Backed out changeset f5abeef3c07e (bug 1957519) for causing bc failures on browser_clientAuthRememberService.js. UPGRADE_NSS_RELEASE CLOSED TREE

security/nss/automation/abi-check/expected-report-libnss3.so.txt

@@ -0,0 +1,21 @@
+
+3 Added functions:
+
+  'function const char* SECMOD_FlagsToPolicyString(PRUint32, PRBool)'    {SECMOD_FlagsToPolicyString@@NSS_3.110}
+  'function SECOidTag SECMOD_PolicyStringToOid(const char*, const char*)'    {SECMOD_PolicyStringToOid@@NSS_3.110}
+  'function PRUint32 SECMOD_PolicyStringToOpt(const char*)'    {SECMOD_PolicyStringToOpt@@NSS_3.110}
+  
+1 function with some indirect sub-type change:
+
+  [C]'function SECStatus CERT_AddOCSPAcceptableResponses(CERTOCSPRequest*, SECOidTag, ...)' at ocsp.c:2202:1 has some indirect sub-type changes:
+    parameter 2 of type 'typedef SECOidTag' has sub-type changes:
+      underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+        type size hasn't changed
+        1 enumerator insertion:
+          '__anonymous_enum__::SEC_OID_TLS_REQUIRE_EMS' value '390'
+
+        1 enumerator change:
+          '__anonymous_enum__::SEC_OID_TOTAL' from value '390' to '391' at secoidt.h:34:1
+
+
+

security/nss/automation/abi-check/expected-report-libnssutil3.so.txt

@@ -0,0 +1,15 @@
+
+1 function with some indirect sub-type change:
+
+  [C]'function SECOidTag HASH_GetHMACOidTagByHashOidTag_Util(SECOidTag)' at nsshash.c:149:1 has some indirect sub-type changes:
+    return type changed:
+      underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+        type size hasn't changed
+        1 enumerator insertion:
+          '__anonymous_enum__::SEC_OID_TLS_REQUIRE_EMS' value '390'
+
+        1 enumerator change:
+          '__anonymous_enum__::SEC_OID_TOTAL' from value '390' to '391' at secoidt.h:34:1
+
+
+

security/nss/automation/abi-check/expected-report-libsmime3.so.txt

@@ -0,0 +1,45 @@
+
+1 function with some indirect sub-type change:
+
+  [C]'function PK11SymKey* NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo*)' at cmscinfo.c:426:1 has some indirect sub-type changes:
+    parameter 1 of type 'NSSCMSContentInfo*' has sub-type changes:
+      in pointed to type 'typedef NSSCMSContentInfo' at cmst.h:54:1:
+        underlying type 'struct NSSCMSContentInfoStr' at cmst.h:126:1 changed:
+          type size hasn't changed
+          1 data member changes (2 filtered):
+           type of 'NSSCMSContent NSSCMSContentInfoStr::content' changed:
+             underlying type 'union NSSCMSContentUnion' at cmst.h:113:1 changed:
+               type size hasn't changed
+               1 data member changes (3 filtered):
+                type of 'NSSCMSEncryptedData* NSSCMSContentUnion::encryptedData' changed:
+                  in pointed to type 'typedef NSSCMSEncryptedData' at cmst.h:65:1:
+                    underlying type 'struct NSSCMSEncryptedDataStr' at cmst.h:470:1 changed:
+                      type size hasn't changed
+                      1 data member changes (1 filtered):
+                       type of 'NSSCMSAttribute** NSSCMSEncryptedDataStr::unprotectedAttr' changed:
+                         in pointed to type 'NSSCMSAttribute*':
+                           in pointed to type 'typedef NSSCMSAttribute' at cmst.h:69:1:
+                             underlying type 'struct NSSCMSAttributeStr' at cmst.h:489:1 changed:
+                               type size hasn't changed
+                               1 data member change:
+                                type of 'SECOidData* NSSCMSAttributeStr::typeTag' changed:
+                                  in pointed to type 'typedef SECOidData' at secoidt.h:16:1:
+                                    underlying type 'struct SECOidDataStr' at secoidt.h:553:1 changed:
+                                      type size hasn't changed
+                                      1 data member change:
+                                       type of 'SECOidTag SECOidDataStr::offset' changed:
+                                         underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+                                           type size hasn't changed
+                                           1 enumerator insertion:
+                                             '__anonymous_enum__::SEC_OID_TLS_REQUIRE_EMS' value '390'
+
+                                           1 enumerator change:
+                                             '__anonymous_enum__::SEC_OID_TOTAL' from value '390' to '391' at secoidt.h:34:1
+
+
+
+
+
+
+
+

security/nss/automation/abi-check/previous-nss-release

@@ -1 +1 @@
-NSS_3_110_BRANCH
+NSS_3_109_BRANCH

security/nss/automation/taskcluster/scripts/cryptofuzz.sh

@@ -29,7 +29,7 @@ popd
 # Run Cryptofuzz.
 # Decrease the default ASAN quarantine size of 256 MB as we tend to run
 # out of memory on 32-bit.
-ASAN_OPTIONS="quarantine_size_mb=64" ./cryptofuzz/cryptofuzz -dict="cryptofuzz-dict.txt" --force-module=nss "nss/fuzz/corpus/cryptofuzz" "$@"
+ASAN_OPTIONS="quarantine_size_mb=128" ./cryptofuzz/cryptofuzz -dict="cryptofuzz-dict.txt" --force-module=nss "nss/fuzz/corpus/cryptofuzz" "$@"
 
 # Alert if version is older than half a year.
 cryptofuzz_timestamp=$(git -C cryptofuzz show -s --format=%ct $CRYPTOFUZZ_VERSION)

security/nss/cmd/dbtool/dbtool.c

@@ -309,7 +309,7 @@ makeNSSVendorName(CK_ATTRIBUTE_TYPE attribute, const char *nameType)
     static char nss_name[256];
     const char *name = NULL;
     if ((attribute >= CKA_NSS) && (attribute < 0xffffffffUL)) {
-        snprintf(nss_name, sizeof(nss_name), "%s+%d", nameType, (int)(attribute - CKA_NSS));
+        sprintf(nss_name, "%s+%d", nameType, (int)(attribute - CKA_NSS));
         name = nss_name;
     }
     return name;
@@ -546,7 +546,7 @@ dumpSignature(CK_ATTRIBUTE_TYPE attribute, SDB *keydb, PRBool isKey,
     if (!force && !isAuthenticatedAttribute(attribute)) {
         return;
     }
-    snprintf(id, sizeof(id), META_SIG_TEMPLATE,
+    sprintf(id, META_SIG_TEMPLATE,
             isKey ? "key" : "cert",
             (unsigned int)objectID, (unsigned int)attribute);
     printf("        Signature %s:", id);
@@ -555,7 +555,7 @@ dumpSignature(CK_ATTRIBUTE_TYPE attribute, SDB *keydb, PRBool isKey,
 
