initial commit for Enea Linux 5.0 arm

Signed-off-by: Tudor Florea <tudor.florea@enea.com>

15 files changed, 2396 insertions, 0 deletions

diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1739.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1739.patch
new file mode 100644
index 0000000000..1a159c3934
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1739.patch
@@ -0,0 +1,81 @@
+Upstream-Status: Backport
+Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
+
+--- a/nss/lib/ssl/ssl3con.c
++++ b/nss/lib/ssl/ssl3con.c
+@@ -10509,7 +10509,7 @@ ssl_RemoveSSLv3CBCPadding(sslBuffer *pla
+     /* SSLv3 padding bytes are random and cannot be checked. */
+     t = plaintext->len;
+     t -= paddingLength+overhead;
+-    /* If len >= padding_length+overhead then the MSB of t is zero. */
++    /* If len >= paddingLength+overhead then the MSB of t is zero. */
+     good = DUPLICATE_MSB_TO_ALL(~t);
+     /* SSLv3 requires that the padding is minimal. */
+     t = blockSize - (paddingLength+1);
+@@ -10742,7 +10742,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
+        }
+     }
+ 
+-    good = (unsigned)-1;
++    good = ~0U;
+     minLength = crSpec->mac_size;
+     if (cipher_def->type == type_block) {
+        /* CBC records have a padding length byte at the end. */
+@@ -10756,14 +10756,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
+     /* We can perform this test in variable time because the record's total
+      * length and the ciphersuite are both public knowledge. */
+     if (cText->buf->len < minLength) {
+-       SSL_DBG(("%d: SSL3[%d]: HandleRecord, record too small.",
+-                SSL_GETPID(), ss->fd));
+-       /* must not hold spec lock when calling SSL3_SendAlert. */
+-       ssl_ReleaseSpecReadLock(ss);
+-       SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
+-       /* always log mac error, in case attacker can read server logs. */
+-       PORT_SetError(SSL_ERROR_BAD_MAC_READ);
+-       return SECFailure;
++       goto decrypt_loser;
+     }
+ 
+     if (cipher_def->type == type_block &&
+@@ -10831,11 +10824,18 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
+        return SECFailure;
+     }
+ 
++    if (cipher_def->type == type_block &&
++       ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
++       goto decrypt_loser;
++    }
++
+     /* decrypt from cText buf to plaintext. */
+     rv = crSpec->decode(
+        crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
+        plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
+-    good &= SECStatusToMask(rv);
++    if (rv != SECSuccess) {
++       goto decrypt_loser;
++    }
+ 
+     PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
+ 
+@@ -10843,7 +10843,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
+ 
+     /* If it's a block cipher, check and strip the padding. */
+     if (cipher_def->type == type_block) {
+-       const unsigned int blockSize = cipher_def->iv_size;
++       const unsigned int blockSize = cipher_def->block_size;
+        const unsigned int macSize = crSpec->mac_size;
+ 
+        if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) {
+@@ -10899,10 +10899,11 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
+     }
+ 
+     if (good == 0) {
++decrypt_loser:
+        /* must not hold spec lock when calling SSL3_SendAlert. */
+        ssl_ReleaseSpecReadLock(ss);
+ 
+-       SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd));
++       SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd));
+ 
+        if (!IS_DTLS(ss)) {
+            SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
new file mode 100644
index 0000000000..21da0c03b5
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
@@ -0,0 +1,92 @@
+Upstream-Status: backport
+yanjun.zhu <yanjun.zhu@windriver.com>
+--- a/nss/lib/util/secport.c
++++ b/nss/lib/util/secport.c
+@@ -69,13 +69,22 @@ PORTCharConversionFunc ucs4Utf8ConvertFu
+ PORTCharConversionFunc ucs2Utf8ConvertFunc;
+ PORTCharConversionWSwapFunc  ucs2AsciiConvertFunc;
+ 
++/* NSPR memory allocation functions (PR_Malloc, PR_Calloc, and PR_Realloc)
++ * use the PRUint32 type for the size parameter. Before we pass a size_t or
++ * unsigned long size to these functions, we need to ensure it is <= half of
++ * the maximum PRUint32 value to avoid truncation and catch a negative size.
++ */
++#define MAX_SIZE (PR_UINT32_MAX >> 1)
++
+ void *
+ PORT_Alloc(size_t bytes)
+ {
+-    void *rv;
++    void *rv = NULL;
+ 
+-    /* Always allocate a non-zero amount of bytes */
+-    rv = (void *)PR_Malloc(bytes ? bytes : 1);
++    if (bytes <= MAX_SIZE) {
++       /* Always allocate a non-zero amount of bytes */
++       rv = PR_Malloc(bytes ? bytes : 1);
++    }
+     if (!rv) {
+        ++port_allocFailures;
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+@@ -86,9 +95,11 @@ PORT_Alloc(size_t bytes)
+ void *
+ PORT_Realloc(void *oldptr, size_t bytes)
+ {
+-    void *rv;
++    void *rv = NULL;
+ 
+-    rv = (void *)PR_Realloc(oldptr, bytes);
++    if (bytes <= MAX_SIZE) {
++       rv = PR_Realloc(oldptr, bytes);
++    }
+     if (!rv) {
+        ++port_allocFailures;
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+@@ -99,10 +110,12 @@ PORT_Realloc(void *oldptr, size_t bytes)
+ void *
+ PORT_ZAlloc(size_t bytes)
+ {
+-    void *rv;
++    void *rv = NULL;
+ 
+-    /* Always allocate a non-zero amount of bytes */
+-    rv = (void *)PR_Calloc(1, bytes ? bytes : 1);
++    if (bytes <= MAX_SIZE) {
++       /* Always allocate a non-zero amount of bytes */
++       rv = PR_Calloc(1, bytes ? bytes : 1);
++    }
+     if (!rv) {
+        ++port_allocFailures;
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+@@ -209,6 +222,10 @@ PORT_NewArena(unsigned long chunksize)
+ {
+     PORTArenaPool *pool;
+     
++    if (chunksize > MAX_SIZE) {
++       PORT_SetError(SEC_ERROR_NO_MEMORY);
++       return NULL;
++    }
+     pool = PORT_ZNew(PORTArenaPool);
+     if (!pool) {
+        return NULL;
+@@ -224,8 +241,6 @@ PORT_NewArena(unsigned long chunksize)
+     return(&pool->arena);
+ }
+ 
+-#define MAX_SIZE 0x7fffffffUL
+-
+ void *
+ PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
+ {
+@@ -330,6 +345,11 @@ PORT_ArenaGrow(PLArenaPool *arena, void 
+     PORTArenaPool *pool = (PORTArenaPool *)arena;
+     PORT_Assert(newsize >= oldsize);
+     
++    if (newsize > MAX_SIZE) {
++       PORT_SetError(SEC_ERROR_NO_MEMORY);
++       return NULL;
++    }
++
+     if (ARENAPOOL_MAGIC == pool->magic ) {
+        PZ_Lock(pool->lock);
+        /* Do we do a THREADMARK check here? */
diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-5605.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-5605.patch
new file mode 100644
index 0000000000..7203d02c78
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-5605.patch
@@ -0,0 +1,18 @@
+signed-off-by: Ryan Sleevi <ryan.sleevi@gmail.com>
+Upstream-Status: Backport
+reference:https://hg.mozilla.org/projects/nss/rev/e79a09364b5e
+
+--- a/nss/lib/ssl/ssl3con.c
++++ b/nss/lib/ssl/ssl3con.c
+@@ -781,6 +781,11 @@ static SECStatus
+ Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen,
+            const unsigned char *input, int inputLen)
+ {
++    if (inputLen > maxOutputLen) {
++        *outputLen = 0;  /* Match PK11_CipherOp in setting outputLen */
++        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
++        return SECFailure;
++    }
+     *outputLen = inputLen;
+     if (input != output)
+        PORT_Memcpy(output, input, inputLen);
diff --git a/meta/recipes-support/nss/files/nss-CVE-2013-1740.patch b/meta/recipes-support/nss/files/nss-CVE-2013-1740.patch
new file mode 100644
index 0000000000..db3d6f9103
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-CVE-2013-1740.patch
@@ -0,0 +1,916 @@
+nss: CVE-2013-1740
+
+Upstream-Status: Backport
+
+the patch comes from:
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1740
+https://bugzilla.mozilla.org/show_bug.cgi?id=919877
+https://bugzilla.mozilla.org/show_bug.cgi?id=713933
+
+changeset:   10946:f28426e944ae
+user:        Wan-Teh Chang <wtc@google.com>
+date:        Tue Nov 26 16:44:39 2013 -0800
+summary:     Bug 713933: Handle the return value of both ssl3_HandleRecord calls
+
+changeset:   10945:774c7dec7565
+user:        Wan-Teh Chang <wtc@google.com>
+date:        Mon Nov 25 19:16:23 2013 -0800
+summary:     Bug 713933: Declare the |falseStart| local variable in the smallest
+
+changeset:   10848:141fae8fb2e8
+user:        Wan-Teh Chang <wtc@google.com>
+date:        Mon Sep 23 11:25:41 2013 -0700
+summary:     Bug 681839: Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished, r=brian@briansmith.org
+
+changeset:   10898:1b9c43d28713
+user:        Brian Smith <brian@briansmith.org>
+date:        Thu Oct 31 15:40:42 2013 -0700
+summary:     Bug 713933: Make SSL False Start work with asynchronous certificate validation, r=wtc
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ nss/lib/ssl/ssl.def     |    7 ++
+ nss/lib/ssl/ssl.h       |   54 +++++++++++---
+ nss/lib/ssl/ssl3con.c   |  188 +++++++++++++++++++++++++++++++++++------------
+ nss/lib/ssl/ssl3gthr.c  |   63 ++++++++++++----
+ nss/lib/ssl/sslauth.c   |   10 +--
+ nss/lib/ssl/sslimpl.h   |   22 +++++-
+ nss/lib/ssl/sslinfo.c   |   10 +--
+ nss/lib/ssl/sslreveal.c |    9 +--
+ nss/lib/ssl/sslsecur.c  |  139 ++++++++++++++++++++++++++++-------
+ nss/lib/ssl/sslsock.c   |   12 ++-
+ 10 files changed, 386 insertions(+), 128 deletions(-)
+
+diff --git a/nss/lib/ssl/ssl.def b/nss/lib/ssl/ssl.def
+index fbf7fc5..e937bd4 100644
+--- a/nss/lib/ssl/ssl.def
++++ b/nss/lib/ssl/ssl.def
+@@ -163,3 +163,10 @@ SSL_SetStapledOCSPResponses;
+ ;+    local:
+ ;+*;
+ ;+};
++;+NSS_3.15.3 {    # NSS 3.15.3 release
++;+    global:
++SSL_RecommendedCanFalseStart;
++SSL_SetCanFalseStartCallback;
++;+    local:
++;+*;
++;+};
+diff --git a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
+index 6db0e34..ddeaaef 100644
+--- a/nss/lib/ssl/ssl.h
++++ b/nss/lib/ssl/ssl.h
+@@ -121,14 +121,17 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
+ #define SSL_ENABLE_FALSE_START         22 /* Enable SSL false start (off by */
+                                           /* default, applies only to       */
+                                           /* clients). False start is a     */
+-/* mode where an SSL client will start sending application data before      */
+-/* verifying the server's Finished message. This means that we could end up */
+-/* sending data to an imposter. However, the data will be encrypted and     */
+-/* only the true server can derive the session key. Thus, so long as the    */
+-/* cipher isn't broken this is safe. Because of this, False Start will only */
+-/* occur on RSA or DH ciphersuites where the cipher's key length is >= 80   */
+-/* bits. The advantage of False Start is that it saves a round trip for     */
+-/* client-speaks-first protocols when performing a full handshake.          */
++/* mode where an SSL client will start sending application data before
++ * verifying the server's Finished message. This means that we could end up
++ * sending data to an imposter. However, the data will be encrypted and
++ * only the true server can derive the session key. Thus, so long as the
++ * cipher isn't broken this is safe. The advantage of false start is that
++ * it saves a round trip for client-speaks-first protocols when performing a
++ * full handshake.
++ *
++ * In addition to enabling this option, the application must register a
++ * callback using the SSL_SetCanFalseStartCallback function.
