR_GetError();
++        if (error == 0) {
+             PR_NOT_REACHED("SSL_AuthCertificate return SECFailure without "
+                            "setting error code.");
+-            status = PR_INVALID_STATE_ERROR;
++            error = PR_INVALID_STATE_ERROR;
+         } else if (override) {
+             rv = ownBadCertHandler(NULL, fd);
+         }
+     }
+     if (rv == SECSuccess) {
+-        status = 0;
++        error = 0;
+     }
+ 
+-    if (SSL_AuthCertificateComplete(fd, status) != SECSuccess) {
++    if (SSL_AuthCertificateComplete(fd, error) != SECSuccess) {
+         rv = SECFailure;
+     }
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/coreconf/WIN32.mk seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/coreconf/WIN32.mk
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/coreconf/WIN32.mk	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/coreconf/WIN32.mk	2014-02-10 01:13:33.036519586 +0400
+@@ -25,7 +25,7 @@
+ 	CCC          = cl
+ 	LINK         = link
+ 	AR           = lib
+-	AR          += -NOLOGO -OUT:"$@"
++	AR          += -NOLOGO -OUT:$@
+ 	RANLIB       = echo
+ 	BSDECHO      = echo
+ 	RC           = rc.exe
+@@ -130,7 +130,7 @@
+ 		OPTIMIZER += -O2
+ 	endif
+ 	DEFINES    += -UDEBUG -U_DEBUG -DNDEBUG
+-	DLLFLAGS   += -OUT:"$@"
++	DLLFLAGS   += -OUT:$@
+ 	ifdef MOZ_DEBUG_SYMBOLS
+ 		ifdef MOZ_DEBUG_FLAGS
+ 			OPTIMIZER += $(MOZ_DEBUG_FLAGS) -Fd$(OBJDIR)/
+@@ -156,7 +156,7 @@
+ 	USERNAME   := $(subst $(SPACE),_,$(USERNAME))
+ 	USERNAME   := $(subst -,_,$(USERNAME))
+ 	DEFINES    += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME)
+-	DLLFLAGS   += -DEBUG -OUT:"$@"
++	DLLFLAGS   += -DEBUG -OUT:$@
+ 	LDFLAGS    += -DEBUG 
+ ifeq ($(_MSC_VER),$(_MSC_VER_6))
+ ifndef MOZ_DEBUG_SYMBOLS
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/coreconf/arch.mk seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/coreconf/arch.mk
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/coreconf/arch.mk	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/coreconf/arch.mk	2014-02-10 01:13:33.036519586 +0400
+@@ -146,36 +146,10 @@
+ # uses fibers).
+ #
+ # If OS_TARGET is not specified, it defaults to $(OS_ARCH), i.e., no
+-# cross-compilation.
++# cross-compilation, except on Windows, where it defaults to WIN95.
+ #
+ 
+ #
+-# The following hack allows one to build on a WIN95 machine (as if
+-# s/he were cross-compiling on a WINNT host for a WIN95 target).
+-# It also accomodates for MKS's and Cygwin's uname.exe.
+-#
+-ifeq ($(OS_ARCH),WIN95)
+-    OS_ARCH   = WINNT
+-    OS_TARGET = WIN95
+-endif
+-ifeq ($(OS_ARCH),Windows_95)
+-    OS_ARCH   = Windows_NT
+-    OS_TARGET = WIN95
+-endif
+-ifeq ($(OS_ARCH),CYGWIN_95-4.0)
+-	OS_ARCH   = CYGWIN_NT-4.0
+-	OS_TARGET = WIN95
+-endif
+-ifeq ($(OS_ARCH),CYGWIN_98-4.10)
+-	OS_ARCH   = CYGWIN_NT-4.0
+-	OS_TARGET = WIN95
+-endif
+-ifeq ($(OS_ARCH),CYGWIN_ME-4.90)
+-	OS_ARCH   = CYGWIN_NT-4.0
+-	OS_TARGET = WIN95
+-endif
+-
+-#
+ # On WIN32, we also define the variable CPU_ARCH, if it isn't already.
+ #
+ ifndef CPU_ARCH
+@@ -211,7 +185,7 @@
+     endif
+ endif
+ #
+-# If uname -s returns "CYGWIN_NT-4.0", we assume that we are using
++# If uname -s returns "CYGWIN_NT-*", we assume that we are using
+ # the uname.exe in the Cygwin tools.
+ #
+ ifeq (CYGWIN_NT,$(findstring CYGWIN_NT,$(OS_ARCH)))
+@@ -231,7 +205,7 @@
+     endif
+ endif
+ #
+-# If uname -s returns "MINGW32_NT-5.1", we assume that we are using
++# If uname -s returns "MINGW32_NT-*", we assume that we are using
+ # the uname.exe in the MSYS toolkit.
+ #
+ ifeq (MINGW32_NT,$(findstring MINGW32_NT,$(OS_ARCH)))
+@@ -261,8 +235,12 @@
+ endif
+ 
+ ifndef OS_TARGET
++ifeq ($(OS_ARCH), WINNT)
++    OS_TARGET = WIN95
++else
+     OS_TARGET = $(OS_ARCH)
+ endif
++endif
+ 
+ ifeq ($(OS_TARGET), WIN95)
+     OS_RELEASE = 4.0
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/coreconf/nsinstall/pathsub.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/coreconf/nsinstall/pathsub.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/coreconf/nsinstall/pathsub.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/coreconf/nsinstall/pathsub.c	2014-02-10 01:13:33.037519569 +0400
+@@ -240,7 +240,7 @@
+ 	if (rv < 0) {
+ 	    perror(myPath);
+ 	} else if (S_ISLNK(sb.st_mode)) {
+-	    rv = readlink(myPath, buf, sizeof buf);
++	    rv = readlink(myPath, buf, sizeof(buf) - 1);
+ 	    if (rv < 0) {
+ 	    	perror("readlink");
+ 		buf[0] = 0;
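Review bot: The new length `sizeof(buf) - 1` leaves room for a terminator, but readlink() never writes one, and the `buf[rv] = 0;` that this change relies on is not visible here. The function continues past the hunk's last line, so confirm the success branch has it. A return value equal to `sizeof(buf) - 1` also means the link target may have been truncated, and the shortened path would then be used as if it were the real target. The success branch should treat that case as an error. A comment on the call such as `/* readlink() does not NUL-terminate; keep one byte for it */` would record why the `- 1` is there.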
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/certutil.xml seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/certutil.xml
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/certutil.xml	2014-02-10 01:12:09.952982661 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/certutil.xml	2014-02-10 01:13:33.037519569 +0400
+@@ -209,6 +209,11 @@
+       </varlistentry>
+ 
+       <varlistentry>
++        <term>--email email-address</term>
++        <listitem><para>Specify the email address of a certificate to list. Used with the -L command option.</para></listitem>
++      </varlistentry>
++
++      <varlistentry>
+         <term>-f password-file</term>
+         <listitem><para>Specify a file that will automatically supply the password to include in a certificate 
+  or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent 
+@@ -644,14 +649,19 @@
+       </varlistentry>
+ 
+       <varlistentry>
++        <term>--empty-password</term>
++        <listitem><para>Use empty password when creating new certificate database with -N.</para></listitem>
++      </varlistentry>
++
++      <varlistentry>
+         <term>--keyAttrFlags attrflags</term>
+         <listitem><para>
+ PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+-        <term>--keyFlagsOn opflags</term>
+-        <term>--keyFlagsOff opflags</term>
++        <term>--keyOpFlagsOn opflags</term>
++        <term>--keyOpFlagsOff opflags</term>
+         <listitem><para>
+ PKCS #11 key Operation Flags.
+ Comma separated list of one or more of the following:
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/html/certutil.html seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/html/certutil.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/html/certutil.html	2014-02-10 01:12:09.953982643 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/html/certutil.html	2014-02-10 01:13:33.037519569 +0400
+@@ -1,4 +1,4 @@
+-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm207694846832"></a><h2>STATUS</h2><p>This documentation is st
 ill work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
++<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm224672048528"></a><h2>STATUS</h2><p>This documentation is st
 ill work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+     </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span
 > always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request fi
 le. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the 
+ <code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname. 
+ </p><p>
+@@ -10,7 +10,7 @@
+ </p><p>
+ If this option is not used, the validity check defaults to the current system time.</p></dd><dt><span class="term">-c issuer</span></dt><dd><p>Identify the certificate of the CA from which a new certificate will derive its authenticity. 
+  Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the issuer string 
+- with quotation marks if it contains spaces. </p></dd><dt><span class="term">-d [prefix]directory</span></dt><dd><p>Specify the database directory containing the certificate and key database files.</p><p><span class="command"><strong>certutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). </p><p>NSS recognizes the following prefixes:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>sql: requests the newer database</strong></span></p></li><li class="listitem"><p><span class="command"><strong>dbm: requests the legacy database</strong></span></p></li></ul></div><p>If no prefix is spec
 ified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default.</p></dd><dt><span class="term">-e </span></dt><dd><p>Check a certificate's signature during the process of validating a certificate.</p></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate 
++ with quotation marks if it contains spaces. </p></dd><dt><span class="term">-d [prefix]directory</span></dt><dd><p>Specify the database directory containing the certificate and key database files.</p><p><span class="command"><strong>certutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). </p><p>NSS recognizes the following prefixes:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>sql: requests the newer database</strong></span></p></li><li class="listitem"><p><span class="command"><strong>dbm: requests the legacy database</strong></span></p></li></ul></div><p>If no prefix is spec
 ified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default.</p></dd><dt><span class="term">-e </span></dt><dd><p>Check a certificate's signature during the process of validating a certificate.</p></dd><dt><span class="term">--email email-address</span></dt><dd><p>Specify the email address of a certificate to list. Used with the -L command option.</p></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate 
+  or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent 
+  unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 8192 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key.</p><p>
+            The valid key type options are rsa, dsa, ec, or all. The default 
+@@ -109,8 +109,8 @@
+ 		msTrustListSign
+ 	</p></li><li class="listitem"><p>
+ 		critical
+-	</p></li></ul></div><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-7 emailAddrs</span></dt><dd><p>Add a comma-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">-8 dns-names</span></dt><dd><p>Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">--extAIA</span></dt><dd><p>Add the Authority Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSIA</span></dt><dd><p>Add the Subject Information Access
  extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extCP</span></dt><dd><p>Add the Certificate Policies extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPM</span></dt><dd><p>Add the Policy Mappings extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPC</span></dt><dd><p>Add the Policy Constraints extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extIA</span></dt><dd><p>Add the Inhibit Any Policy Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSKID</span></dt><dd><p>Add the Subject Key ID extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extNC</span></d
 t><dd><p>Add a Name Constraint extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--keyAttrFlags attrflags</span></dt><dd><p>
+-PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</p></dd><dt><span class="term">--keyFlagsOn opflags, </span><span class="term">--keyFlagsOff opflags</span></dt><dd><p>
++	</p></li></ul></div><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-7 emailAddrs</span></dt><dd><p>Add a comma-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">-8 dns-names</span></dt><dd><p>Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">--extAIA</span></dt><dd><p>Add the Authority Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSIA</span></dt><dd><p>Add the Subject Information Access
  extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extCP</span></dt><dd><p>Add the Certificate Policies extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPM</span></dt><dd><p>Add the Policy Mappings extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPC</span></dt><dd><p>Add the Policy Constraints extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extIA</span></dt><dd><p>Add the Inhibit Any Policy Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSKID</span></dt><dd><p>Add the Subject Key ID extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extNC</span></d
 t><dd><p>Add a Name Constraint extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--empty-password</span></dt><dd><p>Use empty password when creating new certificate database with -N.</p></dd><dt><span class="term">--keyAttrFlags attrflags</span></dt><dd><p>
++PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</p></dd><dt><span class="term">--keyOpFlagsOn opflags, </span><span class="term">--keyOpFlagsOff opflags</span></dt><dd><p>
+ PKCS #11 key Operation Flags.
+ Comma separated list of one or more of the following:
+ {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/html/modutil.html seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/html/modutil.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/html/modutil.html	2014-02-10 01:12:09.954982625 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/html/modutil.html	2014-02-10 01:13:33.037519569 +0400
+@@ -1,4 +1,4 @@
+-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>MODUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="MODUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">MODUTIL</th></tr></table><hr></div><div class="refentry"><a name="modutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>modutil — Manage PKCS #11 module information within the security module database.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">modutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm207698456864"></a><h2>STATUS</h2><p>This documentation is still w
 ork in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
++<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>MODUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="MODUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">MODUTIL</th></tr></table><hr></div><div class="refentry"><a name="modutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>modutil — Manage PKCS #11 module information within the security module database.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">modutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm224666099264"></a><h2>STATUS</h2><p>This documentation is still w
 ork in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+     </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Security Module Database Tool, <span class="command"><strong>modutil</strong></span>, is a command-line utility for managing PKCS #11 module information both within <code class="filename">secmod.db</code> files and within hardware tokens. <span class="command"><strong>modutil</strong></span> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</p><p>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><p>
+ 		Running <span class="command"><strong>modutil</strong></span> always requires one (and only one) option to specify the type of module operation. Each option may take arguments, anywhere from none to multiple arguments.
+ 	</p><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-add modulename</span></dt><dd><p>Add the named PKCS #11 module to the database. Use this option with the <code class="option">-libfile</code>, <code class="option">-ciphers</code>, and <code class="option">-mechanisms</code> arguments.</p></dd><dt><span class="term">-changepw tokenname</span></dt><dd><p>Change the password on the named token. If the token has not been initialized, this option initializes the password. Use this option with the <code class="option">-pwfile</code> and <code class="option">-newpwfile</code> arguments. A <span class="emphasis"><em>password</em></span> is equivalent to a personal identification number (PIN).</p></dd><dt><span class="term">-chkfips</span></dt><dd><p>Verify whether the module is in the given FIPS mode. <span class="command"><strong>true</strong></span> means to verify that the module is in FIPS
  mode, while <span class="command"><strong>false</strong></span> means to verify that the module is not in FIPS mode.</p></dd><dt><span class="term">-create</span></dt><dd><p>Create new certificate, key, and module databases. Use the <code class="option">-dbdir</code> directory argument to specify a directory. If any of these databases already exist in a specified directory, <span class="command"><strong>modutil</strong></span> returns an error message.</p></dd><dt><span class="term">-default modulename</span></dt><dd><p>Specify the security mechanisms for which the named module will be a default provider. The security mechanisms are specified with the <code class="option">-mechanisms</code> argument.</p></dd><dt><span class="term">-delete modulename</span></dt><dd><p>Delete the named module. The default NSS PKCS #11 module cannot be deleted.</p></dd><dt><span class="term">-disable modulename</span></dt><dd><p>Disable all slots on the named module. Use the <code class="optio
 n">-slot</code> argument to disable a specific slot.</p></dd><dt><span class="term">-enable modulename</span></dt><dd><p>Enable all slots on the named module. Use the <code class="option">-slot</code> argument to enable a specific slot.</p></dd><dt><span class="term">-fips [true | false]</span></dt><dd><p>Enable (true) or disable (false) FIPS 140-2 compliance for the default NSS module.</p></dd><dt><span class="term">-force</span></dt><dd><p>Disable <span class="command"><strong>modutil</strong></span>'s interactive prompts so it can be run from a script. Use this option only after manually testing each planned operation to check for warnings and to ensure that bypassing the prompts will cause no security lapses or loss of database integrity.</p></dd><dt><span class="term">-jar JAR-file</span></dt><dd><p>Add a new PKCS #11 module to the database using the named JAR file. Use this command with the <code class="option">-installdir</code> and <code class="option">-tempdir</code
 > arguments. The JAR file uses the NSS PKCS #11 JAR format to identify all the files to be installed, the module's name, the mechanism flags, and the cipher flags, as well as any files to be installed on the target machine, including the PKCS #11 module library file and other files such as documentation. This is covered in the JAR installation file section in the man page, which details the special script needed to perform an installation through a server or with <span class="command"><strong>modutil</strong></span>. </p></dd><dt><span class="term">-list [modulename]</span></dt><dd><p>Display basic information about the contents of the <code class="filename">secmod.db</code> file. Specifying a <span class="emphasis"><em>modulename</em></span> displays detailed information about a particular module and its slots and tokens.</p></dd><dt><span class="term">-rawadd</span></dt><dd><p>Add the module spec string to the <code class="filename">secmod.db</code> database.</p></dd><dt><
 span class="term">-rawlist</span></dt><dd><p>Display the module specs for a specified module or for all loadable modules.</p></dd><dt><span class="term">-undefault modulename</span></dt><dd><p>Specify the security mechanisms for which the named module will not be a default provider. The security mechanisms are specified with the <code class="option">-mechanisms</code> argument.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">MODULE</span></dt><dd><p>Give the security module to access.</p></dd><dt><span class="term">MODULESPEC</span></dt><dd><p>Give the security module spec to load into the security database.</p></dd><dt><span class="term">-ciphers cipher-enable-list</span></dt><dd><p>Enable specific ciphers in a module that is being added to the database. The <span class="emphasis"><em>cipher-enable-list</em></span> is a colon-delimited list of cipher names. Enclose thi
 s list in quotation marks if it contains spaces.</p></dd><dt><span class="term">-dbdir [sql:]directory</span></dt><dd><p>Specify the database directory in which to access or create security module database files.</p><p><span class="command"><strong>modutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">--dbprefix prefix</span></dt><dd><p>Specify the prefix used on the database files, such as <code class="filename">my_</code> for <code class="filename">my_cert8.db</code>. This option is provided a
 s a special case. Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-installdir root-installation-directory</span></dt><dd><p>Specify the root installation directory relative to which files will be installed by the <code class="option">-jar</code> option. This directory should be one below which it is appropriate to store dynamic library files, such as a server's root directory.</p></dd><dt><span class="term">-libfile library-file</span></dt><dd><p>Specify a path to a library file containing the implementation of the PKCS #11 interface module that is being added to the database.</p></dd><dt><span class="term">-mechanisms mechanism-list</span></dt><dd><p>Specify the security mechanisms for which a particular module will be flagged as a default provider. The <span class="emphasis"><em>mechanism-list</em></span> is a colon-delimited list of mechanism names. Enclose this list in quotation marks if it contains spaces.</p><p
 >The module becomes a default provider for the listed mechanisms when those mechanisms are enabled. If more than one module claims to be a particular mechanism's default provider, that mechanism's default provider is undefined.</p><p><span class="command"><strong>modutil</strong></span> supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES, DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for random number generation), and FRIENDLY (meaning certificates are publicly readable).</p></dd><dt><span class="term">-newpwfile new-password-file</span></dt><dd><p>Specify a text file containing a token's new or replacement password so that a password can be entered automatically with the <code class="option">-changepw</code> option.</p></dd><dt><span class="term">-nocertdb</span></dt><dd><p>Do not open the certificate or key databases. This has several effects:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Wi
 th the <code class="option">-create</code> command, only a module security file is created; certificate and key databases are not created.</p></li><li class="listitem"><p>With the <code class="option">-jar</code> command, signatures on the JAR file are not checked.</p></li><li class="listitem"><p>With the <code class="option">-changepw</code> command, the password on the NSS internal module cannot be set or changed, since this password is stored in the key database.</p></li></ul></div></dd><dt><span class="term">-pwfile old-password-file</span></dt><dd><p>Specify a text file containing a token's existing password so that a password can be entered automatically when the <code class="option">-changepw</code> option is used to change passwords.</p></dd><dt><span class="term">-secmod secmodname</span></dt><dd><p>Give the name of the security module database (like <code class="filename">secmod.db</code>) to load.</p></dd><dt><span class="term">-slot slotname</span></dt><dd><p>Spe
 cify a particular slot to be enabled or disabled with the <code class="option">-enable</code> or <code class="option">-disable</code> options.</p></dd><dt><span class="term">-string CONFIG_STRING</span></dt><dd><p>Pass a configuration string for the module being added to the database.</p></dd><dt><span class="term">-tempdir temporary-directory</span></dt><dd><p>Give a directory location where temporary files are created during the installation by the <code class="option">-jar</code> option. If no temporary directory is specified, the current directory is used.</p></dd></dl></div></div><div class="refsection"><a name="usage-and-examples"></a><h2>Usage and Examples</h2><p><span class="command"><strong>Creating Database Files</strong></span></p><p>Before any operations can be performed, there must be a set of security databases available. <span class="command"><strong>modutil</strong></span> can be used to create these files. The only required argument is the database that wher
 e the databases will be located.</p><pre class="programlisting">modutil -create -dbdir [sql:]directory</pre><p><span class="command"><strong>Adding a Cryptographic Module</strong></span></p><p>Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms. This can be done by supplying all of the information through <span class="command"><strong>modutil</strong></span> directly or by running a JAR file and install script. For the most basic case, simply upload the library:</p><pre class="programlisting">modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list] </pre><p>For example:
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/html/pk12util.html seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/html/pk12util.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/html/pk12util.html	2014-02-10 01:12:09.954982625 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/html/pk12util.html	2014-02-10 01:13:33.037519569 +0400
+@@ -4,7 +4,7 @@
+ 
+ common-options are:
+ [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] 
+-      ]</p></div></div><div class="refsection"><a name="idm207680667808"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
++      ]</p></div></div><div class="refsection"><a name="idm224682436944"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+     </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The PKCS #12 utility, <span class="command"><strong>pk12util</strong></span>, enables sharing certificates among any server that supports PKCS#12. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-i p12file</span></dt><dd><p>Import keys and certificates from a PKCS#12 file into a security database.</p></dd><dt><span class="term">-l p12file</span></dt><dd><p>List the keys and certificates in PKCS#12 file.</p></dd><dt><span class="term">-o p12file</span></dt><dd><p>Export keys and certificates from the security database to a PKCS#12 file.</p></dd></dl></div><p><span class="command"><stro
 ng>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-n certname</span></dt><dd><p>Specify the nickname of the cert and private key to export.</p></dd><dt><span class="term">-d [sql:]directory</span></dt><dd><p>Specify the database directory into which to import to or export from certificates and keys.</p><p><span class="command"><strong>pk12util</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-P prefix</span></dt><dd><p>Specify the prefix used 
 on the certificate and key databases. This option is provided as a special case. 
+           Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of the token to import into or export from.</p></dd><dt><span class="term">-v </span></dt><dd><p>Enable debug logging when importing.</p></dd><dt><span class="term">-k slotPasswordFile</span></dt><dd><p>Specify the text file containing the slot's password.</p></dd><dt><span class="term">-K slotPassword</span></dt><dd><p>Specify the slot's password.</p></dd><dt><span class="term">-w p12filePasswordFile</span></dt><dd><p>Specify the text file containing the pkcs #12 file password.</p></dd><dt><span class="term">-W p12filePassword</span></dt><dd><p>Specify the pkcs #12 file password.</p></dd><dt><span class="term">-c keyCipher</span></dt><dd><p>Specify the key encryption algorithm.</p></dd><dt><span class="term">-C certCipher</span></dt><dd><p>Specify the key cert (overall package) encryption algorithm.</p></dd><dt
 ><span class="term">-m | --key-len  keyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the private key.</p></dd><dt><span class="term">-n | --cert-key-len  certKeyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</p></dd><dt><span class="term">-r</span></dt><dd><p>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</p></dd></dl></div></div><div class="refsection"><a name="return-codes"></a><h2>Return Codes</h2><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> 0 - No error</p></li><li class="listitem"><p> 1 - User Cancelled</p></li><li class="listitem"><p> 2 - Usage error</p></li><li class="listitem"><p> 6 - NLS 
 init error</p></li><li class="listitem"><p> 8 - Certificate DB open error</p></li><li class="listitem"><p> 9 - Key DB open error</p></li><li class="listitem"><p> 10 - File initialization error</p></li><li class="listitem"><p> 11 - Unicode conversion error</p></li><li class="listitem"><p> 12 - Temporary file creation error</p></li><li class="listitem"><p> 13 - PKCS11 get slot error</p></li><li class="listitem"><p> 14 - PKCS12 decoder start error</p></li><li class="listitem"><p> 15 - error read from import file</p></li><li class="listitem"><p> 16 - pkcs12 decode error</p></li><li class="listitem"><p> 17 - pkcs12 decoder verify error</p></li><li class="listitem"><p> 18 - pkcs12 decoder validate bags error</p></li><li class="listitem"><p> 19 - pkcs12 decoder import bags error</p></li><li class="listitem"><p> 20 - key db conversion version 3 to version 2 error</p></li><li class="listitem"><p> 21 - cert db conversion version 7 to version 5 error</p></li><li class="listitem"><p> 22
  - cert and key dbs patch error</p></li><li class="listitem"><p> 23 - get default cert db error</p></li><li class="listitem"><p> 24 - find cert by nickname error</p></li><li class="listitem"><p> 25 - create export context error</p></li><li class="listitem"><p> 26 - PKCS12 add password itegrity error</p></li><li class="listitem"><p> 27 - cert and key Safes creation error</p></li><li class="listitem"><p> 28 - PKCS12 add cert and key error</p></li><li class="listitem"><p> 29 - PKCS12 encode error</p></li></ul></div></div><div class="refsection"><a name="examples"></a><h2>Examples</h2><p><span class="command"><strong>Importing Keys and Certificates</strong></span></p><p>The most basic usage of <span class="command"><strong>pk12util</strong></span> for importing a certificate or key is the PKCS#12 input file (<code class="option">-i</code>) and some way to specify the security database being accessed (either <code class="option">-d</code> for a directory or <code class="option">-
 h</code> for a token).
+     </p><pre class="programlisting">pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</pre><p>For example:</p><pre class="programlisting"># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/html/pp.html seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/html/pp.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/html/pp.html	2014-02-10 01:12:09.954982625 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/html/pp.html	2014-02-10 01:13:33.039519534 +0400
+@@ -1,7 +1,7 @@
+-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PP</th></tr></table><hr></div><div class="refentry"><a name="pp"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pp — Prints certificates, keys, crls, and pkcs7 files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pp -t type [-a] [-i input] [-o output]</code> </p></div></div><div class="refsection"><a name="idm207695084256"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?
 id=836477" target="_top">Mozilla NSS bug 836477</a>
+-    </p></div><div class="refsection"><a name="idm207691286816"></a><h2>Description</h2><p><span class="command"><strong>pp </strong></span>pretty-prints private and public key, certificate, certificate-request,
++<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PP</th></tr></table><hr></div><div class="refentry"><a name="pp"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pp — Prints certificates, keys, crls, and pkcs7 files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pp -t type [-a] [-i input] [-o output]</code> </p></div></div><div class="refsection"><a name="idm224681757664"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?
 id=836477" target="_top">Mozilla NSS bug 836477</a>
++    </p></div><div class="refsection"><a name="idm224678000880"></a><h2>Description</h2><p><span class="command"><strong>pp </strong></span>pretty-prints private and public key, certificate, certificate-request,
+                      pkcs7 or crl files
+-    </p></div><div class="refsection"><a name="idm207691284880"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-t </code> <em class="replaceable"><code>type</code></em></span></dt><dd><p class="simpara">specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}</p><p class="simpara"></p></dd><dt><span class="term"><code class="option">-a </code></span></dt><dd>Input is in ascii encoded form (RFC1113)</dd><dt><span class="term"><code class="option">-i </code> <em class="replaceable"><code>inputfile</code></em></span></dt><dd>Define an input file to use (default is stdin)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>outputfile</code></em></span></dt><dd>Define an output file to use (default is stdout)</dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>NSS is maintained in c
 onjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <a class="ulink" href="http://pki.fedoraproject.org/wiki/" target="_top">PKI Wiki</a>. </p><p>For information specifically about NSS, the NSS project wiki is located at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">Mozilla NSS site</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: pki-devel at redhat.com and pki-users at redhat.com</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</p><p>
++    </p></div><div class="refsection"><a name="idm224677998992"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-t </code> <em class="replaceable"><code>type</code></em></span></dt><dd><p class="simpara">specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}</p><p class="simpara"></p></dd><dt><span class="term"><code class="option">-a </code></span></dt><dd>Input is in ascii encoded form (RFC1113)</dd><dt><span class="term"><code class="option">-i </code> <em class="replaceable"><code>inputfile</code></em></span></dt><dd>Define an input file to use (default is stdin)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>outputfile</code></em></span></dt><dd>Define an output file to use (default is stdout)</dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>NSS is maintained in c
 onjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <a class="ulink" href="http://pki.fedoraproject.org/wiki/" target="_top">PKI Wiki</a>. </p><p>For information specifically about NSS, the NSS project wiki is located at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">Mozilla NSS site</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: pki-devel at redhat.com and pki-users at redhat.com</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</p><p>
+ 	Authors: Elio Maldonado &lt;emaldona at redhat.com&gt;, Deon Lackey &lt;dlackey at redhat.com&gt;.
+     </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+     </p></div></div><div class="navfooter"><hr></div></body></html>
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/html/signtool.html seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/html/signtool.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/html/signtool.html	2014-02-10 01:12:09.954982625 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/html/signtool.html	2014-02-10 01:13:33.039519534 +0400
+@@ -1,4 +1,4 @@
+-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>signtool</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="signtool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">signtool</th></tr></table><hr></div><div class="refentry"><a name="signtool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signtool — Digitally sign objects and files.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code>  [-k keyName] [[-h]] [[-H]] [[-l]] [[-L]] [[-M]] [[-v]] [[-w]] [[-G nickname]] [[--keysize | -s size]] [[-b basename]] [[-c Compression Level] ] [[-d cert-dir] ] [[-i installer script] ] [[-m metafile] ] [[-x name] ] [[-f filename] ] [[-t|--token tokenname]
  ] [[-e extension] ] [[-o] ] [[-z] ] [[-X] ] [[--outfile] ] [[--verbose value] ] [[--norecurse] ] [[--leavearc] ] [[-j directory] ] [[-Z jarfile] ] [[-O] ] [[-p password] ] [directory-tree] [archive]</p></div></div><div class="refsection"><a name="idm207702595360"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
++<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>signtool</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="signtool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">signtool</th></tr></table><hr></div><div class="refentry"><a name="signtool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signtool — Digitally sign objects and files.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code>  [-k keyName] [[-h]] [[-H]] [[-l]] [[-L]] [[-M]] [[-v]] [[-w]] [[-G nickname]] [[--keysize | -s size]] [[-b basename]] [[-c Compression Level] ] [[-d cert-dir] ] [[-i installer script] ] [[-m metafile] ] [[-x name] ] [[-f filename] ] [[-t|--token tokenname]
  ] [[-e extension] ] [[-o] ] [[-z] ] [[-X] ] [[--outfile] ] [[--verbose value] ] [[--norecurse] ] [[--leavearc] ] [[-j directory] ] [[-Z jarfile] ] [[-O] ] [[-p password] ] [directory-tree] [archive]</p></div></div><div class="refsection"><a name="idm224666150896"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+     </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signing Tool, <span class="command"><strong>signtool</strong></span>, creates digital signatures and uses a Java Archive (JAR) file to associate the signatures with files in a directory. Electronic software distribution over any network involves potential security problems. To help address some of these problems, you can associate digital signatures with the files in a JAR archive. Digital signatures allow SSL-enabled clients to perform two important operations:</p><p>* Confirm the identity of the individual, company, or other entity whose digital signature is associated with the files</p><p>* Check whether the files have been tampered with since being signed</p><p>If you have a signing certificate, you can use Netscape Signing Tool to digitally sign files and package them as a JAR file. An object-signing certificate is a special kind of certificate that allows you to associate your d
 igital signature with one or more files.</p><p>An individual file can potentially be signed with multiple digital signatures. For example, a commercial software developer might sign the files that constitute a software product to prove that the files are indeed from a particular company. A network administrator manager might sign the same files with an additional digital signature based on a company-generated certificate to indicate that the product is approved for use within the company.</p><p>The significance of a digital signature is comparable to the significance of a handwritten signature. Once you have signed a file, it is difficult to claim later that you didn't sign it. In some situations, a digital signature may be considered as legally binding as a handwritten signature. Therefore, you should take great care to ensure that you can stand behind any file you sign and distribute.</p><p>For example, if you are a software developer, you should test your code to make sur
 e it is virus-free before signing it. Similarly, if you are a network administrator, you should make sure, before signing any code, that it comes from a reliable source and will run correctly with the software installed on the machines to which you are distributing it.</p><p>Before you can use Netscape Signing Tool to sign files, you must have an object-signing certificate, which is a special certificate whose associated private key is used to create digital signatures. For testing purposes only, you can create an object-signing certificate with Netscape Signing Tool 1.3. When testing is finished and you are ready to disitribute your software, you should obtain an object-signing certificate from one of two kinds of sources:</p><p>* An independent certificate authority (CA) that authenticates your identity and charges you a fee. You typically get a certificate from an independent CA if you want to sign software that will be distributed over the Internet.</p><p>* CA server sof
 tware running on your corporate intranet or extranet. Netscape Certificate Management System provides a complete management solution for creating, deploying, and managing certificates, including CAs that issue object-signing certificates.</p><p>You must also have a certificate for the CA that issues your signing certificate before you can sign files. If the certificate authority's certificate isn't already installed in your copy of Communicator, you typically install it by clicking the appropriate link on the certificate authority's web site, for example on the page from which you initiated enrollment for your signing certificate. This is the case for some test certificates, as well as certificates issued by Netscape Certificate Management System: you must download the the CA certificate in addition to obtaining your own signing certificate. CA certificates for several certificate authorities are preinstalled in the Communicator certificate database.</p><p>When you receive a
 n object-signing certificate for your own use, it is automatically installed in your copy of the Communicator client software. Communicator supports the public-key cryptography standard known as PKCS #12, which governs key portability. You can, for example, move an object-signing certificate and its associated private key from one computer to another on a credit-card-sized device called a smart card.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-b basename</span></dt><dd><p>Specifies the base filename for the .rsa and .sf files in the META-INF directory to conform with the JAR format. For example, <span class="emphasis"><em>-b signatures</em></span> causes the files to be named signatures.rsa and signatures.sf. The default is signtool.</p></dd><dt><span class="term">-c#</span></dt><dd><p>
+ 	Specifies the compression level for the -J or -Z option. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression. The higher the level of compression, the smaller the output but the longer the operation takes.
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/html/signver.html seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/html/signver.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/html/signver.html	2014-02-10 01:12:09.955982607 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/html/signver.html	2014-02-10 01:13:33.039519534 +0400
+@@ -1,7 +1,7 @@
+-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SIGNVER</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SIGNVER"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SIGNVER</th></tr></table><hr></div><div class="refentry"><a name="signver"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signver — Verify a detached PKCS#7 signature for a file.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code>    -A  |   -V    -d <em class="replaceable"><code>directory</code></em>  [-a] [-i <em class="replaceable"><code>input_file</code></em>] [-o <em class="replaceable"><code>output_file</code></em>] [-s <em class="replaceable"><code>signature_file</code
 ></em>] [-v]</p></div></div><div class="refsection"><a name="idm207691938384"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+-    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signature Verification Tool, <span class="command"><strong>signver</strong></span>, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A</span></dt><dd><p>Displays all of the information in the PKCS#7 signature.</p></dd><dt><span class="term">-V</span></dt><dd><p>Verifies the digital signature.</p></dd><dt><span class="term">-d [sql:]<span class="emphasis"><em>directory</em></span></span></dt><dd><p>Specify the database directory which contains the certificates and keys.</p><p><span class="command"><strong>signver</strong></span> supports two types of
  databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-a</span></dt><dd><p>Sets that the given signature file is in ASCII format.</p></dd><dt><span class="term">-i <span class="emphasis"><em>input_file</em></span></span></dt><dd><p>Gives the input file for the object with signed data.</p></dd><dt><span class="term">-o <span class="emphasis"><em>output_file</em></span></span></dt><dd><p>Gives the output file to which to write the results.</p></dd><dt><span class="term">-s <span class="emphasis"><em>signature_file</em></span></span></dt><dd>
 <p>Gives the input file for the digital signature.</p></dd><dt><span class="term">-v</span></dt><dd><p>Enables verbose output.</p></dd></dl></div></div><div class="refsection"><a name="examples"></a><h2>Extended Examples</h2><div class="refsection"><a name="idm207695803904"></a><h3>Verifying a Signature</h3><p>The <code class="option">-V</code> option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).</p><pre class="programlisting">signver -V -s <em class="replaceable"><code>signature_file</code></em> -i <em class="replaceable"><code>signed_file</code></em> -d sql:/home/my/sharednssdb
++<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SIGNVER</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SIGNVER"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SIGNVER</th></tr></table><hr></div><div class="refentry"><a name="signver"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signver — Verify a detached PKCS#7 signature for a file.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code>    -A  |   -V    -d <em class="replaceable"><code>directory</code></em>  [-a] [-i <em class="replaceable"><code>input_file</code></em>] [-o <em class="replaceable"><code>output_file</code></em>] [-s <em class="replaceable"><code>signature_file</code
 ></em>] [-v]</p></div></div><div class="refsection"><a name="idm224680848704"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
++    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signature Verification Tool, <span class="command"><strong>signver</strong></span>, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A</span></dt><dd><p>Displays all of the information in the PKCS#7 signature.</p></dd><dt><span class="term">-V</span></dt><dd><p>Verifies the digital signature.</p></dd><dt><span class="term">-d [sql:]<span class="emphasis"><em>directory</em></span></span></dt><dd><p>Specify the database directory which contains the certificates and keys.</p><p><span class="command"><strong>signver</strong></span> supports two types of
  databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-a</span></dt><dd><p>Sets that the given signature file is in ASCII format.</p></dd><dt><span class="term">-i <span class="emphasis"><em>input_file</em></span></span></dt><dd><p>Gives the input file for the object with signed data.</p></dd><dt><span class="term">-o <span class="emphasis"><em>output_file</em></span></span></dt><dd><p>Gives the output file to which to write the results.</p></dd><dt><span class="term">-s <span class="emphasis"><em>signature_file</em></span></span></dt><dd>
 <p>Gives the input file for the digital signature.</p></dd><dt><span class="term">-v</span></dt><dd><p>Enables verbose output.</p></dd></dl></div></div><div class="refsection"><a name="examples"></a><h2>Extended Examples</h2><div class="refsection"><a name="idm224681951616"></a><h3>Verifying a Signature</h3><p>The <code class="option">-V</code> option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).</p><pre class="programlisting">signver -V -s <em class="replaceable"><code>signature_file</code></em> -i <em class="replaceable"><code>signed_file</code></em> -d sql:/home/my/sharednssdb
+ 
+-signatureValid=yes</pre></div><div class="refsection"><a name="idm207695800736"></a><h3>Printing Signature Data</h3><p>
++signatureValid=yes</pre></div><div class="refsection"><a name="idm224679496656"></a><h3>Printing Signature Data</h3><p>
+ 			The <code class="option">-A</code> option prints all of the information contained in a signature file. Using the <code class="option">-o</code> option prints the signature file information to the given output file rather than stdout.
+ 		</p><pre class="programlisting">signver -A -s <em class="replaceable"><code>signature_file</code></em> -o <em class="replaceable"><code>output_file</code></em></pre></div></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information. 
+ The last versions of these <span class="emphasis"><em>legacy</em></span> databases are:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/html/ssltap.html seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/html/ssltap.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/html/ssltap.html	2014-02-10 01:12:09.955982607 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/html/ssltap.html	2014-02-10 01:13:33.039519534 +0400
+@@ -1,4 +1,4 @@
+-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SSLTAP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SSLTAP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SSLTAP</th></tr></table><hr></div><div class="refentry"><a name="ssltap"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ssltap — Tap into SSL connections and display the data going by </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">libssltap</code>  [-vhfsxl] [-p port] [hostname:port]</p></div></div><div class="refsection"><a name="idm207705899984"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://
 bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
++<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SSLTAP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SSLTAP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SSLTAP</th></tr></table><hr></div><div class="refentry"><a name="ssltap"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ssltap — Tap into SSL connections and display the data going by </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">libssltap</code>  [-vhfsxl] [-p port] [hostname:port]</p></div></div><div class="refsection"><a name="idm224680842512"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://
 bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+     </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The SSL Debugging Tool <span class="command"><strong>ssltap</strong></span> is an SSL-aware command-line proxy. It watches TCP connections and displays the data going by. If a connection is SSL, the data display includes interpreted SSL records and handshaking</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-v </span></dt><dd><p>Print a version string for the tool.</p></dd><dt><span class="term">-h </span></dt><dd><p>
+ Turn on hex/ASCII printing. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters. The two parts are separated by a vertical bar. Nonprinting characters are replaced by dots. 
+         </p></dd><dt><span class="term">-f </span></dt><dd><p>
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/html/vfychain.html seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/html/vfychain.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/html/vfychain.html	2014-02-10 01:12:09.955982607 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/html/vfychain.html	2014-02-10 01:13:33.039519534 +0400
+@@ -1,4 +1,4 @@
+-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYCHAIN</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYCHAIN"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYCHAIN</th></tr></table><hr></div><div class="refentry"><a name="vfychain"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfychain  — vfychain [options] [revocation options] certfile [[options] certfile] ...</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfychain</code> </p></div></div><div class="refsection"><a name="idm207689306736"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla
 .mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
++<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYCHAIN</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYCHAIN"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYCHAIN</th></tr></table><hr></div><div class="refentry"><a name="vfychain"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfychain  — vfychain [options] [revocation options] certfile [[options] certfile] ...</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfychain</code> </p></div></div><div class="refsection"><a name="idm224658292400"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla
 .mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+     </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The verification Tool, <span class="command"><strong>vfychain</strong></span>, verifies certificate chains. <span class="command"><strong>modutil</strong></span> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</p><p>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-a</code></span></dt><dd>the following certfile is base64 encoded</dd><dt><span class=
 "term"><code class="option">-b </code> <em class="replaceable"><code>YYMMDDHHMMZ</code></em></span></dt><dd>Validate date (default: now)</dd><dt><span class="term"><code class="option">-d </code> <em class="replaceable"><code>directory</code></em></span></dt><dd>database directory</dd><dt><span class="term"><code class="option">-f </code> </span></dt><dd>Enable cert fetching from AIA URL</dd><dt><span class="term"><code class="option">-o </code> <em class="replaceable"><code>oid</code></em></span></dt><dd>Set policy OID for cert validation(Format OID.1.2.3)</dd><dt><span class="term"><code class="option">-p </code></span></dt><dd><p class="simpara">Use PKIX Library to validate certificate by calling:</p><p class="simpara">	   * CERT_VerifyCertificate if specified once,</p><p class="simpara">	   * CERT_PKIXVerifyCert if specified twice and more.</p></dd><dt><span class="term"><code class="option">-r </code></span></dt><dd>Following certfile is raw binary DER (default)</dd><dt
 ><span class="term"><code class="option">-t</code></span></dt><dd>Following cert is explicitly trusted (overrides db trust)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>usage</code></em></span></dt><dd><p>
+ 	 	 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,
+ 	     4=Email signer, 5=Email recipient, 6=Object signer,
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/html/vfyserv.html seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/html/vfyserv.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/html/vfyserv.html	2014-02-10 01:12:09.955982607 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/html/vfyserv.html	2014-02-10 01:13:33.039519534 +0400
+@@ -1,4 +1,4 @@
+-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYSERV</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYSERV"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYSERV</th></tr></table><hr></div><div class="refentry"><a name="vfyserv"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfyserv  — TBD</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfyserv</code> </p></div></div><div class="refsection"><a name="idm207703284240"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a
 >
++<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYSERV</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYSERV"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYSERV</th></tr></table><hr></div><div class="refentry"><a name="vfyserv"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfyserv  — TBD</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfyserv</code> </p></div></div><div class="refsection"><a name="idm224662974480"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a
 >
+     </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The <span class="command"><strong>vfyserv </strong></span> tool verifies a certificate chain</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option"></code> <em class="replaceable"><code></code></em></span></dt><dd><p class="simpara"></p><p class="simpara"></p></dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><d
 iv class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</p><p>
+ 	Authors: Elio Maldonado &lt;emaldona at redhat.com&gt;, Deon Lackey &lt;dlackey at redhat.com&gt;.
+     </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/nroff/certutil.1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/nroff/certutil.1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/nroff/certutil.1	2014-02-10 01:12:09.956982589 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/nroff/certutil.1	2014-02-10 01:13:33.039519535 +0400
+@@ -2,12 +2,12 @@
+ .\"     Title: CERTUTIL
+ .\"    Author: [see the "Authors" section]
+ .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+-.\"      Date: 19 July 2013
++.\"      Date: 12 November 2013
+ .\"    Manual: NSS Security Tools
+ .\"    Source: nss-tools
+ .\"  Language: English
+ .\"
+-.TH "CERTUTIL" "1" "19 July 2013" "nss-tools" "NSS Security Tools"
++.TH "CERTUTIL" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+@@ -251,6 +251,11 @@
+ Check a certificate\*(Aqs signature during the process of validating a certificate\&.
+ .RE
+ .PP
++\-\-email email\-address
++.RS 4
++Specify the email address of a certificate to list\&. Used with the \-L command option\&.
++.RE
++.PP
+ \-f password\-file
+ .RS 4
+ Specify a file that will automatically supply the password to include in a certificate or to access a certificate database\&. This is a plain\-text file containing one password\&. Be sure to prevent unauthorized access to this file\&.
+@@ -905,12 +910,17 @@
+ Add a Name Constraint extension to the certificate\&. X\&.509 certificate extensions are described in RFC 5280\&.
+ .RE
+ .PP
++\-\-empty\-password
++.RS 4
++Use empty password when creating new certificate database with \-N\&.
++.RE
++.PP
+ \-\-keyAttrFlags attrflags
+ .RS 4
+ PKCS #11 key Attributes\&. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
+ .RE
+ .PP
+-\-\-keyFlagsOn opflags, \-\-keyFlagsOff opflags
++\-\-keyOpFlagsOn opflags, \-\-keyOpFlagsOff opflags
+ .RS 4
+ PKCS #11 key Operation Flags\&. Comma separated list of one or more of the following: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
+ .RE
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/nroff/pk12util.1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/nroff/pk12util.1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/nroff/pk12util.1	2014-02-10 01:12:09.956982589 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/nroff/pk12util.1	2014-02-10 01:13:33.039519535 +0400
+@@ -2,12 +2,12 @@
+ .\"     Title: PK12UTIL
+ .\"    Author: [see the "Authors" section]
+ .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+-.\"      Date: 19 July 2013
++.\"      Date: 12 November 2013
+ .\"    Manual: NSS Security Tools
+ .\"    Source: nss-tools
+ .\"  Language: English
+ .\"
+-.TH "PK12UTIL" "1" "19 July 2013" "nss-tools" "NSS Security Tools"
++.TH "PK12UTIL" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/nroff/pp.1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/nroff/pp.1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/nroff/pp.1	2014-02-10 01:12:09.956982589 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/nroff/pp.1	2014-02-10 01:13:33.039519535 +0400
+@@ -2,12 +2,12 @@
+ .\"     Title: PP
+ .\"    Author: [see the "Authors" section]
+ .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+-.\"      Date: 19 July 2013
++.\"      Date: 12 November 2013
+ .\"    Manual: NSS Security Tools
+ .\"    Source: nss-tools
+ .\"  Language: English
+ .\"
+-.TH "PP" "1" "19 July 2013" "nss-tools" "NSS Security Tools"
++.TH "PP" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/nroff/signtool.1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/nroff/signtool.1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/nroff/signtool.1	2014-02-10 01:12:09.956982589 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/nroff/signtool.1	2014-02-10 01:13:33.039519535 +0400
+@@ -2,12 +2,12 @@
+ .\"     Title: signtool
+ .\"    Author: [see the "Authors" section]
+ .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+-.\"      Date: 19 July 2013
++.\"      Date: 12 November 2013
+ .\"    Manual: NSS Security Tools
+ .\"    Source: nss-tools
+ .\"  Language: English
+ .\"
+-.TH "SIGNTOOL" "1" "19 July 2013" "nss-tools" "NSS Security Tools"
++.TH "SIGNTOOL" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/nroff/signver.1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/nroff/signver.1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/nroff/signver.1	2014-02-10 01:12:09.956982589 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/nroff/signver.1	2014-02-10 01:13:33.039519535 +0400
+@@ -2,12 +2,12 @@
+ .\"     Title: SIGNVER
+ .\"    Author: [see the "Authors" section]
+ .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+-.\"      Date: 19 July 2013
++.\"      Date: 12 November 2013
+ .\"    Manual: NSS Security Tools
+ .\"    Source: nss-tools
+ .\"  Language: English
+ .\"
+-.TH "SIGNVER" "1" "19 July 2013" "nss-tools" "NSS Security Tools"
++.TH "SIGNVER" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/nroff/ssltap.1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/nroff/ssltap.1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/nroff/ssltap.1	2014-02-10 01:12:09.957982571 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/nroff/ssltap.1	2014-02-10 01:13:33.039519535 +0400
+@@ -2,12 +2,12 @@
+ .\"     Title: SSLTAP
+ .\"    Author: [see the "Authors" section]
+ .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+-.\"      Date: 19 July 2013
++.\"      Date: 12 November 2013
+ .\"    Manual: NSS Security Tools
+ .\"    Source: nss-tools
+ .\"  Language: English
+ .\"
+-.TH "SSLTAP" "1" "19 July 2013" "nss-tools" "NSS Security Tools"
++.TH "SSLTAP" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/nroff/vfychain.1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/nroff/vfychain.1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/nroff/vfychain.1	2014-02-10 01:12:09.957982571 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/nroff/vfychain.1	2014-02-10 01:13:33.039519535 +0400
+@@ -2,12 +2,12 @@
+ .\"     Title: VFYCHAIN
+ .\"    Author: [see the "Authors" section]
+ .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+-.\"      Date: 19 July 2013
++.\"      Date: 12 November 2013
+ .\"    Manual: NSS Security Tools
+ .\"    Source: nss-tools
+ .\"  Language: English
+ .\"
+-.TH "VFYCHAIN" "1" "19 July 2013" "nss-tools" "NSS Security Tools"
++.TH "VFYCHAIN" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/nroff/vfyserv.1 seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/nroff/vfyserv.1
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/doc/nroff/vfyserv.1	2014-02-10 01:12:09.957982571 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/doc/nroff/vfyserv.1	2014-02-10 01:13:33.040519518 +0400
+@@ -2,12 +2,12 @@
+ .\"     Title: VFYSERV
+ .\"    Author: [see the "Authors" section]
+ .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+-.\"      Date: 19 July 2013
++.\"      Date: 12 November 2013
+ .\"    Manual: NSS Security Tools
+ .\"    Source: nss-tools
+ .\"  Language: English
+ .\"
+-.TH "VFYSERV" "1" "19 July 2013" "nss-tools" "NSS Security Tools"
++.TH "VFYSERV" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
+ .\" -----------------------------------------------------------------
+ .\" * Define some portability stuff
+ .\" -----------------------------------------------------------------
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/certdb/cert.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/certdb/cert.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/certdb/cert.h	2014-02-10 01:12:09.957982571 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/certdb/cert.h	2014-02-10 01:13:33.040519518 +0400
+@@ -1218,6 +1218,7 @@
+ CERTCertList *
+ CERT_NewCertList(void);
+ 
++/* free the cert list and all the certs in the list */
+ void
+ CERT_DestroyCertList(CERTCertList *certs);
+ 
+@@ -1225,16 +1226,26 @@
+ void
+ CERT_RemoveCertListNode(CERTCertListNode *node);
+ 
++/* equivalent to CERT_AddCertToListTailWithData(certs, cert, NULL) */
+ SECStatus
+ CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert);
+ 
++/* equivalent to CERT_AddCertToListHeadWithData(certs, cert, NULL) */
+ SECStatus
+ CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert);
+ 
++/*
++ * The new cert list node takes ownership of "cert". "cert" is freed
++ * when the list node is removed.
++ */
+ SECStatus
+ CERT_AddCertToListTailWithData(CERTCertList *certs, CERTCertificate *cert,
+ 							 void *appData);
+ 
++/*
++ * The new cert list node takes ownership of "cert". "cert" is freed
++ * when the list node is removed.
++ */
+ SECStatus
+ CERT_AddCertToListHeadWithData(CERTCertList *certs, CERTCertificate *cert,
+ 							 void *appData);
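Review bot: The ownership comments added above `CERT_AddCertToListTailWithData` and `CERT_AddCertToListHeadWithData` do not say who owns "cert" when the call returns SECFailure, which is the case where a caller most easily leaks or double-frees a reference. The implementation is not part of this header, so the behaviour needs confirming; if no node is created on failure, add a line such as `* On failure no node is created and the caller still owns "cert".` to both comments. The one-line comments on `CERT_AddCertToListTail` and `CERT_AddCertToListHead` only point at the WithData variants, so they inherit the same gap.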
+@@ -1493,15 +1504,25 @@
+ 
+ /*
+  * Digest the cert's subject public key using the specified algorithm.
++ * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding
++ * the tag, length, and number of unused bits) rather than the whole
++ * subjectPublicKeyInfo field.
++ *
+  * The necessary storage for the digest data is allocated.  If "fill" is
+  * non-null, the data is put there, otherwise a SECItem is allocated.
+  * Allocation from "arena" if it is non-null, heap otherwise.  Any problem
+  * results in a NULL being returned (and an appropriate error set).
+  */ 
+ extern SECItem *
+-CERT_GetSPKIDigest(PLArenaPool *arena, const CERTCertificate *cert,
++CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, const CERTCertificate *cert,
+                    SECOidTag digestAlg, SECItem *fill);
+ 
++/*
++ * Digest the cert's subject name using the specified algorithm.
++ */
++extern SECItem *
++CERT_GetSubjectNameDigest(PLArenaPool *arena, const CERTCertificate *cert,
++                          SECOidTag digestAlg, SECItem *fill);
+ 
+ SECStatus CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer,
+                         const SECItem* dp, PRTime t, void* wincx);
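Review bot: The comment for the newly exported `CERT_GetSubjectNameDigest` is a single sentence and leaves out the arena / "fill" / NULL-on-error contract that the comment for `CERT_GetSubjectPublicKeyDigest` just above spells out. The two prototypes take the same parameters, so the same rules presumably apply, but the body is not in this header; the comment should either repeat the contract or say `* Storage and error behaviour are the same as for CERT_GetSubjectPublicKeyDigest.` The continuation line `digestAlg, SECItem *fill);` of the renamed prototype was also not re-indented to match the longer function name.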
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/certdb/certt.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/certdb/certt.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/certdb/certt.h	2014-02-10 01:12:09.957982571 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/certdb/certt.h	2014-02-10 01:13:33.040519518 +0400
+@@ -1106,6 +1106,11 @@
+ #define CERT_REV_M_STOP_TESTING_ON_FRESH_INFO        0UL
+ #define CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO    32UL
+ 
++/* When this flag is used, libpkix will never attempt to use the GET HTTP
++ * method for OCSP requests; it will always use POST.
++ */
++#define CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP 64UL
++
+ /*
+  * The following flags are supposed to be used to control bits in
+  *     CERTRevocationTests.cert_rev_method_independent_flags
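Review bot: The comment on `CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP` does not say which flag word the bit belongs to. The define sits before the comment that introduces the `cert_rev_method_independent_flags` group, so it appears to be a per-method flag like the other `CERT_REV_M_*` values above it. Saying so explicitly, and that it only has meaning in the OCSP method's entry, would keep a caller from setting 64UL in the method-independent word, where that bit may mean something else.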
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/certdb/polcyxtn.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/certdb/polcyxtn.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/certdb/polcyxtn.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/certdb/polcyxtn.c	2014-02-10 01:13:33.040519518 +0400
+@@ -643,6 +643,9 @@
+     return(oidSeq);
+     
+ loser:
++    if (arena) {
++        PORT_FreeArena(arena, PR_FALSE);
++    }
+     return(NULL);
+ }
+ 
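Review bot: The `if (arena)` test added at `loser:` is only safe if `arena` is initialised to NULL before the first `goto loser`, and its declaration is outside this hunk. Please confirm it is declared as `PLArenaPool *arena = NULL;` (or assigned before any jump); otherwise an early failure path would hand an indeterminate pointer to `PORT_FreeArena`. The function starts above the hunk, so this cannot be checked from the lines shown.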
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/certhigh/ocsp.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/certhigh/ocsp.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/certhigh/ocsp.c	2014-02-10 01:12:09.958982554 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/certhigh/ocsp.c	2014-02-10 01:13:33.042519483 +0400
+@@ -24,6 +24,7 @@
+ #include "hasht.h"
+ #include "sechash.h"
+ #include "secasn1.h"
++#include "plbase64.h"
+ #include "keyhi.h"
+ #include "cryptohi.h"
+ #include "ocsp.h"
+@@ -86,6 +87,7 @@
+     OCSPCacheData cache;
+     SEC_OcspFailureMode ocspFailureMode;
+     CERT_StringFromCertFcn alternateOCSPAIAFcn;
++    PRBool forcePost;
+ } OCSP_Global = { NULL, 
+                   NULL, 
+                   DEFAULT_OCSP_CACHE_SIZE, 
+@@ -94,7 +96,8 @@
+                   DEFAULT_OSCP_TIMEOUT_SECONDS,
+                   {NULL, 0, NULL, NULL},
+                   ocspMode_FailureIsVerificationFailure,
+-                  NULL
++                  NULL,
++                  PR_FALSE
+                 };
+ 
+ 
+@@ -103,7 +106,9 @@
+ static SECItem *
+ ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena, 
+                                        CERTOCSPRequest *request,
+-                                       const char *location, PRTime time,
++                                       const char *location,
++				       const char *method,
++				       PRTime time,
+                                        PRBool addServiceLocator,
+                                        void *pwArg,
+                                        CERTOCSPRequest **pRequest);
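Review bot: The two added parameter lines, `const char *method,` and `PRTime time,`, are indented with tabs while the surrounding lines of the prototype use spaces, so the parameters misalign at any tab width other than 8. The new `method` parameter is also a free-form string with no comment naming the values the callee accepts. The comment on the new flag in certt.h mentions only GET and POST, so a line such as `/* method is the HTTP method for the request: "GET" or "POST" */` above the prototype would help, once those are confirmed against the definition, which is not shown here.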
+@@ -117,23 +122,14 @@
+                               SECStatus *rv_ocsp);
+ 
+ static SECStatus
+-ocsp_CacheEncodedOCSPResponse(CERTCertDBHandle *handle,
++ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle,
+ 			      CERTOCSPCertID *certID,
+ 			      CERTCertificate *cert,
+ 			      PRTime time,
+ 			      void *pwArg,
+ 			      const SECItem *encodedResponse,
+-			      PRBool cacheInvalid,
+-			      PRBool *certIDWasConsumed,
+-			      SECStatus *rv_ocsp);
+-
+-static SECStatus
+-ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle, 
+-                                        CERTOCSPResponse *response, 
+-                                        CERTOCSPCertID   *certID,
+-                                        CERTCertificate  *signerCert,
+-                                        PRTime            time,
+-                                        CERTOCSPSingleResponse **pSingleResponse);
++					   CERTOCSPResponse **pDecodedResponse,
++					   CERTOCSPSingleResponse **pSingle);
+ 
+ static SECStatus
+ ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, PRTime time);
+@@ -754,14 +750,23 @@
+ ocsp_IsCacheItemFresh(OCSPCacheItem *cacheItem)
+ {
+     PRTime now;
+-    PRBool retval;
++    PRBool fresh;
+ 
+-    PR_EnterMonitor(OCSP_Global.monitor);
+     now = PR_Now();
+-    retval = (cacheItem->nextFetchAttemptTime > now);
+-    OCSP_TRACE(("OCSP ocsp_IsCacheItemFresh: %d\n", retval));
+-    PR_ExitMonitor(OCSP_Global.monitor);
+-    return retval;
++
++    fresh = cacheItem->nextFetchAttemptTime > now;
++
++    /* Work around broken OCSP responders that return unknown responses for
++     * certificates, especially certificates that were just recently issued.
++     */
++    if (fresh && cacheItem->certStatusArena &&
++        cacheItem->certStatus.certStatusType == ocspCertStatus_unknown) {
++        fresh = PR_FALSE;
++    }
++
++    OCSP_TRACE(("OCSP ocsp_IsCacheItemFresh: %d\n", fresh));
++
++    return fresh;
+ }
+ 
+ /*
+@@ -788,6 +793,19 @@
+     PORT_Assert(OCSP_Global.maxCacheEntries >= 0);
+   
+     cacheItem = ocsp_FindCacheEntry(cache, certID);
++
++    /* Don't replace an unknown or revoked entry with an error entry, even if
++     * the existing entry is expired. Instead, we'll continue to use the
++     * existing (possibly expired) cache entry until we receive a valid signed
++     * response to replace it.
++     */
++    if (!single && cacheItem && cacheItem->certStatusArena &&
++        (cacheItem->certStatus.certStatusType == ocspCertStatus_revoked ||
++         cacheItem->certStatus.certStatusType == ocspCertStatus_unknown)) {
++        PR_ExitMonitor(OCSP_Global.monitor);
++        return SECSuccess;
++    }
++
+     if (!cacheItem) {
+         CERTOCSPCertID *myCertID;
+         if (certIDWasConsumed) {
+@@ -1460,15 +1478,12 @@
+ CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request,
+ 		       void *pwArg)
+ {
+-    ocspTBSRequest *tbsRequest;
+     SECStatus rv;
+ 
+     /* XXX All of these should generate errors if they fail. */
+     PORT_Assert(request);
+     PORT_Assert(request->tbsRequest);
+ 
+-    tbsRequest = request->tbsRequest;
+-
+     if (request->tbsRequest->extensionHandle != NULL) {
+ 	rv = CERT_FinishExtensions(request->tbsRequest->extensionHandle);
+ 	request->tbsRequest->extensionHandle = NULL;
+@@ -1636,7 +1651,7 @@
+  * results in a NULL being returned (and an appropriate error set).
+  */
+ SECItem *
+-CERT_GetSPKIDigest(PLArenaPool *arena, const CERTCertificate *cert,
++CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, const CERTCertificate *cert,
+                            SECOidTag digestAlg, SECItem *fill)
+ {
+     SECItem spk;
+@@ -1655,8 +1670,8 @@
+ /*
+  * Digest the cert's subject name using the specified algorithm.
+  */
+-static SECItem *
+-cert_GetSubjectNameDigest(PLArenaPool *arena, const CERTCertificate *cert,
++SECItem *
++CERT_GetSubjectNameDigest(PLArenaPool *arena, const CERTCertificate *cert,
+                            SECOidTag digestAlg, SECItem *fill)
+ {
+     SECItem name;
+@@ -1706,36 +1721,36 @@
+ 	goto loser;
+     }
+ 
+-    if (cert_GetSubjectNameDigest(arena, issuerCert, SEC_OID_SHA1,
++    if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_SHA1,
+                                   &(certID->issuerNameHash)) == NULL) {
+         goto loser;
+     }
+     certID->issuerSHA1NameHash.data = certID->issuerNameHash.data;
+     certID->issuerSHA1NameHash.len = certID->issuerNameHash.len;
+ 
+-    if (cert_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD5,
++    if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD5,
+                                   &(certID->issuerMD5NameHash)) == NULL) {
+         goto loser;
+     }
+ 
+-    if (cert_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD2,
++    if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD2,
+                                   &(certID->issuerMD2NameHash)) == NULL) {
+         goto loser;
+     }
+ 
+-    if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_SHA1,
+-				   &(certID->issuerKeyHash)) == NULL) {
++    if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_SHA1,
++				       &certID->issuerKeyHash) == NULL) {
+ 	goto loser;
+     }
+     certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data;
+     certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len;
+     /* cache the other two hash algorithms as well */
+-    if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_MD5,
+-				   &(certID->issuerMD5KeyHash)) == NULL) {
++    if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD5,
++				       &certID->issuerMD5KeyHash) == NULL) {
+ 	goto loser;
+     }
+-    if (CERT_GetSPKIDigest(arena, issuerCert, SEC_OID_MD2,
+-				   &(certID->issuerMD2KeyHash)) == NULL) {
++    if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD2,
++				       &certID->issuerMD2KeyHash) == NULL) {
+ 	goto loser;
+     }
+ 
+@@ -2980,6 +2995,12 @@
+  * SEC_ERROR_CERT_BAD_ACCESS_LOCATION.  Other errors are likely problems
+  * connecting to it, or writing to it, or allocating memory, and the low-level
+  * errors appropriate to the problem will be set.
++ * if (encodedRequest == NULL)
++ *   then location MUST already include the full request,
++ *        including base64 and urlencode,
++ *        and the request will be sent with GET
++ * if (encodedRequest != NULL)
++ *   then the request will be sent with POST
+  */
+ static PRFileDesc *
+ ocsp_SendEncodedRequest(const char *location, const SECItem *encodedRequest)
+@@ -3012,6 +3033,21 @@
+         PR_snprintf(portstr, sizeof(portstr), ":%d", port);
+     }
+ 
++    if (!encodedRequest) {
++      header = PR_smprintf("GET %s HTTP/1.0\r\n"
++                          "Host: %s%s\r\n\r\n",
++                          path, hostname, portstr);
++      if (header == NULL)
++          goto loser;
++
++      /*
++      * The NSPR documentation promises that if it can, it will write the full
++      * amount; this will not return a partial value expecting us to loop.
++      */
++      if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0)
++          goto loser;
++    }
++    else {
+     header = PR_smprintf("POST %s HTTP/1.0\r\n"
+ 			 "Host: %s%s\r\n"
+ 			 "Content-Type: application/ocsp-request\r\n"
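Review bot: The GET branch formats `path` and `hostname` straight into the request line and Host header with `%s`, and for GET `path` now also carries the whole encoded request. How `location` is split into these fields is outside this hunk; if that parser does not already reject spaces, CR and LF, a check before `PR_smprintf` would stop a malformed responder URL from altering the request framing. The `else {` opened here is closed in the next hunk and its body keeps the old indentation, which makes the two branches harder to compare. The enclosing function starts and ends outside the hunk.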
+@@ -3030,6 +3066,7 @@
+     if (PR_Write(sock, encodedRequest->data,
+ 		 (PRInt32) encodedRequest->len) < 0)
+ 	goto loser;
++    }
+ 
+     returnSock = sock;
+     sock = NULL;
+@@ -3338,6 +3375,13 @@
+  */
+ #define MAX_WANTED_OCSP_RESPONSE_LEN 64*1024
+ 
++/* if (encodedRequest == NULL)
++ *   then location MUST already include the full request,
++ *        including base64 and urlencode,
++ *        and the request will be sent with GET
++ * if (encodedRequest != NULL)
++ *   then the request will be sent with POST
++ */
+ static SECItem *
+ fetchOcspHttpClientV1(PLArenaPool *arena, 
+                       const SEC_HttpClientFcnV1 *hcv1, 
+@@ -3381,14 +3425,15 @@
+             pServerSession,
+             "http",
+             path,
+-            "POST",
++            encodedRequest ? "POST" : "GET",
+             PR_TicksPerSecond() * OCSP_Global.timeoutSeconds,
+             &pRequestSession) != SECSuccess) {
+         PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
+         goto loser;
+     }
+ 
+-    if ((*hcv1->setPostDataFcn)(
++    if (encodedRequest &&
++        (*hcv1->setPostDataFcn)(
+             pRequestSession, 
+             (char*)encodedRequest->data,
+             encodedRequest->len,
+@@ -3444,7 +3489,7 @@
+ }
+ 
+ /*
+- * FUNCTION: CERT_GetEncodedOCSPResponse
++ * FUNCTION: CERT_GetEncodedOCSPResponseByMethod
+  *   Creates and sends a request to an OCSP responder, then reads and
+  *   returns the (encoded) response.
+  * INPUTS:
+@@ -3462,6 +3507,11 @@
+  *     sent and whether there are any trusted responders in place.
+  *   const char *location
+  *     The location of the OCSP responder (a URL).
++ *   const char *method
++ *     The protocol method used when retrieving the OCSP response.
++ *     Currently support: "GET" (http GET) and "POST" (http POST).
++ *     Additionals methods for http or other protocols might be added
++ *     in the future.
+  *   PRTime time
+  *     Indicates the time for which the certificate status is to be 
+  *     determined -- this may be used in the search for the cert's issuer
+@@ -3490,9 +3540,9 @@
+  *   Other errors are low-level problems (no memory, bad database, etc.).
+  */
+ SECItem *
+-CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList,
+-			    const char *location, PRTime time,
+-			    PRBool addServiceLocator,
++CERT_GetEncodedOCSPResponseByMethod(PLArenaPool *arena, CERTCertList *certList,
++				    const char *location, const char *method,
++				    PRTime time, PRBool addServiceLocator,
+ 			    CERTCertificate *signerCert, void *pwArg,
+ 			    CERTOCSPRequest **pRequest)
+ {
+@@ -3502,14 +3552,102 @@
+     if (!request)
+         return NULL;
+     return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, 
+-                                                  time, addServiceLocator, 
++                                                  method, time, addServiceLocator,
+                                                   pwArg, pRequest);
+ }
+ 
++/*
++ * FUNCTION: CERT_GetEncodedOCSPResponse
++ *   Creates and sends a request to an OCSP responder, then reads and
++ *   returns the (encoded) response.
++ *
++ * This is a legacy API that behaves identically to
++ * CERT_GetEncodedOCSPResponseByMethod using the "POST" method.
++ */
++SECItem *
++CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList,
++			    const char *location, PRTime time,
++			    PRBool addServiceLocator,
++			    CERTCertificate *signerCert, void *pwArg,
++			    CERTOCSPRequest **pRequest)
++{
++    return CERT_GetEncodedOCSPResponseByMethod(arena, certList, location,
++					       "POST", time, addServiceLocator,
++					       signerCert, pwArg, pRequest);
++}
++
++/* URL encode a buffer that consists of base64-characters, only,
++ * which means we can use a simple encoding logic.
++ * 
++ * No output buffer size checking is performed.
++ * You should call the function twice, to calculate the required buffer size.
++ * 
++ * If the outpufBuf parameter is NULL, the function will calculate the 
++ * required size, including the trailing zero termination char.
++ * 
++ * The function returns the number of bytes calculated or produced.
++ */
++size_t
++ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf)
++{
++    const char *walkInput = NULL;
++    char *walkOutput = outputBuf;
++    size_t count = 0;
++    
++    for (walkInput=base64Buf; *walkInput; ++walkInput) {
++	char c = *walkInput;
++	if (isspace(c))
++	    continue;
++	switch (c) {
++	  case '+':
++	    if (outputBuf) {
++		strcpy(walkOutput, "%2B");
++		walkOutput += 3;
++	    }
++	    count += 3;
++	    break;
++	  case '/':
++	    if (outputBuf) {
++		strcpy(walkOutput, "%2F");
++		walkOutput += 3;
++	    }
++	    count += 3;
++	    break;
++	  case '=':
++	    if (outputBuf) {
++		strcpy(walkOutput, "%3D");
++		walkOutput += 3;
++	    }
++	    count += 3;
++	    break;
++	  default:
++	    if (outputBuf) {
++		*walkOutput = *walkInput;
++		++walkOutput;
++	    }
++	    ++count;
++	    break;
++	}
++    }
++    if (outputBuf) {
++	*walkOutput = 0;
++    }
++    ++count;
++    return count;
++}
++
++enum { max_get_request_size = 255 }; /* defined by RFC2560 */
++
++static SECItem *
++cert_GetOCSPResponse(PLArenaPool *arena, const char *location, 
++                     const SECItem *encodedRequest);
++
+ static SECItem *
+ ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena,
+                                        CERTOCSPRequest *request,
+-                                       const char *location, PRTime time,
++                                       const char *location,
++				       const char *method,
++				       PRTime time,
+                                        PRBool addServiceLocator,
+                                        void *pwArg,
+                                        CERTOCSPRequest **pRequest)
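Review bot: In ocsp_UrlEncodeBase64Buf, `isspace(c)` is called with a plain `char`, which is undefined for negative values where `char` is signed; `if (isspace((unsigned char)c))` avoids that. The function is defined without `static` although its `ocsp_` prefix suggests it is meant to be file-local (uses outside this file are not visible here), so `static size_t` would keep it out of the exported symbols. Because it writes through `strcpy` with no bound, the comment's "call the function twice" contract is the only thing protecting the output buffer, and the comment should state that the writing call must receive the same input string as the sizing call. The comment also spells the parameter `outpufBuf` where the code has `outputBuf`.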
+@@ -3518,6 +3656,9 @@
+     SECItem *encodedResponse = NULL;
+     SECStatus rv;
+ 
++    if (!location || !*location) /* location should be at least one byte */
++        goto loser;
++
+     rv = CERT_AddOCSPAcceptableResponses(request,
+ 					 SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
+     if (rv != SECSuccess)
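Review bot: The new `goto loser` for a NULL or empty `location` returns NULL without setting an error code, so the caller sees a failure with whatever PORT_GetError() held before. Setting it first, `PORT_SetError(SEC_ERROR_INVALID_ARGS);`, would match the argument checks elsewhere in this patch. The same applies to the `else { goto loser; }` for an unsupported `method` in the following hunk. The function body begins and ends outside this hunk.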
+@@ -3527,7 +3668,15 @@
+     if (encodedRequest == NULL)
+ 	goto loser;
+ 
++    if (!strcmp(method, "GET")) {
++        encodedResponse = cert_GetOCSPResponse(arena, location, encodedRequest);
++    }
++    else if (!strcmp(method, "POST")) {
+     encodedResponse = CERT_PostOCSPRequest(arena, location, encodedRequest);
++    }
++    else {
++	goto loser;
++    }
+ 
+     if (encodedResponse != NULL && pRequest != NULL) {
+ 	*pRequest = request;
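Review bot: `strcmp(method, "GET")` dereferences `method` without a NULL check, and `method` arrives unchanged from the new public CERT_GetEncodedOCSPResponseByMethod, so a caller passing NULL crashes here instead of getting an error. A guard before the comparison, `if (!method) { PORT_SetError(SEC_ERROR_INVALID_ARGS); goto loser; }`, keeps the failure on the existing cleanup path. The enclosing function starts and ends outside this hunk.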
+@@ -3539,14 +3688,90 @@
+ 	CERT_DestroyOCSPRequest(request);
+     if (encodedRequest != NULL)
+ 	SECITEM_FreeItem(encodedRequest, PR_TRUE);
+-
+     return encodedResponse;
+ }
+ 
++static SECItem *
++cert_FetchOCSPResponse(PLArenaPool *arena,  const char *location, 
++                       const SECItem *encodedRequest);
++
++/* using HTTP GET method */
++static SECItem *
++cert_GetOCSPResponse(PLArenaPool *arena, const char *location, 
++                     const SECItem *encodedRequest)
++{
++    char *walkOutput = NULL;
++    char *fullGetPath = NULL;
++    size_t pathLength;
++    PRInt32 urlEncodedBufLength;
++    size_t base64size;
++    char b64ReqBuf[max_get_request_size+1];
++    size_t slashLengthIfNeeded = 0;
++    size_t getURLLength;
++    SECItem *item;
++
++    if (!location || !*location) {
++	return NULL;
++    }
++    
++    pathLength = strlen(location);
++    if (location[pathLength-1] != '/') {
++	slashLengthIfNeeded = 1;
++    }
++    
++    /* Calculation as documented by PL_Base64Encode function.
++     * Use integer conversion to avoid having to use function ceil().
++     */
++    base64size = (((encodedRequest->len +2)/3) * 4);
++    if (base64size > max_get_request_size) {
++	return NULL;
++    }
++    memset(b64ReqBuf, 0, sizeof(b64ReqBuf));
++    PL_Base64Encode((const char*)encodedRequest->data, encodedRequest->len,
++		    b64ReqBuf);
++
++    urlEncodedBufLength = ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL);
++    getURLLength = pathLength + urlEncodedBufLength + slashLengthIfNeeded;
++    
++    /* urlEncodedBufLength already contains room for the zero terminator.
++     * Add another if we must add the '/' char.
++     */
++    if (arena) {
++        fullGetPath = (char*)PORT_ArenaAlloc(arena, getURLLength);
++    } else {
++        fullGetPath = (char*)PORT_Alloc(getURLLength);
++    }
++    if (!fullGetPath) {
++	return NULL;
++    }
++ 
++    strcpy(fullGetPath, location);
++    walkOutput = fullGetPath + pathLength;
++    
++    if (walkOutput > fullGetPath && slashLengthIfNeeded) {
++        strcpy(walkOutput, "/");
++        ++walkOutput;
++    }
++    ocsp_UrlEncodeBase64Buf(b64ReqBuf, walkOutput);
++
++    item = cert_FetchOCSPResponse(arena, fullGetPath, NULL);
++    if (!arena) {
++	PORT_Free(fullGetPath);
++    }
++    return item;
++}
++
+ SECItem *
+ CERT_PostOCSPRequest(PLArenaPool *arena,  const char *location, 
+                      const SECItem *encodedRequest)
+ {
++    return cert_FetchOCSPResponse(arena, location, encodedRequest);
++}
++
++SECItem *
++cert_FetchOCSPResponse(PLArenaPool *arena,  const char *location, 
++                       const SECItem *encodedRequest)
++{
+     const SEC_HttpClientFcn *registeredHttpClient;
+     SECItem *encodedResponse = NULL;
+ 
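Review bot: In cert_GetOCSPResponse the `max_get_request_size` check is applied to `base64size`, before URL-encoding, but ocsp_UrlEncodeBase64Buf turns each `+`, `/` and `=` into three characters, so the encoded request appended to the URL can be well over 255 bytes. The existing check must stay, since it is what keeps PL_Base64Encode within `b64ReqBuf`. If the limit is also meant to cover what is actually sent, a second check after the sizing call is needed, e.g. `if (urlEncodedBufLength - 1 > max_get_request_size) return NULL;`. `urlEncodedBufLength` is declared `PRInt32` while the helper returns `size_t` and the value feeds a `size_t` sum, so declaring it `size_t` removes the implicit conversions. The early `return NULL` paths leave the error code unset.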
+@@ -3574,7 +3799,9 @@
+ ocsp_GetEncodedOCSPResponseForSingleCert(PLArenaPool *arena, 
+                                          CERTOCSPCertID *certID, 
+                                          CERTCertificate *singleCert, 
+-                                         const char *location, PRTime time,
++                                         const char *location,
++					 const char *method,
++					 PRTime time,
+                                          PRBool addServiceLocator,
+                                          void *pwArg,
+                                          CERTOCSPRequest **pRequest)
+@@ -3585,7 +3812,7 @@
+     if (!request)
+         return NULL;
+     return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, 
+-                                                  time, addServiceLocator, 
++                                                  method, time, addServiceLocator,
+                                                   pwArg, pRequest);
+ }
+ 
+@@ -3676,19 +3903,22 @@
+     item.data = buf;
+     item.len = SHA1_LENGTH;
+ 
+-    if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_SHA1, &item) == NULL) {
++    if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_SHA1,
++				       &item) == NULL) {
+ 	return PR_FALSE;
+     }
+     if  (SECITEM_ItemsAreEqual(certIndex,&item)) {
+ 	return PR_TRUE;
+     }
+-    if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_MD5, &item) == NULL) {
++    if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD5,
++				       &item) == NULL) {
+ 	return PR_FALSE;
+     }
+     if  (SECITEM_ItemsAreEqual(certIndex,&item)) {
+ 	return PR_TRUE;
+     }
+-    if (CERT_GetSPKIDigest(NULL,testCert,SEC_OID_MD2, &item) == NULL) {
++    if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD2,
++				       &item) == NULL) {
+ 	return PR_FALSE;
+     }
+     if  (SECITEM_ItemsAreEqual(certIndex,&item)) {
+@@ -3789,6 +4019,9 @@
+ 		signerCert = CERT_DupCertificate(certs[i]);
+ 	    }
+ 	}
++	if (signerCert == NULL) {
++	    PORT_SetError(SEC_ERROR_UNKNOWN_CERT);
++	}
+     }
+ 
+ finish:
+@@ -4238,7 +4471,7 @@
+ 
+     hashAlg = SECOID_FindOIDTag(&certID->hashAlgorithm.algorithm);
+ 
+-    keyHash = CERT_GetSPKIDigest(NULL, signerCert, hashAlg, NULL);
++    keyHash = CERT_GetSubjectPublicKeyDigest(NULL, signerCert, hashAlg, NULL);
+     if (keyHash != NULL) {
+ 
+         keyHashEQ =
+@@ -4247,7 +4480,7 @@
+         SECITEM_FreeItem(keyHash, PR_TRUE);
+     }
+     if (keyHashEQ &&
+-        (nameHash = cert_GetSubjectNameDigest(NULL, signerCert,
++        (nameHash = CERT_GetSubjectNameDigest(NULL, signerCert,
+                                               hashAlg, NULL))) {
+         nameHashEQ =
+             (SECITEM_CompareItem(nameHash,
+@@ -4285,8 +4518,8 @@
+         return PR_FALSE;
+     }
+ 
+-    keyHash = CERT_GetSPKIDigest(NULL, issuerCert, hashAlg, NULL);
+-    nameHash = cert_GetSubjectNameDigest(NULL, issuerCert, hashAlg, NULL);
++    keyHash = CERT_GetSubjectPublicKeyDigest(NULL, issuerCert, hashAlg, NULL);
++    nameHash = CERT_GetSubjectNameDigest(NULL, issuerCert, hashAlg, NULL);
+ 
+     CERT_DestroyCertificate(issuerCert);
+ 
+@@ -4672,7 +4905,7 @@
+  * See if the cert represented in the single response had a good status
+  * at the specified time.
+  */
+-static SECStatus
++SECStatus
+ ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time)
+ {
+     SECStatus rv;
+@@ -4704,7 +4937,7 @@
+     return ocsp_CertHasGoodStatus(single->certStatus, time);
+ }
+ 
+-/* Return value SECFailure means: not found or not fresh.
++/* SECFailure means the arguments were invalid.
+  * On SECSuccess, the out parameters contain the OCSP status.
+  * rvOcsp contains the overall result of the OCSP operation.
+  * Depending on input parameter ignoreGlobalOcspFailureSetting,
+@@ -4712,34 +4945,39 @@
+  * If the cached attempt to obtain OCSP information had resulted
+  * in a failure, missingResponseError shows the error code of
+  * that failure.
++ * cacheFreshness is ocspMissing if no entry was found,
++ *                   ocspFresh if a fresh entry was found, or
++ *                   ocspStale if a stale entry was found.
+  */
+ SECStatus
+-ocsp_GetCachedOCSPResponseStatusIfFresh(CERTOCSPCertID *certID, 
++ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
+                                         PRTime time,
+                                         PRBool ignoreGlobalOcspFailureSetting,
+                                         SECStatus *rvOcsp,
+-                                        SECErrorCodes *missingResponseError)
++                                 SECErrorCodes *missingResponseError,
++                                 OCSPFreshness *cacheFreshness)
+ {
+     OCSPCacheItem *cacheItem = NULL;
+-    SECStatus rv = SECFailure;
+   
+-    if (!certID || !missingResponseError || !rvOcsp) {
++    if (!certID || !missingResponseError || !rvOcsp || !cacheFreshness) {
+         PORT_SetError(SEC_ERROR_INVALID_ARGS);
+         return SECFailure;
+     }
+     *rvOcsp = SECFailure;
+     *missingResponseError = 0;
++    *cacheFreshness = ocspMissing;
+   
+     PR_EnterMonitor(OCSP_Global.monitor);
+     cacheItem = ocsp_FindCacheEntry(&OCSP_Global.cache, certID);
+-    if (cacheItem && ocsp_IsCacheItemFresh(cacheItem)) {
++    if (cacheItem) {
++        *cacheFreshness = ocsp_IsCacheItemFresh(cacheItem) ? ocspFresh
++                                                           : ocspStale;
+         /* having an arena means, we have a cached certStatus */
+         if (cacheItem->certStatusArena) {
+             *rvOcsp = ocsp_CertHasGoodStatus(&cacheItem->certStatus, time);
+             if (*rvOcsp != SECSuccess) {
+                 *missingResponseError = PORT_GetError();
+             }
+-            rv = SECSuccess;
+         } else {
+             /*
+              * No status cached, the previous attempt failed.
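Review bot: ocsp_GetCachedOCSPResponseStatus now fills `*rvOcsp` from ocsp_CertHasGoodStatus for any cached entry that has a `certStatusArena`, including one it reports as `ocspStale`, and returns SECSuccess either way. A caller that tests only the return value and `*rvOcsp`, which was sufficient with the old ...IfFresh function, would accept an expired good status. Both callers visible on this page do check for `ocspFresh`, but the header comment should say so, for example `* *rvOcsp is also set for stale entries; check *cacheFreshness before trusting it.` The function's closing lines are in the next hunk.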
+@@ -4747,17 +4985,17 @@
+              * However, if OCSP is optional, a recent OCSP failure is
+              * an allowed good state.
+              */
+-            if (!ignoreGlobalOcspFailureSetting &&
++            if (*cacheFreshness == ocspFresh &&
++                !ignoreGlobalOcspFailureSetting &&
+                 OCSP_Global.ocspFailureMode == 
+                     ocspMode_FailureIsNotAVerificationFailure) {
+-                rv = SECSuccess;
+                 *rvOcsp = SECSuccess;
+             }
+             *missingResponseError = cacheItem->missingResponseError;
+         }
+     }
+     PR_ExitMonitor(OCSP_Global.monitor);
+-    return rv;
++    return SECSuccess;
+ }
+ 
+ PRBool
+@@ -4828,9 +5066,10 @@
+ {
+     CERTOCSPCertID *certID;
+     PRBool certIDWasConsumed = PR_FALSE;
+-    SECStatus rv = SECFailure;
++    SECStatus rv;
+     SECStatus rvOcsp;
+-    SECErrorCodes dummy_error_code; /* we ignore this */
++    SECErrorCodes cachedErrorCode;
++    OCSPFreshness cachedResponseFreshness;
+   
+     OCSP_TRACE_CERT(cert);
+     OCSP_TRACE_TIME("## requested validity time:", time);
+@@ -4838,21 +5077,41 @@
+     certID = CERT_CreateOCSPCertID(cert, time);
+     if (!certID)
+         return SECFailure;
+-    rv = ocsp_GetCachedOCSPResponseStatusIfFresh(
++    rv = ocsp_GetCachedOCSPResponseStatus(
+         certID, time, PR_FALSE, /* ignoreGlobalOcspFailureSetting */
+-        &rvOcsp, &dummy_error_code);
+-    if (rv == SECSuccess) {
++        &rvOcsp, &cachedErrorCode, &cachedResponseFreshness);
++    if (rv != SECSuccess) {
++        CERT_DestroyOCSPCertID(certID);
++        return SECFailure;
++    }
++    if (cachedResponseFreshness == ocspFresh) {
+         CERT_DestroyOCSPCertID(certID);
+         return rvOcsp;
+     }
++
+     rv = ocsp_GetOCSPStatusFromNetwork(handle, certID, cert, time, pwArg, 
+                                        &certIDWasConsumed, 
+                                        &rvOcsp);
+     if (rv != SECSuccess) {
+-        /* we were unable to obtain ocsp status. Check if we should
+-         * return cert status revoked. */
+-        rvOcsp = ocsp_FetchingFailureIsVerificationFailure() ?
+-            SECFailure : SECSuccess;
++        PRErrorCode err = PORT_GetError();
++        if (ocsp_FetchingFailureIsVerificationFailure()) {
++            PORT_SetError(err);
++            rvOcsp = SECFailure;
++        } else if (cachedResponseFreshness == ocspStale &&
++                   (cachedErrorCode == SEC_ERROR_OCSP_UNKNOWN_CERT ||
++                    cachedErrorCode == SEC_ERROR_REVOKED_CERTIFICATE)) {
++            /* If we couldn't get a response for a certificate that the OCSP
++             * responder previously told us was bad, then assume it is still
++             * bad until we hear otherwise, as it is very unlikely that the
++             * certificate status has changed from "revoked" to "good" and it
++             * is also unlikely that the certificate status has changed from
++             * "unknown" to "good", except for some buggy OCSP responders.
++             */
++            PORT_SetError(cachedErrorCode);
++            rvOcsp = SECFailure;
++        } else {
++            rvOcsp = SECSuccess;
++        }
+     }
+     if (!certIDWasConsumed) {
+         CERT_DestroyOCSPCertID(certID);
+@@ -4898,8 +5157,11 @@
+     CERTOCSPCertID *certID = NULL;
+     PRBool certIDWasConsumed = PR_FALSE;
+     SECStatus rv = SECFailure;
+-    SECStatus rvOcsp;
++    SECStatus rvOcsp = SECFailure;
+     SECErrorCodes dummy_error_code; /* we ignore this */
++    CERTOCSPResponse *decodedResponse = NULL;
++    CERTOCSPSingleResponse *singleResponse = NULL;
++    OCSPFreshness freshness;
+ 
+     /* The OCSP cache can be in three states regarding this certificate:
+      *    + Good (cached, timely, 'good' response, or revoked in the future)
+@@ -4940,17 +5202,21 @@
+      * side channel.
+      */
+ 
+-    if (!cert) {
++    if (!cert || !encodedResponse) {
+         PORT_SetError(SEC_ERROR_INVALID_ARGS);
+         return SECFailure;
+     }
+     certID = CERT_CreateOCSPCertID(cert, time);
+     if (!certID)
+         return SECFailure;
+-    rv = ocsp_GetCachedOCSPResponseStatusIfFresh(
+-        certID, time, PR_FALSE, /* ignoreGlobalOcspFailureSetting */
+-        &rvOcsp, &dummy_error_code);
+-    if (rv == SECSuccess && rvOcsp == SECSuccess) {
++
++    /* We pass PR_TRUE for ignoreGlobalOcspFailureSetting so that a cached
++     * error entry is not interpreted as being a 'Good' entry here.
++     */
++    rv = ocsp_GetCachedOCSPResponseStatus(
++        certID, time, PR_TRUE, /* ignoreGlobalOcspFailureSetting */
++        &rvOcsp, &dummy_error_code, &freshness);
++    if (rv == SECSuccess && rvOcsp == SECSuccess && freshness == ocspFresh) {
+         /* The cached value is good. We don't want to waste time validating
+          * this OCSP response. This is the first column in the table above. */
+         CERT_DestroyOCSPCertID(certID);
+@@ -4958,12 +5224,21 @@
+     }
+ 
+     /* The logic for caching the more recent response is handled in
+-     * ocsp_CreateOrUpdateCacheEntry, which is called by this function. */
+-    rv = ocsp_CacheEncodedOCSPResponse(handle, certID, cert, time,
+-                                       pwArg, encodedResponse,
+-                                       PR_FALSE /* don't cache if invalid */,
+-                                       &certIDWasConsumed,
+-                                       &rvOcsp);
++     * ocsp_CacheSingleResponse. */
++
++    rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert,
++						    time, pwArg,
++						    encodedResponse,
++						    &decodedResponse,
++						    &singleResponse);
++    if (rv == SECSuccess) {
++	rvOcsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time);
++	/* Cache any valid singleResponse, regardless of status. */
++	ocsp_CacheSingleResponse(certID, singleResponse, &certIDWasConsumed);
++    }
++    if (decodedResponse) {
++	CERT_DestroyOCSPResponse(decodedResponse);
++    }
+     if (!certIDWasConsumed) {
+         CERT_DestroyOCSPCertID(certID);
+     }
+@@ -4989,6 +5264,11 @@
+     CERTOCSPRequest *request = NULL;
+     SECStatus rv = SECFailure;
+ 
++    CERTOCSPResponse *decodedResponse = NULL;
++    CERTOCSPSingleResponse *singleResponse = NULL;
++    enum { stageGET, stagePOST } currentStage;
++    PRBool retry = PR_FALSE;
++
+     if (!certIDWasConsumed || !rv_ocsp) {
+         PORT_SetError(SEC_ERROR_INVALID_ARGS);
+         return SECFailure;
+@@ -4996,6 +5276,18 @@
+     *certIDWasConsumed = PR_FALSE;
+     *rv_ocsp = SECFailure;
+ 
++    if (!OCSP_Global.monitor) {
++        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
++        return SECFailure;
++    }
++    PR_EnterMonitor(OCSP_Global.monitor);
++    if (OCSP_Global.forcePost) {
++        currentStage = stagePOST;
++    } else {
++        currentStage = stageGET;
++    }
++    PR_ExitMonitor(OCSP_Global.monitor);
++
+     /*
+      * The first thing we need to do is find the location of the responder.
+      * This will be the value of the default responder (if enabled), else
+@@ -5041,36 +5333,88 @@
+      * should be passed into this function or retrieved via some operation
+      * on the handle/context.
+      */
++
++    do {
++	const char *method;
++	PRBool validResponseWithAccurateInfo = PR_FALSE;
++	retry = PR_FALSE;
++	*rv_ocsp = SECFailure;
++
++	if (currentStage == stageGET) {
++	    method = "GET";
++	} else {
++	    PORT_Assert(currentStage == stagePOST);
++	    method = "POST";
++	}
++
+     encodedResponse = 
+-        ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert, location,
++	    ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert,
++						     location, method,
+                                                  time, locationIsDefault,
+                                                  pwArg, &request);
+-    if (encodedResponse == NULL) {
+-        goto loser;
+-    }
+ 
+-    rv = ocsp_CacheEncodedOCSPResponse(handle, certID, cert, time, pwArg,
++	if (encodedResponse) {
++	    rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert,
++							    time, pwArg,
+                                        encodedResponse,
+-                                       PR_TRUE /* cache if invalid */,
+-                                       certIDWasConsumed, rv_ocsp);
++							    &decodedResponse,
++							    &singleResponse);
++	    if (rv == SECSuccess) {
++		switch (singleResponse->certStatus->certStatusType) {
++		    case ocspCertStatus_good:
++		    case ocspCertStatus_revoked:
++			validResponseWithAccurateInfo = PR_TRUE;
++			break;
++		    default:
++			break;
++		}
++		*rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time);
++	    }
++	}
+ 
+-loser:
+-    if (request != NULL)
+-	CERT_DestroyOCSPRequest(request);
+-    if (encodedResponse != NULL)
++	if (currentStage == stageGET) {
++	    /* only accept GET response if good or revoked */
++	    if (validResponseWithAccurateInfo) {
++		ocsp_CacheSingleResponse(certID, singleResponse, 
++					 certIDWasConsumed);
++	    } else {
++		retry = PR_TRUE;
++		currentStage = stagePOST;
++	    }
++	} else {
++	    /* cache the POST respone, regardless of status */
++	    if (!singleResponse) {
++		cert_RememberOCSPProcessingFailure(certID, certIDWasConsumed);
++	    } else {
++		ocsp_CacheSingleResponse(certID, singleResponse, 
++					 certIDWasConsumed);
++	    }
++	}
++
++	if (encodedResponse) {
+ 	SECITEM_FreeItem(encodedResponse, PR_TRUE);
+-    if (location != NULL)
+-	PORT_Free(location);
++	    encodedResponse = NULL;
++	}
++	if (request) {
++	    CERT_DestroyOCSPRequest(request);
++	    request = NULL;
++	}
++	if (decodedResponse) {
++	    CERT_DestroyOCSPResponse(decodedResponse);
++	    decodedResponse = NULL;
++	}
++	singleResponse = NULL;
+ 
++    } while (retry);
++
++    PORT_Free(location);
+     return rv;
+ }
+ 
+ /*
+- * FUNCTION: ocsp_CacheEncodedOCSPResponse
++ * FUNCTION: ocsp_GetDecodedVerifiedSingleResponseForID
+  *   This function decodes an OCSP response and checks for a valid response
+- *   concerning the given certificate. If such a response is not found
+- *   then nothing is cached. Otherwise, if it is a good response, or if
+- *   cacheNegative is true, the results are stored in the OCSP cache.
++ *   concerning the given certificate.
+  *
+  *   Note: a 'valid' response is one that parses successfully, is not an OCSP
+  *   exception (see RFC 2560 Section 2.3), is correctly signed and is current.
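Review bot: The retry loop resets `*rv_ocsp` at the top of each pass but not `rv`, so the function's return value can be left over from the GET pass. If GET yields a verified response whose status is neither good nor revoked, `rv` is SECSuccess and the loop retries with POST. If that POST fetch returns NULL, `rv` is never reassigned and the function returns SECSuccess although the final pass obtained no response and recorded a processing failure. Adding `rv = SECFailure;` next to `*rv_ocsp = SECFailure;` makes the return value describe the attempt that was actually cached. The function begins before this hunk.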
+@@ -5090,41 +5434,37 @@
+  *     the opaque argument to the password prompting function.
+  *   SECItem *encodedResponse
+  *     the DER encoded bytes of the OCSP response
+- *   PRBool cacheInvalid
+- *     If true then invalid responses will cause a negative cache entry to be
+- *     created. (Invalid means bad syntax, bad signature etc)
+- *   PRBool *certIDWasConsumed
+- *     (output) on return, this is true iff |certID| was consumed by this
+- *     function.
+- *   SECStatus *rv_ocsp
+- *     (output) on return, this is SECSuccess iff the response is good (see
+- *     definition of 'good' above).
++ *   CERTOCSPResponse **pDecodedResponse
++ *     (output) The caller must ALWAYS check for this output parameter,
++ *     and if it's non-null, must destroy it using CERT_DestroyOCSPResponse.
++ *   CERTOCSPSingleResponse **pSingle
++ *     (output) on success, this points to the single response that corresponds
++ *     to the certID parameter. Points to the inside of pDecodedResponse.
++ *     It isn't a copy, don't free it.
+  * RETURN:
+  *   SECSuccess iff the response is valid.
+  */
+ static SECStatus
+-ocsp_CacheEncodedOCSPResponse(CERTCertDBHandle *handle,
++ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle,
+ 			      CERTOCSPCertID *certID,
+ 			      CERTCertificate *cert,
+ 			      PRTime time,
+ 			      void *pwArg,
+ 			      const SECItem *encodedResponse,
+-                              PRBool cacheInvalid,
+-			      PRBool *certIDWasConsumed,
+-			      SECStatus *rv_ocsp)
++					   CERTOCSPResponse **pDecodedResponse,
++					   CERTOCSPSingleResponse **pSingle)
+ {
+-    CERTOCSPResponse *response = NULL;
+     CERTCertificate *signerCert = NULL;
+     CERTCertificate *issuerCert = NULL;
+-    CERTOCSPSingleResponse *single = NULL;
+     SECStatus rv = SECFailure;
+ 
+-    *certIDWasConsumed = PR_FALSE;
+-    *rv_ocsp = SECFailure;
+-
+-    response = CERT_DecodeOCSPResponse(encodedResponse);
+-    if (response == NULL) {
+-	goto loser;
++    if (!pSingle || !pDecodedResponse) {
++	return SECFailure;
++    }
++    *pSingle = NULL;
++    *pDecodedResponse = CERT_DecodeOCSPResponse(encodedResponse);
++    if (!*pDecodedResponse) {
++	return SECFailure;
+     }
+ 
+     /*
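Review bot: On the early `return SECFailure` taken when `pSingle` is NULL, `*pDecodedResponse` is never written, although the function comment tells callers to ALWAYS inspect that output and destroy it when it is non-null. A caller that passed an uninitialised pointer would then hand an indeterminate value to `CERT_DestroyOCSPResponse`. Clear the output before the argument check with `if (pDecodedResponse) *pDecodedResponse = NULL;`, and add `PORT_SetError(SEC_ERROR_INVALID_ARGS);` inside the check so the failure carries an error code, as the early return in `CERT_ForcePostMethodForOCSP` later in this patch does. The function body continues past the end of this hunk.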
+@@ -5136,7 +5476,7 @@
+      * Otherwise, we continue to find the actual per-cert status
+      * in the response.
+      */
+-    if (CERT_GetOCSPResponseStatus(response) != SECSuccess) {
++    if (CERT_GetOCSPResponseStatus(*pDecodedResponse) != SECSuccess) {
+ 	goto loser;
+     }
+ 
+@@ -5145,54 +5485,60 @@
+      * So, check for that.
+      */
+     issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA);
+-    rv = CERT_VerifyOCSPResponseSignature(response, handle, pwArg, &signerCert,
+-			issuerCert);
+-    if (rv != SECSuccess)
++    rv = CERT_VerifyOCSPResponseSignature(*pDecodedResponse, handle, pwArg,
++                                          &signerCert, issuerCert);
++    if (rv != SECSuccess) {
+ 	goto loser;
++    }
+ 
+     PORT_Assert(signerCert != NULL);	/* internal consistency check */
+     /* XXX probably should set error, return failure if signerCert is null */
+ 
+-
+     /*
+      * Again, we are only doing one request for one cert.
+      * XXX When we handle cert chains, the following code will obviously
+      * have to be modified, in coordation with the code above that will
+      * have to determine how to make multiple requests, etc. 
+      */
+-
+-    rv = ocsp_GetVerifiedSingleResponseForCertID(handle, response, certID, 
+-                                                 signerCert, time, &single);
+-    if (rv != SECSuccess)
+-        goto loser;
+-
+-    *rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(single, time);
+-
++    rv = ocsp_GetVerifiedSingleResponseForCertID(handle, *pDecodedResponse, certID, 
++                                                 signerCert, time, pSingle);
+ loser:
+-    /* If single == NULL here then the response was invalid. */
+-    if (single != NULL || cacheInvalid) {
++    if (issuerCert != NULL)
++	CERT_DestroyCertificate(issuerCert);
++    if (signerCert != NULL)
++	CERT_DestroyCertificate(signerCert);
++    return rv;
++}
++
++/*
++ * FUNCTION: ocsp_CacheSingleResponse
++ *   This function requires that the caller has checked that the response
++ *   is valid and verified. 
++ *   The (positive or negative) valid response will be used to update the cache.
++ * INPUTS:
++ *   CERTOCSPCertID *certID
++ *     the cert ID corresponding to |cert|
++ *   PRBool *certIDWasConsumed
++ *     (output) on return, this is true iff |certID| was consumed by this
++ *     function.
++ */
++void
++ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
++			 CERTOCSPSingleResponse *single,
++			 PRBool *certIDWasConsumed)
++{
++    if (single != NULL) {
+ 	PR_EnterMonitor(OCSP_Global.monitor);
+ 	if (OCSP_Global.maxCacheEntries >= 0) {
+-	    /* single == NULL means: remember response failure */
+ 	    ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, single,
+ 					  certIDWasConsumed);
+ 	    /* ignore cache update failures */
+ 	}
+ 	PR_ExitMonitor(OCSP_Global.monitor);
+     }
+-
+-    /* 'single' points within the response so there's no need to free it. */
+-
+-    if (issuerCert != NULL)
+-	CERT_DestroyCertificate(issuerCert);
+-    if (signerCert != NULL)
+-	CERT_DestroyCertificate(signerCert);
+-    if (response != NULL)
+-	CERT_DestroyOCSPResponse(response);
+-    return rv;
+ }
+ 
+-static SECStatus
++SECStatus
+ ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle, 
+                                         CERTOCSPResponse *response, 
+                                         CERTOCSPCertID   *certID,
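Review bot: `ocsp_CacheSingleResponse` leaves `*certIDWasConsumed` unwritten whenever `single` is NULL or `OCSP_Global.maxCacheEntries` is negative, while its comment promises the flag is true iff `certID` was consumed; the removed `ocsp_CacheEncodedOCSPResponse` reset it to `PR_FALSE` on entry. The callers are outside this hunk, so it cannot be confirmed here that they all pre-initialise the flag, and a stale value would steer the decision to free or keep `certID` (a leak or a double free). Restore the reset as the first statement, `*certIDWasConsumed = PR_FALSE;`, and add the missing `single` entry to the INPUTS list of the comment. The hunk ends inside the declaration of `ocsp_GetVerifiedSingleResponseForCertID`, which continues outside it.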
+@@ -5785,6 +6131,20 @@
+     return SECSuccess;
+ }
+ 
++SECStatus
++CERT_ForcePostMethodForOCSP(PRBool forcePost)
++{
++    if (!OCSP_Global.monitor) {
++        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
++        return SECFailure;
++    }
++
++    PR_EnterMonitor(OCSP_Global.monitor);
++    OCSP_Global.forcePost = forcePost;
++    PR_ExitMonitor(OCSP_Global.monitor);
++
++    return SECSuccess;
++}
+ 
+ SECStatus
+ CERT_GetOCSPResponseStatus(CERTOCSPResponse *response)
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/certhigh/ocsp.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/certhigh/ocsp.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/certhigh/ocsp.h	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/certhigh/ocsp.h	2014-02-10 01:13:33.042519484 +0400
+@@ -171,6 +171,15 @@
+ extern SECStatus
+ CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle);
+ 
++/* If forcePost is set, OCSP requests will only be sent using the HTTP POST
++ * method. When forcePost is not set, OCSP requests will be sent using the
++ * HTTP GET method, with a fallback to POST when we fail to receive a response
++ * and/or when we receive an uncacheable response like "Unknown." 
++ *
++ * The default is to use GET and fallback to POST.
++ */
++extern SECStatus CERT_ForcePostMethodForOCSP(PRBool forcePost);
++
+ /*
+  * -------------------------------------------------------
+  * The Functions above are those expected to be used by a client
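Review bot: The comment added for `CERT_ForcePostMethodForOCSP` does not describe the return value, although the definition in ocsp.c returns `SECFailure` with `SEC_ERROR_NOT_INITIALIZED` when `OCSP_Global.monitor` is unset. Say so in the header so embedders know the result has to be checked, for example `Returns SECFailure with SEC_ERROR_NOT_INITIALIZED if the OCSP module has not been initialized.` Since the value is stored in `OCSP_Global`, the setting appears to be process-wide rather than per handle, and that is worth one more sentence in the same comment.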
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/certhigh/ocspi.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/certhigh/ocspi.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/certhigh/ocspi.h	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/certhigh/ocspi.h	2014-02-10 01:13:33.042519484 +0400
+@@ -41,12 +41,15 @@
+                                  PRBool addServiceLocator,
+                                  CERTCertificate *signerCert);
+ 
++typedef enum { ocspMissing, ocspFresh, ocspStale } OCSPFreshness;
++
+ SECStatus
+-ocsp_GetCachedOCSPResponseStatusIfFresh(CERTOCSPCertID *certID, 
++ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
+                                         PRTime time,
+                                         PRBool ignoreOcspFailureMode,
+                                         SECStatus *rvOcsp,
+-                                        SECErrorCodes *missingResponseError);
++                                 SECErrorCodes *missingResponseError,
++                                 OCSPFreshness *freshness);
+ 
+ /*
+  * FUNCTION: cert_ProcessOCSPResponse
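Review bot: `OCSPFreshness` and the new `freshness` out-parameter are added without any comment, yet dropping `IfFresh` from the name suggests `ocsp_GetCachedOCSPResponseStatus` may now report a status for a stale cache entry as well. If that is the case, every caller has to test `*freshness` before acting on `*rvOcsp`, otherwise an expired response could be treated as current revocation information; the implementation is outside this hunk, so this is inferred from the names only. Document the three enumerators and that contract above the prototype, e.g. `/* *freshness tells whether *rvOcsp comes from a fresh entry, a stale entry, or no entry at all */`. The continuation lines of the prototype are also left misaligned by the rename.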
+@@ -139,4 +142,23 @@
+ PRBool
+ ocsp_FetchingFailureIsVerificationFailure(void);
+ 
++size_t
++ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf);
++
++SECStatus
++ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle, 
++                                        CERTOCSPResponse *response, 
++                                        CERTOCSPCertID   *certID,
++                                        CERTCertificate  *signerCert,
++                                        PRTime            time,
++                                        CERTOCSPSingleResponse **pSingleResponse);
++
++SECStatus
++ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time);
++
++void
++ocsp_CacheSingleResponse(CERTOCSPCertID *certID,
++			 CERTOCSPSingleResponse *single,
++			 PRBool *certIDWasConsumed);
++
+ #endif /* _OCSPI_H_ */
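Review bot: `ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf)` writes into a caller-supplied buffer but takes no capacity argument, and the header gives no sizing rule. Percent-encoding grows the input, since every escaped character becomes three bytes, so an undersized `outputBuf` turns a caller mistake into an out-of-bounds write. Either add a `size_t outputBufLen` parameter, or put a comment on the prototype that states how large `outputBuf` must be relative to `base64Buf` and what the `size_t` return value means; the definition is outside this hunk, so the exact rule has to be taken from there. The other prototypes exported here, `ocsp_CertHasGoodStatus` and `ocsp_CacheSingleResponse`, would benefit from a one-line comment each as well.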
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/certhigh/ocspsig.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/certhigh/ocspsig.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/certhigh/ocspsig.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/certhigh/ocspsig.c	2014-02-10 01:13:33.042519484 +0400
+@@ -472,8 +472,8 @@
+ 	}
+ 	else {
+ 	    responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
+-	    if (!CERT_GetSPKIDigest(tmpArena, responderCert, SEC_OID_SHA1,
+-					&rid->responderIDValue.keyHash))
++	    if (!CERT_GetSubjectPublicKeyDigest(tmpArena, responderCert,
++				SEC_OID_SHA1, &rid->responderIDValue.keyHash))
+ 		goto done;
+ 	}
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ckfw/builtins/bfind.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ckfw/builtins/bfind.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ckfw/builtins/bfind.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ckfw/builtins/bfind.c	2014-02-10 01:13:33.042519484 +0400
+@@ -115,10 +115,11 @@
+     /* match a decoded serial number */
+     if ((a->type == CKA_SERIAL_NUMBER) && (a->ulValueLen < b->size)) {
+ 	int len;
+-	unsigned char *data;
++	unsigned char *data = NULL;
+ 
+ 	len = builtins_derUnwrapInt(b->data,b->size,&data);
+-	if ((len == a->ulValueLen) && 
++	if (data &&
++	    (len == a->ulValueLen) && 
+ 		nsslibc_memequal(a->pValue, data, len, (PRStatus *)NULL)) {
+ 	    return CK_TRUE;
+ 	}
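Review bot: The added `data &&` test only helps if `builtins_derUnwrapInt` leaves `*data` untouched on every failure path, which cannot be checked from this hunk because the helper is defined elsewhere. `len` is still a signed `int` that is compared with the unsigned `a->ulValueLen` and then passed as the length to `nsslibc_memequal`, so a negative return is rejected only as a side effect of integer conversion. Making the check explicit costs one condition: `if (data && (len >= 0) && ((CK_ULONG)len == a->ulValueLen) &&`. The enclosing function starts and ends outside the hunk.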
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ckfw/builtins/certdata.txt seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ckfw/builtins/certdata.txt	2014-02-10 01:12:13.860913398 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ckfw/builtins/certdata.txt	2014-02-10 01:13:33.049519360 +0400
+@@ -72,6 +72,13 @@
+ #
+ # Certificate "GTE CyberTrust Global Root"
+ #
++# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
++# Serial Number: 421 (0x1a5)
++# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
++# Not Valid Before: Thu Aug 13 00:29:00 1998
++# Not Valid After : Mon Aug 13 23:59:00 2018
++# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
++# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -144,6 +151,13 @@
+ END
+ 
+ # Trust for Certificate "GTE CyberTrust Global Root"
++# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
++# Serial Number: 421 (0x1a5)
++# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
++# Not Valid Before: Thu Aug 13 00:29:00 1998
++# Not Valid After : Mon Aug 13 23:59:00 2018
++# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
++# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -177,6 +191,13 @@
+ #
+ # Certificate "Thawte Server CA"
+ #
++# Issuer: E=server-certs at thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
++# Serial Number: 1 (0x1)
++# Subject: E=server-certs at thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
++# Not Valid Before: Thu Aug 01 00:00:00 1996
++# Not Valid After : Thu Dec 31 23:59:59 2020
++# Fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
++# Fingerprint (SHA1): 23:E5:94:94:51:95:F2:41:48:03:B4:D5:64:D2:A3:A3:F5:D8:8B:8C
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -271,6 +292,13 @@
+ END
+ 
+ # Trust for Certificate "Thawte Server CA"
++# Issuer: E=server-certs at thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
++# Serial Number: 1 (0x1)
++# Subject: E=server-certs at thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
++# Not Valid Before: Thu Aug 01 00:00:00 1996
++# Not Valid After : Thu Dec 31 23:59:59 2020
++# Fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
++# Fingerprint (SHA1): 23:E5:94:94:51:95:F2:41:48:03:B4:D5:64:D2:A3:A3:F5:D8:8B:8C
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -309,6 +337,13 @@
+ #
+ # Certificate "Thawte Premium Server CA"
+ #
++# Issuer: E=premium-server at thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
++# Serial Number: 1 (0x1)
++# Subject: E=premium-server at thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
++# Not Valid Before: Thu Aug 01 00:00:00 1996
++# Not Valid After : Thu Dec 31 23:59:59 2020
++# Fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
++# Fingerprint (SHA1): 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -406,6 +441,13 @@
+ END
+ 
+ # Trust for Certificate "Thawte Premium Server CA"
++# Issuer: E=premium-server at thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
++# Serial Number: 1 (0x1)
++# Subject: E=premium-server at thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
++# Not Valid Before: Thu Aug 01 00:00:00 1996
++# Not Valid After : Thu Dec 31 23:59:59 2020
++# Fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
++# Fingerprint (SHA1): 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -445,6 +487,13 @@
+ #
+ # Certificate "Equifax Secure CA"
+ #
++# Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
++# Serial Number: 903804111 (0x35def4cf)
++# Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
++# Not Valid Before: Sat Aug 22 16:41:51 1998
++# Not Valid After : Wed Aug 22 16:41:51 2018
++# Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
++# Fingerprint (SHA1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -524,6 +573,13 @@
+ END
+ 
+ # Trust for Certificate "Equifax Secure CA"
++# Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
++# Serial Number: 903804111 (0x35def4cf)
++# Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
++# Not Valid Before: Sat Aug 22 16:41:51 1998
++# Not Valid After : Wed Aug 22 16:41:51 2018
++# Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
++# Fingerprint (SHA1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -554,6 +610,13 @@
+ #
+ # Certificate "Digital Signature Trust Co. Global CA 1"
+ #
++# Issuer: OU=DSTCA E1,O=Digital Signature Trust Co.,C=US
++# Serial Number: 913315222 (0x36701596)
++# Subject: OU=DSTCA E1,O=Digital Signature Trust Co.,C=US
++# Not Valid Before: Thu Dec 10 18:10:23 1998
++# Not Valid After : Mon Dec 10 18:40:23 2018
++# Fingerprint (MD5): 25:7A:BA:83:2E:B6:A2:0B:DA:FE:F5:02:0F:08:D7:AD
++# Fingerprint (SHA1): 81:96:8B:3A:EF:1C:DC:70:F5:FA:32:69:C2:92:A3:63:5B:D1:23:D3
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -633,6 +696,13 @@
+ END
+ 
+ # Trust for Certificate "Digital Signature Trust Co. Global CA 1"
++# Issuer: OU=DSTCA E1,O=Digital Signature Trust Co.,C=US
++# Serial Number: 913315222 (0x36701596)
++# Subject: OU=DSTCA E1,O=Digital Signature Trust Co.,C=US
++# Not Valid Before: Thu Dec 10 18:10:23 1998
++# Not Valid After : Mon Dec 10 18:40:23 2018
++# Fingerprint (MD5): 25:7A:BA:83:2E:B6:A2:0B:DA:FE:F5:02:0F:08:D7:AD
++# Fingerprint (SHA1): 81:96:8B:3A:EF:1C:DC:70:F5:FA:32:69:C2:92:A3:63:5B:D1:23:D3
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -663,6 +733,13 @@
+ #
+ # Certificate "Digital Signature Trust Co. Global CA 3"
+ #
++# Issuer: OU=DSTCA E2,O=Digital Signature Trust Co.,C=US
++# Serial Number: 913232846 (0x366ed3ce)
++# Subject: OU=DSTCA E2,O=Digital Signature Trust Co.,C=US
++# Not Valid Before: Wed Dec 09 19:17:26 1998
++# Not Valid After : Sun Dec 09 19:47:26 2018
++# Fingerprint (MD5): 93:C2:8E:11:7B:D4:F3:03:19:BD:28:75:13:4A:45:4A
++# Fingerprint (SHA1): AB:48:F3:33:DB:04:AB:B9:C0:72:DA:5B:0C:C1:D0:57:F0:36:9B:46
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -742,6 +819,13 @@
+ END
+ 
+ # Trust for Certificate "Digital Signature Trust Co. Global CA 3"
++# Issuer: OU=DSTCA E2,O=Digital Signature Trust Co.,C=US
++# Serial Number: 913232846 (0x366ed3ce)
++# Subject: OU=DSTCA E2,O=Digital Signature Trust Co.,C=US
++# Not Valid Before: Wed Dec 09 19:17:26 1998
++# Not Valid After : Sun Dec 09 19:47:26 2018
++# Fingerprint (MD5): 93:C2:8E:11:7B:D4:F3:03:19:BD:28:75:13:4A:45:4A
++# Fingerprint (SHA1): AB:48:F3:33:DB:04:AB:B9:C0:72:DA:5B:0C:C1:D0:57:F0:36:9B:46
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -772,6 +856,13 @@
+ #
+ # Certificate "Verisign Class 3 Public Primary Certification Authority"
+ #
++# Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
++# Serial Number:70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
++# Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
++# Not Valid Before: Mon Jan 29 00:00:00 1996
++# Not Valid After : Tue Aug 01 23:59:59 2028
++# Fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
++# Fingerprint (SHA1): 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -841,6 +932,13 @@
+ END
+ 
+ # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority"
++# Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
++# Serial Number:70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
++# Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
++# Not Valid Before: Mon Jan 29 00:00:00 1996
++# Not Valid After : Tue Aug 01 23:59:59 2028
++# Fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
++# Fingerprint (SHA1): 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -874,6 +972,13 @@
+ #
+ # Certificate "Verisign Class 1 Public Primary Certification Authority - G2"
+ #
++# Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 1 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
++# Serial Number:4c:c7:ea:aa:98:3e:71:d3:93:10:f8:3d:3a:89:91:92
++# Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 1 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
++# Not Valid Before: Mon May 18 00:00:00 1998
++# Not Valid After : Tue Aug 01 23:59:59 2028
++# Fingerprint (MD5): DB:23:3D:F9:69:FA:4B:B9:95:80:44:73:5E:7D:41:83
++# Fingerprint (SHA1): 27:3E:E1:24:57:FD:C4:F9:0C:55:E8:2B:56:16:7F:62:F5:32:E5:47
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -968,6 +1073,13 @@
+ END
+ 
+ # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G2"
++# Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 1 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
++# Serial Number:4c:c7:ea:aa:98:3e:71:d3:93:10:f8:3d:3a:89:91:92
++# Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 1 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
++# Not Valid Before: Mon May 18 00:00:00 1998
++# Not Valid After : Tue Aug 01 23:59:59 2028
++# Fingerprint (MD5): DB:23:3D:F9:69:FA:4B:B9:95:80:44:73:5E:7D:41:83
++# Fingerprint (SHA1): 27:3E:E1:24:57:FD:C4:F9:0C:55:E8:2B:56:16:7F:62:F5:32:E5:47
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -1007,6 +1119,13 @@
+ #
+ # Certificate "Verisign Class 2 Public Primary Certification Authority - G2"
+ #
++# Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
++# Serial Number:00:b9:2f:60:cc:88:9f:a1:7a:46:09:b8:5b:70:6c:8a:af
++# Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
++# Not Valid Before: Mon May 18 00:00:00 1998
++# Not Valid After : Tue Aug 01 23:59:59 2028
++# Fingerprint (MD5): 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
++# Fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -1101,6 +1220,13 @@
+ END
+ 
+ # Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G2"
++# Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
++# Serial Number:00:b9:2f:60:cc:88:9f:a1:7a:46:09:b8:5b:70:6c:8a:af
++# Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
++# Not Valid Before: Mon May 18 00:00:00 1998
++# Not Valid After : Tue Aug 01 23:59:59 2028
++# Fingerprint (MD5): 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
++# Fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -1140,6 +1266,13 @@
+ #
+ # Certificate "Verisign Class 3 Public Primary Certification Authority - G2"
+ #
++# Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
++# Serial Number:7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6
++# Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
++# Not Valid Before: Mon May 18 00:00:00 1998
++# Not Valid After : Tue Aug 01 23:59:59 2028
++# Fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9
++# Fingerprint (SHA1): 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -1234,6 +1367,13 @@
+ END
+ 
+ # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G2"
++# Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
++# Serial Number:7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6
++# Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
++# Not Valid Before: Mon May 18 00:00:00 1998
++# Not Valid After : Tue Aug 01 23:59:59 2028
++# Fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9
++# Fingerprint (SHA1): 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -1273,6 +1413,13 @@
+ #
+ # Certificate "GlobalSign Root CA"
+ #
++# Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
++# Serial Number:04:00:00:00:00:01:15:4b:5a:c3:94
++# Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
++# Not Valid Before: Tue Sep 01 12:00:00 1998
++# Not Valid After : Fri Jan 28 12:00:00 2028
++# Fingerprint (MD5): 3E:45:52:15:09:51:92:E1:B7:5D:37:9F:B1:87:29:8A
++# Fingerprint (SHA1): B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -1359,6 +1506,13 @@
+ END
+ 
+ # Trust for Certificate "GlobalSign Root CA"
++# Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
++# Serial Number:04:00:00:00:00:01:15:4b:5a:c3:94
++# Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
++# Not Valid Before: Tue Sep 01 12:00:00 1998
++# Not Valid After : Fri Jan 28 12:00:00 2028
++# Fingerprint (MD5): 3E:45:52:15:09:51:92:E1:B7:5D:37:9F:B1:87:29:8A
++# Fingerprint (SHA1): B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -1390,6 +1544,13 @@
+ #
+ # Certificate "GlobalSign Root CA - R2"
+ #
++# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
++# Serial Number:04:00:00:00:00:01:0f:86:26:e6:0d
++# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
++# Not Valid Before: Fri Dec 15 08:00:00 2006
++# Not Valid After : Wed Dec 15 08:00:00 2021
++# Fingerprint (MD5): 94:14:77:7E:3E:5E:FD:8F:30:BD:41:B0:CF:E7:D0:30
++# Fingerprint (SHA1): 75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -1478,6 +1639,13 @@
+ END
+ 
+ # Trust for Certificate "GlobalSign Root CA - R2"
++# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
++# Serial Number:04:00:00:00:00:01:0f:86:26:e6:0d
++# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
++# Not Valid Before: Fri Dec 15 08:00:00 2006
++# Not Valid After : Wed Dec 15 08:00:00 2021
++# Fingerprint (MD5): 94:14:77:7E:3E:5E:FD:8F:30:BD:41:B0:CF:E7:D0:30
++# Fingerprint (SHA1): 75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -1508,6 +1676,13 @@
+ #
+ # Certificate "ValiCert Class 1 VA"
+ #
++# Issuer: E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
++# Serial Number: 1 (0x1)
++# Subject: E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
++# Not Valid Before: Fri Jun 25 22:23:48 1999
++# Not Valid After : Tue Jun 25 22:23:48 2019
++# Fingerprint (MD5): 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB
++# Fingerprint (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -1597,6 +1772,13 @@
+ END
+ 
+ # Trust for Certificate "ValiCert Class 1 VA"
++# Issuer: E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
++# Serial Number: 1 (0x1)
++# Subject: E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
++# Not Valid Before: Fri Jun 25 22:23:48 1999
++# Not Valid After : Tue Jun 25 22:23:48 2019
++# Fingerprint (MD5): 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB
++# Fingerprint (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -1634,6 +1816,13 @@
+ #
+ # Certificate "ValiCert Class 2 VA"
+ #
++# Issuer: E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
++# Serial Number: 1 (0x1)
++# Subject: E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
++# Not Valid Before: Sat Jun 26 00:19:54 1999
++# Not Valid After : Wed Jun 26 00:19:54 2019
++# Fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
++# Fingerprint (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -1723,6 +1912,13 @@
+ END
+ 
+ # Trust for Certificate "ValiCert Class 2 VA"
++# Issuer: E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
++# Serial Number: 1 (0x1)
++# Subject: E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
++# Not Valid Before: Sat Jun 26 00:19:54 1999
++# Not Valid After : Wed Jun 26 00:19:54 2019
++# Fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
++# Fingerprint (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -1760,6 +1956,13 @@
+ #
+ # Certificate "RSA Root Certificate 1"
+ #
++# Issuer: E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
++# Serial Number: 1 (0x1)
++# Subject: E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
++# Not Valid Before: Sat Jun 26 00:22:33 1999
++# Not Valid After : Wed Jun 26 00:22:33 2019
++# Fingerprint (MD5): A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72
++# Fingerprint (SHA1): 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -1849,6 +2052,13 @@
+ END
+ 
+ # Trust for Certificate "RSA Root Certificate 1"
++# Issuer: E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
++# Serial Number: 1 (0x1)
++# Subject: E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
++# Not Valid Before: Sat Jun 26 00:22:33 1999
++# Not Valid After : Wed Jun 26 00:22:33 2019
++# Fingerprint (MD5): A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72
++# Fingerprint (SHA1): 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -1886,6 +2096,13 @@
+ #
+ # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
+ #
++# Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Serial Number:00:8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4
++# Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Not Valid Before: Fri Oct 01 00:00:00 1999
++# Not Valid After : Wed Jul 16 23:59:59 2036
++# Fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73
++# Fingerprint (SHA1): 20:42:85:DC:F7:EB:76:41:95:57:8E:13:6B:D4:B7:D1:E9:8E:46:A5
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -1997,6 +2214,13 @@
+ END
+ 
+ # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
++# Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Serial Number:00:8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4
++# Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Not Valid Before: Fri Oct 01 00:00:00 1999
++# Not Valid After : Wed Jul 16 23:59:59 2036
++# Fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73
++# Fingerprint (SHA1): 20:42:85:DC:F7:EB:76:41:95:57:8E:13:6B:D4:B7:D1:E9:8E:46:A5
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -2036,6 +2260,13 @@
+ #
+ # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
+ #
++# Issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Serial Number:61:70:cb:49:8c:5f:98:45:29:e7:b0:a6:d9:50:5b:7a
++# Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Not Valid Before: Fri Oct 01 00:00:00 1999
++# Not Valid After : Wed Jul 16 23:59:59 2036
++# Fingerprint (MD5): F8:BE:C4:63:22:C9:A8:46:74:8B:B8:1D:1E:4A:2B:F6
++# Fingerprint (SHA1): 61:EF:43:D7:7F:CA:D4:61:51:BC:98:E0:C3:59:12:AF:9F:EB:63:11
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -2147,6 +2378,13 @@
+ END
+ 
+ # Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
++# Issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Serial Number:61:70:cb:49:8c:5f:98:45:29:e7:b0:a6:d9:50:5b:7a
++# Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Not Valid Before: Fri Oct 01 00:00:00 1999
++# Not Valid After : Wed Jul 16 23:59:59 2036
++# Fingerprint (MD5): F8:BE:C4:63:22:C9:A8:46:74:8B:B8:1D:1E:4A:2B:F6
++# Fingerprint (SHA1): 61:EF:43:D7:7F:CA:D4:61:51:BC:98:E0:C3:59:12:AF:9F:EB:63:11
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -2186,6 +2424,13 @@
+ #
+ # Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
+ #
++# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Serial Number:00:9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57
++# Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Not Valid Before: Fri Oct 01 00:00:00 1999
++# Not Valid After : Wed Jul 16 23:59:59 2036
++# Fingerprint (MD5): CD:68:B6:A7:C7:C4:CE:75:E0:1D:4F:57:44:61:92:09
++# Fingerprint (SHA1): 13:2D:0D:45:53:4B:69:97:CD:B2:D5:C3:39:E2:55:76:60:9B:5C:C6
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -2297,6 +2542,13 @@
+ END
+ 
+ # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
++# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Serial Number:00:9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57
++# Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Not Valid Before: Fri Oct 01 00:00:00 1999
++# Not Valid After : Wed Jul 16 23:59:59 2036
++# Fingerprint (MD5): CD:68:B6:A7:C7:C4:CE:75:E0:1D:4F:57:44:61:92:09
++# Fingerprint (SHA1): 13:2D:0D:45:53:4B:69:97:CD:B2:D5:C3:39:E2:55:76:60:9B:5C:C6
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -2336,6 +2588,13 @@
+ #
+ # Certificate "Verisign Class 4 Public Primary Certification Authority - G3"
+ #
++# Issuer: CN=VeriSign Class 4 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Serial Number:00:ec:a0:a7:8b:6e:75:6a:01:cf:c4:7c:cc:2f:94:5e:d7
++# Subject: CN=VeriSign Class 4 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Not Valid Before: Fri Oct 01 00:00:00 1999
++# Not Valid After : Wed Jul 16 23:59:59 2036
++# Fingerprint (MD5): DB:C8:F2:27:2E:B1:EA:6A:29:23:5D:FE:56:3E:33:DF
++# Fingerprint (SHA1): C8:EC:8C:87:92:69:CB:4B:AB:39:E9:8D:7E:57:67:F3:14:95:73:9D
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -2447,6 +2706,13 @@
+ END
+ 
+ # Trust for Certificate "Verisign Class 4 Public Primary Certification Authority - G3"
++# Issuer: CN=VeriSign Class 4 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Serial Number:00:ec:a0:a7:8b:6e:75:6a:01:cf:c4:7c:cc:2f:94:5e:d7
++# Subject: CN=VeriSign Class 4 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Not Valid Before: Fri Oct 01 00:00:00 1999
++# Not Valid After : Wed Jul 16 23:59:59 2036
++# Fingerprint (MD5): DB:C8:F2:27:2E:B1:EA:6A:29:23:5D:FE:56:3E:33:DF
++# Fingerprint (SHA1): C8:EC:8C:87:92:69:CB:4B:AB:39:E9:8D:7E:57:67:F3:14:95:73:9D
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -2486,6 +2752,13 @@
+ #
+ # Certificate "Entrust.net Secure Server CA"
+ #
++# Issuer: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
++# Serial Number: 927650371 (0x374ad243)
++# Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
++# Not Valid Before: Tue May 25 16:09:40 1999
++# Not Valid After : Sat May 25 16:39:40 2019
++# Fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
++# Fingerprint (SHA1): 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -2608,6 +2881,13 @@
+ END
+ 
+ # Trust for Certificate "Entrust.net Secure Server CA"
++# Issuer: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
++# Serial Number: 927650371 (0x374ad243)
++# Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
++# Not Valid Before: Tue May 25 16:09:40 1999
++# Not Valid After : Sat May 25 16:39:40 2019
++# Fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
++# Fingerprint (SHA1): 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -2806,6 +3086,13 @@
+ #
+ # Certificate "Baltimore CyberTrust Root"
+ #
++# Issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
++# Serial Number: 33554617 (0x20000b9)
++# Subject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
++# Not Valid Before: Fri May 12 18:46:00 2000
++# Not Valid After : Mon May 12 23:59:00 2025
++# Fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
++# Fingerprint (SHA1): D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -2892,6 +3179,13 @@
+ END
+ 
+ # Trust for Certificate "Baltimore CyberTrust Root"
++# Issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
++# Serial Number: 33554617 (0x20000b9)
++# Subject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
++# Not Valid Before: Fri May 12 18:46:00 2000
++# Not Valid After : Mon May 12 23:59:00 2025
++# Fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
++# Fingerprint (SHA1): D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -2923,6 +3217,13 @@
+ #
+ # Certificate "Equifax Secure Global eBusiness CA"
+ #
++# Issuer: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
++# Serial Number: 1 (0x1)
++# Subject: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
++# Not Valid Before: Mon Jun 21 04:00:00 1999
++# Not Valid After : Sun Jun 21 04:00:00 2020
++# Fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
++# Fingerprint (SHA1): 7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -2995,6 +3296,13 @@
+ END
+ 
+ # Trust for Certificate "Equifax Secure Global eBusiness CA"
++# Issuer: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
++# Serial Number: 1 (0x1)
++# Subject: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
++# Not Valid Before: Mon Jun 21 04:00:00 1999
++# Not Valid After : Sun Jun 21 04:00:00 2020
++# Fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
++# Fingerprint (SHA1): 7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -3026,6 +3334,13 @@
+ #
+ # Certificate "Equifax Secure eBusiness CA 1"
+ #
++# Issuer: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
++# Serial Number: 4 (0x4)
++# Subject: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
++# Not Valid Before: Mon Jun 21 04:00:00 1999
++# Not Valid After : Sun Jun 21 04:00:00 2020
++# Fingerprint (MD5): 64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D
++# Fingerprint (SHA1): DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -3097,6 +3412,13 @@
+ END
+ 
+ # Trust for Certificate "Equifax Secure eBusiness CA 1"
++# Issuer: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
++# Serial Number: 4 (0x4)
++# Subject: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
++# Not Valid Before: Mon Jun 21 04:00:00 1999
++# Not Valid After : Sun Jun 21 04:00:00 2020
++# Fingerprint (MD5): 64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D
++# Fingerprint (SHA1): DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -3128,6 +3450,13 @@
+ #
+ # Certificate "AddTrust Low-Value Services Root"
+ #
++# Issuer: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
++# Serial Number: 1 (0x1)
++# Subject: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
++# Not Valid Before: Tue May 30 10:38:31 2000
++# Not Valid After : Sat May 30 10:38:31 2020
++# Fingerprint (MD5): 1E:42:95:02:33:92:6B:B9:5F:C0:7F:DA:D6:B2:4B:FC
++# Fingerprint (SHA1): CC:AB:0E:A0:4C:23:01:D6:69:7B:DD:37:9F:CD:12:EB:24:E3:94:9D
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -3226,6 +3555,13 @@
+ END
+ 
+ # Trust for Certificate "AddTrust Low-Value Services Root"
++# Issuer: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
++# Serial Number: 1 (0x1)
++# Subject: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
++# Not Valid Before: Tue May 30 10:38:31 2000
++# Not Valid After : Sat May 30 10:38:31 2020
++# Fingerprint (MD5): 1E:42:95:02:33:92:6B:B9:5F:C0:7F:DA:D6:B2:4B:FC
++# Fingerprint (SHA1): CC:AB:0E:A0:4C:23:01:D6:69:7B:DD:37:9F:CD:12:EB:24:E3:94:9D
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -3258,6 +3594,13 @@
+ #
+ # Certificate "AddTrust External Root"
+ #
++# Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
++# Serial Number: 1 (0x1)
++# Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
++# Not Valid Before: Tue May 30 10:48:38 2000
++# Not Valid After : Sat May 30 10:48:38 2020
++# Fingerprint (MD5): 1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F
++# Fingerprint (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -3360,6 +3703,13 @@
+ END
+ 
+ # Trust for Certificate "AddTrust External Root"
++# Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
++# Serial Number: 1 (0x1)
++# Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
++# Not Valid Before: Tue May 30 10:48:38 2000
++# Not Valid After : Sat May 30 10:48:38 2020
++# Fingerprint (MD5): 1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F
++# Fingerprint (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -3393,6 +3743,13 @@
+ #
+ # Certificate "AddTrust Public Services Root"
+ #
++# Issuer: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
++# Serial Number: 1 (0x1)
++# Subject: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
++# Not Valid Before: Tue May 30 10:41:50 2000
++# Not Valid After : Sat May 30 10:41:50 2020
++# Fingerprint (MD5): C1:62:3E:23:C5:82:73:9C:03:59:4B:2B:E9:77:49:7F
++# Fingerprint (SHA1): 2A:B6:28:48:5E:78:FB:F3:AD:9E:79:10:DD:6B:DF:99:72:2C:96:E5
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -3491,6 +3848,13 @@
+ END
+ 
+ # Trust for Certificate "AddTrust Public Services Root"
++# Issuer: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
++# Serial Number: 1 (0x1)
++# Subject: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
++# Not Valid Before: Tue May 30 10:41:50 2000
++# Not Valid After : Sat May 30 10:41:50 2020
++# Fingerprint (MD5): C1:62:3E:23:C5:82:73:9C:03:59:4B:2B:E9:77:49:7F
++# Fingerprint (SHA1): 2A:B6:28:48:5E:78:FB:F3:AD:9E:79:10:DD:6B:DF:99:72:2C:96:E5
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -3523,6 +3887,13 @@
+ #
+ # Certificate "AddTrust Qualified Certificates Root"
+ #
++# Issuer: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
++# Serial Number: 1 (0x1)
++# Subject: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
++# Not Valid Before: Tue May 30 10:44:50 2000
++# Not Valid After : Sat May 30 10:44:50 2020
++# Fingerprint (MD5): 27:EC:39:47:CD:DA:5A:AF:E2:9A:01:65:21:A9:4C:BB
++# Fingerprint (SHA1): 4D:23:78:EC:91:95:39:B5:00:7F:75:8F:03:3B:21:1E:C5:4D:8B:CF
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -3622,6 +3993,13 @@
+ END
+ 
+ # Trust for Certificate "AddTrust Qualified Certificates Root"
++# Issuer: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
++# Serial Number: 1 (0x1)
++# Subject: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
++# Not Valid Before: Tue May 30 10:44:50 2000
++# Not Valid After : Sat May 30 10:44:50 2020
++# Fingerprint (MD5): 27:EC:39:47:CD:DA:5A:AF:E2:9A:01:65:21:A9:4C:BB
++# Fingerprint (SHA1): 4D:23:78:EC:91:95:39:B5:00:7F:75:8F:03:3B:21:1E:C5:4D:8B:CF
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -3654,6 +4032,13 @@
+ #
+ # Certificate "Entrust Root Certification Authority"
+ #
++# Issuer: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
++# Serial Number: 1164660820 (0x456b5054)
++# Subject: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
++# Not Valid Before: Mon Nov 27 20:23:42 2006
++# Not Valid After : Fri Nov 27 20:53:42 2026
++# Fingerprint (MD5): D6:A5:C3:ED:5D:DD:3E:00:C1:3D:87:92:1F:1D:3F:E4
++# Fingerprint (SHA1): B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:37:D4:4D:F5:D4:67:49:52:F9
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -3770,6 +4155,13 @@
+ END
+ 
+ # Trust for Certificate "Entrust Root Certification Authority"
++# Issuer: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
++# Serial Number: 1164660820 (0x456b5054)
++# Subject: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
++# Not Valid Before: Mon Nov 27 20:23:42 2006
++# Not Valid After : Fri Nov 27 20:53:42 2026
++# Fingerprint (MD5): D6:A5:C3:ED:5D:DD:3E:00:C1:3D:87:92:1F:1D:3F:E4
++# Fingerprint (SHA1): B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:37:D4:4D:F5:D4:67:49:52:F9
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -3807,6 +4199,13 @@
+ #
+ # Certificate "RSA Security 2048 v3"
+ #
++# Issuer: OU=RSA Security 2048 V3,O=RSA Security Inc
++# Serial Number:0a:01:01:01:00:00:02:7c:00:00:00:0a:00:00:00:02
++# Subject: OU=RSA Security 2048 V3,O=RSA Security Inc
++# Not Valid Before: Thu Feb 22 20:39:23 2001
++# Not Valid After : Sun Feb 22 20:39:23 2026
++# Fingerprint (MD5): 77:0D:19:B1:21:FD:00:42:9C:3E:0C:A5:DD:0B:02:8E
++# Fingerprint (SHA1): 25:01:90:19:CF:FB:D9:99:1C:B7:68:25:74:8D:94:5F:30:93:95:42
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -3889,6 +4288,13 @@
+ END
+ 
+ # Trust for Certificate "RSA Security 2048 v3"
++# Issuer: OU=RSA Security 2048 V3,O=RSA Security Inc
++# Serial Number:0a:01:01:01:00:00:02:7c:00:00:00:0a:00:00:00:02
++# Subject: OU=RSA Security 2048 V3,O=RSA Security Inc
++# Not Valid Before: Thu Feb 22 20:39:23 2001
++# Not Valid After : Sun Feb 22 20:39:23 2026
++# Fingerprint (MD5): 77:0D:19:B1:21:FD:00:42:9C:3E:0C:A5:DD:0B:02:8E
++# Fingerprint (SHA1): 25:01:90:19:CF:FB:D9:99:1C:B7:68:25:74:8D:94:5F:30:93:95:42
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -3919,6 +4325,13 @@
+ #
+ # Certificate "GeoTrust Global CA"
+ #
++# Issuer: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
++# Serial Number: 144470 (0x23456)
++# Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
++# Not Valid Before: Tue May 21 04:00:00 2002
++# Not Valid After : Sat May 21 04:00:00 2022
++# Fingerprint (MD5): F7:75:AB:29:FB:51:4E:B7:77:5E:FF:05:3C:99:8E:F5
++# Fingerprint (SHA1): DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -4001,6 +4414,13 @@
+ END
+ 
+ # Trust for Certificate "GeoTrust Global CA"
++# Issuer: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
++# Serial Number: 144470 (0x23456)
++# Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
++# Not Valid Before: Tue May 21 04:00:00 2002
++# Not Valid After : Sat May 21 04:00:00 2022
++# Fingerprint (MD5): F7:75:AB:29:FB:51:4E:B7:77:5E:FF:05:3C:99:8E:F5
++# Fingerprint (SHA1): DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -4031,6 +4451,13 @@
+ #
+ # Certificate "GeoTrust Global CA 2"
+ #
++# Issuer: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
++# Serial Number: 1 (0x1)
++# Subject: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
++# Not Valid Before: Thu Mar 04 05:00:00 2004
++# Not Valid After : Mon Mar 04 05:00:00 2019
++# Fingerprint (MD5): 0E:40:A7:6C:DE:03:5D:8F:D1:0F:E4:D1:8D:F9:6C:A9
++# Fingerprint (SHA1): A9:E9:78:08:14:37:58:88:F2:05:19:B0:6D:2B:0D:2B:60:16:90:7D
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -4114,6 +4541,13 @@
+ END
+ 
+ # Trust for Certificate "GeoTrust Global CA 2"
++# Issuer: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
++# Serial Number: 1 (0x1)
++# Subject: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
++# Not Valid Before: Thu Mar 04 05:00:00 2004
++# Not Valid After : Mon Mar 04 05:00:00 2019
++# Fingerprint (MD5): 0E:40:A7:6C:DE:03:5D:8F:D1:0F:E4:D1:8D:F9:6C:A9
++# Fingerprint (SHA1): A9:E9:78:08:14:37:58:88:F2:05:19:B0:6D:2B:0D:2B:60:16:90:7D
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -4144,6 +4578,13 @@
+ #
+ # Certificate "GeoTrust Universal CA"
+ #
++# Issuer: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
++# Serial Number: 1 (0x1)
++# Subject: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
++# Not Valid Before: Thu Mar 04 05:00:00 2004
++# Not Valid After : Sun Mar 04 05:00:00 2029
++# Fingerprint (MD5): 92:65:58:8B:A2:1A:31:72:73:68:5C:B4:A5:7A:07:48
++# Fingerprint (SHA1): E6:21:F3:35:43:79:05:9A:4B:68:30:9D:8A:2F:74:22:15:87:EC:79
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -4259,6 +4700,13 @@
+ END
+ 
+ # Trust for Certificate "GeoTrust Universal CA"
++# Issuer: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
++# Serial Number: 1 (0x1)
++# Subject: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
++# Not Valid Before: Thu Mar 04 05:00:00 2004
++# Not Valid After : Sun Mar 04 05:00:00 2029
++# Fingerprint (MD5): 92:65:58:8B:A2:1A:31:72:73:68:5C:B4:A5:7A:07:48
++# Fingerprint (SHA1): E6:21:F3:35:43:79:05:9A:4B:68:30:9D:8A:2F:74:22:15:87:EC:79
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -4289,6 +4737,13 @@
+ #
+ # Certificate "GeoTrust Universal CA 2"
+ #
++# Issuer: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
++# Serial Number: 1 (0x1)
++# Subject: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
++# Not Valid Before: Thu Mar 04 05:00:00 2004
++# Not Valid After : Sun Mar 04 05:00:00 2029
++# Fingerprint (MD5): 34:FC:B8:D0:36:DB:9E:14:B3:C2:F2:DB:8F:E4:94:C7
++# Fingerprint (SHA1): 37:9A:19:7B:41:85:45:35:0C:A6:03:69:F3:3C:2E:AF:47:4F:20:79
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -4404,6 +4859,13 @@
+ END
+ 
+ # Trust for Certificate "GeoTrust Universal CA 2"
++# Issuer: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
++# Serial Number: 1 (0x1)
++# Subject: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
++# Not Valid Before: Thu Mar 04 05:00:00 2004
++# Not Valid After : Sun Mar 04 05:00:00 2029
++# Fingerprint (MD5): 34:FC:B8:D0:36:DB:9E:14:B3:C2:F2:DB:8F:E4:94:C7
++# Fingerprint (SHA1): 37:9A:19:7B:41:85:45:35:0C:A6:03:69:F3:3C:2E:AF:47:4F:20:79
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -4434,6 +4896,13 @@
+ #
+ # Certificate "UTN-USER First-Network Applications"
+ #
++# Issuer: CN=UTN-USERFirst-Network Applications,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:30:4b:c0:33:77
++# Subject: CN=UTN-USERFirst-Network Applications,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Not Valid Before: Fri Jul 09 18:48:39 1999
++# Not Valid After : Tue Jul 09 18:57:49 2019
++# Fingerprint (MD5): BF:60:59:A3:5B:BA:F6:A7:76:42:DA:6F:1A:7B:50:CF
++# Fingerprint (SHA1): 5D:98:9C:DB:15:96:11:36:51:65:64:1B:56:0F:DB:EA:2A:C2:3E:F1
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -4546,6 +5015,13 @@
+ END
+ 
+ # Trust for Certificate "UTN-USER First-Network Applications"
++# Issuer: CN=UTN-USERFirst-Network Applications,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:30:4b:c0:33:77
++# Subject: CN=UTN-USERFirst-Network Applications,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Not Valid Before: Fri Jul 09 18:48:39 1999
++# Not Valid After : Tue Jul 09 18:57:49 2019
++# Fingerprint (MD5): BF:60:59:A3:5B:BA:F6:A7:76:42:DA:6F:1A:7B:50:CF
++# Fingerprint (SHA1): 5D:98:9C:DB:15:96:11:36:51:65:64:1B:56:0F:DB:EA:2A:C2:3E:F1
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -4583,6 +5059,13 @@
+ #
+ # Certificate "America Online Root Certification Authority 1"
+ #
++# Issuer: CN=America Online Root Certification Authority 1,O=America Online Inc.,C=US
++# Serial Number: 1 (0x1)
++# Subject: CN=America Online Root Certification Authority 1,O=America Online Inc.,C=US
++# Not Valid Before: Tue May 28 06:00:00 2002
++# Not Valid After : Thu Nov 19 20:43:00 2037
++# Fingerprint (MD5): 14:F1:08:AD:9D:FA:64:E2:89:E7:1C:CF:A8:AD:7D:5E
++# Fingerprint (SHA1): 39:21:C1:15:C1:5D:0E:CA:5C:CB:5B:C4:F0:7D:21:D8:05:0B:56:6A
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -4674,6 +5157,13 @@
+ END
+ 
+ # Trust for Certificate "America Online Root Certification Authority 1"
++# Issuer: CN=America Online Root Certification Authority 1,O=America Online Inc.,C=US
++# Serial Number: 1 (0x1)
++# Subject: CN=America Online Root Certification Authority 1,O=America Online Inc.,C=US
++# Not Valid Before: Tue May 28 06:00:00 2002
++# Not Valid After : Thu Nov 19 20:43:00 2037
++# Fingerprint (MD5): 14:F1:08:AD:9D:FA:64:E2:89:E7:1C:CF:A8:AD:7D:5E
++# Fingerprint (SHA1): 39:21:C1:15:C1:5D:0E:CA:5C:CB:5B:C4:F0:7D:21:D8:05:0B:56:6A
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -4706,6 +5196,13 @@
+ #
+ # Certificate "America Online Root Certification Authority 2"
+ #
++# Issuer: CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US
++# Serial Number: 1 (0x1)
++# Subject: CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US
++# Not Valid Before: Tue May 28 06:00:00 2002
++# Not Valid After : Tue Sep 29 14:08:00 2037
++# Fingerprint (MD5): D6:ED:3C:CA:E2:66:0F:AF:10:43:0D:77:9B:04:09:BF
++# Fingerprint (SHA1): 85:B5:FF:67:9B:0C:79:96:1F:C8:6E:44:22:00:46:13:DB:17:92:84
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -4829,6 +5326,13 @@
+ END
+ 
+ # Trust for Certificate "America Online Root Certification Authority 2"
++# Issuer: CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US
++# Serial Number: 1 (0x1)
++# Subject: CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US
++# Not Valid Before: Tue May 28 06:00:00 2002
++# Not Valid After : Tue Sep 29 14:08:00 2037
++# Fingerprint (MD5): D6:ED:3C:CA:E2:66:0F:AF:10:43:0D:77:9B:04:09:BF
++# Fingerprint (SHA1): 85:B5:FF:67:9B:0C:79:96:1F:C8:6E:44:22:00:46:13:DB:17:92:84
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -4861,6 +5365,13 @@
+ #
+ # Certificate "Visa eCommerce Root"
+ #
++# Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
++# Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
++# Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
++# Not Valid Before: Wed Jun 26 02:18:36 2002
++# Not Valid After : Fri Jun 24 00:16:12 2022
++# Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02
++# Fingerprint (SHA1): 70:17:9B:86:8C:00:A4:FA:60:91:52:22:3F:9F:3E:32:BD:E0:05:62
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -4953,6 +5464,13 @@
+ END
+ 
+ # Trust for Certificate "Visa eCommerce Root"
++# Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
++# Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
++# Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
++# Not Valid Before: Wed Jun 26 02:18:36 2002
++# Not Valid After : Fri Jun 24 00:16:12 2022
++# Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02
++# Fingerprint (SHA1): 70:17:9B:86:8C:00:A4:FA:60:91:52:22:3F:9F:3E:32:BD:E0:05:62
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -4986,6 +5504,13 @@
+ #
+ # Certificate "Certum Root CA"
+ #
++# Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
++# Serial Number: 65568 (0x10020)
++# Subject: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
++# Not Valid Before: Tue Jun 11 10:46:39 2002
++# Not Valid After : Fri Jun 11 10:46:39 2027
++# Fingerprint (MD5): 2C:8F:9F:66:1D:18:90:B1:47:26:9D:8E:86:82:8C:A9
++# Fingerprint (SHA1): 62:52:DC:40:F7:11:43:A2:2F:DE:9E:F7:34:8E:06:42:51:B1:81:18
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -5061,6 +5586,13 @@
+ END
+ 
+ # Trust for Certificate "Certum Root CA"
++# Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
++# Serial Number: 65568 (0x10020)
++# Subject: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
++# Not Valid Before: Tue Jun 11 10:46:39 2002
++# Not Valid After : Fri Jun 11 10:46:39 2027
++# Fingerprint (MD5): 2C:8F:9F:66:1D:18:90:B1:47:26:9D:8E:86:82:8C:A9
++# Fingerprint (SHA1): 62:52:DC:40:F7:11:43:A2:2F:DE:9E:F7:34:8E:06:42:51:B1:81:18
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -5090,6 +5622,13 @@
+ #
+ # Certificate "Comodo AAA Services root"
+ #
++# Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Serial Number: 1 (0x1)
++# Subject: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Not Valid Before: Thu Jan 01 00:00:00 2004
++# Not Valid After : Sun Dec 31 23:59:59 2028
++# Fingerprint (MD5): 49:79:04:B0:EB:87:19:AC:47:B0:BC:11:51:9B:74:D0
++# Fingerprint (SHA1): D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -5192,6 +5731,13 @@
+ END
+ 
+ # Trust for Certificate "Comodo AAA Services root"
++# Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Serial Number: 1 (0x1)
++# Subject: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Not Valid Before: Thu Jan 01 00:00:00 2004
++# Not Valid After : Sun Dec 31 23:59:59 2028
++# Fingerprint (MD5): 49:79:04:B0:EB:87:19:AC:47:B0:BC:11:51:9B:74:D0
++# Fingerprint (SHA1): D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -5225,6 +5771,13 @@
+ #
+ # Certificate "Comodo Secure Services root"
+ #
++# Issuer: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Serial Number: 1 (0x1)
++# Subject: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Not Valid Before: Thu Jan 01 00:00:00 2004
++# Not Valid After : Sun Dec 31 23:59:59 2028
++# Fingerprint (MD5): D3:D9:BD:AE:9F:AC:67:24:B3:C8:1B:52:E1:B9:A9:BD
++# Fingerprint (SHA1): 4A:65:D5:F4:1D:EF:39:B8:B8:90:4A:4A:D3:64:81:33:CF:C7:A1:D1
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -5328,6 +5881,13 @@
+ END
+ 
+ # Trust for Certificate "Comodo Secure Services root"
++# Issuer: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Serial Number: 1 (0x1)
++# Subject: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Not Valid Before: Thu Jan 01 00:00:00 2004
++# Not Valid After : Sun Dec 31 23:59:59 2028
++# Fingerprint (MD5): D3:D9:BD:AE:9F:AC:67:24:B3:C8:1B:52:E1:B9:A9:BD
++# Fingerprint (SHA1): 4A:65:D5:F4:1D:EF:39:B8:B8:90:4A:4A:D3:64:81:33:CF:C7:A1:D1
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -5361,6 +5921,13 @@
+ #
+ # Certificate "Comodo Trusted Services root"
+ #
++# Issuer: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Serial Number: 1 (0x1)
++# Subject: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Not Valid Before: Thu Jan 01 00:00:00 2004
++# Not Valid After : Sun Dec 31 23:59:59 2028
++# Fingerprint (MD5): 91:1B:3F:6E:CD:9E:AB:EE:07:FE:1F:71:D2:B3:61:27
++# Fingerprint (SHA1): E1:9F:E3:0E:8B:84:60:9E:80:9B:17:0D:72:A8:C5:BA:6E:14:09:BD
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -5466,6 +6033,13 @@
+ END
+ 
+ # Trust for Certificate "Comodo Trusted Services root"
++# Issuer: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Serial Number: 1 (0x1)
++# Subject: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Not Valid Before: Thu Jan 01 00:00:00 2004
++# Not Valid After : Sun Dec 31 23:59:59 2028
++# Fingerprint (MD5): 91:1B:3F:6E:CD:9E:AB:EE:07:FE:1F:71:D2:B3:61:27
++# Fingerprint (SHA1): E1:9F:E3:0E:8B:84:60:9E:80:9B:17:0D:72:A8:C5:BA:6E:14:09:BD
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -5500,6 +6074,13 @@
+ #
+ # Certificate "QuoVadis Root CA"
+ #
++# Issuer: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
++# Serial Number: 985026699 (0x3ab6508b)
++# Subject: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
++# Not Valid Before: Mon Mar 19 18:33:33 2001
++# Not Valid After : Wed Mar 17 18:33:33 2021
++# Fingerprint (MD5): 27:DE:36:FE:72:B7:00:03:00:9D:F4:F0:1E:6C:04:24
++# Fingerprint (SHA1): DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -5630,6 +6211,13 @@
+ END
+ 
+ # Trust for Certificate "QuoVadis Root CA"
++# Issuer: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
++# Serial Number: 985026699 (0x3ab6508b)
++# Subject: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
++# Not Valid Before: Mon Mar 19 18:33:33 2001
++# Not Valid After : Wed Mar 17 18:33:33 2021
++# Fingerprint (MD5): 27:DE:36:FE:72:B7:00:03:00:9D:F4:F0:1E:6C:04:24
++# Fingerprint (SHA1): DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -5664,6 +6252,13 @@
+ #
+ # Certificate "QuoVadis Root CA 2"
+ #
++# Issuer: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
++# Serial Number: 1289 (0x509)
++# Subject: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
++# Not Valid Before: Fri Nov 24 18:27:00 2006
++# Not Valid After : Mon Nov 24 18:23:33 2031
++# Fingerprint (MD5): 5E:39:7B:DD:F8:BA:EC:82:E9:AC:62:BA:0C:54:00:2B
++# Fingerprint (SHA1): CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -5784,6 +6379,13 @@
+ END
+ 
+ # Trust for Certificate "QuoVadis Root CA 2"
++# Issuer: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
++# Serial Number: 1289 (0x509)
++# Subject: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
++# Not Valid Before: Fri Nov 24 18:27:00 2006
++# Not Valid After : Mon Nov 24 18:23:33 2031
++# Fingerprint (MD5): 5E:39:7B:DD:F8:BA:EC:82:E9:AC:62:BA:0C:54:00:2B
++# Fingerprint (SHA1): CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -5814,6 +6416,13 @@
+ #
+ # Certificate "QuoVadis Root CA 3"
+ #
++# Issuer: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
++# Serial Number: 1478 (0x5c6)
++# Subject: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
++# Not Valid Before: Fri Nov 24 19:11:23 2006
++# Not Valid After : Mon Nov 24 19:06:44 2031
++# Fingerprint (MD5): 31:85:3C:62:94:97:63:B9:AA:FD:89:4E:AF:6F:E0:CF
++# Fingerprint (SHA1): 1F:49:14:F7:D8:74:95:1D:DD:AE:02:C0:BE:FD:3A:2D:82:75:51:85
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -5949,6 +6558,13 @@
+ END
+ 
+ # Trust for Certificate "QuoVadis Root CA 3"
++# Issuer: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
++# Serial Number: 1478 (0x5c6)
++# Subject: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
++# Not Valid Before: Fri Nov 24 19:11:23 2006
++# Not Valid After : Mon Nov 24 19:06:44 2031
++# Fingerprint (MD5): 31:85:3C:62:94:97:63:B9:AA:FD:89:4E:AF:6F:E0:CF
++# Fingerprint (SHA1): 1F:49:14:F7:D8:74:95:1D:DD:AE:02:C0:BE:FD:3A:2D:82:75:51:85
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -5979,6 +6595,13 @@
+ #
+ # Certificate "Security Communication Root CA"
+ #
++# Issuer: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
++# Serial Number: 0 (0x0)
++# Subject: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
++# Not Valid Before: Tue Sep 30 04:20:49 2003
++# Not Valid After : Sat Sep 30 04:20:49 2023
++# Fingerprint (MD5): F1:BC:63:6A:54:E0:B5:27:F5:CD:E7:1A:E3:4D:6E:4A
++# Fingerprint (SHA1): 36:B1:2B:49:F9:81:9E:D7:4C:9E:BC:38:0F:C6:56:8F:5D:AC:B2:F7
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -6063,6 +6686,13 @@
+ END
+ 
+ # Trust for Certificate "Security Communication Root CA"
++# Issuer: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
++# Serial Number: 0 (0x0)
++# Subject: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
++# Not Valid Before: Tue Sep 30 04:20:49 2003
++# Not Valid After : Sat Sep 30 04:20:49 2023
++# Fingerprint (MD5): F1:BC:63:6A:54:E0:B5:27:F5:CD:E7:1A:E3:4D:6E:4A
++# Fingerprint (SHA1): 36:B1:2B:49:F9:81:9E:D7:4C:9E:BC:38:0F:C6:56:8F:5D:AC:B2:F7
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -6094,6 +6724,13 @@
+ #
+ # Certificate "Sonera Class 1 Root CA"
+ #
++# Issuer: CN=Sonera Class1 CA,O=Sonera,C=FI
++# Serial Number: 36 (0x24)
++# Subject: CN=Sonera Class1 CA,O=Sonera,C=FI
++# Not Valid Before: Fri Apr 06 10:49:13 2001
++# Not Valid After : Tue Apr 06 10:49:13 2021
++# Fingerprint (MD5): 33:B7:84:F5:5F:27:D7:68:27:DE:14:DE:12:2A:ED:6F
++# Fingerprint (SHA1): 07:47:22:01:99:CE:74:B9:7C:B0:3D:79:B2:64:A2:C8:55:E9:33:FF
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -6171,6 +6808,13 @@
+ END
+ 
+ # Trust for Certificate "Sonera Class 1 Root CA"
++# Issuer: CN=Sonera Class1 CA,O=Sonera,C=FI
++# Serial Number: 36 (0x24)
++# Subject: CN=Sonera Class1 CA,O=Sonera,C=FI
++# Not Valid Before: Fri Apr 06 10:49:13 2001
++# Not Valid After : Tue Apr 06 10:49:13 2021
++# Fingerprint (MD5): 33:B7:84:F5:5F:27:D7:68:27:DE:14:DE:12:2A:ED:6F
++# Fingerprint (SHA1): 07:47:22:01:99:CE:74:B9:7C:B0:3D:79:B2:64:A2:C8:55:E9:33:FF
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -6200,6 +6844,13 @@
+ #
+ # Certificate "Sonera Class 2 Root CA"
+ #
++# Issuer: CN=Sonera Class2 CA,O=Sonera,C=FI
++# Serial Number: 29 (0x1d)
++# Subject: CN=Sonera Class2 CA,O=Sonera,C=FI
++# Not Valid Before: Fri Apr 06 07:29:40 2001
++# Not Valid After : Tue Apr 06 07:29:40 2021
++# Fingerprint (MD5): A3:EC:75:0F:2E:88:DF:FA:48:01:4E:0B:5C:48:6F:FB
++# Fingerprint (SHA1): 37:F7:6D:E6:07:7C:90:C5:B1:3E:93:1A:B7:41:10:B4:F2:E4:9A:27
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -6277,6 +6928,13 @@
+ END
+ 
+ # Trust for Certificate "Sonera Class 2 Root CA"
++# Issuer: CN=Sonera Class2 CA,O=Sonera,C=FI
++# Serial Number: 29 (0x1d)
++# Subject: CN=Sonera Class2 CA,O=Sonera,C=FI
++# Not Valid Before: Fri Apr 06 07:29:40 2001
++# Not Valid After : Tue Apr 06 07:29:40 2021
++# Fingerprint (MD5): A3:EC:75:0F:2E:88:DF:FA:48:01:4E:0B:5C:48:6F:FB
++# Fingerprint (SHA1): 37:F7:6D:E6:07:7C:90:C5:B1:3E:93:1A:B7:41:10:B4:F2:E4:9A:27
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -6306,6 +6964,13 @@
+ #
+ # Certificate "Staat der Nederlanden Root CA"
+ #
++# Issuer: CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL
++# Serial Number: 10000010 (0x98968a)
++# Subject: CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL
++# Not Valid Before: Tue Dec 17 09:23:49 2002
++# Not Valid After : Wed Dec 16 09:15:38 2015
++# Fingerprint (MD5): 60:84:7C:5A:CE:DB:0C:D4:CB:A7:E9:FE:02:C6:A9:C0
++# Fingerprint (SHA1): 10:1D:FA:3F:D5:0B:CB:BB:9B:B5:60:0C:19:55:A4:1A:F4:73:3A:04
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -6396,6 +7061,13 @@
+ END
+ 
+ # Trust for Certificate "Staat der Nederlanden Root CA"
++# Issuer: CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL
++# Serial Number: 10000010 (0x98968a)
++# Subject: CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL
++# Not Valid Before: Tue Dec 17 09:23:49 2002
++# Not Valid After : Wed Dec 16 09:15:38 2015
++# Fingerprint (MD5): 60:84:7C:5A:CE:DB:0C:D4:CB:A7:E9:FE:02:C6:A9:C0
++# Fingerprint (SHA1): 10:1D:FA:3F:D5:0B:CB:BB:9B:B5:60:0C:19:55:A4:1A:F4:73:3A:04
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -6427,6 +7099,13 @@
+ #
+ # Certificate "TDC Internet Root CA"
+ #
++# Issuer: OU=TDC Internet Root CA,O=TDC Internet,C=DK
++# Serial Number: 986490188 (0x3acca54c)
++# Subject: OU=TDC Internet Root CA,O=TDC Internet,C=DK
++# Not Valid Before: Thu Apr 05 16:33:17 2001
++# Not Valid After : Mon Apr 05 17:03:17 2021
++# Fingerprint (MD5): 91:F4:03:55:20:A1:F8:63:2C:62:DE:AC:FB:61:1C:8E
++# Fingerprint (SHA1): 21:FC:BD:8E:7F:6C:AF:05:1B:D1:B3:43:EC:A8:E7:61:47:F2:0F:8A
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -6522,6 +7201,13 @@
+ END
+ 
+ # Trust for Certificate "TDC Internet Root CA"
++# Issuer: OU=TDC Internet Root CA,O=TDC Internet,C=DK
++# Serial Number: 986490188 (0x3acca54c)
++# Subject: OU=TDC Internet Root CA,O=TDC Internet,C=DK
++# Not Valid Before: Thu Apr 05 16:33:17 2001
++# Not Valid After : Mon Apr 05 17:03:17 2021
++# Fingerprint (MD5): 91:F4:03:55:20:A1:F8:63:2C:62:DE:AC:FB:61:1C:8E
++# Fingerprint (SHA1): 21:FC:BD:8E:7F:6C:AF:05:1B:D1:B3:43:EC:A8:E7:61:47:F2:0F:8A
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -6552,6 +7238,13 @@
+ #
+ # Certificate "TDC OCES Root CA"
+ #
++# Issuer: CN=TDC OCES CA,O=TDC,C=DK
++# Serial Number: 1044954564 (0x3e48bdc4)
++# Subject: CN=TDC OCES CA,O=TDC,C=DK
++# Not Valid Before: Tue Feb 11 08:39:30 2003
++# Not Valid After : Wed Feb 11 09:09:30 2037
++# Fingerprint (MD5): 93:7F:90:1C:ED:84:67:17:A4:65:5F:9B:CB:30:02:97
++# Fingerprint (SHA1): 87:81:C2:5A:96:BD:C2:FB:4C:65:06:4F:F9:39:0B:26:04:8A:0E:01
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -6660,6 +7353,13 @@
+ END
+ 
+ # Trust for Certificate "TDC OCES Root CA"
++# Issuer: CN=TDC OCES CA,O=TDC,C=DK
++# Serial Number: 1044954564 (0x3e48bdc4)
++# Subject: CN=TDC OCES CA,O=TDC,C=DK
++# Not Valid Before: Tue Feb 11 08:39:30 2003
++# Not Valid After : Wed Feb 11 09:09:30 2037
++# Fingerprint (MD5): 93:7F:90:1C:ED:84:67:17:A4:65:5F:9B:CB:30:02:97
++# Fingerprint (SHA1): 87:81:C2:5A:96:BD:C2:FB:4C:65:06:4F:F9:39:0B:26:04:8A:0E:01
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -6689,6 +7389,13 @@
+ #
+ # Certificate "UTN DATACorp SGC Root CA"
+ #
++# Issuer: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:44:be:0c:8b:50:00:21:b4:11:d3:2a:68:06:a9:ad:69
++# Subject: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Not Valid Before: Thu Jun 24 18:57:21 1999
++# Not Valid After : Mon Jun 24 19:06:30 2019
++# Fingerprint (MD5): B3:A5:3E:77:21:6D:AC:4A:C0:C9:FB:D5:41:3D:CA:06
++# Fingerprint (SHA1): 58:11:9F:0E:12:82:87:EA:50:FD:D9:87:45:6F:4F:78:DC:FA:D6:D4
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -6799,6 +7506,13 @@
+ END
+ 
+ # Trust for Certificate "UTN DATACorp SGC Root CA"
++# Issuer: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:44:be:0c:8b:50:00:21:b4:11:d3:2a:68:06:a9:ad:69
++# Subject: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Not Valid Before: Thu Jun 24 18:57:21 1999
++# Not Valid After : Mon Jun 24 19:06:30 2019
++# Fingerprint (MD5): B3:A5:3E:77:21:6D:AC:4A:C0:C9:FB:D5:41:3D:CA:06
++# Fingerprint (SHA1): 58:11:9F:0E:12:82:87:EA:50:FD:D9:87:45:6F:4F:78:DC:FA:D6:D4
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -6835,6 +7549,13 @@
+ #
+ # Certificate "UTN USERFirst Email Root CA"
+ #
++# Issuer: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:25:25:67:c9:89
++# Subject: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Not Valid Before: Fri Jul 09 17:28:50 1999
++# Not Valid After : Tue Jul 09 17:36:58 2019
++# Fingerprint (MD5): D7:34:3D:EF:1D:27:09:28:E1:31:02:5B:13:2B:DD:F7
++# Fingerprint (SHA1): B1:72:B1:A5:6D:95:F9:1F:E5:02:87:E1:4D:37:EA:6A:44:63:76:8A
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -6953,6 +7674,13 @@
+ END
+ 
+ # Trust for Certificate "UTN USERFirst Email Root CA"
++# Issuer: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:25:25:67:c9:89
++# Subject: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Not Valid Before: Fri Jul 09 17:28:50 1999
++# Not Valid After : Tue Jul 09 17:36:58 2019
++# Fingerprint (MD5): D7:34:3D:EF:1D:27:09:28:E1:31:02:5B:13:2B:DD:F7
++# Fingerprint (SHA1): B1:72:B1:A5:6D:95:F9:1F:E5:02:87:E1:4D:37:EA:6A:44:63:76:8A
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -6991,6 +7719,13 @@
+ #
+ # Certificate "UTN USERFirst Hardware Root CA"
+ #
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd
++# Subject: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Not Valid Before: Fri Jul 09 18:10:42 1999
++# Not Valid After : Tue Jul 09 18:19:22 2019
++# Fingerprint (MD5): 4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39
++# Fingerprint (SHA1): 04:83:ED:33:99:AC:36:08:05:87:22:ED:BC:5E:46:00:E3:BE:F9:D7
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -7102,6 +7837,13 @@
+ END
+ 
+ # Trust for Certificate "UTN USERFirst Hardware Root CA"
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd
++# Subject: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Not Valid Before: Fri Jul 09 18:10:42 1999
++# Not Valid After : Tue Jul 09 18:19:22 2019
++# Fingerprint (MD5): 4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39
++# Fingerprint (SHA1): 04:83:ED:33:99:AC:36:08:05:87:22:ED:BC:5E:46:00:E3:BE:F9:D7
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -7138,6 +7880,13 @@
+ #
+ # Certificate "UTN USERFirst Object Root CA"
+ #
++# Issuer: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2d:e0:b3:5f:1b
++# Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Not Valid Before: Fri Jul 09 18:31:20 1999
++# Not Valid After : Tue Jul 09 18:40:36 2019
++# Fingerprint (MD5): A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9
++# Fingerprint (SHA1): E1:2D:FB:4B:41:D7:D9:C3:2B:30:51:4B:AC:1D:81:D8:38:5E:2D:46
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -7248,6 +7997,13 @@
+ END
+ 
+ # Trust for Certificate "UTN USERFirst Object Root CA"
++# Issuer: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2d:e0:b3:5f:1b
++# Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Not Valid Before: Fri Jul 09 18:31:20 1999
++# Not Valid After : Tue Jul 09 18:40:36 2019
++# Fingerprint (MD5): A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9
++# Fingerprint (SHA1): E1:2D:FB:4B:41:D7:D9:C3:2B:30:51:4B:AC:1D:81:D8:38:5E:2D:46
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -7284,6 +8040,13 @@
+ #
+ # Certificate "Camerfirma Chambers of Commerce Root"
+ #
++# Issuer: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
++# Serial Number: 0 (0x0)
++# Subject: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
++# Not Valid Before: Tue Sep 30 16:13:43 2003
++# Not Valid After : Wed Sep 30 16:13:44 2037
++# Fingerprint (MD5): B0:01:EE:14:D9:AF:29:18:94:76:8E:F1:69:33:2A:84
++# Fingerprint (SHA1): 6E:3A:55:A4:19:0C:19:5C:93:84:3C:C0:DB:72:2E:31:30:61:F0:B1
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -7397,6 +8160,13 @@
+ END
+ 
+ # Trust for Certificate "Camerfirma Chambers of Commerce Root"
++# Issuer: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
++# Serial Number: 0 (0x0)
++# Subject: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
++# Not Valid Before: Tue Sep 30 16:13:43 2003
++# Not Valid After : Wed Sep 30 16:13:44 2037
++# Fingerprint (MD5): B0:01:EE:14:D9:AF:29:18:94:76:8E:F1:69:33:2A:84
++# Fingerprint (SHA1): 6E:3A:55:A4:19:0C:19:5C:93:84:3C:C0:DB:72:2E:31:30:61:F0:B1
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -7431,6 +8201,13 @@
+ #
+ # Certificate "Camerfirma Global Chambersign Root"
+ #
++# Issuer: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
++# Serial Number: 0 (0x0)
++# Subject: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
++# Not Valid Before: Tue Sep 30 16:14:18 2003
++# Not Valid After : Wed Sep 30 16:14:18 2037
++# Fingerprint (MD5): C5:E6:7B:BF:06:D0:4F:43:ED:C4:7A:65:8A:FB:6B:19
++# Fingerprint (SHA1): 33:9B:6B:14:50:24:9B:55:7A:01:87:72:84:D9:E0:2F:C3:D2:D8:E9
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -7542,6 +8319,13 @@
+ END
+ 
+ # Trust for Certificate "Camerfirma Global Chambersign Root"
++# Issuer: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
++# Serial Number: 0 (0x0)
++# Subject: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
++# Not Valid Before: Tue Sep 30 16:14:18 2003
++# Not Valid After : Wed Sep 30 16:14:18 2037
++# Fingerprint (MD5): C5:E6:7B:BF:06:D0:4F:43:ED:C4:7A:65:8A:FB:6B:19
++# Fingerprint (SHA1): 33:9B:6B:14:50:24:9B:55:7A:01:87:72:84:D9:E0:2F:C3:D2:D8:E9
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -7575,6 +8359,13 @@
+ #
+ # Certificate "NetLock Qualified (Class QA) Root"
+ #
++# Issuer: E=info at netlock.hu,CN=NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
++# Serial Number: 123 (0x7b)
++# Subject: E=info at netlock.hu,CN=NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
++# Not Valid Before: Sun Mar 30 01:47:11 2003
++# Not Valid After : Thu Dec 15 01:47:11 2022
++# Fingerprint (MD5): D4:80:65:68:24:F9:89:22:28:DB:F5:A4:9A:17:8F:14
++# Fingerprint (SHA1): 01:68:97:E1:A0:B8:F2:C3:B1:34:66:5C:20:A7:27:B7:A1:58:E2:8F
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -7729,6 +8520,13 @@
+ END
+ 
+ # Trust for Certificate "NetLock Qualified (Class QA) Root"
++# Issuer: E=info at netlock.hu,CN=NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
++# Serial Number: 123 (0x7b)
++# Subject: E=info at netlock.hu,CN=NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
++# Not Valid Before: Sun Mar 30 01:47:11 2003
++# Not Valid After : Thu Dec 15 01:47:11 2022
++# Fingerprint (MD5): D4:80:65:68:24:F9:89:22:28:DB:F5:A4:9A:17:8F:14
++# Fingerprint (SHA1): 01:68:97:E1:A0:B8:F2:C3:B1:34:66:5C:20:A7:27:B7:A1:58:E2:8F
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -7767,6 +8565,13 @@
+ #
+ # Certificate "NetLock Notary (Class A) Root"
+ #
++# Issuer: CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,ST=Hungary,C=HU
++# Serial Number: 259 (0x103)
++# Subject: CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,ST=Hungary,C=HU
++# Not Valid Before: Wed Feb 24 23:14:47 1999
++# Not Valid After : Tue Feb 19 23:14:47 2019
++# Fingerprint (MD5): 86:38:6D:5E:49:63:6C:85:5C:DB:6D:DC:94:B7:D0:F7
++# Fingerprint (SHA1): AC:ED:5F:65:53:FD:25:CE:01:5F:1F:7A:48:3B:6A:74:9F:61:78:C6
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -7914,6 +8719,13 @@
+ END
+ 
+ # Trust for Certificate "NetLock Notary (Class A) Root"
++# Issuer: CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,ST=Hungary,C=HU
++# Serial Number: 259 (0x103)
++# Subject: CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,ST=Hungary,C=HU
++# Not Valid Before: Wed Feb 24 23:14:47 1999
++# Not Valid After : Tue Feb 19 23:14:47 2019
++# Fingerprint (MD5): 86:38:6D:5E:49:63:6C:85:5C:DB:6D:DC:94:B7:D0:F7
++# Fingerprint (SHA1): AC:ED:5F:65:53:FD:25:CE:01:5F:1F:7A:48:3B:6A:74:9F:61:78:C6
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -7951,6 +8763,13 @@
+ #
+ # Certificate "NetLock Business (Class B) Root"
+ #
++# Issuer: CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
++# Serial Number: 105 (0x69)
++# Subject: CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
++# Not Valid Before: Thu Feb 25 14:10:22 1999
++# Not Valid After : Wed Feb 20 14:10:22 2019
++# Fingerprint (MD5): 39:16:AA:B9:6A:41:E1:14:69:DF:9E:6C:3B:72:DC:B6
++# Fingerprint (SHA1): 87:9F:4B:EE:05:DF:98:58:3B:E3:60:D6:33:E7:0D:3F:FE:98:71:AF
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -8074,6 +8893,13 @@
+ END
+ 
+ # Trust for Certificate "NetLock Business (Class B) Root"
++# Issuer: CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
++# Serial Number: 105 (0x69)
++# Subject: CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
++# Not Valid Before: Thu Feb 25 14:10:22 1999
++# Not Valid After : Wed Feb 20 14:10:22 2019
++# Fingerprint (MD5): 39:16:AA:B9:6A:41:E1:14:69:DF:9E:6C:3B:72:DC:B6
++# Fingerprint (SHA1): 87:9F:4B:EE:05:DF:98:58:3B:E3:60:D6:33:E7:0D:3F:FE:98:71:AF
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -8109,6 +8935,13 @@
+ #
+ # Certificate "NetLock Express (Class C) Root"
+ #
++# Issuer: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
++# Serial Number: 104 (0x68)
++# Subject: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
++# Not Valid Before: Thu Feb 25 14:08:11 1999
++# Not Valid After : Wed Feb 20 14:08:11 2019
++# Fingerprint (MD5): 4F:EB:F1:F0:70:C2:80:63:5D:58:9F:DA:12:3C:A9:C4
++# Fingerprint (SHA1): E3:92:51:2F:0A:CF:F5:05:DF:F6:DE:06:7F:75:37:E1:65:EA:57:4B
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -8233,6 +9066,13 @@
+ END
+ 
+ # Trust for Certificate "NetLock Express (Class C) Root"
++# Issuer: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
++# Serial Number: 104 (0x68)
++# Subject: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
++# Not Valid Before: Thu Feb 25 14:08:11 1999
++# Not Valid After : Wed Feb 20 14:08:11 2019
++# Fingerprint (MD5): 4F:EB:F1:F0:70:C2:80:63:5D:58:9F:DA:12:3C:A9:C4
++# Fingerprint (SHA1): E3:92:51:2F:0A:CF:F5:05:DF:F6:DE:06:7F:75:37:E1:65:EA:57:4B
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -8268,6 +9108,13 @@
+ #
+ # Certificate "XRamp Global CA Root"
+ #
++# Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
++# Serial Number:50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
++# Subject: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
++# Not Valid Before: Mon Nov 01 17:14:04 2004
++# Not Valid After : Mon Jan 01 05:37:19 2035
++# Fingerprint (MD5): A1:0B:44:B3:CA:10:D8:00:6E:9D:0F:D8:0F:92:0A:D1
++# Fingerprint (SHA1): B8:01:86:D1:EB:9C:86:A5:41:04:CF:30:54:F3:4C:52:B7:E5:58:C6
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -8373,6 +9220,13 @@
+ END
+ 
+ # Trust for Certificate "XRamp Global CA Root"
++# Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
++# Serial Number:50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
++# Subject: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
++# Not Valid Before: Mon Nov 01 17:14:04 2004
++# Not Valid After : Mon Jan 01 05:37:19 2035
++# Fingerprint (MD5): A1:0B:44:B3:CA:10:D8:00:6E:9D:0F:D8:0F:92:0A:D1
++# Fingerprint (SHA1): B8:01:86:D1:EB:9C:86:A5:41:04:CF:30:54:F3:4C:52:B7:E5:58:C6
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -8408,6 +9262,13 @@
+ #
+ # Certificate "Go Daddy Class 2 CA"
+ #
++# Issuer: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
++# Serial Number: 0 (0x0)
++# Subject: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
++# Not Valid Before: Tue Jun 29 17:06:20 2004
++# Not Valid After : Thu Jun 29 17:06:20 2034
++# Fingerprint (MD5): 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67
++# Fingerprint (SHA1): 27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -8505,6 +9366,13 @@
+ END
+ 
+ # Trust for Certificate "Go Daddy Class 2 CA"
++# Issuer: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
++# Serial Number: 0 (0x0)
++# Subject: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
++# Not Valid Before: Tue Jun 29 17:06:20 2004
++# Not Valid After : Thu Jun 29 17:06:20 2034
++# Fingerprint (MD5): 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67
++# Fingerprint (SHA1): 27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -8537,6 +9405,13 @@
+ #
+ # Certificate "Starfield Class 2 CA"
+ #
++# Issuer: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
++# Serial Number: 0 (0x0)
++# Subject: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
++# Not Valid Before: Tue Jun 29 17:39:16 2004
++# Not Valid After : Thu Jun 29 17:39:16 2034
++# Fingerprint (MD5): 32:4A:4B:BB:C8:63:69:9B:BE:74:9A:C6:DD:1D:46:24
++# Fingerprint (SHA1): AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -8635,6 +9510,13 @@
+ END
+ 
+ # Trust for Certificate "Starfield Class 2 CA"
++# Issuer: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
++# Serial Number: 0 (0x0)
++# Subject: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
++# Not Valid Before: Tue Jun 29 17:39:16 2004
++# Not Valid After : Thu Jun 29 17:39:16 2034
++# Fingerprint (MD5): 32:4A:4B:BB:C8:63:69:9B:BE:74:9A:C6:DD:1D:46:24
++# Fingerprint (SHA1): AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -8667,6 +9549,13 @@
+ #
+ # Certificate "StartCom Certification Authority"
+ #
++# Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
++# Serial Number: 1 (0x1)
++# Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
++# Not Valid Before: Sun Sep 17 19:46:36 2006
++# Not Valid After : Wed Sep 17 19:46:36 2036
++# Fingerprint (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
++# Fingerprint (SHA1): 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -8826,6 +9715,13 @@
+ END
+ 
+ # Trust for Certificate "StartCom Certification Authority"
++# Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
++# Serial Number: 1 (0x1)
++# Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
++# Not Valid Before: Sun Sep 17 19:46:36 2006
++# Not Valid After : Wed Sep 17 19:46:36 2036
++# Fingerprint (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
++# Fingerprint (SHA1): 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -8859,6 +9755,13 @@
+ #
+ # Certificate "Taiwan GRCA"
+ #
++# Issuer: O=Government Root Certification Authority,C=TW
++# Serial Number:1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6
++# Subject: O=Government Root Certification Authority,C=TW
++# Not Valid Before: Thu Dec 05 13:23:33 2002
++# Not Valid After : Sun Dec 05 13:23:33 2032
++# Fingerprint (MD5): 37:85:44:53:32:45:1F:20:F0:F3:95:E1:25:C4:43:4E
++# Fingerprint (SHA1): F4:8B:11:BF:DE:AB:BE:94:54:20:71:E6:41:DE:6B:BE:88:2B:40:B9
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -8976,6 +9879,13 @@
+ END
+ 
+ # Trust for Certificate "Taiwan GRCA"
++# Issuer: O=Government Root Certification Authority,C=TW
++# Serial Number:1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6
++# Subject: O=Government Root Certification Authority,C=TW
++# Not Valid Before: Thu Dec 05 13:23:33 2002
++# Not Valid After : Sun Dec 05 13:23:33 2032
++# Fingerprint (MD5): 37:85:44:53:32:45:1F:20:F0:F3:95:E1:25:C4:43:4E
++# Fingerprint (SHA1): F4:8B:11:BF:DE:AB:BE:94:54:20:71:E6:41:DE:6B:BE:88:2B:40:B9
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -9007,6 +9917,13 @@
+ #
+ # Certificate "Firmaprofesional Root CA"
+ #
++# Issuer: E=ca at firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES
++# Serial Number: 1 (0x1)
++# Subject: E=ca at firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES
++# Not Valid Before: Wed Oct 24 22:00:00 2001
++# Not Valid After : Thu Oct 24 22:00:00 2013
++# Fingerprint (MD5): 11:92:79:40:3C:B1:83:40:E5:AB:66:4A:67:92:80:DF
++# Fingerprint (SHA1): A9:62:8F:4B:98:A9:1B:48:35:BA:D2:C1:46:32:86:BB:66:64:6A:8C
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -9115,6 +10032,13 @@
+ END
+ 
+ # Trust for Certificate "Firmaprofesional Root CA"
++# Issuer: E=ca at firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES
++# Serial Number: 1 (0x1)
++# Subject: E=ca at firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES
++# Not Valid Before: Wed Oct 24 22:00:00 2001
++# Not Valid After : Thu Oct 24 22:00:00 2013
++# Fingerprint (MD5): 11:92:79:40:3C:B1:83:40:E5:AB:66:4A:67:92:80:DF
++# Fingerprint (SHA1): A9:62:8F:4B:98:A9:1B:48:35:BA:D2:C1:46:32:86:BB:66:64:6A:8C
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -9148,141 +10072,15 @@
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ #
+-# Certificate "Wells Fargo Root CA"
+-#
+-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "Wells Fargo Root CA"
+-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+-CKA_SUBJECT MULTILINE_OCTAL
+-\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123
+-\061\024\060\022\006\003\125\004\012\023\013\127\145\154\154\163
+-\040\106\141\162\147\157\061\054\060\052\006\003\125\004\013\023
+-\043\127\145\154\154\163\040\106\141\162\147\157\040\103\145\162
+-\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
+-\162\151\164\171\061\057\060\055\006\003\125\004\003\023\046\127
+-\145\154\154\163\040\106\141\162\147\157\040\122\157\157\164\040
+-\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164\150
+-\157\162\151\164\171
+-END
+-CKA_ID UTF8 "0"
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123
+-\061\024\060\022\006\003\125\004\012\023\013\127\145\154\154\163
+-\040\106\141\162\147\157\061\054\060\052\006\003\125\004\013\023
+-\043\127\145\154\154\163\040\106\141\162\147\157\040\103\145\162
+-\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
+-\162\151\164\171\061\057\060\055\006\003\125\004\003\023\046\127
+-\145\154\154\163\040\106\141\162\147\157\040\122\157\157\164\040
+-\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164\150
+-\157\162\151\164\171
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\004\071\344\227\236
+-END
+-CKA_VALUE MULTILINE_OCTAL
+-\060\202\003\345\060\202\002\315\240\003\002\001\002\002\004\071
+-\344\227\236\060\015\006\011\052\206\110\206\367\015\001\001\005
+-\005\000\060\201\202\061\013\060\011\006\003\125\004\006\023\002
+-\125\123\061\024\060\022\006\003\125\004\012\023\013\127\145\154
+-\154\163\040\106\141\162\147\157\061\054\060\052\006\003\125\004
+-\013\023\043\127\145\154\154\163\040\106\141\162\147\157\040\103
+-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
+-\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003\023
+-\046\127\145\154\154\163\040\106\141\162\147\157\040\122\157\157
+-\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165
+-\164\150\157\162\151\164\171\060\036\027\015\060\060\061\060\061
+-\061\061\066\064\061\062\070\132\027\015\062\061\060\061\061\064
+-\061\066\064\061\062\070\132\060\201\202\061\013\060\011\006\003
+-\125\004\006\023\002\125\123\061\024\060\022\006\003\125\004\012
+-\023\013\127\145\154\154\163\040\106\141\162\147\157\061\054\060
+-\052\006\003\125\004\013\023\043\127\145\154\154\163\040\106\141
+-\162\147\157\040\103\145\162\164\151\146\151\143\141\164\151\157
+-\156\040\101\165\164\150\157\162\151\164\171\061\057\060\055\006
+-\003\125\004\003\023\046\127\145\154\154\163\040\106\141\162\147
+-\157\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141
+-\164\145\040\101\165\164\150\157\162\151\164\171\060\202\001\042
+-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
+-\202\001\017\000\060\202\001\012\002\202\001\001\000\325\250\063
+-\073\046\371\064\377\315\233\176\345\004\107\316\000\342\175\167
+-\347\061\302\056\047\245\115\150\271\061\272\215\103\131\227\307
+-\163\252\177\075\134\100\236\005\345\241\342\211\331\114\270\077
+-\233\371\014\264\310\142\031\054\105\256\221\036\163\161\101\304
+-\113\023\375\160\302\045\254\042\365\165\013\267\123\344\245\053
+-\335\316\275\034\072\172\303\367\023\217\046\124\234\026\153\153
+-\257\373\330\226\261\140\232\110\340\045\042\044\171\064\316\016
+-\046\000\013\116\253\375\213\316\202\327\057\010\160\150\301\250
+-\012\371\164\117\007\253\244\371\342\203\176\047\163\164\076\270
+-\371\070\102\374\245\250\133\110\043\263\353\343\045\262\200\256
+-\226\324\012\234\302\170\232\306\150\030\256\067\142\067\136\121
+-\165\250\130\143\300\121\356\100\170\176\250\257\032\240\341\260
+-\170\235\120\214\173\347\263\374\216\043\260\333\145\000\160\204
+-\001\010\000\024\156\124\206\232\272\314\371\067\020\366\340\336
+-\204\055\235\244\205\067\323\207\343\025\320\301\027\220\176\031
+-\041\152\022\251\166\375\022\002\351\117\041\136\027\002\003\001
+-\000\001\243\141\060\137\060\017\006\003\125\035\023\001\001\377
+-\004\005\060\003\001\001\377\060\114\006\003\125\035\040\004\105
+-\060\103\060\101\006\013\140\206\110\001\206\373\173\207\007\001
+-\013\060\062\060\060\006\010\053\006\001\005\005\007\002\001\026
+-\044\150\164\164\160\072\057\057\167\167\167\056\167\145\154\154
+-\163\146\141\162\147\157\056\143\157\155\057\143\145\162\164\160
+-\157\154\151\143\171\060\015\006\011\052\206\110\206\367\015\001
+-\001\005\005\000\003\202\001\001\000\322\047\335\234\012\167\053
+-\273\042\362\002\265\112\112\221\371\321\055\276\344\273\032\150
+-\357\016\244\000\351\356\347\357\356\366\371\345\164\244\302\330
+-\122\130\304\164\373\316\153\265\073\051\171\030\132\357\233\355
+-\037\153\066\356\110\045\045\024\266\126\242\020\350\356\247\177
+-\320\077\243\320\303\135\046\356\007\314\303\301\044\041\207\036
+-\337\052\022\123\157\101\026\347\355\256\224\372\214\162\372\023
+-\107\360\074\176\256\175\021\072\023\354\355\372\157\162\144\173
+-\235\175\177\046\375\172\373\045\255\352\076\051\177\114\343\000
+-\127\062\260\263\351\355\123\027\331\213\262\024\016\060\350\345
+-\325\023\306\144\257\304\000\325\330\130\044\374\365\217\354\361
+-\307\175\245\333\017\047\321\306\362\100\210\346\037\366\141\250
+-\364\102\310\271\067\323\251\276\054\126\170\302\162\233\131\135
+-\065\100\212\350\116\143\032\266\351\040\152\121\342\316\244\220
+-\337\166\160\231\134\160\103\115\267\266\247\031\144\116\222\267
+-\305\221\074\177\110\026\145\173\026\375\313\374\373\331\325\326
+-\117\041\145\073\112\177\107\243\373
+-END
+-
+-# Trust for Certificate "Wells Fargo Root CA"
+-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "Wells Fargo Root CA"
+-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+-\223\346\253\042\003\003\265\043\050\334\332\126\236\272\344\321
+-\321\314\373\145
+-END
+-CKA_CERT_MD5_HASH MULTILINE_OCTAL
+-\040\013\112\172\210\247\251\102\206\212\137\164\126\173\210\005
+-END
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123
+-\061\024\060\022\006\003\125\004\012\023\013\127\145\154\154\163
+-\040\106\141\162\147\157\061\054\060\052\006\003\125\004\013\023
+-\043\127\145\154\154\163\040\106\141\162\147\157\040\103\145\162
+-\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
+-\162\151\164\171\061\057\060\055\006\003\125\004\003\023\046\127
+-\145\154\154\163\040\106\141\162\147\157\040\122\157\157\164\040
+-\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164\150
+-\157\162\151\164\171
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\004\071\344\227\236
+-END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+-
+-#
+ # Certificate "Swisscom Root CA 1"
+ #
++# Issuer: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
++# Serial Number:5c:0b:85:5c:0b:e7:59:41:df:57:cc:3f:7f:9d:a8:36
++# Subject: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
++# Not Valid Before: Thu Aug 18 12:06:20 2005
++# Not Valid After : Mon Aug 18 22:06:20 2025
++# Fingerprint (MD5): F8:38:7C:77:88:DF:2C:16:68:2E:C2:E2:52:4B:B8:F9
++# Fingerprint (SHA1): 5F:3A:FC:0A:8B:64:F6:86:67:34:74:DF:7E:A9:A2:FE:F9:FA:7A:51
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -9410,6 +10208,13 @@
+ END
+ 
+ # Trust for Certificate "Swisscom Root CA 1"
++# Issuer: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
++# Serial Number:5c:0b:85:5c:0b:e7:59:41:df:57:cc:3f:7f:9d:a8:36
++# Subject: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
++# Not Valid Before: Thu Aug 18 12:06:20 2005
++# Not Valid After : Mon Aug 18 22:06:20 2025
++# Fingerprint (MD5): F8:38:7C:77:88:DF:2C:16:68:2E:C2:E2:52:4B:B8:F9
++# Fingerprint (SHA1): 5F:3A:FC:0A:8B:64:F6:86:67:34:74:DF:7E:A9:A2:FE:F9:FA:7A:51
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -9443,6 +10248,13 @@
+ #
+ # Certificate "DigiCert Assured ID Root CA"
+ #
++# Issuer: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
++# Serial Number:0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39
++# Subject: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
++# Not Valid Before: Fri Nov 10 00:00:00 2006
++# Not Valid After : Mon Nov 10 00:00:00 2031
++# Fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
++# Fingerprint (SHA1): 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -9536,6 +10348,13 @@
+ END
+ 
+ # Trust for Certificate "DigiCert Assured ID Root CA"
++# Issuer: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
++# Serial Number:0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39
++# Subject: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
++# Not Valid Before: Fri Nov 10 00:00:00 2006
++# Not Valid After : Mon Nov 10 00:00:00 2031
++# Fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
++# Fingerprint (SHA1): 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -9569,6 +10388,13 @@
+ #
+ # Certificate "DigiCert Global Root CA"
+ #
++# Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
++# Serial Number:08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
++# Subject: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
++# Not Valid Before: Fri Nov 10 00:00:00 2006
++# Not Valid After : Mon Nov 10 00:00:00 2031
++# Fingerprint (MD5): 79:E4:A9:84:0D:7D:3A:96:D7:C0:4F:E2:43:4C:89:2E
++# Fingerprint (SHA1): A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -9662,6 +10488,13 @@
+ END
+ 
+ # Trust for Certificate "DigiCert Global Root CA"
++# Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
++# Serial Number:08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
++# Subject: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
++# Not Valid Before: Fri Nov 10 00:00:00 2006
++# Not Valid After : Mon Nov 10 00:00:00 2031
++# Fingerprint (MD5): 79:E4:A9:84:0D:7D:3A:96:D7:C0:4F:E2:43:4C:89:2E
++# Fingerprint (SHA1): A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -9695,6 +10528,13 @@
+ #
+ # Certificate "DigiCert High Assurance EV Root CA"
+ #
++# Issuer: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
++# Serial Number:02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
++# Subject: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
++# Not Valid Before: Fri Nov 10 00:00:00 2006
++# Not Valid After : Mon Nov 10 00:00:00 2031
++# Fingerprint (MD5): D4:74:DE:57:5C:39:B2:D3:9C:85:83:C5:C0:65:49:8A
++# Fingerprint (SHA1): 5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -9789,6 +10629,13 @@
+ END
+ 
+ # Trust for Certificate "DigiCert High Assurance EV Root CA"
++# Issuer: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
++# Serial Number:02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
++# Subject: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
++# Not Valid Before: Fri Nov 10 00:00:00 2006
++# Not Valid After : Mon Nov 10 00:00:00 2031
++# Fingerprint (MD5): D4:74:DE:57:5C:39:B2:D3:9C:85:83:C5:C0:65:49:8A
++# Fingerprint (SHA1): 5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -9822,6 +10669,13 @@
+ #
+ # Certificate "Certplus Class 2 Primary CA"
+ #
++# Issuer: CN=Class 2 Primary CA,O=Certplus,C=FR
++# Serial Number:00:85:bd:4b:f3:d8:da:e3:69:f6:94:d7:5f:c3:a5:44:23
++# Subject: CN=Class 2 Primary CA,O=Certplus,C=FR
++# Not Valid Before: Wed Jul 07 17:05:00 1999
++# Not Valid After : Sat Jul 06 23:59:59 2019
++# Fingerprint (MD5): 88:2C:8C:52:B8:A2:3C:F3:F7:BB:03:EA:AE:AC:42:0B
++# Fingerprint (SHA1): 74:20:74:41:72:9C:DD:92:EC:79:31:D8:23:10:8D:C2:81:92:E2:BB
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -9907,6 +10761,13 @@
+ END
+ 
+ # Trust for Certificate "Certplus Class 2 Primary CA"
++# Issuer: CN=Class 2 Primary CA,O=Certplus,C=FR
++# Serial Number:00:85:bd:4b:f3:d8:da:e3:69:f6:94:d7:5f:c3:a5:44:23
++# Subject: CN=Class 2 Primary CA,O=Certplus,C=FR
++# Not Valid Before: Wed Jul 07 17:05:00 1999
++# Not Valid After : Sat Jul 06 23:59:59 2019
++# Fingerprint (MD5): 88:2C:8C:52:B8:A2:3C:F3:F7:BB:03:EA:AE:AC:42:0B
++# Fingerprint (SHA1): 74:20:74:41:72:9C:DD:92:EC:79:31:D8:23:10:8D:C2:81:92:E2:BB
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -9937,6 +10798,13 @@
+ #
+ # Certificate "DST Root CA X3"
+ #
++# Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
++# Serial Number:44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
++# Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
++# Not Valid Before: Sat Sep 30 21:12:19 2000
++# Not Valid After : Thu Sep 30 14:01:15 2021
++# Fingerprint (MD5): 41:03:52:DC:0F:F7:50:1B:16:F0:02:8E:BA:6F:45:C5
++# Fingerprint (SHA1): DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -10019,6 +10887,13 @@
+ END
+ 
+ # Trust for Certificate "DST Root CA X3"
++# Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
++# Serial Number:44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
++# Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
++# Not Valid Before: Sat Sep 30 21:12:19 2000
++# Not Valid After : Thu Sep 30 14:01:15 2021
++# Fingerprint (MD5): 41:03:52:DC:0F:F7:50:1B:16:F0:02:8E:BA:6F:45:C5
++# Fingerprint (SHA1): DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -10050,6 +10925,13 @@
+ #
+ # Certificate "DST ACES CA X6"
+ #
++# Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
++# Serial Number:0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9
++# Subject: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
++# Not Valid Before: Thu Nov 20 21:19:58 2003
++# Not Valid After : Mon Nov 20 21:19:58 2017
++# Fingerprint (MD5): 21:D8:4C:82:2B:99:09:33:A2:EB:14:24:8D:8E:5F:E8
++# Fingerprint (SHA1): 40:54:DA:6F:1C:3F:40:74:AC:ED:0F:EC:CD:DB:79:D1:53:FB:90:1D
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -10146,6 +11028,13 @@
+ END
+ 
+ # Trust for Certificate "DST ACES CA X6"
++# Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
++# Serial Number:0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9
++# Subject: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
++# Not Valid Before: Thu Nov 20 21:19:58 2003
++# Not Valid After : Mon Nov 20 21:19:58 2017
++# Fingerprint (MD5): 21:D8:4C:82:2B:99:09:33:A2:EB:14:24:8D:8E:5F:E8
++# Fingerprint (SHA1): 40:54:DA:6F:1C:3F:40:74:AC:ED:0F:EC:CD:DB:79:D1:53:FB:90:1D
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -10178,6 +11067,13 @@
+ #
+ # Certificate "TURKTRUST Certificate Services Provider Root 1"
+ #
++# Issuer: O=(c) 2005 T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hiz...,L=ANKARA,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
++# Serial Number: 1 (0x1)
++# Subject: O=(c) 2005 T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hiz...,L=ANKARA,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
++# Not Valid Before: Fri May 13 10:27:17 2005
++# Not Valid After : Sun Mar 22 10:27:17 2015
++# Fingerprint (MD5): F1:6A:22:18:C9:CD:DF:CE:82:1D:1D:B7:78:5C:A9:A5
++# Fingerprint (SHA1): 79:98:A3:08:E1:4D:65:85:E6:C2:1E:15:3A:71:9F:BA:5A:D3:4A:D9
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -10284,6 +11180,13 @@
+ END
+ 
+ # Trust for Certificate "TURKTRUST Certificate Services Provider Root 1"
++# Issuer: O=(c) 2005 T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hiz...,L=ANKARA,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
++# Serial Number: 1 (0x1)
++# Subject: O=(c) 2005 T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hiz...,L=ANKARA,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
++# Not Valid Before: Fri May 13 10:27:17 2005
++# Not Valid After : Sun Mar 22 10:27:17 2015
++# Fingerprint (MD5): F1:6A:22:18:C9:CD:DF:CE:82:1D:1D:B7:78:5C:A9:A5
++# Fingerprint (SHA1): 79:98:A3:08:E1:4D:65:85:E6:C2:1E:15:3A:71:9F:BA:5A:D3:4A:D9
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -10321,6 +11224,13 @@
+ #
+ # Certificate "TURKTRUST Certificate Services Provider Root 2"
+ #
++# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
++# Serial Number: 1 (0x1)
++# Subject: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
++# Not Valid Before: Mon Nov 07 10:07:57 2005
++# Not Valid After : Wed Sep 16 10:07:57 2015
++# Fingerprint (MD5): 37:A5:6E:D4:B1:25:84:97:B7:FD:56:15:7A:F9:A2:00
++# Fingerprint (SHA1): B4:35:D4:E1:11:9D:1C:66:90:A7:49:EB:B3:94:BD:63:7B:A7:82:B7
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -10433,6 +11343,13 @@
+ END
+ 
+ # Trust for Certificate "TURKTRUST Certificate Services Provider Root 2"
++# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
++# Serial Number: 1 (0x1)
++# Subject: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
++# Not Valid Before: Mon Nov 07 10:07:57 2005
++# Not Valid After : Wed Sep 16 10:07:57 2015
++# Fingerprint (MD5): 37:A5:6E:D4:B1:25:84:97:B7:FD:56:15:7A:F9:A2:00
++# Fingerprint (SHA1): B4:35:D4:E1:11:9D:1C:66:90:A7:49:EB:B3:94:BD:63:7B:A7:82:B7
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -10471,6 +11388,13 @@
+ #
+ # Certificate "SwissSign Platinum CA - G2"
+ #
++# Issuer: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
++# Serial Number:4e:b2:00:67:0c:03:5d:4f
++# Subject: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
++# Not Valid Before: Wed Oct 25 08:36:00 2006
++# Not Valid After : Sat Oct 25 08:36:00 2036
++# Fingerprint (MD5): C9:98:27:77:28:1E:3D:0E:15:3C:84:00:B8:85:03:E6
++# Fingerprint (SHA1): 56:E0:FA:C0:3B:8F:18:23:55:18:E5:D3:11:CA:E8:C2:43:31:AB:66
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -10592,6 +11516,13 @@
+ END
+ 
+ # Trust for Certificate "SwissSign Platinum CA - G2"
++# Issuer: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
++# Serial Number:4e:b2:00:67:0c:03:5d:4f
++# Subject: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
++# Not Valid Before: Wed Oct 25 08:36:00 2006
++# Not Valid After : Sat Oct 25 08:36:00 2036
++# Fingerprint (MD5): C9:98:27:77:28:1E:3D:0E:15:3C:84:00:B8:85:03:E6
++# Fingerprint (SHA1): 56:E0:FA:C0:3B:8F:18:23:55:18:E5:D3:11:CA:E8:C2:43:31:AB:66
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -10622,6 +11553,13 @@
+ #
+ # Certificate "SwissSign Gold CA - G2"
+ #
++# Issuer: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
++# Serial Number:00:bb:40:1c:43:f5:5e:4f:b0
++# Subject: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
++# Not Valid Before: Wed Oct 25 08:30:35 2006
++# Not Valid After : Sat Oct 25 08:30:35 2036
++# Fingerprint (MD5): 24:77:D9:A8:91:D1:3B:FA:88:2D:C2:FF:F8:CD:33:93
++# Fingerprint (SHA1): D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -10742,6 +11680,13 @@
+ END
+ 
+ # Trust for Certificate "SwissSign Gold CA - G2"
++# Issuer: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
++# Serial Number:00:bb:40:1c:43:f5:5e:4f:b0
++# Subject: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
++# Not Valid Before: Wed Oct 25 08:30:35 2006
++# Not Valid After : Sat Oct 25 08:30:35 2036
++# Fingerprint (MD5): 24:77:D9:A8:91:D1:3B:FA:88:2D:C2:FF:F8:CD:33:93
++# Fingerprint (SHA1): D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -10772,6 +11717,13 @@
+ #
+ # Certificate "SwissSign Silver CA - G2"
+ #
++# Issuer: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
++# Serial Number:4f:1b:d4:2f:54:bb:2f:4b
++# Subject: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
++# Not Valid Before: Wed Oct 25 08:32:46 2006
++# Not Valid After : Sat Oct 25 08:32:46 2036
++# Fingerprint (MD5): E0:06:A1:C9:7D:CF:C9:FC:0D:C0:56:75:96:D8:62:13
++# Fingerprint (SHA1): 9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -10893,6 +11845,13 @@
+ END
+ 
+ # Trust for Certificate "SwissSign Silver CA - G2"
++# Issuer: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
++# Serial Number:4f:1b:d4:2f:54:bb:2f:4b
++# Subject: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
++# Not Valid Before: Wed Oct 25 08:32:46 2006
++# Not Valid After : Sat Oct 25 08:32:46 2036
++# Fingerprint (MD5): E0:06:A1:C9:7D:CF:C9:FC:0D:C0:56:75:96:D8:62:13
++# Fingerprint (SHA1): 9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -10923,6 +11882,13 @@
+ #
+ # Certificate "GeoTrust Primary Certification Authority"
+ #
++# Issuer: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
++# Serial Number:18:ac:b5:6a:fd:69:b6:15:3a:63:6c:af:da:fa:c4:a1
++# Subject: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
++# Not Valid Before: Mon Nov 27 00:00:00 2006
++# Not Valid After : Wed Jul 16 23:59:59 2036
++# Fingerprint (MD5): 02:26:C3:01:5E:08:30:37:43:A9:D0:7D:CF:37:E6:BF
++# Fingerprint (SHA1): 32:3C:11:8E:1B:F7:B8:B6:52:54:E2:E2:10:0D:D6:02:90:37:F0:96
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -11010,6 +11976,13 @@
+ END
+ 
+ # Trust for Certificate "GeoTrust Primary Certification Authority"
++# Issuer: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
++# Serial Number:18:ac:b5:6a:fd:69:b6:15:3a:63:6c:af:da:fa:c4:a1
++# Subject: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
++# Not Valid Before: Mon Nov 27 00:00:00 2006
++# Not Valid After : Wed Jul 16 23:59:59 2036
++# Fingerprint (MD5): 02:26:C3:01:5E:08:30:37:43:A9:D0:7D:CF:37:E6:BF
++# Fingerprint (SHA1): 32:3C:11:8E:1B:F7:B8:B6:52:54:E2:E2:10:0D:D6:02:90:37:F0:96
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -11042,6 +12015,13 @@
+ #
+ # Certificate "thawte Primary Root CA"
+ #
++# Issuer: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
++# Serial Number:34:4e:d5:57:20:d5:ed:ec:49:f4:2f:ce:37:db:2b:6d
++# Subject: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
++# Not Valid Before: Fri Nov 17 00:00:00 2006
++# Not Valid After : Wed Jul 16 23:59:59 2036
++# Fingerprint (MD5): 8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12
++# Fingerprint (SHA1): 91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -11150,6 +12130,13 @@
+ END
+ 
+ # Trust for Certificate "thawte Primary Root CA"
++# Issuer: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
++# Serial Number:34:4e:d5:57:20:d5:ed:ec:49:f4:2f:ce:37:db:2b:6d
++# Subject: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
++# Not Valid Before: Fri Nov 17 00:00:00 2006
++# Not Valid After : Wed Jul 16 23:59:59 2036
++# Fingerprint (MD5): 8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12
++# Fingerprint (SHA1): 91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -11187,6 +12174,13 @@
+ #
+ # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
+ #
++# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Serial Number:18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
++# Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Not Valid Before: Wed Nov 08 00:00:00 2006
++# Not Valid After : Wed Jul 16 23:59:59 2036
++# Fingerprint (MD5): CB:17:E4:31:67:3E:E2:09:FE:45:57:93:F3:0A:FA:1C
++# Fingerprint (SHA1): 4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -11310,6 +12304,13 @@
+ END
+ 
+ # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
++# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Serial Number:18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
++# Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Not Valid Before: Wed Nov 08 00:00:00 2006
++# Not Valid After : Wed Jul 16 23:59:59 2036
++# Fingerprint (MD5): CB:17:E4:31:67:3E:E2:09:FE:45:57:93:F3:0A:FA:1C
++# Fingerprint (SHA1): 4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -11349,6 +12350,13 @@
+ #
+ # Certificate "SecureTrust CA"
+ #
++# Issuer: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
++# Serial Number:0c:f0:8e:5c:08:16:a5:ad:42:7f:f0:eb:27:18:59:d0
++# Subject: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
++# Not Valid Before: Tue Nov 07 19:31:18 2006
++# Not Valid After : Mon Dec 31 19:40:55 2029
++# Fingerprint (MD5): DC:32:C3:A7:6D:25:57:C7:68:09:9D:EA:2D:A9:A2:D1
++# Fingerprint (SHA1): 87:82:C6:C3:04:35:3B:CF:D2:96:92:D2:59:3E:7D:44:D9:34:FF:11
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -11438,6 +12446,13 @@
+ END
+ 
+ # Trust for Certificate "SecureTrust CA"
++# Issuer: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
++# Serial Number:0c:f0:8e:5c:08:16:a5:ad:42:7f:f0:eb:27:18:59:d0
++# Subject: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
++# Not Valid Before: Tue Nov 07 19:31:18 2006
++# Not Valid After : Mon Dec 31 19:40:55 2029
++# Fingerprint (MD5): DC:32:C3:A7:6D:25:57:C7:68:09:9D:EA:2D:A9:A2:D1
++# Fingerprint (SHA1): 87:82:C6:C3:04:35:3B:CF:D2:96:92:D2:59:3E:7D:44:D9:34:FF:11
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -11469,6 +12484,13 @@
+ #
+ # Certificate "Secure Global CA"
+ #
++# Issuer: CN=Secure Global CA,O=SecureTrust Corporation,C=US
++# Serial Number:07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5
++# Subject: CN=Secure Global CA,O=SecureTrust Corporation,C=US
++# Not Valid Before: Tue Nov 07 19:42:28 2006
++# Not Valid After : Mon Dec 31 19:52:06 2029
++# Fingerprint (MD5): CF:F4:27:0D:D4:ED:DC:65:16:49:6D:3D:DA:BF:6E:DE
++# Fingerprint (SHA1): 3A:44:73:5A:E5:81:90:1F:24:86:61:46:1E:3B:9C:C4:5F:F5:3A:1B
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -11558,6 +12580,13 @@
+ END
+ 
+ # Trust for Certificate "Secure Global CA"
++# Issuer: CN=Secure Global CA,O=SecureTrust Corporation,C=US
++# Serial Number:07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5
++# Subject: CN=Secure Global CA,O=SecureTrust Corporation,C=US
++# Not Valid Before: Tue Nov 07 19:42:28 2006
++# Not Valid After : Mon Dec 31 19:52:06 2029
++# Fingerprint (MD5): CF:F4:27:0D:D4:ED:DC:65:16:49:6D:3D:DA:BF:6E:DE
++# Fingerprint (SHA1): 3A:44:73:5A:E5:81:90:1F:24:86:61:46:1E:3B:9C:C4:5F:F5:3A:1B
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -11589,6 +12618,13 @@
+ #
+ # Certificate "COMODO Certification Authority"
+ #
++# Issuer: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Serial Number:4e:81:2d:8a:82:65:e0:0b:02:ee:3e:35:02:46:e5:3d
++# Subject: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Not Valid Before: Fri Dec 01 00:00:00 2006
++# Not Valid After : Mon Dec 31 23:59:59 2029
++# Fingerprint (MD5): 5C:48:DC:F7:42:72:EC:56:94:6D:1C:CC:71:35:80:75
++# Fingerprint (SHA1): 66:31:BF:9E:F7:4F:9E:B6:C9:D5:A6:0C:BA:6A:BE:D1:F7:BD:EF:7B
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -11693,6 +12729,13 @@
+ END
+ 
+ # Trust for Certificate "COMODO Certification Authority"
++# Issuer: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Serial Number:4e:81:2d:8a:82:65:e0:0b:02:ee:3e:35:02:46:e5:3d
++# Subject: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Not Valid Before: Fri Dec 01 00:00:00 2006
++# Not Valid After : Mon Dec 31 23:59:59 2029
++# Fingerprint (MD5): 5C:48:DC:F7:42:72:EC:56:94:6D:1C:CC:71:35:80:75
++# Fingerprint (SHA1): 66:31:BF:9E:F7:4F:9E:B6:C9:D5:A6:0C:BA:6A:BE:D1:F7:BD:EF:7B
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -11728,6 +12771,13 @@
+ #
+ # Certificate "Network Solutions Certificate Authority"
+ #
++# Issuer: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
++# Serial Number:57:cb:33:6f:c2:5c:16:e6:47:16:17:e3:90:31:68:e0
++# Subject: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
++# Not Valid Before: Fri Dec 01 00:00:00 2006
++# Not Valid After : Mon Dec 31 23:59:59 2029
++# Fingerprint (MD5): D3:F3:A6:16:C0:FA:6B:1D:59:B1:2D:96:4D:0E:11:2E
++# Fingerprint (SHA1): 74:F8:A3:C3:EF:E7:B3:90:06:4B:83:90:3C:21:64:60:20:E5:DF:CE
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -11824,6 +12874,13 @@
+ END
+ 
+ # Trust for Certificate "Network Solutions Certificate Authority"
++# Issuer: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
++# Serial Number:57:cb:33:6f:c2:5c:16:e6:47:16:17:e3:90:31:68:e0
++# Subject: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
++# Not Valid Before: Fri Dec 01 00:00:00 2006
++# Not Valid After : Mon Dec 31 23:59:59 2029
++# Fingerprint (MD5): D3:F3:A6:16:C0:FA:6B:1D:59:B1:2D:96:4D:0E:11:2E
++# Fingerprint (SHA1): 74:F8:A3:C3:EF:E7:B3:90:06:4B:83:90:3C:21:64:60:20:E5:DF:CE
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -11857,6 +12914,13 @@
+ #
+ # Certificate "WellsSecure Public Root Certificate Authority"
+ #
++# Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
++# Serial Number: 1 (0x1)
++# Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
++# Not Valid Before: Thu Dec 13 17:07:54 2007
++# Not Valid After : Wed Dec 14 00:07:54 2022
++# Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36
++# Fingerprint (SHA1): E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -11970,6 +13034,13 @@
+ END
+ 
+ # Trust for Certificate "WellsSecure Public Root Certificate Authority"
++# Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
++# Serial Number: 1 (0x1)
++# Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
++# Not Valid Before: Thu Dec 13 17:07:54 2007
++# Not Valid After : Wed Dec 14 00:07:54 2022
++# Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36
++# Fingerprint (SHA1): E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -12004,6 +13075,13 @@
+ #
+ # Certificate "COMODO ECC Certification Authority"
+ #
++# Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Serial Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a
++# Subject: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Not Valid Before: Thu Mar 06 00:00:00 2008
++# Not Valid After : Mon Jan 18 23:59:59 2038
++# Fingerprint (MD5): 7C:62:FF:74:9D:31:53:5E:68:4A:D5:78:AA:1E:BF:23
++# Fingerprint (SHA1): 9F:74:4E:9F:2B:4D:BA:EC:0F:31:2C:50:B6:56:3B:8E:2D:93:C3:11
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -12082,6 +13160,13 @@
+ END
+ 
+ # Trust for Certificate "COMODO ECC Certification Authority"
++# Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Serial Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a
++# Subject: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
++# Not Valid Before: Thu Mar 06 00:00:00 2008
++# Not Valid After : Mon Jan 18 23:59:59 2038
++# Fingerprint (MD5): 7C:62:FF:74:9D:31:53:5E:68:4A:D5:78:AA:1E:BF:23
++# Fingerprint (SHA1): 9F:74:4E:9F:2B:4D:BA:EC:0F:31:2C:50:B6:56:3B:8E:2D:93:C3:11
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -12117,6 +13202,13 @@
+ #
+ # Certificate "MD5 Collisions Forged Rogue CA 25c3"
+ #
++# Issuer: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
++# Serial Number: 66 (0x42)
++# Subject: CN=MD5 Collisions Inc. (http://www.phreedom.org/md5)
++# Not Valid Before: Sat Jul 31 00:00:01 2004
++# Not Valid After : Thu Sep 02 00:00:01 2004
++# Fingerprint (MD5): 16:7A:13:15:B9:17:39:A3:F1:05:6A:E6:3E:D9:3A:38
++# Fingerprint (SHA1): 64:23:13:7E:5C:53:D6:4A:A6:64:85:ED:36:54:F5:AB:05:5A:8B:8A
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -12213,6 +13305,13 @@
+ END
+ 
+ # Trust for Certificate "MD5 Collisions Forged Rogue CA 25c3"
++# Issuer: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
++# Serial Number: 66 (0x42)
++# Subject: CN=MD5 Collisions Inc. (http://www.phreedom.org/md5)
++# Not Valid Before: Sat Jul 31 00:00:01 2004
++# Not Valid After : Thu Sep 02 00:00:01 2004
++# Fingerprint (MD5): 16:7A:13:15:B9:17:39:A3:F1:05:6A:E6:3E:D9:3A:38
++# Fingerprint (SHA1): 64:23:13:7E:5C:53:D6:4A:A6:64:85:ED:36:54:F5:AB:05:5A:8B:8A
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -12244,6 +13343,13 @@
+ #
+ # Certificate "IGC/A"
+ #
++# Issuer: E=igca at sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
++# Serial Number:39:11:45:10:94
++# Subject: E=igca at sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
++# Not Valid Before: Fri Dec 13 14:29:23 2002
++# Not Valid After : Sat Oct 17 14:29:22 2020
++# Fingerprint (MD5): 0C:7F:DD:6A:F4:2A:B9:C8:9B:BD:20:7E:A9:DB:5C:37
++# Fingerprint (SHA1): 60:D6:89:74:B5:C2:65:9E:8A:0F:C1:88:7C:88:D2:46:69:1B:18:2C
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -12345,6 +13451,13 @@
+ END
+ 
+ # Trust for Certificate "IGC/A"
++# Issuer: E=igca at sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
++# Serial Number:39:11:45:10:94
++# Subject: E=igca at sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
++# Not Valid Before: Fri Dec 13 14:29:23 2002
++# Not Valid After : Sat Oct 17 14:29:22 2020
++# Fingerprint (MD5): 0C:7F:DD:6A:F4:2A:B9:C8:9B:BD:20:7E:A9:DB:5C:37
++# Fingerprint (SHA1): 60:D6:89:74:B5:C2:65:9E:8A:0F:C1:88:7C:88:D2:46:69:1B:18:2C
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -12407,6 +13520,13 @@
+ #
+ # Certificate "Security Communication EV RootCA1"
+ #
++# Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
++# Serial Number: 0 (0x0)
++# Subject: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
++# Not Valid Before: Wed Jun 06 02:12:32 2007
++# Not Valid After : Sat Jun 06 02:12:32 2037
++# Fingerprint (MD5): 22:2D:A6:01:EA:7C:0A:F7:F0:6C:56:43:3F:77:76:D3
++# Fingerprint (SHA1): FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -12496,6 +13616,13 @@
+ END
+ 
+ # Trust for Certificate "Security Communication EV RootCA1"
++# Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
++# Serial Number: 0 (0x0)
++# Subject: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
++# Not Valid Before: Wed Jun 06 02:12:32 2007
++# Not Valid After : Sat Jun 06 02:12:32 2037
++# Fingerprint (MD5): 22:2D:A6:01:EA:7C:0A:F7:F0:6C:56:43:3F:77:76:D3
++# Fingerprint (SHA1): FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -12528,6 +13655,13 @@
+ #
+ # Certificate "OISTE WISeKey Global Root GA CA"
+ #
++# Issuer: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH
++# Serial Number:41:3d:72:c7:f4:6b:1f:81:43:7d:f1:d2:28:54:df:9a
++# Subject: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH
++# Not Valid Before: Sun Dec 11 16:03:44 2005
++# Not Valid After : Fri Dec 11 16:09:51 2037
++# Fingerprint (MD5): BC:6C:51:33:A7:E9:D3:66:63:54:15:72:1B:21:92:93
++# Fingerprint (SHA1): 59:22:A1:E1:5A:EA:16:35:21:F8:98:39:6A:46:46:B0:44:1B:0F:A9
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -12629,6 +13763,13 @@
+ END
+ 
+ # Trust for Certificate "OISTE WISeKey Global Root GA CA"
++# Issuer: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH
++# Serial Number:41:3d:72:c7:f4:6b:1f:81:43:7d:f1:d2:28:54:df:9a
++# Subject: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH
++# Not Valid Before: Sun Dec 11 16:03:44 2005
++# Not Valid After : Fri Dec 11 16:09:51 2037
++# Fingerprint (MD5): BC:6C:51:33:A7:E9:D3:66:63:54:15:72:1B:21:92:93
++# Fingerprint (SHA1): 59:22:A1:E1:5A:EA:16:35:21:F8:98:39:6A:46:46:B0:44:1B:0F:A9
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -12664,6 +13805,13 @@
+ #
+ # Certificate "S-TRUST Authentication and Encryption Root CA 2005 PN"
+ #
++# Issuer: CN=S-TRUST Authentication and Encryption Root CA 2005:PN,O=Deutscher Sparkassen Verlag GmbH,L=Stuttgart,ST=Baden-Wuerttemberg (BW),C=DE
++# Serial Number:37:19:18:e6:53:54:7c:1a:b5:b8:cb:59:5a:db:35:b7
++# Subject: CN=S-TRUST Authentication and Encryption Root CA 2005:PN,O=Deutscher Sparkassen Verlag GmbH,L=Stuttgart,ST=Baden-Wuerttemberg (BW),C=DE
++# Not Valid Before: Wed Jun 22 00:00:00 2005
++# Not Valid After : Fri Jun 21 23:59:59 2030
++# Fingerprint (MD5): 04:4B:FD:C9:6C:DA:2A:32:85:7C:59:84:61:46:8A:64
++# Fingerprint (SHA1): BE:B5:A9:95:74:6B:9E:DF:73:8B:56:E6:DF:43:7A:77:BE:10:6B:81
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -12779,6 +13927,13 @@
+ END
+ 
+ # Trust for Certificate "S-TRUST Authentication and Encryption Root CA 2005 PN"
++# Issuer: CN=S-TRUST Authentication and Encryption Root CA 2005:PN,O=Deutscher Sparkassen Verlag GmbH,L=Stuttgart,ST=Baden-Wuerttemberg (BW),C=DE
++# Serial Number:37:19:18:e6:53:54:7c:1a:b5:b8:cb:59:5a:db:35:b7
++# Subject: CN=S-TRUST Authentication and Encryption Root CA 2005:PN,O=Deutscher Sparkassen Verlag GmbH,L=Stuttgart,ST=Baden-Wuerttemberg (BW),C=DE
++# Not Valid Before: Wed Jun 22 00:00:00 2005
++# Not Valid After : Fri Jun 21 23:59:59 2030
++# Fingerprint (MD5): 04:4B:FD:C9:6C:DA:2A:32:85:7C:59:84:61:46:8A:64
++# Fingerprint (SHA1): BE:B5:A9:95:74:6B:9E:DF:73:8B:56:E6:DF:43:7A:77:BE:10:6B:81
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -12817,6 +13972,13 @@
+ #
+ # Certificate "Microsec e-Szigno Root CA"
+ #
++# Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
++# Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11
++# Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
++# Not Valid Before: Wed Apr 06 12:28:44 2005
++# Not Valid After : Thu Apr 06 12:28:44 2017
++# Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5
++# Fingerprint (SHA1): 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -12975,6 +14137,13 @@
+ END
+ 
+ # Trust for Certificate "Microsec e-Szigno Root CA"
++# Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
++# Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11
++# Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
++# Not Valid Before: Wed Apr 06 12:28:44 2005
++# Not Valid After : Thu Apr 06 12:28:44 2017
++# Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5
++# Fingerprint (SHA1): 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -13009,6 +14178,13 @@
+ #
+ # Certificate "Certigna"
+ #
++# Issuer: CN=Certigna,O=Dhimyotis,C=FR
++# Serial Number:00:fe:dc:e3:01:0f:c9:48:ff
++# Subject: CN=Certigna,O=Dhimyotis,C=FR
++# Not Valid Before: Fri Jun 29 15:13:05 2007
++# Not Valid After : Tue Jun 29 15:13:05 2027
++# Fingerprint (MD5): AB:57:A6:5B:7D:42:82:19:B5:D8:58:26:28:5E:FD:FF
++# Fingerprint (SHA1): B1:2E:13:63:45:86:A4:6F:1A:B2:60:68:37:58:2D:C4:AC:FD:94:97
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -13094,6 +14270,13 @@
+ END
+ 
+ # Trust for Certificate "Certigna"
++# Issuer: CN=Certigna,O=Dhimyotis,C=FR
++# Serial Number:00:fe:dc:e3:01:0f:c9:48:ff
++# Subject: CN=Certigna,O=Dhimyotis,C=FR
++# Not Valid Before: Fri Jun 29 15:13:05 2007
++# Not Valid After : Tue Jun 29 15:13:05 2027
++# Fingerprint (MD5): AB:57:A6:5B:7D:42:82:19:B5:D8:58:26:28:5E:FD:FF
++# Fingerprint (SHA1): B1:2E:13:63:45:86:A4:6F:1A:B2:60:68:37:58:2D:C4:AC:FD:94:97
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -13123,6 +14306,13 @@
+ #
+ # Certificate "AC Raiz Certicamara S.A."
+ #
++# Issuer: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
++# Serial Number:07:7e:52:93:7b:e0:15:e3:57:f0:69:8c:cb:ec:0c
++# Subject: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
++# Not Valid Before: Mon Nov 27 20:46:29 2006
++# Not Valid After : Tue Apr 02 21:42:02 2030
++# Fingerprint (MD5): 93:2A:3E:F6:FD:23:69:0D:71:20:D4:2B:47:99:2B:A6
++# Fingerprint (SHA1): CB:A1:C5:F8:B0:E3:5E:B8:B9:45:12:D3:F9:34:A2:E9:06:10:D3:36
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -13261,6 +14451,13 @@
+ END
+ 
+ # Trust for Certificate "AC Raiz Certicamara S.A."
++# Issuer: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
++# Serial Number:07:7e:52:93:7b:e0:15:e3:57:f0:69:8c:cb:ec:0c
++# Subject: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
++# Not Valid Before: Mon Nov 27 20:46:29 2006
++# Not Valid After : Tue Apr 02 21:42:02 2030
++# Fingerprint (MD5): 93:2A:3E:F6:FD:23:69:0D:71:20:D4:2B:47:99:2B:A6
++# Fingerprint (SHA1): CB:A1:C5:F8:B0:E3:5E:B8:B9:45:12:D3:F9:34:A2:E9:06:10:D3:36
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -13295,6 +14492,13 @@
+ #
+ # Certificate "TC TrustCenter Class 2 CA II"
+ #
++# Issuer: CN=TC TrustCenter Class 2 CA II,OU=TC TrustCenter Class 2 CA,O=TC TrustCenter GmbH,C=DE
++# Serial Number:2e:6a:00:01:00:02:1f:d7:52:21:2c:11:5c:3b
++# Subject: CN=TC TrustCenter Class 2 CA II,OU=TC TrustCenter Class 2 CA,O=TC TrustCenter GmbH,C=DE
++# Not Valid Before: Thu Jan 12 14:38:43 2006
++# Not Valid After : Wed Dec 31 22:59:59 2025
++# Fingerprint (MD5): CE:78:33:5C:59:78:01:6E:18:EA:B9:36:A0:B9:2E:23
++# Fingerprint (SHA1): AE:50:83:ED:7C:F4:5C:BC:8F:61:C6:21:FE:68:5D:79:42:21:15:6E
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -13404,6 +14608,13 @@
+ END
+ 
+ # Trust for Certificate "TC TrustCenter Class 2 CA II"
++# Issuer: CN=TC TrustCenter Class 2 CA II,OU=TC TrustCenter Class 2 CA,O=TC TrustCenter GmbH,C=DE
++# Serial Number:2e:6a:00:01:00:02:1f:d7:52:21:2c:11:5c:3b
++# Subject: CN=TC TrustCenter Class 2 CA II,OU=TC TrustCenter Class 2 CA,O=TC TrustCenter GmbH,C=DE
++# Not Valid Before: Thu Jan 12 14:38:43 2006
++# Not Valid After : Wed Dec 31 22:59:59 2025
++# Fingerprint (MD5): CE:78:33:5C:59:78:01:6E:18:EA:B9:36:A0:B9:2E:23
++# Fingerprint (SHA1): AE:50:83:ED:7C:F4:5C:BC:8F:61:C6:21:FE:68:5D:79:42:21:15:6E
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -13437,6 +14648,13 @@
+ #
+ # Certificate "TC TrustCenter Class 3 CA II"
+ #
++# Issuer: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
++# Serial Number:4a:47:00:01:00:02:e5:a0:5d:d6:3f:00:51:bf
++# Subject: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
++# Not Valid Before: Thu Jan 12 14:41:57 2006
++# Not Valid After : Wed Dec 31 22:59:59 2025
++# Fingerprint (MD5): 56:5F:AA:80:61:12:17:F6:67:21:E6:2B:6D:61:56:8E
++# Fingerprint (SHA1): 80:25:EF:F4:6E:70:C8:D4:72:24:65:84:FE:40:3B:8A:8D:6A:DB:F5
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -13546,6 +14764,13 @@
+ END
+ 
+ # Trust for Certificate "TC TrustCenter Class 3 CA II"
++# Issuer: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
++# Serial Number:4a:47:00:01:00:02:e5:a0:5d:d6:3f:00:51:bf
++# Subject: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
++# Not Valid Before: Thu Jan 12 14:41:57 2006
++# Not Valid After : Wed Dec 31 22:59:59 2025
++# Fingerprint (MD5): 56:5F:AA:80:61:12:17:F6:67:21:E6:2B:6D:61:56:8E
++# Fingerprint (SHA1): 80:25:EF:F4:6E:70:C8:D4:72:24:65:84:FE:40:3B:8A:8D:6A:DB:F5
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -13579,6 +14804,13 @@
+ #
+ # Certificate "TC TrustCenter Universal CA I"
+ #
++# Issuer: CN=TC TrustCenter Universal CA I,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
++# Serial Number:1d:a2:00:01:00:02:ec:b7:60:80:78:8d:b6:06
++# Subject: CN=TC TrustCenter Universal CA I,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
++# Not Valid Before: Wed Mar 22 15:54:28 2006
++# Not Valid After : Wed Dec 31 22:59:59 2025
++# Fingerprint (MD5): 45:E1:A5:72:C5:A9:36:64:40:9E:F5:E4:58:84:67:8C
++# Fingerprint (SHA1): 6B:2F:34:AD:89:58:BE:62:FD:B0:6B:5C:CE:BB:9D:D9:4F:4E:39:F3
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -13676,6 +14908,13 @@
+ END
+ 
+ # Trust for Certificate "TC TrustCenter Universal CA I"
++# Issuer: CN=TC TrustCenter Universal CA I,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
++# Serial Number:1d:a2:00:01:00:02:ec:b7:60:80:78:8d:b6:06
++# Subject: CN=TC TrustCenter Universal CA I,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
++# Not Valid Before: Wed Mar 22 15:54:28 2006
++# Not Valid After : Wed Dec 31 22:59:59 2025
++# Fingerprint (MD5): 45:E1:A5:72:C5:A9:36:64:40:9E:F5:E4:58:84:67:8C
++# Fingerprint (SHA1): 6B:2F:34:AD:89:58:BE:62:FD:B0:6B:5C:CE:BB:9D:D9:4F:4E:39:F3
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -13709,6 +14948,13 @@
+ #
+ # Certificate "Deutsche Telekom Root CA 2"
+ #
++# Issuer: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
++# Serial Number: 38 (0x26)
++# Subject: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
++# Not Valid Before: Fri Jul 09 12:11:00 1999
++# Not Valid After : Tue Jul 09 23:59:00 2019
++# Fingerprint (MD5): 74:01:4A:91:B1:08:C4:58:CE:47:CD:F0:DD:11:53:08
++# Fingerprint (SHA1): 85:A4:08:C0:9C:19:3E:5D:51:58:7D:CD:D6:13:30:FD:8C:DE:37:BF
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -13802,6 +15048,13 @@
+ END
+ 
+ # Trust for Certificate "Deutsche Telekom Root CA 2"
++# Issuer: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
++# Serial Number: 38 (0x26)
++# Subject: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
++# Not Valid Before: Fri Jul 09 12:11:00 1999
++# Not Valid After : Tue Jul 09 23:59:00 2019
++# Fingerprint (MD5): 74:01:4A:91:B1:08:C4:58:CE:47:CD:F0:DD:11:53:08
++# Fingerprint (SHA1): 85:A4:08:C0:9C:19:3E:5D:51:58:7D:CD:D6:13:30:FD:8C:DE:37:BF
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -13835,6 +15088,13 @@
+ #
+ # Certificate "ComSign CA"
+ #
++# Issuer: C=IL,O=ComSign,CN=ComSign CA
++# Serial Number:14:13:96:83:14:55:8c:ea:7b:63:e5:fc:34:87:77:44
++# Subject: C=IL,O=ComSign,CN=ComSign CA
++# Not Valid Before: Wed Mar 24 11:32:18 2004
++# Not Valid After : Mon Mar 19 15:02:18 2029
++# Fingerprint (MD5): CD:F4:39:F3:B5:18:50:D7:3E:A4:C5:91:A0:3E:21:4B
++# Fingerprint (SHA1): E1:A4:5B:14:1A:21:DA:1A:79:F4:1A:42:A9:61:D6:69:CD:06:34:C1
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -13920,6 +15180,13 @@
+ END
+ 
+ # Trust for Certificate "ComSign CA"
++# Issuer: C=IL,O=ComSign,CN=ComSign CA
++# Serial Number:14:13:96:83:14:55:8c:ea:7b:63:e5:fc:34:87:77:44
++# Subject: C=IL,O=ComSign,CN=ComSign CA
++# Not Valid Before: Wed Mar 24 11:32:18 2004
++# Not Valid After : Mon Mar 19 15:02:18 2029
++# Fingerprint (MD5): CD:F4:39:F3:B5:18:50:D7:3E:A4:C5:91:A0:3E:21:4B
++# Fingerprint (SHA1): E1:A4:5B:14:1A:21:DA:1A:79:F4:1A:42:A9:61:D6:69:CD:06:34:C1
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -13950,6 +15217,13 @@
+ #
+ # Certificate "ComSign Secured CA"
+ #
++# Issuer: C=IL,O=ComSign,CN=ComSign Secured CA
++# Serial Number:00:c7:28:47:09:b3:b8:6c:45:8c:1d:fa:24:f5:36:4e:e9
++# Subject: C=IL,O=ComSign,CN=ComSign Secured CA
++# Not Valid Before: Wed Mar 24 11:37:20 2004
++# Not Valid After : Fri Mar 16 15:04:56 2029
++# Fingerprint (MD5): 40:01:25:06:8D:21:43:6A:0E:43:00:9C:E7:43:F3:D5
++# Fingerprint (SHA1): F9:CD:0E:2C:DA:76:24:C1:8F:BD:F0:F0:AB:B6:45:B8:F7:FE:D5:7A
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -14036,6 +15310,13 @@
+ END
+ 
+ # Trust for Certificate "ComSign Secured CA"
++# Issuer: C=IL,O=ComSign,CN=ComSign Secured CA
++# Serial Number:00:c7:28:47:09:b3:b8:6c:45:8c:1d:fa:24:f5:36:4e:e9
++# Subject: C=IL,O=ComSign,CN=ComSign Secured CA
++# Not Valid Before: Wed Mar 24 11:37:20 2004
++# Not Valid After : Fri Mar 16 15:04:56 2029
++# Fingerprint (MD5): 40:01:25:06:8D:21:43:6A:0E:43:00:9C:E7:43:F3:D5
++# Fingerprint (SHA1): F9:CD:0E:2C:DA:76:24:C1:8F:BD:F0:F0:AB:B6:45:B8:F7:FE:D5:7A
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -14066,6 +15347,13 @@
+ #
+ # Certificate "Cybertrust Global Root"
+ #
++# Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc"
++# Serial Number:04:00:00:00:00:01:0f:85:aa:2d:48
++# Subject: CN=Cybertrust Global Root,O="Cybertrust, Inc"
++# Not Valid Before: Fri Dec 15 08:00:00 2006
++# Not Valid After : Wed Dec 15 08:00:00 2021
++# Fingerprint (MD5): 72:E4:4A:87:E3:69:40:80:77:EA:BC:E3:F4:FF:F0:E1
++# Fingerprint (SHA1): 5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -14151,6 +15439,13 @@
+ END
+ 
+ # Trust for Certificate "Cybertrust Global Root"
++# Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc"
++# Serial Number:04:00:00:00:00:01:0f:85:aa:2d:48
++# Subject: CN=Cybertrust Global Root,O="Cybertrust, Inc"
++# Not Valid Before: Fri Dec 15 08:00:00 2006
++# Not Valid After : Wed Dec 15 08:00:00 2021
++# Fingerprint (MD5): 72:E4:4A:87:E3:69:40:80:77:EA:BC:E3:F4:FF:F0:E1
++# Fingerprint (SHA1): 5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -14180,6 +15475,13 @@
+ #
+ # Certificate "ePKI Root Certification Authority"
+ #
++# Issuer: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW
++# Serial Number:15:c8:bd:65:47:5c:af:b8:97:00:5e:e4:06:d2:bc:9d
++# Subject: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW
++# Not Valid Before: Mon Dec 20 02:31:27 2004
++# Not Valid After : Wed Dec 20 02:31:27 2034
++# Fingerprint (MD5): 1B:2E:00:CA:26:06:90:3D:AD:FE:6F:15:68:D3:6B:B3
++# Fingerprint (SHA1): 67:65:0D:F1:7E:8E:7E:5B:82:40:A4:F4:56:4B:CF:E2:3D:69:C6:F0
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -14303,6 +15605,13 @@
+ END
+ 
+ # Trust for Certificate "ePKI Root Certification Authority"
++# Issuer: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW
++# Serial Number:15:c8:bd:65:47:5c:af:b8:97:00:5e:e4:06:d2:bc:9d
++# Subject: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW
++# Not Valid Before: Mon Dec 20 02:31:27 2004
++# Not Valid After : Wed Dec 20 02:31:27 2034
++# Fingerprint (MD5): 1B:2E:00:CA:26:06:90:3D:AD:FE:6F:15:68:D3:6B:B3
++# Fingerprint (SHA1): 67:65:0D:F1:7E:8E:7E:5B:82:40:A4:F4:56:4B:CF:E2:3D:69:C6:F0
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -14335,6 +15644,13 @@
+ #
+ # Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
+ #
++# Issuer: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
++# Serial Number: 17 (0x11)
++# Subject: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
++# Not Valid Before: Fri Aug 24 11:37:07 2007
++# Not Valid After : Mon Aug 21 11:37:07 2017
++# Fingerprint (MD5): ED:41:F5:8C:50:C5:2B:9C:73:E6:EE:6C:EB:C2:A8:26
++# Fingerprint (SHA1): 1B:4B:39:61:26:27:6B:64:91:A2:68:6D:D7:02:43:21:2D:1F:1D:96
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -14473,6 +15789,13 @@
+ END
+ 
+ # Trust for Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
++# Issuer: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
++# Serial Number: 17 (0x11)
++# Subject: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
++# Not Valid Before: Fri Aug 24 11:37:07 2007
++# Not Valid After : Mon Aug 21 11:37:07 2017
++# Fingerprint (MD5): ED:41:F5:8C:50:C5:2B:9C:73:E6:EE:6C:EB:C2:A8:26
++# Fingerprint (SHA1): 1B:4B:39:61:26:27:6B:64:91:A2:68:6D:D7:02:43:21:2D:1F:1D:96
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -14517,6 +15840,13 @@
+ #
+ # Certificate "Buypass Class 2 CA 1"
+ #
++# Issuer: CN=Buypass Class 2 CA 1,O=Buypass AS-983163327,C=NO
++# Serial Number: 1 (0x1)
++# Subject: CN=Buypass Class 2 CA 1,O=Buypass AS-983163327,C=NO
++# Not Valid Before: Fri Oct 13 10:25:09 2006
++# Not Valid After : Thu Oct 13 10:25:09 2016
++# Fingerprint (MD5): B8:08:9A:F0:03:CC:1B:0D:C8:6C:0B:76:A1:75:64:23
++# Fingerprint (SHA1): A0:A1:AB:90:C9:FC:84:7B:3B:12:61:E8:97:7D:5F:D3:22:61:D3:CC
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -14599,6 +15929,13 @@
+ END
+ 
+ # Trust for Certificate "Buypass Class 2 CA 1"
++# Issuer: CN=Buypass Class 2 CA 1,O=Buypass AS-983163327,C=NO
++# Serial Number: 1 (0x1)
++# Subject: CN=Buypass Class 2 CA 1,O=Buypass AS-983163327,C=NO
++# Not Valid Before: Fri Oct 13 10:25:09 2006
++# Not Valid After : Thu Oct 13 10:25:09 2016
++# Fingerprint (MD5): B8:08:9A:F0:03:CC:1B:0D:C8:6C:0B:76:A1:75:64:23
++# Fingerprint (SHA1): A0:A1:AB:90:C9:FC:84:7B:3B:12:61:E8:97:7D:5F:D3:22:61:D3:CC
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -14629,6 +15966,13 @@
+ #
+ # Certificate "Buypass Class 3 CA 1"
+ #
++# Issuer: CN=Buypass Class 3 CA 1,O=Buypass AS-983163327,C=NO
++# Serial Number: 2 (0x2)
++# Subject: CN=Buypass Class 3 CA 1,O=Buypass AS-983163327,C=NO
++# Not Valid Before: Mon May 09 14:13:03 2005
++# Not Valid After : Sat May 09 14:13:03 2015
++# Fingerprint (MD5): DF:3C:73:59:81:E7:39:50:81:04:4C:34:A2:CB:B3:7B
++# Fingerprint (SHA1): 61:57:3A:11:DF:0E:D8:7E:D5:92:65:22:EA:D0:56:D7:44:B3:23:71
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -14711,6 +16055,13 @@
+ END
+ 
+ # Trust for Certificate "Buypass Class 3 CA 1"
++# Issuer: CN=Buypass Class 3 CA 1,O=Buypass AS-983163327,C=NO
++# Serial Number: 2 (0x2)
++# Subject: CN=Buypass Class 3 CA 1,O=Buypass AS-983163327,C=NO
++# Not Valid Before: Mon May 09 14:13:03 2005
++# Not Valid After : Sat May 09 14:13:03 2015
++# Fingerprint (MD5): DF:3C:73:59:81:E7:39:50:81:04:4C:34:A2:CB:B3:7B
++# Fingerprint (SHA1): 61:57:3A:11:DF:0E:D8:7E:D5:92:65:22:EA:D0:56:D7:44:B3:23:71
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -14741,6 +16092,13 @@
+ #
+ # Certificate "EBG Elektronik Sertifika Hizmet Saglayicisi"
+ #
++# Issuer: C=TR,O=EBG Bili..im Teknolojileri ve Hizmetleri A....,CN=EBG Elektronik Sertifika Hizmet Sa..lay..c..s..
++# Serial Number:4c:af:73:42:1c:8e:74:02
++# Subject: C=TR,O=EBG Bili..im Teknolojileri ve Hizmetleri A....,CN=EBG Elektronik Sertifika Hizmet Sa..lay..c..s..
++# Not Valid Before: Thu Aug 17 00:21:09 2006
++# Not Valid After : Sun Aug 14 00:31:09 2016
++# Fingerprint (MD5): 2C:20:26:9D:CB:1A:4A:00:85:B5:B7:5A:AE:C2:01:37
++# Fingerprint (SHA1): 8C:96:BA:EB:DD:2B:07:07:48:EE:30:32:66:A0:F3:98:6E:7C:AE:58
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -14872,6 +16230,13 @@
+ END
+ 
+ # Trust for Certificate "EBG Elektronik Sertifika Hizmet Saglayicisi"
++# Issuer: C=TR,O=EBG Bili..im Teknolojileri ve Hizmetleri A....,CN=EBG Elektronik Sertifika Hizmet Sa..lay..c..s..
++# Serial Number:4c:af:73:42:1c:8e:74:02
++# Subject: C=TR,O=EBG Bili..im Teknolojileri ve Hizmetleri A....,CN=EBG Elektronik Sertifika Hizmet Sa..lay..c..s..
++# Not Valid Before: Thu Aug 17 00:21:09 2006
++# Not Valid After : Sun Aug 14 00:31:09 2016
++# Fingerprint (MD5): 2C:20:26:9D:CB:1A:4A:00:85:B5:B7:5A:AE:C2:01:37
++# Fingerprint (SHA1): 8C:96:BA:EB:DD:2B:07:07:48:EE:30:32:66:A0:F3:98:6E:7C:AE:58
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -14906,6 +16271,13 @@
+ #
+ # Certificate "certSIGN ROOT CA"
+ #
++# Issuer: OU=certSIGN ROOT CA,O=certSIGN,C=RO
++# Serial Number:20:06:05:16:70:02
++# Subject: OU=certSIGN ROOT CA,O=certSIGN,C=RO
++# Not Valid Before: Tue Jul 04 17:20:04 2006
++# Not Valid After : Fri Jul 04 17:20:04 2031
++# Fingerprint (MD5): 18:98:C0:D6:E9:3A:FC:F9:B0:F5:0C:F7:4B:01:44:17
++# Fingerprint (SHA1): FA:B7:EE:36:97:26:62:FB:2D:B0:2A:F6:BF:03:FD:E8:7C:4B:2F:9B
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -14984,6 +16356,13 @@
+ END
+ 
+ # Trust for Certificate "certSIGN ROOT CA"
++# Issuer: OU=certSIGN ROOT CA,O=certSIGN,C=RO
++# Serial Number:20:06:05:16:70:02
++# Subject: OU=certSIGN ROOT CA,O=certSIGN,C=RO
++# Not Valid Before: Tue Jul 04 17:20:04 2006
++# Not Valid After : Fri Jul 04 17:20:04 2031
++# Fingerprint (MD5): 18:98:C0:D6:E9:3A:FC:F9:B0:F5:0C:F7:4B:01:44:17
++# Fingerprint (SHA1): FA:B7:EE:36:97:26:62:FB:2D:B0:2A:F6:BF:03:FD:E8:7C:4B:2F:9B
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -15013,6 +16392,13 @@
+ #
+ # Certificate "CNNIC ROOT"
+ #
++# Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN
++# Serial Number: 1228079105 (0x49330001)
++# Subject: CN=CNNIC ROOT,O=CNNIC,C=CN
++# Not Valid Before: Mon Apr 16 07:09:14 2007
++# Not Valid After : Fri Apr 16 07:09:14 2027
++# Fingerprint (MD5): 21:BC:82:AB:49:C4:13:3B:4B:B2:2B:5C:6B:90:9C:19
++# Fingerprint (SHA1): 8B:AF:4C:9B:1D:F0:2A:92:F7:DA:12:8E:B9:1B:AC:F4:98:60:4B:6F
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -15093,6 +16479,13 @@
+ END
+ 
+ # Trust for Certificate "CNNIC ROOT"
++# Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN
++# Serial Number: 1228079105 (0x49330001)
++# Subject: CN=CNNIC ROOT,O=CNNIC,C=CN
++# Not Valid Before: Mon Apr 16 07:09:14 2007
++# Not Valid After : Fri Apr 16 07:09:14 2027
++# Fingerprint (MD5): 21:BC:82:AB:49:C4:13:3B:4B:B2:2B:5C:6B:90:9C:19
++# Fingerprint (SHA1): 8B:AF:4C:9B:1D:F0:2A:92:F7:DA:12:8E:B9:1B:AC:F4:98:60:4B:6F
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -15122,6 +16515,13 @@
+ #
+ # Certificate "ApplicationCA - Japanese Government"
+ #
++# Issuer: OU=ApplicationCA,O=Japanese Government,C=JP
++# Serial Number: 49 (0x31)
++# Subject: OU=ApplicationCA,O=Japanese Government,C=JP
++# Not Valid Before: Wed Dec 12 15:00:00 2007
++# Not Valid After : Tue Dec 12 15:00:00 2017
++# Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6
++# Fingerprint (SHA1): 7F:8A:B0:CF:D0:51:87:6A:66:F3:36:0F:47:C8:8D:8C:D3:35:FC:74
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -15209,6 +16609,13 @@
+ END
+ 
+ # Trust for Certificate "ApplicationCA - Japanese Government"
++# Issuer: OU=ApplicationCA,O=Japanese Government,C=JP
++# Serial Number: 49 (0x31)
++# Subject: OU=ApplicationCA,O=Japanese Government,C=JP
++# Not Valid Before: Wed Dec 12 15:00:00 2007
++# Not Valid After : Tue Dec 12 15:00:00 2017
++# Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6
++# Fingerprint (SHA1): 7F:8A:B0:CF:D0:51:87:6A:66:F3:36:0F:47:C8:8D:8C:D3:35:FC:74
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -15239,6 +16646,13 @@
+ #
+ # Certificate "GeoTrust Primary Certification Authority - G3"
+ #
++# Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
++# Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f
++# Subject: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
++# Not Valid Before: Wed Apr 02 00:00:00 2008
++# Not Valid After : Tue Dec 01 23:59:59 2037
++# Fingerprint (MD5): B5:E8:34:36:C9:10:44:58:48:70:6D:2E:83:D4:B8:05
++# Fingerprint (SHA1): 03:9E:ED:B8:0B:E7:A0:3C:69:53:89:3B:20:D2:D9:32:3A:4C:2A:FD
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -15343,6 +16757,13 @@
+ END
+ 
+ # Trust for Certificate "GeoTrust Primary Certification Authority - G3"
++# Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
++# Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f
++# Subject: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
++# Not Valid Before: Wed Apr 02 00:00:00 2008
++# Not Valid After : Tue Dec 01 23:59:59 2037
++# Fingerprint (MD5): B5:E8:34:36:C9:10:44:58:48:70:6D:2E:83:D4:B8:05
++# Fingerprint (SHA1): 03:9E:ED:B8:0B:E7:A0:3C:69:53:89:3B:20:D2:D9:32:3A:4C:2A:FD
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -15379,6 +16800,13 @@
+ #
+ # Certificate "thawte Primary Root CA - G2"
+ #
++# Issuer: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
++# Serial Number:35:fc:26:5c:d9:84:4f:c9:3d:26:3d:57:9b:ae:d7:56
++# Subject: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
++# Not Valid Before: Mon Nov 05 00:00:00 2007
++# Not Valid After : Mon Jan 18 23:59:59 2038
++# Fingerprint (MD5): 74:9D:EA:60:24:C4:FD:22:53:3E:CC:3A:72:D9:29:4F
++# Fingerprint (SHA1): AA:DB:BC:22:23:8F:C4:01:A1:27:BB:38:DD:F4:1D:DB:08:9E:F0:12
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -15457,6 +16885,13 @@
+ END
+ 
+ # Trust for Certificate "thawte Primary Root CA - G2"
++# Issuer: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
++# Serial Number:35:fc:26:5c:d9:84:4f:c9:3d:26:3d:57:9b:ae:d7:56
++# Subject: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
++# Not Valid Before: Mon Nov 05 00:00:00 2007
++# Not Valid After : Mon Jan 18 23:59:59 2038
++# Fingerprint (MD5): 74:9D:EA:60:24:C4:FD:22:53:3E:CC:3A:72:D9:29:4F
++# Fingerprint (SHA1): AA:DB:BC:22:23:8F:C4:01:A1:27:BB:38:DD:F4:1D:DB:08:9E:F0:12
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -15492,6 +16927,13 @@
+ #
+ # Certificate "thawte Primary Root CA - G3"
+ #
++# Issuer: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
++# Serial Number:60:01:97:b7:46:a7:ea:b4:b4:9a:d6:4b:2f:f7:90:fb
++# Subject: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
++# Not Valid Before: Wed Apr 02 00:00:00 2008
++# Not Valid After : Tue Dec 01 23:59:59 2037
++# Fingerprint (MD5): FB:1B:5D:43:8A:94:CD:44:C6:76:F2:43:4B:47:E7:31
++# Fingerprint (SHA1): F1:8B:53:8D:1B:E9:03:B6:A6:F0:56:43:5B:17:15:89:CA:F3:6B:F2
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -15602,6 +17044,13 @@
+ END
+ 
+ # Trust for Certificate "thawte Primary Root CA - G3"
++# Issuer: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
++# Serial Number:60:01:97:b7:46:a7:ea:b4:b4:9a:d6:4b:2f:f7:90:fb
++# Subject: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
++# Not Valid Before: Wed Apr 02 00:00:00 2008
++# Not Valid After : Tue Dec 01 23:59:59 2037
++# Fingerprint (MD5): FB:1B:5D:43:8A:94:CD:44:C6:76:F2:43:4B:47:E7:31
++# Fingerprint (SHA1): F1:8B:53:8D:1B:E9:03:B6:A6:F0:56:43:5B:17:15:89:CA:F3:6B:F2
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -15640,6 +17089,13 @@
+ #
+ # Certificate "GeoTrust Primary Certification Authority - G2"
+ #
++# Issuer: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
++# Serial Number:3c:b2:f4:48:0a:00:e2:fe:eb:24:3b:5e:60:3e:c3:6b
++# Subject: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
++# Not Valid Before: Mon Nov 05 00:00:00 2007
++# Not Valid After : Mon Jan 18 23:59:59 2038
++# Fingerprint (MD5): 01:5E:D8:6B:BD:6F:3D:8E:A1:31:F8:12:E0:98:73:6A
++# Fingerprint (SHA1): 8D:17:84:D5:37:F3:03:7D:EC:70:FE:57:8B:51:9A:99:E6:10:D7:B0
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -15723,6 +17179,13 @@
+ END
+ 
+ # Trust for Certificate "GeoTrust Primary Certification Authority - G2"
++# Issuer: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
++# Serial Number:3c:b2:f4:48:0a:00:e2:fe:eb:24:3b:5e:60:3e:c3:6b
++# Subject: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
++# Not Valid Before: Mon Nov 05 00:00:00 2007
++# Not Valid After : Mon Jan 18 23:59:59 2038
++# Fingerprint (MD5): 01:5E:D8:6B:BD:6F:3D:8E:A1:31:F8:12:E0:98:73:6A
++# Fingerprint (SHA1): 8D:17:84:D5:37:F3:03:7D:EC:70:FE:57:8B:51:9A:99:E6:10:D7:B0
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -15759,6 +17222,13 @@
+ #
+ # Certificate "VeriSign Universal Root Certification Authority"
+ #
++# Issuer: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Serial Number:40:1a:c4:64:21:b3:13:21:03:0e:bb:e4:12:1a:c5:1d
++# Subject: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Not Valid Before: Wed Apr 02 00:00:00 2008
++# Not Valid After : Tue Dec 01 23:59:59 2037
++# Fingerprint (MD5): 8E:AD:B5:01:AA:4D:81:E4:8C:1D:D1:E1:14:00:95:19
++# Fingerprint (SHA1): 36:79:CA:35:66:87:72:30:4D:30:A5:FB:87:3B:0F:A7:7B:B7:0D:54
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -15878,6 +17348,13 @@
+ END
+ 
+ # Trust for Certificate "VeriSign Universal Root Certification Authority"
++# Issuer: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Serial Number:40:1a:c4:64:21:b3:13:21:03:0e:bb:e4:12:1a:c5:1d
++# Subject: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Not Valid Before: Wed Apr 02 00:00:00 2008
++# Not Valid After : Tue Dec 01 23:59:59 2037
++# Fingerprint (MD5): 8E:AD:B5:01:AA:4D:81:E4:8C:1D:D1:E1:14:00:95:19
++# Fingerprint (SHA1): 36:79:CA:35:66:87:72:30:4D:30:A5:FB:87:3B:0F:A7:7B:B7:0D:54
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -15916,6 +17393,13 @@
+ #
+ # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
+ #
++# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Serial Number:2f:80:fe:23:8c:0e:22:0f:48:67:12:28:91:87:ac:b3
++# Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Not Valid Before: Mon Nov 05 00:00:00 2007
++# Not Valid After : Mon Jan 18 23:59:59 2038
++# Fingerprint (MD5): 3A:52:E1:E7:FD:6F:3A:E3:6F:F3:6F:99:1B:F9:22:41
++# Fingerprint (SHA1): 22:D5:D8:DF:8F:02:31:D1:8D:F7:9D:B7:CF:8A:2D:64:C9:3F:6C:3A
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -16018,6 +17502,13 @@
+ END
+ 
+ # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
++# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Serial Number:2f:80:fe:23:8c:0e:22:0f:48:67:12:28:91:87:ac:b3
++# Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
++# Not Valid Before: Mon Nov 05 00:00:00 2007
++# Not Valid After : Mon Jan 18 23:59:59 2038
++# Fingerprint (MD5): 3A:52:E1:E7:FD:6F:3A:E3:6F:F3:6F:99:1B:F9:22:41
++# Fingerprint (SHA1): 22:D5:D8:DF:8F:02:31:D1:8D:F7:9D:B7:CF:8A:2D:64:C9:3F:6C:3A
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -16057,6 +17548,13 @@
+ #
+ # Certificate "NetLock Arany (Class Gold) Főtanúsítvány"
+ #
++# Issuer: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
++# Serial Number:49:41:2c:e4:00:10
++# Subject: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
++# Not Valid Before: Thu Dec 11 15:08:21 2008
++# Not Valid After : Wed Dec 06 15:08:21 2028
++# Fingerprint (MD5): C5:A1:B7:FF:73:DD:D6:D7:34:32:18:DF:FC:3C:AD:88
++# Fingerprint (SHA1): 06:08:3F:59:3F:15:A1:04:A0:69:A4:6B:A9:03:D0:06:B7:97:09:91
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -16163,6 +17661,13 @@
+ END
+ 
+ # Trust for Certificate "NetLock Arany (Class Gold) Főtanúsítvány"
++# Issuer: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
++# Serial Number:49:41:2c:e4:00:10
++# Subject: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
++# Not Valid Before: Thu Dec 11 15:08:21 2008
++# Not Valid After : Wed Dec 06 15:08:21 2028
++# Fingerprint (MD5): C5:A1:B7:FF:73:DD:D6:D7:34:32:18:DF:FC:3C:AD:88
++# Fingerprint (SHA1): 06:08:3F:59:3F:15:A1:04:A0:69:A4:6B:A9:03:D0:06:B7:97:09:91
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -16199,6 +17704,13 @@
+ #
+ # Certificate "Staat der Nederlanden Root CA - G2"
+ #
++# Issuer: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
++# Serial Number: 10000012 (0x98968c)
++# Subject: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
++# Not Valid Before: Wed Mar 26 11:18:17 2008
++# Not Valid After : Wed Mar 25 11:03:10 2020
++# Fingerprint (MD5): 7C:A5:0F:F8:5B:9A:7D:6D:30:AE:54:5A:E3:42:A2:8A
++# Fingerprint (SHA1): 59:AF:82:79:91:86:C7:B4:75:07:CB:CF:03:57:46:EB:04:DD:B7:16
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -16322,6 +17834,13 @@
+ END
+ 
+ # Trust for Certificate "Staat der Nederlanden Root CA - G2"
++# Issuer: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
++# Serial Number: 10000012 (0x98968c)
++# Subject: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
++# Not Valid Before: Wed Mar 26 11:18:17 2008
++# Not Valid After : Wed Mar 25 11:03:10 2020
++# Fingerprint (MD5): 7C:A5:0F:F8:5B:9A:7D:6D:30:AE:54:5A:E3:42:A2:8A
++# Fingerprint (SHA1): 59:AF:82:79:91:86:C7:B4:75:07:CB:CF:03:57:46:EB:04:DD:B7:16
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -16353,6 +17872,13 @@
+ #
+ # Certificate "CA Disig"
+ #
++# Issuer: CN=CA Disig,O=Disig a.s.,L=Bratislava,C=SK
++# Serial Number: 1 (0x1)
++# Subject: CN=CA Disig,O=Disig a.s.,L=Bratislava,C=SK
++# Not Valid Before: Wed Mar 22 01:39:34 2006
++# Not Valid After : Tue Mar 22 01:39:34 2016
++# Fingerprint (MD5): 3F:45:96:39:E2:50:87:F7:BB:FE:98:0C:3C:20:98:E6
++# Fingerprint (SHA1): 2A:C8:D5:8B:57:CE:BF:2F:49:AF:F2:FC:76:8F:51:14:62:90:7A:41
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -16447,6 +17973,13 @@
+ END
+ 
+ # Trust for Certificate "CA Disig"
++# Issuer: CN=CA Disig,O=Disig a.s.,L=Bratislava,C=SK
++# Serial Number: 1 (0x1)
++# Subject: CN=CA Disig,O=Disig a.s.,L=Bratislava,C=SK
++# Not Valid Before: Wed Mar 22 01:39:34 2006
++# Not Valid After : Tue Mar 22 01:39:34 2016
++# Fingerprint (MD5): 3F:45:96:39:E2:50:87:F7:BB:FE:98:0C:3C:20:98:E6
++# Fingerprint (SHA1): 2A:C8:D5:8B:57:CE:BF:2F:49:AF:F2:FC:76:8F:51:14:62:90:7A:41
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -16477,6 +18010,13 @@
+ #
+ # Certificate "Juur-SK"
+ #
++# Issuer: CN=Juur-SK,O=AS Sertifitseerimiskeskus,C=EE,E=pki at sk.ee
++# Serial Number: 999181308 (0x3b8e4bfc)
++# Subject: CN=Juur-SK,O=AS Sertifitseerimiskeskus,C=EE,E=pki at sk.ee
++# Not Valid Before: Thu Aug 30 14:23:01 2001
++# Not Valid After : Fri Aug 26 14:23:01 2016
++# Fingerprint (MD5): AA:8E:5D:D9:F8:DB:0A:58:B7:8D:26:87:6C:82:35:55
++# Fingerprint (SHA1): 40:9D:4B:D9:17:B5:5C:27:B6:9B:64:CB:98:22:44:0D:CD:09:B8:89
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -16586,6 +18126,13 @@
+ END
+ 
+ # Trust for Certificate "Juur-SK"
++# Issuer: CN=Juur-SK,O=AS Sertifitseerimiskeskus,C=EE,E=pki at sk.ee
++# Serial Number: 999181308 (0x3b8e4bfc)
++# Subject: CN=Juur-SK,O=AS Sertifitseerimiskeskus,C=EE,E=pki at sk.ee
++# Not Valid Before: Thu Aug 30 14:23:01 2001
++# Not Valid After : Fri Aug 26 14:23:01 2016
++# Fingerprint (MD5): AA:8E:5D:D9:F8:DB:0A:58:B7:8D:26:87:6C:82:35:55
++# Fingerprint (SHA1): 40:9D:4B:D9:17:B5:5C:27:B6:9B:64:CB:98:22:44:0D:CD:09:B8:89
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -16617,6 +18164,13 @@
+ #
+ # Certificate "Hongkong Post Root CA 1"
+ #
++# Issuer: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
++# Serial Number: 1000 (0x3e8)
++# Subject: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
++# Not Valid Before: Thu May 15 05:13:14 2003
++# Not Valid After : Mon May 15 04:52:29 2023
++# Fingerprint (MD5): A8:0D:6F:39:78:B9:43:6D:77:42:6D:98:5A:CC:23:CA
++# Fingerprint (SHA1): D6:DA:A8:20:8D:09:D2:15:4D:24:B5:2F:CB:34:6E:B2:58:B2:8A:58
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -16697,6 +18251,13 @@
+ END
+ 
+ # Trust for Certificate "Hongkong Post Root CA 1"
++# Issuer: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
++# Serial Number: 1000 (0x3e8)
++# Subject: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
++# Not Valid Before: Thu May 15 05:13:14 2003
++# Not Valid After : Mon May 15 04:52:29 2023
++# Fingerprint (MD5): A8:0D:6F:39:78:B9:43:6D:77:42:6D:98:5A:CC:23:CA
++# Fingerprint (SHA1): D6:DA:A8:20:8D:09:D2:15:4D:24:B5:2F:CB:34:6E:B2:58:B2:8A:58
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -16727,6 +18288,13 @@
+ #
+ # Certificate "SecureSign RootCA11"
+ #
++# Issuer: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
++# Serial Number: 1 (0x1)
++# Subject: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
++# Not Valid Before: Wed Apr 08 04:56:47 2009
++# Not Valid After : Sun Apr 08 04:56:47 2029
++# Fingerprint (MD5): B7:52:74:E2:92:B4:80:93:F2:75:E4:CC:D7:F2:EA:26
++# Fingerprint (SHA1): 3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -16813,6 +18381,13 @@
+ END
+ 
+ # Trust for Certificate "SecureSign RootCA11"
++# Issuer: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
++# Serial Number: 1 (0x1)
++# Subject: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
++# Not Valid Before: Wed Apr 08 04:56:47 2009
++# Not Valid After : Sun Apr 08 04:56:47 2029
++# Fingerprint (MD5): B7:52:74:E2:92:B4:80:93:F2:75:E4:CC:D7:F2:EA:26
++# Fingerprint (SHA1): 3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -16844,6 +18419,13 @@
+ #
+ # Certificate "ACEDICOM Root"
+ #
++# Issuer: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
++# Serial Number:61:8d:c7:86:3b:01:82:05
++# Subject: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
++# Not Valid Before: Fri Apr 18 16:24:22 2008
++# Not Valid After : Thu Apr 13 16:24:22 2028
++# Fingerprint (MD5): 42:81:A0:E2:1C:E3:55:10:DE:55:89:42:65:96:22:E6
++# Fingerprint (SHA1): E0:B4:32:2E:B2:F6:A5:68:B6:54:53:84:48:18:4A:50:36:87:43:84
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -16964,6 +18546,13 @@
+ END
+ 
+ # Trust for Certificate "ACEDICOM Root"
++# Issuer: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
++# Serial Number:61:8d:c7:86:3b:01:82:05
++# Subject: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
++# Not Valid Before: Fri Apr 18 16:24:22 2008
++# Not Valid After : Thu Apr 13 16:24:22 2028
++# Fingerprint (MD5): 42:81:A0:E2:1C:E3:55:10:DE:55:89:42:65:96:22:E6
++# Fingerprint (SHA1): E0:B4:32:2E:B2:F6:A5:68:B6:54:53:84:48:18:4A:50:36:87:43:84
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -16995,6 +18584,13 @@
+ #
+ # Certificate "Verisign Class 1 Public Primary Certification Authority"
+ #
++# Issuer: OU=Class 1 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
++# Serial Number:3f:69:1e:81:9c:f0:9a:4a:f3:73:ff:b9:48:a2:e4:dd
++# Subject: OU=Class 1 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
++# Not Valid Before: Mon Jan 29 00:00:00 1996
++# Not Valid After : Wed Aug 02 23:59:59 2028
++# Fingerprint (MD5): 86:AC:DE:2B:C5:6D:C3:D9:8C:28:88:D3:8D:16:13:1E
++# Fingerprint (SHA1): CE:6A:64:A3:09:E4:2F:BB:D9:85:1C:45:3E:64:09:EA:E8:7D:60:F1
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -17064,6 +18660,13 @@
+ END
+ 
+ # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority"
++# Issuer: OU=Class 1 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
++# Serial Number:3f:69:1e:81:9c:f0:9a:4a:f3:73:ff:b9:48:a2:e4:dd
++# Subject: OU=Class 1 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
++# Not Valid Before: Mon Jan 29 00:00:00 1996
++# Not Valid After : Wed Aug 02 23:59:59 2028
++# Fingerprint (MD5): 86:AC:DE:2B:C5:6D:C3:D9:8C:28:88:D3:8D:16:13:1E
++# Fingerprint (SHA1): CE:6A:64:A3:09:E4:2F:BB:D9:85:1C:45:3E:64:09:EA:E8:7D:60:F1
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -17097,6 +18700,13 @@
+ #
+ # Certificate "Verisign Class 3 Public Primary Certification Authority"
+ #
++# Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
++# Serial Number:3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
++# Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
++# Not Valid Before: Mon Jan 29 00:00:00 1996
++# Not Valid After : Wed Aug 02 23:59:59 2028
++# Fingerprint (MD5): EF:5A:F1:33:EF:F1:CD:BB:51:02:EE:12:14:4B:96:C4
++# Fingerprint (SHA1): A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -17166,6 +18776,13 @@
+ END
+ 
+ # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority"
++# Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
++# Serial Number:3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
++# Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
++# Not Valid Before: Mon Jan 29 00:00:00 1996
++# Not Valid After : Wed Aug 02 23:59:59 2028
++# Fingerprint (MD5): EF:5A:F1:33:EF:F1:CD:BB:51:02:EE:12:14:4B:96:C4
++# Fingerprint (SHA1): A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -17199,6 +18816,13 @@
+ #
+ # Certificate "Microsec e-Szigno Root CA 2009"
+ #
++# Issuer: E=info at e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
++# Serial Number:00:c2:7e:43:04:4e:47:3f:19
++# Subject: E=info at e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
++# Not Valid Before: Tue Jun 16 11:30:18 2009
++# Not Valid After : Sun Dec 30 11:30:18 2029
++# Fingerprint (MD5): F8:49:F4:03:BC:44:2D:83:BE:48:69:7D:29:64:FC:B1
++# Fingerprint (SHA1): 89:DF:74:FE:5C:F4:0F:4A:80:F9:E3:37:7D:54:DA:91:E1:01:31:8E
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -17300,6 +18924,13 @@
+ END
+ 
+ # Trust for Certificate "Microsec e-Szigno Root CA 2009"
++# Issuer: E=info at e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
++# Serial Number:00:c2:7e:43:04:4e:47:3f:19
++# Subject: E=info at e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
++# Not Valid Before: Tue Jun 16 11:30:18 2009
++# Not Valid After : Sun Dec 30 11:30:18 2029
++# Fingerprint (MD5): F8:49:F4:03:BC:44:2D:83:BE:48:69:7D:29:64:FC:B1
++# Fingerprint (SHA1): 89:DF:74:FE:5C:F4:0F:4A:80:F9:E3:37:7D:54:DA:91:E1:01:31:8E
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -17334,6 +18965,13 @@
+ #
+ # Certificate "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+ #
++# Issuer: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
++# Serial Number:44:99:8d:3c:c0:03:27:bd:9c:76:95:b9:ea:db:ac:b5
++# Subject: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
++# Not Valid Before: Thu Jan 04 11:32:48 2007
++# Not Valid After : Wed Jan 04 11:32:48 2017
++# Fingerprint (MD5): 3D:41:29:CB:1E:AA:11:74:CD:5D:B0:62:AF:B0:43:5B
++# Fingerprint (SHA1): DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -17429,6 +19067,13 @@
+ END
+ 
+ # Trust for Certificate "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
++# Issuer: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
++# Serial Number:44:99:8d:3c:c0:03:27:bd:9c:76:95:b9:ea:db:ac:b5
++# Subject: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
++# Not Valid Before: Thu Jan 04 11:32:48 2007
++# Not Valid After : Wed Jan 04 11:32:48 2017
++# Fingerprint (MD5): 3D:41:29:CB:1E:AA:11:74:CD:5D:B0:62:AF:B0:43:5B
++# Fingerprint (SHA1): DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -17463,6 +19108,13 @@
+ #
+ # Certificate "GlobalSign Root CA - R3"
+ #
++# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
++# Serial Number:04:00:00:00:00:01:21:58:53:08:a2
++# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
++# Not Valid Before: Wed Mar 18 10:00:00 2009
++# Not Valid After : Sun Mar 18 10:00:00 2029
++# Fingerprint (MD5): C5:DF:B8:49:CA:05:13:55:EE:2D:BA:1A:C3:3E:B0:28
++# Fingerprint (SHA1): D6:9B:56:11:48:F0:1C:77:C5:45:78:C1:09:26:DF:5B:85:69:76:AD
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -17546,6 +19198,13 @@
+ END
+ 
+ # Trust for Certificate "GlobalSign Root CA - R3"
++# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
++# Serial Number:04:00:00:00:00:01:21:58:53:08:a2
++# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
++# Not Valid Before: Wed Mar 18 10:00:00 2009
++# Not Valid After : Sun Mar 18 10:00:00 2029
++# Fingerprint (MD5): C5:DF:B8:49:CA:05:13:55:EE:2D:BA:1A:C3:3E:B0:28
++# Fingerprint (SHA1): D6:9B:56:11:48:F0:1C:77:C5:45:78:C1:09:26:DF:5B:85:69:76:AD
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -17576,6 +19235,13 @@
+ #
+ # Certificate "TC TrustCenter Universal CA III"
+ #
++# Issuer: CN=TC TrustCenter Universal CA III,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
++# Serial Number:63:25:00:01:00:02:14:8d:33:15:02:e4:6c:f4
++# Subject: CN=TC TrustCenter Universal CA III,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
++# Not Valid Before: Wed Sep 09 08:15:27 2009
++# Not Valid After : Mon Dec 31 23:59:59 2029
++# Fingerprint (MD5): 9F:DD:DB:AB:FF:8E:FF:45:21:5F:F0:6C:9D:8F:FE:2B
++# Fingerprint (SHA1): 96:56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -17673,6 +19339,13 @@
+ END
+ 
+ # Trust for Certificate "TC TrustCenter Universal CA III"
++# Issuer: CN=TC TrustCenter Universal CA III,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
++# Serial Number:63:25:00:01:00:02:14:8d:33:15:02:e4:6c:f4
++# Subject: CN=TC TrustCenter Universal CA III,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
++# Not Valid Before: Wed Sep 09 08:15:27 2009
++# Not Valid After : Mon Dec 31 23:59:59 2029
++# Fingerprint (MD5): 9F:DD:DB:AB:FF:8E:FF:45:21:5F:F0:6C:9D:8F:FE:2B
++# Fingerprint (SHA1): 96:56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -17706,6 +19379,13 @@
+ #
+ # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+ #
++# Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
++# Serial Number:53:ec:3b:ee:fb:b2:48:5f
++# Subject: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
++# Not Valid Before: Wed May 20 08:38:15 2009
++# Not Valid After : Tue Dec 31 08:38:15 2030
++# Fingerprint (MD5): 73:3A:74:7A:EC:BB:A3:96:A6:C2:E4:E2:C8:9B:C0:C3
++# Fingerprint (SHA1): AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -17834,6 +19514,13 @@
+ END
+ 
+ # Trust for Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
++# Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
++# Serial Number:53:ec:3b:ee:fb:b2:48:5f
++# Subject: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
++# Not Valid Before: Wed May 20 08:38:15 2009
++# Not Valid After : Tue Dec 31 08:38:15 2030
++# Fingerprint (MD5): 73:3A:74:7A:EC:BB:A3:96:A6:C2:E4:E2:C8:9B:C0:C3
++# Fingerprint (SHA1): AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -17865,6 +19552,13 @@
+ #
+ # Certificate "Izenpe.com"
+ #
++# Issuer: CN=Izenpe.com,O=IZENPE S.A.,C=ES
++# Serial Number:00:b0:b7:5a:16:48:5f:bf:e1:cb:f5:8b:d7:19:e6:7d
++# Subject: CN=Izenpe.com,O=IZENPE S.A.,C=ES
++# Not Valid Before: Thu Dec 13 13:08:28 2007
++# Not Valid After : Sun Dec 13 08:27:25 2037
++# Fingerprint (MD5): A6:B0:CD:85:80:DA:5C:50:34:A3:39:90:2F:55:67:73
++# Fingerprint (SHA1): 2F:78:3D:25:52:18:A7:4A:65:39:71:B5:2C:A2:9C:45:15:6F:E9:19
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -17988,6 +19682,13 @@
+ END
+ 
+ # Trust for Certificate "Izenpe.com"
++# Issuer: CN=Izenpe.com,O=IZENPE S.A.,C=ES
++# Serial Number:00:b0:b7:5a:16:48:5f:bf:e1:cb:f5:8b:d7:19:e6:7d
++# Subject: CN=Izenpe.com,O=IZENPE S.A.,C=ES
++# Not Valid Before: Thu Dec 13 13:08:28 2007
++# Not Valid After : Sun Dec 13 08:27:25 2037
++# Fingerprint (MD5): A6:B0:CD:85:80:DA:5C:50:34:A3:39:90:2F:55:67:73
++# Fingerprint (SHA1): 2F:78:3D:25:52:18:A7:4A:65:39:71:B5:2C:A2:9C:45:15:6F:E9:19
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -18018,6 +19719,13 @@
+ #
+ # Certificate "Chambers of Commerce Root - 2008"
+ #
++# Issuer: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
++# Serial Number:00:a3:da:42:7e:a4:b1:ae:da
++# Subject: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
++# Not Valid Before: Fri Aug 01 12:29:50 2008
++# Not Valid After : Sat Jul 31 12:29:50 2038
++# Fingerprint (MD5): 5E:80:9E:84:5A:0E:65:0B:17:02:F3:55:18:2A:3E:D7
++# Fingerprint (SHA1): 78:6A:74:AC:76:AB:14:7F:9C:6A:30:50:BA:9E:A8:7E:FE:9A:CE:3C
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -18178,6 +19886,13 @@
+ END
+ 
+ # Trust for Certificate "Chambers of Commerce Root - 2008"
++# Issuer: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
++# Serial Number:00:a3:da:42:7e:a4:b1:ae:da
++# Subject: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
++# Not Valid Before: Fri Aug 01 12:29:50 2008
++# Not Valid After : Sat Jul 31 12:29:50 2038
++# Fingerprint (MD5): 5E:80:9E:84:5A:0E:65:0B:17:02:F3:55:18:2A:3E:D7
++# Fingerprint (SHA1): 78:6A:74:AC:76:AB:14:7F:9C:6A:30:50:BA:9E:A8:7E:FE:9A:CE:3C
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -18215,6 +19930,13 @@
+ #
+ # Certificate "Global Chambersign Root - 2008"
+ #
++# Issuer: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
++# Serial Number:00:c9:cd:d3:e9:d5:7d:23:ce
++# Subject: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
++# Not Valid Before: Fri Aug 01 12:31:40 2008
++# Not Valid After : Sat Jul 31 12:31:40 2038
++# Fingerprint (MD5): 9E:80:FF:78:01:0C:2E:C1:36:BD:FE:96:90:6E:08:F3
++# Fingerprint (SHA1): 4A:BD:EE:EC:95:0D:35:9C:89:AE:C7:52:A1:2C:5B:29:F6:D6:AA:0C
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -18372,6 +20094,13 @@
+ END
+ 
+ # Trust for Certificate "Global Chambersign Root - 2008"
++# Issuer: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
++# Serial Number:00:c9:cd:d3:e9:d5:7d:23:ce
++# Subject: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
++# Not Valid Before: Fri Aug 01 12:31:40 2008
++# Not Valid After : Sat Jul 31 12:31:40 2038
++# Fingerprint (MD5): 9E:80:FF:78:01:0C:2E:C1:36:BD:FE:96:90:6E:08:F3
++# Fingerprint (SHA1): 4A:BD:EE:EC:95:0D:35:9C:89:AE:C7:52:A1:2C:5B:29:F6:D6:AA:0C
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -18408,6 +20137,13 @@
+ #
+ # Certificate "Bogus Mozilla Addons"
+ #
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:00:92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43
++# Subject: CN=addons.mozilla.org,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
++# Not Valid Before: Tue Mar 15 00:00:00 2011
++# Not Valid After : Fri Mar 14 23:59:59 2014
++# Fingerprint (MD5): 84:C5:18:67:1F:2A:1A:90:BE:E2:B1:18:4F:03:00:32
++# Fingerprint (SHA1): 30:5F:8B:D1:7A:A2:CB:C4:83:A4:C4:1B:19:A3:9A:0C:75:DA:39:D6
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -18548,6 +20284,13 @@
+ END
+ 
+ # Trust for Certificate "Bogus Mozilla Addons"
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:00:92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43
++# Subject: CN=addons.mozilla.org,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
++# Not Valid Before: Tue Mar 15 00:00:00 2011
++# Not Valid After : Fri Mar 14 23:59:59 2014
++# Fingerprint (MD5): 84:C5:18:67:1F:2A:1A:90:BE:E2:B1:18:4F:03:00:32
++# Fingerprint (SHA1): 30:5F:8B:D1:7A:A2:CB:C4:83:A4:C4:1B:19:A3:9A:0C:75:DA:39:D6
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -18584,6 +20327,13 @@
+ #
+ # Certificate "Bogus Global Trustee"
+ #
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:00:d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0
++# Subject: CN=global trustee,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Global Trustee,O=Global Trustee,STREET=Sea Village 10,L=Tampa,ST=Florida,postalCode=38477,C=US
++# Not Valid Before: Tue Mar 15 00:00:00 2011
++# Not Valid After : Fri Mar 14 23:59:59 2014
++# Fingerprint (MD5): FE:0D:01:6E:71:CB:8C:D8:3F:0E:0C:CD:49:35:B8:57
++# Fingerprint (SHA1): 61:79:3F:CB:FA:4F:90:08:30:9B:BA:5F:F1:2D:2C:B2:9C:D4:15:1A
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -18739,6 +20489,13 @@
+ END
+ 
+ # Trust for Certificate "Bogus Global Trustee"
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:00:d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0
++# Subject: CN=global trustee,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Global Trustee,O=Global Trustee,STREET=Sea Village 10,L=Tampa,ST=Florida,postalCode=38477,C=US
++# Not Valid Before: Tue Mar 15 00:00:00 2011
++# Not Valid After : Fri Mar 14 23:59:59 2014
++# Fingerprint (MD5): FE:0D:01:6E:71:CB:8C:D8:3F:0E:0C:CD:49:35:B8:57
++# Fingerprint (SHA1): 61:79:3F:CB:FA:4F:90:08:30:9B:BA:5F:F1:2D:2C:B2:9C:D4:15:1A
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -18775,6 +20532,13 @@
+ #
+ # Certificate "Bogus GMail"
+ #
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e
++# Subject: CN=mail.google.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
++# Not Valid Before: Tue Mar 15 00:00:00 2011
++# Not Valid After : Fri Mar 14 23:59:59 2014
++# Fingerprint (MD5): 4C:77:1F:EB:CA:31:C1:29:98:E9:2C:10:B3:AF:49:1C
++# Fingerprint (SHA1): 64:31:72:30:36:FD:26:DE:A5:02:79:2F:A5:95:92:24:93:03:0F:97
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -18915,6 +20679,13 @@
+ END
+ 
+ # Trust for Certificate "Bogus GMail"
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e
++# Subject: CN=mail.google.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
++# Not Valid Before: Tue Mar 15 00:00:00 2011
++# Not Valid After : Fri Mar 14 23:59:59 2014
++# Fingerprint (MD5): 4C:77:1F:EB:CA:31:C1:29:98:E9:2C:10:B3:AF:49:1C
++# Fingerprint (SHA1): 64:31:72:30:36:FD:26:DE:A5:02:79:2F:A5:95:92:24:93:03:0F:97
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -18951,6 +20722,13 @@
+ #
+ # Certificate "Bogus Google"
+ #
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:00:f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06
++# Subject: CN=www.google.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
++# Not Valid Before: Tue Mar 15 00:00:00 2011
++# Not Valid After : Fri Mar 14 23:59:59 2014
++# Fingerprint (MD5): 01:73:A9:58:F0:BC:C9:BE:94:2B:1A:4C:98:24:E3:B8
++# Fingerprint (SHA1): 19:16:A2:AF:34:6D:39:9F:50:31:3C:39:32:00:F1:41:40:45:66:16
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -19090,6 +20868,13 @@
+ END
+ 
+ # Trust for Certificate "Bogus Google"
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:00:f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06
++# Subject: CN=www.google.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
++# Not Valid Before: Tue Mar 15 00:00:00 2011
++# Not Valid After : Fri Mar 14 23:59:59 2014
++# Fingerprint (MD5): 01:73:A9:58:F0:BC:C9:BE:94:2B:1A:4C:98:24:E3:B8
++# Fingerprint (SHA1): 19:16:A2:AF:34:6D:39:9F:50:31:3C:39:32:00:F1:41:40:45:66:16
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -19126,6 +20911,13 @@
+ #
+ # Certificate "Bogus Skype"
+ #
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:00:e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47
++# Subject: CN=login.skype.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
++# Not Valid Before: Tue Mar 15 00:00:00 2011
++# Not Valid After : Fri Mar 14 23:59:59 2014
++# Fingerprint (MD5): 85:A4:B4:C4:69:21:DF:A1:6A:0D:58:56:58:4B:33:44
++# Fingerprint (SHA1): 47:1C:94:9A:81:43:DB:5A:D5:CD:F1:C9:72:86:4A:25:04:FA:23:C9
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -19266,6 +21058,13 @@
+ END
+ 
+ # Trust for Certificate "Bogus Skype"
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:00:e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47
++# Subject: CN=login.skype.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
++# Not Valid Before: Tue Mar 15 00:00:00 2011
++# Not Valid After : Fri Mar 14 23:59:59 2014
++# Fingerprint (MD5): 85:A4:B4:C4:69:21:DF:A1:6A:0D:58:56:58:4B:33:44
++# Fingerprint (SHA1): 47:1C:94:9A:81:43:DB:5A:D5:CD:F1:C9:72:86:4A:25:04:FA:23:C9
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -19302,6 +21101,13 @@
+ #
+ # Certificate "Bogus Yahoo 1"
+ #
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:00:d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3
++# Subject: CN=login.yahoo.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
++# Not Valid Before: Tue Mar 15 00:00:00 2011
++# Not Valid After : Fri Mar 14 23:59:59 2014
++# Fingerprint (MD5): 0C:1F:BE:D3:FC:09:6E:E6:6E:C2:66:39:75:86:6B:EB
++# Fingerprint (SHA1): 63:FE:AE:96:0B:AA:91:E3:43:CE:2B:D8:B7:17:98:C7:6B:DB:77:D0
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -19442,6 +21248,13 @@
+ END
+ 
+ # Trust for Certificate "Bogus Yahoo 1"
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:00:d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3
++# Subject: CN=login.yahoo.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
++# Not Valid Before: Tue Mar 15 00:00:00 2011
++# Not Valid After : Fri Mar 14 23:59:59 2014
++# Fingerprint (MD5): 0C:1F:BE:D3:FC:09:6E:E6:6E:C2:66:39:75:86:6B:EB
++# Fingerprint (SHA1): 63:FE:AE:96:0B:AA:91:E3:43:CE:2B:D8:B7:17:98:C7:6B:DB:77:D0
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -19478,6 +21291,13 @@
+ #
+ # Certificate "Bogus Yahoo 2"
+ #
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29
++# Subject: CN=login.yahoo.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
++# Not Valid Before: Tue Mar 15 00:00:00 2011
++# Not Valid After : Fri Mar 14 23:59:59 2014
++# Fingerprint (MD5): 72:DC:C8:72:6C:53:3B:B2:FD:CC:5D:19:BD:AF:A6:31
++# Fingerprint (SHA1): D0:18:B6:2D:C5:18:90:72:47:DF:50:92:5B:B0:9A:CF:4A:5C:B3:AD
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -19616,6 +21436,13 @@
+ END
+ 
+ # Trust for Certificate "Bogus Yahoo 2"
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29
++# Subject: CN=login.yahoo.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
++# Not Valid Before: Tue Mar 15 00:00:00 2011
++# Not Valid After : Fri Mar 14 23:59:59 2014
++# Fingerprint (MD5): 72:DC:C8:72:6C:53:3B:B2:FD:CC:5D:19:BD:AF:A6:31
++# Fingerprint (SHA1): D0:18:B6:2D:C5:18:90:72:47:DF:50:92:5B:B0:9A:CF:4A:5C:B3:AD
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -19652,6 +21479,13 @@
+ #
+ # Certificate "Bogus Yahoo 3"
+ #
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71
++# Subject: CN=login.yahoo.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
++# Not Valid Before: Tue Mar 15 00:00:00 2011
++# Not Valid After : Fri Mar 14 23:59:59 2014
++# Fingerprint (MD5): 4A:DC:3C:67:ED:21:CD:5B:CE:5D:C8:11:E4:9E:CF:3D
++# Fingerprint (SHA1): 80:96:2A:E4:D6:C5:B4:42:89:4E:95:A1:3E:4A:69:9E:07:D6:94:CF
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -19790,6 +21624,13 @@
+ END
+ 
+ # Trust for Certificate "Bogus Yahoo 3"
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71
++# Subject: CN=login.yahoo.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
++# Not Valid Before: Tue Mar 15 00:00:00 2011
++# Not Valid After : Fri Mar 14 23:59:59 2014
++# Fingerprint (MD5): 4A:DC:3C:67:ED:21:CD:5B:CE:5D:C8:11:E4:9E:CF:3D
++# Fingerprint (SHA1): 80:96:2A:E4:D6:C5:B4:42:89:4E:95:A1:3E:4A:69:9E:07:D6:94:CF
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -19826,6 +21667,13 @@
+ #
+ # Certificate "Bogus live.com"
+ #
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:00:b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0
++# Subject: CN=login.live.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
++# Not Valid Before: Tue Mar 15 00:00:00 2011
++# Not Valid After : Fri Mar 14 23:59:59 2014
++# Fingerprint (MD5): D0:D4:39:E3:CC:5C:52:DD:08:CD:E9:AB:E8:11:59:D4
++# Fingerprint (SHA1): CE:A5:86:B2:CE:59:3E:C7:D9:39:89:83:37:C5:78:14:70:8A:B2:BE
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -19965,6 +21813,13 @@
+ END
+ 
+ # Trust for Certificate "Bogus live.com"
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:00:b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0
++# Subject: CN=login.live.com,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
++# Not Valid Before: Tue Mar 15 00:00:00 2011
++# Not Valid After : Fri Mar 14 23:59:59 2014
++# Fingerprint (MD5): D0:D4:39:E3:CC:5C:52:DD:08:CD:E9:AB:E8:11:59:D4
++# Fingerprint (SHA1): CE:A5:86:B2:CE:59:3E:C7:D9:39:89:83:37:C5:78:14:70:8A:B2:BE
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -20001,6 +21856,13 @@
+ #
+ # Certificate "Bogus kuix.de"
+ #
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0
++# Subject: CN=kuix.de,OU=Comodo Trial SSL,OU=TEST USE ONLY - NO WARRANTY ATTACHED,OU=For Testing Purposes Only,O=Kai Engert,STREET=Test Street,L=Test City,ST=Test State,postalCode=12345,C=DE
++# Not Valid Before: Thu Mar 17 00:00:00 2011
++# Not Valid After : Sat Apr 16 23:59:59 2011
++# Fingerprint (MD5): F7:5F:98:BC:D8:64:0C:16:E5:AE:EE:AA:00:F6:1F:07
++# Fingerprint (SHA1): 82:61:4B:EC:97:48:15:DE:CC:9A:CC:6E:84:21:71:79:B2:64:20:40
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -20133,6 +21995,13 @@
+ END
+ 
+ # Trust for Certificate "Bogus kuix.de"
++# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
++# Serial Number:72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0
++# Subject: CN=kuix.de,OU=Comodo Trial SSL,OU=TEST USE ONLY - NO WARRANTY ATTACHED,OU=For Testing Purposes Only,O=Kai Engert,STREET=Test Street,L=Test City,ST=Test State,postalCode=12345,C=DE
++# Not Valid Before: Thu Mar 17 00:00:00 2011
++# Not Valid After : Sat Apr 16 23:59:59 2011
++# Fingerprint (MD5): F7:5F:98:BC:D8:64:0C:16:E5:AE:EE:AA:00:F6:1F:07
++# Fingerprint (SHA1): 82:61:4B:EC:97:48:15:DE:CC:9A:CC:6E:84:21:71:79:B2:64:20:40
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -20169,6 +22038,13 @@
+ #
+ # Certificate "Go Daddy Root Certificate Authority - G2"
+ #
++# Issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
++# Serial Number: 0 (0x0)
++# Subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
++# Not Valid Before: Tue Sep 01 00:00:00 2009
++# Not Valid After : Thu Dec 31 23:59:59 2037
++# Fingerprint (MD5): 80:3A:BC:22:C1:E6:FB:8D:9B:3B:27:4A:32:1B:9A:01
++# Fingerprint (SHA1): 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -20266,6 +22142,13 @@
+ END
+ 
+ # Trust for Certificate "Go Daddy Root Certificate Authority - G2"
++# Issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
++# Serial Number: 0 (0x0)
++# Subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
++# Not Valid Before: Tue Sep 01 00:00:00 2009
++# Not Valid After : Thu Dec 31 23:59:59 2037
++# Fingerprint (MD5): 80:3A:BC:22:C1:E6:FB:8D:9B:3B:27:4A:32:1B:9A:01
++# Fingerprint (SHA1): 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -20300,6 +22183,13 @@
+ #
+ # Certificate "Starfield Root Certificate Authority - G2"
+ #
++# Issuer: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
++# Serial Number: 0 (0x0)
++# Subject: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
++# Not Valid Before: Tue Sep 01 00:00:00 2009
++# Not Valid After : Thu Dec 31 23:59:59 2037
++# Fingerprint (MD5): D6:39:81:C6:52:7E:96:69:FC:FC:CA:66:ED:05:F2:96
++# Fingerprint (SHA1): B5:1C:06:7C:EE:2B:0C:3D:F8:55:AB:2D:92:F4:FE:39:D4:E7:0F:0E
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -20401,6 +22291,13 @@
+ END
+ 
+ # Trust for Certificate "Starfield Root Certificate Authority - G2"
++# Issuer: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
++# Serial Number: 0 (0x0)
++# Subject: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
++# Not Valid Before: Tue Sep 01 00:00:00 2009
++# Not Valid After : Thu Dec 31 23:59:59 2037
++# Fingerprint (MD5): D6:39:81:C6:52:7E:96:69:FC:FC:CA:66:ED:05:F2:96
++# Fingerprint (SHA1): B5:1C:06:7C:EE:2B:0C:3D:F8:55:AB:2D:92:F4:FE:39:D4:E7:0F:0E
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -20436,6 +22333,13 @@
+ #
+ # Certificate "Starfield Services Root Certificate Authority - G2"
+ #
++# Issuer: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
++# Serial Number: 0 (0x0)
++# Subject: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
++# Not Valid Before: Tue Sep 01 00:00:00 2009
++# Not Valid After : Thu Dec 31 23:59:59 2037
++# Fingerprint (MD5): 17:35:74:AF:7B:61:1C:EB:F4:F9:3C:E2:EE:40:F9:A2
++# Fingerprint (SHA1): 92:5A:8F:8D:2C:6D:04:E0:66:5F:59:6A:FF:22:D8:63:E8:25:6F:3F
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -20538,6 +22442,13 @@
+ END
+ 
+ # Trust for Certificate "Starfield Services Root Certificate Authority - G2"
++# Issuer: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
++# Serial Number: 0 (0x0)
++# Subject: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
++# Not Valid Before: Tue Sep 01 00:00:00 2009
++# Not Valid After : Thu Dec 31 23:59:59 2037
++# Fingerprint (MD5): 17:35:74:AF:7B:61:1C:EB:F4:F9:3C:E2:EE:40:F9:A2
++# Fingerprint (SHA1): 92:5A:8F:8D:2C:6D:04:E0:66:5F:59:6A:FF:22:D8:63:E8:25:6F:3F
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -20573,6 +22484,13 @@
+ #
+ # Certificate "AffirmTrust Commercial"
+ #
++# Issuer: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
++# Serial Number:77:77:06:27:26:a9:b1:7c
++# Subject: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
++# Not Valid Before: Fri Jan 29 14:06:06 2010
++# Not Valid After : Tue Dec 31 14:06:06 2030
++# Fingerprint (MD5): 82:92:BA:5B:EF:CD:8A:6F:A6:3D:55:F9:84:F6:D6:B7
++# Fingerprint (SHA1): F9:B5:B6:32:45:5F:9C:BE:EC:57:5F:80:DC:E9:6E:2C:C7:B2:78:B7
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -20654,6 +22572,13 @@
+ END
+ 
+ # Trust for Certificate "AffirmTrust Commercial"
++# Issuer: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
++# Serial Number:77:77:06:27:26:a9:b1:7c
++# Subject: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
++# Not Valid Before: Fri Jan 29 14:06:06 2010
++# Not Valid After : Tue Dec 31 14:06:06 2030
++# Fingerprint (MD5): 82:92:BA:5B:EF:CD:8A:6F:A6:3D:55:F9:84:F6:D6:B7
++# Fingerprint (SHA1): F9:B5:B6:32:45:5F:9C:BE:EC:57:5F:80:DC:E9:6E:2C:C7:B2:78:B7
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -20684,6 +22609,13 @@
+ #
+ # Certificate "AffirmTrust Networking"
+ #
++# Issuer: CN=AffirmTrust Networking,O=AffirmTrust,C=US
++# Serial Number:7c:4f:04:39:1c:d4:99:2d
++# Subject: CN=AffirmTrust Networking,O=AffirmTrust,C=US
++# Not Valid Before: Fri Jan 29 14:08:24 2010
++# Not Valid After : Tue Dec 31 14:08:24 2030
++# Fingerprint (MD5): 42:65:CA:BE:01:9A:9A:4C:A9:8C:41:49:CD:C0:D5:7F
++# Fingerprint (SHA1): 29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -20765,6 +22697,13 @@
+ END
+ 
+ # Trust for Certificate "AffirmTrust Networking"
++# Issuer: CN=AffirmTrust Networking,O=AffirmTrust,C=US
++# Serial Number:7c:4f:04:39:1c:d4:99:2d
++# Subject: CN=AffirmTrust Networking,O=AffirmTrust,C=US
++# Not Valid Before: Fri Jan 29 14:08:24 2010
++# Not Valid After : Tue Dec 31 14:08:24 2030
++# Fingerprint (MD5): 42:65:CA:BE:01:9A:9A:4C:A9:8C:41:49:CD:C0:D5:7F
++# Fingerprint (SHA1): 29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -20795,6 +22734,13 @@
+ #
+ # Certificate "AffirmTrust Premium"
+ #
++# Issuer: CN=AffirmTrust Premium,O=AffirmTrust,C=US
++# Serial Number:6d:8c:14:46:b1:a6:0a:ee
++# Subject: CN=AffirmTrust Premium,O=AffirmTrust,C=US
++# Not Valid Before: Fri Jan 29 14:10:36 2010
++# Not Valid After : Mon Dec 31 14:10:36 2040
++# Fingerprint (MD5): C4:5D:0E:48:B6:AC:28:30:4E:0A:BC:F9:38:16:87:57
++# Fingerprint (SHA1): D8:A6:33:2C:E0:03:6F:B1:85:F6:63:4F:7D:6A:06:65:26:32:28:27
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -20908,6 +22854,13 @@
+ END
+ 
+ # Trust for Certificate "AffirmTrust Premium"
++# Issuer: CN=AffirmTrust Premium,O=AffirmTrust,C=US
++# Serial Number:6d:8c:14:46:b1:a6:0a:ee
++# Subject: CN=AffirmTrust Premium,O=AffirmTrust,C=US
++# Not Valid Before: Fri Jan 29 14:10:36 2010
++# Not Valid After : Mon Dec 31 14:10:36 2040
++# Fingerprint (MD5): C4:5D:0E:48:B6:AC:28:30:4E:0A:BC:F9:38:16:87:57
++# Fingerprint (SHA1): D8:A6:33:2C:E0:03:6F:B1:85:F6:63:4F:7D:6A:06:65:26:32:28:27
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -20938,6 +22891,13 @@
+ #
+ # Certificate "AffirmTrust Premium ECC"
+ #
++# Issuer: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
++# Serial Number:74:97:25:8a:c7:3f:7a:54
++# Subject: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
++# Not Valid Before: Fri Jan 29 14:20:24 2010
++# Not Valid After : Mon Dec 31 14:20:24 2040
++# Fingerprint (MD5): 64:B0:09:55:CF:B1:D5:99:E2:BE:13:AB:A6:5D:EA:4D
++# Fingerprint (SHA1): B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -20999,6 +22959,13 @@
+ END
+ 
+ # Trust for Certificate "AffirmTrust Premium ECC"
++# Issuer: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
++# Serial Number:74:97:25:8a:c7:3f:7a:54
++# Subject: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
++# Not Valid Before: Fri Jan 29 14:20:24 2010
++# Not Valid After : Mon Dec 31 14:20:24 2040
++# Fingerprint (MD5): 64:B0:09:55:CF:B1:D5:99:E2:BE:13:AB:A6:5D:EA:4D
++# Fingerprint (SHA1): B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -21029,6 +22996,13 @@
+ #
+ # Certificate "Certum Trusted Network CA"
+ #
++# Issuer: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
++# Serial Number: 279744 (0x444c0)
++# Subject: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
++# Not Valid Before: Wed Oct 22 12:07:37 2008
++# Not Valid After : Mon Dec 31 12:07:37 2029
++# Fingerprint (MD5): D5:E9:81:40:C5:18:69:FC:46:2C:89:75:62:0F:AA:78
++# Fingerprint (SHA1): 07:E0:32:E0:20:B7:2C:3F:19:2F:06:28:A2:59:3A:19:A7:0F:06:9E
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -21123,6 +23097,13 @@
+ END
+ 
+ # Trust for Certificate "Certum Trusted Network CA"
++# Issuer: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
++# Serial Number: 279744 (0x444c0)
++# Subject: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
++# Not Valid Before: Wed Oct 22 12:07:37 2008
++# Not Valid After : Mon Dec 31 12:07:37 2029
++# Fingerprint (MD5): D5:E9:81:40:C5:18:69:FC:46:2C:89:75:62:0F:AA:78
++# Fingerprint (SHA1): 07:E0:32:E0:20:B7:2C:3F:19:2F:06:28:A2:59:3A:19:A7:0F:06:9E
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -21156,6 +23137,13 @@
+ #
+ # Certificate "Certinomis - Autorité Racine"
+ #
++# Issuer: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
++# Serial Number: 1 (0x1)
++# Subject: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
++# Not Valid Before: Wed Sep 17 08:28:59 2008
++# Not Valid After : Sun Sep 17 08:28:59 2028
++# Fingerprint (MD5): 7F:30:78:8C:03:E3:CA:C9:0A:E2:C9:EA:1E:AA:55:1A
++# Fingerprint (SHA1): 2E:14:DA:EC:28:F0:FA:1E:8E:38:9A:4E:AB:EB:26:C0:0A:D3:83:C3
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -21278,6 +23266,13 @@
+ END
+ 
+ # Trust for Certificate "Certinomis - Autorité Racine"
++# Issuer: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
++# Serial Number: 1 (0x1)
++# Subject: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
++# Not Valid Before: Wed Sep 17 08:28:59 2008
++# Not Valid After : Sun Sep 17 08:28:59 2028
++# Fingerprint (MD5): 7F:30:78:8C:03:E3:CA:C9:0A:E2:C9:EA:1E:AA:55:1A
++# Fingerprint (SHA1): 2E:14:DA:EC:28:F0:FA:1E:8E:38:9A:4E:AB:EB:26:C0:0A:D3:83:C3
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -21310,6 +23305,13 @@
+ #
+ # Certificate "Root CA Generalitat Valenciana"
+ #
++# Issuer: CN=Root CA Generalitat Valenciana,OU=PKIGVA,O=Generalitat Valenciana,C=ES
++# Serial Number: 994436456 (0x3b45e568)
++# Subject: CN=Root CA Generalitat Valenciana,OU=PKIGVA,O=Generalitat Valenciana,C=ES
++# Not Valid Before: Fri Jul 06 16:22:47 2001
++# Not Valid After : Thu Jul 01 15:22:47 2021
++# Fingerprint (MD5): 2C:8C:17:5E:B1:54:AB:93:17:B5:36:5A:DB:D1:C6:F2
++# Fingerprint (SHA1): A0:73:E5:C5:BD:43:61:0D:86:4C:21:13:0A:85:58:57:CC:9C:EA:46
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -21447,6 +23449,13 @@
+ END
+ 
+ # Trust for Certificate "Root CA Generalitat Valenciana"
++# Issuer: CN=Root CA Generalitat Valenciana,OU=PKIGVA,O=Generalitat Valenciana,C=ES
++# Serial Number: 994436456 (0x3b45e568)
++# Subject: CN=Root CA Generalitat Valenciana,OU=PKIGVA,O=Generalitat Valenciana,C=ES
++# Not Valid Before: Fri Jul 06 16:22:47 2001
++# Not Valid After : Thu Jul 01 15:22:47 2021
++# Fingerprint (MD5): 2C:8C:17:5E:B1:54:AB:93:17:B5:36:5A:DB:D1:C6:F2
++# Fingerprint (SHA1): A0:73:E5:C5:BD:43:61:0D:86:4C:21:13:0A:85:58:57:CC:9C:EA:46
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -21479,6 +23488,13 @@
+ #
+ # Certificate "A-Trust-nQual-03"
+ #
++# Issuer: CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
++# Serial Number: 93214 (0x16c1e)
++# Subject: CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
++# Not Valid Before: Wed Aug 17 22:00:00 2005
++# Not Valid After : Mon Aug 17 22:00:00 2015
++# Fingerprint (MD5): 49:63:AE:27:F4:D5:95:3D:D8:DB:24:86:B8:9C:07:53
++# Fingerprint (SHA1): D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -21577,6 +23593,13 @@
+ END
+ 
+ # Trust for Certificate "A-Trust-nQual-03"
++# Issuer: CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
++# Serial Number: 93214 (0x16c1e)
++# Subject: CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
++# Not Valid Before: Wed Aug 17 22:00:00 2005
++# Not Valid After : Mon Aug 17 22:00:00 2015
++# Fingerprint (MD5): 49:63:AE:27:F4:D5:95:3D:D8:DB:24:86:B8:9C:07:53
++# Fingerprint (SHA1): D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -21611,6 +23634,13 @@
+ #
+ # Certificate "TWCA Root Certification Authority"
+ #
++# Issuer: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
++# Serial Number: 1 (0x1)
++# Subject: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
++# Not Valid Before: Thu Aug 28 07:24:33 2008
++# Not Valid After : Tue Dec 31 15:59:59 2030
++# Fingerprint (MD5): AA:08:8F:F6:F9:7B:B7:F2:B1:A7:1E:9B:EA:EA:BD:79
++# Fingerprint (SHA1): CF:9E:87:6D:D3:EB:FC:42:26:97:A3:B5:A3:7A:A0:76:A9:06:23:48
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -21699,6 +23729,13 @@
+ END
+ 
+ # Trust for Certificate "TWCA Root Certification Authority"
++# Issuer: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
++# Serial Number: 1 (0x1)
++# Subject: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
++# Not Valid Before: Thu Aug 28 07:24:33 2008
++# Not Valid After : Tue Dec 31 15:59:59 2030
++# Fingerprint (MD5): AA:08:8F:F6:F9:7B:B7:F2:B1:A7:1E:9B:EA:EA:BD:79
++# Fingerprint (SHA1): CF:9E:87:6D:D3:EB:FC:42:26:97:A3:B5:A3:7A:A0:76:A9:06:23:48
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -21731,6 +23768,13 @@
+ #
+ # Certificate "Explicitly Distrust DigiNotar Root CA"
+ #
++# Issuer: E=info at diginotar.nl,CN=DigiNotar Root CA,O=DigiNotar,C=NL
++# Serial Number:0f:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff
++# Subject: E=info at diginotar.nl,CN=DigiNotar Root CA,O=DigiNotar,C=NL
++# Not Valid Before: Fri Jul 27 17:19:37 2007
++# Not Valid After : Mon Mar 31 18:19:22 2025
++# Fingerprint (MD5): 0A:A4:D5:CC:BA:B4:FB:A3:59:E3:E6:01:DD:53:D9:4E
++# Fingerprint (SHA1): C1:77:CB:4B:E0:B4:26:8E:F5:C7:CF:45:99:22:B9:B0:CE:BA:21:2F
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -21853,6 +23897,13 @@
+ END
+ 
+ # Trust for Certificate "Explicitly Distrust DigiNotar Root CA"
++# Issuer: E=info at diginotar.nl,CN=DigiNotar Root CA,O=DigiNotar,C=NL
++# Serial Number:0f:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff
++# Subject: E=info at diginotar.nl,CN=DigiNotar Root CA,O=DigiNotar,C=NL
++# Not Valid Before: Fri Jul 27 17:19:37 2007
++# Not Valid After : Mon Mar 31 18:19:22 2025
++# Fingerprint (MD5): 0A:A4:D5:CC:BA:B4:FB:A3:59:E3:E6:01:DD:53:D9:4E
++# Fingerprint (SHA1): C1:77:CB:4B:E0:B4:26:8E:F5:C7:CF:45:99:22:B9:B0:CE:BA:21:2F
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -21886,6 +23937,13 @@
+ #
+ # Certificate "Explicitly Distrust DigiNotar Services 1024 CA"
+ #
++# Issuer: E=info at diginotar.nl,CN=DigiNotar Services 1024 CA,O=DigiNotar,C=NL
++# Serial Number: 268435455 (0xfffffff)
++# Subject: E=info at diginotar.nl,CN=DigiNotar Services 1024 CA,O=DigiNotar,C=NL
++# Not Valid Before: Thu Jul 26 15:59:01 2007
++# Not Valid After : Mon Aug 26 16:29:01 2013
++# Fingerprint (MD5): 2F:16:68:97:4C:68:4F:CE:52:8A:EC:53:8F:93:49:F8
++# Fingerprint (SHA1): 12:3B:EA:CA:66:67:77:61:E0:EB:68:F2:FE:ED:A2:0F:20:05:55:70
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -21974,6 +24032,13 @@
+ END
+ 
+ # Trust for Certificate "Explicitly Distrust DigiNotar Services 1024 CA"
++# Issuer: E=info at diginotar.nl,CN=DigiNotar Services 1024 CA,O=DigiNotar,C=NL
++# Serial Number: 268435455 (0xfffffff)
++# Subject: E=info at diginotar.nl,CN=DigiNotar Services 1024 CA,O=DigiNotar,C=NL
++# Not Valid Before: Thu Jul 26 15:59:01 2007
++# Not Valid After : Mon Aug 26 16:29:01 2013
++# Fingerprint (MD5): 2F:16:68:97:4C:68:4F:CE:52:8A:EC:53:8F:93:49:F8
++# Fingerprint (SHA1): 12:3B:EA:CA:66:67:77:61:E0:EB:68:F2:FE:ED:A2:0F:20:05:55:70
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -22006,6 +24071,13 @@
+ #
+ # Certificate "Explicitly Distrust DigiNotar Cyber CA"
+ #
++# Issuer: E=info at diginotar.nl,CN=DigiNotar Cyber CA,O=DigiNotar,C=NL
++# Serial Number: 268435455 (0xfffffff)
++# Subject: E=info at diginotar.nl,CN=DigiNotar Cyber CA,O=DigiNotar,C=NL
++# Not Valid Before: Wed Oct 04 10:54:12 2006
++# Not Valid After : Tue Oct 04 10:53:12 2011
++# Fingerprint (MD5): BC:BD:89:12:B4:FF:E5:F9:26:47:C8:60:36:5B:D9:54
++# Fingerprint (SHA1): A5:8E:A0:EC:F6:44:56:35:19:1D:68:5B:C7:A0:E4:1C:B0:4D:79:2E
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -22123,6 +24195,13 @@
+ END
+ 
+ # Trust for Certificate "Explicitly Distrust DigiNotar Cyber CA"
++# Issuer: E=info at diginotar.nl,CN=DigiNotar Cyber CA,O=DigiNotar,C=NL
++# Serial Number: 268435455 (0xfffffff)
++# Subject: E=info at diginotar.nl,CN=DigiNotar Cyber CA,O=DigiNotar,C=NL
++# Not Valid Before: Wed Oct 04 10:54:12 2006
++# Not Valid After : Tue Oct 04 10:53:12 2011
++# Fingerprint (MD5): BC:BD:89:12:B4:FF:E5:F9:26:47:C8:60:36:5B:D9:54
++# Fingerprint (SHA1): A5:8E:A0:EC:F6:44:56:35:19:1D:68:5B:C7:A0:E4:1C:B0:4D:79:2E
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -22155,6 +24234,13 @@
+ #
+ # Certificate "Explicitly Distrust DigiNotar Cyber CA 2nd"
+ #
++# Issuer: CN=DigiNotar Cyber CA,O=DigiNotar,C=NL
++# Serial Number: 268435455 (0xfffffff)
++# Subject: CN=DigiNotar Cyber CA,O=DigiNotar,C=NL
++# Not Valid Before: Wed Sep 27 10:53:53 2006
++# Not Valid After : Fri Sep 20 09:44:07 2013
++# Fingerprint (MD5): F0:AE:A9:3D:F2:2C:88:DC:7C:85:1B:96:7D:5A:1C:11
++# Fingerprint (SHA1): 88:1E:45:05:0F:98:D9:59:FB:0A:35:F9:4C:0E:28:97:55:16:29:B3
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -22262,6 +24348,13 @@
+ END
+ 
+ # Trust for Certificate "Explicitly Distrust DigiNotar Cyber CA 2nd"
++# Issuer: CN=DigiNotar Cyber CA,O=DigiNotar,C=NL
++# Serial Number: 268435455 (0xfffffff)
++# Subject: CN=DigiNotar Cyber CA,O=DigiNotar,C=NL
++# Not Valid Before: Wed Sep 27 10:53:53 2006
++# Not Valid After : Fri Sep 20 09:44:07 2013
++# Fingerprint (MD5): F0:AE:A9:3D:F2:2C:88:DC:7C:85:1B:96:7D:5A:1C:11
++# Fingerprint (SHA1): 88:1E:45:05:0F:98:D9:59:FB:0A:35:F9:4C:0E:28:97:55:16:29:B3
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -22291,6 +24384,13 @@
+ #
+ # Certificate "Explicitly Distrusted DigiNotar PKIoverheid"
+ #
++# Issuer: CN=DigiNotar PKIoverheid CA Overheid en Bedrijven,O=DigiNotar B.V.,C=NL
++# Serial Number: 268435455 (0xfffffff)
++# Subject: CN=DigiNotar PKIoverheid CA Overheid en Bedrijven,O=DigiNotar B.V.,C=NL
++# Not Valid Before: Thu Jul 05 08:42:08 2007
++# Not Valid After : Mon Jul 27 08:39:47 2015
++# Fingerprint (MD5): A3:CF:B3:FF:F9:4F:A7:B1:EB:3A:75:58:4E:2E:9F:EA
++# Fingerprint (SHA1): A7:A8:C9:AC:F4:5F:90:92:76:86:B8:C0:A2:0E:93:58:7D:DE:30:E4
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -22397,6 +24497,13 @@
+ END
+ 
+ # Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid"
++# Issuer: CN=DigiNotar PKIoverheid CA Overheid en Bedrijven,O=DigiNotar B.V.,C=NL
++# Serial Number: 268435455 (0xfffffff)
++# Subject: CN=DigiNotar PKIoverheid CA Overheid en Bedrijven,O=DigiNotar B.V.,C=NL
++# Not Valid Before: Thu Jul 05 08:42:08 2007
++# Not Valid After : Mon Jul 27 08:39:47 2015
++# Fingerprint (MD5): A3:CF:B3:FF:F9:4F:A7:B1:EB:3A:75:58:4E:2E:9F:EA
++# Fingerprint (SHA1): A7:A8:C9:AC:F4:5F:90:92:76:86:B8:C0:A2:0E:93:58:7D:DE:30:E4
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -22429,6 +24536,13 @@
+ #
+ # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
+ #
++# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
++# Serial Number: 268435455 (0xfffffff)
++# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
++# Not Valid Before: Wed May 12 08:51:39 2010
++# Not Valid After : Mon Mar 23 09:50:05 2020
++# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
++# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -22565,6 +24679,13 @@
+ END
+ 
+ # Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
++# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
++# Serial Number: 268435455 (0xfffffff)
++# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
++# Not Valid Before: Wed May 12 08:51:39 2010
++# Not Valid After : Mon Mar 23 09:50:05 2020
++# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
++# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -22596,6 +24717,13 @@
+ #
+ # Certificate "Explicitly Distrusted Malaysian Digicert Sdn. Bhd. (cyb)"
+ #
++# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
++# Serial Number:07:ff:ff:ff:ff:ff
++# Subject: CN=Digisign Server ID (Enrich),OU=457608-K,O=Digicert Sdn. Bhd.,C=MY
++# Not Valid Before: Tue Jul 17 15:17:49 2007
++# Not Valid After : Tue Jul 17 15:16:55 2012
++# Fingerprint (MD5): D2:DE:AE:50:A4:98:2D:6F:37:B7:86:52:C8:2D:4B:6A
++# Fingerprint (SHA1): 55:50:AF:EC:BF:E8:C3:AD:C4:0B:E3:AD:0C:A7:E4:15:8C:39:59:4F
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -22691,6 +24819,13 @@
+ END
+ 
+ # Trust for Certificate "Explicitly Distrusted Malaysian Digicert Sdn. Bhd. (cyb)"
++# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
++# Serial Number:07:ff:ff:ff:ff:ff
++# Subject: CN=Digisign Server ID (Enrich),OU=457608-K,O=Digicert Sdn. Bhd.,C=MY
++# Not Valid Before: Tue Jul 17 15:17:49 2007
++# Not Valid After : Tue Jul 17 15:16:55 2012
++# Fingerprint (MD5): D2:DE:AE:50:A4:98:2D:6F:37:B7:86:52:C8:2D:4B:6A
++# Fingerprint (SHA1): 55:50:AF:EC:BF:E8:C3:AD:C4:0B:E3:AD:0C:A7:E4:15:8C:39:59:4F
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -22724,6 +24859,13 @@
+ #
+ # Certificate "Explicitly Distrusted Malaysian Digicert Sdn. Bhd. (en)"
+ #
++# Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
++# Serial Number:07:ff:ff:ff:ff:ff
++# Subject: CN=Digisign Server ID - (Enrich),OU=457608-K,O=Digicert Sdn. Bhd.,C=MY
++# Not Valid Before: Fri Jul 16 17:23:38 2010
++# Not Valid After : Thu Jul 16 17:53:38 2015
++# Fingerprint (MD5): D7:69:61:7F:35:0F:9C:46:A3:AA:EB:F8:55:FC:84:F2
++# Fingerprint (SHA1): 6B:3C:3B:80:AD:CA:A6:BA:8A:9F:54:A6:7A:ED:12:69:05:6D:31:26
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -22839,6 +24981,13 @@
+ END
+ 
+ # Trust for Certificate "Explicitly Distrusted Malaysian Digicert Sdn. Bhd. (en)"
++# Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
++# Serial Number:07:ff:ff:ff:ff:ff
++# Subject: CN=Digisign Server ID - (Enrich),OU=457608-K,O=Digicert Sdn. Bhd.,C=MY
++# Not Valid Before: Fri Jul 16 17:23:38 2010
++# Not Valid After : Thu Jul 16 17:53:38 2015
++# Fingerprint (MD5): D7:69:61:7F:35:0F:9C:46:A3:AA:EB:F8:55:FC:84:F2
++# Fingerprint (SHA1): 6B:3C:3B:80:AD:CA:A6:BA:8A:9F:54:A6:7A:ED:12:69:05:6D:31:26
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -22877,6 +25026,13 @@
+ #
+ # Certificate "Security Communication RootCA2"
+ #
++# Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
++# Serial Number: 0 (0x0)
++# Subject: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
++# Not Valid Before: Fri May 29 05:00:39 2009
++# Not Valid After : Tue May 29 05:00:39 2029
++# Fingerprint (MD5): 6C:39:7D:A4:0E:55:59:B2:3F:D6:41:B1:12:50:DE:43
++# Fingerprint (SHA1): 5F:3B:8C:F2:F8:10:B3:7D:78:B4:CE:EC:19:19:C3:73:34:B9:C7:74
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -22963,6 +25119,13 @@
+ END
+ 
+ # Trust for Certificate "Security Communication RootCA2"
++# Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
++# Serial Number: 0 (0x0)
++# Subject: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
++# Not Valid Before: Fri May 29 05:00:39 2009
++# Not Valid After : Tue May 29 05:00:39 2029
++# Fingerprint (MD5): 6C:39:7D:A4:0E:55:59:B2:3F:D6:41:B1:12:50:DE:43
++# Fingerprint (SHA1): 5F:3B:8C:F2:F8:10:B3:7D:78:B4:CE:EC:19:19:C3:73:34:B9:C7:74
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -22994,6 +25157,13 @@
+ #
+ # Certificate "EC-ACC"
+ #
++# Issuer: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
++# Serial Number:ee:2b:3d:eb:d4:21:de:14:a8:62:ac:04:f3:dd:c4:01
++# Subject: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
++# Not Valid Before: Tue Jan 07 23:00:00 2003
++# Not Valid After : Tue Jan 07 22:59:59 2031
++# Fingerprint (MD5): EB:F5:9D:29:0D:61:F9:42:1F:7C:C2:BA:6D:E3:15:09
++# Fingerprint (SHA1): 28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -23131,6 +25301,13 @@
+ END
+ 
+ # Trust for Certificate "EC-ACC"
++# Issuer: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
++# Serial Number:ee:2b:3d:eb:d4:21:de:14:a8:62:ac:04:f3:dd:c4:01
++# Subject: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
++# Not Valid Before: Tue Jan 07 23:00:00 2003
++# Not Valid After : Tue Jan 07 22:59:59 2031
++# Fingerprint (MD5): EB:F5:9D:29:0D:61:F9:42:1F:7C:C2:BA:6D:E3:15:09
++# Fingerprint (SHA1): 28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -23173,6 +25350,13 @@
+ #
+ # Certificate "Hellenic Academic and Research Institutions RootCA 2011"
+ #
++# Issuer: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
++# Serial Number: 0 (0x0)
++# Subject: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
++# Not Valid Before: Tue Dec 06 13:49:52 2011
++# Not Valid After : Mon Dec 01 13:49:52 2031
++# Fingerprint (MD5): 73:9F:4C:4B:73:5B:79:E9:FA:BA:1C:EF:6E:CB:D5:C9
++# Fingerprint (SHA1): FE:45:65:9B:79:03:5B:98:A1:61:B5:51:2E:AC:DA:58:09:48:22:4D
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -23279,6 +25463,13 @@
+ END
+ 
+ # Trust for Certificate "Hellenic Academic and Research Institutions RootCA 2011"
++# Issuer: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
++# Serial Number: 0 (0x0)
++# Subject: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
++# Not Valid Before: Tue Dec 06 13:49:52 2011
++# Not Valid After : Mon Dec 01 13:49:52 2031
++# Fingerprint (MD5): 73:9F:4C:4B:73:5B:79:E9:FA:BA:1C:EF:6E:CB:D5:C9
++# Fingerprint (SHA1): FE:45:65:9B:79:03:5B:98:A1:61:B5:51:2E:AC:DA:58:09:48:22:4D
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+@@ -26244,3 +28435,537 @@
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "SG TRUST SERVICES RACINE"
++#
++# Issuer: C=FR,O=SG TRUST SERVICES,OU=0002 43525289500022,CN=SG TRUST SERVICES RACINE
++# Serial Number:3e:d5:51:19:e6:4d:ce:7e
++# Subject: C=FR,O=SG TRUST SERVICES,OU=0002 43525289500022,CN=SG TRUST SERVICES RACINE
++# Not Valid Before: Mon Sep 06 12:53:42 2010
++# Not Valid After : Thu Sep 05 12:53:42 2030
++# Fingerprint (MD5): 25:EF:CF:48:4A:84:B7:30:9F:60:D3:1D:56:91:2F:E1
++# Fingerprint (SHA1): 0C:62:8F:5C:55:70:B1:C9:57:FA:FD:38:3F:B0:3D:7B:7D:D7:B9:C6
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "SG TRUST SERVICES RACINE"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\152\061\041\060\037\006\003\125\004\003\023\030\123\107\040
++\124\122\125\123\124\040\123\105\122\126\111\103\105\123\040\122
++\101\103\111\116\105\061\034\060\032\006\003\125\004\013\023\023
++\060\060\060\062\040\064\063\065\062\065\062\070\071\065\060\060
++\060\062\062\061\032\060\030\006\003\125\004\012\023\021\123\107
++\040\124\122\125\123\124\040\123\105\122\126\111\103\105\123\061
++\013\060\011\006\003\125\004\006\023\002\106\122
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\152\061\041\060\037\006\003\125\004\003\023\030\123\107\040
++\124\122\125\123\124\040\123\105\122\126\111\103\105\123\040\122
++\101\103\111\116\105\061\034\060\032\006\003\125\004\013\023\023
++\060\060\060\062\040\064\063\065\062\065\062\070\071\065\060\060
++\060\062\062\061\032\060\030\006\003\125\004\012\023\021\123\107
++\040\124\122\125\123\124\040\123\105\122\126\111\103\105\123\061
++\013\060\011\006\003\125\004\006\023\002\106\122
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\010\076\325\121\031\346\115\316\176
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\006\031\060\202\004\001\240\003\002\001\002\002\010\076
++\325\121\031\346\115\316\176\060\015\006\011\052\206\110\206\367
++\015\001\001\013\005\000\060\152\061\041\060\037\006\003\125\004
++\003\023\030\123\107\040\124\122\125\123\124\040\123\105\122\126
++\111\103\105\123\040\122\101\103\111\116\105\061\034\060\032\006
++\003\125\004\013\023\023\060\060\060\062\040\064\063\065\062\065
++\062\070\071\065\060\060\060\062\062\061\032\060\030\006\003\125
++\004\012\023\021\123\107\040\124\122\125\123\124\040\123\105\122
++\126\111\103\105\123\061\013\060\011\006\003\125\004\006\023\002
++\106\122\060\036\027\015\061\060\060\071\060\066\061\062\065\063
++\064\062\132\027\015\063\060\060\071\060\065\061\062\065\063\064
++\062\132\060\152\061\041\060\037\006\003\125\004\003\023\030\123
++\107\040\124\122\125\123\124\040\123\105\122\126\111\103\105\123
++\040\122\101\103\111\116\105\061\034\060\032\006\003\125\004\013
++\023\023\060\060\060\062\040\064\063\065\062\065\062\070\071\065
++\060\060\060\062\062\061\032\060\030\006\003\125\004\012\023\021
++\123\107\040\124\122\125\123\124\040\123\105\122\126\111\103\105
++\123\061\013\060\011\006\003\125\004\006\023\002\106\122\060\202
++\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
++\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000\332
++\250\126\002\354\174\225\360\116\351\012\322\267\007\243\042\213
++\120\263\271\056\031\075\127\333\031\252\322\053\344\316\102\342
++\154\241\344\135\045\036\063\035\266\105\321\264\372\131\212\126
++\160\311\155\010\166\151\160\232\346\307\234\010\060\023\376\346
++\321\222\150\141\076\114\021\362\156\362\261\173\127\126\113\011
++\275\334\017\331\161\014\350\232\067\336\042\020\034\231\136\326
++\261\027\007\323\244\071\055\302\032\163\375\312\113\051\007\302
++\171\051\310\310\046\256\054\304\374\043\310\113\342\206\126\017
++\050\375\266\207\033\150\137\071\144\105\375\150\203\154\165\044
++\036\074\165\231\141\372\322\024\370\251\113\261\330\175\247\170
++\322\023\142\145\265\326\276\176\152\003\274\265\262\374\144\060
++\303\320\302\231\075\231\244\323\315\321\261\304\123\207\173\114
++\023\023\146\177\277\325\145\123\150\371\134\036\345\264\377\066
++\231\105\243\237\142\300\177\021\202\001\124\336\017\145\245\071
++\256\235\110\114\211\243\020\073\340\346\203\365\260\332\054\036
++\172\034\134\037\000\254\314\253\247\140\144\263\306\305\173\307
++\125\106\164\074\220\201\016\112\216\131\235\124\260\110\261\122
++\114\073\230\356\253\332\064\267\123\315\111\332\057\353\225\276
++\014\127\021\366\226\114\004\171\134\231\325\345\344\276\157\352
++\107\356\121\113\357\042\046\256\265\330\021\252\103\273\170\277
++\013\176\264\335\317\164\035\045\251\211\143\261\342\064\201\304
++\210\065\070\342\002\015\017\023\311\325\052\202\025\360\212\304
++\103\062\126\344\123\035\035\254\266\317\175\233\226\135\036\144
++\351\164\163\304\126\344\026\112\122\155\222\071\323\341\115\016
++\077\142\271\336\255\265\035\145\271\135\122\376\135\011\251\234
++\264\244\014\331\057\105\166\245\317\216\152\232\236\252\260\021
++\241\353\141\306\353\077\036\374\146\264\022\235\106\177\062\026
++\211\276\161\105\257\221\041\331\375\223\277\264\002\221\102\377
++\111\037\355\213\025\150\335\037\216\254\233\335\202\005\234\104
++\151\026\144\027\126\137\101\017\112\117\004\017\145\120\206\223
++\227\354\105\277\135\302\034\334\317\304\330\072\346\170\005\320
++\305\125\125\251\136\376\253\072\041\273\345\162\024\367\013\002
++\003\001\000\001\243\201\302\060\201\277\060\035\006\003\125\035
++\016\004\026\004\024\051\040\313\361\303\017\332\006\216\023\223
++\207\376\137\140\032\051\273\363\266\060\017\006\003\125\035\023
++\001\001\377\004\005\060\003\001\001\377\060\037\006\003\125\035
++\043\004\030\060\026\200\024\051\040\313\361\303\017\332\006\216
++\023\223\207\376\137\140\032\051\273\363\266\060\021\006\003\125
++\035\040\004\012\060\010\060\006\006\004\125\035\040\000\060\111
++\006\003\125\035\037\004\102\060\100\060\076\240\074\240\072\206
++\070\150\164\164\160\072\057\057\143\162\154\056\163\147\164\162
++\165\163\164\163\145\162\166\151\143\145\163\056\143\157\155\057
++\162\141\143\151\156\145\055\107\162\157\165\160\145\123\107\057
++\114\141\164\145\163\164\103\122\114\060\016\006\003\125\035\017
++\001\001\377\004\004\003\002\001\006\060\015\006\011\052\206\110
++\206\367\015\001\001\013\005\000\003\202\002\001\000\114\106\147
++\340\104\120\365\305\266\272\262\121\012\045\023\035\267\307\210
++\056\037\271\053\144\240\313\223\210\122\131\252\140\365\314\051
++\122\027\377\004\347\067\264\061\021\106\176\053\036\154\247\213
++\074\107\232\136\364\252\135\220\073\105\075\237\112\311\212\173
++\216\300\356\076\171\213\222\243\310\224\112\270\050\021\153\246
++\045\137\135\275\307\310\373\203\117\125\061\346\134\360\023\174
++\343\275\177\052\054\067\067\224\111\257\204\037\024\047\242\130
++\020\217\012\071\067\032\022\040\101\217\031\366\251\037\031\355
++\262\064\262\255\175\063\104\213\137\012\007\103\362\166\105\105
++\055\255\344\215\016\000\375\004\010\252\347\153\373\027\275\260
++\010\126\016\065\052\162\360\263\347\115\072\117\015\334\363\140
++\022\263\070\144\214\333\371\341\046\215\057\357\116\350\044\107
++\076\066\064\212\151\017\050\153\213\207\306\275\205\046\371\323
++\353\151\041\126\140\221\326\367\340\142\302\250\161\256\056\336
++\146\043\265\122\106\246\244\110\067\054\177\001\026\127\021\367
++\047\015\016\345\017\326\220\105\341\036\077\041\334\322\374\026
++\030\023\076\115\152\262\046\152\100\136\045\170\375\070\364\254
++\130\172\067\033\230\100\004\307\216\311\324\304\147\141\261\230
++\256\360\315\016\334\271\257\145\203\173\012\004\212\077\141\252
++\367\135\101\206\346\306\114\302\117\072\134\126\352\050\073\247
++\104\317\310\112\144\365\162\140\055\343\103\270\112\340\165\074
++\062\344\252\026\327\021\271\301\105\331\233\146\143\146\345\042
++\267\064\356\272\325\164\057\045\144\363\201\124\313\167\336\127
++\324\223\343\254\007\061\072\076\134\003\203\127\123\307\360\376
++\150\330\045\120\115\022\310\346\341\225\215\147\253\074\223\077
++\027\002\272\070\327\236\367\060\245\075\075\104\001\063\032\232
++\237\216\320\237\361\356\060\210\163\357\256\044\031\272\227\163
++\025\301\354\161\014\204\144\265\173\354\274\151\076\244\155\011
++\026\066\312\112\071\212\313\247\173\306\035\176\347\063\210\311
++\276\060\155\234\205\225\041\351\107\073\006\176\201\342\352\106
++\346\160\130\200\346\250\362\235\013\151\321\063\211\131\060\363
++\144\323\013\366\316\053\011\373\175\020\166\056\020
++END
++
++# Trust for "SG TRUST SERVICES RACINE"
++# Issuer: C=FR,O=SG TRUST SERVICES,OU=0002 43525289500022,CN=SG TRUST SERVICES RACINE
++# Serial Number:3e:d5:51:19:e6:4d:ce:7e
++# Subject: C=FR,O=SG TRUST SERVICES,OU=0002 43525289500022,CN=SG TRUST SERVICES RACINE
++# Not Valid Before: Mon Sep 06 12:53:42 2010
++# Not Valid After : Thu Sep 05 12:53:42 2030
++# Fingerprint (MD5): 25:EF:CF:48:4A:84:B7:30:9F:60:D3:1D:56:91:2F:E1
++# Fingerprint (SHA1): 0C:62:8F:5C:55:70:B1:C9:57:FA:FD:38:3F:B0:3D:7B:7D:D7:B9:C6
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "SG TRUST SERVICES RACINE"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\014\142\217\134\125\160\261\311\127\372\375\070\077\260\075\173
++\175\327\271\306
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\045\357\317\110\112\204\267\060\237\140\323\035\126\221\057\341
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\152\061\041\060\037\006\003\125\004\003\023\030\123\107\040
++\124\122\125\123\124\040\123\105\122\126\111\103\105\123\040\122
++\101\103\111\116\105\061\034\060\032\006\003\125\004\013\023\023
++\060\060\060\062\040\064\063\065\062\065\062\070\071\065\060\060
++\060\062\062\061\032\060\030\006\003\125\004\012\023\021\123\107
++\040\124\122\125\123\124\040\123\105\122\126\111\103\105\123\061
++\013\060\011\006\003\125\004\006\023\002\106\122
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\010\076\325\121\031\346\115\316\176
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "ACCVRAIZ1"
++#
++# Issuer: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
++# Serial Number:5e:c3:b7:a6:43:7f:a4:e0
++# Subject: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
++# Not Valid Before: Thu May 05 09:37:37 2011
++# Not Valid After : Tue Dec 31 09:37:37 2030
++# Fingerprint (MD5): D0:A0:5A:EE:05:B6:09:94:21:A1:7D:F1:B2:29:82:02
++# Fingerprint (SHA1): 93:05:7A:88:15:C6:4F:CE:88:2F:FA:91:16:52:28:78:BC:53:64:17
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "ACCVRAIZ1"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\102\061\022\060\020\006\003\125\004\003\014\011\101\103\103
++\126\122\101\111\132\061\061\020\060\016\006\003\125\004\013\014
++\007\120\113\111\101\103\103\126\061\015\060\013\006\003\125\004
++\012\014\004\101\103\103\126\061\013\060\011\006\003\125\004\006
++\023\002\105\123
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\102\061\022\060\020\006\003\125\004\003\014\011\101\103\103
++\126\122\101\111\132\061\061\020\060\016\006\003\125\004\013\014
++\007\120\113\111\101\103\103\126\061\015\060\013\006\003\125\004
++\012\014\004\101\103\103\126\061\013\060\011\006\003\125\004\006
++\023\002\105\123
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\010\136\303\267\246\103\177\244\340
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\007\323\060\202\005\273\240\003\002\001\002\002\010\136
++\303\267\246\103\177\244\340\060\015\006\011\052\206\110\206\367
++\015\001\001\005\005\000\060\102\061\022\060\020\006\003\125\004
++\003\014\011\101\103\103\126\122\101\111\132\061\061\020\060\016
++\006\003\125\004\013\014\007\120\113\111\101\103\103\126\061\015
++\060\013\006\003\125\004\012\014\004\101\103\103\126\061\013\060
++\011\006\003\125\004\006\023\002\105\123\060\036\027\015\061\061
++\060\065\060\065\060\071\063\067\063\067\132\027\015\063\060\061
++\062\063\061\060\071\063\067\063\067\132\060\102\061\022\060\020
++\006\003\125\004\003\014\011\101\103\103\126\122\101\111\132\061
++\061\020\060\016\006\003\125\004\013\014\007\120\113\111\101\103
++\103\126\061\015\060\013\006\003\125\004\012\014\004\101\103\103
++\126\061\013\060\011\006\003\125\004\006\023\002\105\123\060\202
++\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
++\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000\233
++\251\253\277\141\112\227\257\057\227\146\232\164\137\320\331\226
++\375\317\342\344\146\357\037\037\107\063\302\104\243\337\232\336
++\037\265\124\335\025\174\151\065\021\157\273\310\014\216\152\030
++\036\330\217\331\026\274\020\110\066\134\360\143\263\220\132\134
++\044\067\327\243\326\313\011\161\271\361\001\162\204\260\175\333
++\115\200\315\374\323\157\311\370\332\266\016\202\322\105\205\250
++\033\150\250\075\350\364\104\154\275\241\302\313\003\276\214\076
++\023\000\204\337\112\110\300\343\042\012\350\351\067\247\030\114
++\261\011\015\043\126\177\004\115\331\027\204\030\245\310\332\100
++\224\163\353\316\016\127\074\003\201\072\235\012\241\127\103\151
++\254\127\155\171\220\170\345\265\264\073\330\274\114\215\050\241
++\247\243\247\272\002\116\045\321\052\256\355\256\003\042\270\153
++\040\017\060\050\124\225\177\340\356\316\012\146\235\321\100\055
++\156\042\257\235\032\301\005\031\322\157\300\362\237\370\173\263
++\002\102\373\120\251\035\055\223\017\043\253\306\301\017\222\377
++\320\242\025\365\123\011\161\034\377\105\023\204\346\046\136\370
++\340\210\034\012\374\026\266\250\163\006\270\360\143\204\002\240
++\306\132\354\347\164\337\160\256\243\203\045\352\326\307\227\207
++\223\247\306\212\212\063\227\140\067\020\076\227\076\156\051\025
++\326\241\017\321\210\054\022\237\157\252\244\306\102\353\101\242
++\343\225\103\323\001\205\155\216\273\073\363\043\066\307\376\073
++\340\241\045\007\110\253\311\211\164\377\010\217\200\277\300\226
++\145\363\356\354\113\150\275\235\210\303\061\263\100\361\350\317
++\366\070\273\234\344\321\177\324\345\130\233\174\372\324\363\016
++\233\165\221\344\272\122\056\031\176\321\365\315\132\031\374\272
++\006\366\373\122\250\113\231\004\335\370\371\264\213\120\243\116
++\142\211\360\207\044\372\203\102\301\207\372\325\055\051\052\132
++\161\172\144\152\327\047\140\143\015\333\316\111\365\215\037\220
++\211\062\027\370\163\103\270\322\132\223\206\141\326\341\165\012
++\352\171\146\166\210\117\161\353\004\045\326\012\132\172\223\345
++\271\113\027\100\017\261\266\271\365\336\117\334\340\263\254\073
++\021\160\140\204\112\103\156\231\040\300\051\161\012\300\145\002
++\003\001\000\001\243\202\002\313\060\202\002\307\060\175\006\010
++\053\006\001\005\005\007\001\001\004\161\060\157\060\114\006\010
++\053\006\001\005\005\007\060\002\206\100\150\164\164\160\072\057
++\057\167\167\167\056\141\143\143\166\056\145\163\057\146\151\154
++\145\141\144\155\151\156\057\101\162\143\150\151\166\157\163\057
++\143\145\162\164\151\146\151\143\141\144\157\163\057\162\141\151
++\172\141\143\143\166\061\056\143\162\164\060\037\006\010\053\006
++\001\005\005\007\060\001\206\023\150\164\164\160\072\057\057\157
++\143\163\160\056\141\143\143\166\056\145\163\060\035\006\003\125
++\035\016\004\026\004\024\322\207\264\343\337\067\047\223\125\366
++\126\352\201\345\066\314\214\036\077\275\060\017\006\003\125\035
++\023\001\001\377\004\005\060\003\001\001\377\060\037\006\003\125
++\035\043\004\030\060\026\200\024\322\207\264\343\337\067\047\223
++\125\366\126\352\201\345\066\314\214\036\077\275\060\202\001\163
++\006\003\125\035\040\004\202\001\152\060\202\001\146\060\202\001
++\142\006\004\125\035\040\000\060\202\001\130\060\202\001\042\006
++\010\053\006\001\005\005\007\002\002\060\202\001\024\036\202\001
++\020\000\101\000\165\000\164\000\157\000\162\000\151\000\144\000
++\141\000\144\000\040\000\144\000\145\000\040\000\103\000\145\000
++\162\000\164\000\151\000\146\000\151\000\143\000\141\000\143\000
++\151\000\363\000\156\000\040\000\122\000\141\000\355\000\172\000
++\040\000\144\000\145\000\040\000\154\000\141\000\040\000\101\000
++\103\000\103\000\126\000\040\000\050\000\101\000\147\000\145\000
++\156\000\143\000\151\000\141\000\040\000\144\000\145\000\040\000
++\124\000\145\000\143\000\156\000\157\000\154\000\157\000\147\000
++\355\000\141\000\040\000\171\000\040\000\103\000\145\000\162\000
++\164\000\151\000\146\000\151\000\143\000\141\000\143\000\151\000
++\363\000\156\000\040\000\105\000\154\000\145\000\143\000\164\000
++\162\000\363\000\156\000\151\000\143\000\141\000\054\000\040\000
++\103\000\111\000\106\000\040\000\121\000\064\000\066\000\060\000
++\061\000\061\000\065\000\066\000\105\000\051\000\056\000\040\000
++\103\000\120\000\123\000\040\000\145\000\156\000\040\000\150\000
++\164\000\164\000\160\000\072\000\057\000\057\000\167\000\167\000
++\167\000\056\000\141\000\143\000\143\000\166\000\056\000\145\000
++\163\060\060\006\010\053\006\001\005\005\007\002\001\026\044\150
++\164\164\160\072\057\057\167\167\167\056\141\143\143\166\056\145
++\163\057\154\145\147\151\163\154\141\143\151\157\156\137\143\056
++\150\164\155\060\125\006\003\125\035\037\004\116\060\114\060\112
++\240\110\240\106\206\104\150\164\164\160\072\057\057\167\167\167
++\056\141\143\143\166\056\145\163\057\146\151\154\145\141\144\155
++\151\156\057\101\162\143\150\151\166\157\163\057\143\145\162\164
++\151\146\151\143\141\144\157\163\057\162\141\151\172\141\143\143
++\166\061\137\144\145\162\056\143\162\154\060\016\006\003\125\035
++\017\001\001\377\004\004\003\002\001\006\060\027\006\003\125\035
++\021\004\020\060\016\201\014\141\143\143\166\100\141\143\143\166
++\056\145\163\060\015\006\011\052\206\110\206\367\015\001\001\005
++\005\000\003\202\002\001\000\227\061\002\237\347\375\103\147\110
++\104\024\344\051\207\355\114\050\146\320\217\065\332\115\141\267
++\112\227\115\265\333\220\340\005\056\016\306\171\320\362\227\151
++\017\275\004\107\331\276\333\265\051\332\233\331\256\251\231\325
++\323\074\060\223\365\215\241\250\374\006\215\104\364\312\026\225
++\174\063\334\142\213\250\067\370\047\330\011\055\033\357\310\024
++\047\040\251\144\104\377\056\326\165\252\154\115\140\100\031\111
++\103\124\143\332\342\314\272\146\345\117\104\172\133\331\152\201
++\053\100\325\177\371\001\047\130\054\310\355\110\221\174\077\246
++\000\317\304\051\163\021\066\336\206\031\076\235\356\031\212\033
++\325\260\355\216\075\234\052\300\015\330\075\146\343\074\015\275
++\325\224\134\342\342\247\065\033\004\000\366\077\132\215\352\103
++\275\137\211\035\251\301\260\314\231\342\115\000\012\332\311\047
++\133\347\023\220\134\344\365\063\242\125\155\334\340\011\115\057
++\261\046\133\047\165\000\011\304\142\167\051\010\137\236\131\254
++\266\176\255\237\124\060\042\003\301\036\161\144\376\371\070\012
++\226\030\335\002\024\254\043\313\006\034\036\244\175\215\015\336
++\047\101\350\255\332\025\267\260\043\335\053\250\323\332\045\207
++\355\350\125\104\115\210\364\066\176\204\232\170\254\367\016\126
++\111\016\326\063\045\326\204\120\102\154\040\022\035\052\325\276
++\274\362\160\201\244\160\140\276\005\265\233\236\004\104\276\141
++\043\254\351\245\044\214\021\200\224\132\242\242\271\111\322\301
++\334\321\247\355\061\021\054\236\031\246\356\341\125\341\300\352
++\317\015\204\344\027\267\242\174\245\336\125\045\006\356\314\300
++\207\134\100\332\314\225\077\125\340\065\307\270\204\276\264\135
++\315\172\203\001\162\356\207\346\137\035\256\265\205\306\046\337
++\346\301\232\351\036\002\107\237\052\250\155\251\133\317\354\105
++\167\177\230\047\232\062\135\052\343\204\356\305\230\146\057\226
++\040\035\335\330\303\047\327\260\371\376\331\175\315\320\237\217
++\013\024\130\121\237\057\213\303\070\055\336\350\217\326\215\207
++\244\365\126\103\026\231\054\364\244\126\264\064\270\141\067\311
++\302\130\200\033\240\227\241\374\131\215\351\021\366\321\017\113
++\125\064\106\052\213\206\073
++END
++
++# Trust for "ACCVRAIZ1"
++# Issuer: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
++# Serial Number:5e:c3:b7:a6:43:7f:a4:e0
++# Subject: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
++# Not Valid Before: Thu May 05 09:37:37 2011
++# Not Valid After : Tue Dec 31 09:37:37 2030
++# Fingerprint (MD5): D0:A0:5A:EE:05:B6:09:94:21:A1:7D:F1:B2:29:82:02
++# Fingerprint (SHA1): 93:05:7A:88:15:C6:4F:CE:88:2F:FA:91:16:52:28:78:BC:53:64:17
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "ACCVRAIZ1"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\223\005\172\210\025\306\117\316\210\057\372\221\026\122\050\170
++\274\123\144\027
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\320\240\132\356\005\266\011\224\041\241\175\361\262\051\202\002
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\102\061\022\060\020\006\003\125\004\003\014\011\101\103\103
++\126\122\101\111\132\061\061\020\060\016\006\003\125\004\013\014
++\007\120\113\111\101\103\103\126\061\015\060\013\006\003\125\004
++\012\014\004\101\103\103\126\061\013\060\011\006\003\125\004\006
++\023\002\105\123
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\010\136\303\267\246\103\177\244\340
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "TWCA Global Root CA"
++#
++# Issuer: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
++# Serial Number: 3262 (0xcbe)
++# Subject: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
++# Not Valid Before: Wed Jun 27 06:28:33 2012
++# Not Valid After : Tue Dec 31 15:59:59 2030
++# Fingerprint (MD5): F9:03:7E:CF:E6:9E:3C:73:7A:2A:90:07:69:FF:2B:96
++# Fingerprint (SHA1): 9C:BB:48:53:F6:A4:F6:D3:52:A4:E8:32:52:55:60:13:F5:AD:AF:65
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "TWCA Global Root CA"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\121\061\013\060\011\006\003\125\004\006\023\002\124\127\061
++\022\060\020\006\003\125\004\012\023\011\124\101\111\127\101\116
++\055\103\101\061\020\060\016\006\003\125\004\013\023\007\122\157
++\157\164\040\103\101\061\034\060\032\006\003\125\004\003\023\023
++\124\127\103\101\040\107\154\157\142\141\154\040\122\157\157\164
++\040\103\101
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\121\061\013\060\011\006\003\125\004\006\023\002\124\127\061
++\022\060\020\006\003\125\004\012\023\011\124\101\111\127\101\116
++\055\103\101\061\020\060\016\006\003\125\004\013\023\007\122\157
++\157\164\040\103\101\061\034\060\032\006\003\125\004\003\023\023
++\124\127\103\101\040\107\154\157\142\141\154\040\122\157\157\164
++\040\103\101
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\002\014\276
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\005\101\060\202\003\051\240\003\002\001\002\002\002\014
++\276\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
++\060\121\061\013\060\011\006\003\125\004\006\023\002\124\127\061
++\022\060\020\006\003\125\004\012\023\011\124\101\111\127\101\116
++\055\103\101\061\020\060\016\006\003\125\004\013\023\007\122\157
++\157\164\040\103\101\061\034\060\032\006\003\125\004\003\023\023
++\124\127\103\101\040\107\154\157\142\141\154\040\122\157\157\164
++\040\103\101\060\036\027\015\061\062\060\066\062\067\060\066\062
++\070\063\063\132\027\015\063\060\061\062\063\061\061\065\065\071
++\065\071\132\060\121\061\013\060\011\006\003\125\004\006\023\002
++\124\127\061\022\060\020\006\003\125\004\012\023\011\124\101\111
++\127\101\116\055\103\101\061\020\060\016\006\003\125\004\013\023
++\007\122\157\157\164\040\103\101\061\034\060\032\006\003\125\004
++\003\023\023\124\127\103\101\040\107\154\157\142\141\154\040\122
++\157\157\164\040\103\101\060\202\002\042\060\015\006\011\052\206
++\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202
++\002\012\002\202\002\001\000\260\005\333\310\353\214\304\156\212
++\041\357\216\115\234\161\012\037\122\160\355\155\202\234\227\305
++\327\114\116\105\111\313\100\102\265\022\064\154\031\302\164\244
++\061\137\205\002\227\354\103\063\012\123\322\234\214\216\267\270
++\171\333\053\325\152\362\216\146\304\356\053\001\007\222\324\263
++\320\002\337\120\366\125\257\146\016\313\340\107\140\057\053\062
++\071\065\122\072\050\203\370\173\026\306\030\270\142\326\107\045
++\221\316\360\031\022\115\255\143\365\323\077\165\137\051\360\241
++\060\034\052\240\230\246\025\275\356\375\031\066\360\342\221\103
++\217\372\312\326\020\047\111\114\357\335\301\361\205\160\233\312
++\352\250\132\103\374\155\206\157\163\351\067\105\251\360\066\307
++\314\210\165\036\273\154\006\377\233\153\076\027\354\141\252\161
++\174\306\035\242\367\111\351\025\265\074\326\241\141\365\021\367
++\005\157\035\375\021\276\320\060\007\302\051\260\011\116\046\334
++\343\242\250\221\152\037\302\221\105\210\134\345\230\270\161\245
++\025\031\311\174\165\021\314\160\164\117\055\233\035\221\104\375
++\126\050\240\376\273\206\152\310\372\134\013\130\334\306\113\166
++\310\253\042\331\163\017\245\364\132\002\211\077\117\236\042\202
++\356\242\164\123\052\075\123\047\151\035\154\216\062\054\144\000
++\046\143\141\066\116\243\106\267\077\175\263\055\254\155\220\242
++\225\242\316\317\332\202\347\007\064\031\226\351\270\041\252\051
++\176\246\070\276\216\051\112\041\146\171\037\263\303\265\011\147
++\336\326\324\007\106\363\052\332\346\042\067\140\313\201\266\017
++\240\017\351\310\225\177\277\125\221\005\172\317\075\025\300\157
++\336\011\224\001\203\327\064\033\314\100\245\360\270\233\147\325
++\230\221\073\247\204\170\225\046\244\132\010\370\053\164\264\000
++\004\074\337\270\024\216\350\337\251\215\154\147\222\063\035\300
++\267\322\354\222\310\276\011\277\054\051\005\157\002\153\236\357
++\274\277\052\274\133\300\120\217\101\160\161\207\262\115\267\004
++\251\204\243\062\257\256\356\153\027\213\262\261\376\154\341\220
++\214\210\250\227\110\316\310\115\313\363\006\317\137\152\012\102
++\261\036\036\167\057\216\240\346\222\016\006\374\005\042\322\046
++\341\061\121\175\062\334\017\002\003\001\000\001\243\043\060\041
++\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006
++\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001
++\377\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
++\003\202\002\001\000\137\064\201\166\357\226\035\325\345\265\331
++\002\143\204\026\301\256\240\160\121\247\367\114\107\065\310\013
++\327\050\075\211\161\331\252\063\101\352\024\033\154\041\000\300
++\154\102\031\176\237\151\133\040\102\337\242\322\332\304\174\227
++\113\215\260\350\254\310\356\245\151\004\231\012\222\246\253\047
++\056\032\115\201\277\204\324\160\036\255\107\376\375\112\235\063
++\340\362\271\304\105\010\041\012\332\151\151\163\162\015\276\064
++\376\224\213\255\303\036\065\327\242\203\357\345\070\307\245\205
++\037\253\317\064\354\077\050\376\014\361\127\206\116\311\125\367
++\034\324\330\245\175\006\172\157\325\337\020\337\201\116\041\145
++\261\266\341\027\171\225\105\006\316\137\314\334\106\211\143\150
++\104\215\223\364\144\160\240\075\235\050\005\303\071\160\270\142
++\173\040\375\344\333\351\010\241\270\236\075\011\307\117\373\054
++\370\223\166\101\336\122\340\341\127\322\235\003\274\167\236\376
++\236\051\136\367\301\121\140\037\336\332\013\262\055\165\267\103
++\110\223\347\366\171\306\204\135\200\131\140\224\374\170\230\217
++\074\223\121\355\100\220\007\337\144\143\044\313\116\161\005\241
++\327\224\032\210\062\361\042\164\042\256\245\246\330\022\151\114
++\140\243\002\356\053\354\324\143\222\013\136\276\057\166\153\243
++\266\046\274\217\003\330\012\362\114\144\106\275\071\142\345\226
++\353\064\143\021\050\314\225\361\255\357\357\334\200\130\110\351
++\113\270\352\145\254\351\374\200\265\265\310\105\371\254\301\237
++\331\271\352\142\210\216\304\361\113\203\022\255\346\213\204\326
++\236\302\353\203\030\237\152\273\033\044\140\063\160\314\354\367
++\062\363\134\331\171\175\357\236\244\376\311\043\303\044\356\025
++\222\261\075\221\117\046\206\275\146\163\044\023\352\244\256\143
++\301\255\175\204\003\074\020\170\206\033\171\343\304\363\362\004
++\225\040\256\043\202\304\263\072\000\142\277\346\066\044\341\127
++\272\307\036\220\165\325\137\077\225\141\053\301\073\315\345\263
++\150\141\320\106\046\251\041\122\151\055\353\056\307\353\167\316
++\246\072\265\003\063\117\166\321\347\134\124\001\135\313\170\364
++\311\014\277\317\022\216\027\055\043\150\224\347\253\376\251\262
++\053\006\320\004\315
++END
++
++# Trust for "TWCA Global Root CA"
++# Issuer: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
++# Serial Number: 3262 (0xcbe)
++# Subject: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
++# Not Valid Before: Wed Jun 27 06:28:33 2012
++# Not Valid After : Tue Dec 31 15:59:59 2030
++# Fingerprint (MD5): F9:03:7E:CF:E6:9E:3C:73:7A:2A:90:07:69:FF:2B:96
++# Fingerprint (SHA1): 9C:BB:48:53:F6:A4:F6:D3:52:A4:E8:32:52:55:60:13:F5:AD:AF:65
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "TWCA Global Root CA"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\234\273\110\123\366\244\366\323\122\244\350\062\122\125\140\023
++\365\255\257\145
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\371\003\176\317\346\236\074\163\172\052\220\007\151\377\053\226
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\121\061\013\060\011\006\003\125\004\006\023\002\124\127\061
++\022\060\020\006\003\125\004\012\023\011\124\101\111\127\101\116
++\055\103\101\061\020\060\016\006\003\125\004\013\023\007\122\157
++\157\164\040\103\101\061\034\060\032\006\003\125\004\003\023\023
++\124\127\103\101\040\107\154\157\142\141\154\040\122\157\157\164
++\040\103\101
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\002\014\276
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ckfw/builtins/nssckbi.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ckfw/builtins/nssckbi.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ckfw/builtins/nssckbi.h	2014-02-10 01:12:13.861913380 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ckfw/builtins/nssckbi.h	2014-02-10 01:13:33.049519361 +0400
+@@ -45,8 +45,8 @@
+  * of the comment in the CK_VERSION type definition.
+  */
+ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
+-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 95
+-#define NSS_BUILTINS_LIBRARY_VERSION "1.95"
++#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 96
++#define NSS_BUILTINS_LIBRARY_VERSION "1.96"
+ 
+ /* These version numbers detail the semantic changes to the ckfw engine. */
+ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/blapi.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/blapi.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/blapi.h	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/blapi.h	2014-02-10 01:13:33.049519361 +0400
+@@ -108,6 +108,174 @@
+ extern SECStatus RSA_PopulatePrivateKey(RSAPrivateKey *key);
+ 
+ /********************************************************************
++** RSA algorithm
++*/
++
++/********************************************************************
++** Raw signing/encryption/decryption operations.
++**
++** No padding or formatting will be applied.
++** inputLen MUST be equivalent to the modulus size (in bytes).
++*/
++extern SECStatus
++RSA_SignRaw(RSAPrivateKey       * key,
++            unsigned char       * output,
++            unsigned int        * outputLen,
++            unsigned int          maxOutputLen,
++            const unsigned char * input,
++            unsigned int          inputLen);
++
++extern SECStatus
++RSA_CheckSignRaw(RSAPublicKey        * key,
++                 const unsigned char * sig,
++                 unsigned int          sigLen,
++                 const unsigned char * hash,
++                 unsigned int          hashLen);
++
++extern SECStatus
++RSA_CheckSignRecoverRaw(RSAPublicKey        * key,
++                        unsigned char       * data,
++                        unsigned int        * dataLen,
++                        unsigned int          maxDataLen,
++                        const unsigned char * sig,
++                        unsigned int          sigLen);
++
++extern SECStatus
++RSA_EncryptRaw(RSAPublicKey        * key,
++               unsigned char       * output,
++               unsigned int        * outputLen,
++               unsigned int          maxOutputLen,
++               const unsigned char * input,
++               unsigned int          inputLen);
++
++extern SECStatus
++RSA_DecryptRaw(RSAPrivateKey       * key,
++               unsigned char       * output,
++               unsigned int        * outputLen,
++               unsigned int          maxOutputLen,
++               const unsigned char * input,
++               unsigned int          inputLen);
++
++/********************************************************************
++** RSAES-OAEP encryption/decryption, as defined in RFC 3447, Section 7.1.
++**
++** Note: Only MGF1 is supported as the mask generation function. It will be
++** used with maskHashAlg as the inner hash function.
++**
++** Unless performing Known Answer Tests, "seed" should be NULL, indicating that
++** freebl should generate a random value. Otherwise, it should be an octet
++** string of seedLen bytes, which should be the same size as the output of
++** hashAlg.
++*/
++extern SECStatus
++RSA_EncryptOAEP(RSAPublicKey        * key,
++                HASH_HashType         hashAlg,
++                HASH_HashType         maskHashAlg,
++                const unsigned char * label,
++                unsigned int          labelLen,
++                const unsigned char * seed,
++                unsigned int          seedLen,
++                unsigned char       * output,
++                unsigned int        * outputLen,
++                unsigned int          maxOutputLen,
++                const unsigned char * input,
++                unsigned int          inputLen);
++
++extern SECStatus
++RSA_DecryptOAEP(RSAPrivateKey       * key,
++                HASH_HashType         hashAlg,
++                HASH_HashType         maskHashAlg,
++                const unsigned char * label,
++                unsigned int          labelLen,
++                unsigned char       * output,
++                unsigned int        * outputLen,
++                unsigned int          maxOutputLen,
++                const unsigned char * input,
++                unsigned int          inputLen);
++
++/********************************************************************
++** RSAES-PKCS1-v1_5 encryption/decryption, as defined in RFC 3447, Section 7.2.
++*/
++extern SECStatus
++RSA_EncryptBlock(RSAPublicKey        * key,
++                 unsigned char       * output,
++                 unsigned int        * outputLen,
++                 unsigned int          maxOutputLen,
++                 const unsigned char * input,
++                 unsigned int          inputLen);
++
++extern SECStatus
++RSA_DecryptBlock(RSAPrivateKey       * key,
++                 unsigned char       * output,
++                 unsigned int        * outputLen,
++                 unsigned int          maxOutputLen,
++                 const unsigned char * input,
++                 unsigned int          inputLen);
++
++/********************************************************************
++** RSASSA-PSS signing/verifying, as defined in RFC 3447, Section 8.1.
++**
++** Note: Only MGF1 is supported as the mask generation function. It will be
++** used with maskHashAlg as the inner hash function.
++**
++** Unless performing Known Answer Tests, "salt" should be NULL, indicating that
++** freebl should generate a random value.
++*/
++extern SECStatus
++RSA_SignPSS(RSAPrivateKey       * key,
++            HASH_HashType         hashAlg,
++            HASH_HashType         maskHashAlg,
++            const unsigned char * salt,
++            unsigned int          saltLen,
++            unsigned char       * output,
++            unsigned int        * outputLen,
++            unsigned int          maxOutputLen,
++            const unsigned char * input,
++            unsigned int          inputLen);
++
++extern SECStatus
++RSA_CheckSignPSS(RSAPublicKey        * key,
++                 HASH_HashType         hashAlg,
++                 HASH_HashType         maskHashAlg,
++                 unsigned int          saltLen,
++                 const unsigned char * sig,
++                 unsigned int          sigLen,
++                 const unsigned char * hash,
++                 unsigned int          hashLen);
++
++/********************************************************************
++** RSASSA-PKCS1-v1_5 signing/verifying, as defined in RFC 3447, Section 8.2.
++**
++** These functions expect as input to be the raw value to be signed. For most
++** cases using PKCS1-v1_5, this should be the value of T, the DER-encoded
++** DigestInfo structure defined in Section 9.2, Step 2.
++** Note: This can also be used for signatures that use PKCS1-v1_5 padding, such
++** as the signatures used in SSL/TLS, which sign a raw hash.
++*/
++extern SECStatus
++RSA_Sign(RSAPrivateKey       * key,
++         unsigned char       * output,
++         unsigned int        * outputLen,
++         unsigned int          maxOutputLen,
++         const unsigned char * data,
++         unsigned int          dataLen);
++
++extern SECStatus
++RSA_CheckSign(RSAPublicKey        * key,
++              const unsigned char * sig,
++              unsigned int          sigLen,
++              const unsigned char * data,
++              unsigned int          dataLen);
++
++extern SECStatus
++RSA_CheckSignRecover(RSAPublicKey        * key,
++                     unsigned char       * output,
++                     unsigned int        * outputLen,
++                     unsigned int          maxOutputLen,
++                     const unsigned char * sig,
++                     unsigned int          sigLen);
++
++/********************************************************************
+ ** DSA signing algorithm
+ */
+ 
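Review bot: The comment above the Raw operations says `inputLen MUST be equivalent to the modulus size`, but RSA_CheckSignRaw and RSA_CheckSignRecoverRaw take no `inputLen`, so it is unclear whether the rule binds `sigLen`, `hashLen` or both. Because these entry points apply no padding, the header should also say that the caller must supply an already encoded block. I would reword the line as `** The input (or sig) length MUST equal the modulus size in bytes; the caller is responsible for all padding and encoding.` Whether the implementations reject other lengths is not visible in this hunk.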
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/dh.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/dh.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/dh.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/dh.c	2014-02-10 01:13:33.049519361 +0400
+@@ -203,7 +203,7 @@
+           SECItem *derivedSecret, 
+           unsigned int outBytes)
+ {
+-    mp_int p, Xa, Yb, ZZ;
++    mp_int p, Xa, Yb, ZZ, psub1;
+     mp_err err = MP_OKAY;
+     int len = 0;
+     unsigned int nb;
+@@ -217,13 +217,33 @@
+     MP_DIGITS(&Xa) = 0;
+     MP_DIGITS(&Yb) = 0;
+     MP_DIGITS(&ZZ) = 0;
++    MP_DIGITS(&psub1) = 0;
+     CHECK_MPI_OK( mp_init(&p)  );
+     CHECK_MPI_OK( mp_init(&Xa) );
+     CHECK_MPI_OK( mp_init(&Yb) );
+     CHECK_MPI_OK( mp_init(&ZZ) );
++    CHECK_MPI_OK( mp_init(&psub1) );
+     SECITEM_TO_MPINT(*publicValue,  &Yb);
+     SECITEM_TO_MPINT(*privateValue, &Xa);
+     SECITEM_TO_MPINT(*prime,        &p);
++    CHECK_MPI_OK( mp_sub_d(&p, 1, &psub1) );
++
++    /* We assume that the modulus, p, is a safe prime. That is, p = 2q+1 where
++     * q is also a prime. Thus the orders of the subgroups are factors of 2q:
++     * namely 1, 2, q and 2q.
++     *
++     * We check that the peer's public value isn't zero (which isn't in the
++     * group), one (subgroup of order one) or p-1 (subgroup of order 2). We
++     * also check that the public value is less than p, to avoid being fooled
++     * by values like p+1 or 2*p-1.
++     *
++     * Thus we must be operating in the subgroup of size q or 2q. */
++    if (mp_cmp_d(&Yb, 1) <= 0 ||
++	mp_cmp(&Yb, &psub1) >= 0) {
++	err = MP_BADARG;
++	goto cleanup;
++    }
++
+     /* ZZ = (Yb)**Xa mod p */
+     CHECK_MPI_OK( mp_exptmod(&Yb, &Xa, &p, &ZZ) );
+     /* number of bytes in the derived secret */
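Review bot: The new range check on `Yb` is sufficient only under the safe-prime assumption the comment states, and nothing in this hunk verifies that `p` has that form. If p-1 has other small factors, a peer value of small order would still satisfy `1 < Yb < p-1`, so the comment's conclusion about the subgroup size would not hold. I would add a line to the comment such as `* NOTE: if p is not a safe prime this check does not exclude small subgroups; the group parameters must be validated by the caller.` The enclosing function starts and ends outside this hunk, so how `err = MP_BADARG` is turned into the return status at `cleanup` is not visible here.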
+@@ -260,6 +280,7 @@
+     mp_clear(&Xa);
+     mp_clear(&Yb);
+     mp_clear(&ZZ);
++    mp_clear(&psub1);
+     if (secret) {
+ 	/* free the buffer allocated for the full secret. */
+ 	PORT_ZFree(secret, len);
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/ldvector.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/ldvector.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/ldvector.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/ldvector.c	2014-02-10 01:13:33.050519343 +0400
+@@ -263,9 +263,26 @@
+     /* End of Version 3.014 */
+ 
+     HMAC_ConstantTime,
+-    SSLv3_MAC_ConstantTime
++    SSLv3_MAC_ConstantTime,
+ 
+     /* End of Version 3.015 */
++
++    RSA_SignRaw,
++    RSA_CheckSignRaw,
++    RSA_CheckSignRecoverRaw,
++    RSA_EncryptRaw,
++    RSA_DecryptRaw,
++    RSA_EncryptOAEP,
++    RSA_DecryptOAEP,
++    RSA_EncryptBlock,
++    RSA_DecryptBlock,
++    RSA_SignPSS,
++    RSA_CheckSignPSS,
++    RSA_Sign,
++    RSA_CheckSign,
++    RSA_CheckSignRecover
++
++    /* End of Version 3.016 */
+ };
+ 
+ const FREEBLVector * 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/loader.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/loader.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/loader.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/loader.c	2014-02-10 01:13:33.050519343 +0400
+@@ -1906,3 +1906,188 @@
+       header, headerLen,
+       body, bodyLen, bodyTotalLen);
+ }
++
++SECStatus RSA_SignRaw(RSAPrivateKey *key,
++                      unsigned char *output,
++                      unsigned int *outputLen,
++                      unsigned int maxOutputLen,
++                      const unsigned char *input,
++                      unsigned int inputLen) {
++  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
++      return SECFailure;
++  return (vector->p_RSA_SignRaw)(key, output, outputLen, maxOutputLen, input,
++                                 inputLen);
++}
++
++SECStatus RSA_CheckSignRaw(RSAPublicKey *key,
++                           const unsigned char *sig,
++                           unsigned int sigLen,
++                           const unsigned char *hash,
++                           unsigned int hashLen) {
++  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
++      return SECFailure;
++  return (vector->p_RSA_CheckSignRaw)(key, sig, sigLen, hash, hashLen);
++}
++
++SECStatus RSA_CheckSignRecoverRaw(RSAPublicKey *key,
++                                  unsigned char *data,
++                                  unsigned int *dataLen,
++                                  unsigned int maxDataLen,
++                                  const unsigned char *sig,
++                                  unsigned int sigLen) {
++  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
++      return SECFailure;
++  return (vector->p_RSA_CheckSignRecoverRaw)(key, data, dataLen, maxDataLen,
++                                             sig, sigLen);
++}
++
++SECStatus RSA_EncryptRaw(RSAPublicKey *key,
++                         unsigned char *output,
++                         unsigned int *outputLen,
++                         unsigned int maxOutputLen,
++                         const unsigned char *input,
++                         unsigned int inputLen) {
++   if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
++      return SECFailure;
++   return (vector->p_RSA_EncryptRaw)(key, output, outputLen, maxOutputLen,
++                                     input, inputLen);
++}
++
++SECStatus RSA_DecryptRaw(RSAPrivateKey *key,
++                         unsigned char *output,
++                         unsigned int *outputLen,
++                         unsigned int maxOutputLen,
++                         const unsigned char *input,
++                         unsigned int inputLen) {
++  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
++      return SECFailure;
++  return (vector->p_RSA_DecryptRaw)(key, output, outputLen, maxOutputLen,
++                                    input, inputLen);
++
++}
++
++SECStatus RSA_EncryptOAEP(RSAPublicKey *key,
++                          HASH_HashType hashAlg,
++                          HASH_HashType maskHashAlg,
++                          const unsigned char *label,
++                          unsigned int labelLen,
++                          const unsigned char *seed,
++                          unsigned int seedLen,
++                          unsigned char *output,
++                          unsigned int *outputLen,
++                          unsigned int maxOutputLen,
++                          const unsigned char *input,
++                          unsigned int inputLen) {
++  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
++      return SECFailure;
++  return (vector->p_RSA_EncryptOAEP)(key, hashAlg, maskHashAlg, label,
++                                     labelLen, seed, seedLen, output,
++                                     outputLen, maxOutputLen, input, inputLen);
++}
++
++SECStatus RSA_DecryptOAEP(RSAPrivateKey *key,
++                          HASH_HashType hashAlg,
++                          HASH_HashType maskHashAlg,
++                          const unsigned char *label,
++                          unsigned int labelLen,
++                          unsigned char *output,
++                          unsigned int *outputLen,
++                          unsigned int maxOutputLen,
++                          const unsigned char *input,
++                          unsigned int inputLen) {
++  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
++      return SECFailure;
++  return (vector->p_RSA_DecryptOAEP)(key, hashAlg, maskHashAlg, label,
++                                     labelLen, output, outputLen,
++                                     maxOutputLen, input, inputLen);
++}
++
++SECStatus RSA_EncryptBlock(RSAPublicKey *key,
++                           unsigned char *output,
++                           unsigned int *outputLen,
++                           unsigned int maxOutputLen,
++                           const unsigned char *input,
++                           unsigned int inputLen) {
++  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
++      return SECFailure;
++  return (vector->p_RSA_EncryptBlock)(key, output, outputLen, maxOutputLen,
++                                      input, inputLen);
++}
++
++SECStatus RSA_DecryptBlock(RSAPrivateKey *key,
++                           unsigned char *output,
++                           unsigned int *outputLen,
++                           unsigned int maxOutputLen,
++                           const unsigned char *input,
++                           unsigned int inputLen) {
++  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
++      return SECFailure;
++  return (vector->p_RSA_DecryptBlock)(key, output, outputLen, maxOutputLen,
++                                      input, inputLen);
++}
++
++SECStatus RSA_SignPSS(RSAPrivateKey *key,
++                      HASH_HashType hashAlg,
++                      HASH_HashType maskHashAlg,
++                      const unsigned char *salt,
++                      unsigned int saltLen,
++                      unsigned char *output,
++                      unsigned int *outputLen,
++                      unsigned int maxOutputLen,
++                      const unsigned char *input,
++                      unsigned int inputLen) {
++  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
++      return SECFailure;
++  return (vector->p_RSA_SignPSS)(key, hashAlg, maskHashAlg, salt, saltLen,
++                                 output, outputLen, maxOutputLen, input,
++                                 inputLen);
++}
++
++SECStatus RSA_CheckSignPSS(RSAPublicKey *key,
++                           HASH_HashType hashAlg,
++                           HASH_HashType maskHashAlg,
++                           unsigned int saltLen,
++                           const unsigned char *sig,
++                           unsigned int sigLen,
++                           const unsigned char *hash,
++                           unsigned int hashLen) {
++  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
++      return SECFailure;
++  return (vector->p_RSA_CheckSignPSS)(key, hashAlg, maskHashAlg, saltLen,
++                                      sig, sigLen, hash, hashLen);
++}
++
++SECStatus RSA_Sign(RSAPrivateKey *key,
++                   unsigned char *output,
++                   unsigned int *outputLen,
++                   unsigned int maxOutputLen,
++                   const unsigned char *input,
++                   unsigned int inputLen) {
++  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
++      return SECFailure;
++  return (vector->p_RSA_Sign)(key, output, outputLen, maxOutputLen, input,
++                              inputLen);
++}
++
++SECStatus RSA_CheckSign(RSAPublicKey *key,
++                        const unsigned char *sig,
++                        unsigned int sigLen,
++                        const unsigned char *data,
++                        unsigned int dataLen) {
++  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
++      return SECFailure;
++  return (vector->p_RSA_CheckSign)(key, sig, sigLen, data, dataLen);
++
++}
++
++SECStatus RSA_CheckSignRecover(RSAPublicKey *key,
++                               unsigned char *output,
++                               unsigned int *outputLen,
++                               unsigned int maxOutputLen,
++                               const unsigned char *sig,
++                               unsigned int sigLen) {
++  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
++      return SECFailure;
++  return (vector->p_RSA_CheckSignRecover)(key, output, outputLen, maxOutputLen,
++                                          sig, sigLen);
++}
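Review bot: The fourteen stubs appended here carry no comment, so nothing tells a caller which of the new exports apply a PKCS #1 encoding and which do not. In rsapkcs.c, added by the same patch, `RSA_SignRaw` and `RSA_EncryptRaw` format with `RSA_BlockRaw`, which only left-pads with zeros and leaves recovery of the data to the application. A header comment on the group would make that visible at the public entry points, e.g. `/* Loader stubs for the RSA entry points added in vector version 3.016. The *Raw variants apply no PKCS #1 encoding; padding is the caller's job. */`. As a style point, `RSA_EncryptRaw` is indented three spaces where the other stubs use two, and `RSA_DecryptRaw` and `RSA_CheckSign` have a stray blank line before the closing brace.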
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/loader.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/loader.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/loader.h	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/loader.h	2014-02-10 01:13:33.050519343 +0400
+@@ -10,7 +10,7 @@
+ 
+ #include "blapi.h"
+ 
+-#define FREEBL_VERSION 0x030F
++#define FREEBL_VERSION 0x0310
+ 
+ struct FREEBLVectorStr {
+ 
+@@ -596,6 +596,110 @@
+      unsigned int bodyTotalLen);
+ 
+   /* Version 3.015 came to here */
++
++ SECStatus (* p_RSA_SignRaw)(RSAPrivateKey *key,
++                             unsigned char *output,
++                             unsigned int *outputLen,
++                             unsigned int maxOutputLen,
++                             const unsigned char *input,
++                             unsigned int inputLen);
++ SECStatus (* p_RSA_CheckSignRaw)(RSAPublicKey *key,
++                                  const unsigned char *sig,
++                                  unsigned int sigLen,
++                                  const unsigned char *hash,
++                                  unsigned int hashLen);
++ SECStatus (* p_RSA_CheckSignRecoverRaw)(RSAPublicKey *key,
++                                         unsigned char *data,
++                                         unsigned int *dataLen,
++                                         unsigned int maxDataLen,
++                                         const unsigned char *sig,
++                                         unsigned int sigLen);
++ SECStatus (* p_RSA_EncryptRaw)(RSAPublicKey *key,
++                                unsigned char *output,
++                                unsigned int *outputLen,
++                                unsigned int maxOutputLen,
++                                const unsigned char *input,
++                                unsigned int inputLen);
++ SECStatus (* p_RSA_DecryptRaw)(RSAPrivateKey *key,
++                                unsigned char *output,
++                                unsigned int *outputLen,
++                                unsigned int maxOutputLen,
++                                const unsigned char *input,
++                                unsigned int inputLen);
++ SECStatus (* p_RSA_EncryptOAEP)(RSAPublicKey *key,
++                                 HASH_HashType hashAlg,
++                                 HASH_HashType maskHashAlg,
++                                 const unsigned char *label,
++                                 unsigned int labelLen,
++                                 const unsigned char *seed,
++                                 unsigned int seedLen,
++                                 unsigned char *output,
++                                 unsigned int *outputLen,
++                                 unsigned int maxOutputLen,
++                                 const unsigned char *input,
++                                 unsigned int inputLen);
++ SECStatus (* p_RSA_DecryptOAEP)(RSAPrivateKey *key,
++                                 HASH_HashType hashAlg,
++                                 HASH_HashType maskHashAlg,
++                                 const unsigned char *label,
++                                 unsigned int labelLen,
++                                 unsigned char *output,
++                                 unsigned int *outputLen,
++                                 unsigned int maxOutputLen,
++                                 const unsigned char *input,
++                                 unsigned int inputLen);
++ SECStatus (* p_RSA_EncryptBlock)(RSAPublicKey *key,
++                                  unsigned char *output,
++                                  unsigned int *outputLen,
++                                  unsigned int maxOutputLen,
++                                  const unsigned char *input,
++                                  unsigned int inputLen);
++ SECStatus (* p_RSA_DecryptBlock)(RSAPrivateKey *key,
++                                  unsigned char *output,
++                                  unsigned int *outputLen,
++                                  unsigned int maxOutputLen,
++                                  const unsigned char *input,
++                                  unsigned int inputLen);
++ SECStatus (* p_RSA_SignPSS)(RSAPrivateKey *key,
++                             HASH_HashType hashAlg,
++                             HASH_HashType maskHashAlg,
++                             const unsigned char *salt,
++                             unsigned int saltLen,
++                             unsigned char *output,
++                             unsigned int *outputLen,
++                             unsigned int maxOutputLen,
++                             const unsigned char *input,
++                             unsigned int inputLen);
++ SECStatus (* p_RSA_CheckSignPSS)(RSAPublicKey *key,
++                                  HASH_HashType hashAlg,
++                                  HASH_HashType maskHashAlg,
++                                  unsigned int saltLen,
++                                  const unsigned char *sig,
++                                  unsigned int sigLen,
++                                  const unsigned char *hash,
++                                  unsigned int hashLen);
++ SECStatus (* p_RSA_Sign)(RSAPrivateKey *key,
++                          unsigned char *output,
++                          unsigned int *outputLen,
++                          unsigned int maxOutputLen,
++                          const unsigned char *input,
++                          unsigned int inputLen);
++ SECStatus (* p_RSA_CheckSign)(RSAPublicKey *key,
++                               const unsigned char *sig,
++                               unsigned int sigLen,
++                               const unsigned char *data,
++                               unsigned int dataLen);
++ SECStatus (* p_RSA_CheckSignRecover)(RSAPublicKey *key,
++                                      unsigned char *output,
++                                      unsigned int *outputLen,
++                                      unsigned int maxOutputLen,
++                                      const unsigned char *sig,
++                                      unsigned int sigLen);
++
++  /* Version 3.016 came to here */
++
++  /* Add new function pointers at the end of this struct and bump
++   * FREEBL_VERSION at the beginning of this file. */
+  };
+ 
+ typedef struct FREEBLVectorStr FREEBLVector;
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/manifest.mn seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/manifest.mn
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/manifest.mn	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/manifest.mn	2014-02-10 01:13:33.050519343 +0400
+@@ -113,6 +113,7 @@
+ 	pqg.c \
+ 	dsa.c \
+ 	rsa.c \
++	rsapkcs.c \
+ 	shvfy.c \
+ 	tlsprfalg.c \
+ 	seed.c \
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/rijndael.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/rijndael.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/rijndael.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/rijndael.c	2014-02-10 01:13:33.050519343 +0400
+@@ -27,7 +27,6 @@
+ static int has_intel_avx = 0;
+ static int has_intel_clmul = 0;
+ static PRBool use_hw_aes = PR_FALSE;
+-static PRBool use_hw_avx = PR_FALSE;
+ static PRBool use_hw_gcm = PR_FALSE;
+ #endif
+ 
+@@ -967,6 +966,25 @@
+ }
+ 
+ 
++#if USE_HW_AES
++/*
++ * Adapted from the example code in "How to detect New Instruction support in
++ * the 4th generation Intel Core processor family" by Max Locktyukhin.
++ */
++static PRBool
++check_xcr0_ymm()
++{
++    PRUint32 xcr0;
++#if defined(_MSC_VER)
++    xcr0 = (PRUint32)_xgetbv(0);  /* Requires VS2010 SP1 or later. */
++#else
++    __asm__ ("xgetbv" : "=a" (xcr0) : "c" (0) : "%edx");
++#endif
++    /* Check if xmm and ymm state are enabled in XCR0. */
++    return (xcr0 & 6) == 6;
++}
++#endif
++
+ /*
+ ** Initialize a new AES context suitable for AES encryption/decryption in
+ ** the ECB or CBC mode.
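Review bot: `check_xcr0_ymm()` executes `xgetbv` unconditionally, which is only valid once CPUID.1:ECX bit 27 (OSXSAVE) is known to be set, and the function has no comment stating that precondition. The call site in the following hunk does test bit 27 first, so the code as written is safe, but only because of the short-circuit order of that `&&`. A line such as `/* Caller must have confirmed OSXSAVE (CPUID.1:ECX bit 27); xgetbv faults otherwise. */` above the function would keep a later caller from breaking it. In C the definition should also read `check_xcr0_ymm(void)`, and the bare `27` and `28` at the call site would be clearer with a comment naming OSXSAVE and AVX.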
+@@ -1013,7 +1031,12 @@
+ 	    freebl_cpuid(1, &eax, &ebx, &ecx, &edx);
+ 	    has_intel_aes = (ecx & (1 << 25)) != 0 ? 1 : -1;
+ 	    has_intel_clmul = (ecx & (1 << 1)) != 0 ? 1 : -1;
+-	    has_intel_avx = (ecx & (1 << 28)) != 0 ? 1 : -1;
++	    if ((ecx & (1 << 27)) != 0 && (ecx & (1 << 28)) != 0 &&
++		check_xcr0_ymm()) {
++		has_intel_avx = 1;
++	    } else {
++		has_intel_avx = -1;
++	    }
+ 	} else {
+ 	    has_intel_aes = -1;
+ 	    has_intel_avx = -1;
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/rsapkcs.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/rsapkcs.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/rsapkcs.c	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/rsapkcs.c	2014-02-10 01:13:33.051519325 +0400
+@@ -0,0 +1,1382 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++/*
++ * RSA PKCS#1 v2.1 (RFC 3447) operations
++ */
++
++#ifdef FREEBL_NO_DEPEND
++#include "stubs.h"
++#endif
++
++#include "secerr.h"
++
++#include "blapi.h"
++#include "secitem.h"
++#include "blapii.h"
++
++#define RSA_BLOCK_MIN_PAD_LEN            8
++#define RSA_BLOCK_FIRST_OCTET            0x00
++#define RSA_BLOCK_PRIVATE_PAD_OCTET      0xff
++#define RSA_BLOCK_AFTER_PAD_OCTET        0x00
++
++/*
++ * RSA block types
++ *
++ * The actual values are important -- they are fixed, *not* arbitrary.
++ * The explicit value assignments are not needed (because C would give
++ * us those same values anyway) but are included as a reminder...
++ */
++typedef enum {
++    RSA_BlockUnused = 0,    /* unused */
++    RSA_BlockPrivate = 1,   /* pad for a private-key operation */
++    RSA_BlockPublic = 2,    /* pad for a public-key operation */
++    RSA_BlockRaw = 4,       /* simply justify the block appropriately */
++    RSA_BlockTotal
++} RSA_BlockType;
++
++/* Needed for RSA-PSS functions */
++static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
++
++/* Constant time comparison of a single byte.
++ * Returns 1 iff a == b, otherwise returns 0.
++ * Note: For ranges of bytes, use constantTimeCompare.
++ */
++static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) {
++    unsigned char c = ~((a - b) | (b - a));
++    c >>= 7;
++    return c;
++}
++
++/* Constant time comparison of a range of bytes.
++ * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise
++ * returns 0.
++ */
++static unsigned char constantTimeCompare(const unsigned char *a,
++                                         const unsigned char *b,
++                                         unsigned int len) {
++    unsigned char tmp = 0;
++    unsigned int i;
++    for (i = 0; i < len; ++i, ++a, ++b)
++        tmp |= *a ^ *b;
++    return constantTimeEQ8(0x00, tmp);
++}
++
++/* Constant time conditional.
++ * Returns a if c is 1, or b if c is 0. The result is undefined if c is
++ * not 0 or 1.
++ */
++static unsigned int constantTimeCondition(unsigned int c,
++                                          unsigned int a,
++                                          unsigned int b)
++{
++    return (~(c - 1) & a) | ((c - 1) & b);
++}
++
++static unsigned int
++rsa_modulusLen(SECItem * modulus)
++{
++    unsigned char byteZero = modulus->data[0];
++    unsigned int modLen = modulus->len - !byteZero;
++    return modLen;
++}
++
++/*
++ * Format one block of data for public/private key encryption using
++ * the rules defined in PKCS #1.
++ */
++static unsigned char *
++rsa_FormatOneBlock(unsigned modulusLen,
++                   RSA_BlockType blockType,
++                   SECItem * data)
++{
++    unsigned char *block;
++    unsigned char *bp;
++    int padLen;
++    int i, j;
++    SECStatus rv;
++
++    block = (unsigned char *) PORT_Alloc(modulusLen);
++    if (block == NULL)
++        return NULL;
++
++    bp = block;
++
++    /*
++     * All RSA blocks start with two octets:
++     *	0x00 || BlockType
++     */
++    *bp++ = RSA_BLOCK_FIRST_OCTET;
++    *bp++ = (unsigned char) blockType;
++
++    switch (blockType) {
++
++      /*
++       * Blocks intended for private-key operation.
++       */
++      case RSA_BlockPrivate:	 /* preferred method */
++        /*
++         * 0x00 || BT || Pad || 0x00 || ActualData
++         *   1      1   padLen    1      data->len
++         * Pad is either all 0x00 or all 0xff bytes, depending on blockType.
++         */
++        padLen = modulusLen - data->len - 3;
++        PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
++        if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
++            PORT_Free(block);
++            return NULL;
++        }
++        PORT_Memset(bp, RSA_BLOCK_PRIVATE_PAD_OCTET, padLen);
++        bp += padLen;
++        *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
++        PORT_Memcpy(bp, data->data, data->len);
++        break;
++
++      /*
++       * Blocks intended for public-key operation.
++       */
++      case RSA_BlockPublic:
++        /*
++         * 0x00 || BT || Pad || 0x00 || ActualData
++         *   1      1   padLen    1      data->len
++         * Pad is all non-zero random bytes.
++         *
++         * Build the block left to right.
++         * Fill the entire block from Pad to the end with random bytes.
++         * Use the bytes after Pad as a supply of extra random bytes from
++         * which to find replacements for the zero bytes in Pad.
++         * If we need more than that, refill the bytes after Pad with
++         * new random bytes as necessary.
++         */
++        padLen = modulusLen - (data->len + 3);
++        PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
++        if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
++            PORT_Free(block);
++            return NULL;
++        }
++        j = modulusLen - 2;
++        rv = RNG_GenerateGlobalRandomBytes(bp, j);
++        if (rv == SECSuccess) {
++            for (i = 0; i < padLen; ) {
++                unsigned char repl;
++                /* Pad with non-zero random data. */
++                if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) {
++                    ++i;
++                    continue;
++                }
++                if (j <= padLen) {
++                    rv = RNG_GenerateGlobalRandomBytes(bp + padLen,
++                                          modulusLen - (2 + padLen));
++                    if (rv != SECSuccess)
++                        break;
++                    j = modulusLen - 2;
++                }
++                do {
++                    repl = bp[--j];
++                } while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen);
++                if (repl != RSA_BLOCK_AFTER_PAD_OCTET) {
++                    bp[i++] = repl;
++                }
++            }
++        }
++        if (rv != SECSuccess) {
++            PORT_Free(block);
++            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++            return NULL;
++        }
++        bp += padLen;
++        *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
++        PORT_Memcpy(bp, data->data, data->len);
++        break;
++
++      default:
++        PORT_Assert(0);
++        PORT_Free(block);
++        return NULL;
++    }
++
++    return block;
++}
++
++static SECStatus
++rsa_FormatBlock(SECItem * result,
++                unsigned modulusLen,
++                RSA_BlockType blockType,
++                SECItem * data)
++{
++    switch (blockType) {
++      case RSA_BlockPrivate:
++      case RSA_BlockPublic:
++        /*
++         * 0x00 || BT || Pad || 0x00 || ActualData
++         *
++         * The "3" below is the first octet + the second octet + the 0x00
++         * octet that always comes just before the ActualData.
++         */
++        PORT_Assert(data->len <= (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)));
++
++        result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
++        if (result->data == NULL) {
++            result->len = 0;
++            return SECFailure;
++        }
++        result->len = modulusLen;
++
++        break;
++
++      case RSA_BlockRaw:
++        /*
++         * Pad || ActualData
++         * Pad is zeros. The application is responsible for recovering
++         * the actual data.
++         */
++        if (data->len > modulusLen ) {
++            return SECFailure;
++        }
++        result->data = (unsigned char*)PORT_ZAlloc(modulusLen);
++        result->len = modulusLen;
++        PORT_Memcpy(result->data + (modulusLen - data->len),
++                    data->data, data->len);
++        break;
++
++      default:
++        PORT_Assert(0);
++        result->data = NULL;
++        result->len = 0;
++        return SECFailure;
++    }
++
++    return SECSuccess;
++}
++
++/*
++ * Mask generation function MGF1 as defined in PKCS #1 v2.1 / RFC 3447.
++ */
++static SECStatus
++MGF1(HASH_HashType hashAlg,
++     unsigned char * mask,
++     unsigned int maskLen,
++     const unsigned char * mgfSeed,
++     unsigned int mgfSeedLen)
++{
++    unsigned int digestLen;
++    PRUint32 counter;
++    PRUint32 rounds;
++    unsigned char * tempHash;
++    unsigned char * temp;
++    const SECHashObject * hash;
++    void * hashContext;
++    unsigned char C[4];
++
++    hash = HASH_GetRawHashObject(hashAlg);
++    if (hash == NULL)
++        return SECFailure;
++
++    hashContext = (*hash->create)();
++    rounds = (maskLen + hash->length - 1) / hash->length;
++    for (counter = 0; counter < rounds; counter++) {
++        C[0] = (unsigned char)((counter >> 24) & 0xff);
++        C[1] = (unsigned char)((counter >> 16) & 0xff);
++        C[2] = (unsigned char)((counter >> 8) & 0xff);
++        C[3] = (unsigned char)(counter & 0xff);
++
++        /* This could be optimized when the clone functions in
++         * rawhash.c are implemented. */
++        (*hash->begin)(hashContext);
++        (*hash->update)(hashContext, mgfSeed, mgfSeedLen);
++        (*hash->update)(hashContext, C, sizeof C);
++
++        tempHash = mask + counter * hash->length;
++        if (counter != (rounds - 1)) {
++            (*hash->end)(hashContext, tempHash, &digestLen, hash->length);
++        } else { /* we're in the last round and need to cut the hash */
++            temp = (unsigned char *)PORT_Alloc(hash->length);
++            (*hash->end)(hashContext, temp, &digestLen, hash->length);
++            PORT_Memcpy(tempHash, temp, maskLen - counter * hash->length);
++            PORT_Free(temp);
++        }
++    }
++    (*hash->destroy)(hashContext, PR_TRUE);
++
++    return SECSuccess;
++}
++
++/* XXX Doesn't set error code */
++SECStatus
++RSA_SignRaw(RSAPrivateKey * key,
++            unsigned char * output,
++            unsigned int * outputLen,
++            unsigned int maxOutputLen,
++            const unsigned char * data,
++            unsigned int dataLen)
++{
++    SECStatus rv = SECSuccess;
++    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
++    SECItem formatted;
++    SECItem unformatted;
++
++    if (maxOutputLen < modulusLen)
++        return SECFailure;
++
++    unformatted.len  = dataLen;
++    unformatted.data = (unsigned char*)data;
++    formatted.data   = NULL;
++    rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockRaw, &unformatted);
++    if (rv != SECSuccess)
++        goto done;
++
++    rv = RSA_PrivateKeyOpDoubleChecked(key, output, formatted.data);
++    *outputLen = modulusLen;
++
++done:
++    if (formatted.data != NULL)
++        PORT_ZFree(formatted.data, modulusLen);
++    return rv;
++}
++
++/* XXX Doesn't set error code */
++SECStatus
++RSA_CheckSignRaw(RSAPublicKey * key,
++                 const unsigned char * sig,
++                 unsigned int sigLen,
++                 const unsigned char * hash,
++                 unsigned int hashLen)
++{
++    SECStatus rv;
++    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
++    unsigned char * buffer;
++
++    if (sigLen != modulusLen)
++        goto failure;
++    if (hashLen > modulusLen)
++        goto failure;
++
++    buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
++    if (!buffer)
++        goto failure;
++
++    rv = RSA_PublicKeyOp(key, buffer, sig);
++    if (rv != SECSuccess)
++        goto loser;
++
++    /*
++     * make sure we get the same results
++     */
++    /* XXX(rsleevi): Constant time */
++    /* NOTE: should we verify the leading zeros? */
++    if (PORT_Memcmp(buffer + (modulusLen - hashLen), hash, hashLen) != 0)
++        goto loser;
++
++    PORT_Free(buffer);
++    return SECSuccess;
++
++loser:
++    PORT_Free(buffer);
++failure:
++    return SECFailure;
++}
++
++/* XXX Doesn't set error code */
++SECStatus
++RSA_CheckSignRecoverRaw(RSAPublicKey * key,
++                        unsigned char * data,
++                        unsigned int * dataLen,
++                        unsigned int maxDataLen,
++                        const unsigned char * sig,
++                        unsigned int sigLen)
++{
++    SECStatus rv;
++    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
++
++    if (sigLen != modulusLen)
++        goto failure;
++    if (maxDataLen < modulusLen)
++        goto failure;
++
++    rv = RSA_PublicKeyOp(key, data, sig);
++    if (rv != SECSuccess)
++        goto failure;
++
++    *dataLen = modulusLen;
++    return SECSuccess;
++
++failure:
++    return SECFailure;
++}
++
++/* XXX Doesn't set error code */
++SECStatus
++RSA_EncryptRaw(RSAPublicKey * key,
++               unsigned char * output,
++               unsigned int * outputLen,
++               unsigned int maxOutputLen,
++               const unsigned char * input,
++               unsigned int inputLen)
++{
++    SECStatus rv;
++    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
++    SECItem formatted;
++    SECItem unformatted;
++
++    formatted.data = NULL;
++    if (maxOutputLen < modulusLen)
++        goto failure;
++
++    unformatted.len  = inputLen;
++    unformatted.data = (unsigned char*)input;
++    formatted.data   = NULL;
++    rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockRaw, &unformatted);
++    if (rv != SECSuccess)
++        goto failure;
++
++    rv = RSA_PublicKeyOp(key, output, formatted.data);
++    if (rv != SECSuccess)
++        goto failure;
++
++    PORT_ZFree(formatted.data, modulusLen);
++    *outputLen = modulusLen;
++    return SECSuccess;
++
++failure:
++    if (formatted.data != NULL)
++        PORT_ZFree(formatted.data, modulusLen);
++    return SECFailure;
++}
++
++/* XXX Doesn't set error code */
++SECStatus
++RSA_DecryptRaw(RSAPrivateKey * key,
++               unsigned char * output,
++               unsigned int * outputLen,
++               unsigned int maxOutputLen,
++               const unsigned char * input,
++               unsigned int inputLen)
++{
++    SECStatus rv;
++    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
++
++    if (modulusLen > maxOutputLen)
++        goto failure;
++    if (inputLen != modulusLen)
++        goto failure;
++
++    rv = RSA_PrivateKeyOp(key, output, input);
++    if (rv != SECSuccess)
++        goto failure;
++
++    *outputLen = modulusLen;
++    return SECSuccess;
++
++failure:
++    return SECFailure;
++}
++
++/*
++ * Decodes an EME-OAEP encoded block, validating the encoding in constant
++ * time.
++ * Described in RFC 3447, section 7.1.2.
++ * input contains the encoded block, after decryption.
++ * label is the optional value L that was associated with the message.
++ * On success, the original message and message length will be stored in
++ * output and outputLen.
++ */
++static SECStatus
++eme_oaep_decode(unsigned char * output,
++                unsigned int * outputLen,
++                unsigned int maxOutputLen,
++                const unsigned char * input,
++                unsigned int inputLen,
++                HASH_HashType hashAlg,
++                HASH_HashType maskHashAlg,
++                const unsigned char * label,
++                unsigned int labelLen)
++{
++    const SECHashObject * hash;
++    void * hashContext;
++    SECStatus rv = SECFailure;
++    unsigned char labelHash[HASH_LENGTH_MAX];
++    unsigned int i;
++    unsigned int maskLen;
++    unsigned int paddingOffset;
++    unsigned char * mask = NULL;
++    unsigned char * tmpOutput = NULL;
++    unsigned char isGood;
++    unsigned char foundPaddingEnd;
++
++    hash = HASH_GetRawHashObject(hashAlg);
++
++    /* 1.c */
++    if (inputLen < (hash->length * 2) + 2) {
++        PORT_SetError(SEC_ERROR_INPUT_LEN);
++        return SECFailure;
++    }
++
++    /* Step 3.a - Generate lHash */
++    hashContext = (*hash->create)();
++    if (hashContext == NULL) {
++        PORT_SetError(SEC_ERROR_NO_MEMORY);
++        return SECFailure;
++    }
++    (*hash->begin)(hashContext);
++    if (labelLen > 0)
++        (*hash->update)(hashContext, label, labelLen);
++    (*hash->end)(hashContext, labelHash, &i, sizeof(labelHash));
++    (*hash->destroy)(hashContext, PR_TRUE);
++
++    tmpOutput = (unsigned char*)PORT_Alloc(inputLen);
++    if (tmpOutput == NULL) {
++        PORT_SetError(SEC_ERROR_NO_MEMORY);
++        goto done;
++    }
++
++    maskLen = inputLen - hash->length - 1;
++    mask = (unsigned char*)PORT_Alloc(maskLen);
++    if (mask == NULL) {
++        PORT_SetError(SEC_ERROR_NO_MEMORY);
++        goto done;
++    }
++
++    PORT_Memcpy(tmpOutput, input, inputLen);
++
++    /* 3.c - Generate seedMask */
++    MGF1(maskHashAlg, mask, hash->length, &tmpOutput[1 + hash->length],
++         inputLen - hash->length - 1);
++    /* 3.d - Unmask seed */
++    for (i = 0; i < hash->length; ++i)
++        tmpOutput[1 + i] ^= mask[i];
++
++    /* 3.e - Generate dbMask */
++    MGF1(maskHashAlg, mask, maskLen, &tmpOutput[1], hash->length);
++    /* 3.f - Unmask DB */
++    for (i = 0; i < maskLen; ++i)
++        tmpOutput[1 + hash->length + i] ^= mask[i];
++
++    /* 3.g - Compare Y, lHash, and PS in constant time
++     * Warning: This code is timing dependent and must not disclose which of
++     * these were invalid.
++     */
++    paddingOffset = 0;
++    isGood = 1;
++    foundPaddingEnd = 0;
++
++    /* Compare Y */
++    isGood &= constantTimeEQ8(0x00, tmpOutput[0]);
++
++    /* Compare lHash and lHash' */
++    isGood &= constantTimeCompare(&labelHash[0],
++                                  &tmpOutput[1 + hash->length],
++                                  hash->length);
++
++    /* Compare that the padding is zero or more zero octets, followed by a
++     * 0x01 octet */
++    for (i = 1 + (hash->length * 2); i < inputLen; ++i) {
++        unsigned char isZero = constantTimeEQ8(0x00, tmpOutput[i]);
++        unsigned char isOne = constantTimeEQ8(0x01, tmpOutput[i]);
++        /* non-constant time equivalent:
++         * if (tmpOutput[i] == 0x01 && !foundPaddingEnd)
++         *     paddingOffset = i;
++         */
++        paddingOffset = constantTimeCondition(isOne & ~foundPaddingEnd, i,
++                                              paddingOffset);
++        /* non-constant time equivalent:
++         * if (tmpOutput[i] == 0x01)
++         *    foundPaddingEnd = true;
++         *
++         * Note: This may yield false positives, as it will be set whenever
++         * a 0x01 byte is encountered. If there was bad padding (eg:
++         * 0x03 0x02 0x01), foundPaddingEnd will still be set to true, and
++         * paddingOffset will still be set to 2.
++         */
++        foundPaddingEnd = constantTimeCondition(isOne, 1, foundPaddingEnd);
++        /* non-constant time equivalent:
++         * if (tmpOutput[i] != 0x00 && tmpOutput[i] != 0x01 &&
++         *     !foundPaddingEnd) {
++         *    isGood = false;
++         * }
++         *
++         * Note: This may yield false positives, as a message (and padding)
++         * that is entirely zeros will result in isGood still being true. Thus
++         * it's necessary to check foundPaddingEnd is positive below.
++         */
++        isGood = constantTimeCondition(~foundPaddingEnd & ~isZero, 0, isGood);
++    }
++
++    /* While both isGood and foundPaddingEnd may have false positives, they
++     * cannot BOTH have false positives. If both are not true, then an invalid
++     * message was received. Note, this comparison must still be done in constant
++     * time so as not to leak either condition.
++     */
++    if (!(isGood & foundPaddingEnd)) {
++        PORT_SetError(SEC_ERROR_BAD_DATA);
++        goto done;
++    }
++
++    /* End timing dependent code */
++
++    ++paddingOffset; /* Skip the 0x01 following the end of PS */
++
++    *outputLen = inputLen - paddingOffset;
++    if (*outputLen > maxOutputLen) {
++        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
++        goto done;
++    }
++
++    if (*outputLen)
++        PORT_Memcpy(output, &tmpOutput[paddingOffset], *outputLen);
++    rv = SECSuccess;
++
++done:
++    if (mask)
++        PORT_ZFree(mask, maskLen);
++    if (tmpOutput)
++        PORT_ZFree(tmpOutput, inputLen);
++    return rv;
++}
++
++/*
++ * Generate an EME-OAEP encoded block for encryption
++ * Described in RFC 3447, section 7.1.1
++ * We use input instead of M for the message to be encrypted
++ * label is the optional value L to be associated with the message.
++ */
++static SECStatus
++eme_oaep_encode(unsigned char * em,
++                unsigned int emLen,
++                const unsigned char * input,
++                unsigned int inputLen,
++                HASH_HashType hashAlg,
++                HASH_HashType maskHashAlg,
++                const unsigned char * label,
++                unsigned int labelLen,
++                const unsigned char * seed,
++                unsigned int seedLen)
++{
++    const SECHashObject * hash;
++    void * hashContext;
++    SECStatus rv;
++    unsigned char * mask;
++    unsigned int reservedLen;
++    unsigned int dbMaskLen;
++    unsigned int i;
++
++    hash = HASH_GetRawHashObject(hashAlg);
++    PORT_Assert(seed == NULL || seedLen == hash->length);
++
++    /* Step 1.b */
++    reservedLen = (2 * hash->length) + 2;
++    if (emLen < reservedLen || inputLen > (emLen - reservedLen)) {
++        PORT_SetError(SEC_ERROR_INPUT_LEN);
++        return SECFailure;
++    }
++
++    /*
++     * From RFC 3447, Section 7.1
++     *                      +----------+---------+-------+
++     *                 DB = |  lHash   |    PS   |   M   |
++     *                      +----------+---------+-------+
++     *                                     |
++     *           +----------+              V
++     *           |   seed   |--> MGF ---> xor
++     *           +----------+              |
++     *                 |                   |
++     *        +--+     V                   |
++     *        |00|    xor <----- MGF <-----|
++     *        +--+     |                   |
++     *          |      |                   |
++     *          V      V                   V
++     *        +--+----------+----------------------------+
++     *  EM =  |00|maskedSeed|          maskedDB          |
++     *        +--+----------+----------------------------+
++     *
++     * We use mask to hold the result of the MGF functions, and all other
++     * values are generated in their final resting place.
++     */
++    *em = 0x00;
++
++    /* Step 2.a - Generate lHash */
++    hashContext = (*hash->create)();
++    if (hashContext == NULL) {
++        PORT_SetError(SEC_ERROR_NO_MEMORY);
++        return SECFailure;
++    }
++    (*hash->begin)(hashContext);
++    if (labelLen > 0)
++        (*hash->update)(hashContext, label, labelLen);
++    (*hash->end)(hashContext, &em[1 + hash->length], &i, hash->length);
++    (*hash->destroy)(hashContext, PR_TRUE);
++
++    /* Step 2.b - Generate PS */
++    if (emLen - reservedLen - inputLen > 0) {
++        PORT_Memset(em + 1 + (hash->length * 2), 0x00,
++                    emLen - reservedLen - inputLen);
++    }
++
++    /* Step 2.c. - Generate DB
++     * DB = lHash || PS || 0x01 || M
++     * Note that PS and lHash have already been placed into em at their
++     * appropriate offsets. This just copies M into place
++     */
++    em[emLen - inputLen - 1] = 0x01;
++    if (inputLen)
++        PORT_Memcpy(em + emLen - inputLen, input, inputLen);
++
++    if (seed == NULL) {
++        /* Step 2.d - Generate seed */
++        rv = RNG_GenerateGlobalRandomBytes(em + 1, hash->length);
++        if (rv != SECSuccess) {
++            return rv;
++        }
++    } else {
++        /* For Known Answer Tests, copy the supplied seed. */
++        PORT_Memcpy(em + 1, seed, seedLen);
++    }
++
++    /* Step 2.e - Generate dbMask*/
++    dbMaskLen = emLen - hash->length - 1;
++    mask = (unsigned char*)PORT_Alloc(dbMaskLen);
++    if (mask == NULL) {
++        PORT_SetError(SEC_ERROR_NO_MEMORY);
++        return SECFailure;
++    }
++    MGF1(maskHashAlg, mask, dbMaskLen, em + 1, hash->length);
++    /* Step 2.f - Compute maskedDB*/
++    for (i = 0; i < dbMaskLen; ++i)
++        em[1 + hash->length + i] ^= mask[i];
++
++    /* Step 2.g - Generate seedMask */
++    MGF1(maskHashAlg, mask, hash->length, &em[1 + hash->length], dbMaskLen);
++    /* Step 2.h - Compute maskedSeed */
++    for (i = 0; i < hash->length; ++i)
++        em[1 + i] ^= mask[i];
++
++    PORT_ZFree(mask, dbMaskLen);
++    return SECSuccess;
++}
++
++SECStatus
++RSA_EncryptOAEP(RSAPublicKey * key,
++                HASH_HashType hashAlg,
++                HASH_HashType maskHashAlg,
++                const unsigned char * label,
++                unsigned int labelLen,
++                const unsigned char * seed,
++                unsigned int seedLen,
++                unsigned char * output,
++                unsigned int * outputLen,
++                unsigned int maxOutputLen,
++                const unsigned char * input,
++                unsigned int inputLen)
++{
++    SECStatus rv = SECFailure;
++    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
++    unsigned char * oaepEncoded = NULL;
++
++    if (maxOutputLen < modulusLen) {
++        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
++        return SECFailure;
++    }
++
++    if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
++        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
++        return SECFailure;
++    }
++
++    if ((labelLen == 0 && label != NULL) ||
++        (labelLen > 0 && label == NULL)) {
++        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
++        return SECFailure;
++    }
++
++    oaepEncoded = (unsigned char *)PORT_Alloc(modulusLen);
++    if (oaepEncoded == NULL) {
++        PORT_SetError(SEC_ERROR_NO_MEMORY);
++        return SECFailure;
++    }
++    rv = eme_oaep_encode(oaepEncoded, modulusLen, input, inputLen,
++                         hashAlg, maskHashAlg, label, labelLen, seed, seedLen);
++    if (rv != SECSuccess)
++        goto done;
++
++    rv = RSA_PublicKeyOp(key, output, oaepEncoded);
++    if (rv != SECSuccess)
++        goto done;
++    *outputLen = modulusLen;
++
++done:
++    PORT_Free(oaepEncoded);
++    return rv;
++}
++
++SECStatus
++RSA_DecryptOAEP(RSAPrivateKey * key,
++                HASH_HashType hashAlg,
++                HASH_HashType maskHashAlg,
++                const unsigned char * label,
++                unsigned int labelLen,
++                unsigned char * output,
++                unsigned int * outputLen,
++                unsigned int maxOutputLen,
++                const unsigned char * input,
++                unsigned int inputLen)
++{
++    SECStatus rv = SECFailure;
++    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
++    unsigned char * oaepEncoded = NULL;
++
++    if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
++        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
++        return SECFailure;
++    }
++
++    if (inputLen != modulusLen) {
++        PORT_SetError(SEC_ERROR_INPUT_LEN);
++        return SECFailure;
++    }
++
++    if ((labelLen == 0 && label != NULL) ||
++        (labelLen > 0 && label == NULL)) {
++        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
++        return SECFailure;
++    }
++
++    oaepEncoded = (unsigned char *)PORT_Alloc(modulusLen);
++    if (oaepEncoded == NULL) {
++        PORT_SetError(SEC_ERROR_NO_MEMORY);
++        return SECFailure;
++    }
++
++    rv = RSA_PrivateKeyOpDoubleChecked(key, oaepEncoded, input);
++    if (rv != SECSuccess) {
++        goto done;
++    }
++    rv = eme_oaep_decode(output, outputLen, maxOutputLen, oaepEncoded,
++                         modulusLen, hashAlg, maskHashAlg, label,
++                         labelLen);
++
++done:
++    if (oaepEncoded)
++        PORT_ZFree(oaepEncoded, modulusLen);
++    return rv;
++}
++
++/* XXX Doesn't set error code */
++SECStatus
++RSA_EncryptBlock(RSAPublicKey * key,
++                 unsigned char * output,
++                 unsigned int * outputLen,
++                 unsigned int maxOutputLen,
++                 const unsigned char * input,
++                 unsigned int inputLen)
++{
++    SECStatus rv;
++    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
++    SECItem formatted;
++    SECItem unformatted;
++
++    formatted.data = NULL;
++    if (maxOutputLen < modulusLen)
++        goto failure;
++
++    unformatted.len  = inputLen;
++    unformatted.data = (unsigned char*)input;
++    formatted.data   = NULL;
++    rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockPublic,
++                         &unformatted);
++    if (rv != SECSuccess)
++        goto failure;
++
++    rv = RSA_PublicKeyOp(key, output, formatted.data);
++    if (rv != SECSuccess)
++        goto failure;
++
++    PORT_ZFree(formatted.data, modulusLen);
++    *outputLen = modulusLen;
++    return SECSuccess;
++
++failure:
++    if (formatted.data != NULL)
++        PORT_ZFree(formatted.data, modulusLen);
++    return SECFailure;
++}
++
++/* XXX Doesn't set error code */
++SECStatus
++RSA_DecryptBlock(RSAPrivateKey * key,
++                 unsigned char * output,
++                 unsigned int * outputLen,
++                 unsigned int maxOutputLen,
++                 const unsigned char * input,
++                 unsigned int inputLen)
++{
++    SECStatus rv;
++    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
++    unsigned int i;
++    unsigned char * buffer;
++
++    if (inputLen != modulusLen)
++        goto failure;
++
++    buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
++    if (!buffer)
++        goto failure;
++
++    rv = RSA_PrivateKeyOp(key, buffer, input);
++    if (rv != SECSuccess)
++        goto loser;
++
++    /* XXX(rsleevi): Constant time */
++    if (buffer[0] != RSA_BLOCK_FIRST_OCTET ||
++        buffer[1] != (unsigned char)RSA_BlockPublic) {
++        goto loser;
++    }
++    *outputLen = 0;
++    for (i = 2; i < modulusLen; i++) {
++        if (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
++            *outputLen = modulusLen - i - 1;
++            break;
++        }
++    }
++    if (*outputLen == 0)
++        goto loser;
++    if (*outputLen > maxOutputLen)
++        goto loser;
++
++    PORT_Memcpy(output, buffer + modulusLen - *outputLen, *outputLen);
++
++    PORT_Free(buffer);
++    return SECSuccess;
++
++loser:
++    PORT_Free(buffer);
++failure:
++    return SECFailure;
++}
++
++/*
++ * Encode a RSA-PSS signature.
++ * Described in RFC 3447, section 9.1.1.
++ * We use mHash instead of M as input.
++ * emBits from the RFC is just modBits - 1, see section 8.1.1.
++ * We only support MGF1 as the MGF.
++ *
++ * NOTE: this code assumes modBits is a multiple of 8.
++ */
++static SECStatus
++emsa_pss_encode(unsigned char * em,
++                unsigned int emLen,
++                const unsigned char * mHash,
++                HASH_HashType hashAlg,
++                HASH_HashType maskHashAlg,
++                const unsigned char * salt,
++                unsigned int saltLen)
++{
++    const SECHashObject * hash;
++    void * hash_context;
++    unsigned char * dbMask;
++    unsigned int dbMaskLen;
++    unsigned int i;
++    SECStatus rv;
++
++    hash = HASH_GetRawHashObject(hashAlg);
++    dbMaskLen = emLen - hash->length - 1;
++
++    /* Step 3 */
++    if (emLen < hash->length + saltLen + 2) {
++        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
++        return SECFailure;
++    }
++
++    /* Step 4 */
++    if (salt == NULL) {
++        rv = RNG_GenerateGlobalRandomBytes(&em[dbMaskLen - saltLen], saltLen);
++        if (rv != SECSuccess) {
++            return rv;
++        }
++    } else {
++        PORT_Memcpy(&em[dbMaskLen - saltLen], salt, saltLen);
++    }
++
++    /* Step 5 + 6 */
++    /* Compute H and store it at its final location &em[dbMaskLen]. */
++    hash_context = (*hash->create)();
++    if (hash_context == NULL) {
++        PORT_SetError(SEC_ERROR_NO_MEMORY);
++        return SECFailure;
++    }
++    (*hash->begin)(hash_context);
++    (*hash->update)(hash_context, eightZeros, 8);
++    (*hash->update)(hash_context, mHash, hash->length);
++    (*hash->update)(hash_context, &em[dbMaskLen - saltLen], saltLen);
++    (*hash->end)(hash_context, &em[dbMaskLen], &i, hash->length);
++    (*hash->destroy)(hash_context, PR_TRUE);
++
++    /* Step 7 + 8 */
++    PORT_Memset(em, 0, dbMaskLen - saltLen - 1);
++    em[dbMaskLen - saltLen - 1] = 0x01;
++
++    /* Step 9 */
++    dbMask = (unsigned char *)PORT_Alloc(dbMaskLen);
++    if (dbMask == NULL) {
++        PORT_SetError(SEC_ERROR_NO_MEMORY);
++        return SECFailure;
++    }
++    MGF1(maskHashAlg, dbMask, dbMaskLen, &em[dbMaskLen], hash->length);
++
++    /* Step 10 */
++    for (i = 0; i < dbMaskLen; i++)
++        em[i] ^= dbMask[i];
++    PORT_Free(dbMask);
++
++    /* Step 11 */
++    em[0] &= 0x7f;
++
++    /* Step 12 */
++    em[emLen - 1] = 0xbc;
++
++    return SECSuccess;
++}
++
++/*
++ * Verify a RSA-PSS signature.
++ * Described in RFC 3447, section 9.1.2.
++ * We use mHash instead of M as input.
++ * emBits from the RFC is just modBits - 1, see section 8.1.2.
++ * We only support MGF1 as the MGF.
++ *
++ * NOTE: this code assumes modBits is a multiple of 8.
++ */
++static SECStatus
++emsa_pss_verify(const unsigned char * mHash,
++                const unsigned char * em,
++                unsigned int emLen,
++                HASH_HashType hashAlg,
++                HASH_HashType maskHashAlg,
++                unsigned int saltLen)
++{
++    const SECHashObject * hash;
++    void * hash_context;
++    unsigned char * db;
++    unsigned char * H_;  /* H' from the RFC */
++    unsigned int i;
++    unsigned int dbMaskLen;
++    SECStatus rv;
++
++    hash = HASH_GetRawHashObject(hashAlg);
++    dbMaskLen = emLen - hash->length - 1;
++
++    /* Step 3 + 4 + 6 */
++    if ((emLen < (hash->length + saltLen + 2)) ||
++        (em[emLen - 1] != 0xbc) ||
++        ((em[0] & 0x80) != 0)) {
++        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++        return SECFailure;
++    }
++
++    /* Step 7 */
++    db = (unsigned char *)PORT_Alloc(dbMaskLen);
++    if (db == NULL) {
++        PORT_SetError(SEC_ERROR_NO_MEMORY);
++        return SECFailure;
++    }
++    /* &em[dbMaskLen] points to H, used as mgfSeed */
++    MGF1(maskHashAlg, db, dbMaskLen, &em[dbMaskLen], hash->length);
++
++    /* Step 8 */
++    for (i = 0; i < dbMaskLen; i++) {
++        db[i] ^= em[i];
++    }
++
++    /* Step 9 */
++    db[0] &= 0x7f;
++
++    /* Step 10 */
++    for (i = 0; i < (dbMaskLen - saltLen - 1); i++) {
++        if (db[i] != 0) {
++            PORT_Free(db);
++            PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++            return SECFailure;
++        }
++    }
++    if (db[dbMaskLen - saltLen - 1] != 0x01) {
++        PORT_Free(db);
++        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++        return SECFailure;
++    }
++
++    /* Step 12 + 13 */
++    H_ = (unsigned char *)PORT_Alloc(hash->length);
++    if (H_ == NULL) {
++        PORT_Free(db);
++        PORT_SetError(SEC_ERROR_NO_MEMORY);
++        return SECFailure;
++    }
++    hash_context = (*hash->create)();
++    if (hash_context == NULL) {
++        PORT_Free(db);
++        PORT_Free(H_);
++        PORT_SetError(SEC_ERROR_NO_MEMORY);
++        return SECFailure;
++    }
++    (*hash->begin)(hash_context);
++    (*hash->update)(hash_context, eightZeros, 8);
++    (*hash->update)(hash_context, mHash, hash->length);
++    (*hash->update)(hash_context, &db[dbMaskLen - saltLen], saltLen);
++    (*hash->end)(hash_context, H_, &i, hash->length);
++    (*hash->destroy)(hash_context, PR_TRUE);
++
++    PORT_Free(db);
++
++    /* Step 14 */
++    if (PORT_Memcmp(H_, &em[dbMaskLen], hash->length) != 0) {
++        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++        rv = SECFailure;
++    } else {
++        rv = SECSuccess;
++    }
++
++    PORT_Free(H_);
++    return rv;
++}
++
++SECStatus
++RSA_SignPSS(RSAPrivateKey * key,
++            HASH_HashType hashAlg,
++            HASH_HashType maskHashAlg,
++            const unsigned char * salt,
++            unsigned int saltLength,
++            unsigned char * output,
++            unsigned int * outputLen,
++            unsigned int maxOutputLen,
++            const unsigned char * input,
++            unsigned int inputLen)
++{
++    SECStatus rv = SECSuccess;
++    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
++    unsigned char *pssEncoded = NULL;
++
++    if (maxOutputLen < modulusLen) {
++        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
++        return SECFailure;
++    }
++
++    if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
++        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
++        return SECFailure;
++    }
++
++    pssEncoded = (unsigned char *)PORT_Alloc(modulusLen);
++    if (pssEncoded == NULL) {
++        PORT_SetError(SEC_ERROR_NO_MEMORY);
++        return SECFailure;
++    }
++    rv = emsa_pss_encode(pssEncoded, modulusLen, input, hashAlg,
++                         maskHashAlg, salt, saltLength);
++    if (rv != SECSuccess)
++        goto done;
++
++    rv = RSA_PrivateKeyOpDoubleChecked(key, output, pssEncoded);
++    *outputLen = modulusLen;
++
++done:
++    PORT_Free(pssEncoded);
++    return rv;
++}
++
++SECStatus
++RSA_CheckSignPSS(RSAPublicKey * key,
++                 HASH_HashType hashAlg,
++                 HASH_HashType maskHashAlg,
++                 unsigned int saltLength,
++                 const unsigned char * sig,
++                 unsigned int sigLen,
++                 const unsigned char * hash,
++                 unsigned int hashLen)
++{
++    SECStatus rv;
++    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
++    unsigned char * buffer;
++
++    if (sigLen != modulusLen) {
++        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++        return SECFailure;
++    }
++
++    if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
++        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
++        return SECFailure;
++    }
++
++    buffer = (unsigned char *)PORT_Alloc(modulusLen);
++    if (!buffer) {
++        PORT_SetError(SEC_ERROR_NO_MEMORY);
++        return SECFailure;
++    }
++
++    rv = RSA_PublicKeyOp(key, buffer, sig);
++    if (rv != SECSuccess) {
++        PORT_Free(buffer);
++        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++        return SECFailure;
++    }
++
++    rv = emsa_pss_verify(hash, buffer, modulusLen, hashAlg,
++                         maskHashAlg, saltLength);
++    PORT_Free(buffer);
++
++    return rv;
++}
++
++/* XXX Doesn't set error code */
++SECStatus
++RSA_Sign(RSAPrivateKey * key,
++         unsigned char * output,
++         unsigned int * outputLen,
++         unsigned int maxOutputLen,
++         const unsigned char * input,
++         unsigned int inputLen)
++{
++    SECStatus rv = SECSuccess;
++    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
++    SECItem formatted;
++    SECItem unformatted;
++
++    if (maxOutputLen < modulusLen)
++        return SECFailure;
++
++    unformatted.len  = inputLen;
++    unformatted.data = (unsigned char*)input;
++    formatted.data   = NULL;
++    rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockPrivate,
++                         &unformatted);
++    if (rv != SECSuccess)
++        goto done;
++
++    rv = RSA_PrivateKeyOpDoubleChecked(key, output, formatted.data);
++    *outputLen = modulusLen;
++
++    goto done;
++
++done:
++    if (formatted.data != NULL)
++        PORT_ZFree(formatted.data, modulusLen);
++    return rv;
++}
++
++/* XXX Doesn't set error code */
++SECStatus
++RSA_CheckSign(RSAPublicKey * key,
++              const unsigned char * sig,
++              unsigned int sigLen,
++              const unsigned char * data,
++              unsigned int dataLen)
++{
++    SECStatus rv;
++    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
++    unsigned int i;
++    unsigned char * buffer;
++
++    if (sigLen != modulusLen)
++        goto failure;
++    /*
++     * 0x00 || BT || Pad || 0x00 || ActualData
++     *
++     * The "3" below is the first octet + the second octet + the 0x00
++     * octet that always comes just before the ActualData.
++     */
++    if (dataLen > modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN))
++        goto failure;
++
++    buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
++    if (!buffer)
++        goto failure;
++
++    rv = RSA_PublicKeyOp(key, buffer, sig);
++    if (rv != SECSuccess)
++        goto loser;
++
++    /*
++     * check the padding that was used
++     */
++    if (buffer[0] != RSA_BLOCK_FIRST_OCTET ||
++        buffer[1] != (unsigned char)RSA_BlockPrivate) {
++        goto loser;
++    }
++    for (i = 2; i < modulusLen - dataLen - 1; i++) {
++        if (buffer[i] != RSA_BLOCK_PRIVATE_PAD_OCTET)
++            goto loser;
++    }
++    if (buffer[i] != RSA_BLOCK_AFTER_PAD_OCTET)
++        goto loser;
++
++    /*
++     * make sure we get the same results
++     */
++    if (PORT_Memcmp(buffer + modulusLen - dataLen, data, dataLen) != 0)
++        goto loser;
++
++    PORT_Free(buffer);
++    return SECSuccess;
++
++loser:
++    PORT_Free(buffer);
++failure:
++    return SECFailure;
++}
++
++/* XXX Doesn't set error code */
++SECStatus
++RSA_CheckSignRecover(RSAPublicKey * key,
++                     unsigned char * output,
++                     unsigned int * outputLen,
++                     unsigned int maxOutputLen,
++                     const unsigned char * sig,
++                     unsigned int sigLen)
++{
++    SECStatus rv;
++    unsigned int modulusLen = rsa_modulusLen(&key->modulus);
++    unsigned int i;
++    unsigned char * buffer;
++
++    if (sigLen != modulusLen)
++        goto failure;
++
++    buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
++    if (!buffer)
++        goto failure;
++
++    rv = RSA_PublicKeyOp(key, buffer, sig);
++    if (rv != SECSuccess)
++        goto loser;
++    *outputLen = 0;
++
++    /*
++     * check the padding that was used
++     */
++    if (buffer[0] != RSA_BLOCK_FIRST_OCTET ||
++        buffer[1] != (unsigned char)RSA_BlockPrivate) {
++        goto loser;
++    }
++    for (i = 2; i < modulusLen; i++) {
++        if (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
++            *outputLen = modulusLen - i - 1;
++            break;
++        }
++        if (buffer[i] != RSA_BLOCK_PRIVATE_PAD_OCTET)
++            goto loser;
++    }
++    if (*outputLen == 0)
++        goto loser;
++    if (*outputLen > maxOutputLen)
++        goto loser;
++
++    PORT_Memcpy(output, buffer + modulusLen - *outputLen, *outputLen);
++
++    PORT_Free(buffer);
++    return SECSuccess;
++
++loser:
++    PORT_Free(buffer);
++failure:
++    return SECFailure;
++}
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/stubs.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/stubs.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/stubs.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/stubs.c	2014-02-10 01:13:33.051519325 +0400
+@@ -32,7 +32,6 @@
+ #include <prtime.h>
+ #include <prcvar.h>
+ #include <secasn1.h>
+-#include <secoid.h>
+ #include <secdig.h>
+ #include <secport.h>
+ #include <secitem.h>
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/unix_rand.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/unix_rand.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/freebl/unix_rand.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/freebl/unix_rand.c	2014-02-10 01:13:33.051519325 +0400
+@@ -959,7 +959,8 @@
+ size_t RNG_FileUpdate(const char *fileName, size_t limit)
+ {
+     FILE *        file;
+-    size_t        bytes;
++    int           fd;
++    int           bytes;
+     size_t        fileBytes = 0;
+     struct stat   stat_buf;
+     unsigned char buffer[BUFSIZ];
+@@ -972,12 +973,22 @@
+ 	return fileBytes;
+     RNG_RandomUpdate(&stat_buf, sizeof(stat_buf));
+     
+-    file = fopen((char *)fileName, "r");
++    file = fopen(fileName, "r");
+     if (file != NULL) {
++	/* Read from the underlying file descriptor directly to bypass stdio
++	 * buffering and avoid reading more bytes than we need from
++	 * /dev/urandom. NOTE: we can't use fread with unbuffered I/O because
++	 * fread may return EOF in unbuffered I/O mode on Android.
++	 *
++	 * Moreover, we read into a buffer of size BUFSIZ, so buffered I/O
++	 * has no performance advantage. */
++	fd = fileno(file);
++	/* 'file' was just opened, so this should not fail. */
++	PORT_Assert(fd != -1);
+ 	while (limit > fileBytes) {
+ 	    bytes = PR_MIN(sizeof buffer, limit - fileBytes);
+-	    bytes = fread(buffer, 1, bytes, file);
+-	    if (bytes == 0) 
++	    bytes = read(fd, buffer, bytes);
++	    if (bytes <= 0)
+ 		break;
+ 	    RNG_RandomUpdate(buffer, bytes);
+ 	    fileBytes      += bytes;
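Review bot: The new `if (bytes <= 0) break;` treats a `read()` that was interrupted by a signal the same as end of file, so the loop can stop before `limit` bytes have been mixed into the generator. Adding `if (bytes < 0 && errno == EINTR) continue;` ahead of the break would let the loop carry on after an interruption; whether `<errno.h>` is already included is not visible here. The loop added to RNG_SystemRNG in the last unix_rand.c hunk has the same shape and needs the same retry, and a short count matters more there because that function fills the caller's buffer; how it reports a short count is outside that hunk. RNG_FileUpdate begins and ends outside this hunk.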
+@@ -1009,7 +1020,7 @@
+     FILE *        file;
+     unsigned char buffer[BUFSIZ];
+     
+-    file = fopen((char *)fileName, "rb");
++    file = fopen(fileName, "rb");
+     if (file != NULL) {
+ 	while (fread(buffer, 1, sizeof(buffer), file) > 0)
+ 	    ;
+@@ -1126,7 +1137,8 @@
+ size_t RNG_SystemRNG(void *dest, size_t maxLen)
+ {
+     FILE *file;
+-    size_t bytes;
++    int fd;
++    int bytes;
+     size_t fileBytes = 0;
+     unsigned char *buffer = dest;
+ 
+@@ -1134,10 +1146,18 @@
+     if (file == NULL) {
+ 	return rng_systemFromNoise(dest, maxLen);
+     }
++    /* Read from the underlying file descriptor directly to bypass stdio
++     * buffering and avoid reading more bytes than we need from /dev/urandom.
++     * NOTE: we can't use fread with unbuffered I/O because fread may return
++     * EOF in unbuffered I/O mode on Android.
++     */
++    fd = fileno(file);
++    /* 'file' was just opened, so this should not fail. */
++    PORT_Assert(fd != -1);
+     while (maxLen > fileBytes) {
+ 	bytes = maxLen - fileBytes;
+-	bytes = fread(buffer, 1, bytes, file);
+-	if (bytes == 0) 
++	bytes = read(fd, buffer, bytes);
++	if (bytes <= 0)
+ 	    break;
+ 	fileBytes += bytes;
+ 	buffer += bytes;
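Review bot: `bytes = maxLen - fileBytes` now stores a size_t difference in the `int bytes` declared in the previous hunk, so a request above INT_MAX is truncated, and a negative result is converted back to a very large count when it is passed to read(). RNG_FileUpdate bounds its request with `PR_MIN(sizeof buffer, ...)`, but nothing bounds it here. Callers probably ask for small amounts, but capping the request keeps the value in range whatever they pass: `bytes = (int)PR_MIN(maxLen - fileBytes, (size_t)BUFSIZ);`. RNG_SystemRNG continues past the end of this hunk.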
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/libpkix/include/pkix_errorstrings.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/libpkix/include/pkix_errorstrings.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/libpkix/include/pkix_errorstrings.h	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/libpkix/include/pkix_errorstrings.h	2014-02-10 01:13:33.053519289 +0400
+@@ -1094,4 +1094,6 @@
+ PKIX_ERRORENTRY(X500NAMEMATCHFAILED,PKIX_PL_X500Name_Match failed,0),
+ PKIX_ERRORENTRY(X500NAMETOSTRINGFAILED,PKIX_PL_X500Name_ToString failed,0),
+ PKIX_ERRORENTRY(X500NAMETOSTRINGHELPERFAILED,pkix_pl_X500Name_ToString_Helper failed,0),
+-PKIX_ERRORENTRY(ZEROLENGTHBYTEARRAYFORCRLENCODING,Zero-length ByteArray for CRL encoding,0)
++PKIX_ERRORENTRY(ZEROLENGTHBYTEARRAYFORCRLENCODING,Zero-length ByteArray for CRL encoding,0),
++PKIX_ERRORENTRY(INVALIDOCSPHTTPMETHOD,Unsupported HTTP Method for OCSP retrieval,0),
++PKIX_ERRORENTRY(OCSPGETREQUESTTOOBIG,OCSP request too big for HTTP GET method,0)
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c	2014-02-10 01:13:33.053519289 +0400
+@@ -200,12 +200,18 @@
+  * either (a) the default Responder has been set and enabled, and a Check
+  * request is received with no responder specified, or (b) a Check request is
+  * received with a specified responder. A request message is constructed and
+- * given to the HttpClient. If non-blocking I/O is used the client may return
+- * with WOULDBLOCK, in which case the OCSPChecker returns the WOULDBLOCK
+- * condition to its caller in turn. On a subsequent call the I/O is resumed.
+- * When a response is received it is decoded and the results provided to the
+- * caller.
++ * given to the HttpClient. When a response is received it is decoded and the
++ * results provided to the caller.
+  *
++ * During the most recent enhancement of this function, it has been found that
++ * it doesn't correctly implement non-blocking I/O.
++ * 
++ * The nbioContext is used in two places, for "response-obtaining" and
++ * for "response-verification".
++ * 
++ * However, if this function gets called to resume, it always
++ * repeats the "request creation" and "response fetching" steps!
++ * As a result, the earlier operation is never resumed.
+  */
+ PKIX_Error *
+ pkix_OcspChecker_CheckExternal(
+@@ -230,6 +236,8 @@
+         PKIX_PL_Date *validity = NULL;
+         PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
+         void *nbioContext = NULL;
++        enum { stageGET, stagePOST } currentStage;
++        PRBool retry = PR_FALSE;
+ 
+         PKIX_ENTER(OCSPCHECKER, "pkix_OcspChecker_CheckExternal");
+ 
+@@ -258,58 +266,135 @@
+             goto cleanup;
+         }
+ 
++        if (methodFlags & CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP) {
++            /* Do not try HTTP GET, only HTTP POST */
++            currentStage = stagePOST;
++        } else {
++            /* Try HTTP GET first, falling back to POST */
++            currentStage = stageGET;
++        }
++
++        do {
++                const char *method;
++                passed = PKIX_TRUE;
++
++                retry = PR_FALSE;
++                if (currentStage == stageGET) {
++                        method = "GET";
++                } else {
++                        PORT_Assert(currentStage == stagePOST);
++                        method = "POST";
++                }
++
+         /* send request and create a response object */
+-        PKIX_CHECK(
+-            pkix_pl_OcspResponse_Create(request, NULL,
++                PKIX_CHECK_NO_GOTO(
++                    pkix_pl_OcspResponse_Create(request, method, NULL,
+                                         checker->certVerifyFcn,
+                                         &nbioContext,
+                                         &response,
+                                         plContext),
+             PKIX_OCSPRESPONSECREATEFAILED);
+-        if (nbioContext != 0) {
++
++                if (pkixErrorResult) {
++                    passed = PKIX_FALSE;
++                }
++
++                if (passed && nbioContext != 0) {
+             *pNBIOContext = nbioContext;
+             goto cleanup;
+         }
+         
+-        PKIX_CHECK(
++                if (passed){
++                        PKIX_CHECK_NO_GOTO(
+             pkix_pl_OcspResponse_Decode(response, &passed,
+                                         &resultCode, plContext),
+             PKIX_OCSPRESPONSEDECODEFAILED);
+-        if (passed == PKIX_FALSE) {
+-            goto cleanup;
++                        if (pkixErrorResult) {
++                            passed = PKIX_FALSE;
++                        }
+         }
+         
+-        PKIX_CHECK(
++                if (passed){
++                        PKIX_CHECK_NO_GOTO(
+             pkix_pl_OcspResponse_GetStatus(response, &passed,
+                                            &resultCode, plContext),
+             PKIX_OCSPRESPONSEGETSTATUSRETURNEDANERROR);
+-        if (passed == PKIX_FALSE) {
+-            goto cleanup;
++                        if (pkixErrorResult) {
++                            passed = PKIX_FALSE;
++                        }
+         }
+ 
+-        PKIX_CHECK(
++                if (passed){
++                        PKIX_CHECK_NO_GOTO(
+             pkix_pl_OcspResponse_VerifySignature(response, cert,
+                                                  procParams, &passed, 
+                                                  &nbioContext, plContext),
+             PKIX_OCSPRESPONSEVERIFYSIGNATUREFAILED);
++                        if (pkixErrorResult) {
++                            passed = PKIX_FALSE;
++                        } else {
+        	if (nbioContext != 0) {
+                	*pNBIOContext = nbioContext;
+                 goto cleanup;
+         }
+-        if (passed == PKIX_FALSE) {
+-                goto cleanup;
++                        }
+         }
+ 
+-        PKIX_CHECK(
+-            pkix_pl_OcspResponse_GetStatusForCert(cid, response, date,
++                if (!passed && currentStage == stagePOST) {
++                        /* We won't retry a POST failure, so it's final.
++                         * Because the following block with its call to
++                         *   pkix_pl_OcspResponse_GetStatusForCert
++                         * will take care of caching good or bad state,
++                         * but we only execute that next block if there hasn't
++                         * been a failure yet, we must cache the POST
++                         * failure now.
++                         */
++                         
++                        if (cid && cid->certID) {
++                                /* Caching MIGHT consume the cid. */
++                                PKIX_Error *err;
++                                err = PKIX_PL_OcspCertID_RememberOCSPProcessingFailure(
++                                        cid, plContext);
++                                if (err) {
++                                        PKIX_PL_Object_DecRef((PKIX_PL_Object*)err, plContext);
++                                }
++                        }
++                }
++
++                if (passed){
++                        PKIX_Boolean allowCachingOfFailures =
++                                (currentStage == stagePOST) ? PKIX_TRUE : PKIX_FALSE;
++                        
++                        PKIX_CHECK_NO_GOTO(
++                            pkix_pl_OcspResponse_GetStatusForCert(cid, response,
++                                                                  allowCachingOfFailures,
++                                                                  date,
+                                                   &passed, &resultCode,
+                                                   plContext),
+             PKIX_OCSPRESPONSEGETSTATUSFORCERTFAILED);
+-        if (passed == PKIX_FALSE) {
++                        if (pkixErrorResult) {
++                            passed = PKIX_FALSE;
++                        } else if (passed == PKIX_FALSE) {
+             revStatus = pkix_OcspChecker_MapResultCodeToRevStatus(resultCode);
+         } else {
+             revStatus = PKIX_RevStatus_Success;
+         }
++                }
++
++                if (currentStage == stageGET && revStatus != PKIX_RevStatus_Success &&
++                                                revStatus != PKIX_RevStatus_Revoked) {
++                        /* we'll retry */
++                        PKIX_DECREF(response);
++                        retry = PR_TRUE;
++                        currentStage = stagePOST;
++                        revStatus = PKIX_RevStatus_NoInfo;
++                        if (pkixErrorResult) {
++                                PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorResult,
++                                                      plContext);
++                                pkixErrorResult = NULL;
++                        }
++                }
++        } while (retry);
+ 
+ cleanup:
+         if (revStatus == PKIX_RevStatus_NoInfo && (uriFound || 
+@@ -319,23 +404,11 @@
+         }
+         *pRevStatus = revStatus;
+ 
+-        /* ocsp carries only tree statuses: good, bad, and unknown.
++        /* ocsp carries only three statuses: good, bad, and unknown.
+          * revStatus is used to pass them. reasonCode is always set
+          * to be unknown. */
+         *pReasonCode = crlEntryReasonUnspecified;
+ 
+-        if (!passed && cid && cid->certID) {
+-                /* We still own the certID object, which means that 
+-                 * it did not get consumed to create a cache entry.
+-                 * Let's make sure there is one.
+-                 */
+-                PKIX_Error *err;
+-                err = PKIX_PL_OcspCertID_RememberOCSPProcessingFailure(
+-                        cid, plContext);
+-                if (err) {
+-                        PKIX_PL_Object_DecRef((PKIX_PL_Object*)err, plContext);
+-                }
+-        }
+         PKIX_DECREF(cid);
+         PKIX_DECREF(request);
+         PKIX_DECREF(response);
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.c	2014-02-10 01:13:33.053519289 +0400
+@@ -184,6 +184,7 @@
+         PRTime time = 0;
+         SECStatus rv;
+         SECStatus rvOcsp;
++        OCSPFreshness freshness;
+ 
+         PKIX_ENTER(DATE, "PKIX_PL_OcspCertID_GetFreshCacheStatus");
+         PKIX_NULLCHECK_THREE(cid, hasFreshStatus, statusIsGood);
+@@ -195,11 +196,11 @@
+                 time = PR_Now();
+         }
+ 
+-        rv = ocsp_GetCachedOCSPResponseStatusIfFresh(
++        rv = ocsp_GetCachedOCSPResponseStatus(
+                 cid->certID, time, PR_TRUE, /*ignoreGlobalOcspFailureSetting*/
+-                &rvOcsp, missingResponseError);
++                &rvOcsp, missingResponseError, &freshness);
+ 
+-        *hasFreshStatus = (rv == SECSuccess);
++        *hasFreshStatus = (rv == SECSuccess && freshness == ocspFresh);
+         if (*hasFreshStatus) {
+                 *statusIsGood = (rvOcsp == SECSuccess);
+         }
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c	2014-02-10 01:13:33.053519289 +0400
+@@ -341,6 +341,8 @@
+  * PARAMETERS
+  *  "request"
+  *      Address of the OcspRequest for which a response is desired.
++ *  "httpMethod"
++ *      GET or POST
+  *  "responder"
+  *      Address, if non-NULL, of the SEC_HttpClientFcn to be sent the OCSP
+  *      query.
+@@ -364,6 +366,7 @@
+ PKIX_Error *
+ pkix_pl_OcspResponse_Create(
+         PKIX_PL_OcspRequest *request,
++        const char *httpMethod,
+         void *responder,
+         PKIX_PL_VerifyCallback verifyFcn,
+         void **pNBIOContext,
+@@ -389,6 +392,10 @@
+         PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_Create");
+         PKIX_NULLCHECK_TWO(pNBIOContext, pResponse);
+ 
++	if (!strcmp(httpMethod, "GET") && !strcmp(httpMethod, "POST")) {
++		PKIX_ERROR(PKIX_INVALIDOCSPHTTPMETHOD);
++	}
++
+         nbioContext = *pNBIOContext;
+         *pNBIOContext = NULL;
+ 
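Review bot: The method check added at the top of pkix_pl_OcspResponse_Create can never fire, because `!strcmp(httpMethod, "GET") && !strcmp(httpMethod, "POST")` is true only when the string equals both literals at once. As written, any other value passes, is treated as non-POST by `usePOST = !strcmp(httpMethod, "POST")` in the next hunk, and is handed to createFcn unchanged. The intended test is `if (strcmp(httpMethod, "GET") != 0 && strcmp(httpMethod, "POST") != 0)`. PKIX_NULLCHECK_TWO covers only pNBIOContext and pResponse, so httpMethod also needs a NULL check before the first strcmp. The function body starts and ends outside this hunk.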
+@@ -422,6 +429,9 @@
+                 }
+ 
+                 if (httpClient && (httpClient->version == 1)) {
++			char *fullGetPath = NULL;
++			const char *sessionPath = NULL;
++			PRBool usePOST = !strcmp(httpMethod, "POST");
+ 
+                         hcv1 = &(httpClient->fcnTable.ftable1);
+ 
+@@ -441,14 +451,60 @@
+                                 PKIX_ERROR(PKIX_OCSPSERVERERROR);
+                         }       
+ 
+-                        rv = (*hcv1->createFcn)(serverSession, "http", path,
+-                                                "POST",
++			if (usePOST) {
++				sessionPath = path;
++			} else {
++				/* calculate, are we allowed to use GET? */
++				enum { max_get_request_size = 255 }; /* defined by RFC2560 */
++				char b64ReqBuf[max_get_request_size+1];
++				size_t base64size;
++				size_t slashLengthIfNeeded = 0;
++				size_t pathLength;
++				PRInt32 urlEncodedBufLength;
++				size_t getURLLength;
++				char *walkOutput = NULL;
++
++				pathLength = strlen(path);
++				if (path[pathLength-1] != '/') {
++					slashLengthIfNeeded = 1;
++				}
++				base64size = (((encodedRequest->len +2)/3) * 4);
++				if (base64size > max_get_request_size) {
++					PKIX_ERROR(PKIX_OCSPGETREQUESTTOOBIG);
++				}
++				memset(b64ReqBuf, 0, sizeof(b64ReqBuf));
++				PL_Base64Encode((const char *)encodedRequest->data, encodedRequest->len, b64ReqBuf);
++				urlEncodedBufLength = ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL);
++				getURLLength = pathLength + urlEncodedBufLength + slashLengthIfNeeded;
++				fullGetPath = (char*)PORT_Alloc(getURLLength);
++				if (!fullGetPath) {
++					PKIX_ERROR(PKIX_OUTOFMEMORY);
++				}
++				strcpy(fullGetPath, path);
++				walkOutput = fullGetPath + pathLength;
++				if (walkOutput > fullGetPath && slashLengthIfNeeded) {
++					strcpy(walkOutput, "/");
++					++walkOutput;
++				}
++				ocsp_UrlEncodeBase64Buf(b64ReqBuf, walkOutput);
++				sessionPath = fullGetPath;
++			}
++
++                        rv = (*hcv1->createFcn)(serverSession, "http",
++                                                sessionPath, httpMethod,
+                                                 PR_SecondsToInterval(timeout),
+                                                 &sessionRequest);
++			sessionPath = NULL;
++			if (fullGetPath) {
++				PORT_Free(fullGetPath);
++				fullGetPath = NULL;
++			}
++			
+                         if (rv != SECSuccess) {
+                                 PKIX_ERROR(PKIX_OCSPSERVERERROR);
+                         }       
+ 
++			if (usePOST) {
+                         rv = (*hcv1->setPostDataFcn)(sessionRequest,
+                                                   (char *)encodedRequest->data,
+                                                   encodedRequest->len,
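Review bot: In the GET branch, `path[pathLength-1]` is read before anything establishes that path is non-empty, so an empty path indexes one byte in front of the string. The later `walkOutput > fullGetPath` test suggests the empty case was considered, but it comes after the read. `if (pathLength > 0 && path[pathLength-1] != '/')` closes that and stays consistent with the later test. Separately, the size `pathLength + urlEncodedBufLength + slashLengthIfNeeded` leaves room for the terminating NUL only if the length returned by ocsp_UrlEncodeBase64Buf already counts it, which is not visible in this hunk. A one-line comment next to PORT_Alloc stating that would make the strcpy sequence checkable. The enclosing function starts and ends outside the hunk.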
+@@ -456,6 +512,7 @@
+                         if (rv != SECSuccess) {
+                                 PKIX_ERROR(PKIX_OCSPSERVERERROR);
+                         }       
++			}
+ 
+                         /* create a PKIX_PL_OcspResponse object */
+                         PKIX_CHECK(PKIX_PL_Object_Alloc
+@@ -797,10 +854,12 @@
+                                           signature, issuerCert);
+             
+             if (response->signerCert == NULL) {
+-                PORT_SetError(SEC_ERROR_UNKNOWN_SIGNER);
++                if (PORT_GetError() == SEC_ERROR_UNKNOWN_CERT) {
++                    /* Make the error a little more specific. */
++                    PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
++                }
+                 goto cleanup;
+             }
+-            
+             PKIX_CHECK( 
+                 PKIX_PL_Cert_CreateFromCERTCertificate(response->signerCert,
+                                                        &(response->pkixSignerCert),
+@@ -937,6 +996,7 @@
+ pkix_pl_OcspResponse_GetStatusForCert(
+         PKIX_PL_OcspCertID *cid,
+         PKIX_PL_OcspResponse *response,
++        PKIX_Boolean allowCachingOfFailures,
+         PKIX_PL_Date *validity,
+         PKIX_Boolean *pPassed,
+         SECErrorCodes *pReturnCode,
+@@ -944,8 +1004,7 @@
+ {
+         PRTime time = 0;
+         SECStatus rv = SECFailure;
+-        SECStatus rvCache;
+-        PRBool certIDWasConsumed = PR_FALSE;
++        CERTOCSPSingleResponse *single = NULL;
+ 
+         PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_GetStatusForCert");
+         PKIX_NULLCHECK_THREE(response, pPassed, pReturnCode);
+@@ -966,16 +1025,35 @@
+             time = PR_Now();
+         }
+ 
+-        rv = cert_ProcessOCSPResponse(response->handle,
++        rv = ocsp_GetVerifiedSingleResponseForCertID(response->handle,
+                                       response->nssOCSPResponse,
+                                       cid->certID,
+                                       response->signerCert,
+-                                      time,
+-                                      &certIDWasConsumed,
+-                                      &rvCache);
++                                                     time, &single);
++        if (rv == SECSuccess) {
++                /*
++                 * Check whether the status says revoked, and if so 
++                 * how that compares to the time value passed into this routine.
++                 */
++                rv = ocsp_CertHasGoodStatus(single->certStatus, time);
++        }
++
++        if (rv == SECSuccess || allowCachingOfFailures) {
++                /* allowed to update the cache */
++                PRBool certIDWasConsumed = PR_FALSE;
++
++                if (single) {
++                        ocsp_CacheSingleResponse(cid->certID,single,
++                                                 &certIDWasConsumed);
++                } else {
++                        cert_RememberOCSPProcessingFailure(cid->certID,
++                                                           &certIDWasConsumed);
++                }
++
+         if (certIDWasConsumed) {
+                 cid->certID = NULL;
+         }
++        }
+ 
+ 	if (rv == SECSuccess) {
+                 *pPassed = PKIX_TRUE;
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h	2014-02-10 01:13:33.053519289 +0400
+@@ -17,6 +17,7 @@
+ #include "cryptohi.h"
+ #include "ocspti.h"
+ #include "ocspi.h"
++#include "plbase64.h"
+ 
+ #ifdef __cplusplus
+ extern "C" {
+@@ -47,6 +48,7 @@
+ PKIX_Error *
+ pkix_pl_OcspResponse_Create(
+         PKIX_PL_OcspRequest *request,
++        const char *httpMechanism,
+         void *responder,
+         PKIX_PL_VerifyCallback verifyFcn,
+         void **pNBIOContext,
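Review bot: The prototype names the new parameter `httpMechanism`, while the definition and its doc comment in pkix_pl_ocspresponse.c call it `httpMethod`. Declaring it as `const char *httpMethod,` here keeps the header and the implementation searchable under one name and matches the "GET or POST" wording of the parameter documentation. The declaration continues outside this hunk.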
+@@ -80,6 +82,7 @@
+ pkix_pl_OcspResponse_GetStatusForCert(
+         PKIX_PL_OcspCertID *cid,
+         PKIX_PL_OcspResponse *response,
++        PKIX_Boolean allowCachingOfFailures,
+         PKIX_PL_Date *validity,
+         PKIX_Boolean *pPassed,
+         SECErrorCodes *pReturnCode,
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/nss/nss.def seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/nss/nss.def
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/nss/nss.def	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/nss/nss.def	2014-02-10 01:13:33.053519289 +0400
+@@ -1037,3 +1037,11 @@
+ ;+    local:
+ ;+       *;
+ ;+};
++;+NSS_3.15.4 { 	# NSS 3.15.4 release
++;+    global:
++CERT_ForcePostMethodForOCSP;
++CERT_GetSubjectNameDigest;
++CERT_GetSubjectPublicKeyDigest;
++;+    local:
++;+       *;
++;+};
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/nss/nss.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/nss/nss.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/nss/nss.h	2014-02-10 01:12:14.137908477 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/nss/nss.h	2014-02-10 01:13:33.054519272 +0400
+@@ -33,11 +33,11 @@
+  * The format of the version string should be
+  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
+  */
+-#define NSS_VERSION  "3.15.3.1" _NSS_ECC_STRING _NSS_CUSTOMIZED
++#define NSS_VERSION  "3.15.4" _NSS_ECC_STRING _NSS_CUSTOMIZED
+ #define NSS_VMAJOR   3
+ #define NSS_VMINOR   15
+-#define NSS_VPATCH   3
+-#define NSS_VBUILD   1
++#define NSS_VPATCH   4
++#define NSS_VBUILD   0
+ #define NSS_BETA     PR_FALSE
+ 
+ #ifndef RC_INVOKED
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/pk11wrap/pk11pub.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/pk11wrap/pk11pub.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/pk11wrap/pk11pub.h	2014-02-10 01:12:09.959982537 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/pk11wrap/pk11pub.h	2014-02-10 01:13:33.054519272 +0400
+@@ -770,9 +770,9 @@
+ /**********************************************************************
+  * Functions to manage secmod flags
+  **********************************************************************/
+-PK11DefaultArrayEntry * PK11_GetDefaultArray(int *);
+-SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *, PK11DefaultArrayEntry *,
+-							PRBool );
++PK11DefaultArrayEntry *PK11_GetDefaultArray(int *size);
++SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *slot,
++				   PK11DefaultArrayEntry *entry, PRBool add);
+ 
+ /**********************************************************************
+  * Functions to look at PKCS #11 dependent data
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/pk11wrap/secmodi.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/pk11wrap/secmodi.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/pk11wrap/secmodi.h	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/pk11wrap/secmodi.h	2014-02-10 01:13:33.054519272 +0400
+@@ -94,8 +94,6 @@
+ 					CK_ATTRIBUTE *inTemplate,int tsize);
+ CK_OBJECT_HANDLE *pk11_FindObjectsByTemplate(PK11SlotInfo *slot,
+ 			CK_ATTRIBUTE *inTemplate,int tsize, int *objCount);
+-SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *slot,
+-				 PK11DefaultArrayEntry *entry, PRBool add);
+ 
+ #define PK11_GETTAB(x) ((CK_FUNCTION_LIST_PTR)((x)->functionList))
+ #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/smime/smime.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/smime/smime.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/smime/smime.h	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/smime/smime.h	2014-02-10 01:13:33.054519272 +0400
+@@ -7,8 +7,8 @@
+  * pkcs7 out of here; this is for S/MIME policy, S/MIME interoperability, etc.
+  */
+ 
+-#ifndef _SECMIME_H_
+-#define _SECMIME_H_ 1
++#ifndef _SMIME_H_
++#define _SMIME_H_ 1
+ 
+ #include "cms.h"
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/softoken/manifest.mn seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/softoken/manifest.mn
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/softoken/manifest.mn	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/softoken/manifest.mn	2014-02-10 01:13:33.054519272 +0400
+@@ -44,7 +44,6 @@
+ 	pkcs11.c   \
+ 	pkcs11c.c  \
+ 	pkcs11u.c  \
+-	rsawrapr.c  \
+ 	sdb.c  \
+ 	sftkdb.c  \
+ 	sftkhmac.c  \
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/softoken/pkcs11c.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/softoken/pkcs11c.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/softoken/pkcs11c.c	2014-02-10 01:12:09.961982501 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/softoken/pkcs11c.c	2014-02-10 01:13:33.055519255 +0400
+@@ -274,7 +274,33 @@
+ /*
+  ************** Crypto Functions:     Utilities ************************
+  */
+-
++/*
++ * Utility function for converting PSS/OAEP parameter types into
++ * HASH_HashTypes. Note: Only SHA family functions are defined in RFC 3447.
++ */
++static HASH_HashType
++GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech)
++{
++    switch (mech) {
++        case CKM_SHA_1:
++        case CKG_MGF1_SHA1:
++            return HASH_AlgSHA1;
++        case CKM_SHA224:
++        case CKG_MGF1_SHA224:
++            return HASH_AlgSHA224;
++        case CKM_SHA256:
++        case CKG_MGF1_SHA256:
++            return HASH_AlgSHA256;
++        case CKM_SHA384:
++        case CKG_MGF1_SHA384:
++            return HASH_AlgSHA384;
++        case CKM_SHA512:
++        case CKG_MGF1_SHA512:
++            return HASH_AlgSHA512;
++        default:
++            return HASH_AlgNULL;
++    }
++}
+ 
+ /* 
+  * return a context based on the SFTKContext type.
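Review bot: GetHashTypeFromMechanism folds two different constant spaces, CKM_* digest mechanisms and CKG_MGF1_* mask-generator identifiers, into one switch. A parameter block that carries an MGF identifier in its hash field, or the reverse, is therefore mapped to a hash instead of being rejected. Two small helpers, one per field, would keep each lookup strict. If the shared helper stays, its header comment should state the contract, for example `/* Accepts CKM_SHA* and CKG_MGF1_* values alike; returns HASH_AlgNULL for anything else, which the caller is expected to treat as an invalid algorithm. */`.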
+@@ -458,21 +484,152 @@
+ }
+ 
+ static SECStatus
+-sftk_EncryptOAEP(SFTKOAEPEncryptInfo *info, unsigned char *output,
++sftk_RSAEncryptRaw(NSSLOWKEYPublicKey *key, unsigned char *output,
++                   unsigned int *outputLen, unsigned int maxLen,
++                   const unsigned char *input, unsigned int inputLen)
++{
++    SECStatus rv = SECFailure;
++
++    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
++    if (key->keyType != NSSLOWKEYRSAKey) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return SECFailure;
++    }
++
++    rv = RSA_EncryptRaw(&key->u.rsa, output, outputLen, maxLen, input,
++                        inputLen);
++    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
++        sftk_fatalError = PR_TRUE;
++    }
++
++    return rv;
++}
++
++static SECStatus
++sftk_RSADecryptRaw(NSSLOWKEYPrivateKey *key, unsigned char *output,
++                   unsigned int *outputLen, unsigned int maxLen,
++                   const unsigned char *input, unsigned int inputLen)
++{
++    SECStatus rv = SECFailure;
++
++    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
++    if (key->keyType != NSSLOWKEYRSAKey) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return SECFailure;
++    }
++
++    rv = RSA_DecryptRaw(&key->u.rsa, output, outputLen, maxLen, input,
++                        inputLen);
++    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
++        sftk_fatalError = PR_TRUE;
++    }
++
++    return rv;
++}
++
++static SECStatus
++sftk_RSAEncrypt(NSSLOWKEYPublicKey *key, unsigned char *output,
++                unsigned int *outputLen, unsigned int maxLen,
++                const unsigned char *input, unsigned int inputLen)
++{
++    SECStatus rv = SECFailure;
++
++    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
++    if (key->keyType != NSSLOWKEYRSAKey) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return SECFailure;
++    }
++
++    rv = RSA_EncryptBlock(&key->u.rsa, output, outputLen, maxLen, input,
++                          inputLen);
++    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
++        sftk_fatalError = PR_TRUE;
++    }
++
++    return rv;
++}
++
++static SECStatus
++sftk_RSADecrypt(NSSLOWKEYPrivateKey *key, unsigned char *output,
+                  unsigned int *outputLen, unsigned int maxLen,
+-                 unsigned char *input, unsigned int inputLen)
++                const unsigned char *input, unsigned int inputLen)
+ {
+-    return RSA_EncryptOAEP(info->params, info->key, output, outputLen,
+-                           maxLen, input, inputLen);
++    SECStatus rv = SECFailure;
++
++    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
++    if (key->keyType != NSSLOWKEYRSAKey) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return SECFailure;
++    }
++
++    rv = RSA_DecryptBlock(&key->u.rsa, output, outputLen, maxLen, input,
++                          inputLen);
++    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
++        sftk_fatalError = PR_TRUE;
++    }
++
++    return rv;
+ }
+ 
+ static SECStatus
+-sftk_DecryptOAEP(SFTKOAEPDecryptInfo *info, unsigned char *output,
++sftk_RSAEncryptOAEP(SFTKOAEPEncryptInfo *info, unsigned char *output,
+                  unsigned int *outputLen, unsigned int maxLen,
+-                 unsigned char *input, unsigned int inputLen)
++                    const unsigned char *input, unsigned int inputLen)
+ {
+-    return RSA_DecryptOAEP(info->params, info->key, output, outputLen,
+-                           maxLen, input, inputLen);
++    HASH_HashType hashAlg;
++    HASH_HashType maskHashAlg;
++
++    PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
++    if (info->key->keyType != NSSLOWKEYRSAKey) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return SECFailure;
++    }
++
++    hashAlg = GetHashTypeFromMechanism(info->params->hashAlg);
++    maskHashAlg = GetHashTypeFromMechanism(info->params->mgf);
++
++    if (info->params->source != CKZ_DATA_SPECIFIED) {
++        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
++        return SECFailure;
++    }
++
++    return RSA_EncryptOAEP(&info->key->u.rsa, hashAlg, maskHashAlg,
++                           (const unsigned char*)info->params->pSourceData,
++                           info->params->ulSourceDataLen, NULL, 0,
++                           output, outputLen, maxLen, input, inputLen);
++}
++
++static SECStatus
++sftk_RSADecryptOAEP(SFTKOAEPDecryptInfo *info, unsigned char *output,
++                    unsigned int *outputLen, unsigned int maxLen,
++                    const unsigned char *input, unsigned int inputLen)
++{
++    SECStatus rv = SECFailure;
++    HASH_HashType hashAlg;
++    HASH_HashType maskHashAlg;
++
++    PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
++    if (info->key->keyType != NSSLOWKEYRSAKey) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return SECFailure;
++    }
++
++    hashAlg = GetHashTypeFromMechanism(info->params->hashAlg);
++    maskHashAlg = GetHashTypeFromMechanism(info->params->mgf);
++
++    if (info->params->source != CKZ_DATA_SPECIFIED) {
++        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
++        return SECFailure;
++    }
++
++    rv = RSA_DecryptOAEP(&info->key->u.rsa, hashAlg, maskHashAlg,
++                         (const unsigned char*)info->params->pSourceData,
++                         info->params->ulSourceDataLen,
++                         output, outputLen, maxLen, input, inputLen);
++     if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
++        sftk_fatalError = PR_TRUE;
++    }
++    return rv;
+ }
+ 
+ /** NSC_CryptInit initializes an encryption/Decryption operation.
+@@ -538,7 +695,7 @@
+ 	    context->cipherInfo =  (void *)pubKey;
+ 	    context->update = (SFTKCipher) 
+ 		(pMechanism->mechanism == CKM_RSA_X_509
+-					? RSA_EncryptRaw : RSA_EncryptBlock);
++					? sftk_RSAEncryptRaw : sftk_RSAEncrypt);
+ 	} else {
+ 	    NSSLOWKEYPrivateKey *privKey = sftk_GetPrivKey(key,CKK_RSA,&crv);
+ 	    if (privKey == NULL) {
+@@ -549,7 +706,7 @@
+ 	    context->cipherInfo =  (void *)privKey;
+ 	    context->update = (SFTKCipher) 
+ 		(pMechanism->mechanism == CKM_RSA_X_509
+-					? RSA_DecryptRaw : RSA_DecryptBlock);
++					? sftk_RSADecryptRaw : sftk_RSADecrypt);
+ 	}
+ 	context->destroy = sftk_Null;
+ 	break;
+@@ -579,7 +736,7 @@
+ 	        crv = CKR_KEY_HANDLE_INVALID;
+ 	        break;
+ 	    }
+-	    context->update = (SFTKCipher) sftk_EncryptOAEP;
++	    context->update = (SFTKCipher) sftk_RSAEncryptOAEP;
+ 	    context->maxLen = nsslowkey_PublicModulusLen(info->key);
+ 	    context->cipherInfo = info;
+ 	} else {
+@@ -595,7 +752,7 @@
+ 	        crv = CKR_KEY_HANDLE_INVALID;
+ 	        break;
+ 	    }
+-	    context->update = (SFTKCipher) sftk_DecryptOAEP;
++	    context->update = (SFTKCipher) sftk_RSADecryptOAEP;
+ 	    context->maxLen = nsslowkey_PrivateModulusLen(info->key);
+ 	    context->cipherInfo = info;
+ 	}
+@@ -1171,18 +1328,22 @@
+ 		|| context->padDataLength == context->blockSize);
+ 
+ 
+-    if (!pPart) {
+ 	if (context->doPad) {
+-	    /* we can check the data length here because if we are padding,
++	/* Check the data length for block ciphers. If we are padding,
+ 	     * then we must be using a block cipher. In the non-padding case
+ 	     * the error will be returned by the underlying decryption
+-	     * function when do do the actual decrypt. We need to do the
+-	     * check here to avoid returning a negative length to the caller.
++	 * function when we do the actual decrypt. We need to do the
++	 * check here to avoid returning a negative length to the caller
++	 * or reading before the beginning of the pEncryptedPart buffer.
+  	     */
+ 	    if ((ulEncryptedPartLen == 0) ||
+ 		(ulEncryptedPartLen % context->blockSize) != 0) {
+ 		return CKR_ENCRYPTED_DATA_LEN_RANGE;
+ 	    }
++    }
++
++    if (!pPart) {
++	if (context->doPad) {
+ 	    *pulPartLen = 
+ 		ulEncryptedPartLen + context->padDataLength - context->blockSize;
+ 	    return CKR_OK;
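Review bot: The relocated length check is left with mixed indentation, which makes the scope of a security-relevant guard hard to read: the opening `if (context->doPad) {` and the `return CKR_ENCRYPTED_DATA_LEN_RANGE;` body keep their old tab-based nesting, while the new closing `}` sits at four spaces and the rewritten comment lines no longer line up with the ones kept from the old text. Since the guard now runs at function level regardless of `pPart`, I would re-indent the whole block (comment, condition and closing brace) to the function's four-space level so it is obvious that the check precedes `if (!pPart)`. The enclosing function starts and ends outside this hunk.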
+@@ -1886,11 +2047,18 @@
+  * encode RSA PKCS #1 Signature data before signing... 
+  */
+ static SECStatus
+-sftk_HashSign(SFTKHashSignInfo *info,unsigned char *sig,unsigned int *sigLen,
+-		unsigned int maxLen,unsigned char *hash, unsigned int hashLen)
++sftk_RSAHashSign(SFTKHashSignInfo *info, unsigned char *sig,
++                 unsigned int *sigLen, unsigned int maxLen,
++                 const unsigned char *hash, unsigned int hashLen)
+ {
+-    return RSA_HashSign(info->hashOid,info->key,sig,sigLen,maxLen,
+-							hash,hashLen);
++    PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
++    if (info->key->keyType != NSSLOWKEYRSAKey) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return SECFailure;
++    }
++
++    return RSA_HashSign(info->hashOid, info->key, sig, sigLen, maxLen,
++                        hash, hashLen);
+ }
+ 
+ /* XXX Old template; want to expunge it eventually. */
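Review bot: The four-line key-type guard added to sftk_RSAHashSign (`PORT_Assert(...keyType == NSSLOWKEYRSAKey)` followed by the `PORT_SetError(SEC_ERROR_INVALID_KEY); return SECFailure;` branch) is repeated verbatim in every new wrapper this patch introduces. The visible copies are sftk_RSASign, sftk_RSASignRaw, sftk_RSASignPSS, sftk_hashCheckSign, sftk_RSACheckSign, sftk_RSACheckSignRaw, sftk_RSACheckSignPSS, sftk_RSACheckSignRecover and sftk_RSACheckSignRecoverRaw. A single file-local macro or pair of static helpers (one for NSSLOWKEYPrivateKey, one for NSSLOWKEYPublicKey) that performs the assert, sets the error and yields SECFailure would keep the copies from drifting apart. A wrapper that later loses or alters the guard would pass a non-RSA key's `u.rsa` member to freebl, so one definition is easier to audit than many.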
+@@ -1919,12 +2087,14 @@
+     { 0, }
+ };
+ 
++/*
++ * encode RSA PKCS #1 Signature data before signing... 
++ */
+ SECStatus
+ RSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key,
+ 		unsigned char *sig, unsigned int *sigLen, unsigned int maxLen,
+-		unsigned char *hash, unsigned int hashLen)
++             const unsigned char *hash, unsigned int hashLen)
+ {
+-    
+     SECStatus rv = SECFailure;
+     SECItem digder;
+     PLArenaPool *arena = NULL;
+@@ -1933,11 +2103,15 @@
+     digder.data = NULL;
+ 
+     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+-    if ( !arena ) { goto loser; }
++    if (!arena) {
++        goto loser;
++    }
+     
+     /* Construct digest info */
+     di = SGN_CreateDigestInfo(hashOid, hash, hashLen);
+-    if (!di) { goto loser; }
++    if (!di) {
++        goto loser;
++    }
+ 
+     /* Der encode the digest as a DigestInfo */
+     rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate, di);
+@@ -1949,7 +2123,11 @@
+     ** Encrypt signature after constructing appropriate PKCS#1 signature
+     ** block
+     */
+-    rv = RSA_Sign(key,sig,sigLen,maxLen,digder.data,digder.len);
++    rv = RSA_Sign(&key->u.rsa, sig, sigLen, maxLen, digder.data,
++                  digder.len);
++    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
++        sftk_fatalError = PR_TRUE;
++    }
+ 
+   loser:
+     SGN_DestroyDigestInfo(di);
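Review bot: RSA_HashSign now passes `&key->u.rsa` to RSA_Sign without checking `key->keyType` itself; the check exists only in the static wrapper sftk_RSAHashSign. The RSA_Sign being deleted from rsawrapr.c performed that check internally, and RSA_HashSign is declared without `static`, so any caller that reaches it directly (none is visible here, so this needs confirming) loses the validation. I would add `if (key->keyType != NSSLOWKEYRSAKey) { PORT_SetError(SEC_ERROR_INVALID_KEY); return SECFailure; }` at the top of RSA_HashSign, which lies outside this hunk. The same applies to RSA_HashCheckSign in the `@@ -2572,40 +2812,54 @@` hunk, which now calls `RSA_CheckSignRecover(&key->u.rsa, ...)` with the key-type test only in sftk_hashCheckSign.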
+@@ -1960,11 +2138,73 @@
+ }
+ 
+ static SECStatus
+-sftk_SignPSS(SFTKHashSignInfo *info,unsigned char *sig,unsigned int *sigLen,
+-		unsigned int maxLen,unsigned char *hash, unsigned int hashLen)
++sftk_RSASign(NSSLOWKEYPrivateKey *key, unsigned char *output,
++             unsigned int *outputLen, unsigned int maxOutputLen,
++             const unsigned char *input, unsigned int inputLen)
++{
++    SECStatus rv = SECFailure;
++
++    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
++    if (key->keyType != NSSLOWKEYRSAKey) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return SECFailure;
++    }
++
++    rv = RSA_Sign(&key->u.rsa, output, outputLen, maxOutputLen, input,
++                  inputLen);
++    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
++        sftk_fatalError = PR_TRUE;
++    }
++    return rv;
++}
++
++static SECStatus
++sftk_RSASignRaw(NSSLOWKEYPrivateKey *key, unsigned char *output,
++                unsigned int *outputLen, unsigned int maxOutputLen,
++                const unsigned char *input, unsigned int inputLen)
++{
++    SECStatus rv = SECFailure;
++
++    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
++    if (key->keyType != NSSLOWKEYRSAKey) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return SECFailure;
++    }
++
++    rv = RSA_SignRaw(&key->u.rsa, output, outputLen, maxOutputLen, input,
++                     inputLen);
++    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
++        sftk_fatalError = PR_TRUE;
++    }
++    return rv;
++    
++}
++
++static SECStatus
++sftk_RSASignPSS(SFTKHashSignInfo *info, unsigned char *sig,
++                unsigned int *sigLen, unsigned int maxLen,
++                const unsigned char *hash, unsigned int hashLen)
+ {
+-    return RSA_SignPSS(info->params,info->key,sig,sigLen,maxLen,
+-							hash,hashLen);
++    SECStatus rv = SECFailure;
++    HASH_HashType hashAlg;
++    HASH_HashType maskHashAlg;
++    CK_RSA_PKCS_PSS_PARAMS *params = (CK_RSA_PKCS_PSS_PARAMS *)info->params;
++
++    PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
++    if (info->key->keyType != NSSLOWKEYRSAKey) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return SECFailure;
++    }
++
++    hashAlg = GetHashTypeFromMechanism(params->hashAlg);
++    maskHashAlg = GetHashTypeFromMechanism(params->mgf);
++
++    rv = RSA_SignPSS(&info->key->u.rsa, hashAlg, maskHashAlg, NULL,
++                     params->sLen, sig, sigLen, maxLen, hash, hashLen);
++    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
++        sftk_fatalError = PR_TRUE;
++    }
++    return rv;
+ }
+ 
+ static SECStatus
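Review bot: sftk_RSASignPSS feeds the results of `GetHashTypeFromMechanism(params->hashAlg)` and `GetHashTypeFromMechanism(params->mgf)` straight into RSA_SignPSS without checking that either mechanism was recognised. GetHashTypeFromMechanism is defined outside this hunk; if it returns a sentinel such as HASH_AlgNULL for unknown mechanisms (to be confirmed), and the PSS parameters are not already validated at init time, an unsupported hash would reach freebl. A guard before the call would make the wrapper safe on its own: `if (hashAlg == HASH_AlgNULL || maskHashAlg == HASH_AlgNULL) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return SECFailure; }`. The same unchecked pattern appears in sftk_RSACheckSignPSS and in sftk_RSAEncryptOAEP / sftk_RSADecryptOAEP elsewhere in this patch.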
+@@ -2095,7 +2335,7 @@
+         context->multi = PR_TRUE; \
+ 	crv = sftk_doSub ## mmm (context); \
+ 	if (crv != CKR_OK) break; \
+-	context->update = (SFTKCipher) sftk_HashSign; \
++	context->update = (SFTKCipher) sftk_RSAHashSign; \
+ 	info = PORT_New(SFTKHashSignInfo); \
+ 	if (info == NULL) { crv = CKR_HOST_MEMORY; break; } \
+ 	info->hashOid = SEC_OID_ ## mmm ; \
+@@ -2111,10 +2351,10 @@
+     INIT_RSA_SIGN_MECH(SHA512)
+ 
+     case CKM_RSA_PKCS:
+-	context->update = (SFTKCipher) RSA_Sign;
++	context->update = (SFTKCipher) sftk_RSASign;
+ 	goto finish_rsa;
+     case CKM_RSA_X_509:
+-	context->update = (SFTKCipher)  RSA_SignRaw;
++	context->update = (SFTKCipher) sftk_RSASignRaw;
+ finish_rsa:
+ 	if (key_type != CKK_RSA) {
+ 	    crv = CKR_KEY_TYPE_INCONSISTENT;
+@@ -2163,7 +2403,7 @@
+ 	}
+ 	context->cipherInfo = info;
+ 	context->destroy = (SFTKDestroy) sftk_Space;
+-	context->update = (SFTKCipher) sftk_SignPSS;
++	context->update = (SFTKCipher) sftk_RSASignPSS;
+ 	context->maxLen = nsslowkey_PrivateModulusLen(info->key);
+ 	break;	
+ 
+@@ -2275,7 +2515,7 @@
+ 	context->hashUpdate    = sftk_HMACConstantTime_Update;
+ 	context->hashdestroy   = sftk_MACConstantTime_DestroyContext;
+ 	context->end           = sftk_MACConstantTime_EndHash;
+-	context->update        = sftk_SignCopy;
++	context->update        = (SFTKCipher) sftk_SignCopy;
+ 	context->destroy       = sftk_Space;
+ 	context->maxLen        = 64;
+ 	context->multi         = PR_TRUE;
+@@ -2304,7 +2544,7 @@
+ 	context->hashUpdate    = sftk_SSLv3MACConstantTime_Update;
+ 	context->hashdestroy   = sftk_MACConstantTime_DestroyContext;
+ 	context->end           = sftk_MACConstantTime_EndHash;
+-	context->update        = sftk_SignCopy;
++	context->update        = (SFTKCipher) sftk_SignCopy;
+ 	context->destroy       = sftk_Space;
+ 	context->maxLen        = 64;
+ 	context->multi         = PR_TRUE;
+@@ -2572,40 +2812,54 @@
+ 
+ /* Handle RSA Signature formatting */
+ static SECStatus
+-sftk_hashCheckSign(SFTKHashVerifyInfo *info, unsigned char *sig, 
+-	unsigned int sigLen, unsigned char *digest, unsigned int digestLen)
++sftk_hashCheckSign(SFTKHashVerifyInfo *info, const unsigned char *sig, 
++                   unsigned int sigLen, const unsigned char *digest,
++                   unsigned int digestLen)
+ {
+-    return RSA_HashCheckSign(info->hashOid, info->key, sig, sigLen,
+-						digest, digestLen);
++    PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
++    if (info->key->keyType != NSSLOWKEYRSAKey) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return SECFailure;
++    }
++
++    return RSA_HashCheckSign(info->hashOid, info->key, sig, sigLen, digest,
++                             digestLen);
+ }
+ 
+ SECStatus
+ RSA_HashCheckSign(SECOidTag hashOid, NSSLOWKEYPublicKey *key,
+-	unsigned char *sig, unsigned int sigLen,
+-	unsigned char *digest, unsigned int digestLen)
++                  const unsigned char *sig, unsigned int sigLen,
++                  const unsigned char *hash, unsigned int hashLen)
+ {
+-
+     SECItem it;
+     SGNDigestInfo *di = NULL;
+     SECStatus rv = SECSuccess;
+     
+     it.data = NULL;
+-
+-    if (key == NULL) goto loser;
+-
+     it.len = nsslowkey_PublicModulusLen(key); 
+-    if (!it.len) goto loser;
++    if (!it.len) {
++        goto loser;
++    }
+ 
+-    it.data = (unsigned char *) PORT_Alloc(it.len);
+-    if (it.data == NULL) goto loser;
++    it.data = (unsigned char *)PORT_Alloc(it.len);
++    if (it.data == NULL) {
++        goto loser;
++    }
+ 
+     /* decrypt the block */
+-    rv = RSA_CheckSignRecover(key, it.data, &it.len, it.len, sig, sigLen);
+-    if (rv != SECSuccess) goto loser;
++    rv = RSA_CheckSignRecover(&key->u.rsa, it.data, &it.len, it.len, sig,
++                              sigLen);
++    if (rv != SECSuccess) {
++        goto loser;
++    }
+ 
+     di = SGN_DecodeDigestInfo(&it);
+-    if (di == NULL) goto loser;
+-    if (di->digest.len != digestLen)  goto loser; 
++    if (di == NULL) {
++        goto loser;
++    }
++    if (di->digest.len != hashLen) {
++        goto loser; 
++    }
+ 
+     /* make sure the tag is OK */
+     if (SECOID_GetAlgorithmTag(&di->digestAlgorithm) != hashOid) {
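Review bot: The `if (key == NULL) goto loser;` guard is dropped from RSA_HashCheckSign, so a NULL key now goes straight into `nsslowkey_PublicModulusLen(key)` and, if that returns non-zero, into `&key->u.rsa`. The static wrapper sftk_hashCheckSign dereferences `info->key` before calling and so cannot pass NULL, but RSA_HashCheckSign is not `static`. Whether nsslowkey_PublicModulusLen tolerates a NULL argument is not visible here. Unless every external caller is known to pass a valid key, I would keep `if (key == NULL) goto loser;` ahead of the modulus-length call. The function body continues outside this hunk.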
+@@ -2616,7 +2870,7 @@
+ 	goto loser;
+     }
+     /* Now check the signature */
+-    if (PORT_Memcmp(digest, di->digest.data, di->digest.len) == 0) {
++    if (PORT_Memcmp(hash, di->digest.data, di->digest.len) == 0) {
+ 	goto done;
+     }
+ 
+@@ -2625,18 +2879,64 @@
+     rv = SECFailure;
+ 
+   done:
+-    if (it.data != NULL) PORT_Free(it.data);
+-    if (di != NULL) SGN_DestroyDigestInfo(di);
++    if (it.data != NULL) {
++        PORT_Free(it.data);
++    }
++    if (di != NULL) {
++        SGN_DestroyDigestInfo(di);
++    }
+     
+     return rv;
+ }
+ 
+ static SECStatus
+-sftk_CheckSignPSS(SFTKHashVerifyInfo *info, unsigned char *sig,
+-	unsigned int sigLen, unsigned char *digest, unsigned int digestLen)
++sftk_RSACheckSign(NSSLOWKEYPublicKey *key, const unsigned char *sig,
++                  unsigned int sigLen, const unsigned char *digest,
++                  unsigned int digestLen)
+ {
+-    return RSA_CheckSignPSS(info->params, info->key, sig, sigLen,
+-						digest, digestLen);
++    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
++    if (key->keyType != NSSLOWKEYRSAKey) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return SECFailure;
++    }
++
++    return RSA_CheckSign(&key->u.rsa, sig, sigLen, digest, digestLen);
++}
++
++static SECStatus
++sftk_RSACheckSignRaw(NSSLOWKEYPublicKey *key, const unsigned char *sig,
++                     unsigned int sigLen, const unsigned char *digest,
++                     unsigned int digestLen)
++{
++    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
++    if (key->keyType != NSSLOWKEYRSAKey) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return SECFailure;
++    }
++
++    return RSA_CheckSignRaw(&key->u.rsa, sig, sigLen, digest, digestLen);
++}
++
++static SECStatus
++sftk_RSACheckSignPSS(SFTKHashVerifyInfo *info, const unsigned char *sig,
++                     unsigned int sigLen, const unsigned char *digest,
++                     unsigned int digestLen)
++{
++    HASH_HashType hashAlg;
++    HASH_HashType maskHashAlg;
++    CK_RSA_PKCS_PSS_PARAMS *params = (CK_RSA_PKCS_PSS_PARAMS *)info->params;
++
++    PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
++    if (info->key->keyType != NSSLOWKEYRSAKey) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return SECFailure;
++    }
++
++    hashAlg = GetHashTypeFromMechanism(params->hashAlg);
++    maskHashAlg = GetHashTypeFromMechanism(params->mgf);
++
++    return RSA_CheckSignPSS(&info->key->u.rsa, hashAlg, maskHashAlg,
++                            params->sLen, sig, sigLen, digest, digestLen);
+ }
+ 
+ /* NSC_VerifyInit initializes a verification operation, 
+@@ -2691,10 +2991,10 @@
+     INIT_RSA_VFY_MECH(SHA512) 
+ 
+     case CKM_RSA_PKCS:
+-	context->verify = (SFTKVerify) RSA_CheckSign;
++	context->verify = (SFTKVerify) sftk_RSACheckSign;
+ 	goto finish_rsa;
+     case CKM_RSA_X_509:
+-	context->verify = (SFTKVerify) RSA_CheckSignRaw;
++	context->verify = (SFTKVerify) sftk_RSACheckSignRaw;
+ finish_rsa:
+ 	if (key_type != CKK_RSA) {
+ 	    if (info) PORT_Free(info);
+@@ -2740,7 +3040,7 @@
+ 	}
+ 	context->cipherInfo = info;
+ 	context->destroy = (SFTKDestroy) sftk_Space;
+-	context->verify = (SFTKVerify) sftk_CheckSignPSS;
++	context->verify = (SFTKVerify) sftk_RSACheckSignPSS;
+ 	break;
+     case CKM_DSA_SHA1:
+         context->multi = PR_TRUE;
+@@ -2920,6 +3220,35 @@
+ /*
+  ************** Crypto Functions:     Verify  Recover ************************
+  */
++static SECStatus
++sftk_RSACheckSignRecover(NSSLOWKEYPublicKey *key, unsigned char *data,
++                         unsigned int *dataLen, unsigned int maxDataLen,
++                         const unsigned char *sig, unsigned int sigLen)
++{
++    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
++    if (key->keyType != NSSLOWKEYRSAKey) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return SECFailure;
++    }
++
++    return RSA_CheckSignRecover(&key->u.rsa, data, dataLen, maxDataLen,
++                                sig, sigLen);
++}
++
++static SECStatus
++sftk_RSACheckSignRecoverRaw(NSSLOWKEYPublicKey *key, unsigned char *data,
++                            unsigned int *dataLen, unsigned int maxDataLen,
++                            const unsigned char *sig, unsigned int sigLen)
++{
++    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
++    if (key->keyType != NSSLOWKEYRSAKey) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return SECFailure;
++    }
++
++    return RSA_CheckSignRecoverRaw(&key->u.rsa, data, dataLen, maxDataLen,
++                                   sig, sigLen);
++}
+ 
+ /* NSC_VerifyRecoverInit initializes a signature verification operation, 
+  * where the data is recovered from the signature. 
+@@ -2962,7 +3291,7 @@
+ 	}
+ 	context->cipherInfo = pubKey;
+ 	context->update = (SFTKCipher) (pMechanism->mechanism == CKM_RSA_X_509
+-			? RSA_CheckSignRecoverRaw : RSA_CheckSignRecover);
++			? sftk_RSACheckSignRecoverRaw : sftk_RSACheckSignRecover);
+ 	context->destroy = sftk_Null;
+ 	break;
+     default:
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/softoken/rsawrapr.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/softoken/rsawrapr.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/softoken/rsawrapr.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/softoken/rsawrapr.c	1970-01-01 03:00:00.000000000 +0300
+@@ -1,1448 +0,0 @@
+-/*
+- * PKCS#1 encoding and decoding functions.
+- * This file is believed to contain no code licensed from other parties.
+- *
+- * This Source Code Form is subject to the terms of the Mozilla Public
+- * License, v. 2.0. If a copy of the MPL was not distributed with this
+- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+-
+-#include "blapi.h"
+-#include "softoken.h"
+-
+-#include "lowkeyi.h"
+-#include "secerr.h"
+-
+-#define RSA_BLOCK_MIN_PAD_LEN		8
+-#define RSA_BLOCK_FIRST_OCTET		0x00
+-#define RSA_BLOCK_PRIVATE0_PAD_OCTET	0x00
+-#define RSA_BLOCK_PRIVATE_PAD_OCTET	0xff
+-#define RSA_BLOCK_AFTER_PAD_OCTET	0x00
+-
+-/* Needed for RSA-PSS functions */
+-static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+-
+-/* Constant time comparison of a single byte.
+- * Returns 1 iff a == b, otherwise returns 0.
+- * Note: For ranges of bytes, use constantTimeCompare.
+- */
+-static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) {
+-    unsigned char c = ~(a - b | b - a);
+-    c >>= 7;
+-    return c;
+-}
+-
+-/* Constant time comparison of a range of bytes.
+- * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise
+- * returns 0.
+- */
+-static unsigned char constantTimeCompare(const unsigned char *a,
+-                                         const unsigned char *b,
+-                                         unsigned int len) {
+-    unsigned char tmp = 0;
+-    unsigned int i;
+-    for (i = 0; i < len; ++i, ++a, ++b)
+-        tmp |= *a ^ *b;
+-    return constantTimeEQ8(0x00, tmp);
+-}
+-
+-/* Constant time conditional.
+- * Returns a if c is 1, or b if c is 0. The result is undefined if c is
+- * not 0 or 1.
+- */
+-static unsigned int constantTimeCondition(unsigned int c,
+-                                          unsigned int a,
+-                                          unsigned int b)
+-{
+-    return (~(c - 1) & a) | ((c - 1) & b);
+-}
+-
+-/*
+- * Format one block of data for public/private key encryption using
+- * the rules defined in PKCS #1.
+- */
+-static unsigned char *
+-rsa_FormatOneBlock(unsigned modulusLen, RSA_BlockType blockType,
+-		   SECItem *data)
+-{
+-    unsigned char *block;
+-    unsigned char *bp;
+-    int padLen;
+-    int i, j;
+-    SECStatus rv;
+-
+-    block = (unsigned char *) PORT_Alloc(modulusLen);
+-    if (block == NULL)
+-	return NULL;
+-
+-    bp = block;
+-
+-    /*
+-     * All RSA blocks start with two octets:
+-     *	0x00 || BlockType
+-     */
+-    *bp++ = RSA_BLOCK_FIRST_OCTET;
+-    *bp++ = (unsigned char) blockType;
+-
+-    switch (blockType) {
+-
+-      /*
+-       * Blocks intended for private-key operation.
+-       */
+-      case RSA_BlockPrivate0: /* essentially unused */
+-      case RSA_BlockPrivate:	 /* preferred method */
+-	/*
+-	 * 0x00 || BT || Pad || 0x00 || ActualData
+-	 *   1      1   padLen    1      data->len
+-	 * Pad is either all 0x00 or all 0xff bytes, depending on blockType.
+-	 */
+-	padLen = modulusLen - data->len - 3;
+-	PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
+-	if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
+-	    PORT_Free (block);
+-	    return NULL;
+-	}
+-	PORT_Memset (bp,
+-		   blockType == RSA_BlockPrivate0
+-			? RSA_BLOCK_PRIVATE0_PAD_OCTET
+-			: RSA_BLOCK_PRIVATE_PAD_OCTET,
+-		   padLen);
+-	bp += padLen;
+-	*bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+-	PORT_Memcpy (bp, data->data, data->len);
+-	break;
+-
+-      /*
+-       * Blocks intended for public-key operation.
+-       */
+-      case RSA_BlockPublic:
+-
+-	/*
+-	 * 0x00 || BT || Pad || 0x00 || ActualData
+-	 *   1      1   padLen    1      data->len
+-	 * Pad is all non-zero random bytes.
+-	 *
+-	 * Build the block left to right.
+-	 * Fill the entire block from Pad to the end with random bytes.
+-	 * Use the bytes after Pad as a supply of extra random bytes from 
+-	 * which to find replacements for the zero bytes in Pad.
+-	 * If we need more than that, refill the bytes after Pad with 
+-	 * new random bytes as necessary.
+-	 */
+-	padLen = modulusLen - (data->len + 3);
+-	PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
+-	if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
+-	    PORT_Free (block);
+-	    return NULL;
+-	}
+-	j = modulusLen - 2;
+-	rv = RNG_GenerateGlobalRandomBytes(bp, j);
+-	if (rv == SECSuccess) {
+-	    for (i = 0; i < padLen; ) {
+-		unsigned char repl;
+-		/* Pad with non-zero random data. */
+-		if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) {
+-		    ++i;
+-		    continue;
+-		}
+-		if (j <= padLen) {
+-		    rv = RNG_GenerateGlobalRandomBytes(bp + padLen,
+-					  modulusLen - (2 + padLen));
+-		    if (rv != SECSuccess)
+-		    	break;
+-		    j = modulusLen - 2;
+-		}
+-		do {
+-		    repl = bp[--j];
+-		} while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen);
+-		if (repl != RSA_BLOCK_AFTER_PAD_OCTET) {
+-		    bp[i++] = repl;
+-		}
+-	    }
+-	}
+-	if (rv != SECSuccess) {
+-	    sftk_fatalError = PR_TRUE;
+-	    PORT_Free (block);
+-	    return NULL;
+-	}
+-	bp += padLen;
+-	*bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+-	PORT_Memcpy (bp, data->data, data->len);
+-	break;
+-
+-      default:
+-	PORT_Assert (0);
+-	PORT_Free (block);
+-	return NULL;
+-    }
+-
+-    return block;
+-}
+-
+-static SECStatus
+-rsa_FormatBlock(SECItem *result, unsigned modulusLen,
+-		RSA_BlockType blockType, SECItem *data)
+-{
+-    /*
+-     * XXX For now assume that the data length fits in a single
+-     * XXX encryption block; the ASSERTs below force this.
+-     * XXX To fix it, each case will have to loop over chunks whose
+-     * XXX lengths satisfy the assertions, until all data is handled.
+-     * XXX (Unless RSA has more to say about how to handle data
+-     * XXX which does not fit in a single encryption block?)
+-     * XXX And I do not know what the result is supposed to be,
+-     * XXX so the interface to this function may need to change
+-     * XXX to allow for returning multiple blocks, if they are
+-     * XXX not wanted simply concatenated one after the other.
+-     */
+-
+-    switch (blockType) {
+-      case RSA_BlockPrivate0:
+-      case RSA_BlockPrivate:
+-      case RSA_BlockPublic:
+-	/*
+-	 * 0x00 || BT || Pad || 0x00 || ActualData
+-	 *
+-	 * The "3" below is the first octet + the second octet + the 0x00
+-	 * octet that always comes just before the ActualData.
+-	 */
+-	PORT_Assert (data->len <= (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)));
+-
+-	result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
+-	if (result->data == NULL) {
+-	    result->len = 0;
+-	    return SECFailure;
+-	}
+-	result->len = modulusLen;
+-
+-	break;
+-
+-      case RSA_BlockRaw:
+-	/*
+-	 * Pad || ActualData
+-	 * Pad is zeros. The application is responsible for recovering
+-	 * the actual data.
+-	 */
+-	if (data->len > modulusLen ) {
+-	    return SECFailure;
+-	}
+-	result->data = (unsigned char*)PORT_ZAlloc(modulusLen);
+-	result->len = modulusLen;
+-	PORT_Memcpy(result->data+(modulusLen-data->len),data->data,data->len);
+-	break;
+-
+-      default:
+-	PORT_Assert (0);
+-	result->data = NULL;
+-	result->len = 0;
+-	return SECFailure;
+-    }
+-
+-    return SECSuccess;
+-}
+-
+-/* XXX Doesn't set error code */
+-SECStatus
+-RSA_Sign(NSSLOWKEYPrivateKey *key, 
+-         unsigned char *      output, 
+-	 unsigned int *       output_len,
+-         unsigned int         maxOutputLen, 
+-	 unsigned char *      input, 
+-	 unsigned int         input_len)
+-{
+-    SECStatus     rv          = SECSuccess;
+-    unsigned int  modulus_len = nsslowkey_PrivateModulusLen(key);
+-    SECItem       formatted;
+-    SECItem       unformatted;
+-
+-    if (maxOutputLen < modulus_len) 
+-    	return SECFailure;
+-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+-    if (key->keyType != NSSLOWKEYRSAKey)
+-    	return SECFailure;
+-
+-    unformatted.len  = input_len;
+-    unformatted.data = input;
+-    formatted.data   = NULL;
+-    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockPrivate,
+-			 &unformatted);
+-    if (rv != SECSuccess) 
+-    	goto done;
+-
+-    rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, formatted.data);
+-    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+-	sftk_fatalError = PR_TRUE;
+-    }
+-    *output_len = modulus_len;
+-
+-    goto done;
+-
+-done:
+-    if (formatted.data != NULL) 
+-    	PORT_ZFree(formatted.data, modulus_len);
+-    return rv;
+-}
+-
+-/* XXX Doesn't set error code */
+-SECStatus
+-RSA_CheckSign(NSSLOWKEYPublicKey *key,
+-              unsigned char *     sign, 
+-	      unsigned int        sign_len, 
+-	      unsigned char *     hash, 
+-	      unsigned int        hash_len)
+-{
+-    SECStatus       rv;
+-    unsigned int    modulus_len = nsslowkey_PublicModulusLen(key);
+-    unsigned int    i;
+-    unsigned char * buffer;
+-
+-    modulus_len = nsslowkey_PublicModulusLen(key);
+-    if (sign_len != modulus_len) 
+-    	goto failure;
+-    /*
+-     * 0x00 || BT || Pad || 0x00 || ActualData
+-     *
+-     * The "3" below is the first octet + the second octet + the 0x00
+-     * octet that always comes just before the ActualData.
+-     */
+-    if (hash_len > modulus_len - (3 + RSA_BLOCK_MIN_PAD_LEN)) 
+-    	goto failure;
+-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+-    if (key->keyType != NSSLOWKEYRSAKey)
+-    	goto failure;
+-
+-    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
+-    if (!buffer)
+-    	goto failure;
+-
+-    rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
+-    if (rv != SECSuccess)
+-	goto loser;
+-
+-    /*
+-     * check the padding that was used
+-     */
+-    if (buffer[0] != 0 || buffer[1] != 1) 
+-    	goto loser;
+-    for (i = 2; i < modulus_len - hash_len - 1; i++) {
+-	if (buffer[i] != 0xff) 
+-	    goto loser;
+-    }
+-    if (buffer[i] != 0) 
+-	goto loser;
+-
+-    /*
+-     * make sure we get the same results
+-     */
+-    if (PORT_Memcmp(buffer + modulus_len - hash_len, hash, hash_len) != 0)
+-	goto loser;
+-
+-    PORT_Free(buffer);
+-    return SECSuccess;
+-
+-loser:
+-    PORT_Free(buffer);
+-failure:
+-    return SECFailure;
+-}
+-
+-/* XXX Doesn't set error code */
+-SECStatus
+-RSA_CheckSignRecover(NSSLOWKEYPublicKey *key,
+-                     unsigned char *     data,
+-                     unsigned int *      data_len, 
+-		     unsigned int        max_output_len, 
+-		     unsigned char *     sign,
+-		     unsigned int        sign_len)
+-{
+-    SECStatus       rv;
+-    unsigned int    modulus_len = nsslowkey_PublicModulusLen(key);
+-    unsigned int    i;
+-    unsigned char * buffer;
+-
+-    if (sign_len != modulus_len) 
+-    	goto failure;
+-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+-    if (key->keyType != NSSLOWKEYRSAKey)
+-    	goto failure;
+-
+-    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
+-    if (!buffer)
+-    	goto failure;
+-
+-    rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
+-    if (rv != SECSuccess)
+-    	goto loser;
+-    *data_len = 0;
+-
+-    /*
+-     * check the padding that was used
+-     */
+-    if (buffer[0] != 0 || buffer[1] != 1) 
+-    	goto loser;
+-    for (i = 2; i < modulus_len; i++) {
+-	if (buffer[i] == 0) {
+-	    *data_len = modulus_len - i - 1;
+-	    break;
+-	}
+-	if (buffer[i] != 0xff) 
+-	    goto loser;
+-    }
+-    if (*data_len == 0) 
+-    	goto loser;
+-    if (*data_len > max_output_len) 
+-    	goto loser;
+-
+-    /*
+-     * make sure we get the same results
+-     */
+-    PORT_Memcpy(data,buffer + modulus_len - *data_len, *data_len);
+-
+-    PORT_Free(buffer);
+-    return SECSuccess;
+-
+-loser:
+-    PORT_Free(buffer);
+-failure:
+-    return SECFailure;
+-}
+-
+-/* XXX Doesn't set error code */
+-SECStatus
+-RSA_EncryptBlock(NSSLOWKEYPublicKey *key, 
+-                 unsigned char *     output, 
+-		 unsigned int *      output_len,
+-                 unsigned int        max_output_len, 
+-		 unsigned char *     input, 
+-		 unsigned int        input_len)
+-{
+-    SECStatus     rv;
+-    unsigned int  modulus_len = nsslowkey_PublicModulusLen(key);
+-    SECItem       formatted;
+-    SECItem       unformatted;
+-
+-    formatted.data = NULL;
+-    if (max_output_len < modulus_len) 
+-    	goto failure;
+-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+-    if (key->keyType != NSSLOWKEYRSAKey)
+-    	goto failure;
+-
+-    unformatted.len  = input_len;
+-    unformatted.data = input;
+-    formatted.data   = NULL;
+-    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockPublic,
+-			 &unformatted);
+-    if (rv != SECSuccess) 
+-	goto failure;
+-
+-    rv = RSA_PublicKeyOp(&key->u.rsa, output, formatted.data);
+-    if (rv != SECSuccess) 
+-    	goto failure;
+-
+-    PORT_ZFree(formatted.data, modulus_len);
+-    *output_len = modulus_len;
+-    return SECSuccess;
+-
+-failure:
+-    if (formatted.data != NULL) 
+-	PORT_ZFree(formatted.data, modulus_len);
+-    return SECFailure;
+-}
+-
+-/* XXX Doesn't set error code */
+-SECStatus
+-RSA_DecryptBlock(NSSLOWKEYPrivateKey *key, 
+-                 unsigned char *      output, 
+-		 unsigned int *       output_len,
+-                 unsigned int         max_output_len, 
+-		 unsigned char *      input, 
+-		 unsigned int         input_len)
+-{
+-    SECStatus       rv;
+-    unsigned int    modulus_len = nsslowkey_PrivateModulusLen(key);
+-    unsigned int    i;
+-    unsigned char * buffer;
+-
+-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+-    if (key->keyType != NSSLOWKEYRSAKey)
+-    	goto failure;
+-    if (input_len != modulus_len)
+-    	goto failure;
+-
+-    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
+-    if (!buffer)
+-    	goto failure;
+-
+-    rv = RSA_PrivateKeyOp(&key->u.rsa, buffer, input);
+-    if (rv != SECSuccess) {
+-	if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+-	    sftk_fatalError = PR_TRUE;
+-	}
+-    	goto loser;
+-    }
+-
+-    if (buffer[0] != 0 || buffer[1] != 2) 
+-    	goto loser;
+-    *output_len = 0;
+-    for (i = 2; i < modulus_len; i++) {
+-	if (buffer[i] == 0) {
+-	    *output_len = modulus_len - i - 1;
+-	    break;
+-	}
+-    }
+-    if (*output_len == 0) 
+-    	goto loser;
+-    if (*output_len > max_output_len) 
+-    	goto loser;
+-
+-    PORT_Memcpy(output, buffer + modulus_len - *output_len, *output_len);
+-
+-    PORT_Free(buffer);
+-    return SECSuccess;
+-
+-loser:
+-    PORT_Free(buffer);
+-failure:
+-    return SECFailure;
+-}
+-
+-/* XXX Doesn't set error code */
+-/*
+- * added to make pkcs #11 happy
+- *   RAW is RSA_X_509
+- */
+-SECStatus
+-RSA_SignRaw(NSSLOWKEYPrivateKey *key, 
+-            unsigned char *      output, 
+-	    unsigned int *       output_len,
+-            unsigned int         maxOutputLen, 
+-	    unsigned char *      input, 
+-	    unsigned int         input_len)
+-{
+-    SECStatus    rv          = SECSuccess;
+-    unsigned int modulus_len = nsslowkey_PrivateModulusLen(key);
+-    SECItem      formatted;
+-    SECItem      unformatted;
+-
+-    if (maxOutputLen < modulus_len) 
+-    	return SECFailure;
+-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+-    if (key->keyType != NSSLOWKEYRSAKey)
+-    	return SECFailure;
+-
+-    unformatted.len  = input_len;
+-    unformatted.data = input;
+-    formatted.data   = NULL;
+-    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockRaw, &unformatted);
+-    if (rv != SECSuccess) 
+-    	goto done;
+-
+-    rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, formatted.data);
+-    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+-	sftk_fatalError = PR_TRUE;
+-    }
+-    *output_len = modulus_len;
+-
+-done:
+-    if (formatted.data != NULL) 
+-    	PORT_ZFree(formatted.data, modulus_len);
+-    return rv;
+-}
+-
+-/* XXX Doesn't set error code */
+-SECStatus
+-RSA_CheckSignRaw(NSSLOWKEYPublicKey *key,
+-                 unsigned char *     sign, 
+-		 unsigned int        sign_len, 
+-		 unsigned char *     hash, 
+-		 unsigned int        hash_len)
+-{
+-    SECStatus       rv;
+-    unsigned int    modulus_len = nsslowkey_PublicModulusLen(key);
+-    unsigned char * buffer;
+-
+-    if (sign_len != modulus_len) 
+-    	goto failure;
+-    if (hash_len > modulus_len) 
+-    	goto failure;
+-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+-    if (key->keyType != NSSLOWKEYRSAKey)
+-    	goto failure;
+-
+-    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
+-    if (!buffer)
+-    	goto failure;
+-
+-    rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
+-    if (rv != SECSuccess)
+-	goto loser;
+-
+-    /*
+-     * make sure we get the same results
+-     */
+-    /* NOTE: should we verify the leading zeros? */
+-    if (PORT_Memcmp(buffer + (modulus_len-hash_len), hash, hash_len) != 0)
+-	goto loser;
+-
+-    PORT_Free(buffer);
+-    return SECSuccess;
+-
+-loser:
+-    PORT_Free(buffer);
+-failure:
+-    return SECFailure;
+-}
+-
+-/* XXX Doesn't set error code */
+-SECStatus
+-RSA_CheckSignRecoverRaw(NSSLOWKEYPublicKey *key,
+-                        unsigned char *     data,
+-                        unsigned int *      data_len, 
+-			unsigned int        max_output_len, 
+-			unsigned char *     sign,
+-			unsigned int        sign_len)
+-{
+-    SECStatus      rv;
+-    unsigned int   modulus_len = nsslowkey_PublicModulusLen(key);
+-
+-    if (sign_len != modulus_len) 
+-    	goto failure;
+-    if (max_output_len < modulus_len) 
+-    	goto failure;
+-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+-    if (key->keyType != NSSLOWKEYRSAKey)
+-    	goto failure;
+-
+-    rv = RSA_PublicKeyOp(&key->u.rsa, data, sign);
+-    if (rv != SECSuccess)
+-	goto failure;
+-
+-    *data_len = modulus_len;
+-    return SECSuccess;
+-
+-failure:
+-    return SECFailure;
+-}
+-
+-
+-/* XXX Doesn't set error code */
+-SECStatus
+-RSA_EncryptRaw(NSSLOWKEYPublicKey *key, 
+-	       unsigned char *     output, 
+-	       unsigned int *      output_len,
+-               unsigned int        max_output_len, 
+-	       unsigned char *     input, 
+-	       unsigned int        input_len)
+-{
+-    SECStatus rv;
+-    unsigned int  modulus_len = nsslowkey_PublicModulusLen(key);
+-    SECItem       formatted;
+-    SECItem       unformatted;
+-
+-    formatted.data = NULL;
+-    if (max_output_len < modulus_len) 
+-    	goto failure;
+-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+-    if (key->keyType != NSSLOWKEYRSAKey)
+-    	goto failure;
+-
+-    unformatted.len  = input_len;
+-    unformatted.data = input;
+-    formatted.data   = NULL;
+-    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockRaw, &unformatted);
+-    if (rv != SECSuccess)
+-	goto failure;
+-
+-    rv = RSA_PublicKeyOp(&key->u.rsa, output, formatted.data);
+-    if (rv != SECSuccess) 
+-    	goto failure;
+-
+-    PORT_ZFree(formatted.data, modulus_len);
+-    *output_len = modulus_len;
+-    return SECSuccess;
+-
+-failure:
+-    if (formatted.data != NULL) 
+-	PORT_ZFree(formatted.data, modulus_len);
+-    return SECFailure;
+-}
+-
+-/* XXX Doesn't set error code */
+-SECStatus
+-RSA_DecryptRaw(NSSLOWKEYPrivateKey *key, 
+-               unsigned char *      output, 
+-	       unsigned int *       output_len,
+-               unsigned int         max_output_len, 
+-	       unsigned char *      input, 
+-	       unsigned int         input_len)
+-{
+-    SECStatus     rv;
+-    unsigned int  modulus_len = nsslowkey_PrivateModulusLen(key);
+-
+-    if (modulus_len <= 0) 
+-    	goto failure;
+-    if (modulus_len > max_output_len) 
+-    	goto failure;
+-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+-    if (key->keyType != NSSLOWKEYRSAKey)
+-    	goto failure;
+-    if (input_len != modulus_len) 
+-    	goto failure;
+-
+-    rv = RSA_PrivateKeyOp(&key->u.rsa, output, input);
+-    if (rv != SECSuccess) {
+-	if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+-	    sftk_fatalError = PR_TRUE;
+-	}
+-    	goto failure;
+-    }
+-
+-    *output_len = modulus_len;
+-    return SECSuccess;
+-
+-failure:
+-    return SECFailure;
+-}
+-
+-/*
+- * Mask generation function MGF1 as defined in PKCS #1 v2.1 / RFC 3447.
+- */
+-static SECStatus
+-MGF1(HASH_HashType hashAlg, unsigned char *mask, unsigned int maskLen,
+-     const unsigned char *mgfSeed, unsigned int mgfSeedLen)
+-{
+-    unsigned int digestLen;
+-    PRUint32 counter, rounds;
+-    unsigned char *tempHash, *temp;
+-    const SECHashObject *hash;
+-    void *hashContext;
+-    unsigned char C[4];
+-
+-    hash = HASH_GetRawHashObject(hashAlg);
+-    if (hash == NULL)
+-        return SECFailure;
+-
+-    hashContext = (*hash->create)();
+-    rounds = (maskLen + hash->length - 1) / hash->length;
+-    for (counter = 0; counter < rounds; counter++) {
+-        C[0] = (unsigned char)((counter >> 24) & 0xff);
+-        C[1] = (unsigned char)((counter >> 16) & 0xff);
+-        C[2] = (unsigned char)((counter >> 8) & 0xff);
+-        C[3] = (unsigned char)(counter & 0xff);
+-
+-        /* This could be optimized when the clone functions in
+-         * rawhash.c are implemented. */
+-        (*hash->begin)(hashContext);
+-        (*hash->update)(hashContext, mgfSeed, mgfSeedLen); 
+-        (*hash->update)(hashContext, C, sizeof C);
+-
+-        tempHash = mask + counter * hash->length;
+-        if (counter != (rounds-1)) {
+-            (*hash->end)(hashContext, tempHash, &digestLen, hash->length);
+-        } else { /* we're in the last round and need to cut the hash */
+-            temp = PORT_Alloc(hash->length);
+-            (*hash->end)(hashContext, temp, &digestLen, hash->length);
+-            PORT_Memcpy(tempHash, temp, maskLen - counter * hash->length);
+-            PORT_Free(temp);
+-        }
+-    }
+-    (*hash->destroy)(hashContext, PR_TRUE);
+-
+-    return SECSuccess;
+-}
+-
+-/*
+- * Decodes an EME-OAEP encoded block, validating the encoding in constant
+- * time.
+- * Described in RFC 3447, section 7.1.2.
+- * input contains the encoded block, after decryption.
+- * label is the optional value L that was associated with the message.
+- * On success, the original message and message length will be stored in
+- * output and outputLen.
+- */
+-static SECStatus
+-eme_oaep_decode(unsigned char *output, unsigned int *outputLen,
+-                unsigned int maxOutputLen,
+-                const unsigned char *input, unsigned int inputLen,
+-                HASH_HashType hashAlg, HASH_HashType maskHashAlg,
+-                const unsigned char *label, unsigned int labelLen)
+-{
+-    const SECHashObject *hash;
+-    void *hashContext;
+-    SECStatus rv = SECFailure;
+-    unsigned char labelHash[HASH_LENGTH_MAX];
+-    unsigned int i, maskLen, paddingOffset;
+-    unsigned char *mask = NULL, *tmpOutput = NULL;
+-    unsigned char isGood, foundPaddingEnd;
+-
+-    hash = HASH_GetRawHashObject(hashAlg);
+-
+-    /* 1.c */
+-    if (inputLen < (hash->length * 2) + 2) {
+-        PORT_SetError(SEC_ERROR_INPUT_LEN);
+-        return SECFailure;
+-    }
+-
+-    /* Step 3.a - Generate lHash */
+-    hashContext = (*hash->create)();
+-    if (hashContext == NULL) {
+-        PORT_SetError(SEC_ERROR_NO_MEMORY);
+-        return SECFailure;
+-    }
+-    (*hash->begin)(hashContext);
+-    if (labelLen > 0)
+-        (*hash->update)(hashContext, label, labelLen);
+-    (*hash->end)(hashContext, labelHash, &i, sizeof(labelHash));
+-    (*hash->destroy)(hashContext, PR_TRUE);
+-
+-    tmpOutput = (unsigned char*)PORT_Alloc(inputLen);
+-    if (tmpOutput == NULL) {
+-        PORT_SetError(SEC_ERROR_NO_MEMORY);
+-        goto done;
+-    }
+-
+-    maskLen = inputLen - hash->length - 1;
+-    mask = (unsigned char*)PORT_Alloc(maskLen);
+-    if (mask == NULL) {
+-        PORT_SetError(SEC_ERROR_NO_MEMORY);
+-        goto done;
+-    }
+-
+-    PORT_Memcpy(tmpOutput, input, inputLen);
+-
+-    /* 3.c - Generate seedMask */
+-    MGF1(maskHashAlg, mask, hash->length, &tmpOutput[1 + hash->length],
+-         inputLen - hash->length - 1);
+-    /* 3.d - Unmask seed */
+-    for (i = 0; i < hash->length; ++i)
+-        tmpOutput[1 + i] ^= mask[i];
+-
+-    /* 3.e - Generate dbMask */
+-    MGF1(maskHashAlg, mask, maskLen, &tmpOutput[1], hash->length);
+-    /* 3.f - Unmask DB */
+-    for (i = 0; i < maskLen; ++i)
+-        tmpOutput[1 + hash->length + i] ^= mask[i];
+-
+-    /* 3.g - Compare Y, lHash, and PS in constant time
+-     * Warning: This code is timing dependent and must not disclose which of
+-     * these were invalid.
+-     */
+-    paddingOffset = 0;
+-    isGood = 1;
+-    foundPaddingEnd = 0;
+-
+-    /* Compare Y */
+-    isGood &= constantTimeEQ8(0x00, tmpOutput[0]);
+-
+-    /* Compare lHash and lHash' */
+-    isGood &= constantTimeCompare(&labelHash[0],
+-                                  &tmpOutput[1 + hash->length],
+-                                  hash->length);
+-
+-    /* Compare that the padding is zero or more zero octets, followed by a
+-     * 0x01 octet */
+-    for (i = 1 + (hash->length * 2); i < inputLen; ++i) {
+-        unsigned char isZero = constantTimeEQ8(0x00, tmpOutput[i]);
+-        unsigned char isOne = constantTimeEQ8(0x01, tmpOutput[i]);
+-        /* non-constant time equivalent:
+-         * if (tmpOutput[i] == 0x01 && !foundPaddingEnd)
+-         *     paddingOffset = i;
+-         */
+-        paddingOffset = constantTimeCondition(isOne & ~foundPaddingEnd, i,
+-                                              paddingOffset);
+-        /* non-constant time equivalent:
+-         * if (tmpOutput[i] == 0x01)
+-         *    foundPaddingEnd = true;
+-         *
+-         * Note: This may yield false positives, as it will be set whenever
+-         * a 0x01 byte is encountered. If there was bad padding (eg:
+-         * 0x03 0x02 0x01), foundPaddingEnd will still be set to true, and
+-         * paddingOffset will still be set to 2.
+-         */
+-        foundPaddingEnd = constantTimeCondition(isOne, 1, foundPaddingEnd);
+-        /* non-constant time equivalent:
+-         * if (tmpOutput[i] != 0x00 && tmpOutput[i] != 0x01 &&
+-         *     !foundPaddingEnd) {
+-         *    isGood = false;
+-         * }
+-         *
+-         * Note: This may yield false positives, as a message (and padding)
+-         * that is entirely zeros will result in isGood still being true. Thus
+-         * it's necessary to check foundPaddingEnd is positive below.
+-         */
+-        isGood = constantTimeCondition(~foundPaddingEnd & ~isZero, 0, isGood);
+-    }
+-
+-    /* While both isGood and foundPaddingEnd may have false positives, they
+-     * cannot BOTH have false positives. If both are not true, then an invalid
+-     * message was received. Note, this comparison must still be done in constant
+-     * time so as not to leak either condition.
+-     */
+-    if (!(isGood & foundPaddingEnd)) {
+-        PORT_SetError(SEC_ERROR_BAD_DATA);
+-        goto done;
+-    }
+-
+-    /* End timing dependent code */
+-
+-    ++paddingOffset; /* Skip the 0x01 following the end of PS */
+-
+-    *outputLen = inputLen - paddingOffset;
+-    if (*outputLen > maxOutputLen) {
+-        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+-        goto done;
+-    }
+-
+-    if (*outputLen)
+-        PORT_Memcpy(output, &tmpOutput[paddingOffset], *outputLen);
+-    rv = SECSuccess;
+-
+-done:
+-    if (mask)
+-        PORT_ZFree(mask, maskLen);
+-    if (tmpOutput)
+-        PORT_ZFree(tmpOutput, inputLen);
+-    return rv;
+-}
+-
+-/*
+- * Generate an EME-OAEP encoded block for encryption
+- * Described in RFC 3447, section 7.1.1
+- * We use input instead of M for the message to be encrypted
+- * label is the optional value L to be associated with the message.
+- */
+-static SECStatus
+-eme_oaep_encode(unsigned char *em, unsigned int emLen,
+-                const unsigned char *input, unsigned int inputLen,
+-                HASH_HashType hashAlg, HASH_HashType maskHashAlg,
+-                const unsigned char *label, unsigned int labelLen)
+-{
+-    const SECHashObject *hash;
+-    void *hashContext;
+-    SECStatus rv;
+-    unsigned char *mask;
+-    unsigned int reservedLen, dbMaskLen, i;
+-
+-    hash = HASH_GetRawHashObject(hashAlg);
+-
+-    /* Step 1.b */
+-    reservedLen = (2 * hash->length) + 2;
+-    if (emLen < reservedLen || inputLen > (emLen - reservedLen)) {
+-        PORT_SetError(SEC_ERROR_INPUT_LEN);
+-        return SECFailure;
+-    }
+-
+-    /*
+-     * From RFC 3447, Section 7.1
+-     *                      +----------+---------+-------+
+-     *                 DB = |  lHash   |    PS   |   M   |
+-     *                      +----------+---------+-------+
+-     *                                     |
+-     *           +----------+              V
+-     *           |   seed   |--> MGF ---> xor
+-     *           +----------+              |
+-     *                 |                   |
+-     *        +--+     V                   |
+-     *        |00|    xor <----- MGF <-----|
+-     *        +--+     |                   |
+-     *          |      |                   |
+-     *          V      V                   V
+-     *        +--+----------+----------------------------+
+-     *  EM =  |00|maskedSeed|          maskedDB          |
+-     *        +--+----------+----------------------------+
+-     *
+-     * We use mask to hold the result of the MGF functions, and all other
+-     * values are generated in their final resting place.
+-     */
+-    *em = 0x00;
+-
+-    /* Step 2.a - Generate lHash */
+-    hashContext = (*hash->create)();
+-    if (hashContext == NULL) {
+-        PORT_SetError(SEC_ERROR_NO_MEMORY);
+-        return SECFailure;
+-    }
+-    (*hash->begin)(hashContext);
+-    if (labelLen > 0)
+-        (*hash->update)(hashContext, label, labelLen);
+-    (*hash->end)(hashContext, &em[1 + hash->length], &i, hash->length);
+-    (*hash->destroy)(hashContext, PR_TRUE);
+-
+-    /* Step 2.b - Generate PS */
+-    if (emLen - reservedLen - inputLen > 0) {
+-        PORT_Memset(em + 1 + (hash->length * 2), 0x00,
+-                    emLen - reservedLen - inputLen);
+-    }
+-
+-    /* Step 2.c. - Generate DB
+-     * DB = lHash || PS || 0x01 || M
+-     * Note that PS and lHash have already been placed into em at their
+-     * appropriate offsets. This just copies M into place
+-     */
+-    em[emLen - inputLen - 1] = 0x01;
+-    if (inputLen)
+-        PORT_Memcpy(em + emLen - inputLen, input, inputLen);
+-
+-    /* Step 2.d - Generate seed */
+-    rv = RNG_GenerateGlobalRandomBytes(em + 1, hash->length);
+-    if (rv != SECSuccess) {
+-        return rv;
+-    }
+-
+-    /* Step 2.e - Generate dbMask*/
+-    dbMaskLen = emLen - hash->length - 1;
+-    mask = (unsigned char*)PORT_Alloc(dbMaskLen);
+-    if (mask == NULL) {
+-        PORT_SetError(SEC_ERROR_NO_MEMORY);
+-        return SECFailure;
+-    }
+-    MGF1(maskHashAlg, mask, dbMaskLen, em + 1, hash->length);
+-    /* Step 2.f - Compute maskedDB*/
+-    for (i = 0; i < dbMaskLen; ++i)
+-        em[1 + hash->length + i] ^= mask[i];
+-
+-    /* Step 2.g - Generate seedMask */
+-    MGF1(maskHashAlg, mask, hash->length, &em[1 + hash->length], dbMaskLen);
+-    /* Step 2.h - Compute maskedSeed */
+-    for (i = 0; i < hash->length; ++i)
+-        em[1 + i] ^= mask[i];
+-
+-    PORT_ZFree(mask, dbMaskLen);
+-    return SECSuccess;
+-}
+-
+-/*
+- * Encode a RSA-PSS signature.
+- * Described in RFC 3447, section 9.1.1.
+- * We use mHash instead of M as input.
+- * emBits from the RFC is just modBits - 1, see section 8.1.1.
+- * We only support MGF1 as the MGF.
+- *
+- * NOTE: this code assumes modBits is a multiple of 8.
+- */
+-static SECStatus
+-emsa_pss_encode(unsigned char *em, unsigned int emLen,
+-                const unsigned char *mHash, HASH_HashType hashAlg,
+-                HASH_HashType maskHashAlg, unsigned int sLen)
+-{
+-    const SECHashObject *hash;
+-    void *hash_context;
+-    unsigned char *dbMask;
+-    unsigned int dbMaskLen, i;
+-    SECStatus rv;
+-
+-    hash = HASH_GetRawHashObject(hashAlg);
+-    dbMaskLen = emLen - hash->length - 1;
+-
+-    /* Step 3 */
+-    if (emLen < hash->length + sLen + 2) {
+-	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+-	return SECFailure;
+-    }
+-
+-    /* Step 4 */
+-    rv = RNG_GenerateGlobalRandomBytes(&em[dbMaskLen - sLen], sLen);
+-    if (rv != SECSuccess) {
+-	return rv;
+-    }
+-
+-    /* Step 5 + 6 */
+-    /* Compute H and store it at its final location &em[dbMaskLen]. */
+-    hash_context = (*hash->create)();
+-    if (hash_context == NULL) {
+-	PORT_SetError(SEC_ERROR_NO_MEMORY);
+-	return SECFailure;
+-    }
+-    (*hash->begin)(hash_context);
+-    (*hash->update)(hash_context, eightZeros, 8);
+-    (*hash->update)(hash_context, mHash, hash->length);
+-    (*hash->update)(hash_context, &em[dbMaskLen - sLen], sLen);
+-    (*hash->end)(hash_context, &em[dbMaskLen], &i, hash->length);
+-    (*hash->destroy)(hash_context, PR_TRUE);
+-
+-    /* Step 7 + 8 */
+-    PORT_Memset(em, 0, dbMaskLen - sLen - 1);
+-    em[dbMaskLen - sLen - 1] = 0x01;
+-
+-    /* Step 9 */
+-    dbMask = (unsigned char *)PORT_Alloc(dbMaskLen);
+-    if (dbMask == NULL) {
+-	PORT_SetError(SEC_ERROR_NO_MEMORY);
+-	return SECFailure;
+-    }
+-    MGF1(maskHashAlg, dbMask, dbMaskLen, &em[dbMaskLen], hash->length);
+-
+-    /* Step 10 */
+-    for (i = 0; i < dbMaskLen; i++)
+-	em[i] ^= dbMask[i];
+-    PORT_Free(dbMask);
+-
+-    /* Step 11 */
+-    em[0] &= 0x7f;
+-
+-    /* Step 12 */
+-    em[emLen - 1] = 0xbc;
+-
+-    return SECSuccess;
+-}
+-
+-/*
+- * Verify a RSA-PSS signature.
+- * Described in RFC 3447, section 9.1.2.
+- * We use mHash instead of M as input.
+- * emBits from the RFC is just modBits - 1, see section 8.1.2.
+- * We only support MGF1 as the MGF.
+- *
+- * NOTE: this code assumes modBits is a multiple of 8.
+- */
+-static SECStatus
+-emsa_pss_verify(const unsigned char *mHash,
+-                const unsigned char *em, unsigned int emLen,
+-                HASH_HashType hashAlg, HASH_HashType maskHashAlg,
+-                unsigned int sLen)
+-{
+-    const SECHashObject *hash;
+-    void *hash_context;
+-    unsigned char *db;
+-    unsigned char *H_;  /* H' from the RFC */
+-    unsigned int i, dbMaskLen;
+-    SECStatus rv;
+-
+-    hash = HASH_GetRawHashObject(hashAlg);
+-    dbMaskLen = emLen - hash->length - 1;
+-
+-    /* Step 3 + 4 + 6 */
+-    if ((emLen < (hash->length + sLen + 2)) ||
+-	(em[emLen - 1] != 0xbc) ||
+-	((em[0] & 0x80) != 0)) {
+-	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+-	return SECFailure;
+-    }
+-
+-    /* Step 7 */
+-    db = (unsigned char *)PORT_Alloc(dbMaskLen);
+-    if (db == NULL) {
+-	PORT_SetError(SEC_ERROR_NO_MEMORY);
+-	return SECFailure;
+-    }
+-    /* &em[dbMaskLen] points to H, used as mgfSeed */
+-    MGF1(maskHashAlg, db, dbMaskLen, &em[dbMaskLen], hash->length);
+-
+-    /* Step 8 */
+-    for (i = 0; i < dbMaskLen; i++) {
+-	db[i] ^= em[i];
+-    }
+-
+-    /* Step 9 */
+-    db[0] &= 0x7f;
+-
+-    /* Step 10 */
+-    for (i = 0; i < (dbMaskLen - sLen - 1); i++) {
+-	if (db[i] != 0) {
+-	    PORT_Free(db);
+-	    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+-	    return SECFailure;
+-	}
+-    }
+-    if (db[dbMaskLen - sLen - 1] != 0x01) {
+-	PORT_Free(db);
+-	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+-	return SECFailure;
+-    }
+-
+-    /* Step 12 + 13 */
+-    H_ = (unsigned char *)PORT_Alloc(hash->length);
+-    if (H_ == NULL) {
+-	PORT_Free(db);
+-	PORT_SetError(SEC_ERROR_NO_MEMORY);
+-	return SECFailure;
+-    }
+-    hash_context = (*hash->create)();
+-    if (hash_context == NULL) {
+-	PORT_Free(db);
+-	PORT_Free(H_);
+-	PORT_SetError(SEC_ERROR_NO_MEMORY);
+-	return SECFailure;
+-    }
+-    (*hash->begin)(hash_context);
+-    (*hash->update)(hash_context, eightZeros, 8);
+-    (*hash->update)(hash_context, mHash, hash->length);
+-    (*hash->update)(hash_context, &db[dbMaskLen - sLen], sLen);
+-    (*hash->end)(hash_context, H_, &i, hash->length);
+-    (*hash->destroy)(hash_context, PR_TRUE);
+-
+-    PORT_Free(db);
+-
+-    /* Step 14 */
+-    if (PORT_Memcmp(H_, &em[dbMaskLen], hash->length) != 0) {
+-	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+-	rv = SECFailure;
+-    } else {
+-	rv = SECSuccess;
+-    }
+-
+-    PORT_Free(H_);
+-    return rv;
+-}
+-
+-static HASH_HashType
+-GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech)
+-{
+-    switch (mech) {
+-        case CKM_SHA_1:
+-        case CKG_MGF1_SHA1:
+-	    return HASH_AlgSHA1;
+-        case CKM_SHA224:
+-        case CKG_MGF1_SHA224:
+-	    return HASH_AlgSHA224;
+-        case CKM_SHA256:
+-        case CKG_MGF1_SHA256:
+-	    return HASH_AlgSHA256;
+-        case CKM_SHA384:
+-        case CKG_MGF1_SHA384:
+-	    return HASH_AlgSHA384;
+-        case CKM_SHA512:
+-        case CKG_MGF1_SHA512:
+-	    return HASH_AlgSHA512;
+-        default:
+-	    return HASH_AlgNULL;
+-    }
+-}
+-
+-/* MGF1 is the only supported MGF. */
+-SECStatus
+-RSA_CheckSignPSS(CK_RSA_PKCS_PSS_PARAMS *pss_params,
+-		 NSSLOWKEYPublicKey *key,
+-		 const unsigned char *sign, unsigned int sign_len,
+-		 const unsigned char *hash, unsigned int hash_len)
+-{
+-    HASH_HashType hashAlg;
+-    HASH_HashType maskHashAlg;
+-    SECStatus rv;
+-    unsigned int modulus_len = nsslowkey_PublicModulusLen(key);
+-    unsigned char *buffer;
+-
+-    if (sign_len != modulus_len) {
+-	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+-	return SECFailure;
+-    }
+-
+-    hashAlg = GetHashTypeFromMechanism(pss_params->hashAlg);
+-    maskHashAlg = GetHashTypeFromMechanism(pss_params->mgf);
+-    if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
+-	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+-	return SECFailure;
+-    }
+-
+-    buffer = (unsigned char *)PORT_Alloc(modulus_len);
+-    if (!buffer) {
+-	PORT_SetError(SEC_ERROR_NO_MEMORY);
+-	return SECFailure;
+-    }
+-
+-    rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
+-    if (rv != SECSuccess) {
+-	PORT_Free(buffer);
+-	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+-	return SECFailure;
+-    }
+-
+-    rv = emsa_pss_verify(hash, buffer, modulus_len, hashAlg,
+-			 maskHashAlg, pss_params->sLen);
+-    PORT_Free(buffer);
+-
+-    return rv;
+-}
+-
+-/* MGF1 is the only supported MGF. */
+-SECStatus
+-RSA_SignPSS(CK_RSA_PKCS_PSS_PARAMS *pss_params, NSSLOWKEYPrivateKey *key,
+-	    unsigned char *output, unsigned int *output_len,
+-	    unsigned int max_output_len,
+-	    const unsigned char *input, unsigned int input_len)
+-{
+-    SECStatus rv = SECSuccess;
+-    unsigned int modulus_len = nsslowkey_PrivateModulusLen(key);
+-    unsigned char *pss_encoded = NULL;
+-    HASH_HashType hashAlg;
+-    HASH_HashType maskHashAlg;
+-
+-    if (max_output_len < modulus_len) {
+-	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+-	return SECFailure;
+-    }
+-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+-    if (key->keyType != NSSLOWKEYRSAKey) {
+-	PORT_SetError(SEC_ERROR_INVALID_KEY);
+-	return SECFailure;
+-    }
+-
+-    hashAlg = GetHashTypeFromMechanism(pss_params->hashAlg);
+-    maskHashAlg = GetHashTypeFromMechanism(pss_params->mgf);
+-    if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
+-	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+-	return SECFailure;
+-    }
+-
+-    pss_encoded = (unsigned char *)PORT_Alloc(modulus_len);
+-    if (pss_encoded == NULL) {
+-	PORT_SetError(SEC_ERROR_NO_MEMORY);
+-	return SECFailure;
+-    }
+-    rv = emsa_pss_encode(pss_encoded, modulus_len, input, hashAlg,
+-			 maskHashAlg, pss_params->sLen);
+-    if (rv != SECSuccess) 
+-	goto done;
+-
+-    rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, pss_encoded);
+-    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+-	sftk_fatalError = PR_TRUE;
+-    }
+-    *output_len = modulus_len;
+-
+-done:
+-    PORT_Free(pss_encoded);
+-    return rv;
+-}
+-
+-/* MGF1 is the only supported MGF. */
+-SECStatus
+-RSA_EncryptOAEP(CK_RSA_PKCS_OAEP_PARAMS *oaepParams,
+-                NSSLOWKEYPublicKey *key,
+-                unsigned char *output, unsigned int *outputLen,
+-                unsigned int maxOutputLen,
+-                const unsigned char *input, unsigned int inputLen)
+-{
+-    SECStatus rv = SECFailure;
+-    unsigned int modulusLen = nsslowkey_PublicModulusLen(key);
+-    unsigned char *oaepEncoded = NULL;
+-    unsigned char *sourceData = NULL;
+-    unsigned int sourceDataLen = 0;
+-
+-    HASH_HashType hashAlg;
+-    HASH_HashType maskHashAlg;
+-
+-    if (maxOutputLen < modulusLen) {
+-        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+-        return SECFailure;
+-    }
+-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+-    if (key->keyType != NSSLOWKEYRSAKey) {
+-        PORT_SetError(SEC_ERROR_INVALID_KEY);
+-        return SECFailure;
+-    }
+-
+-    hashAlg = GetHashTypeFromMechanism(oaepParams->hashAlg);
+-    maskHashAlg = GetHashTypeFromMechanism(oaepParams->mgf);
+-    if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
+-        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+-        return SECFailure;
+-    }
+-
+-    /* The PKCS#11 source parameter is the "source" of the label parameter.
+-     * The only defined source is explicitly specified, in which case, the
+-     * label is an optional byte string in pSourceData. If ulSourceDataLen is
+-     * zero, then pSourceData MUST be NULL - otherwise, it must be non-NULL.
+-     */
+-    if (oaepParams->source != CKZ_DATA_SPECIFIED) {
+-        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+-        return SECFailure;
+-    }
+-    sourceData = (unsigned char*)oaepParams->pSourceData;
+-    sourceDataLen = oaepParams->ulSourceDataLen;
+-    if ((sourceDataLen == 0 && sourceData != NULL) ||
+-        (sourceDataLen > 0 && sourceData == NULL)) {
+-        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+-        return SECFailure;
+-    }
+-
+-    oaepEncoded = (unsigned char *)PORT_Alloc(modulusLen);
+-    if (oaepEncoded == NULL) {
+-        PORT_SetError(SEC_ERROR_NO_MEMORY);
+-        return SECFailure;
+-    }
+-    rv = eme_oaep_encode(oaepEncoded, modulusLen, input, inputLen,
+-                         hashAlg, maskHashAlg, sourceData, sourceDataLen);
+-    if (rv != SECSuccess)
+-        goto done;
+-
+-    rv = RSA_PublicKeyOp(&key->u.rsa, output, oaepEncoded);
+-    if (rv != SECSuccess)
+-        goto done;
+-    *outputLen = modulusLen;
+-
+-done:
+-    PORT_Free(oaepEncoded);
+-    return rv;
+-}
+-
+-/* MGF1 is the only supported MGF. */
+-SECStatus
+-RSA_DecryptOAEP(CK_RSA_PKCS_OAEP_PARAMS *oaepParams,
+-                NSSLOWKEYPrivateKey *key,
+-                unsigned char *output, unsigned int *outputLen,
+-                unsigned int maxOutputLen,
+-                const unsigned char *input, unsigned int inputLen)
+-{
+-    SECStatus rv = SECFailure;
+-    unsigned int modulusLen = nsslowkey_PrivateModulusLen(key);
+-    unsigned char *oaepEncoded = NULL;
+-    unsigned char *sourceData = NULL;
+-    unsigned int sourceDataLen = 0;
+-
+-    HASH_HashType hashAlg = GetHashTypeFromMechanism(oaepParams->hashAlg);
+-    HASH_HashType maskHashAlg = GetHashTypeFromMechanism(oaepParams->mgf);
+-
+-    if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
+-        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+-        return SECFailure;
+-    }
+-
+-    if (inputLen != modulusLen) {
+-        PORT_SetError(SEC_ERROR_INPUT_LEN);
+-        return SECFailure;
+-    }
+-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+-    if (key->keyType != NSSLOWKEYRSAKey) {
+-        PORT_SetError(SEC_ERROR_INVALID_KEY);
+-        return SECFailure;
+-    }
+-
+-    /* The PKCS#11 source parameter is the "source" of the label parameter.
+-     * The only defined source is explicitly specified, in which case, the
+-     * label is an optional byte string in pSourceData. If ulSourceDataLen is
+-     * zero, then pSourceData MUST be NULL - otherwise, it must be non-NULL.
+-     */
+-    if (oaepParams->source != CKZ_DATA_SPECIFIED) {
+-        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+-        return SECFailure;
+-    }
+-    sourceData = (unsigned char*)oaepParams->pSourceData;
+-    sourceDataLen = oaepParams->ulSourceDataLen;
+-    if ((sourceDataLen == 0 && sourceData != NULL) ||
+-        (sourceDataLen > 0 && sourceData == NULL)) {
+-        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+-        return SECFailure;
+-    }
+-
+-    oaepEncoded = (unsigned char *)PORT_Alloc(modulusLen);
+-    if (oaepEncoded == NULL) {
+-        PORT_SetError(SEC_ERROR_NO_MEMORY);
+-        return SECFailure;
+-    }
+-
+-    rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, oaepEncoded, input);
+-    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+-        sftk_fatalError = PR_TRUE;
+-        goto done;
+-    }
+-
+-    rv = eme_oaep_decode(output, outputLen, maxOutputLen, oaepEncoded,
+-                         modulusLen, hashAlg, maskHashAlg, sourceData,
+-                         sourceDataLen);
+-
+-done:
+-    if (oaepEncoded)
+-        PORT_ZFree(oaepEncoded, modulusLen);
+-    return rv;
+-}
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/softoken/softkver.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/softoken/softkver.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/softoken/softkver.h	2014-02-10 01:12:14.137908477 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/softoken/softkver.h	2014-02-10 01:13:33.087518695 +0400
+@@ -25,11 +25,11 @@
+  * The format of the version string should be
+  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
+  */
+-#define SOFTOKEN_VERSION  "3.15.3.1" SOFTOKEN_ECC_STRING
++#define SOFTOKEN_VERSION  "3.15.4" SOFTOKEN_ECC_STRING
+ #define SOFTOKEN_VMAJOR   3
+ #define SOFTOKEN_VMINOR   15
+-#define SOFTOKEN_VPATCH   3
+-#define SOFTOKEN_VBUILD   1
++#define SOFTOKEN_VPATCH   4
++#define SOFTOKEN_VBUILD   0
+ #define SOFTOKEN_BETA     PR_FALSE
+ 
+ #endif /* _SOFTKVER_H_ */
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/softoken/softoken.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/softoken/softoken.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/softoken/softoken.h	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/softoken/softoken.h	2014-02-10 01:13:33.088518678 +0400
+@@ -18,121 +18,23 @@
+ SEC_BEGIN_PROTOS
+ 
+ /*
+-** RSA encryption/decryption. When encrypting/decrypting the output
+-** buffer must be at least the size of the public key modulus.
+-*/
+-
+-/*
+-** Format some data into a PKCS#1 encryption block, preparing the
+-** data for RSA encryption.
+-**	"result" where the formatted block is stored (memory is allocated)
+-**	"modulusLen" the size of the formatted block
+-**	"blockType" what block type to use (SEC_RSABlock*)
+-**	"data" the data to format
+-*/
+-extern SECStatus RSA_FormatBlock(SECItem *result,
+-				 unsigned int modulusLen,
+-				 RSA_BlockType blockType,
+-				 SECItem *data);
+-/*
+-** Similar, but just returns a pointer to the allocated memory, *and*
+-** will *only* format one block, even if we (in the future) modify
+-** RSA_FormatBlock() to loop over multiples of modulusLen.
+-*/
+-extern unsigned char *RSA_FormatOneBlock(unsigned int modulusLen,
+-					 RSA_BlockType blockType,
+-					 SECItem *data);
+-
+-
+-
+-/*
+- * convenience wrappers for doing single RSA operations. They create the
+- * RSA context internally and take care of the formatting
+- * requirements. Blinding happens automagically within RSA_Sign and
+- * RSA_DecryptBlock.
++ * Convenience wrapper for doing a single PKCS#1 v1.5 RSA operations where the
++ * encoded digest info is computed internally, rather than by the caller.
++ *
++ * The HashSign variants expect as input the value of H, the computed hash
++ * from RFC 3447, Section 9.2, Step 1, and will compute the DER-encoded
++ * DigestInfo structure internally prior to signing/verifying.
+  */
+-extern
+-SECStatus RSA_Sign(NSSLOWKEYPrivateKey *key, unsigned char *output,
+-		       unsigned int *outputLen, unsigned int maxOutputLen,
+-		       unsigned char *input, unsigned int inputLen);
+-extern
+-SECStatus RSA_HashSign(SECOidTag hashOid,
+-			NSSLOWKEYPrivateKey *key, unsigned char *sig,
+-			unsigned int *sigLen, unsigned int maxLen,
+-			unsigned char *hash, unsigned int hashLen);
+-extern
+-SECStatus RSA_SignPSS(CK_RSA_PKCS_PSS_PARAMS *pss_params,
+-		      NSSLOWKEYPrivateKey *key, 
+-		      unsigned char *output, unsigned int *output_len, 
+-		      unsigned int max_output_len, const unsigned char *input,
+-		      unsigned int input_len);
+-extern
+-SECStatus RSA_CheckSign(NSSLOWKEYPublicKey *key, unsigned char *sign,
+-			    unsigned int signLength, unsigned char *hash,
+-			    unsigned int hashLength);
+-extern
+-SECStatus RSA_HashCheckSign(SECOidTag hashOid,
+-			    NSSLOWKEYPublicKey *key, unsigned char *sig,
+-			    unsigned int sigLen, unsigned char *digest,
+-			    unsigned int digestLen);
+-extern
+-SECStatus RSA_CheckSignPSS(CK_RSA_PKCS_PSS_PARAMS *pss_params,
+-			   NSSLOWKEYPublicKey *key,
+-			   const unsigned char *sign, unsigned int sign_len,
+-			   const unsigned char *hash, unsigned int hash_len);
+-extern
+-SECStatus RSA_CheckSignRecover(NSSLOWKEYPublicKey *key, unsigned char *data,
+-    			    unsigned int *data_len,unsigned int max_output_len, 
+-			    unsigned char *sign, unsigned int sign_len);
+-extern
+-SECStatus RSA_EncryptBlock(NSSLOWKEYPublicKey *key, unsigned char *output,
+-			   unsigned int *outputLen, unsigned int maxOutputLen,
+-			   unsigned char *input, unsigned int inputLen);
+-extern
+-SECStatus RSA_DecryptBlock(NSSLOWKEYPrivateKey *key, unsigned char *output,
+-			   unsigned int *outputLen, unsigned int maxOutputLen,
+-			   unsigned char *input, unsigned int inputLen);
+-
+-extern
+-SECStatus RSA_EncryptOAEP(CK_RSA_PKCS_OAEP_PARAMS *oaepParams,
+-                          NSSLOWKEYPublicKey *key,
+-                          unsigned char *output, unsigned int *outputLen,
+-                          unsigned int maxOutputLen,
+-                          const unsigned char *input, unsigned int inputLen);
+-
+-extern
+-SECStatus RSA_DecryptOAEP(CK_RSA_PKCS_OAEP_PARAMS *oaepParams,
+-                          NSSLOWKEYPrivateKey *key,
+-                          unsigned char *output, unsigned int *outputLen,
+-                          unsigned int maxOutputLen,
+-                          const unsigned char *input, unsigned int inputLen);
++extern SECStatus
++RSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key,
++             unsigned char *sig, unsigned int *sigLen, unsigned int maxLen,
++             const unsigned char *hash, unsigned int hashLen);
++
++extern SECStatus
++RSA_HashCheckSign(SECOidTag hashOid, NSSLOWKEYPublicKey *key,
++                  const unsigned char *sig, unsigned int sigLen,
++                  const unsigned char *hash, unsigned int hashLen);
+ 
+-/*
+- * added to make pkcs #11 happy
+- *   RAW is RSA_X_509
+- */
+-extern
+-SECStatus RSA_SignRaw( NSSLOWKEYPrivateKey *key, unsigned char *output,
+-			 unsigned int *output_len, unsigned int maxOutputLen,
+-			 unsigned char *input, unsigned int input_len);
+-extern
+-SECStatus RSA_CheckSignRaw( NSSLOWKEYPublicKey *key, unsigned char *sign, 
+-			    unsigned int sign_len, unsigned char *hash, 
+-			    unsigned int hash_len);
+-extern
+-SECStatus RSA_CheckSignRecoverRaw( NSSLOWKEYPublicKey *key, unsigned char *data,
+-			    unsigned int *data_len, unsigned int max_output_len,
+-			    unsigned char *sign, unsigned int sign_len);
+-extern
+-SECStatus RSA_EncryptRaw( NSSLOWKEYPublicKey *key, unsigned char *output,
+-			    unsigned int *output_len,
+-			    unsigned int max_output_len, 
+-			    unsigned char *input, unsigned int input_len);
+-extern
+-SECStatus RSA_DecryptRaw(NSSLOWKEYPrivateKey *key, unsigned char *output,
+-			     unsigned int *output_len,
+-    			     unsigned int max_output_len,
+-			     unsigned char *input, unsigned int input_len);
+ #ifdef NSS_ENABLE_ECC
+ /*
+ ** pepare an ECParam structure from DEREncoded params
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/softoken/softoknt.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/softoken/softoknt.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/softoken/softoknt.h	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/softoken/softoknt.h	2014-02-10 01:13:33.088518678 +0400
+@@ -8,21 +8,6 @@
+ #ifndef _SOFTOKNT_H_
+ #define _SOFTOKNT_H_
+ 
+-/*
+- * RSA block types
+- *
+- * The actual values are important -- they are fixed, *not* arbitrary.
+- * The explicit value assignments are not needed (because C would give
+- * us those same values anyway) but are included as a reminder...
+- */
+-typedef enum {
+-    RSA_BlockPrivate0 = 0,	/* unused, really */
+-    RSA_BlockPrivate = 1,	/* pad for a private-key operation */
+-    RSA_BlockPublic = 2,	/* pad for a public-key operation */
+-    RSA_BlockRaw = 4,		/* simply justify the block appropriately */
+-    RSA_BlockTotal
+-} RSA_BlockType;
+-
+ #define NSS_SOFTOKEN_DEFAULT_CHUNKSIZE   2048
+ 
+ /*
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/ssl.def seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/ssl.def
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/ssl.def	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/ssl.def	2014-02-10 01:13:33.088518678 +0400
+@@ -163,3 +163,11 @@
+ ;+    local:
+ ;+*;
+ ;+};
++;+NSS_3.15.4 {    # NSS 3.15.4 release
++;+    global:
++SSL_PeerCertificateChain;
++SSL_RecommendedCanFalseStart;
++SSL_SetCanFalseStartCallback;
++;+    local:
++;+*;
++;+};
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/ssl.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/ssl.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/ssl.h	2014-02-10 01:12:09.961982501 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/ssl.h	2014-02-10 01:13:33.088518678 +0400
+@@ -121,14 +121,17 @@
+ #define SSL_ENABLE_FALSE_START         22 /* Enable SSL false start (off by */
+                                           /* default, applies only to       */
+                                           /* clients). False start is a     */
+-/* mode where an SSL client will start sending application data before      */
+-/* verifying the server's Finished message. This means that we could end up */
+-/* sending data to an imposter. However, the data will be encrypted and     */
+-/* only the true server can derive the session key. Thus, so long as the    */
+-/* cipher isn't broken this is safe. Because of this, False Start will only */
+-/* occur on RSA or DH ciphersuites where the cipher's key length is >= 80   */
+-/* bits. The advantage of False Start is that it saves a round trip for     */
+-/* client-speaks-first protocols when performing a full handshake.          */
++/* mode where an SSL client will start sending application data before
++ * verifying the server's Finished message. This means that we could end up
++ * sending data to an imposter. However, the data will be encrypted and
++ * only the true server can derive the session key. Thus, so long as the
++ * cipher isn't broken this is safe. The advantage of false start is that
++ * it saves a round trip for client-speaks-first protocols when performing a
++ * full handshake.
++ *
++ * In addition to enabling this option, the application must register a
++ * callback using the SSL_SetCanFalseStartCallback function.
++ */
+ 
+ /* For SSL 3.0 and TLS 1.0, by default we prevent chosen plaintext attacks
+  * on SSL CBC mode cipher suites (see RFC 4346 Section F.3) by splitting
+@@ -397,6 +400,15 @@
+ */
+ SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
+ 
++/*
++** Return the certificates presented by the SSL peer. If the SSL peer
++** did not present certificates, return NULL with the
++** SSL_ERROR_NO_CERTIFICATE error. On failure, return NULL with an error
++** code other than SSL_ERROR_NO_CERTIFICATE.
++**	"fd" the socket "file" descriptor
++*/
++SSL_IMPORT CERTCertList *SSL_PeerCertificateChain(PRFileDesc *fd);
++
+ /* SSL_PeerStapledOCSPResponses returns the OCSP responses that were provided
+  * by the TLS server. The return value is a pointer to an internal SECItemArray
+  * that contains the returned OCSP responses; it is only valid until the
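Review bot: The new comment on `SSL_PeerCertificateChain` does not say who owns the returned `CERTCertList`, whereas the `SSL_PeerStapledOCSPResponses` comment directly below it states that its return value is an internal pointer with a limited lifetime. A caller reading only this header cannot tell whether the list must be released, which invites either a leak or use of certificates after they are freed. I would add one line to the comment, for example `** The caller owns the returned list and must destroy it when done.`, after confirming the ownership against the implementation, which is not part of this hunk.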
+@@ -653,14 +665,45 @@
+ SSL_IMPORT SECStatus SSL_InheritMPServerSIDCache(const char * envString);
+ 
+ /*
+-** Set the callback on a particular socket that gets called when we finish
+-** performing a handshake.
++** Set the callback that gets called when a TLS handshake is complete. The
++** handshake callback is called after verifying the peer's Finished message and
++** before processing incoming application data.
++**
++** For the initial handshake: If the handshake false started (see
++** SSL_ENABLE_FALSE_START), then application data may already have been sent
++** before the handshake callback is called. If we did not false start then the
++** callback will get called before any application data is sent.
+ */
+ typedef void (PR_CALLBACK *SSLHandshakeCallback)(PRFileDesc *fd,
+                                                  void *client_data);
+ SSL_IMPORT SECStatus SSL_HandshakeCallback(PRFileDesc *fd, 
+ 			          SSLHandshakeCallback cb, void *client_data);
+ 
++/* Applications that wish to enable TLS false start must set this callback
++** function. NSS will invoke the functon to determine if a particular
++** connection should use false start or not. SECSuccess indicates that the
++** callback completed successfully, and if so *canFalseStart indicates if false
++** start can be used. If the callback does not return SECSuccess then the
++** handshake will be canceled. NSS's recommended criteria can be evaluated by
++** calling SSL_RecommendedCanFalseStart.
++**
++** If no false start callback is registered then false start will never be
++** done, even if the SSL_ENABLE_FALSE_START option is enabled.
++**/
++typedef SECStatus (PR_CALLBACK *SSLCanFalseStartCallback)(
++    PRFileDesc *fd, void *arg, PRBool *canFalseStart);
++
++SSL_IMPORT SECStatus SSL_SetCanFalseStartCallback(
++    PRFileDesc *fd, SSLCanFalseStartCallback callback, void *arg);
++
++/* This function sets *canFalseStart according to the recommended criteria for
++** false start. These criteria may change from release to release and may depend
++** on which handshake features have been negotiated and/or properties of the
++** certifciates/keys used on the connection.
++*/
++SSL_IMPORT SECStatus SSL_RecommendedCanFalseStart(PRFileDesc *fd,
++                                                  PRBool *canFalseStart);
++
+ /*
+ ** For the server, request a new handshake.  For the client, begin a new
+ ** handshake.  If flushCache is non-zero, the SSL3 cache entry will be 
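Review bot: The comments added for `SSLCanFalseStartCallback` and `SSL_RecommendedCanFalseStart` do not say what `*canFalseStart` holds when the function returns something other than SECSuccess, and they contain two typos (`functon`, `certifciates`). Because a failing callback cancels the handshake, callback authors need to know whether the out-parameter must still be written on the error path. I would add `** *canFalseStart is read only when the callback returns SECSuccess.` if that matches the implementation (not visible here), and correct the spellings to `function` and `certificates`.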
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/ssl3con.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/ssl3con.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/ssl3con.c	2014-02-10 01:12:11.054963124 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/ssl3con.c	2014-02-10 01:13:33.090518643 +0400
+@@ -82,84 +82,86 @@
+  * precedence (desirability).  It only includes cipher suites we implement.
+  * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
+  * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
++ *
++ * Important: See bug 946147 before enabling, reordering, or adding any cipher
++ * suites to this list.
+  */
+ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
+    /*      cipher_suite                     policy       enabled   isPresent */
++
+ #ifdef NSS_ENABLE_ECC
+  { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-#endif /* NSS_ENABLE_ECC */
+- { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_RSA_WITH_AES_128_GCM_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+-
+-#ifdef NSS_ENABLE_ECC
++   /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
++    * bug 946147.
++    */
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-#endif /* NSS_ENABLE_ECC */
+- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+-#ifdef NSS_ENABLE_ECC
+- { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-#endif /* NSS_ENABLE_ECC */
+- { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_RSA_WITH_AES_256_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_RSA_WITH_AES_256_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+-
+-#ifdef NSS_ENABLE_ECC
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ #endif /* NSS_ENABLE_ECC */
+- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++
++ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_RC4_128_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
++
+ #ifdef NSS_ENABLE_ECC
+- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_RSA_WITH_RC4_128_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,         SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_RSA_WITH_RC4_128_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ #endif /* NSS_ENABLE_ECC */
+- { TLS_RSA_WITH_SEED_CBC_SHA,               SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
++
++ /* RSA */
++ { TLS_RSA_WITH_AES_128_GCM_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_AES_128_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_AES_128_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { SSL_RSA_WITH_RC4_128_SHA,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { SSL_RSA_WITH_RC4_128_MD5,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+-
+-#ifdef NSS_ENABLE_ECC
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-#endif /* NSS_ENABLE_ECC */
+- { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+-#ifdef NSS_ENABLE_ECC
+- { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-#endif /* NSS_ENABLE_ECC */
++ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_RSA_WITH_AES_256_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_RSA_WITH_AES_256_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_RSA_WITH_SEED_CBC_SHA,               SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { SSL_RSA_WITH_3DES_EDE_CBC_SHA,           SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { SSL_RSA_WITH_RC4_128_SHA,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { SSL_RSA_WITH_RC4_128_MD5,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ 
+-
++ /* 56-bit DES "domestic" cipher suites */
+  { SSL_DHE_RSA_WITH_DES_CBC_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { SSL_DHE_DSS_WITH_DES_CBC_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { SSL_RSA_FIPS_WITH_DES_CBC_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { SSL_RSA_WITH_DES_CBC_SHA,                SSL_ALLOWED, PR_FALSE, PR_FALSE},
++
++ /* export ciphersuites with 1024-bit public key exchange keys */
+  { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ 
++ /* export ciphersuites with 512-bit public key exchange keys */
+  { SSL_RSA_EXPORT_WITH_RC4_40_MD5,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ 
++ /* ciphersuites with no encryption */
+ #ifdef NSS_ENABLE_ECC
+  { TLS_ECDHE_ECDSA_WITH_NULL_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_NULL_SHA,             SSL_ALLOWED, PR_FALSE, PR_FALSE},
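Review bot: The two comments that point at bug 946147 (in the table header and above `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`) say that an ordering constraint exists but not what it is. This table sets which suites are offered and in what preference order, so a later edit made without the bug tracker at hand could silently undo the workaround. I would state the rule in the header comment itself, in one sentence of the form `* Constraint (bug 946147): <which suite must appear where, and why>.`, so it can be checked from the source alone. The initializer continues past the end of this hunk.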
+@@ -171,6 +173,24 @@
+  { SSL_RSA_WITH_NULL_MD5,                   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ };
+ 
++/* Verify that SSL_ImplementedCiphers and cipherSuites are in consistent order.
++ */
++#ifdef DEBUG
++void ssl3_CheckCipherSuiteOrderConsistency()
++{
++    unsigned int i;
++
++    /* Note that SSL_ImplementedCiphers has more elements than cipherSuites
++     * because it SSL_ImplementedCiphers includes SSL 2.0 cipher suites.
++     */
++    PORT_Assert(SSL_NumImplementedCiphers >= PR_ARRAY_SIZE(cipherSuites));
++
++    for (i = 0; i < PR_ARRAY_SIZE(cipherSuites); ++i) {
++        PORT_Assert(SSL_ImplementedCiphers[i] == cipherSuites[i].cipher_suite);
++    }
++}
++#endif
++
+ /* This list of SSL3 compression methods is sorted in descending order of
+  * precedence (desirability).  It only includes compression methods we
+  * implement.
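Review bot: `void ssl3_CheckCipherSuiteOrderConsistency()` is declared with empty parentheses, which in C leaves the parameter list unspecified; `void ssl3_CheckCipherSuiteOrderConsistency(void)` lets the compiler reject a call that passes arguments. The check is compiled only under `DEBUG` and relies on `PORT_Assert`, so a mismatch between `SSL_ImplementedCiphers` and `cipherSuites` is caught only when a debug build calls it. The leading comment should say so, e.g. `/* Debug builds only; release builds do not verify the order. */`. The comment inside the function reads `because it SSL_ImplementedCiphers includes`, where the stray `it` should be dropped.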
+@@ -865,16 +885,10 @@
+ static SECStatus
+ ssl3_GetNewRandom(SSL3Random *random)
+ {
+-    PRUint32 gmt = ssl_Time();
+     SECStatus rv;
+ 
+-    random->rand[0] = (unsigned char)(gmt >> 24);
+-    random->rand[1] = (unsigned char)(gmt >> 16);
+-    random->rand[2] = (unsigned char)(gmt >>  8);
+-    random->rand[3] = (unsigned char)(gmt);
+-
+     /* first 4 bytes are reserverd for time */
+-    rv = PK11_GenerateRandom(&random->rand[4], SSL3_RANDOM_LENGTH - 4);
++    rv = PK11_GenerateRandom(random->rand, SSL3_RANDOM_LENGTH);
+     if (rv != SECSuccess) {
+ 	ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
+     }
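Review bot: The context comment `/* first 4 bytes are reserverd for time */` is left directly above the new `PK11_GenerateRandom(random->rand, SSL3_RANDOM_LENGTH)` call, but after this change no byte of the hello random is taken from the clock. The stale comment now contradicts the code, and could lead a maintainer to reintroduce the timestamp or assume a peer can read the time from these bytes. I would replace it with `/* All SSL3_RANDOM_LENGTH bytes come from the RNG; no timestamp is embedded. */`. The function body continues after the end of this hunk.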
+@@ -1012,7 +1026,7 @@
+ 	}
+ 	/* Allow DER encoded DSA signatures in SSL 3.0 */
+ 	if (isTLS || buf->len != SECKEY_SignatureLen(key)) {
+-	    signature = DSAU_DecodeDerSig(buf);
++	    signature = DSAU_DecodeDerSigToLen(buf, SECKEY_SignatureLen(key));
+ 	    if (!signature) {
+ 	    	PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+ 		return SECFailure;
+@@ -1597,7 +1611,7 @@
+ 
+     calg = cipher_def->calg;
+ 
+-    if (calg == calg_aes_gcm) {
++    if (calg == ssl_calg_aes_gcm) {
+ 	pwSpec->encode = NULL;
+ 	pwSpec->decode = NULL;
+ 	pwSpec->destroy = NULL;
+@@ -1713,6 +1727,7 @@
+     case ssl_calg_rc2:
+     case ssl_calg_idea:
+     case ssl_calg_fortezza:
++    case ssl_calg_aes_gcm:
+         break;
+     }
+ 
+@@ -2716,7 +2731,9 @@
+  *    ClientHello.client_version and use the record layer version number
+  *    (TLSPlaintext.version) instead when negotiating protocol versions. In
+  *    addition, if the record layer version number of ClientHello is { 3, 2 }
+- *    (TLS 1.1) or higher, these servers reset the TCP connections. Set this
++ *    (TLS 1.1) or higher, these servers reset the TCP connections. Lastly,
++ *    some F5 BIG-IP servers hang if a record containing a ClientHello has a
++ *    version greater than { 3, 1 } and a length greater than 255. Set this
+  *    flag to work around such servers.
+  */
+ PRInt32
+@@ -2735,7 +2752,7 @@
+     SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
+ 		SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
+ 		nIn));
+-    PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn));
++    PRINT_BUF(50, (ss, "Send record (plain text)", pIn, nIn));
+ 
+     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+ 
+@@ -3853,6 +3870,28 @@
+ 		ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
+ 		return SECFailure;
+ 	    }
++
++	    /* Create a backup SHA-1 hash for a potential client auth
++	     * signature.
++	     *
++	     * In TLS 1.2, ssl3_ComputeHandshakeHashes always uses the
++	     * handshake hash function (SHA-256). If the server or the client
++	     * does not support SHA-256 as a signature hash, we can either
++	     * maintain a backup SHA-1 handshake hash or buffer all handshake
++	     * messages.
++	     */
++	    if (!ss->sec.isServer) {
++		ss->ssl3.hs.backupHash = PK11_CreateDigestContext(SEC_OID_SHA1);
++		if (ss->ssl3.hs.backupHash == NULL) {
++		    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
++		    return SECFailure;
++		}
++
++		if (PK11_DigestBegin(ss->ssl3.hs.backupHash) != SECSuccess) {
++		    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
++		    return SECFailure;
++		}
++	    }
+ 	} else {
+ 	    /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or
+ 	     * created successfully. */
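Review bot: `ss->ssl3.hs.backupHash` is assigned from `PK11_CreateDigestContext(SEC_OID_SHA1)` without checking that the field is empty, and the `PK11_DigestBegin` failure branch returns with the new context still stored there. If this initialisation can run again on the same socket before the field is cleared, the earlier context would be overwritten and leaked. The reset path is outside this hunk, so this may already be handled. I would make the expectation explicit with `PORT_Assert(ss->ssl3.hs.backupHash == NULL);` before the assignment, and add a comment naming the function that destroys the context on handshake failure.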
+@@ -3963,6 +4002,13 @@
+ 	    ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
+ 	    return rv;
+ 	}
++	if (ss->ssl3.hs.backupHash) {
++	    rv = PK11_DigestOp(ss->ssl3.hs.backupHash, b, l);
++	    if (rv != SECSuccess) {
++		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
++		return rv;
++	    }
++	}
+     } else {
+ 	rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
+ 	if (rv != SECSuccess) {
+@@ -4711,6 +4757,31 @@
+     return rv;
+ }
+ 
++static SECStatus
++ssl3_ComputeBackupHandshakeHashes(sslSocket * ss,
++				  SSL3Hashes * hashes) /* output goes here. */
++{
++    SECStatus rv = SECSuccess;
++
++    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
++    PORT_Assert( !ss->sec.isServer );
++    PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single );
++
++    rv = PK11_DigestFinal(ss->ssl3.hs.backupHash, hashes->u.raw, &hashes->len,
++			  sizeof(hashes->u.raw));
++    if (rv != SECSuccess) {
++	ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
++	rv = SECFailure;
++	goto loser;
++    }
++    hashes->hashAlg = SEC_OID_SHA1;
++
++loser:
++    PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
++    ss->ssl3.hs.backupHash = NULL;
++    return rv;
++}
++
+ /*
+  * SSL 2 based implementations pass in the initial outbound buffer
+  * so that the handshake hash can contain the included information.
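Review bot: `ssl3_ComputeBackupHandshakeHashes` passes `ss->ssl3.hs.backupHash` to `PK11_DigestFinal` and `PK11_DestroyContext` without checking it, and its preconditions are expressed only as `PORT_Assert`s. The function clears the field on exit, and the creation hunk sets it only for clients on the single-hash path. A second call, or a call on a socket that never created the backup hash, would therefore pass NULL to both routines. Callers are outside this hunk and may already guard against this. If they do not, an early `if (!ss->ssl3.hs.backupHash) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; }` would make release builds fail closed.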
+@@ -4768,7 +4839,6 @@
+     int              num_suites;
+     int              actual_count = 0;
+     PRBool           isTLS = PR_FALSE;
+-    PRBool           requestingResume = PR_FALSE;
+     PRInt32          total_exten_len = 0;
+     unsigned         numCompressionMethods;
+     PRInt32          flags;
+@@ -4786,6 +4856,9 @@
+     ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */
+     PORT_Assert(IS_DTLS(ss) || !resending);
+ 
++    SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE);
++    ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
++
+     /* We might be starting a session renegotiation in which case we should
+      * clear previous state.
+      */
+@@ -4907,14 +4980,8 @@
+     }
+ 
+     if (sid) {
+-	requestingResume = PR_TRUE;
+ 	SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits );
+ 
+-	/* Are we attempting a stateless session resume? */
+-	if (sid->version > SSL_LIBRARY_VERSION_3_0 &&
+-	    sid->u.ssl3.sessionTicket.ticket.data)
+-	    SSL_AtomicIncrementLong(& ssl3stats.sch_sid_stateless_resumes );
+-
+ 	PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
+ 		      sid->u.ssl3.sessionIDLength));
+ 
+@@ -4974,21 +5041,33 @@
+     	return SECFailure;	/* ssl3_config_match_init has set error code. */
+ 
+     /* HACK for SCSV in SSL 3.0.  On initial handshake, prepend SCSV,
+-     * only if we're willing to complete an SSL 3.0 handshake.
++     * only if TLS is disabled.
+      */
+-    if (!ss->firstHsDone && ss->vrange.min == SSL_LIBRARY_VERSION_3_0) {
++    if (!ss->firstHsDone && !isTLS) {
+ 	/* Must set this before calling Hello Extension Senders, 
+ 	 * to suppress sending of empty RI extension.
+ 	 */
+ 	ss->ssl3.hs.sendingSCSV = PR_TRUE;
+     }
+ 
++    /* When we attempt session resumption (only), we must lock the sid to
++     * prevent races with other resumption connections that receive a
++     * NewSessionTicket that will cause the ticket in the sid to be replaced.
++     * Once we've copied the session ticket into our ClientHello message, it
++     * is OK for the ticket to change, so we just need to make sure we hold
++     * the lock across the calls to ssl3_CallHelloExtensionSenders.
++     */
++    if (sid->u.ssl3.lock) {
++        PR_RWLock_Rlock(sid->u.ssl3.lock);
++    }
++
+     if (isTLS || (ss->firstHsDone && ss->peerRequestedProtection)) {
+ 	PRUint32 maxBytes = 65535; /* 2^16 - 1 */
+ 	PRInt32  extLen;
+ 
+ 	extLen = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, NULL);
+ 	if (extLen < 0) {
++	    if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
+ 	    return SECFailure;
+ 	}
+ 	maxBytes        -= extLen;
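Review bot: The read lock taken on `sid->u.ssl3.lock` is released by a copy of `if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }` pasted before each error return, here after `extLen < 0` and again in the hunks from `@@ -5011,8 +5090,10 @@` to `@@ -5120,12 +5211,14 @@`, which appear to belong to the same function. Any early return added later between the lock and the final unlock must repeat that line, and a missed one would leave the session ID read-locked against the ticket replacement the new comment describes. A single exit label would hold the unlock once, `loser: if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); } return rv;`, with the error paths setting `rv` and jumping to it. The function starts and ends outside these hunks, so the success-path unlock is not visible here.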
+@@ -5011,8 +5090,10 @@
+ 
+     /* how many suites are permitted by policy and user preference? */
+     num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
+-    if (!num_suites)
++    if (!num_suites) {
++    	if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
+     	return SECFailure;	/* count_cipher_suites has set error code. */
++    }
+     if (ss->ssl3.hs.sendingSCSV) {
+ 	++num_suites;   /* make room for SCSV */
+     }
+@@ -5034,6 +5115,7 @@
+ 
+     rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
+     if (rv != SECSuccess) {
++	if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
+ 	return rv;	/* err set by ssl3_AppendHandshake* */
+     }
+ 
+@@ -5052,18 +5134,21 @@
+ 	rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
+     }
+     if (rv != SECSuccess) {
++	if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
+ 	return rv;	/* err set by ssl3_AppendHandshake* */
+     }
+ 
+     if (!resending) { /* Don't re-generate if we are in DTLS re-sending mode */
+ 	rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random);
+ 	if (rv != SECSuccess) {
++	    if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
+ 	    return rv;	/* err set by GetNewRandom. */
+ 	}
+     }
+     rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random,
+                               SSL3_RANDOM_LENGTH);
+     if (rv != SECSuccess) {
++	if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
+ 	return rv;	/* err set by ssl3_AppendHandshake* */
+     }
+ 
+@@ -5073,6 +5158,7 @@
+     else
+ 	rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
+     if (rv != SECSuccess) {
++	if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
+ 	return rv;	/* err set by ssl3_AppendHandshake* */
+     }
+ 
+@@ -5080,12 +5166,14 @@
+ 	rv = ssl3_AppendHandshakeVariable(
+ 	    ss, ss->ssl3.hs.cookie, ss->ssl3.hs.cookieLen, 1);
+ 	if (rv != SECSuccess) {
++	    if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
+ 	    return rv;	/* err set by ssl3_AppendHandshake* */
+ 	}
+     }
+ 
+     rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2);
+     if (rv != SECSuccess) {
++	if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
+ 	return rv;	/* err set by ssl3_AppendHandshake* */
+     }
+ 
+@@ -5094,6 +5182,7 @@
+ 	rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
+ 					sizeof(ssl3CipherSuite));
+ 	if (rv != SECSuccess) {
++	    if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
+ 	    return rv;	/* err set by ssl3_AppendHandshake* */
+ 	}
+ 	actual_count++;
+@@ -5103,6 +5192,7 @@
+ 	if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) {
+ 	    actual_count++;
+ 	    if (actual_count > num_suites) {
++		if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
+ 		/* set error card removal/insertion error */
+ 		PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
+ 		return SECFailure;
+@@ -5110,6 +5200,7 @@
+ 	    rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite,
+ 					    sizeof(ssl3CipherSuite));
+ 	    if (rv != SECSuccess) {
++		if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
+ 		return rv;	/* err set by ssl3_AppendHandshake* */
+ 	    }
+ 	}
+@@ -5120,12 +5211,14 @@
+      * the server.. */
+     if (actual_count != num_suites) {
+ 	/* Card removal/insertion error */
++	if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
+ 	PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
+ 	return SECFailure;
+     }
+ 
+     rv = ssl3_AppendHandshakeNumber(ss, numCompressionMethods, 1);
+     if (rv != SECSuccess) {
++	if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
+ 	return rv;	/* err set by ssl3_AppendHandshake* */
+     }
+     for (i = 0; i < compressionMethodsCount; i++) {
+@@ -5133,6 +5226,7 @@
+ 	    continue;
+ 	rv = ssl3_AppendHandshakeNumber(ss, compressions[i], 1);
+ 	if (rv != SECSuccess) {
++	    if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
+ 	    return rv;	/* err set by ssl3_AppendHandshake* */
+ 	}
+     }
+@@ -5143,16 +5237,27 @@
+ 
+ 	rv = ssl3_AppendHandshakeNumber(ss, maxBytes, 2);
+ 	if (rv != SECSuccess) {
++	    if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
+ 	    return rv;	/* err set by AppendHandshake. */
+ 	}
+ 
+ 	extLen = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, maxBytes, NULL);
+ 	if (extLen < 0) {
++	    if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
+ 	    return SECFailure;
+ 	}
+ 	maxBytes -= extLen;
+ 	PORT_Assert(!maxBytes);
+     } 
++
++    if (sid->u.ssl3.lock) {
++        PR_RWLock_Unlock(sid->u.ssl3.lock);
++    }
++
++    if (ss->xtnData.sentSessionTicketInClientHello) {
++        SSL_AtomicIncrementLong(&ssl3stats.sch_sid_stateless_resumes);
++    }
++
+     if (ss->ssl3.hs.sendingSCSV) {
+ 	/* Since we sent the SCSV, pretend we sent empty RI extension. */
+ 	TLSExtensionData *xtnData = &ss->xtnData;
+@@ -5161,7 +5266,7 @@
+     }
+ 
+     flags = 0;
+-    if (!ss->firstHsDone && !requestingResume && !IS_DTLS(ss)) {
++    if (!ss->firstHsDone && !IS_DTLS(ss)) {
+ 	flags |= ssl_SEND_FLAG_CAP_RECORD_VERSION;
+     }
+     rv = ssl3_FlushHandshake(ss, flags);
+@@ -5960,7 +6065,13 @@
+ 		SSL_GETPID(), ss->fd));
+ 
+     ssl_GetSpecReadLock(ss);
++    if (ss->ssl3.hs.hashType == handshake_hash_single &&
++	ss->ssl3.hs.backupHash) {
++	rv = ssl3_ComputeBackupHandshakeHashes(ss, &hashes);
++	PORT_Assert(!ss->ssl3.hs.backupHash);
++    } else {
+     rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
++    }
+     ssl_ReleaseSpecReadLock(ss);
+     if (rv != SECSuccess) {
+ 	goto done;	/* err code was set by ssl3_ComputeHandshakeHashes */
+@@ -6003,11 +6114,6 @@
+ 	if (rv != SECSuccess) {
+ 	    goto done;
+ 	}
+-	/* We always sign using the handshake hash function. It's possible that
+-	 * a server could support SHA-256 as the handshake hash but not as a
+-	 * signature hash. In that case we wouldn't be able to do client
+-	 * certificates with it. The alternative is to buffer all handshake
+-	 * messages. */
+ 	sigAndHash.hashAlg = hashes.hashAlg;
+ 
+ 	rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
+@@ -6332,8 +6438,7 @@
+ 	SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_hits );
+ 
+ 	/* If we sent a session ticket, then this is a stateless resume. */
+-	if (sid->version > SSL_LIBRARY_VERSION_3_0 &&
+-	    sid->u.ssl3.sessionTicket.ticket.data != NULL)
++	if (ss->xtnData.sentSessionTicketInClientHello)
+ 	    SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_stateless_resumes );
+ 
+ 	if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
+@@ -6674,6 +6779,102 @@
+ }
+ 
+ 
++/*
++ * Returns the TLS signature algorithm for the client authentication key and
++ * whether it is an RSA or DSA key that may be able to sign only SHA-1 hashes.
++ */
++static SECStatus
++ssl3_ExtractClientKeyInfo(sslSocket *ss,
++			  TLSSignatureAlgorithm *sigAlg,
++			  PRBool *preferSha1)
++{
++    SECStatus rv = SECSuccess;
++    SECKEYPublicKey *pubk;
++
++    pubk = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
++    if (pubk == NULL) {
++	rv = SECFailure;
++	goto done;
++    }
++
++    rv = ssl3_TLSSignatureAlgorithmForKeyType(pubk->keyType, sigAlg);
++    if (rv != SECSuccess) {
++	goto done;
++    }
++
++    /* If the key is a 1024-bit RSA or DSA key, assume conservatively that
++     * it may be unable to sign SHA-256 hashes. This is the case for older
++     * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
++     * older, DSA key size is at most 1024 bits and the hash function must
++     * be SHA-1.
++     */
++    if (pubk->keyType == rsaKey || pubk->keyType == dsaKey) {
++	*preferSha1 = SECKEY_PublicKeyStrength(pubk) <= 128;
++    } else {
++	*preferSha1 = PR_FALSE;
++    }
++
++done:
++    if (pubk)
++	SECKEY_DestroyPublicKey(pubk);
++    return rv;
++}
++
++/* Destroys the backup handshake hash context if we don't need it. Note that
++ * this function selects the hash algorithm for client authentication
++ * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash
++ * to determine whether to use SHA-1 or SHA-256. */
++static void
++ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss,
++					   const SECItem *algorithms)
++{
++    SECStatus rv;
++    TLSSignatureAlgorithm sigAlg;
++    PRBool preferSha1;
++    PRBool supportsSha1 = PR_FALSE;
++    PRBool supportsSha256 = PR_FALSE;
++    PRBool needBackupHash = PR_FALSE;
++    unsigned int i;
++
++#ifndef NO_PKCS11_BYPASS
++    /* Backup handshake hash is not supported in PKCS #11 bypass mode. */
++    if (ss->opt.bypassPKCS11) {
++	PORT_Assert(!ss->ssl3.hs.backupHash);
++	return;
++    }
++#endif
++    PORT_Assert(ss->ssl3.hs.backupHash);
++
++    /* Determine the key's signature algorithm and whether it prefers SHA-1. */
++    rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1);
++    if (rv != SECSuccess) {
++	goto done;
++    }
++
++    /* Determine the server's hash support for that signature algorithm. */
++    for (i = 0; i < algorithms->len; i += 2) {
++	if (algorithms->data[i+1] == sigAlg) {
++	    if (algorithms->data[i] == tls_hash_sha1) {
++		supportsSha1 = PR_TRUE;
++	    } else if (algorithms->data[i] == tls_hash_sha256) {
++		supportsSha256 = PR_TRUE;
++	    }
++	}
++    }
++
++    /* If either the server does not support SHA-256 or the client key prefers
++     * SHA-1, leave the backup hash. */
++    if (supportsSha1 && (preferSha1 || !supportsSha256)) {
++	needBackupHash = PR_TRUE;
++    }
++
++done:
++    if (!needBackupHash) {
++	PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
++	ss->ssl3.hs.backupHash = NULL;
++    }
++}
++
+ typedef struct dnameNode {
+     struct dnameNode *next;
+     SECItem           name;
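Review bot: The loop in ssl3_DestroyBackupHandshakeHashIfNotNeeded reads `algorithms->data[i+1]` while checking only `i < algorithms->len`, so an odd-length item makes the last iteration read one byte past the buffer. The list appears to carry the server's advertised algorithms, and the caller's length validation is not visible in this hunk. Unless the caller already rejects odd lengths, bound the pair instead: `for (i = 0; i + 1 < algorithms->len; i += 2) {`. A one-line comment stating that `algorithms` holds (hash, signature) byte pairs would also make the indexing self-explanatory.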
+@@ -6831,16 +7032,15 @@
+ 					ss->ssl3.clientCertificate,
+ 					certUsageSSLClient, PR_FALSE);
+ 	if (ss->ssl3.clientCertChain == NULL) {
+-	    if (ss->ssl3.clientCertificate != NULL) {
+ 		CERT_DestroyCertificate(ss->ssl3.clientCertificate);
+ 		ss->ssl3.clientCertificate = NULL;
+-	    }
+-	    if (ss->ssl3.clientPrivateKey != NULL) {
+ 		SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+ 		ss->ssl3.clientPrivateKey = NULL;
+-	    }
+ 	    goto send_no_certificate;
+ 	}
++	if (ss->ssl3.hs.hashType == handshake_hash_single) {
++	    ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms);
++	}
+ 	break;	/* not an error */
+ 
+     case SECFailure:
+@@ -6874,36 +7074,72 @@
+     return rv;
+ }
+ 
+-PRBool
+-ssl3_CanFalseStart(sslSocket *ss) {
+-    PRBool rv;
+-
++static SECStatus
++ssl3_CheckFalseStart(sslSocket *ss)
++{
+     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
++    PORT_Assert( !ss->ssl3.hs.authCertificatePending );
++    PORT_Assert( !ss->ssl3.hs.canFalseStart );
+ 
+-    /* XXX: does not take into account whether we are waiting for
+-     * SSL_AuthCertificateComplete or SSL_RestartHandshakeAfterCertReq. If/when
+-     * that is done, this function could return different results each time it
+-     * would be called.
+-     */
+-
+-    ssl_GetSpecReadLock(ss);
+-    rv = ss->opt.enableFalseStart &&
+-	 !ss->sec.isServer &&
+-	 !ss->ssl3.hs.isResuming &&
+-	 ss->ssl3.cwSpec &&
++    if (!ss->canFalseStartCallback) {
++	SSL_TRC(3, ("%d: SSL[%d]: no false start callback so no false start",
++		    SSL_GETPID(), ss->fd));
++    } else {
++	PRBool maybeFalseStart;
++	SECStatus rv;
+ 
+ 	 /* An attacker can control the selected ciphersuite so we only wish to
+ 	  * do False Start in the case that the selected ciphersuite is
+ 	  * sufficiently strong that the attack can gain no advantage.
+-	  * Therefore we require an 80-bit cipher and a forward-secret key
+-	  * exchange. */
+-	 ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
+-	(ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
+-	 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
+-	 ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
+-	 ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa);
++	 * Therefore we always require an 80-bit cipher. */
++        ssl_GetSpecReadLock(ss);
++        maybeFalseStart = ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10;
+     ssl_ReleaseSpecReadLock(ss);
++
++	if (!maybeFalseStart) {
++	    SSL_TRC(3, ("%d: SSL[%d]: no false start due to weak cipher",
++			SSL_GETPID(), ss->fd));
++	} else {
++	    rv = (ss->canFalseStartCallback)(ss->fd,
++					     ss->canFalseStartCallbackData,
++					     &ss->ssl3.hs.canFalseStart);
++	    if (rv == SECSuccess) {
++		SSL_TRC(3, ("%d: SSL[%d]: false start callback returned %s",
++			    SSL_GETPID(), ss->fd,
++			    ss->ssl3.hs.canFalseStart ? "TRUE" : "FALSE"));
++	    } else {
++		SSL_TRC(3, ("%d: SSL[%d]: false start callback failed (%s)",
++			    SSL_GETPID(), ss->fd,
++			    PR_ErrorToName(PR_GetError())));
++	    }
+     return rv;
++	}
++    }
++
++    ss->ssl3.hs.canFalseStart = PR_FALSE;
++    return SECSuccess;
++}
++
++PRBool
++ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss)
++{
++    PRBool result;
++
++    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
++
++    switch (ss->ssl3.hs.ws) {
++    case wait_new_session_ticket:
++        result = PR_TRUE;
++        break;
++    case wait_change_cipher:
++        result = !ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn);
++        break;
++    default:
++        result = PR_FALSE;
++        break;
++    }
++
++    return result;
+ }
+ 
+ static SECStatus ssl3_SendClientSecondRound(sslSocket *ss);
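Review bot: In ssl3_CheckFalseStart the callback writes directly into `ss->ssl3.hs.canFalseStart`, and the failure branch only traces before `return rv;`, so a callback that stores TRUE and then fails leaves the flag set. Adding `ss->ssl3.hs.canFalseStart = PR_FALSE;` in that `else` branch would make the error path fail closed regardless of what callers do next. The rewritten comment also drops the forward-secret key exchange requirement without saying where it went. It should state that only the 80-bit cipher floor is enforced here and that every other False Start condition is now the responsibility of `canFalseStartCallback`.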
+@@ -6954,6 +7190,14 @@
+ 		     ss->ssl3.clientCertChain  != NULL &&
+ 		     ss->ssl3.clientPrivateKey != NULL;
+ 
++    if (!sendClientCert &&
++	ss->ssl3.hs.hashType == handshake_hash_single &&
++	ss->ssl3.hs.backupHash) {
++	/* Don't need the backup handshake hash. */
++	PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
++	ss->ssl3.hs.backupHash = NULL;
++    }
++
+     /* We must wait for the server's certificate to be authenticated before
+      * sending the client certificate in order to disclosing the client
+      * certificate to an attacker that does not have a valid cert for the
+@@ -6985,6 +7229,9 @@
+     }
+     if (ss->ssl3.hs.authCertificatePending &&
+ 	(sendClientCert || ss->ssl3.sendEmptyCert || ss->firstHsDone)) {
++	SSL_TRC(3, ("%d: SSL3[%p]: deferring ssl3_SendClientSecondRound because"
++		    " certificate authentication is still pending.",
++		    SSL_GETPID(), ss->fd));
+ 	ss->ssl3.hs.restartTarget = ssl3_SendClientSecondRound;
+ 	return SECWouldBlock;
+     }
+@@ -7022,14 +7269,50 @@
+ 	goto loser;	/* err code was set. */
+     }
+ 
++    /* This must be done after we've set ss->ssl3.cwSpec in
++     * ssl3_SendChangeCipherSpecs because SSL_GetChannelInfo uses information
++     * from cwSpec. This must be done before we call ssl3_CheckFalseStart
++     * because the false start callback (if any) may need the information from
++     * the functions that depend on this being set.
++     */
++    ss->enoughFirstHsDone = PR_TRUE;
++
++    if (!ss->firstHsDone) {
+     /* XXX: If the server's certificate hasn't been authenticated by this
+      * point, then we may be leaking this NPN message to an attacker.
+      */
+-    if (!ss->firstHsDone) {
+ 	rv = ssl3_SendNextProto(ss);
+ 	if (rv != SECSuccess) {
+ 	    goto loser;	/* err code was set. */
+ 	}
++
++	if (ss->opt.enableFalseStart) {
++	    if (!ss->ssl3.hs.authCertificatePending) {
++		/* When we fix bug 589047, we will need to know whether we are
++		 * false starting before we try to flush the client second
++		 * round to the network. With that in mind, we purposefully
++		 * call ssl3_CheckFalseStart before calling ssl3_SendFinished,
++		 * which includes a call to ssl3_FlushHandshake, so that
++		 * no application develops a reliance on such flushing being
++		 * done before its false start callback is called.
++		 */
++		ssl_ReleaseXmitBufLock(ss);
++		rv = ssl3_CheckFalseStart(ss);
++		ssl_GetXmitBufLock(ss);
++		if (rv != SECSuccess) {
++		    goto loser;
++		}
++	    } else {
++		/* The certificate authentication and the server's Finished
++		 * message are racing each other. If the certificate
++		 * authentication wins, then we will try to false start in
++		 * ssl3_AuthCertificateComplete.
++		 */
++		SSL_TRC(3, ("%d: SSL3[%p]: deferring false start check because"
++			    " certificate authentication is still pending.",
++			    SSL_GETPID(), ss->fd));
++	    }
++	}
+     }
+ 
+     rv = ssl3_SendFinished(ss, 0);
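Review bot: The `ssl_ReleaseXmitBufLock(ss)` / `ssl_GetXmitBufLock(ss)` pair around `ssl3_CheckFalseStart(ss)` is not explained; the comment above it covers only the ordering relative to ssl3_SendFinished. Presumably the lock is dropped so that the application's false start callback does not run while the transmit buffer lock is held. If so, say it in the comment, e.g. `/* Release the XmitBufLock while the application callback runs; it is re-acquired before ssl3_SendFinished. */`. It would also help to note which locks are still held during the callback, since the enclosing function starts outside this hunk and its lock state cannot be read from here.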
+@@ -7044,10 +7327,7 @@
+     else
+ 	ss->ssl3.hs.ws = wait_change_cipher;
+ 
+-    /* Do the handshake callback for sslv3 here, if we can false start. */
+-    if (ss->handshakeCallback != NULL && ssl3_CanFalseStart(ss)) {
+-	(ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+-    }
++    PORT_Assert(ssl3_WaitingForStartOfServerSecondRound(ss));
+ 
+     return SECSuccess;
+ 
+@@ -9075,7 +9355,7 @@
+ ssl3_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+ {
+     SECStatus         rv;
+-    NewSessionTicket  session_ticket;
++    SECItem ticketData;
+ 
+     SSL_TRC(3, ("%d: SSL3[%d]: handle session_ticket handshake",
+ 		SSL_GETPID(), ss->fd));
+@@ -9083,35 +9363,41 @@
+     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+ 
++    PORT_Assert(!ss->ssl3.hs.newSessionTicket.ticket.data);
++    PORT_Assert(!ss->ssl3.hs.receivedNewSessionTicket);
++
+     if (ss->ssl3.hs.ws != wait_new_session_ticket) {
+ 	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+ 	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET);
+ 	return SECFailure;
+     }
+ 
+-    session_ticket.received_timestamp = ssl_Time();
++    /* RFC5077 Section 3.3: "The client MUST NOT treat the ticket as valid
++     * until it has verified the server's Finished message." See the comment in
++     * ssl3_FinishHandshake for more details.
++     */
++    ss->ssl3.hs.newSessionTicket.received_timestamp = ssl_Time();
+     if (length < 4) {
+ 	(void)SSL3_SendAlert(ss, alert_fatal, decode_error);
+ 	PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
+ 	return SECFailure;
+     }
+-    session_ticket.ticket_lifetime_hint =
++    ss->ssl3.hs.newSessionTicket.ticket_lifetime_hint =
+ 	(PRUint32)ssl3_ConsumeHandshakeNumber(ss, 4, &b, &length);
+ 
+-    rv = ssl3_ConsumeHandshakeVariable(ss, &session_ticket.ticket, 2,
+-	&b, &length);
++    rv = ssl3_ConsumeHandshakeVariable(ss, &ticketData, 2, &b, &length);
+     if (length != 0 || rv != SECSuccess) {
+ 	(void)SSL3_SendAlert(ss, alert_fatal, decode_error);
+ 	PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
+ 	return SECFailure;  /* malformed */
+     }
+-
+-    rv = ssl3_SetSIDSessionTicket(ss->sec.ci.sid, &session_ticket);
++    rv = SECITEM_CopyItem(NULL, &ss->ssl3.hs.newSessionTicket.ticket,
++			  &ticketData);
+     if (rv != SECSuccess) {
+-	(void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
+-	PORT_SetError(SSL_ERROR_INTERNAL_ERROR_ALERT);
+-	return SECFailure;
++	return rv;
+     }
++    ss->ssl3.hs.receivedNewSessionTicket = PR_TRUE;
++
+     ss->ssl3.hs.ws = wait_change_cipher;
+     return SECSuccess;
+ }
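Review bot: The two new `PORT_Assert` lines on `newSessionTicket.ticket.data` and `receivedNewSessionTicket` run before the `ss->ssl3.hs.ws != wait_new_session_ticket` check. In a debug build a repeated NewSessionTicket message would therefore stop on the assertion instead of being rejected with the `unexpected_message` alert. Moving both assertions below that state check keeps them as invariants of the accepted path only. Separately, the `SECITEM_CopyItem` failure path now returns without the alert the removed code sent; a short comment saying this is intentional would help. The function signature is in the previous hunk.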
+@@ -9622,13 +9908,6 @@
+ 
+ 	    ss->ssl3.hs.authCertificatePending = PR_TRUE;
+ 	    rv = SECSuccess;
+-
+-	    /* XXX: Async cert validation and False Start don't work together
+-	     * safely yet; if we leave False Start enabled, we may end up false
+-	     * starting (sending application data) before we
+-	     * SSL_AuthCertificateComplete has been called.
+-	     */
+-	    ss->opt.enableFalseStart = PR_FALSE;
+ 	}
+ 
+ 	if (rv != SECSuccess) {
+@@ -9752,6 +10031,12 @@
+     } else if (ss->ssl3.hs.restartTarget != NULL) {
+ 	sslRestartTarget target = ss->ssl3.hs.restartTarget;
+ 	ss->ssl3.hs.restartTarget = NULL;
++
++	if (target == ssl3_FinishHandshake) {
++	    SSL_TRC(3,("%d: SSL3[%p]: certificate authentication lost the race"
++		       " with peer's finished message", SSL_GETPID(), ss->fd));
++	}
++
+ 	rv = target(ss);
+ 	/* Even if we blocked here, we have accomplished enough to claim
+ 	 * success. Any remaining work will be taken care of by subsequent
+@@ -9761,8 +10046,25 @@
+ 	    rv = SECSuccess;
+ 	}
+     } else {
++	SSL_TRC(3, ("%d: SSL3[%p]: certificate authentication won the race with"
++        	    " peer's finished message", SSL_GETPID(), ss->fd));
++
++	PORT_Assert(!ss->ssl3.hs.isResuming);
++	PORT_Assert(ss->ssl3.hs.ws != idle_handshake);
++
++	if (ss->opt.enableFalseStart &&
++	    !ss->firstHsDone &&
++	    !ss->ssl3.hs.isResuming &&
++	    ssl3_WaitingForStartOfServerSecondRound(ss)) {
++	    /* ssl3_SendClientSecondRound deferred the false start check because
++	     * certificate authentication was pending, so we do it now if we still
++	     * haven't received any of the server's second round yet.
++	     */
++	    rv = ssl3_CheckFalseStart(ss);
++	} else {
+ 	rv = SECSuccess;
+     }
++    }
+ 
+ done:
+     ssl_ReleaseSSL3HandshakeLock(ss);
+@@ -9850,7 +10152,8 @@
+     return rv;
+ }
+ 
+-/* called from ssl3_HandleServerHelloDone
++/* called from ssl3_SendClientSecondRound
++ *             ssl3_HandleFinished
+  */
+ static SECStatus
+ ssl3_SendNextProto(sslSocket *ss)
+@@ -9943,7 +10246,7 @@
+     return;
+ }
+ 
+-/* called from ssl3_HandleServerHelloDone
++/* called from ssl3_SendClientSecondRound
+  *             ssl3_HandleClientHello
+  *             ssl3_HandleFinished
+  */
+@@ -10179,6 +10482,11 @@
+ 	 */
+ 	if (isServer && !ss->ssl3.hs.isResuming &&
+ 	    ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) {
++	    /* RFC 5077 Section 3.3: "In the case of a full handshake, the
++	     * server MUST verify the client's Finished message before sending
++	     * the ticket." Presumably, this also means that the client's
++	     * certificate, if any, must be verified beforehand too.
++	     */
+ 	    rv = ssl3_SendNewSessionTicket(ss);
+ 	    if (rv != SECSuccess) {
+ 		goto xmit_loser;
+@@ -10221,9 +10529,6 @@
+         return rv;
+     }
+ 
+-    ss->gs.writeOffset = 0;
+-    ss->gs.readOffset  = 0;
+-
+     if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
+ 	effectiveExchKeyType = kt_rsa;
+     } else {
+@@ -10288,6 +10593,9 @@
+     return rv;
+ }
+ 
++/* The return type is SECStatus instead of void because this function needs
++ * to have type sslRestartTarget.
++ */
+ SECStatus
+ ssl3_FinishHandshake(sslSocket * ss)
+ {
+@@ -10297,19 +10605,36 @@
+ 
+     /* The first handshake is now completed. */
+     ss->handshake           = NULL;
+-    ss->firstHsDone         = PR_TRUE;
++
++    /* RFC 5077 Section 3.3: "The client MUST NOT treat the ticket as valid
++     * until it has verified the server's Finished message." When the server
++     * sends a NewSessionTicket in a resumption handshake, we must wait until
++     * the handshake is finished (we have verified the server's Finished
++     * AND the server's certificate) before we update the ticket in the sid.
++     *
++     * This must be done before we call (*ss->sec.cache)(ss->sec.ci.sid)
++     * because CacheSID requires the session ticket to already be set, and also
++     * because of the lazy lock creation scheme used by CacheSID and
++     * ssl3_SetSIDSessionTicket.
++     */
++    if (ss->ssl3.hs.receivedNewSessionTicket) {
++	PORT_Assert(!ss->sec.isServer);
++	ssl3_SetSIDSessionTicket(ss->sec.ci.sid, &ss->ssl3.hs.newSessionTicket);
++	/* The sid took over the ticket data */
++	PORT_Assert(!ss->ssl3.hs.newSessionTicket.ticket.data);
++        ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
++    }
+ 
+     if (ss->ssl3.hs.cacheSID) {
++	PORT_Assert(ss->sec.ci.sid->cached == never_cached);
+ 	(*ss->sec.cache)(ss->sec.ci.sid);
+ 	ss->ssl3.hs.cacheSID = PR_FALSE;
+     }
+ 
++    ss->ssl3.hs.canFalseStart = PR_FALSE; /* False Start phase is complete */
+     ss->ssl3.hs.ws = idle_handshake;
+ 
+-    /* Do the handshake callback for sslv3 here, if we cannot false start. */
+-    if (ss->handshakeCallback != NULL && !ssl3_CanFalseStart(ss)) {
+-	(ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+-    }
++    ssl_FinishHandshake(ss);
+ 
+     return SECSuccess;
+ }
+@@ -11274,7 +11599,6 @@
+ 
+     ssl_ReleaseSSL3HandshakeLock(ss);
+     return rv;
+-
+ }
+ 
+ /*
+@@ -11373,6 +11697,10 @@
+     ss->ssl3.hs.messages.buf = NULL;
+     ss->ssl3.hs.messages.space = 0;
+ 
++    ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
++    PORT_Memset(&ss->ssl3.hs.newSessionTicket, 0,
++		sizeof(ss->ssl3.hs.newSessionTicket));
++
+     ss->ssl3.initialized = PR_TRUE;
+     return SECSuccess;
+ }
+@@ -11696,6 +12024,8 @@
+     /* free the SSL3Buffer (msg_body) */
+     PORT_Free(ss->ssl3.hs.msg_body.buf);
+ 
++    SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE);
++
+     /* free up the CipherSpecs */
+     ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/);
+     ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/ssl3ext.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/ssl3ext.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/ssl3ext.c	2014-02-10 01:12:09.963982465 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/ssl3ext.c	2014-02-10 01:13:33.090518643 +0400
+@@ -479,6 +479,7 @@
+ {
+     PRInt32 extension_length;
+     NewSessionTicket *session_ticket = NULL;
++    sslSessionID *sid = ss->sec.ci.sid;
+ 
+     /* Ignore the SessionTicket extension if processing is disabled. */
+     if (!ss->opt.enableSessionTickets)
+@@ -494,8 +495,15 @@
+      * the extension always respond with an empty extension.
+      */
+     if (!ss->sec.isServer) {
+-	sslSessionID *sid = ss->sec.ci.sid;
+-	session_ticket = &sid->u.ssl3.sessionTicket;
++	/* The caller must be holding sid->u.ssl3.lock for reading. We cannot
++	 * just acquire and release the lock within this function because the
++	 * caller will call this function twice, and we need the inputs to be
++	 * consistent between the two calls. Note that currently the caller
++	 * will only be holding the lock when we are the client and when we're
++	 * attempting to resume an existing session.
++	 */
++
++	session_ticket = &sid->u.ssl3.locked.sessionTicket;
+ 	if (session_ticket->ticket.data) {
+ 	    if (ss->xtnData.ticketTimestampVerified) {
+ 		extension_length += session_ticket->ticket.len;
+@@ -520,6 +528,7 @@
+ 	    rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data,
+ 		session_ticket->ticket.len, 2);
+ 	    ss->xtnData.ticketTimestampVerified = PR_FALSE;
++	    ss->xtnData.sentSessionTicketInClientHello = PR_TRUE;
+ 	} else {
+ 	    rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+ 	}
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/ssl3gthr.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/ssl3gthr.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/ssl3gthr.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/ssl3gthr.c	2014-02-10 01:13:33.090518643 +0400
+@@ -275,11 +275,17 @@
+ {
+     SSL3Ciphertext cText;
+     int            rv;
+-    PRBool         canFalseStart = PR_FALSE;
++    PRBool         keepGoing = PR_TRUE;
+ 
+     SSL_TRC(30, ("ssl3_GatherCompleteHandshake"));
+ 
++    /* ssl3_HandleRecord may end up eventually calling ssl_FinishHandshake,
++     * which requires the 1stHandshakeLock, which must be acquired before the
++     * RecvBufLock.
++     */
++    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
++
+     do {
+ 	PRBool handleRecordNow = PR_FALSE;
+ 
+@@ -319,6 +325,12 @@
+ 	    rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf);
+ 	} else {
+ 	    /* bring in the next sslv3 record. */
++	    if (ss->recvdCloseNotify) {
++		/* RFC 5246 Section 7.2.1:
++		 *   Any data received after a closure alert is ignored.
++		 */
++		return 0;
++	    }
+ 	    if (!IS_DTLS(ss)) {
+ 		rv = ssl3_GatherData(ss, &ss->gs, flags);
+ 	    } else {
+@@ -368,20 +380,47 @@
+ 	if (rv < 0) {
+ 	    return ss->recvdCloseNotify ? 0 : rv;
+ 	}
+-
+-	/* If we kicked off a false start in ssl3_HandleServerHelloDone, break
+-	 * out of this loop early without finishing the handshake.
++	if (ss->gs.buf.len > 0) {
++	    /* We have application data to return to the application. This
++	     * prioritizes returning application data to the application over
++	     * completing any renegotiation handshake we may be doing.
+ 	 */
+-	if (ss->opt.enableFalseStart) {
++	    PORT_Assert(ss->firstHsDone);
++	    PORT_Assert(cText.type == content_application_data);
++	    break;
++	}
++
++	PORT_Assert(keepGoing);
+ 	    ssl_GetSSL3HandshakeLock(ss);
+-	    canFalseStart = (ss->ssl3.hs.ws == wait_change_cipher ||
+-			     ss->ssl3.hs.ws == wait_new_session_ticket) &&
+-		            ssl3_CanFalseStart(ss);
+-	    ssl_ReleaseSSL3HandshakeLock(ss);
++	if (ss->ssl3.hs.ws == idle_handshake) {
++	    /* We are done with the current handshake so stop trying to
++	     * handshake. Note that it would be safe to test ss->firstHsDone
++	     * instead of ss->ssl3.hs.ws. By testing ss->ssl3.hs.ws instead,
++	     * we prioritize completing a renegotiation handshake over sending
++	     * application data.
++	     */
++	    PORT_Assert(ss->firstHsDone);
++	    PORT_Assert(!ss->ssl3.hs.canFalseStart);
++	    keepGoing = PR_FALSE;
++	} else if (ss->ssl3.hs.canFalseStart) {
++	    /* Prioritize sending application data over trying to complete
++	     * the handshake if we're false starting.
++	     *
++	     * If we were to do this check at the beginning of the loop instead
++	     * of here, then this function would become be a no-op after
++	     * receiving the ServerHelloDone in the false start case, and we
++	     * would never complete the handshake.
++	     */
++	    PORT_Assert(!ss->firstHsDone);
++
++	    if (ssl3_WaitingForStartOfServerSecondRound(ss)) {
++		keepGoing = PR_FALSE;
++	    } else {
++		ss->ssl3.hs.canFalseStart = PR_FALSE;
+ 	}
+-    } while (ss->ssl3.hs.ws != idle_handshake &&
+-             !canFalseStart &&
+-             ss->gs.buf.len == 0);
++	}
++	ssl_ReleaseSSL3HandshakeLock(ss);
++    } while (keepGoing);
+ 
+     ss->gs.readOffset = 0;
+     ss->gs.writeOffset = ss->gs.buf.len;
+@@ -404,7 +443,10 @@
+ {
+     int            rv;
+ 
++    /* ssl3_GatherCompleteHandshake requires both of these locks. */
++    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
++
+     do {
+ 	rv = ssl3_GatherCompleteHandshake(ss, flags);
+     } while (rv > 0 && ss->gs.buf.len == 0);
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/sslauth.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/sslauth.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/sslauth.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/sslauth.c	2014-02-10 01:13:33.090518644 +0400
+@@ -28,6 +28,46 @@
+ }
+ 
+ /* NEED LOCKS IN HERE.  */
++CERTCertList *
++SSL_PeerCertificateChain(PRFileDesc *fd)
++{
++    sslSocket *ss;
++    CERTCertList *chain = NULL;
++    CERTCertificate *cert;
++    ssl3CertNode *cur;
++
++    ss = ssl_FindSocket(fd);
++    if (!ss) {
++	SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificateChain",
++		 SSL_GETPID(), fd));
++	return NULL;
++    }
++    if (!ss->opt.useSecurity || !ss->sec.peerCert) {
++	PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
++	return NULL;
++    }
++    chain = CERT_NewCertList();
++    if (!chain) {
++	return NULL;
++    }
++    cert = CERT_DupCertificate(ss->sec.peerCert);
++    if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
++	goto loser;
++    }
++    for (cur = ss->ssl3.peerCertChain; cur; cur = cur->next) {
++	cert = CERT_DupCertificate(cur->cert);
++	if (CERT_AddCertToListTail(chain, cert) != SECSuccess) {
++	    goto loser;
++	}
++    }
++    return chain;
++
++loser:
++    CERT_DestroyCertList(chain);
++    return NULL;
++}
++
++/* NEED LOCKS IN HERE.  */
+ CERTCertificate *
+ SSL_LocalCertificate(PRFileDesc *fd)
+ {
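Review bot: In SSL_PeerCertificateChain both `CERT_AddCertToListTail` failure paths jump to `loser` without releasing the reference just taken by `CERT_DupCertificate`. `CERT_DestroyCertList(chain)` frees only certificates already in the list, so that reference leaks. Each failure branch should call `CERT_DestroyCertificate(cert);` before `goto loser;`. The function also walks `ss->sec.peerCert` and `ss->ssl3.peerCertChain` under the inherited `/* NEED LOCKS IN HERE. */` remark. A sentence in that comment saying what callers must guarantee about concurrent handshakes would make the contract explicit.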
+@@ -60,7 +100,6 @@
+     sslSocket *ss;
+     const char *cipherName;
+     PRBool isDes = PR_FALSE;
+-    PRBool enoughFirstHsDone = PR_FALSE;
+ 
+     ss = ssl_FindSocket(fd);
+     if (!ss) {
+@@ -78,14 +117,7 @@
+ 	*op = SSL_SECURITY_STATUS_OFF;
+     }
+ 
+-    if (ss->firstHsDone) {
+-	enoughFirstHsDone = PR_TRUE;
+-    } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
+-	       ssl3_CanFalseStart(ss)) {
+-	enoughFirstHsDone = PR_TRUE;
+-    }
+-
+-    if (ss->opt.useSecurity && enoughFirstHsDone) {
++    if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
+ 	if (ss->version < SSL_LIBRARY_VERSION_3_0) {
+ 	    cipherName = ssl_cipherName[ss->sec.cipherType];
+ 	} else {
+@@ -227,9 +259,14 @@
+     certStatusArray = &ss->sec.ci.sid->peerCertStatus;
+ 
+     if (certStatusArray->len) {
+-        CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert,
+-					now, &certStatusArray->items[0],
+-					ss->pkcs11PinArg);
++	PORT_SetError(0);
++	if (CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert, now,
++						  &certStatusArray->items[0],
++						  ss->pkcs11PinArg)
++		!= SECSuccess) {
++	    PRErrorCode error = PR_GetError();
++	    PORT_Assert(error != 0);
++	}
+     }
+ 
+     /* this may seem backwards, but isn't. */
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/sslcon.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/sslcon.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/sslcon.c	2014-02-10 01:12:09.964982448 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/sslcon.c	2014-02-10 01:13:33.090518644 +0400
+@@ -627,8 +627,9 @@
+ 		(*ss->sec.uncache)(sid);
+ 	    rv = (SECStatus)sent;
+ 	} else if (!ss->opt.noCache) {
+-	    /* Put the sid in session-id cache, (may already be there) */
++	    if (sid->cached == never_cached) {
+ 	    (*ss->sec.cache)(sid);
++	    }
+ 	    rv = SECSuccess;
+ 	}
+ 	ssl_FreeSID(sid);
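Review bot: The added `sid->cached == never_cached` test reads a field that the sslimpl.h hunk of this same patch documents as needing the global cache lock whenever the sid is in any cache, and no lock acquisition is visible around it here or around the same test in the `@@ -2170,7 +2171,7 @@` hunk that follows. If these paths can run on a sid that another socket already shares, the check races with the cache code. If they cannot, a comment like `/* sid is still private to this socket, so reading cached needs no lock */` would record why. Both enclosing functions start outside their hunks, so the actual locking state is not verifiable here.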
+@@ -2170,7 +2171,7 @@
+ 	sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
+ 
+     }
+-    if (!ss->opt.noCache)
++    if (!ss->opt.noCache && sid->cached == never_cached)
+ 	(*ss->sec.cache)(sid);
+ }
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/sslenum.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/sslenum.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/sslenum.c	2014-02-10 01:12:11.059963037 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/sslenum.c	2014-02-10 01:13:33.090518644 +0400
+@@ -10,16 +10,6 @@
+ #include "sslproto.h"
+ 
+ /*
+- * The ciphers are listed in the following order:
+- * - stronger ciphers before weaker ciphers
+- * - national ciphers before international ciphers
+- * - faster ciphers before slower ciphers
+- *
+- * National ciphers such as Camellia are listed before international ciphers
+- * such as AES and RC4 to allow servers that prefer Camellia to negotiate
+- * Camellia without having to disable AES and RC4, which are needed for
+- * interoperability with clients that don't yet implement Camellia.
+- *
+  * The ordering of cipher suites in this table must match the ordering in
+  * the cipherSuites table in ssl3con.c.
+  *
+@@ -27,75 +17,92 @@
+  * in ssl3ecc.c.
+  *
+  * Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h.
++ *
++ * The ordering is as follows:
++ *    * No-encryption cipher suites last
++ *    * Export/weak/obsolete cipher suites before no-encryption cipher suites
++ *    * Order by key exchange algorithm: ECDHE, then DHE, then ECDH, RSA.
++ *    * Within key agreement sections, order by symmetric encryption algorithm:
++ *      AES-128, then Camellia-128, then AES-256, then Camellia-256, then SEED,
++ *      then FIPS-3DES, then 3DES, then RC4. AES is commonly accepted as a
++ *      strong cipher internationally, and is often hardware-accelerated.
++ *      Camellia also has wide international support across standards
++ *      organizations. SEED is only recommended by the Korean government. 3DES
++ *      only provides 112 bits of security. RC4 is now deprecated or forbidden
++ *      by many standards organizations.
++ *    * Within symmetric algorithm sections, order by message authentication
++ *      algorithm: GCM, then HMAC-SHA1, then HMAC-SHA256, then HMAC-MD5.
++ *    * Within message authentication algorithm sections, order by asymmetric
++ *      signature algorithm: ECDSA, then RSA, then DSS.
++ *
++ * Exception: Because some servers ignore the high-order byte of the cipher
++ * suite ID, we must be careful about adding cipher suites with IDs larger
++ * than 0x00ff; see bug 946147. For these broken servers, the first four cipher
++ * suites, with the MSB zeroed, look like:
++ *      TLS_KRB5_EXPORT_WITH_RC4_40_MD5 {0x00,0x2B }
++ *      TLS_RSA_WITH_AES_128_CBC_SHA { 0x00,0x2F }
++ *      TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }
++ *      TLS_RSA_WITH_DES_CBC_SHA { 0x00,0x09 }
++ * The broken server only supports the third and fourth ones and will select
++ * the third one.
+  */
+ const PRUint16 SSL_ImplementedCiphers[] = {
+-    /* AES-GCM */
+ #ifdef NSS_ENABLE_ECC
+     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+-#endif /* NSS_ENABLE_ECC */
+-    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+-    TLS_RSA_WITH_AES_128_GCM_SHA256,
+-
+-    /* 256-bit */
+-#ifdef NSS_ENABLE_ECC
++    /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
++     * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147.
++     */
+     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+-    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+-#endif /* NSS_ENABLE_ECC */
+-    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+-    TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+-    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+-    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+-    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+-#ifdef NSS_ENABLE_ECC
+-    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+-    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+-#endif /* NSS_ENABLE_ECC */
+-    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+-    TLS_RSA_WITH_AES_256_CBC_SHA,
+-    TLS_RSA_WITH_AES_256_CBC_SHA256,
+-
+-    /* 128-bit */
+-#ifdef NSS_ENABLE_ECC
+     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+-    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+-    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
++    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
++    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
++    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
++    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
++    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+ #endif /* NSS_ENABLE_ECC */
+-    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+-    TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
++
++    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+-    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+     TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
++    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
++    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
++    TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
++    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
++    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
++    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
++    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
++    TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
++    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
++    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+     TLS_DHE_DSS_WITH_RC4_128_SHA,
++
+ #ifdef NSS_ENABLE_ECC
+-    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+-    TLS_ECDH_RSA_WITH_RC4_128_SHA,
+     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
++    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
++    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
++    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
++    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
++    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+     TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
++    TLS_ECDH_RSA_WITH_RC4_128_SHA,
+ #endif /* NSS_ENABLE_ECC */
+-    TLS_RSA_WITH_SEED_CBC_SHA,
+-    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
++
++    TLS_RSA_WITH_AES_128_GCM_SHA256,
+     TLS_RSA_WITH_AES_128_CBC_SHA,
+     TLS_RSA_WITH_AES_128_CBC_SHA256,
+-    SSL_RSA_WITH_RC4_128_SHA,
+-    SSL_RSA_WITH_RC4_128_MD5,
+-
+-    /* 112-bit 3DES */
+-#ifdef NSS_ENABLE_ECC
+-    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+-    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+-#endif /* NSS_ENABLE_ECC */
+-    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+-    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+-#ifdef NSS_ENABLE_ECC
+-    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+-    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+-#endif /* NSS_ENABLE_ECC */
++    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
++    TLS_RSA_WITH_AES_256_CBC_SHA,
++    TLS_RSA_WITH_AES_256_CBC_SHA256,
++    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
++    TLS_RSA_WITH_SEED_CBC_SHA,
+     SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
+     SSL_RSA_WITH_3DES_EDE_CBC_SHA,
++    SSL_RSA_WITH_RC4_128_SHA,
++    SSL_RSA_WITH_RC4_128_MD5,
+ 
+     /* 56-bit DES "domestic" cipher suites */
+     SSL_DHE_RSA_WITH_DES_CBC_SHA,
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/sslimpl.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/sslimpl.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/sslimpl.h	2014-02-10 01:12:09.964982448 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/sslimpl.h	2014-02-10 01:13:33.093518591 +0400
+@@ -587,7 +587,17 @@
+ } Cached;
+ 
+ struct sslSessionIDStr {
++    /* The global cache lock must be held when accessing these members when the
++     * sid is in any cache.
++     */
+     sslSessionID *        next;   /* chain used for client sockets, only */
++    Cached                cached;
++    int                   references;
++    PRUint32              lastAccessTime;	/* seconds since Jan 1, 1970 */
++
++    /* The rest of the members, except for the members of u.ssl3.locked, may
++     * be modified only when the sid is not in any cache.
++     */
+ 
+     CERTCertificate *     peerCert;
+     SECItemArray          peerCertStatus; /* client only */
+@@ -601,10 +611,7 @@
+     SSL3ProtocolVersion   version;
+ 
+     PRUint32              creationTime;		/* seconds since Jan 1, 1970 */
+-    PRUint32              lastAccessTime;	/* seconds since Jan 1, 1970 */
+     PRUint32              expirationTime;	/* seconds since Jan 1, 1970 */
+-    Cached                cached;
+-    int                   references;
+ 
+     SSLSignType           authAlgorithm;
+     PRUint32              authKeyBits;
+@@ -670,16 +677,29 @@
+             char              masterValid;
+ 	    char              clAuthValid;
+ 
+-	    /* Session ticket if we have one, is sent as an extension in the
+-	     * ClientHello message.  This field is used by clients.
++	    SECItem           srvName;
++
++	    /* This lock is lazily initialized by CacheSID when a sid is first
++	     * cached. Before then, there is no need to lock anything because
++	     * the sid isn't being shared by anything.
++	     */
++	    PRRWLock *lock;
++
++	    /* The lock must be held while reading or writing these members
++	     * because they change while the sid is cached.
++	     */
++	    struct {
++		/* The session ticket, if we have one, is sent as an extension
++		 * in the ClientHello message. This field is used only by
++		 * clients. It is protected by lock when lock is non-null
++		 * (after the sid has been added to the client session cache).
+ 	     */
+ 	    NewSessionTicket  sessionTicket;
+-            SECItem           srvName;
++	    } locked;
+ 	} ssl3;
+     } u;
+ };
+ 
+-
+ typedef struct ssl3CipherSuiteDefStr {
+     ssl3CipherSuite          cipher_suite;
+     SSL3BulkCipher           bulk_cipher_alg;
+@@ -759,6 +779,7 @@
+     /* SessionTicket Extension related data. */
+     PRBool ticketTimestampVerified;
+     PRBool emptySessionTicket;
++    PRBool sentSessionTicketInClientHello;
+ 
+     /* SNI Extension related data
+      * Names data is not coppied from the input buffer. It can not be
+@@ -817,6 +838,10 @@
+      * SSL 3.0 - TLS 1.1 use both |md5| and |sha|. |md5| is used for MD5 and
+      * |sha| for SHA-1.
+      * TLS 1.2 and later use only |sha|, for SHA-256. */
++    /* NOTE: On the client side, TLS 1.2 and later use |md5| as a backup
++     * handshake hash for generating client auth signatures. Confusingly, the
++     * backup hash function is SHA-1. */
++#define backupHash md5
+     PK11Context *         md5;
+     PK11Context *         sha;
+ 
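Review bot: `#define backupHash md5` is an object-like macro placed inside a struct body in sslimpl.h, so from this line onward every translation unit that includes the header has any identifier spelled `backupHash` rewritten to `md5`, not only accesses to this member. The alias also means a SHA-1 context lives in a field named `md5`, which is easy to misread when auditing which hash signs client auth. At minimum the define deserves its own warning, e.g. `/* file-wide alias, not a member: expands everywhere below this point */`. A small accessor for the backup context would avoid the preprocessor entirely. The struct itself begins and ends outside the hunk.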
+@@ -837,6 +862,14 @@
+     PRBool                sendingSCSV; /* instead of empty RI */
+     sslBuffer             msgState;    /* current state for handshake messages*/
+                                        /* protected by recvBufLock */
++
++    /* The session ticket received in a NewSessionTicket message is temporarily
++     * stored in newSessionTicket until the handshake is finished; then it is
++     * moved to the sid.
++     */
++    PRBool                receivedNewSessionTicket;
++    NewSessionTicket      newSessionTicket;
++
+     PRUint16              finishedBytes; /* size of single finished below */
+     union {
+ 	TLSFinished       tFinished[2]; /* client, then server */
+@@ -855,6 +888,8 @@
+     /* Shared state between ssl3_HandleFinished and ssl3_FinishHandshake */
+     PRBool                cacheSID;
+ 
++    PRBool                canFalseStart;   /* Can/did we False Start */
++
+     /* clientSigAndHash contains the contents of the signature_algorithms
+      * extension (if any) from the client. This is only valid for TLS 1.2
+      * or later. */
+@@ -1129,6 +1164,10 @@
+     unsigned long    clientAuthRequested;
+     unsigned long    delayDisabled;       /* Nagle delay disabled */
+     unsigned long    firstHsDone;         /* first handshake is complete. */
++    unsigned long    enoughFirstHsDone;   /* enough of the first handshake is
++					   * done for callbacks to be able to
++					   * retrieve channel security
++					   * parameters from the SSL socket. */
+     unsigned long    handshakeBegun;     
+     unsigned long    lastWriteBlocked;   
+     unsigned long    recvdCloseNotify;    /* received SSL EOF. */
+@@ -1169,6 +1208,8 @@
+     void                     *badCertArg;
+     SSLHandshakeCallback      handshakeCallback;
+     void                     *handshakeCallbackData;
++    SSLCanFalseStartCallback  canFalseStartCallback;
++    void                     *canFalseStartCallbackData;
+     void                     *pkcs11PinArg;
+     SSLNextProtoCallback      nextProtoCallback;
+     void                     *nextProtoArg;
+@@ -1371,7 +1412,19 @@
+ 
+ extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
+ 
+-extern PRBool    ssl3_CanFalseStart(sslSocket *ss);
++extern void      ssl_FinishHandshake(sslSocket *ss);
++
++/* Returns PR_TRUE if we are still waiting for the server to respond to our
++ * client second round. Once we've received any part of the server's second
++ * round then we don't bother trying to false start since it is almost always
++ * the case that the NewSessionTicket, ChangeCipherSoec, and Finished messages
++ * were sent in the same packet and we want to process them all at the same
++ * time. If we were to try to false start in the middle of the server's second
++ * round, then we would increase the number of I/O operations
++ * (SSL_ForceHandshake/PR_Recv/PR_Send/etc.) needed to finish the handshake.
++ */
++extern PRBool    ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss);
++
+ extern SECStatus
+ ssl3_CompressMACEncryptRecord(ssl3CipherSpec *   cwSpec,
+ 		              PRBool             isServer,
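Review bot: The new comment above ssl3_WaitingForStartOfServerSecondRound misspells the handshake message as `ChangeCipherSoec`. Anyone searching the tree for ChangeCipherSpec handling will miss this explanation of when false start is suppressed. The line should read `* the case that the NewSessionTicket, ChangeCipherSpec, and Finished messages`.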
+@@ -1722,8 +1775,8 @@
+ 
+ /* Hello Extension related routines. */
+ extern PRBool ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type);
+-extern SECStatus ssl3_SetSIDSessionTicket(sslSessionID *sid,
+-			NewSessionTicket *session_ticket);
++extern void ssl3_SetSIDSessionTicket(sslSessionID *sid,
++			/*in/out*/ NewSessionTicket *session_ticket);
+ extern SECStatus ssl3_SendNewSessionTicket(sslSocket *ss);
+ extern PRBool ssl_GetSessionTicketKeys(unsigned char *keyName,
+ 			unsigned char *encKey, unsigned char *macKey);
+@@ -1826,6 +1879,10 @@
+ 
+ /********************** misc calls *********************/
+ 
++#ifdef DEBUG
++extern void ssl3_CheckCipherSuiteOrderConsistency();
++#endif
++
+ extern int ssl_MapLowLevelError(int hiLevelError);
+ 
+ extern PRUint32 ssl_Time(void);
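Review bot: `extern void ssl3_CheckCipherSuiteOrderConsistency();` declares the function with an empty parameter list, which in C is an old-style declaration without a prototype, so the compiler will not diagnose a call that passes arguments. The neighbouring declaration `ssl_Time(void)` already uses the prototype form, and this one should match: `extern void ssl3_CheckCipherSuiteOrderConsistency(void);`. Since the check is declared and, in the sslinit.c hunk, called only under `#ifdef DEBUG`, a one-line comment that release builds never verify the table ordering would also help.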
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/sslinfo.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/sslinfo.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/sslinfo.c	2014-02-10 01:12:09.964982448 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/sslinfo.c	2014-02-10 01:13:33.094518573 +0400
+@@ -26,7 +26,6 @@
+     sslSocket *      ss;
+     SSLChannelInfo   inf;
+     sslSessionID *   sid;
+-    PRBool           enoughFirstHsDone = PR_FALSE;
+ 
+     if (!info || len < sizeof inf.length) { 
+ 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+@@ -43,14 +42,7 @@
+     memset(&inf, 0, sizeof inf);
+     inf.length = PR_MIN(sizeof inf, len);
+ 
+-    if (ss->firstHsDone) {
+-	enoughFirstHsDone = PR_TRUE;
+-    } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
+-	       ssl3_CanFalseStart(ss)) {
+-	enoughFirstHsDone = PR_TRUE;
+-    }
+-
+-    if (ss->opt.useSecurity && enoughFirstHsDone) {
++    if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
+         sid = ss->sec.ci.sid;
+ 	inf.protocolVersion  = ss->version;
+ 	inf.authKeyBits      = ss->sec.authKeyBits;
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/sslinit.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/sslinit.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/sslinit.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/sslinit.c	2014-02-10 01:13:33.094518573 +0400
+@@ -22,6 +22,11 @@
+ 	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+ 	    return (SECFailure);
+ 	}
++
++#ifdef DEBUG
++        ssl3_CheckCipherSuiteOrderConsistency();
++#endif
++
+ 	ssl_inited = 1;
+     }
+     return SECSuccess;
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/sslnonce.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/sslnonce.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/sslnonce.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/sslnonce.c	2014-02-10 01:13:33.094518573 +0400
+@@ -173,7 +173,20 @@
+     if (sid->version < SSL_LIBRARY_VERSION_3_0) {
+ 	SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE);
+ 	SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE);
++    } else {
++        if (sid->u.ssl3.locked.sessionTicket.ticket.data) {
++            SECITEM_FreeItem(&sid->u.ssl3.locked.sessionTicket.ticket,
++                             PR_FALSE);
++        }
++        if (sid->u.ssl3.srvName.data) {
++            SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
+     }
++
++        if (sid->u.ssl3.lock) {
++            PR_DestroyRWLock(sid->u.ssl3.lock);
++        }
++    }
++
+     if (sid->peerID != NULL)
+ 	PORT_Free((void *)sid->peerID);		/* CONST */
+ 
+@@ -190,12 +203,6 @@
+     if ( sid->localCert ) {
+ 	CERT_DestroyCertificate(sid->localCert);
+     }
+-    if (sid->u.ssl3.sessionTicket.ticket.data) {
+-	SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
+-    }
+-    if (sid->u.ssl3.srvName.data) {
+-	SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
+-    }
+     
+     PORT_ZFree(sid, sizeof(sslSessionID));
+ }
+@@ -307,6 +314,9 @@
+ CacheSID(sslSessionID *sid)
+ {
+     PRUint32  expirationPeriod;
++
++    PORT_Assert(sid->cached == never_cached);
++
+     SSL_TRC(8, ("SSL: Cache: sid=0x%x cached=%d addr=0x%08x%08x%08x%08x port=0x%04x "
+ 		"time=%x cached=%d",
+ 		sid, sid->cached, sid->addr.pr_s6_addr32[0], 
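Review bot: `PORT_Assert(sid->cached == never_cached)` replaces a runtime guard with a debug-only one, because the next hunk deletes the `if (sid->cached == in_client_cache) return;` early exit. In an optimized build, a caller that passes an already cached sid would run the whole function again, including the later hunk's unconditional `sid->u.ssl3.lock = PR_NewRWLock(...)`, which would overwrite a lock pointer that may be in use. The sslcon.c call sites in this patch test `cached` first, but other callers are not visible here. Keeping a cheap runtime check after the assertion, `if (sid->cached != never_cached) return;`, preserves the old safety net. CacheSID's body continues outside this hunk.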
+@@ -314,9 +324,6 @@
+ 		sid->addr.pr_s6_addr32[3],  sid->port, sid->creationTime,
+ 		sid->cached));
+ 
+-    if (sid->cached == in_client_cache)
+-	return;
+-
+     if (!sid->urlSvrName) {
+         /* don't cache this SID because it can never be matched */
+         return;
+@@ -333,8 +340,9 @@
+ 		  sid->u.ssl2.cipherArg.data, sid->u.ssl2.cipherArg.len));
+     } else {
+ 	if (sid->u.ssl3.sessionIDLength == 0 &&
+-	    sid->u.ssl3.sessionTicket.ticket.data == NULL)
++	    sid->u.ssl3.locked.sessionTicket.ticket.data == NULL)
+ 	    return;
++
+ 	/* Client generates the SessionID if this was a stateless resume. */
+ 	if (sid->u.ssl3.sessionIDLength == 0) {
+ 	    SECStatus rv;
+@@ -347,6 +355,11 @@
+ 	expirationPeriod = ssl3_sid_timeout;
+ 	PRINT_BUF(8, (0, "sessionID:",
+ 		      sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength));
++
++	sid->u.ssl3.lock = PR_NewRWLock(PR_RWLOCK_RANK_NONE, NULL);
++	if (!sid->u.ssl3.lock) {
++	    return;
++	}
+     }
+     PORT_Assert(sid->creationTime != 0 && sid->expirationTime != 0);
+     if (!sid->creationTime)
+@@ -470,35 +483,38 @@
+     return myTime;
+ }
+ 
+-SECStatus
+-ssl3_SetSIDSessionTicket(sslSessionID *sid, NewSessionTicket *session_ticket)
++void
++ssl3_SetSIDSessionTicket(sslSessionID *sid,
++                         /*in/out*/ NewSessionTicket *newSessionTicket)
+ {
+-    SECStatus rv;
++    PORT_Assert(sid);
++    PORT_Assert(newSessionTicket);
+ 
+-    /* We need to lock the cache, as this sid might already be in the cache. */
+-    LOCK_CACHE;
++    /* if sid->u.ssl3.lock, we are updating an existing entry that is already
++     * cached or was once cached, so we need to acquire and release the write
++     * lock. Otherwise, this is a new session that isn't shared with anything
++     * yet, so no locking is needed.
++     */
++    if (sid->u.ssl3.lock) {
++	PR_RWLock_Wlock(sid->u.ssl3.lock);
+ 
+     /* A server might have sent us an empty ticket, which has the
+      * effect of clearing the previously known ticket.
+      */
+-    if (sid->u.ssl3.sessionTicket.ticket.data)
+-	SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
+-    if (session_ticket->ticket.len > 0) {
+-	rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.sessionTicket.ticket,
+-	    &session_ticket->ticket);
+-	if (rv != SECSuccess) {
+-	    UNLOCK_CACHE;
+-	    return rv;
++	if (sid->u.ssl3.locked.sessionTicket.ticket.data) {
++	    SECITEM_FreeItem(&sid->u.ssl3.locked.sessionTicket.ticket,
++			     PR_FALSE);
+ 	}
+-    } else {
+-	sid->u.ssl3.sessionTicket.ticket.data = NULL;
+-	sid->u.ssl3.sessionTicket.ticket.len = 0;
+     }
+-    sid->u.ssl3.sessionTicket.received_timestamp =
+-	session_ticket->received_timestamp;
+-    sid->u.ssl3.sessionTicket.ticket_lifetime_hint =
+-	session_ticket->ticket_lifetime_hint;
+ 
+-    UNLOCK_CACHE;
+-    return SECSuccess;
++    PORT_Assert(!sid->u.ssl3.locked.sessionTicket.ticket.data);
++
++    /* Do a shallow copy, moving the ticket data. */
++    sid->u.ssl3.locked.sessionTicket = *newSessionTicket;
++    newSessionTicket->ticket.data = NULL;
++    newSessionTicket->ticket.len = 0;
++
++    if (sid->u.ssl3.lock) {
++	PR_RWLock_Unlock(sid->u.ssl3.lock);
++    }
+ }
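Review bot: In the rewritten ssl3_SetSIDSessionTicket the old ticket is freed only inside `if (sid->u.ssl3.lock)`, so for a sid that has no lock yet the following `PORT_Assert(!sid->u.ssl3.locked.sessionTicket.ticket.data)` is the only protection. In non-debug builds the shallow copy would then overwrite and leak an existing ticket buffer. Whether an uncached sid can already hold a ticket is not visible here, but the free does not depend on the lock and can move out of the conditional: take the write lock if present, then unconditionally run `if (sid->u.ssl3.locked.sessionTicket.ticket.data) SECITEM_FreeItem(&sid->u.ssl3.locked.sessionTicket.ticket, PR_FALSE);`. The function now returns void and empties the caller's `newSessionTicket`, so a header comment stating that ownership of the ticket data moves to the sid would make the `/*in/out*/` marker clear.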
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/sslsecur.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/sslsecur.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/sslsecur.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/sslsecur.c	2014-02-10 01:13:33.095518555 +0400
+@@ -97,23 +97,13 @@
+ 	    ss->securityHandshake = 0;
+ 	}
+ 	if (ss->handshake == 0) {
++	    /* for v3 this is done in ssl3_FinishHandshake */
++	    if (!ss->firstHsDone && ss->version < SSL_LIBRARY_VERSION_3_0) {
+ 	    ssl_GetRecvBufLock(ss);
+ 	    ss->gs.recordLen = 0;
++		ssl_FinishHandshake(ss);
+ 	    ssl_ReleaseRecvBufLock(ss);
+-
+-	    SSL_TRC(3, ("%d: SSL[%d]: handshake is completed",
+-			SSL_GETPID(), ss->fd));
+-            /* call handshake callback for ssl v2 */
+-	    /* for v3 this is done in ssl3_HandleFinished() */
+-	    if ((ss->handshakeCallback != NULL) && /* has callback */
+-		(!ss->firstHsDone) &&              /* only first time */
+-		(ss->version < SSL_LIBRARY_VERSION_3_0)) {  /* not ssl3 */
+-		ss->firstHsDone     = PR_TRUE;
+-		(ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+ 	    }
+-	    ss->firstHsDone         = PR_TRUE;
+-	    ss->gs.writeOffset = 0;
+-	    ss->gs.readOffset  = 0;
+ 	    break;
+ 	}
+ 	rv = (*ss->handshake)(ss);
+@@ -134,6 +124,24 @@
+     return rv;
+ }
+ 
++void
++ssl_FinishHandshake(sslSocket *ss)
++{
++    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
++    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
++
++    SSL_TRC(3, ("%d: SSL[%d]: handshake is completed", SSL_GETPID(), ss->fd));
++
++    ss->firstHsDone = PR_TRUE;
++    ss->enoughFirstHsDone = PR_TRUE;
++    ss->gs.writeOffset = 0;
++    ss->gs.readOffset  = 0;
++
++    if (ss->handshakeCallback) {
++	(ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
++    }
++}
++
+ /*
+  * Handshake function that blocks.  Used to force a
+  * retry on a connection on the next read/write.
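Review bot: The new ssl_FinishHandshake has no header comment, although its two assertions show that it has locking preconditions and it runs application code. I would add `/* Caller must hold 1stHandshakeLock and RecvBufLock (unless opt.noLocks). Marks the first handshake complete, resets the gather offsets, then invokes the application's handshake callback with those locks still held. */` above the definition. Saying this explicitly matters for anyone writing a handshake callback that calls back into the socket.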
+@@ -206,6 +214,7 @@
+     ssl_Get1stHandshakeLock(ss);
+ 
+     ss->firstHsDone = PR_FALSE;
++    ss->enoughFirstHsDone = PR_FALSE;
+     if ( asServer ) {
+ 	ss->handshake = ssl2_BeginServerHandshake;
+ 	ss->handshaking = sslHandshakingAsServer;
+@@ -221,6 +230,8 @@
+     ssl_ReleaseRecvBufLock(ss);
+ 
+     ssl_GetSSL3HandshakeLock(ss);
++    ss->ssl3.hs.canFalseStart = PR_FALSE;
++    ss->ssl3.hs.restartTarget = NULL;
+ 
+     /*
+     ** Blow away old security state and get a fresh setup.
+@@ -266,7 +277,7 @@
+ 
+     /* SSL v2 protocol does not support subsequent handshakes. */
+     if (ss->version < SSL_LIBRARY_VERSION_3_0) {
+-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
++	PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
+ 	rv = SECFailure;
+     } else {
+ 	ssl_GetSSL3HandshakeLock(ss);
+@@ -331,6 +342,71 @@
+     return SECSuccess;
+ }
+ 
++/* Register an application callback to be called when false start may happen.
++** Acquires and releases HandshakeLock.
++*/
++SECStatus
++SSL_SetCanFalseStartCallback(PRFileDesc *fd, SSLCanFalseStartCallback cb,
++			     void *arg)
++{
++    sslSocket *ss;
++
++    ss = ssl_FindSocket(fd);
++    if (!ss) {
++	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCanFalseStartCallback",
++		 SSL_GETPID(), fd));
++	return SECFailure;
++    }
++
++    if (!ss->opt.useSecurity) {
++	PORT_SetError(SEC_ERROR_INVALID_ARGS);
++	return SECFailure;
++    }
++
++    ssl_Get1stHandshakeLock(ss);
++    ssl_GetSSL3HandshakeLock(ss);
++
++    ss->canFalseStartCallback     = cb;
++    ss->canFalseStartCallbackData = arg;
++
++    ssl_ReleaseSSL3HandshakeLock(ss);
++    ssl_Release1stHandshakeLock(ss);
++
++    return SECSuccess;
++}
++
++SECStatus
++SSL_RecommendedCanFalseStart(PRFileDesc *fd, PRBool *canFalseStart)
++{
++    sslSocket *ss;
++
++    *canFalseStart = PR_FALSE;
++    ss = ssl_FindSocket(fd);
++    if (!ss) {
++	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_RecommendedCanFalseStart",
++		 SSL_GETPID(), fd));
++	return SECFailure;
++    }
++
++    if (!ss->ssl3.initialized) {
++	PORT_SetError(SEC_ERROR_INVALID_ARGS);
++	return SECFailure;
++    }
++
++    if (ss->version < SSL_LIBRARY_VERSION_3_0) {
++	PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
++	return SECFailure;
++    }
++
++    /* Require a forward-secret key exchange. */
++    *canFalseStart = ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
++		     ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
++		     ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
++		     ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa;
++
++    return SECSuccess;
++}
++
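Review bot: SSL_RecommendedCanFalseStart dereferences two pointers it never validates. `*canFalseStart = PR_FALSE` runs before any argument check, and `ss->ssl3.hs.kea_def->kea` is read without a NULL test and without the SSL3 handshake lock that SSL_SetCanFalseStartCallback just above takes. If an application calls it before a cipher suite has been selected, kea_def may still be unset; that is an assumption, since its initialisation is not in this hunk. A guard placed after the socket lookup, `if (!canFalseStart || !ss->ssl3.hs.kea_def) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }`, with the initial store moved below it, would cover both. The recommendation also looks only at the key exchange, so DHE and ECDHE suites with RC4 or 3DES, which the sslenum.c comment in this patch describes as deprecated or 112-bit, are still recommended; a doc comment should tell callers to vet the bulk cipher themselves.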
+ /* Try to make progress on an SSL handshake by attempting to read the 
+ ** next handshake from the peer, and sending any responses.
+ ** For non-blocking sockets, returns PR_ERROR_WOULD_BLOCK  if it cannot 
+@@ -524,6 +600,9 @@
+     int              amount;
+     int              available;
+ 
++    /* ssl3_GatherAppDataRecord may call ssl_FinishHandshake, which needs the
++     * 1stHandshakeLock. */
++    ssl_Get1stHandshakeLock(ss);
+     ssl_GetRecvBufLock(ss);
+ 
+     available = ss->gs.writeOffset - ss->gs.readOffset;
+@@ -590,6 +669,7 @@
+ 
+ done:
+     ssl_ReleaseRecvBufLock(ss);
++    ssl_Release1stHandshakeLock(ss);
+     return rv;
+ }
+ 
+@@ -1191,19 +1271,15 @@
+     	ss->writerThread = PR_GetCurrentThread();
+     /* If any of these is non-zero, the initial handshake is not done. */
+     if (!ss->firstHsDone) {
+-	PRBool canFalseStart = PR_FALSE;
++	PRBool falseStart = PR_FALSE;
+ 	ssl_Get1stHandshakeLock(ss);
+-	if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
++	if (ss->opt.enableFalseStart &&
++	    ss->version >= SSL_LIBRARY_VERSION_3_0) {
+ 	    ssl_GetSSL3HandshakeLock(ss);
+-	    if ((ss->ssl3.hs.ws == wait_change_cipher ||
+-		ss->ssl3.hs.ws == wait_finished ||
+-		ss->ssl3.hs.ws == wait_new_session_ticket) &&
+-		ssl3_CanFalseStart(ss)) {
+-		canFalseStart = PR_TRUE;
+-	    }
++	    falseStart = ss->ssl3.hs.canFalseStart;
+ 	    ssl_ReleaseSSL3HandshakeLock(ss);
+ 	}
+-	if (!canFalseStart &&
++	if (!falseStart &&
+ 	    (ss->handshake || ss->nextHandshake || ss->securityHandshake)) {
+ 	    rv = ssl_Do1stHandshake(ss);
+ 	}
+@@ -1228,6 +1304,17 @@
+ 	goto done;
+     }
+ 
++    if (!ss->firstHsDone) {
++	PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_3_0);
++#ifdef DEBUG
++	ssl_GetSSL3HandshakeLock(ss);
++	PORT_Assert(ss->ssl3.hs.canFalseStart);
++	ssl_ReleaseSSL3HandshakeLock(ss);
++#endif
++	SSL_TRC(3, ("%d: SSL[%d]: SecureSend: sending data due to false start",
++		    SSL_GETPID(), ss->fd));
++    }
++
+     /* Send out the data using one of these functions:
+      *	ssl2_SendClear, ssl2_SendStream, ssl2_SendBlock, 
+      *  ssl3_SendApplicationData
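Review bot: The rule that application data may leave before `firstHsDone` only when false start was granted is enforced here solely by `PORT_Assert`, and the `canFalseStart` test is additionally wrapped in `#ifdef DEBUG`. An optimized build that reaches this block in any other state just traces and sends. Because sending early is a security decision, consider a runtime check under the SSL3 handshake lock that sets an error and takes the existing `goto done` path when `ss->ssl3.hs.canFalseStart` is false. The surrounding function starts and ends outside the hunk, so the earlier handshake branch may already make this unreachable; if so, a comment saying that would be enough.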
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/sslsock.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/sslsock.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/ssl/sslsock.c	2014-02-10 01:12:09.965982431 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/ssl/sslsock.c	2014-02-10 01:13:33.095518555 +0400
+@@ -267,6 +267,8 @@
+ 	    ss->badCertArg            = os->badCertArg;
+ 	    ss->handshakeCallback     = os->handshakeCallback;
+ 	    ss->handshakeCallbackData = os->handshakeCallbackData;
++	    ss->canFalseStartCallback = os->canFalseStartCallback;
++	    ss->canFalseStartCallbackData = os->canFalseStartCallbackData;
+ 	    ss->pkcs11PinArg          = os->pkcs11PinArg;
+     
+ 	    /* Create security data */
+@@ -2259,9 +2261,13 @@
+ 	    } else if (new_flags & PR_POLL_WRITE) {
+ 		    /* The caller is trying to write, but the handshake is 
+ 		    ** blocked waiting for data to read, and the first 
+-		    ** handshake has been sent.  so do NOT to poll on write.
++		    ** handshake has been sent.  So do NOT to poll on write
++		    ** unless we did false start.
+ 		    */
++		    if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 &&
++			ss->ssl3.hs.canFalseStart)) {
+ 		    new_flags ^=  PR_POLL_WRITE;   /* don't select on write. */
++		    }
+ 		    new_flags |=  PR_POLL_READ;	   /* do    select on read. */
+ 	    }
+ 	}
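Review bot: `ss->ssl3.hs.canFalseStart` is read here with no handshake lock visible, whereas the sslsecur.c hunk of this patch reads the same field only between ssl_GetSSL3HandshakeLock and ssl_ReleaseSSL3HandshakeLock. If the poll path deliberately avoids locks, note it next to the test, for example `/* unlocked read: a stale value only affects which poll flags are requested */` (to be confirmed by the author). The reworded comment also still says "do NOT to poll"; the intended sentence is `So do NOT poll on write unless we did false start.` The enclosing function lies outside the hunk.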
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/util/nssutil.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/util/nssutil.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/util/nssutil.h	2014-02-10 01:12:14.137908477 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/util/nssutil.h	2014-02-10 01:13:33.095518555 +0400
+@@ -19,11 +19,11 @@
+  * The format of the version string should be
+  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
+  */
+-#define NSSUTIL_VERSION  "3.15.3.1"
++#define NSSUTIL_VERSION  "3.15.4"
+ #define NSSUTIL_VMAJOR   3
+ #define NSSUTIL_VMINOR   15
+-#define NSSUTIL_VPATCH   3
+-#define NSSUTIL_VBUILD   1
++#define NSSUTIL_VPATCH   4
++#define NSSUTIL_VBUILD   0
+ #define NSSUTIL_BETA     PR_FALSE
+ 
+ SEC_BEGIN_PROTOS
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/util/secdig.c seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/util/secdig.c
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/util/secdig.c	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/util/secdig.c	2014-02-10 01:13:33.095518555 +0400
+@@ -29,7 +29,8 @@
+ }
+ 
+ SGNDigestInfo *
+-SGN_CreateDigestInfo(SECOidTag algorithm, unsigned char *sig, unsigned len)
++SGN_CreateDigestInfo(SECOidTag algorithm, const unsigned char *sig,
++                     unsigned len)
+ {
+     SGNDigestInfo *di;
+     SECStatus rv;
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/util/secdig.h seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/util/secdig.h
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/lib/util/secdig.h	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/lib/util/secdig.h	2014-02-10 01:13:33.095518555 +0400
+@@ -40,7 +40,7 @@
+ ** I think that is all anybody ever wants to do anyway.
+ */
+ extern SGNDigestInfo *SGN_CreateDigestInfo(SECOidTag algorithm,
+-					   unsigned char *sig,
++					   const unsigned char *sig,
+ 					   unsigned int sigLen);
+ 
+ /*
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/tests/chains/chains.sh seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/tests/chains/chains.sh
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/tests/chains/chains.sh	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/tests/chains/chains.sh	2014-02-10 01:13:33.096518537 +0400
+@@ -111,13 +111,22 @@
+ ########################################################################
+ start_httpserv()
+ {
++  HTTP_METHOD=$1
++
+   if [ -n "$testname" ] ; then
+       echo "$SCRIPTNAME: $testname ----"
+   fi
+   echo "httpserv starting at `date`"
++  ODDIR="${HOSTDIR}/chains/OCSPD"
+   echo "httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \\"
++  echo "         -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \\"
++  echo "         -A OCSPCA2  -C ${ODDIR}/OCSPCA2.crl  -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \\"
++  echo "         -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \\"
+   echo "         -i ${HTTPPID} $verbose &"
+   ${PROFTOOL} ${BINDIR}/httpserv -D -p ${NSS_AIA_PORT} ${SERVER_OPTIONS} \
++                 -A OCSPRoot -C ${ODDIR}/OCSPRoot.crl -A OCSPCA1 -C ${ODDIR}/OCSPCA1.crl \
++                 -A OCSPCA2  -C ${ODDIR}/OCSPCA2.crl  -A OCSPCA3 -C ${ODDIR}/OCSPCA3.crl \
++                 -O ${HTTP_METHOD} -d ${ODDIR}/ServerDB/ -f ${ODDIR}/ServerDB/dbpasswd \
+                  -i ${HTTPPID} $verbose &
+   RET=$?
+ 
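Review bot: `start_httpserv` takes the OCSP method from `$1` without checking it and expands it unquoted in `-O ${HTTP_METHOD}`. If the function is ever called without an argument, the option list collapses to `-O -d ...`, and the next flag would presumably be consumed as the method value. A guard such as `HTTP_METHOD=${1:?start_httpserv: HTTP method required}` makes that failure explicit. The new `${ODDIR}/...` arguments derive from `HOSTDIR` and should be quoted as well. The function body continues past the end of this hunk.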
+@@ -180,8 +189,19 @@
+ 
+     DEFAULT_AIA_BASE_PORT=$(expr ${PORT:-8631} + 10)
+     NSS_AIA_PORT=${NSS_AIA_PORT:-$DEFAULT_AIA_BASE_PORT}
++    DEFAULT_UNUSED_PORT=$(expr ${PORT:-8631} + 11)
++    NSS_UNUSED_PORT=${NSS_UNUSED_PORT:-$DEFAULT_UNUSED_PORT}
+     NSS_AIA_HTTP=${NSS_AIA_HTTP:-"http://${HOSTADDR}:${NSS_AIA_PORT}"}
+     NSS_AIA_PATH=${NSS_AIA_PATH:-$HOSTDIR/aiahttp}
++    NSS_AIA_OCSP=${NSS_AIA_OCSP:-$NSS_AIA_HTTP/ocsp}
++    NSS_OCSP_UNUSED=${NSS_AIA_OCSP_UNUSED:-"http://${HOSTADDR}:${NSS_UNUSED_PORT}"}
++
++    html_head "Certificate Chains Tests"
++}
++
++chains_run_httpserv()
++{
++    HTTP_METHOD=$1
+ 
+     if [ -n "${NSS_AIA_PATH}" ]; then
+         HTTPPID=${NSS_AIA_PATH}/http_pid.$$
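Review bot: `NSS_OCSP_UNUSED` is built from `PORT + 11` on the assumption that nothing listens there, but nothing in this hunk verifies that, so the outcome of the `offline` scenarios depends on the state of the test host. The override is also read from `NSS_AIA_OCSP_UNUSED` while the variable being set is `NSS_OCSP_UNUSED`, unlike the `NSS_AIA_OCSP=${NSS_AIA_OCSP:-...}` line just above. If that is intended, a comment would help, e.g. `# NSS_OCSP_UNUSED: URL with no listener, used for "ocsp offline" entities; override via NSS_AIA_OCSP_UNUSED`. The hunk closes `chains_init` and opens `chains_run_httpserv`, whose body continues in the next hunk.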
+@@ -191,11 +211,16 @@
+         # Start_httpserv sets environment variables, which are required for
+         # correct cleanup. (Running it in a subshell doesn't work, the
+         # value of $SHELL_HTTPPID wouldn't arrive in this scope.)
+-        start_httpserv
++        start_httpserv ${HTTP_METHOD}
+         cd "${SAVEPWD}"
+     fi
++}
+ 
+-    html_head "Certificate Chains Tests"
++chains_stop_httpserv()
++{
++    if [ -n "${NSS_AIA_PATH}" ]; then
++        kill_httpserv
++    fi
+ }
+ 
+ ############################ chains_cleanup ############################
+@@ -204,10 +229,6 @@
+ ########################################################################
+ chains_cleanup()
+ {
+-    if [ -n "${NSS_AIA_PATH}" ]; then
+-        kill_httpserv
+-    fi
+-
+     html "</TABLE><BR>"
+     cd ${QADIR}
+     . common/cleanup.sh
+@@ -514,9 +535,15 @@
+     if [ -n "${OCSP}" ]; then
+         OPTIONS="${OPTIONS} --extAIA"
+ 
++	if [ "${OCSP}" = "offline" ]; then
++	    MY_OCSP_URL=${NSS_OCSP_UNUSED}
++	else
++	    MY_OCSP_URL=${NSS_AIA_OCSP}
++	fi
++
+         DATA="${DATA}2
+ 7
+-${NSS_AIA_OCSP}:${OCSP}
++${MY_OCSP_URL}
+ 0
+ n
+ n
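Review bot: Every `${OCSP}` value other than the literal `offline` falls through to `MY_OCSP_URL=${NSS_AIA_OCSP}`, so a misspelt keyword or a leftover numeric port in the old `ocsp 2599` style silently yields a certificate that points at the live responder. These scenarios assert revocation outcomes, so an explicit `elif [ "${OCSP}" = "online" ]; then` with an error branch for anything else would stop a bad scenario file from testing the wrong thing. The added lines are tab-indented inside a space-indented block. The enclosing function starts and ends outside this hunk.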
+@@ -669,7 +696,7 @@
+     KEY_NAME=$1.p12
+     DB=$2
+ 
+-    KEY_FILE=${QADIR}/libpkix/certs/${KEY_NAME}
++    KEY_FILE=../OCSPD/${KEY_NAME}
+ 
+     TESTNAME="Importing p12 key ${KEY_NAME} to ${DB} database"
+     echo "${SCRIPTNAME}: ${TESTNAME}"
+@@ -678,6 +705,18 @@
+     html_msg $? 0 "${SCENARIO}${TESTNAME}"
+ }
+ 
++export_key()
++{
++    KEY_NAME=$1.p12
++    DB=$2
++
++    TESTNAME="Exporting $1 as ${KEY_NAME} from ${DB} database"
++    echo "${SCRIPTNAME}: ${TESTNAME}"
++    echo "${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss"
++    ${BINDIR}/pk12util -d ${DB} -o ${KEY_NAME} -n $1 -k ${DB}/dbpasswd -W nssnss
++    html_msg $? 0 "${SCENARIO}${TESTNAME}"
++}
++
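Review bot: `export_key` has no header banner like the neighbouring `import_cert` block, and it writes a PKCS#12 file holding a CA private key under the fixed password `nssnss`, which the preceding `echo` also copies into the test log. That is acceptable only because these are generated, throwaway test CAs, and the function should say so, e.g. `# local shell function to export a test entity's key pair as PKCS#12; the fixed -W password is for generated test keys only`. `${DB}` and `${KEY_NAME}` are also expanded unquoted in the `pk12util` call.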
+ ############################# import_cert ##############################
+ # local shell function to import certificate into database
+ ########################################################################
+@@ -694,6 +733,10 @@
+         CERT_ISSUER=
+         CERT=${CERT_NICK}.cert
+         CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
++    elif [ "${CERT_ISSUER}" = "d" ]; then
++        CERT_ISSUER=
++        CERT=${CERT_NICK}.der
++        CERT_FILE="../OCSPD/${CERT}"
+     else
+         CERT=${CERT_NICK}${CERT_ISSUER}.der
+         CERT_FILE=${CERT}
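Review bot: The new `d` branch resolves certificates through the relative path `../OCSPD/`, which works only while the current directory is a sibling of `OCSPD`; `start_httpserv` in this same patch already names that directory absolutely as `${HOSTDIR}/chains/OCSPD`. The same relative path appears in the `KEY_FILE=../OCSPD/${KEY_NAME}` change and in the `d` branches added at `@@ -854,6 +899,10 @@` and `@@ -911,6 +960,10 @@`. Using the absolute form in all of them, e.g. `CERT_FILE="${HOSTDIR}/chains/OCSPD/${CERT}"`, would remove the dependence on the working directory. The meaning of the `d` issuer marker is not documented in the visible lines, and the enclosing function starts and ends outside this hunk.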
+@@ -805,6 +848,8 @@
+ ########################################################################
+ verify_cert()
+ {
++    ENGINE=$1
++
+     DB_OPT=
+     FETCH_OPT=
+     POLICY_OPT=
+@@ -854,6 +899,10 @@
+             CERT="${QADIR}/libpkix/certs/${CERT_NICK}.cert"
+             VFY_CERTS="${VFY_CERTS} ${CERT}"
+             VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
++        elif [ "${CERT_ISSUER}" = "d" ]; then
++            CERT="../OCSPD/${CERT_NICK}.der"
++            VFY_CERTS="${VFY_CERTS} ${CERT}"
++            VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert"
+         else
+             CERT=${CERT_NICK}${CERT_ISSUER}.der
+             VFY_CERTS="${VFY_CERTS} ${CERT}"
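Review bot: In the added `d` branch the file that gets verified is `../OCSPD/${CERT_NICK}.der`, but the name appended to `VFY_LIST` is `${CERT_NICK}.cert`, which looks copied from the branch above. `VFY_LIST` ends up in `TESTNAME`, so the report would name a file other than the one checked; `VFY_LIST="${VFY_LIST} ${CERT_NICK}.der"` would match. If the `.cert` label is kept on purpose for stable test names, a comment should say so. The loop and the function extend beyond this hunk.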
+@@ -861,8 +910,8 @@
+         fi
+     done
+ 
+-    VFY_OPTS_TNAME="${TRUST_AND_DB_OPT} ${REV_OPTS} ${DB_OPT} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
+-    VFY_OPTS_ALL="${DB_OPT} -pp -vv ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
++    VFY_OPTS_TNAME="${DB_OPT} ${ENGINE} ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
++    VFY_OPTS_ALL="${DB_OPT} ${ENGINE} -vv ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
+ 
+     TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}"
+     echo "${SCRIPTNAME}: ${TESTNAME}"
+@@ -911,6 +960,10 @@
+         CERT_ISSUER=
+         CERT=${CERT_NICK}.cert
+         CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
++    elif [ "${CERT_ISSUER}" = "d" ]; then
++        CERT_ISSUER=
++        CERT=${CERT_NICK}.der
++        CERT_FILE="../OCSPD/${CERT}"
+     else
+         CERT=${CERT_NICK}${CERT_ISSUER}.der
+         CERT_FILE=${CERT}
+@@ -918,9 +971,10 @@
+ 
+     # sample line:
+     #   URI: "http://ocsp.server:2601"
+-    OCSP_HOST=$(${BINDIR}/pp -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
+-    OCSP_PORT=$(${BINDIR}/pp -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:.*:\([0-9]*\)\"/\1/")
++    OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
++    OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")
+ 
++    echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
+     tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
+     return $?
+ }
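Review bot: `OCSP_HOST` and `OCSP_PORT` are scraped from the certificate's printed `URI` line and passed unquoted to `tstclnt` with no check that the parse produced a usable value. If the certificate carries no URI, more than one, or a URL without an explicit port, the `sed` expressions leave an empty or multi-word result and the connectivity probe runs with arguments nobody intended. A guard before the call, `[ -n "${OCSP_HOST}" ] && [ -n "${OCSP_PORT}" ] || return 1`, together with quoting both variables on the `tstclnt` line, would make that failure explicit. The start of the function is outside this hunk.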
+@@ -983,6 +1037,7 @@
+             EXT_NS=
+             EXT_EKU=
+             SERIAL=
++	    EXPORT_KEY=
+             ;;
+         "type")
+             TYPE="${VALUE}"
+@@ -1048,6 +1103,9 @@
+         "serial")
+             SERIAL="${VALUE}"
+             ;;
++	"export_key")
++	    EXPORT_KEY=1
++	    ;;
+         "copycrl")
+             COPYCRL="${VALUE}"
+             copy_crl "${COPYCRL}"
+@@ -1148,11 +1206,18 @@
+                 if [ "${TYPE}" = "Bridge" ]; then
+                     create_pkcs7 "${ENTITY}"
+                 fi
++		if [ -n "${EXPORT_KEY}" ]; then
++		    export_key "${ENTITY}" "${DB}"
++		fi
+                 ENTITY=
+             fi
+ 
+             if [ -n "${VERIFY}" ]; then
+-                verify_cert
++                verify_cert "-pp"
++		if [ -n "${VERIFY_CLASSIC_ENGINE_TOO}" ]; then
++		    verify_cert ""
++		    verify_cert "-p"
++		fi
+                 VERIFY=
+             fi
+ 
+@@ -1176,30 +1241,66 @@
+     fi
+ }
+ 
+-############################# chains_main ##############################
+-# local shell function to process all testing scenarios
+-########################################################################
+-chains_main()
++process_scenario()
+ {
+-    while read LINE 
+-    do
+-        [ `echo ${LINE} | cut -b 1` != "#" ] || continue
++    SCENARIO_FILE=$1
+ 
+         > ${AIA_FILES}
+ 
+-        parse_config < "${QADIR}/chains/scenarios/${LINE}"
++    parse_config < "${QADIR}/chains/scenarios/${SCENARIO_FILE}"
+ 
+         while read AIA_FILE
+         do
+             rm ${AIA_FILE} 2> /dev/null
+         done < ${AIA_FILES}
+         rm ${AIA_FILES}
++}
++
++# process ocspd.cfg separately
++chains_ocspd()
++{
++    process_scenario "ocspd.cfg"
++}
++
++# process ocsp.cfg separately
++chains_method()
++{
++    process_scenario "method.cfg"
++}
++
++############################# chains_main ##############################
++# local shell function to process all testing scenarios
++########################################################################
++chains_main()
++{
++    while read LINE 
++    do
++        [ `echo ${LINE} | cut -b 1` != "#" ] || continue
++
++	[ ${LINE} != 'ocspd.cfg' ] || continue
++	[ ${LINE} != 'method.cfg' ] || continue
++
++	process_scenario ${LINE}
+     done < "${CHAINS_SCENARIOS}"
+ }
+ 
+ ################################ main ##################################
+ 
+ chains_init
++VERIFY_CLASSIC_ENGINE_TOO=
++chains_ocspd
++VERIFY_CLASSIC_ENGINE_TOO=1
++chains_run_httpserv get
++chains_method
++chains_stop_httpserv
++chains_run_httpserv post
++chains_method
++chains_stop_httpserv
++VERIFY_CLASSIC_ENGINE_TOO=
++chains_run_httpserv random
++chains_main
++chains_stop_httpserv
++chains_run_httpserv get-unknown
+ chains_main
++chains_stop_httpserv
+ chains_cleanup
+-
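Review bot: The comment above `chains_method` reads `# process ocsp.cfg separately`, but the function runs `method.cfg`; it should read `# process method.cfg separately (run once per httpserv -O method)`. `process_scenario` also lacks the banner that `chains_main` carries, and its body keeps the old loop indentation on several lines. In `chains_main`, `[ ${LINE} != 'ocspd.cfg' ]` expands `${LINE}` unquoted, so a blank or multi-word line in the scenarios list makes `[` report a syntax error instead of comparing; `[ "${LINE}" != 'ocspd.cfg' ] || continue` avoids that, and likewise for the `method.cfg` test.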
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/tests/chains/ocspd-config/readme seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/tests/chains/ocspd-config/readme
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/tests/chains/ocspd-config/readme	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/tests/chains/ocspd-config/readme	2014-02-10 01:13:33.096518537 +0400
+@@ -1,18 +1,3 @@
+-This script is used to generate certificates used by ocspd.
+-
+-Some steps to run (only once - before all OCSP testing):
+-1.  Edit security/nss/tests/chains/scenarios/scenarios to have there only ocspd.cfg
+-2.  Set environment variable to run only chains tests: export NSS_TESTS=chains.sh
+-3.  Set environment variable to have the correct URI in the certificates: export NSS_AIA_OCSP=http://dochinups.us.oracle.com
+-4.  Run tests: ./all.sh
+-5.  Go to results directory: cd tests_results/security/${HOST}.${ID}/chains
+-6.  Copy ocspd-certs.sh and ocspd.conf.template to this directory
+-7.  Run: ./ocspd-certs.sh OCSPD ${OCSPD_ETC_DIR} ${LIBPKIX_CERTS_DIR}:
+-    Example: ./ocspd-certs.sh OCSPD /export/iopr/openca-ocsp-responder/etc/ocspdPKIX \
+-       ~/nss/securitytip/mozilla/security/nss/tests/libpkix/certs
+-8.  Commit the new certificates that have been generated under ~/nss/securitytip/mozilla/security/nss/tests/libpkix/certs
+-9.  Copy config files and keys/certs/crls to ocspd etc directory:
+-    cp *.conf /Volumes/dochinups.red.iplanet.com/openca-ocsp-responder/etc/ocspdPKIX
+-    cp *.pem *.key /Volumes/dochinups.red.iplanet.com/openca-ocsp-responder/etc/ocspdPKIX/OCSPD
+-10. Start ocsp deamons on dochinups (for all configs).
++OBSOLETE
+ 
++tests have been changed to use a local ocsp server (using httpserv)
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/tests/chains/scenarios/method.cfg seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/tests/chains/scenarios/method.cfg
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/tests/chains/scenarios/method.cfg	1970-01-01 03:00:00.000000000 +0300
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/tests/chains/scenarios/method.cfg	2014-02-10 01:13:33.096518537 +0400
+@@ -0,0 +1,25 @@
++# This Source Code Form is subject to the terms of the Mozilla Public
++# License, v. 2.0. If a copy of the MPL was not distributed with this
++# file, You can obtain one at http://mozilla.org/MPL/2.0/.
++
++scenario Method
++
++check_ocsp OCSPEE11OCSPCA1:d
++
++testdb ../OCSPD/Client
++
++#EE - OK, CA - OK
++verify OCSPEE11OCSPCA1:d
++  cert OCSPCA1OCSPRoot:d
++  rev_type leaf
++  rev_flags requireFreshInfo
++  rev_mtype ocsp
++  result pass
++
++#EE - revoked, CA - OK
++verify OCSPEE12OCSPCA1:d
++  cert OCSPCA1OCSPRoot:d
++  rev_type leaf
++  rev_flags requireFreshInfo
++  rev_mtype ocsp
++  result fail
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/tests/chains/scenarios/ocsp.cfg seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/tests/chains/scenarios/ocsp.cfg
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/tests/chains/scenarios/ocsp.cfg	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/tests/chains/scenarios/ocsp.cfg	2014-02-10 01:13:33.096518537 +0400
+@@ -4,10 +4,10 @@
+ 
+ scenario OCSP
+ 
+-check_ocsp OCSPEE11:x
++check_ocsp OCSPEE11OCSPCA1:d
+ 
+ db OCSPRoot
+-import OCSPRoot:x:CT,C,C
++import OCSPRoot:d:CT,C,C
+ 
+ db OCSPCA1
+ import_key OCSPCA1
+@@ -23,8 +23,8 @@
+ testdb OCSPRoot
+ 
+ #EE - OK, CA - OK
+-verify OCSPEE11:x
+-  cert OCSPCA1:x
++verify OCSPEE11OCSPCA1:d
++  cert OCSPCA1OCSPRoot:d
+   trust OCSPRoot
+   rev_type leaf
+   rev_flags requireFreshInfo
+@@ -32,8 +32,8 @@
+   result pass
+ 
+ #EE - revoked, CA - OK
+-verify OCSPEE12:x
+-  cert OCSPCA1:x
++verify OCSPEE12OCSPCA1:d
++  cert OCSPCA1OCSPRoot:d
+   trust OCSPRoot
+   rev_type leaf
+   rev_flags requireFreshInfo
+@@ -41,16 +41,16 @@
+   result fail
+ 
+ #EE - unknown 
+-verify OCSPEE15:x
+-  cert OCSPCA1:x
++verify OCSPEE15OCSPCA1:d
++  cert OCSPCA1OCSPRoot:d
+   trust OCSPRoot
+   rev_type leaf
+   rev_mtype ocsp
+   result pass
+ 
+ #EE - unknown, requireFreshInfo
+-verify OCSPEE15:x
+-  cert OCSPCA1:x
++verify OCSPEE15OCSPCA1:d
++  cert OCSPCA1OCSPRoot:d
+   trust OCSPRoot
+   rev_type leaf
+   rev_flags requireFreshInfo
+@@ -58,16 +58,16 @@
+   result fail
+ 
+ #EE - OK, CA - revoked, leaf, no fresh info
+-verify OCSPEE21:x
+-  cert OCSPCA2:x
++verify OCSPEE21OCSPCA2:d
++  cert OCSPCA2OCSPRoot:d
+   trust OCSPRoot
+   rev_type leaf
+   rev_mtype ocsp
+   result pass
+ 
+ #EE - OK, CA - revoked, leaf, requireFreshInfo
+-verify OCSPEE21:x
+-  cert OCSPCA2:x
++verify OCSPEE21OCSPCA2:d
++  cert OCSPCA2OCSPRoot:d
+   trust OCSPRoot
+   rev_type leaf
+   rev_flags requireFreshInfo
+@@ -75,8 +75,8 @@
+   result fail
+ 
+ #EE - OK, CA - revoked, chain, requireFreshInfo
+-verify OCSPEE21:x
+-  cert OCSPCA2:x
++verify OCSPEE21OCSPCA2:d
++  cert OCSPCA2OCSPRoot:d
+   trust OCSPRoot
+   rev_type chain
+   rev_flags requireFreshInfo
+@@ -84,16 +84,16 @@
+   result fail
+ 
+ #EE - OK, CA - unknown
+-verify OCSPEE31:x
+-  cert OCSPCA3:x
++verify OCSPEE31OCSPCA3:d
++  cert OCSPCA3OCSPRoot:d
+   trust OCSPRoot
+   rev_type leaf
+   rev_mtype ocsp
+   result pass
+ 
+ #EE - OK, CA - unknown, requireFreshInfo
+-verify OCSPEE31:x
+-  cert OCSPCA3:x
++verify OCSPEE31OCSPCA3:d
++  cert OCSPCA3OCSPRoot:d
+   trust OCSPRoot
+   rev_type leaf
+   rev_flags requireFreshInfo
+@@ -101,8 +101,8 @@
+   result fail
+ 
+ #EE - revoked, doNotUse
+-verify OCSPEE12:x
+-  cert OCSPCA1:x
++verify OCSPEE12OCSPCA1:d
++  cert OCSPCA1OCSPRoot:d
+   trust OCSPRoot
+   rev_type leaf
+   rev_mtype ocsp
+@@ -110,8 +110,8 @@
+   result pass
+ 
+ #EE - revoked, forbidFetching
+-verify OCSPEE12:x
+-  cert OCSPCA1:x
++verify OCSPEE12OCSPCA1:d
++  cert OCSPCA1OCSPRoot:d
+   trust OCSPRoot
+   rev_type leaf
+   rev_mtype ocsp
+@@ -119,8 +119,8 @@
+   result pass
+ 
+ #EE - unknown status, failIfNoInfo
+-verify OCSPEE15:x
+-  cert OCSPCA1:x
++verify OCSPEE15OCSPCA1:d
++  cert OCSPCA1OCSPRoot:d
+   trust OCSPRoot
+   rev_type leaf
+   rev_mtype ocsp
+@@ -128,8 +128,8 @@
+   result fail
+ 
+ #EE - OK, CA - revoked, leaf, failIfNoInfo
+-verify OCSPEE21:x
+-  cert OCSPCA2:x
++verify OCSPEE21OCSPCA2:d
++  cert OCSPCA2OCSPRoot:d
+   trust OCSPRoot
+   rev_type leaf
+   rev_mtype ocsp
+@@ -141,8 +141,8 @@
+ #EE - OK on OCSP, revoked locally - should fail ??
+ # two things about this test: crl is not imported into the db and
+ # cert 13 is not revoked by crl.
+-verify OCSPEE13:x
+-  cert OCSPCA1:x
++verify OCSPEE13OCSPCA1:d
++  cert OCSPCA1OCSPRoot:d
+   trust OCSPCA1
+   rev_type leaf
+   rev_flags testLocalInfoFirst
+@@ -150,10 +150,10 @@
+   result pass
+ 
+ db OCSPRoot1
+-import OCSPRoot:x:CT,C,C
++import OCSPRoot:d:CT,C,C
+ 
+-verify OCSPEE23:x
+-  cert OCSPCA2:x
++verify OCSPEE23OCSPCA2:d
++  cert OCSPCA2OCSPRoot:d
+   trust OCSPRoot
+   rev_type chain
+   rev_mtype ocsp
+@@ -162,12 +162,12 @@
+   result fail
+ 
+ db OCSPRoot2
+-import OCSPRoot:x:T,,
++import OCSPRoot:d:T,,
+ 
+ # bug 527438
+ # expected result of this test is FAIL
+-verify OCSPEE23:x
+-  cert OCSPCA2:x
++verify OCSPEE23OCSPCA2:d
++  cert OCSPCA2OCSPRoot:d
+   trust OCSPRoot
+   rev_type chain
+   rev_mtype ocsp
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/tests/chains/scenarios/ocspd.cfg seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/tests/chains/scenarios/ocspd.cfg
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/tests/chains/scenarios/ocspd.cfg	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/tests/chains/scenarios/ocspd.cfg	2014-02-10 01:13:33.096518537 +0400
+@@ -7,104 +7,108 @@
+ #root CA
+ entity OCSPRoot
+   type Root
++  export_key
+ 
+ #CA - OK
+ entity OCSPCA1
+   type Intermediate
+   issuer OCSPRoot
+   serial 1
+-  ocsp 2600
++  ocsp online
++  export_key
+ 
+ #CA - revoked
+ entity OCSPCA2
+   type Intermediate
+   issuer OCSPRoot
+   serial 2
+-  ocsp 2600
++  ocsp online
++  export_key
+ 
+ #CA - unknown status
+ entity OCSPCA3
+   type Intermediate
+   issuer OCSPRoot
+   serial 3
+-  ocsp 2599
++  ocsp offline
++  export_key
+ 
+ #EE - OK
+ entity OCSPEE11
+   type EE
+   issuer OCSPCA1
+   serial 1
+-  ocsp 2601
++  ocsp online
+ 
+ #EE - revoked on OCSP
+ entity OCSPEE12
+   type EE
+   issuer OCSPCA1
+   serial 2
+-  ocsp 2601
++  ocsp online
+ 
+ #EE - revoked on CRL
+ entity OCSPEE13
+   type EE
+   issuer OCSPCA1
+   serial 3
+-  ocsp 2601
++  ocsp online
+ 
+ #EE - revoked on OCSP and CRL
+ entity OCSPEE14
+   type EE
+   issuer OCSPCA1
+   serial 4
+-  ocsp 2601
++  ocsp online
+ 
+ #EE - unknown status
+ entity OCSPEE15
+   type EE
+   issuer OCSPCA1
+   serial 5
+-  ocsp 2599
++  ocsp offline
+ 
+ #EE - valid EE, revoked CA
+ entity OCSPEE21
+   type EE
+   issuer OCSPCA2
+   serial 1
+-  ocsp 2602
++  ocsp online
+ 
+ #EE - revoked EE, revoked CA
+ entity OCSPEE22
+   type EE 
+   issuer OCSPCA2 
+   serial 2
+-  ocsp 2602
++  ocsp online
+ 
+ #EE - revoked EE, CA pointing to invalid OCSP
+ entity OCSPEE23
+   type EE 
+   issuer OCSPCA2 
+   serial 3
+-  ocsp 2599
++  ocsp offline
+ 
+ #EE - valid EE, CA pointing to invalid OCSP
+ entity OCSPEE31
+   type EE
+   issuer OCSPCA3
+   serial 1
+-  ocsp 2603
++  ocsp online
+ 
+ #EE - revoked EE, CA pointing to invalid OCSP
+ entity OCSPEE32
+   type EE 
+   issuer OCSPCA3 
+   serial 2
+-  ocsp 2603
++  ocsp online
+ 
+ #EE - EE pointing to invalid OCSP, CA pointing to invalid OCSP
+ entity OCSPEE33
+   type EE 
+   issuer OCSPCA3 
+   serial 3
+-  ocsp 2599
++  ocsp offline
+ 
+ crl OCSPRoot
+ 
+@@ -135,3 +139,34 @@
+ revoke OCSPCA3
+   serial 3
+ 
++# Used for running a single OCSP server (httpserv) instance that can
++# handle multiple CAs, e.g.:
++# httpserv -p 8641 -d . -f dbpasswd \
++#   -A OCSPRoot -C OCSPRoot.crl -A OCSPCA1 -C OCSPCA1.crl \
++#   -A OCSPCA2 -C OCSPCA2.crl -A OCSPCA3 -C OCSPCA3.crl
++db Server
++import OCSPRoot::CT,C,C
++import_key OCSPRoot
++import_key OCSPCA1
++import_key OCSPCA2
++import_key OCSPCA3
++
++# A DB containing all certs, but no keys.
++# Useful for manual OCSP client testing, e.g.:
++# ocspclnt -d .  -S OCSPEE12OCSPCA1 -u s
++db Client
++import OCSPRoot::CT,C,C
++import OCSPCA1OCSPRoot::
++import OCSPCA2OCSPRoot::
++import OCSPCA3OCSPRoot::
++import OCSPEE11OCSPCA1::
++import OCSPEE12OCSPCA1::
++import OCSPEE13OCSPCA1::
++import OCSPEE14OCSPCA1::
++import OCSPEE15OCSPCA1::
++import OCSPEE21OCSPCA2::
++import OCSPEE22OCSPCA2::
++import OCSPEE23OCSPCA2::
++import OCSPEE31OCSPCA3::
++import OCSPEE32OCSPCA3::
++import OCSPEE33OCSPCA3::
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/tests/chains/scenarios/scenarios seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/tests/chains/scenarios/scenarios
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/tests/chains/scenarios/scenarios	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/tests/chains/scenarios/scenarios	2014-02-10 01:13:33.097518519 +0400
+@@ -34,6 +34,15 @@
+ # the terms of any one of the MPL, the GPL or the LGPL.
+ #
+ # ***** END LICENSE BLOCK *****
++#
++# Scenario ocspd.cfg will always be processed first,
++# regardless of its presence in this list.
++#
++# Scenario method.cfg will always be processed, regardless of its presence
++# in this list, and will be processed twice, once with httpserv -O get 
++# and once with -O post. Because method.cfg will be executed with both
++# classic and libpkix engines, it must not contain any policy checks.
++#
+ bridge.cfg
+ megabridge_3_2.cfg
+ extension.cfg
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/tests/cipher/cipher.txt seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/tests/cipher/cipher.txt
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/tests/cipher/cipher.txt	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/tests/cipher/cipher.txt	2014-02-10 01:13:33.097518519 +0400
+@@ -39,6 +39,10 @@
+ 	0	rc4_-D		RC4_Decrypt
+ 	0	rsa_-E		RSA_Encrypt
+ 	0	rsa_-D		RSA_Decrypt
++	0	rsa_oaep_-E	RSA_EncryptOAEP
++	0	rsa_oaep_-D	RSA_DecryptOAEP
++	0	rsa_pss_-S	RSA_SignPSS
++	0	rsa_pss_-V	RSA_CheckSignPSS
+ 	0	dsa_-S		DSA_Sign
+ 	0	dsa_-V		DSA_Verify
+ 	0	md2_-H		MD2_Hash
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/tests/ocsp/ocsp.sh seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/tests/ocsp/ocsp.sh
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/tests/ocsp/ocsp.sh	2014-02-10 01:12:09.966982413 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/tests/ocsp/ocsp.sh	2014-02-10 01:13:33.097518519 +0400
+@@ -49,73 +49,6 @@
+   cd ${CLIENTDIR}
+ }
+ 
+-ocsp_stapling()
+-{
+-  # Parameter -4 is used as a temporary workaround for lack of IPv6 connectivity
+-  # on some build bot slaves.
+-
+-  TESTNAME="startssl valid, supports OCSP stapling"
+-  echo "$SCRIPTNAME: $TESTNAME"
+-  echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5143 -d . < ${REQF}"
+-  ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5143 -d . < ${REQF}
+-  html_msg $? 0 "$TESTNAME"
+-
+-  TESTNAME="startssl revoked, supports OCSP stapling"
+-  echo "$SCRIPTNAME: $TESTNAME"
+-  echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5144 -d . < ${REQF}"
+-  ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5144 -d . < ${REQF}
+-  html_msg $? 3 "$TESTNAME"
+-
+-  TESTNAME="comodo trial test expired revoked, supports OCSP stapling"
+-  echo "$SCRIPTNAME: $TESTNAME"
+-  echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5145 -d . < ${REQF}"
+-  ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5145 -d . < ${REQF}
+-  html_msg $? 1 "$TESTNAME"
+-
+-  TESTNAME="thawte (expired) valid, supports OCSP stapling"
+-  echo "$SCRIPTNAME: $TESTNAME"
+-  echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5146 -d . < ${REQF}"
+-  ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5146 -d . < ${REQF}
+-  html_msg $? 1 "$TESTNAME"
+-
+-  TESTNAME="thawte (expired) revoked, supports OCSP stapling"
+-  echo "$SCRIPTNAME: $TESTNAME"
+-  echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5147 -d . < ${REQF}"
+-  ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5147 -d . < ${REQF}
+-  html_msg $? 1 "$TESTNAME"
+-
+-  TESTNAME="digicert valid, supports OCSP stapling"
+-  echo "$SCRIPTNAME: $TESTNAME"
+-  echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5148 -d . < ${REQF}"
+-  ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5148 -d . < ${REQF}
+-  html_msg $? 0 "$TESTNAME"
+-
+-  TESTNAME="digicert revoked, supports OCSP stapling"
+-  echo "$SCRIPTNAME: $TESTNAME"
+-  echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5149 -d . < ${REQF}"
+-  ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5149 -d . < ${REQF}
+-  html_msg $? 3 "$TESTNAME"
+-
+-  TESTNAME="live valid, supports OCSP stapling"
+-  echo "$SCRIPTNAME: $TESTNAME"
+-  echo "tstclnt -V tls1.0: -T -v -F -M 1 -O -h login.live.com -p 443 -d . < ${REQF}"
+-  ${BINDIR}/tstclnt -V tls1.0: -T -v -F -M 1 -O -h login.live.com -p 443 -d . < ${REQF}
+-  html_msg $? 0 "$TESTNAME"
+-
+-  TESTNAME="startssl valid, doesn't support OCSP stapling"
+-  echo "$SCRIPTNAME: $TESTNAME"
+-  echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 443 -d . < ${REQF}"
+-  ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 443 -d . < ${REQF}
+-  html_msg $? 2 "$TESTNAME"
+-
+-  TESTNAME="cacert untrusted, doesn't support OCSP stapling"
+-  echo "$SCRIPTNAME: $TESTNAME"
+-  echo "tstclnt -V tls1.0: -T -v -F -M 1 -O -h www.cacert.org -p 443 -d . < ${REQF}"
+-  ${BINDIR}/tstclnt -V tls1.0: -T -v -F -M 1 -O -h www.cacert.org -p 443 -d . < ${REQF}
+-  html_msg $? 1 "$TESTNAME"
+-}
+-
+ ################## main #################################################
+ ocsp_init
+ ocsp_iopr_run
+-ocsp_stapling
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/tests/run_niscc.sh seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/tests/run_niscc.sh
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/security/nss/tests/run_niscc.sh	2013-09-16 22:26:57.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/security/nss/tests/run_niscc.sh	2014-02-10 01:13:33.097518519 +0400
+@@ -36,8 +36,8 @@
+      --threads X      set thread number to X (max. 10, default 10)
+      --out DIR        set DIR as output directory (default '/out')
+      --mail ADDRESS   send mail with test result to ADDRESS
+-     --nss DIR        set NSS directory to DIR (default '~/cvs/nss')
+-     --nss-hack DIR   set hacked NSS directory to DIR (default '~/cvs/nss_hack')
++     --nss DIR        set NSS directory to DIR (default '~/niscc-hg/nss')
++     --nss-hack DIR   set hacked NSS directory to DIR (default '~/niscc-hg/nss_hack')
+      --log-store      store all the logs (only summary by default)
+      --no-build-test  don't pull and build tested NSS
+      --no-build-hack  don't pull and build hacked NSS
+@@ -169,13 +169,13 @@
+     export NISCC_HOME=${NISCC_HOME:-/niscc}
+ 
+     # Base location of NSS
+-    export CVS=${CVS:-"$HOME/cvs"}
++    export HG=${HG:-"$HOME/niscc-hg"}
+ 
+     # NSS being tested
+-    export LOCALDIST=${LOCALDIST:-"${CVS}/nss"}
++    export LOCALDIST=${LOCALDIST:-"${HG}/nss"}
+ 
+     # Hacked NSS - built with "NISCC_TEST=1"
+-    export NSS_HACK=${NSS_HACK:-"${CVS}/nss_hack"}
++    export NSS_HACK=${NSS_HACK:-"${HG}/nss_hack"}
+ 
+     # Hostname of the testmachine
+     export HOST=${HOST:-127.0.0.1}
+@@ -237,30 +237,34 @@
+ }
+ 
+ ################################################################################
+-# Do a cvs pull of NSS
++# Do a HG pull of NSS
+ ################################################################################
+-cvs_pull()
++hg_pull()
+ {
+-    # Tested NSS - by default using current CVS HEAD
++    # Tested NSS - by default using HG default tip
+     if [ "$NO_BUILD_TEST" = "false" ]; then
+-        echo "cloning NSS sources to be tested from CVS"
++        echo "cloning NSS sources to be tested from HG"
+         [ ! -d "$LOCALDIST" ] && mkdir -p "$LOCALDIST"
+         cd "$LOCALDIST"
+-        cvs -d :pserver:anonymous at cvs-mirror.mozilla.org:/cvsroot co -r HEAD NSPR &>> $TEST_OUTPUT/nisccBuildLog
+-        cvs -d :pserver:anonymous at cvs-mirror.mozilla.org:/cvsroot co -r HEAD NSS &>> $TEST_OUTPUT/nisccBuildLog
++        [ ! -d "$LOCALDIST/nspr" ] && hg clone --noupdate https://hg.mozilla.org/projects/nspr
++        cd nspr; hg pull; hg update -C -r default; cd ..
++        [ ! -d "$LOCALDIST/nss" ] && hg clone --noupdate https://hg.mozilla.org/projects/nss
++        cd nss; hg pull; hg update -C -r default; cd ..
+         #find . -exec touch {} \;
+     fi
+ 
+     # Hacked NSS - by default using some RTM version.
+     # Do not use HEAD for hacked NSS - it needs to be stable and bug-free
+     if [ "$NO_BUILD_HACK" = "false" ]; then
+-        echo "cloning NSS sources for a hacked build from CVS"
++        echo "cloning NSS sources for a hacked build from HG"
+         [ ! -d "$NSS_HACK" ] && mkdir -p "$NSS_HACK"
+         cd "$NSS_HACK"
+-        NSPR_TAG=`curl http://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/nsprpub/TAG-INFO | head -1 | awk '{print $1}'`
+-        NSS_TAG=`curl http://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/security/nss/TAG-INFO | head -1 | awk '{print $1}'`
+-        cvs -d :pserver:anonymous at cvs-mirror.mozilla.org:/cvsroot co -r $NSPR_TAG NSPR &>> $TEST_OUTPUT/nisccBuildLogHack
+-        cvs -d :pserver:anonymous at cvs-mirror.mozilla.org:/cvsroot co -r $NSS_TAG NSS &>> $TEST_OUTPUT/nisccBuildLogHack
++        NSPR_TAG=`curl --silent http://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/nsprpub/TAG-INFO | head -1 | sed --regexp-extended 's/[[:space:]]//g' | awk '{print $1}'`
++        NSS_TAG=`curl --silent http://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/security/nss/TAG-INFO | head -1 | sed --regexp-extended 's/[[:space:]]//g' | awk '{print $1}'`
++        [ ! -d "$NSS_HACK/nspr" ] && hg clone --noupdate https://hg.mozilla.org/projects/nspr
++        cd nspr; hg pull; hg update -C -r "$NSPR_TAG"; cd ..
++        [ ! -d "$NSS_HACK/nss" ] && hg clone --noupdate https://hg.mozilla.org/projects/nss
++        cd nss; hg pull; hg update -C -r "$NSS_TAG"; cd ..
+         #find . -exec touch {} \;
+     fi
+ }
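Review bot: `NSPR_TAG` and `NSS_TAG` decide which revision of the hacked build is checked out, yet both are fetched with `curl --silent http://hg.mozilla.org/...` over plain HTTP and used without checking that the fetch succeeded. The clones in the same function already use `https://hg.mozilla.org`, so the tag lookups should too, with `--fail` added and an abort when either tag comes back empty, e.g. `[ -n "$NSPR_TAG" ] && [ -n "$NSS_TAG" ] || exit 1`. The `cd nspr; hg pull; ...; cd ..` chains also carry on after a failed `cd`, which would run `hg pull` and `cd ..` from the wrong directory; `(cd nspr && hg pull && hg update -C -r "$NSPR_TAG")` keeps that contained. Unlike the removed `cvs` calls, the new commands no longer append their output to the `nisccBuildLog` files.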
+@@ -275,7 +279,7 @@
+         echo "building NSS to be tested"
+         cd "$LOCALDIST"
+         unset NISCC_TEST
+-        cd mozilla/security/nss
++        cd nss
+         gmake nss_clean_all &>> $TEST_OUTPUT/nisccBuildLog
+         gmake nss_build_all &>> $TEST_OUTPUT/nisccBuildLog
+     fi
+@@ -285,7 +289,7 @@
+         echo "building hacked NSS"
+         cd "$NSS_HACK"
+         export NISCC_TEST=1
+-        cd mozilla/security/nss
++        cd nss
+         gmake nss_clean_all &>> $TEST_OUTPUT/nisccBuildLogHack
+         gmake nss_build_all &>> $TEST_OUTPUT/nisccBuildLogHack
+     fi
+@@ -308,17 +312,17 @@
+     echo "PATH $PATH" >> "$TEST_OUTPUT/nisccLog00"
+ 
+     # Find out hacked NSS version
+-    DISTTYPE=`cd "$NSS_HACK/mozilla/security/nss/tests/common"; gmake objdir_name`
++    DISTTYPE=`cd "$NSS_HACK/nss/tests/common"; gmake objdir_name`
+     echo "NSS_HACK DISTTYPE $DISTTYPE" >> "$TEST_OUTPUT/nisccLog00"
+-    export HACKBIN="$NSS_HACK/mozilla/dist/$DISTTYPE/bin"
+-    export HACKLIB="$NSS_HACK/mozilla/dist/$DISTTYPE/lib"
++    export HACKBIN="$NSS_HACK/dist/$DISTTYPE/bin"
++    export HACKLIB="$NSS_HACK/dist/$DISTTYPE/lib"
+ 
+     if [ "$TEST_SYSTEM" = "false" ]; then
+         # Find out nss version
+-        DISTTYPE=`cd "$LOCALDIST/mozilla/security/nss/tests/common"; gmake objdir_name`
++        DISTTYPE=`cd "$LOCALDIST/nss/tests/common"; gmake objdir_name`
+         echo "NSS DISTTYPE $DISTTYPE" >> "$TEST_OUTPUT/nisccLog00"
+-        export TESTBIN="$LOCALDIST/mozilla/dist/$DISTTYPE/bin"
+-        export TESTLIB="$LOCALDIST/mozilla/dist/$DISTTYPE/lib"
++        export TESTBIN="$LOCALDIST/dist/$DISTTYPE/bin"
++        export TESTLIB="$LOCALDIST/dist/$DISTTYPE/lib"
+         export TESTTOOLS="$TESTBIN"
+     else
+         # Using system installed NSS
+@@ -951,7 +955,7 @@
+ ################################################################################
+ process_args $*
+ create_environment
+-cvs_pull
++hg_pull
+ build_NSS
+ init
+ niscc_smime
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/storage/src/TelemetryVFS.cpp seamonkey-2.21-esr3.0/comm-release/mozilla/storage/src/TelemetryVFS.cpp
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/storage/src/TelemetryVFS.cpp	2013-09-16 22:26:58.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/storage/src/TelemetryVFS.cpp	2014-02-10 01:13:33.098518502 +0400
+@@ -14,6 +14,12 @@
+ #include "mozilla/dom/quota/QuotaObject.h"
+ #include "mozilla/SQLiteInterposer.h"
+ 
++// The last VFS version for which this file has been updated.
++#define LAST_KNOWN_VFS_VERSION 3
++
++// The last io_methods version for which this file has been updated.
++#define LAST_KNOWN_IOMETHODS_VERSION 3
++
+ /**
+  * This preference is a workaround to allow users/sysadmins to identify
+  * that the profile exists on an NFS share whose implementation
+@@ -367,10 +373,11 @@
+     sqlite3_io_methods *pNew = new sqlite3_io_methods;
+     const sqlite3_io_methods *pSub = p->pReal->pMethods;
+     memset(pNew, 0, sizeof(*pNew));
+-    // If you update this version number, you must add appropriate IO methods
+-    // for any methods added in the version change.
+-    pNew->iVersion = 3;
+-    MOZ_ASSERT(pNew->iVersion >= pSub->iVersion);
++    // If the io_methods version is higher than the last known one, you should
++    // update this VFS adding appropriate IO methods for any methods added in
++    // the version change.
++    pNew->iVersion = pSub->iVersion;
++    MOZ_ASSERT(pNew->iVersion <= LAST_KNOWN_IOMETHODS_VERSION);
+     pNew->xClose = xClose;
+     pNew->xRead = xRead;
+     pNew->xWrite = xWrite;
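Review bot: `MOZ_ASSERT(pNew->iVersion <= LAST_KNOWN_IOMETHODS_VERSION)` is the only guard against advertising an io_methods version this shim does not implement, and MOZ_ASSERT is compiled out of non-debug builds. If the underlying SQLite ever reports a higher `pSub->iVersion`, the copied value tells SQLite the newer method slots exist while the `memset` above left them null, so a call through one would go through a null function pointer. Clamping keeps release builds on the methods that are actually filled in: `pNew->iVersion = pSub->iVersion < LAST_KNOWN_IOMETHODS_VERSION ? pSub->iVersion : LAST_KNOWN_IOMETHODS_VERSION;`. The `tvfs->iVersion = vfs->iVersion;` hunk further down has the same pattern and would take the same clamp against `LAST_KNOWN_VFS_VERSION`. The enclosing function starts outside this hunk.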
+@@ -383,11 +390,14 @@
+     pNew->xFileControl = xFileControl;
+     pNew->xSectorSize = xSectorSize;
+     pNew->xDeviceCharacteristics = xDeviceCharacteristics;
++    if (pNew->iVersion >= 2) {
+     // Methods added in version 2.
+     pNew->xShmMap = pSub->xShmMap ? xShmMap : 0;
+     pNew->xShmLock = pSub->xShmLock ? xShmLock : 0;
+     pNew->xShmBarrier = pSub->xShmBarrier ? xShmBarrier : 0;
+     pNew->xShmUnmap = pSub->xShmUnmap ? xShmUnmap : 0;
++    }
++    if (pNew->iVersion >= 3) {
+     // Methods added in version 3.
+     // SQLite 3.7.17 calls these methods without checking for NULL first,
+     // so we always define them.  Verify that we're not going to call
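Review bot: The statements under the new `if (pNew->iVersion >= 2) {` and `if (pNew->iVersion >= 3) {` keep their old indentation, so only the braces show that the assignments are now conditional. The patch headers show it was generated with `diff -Nrbu`, and `-b` ignores whitespace-only changes, which would explain the missing re-indent. Regenerating the patch without `-b` should carry over the indentation of the tree it was derived from. The `tvfs->iVersion` blocks later in this file and the rewritten `listener` in SimpleTest.js show the same effect. The version-3 block opened here is closed in the following hunk.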
+@@ -396,6 +406,7 @@
+     pNew->xFetch = xFetch;
+     MOZ_ASSERT(pSub->xUnfetch);
+     pNew->xUnfetch = xUnfetch;
++    }
+     pFile->pMethods = pNew;
+   }
+   return rc;
+@@ -539,10 +550,11 @@
+ 
+   sqlite3_vfs *tvfs = new ::sqlite3_vfs;
+   memset(tvfs, 0, sizeof(::sqlite3_vfs));
+-  // If you update this version number, you must add appropriate VFS methods
+-  // for any methods added in the version change.
+-  tvfs->iVersion = 3;
+-  MOZ_ASSERT(vfs->iVersion == tvfs->iVersion);
++  // If the VFS version is higher than the last known one, you should update
++  // this VFS adding appropriate methods for any methods added in the version
++  // change.
++  tvfs->iVersion = vfs->iVersion;
++  MOZ_ASSERT(vfs->iVersion <= LAST_KNOWN_VFS_VERSION);
+   tvfs->szOsFile = sizeof(telemetry_file) - sizeof(sqlite3_file) + vfs->szOsFile;
+   tvfs->mxPathname = vfs->mxPathname;
+   tvfs->zName = "telemetry-vfs";
+@@ -559,13 +571,16 @@
+   tvfs->xSleep = xSleep;
+   tvfs->xCurrentTime = xCurrentTime;
+   tvfs->xGetLastError = xGetLastError;
++  if (tvfs->iVersion >= 2) {
+   // Methods added in version 2.
+   tvfs->xCurrentTimeInt64 = xCurrentTimeInt64;
++  }
++  if (tvfs->iVersion >= 3) {
+   // Methods added in version 3.
+   tvfs->xSetSystemCall = xSetSystemCall;
+   tvfs->xGetSystemCall = xGetSystemCall;
+   tvfs->xNextSystemCall = xNextSystemCall;
+-
++  }
+   return tvfs;
+ }
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/testing/mochitest/Makefile.in seamonkey-2.21-esr3.0/comm-release/mozilla/testing/mochitest/Makefile.in
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/testing/mochitest/Makefile.in	2013-09-16 22:26:58.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/testing/mochitest/Makefile.in	2014-02-10 01:13:33.098518502 +0400
+@@ -20,9 +20,6 @@
+ 
+ XPI_NAME = mochijar
+ 
+-# we turn this off for UNIVERSAL_BINARY
+-CHROME_JAR = 1
+-
+ include $(topsrcdir)/config/rules.mk
+ # We're installing to _tests/testing/mochitest, so this is the depth
+ # necessary for relative objdir paths.
+@@ -176,25 +173,6 @@
+ PKG_STAGE = $(DIST)/test-package-stage
+ DIST_BIN = $(DIST)/bin
+ 
+-PKG_CHROMEJAR = $(PKG_STAGE)/mochitest/content/
+-
+-ifdef CHROME_JAR
+-stage-chromejar:
+-	$(NSINSTALL) -D $(PKG_CHROMEJAR)
+-	cp -RL $(DEPTH)/_tests/testing/mochitest/browser $(PKG_CHROMEJAR)
+-	cp -RL $(DEPTH)/_tests/testing/mochitest/chrome $(PKG_CHROMEJAR)
+-ifdef MOZ_METRO
+-	cp -RL $(DEPTH)/_tests/testing/mochitest/metro $(PKG_CHROMEJAR)
+-endif
+-ifdef ACCESSIBILITY
+-	cp -RL $(DEPTH)/_tests/testing/mochitest/a11y $(PKG_CHROMEJAR)
+-endif
+-	(cd $(PKG_STAGE)/mochitest && zip -rq tests.jar content/)
+-	@(rm -rf $(PKG_CHROMEJAR))
+-
+-stage-package: stage-chromejar
+-endif
+-
+ $(_DEST_DIR):
+ 	$(NSINSTALL) -D $@
+ 
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/testing/mochitest/runtests.py seamonkey-2.21-esr3.0/comm-release/mozilla/testing/mochitest/runtests.py
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/testing/mochitest/runtests.py	2014-02-10 01:12:09.967982395 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/testing/mochitest/runtests.py	2014-02-10 01:13:33.098518502 +0400
+@@ -899,13 +899,8 @@
+     with open(os.path.join(options.profilePath, "userChrome.css"), "a") as chromeFile:
+       chromeFile.write(chrome)
+ 
+-    # Call copyTestsJarToProfile(), Write tests.manifest.
+     manifest = os.path.join(options.profilePath, "tests.manifest")
+     with open(manifest, "w") as manifestFile:
+-      if self.copyTestsJarToProfile(options):
+-        # Register tests.jar.
+-        manifestFile.write("content mochitests jar:tests.jar!/content/\n");
+-      else:
+         # Register chrome directory.
+         chrometestDir = os.path.abspath(".") + "/"
+         if self.automation.IS_WIN32:
+@@ -947,15 +942,6 @@
+     with open(os.path.join(options.profilePath, "extensions", "staged", "mochikit at mozilla.org", "chrome.manifest"), "a") as mfile:
+       mfile.write(chrome)
+ 
+-  def copyTestsJarToProfile(self, options):
+-    """ copy tests.jar to the profile directory so we can auto register it in the .xul harness """
+-    testsJarFile = os.path.join(self.SCRIPT_DIRECTORY, "tests.jar")
+-    if not os.path.isfile(testsJarFile):
+-      return False
+-
+-    shutil.copy2(testsJarFile, options.profilePath)
+-    return True
+-
+   def copyExtraFilesToProfile(self, options):
+     "Copy extra files or dirs specified on the command line to the testing profile."
+     for f in options.extraProfileFiles:
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/testing/mochitest/runtestsremote.py seamonkey-2.21-esr3.0/comm-release/mozilla/testing/mochitest/runtestsremote.py
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/testing/mochitest/runtestsremote.py	2014-02-10 01:12:09.967982395 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/testing/mochitest/runtestsremote.py	2014-02-10 01:13:33.098518502 +0400
+@@ -345,10 +345,6 @@
+             shutil.rmtree(os.path.join(options.profilePath, 'extensions', 'staged', 'worker-test at mozilla.org'))
+             shutil.rmtree(os.path.join(options.profilePath, 'extensions', 'staged', 'workerbootstrap-test at mozilla.org'))
+             os.remove(os.path.join(options.profilePath, 'userChrome.css'))
+-            if os.path.exists(os.path.join(options.profilePath, 'tests.jar')):
+-                os.remove(os.path.join(options.profilePath, 'tests.jar'))
+-            if os.path.exists(os.path.join(options.profilePath, 'tests.manifest')):
+-                os.remove(os.path.join(options.profilePath, 'tests.manifest'))
+ 
+         try:
+             self._dm.pushDir(options.profilePath, self.remoteProfile)
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/testing/mochitest/tests/SimpleTest/SimpleTest.js seamonkey-2.21-esr3.0/comm-release/mozilla/testing/mochitest/tests/SimpleTest/SimpleTest.js
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/testing/mochitest/tests/SimpleTest/SimpleTest.js	2013-09-16 22:26:58.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/testing/mochitest/tests/SimpleTest/SimpleTest.js	2014-02-10 01:13:33.099518486 +0400
+@@ -767,9 +767,9 @@
+ /**
+  * Monitor console output from now until endMonitorConsole is called.
+  *
+- * Expect to receive as many console messages as there are elements of
+- * |msgs|, an array; each element is an object which may have any
+- * number of the following properties:
++ * Expect to receive all console messages described by the elements of
++ * |msgs|, an array, in the order listed in |msgs|; each element is an
++ * object which may have any number of the following properties:
+  *   message, errorMessage, sourceName, sourceLine, category:
+  *     string or regexp
+  *   lineNumber, columnNumber: number
+@@ -778,42 +778,92 @@
+  * property of the Nth console message.  Regexps must match.  Any
+  * fields present in the message but not in the pattern object are ignored.
+  *
++ * In addition to the above properties, elements in |msgs| may have a |forbid|
++ * boolean property.  When |forbid| is true, a failure is logged each time a
++ * matching message is received.
++ *
++ * If |forbidUnexpectedMsgs| is true, then the messages received in the console
++ * must exactly match the non-forbidden messages in |msgs|; for each received
++ * message not described by the next element in |msgs|, a failure is logged.  If
++ * false, then other non-forbidden messages are ignored, but all expected
++ * messages must still be received.
++ *
+  * After endMonitorConsole is called, |continuation| will be called
+  * asynchronously.  (Normally, you will want to pass |SimpleTest.finish| here.)
+  *
+  * It is incorrect to use this function in a test which has not called
+  * SimpleTest.waitForExplicitFinish.
+  */
+-SimpleTest.monitorConsole = function (continuation, msgs) {
++SimpleTest.monitorConsole = function (continuation, msgs, forbidUnexpectedMsgs) {
+   if (SimpleTest._stopOnLoad) {
+     ok(false, "Console monitoring requires use of waitForExplicitFinish.");
+   }
+ 
++  function msgMatches(msg, pat) {
++    for (k in pat) {
++      if (!(k in msg)) {
++        return false;
++      }
++      if (pat[k] instanceof RegExp && typeof(msg[k]) === 'string') {
++        if (!pat[k].test(msg[k])) {
++          return false;
++        }
++      } else if (msg[k] !== pat[k]) {
++        return false;
++      }
++    }
++    return true;
++  }
++
++  var forbiddenMsgs = [];
++  var i = 0;
++  while (i < msgs.length) {
++    var pat = msgs[i];
++    if ("forbid" in pat) {
++      var forbid = pat.forbid;
++      delete pat.forbid;
++      if (forbid) {
++        forbiddenMsgs.push(pat);
++        msgs.splice(i, 1);
++        continue;
++      }
++    }
++    i++;
++  }
++
+   var counter = 0;
+   function listener(msg) {
+     if (msg.message === "SENTINEL" && !msg.isScriptError) {
+       is(counter, msgs.length, "monitorConsole | number of messages");
+       SimpleTest.executeSoon(continuation);
+-    } else if (counter >= msgs.length) {
+-      ok(false, "monitorConsole | extra message | " + JSON.stringify(msg));
+-    } else {
+-      var pat = msgs[counter];
+-      for (k in pat) {
+-        ok(k in msg, "monitorConsole | [" + counter + "]." + k + " present");
+-        if (k in msg) {
+-          if (pat[k] instanceof RegExp && typeof(msg[k]) === 'string') {
+-            ok(pat[k].test(msg[k]),
+-               "monitorConsole | [" + counter + "]." + k + " value - " +
+-               msg[k].quote() + " contains /" + pat[k].source + "/");
++      return;
++    }
++    for (var pat of forbiddenMsgs) {
++      if (msgMatches(msg, pat)) {
++        ok(false, "monitorConsole | observed forbidden message " +
++                  JSON.stringify(msg));
++        return;
++      }
++    }
++    if (counter >= msgs.length) {
++      var str = "monitorConsole | extra message | " + JSON.stringify(msg);
++      if (forbidUnexpectedMsgs) {
++        ok(false, str);
+           } else {
+-            ise(msg[k], pat[k],
+-                "monitorConsole | [" + counter + "]." + k + " value");
++        info(str);
+           }
++      return;
+         }
++    var matches = msgMatches(msg, msgs[counter]);
++    if (forbidUnexpectedMsgs) {
++      ok(matches, "monitorConsole | [" + counter + "] must match " +
++                  JSON.stringify(msg));
++    } else {
++      info("monitorConsole | [" + counter + "] " +
++           (matches ? "matched " : "did not match ") + JSON.stringify(msg));
+       }
+       counter++;
+     }
+-  }
+   SpecialPowers.registerConsoleListener(listener);
+ };
+ 
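Review bot: `msgMatches` loops with `for (k in pat)` without declaring `k`, so every call writes a global `k`; `for (var k in pat)` keeps it local. The setup loop also modifies the caller's data: it splices forbidden patterns out of `msgs` and runs `delete pat.forbid` on the pattern objects. A test that passes the same array to a second `monitorConsole` call would therefore silently lose its forbidden patterns. Working on a copy (`msgs = msgs.slice();` before the loop) and reading `pat.forbid` without deleting it avoids that, provided `msgMatches` is told to skip the `forbid` key.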
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/testing/testsuite-targets.mk seamonkey-2.21-esr3.0/comm-release/mozilla/testing/testsuite-targets.mk
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/testing/testsuite-targets.mk	2013-09-16 22:26:58.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/testing/testsuite-targets.mk	2014-02-10 01:13:33.099518486 +0400
+@@ -412,9 +412,6 @@
+ 	@rm -f "$(DIST)/$(PKG_PATH)$(TEST_PACKAGE)"
+ ifndef UNIVERSAL_BINARY
+ 	$(NSINSTALL) -D $(DIST)/$(PKG_PATH)
+-else
+-	#building tests.jar (bug 543800) fails on unify, so we build tests.jar after unify is run
+-	$(MAKE) -C $(DEPTH)/testing/mochitest stage-chromejar PKG_STAGE=$(DIST)/universal
+ endif
+ 	find $(PKG_STAGE) -name "*.pyc" -exec rm {} \;
+ 	cd $(PKG_STAGE) && \
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/components/places/PlacesDBUtils.jsm seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/components/places/PlacesDBUtils.jsm
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/components/places/PlacesDBUtils.jsm	2014-02-10 01:12:14.137908477 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/components/places/PlacesDBUtils.jsm	2014-02-10 01:13:33.099518486 +0400
+@@ -965,8 +965,8 @@
+     function reportResult(aProbe, aValue) {
+       outstandingProbes--;
+ 
+-      try {
+         let value = aValue;
++      try {
+         if ("callback" in aProbe) {
+           value = aProbe.callback(value);
+         }
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/components/places/tests/browser/browser_visituri_privatebrowsing_perwindowpb.js seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/components/places/tests/browser/browser_visituri_privatebrowsing_perwindowpb.js
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/components/places/tests/browser/browser_visituri_privatebrowsing_perwindowpb.js	2013-09-16 22:26:59.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/components/places/tests/browser/browser_visituri_privatebrowsing_perwindowpb.js	2014-02-10 01:13:33.099518486 +0400
+@@ -18,6 +18,10 @@
+ 
+   function doTest(aIsPrivateMode, aWindow, aTestURI, aCallback) {
+     aWindow.gBrowser.selectedBrowser.addEventListener("load", function onLoad() {
++      if (aWindow.gBrowser.selectedBrowser.contentWindow.location != aTestURI) {
++        aWindow.gBrowser.selectedBrowser.contentWindow.location = aTestURI;
++        return;
++      }
+       aWindow.gBrowser.selectedBrowser.removeEventListener("load", onLoad, true);
+ 
+       if (aCallback) {
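Review bot: The added early return re-navigates on every load that lands anywhere other than `aTestURI`, with no limit on retries. If the page redirects, or the URL is normalised so the comparison never becomes equal, the listener keeps reloading and the test ends only at the harness timeout, with no message saying why. A small attempt counter that calls `ok(false, "never reached " + aTestURI)` after a few tries would turn that into a readable failure. Comparing `location.href` instead of the Location object would also make the string comparison explicit. The same unbounded retry is added in browser_privbrowsing_perwindowpb.js and kept by the changed condition in test_bug_461710_perwindowpb.html. The body of `doTest` continues outside this hunk.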
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/components/places/tests/browser/head.js seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/components/places/tests/browser/head.js
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/components/places/tests/browser/head.js	2013-09-16 22:26:59.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/components/places/tests/browser/head.js	2014-02-10 01:13:33.100518469 +0400
+@@ -340,12 +340,18 @@
+   return gDBConn.connectionReady ? gDBConn : null;
+ }
+ 
++function whenDelayedStartupFinished(aWindow, aCallback) {
++  Services.obs.addObserver(function observer(aSubject, aTopic) {
++    if (aWindow == aSubject) {
++      Services.obs.removeObserver(observer, aTopic);
++      executeSoon(function() { aCallback(aWindow); });
++    }
++  }, "browser-delayed-startup-finished", false);
++}
++
+ function whenNewWindowLoaded(aOptions, aCallback) {
+   let win = OpenBrowserWindow(aOptions);
+-  win.addEventListener("load", function onLoad() {
+-    win.removeEventListener("load", onLoad, false);
+-    aCallback(win);
+-  }, false);
++  whenDelayedStartupFinished(win, aCallback);
+ }
+ 
+ /**
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/components/places/tests/mochitest/test_bug_461710_perwindowpb.html seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/components/places/tests/mochitest/test_bug_461710_perwindowpb.html
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/components/places/tests/mochitest/test_bug_461710_perwindowpb.html	2013-09-16 22:26:59.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/components/places/tests/mochitest/test_bug_461710_perwindowpb.html	2014-02-10 01:13:33.100518469 +0400
+@@ -170,7 +170,7 @@
+   win.addEventListener("load", function onLoad() {
+     win.removeEventListener("load", onLoad, false);
+     win.addEventListener("DOMContentLoaded", function onInnerLoad() {
+-      if (win.content.location.href == "about:privatebrowsing") {
++      if (win.content.location.href != contentPage) {
+         win.gBrowser.loadURI(contentPage);
+         return;
+       }
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/components/satchel/test/browser/browser_privbrowsing_perwindowpb.js seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/components/satchel/test/browser/browser_privbrowsing_perwindowpb.js
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/components/satchel/test/browser/browser_privbrowsing_perwindowpb.js	2013-09-16 22:26:59.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/components/satchel/test/browser/browser_privbrowsing_perwindowpb.js	2014-02-10 01:13:33.100518469 +0400
+@@ -14,6 +14,10 @@
+ 
+   function doTest(aIsPrivateMode, aShouldValueExist, aWindow, aCallback) {
+     aWindow.gBrowser.selectedBrowser.addEventListener("load", function onLoad() {
++      if (aWindow.content.location != testURI) {
++        aWindow.gBrowser.selectedBrowser.loadURI(testURI);
++        return;
++      }
+       aWindow.gBrowser.selectedBrowser.removeEventListener("load", onLoad, true);
+ 
+       let checks = 0;
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/content/tests/widgets/Makefile.in seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/content/tests/widgets/Makefile.in
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/content/tests/widgets/Makefile.in	2013-09-16 22:26:59.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/content/tests/widgets/Makefile.in	2014-02-10 01:13:33.100518469 +0400
+@@ -17,10 +17,8 @@
+ 		$(NULL)
+ 
+ MOCHITEST_FILES =	\
+-		test_contextmenu_nested.xul \
+ 		tree_shared.js \
+ 		test_mousecapture_area.html \
+-		popup_shared.js \
+ 		test_videocontrols.html \
+ 		test_videocontrols_video_direction.html \
+ 		test_videocontrols_audio_direction.html \
+@@ -46,18 +44,22 @@
+ 
+ MOCHITEST_CHROME_FILES = \
+ 		tree_shared.js \
++		popup_shared.js \
+ 		test_tree_column_reorder.xul \
+ 		test_editor_currentURI.xul \
++		test_contextmenu_nested.xul \
+ 		$(NULL)
+ 
+ ifneq (cocoa,$(MOZ_WIDGET_TOOLKIT))
+-MOCHITEST_FILES += test_menubar.xul \
+-               window_menubar.xul
++MOCHITEST_CHROME_FILES += \
++		test_menubar.xul \
++		window_menubar.xul \
++		$(NULL)
+ endif
+ 
+ # popup anchor tests don't work on android.
+ ifneq (android,$(MOZ_WIDGET_TOOLKIT))
+-MOCHITEST_FILES += \
++MOCHITEST_CHROME_FILES += \
+ 		test_popupanchor.xul \
+ 		$(NULL)
+ endif
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/content/tests/widgets/test_contextmenu_nested.xul seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/content/tests/widgets/test_contextmenu_nested.xul
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/content/tests/widgets/test_contextmenu_nested.xul	2013-09-16 22:26:59.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/content/tests/widgets/test_contextmenu_nested.xul	2014-02-10 01:13:33.100518469 +0400
+@@ -5,8 +5,8 @@
+ <window title="Nested Context Menu Tests"
+         xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
+ 
+-  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>      
+-  <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>      
++  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
++  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/EventUtils.js"></script>
+   <script type="application/javascript" src="popup_shared.js"></script>      
+ 
+ <menupopup id="outercontext">
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/content/tests/widgets/test_menubar.xul seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/content/tests/widgets/test_menubar.xul
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/content/tests/widgets/test_menubar.xul	2013-09-16 22:26:59.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/content/tests/widgets/test_menubar.xul	2014-02-10 01:13:33.100518469 +0400
+@@ -8,7 +8,7 @@
+   xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
+ 
+   <title>Menubar Popup Tests</title>
+-  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>      
++  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
+ 
+ <script>
+ SimpleTest.waitForExplicitFinish();
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/content/tests/widgets/test_menubar_gtk.xul seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/content/tests/widgets/test_menubar_gtk.xul
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/content/tests/widgets/test_menubar_gtk.xul	2013-09-16 22:26:59.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/content/tests/widgets/test_menubar_gtk.xul	1970-01-01 03:00:00.000000000 +0300
+@@ -1,30 +0,0 @@
+-<?xml version="1.0"?>
+-<?xml-stylesheet href="chrome://global/skin" type="text/css"?>
+-<?xml-stylesheet href="/tests/SimpleTest/test.css" type="text/css"?>
+-
+-<window title="Menubar Popup Tests"
+-  onload="setTimeout(runTest, 0);"
+-  xmlns:html="http://www.w3.org/1999/xhtml"
+-  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
+-
+-  <title>Menubar Popup Tests</title>
+-  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>      
+-
+-<script>
+-SimpleTest.waitForExplicitFinish();
+-function runTest()
+-{
+-  window.open("window_menubar_gtk.xul", "_blank", "width=600,height=600");
+-}
+-</script>
+-
+-<body xmlns="http://www.w3.org/1999/xhtml">
+-<p id="display">
+-</p>
+-<div id="content" style="display: none">
+-</div>
+-<pre id="test">
+-</pre>
+-</body>
+-
+-</window>
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/content/tests/widgets/test_popupanchor.xul seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/content/tests/widgets/test_popupanchor.xul
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/content/tests/widgets/test_popupanchor.xul	2013-09-16 22:26:59.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/content/tests/widgets/test_popupanchor.xul	2014-02-10 01:13:33.101518451 +0400
+@@ -13,7 +13,7 @@
+          noautohide="true">
+   </panel>
+ 
+-  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>      
++  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
+ 
+ <script>
+ <![CDATA[
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/content/tests/widgets/window_menubar.xul seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/content/tests/widgets/window_menubar.xul
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/content/tests/widgets/window_menubar.xul	2013-09-16 22:26:59.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/content/tests/widgets/window_menubar.xul	2014-02-10 01:13:33.101518451 +0400
+@@ -9,7 +9,7 @@
+   xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
+ 
+   <title>Popup Tests</title>
+-  <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>      
++  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/EventUtils.js"></script>
+   <script type="application/javascript" src="popup_shared.js"></script>      
+ 
+ <!--
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/content/widgets/findbar.xml seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/content/widgets/findbar.xml
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/toolkit/content/widgets/findbar.xml	2013-09-16 22:26:59.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/toolkit/content/widgets/findbar.xml	2014-02-10 01:13:33.101518451 +0400
+@@ -1834,7 +1834,12 @@
+     </implementation>
+ 
+     <handlers>
+-      <handler event="keypress" keycode="VK_ESCAPE" phase="capturing" action="this.close();" preventdefault="true"/>
++      <!--
++        - We have to guard against `this.close` being |null| due to an unknown
++        - issue, which is tracked in bug 957999.
++        -->
++      <handler event="keypress" keycode="VK_ESCAPE" phase="capturing"
++               action="if (this.close) this.close();" preventdefault="true"/>
+     </handlers>
+   </binding>
+ </bindings>
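Review bot: The new comment explains why `this.close` is checked but not what happens when it is missing. As far as the markup shows, `preventdefault="true"` still applies, so Escape would be consumed while the find bar stays open and nothing is logged. Extending the comment with one line such as `- When close is missing, Escape is swallowed and the bar stays open.` would make that trade-off visible to whoever picks up bug 957999.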
+diff -Nrbu seamonkey-2.21-esr2.0/comm-release/mozilla/widget/tests/test_bug462106_perwindow.xul seamonkey-2.21-esr3.0/comm-release/mozilla/widget/tests/test_bug462106_perwindow.xul
+--- seamonkey-2.21-esr2.0/comm-release/mozilla/widget/tests/test_bug462106_perwindow.xul	2013-09-16 22:27:02.000000000 +0400
++++ seamonkey-2.21-esr3.0/comm-release/mozilla/widget/tests/test_bug462106_perwindow.xul	2014-02-10 01:13:33.101518451 +0400
+@@ -25,6 +25,8 @@
+ 
+ const Cc = Components.classes;
+ const Ci = Components.interfaces;
++const Cu = Components.utils;
++Cu.import("resource://gre/modules/Services.jsm");
+ 
+ function copy(str, doc) {
+   if (!doc) {
+@@ -63,6 +65,15 @@
+   return str;
+ }
+ 
++function whenDelayedStartupFinished(aWindow, aCallback) {
++  Services.obs.addObserver(function observer(aSubject, aTopic) {
++    if (aWindow == aSubject) {
++      Services.obs.removeObserver(observer, aTopic);
++      setTimeout(aCallback, 0);
++    }
++  }, "browser-delayed-startup-finished", false);
++}
++
+ function testOnWindow(options, callback) {
+   var mainWindow = window.QueryInterface(Ci.nsIInterfaceRequestor)
+                          .getInterface(Ci.nsIWebNavigation)
+@@ -72,10 +83,9 @@
+                          .getInterface(Ci.nsIDOMWindow);
+ 
+   let win = mainWindow.OpenBrowserWindow(options);
+-  win.addEventListener("load", function onLoad() {
+-    win.removeEventListener("load", onLoad, false);
++  whenDelayedStartupFinished(win, function() {
+     callback(win);
+-  }, false);
++  });
+ };
+ 
+ function initAndRunTests() {
+@@ -95,15 +105,28 @@
+ 
+     testOnWindow({private: true}, function (aPrivateWindow) {
+       copy(data2, aPrivateWindow.document); // copy the data inside the private browsing mode
+-      setTimeout(function() { // without this, the test fails sporadically
++
++      function insidePBPaste() {
++        if (data2 != paste()) {
++          setTimeout(insidePBPaste, 100);
++          return;
++        }
+         // the data should be on the clipboard inside the private browsing mode
+         is(data2, paste(), "Data successfully copied inside the private browsing mode");
+         aPrivateWindow.close();
++
++        function afterClose() {
++          if (data2 == paste()) {
++            setTimeout(afterClose, 100);
++            return;
++          }
+         // the data should no longer be on the clipboard at this stage
+         isnot(data2, paste(), "Data no longer available after leaving the private browsing mode");
+-
+         SimpleTest.finish();
+-      }, 0);
++        }
++        afterClose();
++      }
++      insidePBPaste();
+     });
+   });
+ }
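Review bot: `insidePBPaste` and `afterClose` re-schedule themselves every 100 ms until the clipboard is in the expected state, so the `is(...)` and `isnot(...)` checks that follow can no longer fail. A regression in which data copied in a private window survives the window closing would show up only as a harness timeout, not as the "Data no longer available" failure. Bounding the polls lets the assertion run on the last attempt, for example `if (data2 == paste() && ++tries < 50) { setTimeout(afterClose, 100); return; }` with `var tries = 0;` declared beside the function. The same applies to `insidePBPaste`. `initAndRunTests` starts outside this hunk.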
diff --git a/seamonkey.spec b/seamonkey.spec
index 8dadf90..ae01b6e 100644
--- a/seamonkey.spec
+++ b/seamonkey.spec
@@ -9,7 +9,7 @@
 %define cairo_version 0.5
 
 %global minimum_build_nspr_version 4.10.2
-%global minimum_build_nss_version 3.15.0
+%global minimum_build_nss_version 3.15.3
 %global minimum_build_vpx_version 1.0.0
 
 %define build_langpacks 1
@@ -25,7 +25,7 @@
 Name:           seamonkey
 Summary:        Web browser, e-mail, news, IRC client, HTML editor
 Version:        2.21
-Release:        3.esr2%{?dist}
+Release:        4.ESR_24.3.0%{?dist}
 URL:            http://www.mozilla.org/projects/seamonkey/
 License:        MPLv2.0
 Group:          Applications/Internet
@@ -56,15 +56,17 @@ Patch1:         xulrunner-24.0-gcc47.patch
 Patch2:		xulrunner-24.0-jemalloc-ppc.patch
 Patch5:         seamonkey-8.0-enable-addons.patch
 Patch10:        seamonkey-idl-parser-cachepath.patch
-Patch20:	seamonkey-2.21-c++0x.patch
+Patch20:	seamonkey-2.21-ESR_24.3.0-c++0x.patch
 Patch22:	seamonkey-2.14-installdir.patch
 Patch23:	seamonkey-2.19-elfhack.patch
+Patch24:	seamonkey-2.21-ESR_24.3.0-nss_3_15_3.patch
 
 # ESR patches. Derived from the thunderbird ESR sources
 # from ftp://ftp.mozilla.org/pub/mozilla.org/thunderburd/releases/24.*/
 Patch2410:	seamonkey-2.21-esr1.0.patch
 Patch2411:	seamonkey-2.21-esr1.0-1.1.patch
 Patch2420:	seamonkey-2.21-esr1.1-2.0.patch
+Patch2430:	seamonkey-2.21-esr2.0-3.0.patch
 
 Buildroot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 %if %{with system_nspr}
@@ -148,6 +150,7 @@ cd %{sources_subdir}
 %patch2410 -p2 
 %patch2411 -p2 
 %patch2420 -p2 
+%patch2430 -p2
 
 pushd mozilla
 %patch1 -p2 -b .gcc47
@@ -157,10 +160,14 @@ popd
 %patch5 -p2 -b .addons
 %patch10 -p2 -b .idl-parser-cachepath
 
-#%patch20 -p2 -b .c++0x
+%patch20 -p2 -b .c++0x
 %patch22 -p2 -b .installdir
 %patch23 -p2 -b .elfhack
 
+%if %{with system_nss}
+%patch24 -p2 -b .nss3153
+%endif
+
 
 # fix obsoleted modifier in inspector
 sed -i -e 's/ *xpcnativewrappers=no//' mozilla/extensions/inspector/jar.mn
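Review bot: `%patch24` is applied only under `%{with system_nss}` and carries no comment saying what it changes. Going by its name and the `configure` file it touches, it presumably lowers the NSS version that configure demands to 3.15.3, matching the new `minimum_build_nss_version`. If upstream's configure for this ESR asks for a newer NSS, building against the older system library may leave out NSS fixes that upstream relies on, and the next ESR bump has no record to re-check. A comment above the `%if` would capture that, e.g. `# upstream configure wants NSS <UPSTREAM_MIN_VERSION>; system NSS is 3.15.3 - re-verify on every ESR update` (placeholder to be filled from the upstream tree).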
@@ -501,6 +508,12 @@ fi
 
 
 %changelog
+* Mon Feb 10 2014 Dmitry Butskoy <Dmitry at Butskoy.name> 2.21-4.ESR_24.3.0
+- apply Extended Support Release patches, derived from the thunderbird
+  esr24.3.0 tree
+- use exact ESR version in the release field
+- relax requirement of system nss to 3.15.3
+
 * Wed Dec 18 2013 Dmitry Butskoy <Dmitry at Butskoy.name> 2.21-3.esr2
 - apply Extended Support Release patches, derived from the thunderbird
   esr24.2.0 tree