     crv = (*keydb->sdb_GetMetaData)(keydb, id, &signText, NULL);
     if ((crv != CKR_OK) && isKey) {
-        snprintf(id, sizeof(id), META_SIG_TEMPLATE,
+        sprintf(id, META_SIG_TEMPLATE,
                 isKey ? "key" : "cert", (unsigned int)(objectID | SFTK_KEYDB_TYPE | SFTK_TOKEN_TYPE),
                 (unsigned int)attribute);
         crv = (*keydb->sdb_GetMetaData)(keydb, id, &signText, NULL);
@@ -730,11 +730,11 @@ secu_ConfigDirectory(const char *base)
             home = "";
 
         if (*home && home[strlen(home) - 1] == '/')
-            snprintf(buf, sizeof(buf), "%.900s%s", home, dir);
+            sprintf(buf, "%.900s%s", home, dir);
         else
-            snprintf(buf, sizeof(buf), "%.900s/%s", home, dir);
+            sprintf(buf, "%.900s/%s", home, dir);
     } else {
-        snprintf(buf, sizeof(buf), "%.900s", base);
+        sprintf(buf, "%.900s", base);
         if (buf[strlen(buf) - 1] == '/')
             buf[strlen(buf) - 1] = 0;
     }

security/nss/cmd/selfserv/Makefile

@@ -24,7 +24,6 @@ include $(CORE_DEPTH)/coreconf/config.mk
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################
 include ../platlibs.mk
-include $(CORE_DEPTH)/coreconf/zlib.mk
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #

security/nss/cmd/selfserv/selfserv.c

@@ -43,7 +43,6 @@
 #include "certt.h"
 #include "ocsp.h"
 #include "nssb64.h"
-#include "zlib.h"
 
 #ifndef PORT_Strstr
 #define PORT_Strstr strstr
@@ -168,7 +167,7 @@ PrintUsageHeader(const char *progName)
             "         [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n"
             "         [-C SSLCacheEntries] [-S dsa_nickname] [-Q]\n"
             "         [-I groups] [-J signatureschemes] [-e ec_nickname]\n"
-            "         -U [0|1] -H [0|1|2] -W [0|1] [-z externalPsk] -q\n"
+            "         -U [0|1] -H [0|1|2] -W [0|1] [-z externalPsk]\n"
             "\n",
             progName);
 }
@@ -254,8 +253,7 @@ PrintParameterUsage()
         "         \"publicname:\". For example, \"publicname:example.com\". In this mode,\n"
         "         an ephemeral ECH keypair is generated and ECHConfigs are printed to stdout.\n"
         "      2. As a Base64 tuple of <ECHRawPrivateKey> || <ECHConfigs>. In this mode, the\n"
-        "         raw private key is used to bootstrap the HPKE context.\n"
+        "         raw private key is used to bootstrap the HPKE context.\n",
-        "-q Enable zlib certificate compression\n",
         stderr);
 }
 
@@ -823,7 +821,6 @@ PRBool NoReuse = PR_FALSE;
 PRBool hasSidCache = PR_FALSE;
 PRBool disableLocking = PR_FALSE;
 PRBool enableSessionTickets = PR_FALSE;
-PRBool enableZlibCertificateCompression = PR_FALSE;
 PRBool failedToNegotiateName = PR_FALSE;
 PRBool enableExtendedMasterSecret = PR_FALSE;
 PRBool zeroRTT = PR_FALSE;
@@ -2070,57 +2067,6 @@ configureEch(PRFileDesc *model_sock)
     return configureEchWithData(model_sock);
 }
 
-static SECStatus
-zlibCertificateDecode(const SECItem *input,
-                      unsigned char *output, size_t outputLen,
-                      size_t *usedLen)
-{
-    if (!input || !input->data || input->len == 0 || !output || outputLen == 0) {
-        PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
-        return SECFailure;
-    }
-
-    *usedLen = outputLen;
-
-    int ret = uncompress(output, (unsigned long *)usedLen, input->data, input->len);
-    if (ret != Z_OK) {
-        PR_SetError(SEC_ERROR_BAD_DATA, 0);
-        return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-static SECStatus
-zlibCertificateEncode(const SECItem *input, SECItem *output)
-{
-    if (!input || !input->data || input->len == 0 || !output) {
-        PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
-        return SECFailure;
-    }
-
-    unsigned long maxCompressedLen = compressBound(input->len);
-    SECITEM_AllocItem(NULL, output, maxCompressedLen);
-
-    int ret = compress(output->data, (unsigned long *)&output->len, input->data, input->len);
-    if (ret != Z_OK) {
-        PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
-        return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-static SECStatus
-configureZlibCompression(PRFileDesc *model_sock)
-{
-    SSLCertificateCompressionAlgorithm zlibAlg = { 1, "zlib",
-                                                   zlibCertificateEncode,
-                                                   zlibCertificateDecode };
-
-    return SSL_SetCertificateCompressionAlgorithm(model_sock, zlibAlg);
-}
-
 void
 server_main(
     PRFileDesc *listen_sock,
@@ -2177,13 +2123,6 @@ server_main(
         }
     }
 
-    if (enableZlibCertificateCompression) {
-        rv = configureZlibCompression(model_sock);
-        if (rv != SECSuccess) {
-            errExit("error enabling Zlib Certificate Compression");
-        }
-    }
-
     if (virtServerNameIndex > 1) {
         rv = SSL_SNISocketConfigHook(model_sock, mySSLSNISocketConfig,
                                      (void *)&virtServerNameArray);
@@ -2594,7 +2533,7 @@ main(int argc, char **argv)
     ** XXX: 'B', and 'q' were used in the past but removed
     **      in 3.28, please leave some time before resuing those. */
     optstate = PL_CreateOptState(argc, argv,
-                                 "2:A:C:DEGH:I:J:L:M:NP:QRS:T:U:V:W:X:YZa:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:x:yz:");
+                                 "2:A:C:DEGH:I:J:L:M:NP:QRS:T:U:V:W:X:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:x:yz:");
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
         ++optionsFound;
         switch (optstate->option) {
@@ -2779,10 +2718,6 @@ main(int argc, char **argv)
                 port = PORT_Atoi(optstate->value);
                 break;
 
-            case 'q':
-                enableZlibCertificateCompression = PR_TRUE;
-                break;
-
             case 'r':
                 ++requestCert;
                 break;

security/nss/cmd/selfserv/selfserv.gyp

@@ -15,8 +15,7 @@
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:dbm_exports',
-        '<(DEPTH)/exports.gyp:nss_exports',
+        '<(DEPTH)/exports.gyp:nss_exports'
-        '<(DEPTH)/lib/zlib/zlib.gyp:nss_zlib'
       ]
     }
   ],
@@ -28,4 +27,4 @@
   'variables': {
     'module': 'nss'
   }
-}
+}

