686 files changed, 51154 insertions, 28605 deletions
diff --git a/CLOBBER b/CLOBBER
index 12431db71..481f9e1dd 100644
--- a/CLOBBER
+++ b/CLOBBER
@@ -22,4 +22,4 @@
 # changes to stick? As of bug 928195, this shouldn't be necessary! Please
 # don't change CLOBBER for WebIDL changes any more.
 
-Clobber for updating ffvpx to 4.0.2
+Clobber for NSPR+NSS update
diff --git a/application/basilisk/installer/package-manifest.in b/application/basilisk/installer/package-manifest.in
index 35060ea5e..485bc4917 100644
--- a/application/basilisk/installer/package-manifest.in
+++ b/application/basilisk/installer/package-manifest.in
@@ -140,13 +140,6 @@
 @RESPATH@/run-mozilla.sh
 #endif
 #endif
-#ifdef XP_WIN
-#ifdef _AMD64_
-@BINPATH@/@DLL_PREFIX@qipcap64@DLL_SUFFIX@
-#else
-@BINPATH@/@DLL_PREFIX@qipcap@DLL_SUFFIX@
-#endif
-#endif
 
 ; [Components]
 #ifdef MOZ_ARTIFACT_BUILDS
diff --git a/application/palemoon/branding/shared/pref/uaoverrides.inc b/application/palemoon/branding/shared/pref/uaoverrides.inc
index b33758ea9..567956640 100644
--- a/application/palemoon/branding/shared/pref/uaoverrides.inc
+++ b/application/palemoon/branding/shared/pref/uaoverrides.inc
@@ -40,8 +40,8 @@ pref("@GUAO_PREF@.gstatic.com","Mozilla/5.0 (@OS_SLICE@ rv:31.9) @GK_SLICE@ @GRE
 pref("@GUAO_PREF@.yahoo.com","Mozilla/5.0 (@OS_SLICE@ rv:99.9) @GK_SLICE@ Firefox/99.9 (Pale Moon)");
 pref("@GUAO_PREF@.youtube.com","Mozilla/5.0 (@OS_SLICE@ rv:42.0) @GK_SLICE@ Firefox/42.0 @PM_SLICE@");
 pref("@GUAO_PREF@.gaming.youtube.com","Mozilla/5.0 (@OS_SLICE@ rv:42.0) @GK_SLICE@ Firefox/42.0");
+pref("@GUAO_PREF@.dropbox.com","Mozilla/5.0 (@OS_SLICE@ rv:99.9) @GK_SLICE@ Firefox/99.9 (Pale Moon)");
 
-pref("@GUAO_PREF@.dropbox.com","Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko");
 pref("@GUAO_PREF@.players.brightcove.net","Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko");
 
 // The never-ending Facebook debacle...
diff --git a/application/palemoon/installer/package-manifest.in b/application/palemoon/installer/package-manifest.in
index 656e60cb7..a218a3487 100644
--- a/application/palemoon/installer/package-manifest.in
+++ b/application/palemoon/installer/package-manifest.in
@@ -141,13 +141,6 @@
 @RESPATH@/run-mozilla.sh
 #endif
 #endif
-#ifdef XP_WIN
-#ifdef _AMD64_
-@BINPATH@/@DLL_PREFIX@qipcap64@DLL_SUFFIX@
-#else
-@BINPATH@/@DLL_PREFIX@qipcap@DLL_SUFFIX@
-#endif
-#endif
 
 ; [Components]
 @RESPATH@/components/*
diff --git a/build/moz.configure/old.configure b/build/moz.configure/old.configure
index f112e6bdf..59dc8b57b 100644
--- a/build/moz.configure/old.configure
+++ b/build/moz.configure/old.configure
@@ -157,7 +157,6 @@ def old_configure_options(*options):
     '--enable-accessibility',
     '--enable-address-sanitizer',
     '--enable-alsa',
-    '--enable-android-omx',
     '--enable-b2g-bt',
     '--enable-b2g-camera',
     '--enable-b2g-ril',
@@ -206,7 +205,6 @@ def old_configure_options(*options):
     '--enable-nspr-build',
     '--enable-official-branding',
     '--enable-official-vendor',
-    '--enable-omx-plugin',
     '--enable-oom-breakpoint',
     '--enable-optimize',
     '--enable-parental-controls',
diff --git a/config/milestone.txt b/config/milestone.txt
index 752d23fca..776b58af7 100644
--- a/config/milestone.txt
+++ b/config/milestone.txt
@@ -10,4 +10,4 @@
 # hardcoded milestones in the tree from these two files.
 #--------------------------------------------------------
 
-4.1.7
+4.1.8
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index ae307431d..e6fa5a200 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -1263,6 +1263,7 @@ nsDocShell::LoadURI(nsIURI* aURI,
   nsCOMPtr<nsIURI> referrer;
   nsCOMPtr<nsIURI> originalURI;
   bool loadReplace = false;
+  bool isFromProcessingFrameAttributes = false;
   nsCOMPtr<nsIInputStream> postStream;
   nsCOMPtr<nsIInputStream> headersStream;
   nsCOMPtr<nsIPrincipal> triggeringPrincipal;
@@ -1292,6 +1293,7 @@ nsDocShell::LoadURI(nsIURI* aURI,
     aLoadInfo->GetReferrer(getter_AddRefs(referrer));
     aLoadInfo->GetOriginalURI(getter_AddRefs(originalURI));
     aLoadInfo->GetLoadReplace(&loadReplace);
+    aLoadInfo->GetIsFromProcessingFrameAttributes(&isFromProcessingFrameAttributes);
     nsDocShellInfoLoadType lt = nsIDocShellLoadInfo::loadNormal;
     aLoadInfo->GetLoadType(&lt);
     // Get the appropriate loadType from nsIDocShellLoadInfo type
@@ -1571,6 +1573,7 @@ nsDocShell::LoadURI(nsIURI* aURI,
   return InternalLoad(aURI,
                       originalURI,
                       loadReplace,
+                      isFromProcessingFrameAttributes,
                       referrer,
                       referrerPolicy,
                       triggeringPrincipal,
@@ -5340,8 +5343,8 @@ nsDocShell::LoadErrorPage(nsIURI* aURI, const char16_t* aURL,
   rv = NS_NewURI(getter_AddRefs(errorPageURI), errorPageUrl);
   NS_ENSURE_SUCCESS(rv, rv);
 
-  return InternalLoad(errorPageURI, nullptr, false, nullptr,
-                      mozilla::net::RP_Default,
+  return InternalLoad(errorPageURI, nullptr, false, false,
+                      nullptr, mozilla::net::RP_Default,
                       nsContentUtils::GetSystemPrincipal(), nullptr,
                       INTERNAL_LOAD_FLAGS_NONE, EmptyString(),
                       nullptr, NullString(), nullptr, nullptr, LOAD_ERROR_PAGE,
@@ -5427,6 +5430,7 @@ nsDocShell::Reload(uint32_t aReloadFlags)
     rv = InternalLoad(currentURI,
                       originalURI,
                       loadReplace,
+                      false,           // Is from processing frame attributes
                       referrerURI,
                       referrerPolicy,
                       triggeringPrincipal,
@@ -9578,6 +9582,7 @@ class InternalLoadEvent : public Runnable
 public:
   InternalLoadEvent(nsDocShell* aDocShell, nsIURI* aURI,
                     nsIURI* aOriginalURI, bool aLoadReplace,
+                    bool aIsFromProcessingFrameAttributes,
                     nsIURI* aReferrer, uint32_t aReferrerPolicy,
                     nsIPrincipal* aTriggeringPrincipal,
                     nsIPrincipal* aPrincipalToInherit, uint32_t aFlags,
@@ -9591,6 +9596,7 @@ public:
     , mURI(aURI)
     , mOriginalURI(aOriginalURI)
     , mLoadReplace(aLoadReplace)
+    , mIsFromProcessingFrameAttributes(aIsFromProcessingFrameAttributes)
     , mReferrer(aReferrer)
     , mReferrerPolicy(aReferrerPolicy)
     , mTriggeringPrincipal(aTriggeringPrincipal)
@@ -9615,6 +9621,7 @@ public:
   {
     return mDocShell->InternalLoad(mURI, mOriginalURI,
                                    mLoadReplace,
+                                   mIsFromProcessingFrameAttributes,
                                    mReferrer,
                                    mReferrerPolicy,
                                    mTriggeringPrincipal, mPrincipalToInherit,
@@ -9635,6 +9642,7 @@ private:
   nsCOMPtr<nsIURI> mURI;
   nsCOMPtr<nsIURI> mOriginalURI;
   bool mLoadReplace;
+  bool mIsFromProcessingFrameAttributes;
   nsCOMPtr<nsIURI> mReferrer;
   uint32_t mReferrerPolicy;
   nsCOMPtr<nsIPrincipal> mTriggeringPrincipal;
@@ -9703,6 +9711,7 @@ NS_IMETHODIMP
 nsDocShell::InternalLoad(nsIURI* aURI,
                          nsIURI* aOriginalURI,
                          bool aLoadReplace,
+                         bool aIsFromProcessingFrameAttributes,
                          nsIURI* aReferrer,
                          uint32_t aReferrerPolicy,
                          nsIPrincipal* aTriggeringPrincipal,
@@ -10005,6 +10014,7 @@ nsDocShell::InternalLoad(nsIURI* aURI,
                                     INTERNAL_LOAD_FLAGS_DONT_SEND_REFERRER));
         loadInfo->SetOriginalURI(aOriginalURI);
         loadInfo->SetLoadReplace(aLoadReplace);
+        loadInfo->SetIsFromProcessingFrameAttributes(aIsFromProcessingFrameAttributes);
         loadInfo->SetTriggeringPrincipal(aTriggeringPrincipal);
         loadInfo->SetInheritPrincipal(
           aFlags & INTERNAL_LOAD_FLAGS_INHERIT_PRINCIPAL);
@@ -10053,6 +10063,7 @@ nsDocShell::InternalLoad(nsIURI* aURI,
       rv = targetDocShell->InternalLoad(aURI,
                                         aOriginalURI,
                                         aLoadReplace,
+                                        aIsFromProcessingFrameAttributes,
                                         aReferrer,
                                         aReferrerPolicy,
                                         aTriggeringPrincipal,
@@ -10135,6 +10146,7 @@ nsDocShell::InternalLoad(nsIURI* aURI,
       // Do this asynchronously
       nsCOMPtr<nsIRunnable> ev =
         new InternalLoadEvent(this, aURI, aOriginalURI, aLoadReplace,
+                              aIsFromProcessingFrameAttributes,
                               aReferrer, aReferrerPolicy,
                               aTriggeringPrincipal, principalToInherit,
                               aFlags, aTypeHint, aPostData, aHeadersData,
@@ -10661,7 +10673,8 @@ nsDocShell::InternalLoad(nsIURI* aURI,
                         nsINetworkPredictor::PREDICT_LOAD, this, nullptr);
 
   nsCOMPtr<nsIRequest> req;
-  rv = DoURILoad(aURI, aOriginalURI, aLoadReplace, loadFromExternal,
+  rv = DoURILoad(aURI, aOriginalURI, aLoadReplace, 
+                 aIsFromProcessingFrameAttributes, loadFromExternal,
                  (aFlags & INTERNAL_LOAD_FLAGS_FORCE_ALLOW_DATA_URI),
                  aReferrer,
                  !(aFlags & INTERNAL_LOAD_FLAGS_DONT_SEND_REFERRER),
@@ -10743,6 +10756,7 @@ nsresult
 nsDocShell::DoURILoad(nsIURI* aURI,
                       nsIURI* aOriginalURI,
                       bool aLoadReplace,
+                      bool aIsFromProcessingFrameAttributes,
                       bool aLoadFromExternal,
                       bool aForceAllowDataURI,
                       nsIURI* aReferrerURI,
@@ -10903,7 +10917,7 @@ nsDocShell::DoURILoad(nsIURI* aURI,
     securityFlags |= nsILoadInfo::SEC_SANDBOXED;
   }
 
-  nsCOMPtr<nsILoadInfo> loadInfo =
+  RefPtr<LoadInfo> loadInfo =
     (aContentPolicyType == nsIContentPolicy::TYPE_DOCUMENT) ?
       new LoadInfo(loadingWindow, aTriggeringPrincipal, topLevelLoadingContext,
                    securityFlags) :
@@ -10929,6 +10943,10 @@ nsDocShell::DoURILoad(nsIURI* aURI,
     return rv;
   }
 
+  if (aIsFromProcessingFrameAttributes) {
+    loadInfo->SetIsFromProcessingFrameAttributes();
+  }
+
   if (!isSrcdoc) {
     rv = NS_NewChannelInternal(getter_AddRefs(channel),
                                aURI,
@@ -12581,6 +12599,7 @@ nsDocShell::LoadHistoryEntry(nsISHEntry* aEntry, uint32_t aLoadType)
   rv = InternalLoad(uri,
                     originalURI,
                     loadReplace,
+                    false,              // Is from processing frame attributes
                     referrerURI,
                     referrerPolicy,
                     triggeringPrincipal,
@@ -14084,6 +14103,7 @@ nsDocShell::OnLinkClickSync(nsIContent* aContent,
   nsresult rv = InternalLoad(clonedURI,                 // New URI
                              nullptr,                   // Original URI
                              false,                     // LoadReplace
+                             false,                     // From frame attributes
                              referer,                   // Referer URI
                              refererPolicy,             // Referer policy
                              triggeringPrincipal,
diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h
index f510a15b0..8de3995fc 100644
--- a/docshell/base/nsDocShell.h
+++ b/docshell/base/nsDocShell.h
@@ -371,6 +371,7 @@ protected:
   nsresult DoURILoad(nsIURI* aURI,
                      nsIURI* aOriginalURI,
                      bool aLoadReplace,
+                     bool aIsFromProcessingFrameAttributes,
                      bool aLoadFromExternal,
                      bool aForceAllowDataURI,
                      nsIURI* aReferrer,
diff --git a/docshell/base/nsDocShellLoadInfo.cpp b/docshell/base/nsDocShellLoadInfo.cpp
index b00e8e360..b1a990267 100644
--- a/docshell/base/nsDocShellLoadInfo.cpp
+++ b/docshell/base/nsDocShellLoadInfo.cpp
@@ -20,6 +20,7 @@ nsDocShellLoadInfo::nsDocShellLoadInfo()
   , mReferrerPolicy(mozilla::net::RP_Default)
   , mLoadType(nsIDocShellLoadInfo::loadNormal)
   , mIsSrcdocLoad(false)
+  , mIsFromProcessingFrameAttributes(false)
 {
 }
 
@@ -310,3 +311,19 @@ nsDocShellLoadInfo::SetBaseURI(nsIURI* aBaseURI)
   mBaseURI = aBaseURI;
   return NS_OK;
 }
+
+NS_IMETHODIMP
+nsDocShellLoadInfo::GetIsFromProcessingFrameAttributes(bool* aIsFromProcessingFrameAttributes)
+{
+  NS_ENSURE_ARG_POINTER(aIsFromProcessingFrameAttributes);
+
+  *aIsFromProcessingFrameAttributes = mIsFromProcessingFrameAttributes;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsDocShellLoadInfo::SetIsFromProcessingFrameAttributes(bool aIsFromProcessingFrameAttributes)
+{
+  mIsFromProcessingFrameAttributes = aIsFromProcessingFrameAttributes;
+  return NS_OK;
+}
diff --git a/docshell/base/nsDocShellLoadInfo.h b/docshell/base/nsDocShellLoadInfo.h
index f3ddcca1e..09479683b 100644
--- a/docshell/base/nsDocShellLoadInfo.h
+++ b/docshell/base/nsDocShellLoadInfo.h
@@ -49,6 +49,10 @@ protected:
   nsString mSrcdocData;
   nsCOMPtr<nsIDocShell> mSourceDocShell;
   nsCOMPtr<nsIURI> mBaseURI;
+
+  // This will be true if this load is triggered by attribute changes.
+  // See nsILoadInfo.isFromProcessingFrameAttributes
+  bool mIsFromProcessingFrameAttributes;
 };
 
 #endif /* nsDocShellLoadInfo_h__ */
diff --git a/docshell/base/nsIDocShell.idl b/docshell/base/nsIDocShell.idl
index e34e6adfd..d205e5b0c 100644
--- a/docshell/base/nsIDocShell.idl
+++ b/docshell/base/nsIDocShell.idl
@@ -133,6 +133,10 @@ interface nsIDocShell : nsIDocShellTreeItem
    * @param aLoadReplace         - If set LOAD_REPLACE flag will be set on the
    *                               channel. aOriginalURI is null, this argument is
    *                               ignored.
+   * @param aIsFromProcessingFrameAttributes
+   *                             - If this is a load triggered by changing frame
+   *                               attributes.
+   *                               See nsILoadInfo.isFromProcessingFrameAttributes
    * @param aReferrer            - Referring URI
    * @param aReferrerPolicy      - Referrer policy
    * @param aTriggeringPrincipal - A non-null principal that initiated that load.
@@ -178,6 +182,7 @@ interface nsIDocShell : nsIDocShellTreeItem
   [noscript]void internalLoad(in nsIURI aURI,
                               in nsIURI aOriginalURI,
                               in boolean aLoadReplace,
+                              in boolean aIsFromProcessingFrameAttributes,
                               in nsIURI aReferrer,
                               in unsigned long aReferrerPolicy,
                               in nsIPrincipal aTriggeringPrincipal,
diff --git a/docshell/base/nsIDocShellLoadInfo.idl b/docshell/base/nsIDocShellLoadInfo.idl
index 8804f63a3..2f52ef0aa 100644
--- a/docshell/base/nsIDocShellLoadInfo.idl
+++ b/docshell/base/nsIDocShellLoadInfo.idl
@@ -128,4 +128,10 @@ interface nsIDocShellLoadInfo : nsISupports
      * URI as this information isn't embedded in the load's URI.
      */
     attribute nsIURI baseURI;
+
+    /**
+     * This will be true if this load is triggered by attribute changes.
+     * See nsILoadInfo.isFromProcessingFrameAttributes
+     */
+    attribute boolean isFromProcessingFrameAttributes;
 };
diff --git a/dom/base/Location.cpp b/dom/base/Location.cpp
index 7b3722f09..e312cffe0 100644
--- a/dom/base/Location.cpp
+++ b/dom/base/Location.cpp
@@ -33,6 +33,7 @@
 #include "nsCycleCollectionParticipant.h"
 #include "nsNullPrincipal.h"
 #include "ScriptSettings.h"
+#include "mozilla/Unused.h"
 #include "mozilla/dom/LocationBinding.h"
 
 namespace mozilla {
@@ -716,9 +717,15 @@ Location::SetProtocol(const nsAString& aProtocol)
     return rv;
   }
 
-  rv = uri->SetScheme(NS_ConvertUTF16toUTF8(aProtocol));
+  nsAString::const_iterator start, end;
+  aProtocol.BeginReading(start);
+  aProtocol.EndReading(end);
+  nsAString::const_iterator iter(start);
+  Unused << FindCharInReadable(':', iter, end);
+
+  rv = uri->SetScheme(NS_ConvertUTF16toUTF8(Substring(start, iter)));
   if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
+    return NS_ERROR_DOM_SYNTAX_ERR;
   }
   nsAutoCString newSpec;
   rv = uri->GetSpec(newSpec);
@@ -728,8 +735,28 @@ Location::SetProtocol(const nsAString& aProtocol)
   // We may want a new URI class for the new URI, so recreate it:
   rv = NS_NewURI(getter_AddRefs(uri), newSpec);
   if (NS_FAILED(rv)) {
+    if (rv == NS_ERROR_MALFORMED_URI) {
+      rv = NS_ERROR_DOM_SYNTAX_ERR;
+    }
     return rv;
   }
+  
+  bool isHttp;
+  rv = uri->SchemeIs("http", &isHttp);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return rv;
+  }
+
+  bool isHttps;
+  rv = uri->SchemeIs("https", &isHttps);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return rv;
+  }
+
+  if (!isHttp && !isHttps) {
+    // No-op, per spec.
+    return NS_OK;
+  }
 
   return SetURI(uri);
 }
diff --git a/dom/base/nsFrameLoader.cpp b/dom/base/nsFrameLoader.cpp
index 23067becd..2804f2d4c 100644
--- a/dom/base/nsFrameLoader.cpp
+++ b/dom/base/nsFrameLoader.cpp
@@ -588,6 +588,9 @@ nsFrameLoader::ReallyStartLoadingInternal()
     flags = nsIWebNavigation::LOAD_FLAGS_ALLOW_THIRD_PARTY_FIXUP |
             nsIWebNavigation::LOAD_FLAGS_DISALLOW_INHERIT_PRINCIPAL;
   }
+  
+  // Notify that this load resulted from attribute changes.
+  loadInfo->SetIsFromProcessingFrameAttributes(true);
 