++ */
+ 
+ /* For SSL 3.0 and TLS 1.0, by default we prevent chosen plaintext attacks
+  * on SSL CBC mode cipher suites (see RFC 4346 Section F.3) by splitting
+@@ -653,14 +656,45 @@ SSL_IMPORT SECStatus SSL_SetMaxServerCacheLocks(PRUint32 maxLocks);
+ SSL_IMPORT SECStatus SSL_InheritMPServerSIDCache(const char * envString);
+ 
+ /*
+-** Set the callback on a particular socket that gets called when we finish
+-** performing a handshake.
++** Set the callback that gets called when a TLS handshake is complete. The
++** handshake callback is called after verifying the peer's Finished message and
++** before processing incoming application data.
++**
++** For the initial handshake: If the handshake false started (see
++** SSL_ENABLE_FALSE_START), then application data may already have been sent
++** before the handshake callback is called. If we did not false start then the
++** callback will get called before any application data is sent.
+ */
+ typedef void (PR_CALLBACK *SSLHandshakeCallback)(PRFileDesc *fd,
+                                                  void *client_data);
+ SSL_IMPORT SECStatus SSL_HandshakeCallback(PRFileDesc *fd, 
+                                  SSLHandshakeCallback cb, void *client_data);
+ 
++/* Applications that wish to enable TLS false start must set this callback
++** function. NSS will invoke the functon to determine if a particular
++** connection should use false start or not. SECSuccess indicates that the
++** callback completed successfully, and if so *canFalseStart indicates if false
++** start can be used. If the callback does not return SECSuccess then the
++** handshake will be canceled. NSS's recommended criteria can be evaluated by
++** calling SSL_RecommendedCanFalseStart.
++**
++** If no false start callback is registered then false start will never be
++** done, even if the SSL_ENABLE_FALSE_START option is enabled.
++**/
++typedef SECStatus (PR_CALLBACK *SSLCanFalseStartCallback)(
++    PRFileDesc *fd, void *arg, PRBool *canFalseStart);
++
++SSL_IMPORT SECStatus SSL_SetCanFalseStartCallback(
++    PRFileDesc *fd, SSLCanFalseStartCallback callback, void *arg);
++
++/* This function sets *canFalseStart according to the recommended criteria for
++** false start. These criteria may change from release to release and may depend
++** on which handshake features have been negotiated and/or properties of the
++** certifciates/keys used on the connection.
++*/
++SSL_IMPORT SECStatus SSL_RecommendedCanFalseStart(PRFileDesc *fd,
++                                                  PRBool *canFalseStart);
++
+ /*
+ ** For the server, request a new handshake.  For the client, begin a new
+ ** handshake.  If flushCache is non-zero, the SSL3 cache entry will be 
+diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
+index 61d24d9..f39ba09 100644
+--- a/nss/lib/ssl/ssl3con.c
++++ b/nss/lib/ssl/ssl3con.c
+@@ -2535,7 +2535,7 @@ ssl3_SendRecord(   sslSocket *        ss,
+     SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
+                SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
+                nIn));
+-    PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn));
++    PRINT_BUF(50, (ss, "Send record (plain text)", pIn, nIn));
+ 
+     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+ 
+@@ -6674,36 +6674,73 @@ done:
+     return rv;
+ }
+ 
++static SECStatus
++ssl3_CheckFalseStart(sslSocket *ss)
++{
++    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
++    PORT_Assert( !ss->ssl3.hs.authCertificatePending );
++    PORT_Assert( !ss->ssl3.hs.canFalseStart );
++
++    if (!ss->canFalseStartCallback) {
++       SSL_TRC(3, ("%d: SSL[%d]: no false start callback so no false start",
++                   SSL_GETPID(), ss->fd));
++    } else {
++       PRBool maybeFalseStart;
++       SECStatus rv;
++
++       /* An attacker can control the selected ciphersuite so we only wish to
++        * do False Start in the case that the selected ciphersuite is
++        * sufficiently strong that the attack can gain no advantage.
++        * Therefore we always require an 80-bit cipher. */
++        ssl_GetSpecReadLock(ss);
++        maybeFalseStart = ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10;
++        ssl_ReleaseSpecReadLock(ss);
++
++       if (!maybeFalseStart) {
++           SSL_TRC(3, ("%d: SSL[%d]: no false start due to weak cipher",
++                       SSL_GETPID(), ss->fd));
++       } else {
++           rv = (ss->canFalseStartCallback)(ss->fd,
++                                            ss->canFalseStartCallbackData,
++                                            &ss->ssl3.hs.canFalseStart);
++           if (rv == SECSuccess) {
++               SSL_TRC(3, ("%d: SSL[%d]: false start callback returned %s",
++                           SSL_GETPID(), ss->fd,
++                           ss->ssl3.hs.canFalseStart ? "TRUE" : "FALSE"));
++           } else {
++               SSL_TRC(3, ("%d: SSL[%d]: false start callback failed (%s)",
++                           SSL_GETPID(), ss->fd,
++                           PR_ErrorToName(PR_GetError())));
++           }
++           return rv;
++       }
++    }
++
++    ss->ssl3.hs.canFalseStart = PR_FALSE;
++    return SECSuccess;
++}
++
+ PRBool
+-ssl3_CanFalseStart(sslSocket *ss) {
+-    PRBool rv;
++ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss)
++{
++    PRBool result = PR_FALSE;
+ 
+     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+ 
+-    /* XXX: does not take into account whether we are waiting for
+-     * SSL_AuthCertificateComplete or SSL_RestartHandshakeAfterCertReq. If/when
+-     * that is done, this function could return different results each time it
+-     * would be called.
+-     */
++    switch (ss->ssl3.hs.ws) {
++    case wait_new_session_ticket:
++        result = PR_TRUE;
++        break;
++    case wait_change_cipher:
++        result = !ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn);
++        break;
++    case wait_finished:
++        break;
++    default:
++        PR_NOT_REACHED("ssl3_WaitingForStartOfServerSecondRound");
++    }
+ 
+-    ssl_GetSpecReadLock(ss);
+-    rv = ss->opt.enableFalseStart &&
+-        !ss->sec.isServer &&
+-        !ss->ssl3.hs.isResuming &&
+-        ss->ssl3.cwSpec &&
+-
+-        /* An attacker can control the selected ciphersuite so we only wish to
+-         * do False Start in the case that the selected ciphersuite is
+-         * sufficiently strong that the attack can gain no advantage.
+-         * Therefore we require an 80-bit cipher and a forward-secret key
+-         * exchange. */
+-        ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
+-       (ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
+-        ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
+-        ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
+-        ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa);
+-    ssl_ReleaseSpecReadLock(ss);
+-    return rv;
++    return result;
+ }
+ 
+ static SECStatus ssl3_SendClientSecondRound(sslSocket *ss);
+@@ -6785,6 +6822,9 @@ ssl3_SendClientSecondRound(sslSocket *ss)
+     }
+     if (ss->ssl3.hs.authCertificatePending &&
+        (sendClientCert || ss->ssl3.sendEmptyCert || ss->firstHsDone)) {
++        SSL_TRC(3, ("%d: SSL3[%p]: deferring ssl3_SendClientSecondRound because"
++                    " certificate authentication is still pending.",
++                    SSL_GETPID(), ss->fd));
+        ss->ssl3.hs.restartTarget = ssl3_SendClientSecondRound;
+        return SECWouldBlock;
+     }
+@@ -6822,14 +6862,50 @@ ssl3_SendClientSecondRound(sslSocket *ss)
+        goto loser;     /* err code was set. */
+     }
+ 
+-    /* XXX: If the server's certificate hasn't been authenticated by this
+-     * point, then we may be leaking this NPN message to an attacker.
++    /* This must be done after we've set ss->ssl3.cwSpec in
++     * ssl3_SendChangeCipherSpecs because SSL_GetChannelInfo uses information
++     * from cwSpec. This must be done before we call ssl3_CheckFalseStart
++     * because the false start callback (if any) may need the information from
++     * the functions that depend on this being set.
+      */
++    ss->enoughFirstHsDone = PR_TRUE;
++
+     if (!ss->firstHsDone) {
++        /* XXX: If the server's certificate hasn't been authenticated by this
++         * point, then we may be leaking this NPN message to an attacker.
++         */
+        rv = ssl3_SendNextProto(ss);
+        if (rv != SECSuccess) {
+            goto loser; /* err code was set. */
+        }
++
++        if (ss->opt.enableFalseStart) {
++            if (!ss->ssl3.hs.authCertificatePending) {
++                /* When we fix bug 589047, we will need to know whether we are
++                 * false starting before we try to flush the client second
++                 * round to the network. With that in mind, we purposefully
++                 * call ssl3_CheckFalseStart before calling ssl3_SendFinished,
++                 * which includes a call to ssl3_FlushHandshake, so that
++                 * no application develops a reliance on such flushing being
++                 * done before its false start callback is called.
++                 */
++                ssl_ReleaseXmitBufLock(ss);
++                rv = ssl3_CheckFalseStart(ss);
++                ssl_GetXmitBufLock(ss);
++                if (rv != SECSuccess) {
++                    goto loser;
++                }
++            } else {
++                /* The certificate authentication and the server's Finished
++                 * message are racing each other. If the certificate
++                 * authentication wins, then we will try to false start in
++                 * ssl3_AuthCertificateComplete.
++                 */
++                SSL_TRC(3, ("%d: SSL3[%p]: deferring false start check because"
++                            " certificate authentication is still pending.",
++                            SSL_GETPID(), ss->fd));
++            }
++        }
+     }
+ 
+     rv = ssl3_SendFinished(ss, 0);
+@@ -6844,10 +6920,7 @@ ssl3_SendClientSecondRound(sslSocket *ss)
+     else
+        ss->ssl3.hs.ws = wait_change_cipher;
+ 
+-    /* Do the handshake callback for sslv3 here, if we can false start. */
+-    if (ss->handshakeCallback != NULL && ssl3_CanFalseStart(ss)) {
+-       (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+-    }
++    PORT_Assert(ssl3_WaitingForStartOfServerSecondRound(ss));
+ 
+     return SECSuccess;
+ 
+@@ -9421,13 +9494,6 @@ ssl3_AuthCertificate(sslSocket *ss)
+ 
+            ss->ssl3.hs.authCertificatePending = PR_TRUE;
+            rv = SECSuccess;
+-
+-           /* XXX: Async cert validation and False Start don't work together
+-            * safely yet; if we leave False Start enabled, we may end up false
+-            * starting (sending application data) before we
+-            * SSL_AuthCertificateComplete has been called.
+-            */
+-           ss->opt.enableFalseStart = PR_FALSE;
+        }
+ 
+        if (rv != SECSuccess) {
+@@ -9551,6 +9617,12 @@ ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error)
+     } else if (ss->ssl3.hs.restartTarget != NULL) {
+        sslRestartTarget target = ss->ssl3.hs.restartTarget;
+        ss->ssl3.hs.restartTarget = NULL;
++
++        if (target == ssl3_FinishHandshake) {
++            SSL_TRC(3,("%d: SSL3[%p]: certificate authentication lost the race"
++                       " with peer's finished message", SSL_GETPID(), ss->fd));
++        }
++
+        rv = target(ss);
+        /* Even if we blocked here, we have accomplished enough to claim
+         * success. Any remaining work will be taken care of by subsequent
+@@ -9560,7 +9632,29 @@ ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error)
+            rv = SECSuccess;
+        }
+     } else {
+-       rv = SECSuccess;
++        SSL_TRC(3, ("%d: SSL3[%p]: certificate authentication won the race with"
++                    " peer's finished message", SSL_GETPID(), ss->fd));
++
++        PORT_Assert(!ss->firstHsDone);
++        PORT_Assert(!ss->sec.isServer);
++        PORT_Assert(!ss->ssl3.hs.isResuming);
++        PORT_Assert(ss->ssl3.hs.ws == wait_new_session_ticket ||
++                    ss->ssl3.hs.ws == wait_change_cipher ||
++                    ss->ssl3.hs.ws == wait_finished);
++ 
++        /* ssl3_SendClientSecondRound deferred the false start check because
++         * certificate authentication was pending, so we do it now if we still
++          * haven't received any of the server's second round yet.