security/nss/coreconf/config.mk

@@ -259,22 +259,3 @@ DEFINES += -DNO_NSPR_10_SUPPORT
 
 # Hide old, deprecated, TLS cipher suite names when building NSS
 DEFINES += -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES
-
-
-# By default the PKCS5_PBKD2_PARAMS(structure) version is determined based on the
-# cryptokiVersion of the token, PKCS5_PBKD2_PARAMS2 structure is used for version
-# 2.40 or later, PKCS5_PBKD2_PARAMS structure is used otherwise.
-# This define allows to force the use of PKCS5_PBKD2_PARAMS2 structure only.
-ifeq ($(SOFTOKEN_USE_PKCS5_PBKD2_PARAMS2_ONLY),1)
-    DEFINES += -DSOFTOKEN_USE_PKCS5_PBKD2_PARAMS2_ONLY
-endif
-
-# By default the PKCS5_PBKD2_PARAMS(structure) version is auto-detected based on
-# the difference between the two structures, in this case the password length is
-# limited to 8192 bytes.
-# Using this define, only PKCS5_PBKD2_PARAMS2 structure is expected, this can cause
-# segmentation fault if PKCS5_PBKD2_PARAMS structure is provided!).
-# Additional the password length is not limited with this option.
-ifeq ($(NSS_USE_PKCS5_PBKD2_PARAMS2_ONLY),1)
-    DEFINES += -DNSS_USE_PKCS5_PBKD2_PARAMS2_ONLY
-endif

security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc

@@ -324,26 +324,6 @@ TEST_P(TlsConnectClientAuth, ClientAuth) {
   client_->CheckClientAuthCompleted();
 }
 
-TEST_F(TlsConnectStreamTls13, ClientAuthWithMultipleTickets) {
-  client_->SetupClientAuth();
-  server_->RequestClientAuth(true);
-
-  ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
-  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
-
-  auto cb = [](PRFileDesc* fd, const PRUint8* ticket, unsigned int ticket_len,
-               void* arg) -> SECStatus { return SECSuccess; };
-  EXPECT_EQ(SECSuccess,
-            SSL_SetResumptionTokenCallback(client_->ssl_fd(), cb, nullptr));
-
-  Connect();
-  SendReceive(50);
-  CheckKeys();
-  // An automatic ticket has already been sent. This sends another one.
-  EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), nullptr, 0));
-  SendReceive(100);
-}
-
 // All stream only tests; PostHandshakeAuth isn't supported for DTLS.
 
 TEST_P(TlsConnectClientAuthStream13, PostHandshakeAuth) {

security/nss/lib/ckfw/builtins/certdata.txt

@@ -200,7 +200,7 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\013\004\000\000\000\000\001\025\113\132\303\224
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
@@ -366,7 +366,7 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\070\143\336\370
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
@@ -500,7 +500,7 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\002\000\000\271
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
@@ -946,7 +946,7 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
@@ -1452,7 +1452,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\120\224\154\354\030\352\325\234\115\325\227\357\165\217
 \240\255
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
@@ -1598,8 +1598,8 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
@@ -1745,8 +1745,8 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 

security/nss/lib/ckfw/builtins/nssckbi.h

@@ -46,8 +46,8 @@
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 76
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 74
-#define NSS_BUILTINS_LIBRARY_VERSION "2.76"
+#define NSS_BUILTINS_LIBRARY_VERSION "2.74"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

security/nss/lib/nss/nss.h

@@ -22,12 +22,12 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION "3.111" _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION "3.110" _NSS_CUSTOMIZED
 #define NSS_VMAJOR 3
-#define NSS_VMINOR 111
+#define NSS_VMINOR 110
 #define NSS_VPATCH 0
 #define NSS_VBUILD 0
-#define NSS_BETA PR_TRUE
+#define NSS_BETA PR_FALSE
 
 #ifndef RC_INVOKED
 

security/nss/lib/pk11wrap/pk11pbe.c

@@ -940,15 +940,15 @@ pbe_PK11AlgidToParam(SECAlgorithmID *algid, SECItem *mech)
      * based on the algorithm. */
     if (algorithm == SEC_OID_PKCS5_PBKDF2) {
         SECOidTag prfAlgTag;
-        CK_PKCS5_PBKD2_PARAMS2 *pbeV2_params =
+        CK_PKCS5_PBKD2_PARAMS *pbeV2_params =
-            (CK_PKCS5_PBKD2_PARAMS2 *)PORT_ZAlloc(
+            (CK_PKCS5_PBKD2_PARAMS *)PORT_ZAlloc(
-                PR_MAX(sizeof(CK_PKCS5_PBKD2_PARAMS2), sizeof(CK_PKCS5_PBKD2_PARAMS)) + salt->len);
+                sizeof(CK_PKCS5_PBKD2_PARAMS) + salt->len);
 
         if (pbeV2_params == NULL) {
             goto loser;
         }
         paramData = (unsigned char *)pbeV2_params;
-        paramLen = PR_MAX(sizeof(CK_PKCS5_PBKD2_PARAMS2), sizeof(CK_PKCS5_PBKD2_PARAMS));
+        paramLen = sizeof(CK_PKCS5_PBKD2_PARAMS);
 
         /* set the prf */
         prfAlgTag = SEC_OID_HMAC_SHA1;
@@ -981,7 +981,7 @@ pbe_PK11AlgidToParam(SECAlgorithmID *algid, SECItem *mech)
         pbeV2_params->pPrfData = NULL;
         pbeV2_params->ulPrfDataLen = 0;
         pbeV2_params->saltSource = CKZ_SALT_SPECIFIED;
-        pSalt = ((CK_CHAR_PTR)pbeV2_params) + PR_MAX(sizeof(CK_PKCS5_PBKD2_PARAMS2), sizeof(CK_PKCS5_PBKD2_PARAMS));
+        pSalt = ((CK_CHAR_PTR)pbeV2_params) + sizeof(CK_PKCS5_PBKD2_PARAMS);
         if (salt->data) {
             PORT_Memcpy(pSalt, salt->data, salt->len);
         }
@@ -1420,12 +1420,7 @@ pk11_RawPBEKeyGenWithKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
                              SECItem *params, CK_KEY_TYPE keyType, int keyLen,
                              SECItem *pwitem, void *wincx)
 {
-#ifndef SOFTOKEN_USE_PKCS5_PBKD2_PARAMS2_ONLY
-    SECItem _params = { 0, NULL, 0 };
-    CK_PKCS5_PBKD2_PARAMS pbev2_1_params;
     CK_ULONG pwLen;
-#endif
-
     /* do some sanity checks */
     if ((params == NULL) || (params->data == NULL)) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -1439,39 +1434,15 @@ pk11_RawPBEKeyGenWithKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
 