   // Kick off the load...
   bool tmpState = mNeedsAsyncDestroy;
diff --git a/dom/canvas/CanvasRenderingContext2D.cpp b/dom/canvas/CanvasRenderingContext2D.cpp
index 18af28e9f..e3406fc02 100644
--- a/dom/canvas/CanvasRenderingContext2D.cpp
+++ b/dom/canvas/CanvasRenderingContext2D.cpp
@@ -783,6 +783,15 @@ public:
   : mCanvas(aCanvas)
   {}
 
+  void OnShutdown() {
+    if(!mCanvas) {
+      return;
+    }
+    
+    mCanvas = nullptr;
+    nsContentUtils::UnregisterShutdownObserver(this);
+  }
+  
   NS_DECL_ISUPPORTS
   NS_DECL_NSIOBSERVER
 private:
@@ -800,7 +809,7 @@ CanvasShutdownObserver::Observe(nsISupports* aSubject,
 {
   if (mCanvas && strcmp(aTopic, NS_XPCOM_SHUTDOWN_OBSERVER_ID) == 0) {
     mCanvas->OnShutdown();
-    nsContentUtils::UnregisterShutdownObserver(this);
+    OnShutdown();
   }
 
   return NS_OK;
@@ -1218,7 +1227,7 @@ void
 CanvasRenderingContext2D::RemoveShutdownObserver()
 {
   if (mShutdownObserver) {
-    nsContentUtils::UnregisterShutdownObserver(mShutdownObserver);
+    mShutdownObserver->OnShutdown();
     mShutdownObserver = nullptr;
   }
 }
diff --git a/dom/crypto/WebCryptoTask.cpp b/dom/crypto/WebCryptoTask.cpp
index c4cc7080d..e5f5882e9 100644
--- a/dom/crypto/WebCryptoTask.cpp
+++ b/dom/crypto/WebCryptoTask.cpp
@@ -584,7 +584,7 @@ public:
 
       mMechanism = CKM_AES_CBC_PAD;
       telemetryAlg = TA_AES_CBC;
-      AesCbcParams params;
+      RootedDictionary<AesCbcParams> params(aCx);
       nsresult rv = Coerce(aCx, params, aAlgorithm);
       if (NS_FAILED(rv)) {
         mEarlyRv = NS_ERROR_DOM_INVALID_ACCESS_ERR;
@@ -601,7 +601,7 @@ public:
 
       mMechanism = CKM_AES_CTR;
       telemetryAlg = TA_AES_CTR;
-      AesCtrParams params;
+      RootedDictionary<AesCtrParams> params(aCx);
       nsresult rv = Coerce(aCx, params, aAlgorithm);
       if (NS_FAILED(rv)) {
         mEarlyRv = NS_ERROR_DOM_SYNTAX_ERR;
@@ -620,7 +620,7 @@ public:
 
       mMechanism = CKM_AES_GCM;
       telemetryAlg = TA_AES_GCM;
-      AesGcmParams params;
+      RootedDictionary<AesGcmParams> params(aCx);
       nsresult rv = Coerce(aCx, params, aAlgorithm);
       if (NS_FAILED(rv)) {
         mEarlyRv = NS_ERROR_DOM_SYNTAX_ERR;
diff --git a/dom/html/HTMLOptionsCollection.cpp b/dom/html/HTMLOptionsCollection.cpp
index 294493c0c..67de97fc4 100644
--- a/dom/html/HTMLOptionsCollection.cpp
+++ b/dom/html/HTMLOptionsCollection.cpp
@@ -35,23 +35,8 @@ namespace mozilla {
 namespace dom {
 
 HTMLOptionsCollection::HTMLOptionsCollection(HTMLSelectElement* aSelect)
-{
-  // Do not maintain a reference counted reference. When
-  // the select goes away, it will let us know.
-  mSelect = aSelect;
-}
-
-HTMLOptionsCollection::~HTMLOptionsCollection()
-{
-  DropReference();
-}
-
-void
-HTMLOptionsCollection::DropReference()
-{
-  // Drop our (non ref-counted) reference
-  mSelect = nullptr;
-}
+  : mSelect(aSelect)
+{}
 
 nsresult
 HTMLOptionsCollection::GetOptionIndex(Element* aOption,
@@ -88,7 +73,9 @@ HTMLOptionsCollection::GetOptionIndex(Element* aOption,
 }
 
 
-NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE(HTMLOptionsCollection, mElements)
+NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE(HTMLOptionsCollection,
+                                      mElements,
+                                      mSelect)
 
 // nsISupports
 
@@ -124,10 +111,6 @@ HTMLOptionsCollection::GetLength(uint32_t* aLength)
 NS_IMETHODIMP
 HTMLOptionsCollection::SetLength(uint32_t aLength)
 {
-  if (!mSelect) {
-    return NS_ERROR_UNEXPECTED;
-  }
-
   return mSelect->SetLength(aLength);
 }
 
@@ -135,10 +118,6 @@ NS_IMETHODIMP
 HTMLOptionsCollection::SetOption(uint32_t aIndex,
                                  nsIDOMHTMLOptionElement* aOption)
 {
-  if (!mSelect) {
-    return NS_OK;
-  }
-
   // if the new option is null, just remove this option.  Note that it's safe
   // to pass a too-large aIndex in here.
   if (!aOption) {
@@ -187,11 +166,6 @@ HTMLOptionsCollection::SetOption(uint32_t aIndex,
 int32_t
 HTMLOptionsCollection::GetSelectedIndex(ErrorResult& aError)
 {
-  if (!mSelect) {
-    aError.Throw(NS_ERROR_UNEXPECTED);
-    return 0;
-  }
-
   int32_t selectedIndex;
   aError = mSelect->GetSelectedIndex(&selectedIndex);
   return selectedIndex;
@@ -209,11 +183,6 @@ void
 HTMLOptionsCollection::SetSelectedIndex(int32_t aSelectedIndex,
                                         ErrorResult& aError)
 {
-  if (!mSelect) {
-    aError.Throw(NS_ERROR_UNEXPECTED);
-    return;
-  }
-
   aError = mSelect->SetSelectedIndex(aSelectedIndex);
 }
 
@@ -339,22 +308,12 @@ HTMLOptionsCollection::Add(const HTMLOptionOrOptGroupElement& aElement,
                            const Nullable<HTMLElementOrLong>& aBefore,
                            ErrorResult& aError)
 {
-  if (!mSelect) {
-    aError.Throw(NS_ERROR_NOT_INITIALIZED);
-    return;
-  }
-
   mSelect->Add(aElement, aBefore, aError);
 }
 
 void
 HTMLOptionsCollection::Remove(int32_t aIndex, ErrorResult& aError)
 {
-  if (!mSelect) {
-    aError.Throw(NS_ERROR_UNEXPECTED);
-    return;
-  }
-
   uint32_t len = 0;
   mSelect->GetLength(&len);
   if (aIndex < 0 || (uint32_t)aIndex >= len)
diff --git a/dom/html/HTMLOptionsCollection.h b/dom/html/HTMLOptionsCollection.h
index 21123b3d2..496919555 100644
--- a/dom/html/HTMLOptionsCollection.h
+++ b/dom/html/HTMLOptionsCollection.h
@@ -46,7 +46,7 @@ public:
   using nsWrapperCache::GetWrapper;
   virtual JSObject* WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto) override;
 protected:
-  virtual ~HTMLOptionsCollection();
+  virtual ~HTMLOptionsCollection() = default;
 
   virtual JSObject* GetWrapperPreserveColorInternal() override
   {
@@ -113,11 +113,6 @@ public:
   }
 
   /**
-   * Drop the reference to the select.  Called during select destruction.
-   */
-  void DropReference();
-
-  /**
    * Finds the index of a given option element.
    * If the option isn't part of the collection, return NS_ERROR_FAILURE
    * without setting aIndex.
@@ -161,7 +156,7 @@ private:
    * various members such as InsertOptionAt are also infallible. */
   nsTArray<RefPtr<mozilla::dom::HTMLOptionElement> > mElements;
   /** The select element that contains this array */
-  HTMLSelectElement* mSelect;
+  RefPtr<HTMLSelectElement> mSelect;
 };
 
 } // namespace dom
diff --git a/dom/html/HTMLSelectElement.cpp b/dom/html/HTMLSelectElement.cpp
index 53f42317a..9ba0a1efe 100644
--- a/dom/html/HTMLSelectElement.cpp
+++ b/dom/html/HTMLSelectElement.cpp
@@ -130,11 +130,6 @@ HTMLSelectElement::HTMLSelectElement(already_AddRefed<mozilla::dom::NodeInfo>& a
                     NS_EVENT_STATE_VALID);
 }
 
-HTMLSelectElement::~HTMLSelectElement()
-{
-  mOptions->DropReference();
-}
-
 // ISupports
 
 NS_IMPL_CYCLE_COLLECTION_CLASS(HTMLSelectElement)
diff --git a/dom/html/HTMLSelectElement.h b/dom/html/HTMLSelectElement.h
index 8a25385de..dc1075cd7 100644
--- a/dom/html/HTMLSelectElement.h
+++ b/dom/html/HTMLSelectElement.h
@@ -436,7 +436,7 @@ public:
   void SetOpenInParentProcess(bool aVal);
 
 protected:
-  virtual ~HTMLSelectElement();
+  virtual ~HTMLSelectElement() = default;
 
   friend class SafeOptionListMutation;
 
diff --git a/dom/html/TextTrackManager.cpp b/dom/html/TextTrackManager.cpp
index 4266575f7..cc14858b6 100644
--- a/dom/html/TextTrackManager.cpp
+++ b/dom/html/TextTrackManager.cpp
@@ -29,6 +29,13 @@ namespace dom {
 
 NS_IMPL_ISUPPORTS(TextTrackManager::ShutdownObserverProxy, nsIObserver);
 
+void
+TextTrackManager::ShutdownObserverProxy::Unregister()
+{
+  nsContentUtils::UnregisterShutdownObserver(this);
+  mManager = nullptr;
+}
+
 CompareTextTracks::CompareTextTracks(HTMLMediaElement* aMediaElement)
 {
   mMediaElement = aMediaElement;
@@ -137,7 +144,7 @@ TextTrackManager::TextTrackManager(HTMLMediaElement *aMediaElement)
 TextTrackManager::~TextTrackManager()
 {
   WEBVTT_LOG("%p ~TextTrackManager",this);
-  nsContentUtils::UnregisterShutdownObserver(mShutdownProxy);
+  mShutdownProxy->Unregister();
 }
 
 TextTrackList*
diff --git a/dom/html/TextTrackManager.h b/dom/html/TextTrackManager.h
index d20707346..4ad1a57a7 100644
--- a/dom/html/TextTrackManager.h
+++ b/dom/html/TextTrackManager.h
@@ -170,11 +170,15 @@ private:
     {
       MOZ_ASSERT(NS_IsMainThread());
       if (strcmp(aTopic, NS_XPCOM_SHUTDOWN_OBSERVER_ID) == 0) {
-        nsContentUtils::UnregisterShutdownObserver(this);
-        mManager->NotifyShutdown();
+        if (mManager) {
+          mManager->NotifyShutdown();
+        }
+        Unregister();
       }
       return NS_OK;
     }
+    
+    void Unregister();
 
   private:
     ~ShutdownObserverProxy() {};
diff --git a/dom/media/DecoderTraits.cpp b/dom/media/DecoderTraits.cpp
index 477ecf358..f8cb4fd0e 100644
--- a/dom/media/DecoderTraits.cpp
+++ b/dom/media/DecoderTraits.cpp
@@ -18,11 +18,6 @@
 #include "WebMDecoder.h"
 #include "WebMDemuxer.h"
 
-#ifdef MOZ_ANDROID_OMX
-#include "AndroidMediaDecoder.h"
-#include "AndroidMediaReader.h"
-#include "AndroidMediaPluginHost.h"
-#endif
 #ifdef MOZ_FMP4
 #include "MP4Decoder.h"
 #include "MP4Demuxer.h"
@@ -106,21 +101,6 @@ IsHttpLiveStreamingType(const nsACString& aType)
   return CodecListContains(gHttpLiveStreamingTypes, aType);
 }
 
-#ifdef MOZ_ANDROID_OMX
-static bool
-IsAndroidMediaType(const nsACString& aType)
-{
-  if (!MediaDecoder::IsAndroidMediaPluginEnabled()) {
-    return false;
-  }
-
-  static const char* supportedTypes[] = {
-    "audio/mpeg", "audio/mp4", "video/mp4", "video/x-m4v", nullptr
-  };
-  return CodecListContains(supportedTypes, aType);
-}
-#endif
-
 #ifdef MOZ_FMP4
 static bool
 IsMP4SupportedType(const MediaContentType& aParsedType,
@@ -235,11 +215,6 @@ CanHandleCodecsType(const MediaContentType& aType,
   if (IsFlacSupportedType(aType.GetMIMEType(), aType.GetCodecs())) {
     return CANPLAY_YES;
   }
-#ifdef MOZ_ANDROID_OMX
-  if (MediaDecoder::IsAndroidMediaPluginEnabled()) {
-    EnsureAndroidMediaPluginHost()->FindDecoder(aType.GetMIMEType(), &codecList);
-  }
-#endif
   if (!codecList) {
     return CANPLAY_MAYBE;
   }
@@ -305,12 +280,6 @@ CanHandleMediaType(const MediaContentType& aType,
   if (IsFlacSupportedType(aType.GetMIMEType())) {
     return CANPLAY_MAYBE;
   }
-#ifdef MOZ_ANDROID_OMX
-  if (MediaDecoder::IsAndroidMediaPluginEnabled() &&
-      EnsureAndroidMediaPluginHost()->FindDecoder(aType.GetMIMEType(), nullptr)) {
-    return CANPLAY_MAYBE;
-  }
-#endif
   return CANPLAY_NO;
 }
 
@@ -391,13 +360,6 @@ InstantiateDecoder(const nsACString& aType,
     decoder = new FlacDecoder(aOwner);
     return decoder.forget();
   }
-#ifdef MOZ_ANDROID_OMX
-  if (MediaDecoder::IsAndroidMediaPluginEnabled() &&
-      EnsureAndroidMediaPluginHost()->FindDecoder(aType, nullptr)) {
-    decoder = new AndroidMediaDecoder(aOwner, aType);
-    return decoder.forget();
-  }
-#endif
 
   if (IsWebMSupportedType(aType)) {
     decoder = new WebMDecoder(aOwner);
@@ -446,12 +408,6 @@ MediaDecoderReader* DecoderTraits::CreateReader(const nsACString& aType, Abstrac
   if (IsOggSupportedType(aType)) {
     decoderReader = new MediaFormatReader(aDecoder, new OggDemuxer(aDecoder->GetResource()));
   } else
-#ifdef MOZ_ANDROID_OMX
-  if (MediaDecoder::IsAndroidMediaPluginEnabled() &&
-      EnsureAndroidMediaPluginHost()->FindDecoder(aType, nullptr)) {
-    decoderReader = new AndroidMediaReader(aDecoder, aType);
-  } else
-#endif
   if (IsWebMSupportedType(aType)) {
     decoderReader =
       new MediaFormatReader(aDecoder, new WebMDemuxer(aDecoder->GetResource()));
@@ -474,9 +430,6 @@ bool DecoderTraits::IsSupportedInVideoDocument(const nsACString& aType)
   return
     IsOggSupportedType(aType) ||
     IsWebMSupportedType(aType) ||
-#ifdef MOZ_ANDROID_OMX
-    (MediaDecoder::IsAndroidMediaPluginEnabled() && IsAndroidMediaType(aType)) ||
-#endif
 #ifdef MOZ_FMP4
     IsMP4SupportedType(aType, /* DecoderDoctorDiagnostics* */ nullptr) ||
 #endif
diff --git a/dom/media/MediaDecoder.cpp b/dom/media/MediaDecoder.cpp
index d027818de..cf2266bf6 100644
--- a/dom/media/MediaDecoder.cpp
+++ b/dom/media/MediaDecoder.cpp
@@ -35,10 +35,6 @@
 #include "Layers.h"
 #include "mozilla/layers/ShadowLayers.h"
 
-#ifdef MOZ_ANDROID_OMX
-#include "AndroidBridge.h"
-#endif
-
 using namespace mozilla::dom;
 using namespace mozilla::layers;
 using namespace mozilla::media;
@@ -1617,16 +1613,6 @@ MediaDecoder::IsWebMEnabled()
   return Preferences::GetBool("media.webm.enabled");
 }
 
-#ifdef MOZ_ANDROID_OMX
-bool
-MediaDecoder::IsAndroidMediaPluginEnabled()
-{
-  return AndroidBridge::Bridge() &&
-         AndroidBridge::Bridge()->GetAPIVersion() < 16 &&
-         Preferences::GetBool("media.plugins.enabled");
-}
-#endif
-
 NS_IMETHODIMP
 MediaMemoryTracker::CollectReports(nsIHandleReportCallback* aHandleReport,
                                    nsISupports* aData, bool aAnonymize)
diff --git a/dom/media/MediaDecoder.h b/dom/media/MediaDecoder.h
index a4edcbe72..7e93de044 100644
--- a/dom/media/MediaDecoder.h
+++ b/dom/media/MediaDecoder.h
@@ -447,10 +447,6 @@ private:
   static bool IsWaveEnabled();
   static bool IsWebMEnabled();
 