++         */
++        if (ss->opt.enableFalseStart &&
++            !ss->firstHsDone &&
++            !ss->sec.isServer &&
++            !ss->ssl3.hs.isResuming &&
++            ssl3_WaitingForStartOfServerSecondRound(ss)) {
++            rv = ssl3_CheckFalseStart(ss);
++        } else {
++            rv = SECSuccess;
++        }
+     }
+ 
+ done:
+@@ -10023,9 +10117,6 @@ xmit_loser:
+         return rv;
+     }
+ 
+-    ss->gs.writeOffset = 0;
+-    ss->gs.readOffset  = 0;
+-
+     if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
+        effectiveExchKeyType = kt_rsa;
+     } else {
+@@ -10090,6 +10181,9 @@ xmit_loser:
+     return rv;
+ }
+ 
++/* The return type is SECStatus instead of void because this function needs
++ * to have type sslRestartTarget.
++ */
+ SECStatus
+ ssl3_FinishHandshake(sslSocket * ss)
+ {
+@@ -10099,19 +10193,16 @@ ssl3_FinishHandshake(sslSocket * ss)
+ 
+     /* The first handshake is now completed. */
+     ss->handshake           = NULL;
+-    ss->firstHsDone         = PR_TRUE;
+ 
+     if (ss->ssl3.hs.cacheSID) {
+        (*ss->sec.cache)(ss->sec.ci.sid);
+        ss->ssl3.hs.cacheSID = PR_FALSE;
+     }
+ 
++    ss->ssl3.hs.canFalseStart = PR_FALSE; /* False Start phase is complete */
+     ss->ssl3.hs.ws = idle_handshake;
+ 
+-    /* Do the handshake callback for sslv3 here, if we cannot false start. */
+-    if (ss->handshakeCallback != NULL && !ssl3_CanFalseStart(ss)) {
+-       (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+-    }
++    ssl_FinishHandshake(ss);
+ 
+     return SECSuccess;
+ }
+@@ -11045,7 +11136,6 @@ process_it:
+ 
+     ssl_ReleaseSSL3HandshakeLock(ss);
+     return rv;
+-
+ }
+ 
+ /*
+diff --git a/nss/lib/ssl/ssl3gthr.c b/nss/lib/ssl/ssl3gthr.c
+index 6d62515..03e369d 100644
+--- a/nss/lib/ssl/ssl3gthr.c
++++ b/nss/lib/ssl/ssl3gthr.c
+@@ -275,11 +275,17 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
+ {
+     SSL3Ciphertext cText;
+     int            rv;
+-    PRBool         canFalseStart = PR_FALSE;
++    PRBool         keepGoing = PR_TRUE;
+ 
+     SSL_TRC(30, ("ssl3_GatherCompleteHandshake"));
+ 
++    /* ssl3_HandleRecord may end up eventually calling ssl_FinishHandshake,
++     * which requires the 1stHandshakeLock, which must be acquired before the
++     * RecvBufLock.
++     */
++    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
++
+     do {
+        PRBool handleRecordNow = PR_FALSE;
+ 
+@@ -368,20 +374,48 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
+        if (rv < 0) {
+            return ss->recvdCloseNotify ? 0 : rv;
+        }
++        if (rv == (int) SECSuccess && ss->gs.buf.len > 0) {
++            /* We have application data to return to the application. This
++             * prioritizes returning application data to the application over
++             * completing any renegotiation handshake we may be doing.
++             */
++            PORT_Assert(ss->firstHsDone);
++            PORT_Assert(cText.type == content_application_data);
++            break;
++        }
+ 
+-       /* If we kicked off a false start in ssl3_HandleServerHelloDone, break
+-        * out of this loop early without finishing the handshake.
+-        */
+-       if (ss->opt.enableFalseStart) {
+-           ssl_GetSSL3HandshakeLock(ss);
+-           canFalseStart = (ss->ssl3.hs.ws == wait_change_cipher ||
+-                            ss->ssl3.hs.ws == wait_new_session_ticket) &&
+-                           ssl3_CanFalseStart(ss);
+-           ssl_ReleaseSSL3HandshakeLock(ss);
++        PORT_Assert(keepGoing);
++        ssl_GetSSL3HandshakeLock(ss);
++        if (ss->ssl3.hs.ws == idle_handshake) {
++            /* We are done with the current handshake so stop trying to
++             * handshake. Note that it would be safe to test ss->firstHsDone
++             * instead of ss->ssl3.hs.ws. By testing ss->ssl3.hs.ws instead,
++             * we prioritize completing a renegotiation handshake over sending
++             * application data.
++             */
++            PORT_Assert(ss->firstHsDone);
++            PORT_Assert(!ss->ssl3.hs.canFalseStart);
++            keepGoing = PR_FALSE;
++        } else if (ss->ssl3.hs.canFalseStart) {
++            /* Prioritize sending application data over trying to complete
++             * the handshake if we're false starting.
++             *
++             * If we were to do this check at the beginning of the loop instead
++             * of here, then this function would become be a no-op after
++             * receiving the ServerHelloDone in the false start case, and we
++             * would never complete the handshake.
++             */
++            PORT_Assert(!ss->firstHsDone);
++ 
++            if (ssl3_WaitingForStartOfServerSecondRound(ss)) {
++                keepGoing = PR_FALSE;
++            } else {
++                ss->ssl3.hs.canFalseStart = PR_FALSE;
++            }
+        }
+-    } while (ss->ssl3.hs.ws != idle_handshake &&
+-             !canFalseStart &&
+-             ss->gs.buf.len == 0);
++        ssl_ReleaseSSL3HandshakeLock(ss);
++     } while (keepGoing);
++
+ 
+     ss->gs.readOffset = 0;
+     ss->gs.writeOffset = ss->gs.buf.len;
+@@ -404,7 +438,10 @@ ssl3_GatherAppDataRecord(sslSocket *ss, int flags)
+ {
+     int            rv;
+ 
++    /* ssl3_GatherCompleteHandshake requires both of these locks. */
++    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
+     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
++
+     do {
+        rv = ssl3_GatherCompleteHandshake(ss, flags);
+     } while (rv > 0 && ss->gs.buf.len == 0);
+diff --git a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c
+index d2f57bf..cb956d4 100644
+--- a/nss/lib/ssl/sslauth.c
++++ b/nss/lib/ssl/sslauth.c
+@@ -60,7 +60,6 @@ SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
+     sslSocket *ss;
+     const char *cipherName;
+     PRBool isDes = PR_FALSE;
+-    PRBool enoughFirstHsDone = PR_FALSE;
+ 
+     ss = ssl_FindSocket(fd);
+     if (!ss) {
+@@ -78,14 +77,7 @@ SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
+        *op = SSL_SECURITY_STATUS_OFF;
+     }
+ 
+-    if (ss->firstHsDone) {
+-       enoughFirstHsDone = PR_TRUE;
+-    } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
+-              ssl3_CanFalseStart(ss)) {
+-       enoughFirstHsDone = PR_TRUE;
+-    }
+-
+-    if (ss->opt.useSecurity && enoughFirstHsDone) {
++    if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
+        if (ss->version < SSL_LIBRARY_VERSION_3_0) {
+            cipherName = ssl_cipherName[ss->sec.cipherType];
+        } else {
+diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
+index 90e9567..bf0d67f 100644
+--- a/nss/lib/ssl/sslimpl.h
++++ b/nss/lib/ssl/sslimpl.h
+@@ -842,6 +842,8 @@ const ssl3CipherSuiteDef *suite_def;
+     /* Shared state between ssl3_HandleFinished and ssl3_FinishHandshake */
+     PRBool                cacheSID;
+ 
++    PRBool                canFalseStart;   /* Can/did we False Start */
++
+     /* clientSigAndHash contains the contents of the signature_algorithms
+      * extension (if any) from the client. This is only valid for TLS 1.2
+      * or later. */
+@@ -1116,6 +1118,10 @@ struct sslSocketStr {
+     unsigned long    clientAuthRequested;
+     unsigned long    delayDisabled;       /* Nagle delay disabled */
+     unsigned long    firstHsDone;         /* first handshake is complete. */
++    unsigned long    enoughFirstHsDone;   /* enough of the first handshake is
++                                           * done for callbacks to be able to
++                                           * retrieve channel security
++                                           * parameters from the SSL socket. */
+     unsigned long    handshakeBegun;     
+     unsigned long    lastWriteBlocked;   
+     unsigned long    recvdCloseNotify;    /* received SSL EOF. */
+@@ -1156,6 +1162,8 @@ const unsigned char *  preferredCipher;
+     void                     *badCertArg;
+     SSLHandshakeCallback      handshakeCallback;
+     void                     *handshakeCallbackData;
++    SSLCanFalseStartCallback  canFalseStartCallback;
++    void                     *canFalseStartCallbackData;
+     void                     *pkcs11PinArg;
+     SSLNextProtoCallback      nextProtoCallback;
+     void                     *nextProtoArg;
+@@ -1358,7 +1366,19 @@ extern void      ssl3_SetAlwaysBlock(sslSocket *ss);
+ 
+ extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
+ 
+-extern PRBool    ssl3_CanFalseStart(sslSocket *ss);
++extern void      ssl_FinishHandshake(sslSocket *ss);
++
++/* Returns PR_TRUE if we are still waiting for the server to respond to our
++ * client second round. Once we've received any part of the server's second
++ * round then we don't bother trying to false start since it is almost always
++ * the case that the NewSessionTicket, ChangeCipherSoec, and Finished messages
++ * were sent in the same packet and we want to process them all at the same
++ * time. If we were to try to false start in the middle of the server's second
++ * round, then we would increase the number of I/O operations
++ * (SSL_ForceHandshake/PR_Recv/PR_Send/etc.) needed to finish the handshake.
++ */
++extern PRBool    ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss);
++
+ extern SECStatus
+ ssl3_CompressMACEncryptRecord(ssl3CipherSpec *   cwSpec,
+                              PRBool             isServer,
+diff --git a/nss/lib/ssl/sslinfo.c b/nss/lib/ssl/sslinfo.c
+index 9f2597e..d0c23b7 100644
+--- a/nss/lib/ssl/sslinfo.c
++++ b/nss/lib/ssl/sslinfo.c
+@@ -26,7 +26,6 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len)
+     sslSocket *      ss;
+     SSLChannelInfo   inf;
+     sslSessionID *   sid;
+-    PRBool           enoughFirstHsDone = PR_FALSE;
+ 
+     if (!info || len < sizeof inf.length) { 
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+@@ -43,14 +42,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len)
+     memset(&inf, 0, sizeof inf);
+     inf.length = PR_MIN(sizeof inf, len);
+ 
+-    if (ss->firstHsDone) {
+-       enoughFirstHsDone = PR_TRUE;
+-    } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
+-              ssl3_CanFalseStart(ss)) {
+-       enoughFirstHsDone = PR_TRUE;
+-    }
+-
+-    if (ss->opt.useSecurity && enoughFirstHsDone) {
++    if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
+         sid = ss->sec.ci.sid;
+        inf.protocolVersion  = ss->version;
+        inf.authKeyBits      = ss->sec.authKeyBits;
+diff --git a/nss/lib/ssl/sslreveal.c b/nss/lib/ssl/sslreveal.c
+index dc14794..d972998 100644
+--- a/nss/lib/ssl/sslreveal.c
++++ b/nss/lib/ssl/sslreveal.c
+@@ -77,7 +77,6 @@ SSL_HandshakeNegotiatedExtension(PRFileDesc * socket,
+ {
+   /* some decisions derived from SSL_GetChannelInfo */
+   sslSocket * sslsocket = NULL;
+-  PRBool enoughFirstHsDone = PR_FALSE;
+ 
+   if (!pYes) {
+     PORT_SetError(SEC_ERROR_INVALID_ARGS);
+@@ -93,14 +92,8 @@ SSL_HandshakeNegotiatedExtension(PRFileDesc * socket,
+ 
+   *pYes = PR_FALSE;
+ 
+-  if (sslsocket->firstHsDone) {
+-    enoughFirstHsDone = PR_TRUE;
+-  } else if (sslsocket->ssl3.initialized && ssl3_CanFalseStart(sslsocket)) {
+-    enoughFirstHsDone = PR_TRUE;
+-  }
+-
+   /* according to public API SSL_GetChannelInfo, this doesn't need a lock */
+-  if (sslsocket->opt.useSecurity && enoughFirstHsDone) {
++  if (sslsocket->opt.useSecurity) {
+     if (sslsocket->ssl3.initialized) { /* SSL3 and TLS */
+       /* now we know this socket went through ssl3_InitState() and
+        * ss->xtnData got initialized, which is the only member accessed by
+diff --git a/nss/lib/ssl/sslsecur.c b/nss/lib/ssl/sslsecur.c
+index 49bb42b..d0df442 100644
+--- a/nss/lib/ssl/sslsecur.c
++++ b/nss/lib/ssl/sslsecur.c
+@@ -97,23 +97,13 @@ ssl_Do1stHandshake(sslSocket *ss)
+            ss->securityHandshake = 0;
+        }
+        if (ss->handshake == 0) {
+-           ssl_GetRecvBufLock(ss);
+-           ss->gs.recordLen = 0;
+-           ssl_ReleaseRecvBufLock(ss);
+-
+-           SSL_TRC(3, ("%d: SSL[%d]: handshake is completed",
+-                       SSL_GETPID(), ss->fd));
+-            /* call handshake callback for ssl v2 */
+-           /* for v3 this is done in ssl3_HandleFinished() */
+-           if ((ss->handshakeCallback != NULL) && /* has callback */
+-               (!ss->firstHsDone) &&              /* only first time */
+-               (ss->version < SSL_LIBRARY_VERSION_3_0)) {  /* not ssl3 */
+-               ss->firstHsDone     = PR_TRUE;
+-               (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
++            /* for v3 this is done in ssl3_FinishHandshake */
++            if (!ss->firstHsDone && ss->version < SSL_LIBRARY_VERSION_3_0) {
++                ssl_GetRecvBufLock(ss);
++                ss->gs.recordLen = 0;
++                ssl_FinishHandshake(ss);
++                ssl_ReleaseRecvBufLock(ss);
+            }
+-           ss->firstHsDone         = PR_TRUE;
+-           ss->gs.writeOffset = 0;
+-           ss->gs.readOffset  = 0;
+            break;
+        }
+        rv = (*ss->handshake)(ss);
+@@ -134,6 +124,24 @@ ssl_Do1stHandshake(sslSocket *ss)
+     return rv;
+ }
+ 
++void
++ssl_FinishHandshake(sslSocket *ss)
++{
++    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
++    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
++
++    SSL_TRC(3, ("%d: SSL[%d]: handshake is completed", SSL_GETPID(), ss->fd));
++
++    ss->firstHsDone = PR_TRUE;
++    ss->enoughFirstHsDone = PR_TRUE;
++    ss->gs.writeOffset = 0;
++    ss->gs.readOffset  = 0;
++
++    if (ss->handshakeCallback) {
++       (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
++    }
++}
++
+ /*
+  * Handshake function that blocks.  Used to force a
+  * retry on a connection on the next read/write.