     /* set the password pointer in the parameters... */
     if (type == CKM_PKCS5_PBKD2) {
-        CK_PKCS5_PBKD2_PARAMS2 *pbev2_params;
+        CK_PKCS5_PBKD2_PARAMS *pbev2_params;
-
+        if (params->len < sizeof(CK_PKCS5_PBKD2_PARAMS)) {
-        if ((params->len < PR_MIN(sizeof(CK_PKCS5_PBKD2_PARAMS2), sizeof(CK_PKCS5_PBKD2_PARAMS))) ||
-            pwitem->len > CK_PKCS5_PBKD2_PARAMS_MAX_PWD_LEN) {
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             return NULL;
         }
-        pbev2_params = (CK_PKCS5_PBKD2_PARAMS2 *)params->data;
+        pbev2_params = (CK_PKCS5_PBKD2_PARAMS *)params->data;
         pbev2_params->pPassword = pwitem->data;
-
+        pwLen = pwitem->len;
-#ifdef SOFTOKEN_USE_PKCS5_PBKD2_PARAMS2_ONLY
+        pbev2_params->ulPasswordLen = &pwLen;
-        pbev2_params->ulPasswordLen = pwitem->len;
-#else
-        CK_VERSION cryptokiVersion = slot->module->cryptokiVersion;
-        if (cryptokiVersion.major < 2 ||
-            (cryptokiVersion.major == 2 && cryptokiVersion.minor < 40)) {
-            /* CK_PKCS5_PBKD2_PARAMS */
-            _params.type = params->type;
-            _params.data = (CK_CHAR_PTR)&pbev2_1_params;
-            _params.len = sizeof(CK_PKCS5_PBKD2_PARAMS);
-            params = &_params;
-            memcpy(&pbev2_1_params, pbev2_params,
-                   PR_MIN(sizeof(CK_PKCS5_PBKD2_PARAMS2),
-                          sizeof(CK_PKCS5_PBKD2_PARAMS)));
-
-            pwLen = pwitem->len;
-            pbev2_1_params.ulPasswordLen = &pwLen;
-        } else {
-            /* CK_PKCS5_PBKD2_PARAMS2 */
-            pbev2_params->ulPasswordLen = pwitem->len;
-        }
-#endif
-
     } else {
         CK_PBE_PARAMS *pbe_params;
         if (params->len < sizeof(CK_PBE_PARAMS)) {
@@ -1484,7 +1455,8 @@ pk11_RawPBEKeyGenWithKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
     }
 
     /* generate the key (and sometimes the IV as a side effect...) */
-    return pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, params, keyType, keyLen, NULL,
+    return pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, params, keyType,
+                                               keyLen, NULL,
                                                CKF_SIGN | CKF_ENCRYPT | CKF_DECRYPT | CKF_UNWRAP | CKF_WRAP,
                                                0, wincx);
 }

security/nss/lib/softoken/pkcs11c.c

@@ -4220,47 +4220,20 @@ nsc_pbe_key_gen(NSSPKCS5PBEParameter *pkcs5_pbe, CK_MECHANISM_PTR pMechanism,
 {
     SECItem *pbe_key = NULL, iv, pwitem;
     CK_PBE_PARAMS *pbe_params = NULL;
-    CK_PKCS5_PBKD2_PARAMS2 *pbkd2_params = NULL;
+    CK_PKCS5_PBKD2_PARAMS *pbkd2_params = NULL;
 
     *key_length = 0;
     iv.data = NULL;
     iv.len = 0;
 
     if (pMechanism->mechanism == CKM_PKCS5_PBKD2) {
-        pbkd2_params = (CK_PKCS5_PBKD2_PARAMS2 *)pMechanism->pParameter;
+        if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PKCS5_PBKD2_PARAMS))) {
-        if (!pMechanism->pParameter) {
             return CKR_MECHANISM_PARAM_INVALID;
         }
-
+        pbkd2_params = (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
-#ifdef NSS_USE_PKCS5_PBKD2_PARAMS2_ONLY
-        if (pMechanism->ulParameterLen < sizeof(CK_PKCS5_PBKD2_PARAMS2)) {
-            return CKR_MECHANISM_PARAM_INVALID;
-        }
-        pwitem.len = pbkd2_params->ulPasswordLen;
-#else
-        int v2;
-        if (pMechanism->ulParameterLen < PR_MIN(sizeof(CK_PKCS5_PBKD2_PARAMS),
-                                                sizeof(CK_PKCS5_PBKD2_PARAMS2))) {
-            return CKR_MECHANISM_PARAM_INVALID;
-        }
-
-        if (sizeof(CK_PKCS5_PBKD2_PARAMS2) != sizeof(CK_PKCS5_PBKD2_PARAMS)) {
-            if (pMechanism->ulParameterLen == sizeof(CK_PKCS5_PBKD2_PARAMS)) {
-                v2 = 0;
-            } else if (pMechanism->ulParameterLen == sizeof(CK_PKCS5_PBKD2_PARAMS2)) {
-                v2 = 1;
-            } else {
-                return CKR_MECHANISM_PARAM_INVALID;
-            }
-        } else {
-            /* it's unlikely that the password will be longer than 2048 bytes, if so it is
-             * most likely a pointer => CK_PKCS5_PBKD2_PARAMS */
-            v2 = pbkd2_params->ulPasswordLen <= CK_PKCS5_PBKD2_PARAMS_MAX_PWD_LEN;
-        }
-        pwitem.len = v2 ? pbkd2_params->ulPasswordLen : *((CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter)->ulPasswordLen;
-#endif
-
         pwitem.data = (unsigned char *)pbkd2_params->pPassword;
+        /* was this a typo in the PKCS #11 spec? */
+        pwitem.len = *pbkd2_params->ulPasswordLen;
     } else {
         if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PBE_PARAMS))) {
             return CKR_MECHANISM_PARAM_INVALID;
@@ -4649,7 +4622,7 @@ nsc_SetupPBEKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter **pbe,
     CK_PBE_PARAMS *pbe_params = NULL;
     NSSPKCS5PBEParameter *params = NULL;
     HASH_HashType hashType = HASH_AlgSHA1;
-    CK_PKCS5_PBKD2_PARAMS2 *pbkd2_params = NULL;
+    CK_PKCS5_PBKD2_PARAMS *pbkd2_params = NULL;
     SECItem salt;
     CK_ULONG iteration = 0;
 
@@ -4661,11 +4634,10 @@ nsc_SetupPBEKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter **pbe,
     }
 
     if (pMechanism->mechanism == CKM_PKCS5_PBKD2) {
-        if (pMechanism->ulParameterLen < PR_MIN(sizeof(CK_PKCS5_PBKD2_PARAMS2),
+        if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PKCS5_PBKD2_PARAMS))) {
-                                                sizeof(CK_PKCS5_PBKD2_PARAMS))) {
             return CKR_MECHANISM_PARAM_INVALID;
         }
-        pbkd2_params = (CK_PKCS5_PBKD2_PARAMS2 *)pMechanism->pParameter;
+        pbkd2_params = (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
         switch (pbkd2_params->prf) {
             case CKP_PKCS5_PBKD2_HMAC_SHA1:
                 hashType = HASH_AlgSHA1;

security/nss/lib/softoken/softkver.h

@@ -17,11 +17,11 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION "3.111" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VERSION "3.110" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR 3
-#define SOFTOKEN_VMINOR 111
+#define SOFTOKEN_VMINOR 110
 #define SOFTOKEN_VPATCH 0
 #define SOFTOKEN_VBUILD 0
-#define SOFTOKEN_BETA PR_TRUE
+#define SOFTOKEN_BETA PR_FALSE
 