-#ifdef MOZ_ANDROID_OMX
-  static bool IsAndroidMediaPluginEnabled();
-#endif
-
 #ifdef MOZ_WMF
   static bool IsWMFEnabled();
 #endif
diff --git a/dom/media/android/AndroidMediaDecoder.cpp b/dom/media/android/AndroidMediaDecoder.cpp
deleted file mode 100644
index 41ef3fcb0..000000000
--- a/dom/media/android/AndroidMediaDecoder.cpp
+++ /dev/null
@@ -1,25 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "MediaDecoderStateMachine.h"
-#include "AndroidMediaDecoder.h"
-#include "AndroidMediaReader.h"
-
-namespace mozilla {
-
-AndroidMediaDecoder::AndroidMediaDecoder(MediaDecoderOwner* aOwner,
-                                         const nsACString& aType)
-  : MediaDecoder(aOwner), mType(aType)
-{
-}
-
-MediaDecoderStateMachine* AndroidMediaDecoder::CreateStateMachine()
-{
-  return new MediaDecoderStateMachine(this, new AndroidMediaReader(this, mType));
-}
-
-} // namespace mozilla
-
diff --git a/dom/media/android/AndroidMediaDecoder.h b/dom/media/android/AndroidMediaDecoder.h
deleted file mode 100644
index 88b5a243f..000000000
--- a/dom/media/android/AndroidMediaDecoder.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#if !defined(AndroidMediaDecoder_h_)
-#define AndroidMediaDecoder_h_
-
-#include "MediaDecoder.h"
-#include "AndroidMediaDecoder.h"
-
-namespace mozilla {
-
-class AndroidMediaDecoder : public MediaDecoder
-{
-  nsCString mType;
-public:
-  AndroidMediaDecoder(MediaDecoderOwner* aOwner, const nsACString& aType);
-
-  MediaDecoder* Clone(MediaDecoderOwner* aOwner) override {
-    return new AndroidMediaDecoder(aOwner, mType);
-  }
-  MediaDecoderStateMachine* CreateStateMachine() override;
-};
-
-} // namespace mozilla
-
-#endif
diff --git a/dom/media/android/AndroidMediaPluginHost.cpp b/dom/media/android/AndroidMediaPluginHost.cpp
deleted file mode 100644
index d4c4fc59e..000000000
--- a/dom/media/android/AndroidMediaPluginHost.cpp
+++ /dev/null
@@ -1,305 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "mozilla/Preferences.h"
-#include "MediaResource.h"
-#include "mozilla/dom/HTMLMediaElement.h"
-#include "mozilla/Services.h"
-#include "AndroidMediaPluginHost.h"
-#include "nsAutoPtr.h"
-#include "nsXPCOMStrings.h"
-#include "nsISeekableStream.h"
-#include "nsIGfxInfo.h"
-#include "prmem.h"
-#include "prlink.h"
-#include "AndroidMediaResourceServer.h"
-#include "nsServiceManagerUtils.h"
-
-#include "MPAPI.h"
-
-#include "nsIPropertyBag2.h"
-
-#if defined(ANDROID)
-#include "android/log.h"
-#define ALOG(args...)  __android_log_print(ANDROID_LOG_INFO, "AndroidMediaPluginHost" , ## args)
-#else
-#define ALOG(args...) /* do nothing */
-#endif
-
-using namespace MPAPI;
-
-Decoder::Decoder() :
-  mResource(nullptr), mPrivate(nullptr)
-{
-}
-
-namespace mozilla {
-
-static char* GetResource(Decoder *aDecoder)
-{
-  return static_cast<char*>(aDecoder->mResource);
-}
-
-class GetIntPrefEvent : public Runnable {
-public:
-  GetIntPrefEvent(const char* aPref, int32_t* aResult)
-    : mPref(aPref), mResult(aResult) {}
-  NS_IMETHOD Run() override {
-    return Preferences::GetInt(mPref, mResult);
-  }
-private:
-  const char* mPref;
-  int32_t*    mResult;
-};
-
-static bool GetIntPref(const char* aPref, int32_t* aResult)
-{
-  // GetIntPref() is called on the decoder thread, but the Preferences API
-  // can only be called on the main thread. Post a runnable and wait.
-  NS_ENSURE_TRUE(aPref, false);
-  NS_ENSURE_TRUE(aResult, false);
-  nsCOMPtr<nsIRunnable> event = new GetIntPrefEvent(aPref, aResult);
-  return NS_SUCCEEDED(NS_DispatchToMainThread(event, NS_DISPATCH_SYNC));
-}
-
-static bool
-GetSystemInfoString(const char *aKey, char *aResult, size_t aResultLength)
-{
-  NS_ENSURE_TRUE(aKey, false);
-  NS_ENSURE_TRUE(aResult, false);
-
-  nsCOMPtr<nsIPropertyBag2> infoService = do_GetService("@mozilla.org/system-info;1");
-  NS_ASSERTION(infoService, "Could not find a system info service");
-
-  nsAutoCString key(aKey);
-  nsAutoCString info;
-  nsresult rv = infoService->GetPropertyAsACString(NS_ConvertUTF8toUTF16(key),
-                                                  info);
-
-  NS_ENSURE_SUCCESS(rv, false);
-
-  strncpy(aResult, info.get(), aResultLength);
-
-  return true;
-}
-
-static PluginHost sPluginHost = {
-  nullptr,
-  nullptr,
-  nullptr,
-  nullptr,
-  GetIntPref,
-  GetSystemInfoString
-};
-
-// Return true if Omx decoding is supported on the device. This checks the
-// built in whitelist/blacklist and preferences to see if that is overridden.
-static bool IsOmxSupported()
-{
-  bool forceEnabled =
-      Preferences::GetBool("stagefright.force-enabled", false);
-  bool disabled =
-      Preferences::GetBool("stagefright.disabled", false);
-
-  if (disabled) {
-    NS_WARNING("XXX stagefright disabled\n");
-    return false;
-  }
-
-  if (!forceEnabled) {
-    nsCOMPtr<nsIGfxInfo> gfxInfo = services::GetGfxInfo();
-    if (gfxInfo) {
-      int32_t status;
-      nsCString discardFailure;
-      if (NS_SUCCEEDED(gfxInfo->GetFeatureStatus(nsIGfxInfo::FEATURE_STAGEFRIGHT, discardFailure, &status))) {
-        if (status != nsIGfxInfo::FEATURE_STATUS_OK) {
-          NS_WARNING("XXX stagefright blacklisted\n");
-          return false;
-        }
-      }
-    }
-  }
-
-  return true;
-}
-
-// Return the name of the shared library that implements Omx based decoding. This varies
-// depending on libstagefright version installed on the device and whether it is B2G vs Android.
-// nullptr is returned if Omx decoding is not supported on the device,
-static const char* GetOmxLibraryName()
-{
-#if defined(ANDROID)
-  nsCOMPtr<nsIPropertyBag2> infoService = do_GetService("@mozilla.org/system-info;1");
-  NS_ASSERTION(infoService, "Could not find a system info service");
-
-  int32_t version;
-  nsresult rv = infoService->GetPropertyAsInt32(NS_LITERAL_STRING("version"), &version);
-  if (NS_SUCCEEDED(rv)) {
-    ALOG("Android Version is: %d", version);
-  }
-
-  nsAutoString release_version;
-  rv = infoService->GetPropertyAsAString(NS_LITERAL_STRING("release_version"), release_version);
-  if (NS_SUCCEEDED(rv)) {
-    ALOG("Android Release Version is: %s", NS_LossyConvertUTF16toASCII(release_version).get());
-  }
-
-  nsAutoString device;
-  rv = infoService->GetPropertyAsAString(NS_LITERAL_STRING("device"), device);
-  if (NS_SUCCEEDED(rv)) {
-    ALOG("Android Device is: %s", NS_LossyConvertUTF16toASCII(device).get());
-  }
-
-  nsAutoString manufacturer;
-  rv = infoService->GetPropertyAsAString(NS_LITERAL_STRING("manufacturer"), manufacturer);
-  if (NS_SUCCEEDED(rv)) {
-    ALOG("Android Manufacturer is: %s", NS_LossyConvertUTF16toASCII(manufacturer).get());
-  }
-
-  nsAutoString hardware;
-  rv = infoService->GetPropertyAsAString(NS_LITERAL_STRING("hardware"), hardware);
-  if (NS_SUCCEEDED(rv)) {
-    ALOG("Android Hardware is: %s", NS_LossyConvertUTF16toASCII(hardware).get());
-  }
-#endif
-
-  if (!IsOmxSupported())
-    return nullptr;
-
-#if defined(ANDROID)
-  if (version >= 17) {
-    return "libomxpluginkk.so";
-  }
-
-  // Ice Cream Sandwich and Jellybean
-  return "libomxplugin.so";
-
-#else
-  return nullptr;
-#endif
-}
-
-AndroidMediaPluginHost::AndroidMediaPluginHost() {
-  MOZ_COUNT_CTOR(AndroidMediaPluginHost);
-  MOZ_ASSERT(NS_IsMainThread());
-
-  mResourceServer = AndroidMediaResourceServer::Start();
-
-  const char* name = GetOmxLibraryName();
-  ALOG("Loading OMX Plugin: %s", name ? name : "nullptr");
-  if (name) {
-    char *path = PR_GetLibraryFilePathname("libxul.so", (PRFuncPtr) GetOmxLibraryName);
-    PRLibrary *lib = nullptr;
-    if (path) {
-      nsAutoCString libpath(path);
-      PR_Free(path);
-      int32_t slash = libpath.RFindChar('/');
-      if (slash != kNotFound) {
-        libpath.Truncate(slash + 1);
-        libpath.Append(name);
-        lib = PR_LoadLibrary(libpath.get());
-      }
-    }
-    if (!lib)
-      lib = PR_LoadLibrary(name);
-
-    if (lib) {
-      Manifest *manifest = static_cast<Manifest *>(PR_FindSymbol(lib, "MPAPI_MANIFEST"));
-      if (manifest) {
-        mPlugins.AppendElement(manifest);
-        ALOG("OMX plugin successfully loaded");
-     }
-    }
-  }
-}
-
-AndroidMediaPluginHost::~AndroidMediaPluginHost() {
-  mResourceServer->Stop();
-  MOZ_COUNT_DTOR(AndroidMediaPluginHost);
-}
-
-bool AndroidMediaPluginHost::FindDecoder(const nsACString& aMimeType, const char* const** aCodecs)
-{
-  const char *chars;
-  size_t len = NS_CStringGetData(aMimeType, &chars, nullptr);
-  for (size_t n = 0; n < mPlugins.Length(); ++n) {
-    Manifest *plugin = mPlugins[n];
-    const char* const *codecs;
-    if (plugin->CanDecode(chars, len, &codecs)) {
-      if (aCodecs)
-        *aCodecs = codecs;
-      return true;
-    }
-  }
-  return false;
-}
-
-MPAPI::Decoder *AndroidMediaPluginHost::CreateDecoder(MediaResource *aResource, const nsACString& aMimeType)
-{
-  NS_ENSURE_TRUE(aResource, nullptr);
-
-  nsAutoPtr<Decoder> decoder(new Decoder());
-  if (!decoder) {
-    return nullptr;
-  }
-
-  const char *chars;
-  size_t len = NS_CStringGetData(aMimeType, &chars, nullptr);
-  for (size_t n = 0; n < mPlugins.Length(); ++n) {
-    Manifest *plugin = mPlugins[n];
-    const char* const *codecs;
-    if (!plugin->CanDecode(chars, len, &codecs)) {
-      continue;
-    }
-
-    nsCString url;
-    nsresult rv = mResourceServer->AddResource(aResource, url);
-    if (NS_FAILED (rv)) continue;
-
-    decoder->mResource = strdup(url.get());
-    if (plugin->CreateDecoder(&sPluginHost, decoder, chars, len)) {
-      return decoder.forget();
-    }
-  }
-
-  return nullptr;
-}
-
-void AndroidMediaPluginHost::DestroyDecoder(Decoder *aDecoder)
-{
-  aDecoder->DestroyDecoder(aDecoder);
-  char* resource = GetResource(aDecoder);
-  if (resource) {
-    // resource *shouldn't* be null, but check anyway just in case the plugin
-    // decoder does something stupid.
-    mResourceServer->RemoveResource(nsCString(resource));
-    free(resource);
-  }
-  delete aDecoder;
-}
-
-AndroidMediaPluginHost *sAndroidMediaPluginHost = nullptr;
-AndroidMediaPluginHost *EnsureAndroidMediaPluginHost()
-{
-  MOZ_DIAGNOSTIC_ASSERT(NS_IsMainThread());
-  if (!sAndroidMediaPluginHost) {
-    sAndroidMediaPluginHost = new AndroidMediaPluginHost();
-  }
-  return sAndroidMediaPluginHost;
-}
-
-AndroidMediaPluginHost *GetAndroidMediaPluginHost()
-{
-  MOZ_ASSERT(sAndroidMediaPluginHost);
-  return sAndroidMediaPluginHost;
-}
-
-void AndroidMediaPluginHost::Shutdown()
-{
-  delete sAndroidMediaPluginHost;
-  sAndroidMediaPluginHost = nullptr;
-}
-
-} // namespace mozilla
diff --git a/dom/media/android/AndroidMediaPluginHost.h b/dom/media/android/AndroidMediaPluginHost.h
deleted file mode 100644
index 854b7f21e..000000000
--- a/dom/media/android/AndroidMediaPluginHost.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#if !defined(AndroidMediaPluginHost_h_)
-#define AndroidMediaPluginHost_h_
-
-#include "nsTArray.h"
-#include "MediaResource.h"
-#include "MPAPI.h"
-#include "AndroidMediaResourceServer.h"
-
-namespace mozilla {
-
-class AndroidMediaPluginHost {
-  RefPtr<AndroidMediaResourceServer> mResourceServer;
-  nsTArray<MPAPI::Manifest *> mPlugins;
-
-  MPAPI::Manifest *FindPlugin(const nsACString& aMimeType);
-public:
-  AndroidMediaPluginHost();
-  ~AndroidMediaPluginHost();
-
-  static void Shutdown();
-
-  bool FindDecoder(const nsACString& aMimeType, const char* const** aCodecs);
-  MPAPI::Decoder *CreateDecoder(mozilla::MediaResource *aResource, const nsACString& aMimeType);
-  void DestroyDecoder(MPAPI::Decoder *aDecoder);
-};
-
-// Must be called on the main thread. Creates the plugin host if it doesn't
-// already exist.
-AndroidMediaPluginHost *EnsureAndroidMediaPluginHost();
-
-// May be called on any thread after EnsureAndroidMediaPluginHost has been called.
-AndroidMediaPluginHost *GetAndroidMediaPluginHost();
-
-} // namespace mozilla
-
-#endif
diff --git a/dom/media/android/AndroidMediaReader.cpp b/dom/media/android/AndroidMediaReader.cpp
deleted file mode 100644
index 12afacbc9..000000000
--- a/dom/media/android/AndroidMediaReader.cpp
+++ /dev/null
@@ -1,449 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "AndroidMediaReader.h"
-#include "mozilla/TimeStamp.h"
-#include "mozilla/gfx/Point.h"
-#include "MediaResource.h"
-#include "VideoUtils.h"
-#include "AndroidMediaDecoder.h"
-#include "AndroidMediaPluginHost.h"
-#include "MediaDecoderStateMachine.h"
-#include "ImageContainer.h"
-#include "AbstractMediaDecoder.h"
-#include "gfx2DGlue.h"
-#include "VideoFrameContainer.h"
-#include "mozilla/CheckedInt.h"
-
-namespace mozilla {
-
-using namespace mozilla::gfx;
-using namespace mozilla::media;
-
-typedef mozilla::layers::Image Image;
-typedef mozilla::layers::PlanarYCbCrImage PlanarYCbCrImage;
-
-AndroidMediaReader::AndroidMediaReader(AbstractMediaDecoder *aDecoder,
-                                       const nsACString& aContentType) :
-  MediaDecoderReader(aDecoder),
-  mType(aContentType),
-  mPlugin(nullptr),
-  mHasAudio(false),
-  mHasVideo(false),
-  mVideoSeekTimeUs(-1),
-  mAudioSeekTimeUs(-1)
-{
-}
-
-nsresult AndroidMediaReader::ReadMetadata(MediaInfo* aInfo,
-                                          MetadataTags** aTags)
-{
-  MOZ_ASSERT(OnTaskQueue());
-
-  if (!mPlugin) {
-    mPlugin = GetAndroidMediaPluginHost()->CreateDecoder(mDecoder->GetResource(), mType);
-    if (!mPlugin) {
-      return NS_ERROR_FAILURE;
-    }
-  }
-
-  // Set the total duration (the max of the audio and video track).
-  int64_t durationUs;
-  mPlugin->GetDuration(mPlugin, &durationUs);
-  if (durationUs) {
-    mInfo.mMetadataDuration.emplace(TimeUnit::FromMicroseconds(durationUs));
-  }
-
-  if (mPlugin->HasVideo(mPlugin)) {
-    int32_t width, height;
-    mPlugin->GetVideoParameters(mPlugin, &width, &height);
-    nsIntRect pictureRect(0, 0, width, height);
-
-    // Validate the container-reported frame and pictureRect sizes. This ensures
-    // that our video frame creation code doesn't overflow.
-    nsIntSize displaySize(width, height);
-    nsIntSize frameSize(width, height);
-    if (!IsValidVideoRegion(frameSize, pictureRect, displaySize)) {
-      return NS_ERROR_FAILURE;
-    }
-
-    // Video track's frame sizes will not overflow. Activate the video track.
-    mHasVideo = true;
-    mInfo.mVideo.mDisplay = displaySize;
-    mPicture = pictureRect;
-    mInitialFrame = frameSize;
-    VideoFrameContainer* container = mDecoder->GetVideoFrameContainer();
-    if (container) {
-      container->ClearCurrentFrame(IntSize(displaySize.width, displaySize.height));
-    }
-  }
-
-  if (mPlugin->HasAudio(mPlugin)) {
-    int32_t numChannels, sampleRate;
-    mPlugin->GetAudioParameters(mPlugin, &numChannels, &sampleRate);
-    mHasAudio = true;
-    mInfo.mAudio.mChannels = numChannels;
-    mInfo.mAudio.mRate = sampleRate;
-  }
-
- *aInfo = mInfo;
- *aTags = nullptr;
-  return NS_OK;
-}
-
-RefPtr<ShutdownPromise>
-AndroidMediaReader::Shutdown()
-{
-  ResetDecode();
-  if (mPlugin) {
-    GetAndroidMediaPluginHost()->DestroyDecoder(mPlugin);
-    mPlugin = nullptr;
-  }
-
-  return MediaDecoderReader::Shutdown();
-}
-
-// Resets all state related to decoding, emptying all buffers etc.
-nsresult AndroidMediaReader::ResetDecode(TrackSet aTracks)
-{
-  if (mLastVideoFrame) {
-    mLastVideoFrame = nullptr;
-  }
-  mSeekRequest.DisconnectIfExists();
-  mSeekPromise.RejectIfExists(NS_OK, __func__);
-  return MediaDecoderReader::ResetDecode(aTracks);
-}
-
-bool AndroidMediaReader::DecodeVideoFrame(bool &aKeyframeSkip,
-                                          int64_t aTimeThreshold)
-{
-  // Record number of frames decoded and parsed. Automatically update the
-  // stats counters using the AutoNotifyDecoded stack-based class.
-  AbstractMediaDecoder::AutoNotifyDecoded a(mDecoder);
-
-  // Throw away the currently buffered frame if we are seeking.
-  if (mLastVideoFrame && mVideoSeekTimeUs != -1) {
-    mLastVideoFrame = nullptr;
-  }
-
-  ImageBufferCallback bufferCallback(mDecoder->GetImageContainer());
-  RefPtr<Image> currentImage;
-
-  // Read next frame
-  while (true) {
-    MPAPI::VideoFrame frame;
-    if (!mPlugin->ReadVideo(mPlugin, &frame, mVideoSeekTimeUs, &bufferCallback)) {
-      // We reached the end of the video stream. If we have a buffered
-      // video frame, push it the video queue using the total duration
-      // of the video as the end time.
-      if (mLastVideoFrame) {
-        int64_t durationUs;
-        mPlugin->GetDuration(mPlugin, &durationUs);
-        durationUs = std::max<int64_t>(durationUs - mLastVideoFrame->mTime, 0);
-        RefPtr<VideoData> data = VideoData::ShallowCopyUpdateDuration(mLastVideoFrame,
-                                                                        durationUs);
-        mVideoQueue.Push(data);
-        mLastVideoFrame = nullptr;
-      }
-      return false;
-    }
-    mVideoSeekTimeUs = -1;
-
-    if (aKeyframeSkip) {
-      // Disable keyframe skipping for now as
-      // stagefright doesn't seem to be telling us
-      // when a frame is a keyframe.
-#if 0
-      if (!frame.mKeyFrame) {
-        ++a.mStats.mParsedFrames;
-        ++a.mStats.mDroppedFrames;
-        continue;
-      }
-#endif
-      aKeyframeSkip = false;
-    }
-
-    if (frame.mSize == 0)
-      return true;
-
-    currentImage = bufferCallback.GetImage();
-    int64_t pos = mDecoder->GetResource()->Tell();
-    IntRect picture = mPicture;
-
-    RefPtr<VideoData> v;
-    if (currentImage) {
-      gfx::IntSize frameSize = currentImage->GetSize();
-      if (frameSize.width != mInitialFrame.width ||
-          frameSize.height != mInitialFrame.height) {
-        // Frame size is different from what the container reports. This is legal,
-        // and we will preserve the ratio of the crop rectangle as it
-        // was reported relative to the picture size reported by the container.
-        picture.x = (mPicture.x * frameSize.width) / mInitialFrame.width;
-        picture.y = (mPicture.y * frameSize.height) / mInitialFrame.height;
-        picture.width = (frameSize.width * mPicture.width) / mInitialFrame.width;
-        picture.height = (frameSize.height * mPicture.height) / mInitialFrame.height;
-      }
-
-      v = VideoData::CreateFromImage(mInfo.mVideo,
-                                     pos,
-                                     frame.mTimeUs,
-                                     1, // We don't know the duration yet.
-                                     currentImage,
-                                     frame.mKeyFrame,
-                                     -1,
-                                     picture);
-    } else {
-      // Assume YUV
-      VideoData::YCbCrBuffer b;