+@@ -206,6 +214,7 @@ SSL_ResetHandshake(PRFileDesc *s, PRBool asServer)
+     ssl_Get1stHandshakeLock(ss);
+ 
+     ss->firstHsDone = PR_FALSE;
++    ss->enoughFirstHsDone = PR_FALSE;
+     if ( asServer ) {
+        ss->handshake = ssl2_BeginServerHandshake;
+        ss->handshaking = sslHandshakingAsServer;
+@@ -221,6 +230,8 @@ SSL_ResetHandshake(PRFileDesc *s, PRBool asServer)
+     ssl_ReleaseRecvBufLock(ss);
+ 
+     ssl_GetSSL3HandshakeLock(ss);
++    ss->ssl3.hs.canFalseStart = PR_FALSE;
++    ss->ssl3.hs.restartTarget = NULL;
+ 
+     /*
+     ** Blow away old security state and get a fresh setup.
+@@ -331,6 +342,71 @@ SSL_HandshakeCallback(PRFileDesc *fd, SSLHandshakeCallback cb,
+     return SECSuccess;
+ }
+ 
++/* Register an application callback to be called when false start may happen.
++** Acquires and releases HandshakeLock.
++*/
++SECStatus
++SSL_SetCanFalseStartCallback(PRFileDesc *fd, SSLCanFalseStartCallback cb,
++                            void *arg)
++{
++    sslSocket *ss;
++
++    ss = ssl_FindSocket(fd);
++    if (!ss) {
++       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCanFalseStartCallback",
++                SSL_GETPID(), fd));
++       return SECFailure;
++    }
++
++    if (!ss->opt.useSecurity) {
++       PORT_SetError(SEC_ERROR_INVALID_ARGS);
++       return SECFailure;
++    }
++
++    ssl_Get1stHandshakeLock(ss);
++    ssl_GetSSL3HandshakeLock(ss);
++
++    ss->canFalseStartCallback     = cb;
++    ss->canFalseStartCallbackData = arg;
++
++    ssl_ReleaseSSL3HandshakeLock(ss);
++    ssl_Release1stHandshakeLock(ss);
++
++    return SECSuccess;
++}
++
++SECStatus
++SSL_RecommendedCanFalseStart(PRFileDesc *fd, PRBool *canFalseStart)
++{
++    sslSocket *ss;
++
++    *canFalseStart = PR_FALSE;
++    ss = ssl_FindSocket(fd);
++    if (!ss) {
++       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_RecommendedCanFalseStart",
++                SSL_GETPID(), fd));
++       return SECFailure;
++    }
++
++    if (!ss->ssl3.initialized) {
++       PORT_SetError(SEC_ERROR_INVALID_ARGS);
++       return SECFailure;
++    }
++
++    if (ss->version < SSL_LIBRARY_VERSION_3_0) {
++       PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
++       return SECFailure;
++    }
++
++    /* Require a forward-secret key exchange. */
++    *canFalseStart = ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
++                    ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
++                    ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
++                    ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa;
++
++    return SECSuccess;
++}
++
+ /* Try to make progress on an SSL handshake by attempting to read the 
+ ** next handshake from the peer, and sending any responses.
+ ** For non-blocking sockets, returns PR_ERROR_WOULD_BLOCK  if it cannot 
+@@ -524,6 +600,9 @@ DoRecv(sslSocket *ss, unsigned char *out, int len, int flags)
+     int              amount;
+     int              available;
+ 
++    /* ssl3_GatherAppDataRecord may call ssl_FinishHandshake, which needs the
++     * 1stHandshakeLock. */
++    ssl_Get1stHandshakeLock(ss);
+     ssl_GetRecvBufLock(ss);
+ 
+     available = ss->gs.writeOffset - ss->gs.readOffset;
+@@ -590,6 +669,7 @@ DoRecv(sslSocket *ss, unsigned char *out, int len, int flags)
+ 
+ done:
+     ssl_ReleaseRecvBufLock(ss);
++    ssl_Release1stHandshakeLock(ss);
+     return rv;
+ }
+ 
+@@ -1156,7 +1236,7 @@ ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len)
+ int
+ ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
+ {
+-    int              rv                = 0;
++    int rv = 0;
+ 
+     SSL_TRC(2, ("%d: SSL[%d]: SecureSend: sending %d bytes",
+                SSL_GETPID(), ss->fd, len));
+@@ -1191,19 +1271,15 @@ ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
+        ss->writerThread = PR_GetCurrentThread();
+     /* If any of these is non-zero, the initial handshake is not done. */
+     if (!ss->firstHsDone) {
+-       PRBool canFalseStart = PR_FALSE;
++        PRBool falseStart = PR_FALSE;
+        ssl_Get1stHandshakeLock(ss);
+-       if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
++        if (ss->opt.enableFalseStart &&
++            ss->version >= SSL_LIBRARY_VERSION_3_0) {
+            ssl_GetSSL3HandshakeLock(ss);
+-           if ((ss->ssl3.hs.ws == wait_change_cipher ||
+-               ss->ssl3.hs.ws == wait_finished ||
+-               ss->ssl3.hs.ws == wait_new_session_ticket) &&
+-               ssl3_CanFalseStart(ss)) {
+-               canFalseStart = PR_TRUE;
+-           }
++           falseStart = ss->ssl3.hs.canFalseStart;
+            ssl_ReleaseSSL3HandshakeLock(ss);
+        }
+-       if (!canFalseStart &&
++       if (!falseStart &&
+            (ss->handshake || ss->nextHandshake || ss->securityHandshake)) {
+            rv = ssl_Do1stHandshake(ss);
+        }
+@@ -1228,6 +1304,17 @@ ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
+        goto done;
+     }
+ 
++    if (!ss->firstHsDone) {
++       PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_3_0);
++#ifdef DEBUG
++       ssl_GetSSL3HandshakeLock(ss);
++       PORT_Assert(ss->ssl3.hs.canFalseStart);
++       ssl_ReleaseSSL3HandshakeLock(ss);
++#endif
++       SSL_TRC(3, ("%d: SSL[%d]: SecureSend: sending data due to false start",
++                   SSL_GETPID(), ss->fd));
++    }
++
+     /* Send out the data using one of these functions:
+      * ssl2_SendClear, ssl2_SendStream, ssl2_SendBlock, 
+      *  ssl3_SendApplicationData
+diff --git a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
+index cd4a7a7..73e069b 100644
+--- a/nss/lib/ssl/sslsock.c
++++ b/nss/lib/ssl/sslsock.c
+@@ -349,6 +349,8 @@ ssl_DupSocket(sslSocket *os)
+            ss->badCertArg            = os->badCertArg;
+            ss->handshakeCallback     = os->handshakeCallback;
+            ss->handshakeCallbackData = os->handshakeCallbackData;
++            ss->canFalseStartCallback = os->canFalseStartCallback;
++            ss->canFalseStartCallbackData = os->canFalseStartCallbackData;
+            ss->pkcs11PinArg          = os->pkcs11PinArg;
+     
+            /* Create security data */
+@@ -2341,10 +2343,14 @@ ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
+            } else if (new_flags & PR_POLL_WRITE) {
+                    /* The caller is trying to write, but the handshake is 
+                    ** blocked waiting for data to read, and the first 
+-                   ** handshake has been sent.  so do NOT to poll on write.
++                    ** handshake has been sent.  So do NOT to poll on write
++                    ** unless we did false start.
+                    */
+-                   new_flags ^=  PR_POLL_WRITE;   /* don't select on write. */
+-                   new_flags |=  PR_POLL_READ;    /* do    select on read. */
++                    if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 &&
++                        ss->ssl3.hs.canFalseStart)) {
++                        new_flags ^= PR_POLL_WRITE; /* don't select on write. */
++                    }
++                    new_flags |= PR_POLL_READ;      /* do    select on read. */
+            }
+        }
+     } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {
+-- 
+1.7.9.5
+
diff --git a/meta/recipes-support/nss/files/nss-CVE-2013-5606.patch b/meta/recipes-support/nss/files/nss-CVE-2013-5606.patch
new file mode 100644
index 0000000000..f30475b16b
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-CVE-2013-5606.patch
@@ -0,0 +1,48 @@
+nss: CVE-2013-5606
+
+Upstream-Status: Backport
+
+the patch comes from:
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5606
+https://bugzilla.mozilla.org/show_bug.cgi?id=910438
+http://hg.mozilla.org/projects/nss/rev/d29898e0981c
+
+The CERT_VerifyCert function in lib/certhigh/certvfy.c in
+Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides
+an unexpected return value for an incompatible key-usage certificate
+when the CERTVerifyLog argument is valid, which might allow remote
+attackers to bypass intended access restrictions via a crafted certificate.
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ nss/lib/certhigh/certvfy.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/nss/lib/certhigh/certvfy.c b/nss/lib/certhigh/certvfy.c
+index f364ceb..f450205 100644
+--- a/nss/lib/certhigh/certvfy.c
++++ b/nss/lib/certhigh/certvfy.c
+@@ -1312,7 +1312,7 @@ CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
+        PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+        LOG_ERROR_OR_EXIT(log,cert,0,flags);
+     } else if (trusted) {
+-       goto winner;
++       goto done;
+     }
+ 
+ 
+@@ -1340,7 +1340,10 @@ CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
+        }
+     }
+ 
+-winner:
++done:
++    if (log && log->head) {
++        return SECFailure;
++    }
+     return(SECSuccess);
+ 
+ loser:
+-- 
+1.7.9.5
+
diff --git a/meta/recipes-support/nss/files/nss-CVE-2014-1492.patch b/meta/recipes-support/nss/files/nss-CVE-2014-1492.patch
new file mode 100644
index 0000000000..1be8a17870
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-CVE-2014-1492.patch
@@ -0,0 +1,68 @@
+nss: CVE-2014-1492
+
+Upstream-Status: Backport
+
+the patch comes from:
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1492
+https://bugzilla.mozilla.org/show_bug.cgi?id=903885
+
+changeset:   11063:709d4e597979
+user:        Kai Engert <kaie@kuix.de>
+date:        Wed Mar 05 18:38:55 2014 +0100
+summary:     Bug 903885, address requests to clarify comments from wtc
+
+changeset:   11046:2ffa40a3ff55
+tag:         tip
+user:        Wan-Teh Chang <wtc@google.com>
+date:        Tue Feb 25 18:17:08 2014 +0100
+summary:     Bug 903885, fix IDNA wildcard handling v4, r=kaie
+
+changeset:   11045:15ea62260c21
+user:        Christian Heimes <sites@cheimes.de>
+date:        Mon Feb 24 17:50:25 2014 +0100
+summary:     Bug 903885, fix IDNA wildcard handling, r=kaie
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ nss/lib/certdb/certdb.c |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/nss/lib/certdb/certdb.c b/nss/lib/certdb/certdb.c
+index b7d22bd..91877b7 100644
+--- a/nss/lib/certdb/certdb.c
++++ b/nss/lib/certdb/certdb.c
+@@ -1381,7 +1381,7 @@ cert_TestHostName(char * cn, const char * hn)
+            return rv;
+        }
+     } else {
+-       /* New approach conforms to RFC 2818. */
++       /* New approach conforms to RFC 6125. */
+        char *wildcard    = PORT_Strchr(cn, '*');
+        char *firstcndot  = PORT_Strchr(cn, '.');
+        char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL;
+@@ -1390,14 +1390,17 @@ cert_TestHostName(char * cn, const char * hn)
+        /* For a cn pattern to be considered valid, the wildcard character...