 #endif /* _SOFTKVER_H_ */

security/nss/lib/ssl/ssl3con.c

@@ -12492,9 +12492,6 @@ ssl3_FillInCachedSID(sslSocket *ss, sslSessionID *sid, PK11SymKey *secret)
     sid->sigScheme = ss->sec.signatureScheme;
     sid->lastAccessTime = sid->creationTime = ssl_Time(ss);
     sid->expirationTime = sid->creationTime + (ssl_ticket_lifetime * PR_USEC_PER_SEC);
-    if (sid->localCert) {
-        CERT_DestroyCertificate(sid->localCert);
-    }
     sid->localCert = CERT_DupCertificate(ss->sec.localCert);
     if (ss->sec.isServer) {
         sid->namedCurve = ss->sec.serverCert->namedCurve;

security/nss/lib/ssl/sslsock.c

@@ -313,13 +313,6 @@ ssl_DupSocket(sslSocket *os)
 
     ss->ssl3.dheWeakGroupEnabled = os->ssl3.dheWeakGroupEnabled;
 
-    PORT_Memcpy(ss->ssl3.supportedCertCompressionAlgorithms,
-                os->ssl3.supportedCertCompressionAlgorithms,
-                sizeof(ss->ssl3.supportedCertCompressionAlgorithms[0]) *
-                    os->ssl3.supportedCertCompressionAlgorithmsCount);
-    ss->ssl3.supportedCertCompressionAlgorithmsCount =
-        os->ssl3.supportedCertCompressionAlgorithmsCount;
-
     if (ss->opt.useSecurity) {
         PRCList *cursor;
 

security/nss/lib/ssl/tls13con.c

@@ -2369,7 +2369,6 @@ tls13_HandleClientHelloPart2(sslSocket *ss,
             }
             tls13_RestoreCipherInfo(ss, sid);
 
-            PORT_Assert(!ss->sec.localCert);
             ss->sec.localCert = CERT_DupCertificate(ss->sec.serverCert->serverCert);
             if (sid->peerCert != NULL) {
                 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);

security/nss/lib/util/nssutil.h

@@ -19,12 +19,12 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION "3.111 Beta"
+#define NSSUTIL_VERSION "3.110"
 #define NSSUTIL_VMAJOR 3
-#define NSSUTIL_VMINOR 111
+#define NSSUTIL_VMINOR 110
 #define NSSUTIL_VPATCH 0
 #define NSSUTIL_VBUILD 0
-#define NSSUTIL_BETA PR_TRUE
+#define NSSUTIL_BETA PR_FALSE
 
 SEC_BEGIN_PROTOS
 

security/nss/lib/util/pkcs11n.h

@@ -411,31 +411,90 @@ typedef struct CK_NSS_HKDFParams {
 /*
  * CK_NSS_IKE_PRF_PLUS_PARAMS is a structure that provides the parameters to
  * the CKM_NSS_IKE_PRF_PLUS_DERIVE mechanism.
- * It is now standardized, so The struct is just an alias for the standard
+ * The fields of the structure have the following meanings:
- * struct in pkcs11t.h.
+ *      prfMechanism    underlying MAC mechanism used to generate the prf.
+ *      bHasSeedKey     hSeed key is present.
+ *      hSeedKey        optional seed from key
+ *      pSeedData       optional seed from data.
+ *      ulSeedDataLen   length of optional seed data.
+ *        If no seed data is present this value is NULL.
  */
-typedef struct CK_IKE2_PRF_PLUS_DERIVE_PARAMS CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS;
+typedef struct CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS {
+    CK_MECHANISM_TYPE prfMechanism;
+    CK_BBOOL bHasSeedKey;
+    CK_OBJECT_HANDLE hSeedKey;
+    CK_BYTE_PTR pSeedData;
+    CK_ULONG ulSeedDataLen;
+} CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS;
 
 /* CK_NSS_IKE_PRF_DERIVE_PARAMS is a structure that provides the parameters to
- * the CKM_NSS_IKE_PRF_DERIVE mechanism.
+ *  the CKM_NSS_IKE_PRF_DERIVE mechanism.
- * It is now standardized, so The struct is just an alias for the standard
+ *
- * struct in pkcs11t.h.
+ * The fields of the structure have the following meanings:
+ *     prfMechanism underlying MAC mechanism used to generate the prf.
+ *     bRekey       hNewKey is present.
+ *     pNi          Ni value
+ *     ulNiLen      length of Ni
+ *     pNr          Nr value
+ *     ulNrLen      length of Nr
+ *     hNewKey      New key value to drive the rekey.
  */
-typedef struct CK_IKE_PRF_DERIVE_PARAMS CK_NSS_IKE_PRF_DERIVE_PARAMS;
+typedef struct CK_NSS_IKE_PRF_DERIVE_PARAMS {
+    CK_MECHANISM_TYPE prfMechanism;
+    CK_BBOOL bDataAsKey;
+    CK_BBOOL bRekey;
+    CK_BYTE_PTR pNi;
+    CK_ULONG ulNiLen;
+    CK_BYTE_PTR pNr;
+    CK_ULONG ulNrLen;
+    CK_OBJECT_HANDLE hNewKey;
+} CK_NSS_IKE_PRF_DERIVE_PARAMS;
 
 /* CK_NSS_IKE1_PRF_DERIVE_PARAMS is a structure that provides the parameters
  * to the CKM_NSS_IKE_PRF_DERIVE mechanism.
- * It is now standardized, so The struct is just an alias for the standard
+ *
- * struct in pkcs11t.h.
+ * The fields of the structure have the following meanings:
+ *     prfMechanism  underlying MAC mechanism used to generate the prf.
+ *     bRekey        hNewKey is present.
+ *     pCKYi         CKYi value
+ *     ulCKYiLen     length of CKYi
+ *     pCKYr         CKYr value
+ *     ulCKYrLen     length of CKYr
+ *     hNewKey       New key value to drive the rekey.
  */
-typedef struct CK_IKE1_PRF_DERIVE_PARAMS CK_NSS_IKE1_PRF_DERIVE_PARAMS;
+typedef struct CK_NSS_IKE1_PRF_DERIVE_PARAMS {
+    CK_MECHANISM_TYPE prfMechanism;
+    CK_BBOOL bHasPrevKey;
+    CK_OBJECT_HANDLE hKeygxy;
+    CK_OBJECT_HANDLE hPrevKey;
+    CK_BYTE_PTR pCKYi;
+    CK_ULONG ulCKYiLen;
+    CK_BYTE_PTR pCKYr;
+    CK_ULONG ulCKYrLen;
+    CK_BYTE keyNumber;
+} CK_NSS_IKE1_PRF_DERIVE_PARAMS;
 
 /* CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS is a structure that provides the
  * parameters to the CKM_NSS_IKE_APP_B_PRF_DERIVE mechanism.
- * It is now standardized, so The struct is just an alias for the standard
+ *
- * struct in pkcs11t.h.
+ * The fields of the structure have the following meanings:
+ *     prfMechanism  underlying MAC mechanism used to generate the prf.
+ *     bHasKeygxy    hKeygxy exists
+ *     hKeygxy       optional key to hash in the prf
+ *     pExtraData    optional extra data to hash in the prf
+ *     ulExtraData   length of the optional extra data.
+ *
+ * CK_NSS_IKE_APP_B_PRF_DERIVE can take wither CK_NSS_IKE1_APP_B_PRF_DRIVE_PARAMS
+ * or a single CK_MECHANISM_TYPE. In the latter cases bHashKeygx is assumed to
+ * be false and ulExtraDataLen is assumed to be '0'.
  */
-typedef struct CK_IKE1_EXTENDED_DERIVE_PARAMS CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS;
+typedef struct CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS {
+    CK_MECHANISM_TYPE prfMechanism;
+    CK_BBOOL bHasKeygxy;
+    CK_OBJECT_HANDLE hKeygxy;
+    CK_BYTE_PTR pExtraData;
+    CK_ULONG ulExtraDataLen;
+} CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS;
 