-      b.mPlanes[0].mData = static_cast<uint8_t *>(frame.Y.mData);
-      b.mPlanes[0].mStride = frame.Y.mStride;
-      b.mPlanes[0].mHeight = frame.Y.mHeight;
-      b.mPlanes[0].mWidth = frame.Y.mWidth;
-      b.mPlanes[0].mOffset = frame.Y.mOffset;
-      b.mPlanes[0].mSkip = frame.Y.mSkip;
-
-      b.mPlanes[1].mData = static_cast<uint8_t *>(frame.Cb.mData);
-      b.mPlanes[1].mStride = frame.Cb.mStride;
-      b.mPlanes[1].mHeight = frame.Cb.mHeight;
-      b.mPlanes[1].mWidth = frame.Cb.mWidth;
-      b.mPlanes[1].mOffset = frame.Cb.mOffset;
-      b.mPlanes[1].mSkip = frame.Cb.mSkip;
-
-      b.mPlanes[2].mData = static_cast<uint8_t *>(frame.Cr.mData);
-      b.mPlanes[2].mStride = frame.Cr.mStride;
-      b.mPlanes[2].mHeight = frame.Cr.mHeight;
-      b.mPlanes[2].mWidth = frame.Cr.mWidth;
-      b.mPlanes[2].mOffset = frame.Cr.mOffset;
-      b.mPlanes[2].mSkip = frame.Cr.mSkip;
-
-      if (frame.Y.mWidth != mInitialFrame.width ||
-          frame.Y.mHeight != mInitialFrame.height) {
-
-        // Frame size is different from what the container reports. This is legal,
-        // and we will preserve the ratio of the crop rectangle as it
-        // was reported relative to the picture size reported by the container.
-        picture.x = (mPicture.x * frame.Y.mWidth) / mInitialFrame.width;
-        picture.y = (mPicture.y * frame.Y.mHeight) / mInitialFrame.height;
-        picture.width = (frame.Y.mWidth * mPicture.width) / mInitialFrame.width;
-        picture.height = (frame.Y.mHeight * mPicture.height) / mInitialFrame.height;
-      }
-
-      // This is the approximate byte position in the stream.
-      v = VideoData::CreateAndCopyData(mInfo.mVideo,
-                                       mDecoder->GetImageContainer(),
-                                       pos,
-                                       frame.mTimeUs,
-                                       1, // We don't know the duration yet.
-                                       b,
-                                       frame.mKeyFrame,
-                                       -1,
-                                       picture);
-    }
-
-    if (!v) {
-      return false;
-    }
-    a.mStats.mParsedFrames++;
-    a.mStats.mDecodedFrames++;
-    NS_ASSERTION(a.mStats.mDecodedFrames <= a.mStats.mParsedFrames, "Expect to decode fewer frames than parsed in AndroidMedia...");
-
-    // Since MPAPI doesn't give us the end time of frames, we keep one frame
-    // buffered in AndroidMediaReader and push it into the queue as soon
-    // we read the following frame so we can use that frame's start time as
-    // the end time of the buffered frame.
-    if (!mLastVideoFrame) {
-      mLastVideoFrame = v;
-      continue;
-    }
-
-    // Calculate the duration as the timestamp of the current frame minus the
-    // timestamp of the previous frame. We can then return the previously
-    // decoded frame, and it will have a valid timestamp.
-    int64_t duration = v->mTime - mLastVideoFrame->mTime;
-    mLastVideoFrame = VideoData::ShallowCopyUpdateDuration(mLastVideoFrame, duration);
-
-    // We have the start time of the next frame, so we can push the previous
-    // frame into the queue, except if the end time is below the threshold,
-    // in which case it wouldn't be displayed anyway.
-    if (mLastVideoFrame->GetEndTime() < aTimeThreshold) {
-      mLastVideoFrame = nullptr;
-      continue;
-    }
-
-    // Buffer the current frame we just decoded.
-    mVideoQueue.Push(mLastVideoFrame);
-    mLastVideoFrame = v;
-
-    break;
-  }
-
-  return true;
-}
-
-bool AndroidMediaReader::DecodeAudioData()
-{
-  MOZ_ASSERT(OnTaskQueue());
-
-  // This is the approximate byte position in the stream.
-  int64_t pos = mDecoder->GetResource()->Tell();
-
-  // Read next frame
-  MPAPI::AudioFrame source;
-  if (!mPlugin->ReadAudio(mPlugin, &source, mAudioSeekTimeUs)) {
-    return false;
-  }
-  mAudioSeekTimeUs = -1;
-
-  // Ignore empty buffers which stagefright media read will sporadically return
-  if (source.mSize == 0)
-    return true;
-
-  uint32_t frames = source.mSize / (source.mAudioChannels *
-                                    sizeof(AudioDataValue));
-
-  typedef AudioCompactor::NativeCopy MPCopy;
-  return mAudioCompactor.Push(pos,
-                              source.mTimeUs,
-                              source.mAudioSampleRate,
-                              frames,
-                              source.mAudioChannels,
-                              MPCopy(static_cast<uint8_t *>(source.mData),
-                                     source.mSize,
-                                     source.mAudioChannels));
-}
-
-RefPtr<MediaDecoderReader::SeekPromise>
-AndroidMediaReader::Seek(SeekTarget aTarget, int64_t aEndTime)
-{
-  MOZ_ASSERT(OnTaskQueue());
-
-  RefPtr<SeekPromise> p = mSeekPromise.Ensure(__func__);
-  if (mHasAudio && mHasVideo) {
-    // The decoder seeks/demuxes audio and video streams separately. So if
-    // we seek both audio and video to aTarget, the audio stream can typically
-    // seek closer to the seek target, since typically every audio block is
-    // a sync point, whereas for video there are only keyframes once every few
-    // seconds. So if we have both audio and video, we must seek the video
-    // stream to the preceeding keyframe first, get the stream time, and then
-    // seek the audio stream to match the video stream's time. Otherwise, the
-    // audio and video streams won't be in sync after the seek.
-    mVideoSeekTimeUs = aTarget.GetTime().ToMicroseconds();
-
-    RefPtr<AndroidMediaReader> self = this;
-    mSeekRequest.Begin(DecodeToFirstVideoData()->Then(OwnerThread(), __func__, [self] (MediaData* v) {
-      self->mSeekRequest.Complete();
-      self->mAudioSeekTimeUs = v->mTime;
-      self->mSeekPromise.Resolve(media::TimeUnit::FromMicroseconds(self->mAudioSeekTimeUs), __func__);
-    }, [self, aTarget] () {
-      self->mSeekRequest.Complete();
-      self->mAudioSeekTimeUs = aTarget.GetTime().ToMicroseconds();
-      self->mSeekPromise.Resolve(aTarget.GetTime(), __func__);
-    }));
-  } else {
-    mAudioSeekTimeUs = mVideoSeekTimeUs = aTarget.GetTime().ToMicroseconds();
-    mSeekPromise.Resolve(aTarget.GetTime(), __func__);
-  }
-
-  return p;
-}
-
-AndroidMediaReader::ImageBufferCallback::ImageBufferCallback(mozilla::layers::ImageContainer *aImageContainer) :
-  mImageContainer(aImageContainer)
-{
-}
-
-void *
-AndroidMediaReader::ImageBufferCallback::operator()(size_t aWidth, size_t aHeight,
-                                                    MPAPI::ColorFormat aColorFormat)
-{
-  if (!mImageContainer) {
-    NS_WARNING("No image container to construct an image");
-    return nullptr;
-  }
-
-  RefPtr<Image> image;
-  switch(aColorFormat) {
-    case MPAPI::RGB565:
-      image = mozilla::layers::CreateSharedRGBImage(mImageContainer,
-                                                    nsIntSize(aWidth, aHeight),
-                                                    SurfaceFormat::R5G6B5_UINT16);
-      if (!image) {
-        NS_WARNING("Could not create rgb image");
-        return nullptr;
-      }
-
-      mImage = image;
-      return image->GetBuffer();
-    case MPAPI::I420:
-      return CreateI420Image(aWidth, aHeight);
-    default:
-      NS_NOTREACHED("Color format not supported");
-      return nullptr;
-  }
-}
-
-uint8_t *
-AndroidMediaReader::ImageBufferCallback::CreateI420Image(size_t aWidth,
-                                                         size_t aHeight)
-{
-  RefPtr<PlanarYCbCrImage> yuvImage = mImageContainer->CreatePlanarYCbCrImage();
-  mImage = yuvImage;
-
-  if (!yuvImage) {
-    NS_WARNING("Could not create I420 image");
-    return nullptr;
-  }
-
-  // Use uint32_t throughout to match AllocateAndGetNewBuffer's param
-  const auto checkedFrameSize =
-    CheckedInt<uint32_t>(aWidth) * aHeight;
-
-  // Allocate enough for one full resolution Y plane
-  // and two quarter resolution Cb/Cr planes.
-  const auto checkedBufferSize =
-    checkedFrameSize + checkedFrameSize / 2;
-
-  if (!checkedBufferSize.isValid()) { // checks checkedFrameSize too
-    NS_WARNING("Could not create I420 image");
-    return nullptr;
-  }
-
-  const auto frameSize = checkedFrameSize.value();
-
-  uint8_t *buffer =
-    yuvImage->AllocateAndGetNewBuffer(checkedBufferSize.value());
-
-  mozilla::layers::PlanarYCbCrData frameDesc;
-
-  frameDesc.mYChannel = buffer;
-  frameDesc.mCbChannel = buffer + frameSize;
-  frameDesc.mCrChannel = frameDesc.mCbChannel + frameSize / 4;
-
-  frameDesc.mYSize = IntSize(aWidth, aHeight);
-  frameDesc.mCbCrSize = IntSize(aWidth / 2, aHeight / 2);
-
-  frameDesc.mYStride = aWidth;
-  frameDesc.mCbCrStride = aWidth / 2;
-
-  frameDesc.mYSkip = 0;
-  frameDesc.mCbSkip = 0;
-  frameDesc.mCrSkip = 0;
-
-  frameDesc.mPicX = 0;
-  frameDesc.mPicY = 0;
-  frameDesc.mPicSize = IntSize(aWidth, aHeight);
-
-  yuvImage->AdoptData(frameDesc);
-
-  return buffer;
-}
-
-already_AddRefed<Image>
-AndroidMediaReader::ImageBufferCallback::GetImage()
-{
-  return mImage.forget();
-}
-
-} // namespace mozilla
diff --git a/dom/media/android/AndroidMediaReader.h b/dom/media/android/AndroidMediaReader.h
deleted file mode 100644
index def85a343..000000000
--- a/dom/media/android/AndroidMediaReader.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#if !defined(AndroidMediaReader_h_)
-#define AndroidMediaReader_h_
-
-#include "mozilla/Attributes.h"
-#include "MediaResource.h"
-#include "MediaDecoderReader.h"
-#include "ImageContainer.h"
-#include "mozilla/layers/SharedRGBImage.h"
-
-#include "MPAPI.h"
-
-class nsACString;
-
-namespace mozilla {
-
-class AbstractMediaDecoder;
-
-namespace layers {
-class ImageContainer;
-}
-
-class AndroidMediaReader : public MediaDecoderReader
-{
-  nsCString mType;
-  MPAPI::Decoder *mPlugin;
-  bool mHasAudio;
-  bool mHasVideo;
-  nsIntRect mPicture;
-  nsIntSize mInitialFrame;
-  int64_t mVideoSeekTimeUs;
-  int64_t mAudioSeekTimeUs;
-  RefPtr<VideoData> mLastVideoFrame;
-  MozPromiseHolder<MediaDecoderReader::SeekPromise> mSeekPromise;
-  MozPromiseRequestHolder<MediaDecoderReader::MediaDataPromise> mSeekRequest;
-public:
-  AndroidMediaReader(AbstractMediaDecoder* aDecoder,
-                     const nsACString& aContentType);
-
-  nsresult ResetDecode(TrackSet aTracks = TrackSet(TrackInfo::kAudioTrack,
-                                                   TrackInfo::kVideoTrack)) override;
-
-  bool DecodeAudioData() override;
-  bool DecodeVideoFrame(bool &aKeyframeSkip, int64_t aTimeThreshold) override;
-
-  nsresult ReadMetadata(MediaInfo* aInfo, MetadataTags** aTags) override;
-  RefPtr<SeekPromise> Seek(SeekTarget aTarget, int64_t aEndTime) override;
-
-  RefPtr<ShutdownPromise> Shutdown() override;
-
-  class ImageBufferCallback : public MPAPI::BufferCallback {
-    typedef mozilla::layers::Image Image;
-
-  public:
-    ImageBufferCallback(mozilla::layers::ImageContainer *aImageContainer);
-    void *operator()(size_t aWidth, size_t aHeight,
-                     MPAPI::ColorFormat aColorFormat) override;
-    already_AddRefed<Image> GetImage();
-
-  private:
-    uint8_t *CreateI420Image(size_t aWidth, size_t aHeight);
-
-    mozilla::layers::ImageContainer *mImageContainer;
-    RefPtr<Image> mImage;
-  };
-
-};
-
-} // namespace mozilla
-
-#endif
diff --git a/dom/media/android/AndroidMediaResourceServer.cpp b/dom/media/android/AndroidMediaResourceServer.cpp
deleted file mode 100644
index bd76a8c68..000000000
--- a/dom/media/android/AndroidMediaResourceServer.cpp
+++ /dev/null
@@ -1,503 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "mozilla/Assertions.h"
-#include "mozilla/Base64.h"
-#include "mozilla/IntegerPrintfMacros.h"
-#include "mozilla/UniquePtr.h"
-#include "nsThreadUtils.h"
-#include "nsIServiceManager.h"
-#include "nsISocketTransport.h"
-#include "nsIOutputStream.h"
-#include "nsIInputStream.h"
-#include "nsIRandomGenerator.h"
-#include "nsReadLine.h"
-#include "nsNetCID.h"
-#include "VideoUtils.h"
-#include "MediaResource.h"
-#include "AndroidMediaResourceServer.h"
-
-#if defined(_MSC_VER)
-#define strtoll _strtoi64
-#endif
-
-using namespace mozilla;
-
-/*
-  ReadCRLF is a variant of NS_ReadLine from nsReadLine.h that deals
-  with the carriage return/line feed requirements of HTTP requests.
-*/
-template<typename CharT, class StreamType, class StringType>
-nsresult
-ReadCRLF (StreamType* aStream, nsLineBuffer<CharT> * aBuffer,
-          StringType & aLine, bool *aMore)
-{
-  // eollast is true if the last character in the buffer is a '\r',
-  // signaling a potential '\r\n' sequence split between reads.
-  bool eollast = false;
-
-  aLine.Truncate();
-
-  while (1) { // will be returning out of this loop on eol or eof
-    if (aBuffer->start == aBuffer->end) { // buffer is empty.  Read into it.
-      uint32_t bytesRead;
-      nsresult rv = aStream->Read(aBuffer->buf, kLineBufferSize, &bytesRead);
-      if (NS_FAILED(rv) || bytesRead == 0) {
-        *aMore = false;
-        return rv;
-      }
-      aBuffer->start = aBuffer->buf;
-      aBuffer->end = aBuffer->buf + bytesRead;
-      *(aBuffer->end) = '\0';
-    }
-
-    /*
-     * Walk the buffer looking for an end-of-line.
-     * There are 4 cases to consider:
-     *  1. the CR char is the last char in the buffer
-     *  2. the CRLF sequence are the last characters in the buffer
-     *  3. the CRLF sequence + one or more chars at the end of the buffer
-     *      we need at least one char after the first CRLF sequence to
-     *      set |aMore| correctly.
-     *  4. The LF character is the first char in the buffer when eollast is
-     *      true.
-     */
-    CharT* current = aBuffer->start;
-    if (eollast) { // Case 4
-      if (*current == '\n') {
-        aBuffer->start = ++current;
-        *aMore = true;
-        return NS_OK;
-      }
-      else {
-        eollast = false;
-        aLine.Append('\r');
-      }
-    }
-    // Cases 2 and 3
-    for ( ; current < aBuffer->end-1; ++current) {
-      if (*current == '\r' && *(current+1) == '\n') {
-        *current++ = '\0';
-        *current++ = '\0';
-        aLine.Append(aBuffer->start);
-        aBuffer->start = current;
-        *aMore = true;
-        return NS_OK;
-      }
-    }
-    // Case 1
-    if (*current == '\r') {
-      eollast = true;
-      *current++ = '\0';
-    }
-
-    aLine.Append(aBuffer->start);
-    aBuffer->start = aBuffer->end; // mark the buffer empty
-  }
-}
-
-// Each client HTTP request results in a thread being spawned to process it.
-// That thread has a single event dispatched to it which handles the HTTP
-// protocol. It parses the headers and forwards data from the MediaResource
-// associated with the URL back to client. When the request is complete it will
-// shutdown the thread.
-class ServeResourceEvent : public Runnable {
-private:
-  // Reading from this reads the data sent from the client.
-  nsCOMPtr<nsIInputStream> mInput;
-
-  // Writing to this sends data to the client.
-  nsCOMPtr<nsIOutputStream> mOutput;
-
-  // The AndroidMediaResourceServer that owns the MediaResource instances
-  // served. This is used to lookup the MediaResource from the URL.
-  RefPtr<AndroidMediaResourceServer> mServer;
-
-  // Write 'aBufferLength' bytes from 'aBuffer' to 'mOutput'. This
-  // method ensures all the data is written by checking the number
-  // of bytes returned from the output streams 'Write' method and
-  // looping until done.
-  nsresult WriteAll(char const* aBuffer, int32_t aBufferLength);
-
-public:
-  ServeResourceEvent(nsIInputStream* aInput, nsIOutputStream* aOutput,
-                     AndroidMediaResourceServer* aServer)
-    : mInput(aInput), mOutput(aOutput), mServer(aServer) {}
-
-  // This method runs on the thread and exits when it has completed the
-  // HTTP request.
-  NS_IMETHOD Run();
-
-  // Given the first line of an HTTP request, parse the URL requested and
-  // return the MediaResource for that URL.
-  already_AddRefed<MediaResource> GetMediaResource(nsCString const& aHTTPRequest);
-
-  // Gracefully shutdown the thread and cleanup resources
-  void Shutdown();
-};
-
-nsresult
-ServeResourceEvent::WriteAll(char const* aBuffer, int32_t aBufferLength)
-{
-  while (aBufferLength > 0) {
-    uint32_t written = 0;
-    nsresult rv = mOutput->Write(aBuffer, aBufferLength, &written);
-    if (NS_FAILED (rv)) return rv;
-
-    aBufferLength -= written;
-    aBuffer += written;
-  }
-
-  return NS_OK;
-}
-
-already_AddRefed<MediaResource>
-ServeResourceEvent::GetMediaResource(nsCString const& aHTTPRequest)
-{
-  // Check that the HTTP method is GET
-  const char* HTTP_METHOD = "GET ";
-  if (strncmp(aHTTPRequest.get(), HTTP_METHOD, strlen(HTTP_METHOD)) != 0) {
-    return nullptr;
-  }
-
-  const char* url_start = strchr(aHTTPRequest.get(), ' ');
-  if (!url_start) {
-    return nullptr;
-  }
-
-  const char* url_end = strrchr(++url_start, ' ');
-  if (!url_end) {
-    return nullptr;
-  }
-
-  // The path extracted from the HTTP request is used as a key in hash
-  // table. It is not related to retrieving data from the filesystem so
-  // we don't need to do any sanity checking on ".." paths and similar
-  // exploits.
-  nsCString relative(url_start, url_end - url_start);
-  RefPtr<MediaResource> resource =
-    mServer->GetResource(mServer->GetURLPrefix() + relative);
-  return resource.forget();
-}
-
-NS_IMETHODIMP
-ServeResourceEvent::Run() {
-  bool more = false; // Are there HTTP headers to read after the first line
-  nsCString line;    // Contains the current line read from input stream
-  nsLineBuffer<char>* buffer = new nsLineBuffer<char>();
-  nsresult rv = ReadCRLF(mInput.get(), buffer, line, &more);
-  if (NS_FAILED(rv)) { Shutdown(); return rv; }
-
-  // First line contains the HTTP GET request. Extract the URL and obtain
-  // the MediaResource for it.
-  RefPtr<MediaResource> resource = GetMediaResource(line);
-  if (!resource) {
-    const char* response_404 = "HTTP/1.1 404 Not Found\r\n"
-                               "Content-Length: 0\r\n\r\n";
-    rv = WriteAll(response_404, strlen(response_404));
-    Shutdown();
-    return rv;
-  }
-
-  // Offset in bytes to start reading from resource.
-  // This is zero by default but can be set to another starting value if
-  // this HTTP request includes a byte range request header.
-  int64_t start = 0;
-
-  // Keep reading lines until we get a zero length line, which is the HTTP
-  // protocol's way of signifying the end of headers and start of body, or
-  // until we have no more data to read.
-  while (more && line.Length() > 0) {
-    rv = ReadCRLF(mInput.get(), buffer, line, &more);