+         * - may occur only in a DNS name with at least 3 components, and
+         * - may occur only as last character in the first component, and
+-        * - may be preceded by additional characters
++         * - may be preceded by additional characters, and
++         * - must not be preceded by an IDNA ACE prefix (xn--)
+         */
+        if (wildcard && secondcndot && secondcndot[1] && firsthndot 
+-           && firstcndot  - wildcard  == 1
+-           && secondcndot - firstcndot > 1
+-           && PORT_Strrchr(cn, '*') == wildcard
++            && firstcndot  - wildcard  == 1 /* wildcard is last char in first component */
++            && secondcndot - firstcndot > 1 /* second component is non-empty */
++            && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */
+            && !PORT_Strncasecmp(cn, hn, wildcard - cn)
+-           && !PORT_Strcasecmp(firstcndot, firsthndot)) {
++            && !PORT_Strcasecmp(firstcndot, firsthndot)
++               /* If hn starts with xn--, then cn must start with wildcard */
++            && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) {
+            /* valid wildcard pattern match */
+            return SECSuccess;
+        }
+-- 
+1.7.9.5
+
diff --git a/meta/recipes-support/nss/files/nss-CVE-2014-1544.patch b/meta/recipes-support/nss/files/nss-CVE-2014-1544.patch
new file mode 100644
index 0000000000..d6434dfe23
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-CVE-2014-1544.patch
@@ -0,0 +1,41 @@
+nss: CVE-2014-1544
+
+the patch comes from:
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-1544
+https://hg.mozilla.org/projects/nss/rev/204f22c527f8
+
+author  Robert Relyea <rrelyea@redhat.com>
+https://bugzilla.mozilla.org/show_bug.cgi?id=963150
+Bug 963150: Add nssCertificate_AddRef and nssCertificate_Destroy calls
+to PK11_ImportCert to prevent nssTrustDomain_AddCertsToCache from
+freeing the CERTCertificate associated with the NSSCertificate. r=wtc.
+
+Upstream-Status: Pending
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ nss/lib/pk11wrap/pk11cert.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/nss/lib/pk11wrap/pk11cert.c b/nss/lib/pk11wrap/pk11cert.c
+index 39168b9..3f3edb1 100644
+--- a/nss/lib/pk11wrap/pk11cert.c
++++ b/nss/lib/pk11wrap/pk11cert.c
+@@ -981,8 +981,15 @@ PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
+      * CERTCertificate, and finish
+      */
+     nssPKIObject_AddInstance(&c->object, certobj);
++    /* nssTrustDomain_AddCertsToCache may release a reference to 'c' and
++     * replace 'c' by a different value. So we add a reference to 'c' to
++     * prevent 'c' from being destroyed. */
++    nssCertificate_AddRef(c);
+     nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
++    /* XXX should we pass the original value of 'c' to
++     * STAN_ForceCERTCertificateUpdate? */
+     (void)STAN_ForceCERTCertificateUpdate(c);
++    nssCertificate_Destroy(c);
+     SECITEM_FreeItem(keyID,PR_TRUE);
+     return SECSuccess;
+ loser:
+-- 
+1.7.9.5
+
diff --git a/meta/recipes-support/nss/files/nss-CVE-2014-1568.patch b/meta/recipes-support/nss/files/nss-CVE-2014-1568.patch
new file mode 100644
index 0000000000..dbdb00ce2b
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-CVE-2014-1568.patch
@@ -0,0 +1,670 @@
+nss: CVE-2014-1568
+
+the patch comes from:
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1568
+https://bugzilla.mozilla.org/show_bug.cgi?id=1064636
+nss ng log:
+=====
+changeset:   11252:ad411fb64046
+user:        Kai Engert <kaie@kuix.de>
+date:        Tue Sep 23 19:28:34 2014 +0200
+summary:     Fix bug 1064636, patch part 2, r=rrelyea
+=====
+changeset:   11253:4e90910ad2f9
+user:        Kai Engert <kaie@kuix.de>
+date:        Tue Sep 23 19:28:45 2014 +0200
+summary:     Fix bug    1064636, patch part 3, r=rrelyea
+=====
+changeset:   11254:fb7208e91ae8
+user:        Kai Engert <kaie@kuix.de>
+date:        Tue Sep 23 19:28:52 2014 +0200
+summary:     Fix bug    1064636, patch part 1, r=rrelyea
+=====
+changeset:   11255:8dd6c6ac977d
+user:        Kai Engert <kaie@kuix.de>
+date:        Tue Sep 23 19:39:40 2014 +0200
+summary:     Bug 1064636, follow up commit to fix Windows build bustage
+
+Upstream-Status: Backport
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ nss/lib/cryptohi/secvfy.c  |  202 +++++++++++++++++++++++++++-----------------
+ nss/lib/softoken/pkcs11c.c |   69 +++++++--------
+ nss/lib/util/manifest.mn   |    2 +
+ nss/lib/util/nssutil.def   |    6 ++
+ nss/lib/util/pkcs1sig.c    |  169 ++++++++++++++++++++++++++++++++++++
+ nss/lib/util/pkcs1sig.h    |   30 +++++++
+ 6 files changed, 360 insertions(+), 118 deletions(-)
+ create mode 100644 nss/lib/util/pkcs1sig.c
+ create mode 100644 nss/lib/util/pkcs1sig.h
+
+diff --git a/nss/lib/cryptohi/secvfy.c b/nss/lib/cryptohi/secvfy.c
+index c1ac39b..0a20672 100644
+--- a/nss/lib/cryptohi/secvfy.c
++++ b/nss/lib/cryptohi/secvfy.c
+@@ -12,78 +12,111 @@
+ #include "secasn1.h"
+ #include "secoid.h"
+ #include "pk11func.h"
++#include "pkcs1sig.h"
+ #include "secdig.h"
+ #include "secerr.h"
+ #include "keyi.h"
+ 
+ /*
+-** Decrypt signature block using public key
+-** Store the hash algorithm oid tag in *tagp
+-** Store the digest in the digest buffer
+-** Store the digest length in *digestlen
++** Recover the DigestInfo from an RSA PKCS#1 signature.
++**
++** If givenDigestAlg != SEC_OID_UNKNOWN, copy givenDigestAlg to digestAlgOut.
++** Otherwise, parse the DigestInfo structure and store the decoded digest
++** algorithm into digestAlgOut.
++**
++** Store the encoded DigestInfo into digestInfo.
++** Store the DigestInfo length into digestInfoLen.
++**
++** This function does *not* verify that the AlgorithmIdentifier in the
++** DigestInfo identifies givenDigestAlg or that the DigestInfo is encoded
++** correctly; verifyPKCS1DigestInfo does that.
++**
+ ** XXX this is assuming that the signature algorithm has WITH_RSA_ENCRYPTION
+ */
+ static SECStatus
+-DecryptSigBlock(SECOidTag *tagp, unsigned char *digest,
+-               unsigned int *digestlen, unsigned int maxdigestlen,
+-               SECKEYPublicKey *key, const SECItem *sig, char *wincx)
++recoverPKCS1DigestInfo(SECOidTag givenDigestAlg,
++                       /*out*/ SECOidTag* digestAlgOut,
++                       /*out*/ unsigned char** digestInfo,
++                       /*out*/ unsigned int* digestInfoLen,
++                       SECKEYPublicKey* key,
++                       const SECItem* sig, void* wincx)
+ {
+-    SGNDigestInfo *di   = NULL;
+-    unsigned char *buf  = NULL;
+-    SECStatus      rv;
+-    SECOidTag      tag;
+-    SECItem        it;
+-
+-    if (key == NULL) goto loser;
+-
++    SGNDigestInfo* di = NULL;
++    SECItem it;
++    PRBool rv = SECSuccess;
++
++    PORT_Assert(digestAlgOut);
++    PORT_Assert(digestInfo);
++    PORT_Assert(digestInfoLen);
++    PORT_Assert(key);
++    PORT_Assert(key->keyType == rsaKey);
++    PORT_Assert(sig);
++
++    it.data = NULL;
+     it.len  = SECKEY_PublicKeyStrength(key);
+-    if (!it.len) goto loser;
+-    it.data = buf = (unsigned char *)PORT_Alloc(it.len);
+-    if (!buf) goto loser;
++    if (it.len != 0) {
++        it.data = (unsigned char *)PORT_Alloc(it.len);
++    }
++    if (it.len == 0 || it.data == NULL ) {
++        rv = SECFailure;
++    }
+ 
+-    /* decrypt the block */
+-    rv = PK11_VerifyRecover(key, (SECItem *)sig, &it, wincx);
+-    if (rv != SECSuccess) goto loser;
++    if (rv == SECSuccess) {
++        /* decrypt the block */
++        rv = PK11_VerifyRecover(key, sig, &it, wincx);
++    }
+ 
+-    di = SGN_DecodeDigestInfo(&it);
+-    if (di == NULL) goto sigloser;
++    if (rv == SECSuccess) {
++        if (givenDigestAlg != SEC_OID_UNKNOWN) {
++            /* We don't need to parse the DigestInfo if the caller gave us the
++             * digest algorithm to use. Later verifyPKCS1DigestInfo will verify
++             * that the DigestInfo identifies the given digest algorithm and
++             * that the DigestInfo is encoded absolutely correctly.
++             */
++            *digestInfoLen = it.len;
++            *digestInfo = (unsigned char*)it.data;
++            *digestAlgOut = givenDigestAlg;
++            return SECSuccess;
++        }
++    }
+ 
+-    /*
+-    ** Finally we have the digest info; now we can extract the algorithm
+-    ** ID and the signature block
+-    */
+-    tag = SECOID_GetAlgorithmTag(&di->digestAlgorithm);
+-    /* Check that tag is an appropriate algorithm */
+-    if (tag == SEC_OID_UNKNOWN) {
+-       goto sigloser;
+-    }
+-    /* make sure the "parameters" are not too bogus. */
+-    if (di->digestAlgorithm.parameters.len > 2) {
+-       goto sigloser;
+-    }
+-    if (di->digest.len > maxdigestlen) {
+-       PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+-       goto loser;
++    if (rv == SECSuccess) {
++        /* The caller didn't specify a digest algorithm to use, so choose the
++         * digest algorithm by parsing the AlgorithmIdentifier within the
++         * DigestInfo.