 /*
  * Parameter for the TLS extended master secret key derivation mechanisms:

security/nss/lib/util/pkcs11t.h

@@ -35,7 +35,7 @@
 #endif
 
 #define CRYPTOKI_VERSION_MAJOR 3
-#define CRYPTOKI_VERSION_MINOR 1
+#define CRYPTOKI_VERSION_MINOR 0
 #define CRYPTOKI_VERSION_AMENDMENT 0
 
 /* an unsigned 8-bit value */
@@ -93,6 +93,7 @@ typedef struct CK_INFO {
     CK_VERSION cryptokiVersion;     /* PKCS #11 interface ver */
     CK_UTF8CHAR manufacturerID[32]; /* blank padded */
     CK_FLAGS flags;                 /* must be zero */
+
     /* libraryDescription and libraryVersion are new for v2.0 */
     CK_UTF8CHAR libraryDescription[32]; /* blank padded */
     CK_VERSION libraryVersion;          /* version of library */
@@ -106,7 +107,6 @@ typedef CK_INFO CK_PTR CK_INFO_PTR;
  * for v2.0 */
 typedef CK_ULONG CK_NOTIFICATION;
 #define CKN_SURRENDER 0
-#define CKN_OTP_CHANGED 1
 
 typedef CK_ULONG CK_SLOT_ID;
 
@@ -330,7 +330,6 @@ typedef CK_ULONG CK_OBJECT_CLASS;
 #define CKO_HW_FEATURE 0x00000005UL
 #define CKO_DOMAIN_PARAMETERS 0x00000006UL
 #define CKO_MECHANISM 0x00000007UL
-#define CKO_OTP_KEY 0x00000008UL
 #define CKO_PROFILE 0x00000009UL
 #define CKO_VENDOR_DEFINED 0x80000000UL
 
@@ -339,7 +338,6 @@ typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
 /* CK_PROFILE_ID is new for v3.00. CK_PROFILE_ID is a value that
  * identifies the profile that the token supports. */
 typedef CK_ULONG CK_PROFILE_ID;
-typedef CK_PROFILE_ID CK_PTR CK_PROFILE_ID_PTR;
 
 /* Profile ID's */
 #define CKP_INVALID_ID 0x00000000UL
@@ -347,9 +345,6 @@ typedef CK_PROFILE_ID CK_PTR CK_PROFILE_ID_PTR;
 #define CKP_EXTENDED_PROVIDER 0x00000002UL
 #define CKP_AUTHENTICATION_TOKEN 0x00000003UL
 #define CKP_PUBLIC_CERTIFICATES_TOKEN 0x00000004UL
-#define CKP_COMPLETE_PROVIDER 0x00000005UL
-#define CKP_HKDF_TLS_TOKEN 0x00000006UL
-
 #define CKP_VENDOR_DEFINED 0x80000000UL
 
 /* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
@@ -405,11 +400,6 @@ typedef CK_ULONG CK_KEY_TYPE;
 #define CKK_BLOWFISH 0x00000020UL
 #define CKK_TWOFISH 0x00000021UL
 
-/* New for v3.1 */
-#define CKK_SECURID 0x00000022UL
-#define CKK_ACTI 0x00000024UL
-#define CKK_HOTP 0x00000023UL
-
 /* Camellia is proposed for v2.20 Amendment 3 */
 #define CKK_CAMELLIA 0x00000025UL
 
@@ -452,9 +442,6 @@ typedef CK_ULONG CK_KEY_TYPE;
 #define CKK_SHA512_256_HMAC 0x00000044UL
 #define CKK_SHA512_T_HMAC 0x00000045UL
 
-/* New for v3.1 */
-#define CKK_HSS 0x00000046UL
-
 #define CKK_VENDOR_DEFINED 0x80000000UL
 
 /* CK_CERTIFICATE_TYPE is a value that identifies a certificate
@@ -679,16 +666,6 @@ typedef CK_ULONG CK_JAVA_MIDP_SECURITY_DOMAIN;
 #define CKA_X2RATCHET_PNS 0x00000611UL
 #define CKA_X2RATCHET_RK 0x00000612UL
 
-/* new for v3.1 */
-#define CKA_HSS_KEYS_REMAINING 0x0000061cUL
-#define CKA_HSS_LEVELS 0x00000617UL
-#define CKA_HSS_LMOTS_TYPE 0x00000619UL
-#define CKA_HSS_LMOTS_TYPES 0x0000061bUL
-#define CKA_HSS_LMS_TYPE 0x00000618UL
-#define CKA_HSS_LMS_TYPES 0x0000061aUL
-#define CKA_NAME_HASH_ALGORITHM 0x0000008cUL
-#define CKA_UNIQUE_ID 0x00000004UL
-
 #define CKA_VENDOR_DEFINED 0x80000000UL
 
 /* CK_ATTRIBUTE is a structure that includes the type, length
@@ -696,6 +673,7 @@ typedef CK_ULONG CK_JAVA_MIDP_SECURITY_DOMAIN;
 typedef struct CK_ATTRIBUTE {
     CK_ATTRIBUTE_TYPE type;
     CK_VOID_PTR pValue;
+
     /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
     CK_ULONG ulValueLen; /* in bytes */
 } CK_ATTRIBUTE;
@@ -1140,7 +1118,6 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
 #define CKM_CAMELLIA_CBC_PAD 0x00000555UL
 #define CKM_CAMELLIA_ECB_ENCRYPT_DATA 0x00000556UL
 #define CKM_CAMELLIA_CBC_ENCRYPT_DATA 0x00000557UL
-#define CKM_CAMELLIA_CTR 0x00000558UL
 
 /* new for v2.40 */
 #define CKM_ARIA_KEY_GEN 0x00000560UL
@@ -1161,9 +1138,6 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
 #define CKM_SEED_ECB_ENCRYPT_DATA 0x00000656UL
 #define CKM_SEED_CBC_ENCRYPT_DATA 0x00000657UL
 
-/* new for v3.1 */
-#define CKM_KEA_DERIVE 0x00001012UL
-
 /* new for v2.40 */
 #define CKM_ECDSA_SHA3_224 0x00001047UL
 #define CKM_ECDSA_SHA3_256 0x00001048UL
@@ -1173,11 +1147,6 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
 #define CKM_EC_MONTGOMERY_KEY_PAIR_GEN 0x00001056UL
 #define CKM_EDDSA 0x00001057UL
 
-/* new for v3.1 */
-#define CKM_AES_XTS 0x00001071UL
-#define CKM_AES_XTS_KEY_GEN 0x00001072UL
-#define CKM_AES_GMAC 0x0000108eUL
-
 /* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */
 #define CKM_DES_ECB_ENCRYPT_DATA 0x00001100UL
 #define CKM_DES_CBC_ENCRYPT_DATA 0x00001101UL
@@ -1205,50 +1174,24 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
 #define CKM_POLY1305_KEY_GEN 0x00001227UL
 #define CKM_POLY1305 0x00001228UL
 