-    if (NS_FAILED(rv)) { Shutdown(); return rv; }
-
-    // Look for a byte range request header. If there is one, set the
-    // media resource offset to start from to that requested. Here we
-    // only check for the range request format used by Android rather
-    // than implementing all possibilities in the HTTP specification.
-    // That is, the range request is of the form:
-    //   Range: bytes=nnnn-
-    // Were 'nnnn' is an integer number.
-    // The end of the range is not checked, instead we return up to
-    // the end of the resource and the client is informed of this via
-    // the content-range header.
-    NS_NAMED_LITERAL_CSTRING(byteRange, "Range: bytes=");
-    const char* s = strstr(line.get(), byteRange.get());
-    if (s) {
-      start = strtoll(s+byteRange.Length(), nullptr, 10);
-
-      // Clamp 'start' to be between 0 and the resource length.
-      start = std::max(int64_t(0), std::min(resource->GetLength(), start));
-    }
-  }
-
-  // HTTP response to use if this is a non byte range request
-  const char* response_normal = "HTTP/1.1 200 OK\r\n";
-
-  // HTTP response to use if this is a byte range request
-  const char* response_range = "HTTP/1.1 206 Partial Content\r\n";
-
-  // End of HTTP reponse headers is indicated by an empty line.
-  const char* response_end = "\r\n";
-
-  // If the request was a byte range request, we need to read from the
-  // requested offset. If the resource is non-seekable, or the seek
-  // fails, then the start offset is set back to zero. This results in all
-  // HTTP response data being as if the byte range request was not made.
-  if (start > 0 && !resource->IsTransportSeekable()) {
-    start = 0;
-  }
-
-  const char* response_line = start > 0 ?
-                                response_range :
-                                response_normal;
-  rv = WriteAll(response_line, strlen(response_line));
-  if (NS_FAILED(rv)) { Shutdown(); return NS_OK; }
-
-  // Buffer used for reading from the input stream and writing to
-  // the output stream. The buffer size should be big enough for the
-  // HTTP response headers sent below. A static_assert ensures
-  // this where the buffer is used.
-  const int buffer_size = 32768;
-  auto b = MakeUnique<char[]>(buffer_size);
-
-  // If we know the length of the resource, send a Content-Length header.
-  int64_t contentlength = resource->GetLength() - start;
-  if (contentlength > 0) {
-    static_assert (buffer_size > 1024,
-                   "buffer_size must be large enough "
-                   "to hold response headers");
-    snprintf(b.get(), buffer_size, "Content-Length: %" PRId64 "\r\n", contentlength);
-    rv = WriteAll(b.get(), strlen(b.get()));
-    if (NS_FAILED(rv)) { Shutdown(); return NS_OK; }
-  }
-
-  // If the request was a byte range request, respond with a Content-Range
-  // header which details the extent of the data returned.
-  if (start > 0) {
-    static_assert (buffer_size > 1024,
-                   "buffer_size must be large enough "
-                   "to hold response headers");
-    snprintf(b.get(), buffer_size, "Content-Range: "
-             "bytes %" PRId64 "-%" PRId64 "/%" PRId64 "\r\n",
-             start, resource->GetLength() - 1, resource->GetLength());
-    rv = WriteAll(b.get(), strlen(b.get()));
-    if (NS_FAILED(rv)) { Shutdown(); return NS_OK; }
-  }
-
-  rv = WriteAll(response_end, strlen(response_end));
-  if (NS_FAILED(rv)) { Shutdown(); return NS_OK; }
-
-  rv = mOutput->Flush();
-  if (NS_FAILED(rv)) { Shutdown(); return NS_OK; }
-
-  // Read data from media resource
-  uint32_t bytesRead = 0; // Number of bytes read/written to streams
-  rv = resource->ReadAt(start, b.get(), buffer_size, &bytesRead);
-  while (NS_SUCCEEDED(rv) && bytesRead != 0) {
-    // Keep track of what we think the starting position for the next read
-    // is. This is used in subsequent ReadAt calls to ensure we are reading
-    // from the correct offset in the case where another thread is reading
-    // from th same MediaResource.
-    start += bytesRead;
-
-    // Write data obtained from media resource to output stream
-    rv = WriteAll(b.get(), bytesRead);
-    if (NS_FAILED (rv)) break;
-
-    rv = resource->ReadAt(start, b.get(), 32768, &bytesRead);
-  }
-
-  Shutdown();
-  return NS_OK;
-}
-
-void
-ServeResourceEvent::Shutdown()
-{
-  // Cleanup resources and exit.
-  mInput->Close();
-  mOutput->Close();
-
-  // To shutdown the current thread we need to first exit this event.
-  // The Shutdown event below is posted to the main thread to do this.
-  nsCOMPtr<nsIRunnable> event = new ShutdownThreadEvent(NS_GetCurrentThread());
-  NS_DispatchToMainThread(event);
-}
-
-/*
-  This is the listener attached to the server socket. When an HTTP
-  request is made by the client the OnSocketAccepted method is
-  called. This method will spawn a thread to process the request.
-  The thread receives a single event which does the parsing of
-  the HTTP request and forwarding the data from the MediaResource
-  to the output stream of the request.
-
-  The MediaResource used for providing the request data is obtained
-  from the AndroidMediaResourceServer that created this listener, using the
-  URL the client requested.
-*/
-class ResourceSocketListener : public nsIServerSocketListener
-{
-public:
-  // The AndroidMediaResourceServer used to look up the MediaResource
-  // on requests.
-  RefPtr<AndroidMediaResourceServer> mServer;
-
-  NS_DECL_THREADSAFE_ISUPPORTS
-  NS_DECL_NSISERVERSOCKETLISTENER
-
-  ResourceSocketListener(AndroidMediaResourceServer* aServer) :
-    mServer(aServer)
-  {
-  }
-
-private:
-  virtual ~ResourceSocketListener() { }
-};
-
-NS_IMPL_ISUPPORTS(ResourceSocketListener, nsIServerSocketListener)
-
-NS_IMETHODIMP
-ResourceSocketListener::OnSocketAccepted(nsIServerSocket* aServ,
-                                         nsISocketTransport* aTrans)
-{
-  nsCOMPtr<nsIInputStream> input;
-  nsCOMPtr<nsIOutputStream> output;
-  nsresult rv;
-
-  rv = aTrans->OpenInputStream(nsITransport::OPEN_BLOCKING, 0, 0, getter_AddRefs(input));
-  if (NS_FAILED(rv)) return rv;
-
-  rv = aTrans->OpenOutputStream(nsITransport::OPEN_BLOCKING, 0, 0, getter_AddRefs(output));
-  if (NS_FAILED(rv)) return rv;
-
-  nsCOMPtr<nsIThread> thread;
-  rv = NS_NewThread(getter_AddRefs(thread));
-  if (NS_FAILED(rv)) return rv;
-
-  nsCOMPtr<nsIRunnable> event = new ServeResourceEvent(input.get(), output.get(), mServer);
-  return thread->Dispatch(event, NS_DISPATCH_NORMAL);
-}
-
-NS_IMETHODIMP
-ResourceSocketListener::OnStopListening(nsIServerSocket* aServ, nsresult aStatus)
-{
-  return NS_OK;
-}
-
-AndroidMediaResourceServer::AndroidMediaResourceServer() :
-  mMutex("AndroidMediaResourceServer")
-{
-}
-
-NS_IMETHODIMP
-AndroidMediaResourceServer::Run()
-{
-  MOZ_DIAGNOSTIC_ASSERT(NS_IsMainThread());
-  MutexAutoLock lock(mMutex);
-
-  nsresult rv;
-  mSocket = do_CreateInstance(NS_SERVERSOCKET_CONTRACTID, &rv);
-  if (NS_FAILED(rv)) return rv;
-
-  rv = mSocket->InitSpecialConnection(-1,
-                                      nsIServerSocket::LoopbackOnly
-                                      | nsIServerSocket::KeepWhenOffline,
-                                      -1);
-  if (NS_FAILED(rv)) return rv;
-
-  rv = mSocket->AsyncListen(new ResourceSocketListener(this));
-  if (NS_FAILED(rv)) return rv;
-
-  return NS_OK;
-}
-
-/* static */
-already_AddRefed<AndroidMediaResourceServer>
-AndroidMediaResourceServer::Start()
-{
-  MOZ_ASSERT(NS_IsMainThread());
-  RefPtr<AndroidMediaResourceServer> server = new AndroidMediaResourceServer();
-  server->Run();
-  return server.forget();
-}
-
-void
-AndroidMediaResourceServer::Stop()
-{
-  MutexAutoLock lock(mMutex);
-  mSocket->Close();
-  mSocket = nullptr;
-}
-
-nsresult
-AndroidMediaResourceServer::AppendRandomPath(nsCString& aUrl)
-{
-  // Use a cryptographic quality PRNG to generate raw random bytes
-  // and convert that to a base64 string for use as an URL path. This
-  // is based on code from nsExternalAppHandler::SetUpTempFile.
-  nsresult rv;
-  nsAutoCString salt;
-  rv = GenerateRandomPathName(salt, 16);
-  if (NS_FAILED(rv)) return rv;
-  aUrl += "/";
-  aUrl += salt;
-  return NS_OK;
-}
-
-nsresult
-AndroidMediaResourceServer::AddResource(mozilla::MediaResource* aResource, nsCString& aUrl)
-{
-  nsCString url = GetURLPrefix();
-  nsresult rv = AppendRandomPath(url);
-  if (NS_FAILED (rv)) return rv;
-
-  {
-    MutexAutoLock lock(mMutex);
-
-    // Adding a resource URL that already exists is considered an error.
-    if (mResources.find(url) != mResources.end()) return NS_ERROR_FAILURE;
-    mResources[url] = aResource;
-  }
-
-  aUrl = url;
-
-  return NS_OK;
-}
-
-void
-AndroidMediaResourceServer::RemoveResource(nsCString const& aUrl)
-{
-  MutexAutoLock lock(mMutex);
-  mResources.erase(aUrl);
-}
-
-nsCString
-AndroidMediaResourceServer::GetURLPrefix()
-{
-  MutexAutoLock lock(mMutex);
-
-  int32_t port = 0;
-  nsresult rv = mSocket->GetPort(&port);
-  if (NS_FAILED (rv) || port < 0) {
-    return nsCString("");
-  }
-
-  char buffer[256];
-  snprintf(buffer, sizeof(buffer), "http://127.0.0.1:%d", port >= 0 ? port : 0);
-  return nsCString(buffer);
-}
-
-already_AddRefed<MediaResource>
-AndroidMediaResourceServer::GetResource(nsCString const& aUrl)
-{
-  MutexAutoLock lock(mMutex);
-  ResourceMap::const_iterator it = mResources.find(aUrl);
-  if (it == mResources.end()) return nullptr;
-
-  RefPtr<MediaResource> resource = it->second;
-  return resource.forget();
-}
diff --git a/dom/media/android/AndroidMediaResourceServer.h b/dom/media/android/AndroidMediaResourceServer.h
deleted file mode 100644
index 68200f9c0..000000000
--- a/dom/media/android/AndroidMediaResourceServer.h
+++ /dev/null
@@ -1,96 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#if !defined(AndroidMediaResourceServer_h_)
-#define AndroidMediaResourceServer_h_
-
-#include <map>
-#include "nsIServerSocket.h"
-#include "MediaResource.h"
-
-namespace mozilla {
-
-class MediaResource;
-
-/*
-  AndroidMediaResourceServer instantiates a socket server that understands
-  HTTP requests for MediaResource instances. The server runs on an
-  automatically selected port and MediaResource instances are registered.
-  The registration returns a string URL than can be used to fetch the
-  resource. That URL contains a randomly generated path to make it
-  difficult for other local applications on the device to guess it.
-
-  The HTTP protocol is limited in that it supports only what the
-  Android DataSource implementation uses to fetch media. It
-  understands HTTP GET and byte range requests.
-
-  The intent of this class is to be used in Media backends that
-  have a system component that does its own network requests. These
-  requests are made against this server which then uses standard
-  Gecko network requests and media cache usage.
-
-  The AndroidMediaResourceServer can be instantiated on any thread and
-  its methods are threadsafe - they can be called on any thread.
-  The server socket itself is always run on the main thread and
-  this is done by the Start() static method by synchronously
-  dispatching to the main thread.
-*/
-class AndroidMediaResourceServer : public Runnable
-{
-private:
-  // Mutex protecting private members of AndroidMediaResourceServer.
-  // All member variables below this point in the class definition
-  // must acquire the mutex before access.
-  mozilla::Mutex mMutex;
-
-  // Server socket used to listen for incoming connections
-  nsCOMPtr<nsIServerSocket> mSocket;
-
-  // Mapping between MediaResource URL's to the MediaResource
-  // object served at that URL.
-  typedef std::map<nsCString,
-                  RefPtr<mozilla::MediaResource> > ResourceMap;
-  ResourceMap mResources;
-
-  // Create a AndroidMediaResourceServer that will listen on an automatically
-  // selected port when started. This is private as it should only be
-  // called internally from the public 'Start' method.
-  AndroidMediaResourceServer();
-  NS_IMETHOD Run();
-
-  // Append a random URL path to a string. This is used for creating a
-  // unique URl for a resource which helps prevent malicious software
-  // running on the same machine as the server from guessing the URL
-  // and accessing video data.
-  nsresult AppendRandomPath(nsCString& aURL);
-
-public:
-  // Create a AndroidMediaResourceServer and start it listening. This call will
-  // perform a synchronous request on the main thread.
-  static already_AddRefed<AndroidMediaResourceServer> Start();
-
-  // Stops the server from listening and accepting further connections.
-  void Stop();
-
-  // Add a MediaResource to be served by this server. Stores the
-  // absolute URL that can be used to access the resource in 'aUrl'.
-  nsresult AddResource(mozilla::MediaResource* aResource, nsCString& aUrl);
-
-  // Remove a MediaResource so it is no longer served by this server.
-  // The URL provided must match exactly that provided by a previous
-  // call to "AddResource".
-  void RemoveResource(nsCString const& aUrl);
-
-  // Returns the prefix for HTTP requests to the server. This plus
-  // the result of AddResource results in an Absolute URL.
-  nsCString GetURLPrefix();
-
-  // Returns the resource asociated with a given URL
-  already_AddRefed<mozilla::MediaResource> GetResource(nsCString const& aUrl);
-};
-
-} // namespace mozilla
-
-#endif
diff --git a/dom/media/android/MPAPI.h b/dom/media/android/MPAPI.h
deleted file mode 100644
index 9b289ca09..000000000
--- a/dom/media/android/MPAPI.h
+++ /dev/null
@@ -1,165 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#if !defined(MPAPI_h_)
-#define MPAPI_h_
-
-#include <stdint.h>
-
-namespace MPAPI {
-
-enum ColorFormat {
-  I420,
-  RGB565
-};
-
-/*
- * A callback for the plugin to use to request a buffer owned by gecko. This can
- * save us a copy or two down the line.
- */
-class BufferCallback {
-public:
-  virtual void *operator()(size_t aWidth, size_t aHeight,
-                           ColorFormat aColorFormat) = 0;
-};
-
-struct VideoPlane {
-  VideoPlane() :
-    mData(0),
-    mStride(0),
-    mWidth(0),
-    mHeight(0),
-    mOffset(0),
-    mSkip(0)
-  {}
-
-  void *mData;
-  int32_t mStride;
-  int32_t mWidth;
-  int32_t mHeight;
-  int32_t mOffset;
-  int32_t mSkip;
-};
-
-struct VideoFrame {
-  int64_t mTimeUs;
-  bool mKeyFrame;
-  void *mData;
-  size_t mSize;
-  int32_t mStride;
-  int32_t mSliceHeight;
-  int32_t mRotation;
-  VideoPlane Y;
-  VideoPlane Cb;
-  VideoPlane Cr;
-
-  VideoFrame() :
-    mTimeUs(0),
-    mKeyFrame(false),
-    mData(0),
-    mSize(0),
-    mStride(0),
-    mSliceHeight(0),
-    mRotation(0)
-  {}
-
-  void Set(int64_t aTimeUs, bool aKeyFrame,
-           void *aData, size_t aSize, int32_t aStride, int32_t aSliceHeight, int32_t aRotation,
-           void *aYData, int32_t aYStride, int32_t aYWidth, int32_t aYHeight, int32_t aYOffset, int32_t aYSkip,
-           void *aCbData, int32_t aCbStride, int32_t aCbWidth, int32_t aCbHeight, int32_t aCbOffset, int32_t aCbSkip,
-           void *aCrData, int32_t aCrStride, int32_t aCrWidth, int32_t aCrHeight, int32_t aCrOffset, int32_t aCrSkip)
-  {
-    mTimeUs = aTimeUs;
-    mKeyFrame = aKeyFrame;
-    mData = aData;
-    mSize = aSize;
-    mStride = aStride;
-    mSliceHeight = aSliceHeight;
-    mRotation = aRotation;
-    Y.mData = aYData;
-    Y.mStride = aYStride;
-    Y.mWidth = aYWidth;
-    Y.mHeight = aYHeight;
-    Y.mOffset = aYOffset;
-    Y.mSkip = aYSkip;
-    Cb.mData = aCbData;
-    Cb.mStride = aCbStride;
-    Cb.mWidth = aCbWidth;
-    Cb.mHeight = aCbHeight;
-    Cb.mOffset = aCbOffset;
-    Cb.mSkip = aCbSkip;
-    Cr.mData = aCrData;
-    Cr.mStride = aCrStride;
-    Cr.mWidth = aCrWidth;
-    Cr.mHeight = aCrHeight;
-    Cr.mOffset = aCrOffset;
-    Cr.mSkip = aCrSkip;
-  }
-};
-
-struct AudioFrame {
-  int64_t mTimeUs;
-  void *mData; // 16PCM interleaved
-  size_t mSize; // Size of mData in bytes
-  int32_t mAudioChannels;
-  int32_t mAudioSampleRate;
-
-  AudioFrame() :
-    mTimeUs(0),
-    mData(0),
-    mSize(0),
-    mAudioChannels(0),
-    mAudioSampleRate(0)
-  {
-  }
-
-  void Set(int64_t aTimeUs,
-           void *aData, size_t aSize,
-           int32_t aAudioChannels, int32_t aAudioSampleRate)
-  {
-    mTimeUs = aTimeUs;
-    mData = aData;
-    mSize = aSize;
-    mAudioChannels = aAudioChannels;
-    mAudioSampleRate = aAudioSampleRate;
-  }
-};
-
-struct Decoder;
-
-struct PluginHost {
-  bool (*Read)(Decoder *aDecoder, char *aBuffer, int64_t aOffset, uint32_t aCount, uint32_t* aBytes);
-  uint64_t (*GetLength)(Decoder *aDecoder);
-  void (*SetMetaDataReadMode)(Decoder *aDecoder);
-  void (*SetPlaybackReadMode)(Decoder *aDecoder);
-  bool (*GetIntPref)(const char *aPref, int32_t *aResult);
-  bool (*GetSystemInfoString)(const char *aKey, char *aResult, size_t aResultLen);
-};
-
-struct Decoder {
-  void *mResource;
-  void *mPrivate;
-
-  Decoder();
-
-  void (*GetDuration)(Decoder *aDecoder, int64_t *durationUs);
-  void (*GetVideoParameters)(Decoder *aDecoder, int32_t *aWidth, int32_t *aHeight);
-  void (*GetAudioParameters)(Decoder *aDecoder, int32_t *aNumChannels, int32_t *aSampleRate);
-  bool (*HasVideo)(Decoder *aDecoder);
-  bool (*HasAudio)(Decoder *aDecoder);
-  bool (*ReadVideo)(Decoder *aDecoder, VideoFrame *aFrame, int64_t aSeekTimeUs, BufferCallback *aBufferCallback);
-  bool (*ReadAudio)(Decoder *aDecoder, AudioFrame *aFrame, int64_t aSeekTimeUs);
-  void (*DestroyDecoder)(Decoder *);
-};
-
-struct Manifest {
-  bool (*CanDecode)(const char *aMimeChars, size_t aMimeLen, const char* const**aCodecs);
-  bool (*CreateDecoder)(PluginHost *aPluginHost, Decoder *aDecoder,
-                        const char *aMimeChars, size_t aMimeLen);
-};
-
-}
-
-#endif
diff --git a/dom/media/android/moz.build b/dom/media/android/moz.build
deleted file mode 100644
index 3ad43cd50..000000000
--- a/dom/media/android/moz.build
+++ /dev/null
@@ -1,27 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-EXPORTS += [
-    'AndroidMediaDecoder.h',
-    'AndroidMediaPluginHost.h',
-    'AndroidMediaReader.h',
-    'AndroidMediaResourceServer.h',
-    'MPAPI.h',
-]
-
-UNIFIED_SOURCES += [
-    'AndroidMediaDecoder.cpp',
-    'AndroidMediaPluginHost.cpp',
-    'AndroidMediaReader.cpp',
-    'AndroidMediaResourceServer.cpp',
-]
-
-LOCAL_INCLUDES += [
-    '/dom/base',
-    '/dom/html',
-]
-
-FINAL_LIBRARY = 'xul'
diff --git a/dom/media/moz.build b/dom/media/moz.build
index 6d2c71f2d..df8cb619d 100644
--- a/dom/media/moz.build
+++ b/dom/media/moz.build
@@ -43,9 +43,6 @@ DIRS += [
     'standalone',
 ]
 