++         */
++        di = SGN_DecodeDigestInfo(&it);
++        if (!di) {
++            rv = SECFailure;
++        }
+     }
+-    PORT_Memcpy(digest, di->digest.data, di->digest.len);
+-    *tagp = tag;
+-    *digestlen = di->digest.len;
+-    goto done;
+ 
+-  sigloser:
+-    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++    if (rv == SECSuccess) {
++        *digestAlgOut = SECOID_GetAlgorithmTag(&di->digestAlgorithm);
++        if (*digestAlgOut == SEC_OID_UNKNOWN) {
++            rv = SECFailure;
++        }
++    }
+ 
+-  loser:
+-    rv = SECFailure;
++    if (di) {
++        SGN_DestroyDigestInfo(di);
++    }
++
++    if (rv == SECSuccess) {
++        *digestInfoLen = it.len;
++        *digestInfo = (unsigned char*)it.data;
++    } else {
++        if (it.data) {
++            PORT_Free(it.data);
++        }
++        *digestInfo = NULL;
++        *digestInfoLen = 0;
++        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++    }
+ 
+-  done:
+-    if (di   != NULL) SGN_DestroyDigestInfo(di);
+-    if (buf  != NULL) PORT_Free(buf);
+-    
+     return rv;
+ }
+ 
+-
+ struct VFYContextStr {
+     SECOidTag hashAlg;  /* the hash algorithm */
+     SECKEYPublicKey *key;
+@@ -99,14 +132,14 @@ struct VFYContextStr {
+     union {
+        unsigned char buffer[1];
+ 
+-       /* the digest in the decrypted RSA signature */
+-       unsigned char rsadigest[HASH_LENGTH_MAX];
+        /* the full DSA signature... 40 bytes */
+        unsigned char dsasig[DSA_MAX_SIGNATURE_LEN];
+        /* the full ECDSA signature */
+        unsigned char ecdsasig[2 * MAX_ECKEY_LEN];
+     } u;
+-    unsigned int rsadigestlen;
++    unsigned int pkcs1RSADigestInfoLen;
++    /* the encoded DigestInfo from a RSA PKCS#1 signature */
++    unsigned char *pkcs1RSADigestInfo;
+     void * wincx;
+     void *hashcx;
+     const SECHashObject *hashobj;
+@@ -117,6 +150,17 @@ struct VFYContextStr {
+                            * VFY_EndWithSignature call. */
+ };
+ 
++static SECStatus
++verifyPKCS1DigestInfo(const VFYContext* cx, const SECItem* digest)
++{
++  SECItem pkcs1DigestInfo;
++  pkcs1DigestInfo.data = cx->pkcs1RSADigestInfo;
++  pkcs1DigestInfo.len = cx->pkcs1RSADigestInfoLen;
++  return _SGN_VerifyPKCS1DigestInfo(
++           cx->hashAlg, digest, &pkcs1DigestInfo,
++           PR_TRUE /*XXX: unsafeAllowMissingParameters*/);
++}
++
+ /*
+  * decode the ECDSA or DSA signature from it's DER wrapping.
+  * The unwrapped/raw signature is placed in the buffer pointed
+@@ -376,16 +420,16 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
+     cx->encAlg = encAlg;
+     cx->hashAlg = hashAlg;
+     cx->key = SECKEY_CopyPublicKey(key);
++    cx->pkcs1RSADigestInfo = NULL;
+     rv = SECSuccess;
+     if (sig) {
+        switch (type) {
+        case rsaKey:
+-           rv = DecryptSigBlock(&cx->hashAlg, cx->u.buffer, &cx->rsadigestlen,
+-                       HASH_LENGTH_MAX, cx->key, sig, (char*)wincx);
+-           if (cx->hashAlg != hashAlg && hashAlg != SEC_OID_UNKNOWN) {
+-               PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+-               rv = SECFailure;        
+-           }
++            rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
++                                        &cx->pkcs1RSADigestInfo,
++                                        &cx->pkcs1RSADigestInfoLen,
++                                        cx->key,
++                                        sig, wincx);
+            break;
+        case dsaKey:
+        case ecKey:
+@@ -469,6 +513,9 @@ VFY_DestroyContext(VFYContext *cx, PRBool freeit)
+        if (cx->key) {
+            SECKEY_DestroyPublicKey(cx->key);
+        }
++        if (cx->pkcs1RSADigestInfo) {
++            PORT_Free(cx->pkcs1RSADigestInfo);
++        }
+        if (freeit) {
+            PORT_ZFree(cx, sizeof(VFYContext));
+        }
+@@ -548,21 +595,25 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
+        }
+        break;
+       case rsaKey:
++      {
++        SECItem digest;
++        digest.data = final;
++        digest.len = part;
+        if (sig) {
+-           SECOidTag hashid = SEC_OID_UNKNOWN;
+-           rv = DecryptSigBlock(&hashid, cx->u.buffer, &cx->rsadigestlen,
+-                   HASH_LENGTH_MAX, cx->key, sig, (char*)cx->wincx);
+-           if ((rv != SECSuccess) || (hashid != cx->hashAlg)) {
+-               PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++            SECOidTag hashid;
++            PORT_Assert(cx->hashAlg != SEC_OID_UNKNOWN);
++            rv = recoverPKCS1DigestInfo(cx->hashAlg, &hashid,
++                                        &cx->pkcs1RSADigestInfo,
++                                        &cx->pkcs1RSADigestInfoLen,
++                                        cx->key,
++                                        sig, cx->wincx);
++            PORT_Assert(cx->hashAlg == hashid);
++            if (rv != SECSuccess) {
+                return SECFailure;
+            }
+        }
+-       if ((part != cx->rsadigestlen) ||
+-           PORT_Memcmp(final, cx->u.buffer, part)) {
+-           PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+-           return SECFailure;
+-       }
+-       break;
++        return verifyPKCS1DigestInfo(cx, &digest);
++      }
+       default:
+        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+        return SECFailure; /* shouldn't happen */
+@@ -595,12 +646,7 @@ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
+     if (cx != NULL) {
+        switch (key->keyType) {
+        case rsaKey:
+-           if ((digest->len != cx->rsadigestlen) ||
+-               PORT_Memcmp(digest->data, cx->u.buffer, digest->len)) {
+-               PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+-           } else {
+-               rv = SECSuccess;
+-           }
++            rv = verifyPKCS1DigestInfo(cx, digest);
+            break;
+        case dsaKey:
+        case ecKey:
+diff --git a/nss/lib/softoken/pkcs11c.c b/nss/lib/softoken/pkcs11c.c
+index 89b5bd8..ba6dcfa 100644
+--- a/nss/lib/softoken/pkcs11c.c
++++ b/nss/lib/softoken/pkcs11c.c
+@@ -23,6 +23,7 @@
+ #include "blapi.h"
+ #include "pkcs11.h"
+ #include "pkcs11i.h"
++#include "pkcs1sig.h"
+ #include "lowkeyi.h"
+ #include "secder.h"
+ #include "secdig.h"
+@@ -2580,54 +2581,42 @@ sftk_hashCheckSign(SFTKHashVerifyInfo *info, unsigned char *sig,
+ }
+ 
+ SECStatus
+-RSA_HashCheckSign(SECOidTag hashOid, NSSLOWKEYPublicKey *key,
++RSA_HashCheckSign(SECOidTag digestOid, NSSLOWKEYPublicKey *key,
+        unsigned char *sig, unsigned int sigLen,
+-       unsigned char *digest, unsigned int digestLen)
++        unsigned char *digestData, unsigned int digestLen)
+ {
++    unsigned char *pkcs1DigestInfoData;
++    SECItem pkcs1DigestInfo;
++    SECItem digest;
++    unsigned int bufferSize;
++    SECStatus rv;
+ 
+-    SECItem it;
+-    SGNDigestInfo *di = NULL;
+-    SECStatus rv = SECSuccess;
+-    
+-    it.data = NULL;
+-
+-    if (key == NULL) goto loser;
+-
+-    it.len = nsslowkey_PublicModulusLen(key); 
+-    if (!it.len) goto loser;
++    /* pkcs1DigestInfo.data must be less than key->u.rsa.modulus.len */
++    bufferSize = key->u.rsa.modulus.len;
++    pkcs1DigestInfoData = PORT_ZAlloc(bufferSize);
++    if (!pkcs1DigestInfoData) {
++        PORT_SetError(SEC_ERROR_NO_MEMORY);
++        return SECFailure;
++    }
+ 
+-    it.data = (unsigned char *) PORT_Alloc(it.len);
+-    if (it.data == NULL) goto loser;
++    pkcs1DigestInfo.data = pkcs1DigestInfoData;
++    pkcs1DigestInfo.len = bufferSize;
+ 
+     /* decrypt the block */
+-    rv = RSA_CheckSignRecover(key, it.data, &it.len, it.len, sig, sigLen);
+-    if (rv != SECSuccess) goto loser;
+-
+-    di = SGN_DecodeDigestInfo(&it);
+-    if (di == NULL) goto loser;
+-    if (di->digest.len != digestLen)  goto loser; 
+-
+-    /* make sure the tag is OK */
+-    if (SECOID_GetAlgorithmTag(&di->digestAlgorithm) != hashOid) {
+-       goto loser;
+-    }
+-    /* make sure the "parameters" are not too bogus. */
+-    if (di->digestAlgorithm.parameters.len > 2) {
+-       goto loser;
+-    }
+-    /* Now check the signature */
+-    if (PORT_Memcmp(digest, di->digest.data, di->digest.len) == 0) {
+-       goto done;
++    rv = RSA_CheckSignRecover(key, pkcs1DigestInfo.data,
++                              &pkcs1DigestInfo.len, pkcs1DigestInfo.len,
++                              sig, sigLen);
++    if (rv != SECSuccess) {
++        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++    } else {
++        digest.data = (PRUint8*) digestData;
++        digest.len = digestLen;
++        rv = _SGN_VerifyPKCS1DigestInfo(
++                digestOid, &digest, &pkcs1DigestInfo,
++                PR_TRUE /*XXX: unsafeAllowMissingParameters*/);
+     }
+ 
+-  loser:
+-    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+-    rv = SECFailure;
+-
+-  done:
+-    if (it.data != NULL) PORT_Free(it.data);
+-    if (di != NULL) SGN_DestroyDigestInfo(di);
+-    
++    PORT_Free(pkcs1DigestInfoData);
+     return rv;
+ }
+ 
+diff --git a/nss/lib/util/manifest.mn b/nss/lib/util/manifest.mn
+index ed54a16..9ff3758 100644
+--- a/nss/lib/util/manifest.mn
++++ b/nss/lib/util/manifest.mn
+@@ -22,6 +22,7 @@ EXPORTS = \
+        pkcs11t.h \
+        pkcs11n.h \
+        pkcs11u.h \
++       pkcs1sig.h \
+        portreg.h \
+        secasn1.h \
+        secasn1t.h \
+@@ -58,6 +59,7 @@ CSRCS = \
+        nssrwlk.c \
+        nssilock.c \
+        oidstring.c \
++       pkcs1sig.c \
+        portreg.c \
+        secalgid.c \
+        secasn1d.c \
+diff --git a/nss/lib/util/nssutil.def b/nss/lib/util/nssutil.def
+index 86a0ad7..9d98df2 100644
+--- a/nss/lib/util/nssutil.def
++++ b/nss/lib/util/nssutil.def
+@@ -271,3 +271,9 @@ SECITEM_ZfreeArray;
+ ;+    local:
+ ;+       *;
+ ;+};
++;+NSSUTIL_3.17.1 {         # NSS Utilities 3.17.1 release
++;+    global:
++_SGN_VerifyPKCS1DigestInfo;
++;+    local:
++;+       *;
++;+};
+diff --git a/nss/lib/util/pkcs1sig.c b/nss/lib/util/pkcs1sig.c
+new file mode 100644
+index 0000000..03b16f5
+--- /dev/null
++++ b/nss/lib/util/pkcs1sig.c
+@@ -0,0 +1,169 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
++ */
++
++#include "pkcs1sig.h"
++#include "hasht.h"
++#include "secerr.h"
++#include "secasn1t.h"
++#include "secoid.h"
++
++typedef struct pkcs1PrefixStr pkcs1Prefix;
++struct pkcs1PrefixStr {
++    unsigned int len;
++    PRUint8 *data;
++};
++
++typedef struct pkcs1PrefixesStr pkcs1Prefixes;
++struct pkcs1PrefixesStr {
++    unsigned int digestLen;
++    pkcs1Prefix prefixWithParams;
++    pkcs1Prefix prefixWithoutParams;
++};
++
++/* The value for SGN_PKCS1_DIGESTINFO_MAX_PREFIX_LEN_EXCLUDING_OID is based on
++ * the possible prefix encodings as explained below.