-/* new for v3.1 */
-#define CKM_DES3_CMAC 0x00000138UL
-#define CKM_DES3_CMAC_GENERAL 0x00000137UL
-
 #define CKM_DSA_PARAMETER_GEN 0x00002000UL
 #define CKM_DH_PKCS_PARAMETER_GEN 0x00002001UL
 #define CKM_X9_42_DH_PARAMETER_GEN 0x00002002UL
 
 /* new for v2.40 */
 #define CKM_DSA_PROBABILISTIC_PARAMETER_GEN 0x00002003UL
-#define CKM_DSA_PROBABLISTIC_PARAMETER_GEN 0x00002003UL
 #define CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN 0x00002004UL
 #define CKM_DSA_FIPS_G_GEN 0x00002005UL
-
-/* new for v3.1 */
-#define CKM_AES_OFB 0x00002104UL
-#define CKM_AES_CFB64 0x00002105UL
-#define CKM_AES_CFB8 0x00002106UL
-#define CKM_AES_CFB128 0x00002107UL
-#define CKM_AES_KEY_WRAP_PKCS7 0x0000210cUL
-
-/* new for v2.40 */
 #define CKM_AES_CFB1 0x00002108UL
 #define CKM_AES_KEY_WRAP 0x00002109UL
 #define CKM_AES_KEY_WRAP_PAD 0x0000210AUL
 #define CKM_AES_KEY_WRAP_KWP 0x0000210BUL
 
-/* new for v3.1 */
-#define CKM_SHA3_256_KEY_DERIVE 0x00000397UL
-#define CKM_SHA3_224_KEY_DERIVE 0x00000398UL
-#define CKM_SHA3_384_KEY_DERIVE 0x00000399UL
-#define CKM_SHA3_512_KEY_DERIVE 0x0000039aUL
-#define CKM_SHAKE_128_KEY_DERIVE 0x0000039bUL
-#define CKM_SHAKE_256_KEY_DERIVE 0x0000039cUL
-
 /* CKM_SP800_108_xxx_KDF are new for v3.0 */
 #define CKM_SP800_108_COUNTER_KDF 0x000003acUL
 #define CKM_SP800_108_FEEDBACK_KDF 0x000003adUL
 #define CKM_SP800_108_DOUBLE_PIPELINE_KDF 0x000003aeUL
 
-/* new for v3.1 */
-#define CKM_TLS10_MAC_SERVER 0x000003d6UL
-#define CKM_TLS10_MAC_CLIENT 0x000003d7UL
-
 /* new for v2.4 */
 #define CKM_RSA_PKCS_TPM_1_1 0x00004001UL
 #define CKM_RSA_PKCS_OAEP_TPM_1_1 0x00004002UL
@@ -1298,14 +1241,6 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
 #define CKM_HKDF_KEY_GEN 0x0000402cUL
 #define CKM_SALSA20_KEY_GEN 0x0000402dUL
 
-/* new for v3.1 */
-#define CKM_HSS 0x00004033UL
-#define CKM_HSS_KEY_PAIR_GEN 0x00004032UL
-#define CKM_IKE1_EXTENDED_DERIVE 0x00004031UL
-#define CKM_IKE1_PRF_DERIVE 0x00004030UL
-#define CKM_IKE2_PRF_PLUS_DERIVE 0x0000402eUL
-#define CKM_IKE_PRF_DERIVE 0x0000402fUL
-
 #define CKM_VENDOR_DEFINED 0x80000000UL
 
 typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
@@ -1374,7 +1309,6 @@ typedef struct CK_MECHANISM_INFO {
 #define CKF_EC_NAMEDCURVE CKF_EC_OID /* renamed in v3.0 */
 #define CKF_EC_UNCOMPRESS 0x01000000UL
 #define CKF_EC_COMPRESS 0x02000000UL
-#define CKF_EC_CURVENAME 0x04000000UL
 
 #define CKF_EXTENSION 0x80000000UL /* FALSE for this version */
 
@@ -1418,7 +1352,6 @@ typedef CK_ULONG CK_RV;
 #define CKR_DEVICE_REMOVED 0x00000032UL
 #define CKR_ENCRYPTED_DATA_INVALID 0x00000040UL
 #define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041UL
-#define CKR_AEAD_DECRYPT_FAILED 0x00000042UL
 #define CKR_FUNCTION_CANCELED 0x00000050UL
 #define CKR_FUNCTION_NOT_PARALLEL 0x00000051UL
 
@@ -1487,8 +1420,6 @@ typedef CK_ULONG CK_RV;
 #define CKR_USER_PIN_NOT_INITIALIZED 0x00000102UL
 #define CKR_USER_TYPE_INVALID 0x00000103UL
 
-#define CKR_KEY_EXHAUSTED 0x00000203UL
-
 /* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
  * are new to v2.01 */
 #define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104UL
@@ -1696,7 +1627,6 @@ typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
 
 /* CK_EC_KDF_TYPE is new for v2.11. */
 typedef CK_ULONG CK_EC_KDF_TYPE;
-typedef CK_EC_KDF_TYPE CK_PTR CK_EC_KDF_TYPE_PTR;
 
 /* The following EC Key Derivation Functions are defined */
 #define CKD_NULL 0x00000001UL
@@ -2003,7 +1933,7 @@ typedef struct CK_GCM_MESSAGE_PARAMS {
     CK_ULONG ulTagBits;
 } CK_GCM_MESSAGE_PARAMS;
 
-typedef CK_GCM_MESSAGE_PARAMS CK_PTR CK_GCM_MESSAGE_PARAMS_PTR;
+typedef CK_GCM_MESSAGE_PARAMS CK_GCM_MESSAGE_PARAMS_PTR;
 
 typedef struct CK_CCM_MESSAGE_PARAMS {
     CK_ULONG ulDataLen; /*plaintext or ciphertext*/
@@ -2015,7 +1945,7 @@ typedef struct CK_CCM_MESSAGE_PARAMS {
     CK_ULONG ulMACLen;
 } CK_CCM_MESSAGE_PARAMS;
 
-typedef CK_CCM_MESSAGE_PARAMS CK_PTR CK_CCM_MESSAGE_PARAMS_PTR;
+typedef CK_CCM_MESSAGE_PARAMS CK_CCM_MESSAGE_PARAMS_PTR;
 
 /* SALSA20/CHACHA20 doe not define IV generators */
 typedef struct CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS {
@@ -2045,7 +1975,7 @@ typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
 } CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
 
 typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR
-    CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTR;
+    CK_SKIPJACK_PRIVATE_WRAP_PTR;
 
 /* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
  * CKM_SKIPJACK_RELAYX mechanism */
@@ -2225,8 +2155,6 @@ typedef struct CK_TLS_KDF_PARAMS {
     CK_ULONG ulContextDataLength;
 } CK_TLS_KDF_PARAMS;
 