-if CONFIG['MOZ_ANDROID_OMX']:
-    DIRS += ['android']
-
 if CONFIG['MOZ_FMP4']:
     DIRS += ['fmp4']
 
diff --git a/gfx/thebes/gfxFT2FontList.cpp b/gfx/thebes/gfxFT2FontList.cpp
index 8a652df0d..09c938a24 100644
--- a/gfx/thebes/gfxFT2FontList.cpp
+++ b/gfx/thebes/gfxFT2FontList.cpp
@@ -812,6 +812,15 @@ public:
         : mFontList(aFontList)
     { }
 
+    void Remove()
+    {
+        nsCOMPtr<nsIObserverService> obs = services::GetObserverService();
+        if (obs) {
+            obs->RemoveObserver(this, NS_XPCOM_WILL_SHUTDOWN_OBSERVER_ID);
+        }
+        mFontList = nullptr;
+    }
+
 protected:
     virtual ~WillShutdownObserver()
     { }
@@ -847,11 +856,7 @@ gfxFT2FontList::gfxFT2FontList()
 gfxFT2FontList::~gfxFT2FontList()
 {
     if (mObserver) {
-        nsCOMPtr<nsIObserverService> obs = services::GetObserverService();
-        if (obs) {
-            obs->RemoveObserver(mObserver, NS_XPCOM_WILL_SHUTDOWN_OBSERVER_ID);
-        }
-        mObserver = nullptr;
+        mObserver->Remove();
     }
 }
 
diff --git a/gfx/thebes/gfxFT2FontList.h b/gfx/thebes/gfxFT2FontList.h
index 63187ba26..9fb566c15 100644
--- a/gfx/thebes/gfxFT2FontList.h
+++ b/gfx/thebes/gfxFT2FontList.h
@@ -19,6 +19,7 @@ using mozilla::dom::FontListEntry;
 class FontNameCache;
 typedef struct FT_FaceRec_* FT_Face;
 class nsZipArchive;
+class WillShutdownObserver;
 
 class FT2FontEntry : public gfxFontEntry
 {
@@ -194,7 +195,7 @@ private:
 
     mozilla::UniquePtr<FontNameCache> mFontNameCache;
     int64_t mJarModifiedTime;
-    nsCOMPtr<nsIObserver> mObserver;
+    RefPtr<WillShutdownObserver> mObserver;
 };
 
 #endif /* GFX_FT2FONTLIST_H */
diff --git a/image/encoders/png/nsPNGEncoder.cpp b/image/encoders/png/nsPNGEncoder.cpp
index 66294146d..abe6f35b4 100644
--- a/image/encoders/png/nsPNGEncoder.cpp
+++ b/image/encoders/png/nsPNGEncoder.cpp
@@ -9,6 +9,7 @@
 #include "nsStreamUtils.h"
 #include "nsString.h"
 #include "prprf.h"
+#include "mozilla/CheckedInt.h"
 
 using namespace mozilla;
 
@@ -703,30 +704,55 @@ nsPNGEncoder::WriteCallback(png_structp png, png_bytep data,
     return;
   }
 
-  if (that->mImageBufferUsed + size > that->mImageBufferSize) {
+  CheckedUint32 sizeNeeded = CheckedUint32(that->mImageBufferUsed) + size;
+  if (!sizeNeeded.isValid()) {
+    // Take the lock to ensure that nobody is trying to read from the buffer
+    // we are destroying
+    ReentrantMonitorAutoEnter autoEnter(that->mReentrantMonitor);
+
+    that->NullOutImageBuffer();
+    return;
+  }
+
+  if (sizeNeeded.value() > that->mImageBufferSize) {
     // When we're reallocing the buffer we need to take the lock to ensure
     // that nobody is trying to read from the buffer we are destroying
     ReentrantMonitorAutoEnter autoEnter(that->mReentrantMonitor);
 
-    // expand buffer, just double each time
-    that->mImageBufferSize *= 2;
-    uint8_t* newBuf = (uint8_t*)realloc(that->mImageBuffer,
-                                        that->mImageBufferSize);
-    if (!newBuf) {
-      // can't resize, just zero (this will keep us from writing more)
-      free(that->mImageBuffer);
-      that->mImageBuffer = nullptr;
-      that->mImageBufferSize = 0;
-      that->mImageBufferUsed = 0;
-      return;
+    while (sizeNeeded.value() > that->mImageBufferSize) {
+      // expand buffer, just double each time
+      CheckedUint32 bufferSize = CheckedUint32(that->mImageBufferSize) * 2;
+      if (!bufferSize.isValid()) {
+        that->NullOutImageBuffer();
+        return;
+      }
+      that->mImageBufferSize *= 2;
+      uint8_t* newBuf = (uint8_t*)realloc(that->mImageBuffer,
+                                          that->mImageBufferSize);
+      if (!newBuf) {
+        // can't resize, just zero (this will keep us from writing more)
+        that->NullOutImageBuffer();
+        return;
+      }
+      that->mImageBuffer = newBuf;
     }
-    that->mImageBuffer = newBuf;
   }
+
   memcpy(&that->mImageBuffer[that->mImageBufferUsed], data, size);
   that->mImageBufferUsed += size;
   that->NotifyListener();
 }
 
+void nsPNGEncoder::NullOutImageBuffer()
+{
+  mReentrantMonitor.AssertCurrentThreadIn();
+
+  free(mImageBuffer);
+  mImageBuffer = nullptr;
+  mImageBufferSize = 0;
+  mImageBufferUsed = 0;
+}
+
 void
 nsPNGEncoder::NotifyListener()
 {
diff --git a/image/encoders/png/nsPNGEncoder.h b/image/encoders/png/nsPNGEncoder.h
index 95e7d5c19..8c2239c11 100644
--- a/image/encoders/png/nsPNGEncoder.h
+++ b/image/encoders/png/nsPNGEncoder.h
@@ -54,6 +54,7 @@ protected:
   static void WarningCallback(png_structp png_ptr, png_const_charp warning_msg);
   static void ErrorCallback(png_structp png_ptr, png_const_charp error_msg);
   static void WriteCallback(png_structp png, png_bytep data, png_size_t size);
+  void NullOutImageBuffer();
   void NotifyListener();
 
   png_struct* mPNG;
diff --git a/ipc/glue/BackgroundUtils.cpp b/ipc/glue/BackgroundUtils.cpp
index 44f988efd..6f7501f70 100644
--- a/ipc/glue/BackgroundUtils.cpp
+++ b/ipc/glue/BackgroundUtils.cpp
@@ -295,7 +295,8 @@ LoadInfoToLoadInfoArgs(nsILoadInfo *aLoadInfo,
       aLoadInfo->CorsUnsafeHeaders(),
       aLoadInfo->GetForcePreflight(),
       aLoadInfo->GetIsPreflight(),
-      aLoadInfo->GetLoadTriggeredFromExternal()
+      aLoadInfo->GetLoadTriggeredFromExternal(),
+      aLoadInfo->GetIsFromProcessingFrameAttributes()
       );
 
   return NS_OK;
@@ -347,7 +348,7 @@ LoadInfoArgsToLoadInfo(const OptionalLoadInfoArgs& aOptionalLoadInfoArgs,
     redirectChain.AppendElement(redirectedPrincipal.forget());
   }
 
-  nsCOMPtr<nsILoadInfo> loadInfo =
+  RefPtr<mozilla::LoadInfo> loadInfo =
     new mozilla::LoadInfo(loadingPrincipal,
                           triggeringPrincipal,
                           principalToInherit,
@@ -375,8 +376,12 @@ LoadInfoArgsToLoadInfo(const OptionalLoadInfoArgs& aOptionalLoadInfoArgs,
                           loadInfoArgs.loadTriggeredFromExternal()
                           );
 
-   loadInfo.forget(outLoadInfo);
-   return NS_OK;
+  if (loadInfoArgs.isFromProcessingFrameAttributes()) {
+    loadInfo->SetIsFromProcessingFrameAttributes();
+  }
+
+  loadInfo.forget(outLoadInfo);
+  return NS_OK;
 }
 
 } // namespace ipc
diff --git a/js/src/jit/IonAnalysis.cpp b/js/src/jit/IonAnalysis.cpp
index 2c9ffb607..b163d5818 100644
--- a/js/src/jit/IonAnalysis.cpp
+++ b/js/src/jit/IonAnalysis.cpp
@@ -2306,7 +2306,7 @@ jit::RemoveUnmarkedBlocks(MIRGenerator* mir, MIRGraph& graph, uint32_t numMarked
         // bailout.
         for (PostorderIterator it(graph.poBegin()); it != graph.poEnd();) {
             MBasicBlock* block = *it++;
-            if (!block->isMarked())
+            if (block->isMarked())
                 continue;
 
             FlagAllOperandsAsHavingRemovedUses(mir, block);
diff --git a/js/src/jit/RangeAnalysis.cpp b/js/src/jit/RangeAnalysis.cpp
index 95484c249..d64f9b8ca 100644
--- a/js/src/jit/RangeAnalysis.cpp
+++ b/js/src/jit/RangeAnalysis.cpp
@@ -2167,7 +2167,7 @@ RangeAnalysis::analyzeLoopPhi(MBasicBlock* header, LoopIterationBound* loopBound
     if (initial->block()->isMarked())
         return;
 
-    SimpleLinearSum modified = ExtractLinearSum(phi->getLoopBackedgeOperand());
+    SimpleLinearSum modified = ExtractLinearSum(phi->getLoopBackedgeOperand(), MathSpace::Infinite);
 
     if (modified.term != phi || modified.constant == 0)
         return;
diff --git a/js/src/jsfun.h b/js/src/jsfun.h
index 7da831aa2..1c7da57ec 100644
--- a/js/src/jsfun.h
+++ b/js/src/jsfun.h
@@ -460,6 +460,19 @@ class JSFunction : public js::NativeObject
         return nonLazyScript();
     }
 
+    // If this is a scripted function, returns its canonical function (the
+    // original function allocated by the frontend). Note that lazy self-hosted
+    // builtins don't have a lazy script so in that case we also return nullptr.
+    JSFunction* maybeCanonicalFunction() const {
+        if (hasScript()) {
+            return nonLazyScript()->functionNonDelazifying();
+        }
+        if (isInterpretedLazy() && !isSelfHostedBuiltin()) {
+            return lazyScript()->functionNonDelazifying();
+        }
+        return nullptr;
+    }
+
     // The state of a JSFunction whose script errored out during bytecode
     // compilation. Such JSFunctions are only reachable via GC iteration and
     // not from script.
diff --git a/js/src/vm/ObjectGroup.cpp b/js/src/vm/ObjectGroup.cpp
index d6a8fcaa4..1fbf8976b 100644
--- a/js/src/vm/ObjectGroup.cpp
+++ b/js/src/vm/ObjectGroup.cpp
@@ -496,12 +496,7 @@ ObjectGroup::defaultNewGroup(ExclusiveContext* cx, const Class* clasp,
 
             // Canonicalize new functions to use the original one associated with its script.
             JSFunction* fun = &associated->as<JSFunction>();
-            if (fun->hasScript())
-                associated = fun->nonLazyScript()->functionNonDelazifying();
-            else if (fun->isInterpretedLazy() && !fun->isSelfHostedBuiltin())
-                associated = fun->lazyScript()->functionNonDelazifying();
-            else
-                associated = nullptr;
+            associated = associated->as<JSFunction>().maybeCanonicalFunction();
 
             // If we have previously cleared the 'new' script information for this
             // function, don't try to construct another one.
diff --git a/js/src/vm/TypeInference.cpp b/js/src/vm/TypeInference.cpp
index c86345d9c..4775a2dea 100644
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@@ -3603,6 +3603,10 @@ TypeNewScript::make(JSContext* cx, ObjectGroup* group, JSFunction* fun)
     MOZ_ASSERT(!group->newScript());
     MOZ_ASSERT(!group->maybeUnboxedLayout());
 
+    // rollbackPartiallyInitializedObjects expects function_ to be
+    // canonicalized.
+    MOZ_ASSERT(fun->maybeCanonicalFunction() == fun);
+
     if (group->unknownProperties())
         return true;
 
@@ -3958,8 +3962,15 @@ TypeNewScript::rollbackPartiallyInitializedObjects(JSContext* cx, ObjectGroup* g
                 oomUnsafe.crash("rollbackPartiallyInitializedObjects");
         }
 
-        if (!iter.isConstructing() || !iter.matchCallee(cx, function))
+        if (!iter.isConstructing()) {
+            continue;
+        }
+
+        MOZ_ASSERT(iter.calleeTemplate()->maybeCanonicalFunction());
+
+        if (iter.calleeTemplate()->maybeCanonicalFunction() != function) {
             continue;
+        }
 
         // Derived class constructors initialize their this-binding later and
         // we shouldn't run the definite properties analysis on them.
diff --git a/layout/build/nsLayoutStatics.cpp b/layout/build/nsLayoutStatics.cpp
index 0306626c4..0f4560afe 100644
--- a/layout/build/nsLayoutStatics.cpp
+++ b/layout/build/nsLayoutStatics.cpp
@@ -92,10 +92,6 @@
 #include "nsSynthVoiceRegistry.h"
 #endif
 
-#ifdef MOZ_ANDROID_OMX
-#include "AndroidMediaPluginHost.h"
-#endif
-
 #include "CubebUtils.h"
 #include "Latency.h"
 #include "WebAudioUtils.h"
@@ -381,11 +377,6 @@ nsLayoutStatics::Shutdown()
   nsAutoCopyListener::Shutdown();
   FrameLayerBuilder::Shutdown();
 
-
-#ifdef MOZ_ANDROID_OMX
-  AndroidMediaPluginHost::Shutdown();
-#endif
-
   CubebUtils::ShutdownLibrary();
   AsyncLatencyLogger::ShutdownLogger();
   WebAudioUtils::Shutdown();
diff --git a/layout/forms/nsComboboxControlFrame.cpp b/layout/forms/nsComboboxControlFrame.cpp
index f69198cc7..5a9438939 100644
--- a/layout/forms/nsComboboxControlFrame.cpp
+++ b/layout/forms/nsComboboxControlFrame.cpp
@@ -1040,6 +1040,9 @@ nsComboboxControlFrame::HandleRedisplayTextEvent()
   mRedisplayTextEvent.Forget();
 