++ */
++#define MAX_PREFIX_LEN_EXCLUDING_OID 10
++
++static SECStatus
++encodePrefix(const SECOidData *hashOid, unsigned int digestLen,
++             pkcs1Prefix *prefix, PRBool withParams)
++{
++    /* with params coding is:
++     *  Sequence (2 bytes) {
++     *      Sequence (2 bytes) {
++     *               Oid (2 bytes)  {
++     *                   Oid value (derOid->oid.len)
++     *               }
++     *               NULL (2 bytes)
++     *      }
++     *      OCTECT (2 bytes);
++     *
++     * without params coding is:
++     *  Sequence (2 bytes) {
++     *      Sequence (2 bytes) {
++     *               Oid (2 bytes)  {
++     *                   Oid value (derOid->oid.len)
++     *               }
++     *      }
++     *      OCTECT (2 bytes);
++     */
++
++    unsigned int innerSeqLen = 2 + hashOid->oid.len;
++    unsigned int outerSeqLen = 2 + innerSeqLen + 2 + digestLen;
++    unsigned int extra = 0;
++
++    if (withParams) {
++        innerSeqLen += 2;
++        outerSeqLen += 2;
++        extra = 2;
++    }
++
++    if (innerSeqLen >= 128 ||
++        outerSeqLen >= 128 ||
++        (outerSeqLen + 2 - digestLen) >
++            (MAX_PREFIX_LEN_EXCLUDING_OID + hashOid->oid.len)) {
++        /* this is actually a library failure, It shouldn't happen */
++        PORT_SetError(SEC_ERROR_INVALID_ARGS);
++        return SECFailure;
++    }
++
++    prefix->len = 6 + hashOid->oid.len + extra + 2;
++    prefix->data = PORT_Alloc(prefix->len);
++    if (!prefix->data) {
++        PORT_SetError(SEC_ERROR_NO_MEMORY);
++        return SECFailure;
++    }
++
++    prefix->data[0] = SEC_ASN1_SEQUENCE|SEC_ASN1_CONSTRUCTED;
++    prefix->data[1] = outerSeqLen;
++    prefix->data[2] = SEC_ASN1_SEQUENCE|SEC_ASN1_CONSTRUCTED;
++    prefix->data[3] = innerSeqLen;
++    prefix->data[4] = SEC_ASN1_OBJECT_ID;
++    prefix->data[5] = hashOid->oid.len;
++    PORT_Memcpy(&prefix->data[6], hashOid->oid.data, hashOid->oid.len);
++    if (withParams) {
++        prefix->data[6 + hashOid->oid.len] = SEC_ASN1_NULL;
++        prefix->data[6 + hashOid->oid.len + 1] = 0;
++    }
++    prefix->data[6 + hashOid->oid.len + extra] = SEC_ASN1_OCTET_STRING;
++    prefix->data[6 + hashOid->oid.len + extra + 1] = digestLen;
++
++    return SECSuccess;
++}
++
++SECStatus
++_SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg,
++                           const SECItem* digest,
++                           const SECItem* dataRecoveredFromSignature,
++                           PRBool unsafeAllowMissingParameters)
++{
++    SECOidData *hashOid;
++    pkcs1Prefixes pp;
++    const pkcs1Prefix* expectedPrefix;
++    SECStatus rv, rv2, rv3;
++
++    if (!digest || !digest->data ||
++        !dataRecoveredFromSignature || !dataRecoveredFromSignature->data) {
++        PORT_SetError(SEC_ERROR_INVALID_ARGS);
++        return SECFailure;
++    }
++
++    hashOid = SECOID_FindOIDByTag(digestAlg);
++    if (hashOid == NULL) {
++        PORT_SetError(SEC_ERROR_INVALID_ARGS);
++        return SECFailure;
++    }
++
++    pp.digestLen = digest->len;
++    pp.prefixWithParams.data = NULL;
++    pp.prefixWithoutParams.data = NULL;
++
++    rv2 = encodePrefix(hashOid, pp.digestLen, &pp.prefixWithParams, PR_TRUE);
++    rv3 = encodePrefix(hashOid, pp.digestLen, &pp.prefixWithoutParams, PR_FALSE);
++
++    rv = SECSuccess;
++    if (rv2 != SECSuccess || rv3 != SECSuccess) {
++        rv = SECFailure;
++    }
++
++    if (rv == SECSuccess) {
++        /* We don't attempt to avoid timing attacks on these comparisons because
++         * signature verification is a public key operation, not a private key
++         * operation.
++         */
++
++        if (dataRecoveredFromSignature->len ==
++                pp.prefixWithParams.len + pp.digestLen) {
++            expectedPrefix = &pp.prefixWithParams;
++        } else if (unsafeAllowMissingParameters &&
++                   dataRecoveredFromSignature->len ==
++                      pp.prefixWithoutParams.len + pp.digestLen) {
++            expectedPrefix = &pp.prefixWithoutParams;
++        } else {
++            PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++            rv = SECFailure;
++        }
++    }
++
++    if (rv == SECSuccess) {
++        if (memcmp(dataRecoveredFromSignature->data, expectedPrefix->data,
++                   expectedPrefix->len) ||
++            memcmp(dataRecoveredFromSignature->data + expectedPrefix->len,
++                   digest->data, digest->len)) {
++            PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++            rv = SECFailure;
++        }
++    }
++
++    if (pp.prefixWithParams.data) {
++        PORT_Free(pp.prefixWithParams.data);
++    }
++    if (pp.prefixWithoutParams.data) {
++        PORT_Free(pp.prefixWithoutParams.data);
++    }
++
++    return rv;
++}
+diff --git a/nss/lib/util/pkcs1sig.h b/nss/lib/util/pkcs1sig.h
+new file mode 100644
+index 0000000..7c52b15
+--- /dev/null
++++ b/nss/lib/util/pkcs1sig.h
+@@ -0,0 +1,30 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
++ */
++
++#ifndef _PKCS1SIG_H_
++#define _PKCS1SIG_H_
++
++#include "hasht.h"
++#include "seccomon.h"
++#include "secoidt.h"
++
++/* SGN_VerifyPKCS1DigestInfo verifies that the length of the digest is correct
++ * for the given algorithm, then verifies that the recovered data from the
++ * PKCS#1 signature is a properly-formatted DigestInfo that identifies the
++ * given digest algorithm, then verifies that the digest in the DigestInfo
++ * matches the given digest.
++ *
++ * dataRecoveredFromSignature must be the result of calling PK11_VerifyRecover
++ * or equivalent.
++ *
++ * If unsafeAllowMissingParameters is true (not recommended), then a DigestInfo
++ * without the mandatory ASN.1 NULL parameter will also be accepted.
++ */
++SECStatus _SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg,
++                                     const SECItem* digest,
++                                     const SECItem* dataRecoveredFromSignature,
++                                     PRBool unsafeAllowMissingParameters);
++
++#endif /* _PKCS1SIG_H_ */
+-- 
+1.7.9.5
diff --git a/meta/recipes-support/nss/files/nss-fix-incorrect-shebang-of-perl.patch b/meta/recipes-support/nss/files/nss-fix-incorrect-shebang-of-perl.patch
new file mode 100644
index 0000000000..547594d5b6
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-fix-incorrect-shebang-of-perl.patch
@@ -0,0 +1,110 @@
+nss: fix incorrect shebang of perl
+
+Replace incorrect shebang of perl with `#!/usr/bin/env perl'.
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+Upstream-Status: Pending
+---
+ nss/cmd/smimetools/smime  | 2 +-
+ nss/coreconf/cpdist.pl    | 2 +-
+ nss/coreconf/import.pl    | 2 +-
+ nss/coreconf/jniregen.pl  | 2 +-
+ nss/coreconf/outofdate.pl | 2 +-
+ nss/coreconf/release.pl   | 2 +-
+ nss/coreconf/version.pl   | 2 +-
+ nss/tests/clean_tbx       | 2 +-
+ nss/tests/path_uniq       | 2 +-
+ 9 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/nss/cmd/smimetools/smime b/nss/cmd/smimetools/smime
+--- a/nss/cmd/smimetools/smime
++++ b/nss/cmd/smimetools/smime
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/env perl
+ 
+ # This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+diff --git a/nss/coreconf/cpdist.pl b/nss/coreconf/cpdist.pl
+index 800edfb..652187f 100755
+--- a/nss/coreconf/cpdist.pl
++++ b/nss/coreconf/cpdist.pl
+@@ -1,4 +1,4 @@
+-#! /usr/local/bin/perl
++#!/usr/bin/env perl
+ #
+ # This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+diff --git a/nss/coreconf/import.pl b/nss/coreconf/import.pl
+index dd2d177..428eaa5 100755
+--- a/nss/coreconf/import.pl
++++ b/nss/coreconf/import.pl
+@@ -1,4 +1,4 @@
+-#! /usr/local/bin/perl
++#!/usr/bin/env perl
+ #
+ # This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+diff --git a/nss/coreconf/jniregen.pl b/nss/coreconf/jniregen.pl
+index 2039180..5f4f69c 100755
+--- a/nss/coreconf/jniregen.pl
++++ b/nss/coreconf/jniregen.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/env perl
+ #
+ # This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+diff --git a/nss/coreconf/outofdate.pl b/nss/coreconf/outofdate.pl
+index 33d80bb..01fc097 100755
+--- a/nss/coreconf/outofdate.pl
++++ b/nss/coreconf/outofdate.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/env perl
+ #
+ # This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+diff --git a/nss/coreconf/release.pl b/nss/coreconf/release.pl
+index 7cde19d..b5df2f6 100755
+--- a/nss/coreconf/release.pl
++++ b/nss/coreconf/release.pl
+@@ -1,4 +1,4 @@
+-#! /usr/local/bin/perl
++#!/usr/bin/env perl
+ #
+ # This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+diff --git a/nss/coreconf/version.pl b/nss/coreconf/version.pl
+index d2a4942..79359fe 100644
+--- a/nss/coreconf/version.pl
++++ b/nss/coreconf/version.pl
+@@ -1,4 +1,4 @@
+-#!/usr/sbin/perl
++#!/usr/bin/env perl
+ #
+ # This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+diff --git a/nss/tests/clean_tbx b/nss/tests/clean_tbx
+index 4de9555..a7def9f 100755
+--- a/nss/tests/clean_tbx
++++ b/nss/tests/clean_tbx
+@@ -1,4 +1,4 @@
+-#! /bin/perl
++#!/usr/bin/env perl
+ 
+ #######################################################################
+ #
+diff --git a/nss/tests/path_uniq b/nss/tests/path_uniq
+index f29f60a..08fbffa 100755
+--- a/nss/tests/path_uniq
++++ b/nss/tests/path_uniq
+@@ -1,4 +1,4 @@
+-#! /bin/perl
++#!/usr/bin/env perl
+ 
+ ########################################################################
+ #
+-- 
+1.8.1.2
+
diff --git a/meta/recipes-support/nss/files/nss-fix-support-cross-compiling.patch b/meta/recipes-support/nss/files/nss-fix-support-cross-compiling.patch
new file mode 100644
index 0000000000..f0b3550bff
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-fix-support-cross-compiling.patch
@@ -0,0 +1,71 @@
+nss: fix support cross compiling
+
+Let some make variables be assigned from outside makefile.