-typedef CK_TLS_KDF_PARAMS CK_PTR CK_TLS_KDF_PARAMS_PTR;
-
 typedef struct CK_TLS_MAC_PARAMS {
     CK_MECHANISM_TYPE prfHashMechanism;
     CK_ULONG ulMacLength;
@@ -2253,101 +2181,6 @@ typedef CK_HKDF_PARAMS CK_PTR CK_HKDF_PARAMS_PTR;
 #define CKF_HKDF_SALT_DATA 0x00000002UL
 #define CKF_HKDF_SALT_KEY 0x00000004UL
 
-/* IKE is new for v3.1 */
-/*
- * CK_IKE2_PRF_PLUS_PARAMS is a structure that provides the parameters to
- * the CKM_IKE2_PRF_PLUS_DERIVE mechanism.
- * The fields of the structure have the following meanings:
- *      prfMechanism    underlying MAC mechanism used to generate the prf.
- *      bHasSeedKey     hSeed key is present.
- *      hSeedKey        optional seed from key
- *      pSeedData       optional seed from data.
- *      ulSeedDataLen   length of optional seed data.
- *        If no seed data is present this value is NULL.
- */
-typedef struct CK_IKE2_PRF_PLUS_DERIVE_PARAMS {
-    CK_MECHANISM_TYPE prfMechanism;
-    CK_BBOOL bHasSeedKey;
-    CK_OBJECT_HANDLE hSeedKey;
-    CK_BYTE_PTR pSeedData;
-    CK_ULONG ulSeedDataLen;
-} CK_IKE2_PRF_PLUS_DERIVE_PARAMS;
-
-typedef CK_IKE2_PRF_PLUS_DERIVE_PARAMS CK_PTR CK_IKE2_PRF_PLUS_DERIVE_PARAMS_PTR;
-
-/* CK_IKE_PRF_DERIVE_PARAMS is a structure that provides the parameters to
- *  the CKM_IKE_PRF_DERIVE mechanism.
- *
- * The fields of the structure have the following meanings:
- *     prfMechanism underlying MAC mechanism used to generate the prf.
- *     bRekey       hNewKey is present.
- *     pNi          Ni value
- *     ulNiLen      length of Ni
- *     pNr          Nr value
- *     ulNrLen      length of Nr
- *     hNewKey      New key value to drive the rekey.
- */
-typedef struct CK_IKE_PRF_DERIVE_PARAMS {
-    CK_MECHANISM_TYPE prfMechanism;
-    CK_BBOOL bDataAsKey;
-    CK_BBOOL bRekey;
-    CK_BYTE_PTR pNi;
-    CK_ULONG ulNiLen;
-    CK_BYTE_PTR pNr;
-    CK_ULONG ulNrLen;
-    CK_OBJECT_HANDLE hNewKey;
-} CK_IKE_PRF_DERIVE_PARAMS;
-
-typedef CK_IKE_PRF_DERIVE_PARAMS CK_PTR CK_IKE_PRF_DERIVE_PARAMS_PTR;
-
-/* CK_IKE1_PRF_DERIVE_PARAMS is a structure that provides the parameters
- * to the CKM_IKE1_PRF_DERIVE mechanism.
- *
- * The fields of the structure have the following meanings:
- *     prfMechanism  underlying MAC mechanism used to generate the prf.
- *     bHasPrevKey   there is a previous key to use
- *     hKeygxy       key to hash in the prf (usually a dhkey of sorts)
- *     hPrevKey      the previous ike1 key
- *     pCKYi         CKYi value
- *     ulCKYiLen     length of CKYi
- *     pCKYr         CKYr value
- *     ulCKYrLen     length of CKYr
- *     hNewKey       New key value to drive the rekey.
- */
-typedef struct CK_IKE1_PRF_DERIVE_PARAMS {
-    CK_MECHANISM_TYPE prfMechanism;
-    CK_BBOOL bHasPrevKey;
-    CK_OBJECT_HANDLE hKeygxy;
-    CK_OBJECT_HANDLE hPrevKey;
-    CK_BYTE_PTR pCKYi;
-    CK_ULONG ulCKYiLen;
-    CK_BYTE_PTR pCKYr;
-    CK_ULONG ulCKYrLen;
-    CK_BYTE keyNumber;
-} CK_IKE1_PRF_DERIVE_PARAMS;
-
-typedef CK_IKE1_PRF_DERIVE_PARAMS CK_PTR CK_IKE1_PRF_DERIVE_PARAMS_PTR;
-
-/* CK_IKE1_EXTENDED_DERIVE_PARAMS is a structure that provides the
- * parameters to the CKM_IKE1_EXTENDED_DERIVE mechanism.
- *
- * The fields of the structure have the following meanings:
- *     prfMechanism  underlying MAC mechanism used to generate the prf.
- *     bHasKeygxy    hKeygxy exists
- *     hKeygxy       optional key to hash in the prf
- *     pExtraData    optional extra data to hash in the prf
- *     ulExtraData   length of the optional extra data.
- */
-typedef struct CK_IKE1_EXTENDED_DERIVE_PARAMS {
-    CK_MECHANISM_TYPE prfMechanism;
-    CK_BBOOL bHasKeygxy;
-    CK_OBJECT_HANDLE hKeygxy;
-    CK_BYTE_PTR pExtraData;
-    CK_ULONG ulExtraDataLen;
-} CK_IKE1_EXTENDED_DERIVE_PARAMS;
-
-typedef CK_IKE1_EXTENDED_DERIVE_PARAMS CK_PTR CK_IKE1_EXTENDED_DERIVE_PARAMS_PTR;
-
 /* WTLS is new for version 2.20 */
 typedef struct CK_WTLS_RANDOM_DATA {
     CK_BYTE_PTR pClientRandom;
@@ -2580,13 +2413,6 @@ typedef struct CK_PKCS5_PBKD2_PARAMS2 {
 
 typedef CK_PKCS5_PBKD2_PARAMS2 CK_PTR CK_PKCS5_PBKD2_PARAMS2_PTR;
 
-/* The following value is used to determines if a parameter is of type PARAMS or PARAMS2
- * based on the value of ulPasswordLen. If ulPasswordLen is greater that the value below,
- * it is most likely a memory address i.e. a pointer (PARAMS). Otherwise, it is considered
- * a length value (PARAMS2). This is ignored if NSS_USE_PKCS5_PBKD2_PARAMS2_ONLY is defined.
- */
-#define CK_PKCS5_PBKD2_PARAMS_MAX_PWD_LEN 8192
-
 /* OTP is new in v2.40 */
 typedef CK_ULONG CK_OTP_PARAM_TYPE;
 #define CK_OTP_VALUE 0UL
@@ -2692,7 +2518,6 @@ typedef struct CK_EDDSA_PARAMS {
     CK_BYTE_PTR pContextData;
 } CK_EDDSA_PARAMS;
 typedef CK_ULONG CK_XEDDSA_HASH_TYPE;
-typedef CK_EDDSA_PARAMS CK_PTR CK_EDDSA_PARAMS_PTR;
 typedef CK_XEDDSA_HASH_TYPE CK_PTR CK_XEDDSA_HASH_TYPE_PTR;
 
 typedef struct CK_XEDDSA_PARAMS {