   ActuallyDisplayText(true);
+  if (!weakThis.IsAlive())
+    return;
+
   // XXXbz This should perhaps be eResize.  Check.
   PresContext()->PresShell()->FrameNeedsReflow(mDisplayFrame,
                                                nsIPresShell::eStyleChange,
diff --git a/media/omx-plugin/OmxPlugin.cpp b/media/omx-plugin/OmxPlugin.cpp
deleted file mode 100644
index ce132b8e2..000000000
--- a/media/omx-plugin/OmxPlugin.cpp
+++ /dev/null
@@ -1,1078 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <stagefright/ColorConverter.h>
-#include <stagefright/DataSource.h>
-#include <stagefright/MediaExtractor.h>
-#include <stagefright/MetaData.h>
-#include <stagefright/OMXCodec.h>
-#include <media/stagefright/MediaErrors.h>
-#include <stagefright/OMXClient.h>
-#include <algorithm>
-
-#include "mozilla/Assertions.h"
-#include "mozilla/Types.h"
-#include "MPAPI.h"
-
-#include "android/log.h"
-
-#define MAX_DECODER_NAME_LEN 256
-#define AVC_MIME_TYPE "video/avc"
-
-#define DEFAULT_STAGEFRIGHT_FLAGS OMXCodec::kClientNeedsFramebuffer
-
-#undef LOG
-#define LOG(args...)  __android_log_print(ANDROID_LOG_INFO, "OmxPlugin" , ## args)
-
-#include <I420ColorConverter.h>
-
-using namespace MPAPI;
-
-#if !defined(MOZ_STAGEFRIGHT_OFF_T)
-#define MOZ_STAGEFRIGHT_OFF_T off64_t
-#endif
-
-using namespace android;
-
-namespace OmxPlugin {
-
-const int OMX_QCOM_COLOR_FormatYVU420PackedSemiPlanar32m4ka = 0x7FA30C01;
-const int OMX_QCOM_COLOR_FormatYVU420SemiPlanar = 0x7FA30C00;
-const int OMX_TI_COLOR_FormatYUV420PackedSemiPlanar = 0x7F000100;
-
-class OmxDecoder {
-  PluginHost *mPluginHost;
-  Decoder *mDecoder;
-  sp<MediaSource> mVideoTrack;
-  sp<MediaSource> mVideoSource;
-  sp<MediaSource> mAudioTrack;
-  sp<MediaSource> mAudioSource;
-  int32_t mVideoWidth;
-  int32_t mVideoHeight;
-  int32_t mVideoColorFormat;
-  int32_t mVideoStride;
-  int32_t mVideoSliceHeight;
-  int32_t mVideoCropLeft;
-  int32_t mVideoCropTop;
-  int32_t mVideoCropRight;
-  int32_t mVideoCropBottom;
-  int32_t mVideoRotation;
-  int32_t mAudioChannels;
-  int32_t mAudioSampleRate;
-  int64_t mDurationUs;
-  MediaBuffer *mVideoBuffer;
-  VideoFrame mVideoFrame;
-  MediaBuffer *mAudioBuffer;
-  AudioFrame mAudioFrame;
-  ColorConverter *mColorConverter;
-
-  // 'true' if a read from the audio stream was done while reading the metadata
-  bool mAudioMetadataRead;
-
-  void ReleaseVideoBuffer();
-  void ReleaseAudioBuffer();
-
-  void ToVideoFrame_YUV420Planar(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame);
-  void ToVideoFrame_CbYCrY(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame);
-  void ToVideoFrame_YUV420SemiPlanar(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame);
-  void ToVideoFrame_YVU420SemiPlanar(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame);
-  void ToVideoFrame_YUV420PackedSemiPlanar(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame);
-  void ToVideoFrame_YVU420PackedSemiPlanar32m4ka(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame);
-  bool ToVideoFrame_RGB565(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame, BufferCallback *aBufferCallback);
-  bool ToVideoFrame_ColorConverter(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame, BufferCallback *aBufferCallback);
-  bool ToVideoFrame_I420ColorConverter(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame, BufferCallback *aBufferCallback);
-  bool ToVideoFrame(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame, BufferCallback *aBufferCallback);
-  bool ToAudioFrame(AudioFrame *aFrame, int64_t aTimeUs, void *aData, size_t aDataOffset, size_t aSize,
-                    int32_t aAudioChannels, int32_t aAudioSampleRate);
-public:
-  OmxDecoder(PluginHost *aPluginHost, Decoder *aDecoder);
-  ~OmxDecoder();
-
-  bool Init();
-  bool SetVideoFormat();
-  bool SetAudioFormat();
-
-  void GetDuration(int64_t *durationUs) {
-    *durationUs = mDurationUs;
-  }
-
-  void GetVideoParameters(int32_t *width, int32_t *height) {
-    *width = mVideoWidth;
-    *height = mVideoHeight;
-  }
-
-  void GetAudioParameters(int32_t *numChannels, int32_t *sampleRate) {
-    *numChannels = mAudioChannels;
-    *sampleRate = mAudioSampleRate;
-  }
-
-  bool HasVideo() {
-    return mVideoSource != nullptr;
-  }
-
-  bool HasAudio() {
-    return mAudioSource != nullptr;
-  }
-
-  bool ReadVideo(VideoFrame *aFrame, int64_t aSeekTimeUs, BufferCallback *aBufferCallback);
-  bool ReadAudio(AudioFrame *aFrame, int64_t aSeekTimeUs);
-};
-
-static class OmxClientInstance {
-public:
-  OmxClientInstance()
-    : mClient(new OMXClient())
-    , mStatus(mClient->connect())
-  {
-  }
-
-  status_t IsValid()
-  {
-    return mStatus == OK;
-  }
-
-  OMXClient *get()
-  {
-    return mClient;
-  }
-
-  ~OmxClientInstance()
-  {
-    if (mStatus == OK) {
-      mClient->disconnect();
-    }
-    delete mClient;
-  }
-
-private:
-  OMXClient *mClient;
-  status_t mStatus;
-} sClientInstance;
-
-OmxDecoder::OmxDecoder(PluginHost *aPluginHost, Decoder *aDecoder) :
-  mPluginHost(aPluginHost),
-  mDecoder(aDecoder),
-  mVideoWidth(0),
-  mVideoHeight(0),
-  mVideoColorFormat(0),
-  mVideoStride(0),
-  mVideoSliceHeight(0),
-  mVideoCropLeft(0),
-  mVideoCropTop(0),
-  mVideoCropRight(0),
-  mVideoCropBottom(0),
-  mVideoRotation(0),
-  mAudioChannels(-1),
-  mAudioSampleRate(-1),
-  mDurationUs(-1),
-  mVideoBuffer(nullptr),
-  mAudioBuffer(nullptr),
-  mColorConverter(nullptr),
-  mAudioMetadataRead(false)
-{
-}
-
-OmxDecoder::~OmxDecoder()
-{
-  ReleaseVideoBuffer();
-  ReleaseAudioBuffer();
-
-  if (mVideoSource.get()) {
-    mVideoSource->stop();
-  }
-
-  if (mAudioSource.get()) {
-    mAudioSource->stop();
-  }
-
-  if (mColorConverter) {
-    delete mColorConverter;
-  }
-}
-
-class AutoStopMediaSource {
-  sp<MediaSource> mMediaSource;
-public:
-  AutoStopMediaSource(sp<MediaSource> aMediaSource) : mMediaSource(aMediaSource) {
-  }
-
-  ~AutoStopMediaSource() {
-    mMediaSource->stop();
-  }
-};
-
-static uint32_t
-GetDefaultStagefrightFlags(PluginHost *aPluginHost)
-{
-  uint32_t flags = DEFAULT_STAGEFRIGHT_FLAGS;
-
-  char hardware[256] = "";
-  aPluginHost->GetSystemInfoString("hardware", hardware, sizeof(hardware));
-
-  if (!strcmp("qcom", hardware) ||
-      !strncmp("mt", hardware, 2)) {
-    // Qualcomm's OMXCodec implementation interprets this flag to mean that we
-    // only want a thumbnail and therefore only need one frame. After the first
-    // frame it returns EOS.
-    // Some MediaTek chipsets have also been found to do the same.
-    // All other OMXCodec implementations seen so far interpret this flag
-    // sanely; some do not return full framebuffers unless this flag is passed.
-    flags &= ~OMXCodec::kClientNeedsFramebuffer;
-  }
-
-  LOG("Hardware %s; using default flags %#x\n", hardware, flags);
-
-  return flags;
-}
-
-static uint32_t GetVideoCreationFlags(PluginHost* aPluginHost)
-{
-  // Check whether the user has set a pref to override our default OMXCodec
-  // CreationFlags flags. This is useful for A/B testing hardware and software
-  // decoders for performance and bugs. The interesting flag values are:
-  //  0 = Let Stagefright choose hardware or software decoding (default)
-  //  8 = Force software decoding
-  // 16 = Force hardware decoding
-  int32_t flags = 0;
-  aPluginHost->GetIntPref("media.stagefright.omxcodec.flags", &flags);
-  if (flags != 0) {
-    LOG("media.stagefright.omxcodec.flags=%d", flags);
-    if ((flags & OMXCodec::kHardwareCodecsOnly) != 0) {
-      LOG("FORCE HARDWARE DECODING");
-    } else if ((flags & OMXCodec::kSoftwareCodecsOnly) != 0) {
-      LOG("FORCE SOFTWARE DECODING");
-    }
-  }
-
-  flags |= GetDefaultStagefrightFlags(aPluginHost);
-
-  return static_cast<uint32_t>(flags);
-}
-
-enum ColorFormatSupport {
-  ColorFormatNotSupported = 0,
-  ColorFormatSupportOK,
-  ColorFormatSupportPreferred,
-};
-
-static ColorFormatSupport
-IsColorFormatSupported(OMX_COLOR_FORMATTYPE aColorFormat)
-{
-  switch (static_cast<int>(aColorFormat)) {
-    case OMX_COLOR_FormatCbYCrY:
-    case OMX_COLOR_FormatYUV420Planar:
-    case OMX_COLOR_FormatYUV420SemiPlanar:
-    case OMX_QCOM_COLOR_FormatYVU420PackedSemiPlanar32m4ka:
-    case OMX_QCOM_COLOR_FormatYVU420SemiPlanar:
-    case OMX_TI_COLOR_FormatYUV420PackedSemiPlanar:
-      LOG("Colour format %#x supported natively.", aColorFormat);
-      // Prefer natively supported colour formats over formats that need another
-      // slow software conversion.
-      return ColorFormatSupportPreferred;
-    default:
-      break;
-  }
-
-  // These formats are okay if we can't find a better one; Android provides a
-  // software conversion to a sane colour format.
-  if (ColorConverter(aColorFormat, OMX_COLOR_Format16bitRGB565).isValid()) {
-    LOG("Colour format %#x supported by Android ColorConverter.", aColorFormat);
-    return ColorFormatSupportOK;
-  }
-
-  I420ColorConverter yuvConverter;
-
-  if (yuvConverter.isLoaded() &&
-      yuvConverter.getDecoderOutputFormat() == aColorFormat) {
-    LOG("Colour format %#x supported by Android I420ColorConverter.", aColorFormat);
-    return ColorFormatSupportOK;
-  }
-
-  return ColorFormatNotSupported;
-}
-
-#if defined(MOZ_ANDROID_KK)
-/**
- * Look for a decoder that supports a colour format that we support.
- */
-static bool
-FindPreferredDecoderAndColorFormat(const sp<IOMX>& aOmx,
-                                   char *aDecoderName,
-                                   size_t aDecoderLen,
-                                   OMX_COLOR_FORMATTYPE *aColorFormat)
-{
-  Vector<CodecCapabilities> codecs;
-
-  // Get all AVC decoder/colour format pairs that this device supports.
-  QueryCodecs(aOmx, AVC_MIME_TYPE, true /* queryDecoders */, &codecs);
-
-  // We assume that faster (hardware accelerated) decoders come first in the
-  // list, so we choose the first decoder with a colour format we can use.
-  for (uint32_t i = 0; i < codecs.size(); i++) {
-    const CodecCapabilities &caps = codecs[i];
-    const Vector<OMX_U32> &colors = caps.mColorFormats;
-
-    bool found = false;
-    for (uint32_t j = 0; j < colors.size(); j++) {
-      OMX_COLOR_FORMATTYPE color = (OMX_COLOR_FORMATTYPE)colors[j];
-
-      LOG("Decoder %s can output colour format %#x.\n",
-          caps.mComponentName.string(), color);
-
-      ColorFormatSupport supported = IsColorFormatSupported(color);
-
-      if (supported) {
-        strncpy(aDecoderName, caps.mComponentName.string(), aDecoderLen);
-        *aColorFormat = color;
-        found = true;
-      }
-
-      if (supported == ColorFormatSupportPreferred) {
-        // The colour format is natively supported -- that's as good as we're
-        // going to get.
-        break;
-      }
-    }
-
-    if (found) {
-      return true;
-    }
-  }
-
-  return false;
-}
-#endif
-
-static sp<MediaSource> CreateVideoSource(PluginHost* aPluginHost,
-                                         const sp<IOMX>& aOmx,
-                                         const sp<MediaSource>& aVideoTrack)
-{
-  uint32_t flags = GetVideoCreationFlags(aPluginHost);
-
-  char decoderName[MAX_DECODER_NAME_LEN] = "";
-  sp<MetaData> videoFormat = aVideoTrack->getFormat();
-
-#if defined(MOZ_ANDROID_KK)
-  OMX_COLOR_FORMATTYPE colorFormat = (OMX_COLOR_FORMATTYPE)0;
-  if (FindPreferredDecoderAndColorFormat(aOmx,
-                                         decoderName, sizeof(decoderName),
-                                         &colorFormat)) {
-    // We found a colour format that we can handle. Tell OMXCodec to use it in
-    // case it isn't the default.
-    videoFormat->setInt32(kKeyColorFormat, colorFormat);
-
-    LOG("Found compatible decoder %s with colour format %#x.\n",
-        decoderName, colorFormat);
-  }
-#endif
-
-  if (flags == DEFAULT_STAGEFRIGHT_FLAGS) {
-    // Let Stagefright choose hardware or software decoder.
-    sp<MediaSource> videoSource = OMXCodec::Create(aOmx, videoFormat,
-                                                   false, aVideoTrack,
-                                                   decoderName[0] ? decoderName : nullptr,
-                                                   flags);
-    if (videoSource == nullptr)
-      return nullptr;
-
-    // Now that OMXCodec has parsed the video's AVCDecoderConfigurationRecord,
-    // check whether we know how to decode this video.
-    int32_t videoColorFormat;
-    if (videoSource->getFormat()->findInt32(kKeyColorFormat, &videoColorFormat)) {
-
-      if (IsColorFormatSupported((OMX_COLOR_FORMATTYPE)videoColorFormat)) {
-        return videoSource;
-      }
-
-      // We need to implement a ToVideoFrame_*() color conversion
-      // function for this video color format.
-      LOG("Unknown video color format: %#x", videoColorFormat);
-    } else {
-      LOG("Video color format not found");
-    }
-
-    // Throw away the videoSource and try again with new flags.
-    LOG("Falling back to software decoder");
-    videoSource.clear();
-    flags = DEFAULT_STAGEFRIGHT_FLAGS | OMXCodec::kSoftwareCodecsOnly;
-  }
-
-  MOZ_ASSERT(flags != DEFAULT_STAGEFRIGHT_FLAGS);
-  return OMXCodec::Create(aOmx, aVideoTrack->getFormat(), false, aVideoTrack,
-                          nullptr, flags);
-}
-
-bool OmxDecoder::Init()
-{
-#if defined(MOZ_WIDGET_ANDROID)
-  // OMXClient::connect() always returns OK and aborts fatally if
-  // it can't connect. We may need to implement the connect functionality
-  // ourselves if this proves to be an issue.
-  if (!sClientInstance.IsValid()) {
-    LOG("OMXClient failed to connect");
-    return false;
-  }
-#endif
-
-  //register sniffers, if they are not registered in this process.
-  DataSource::RegisterDefaultSniffers();
-
-  sp<DataSource> dataSource =
-    DataSource::CreateFromURI(static_cast<char*>(mDecoder->mResource));
-  if (!dataSource.get() || dataSource->initCheck()) {
-    return false;
-  }
-
-  sp<MediaExtractor> extractor = MediaExtractor::Create(dataSource);
-  if (extractor == nullptr) {
-    return false;
-  }
-
-  ssize_t audioTrackIndex = -1;
-  ssize_t videoTrackIndex = -1;
-  const char *audioMime = nullptr;
-  const char *videoMime = nullptr;
-
-  for (size_t i = 0; i < extractor->countTracks(); ++i) {
-    sp<MetaData> meta = extractor->getTrackMetaData(i);
-
-    const char *mime;
-    if (!meta->findCString(kKeyMIMEType, &mime)) {
-      continue;
-    }
-
-    if (videoTrackIndex == -1 && !strncasecmp(mime, "video/", 6)) {
-      videoTrackIndex = i;
-      videoMime = mime;
-    } else if (audioTrackIndex == -1 && !strncasecmp(mime, "audio/", 6)) {
-      audioTrackIndex = i;
-      audioMime = mime;
-    }
-  }
-
-  if (videoTrackIndex == -1 && audioTrackIndex == -1) {
-    return false;
-  }
-
-  int64_t totalDurationUs = 0;
-
-  sp<IOMX> omx = sClientInstance.get()->interface();
-
-  sp<MediaSource> videoTrack;
-  sp<MediaSource> videoSource;
-  if (videoTrackIndex != -1 && (videoTrack = extractor->getTrack(videoTrackIndex)) != nullptr) {
-    videoSource = CreateVideoSource(mPluginHost, omx, videoTrack);
-    if (videoSource == nullptr) {
-      LOG("OMXCodec failed to initialize video decoder for \"%s\"", videoMime);
-      return false;
-    }
-    status_t status = videoSource->start();
-    if (status != OK) {
-      LOG("videoSource->start() failed with status %#x", status);
-      return false;
-    }
-    int64_t durationUs;
-    if (videoTrack->getFormat()->findInt64(kKeyDuration, &durationUs)) {
-      if (durationUs < 0)
-        LOG("video duration %lld should be nonnegative", durationUs);
-      if (durationUs > totalDurationUs)
-        totalDurationUs = durationUs;
-    }
-  }
-
-  sp<MediaSource> audioTrack;
-  sp<MediaSource> audioSource;
-  if (audioTrackIndex != -1 && (audioTrack = extractor->getTrack(audioTrackIndex)) != nullptr)
-  {
-    if (!strcasecmp(audioMime, "audio/raw")) {
-      audioSource = audioTrack;
-    } else {
-      audioSource = OMXCodec::Create(omx,
-                                     audioTrack->getFormat(),
-                                     false, // decoder
-                                     audioTrack);
-    }
-
-    if (audioSource == nullptr) {
-      LOG("OMXCodec failed to initialize audio decoder for \"%s\"", audioMime);
-      return false;
-    }
-
-    status_t status = audioSource->start();
-    if (status != OK) {
-      LOG("audioSource->start() failed with status %#x", status);
-      return false;
-    }
-
-    int64_t durationUs;
-    if (audioTrack->getFormat()->findInt64(kKeyDuration, &durationUs)) {
-      if (durationUs < 0)
-        LOG("audio duration %lld should be nonnegative", durationUs);
-      if (durationUs > totalDurationUs)
-        totalDurationUs = durationUs;
-    }
-  }
-
-  // set decoder state
-  mVideoTrack = videoTrack;
-  mVideoSource = videoSource;
-  mAudioTrack = audioTrack;
-  mAudioSource = audioSource;
-  mDurationUs = totalDurationUs;
-
-  if (mVideoSource.get() && !SetVideoFormat())
-    return false;
-
-  // To reliably get the channel and sample rate data we need to read from the
-  // audio source until we get a INFO_FORMAT_CHANGE status