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+Upstream-Status: Inappropriate [configuration]
+---
+ nss/coreconf/Linux.mk   | 12 +++++++++++-
+ nss/coreconf/arch.mk    |  2 +-
+ nss/lib/freebl/Makefile |  6 ++++++
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/nss/coreconf/Linux.mk b/nss/coreconf/Linux.mk
+--- a/nss/coreconf/Linux.mk
++++ b/nss/coreconf/Linux.mk
+@@ -16,11 +16,21 @@ ifeq ($(USE_PTHREADS),1)
+        IMPL_STRATEGY = _PTH
+ endif
+ 
++ifndef CC
+ CC                     = gcc
++endif
++
++ifdef CXX
++CCC                    = $(CXX)
++else
+ CCC                    = g++
++endif
++
++ifndef RANLIB
+ RANLIB                 = ranlib
++endif
+ 
+-DEFAULT_COMPILER = gcc
++DEFAULT_COMPILER = $(CC)
+ 
+ ifeq ($(OS_TARGET),Android)
+ ifndef ANDROID_NDK
+diff --git a/nss/coreconf/arch.mk b/nss/coreconf/arch.mk
+index 6557348..b722412 100644
+--- a/nss/coreconf/arch.mk
++++ b/nss/coreconf/arch.mk
+@@ -37,7 +37,7 @@ OS_TEST := $(shell uname -m)
+ ifeq ($(OS_TEST),i86pc)
+     OS_RELEASE := $(shell uname -r)_$(OS_TEST)
+ else
+-    OS_RELEASE := $(shell uname -r)
++    OS_RELEASE ?= $(shell uname -r)
+ endif
+ 
+ #
+diff --git a/nss/lib/freebl/Makefile b/nss/lib/freebl/Makefile
+index 0d293f1..678f506 100644
+--- a/nss/lib/freebl/Makefile
++++ b/nss/lib/freebl/Makefile
+@@ -36,6 +36,12 @@ ifdef USE_64
+        DEFINES += -DNSS_USE_64
+ endif
+ 
++ifeq ($(OS_TEST),mips)
++ifndef USE_64
++       DEFINES += -DNS_PTR_LE_32
++endif
++endif
++
+ ifdef USE_ABI32_FPU
+        DEFINES += -DNSS_USE_ABI32_FPU
+ endif
+-- 
+1.8.1.2
+
diff --git a/meta/recipes-support/nss/files/nss-no-rpath-for-cross-compiling.patch b/meta/recipes-support/nss/files/nss-no-rpath-for-cross-compiling.patch
new file mode 100644
index 0000000000..7661dc93a0
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-no-rpath-for-cross-compiling.patch
@@ -0,0 +1,26 @@
+nss:no rpath for cross compiling
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+Upstream-Status: Inappropriate [configuration]
+---
+ nss/cmd/platlibs.mk | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nss/cmd/platlibs.mk b/nss/cmd/platlibs.mk
+--- a/nss/cmd/platlibs.mk
++++ b/nss/cmd/platlibs.mk
+@@ -18,9 +18,9 @@ endif
+ 
+ ifeq ($(OS_ARCH), Linux)
+ ifeq ($(USE_64), 1)
+-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
++#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
+ else
+-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
++#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
+ endif
+ endif
+ 
+-- 
+1.8.1.2
+
diff --git a/meta/recipes-support/nss/files/nss.pc.in b/meta/recipes-support/nss/files/nss.pc.in
new file mode 100644
index 0000000000..200f635c65
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss.pc.in
@@ -0,0 +1,11 @@
+prefix=OEPREFIX
+exec_prefix=OEEXECPREFIX
+libdir=OELIBDIR
+includedir=OEINCDIR
+
+Name: NSS
+Description: Network Security Services
+Version: %NSS_VERSION%
+Requires: nspr >= %NSPR_VERSION%
+Libs: -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3
+Cflags: -IOEINCDIR
diff --git a/meta/recipes-support/nss/files/signlibs.sh b/meta/recipes-support/nss/files/signlibs.sh
new file mode 100644
index 0000000000..1ec79f4576
--- /dev/null
+++ b/meta/recipes-support/nss/files/signlibs.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# signlibs.sh
+#
+# (c)2010 Wind River Systems, Inc.
+#
+# regenerates the .chk files for the NSS libraries that require it
+# since the ones that are built have incorrect checksums that were
+# calculated on the host where they really need to be done on the
+# target
+
+CHK_FILES=`find /lib* /usr/lib* -name "*.chk"`
+SIGN_BINARY=`which shlibsign`
+for I in $CHK_FILES
+do
+       DN=`dirname $I`
+       BN=`basename $I .chk`
+       FN=$DN/$BN.so
+       $SIGN_BINARY -i $FN
+done
diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc
new file mode 100644
index 0000000000..008bdad5c7
--- /dev/null
+++ b/meta/recipes-support/nss/nss.inc
@@ -0,0 +1,215 @@
+SUMMARY = "Mozilla's SSL and TLS implementation"
+DESCRIPTION = "Network Security Services (NSS) is a set of libraries \
+designed to support cross-platform development of \
+security-enabled client and server applications. \
+Applications built with NSS can support SSL v2 and v3, \
+TLS, PKCS 5, PKCS 7, PKCS 11, PKCS 12, S/MIME, X.509 \
+v3 certificates, and other security standards."
+HOMEPAGE = "http://www.mozilla.org/projects/security/pki/nss/"
+SECTION = "libs"
+
+LICENSE = "MPL-2.0 | (MPL-2.0 & GPL-2.0+) | (MPL-2.0 & LGPL-2.1+)"
+
+LIC_FILES_CHKSUM = "file://nss/lib/freebl/mpi/doc/LICENSE;md5=491f158d09d948466afce85d6f1fe18f \
+                    file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=6bf96825e3d7ce4de25621ae886cc859"
+SRC_URI = "\
+    file://nss-fix-support-cross-compiling.patch \
+    file://nss-no-rpath-for-cross-compiling.patch \
+    file://nss-fix-incorrect-shebang-of-perl.patch \
+    file://nss-3.15.1-fix-CVE-2013-1741.patch \
+    file://nss-3.15.1-fix-CVE-2013-5605.patch \
+    file://nss-CVE-2014-1492.patch \
+    file://nss-CVE-2013-1740.patch \
+    file://nss-3.15.1-fix-CVE-2013-1739.patch \
+    file://nss-CVE-2013-5606.patch \
+    file://nss-CVE-2014-1544.patch \
+    file://nss-CVE-2014-1568.patch \
+"
+SRC_URI_append = "\
+    file://nss.pc.in \
+    file://signlibs.sh \
+"
+inherit siteinfo
+PR = "r0"
+DEPENDS = "sqlite3 nspr zlib nss-native"
+DEPENDS_class-native = "sqlite3-native nspr-native zlib-native"
+RDEPENDS_${PN} = "perl"
+
+TD = "${S}/tentative-dist"
+TDS = "${S}/tentative-dist-staging"
+
+TARGET_CC_ARCH += "${LDFLAGS}"
+
+do_compile_prepend_class-native() {
+    export NSPR_INCLUDE_DIR=${STAGING_INCDIR_NATIVE}
+    export NSPR_LIB_DIR=${STAGING_LIBDIR_NATIVE}
+}
+
+do_compile_prepend_class-nativesdk() {
+    export LDFLAGS=""
+}
+
+do_compile() {
+    export CROSS_COMPILE=1
+    export NATIVE_CC="gcc"
+    export BUILD_OPT=1
+
+    export FREEBL_NO_DEPEND=1
+    export FREEBL_LOWHASH=1
+
+    export LIBDIR=${libdir}
+    export MOZILLA_CLIENT=1
+    export NS_USE_GCC=1
+    export NSS_USE_SYSTEM_SQLITE=1
+    export NSS_ENABLE_ECC=1
+
+    export OS_RELEASE=3.4
+    export OS_TARGET=Linux
+    export OS_ARCH=Linux
+
+    if [ "${TARGET_ARCH}" = "powerpc" ]; then
+        OS_TEST=ppc
+    elif [ "${TARGET_ARCH}" = "powerpc64" ]; then
+        OS_TEST=ppc64
+    elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
+        OS_TEST=mips
+    else
+        OS_TEST="${TARGET_ARCH}"
+    fi
+
+    if [ "${SITEINFO_BITS}" = "64" ]; then
+        export USE_64=1
+    fi
+
+    make -C ./nss CCC="${CXX}" \
+        OS_TEST=${OS_TEST} \
+}
+
+
+do_install_prepend_class-nativesdk() {
+    export LDFLAGS=""
+}
+
+do_install() {
+    export CROSS_COMPILE=1
+    export NATIVE_CC="gcc"
+    export BUILD_OPT=1
+
+    export FREEBL_NO_DEPEND=1
+
+    export LIBDIR=${libdir}
+    export MOZILLA_CLIENT=1
+    export NS_USE_GCC=1
+    export NSS_USE_SYSTEM_SQLITE=1
+    export NSS_ENABLE_ECC=1
+
+    export OS_RELEASE=3.4
+    export OS_TARGET=Linux
+    export OS_ARCH=Linux
+
+    if [ "${TARGET_ARCH}" = "powerpc" ]; then
+        OS_TEST=ppc
+    elif [ "${TARGET_ARCH}" = "powerpc64" ]; then
+        OS_TEST=ppc64
+    elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
+        OS_TEST=mips
+    else
+        OS_TEST="${TARGET_ARCH}"
+    fi
+    if [ "${SITEINFO_BITS}" = "64" ]; then
+        export USE_64=1
+    fi
+
+    make -C ./nss \
+        CCC="${CXX}" \
+        OS_TEST=${OS_TEST} \
+        SOURCE_LIB_DIR="${TD}/${libdir}" \
+        SOURCE_BIN_DIR="${TD}/${bindir}" \
+        install
+
+    install -d ${D}/${libdir}/
+    for file in ${S}/dist/*.OBJ/lib/*.so; do
+        echo "Installing `basename $file`..."
+        cp $file  ${D}/${libdir}/
+    done
+
+    for shared_lib in ${TD}/${libdir}/*.so.*; do
+        if [ -f $shared_lib ]; then
+            cp $shared_lib ${D}/${libdir}
+            ln -sf $(basename $shared_lib) ${D}/${libdir}/$(basename $shared_lib .1oe)
+        fi
+    done
+    for shared_lib in ${TD}/${libdir}/*.so; do
+        if [ -f $shared_lib -a ! -e ${D}/${libdir}/$shared_lib ]; then
+            cp $shared_lib ${D}/${libdir}
+        fi
+    done
+
+    install -d ${D}/${includedir}/nss3
+    install -m 644 -t ${D}/${includedir}/nss3 dist/public/nss/*
+
+    install -d ${D}/${bindir}
+    for binary in ${TD}/${bindir}/*; do
+        install -m 755 -t ${D}/${bindir} $binary
+    done
+}
+
+do_install_append() {
+    # Create empty .chk files for the NSS libraries at build time. They could
+    # be regenerated at target's boot time.
+    for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk; do
+        touch ${D}/${libdir}/$file
+        chmod 755 ${D}/${libdir}/$file
+    done
+    install -D -m 755 ${WORKDIR}/signlibs.sh ${D}/${bindir}/signlibs.sh
+
+    install -d ${D}${libdir}/pkgconfig/
+    sed 's/%NSS_VERSION%/${PV}/' ${WORKDIR}/nss.pc.in | sed 's/%NSPR_VERSION%/4.9.2/' > ${D}${libdir}/pkgconfig/nss.pc
+    sed -i s:OEPREFIX:${prefix}:g ${D}${libdir}/pkgconfig/nss.pc
+    sed -i s:OEEXECPREFIX:${exec_prefix}:g ${D}${libdir}/pkgconfig/nss.pc
+    sed -i s:OELIBDIR:${libdir}:g ${D}${libdir}/pkgconfig/nss.pc
+    sed -i s:OEINCDIR:${includedir}/nss3:g ${D}${libdir}/pkgconfig/nss.pc
+}
+
+do_install_append_class-target() {
+    # Create a blank certificate
+    mkdir -p ${D}${sysconfdir}/pki/nssdb/
+    touch ./empty_password
+    certutil -N -d ${D}${sysconfdir}/pki/nssdb/ -f ./empty_password
+    chmod 644 ${D}${sysconfdir}/pki/nssdb/*.db
+    rm ./empty_password
+}
+
+pkg_postinst_${PN} () {
+    if [ -n "$D" ]; then
+        for I in $D/${libdir}/lib*.chk; do
+            DN=`dirname $I`
+            BN=`basename $I .chk`
+            FN=$DN/$BN.so
+            shlibsign -i $FN
+            if [ $? -ne 0 ]; then
+               exit 1
+            fi
+        done
+        exit 0
+    fi
+    signlibs.sh
+}
+
+FILES_${PN} = "\
+    ${sysconfdir} \
+    ${bindir} \
+    ${libdir}/lib*.chk \
+    ${libdir}/lib*.so \
+    "
+FILES_${PN}-dev = "\
+    ${libdir}/nss \
+    ${libdir}/pkgconfig/* \
+    ${includedir}/* \
+    "
+FILES_${PN}-dbg = "\
+    ${bindir}/.debug/* \
+    ${libdir}/.debug/* \
+    "
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-support/nss/nss_3.15.1.bb b/meta/recipes-support/nss/nss_3.15.1.bb
new file mode 100644
index 0000000000..7b06f00cde
--- /dev/null
+++ b/meta/recipes-support/nss/nss_3.15.1.bb
@@ -0,0 +1,9 @@
+require nss.inc
+
+SRC_URI += "\
+    http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_1_RTM/src/${BPN}-${PV}.tar.gz \
+"
+
+SRC_URI[md5sum] = "fb68f4d210ac9397dd0d3c39c4f938eb"
+SRC_URI[sha256sum] = "f994106a33d1f3210f4151bbb3419a1c28fd1cb545caa7dc9afdebd6da626284"
+