-  if (mAudioSource.get()) {
-    if (mAudioSource->read(&mAudioBuffer) != INFO_FORMAT_CHANGED) {
-      sp<MetaData> meta = mAudioSource->getFormat();
-      if (!meta->findInt32(kKeyChannelCount, &mAudioChannels) ||
-          !meta->findInt32(kKeySampleRate, &mAudioSampleRate)) {
-        return false;
-      }
-      mAudioMetadataRead = true;
-
-      if (mAudioChannels < 0) {
-        LOG("audio channel count %d must be nonnegative", mAudioChannels);
-        return false;
-      }
-
-      if (mAudioSampleRate < 0) {
-        LOG("audio sample rate %d must be nonnegative", mAudioSampleRate);
-        return false;
-      }
-    }
-    else if (!SetAudioFormat()) {
-        return false;
-    }
-  }
-  return true;
-}
-
-bool OmxDecoder::SetVideoFormat() {
-  sp<MetaData> format = mVideoSource->getFormat();
-
-  // Stagefright's kKeyWidth and kKeyHeight are what MPAPI calls stride and
-  // slice height. Stagefright only seems to use its kKeyStride and
-  // kKeySliceHeight to initialize camera video formats.
-
-#if defined(DEBUG)
-  int32_t unexpected;
-  if (format->findInt32(kKeyStride, &unexpected))
-    LOG("Expected kKeyWidth, but found kKeyStride %d", unexpected);
-  if (format->findInt32(kKeySliceHeight, &unexpected))
-    LOG("Expected kKeyHeight, but found kKeySliceHeight %d", unexpected);
-#endif // DEBUG
-
-  const char *componentName;
-
-  if (!format->findInt32(kKeyWidth, &mVideoStride) ||
-      !format->findInt32(kKeyHeight, &mVideoSliceHeight) ||
-      !format->findCString(kKeyDecoderComponent, &componentName) ||
-      !format->findInt32(kKeyColorFormat, &mVideoColorFormat) ) {
-    return false;
-  }
-
-  if (mVideoStride <= 0) {
-    LOG("stride %d must be positive", mVideoStride);
-    return false;
-  }
-
-  if (mVideoSliceHeight <= 0) {
-    LOG("slice height %d must be positive", mVideoSliceHeight);
-    return false;
-  }
-
-  // Gingerbread does not support the kKeyCropRect key
-  if (!format->findRect(kKeyCropRect, &mVideoCropLeft, &mVideoCropTop,
-                                      &mVideoCropRight, &mVideoCropBottom)) {
-    mVideoCropLeft = 0;
-    mVideoCropTop = 0;
-    mVideoCropRight = mVideoStride - 1;
-    mVideoCropBottom = mVideoSliceHeight - 1;
-    LOG("crop rect not available, assuming no cropping");
-  }
-
-  if (mVideoCropLeft < 0 || mVideoCropLeft >= mVideoCropRight || mVideoCropRight >= mVideoStride ||
-      mVideoCropTop < 0 || mVideoCropTop >= mVideoCropBottom || mVideoCropBottom >= mVideoSliceHeight) {
-    LOG("invalid crop rect %d,%d-%d,%d", mVideoCropLeft, mVideoCropTop, mVideoCropRight, mVideoCropBottom);
-    return false;
-  }
-
-  mVideoWidth = mVideoCropRight - mVideoCropLeft + 1;
-  mVideoHeight = mVideoCropBottom - mVideoCropTop + 1;
-  MOZ_ASSERT(mVideoWidth > 0 && mVideoWidth <= mVideoStride);
-  MOZ_ASSERT(mVideoHeight > 0 && mVideoHeight <= mVideoSliceHeight);
-
-  if (!format->findInt32(kKeyRotation, &mVideoRotation)) {
-    mVideoRotation = 0;
-    LOG("rotation not available, assuming 0");
-  }
-
-  if (mVideoRotation != 0 && mVideoRotation != 90 &&
-      mVideoRotation != 180 && mVideoRotation != 270) {
-    LOG("invalid rotation %d, assuming 0", mVideoRotation);
-  }
-
-  LOG("width: %d height: %d component: %s format: %#x stride: %d sliceHeight: %d rotation: %d crop: %d,%d-%d,%d",
-      mVideoWidth, mVideoHeight, componentName, mVideoColorFormat,
-      mVideoStride, mVideoSliceHeight, mVideoRotation,
-      mVideoCropLeft, mVideoCropTop, mVideoCropRight, mVideoCropBottom);
-
-  return true;
-}
-
-bool OmxDecoder::SetAudioFormat() {
-  // If the format changed, update our cached info.
-  if (!mAudioSource->getFormat()->findInt32(kKeyChannelCount, &mAudioChannels) ||
-      !mAudioSource->getFormat()->findInt32(kKeySampleRate, &mAudioSampleRate)) {
-    return false;
-  }
-
-  LOG("channelCount: %d sampleRate: %d", mAudioChannels, mAudioSampleRate);
-
-  if (mAudioChannels < 0) {
-    LOG("audio channel count %d must be nonnegative", mAudioChannels);
-    return false;
-  }
-
-  if (mAudioSampleRate < 0) {
-    LOG("audio sample rate %d must be nonnegative", mAudioSampleRate);
-    return false;
-  }
-
-  return true;
-}
-
-void OmxDecoder::ReleaseVideoBuffer() {
-  if (mVideoBuffer) {
-    mVideoBuffer->release();
-    mVideoBuffer = nullptr;
-  }
-}
-
-void OmxDecoder::ReleaseAudioBuffer() {
-  if (mAudioBuffer) {
-    mAudioBuffer->release();
-    mAudioBuffer = nullptr;
-  }
-}
-
-void OmxDecoder::ToVideoFrame_YUV420Planar(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame) {
-  void *y = aData;
-  void *u = static_cast<uint8_t *>(y) + mVideoStride * mVideoSliceHeight;
-  void *v = static_cast<uint8_t *>(u) + mVideoStride/2 * mVideoSliceHeight/2;
-  aFrame->Set(aTimeUs, aKeyFrame,
-              aData, aSize, mVideoStride, mVideoSliceHeight, mVideoRotation,
-              y, mVideoStride, mVideoWidth, mVideoHeight, 0, 0,
-              u, mVideoStride/2, mVideoWidth/2, mVideoHeight/2, 0, 0,
-              v, mVideoStride/2, mVideoWidth/2, mVideoHeight/2, 0, 0);
-}
-
-void OmxDecoder::ToVideoFrame_CbYCrY(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame) {
-  aFrame->Set(aTimeUs, aKeyFrame,
-              aData, aSize, mVideoStride, mVideoSliceHeight, mVideoRotation,
-              aData, mVideoStride, mVideoWidth, mVideoHeight, 1, 1,
-              aData, mVideoStride, mVideoWidth/2, mVideoHeight/2, 0, 3,
-              aData, mVideoStride, mVideoWidth/2, mVideoHeight/2, 2, 3);
-}
-
-void OmxDecoder::ToVideoFrame_YUV420SemiPlanar(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame) {
-  int32_t videoStride = mVideoStride;
-  int32_t videoSliceHeight = mVideoSliceHeight;
-
-  // OMX.SEC.avcdec rounds mVideoStride and mVideoSliceHeight up to the nearest
-  // multiple of 16 but the data itself is too small to fit. What we do is check
-  // to see if the video size patches the raw width and height. If so we can
-  // use those figures instead.
-
-  if (static_cast<int>(aSize) == mVideoWidth * mVideoHeight * 3 / 2) {
-    videoStride = mVideoWidth;
-    videoSliceHeight = mVideoHeight;
-  }
-
-  void *y = aData;
-  void *uv = static_cast<uint8_t *>(y) + (videoStride * videoSliceHeight);
-  aFrame->Set(aTimeUs, aKeyFrame,
-              aData, aSize, videoStride, videoSliceHeight, mVideoRotation,
-              y, videoStride, mVideoWidth, mVideoHeight, 0, 0,
-              uv, videoStride, mVideoWidth/2, mVideoHeight/2, 0, 1,
-              uv, videoStride, mVideoWidth/2, mVideoHeight/2, 1, 1);
-}
-
-void OmxDecoder::ToVideoFrame_YVU420SemiPlanar(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame) {
-  ToVideoFrame_YUV420SemiPlanar(aFrame, aTimeUs, aData, aSize, aKeyFrame);
-  aFrame->Cb.mOffset = 1;
-  aFrame->Cr.mOffset = 0;
-}
-
-void OmxDecoder::ToVideoFrame_YUV420PackedSemiPlanar(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame) {
-  void *y = aData;
-  void *uv = static_cast<uint8_t *>(y) + mVideoStride * (mVideoSliceHeight - mVideoCropTop/2);
-  aFrame->Set(aTimeUs, aKeyFrame,
-              aData, aSize, mVideoStride, mVideoSliceHeight, mVideoRotation,
-              y, mVideoStride, mVideoWidth, mVideoHeight, 0, 0,
-              uv, mVideoStride, mVideoWidth/2, mVideoHeight/2, 0, 1,
-              uv, mVideoStride, mVideoWidth/2, mVideoHeight/2, 1, 1);
-}
-
-void OmxDecoder::ToVideoFrame_YVU420PackedSemiPlanar32m4ka(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame) {
-  size_t roundedSliceHeight = (mVideoSliceHeight + 31) & ~31;
-  size_t roundedStride = (mVideoStride + 31) & ~31;
-  void *y = aData;
-  void *uv = static_cast<uint8_t *>(y) + (roundedStride * roundedSliceHeight);
-  aFrame->Set(aTimeUs, aKeyFrame,
-              aData, aSize, mVideoStride, mVideoSliceHeight, mVideoRotation,
-              y, mVideoStride, mVideoWidth, mVideoHeight, 0, 0,
-              uv, mVideoStride, mVideoWidth/2, mVideoHeight/2, 1, 1,
-              uv, mVideoStride, mVideoWidth/2, mVideoHeight/2, 0, 1);
-}
-
-bool OmxDecoder::ToVideoFrame_RGB565(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame, BufferCallback *aBufferCallback) {
-  void *buffer = (*aBufferCallback)(mVideoWidth, mVideoHeight, MPAPI::RGB565);
-
-  if (!buffer) {
-    return false;
-  }
-
-  aFrame->mTimeUs = aTimeUs;
-
-  memcpy(buffer, aData, mVideoWidth * mVideoHeight * 2);
-
-  aFrame->mSize = mVideoWidth * mVideoHeight * 2;
-
-  return true;
-}
-
-bool OmxDecoder::ToVideoFrame_ColorConverter(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame, BufferCallback *aBufferCallback) {
-  if (!mColorConverter) {
-    mColorConverter = new ColorConverter((OMX_COLOR_FORMATTYPE)mVideoColorFormat,
-                                         OMX_COLOR_Format16bitRGB565);
-  }
-
-  if (!mColorConverter->isValid()) {
-    return false;
-  }
-
-  aFrame->mTimeUs = aTimeUs;
-
-  void *buffer = (*aBufferCallback)(mVideoWidth, mVideoHeight, MPAPI::RGB565);
-
-  if (!buffer) {
-    return false;
-  }
-
-  aFrame->mSize = mVideoWidth * mVideoHeight * 2;
-
-  mColorConverter->convert(aData, mVideoStride, mVideoSliceHeight,
-                           mVideoCropLeft, mVideoCropTop,
-                           mVideoCropLeft + mVideoWidth - 1,
-                           mVideoCropTop + mVideoHeight - 1,
-                           buffer, mVideoWidth, mVideoHeight,
-                           0, 0, mVideoWidth - 1, mVideoHeight - 1);
-
-  return true;
-}
-
-bool OmxDecoder::ToVideoFrame_I420ColorConverter(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame, BufferCallback *aBufferCallback)
-{
-  I420ColorConverter yuvConverter;
-
-  if (!yuvConverter.isLoaded()) {
-    return false;
-  }
-
-  if (yuvConverter.getDecoderOutputFormat() != mVideoColorFormat) {
-    return false;
-  }
-
-  void *buffer = (*aBufferCallback)(mVideoWidth, mVideoHeight, MPAPI::I420);
-
-  ARect crop = { mVideoCropLeft, mVideoCropTop, mVideoCropRight, mVideoCropBottom };
-  int result = yuvConverter.convertDecoderOutputToI420(aData,
-                                                       mVideoWidth,
-                                                       mVideoHeight,
-                                                       crop,
-                                                       buffer);
-
-  // result is 0 on success, -1 otherwise.
-  if (result == OK) {
-    aFrame->mTimeUs = aTimeUs;
-    aFrame->mSize = mVideoWidth * mVideoHeight * 3 / 2;
-  }
-
-  return result == OK;
-}
-
-bool OmxDecoder::ToVideoFrame(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame, BufferCallback *aBufferCallback) {
-  switch (mVideoColorFormat) {
-  case OMX_COLOR_FormatYUV420Planar: // e.g. Asus Transformer, Stagefright's software decoder
-    ToVideoFrame_YUV420Planar(aFrame, aTimeUs, aData, aSize, aKeyFrame);
-    break;
-  case OMX_COLOR_FormatCbYCrY: // e.g. Droid 1
-    ToVideoFrame_CbYCrY(aFrame, aTimeUs, aData, aSize, aKeyFrame);
-    break;
-  case OMX_COLOR_FormatYUV420SemiPlanar: // e.g. Galaxy S III
-    ToVideoFrame_YUV420SemiPlanar(aFrame, aTimeUs, aData, aSize, aKeyFrame);
-    break;
-  case OMX_QCOM_COLOR_FormatYVU420SemiPlanar: // e.g. Nexus One
-    ToVideoFrame_YVU420SemiPlanar(aFrame, aTimeUs, aData, aSize, aKeyFrame);
-    break;
-  case OMX_QCOM_COLOR_FormatYVU420PackedSemiPlanar32m4ka: // e.g. Otoro
-    ToVideoFrame_YVU420PackedSemiPlanar32m4ka(aFrame, aTimeUs, aData, aSize, aKeyFrame);
-    break;
-  case OMX_TI_COLOR_FormatYUV420PackedSemiPlanar: // e.g. Galaxy Nexus
-    ToVideoFrame_YUV420PackedSemiPlanar(aFrame, aTimeUs, aData, aSize, aKeyFrame);
-    break;
-  case OMX_COLOR_Format16bitRGB565:
-    return ToVideoFrame_RGB565(aFrame, aTimeUs, aData, aSize, aKeyFrame, aBufferCallback);
-    break;
-  default:
-    if (!ToVideoFrame_ColorConverter(aFrame, aTimeUs, aData, aSize, aKeyFrame, aBufferCallback) &&
-        !ToVideoFrame_I420ColorConverter(aFrame, aTimeUs, aData, aSize, aKeyFrame, aBufferCallback)) {
-      LOG("Unknown video color format: %#x", mVideoColorFormat);
-      return false;
-    }
-  }
-  return true;
-}
-
-bool OmxDecoder::ToAudioFrame(AudioFrame *aFrame, int64_t aTimeUs, void *aData, size_t aDataOffset, size_t aSize, int32_t aAudioChannels, int32_t aAudioSampleRate)
-{
-  aFrame->Set(aTimeUs, reinterpret_cast<char *>(aData) + aDataOffset, aSize, aAudioChannels, aAudioSampleRate);
-  return true;
-}
-
-class ReadOptions : public MediaSource::ReadOptions
-{
-  // HTC have their own version of ReadOptions with extra fields. If we don't
-  // have this here, HTCOMXCodec will corrupt our stack.
-  uint32_t sadface[16];
-};
-
-bool OmxDecoder::ReadVideo(VideoFrame *aFrame, int64_t aSeekTimeUs,
-                           BufferCallback *aBufferCallback)
-{
-  MOZ_ASSERT(aSeekTimeUs >= -1);
-
-  if (!mVideoSource.get())
-    return false;
-
-  ReleaseVideoBuffer();
-
-  status_t err;
-
-  if (aSeekTimeUs != -1) {
-    ReadOptions options;
-    options.setSeekTo(aSeekTimeUs);
-    err = mVideoSource->read(&mVideoBuffer, &options);
-  } else {
-    err = mVideoSource->read(&mVideoBuffer);
-  }
-
-  aFrame->mSize = 0;
-
-  if (err == OK && mVideoBuffer->range_length() > 0) {
-    int64_t timeUs;
-    int32_t keyFrame;
-
-    if (!mVideoBuffer->meta_data()->findInt64(kKeyTime, &timeUs) ) {
-      LOG("no frame time");
-      return false;
-    }
-
-    if (timeUs < 0) {
-      LOG("frame time %lld must be nonnegative", timeUs);
-      return false;
-    }
-
-    if (!mVideoBuffer->meta_data()->findInt32(kKeyIsSyncFrame, &keyFrame)) {
-       keyFrame = 0;
-    }
-
-    char *data = reinterpret_cast<char *>(mVideoBuffer->data()) + mVideoBuffer->range_offset();
-    size_t length = mVideoBuffer->range_length();
-
-    if (!ToVideoFrame(aFrame, timeUs, data, length, keyFrame, aBufferCallback)) {
-      return false;
-    }
-  }
-  else if (err == INFO_FORMAT_CHANGED) {
-    // If the format changed, update our cached info.
-    LOG("mVideoSource INFO_FORMAT_CHANGED");
-    if (!SetVideoFormat())
-      return false;
-    else
-      return ReadVideo(aFrame, aSeekTimeUs, aBufferCallback);
-  }
-  else if (err == ERROR_END_OF_STREAM) {
-    LOG("mVideoSource END_OF_STREAM");
-  }
-  else if (err != OK) {
-    LOG("mVideoSource ERROR %#x", err);
-  }
-
-  return err == OK;
-}
-
-bool OmxDecoder::ReadAudio(AudioFrame *aFrame, int64_t aSeekTimeUs)
-{
-  MOZ_ASSERT(aSeekTimeUs >= -1);
-
-  status_t err;
-  if (mAudioMetadataRead && aSeekTimeUs == -1) {
-    // Use the data read into the buffer during metadata time
-    err = OK;
-  }
-  else {
-    ReleaseAudioBuffer();
-    if (aSeekTimeUs != -1) {
-      ReadOptions options;
-      options.setSeekTo(aSeekTimeUs);
-      err = mAudioSource->read(&mAudioBuffer, &options);
-    } else {
-      err = mAudioSource->read(&mAudioBuffer);
-    }
-  }
-  mAudioMetadataRead = false;
-
-  aSeekTimeUs = -1;
-
-  if (err == OK && mAudioBuffer->range_length() != 0) {
-    int64_t timeUs;
-    if (!mAudioBuffer->meta_data()->findInt64(kKeyTime, &timeUs)) {
-      LOG("no frame time");
-      return false;
-    }
-
-    if (timeUs < 0) {
-      LOG("frame time %lld must be nonnegative", timeUs);
-      return false;
-    }
-
-    return ToAudioFrame(aFrame, timeUs,
-                        mAudioBuffer->data(),
-                        mAudioBuffer->range_offset(),
-                        mAudioBuffer->range_length(),
-                        mAudioChannels, mAudioSampleRate);
-  }
-  else if (err == INFO_FORMAT_CHANGED) {
-    // If the format changed, update our cached info.
-    LOG("mAudioSource INFO_FORMAT_CHANGED");
-    if (!SetAudioFormat())
-      return false;
-    else
-      return ReadAudio(aFrame, aSeekTimeUs);
-  }
-  else if (err == ERROR_END_OF_STREAM) {
-    LOG("mAudioSource END_OF_STREAM");
-  }
-  else if (err != OK) {
-    LOG("mAudioSource ERROR %#x", err);
-  }
-
-  return err == OK;
-}
-
-static OmxDecoder *cast(Decoder *decoder) {
-  return reinterpret_cast<OmxDecoder *>(decoder->mPrivate);
-}
-
-static void GetDuration(Decoder *aDecoder, int64_t *durationUs) {
-  cast(aDecoder)->GetDuration(durationUs);
-}
-
-static void GetVideoParameters(Decoder *aDecoder, int32_t *width, int32_t *height) {
-  cast(aDecoder)->GetVideoParameters(width, height);
-}
-
-static void GetAudioParameters(Decoder *aDecoder, int32_t *numChannels, int32_t *sampleRate) {
-  cast(aDecoder)->GetAudioParameters(numChannels, sampleRate);
-}
-
-static bool HasVideo(Decoder *aDecoder) {
-  return cast(aDecoder)->HasVideo();
-}
-
-static bool HasAudio(Decoder *aDecoder) {
-  return cast(aDecoder)->HasAudio();
-}
-
-static bool ReadVideo(Decoder *aDecoder, VideoFrame *aFrame, int64_t aSeekTimeUs, BufferCallback *aBufferCallback)
-{
-  return cast(aDecoder)->ReadVideo(aFrame, aSeekTimeUs, aBufferCallback);
-}
-
-static bool ReadAudio(Decoder *aDecoder, AudioFrame *aFrame, int64_t aSeekTimeUs)
-{
-  return cast(aDecoder)->ReadAudio(aFrame, aSeekTimeUs);
-}
-
-static void DestroyDecoder(Decoder *aDecoder)
-{
-  if (aDecoder->mPrivate)
-    delete reinterpret_cast<OmxDecoder *>(aDecoder->mPrivate);
-}
-
-static bool Match(const char *aMimeChars, size_t aMimeLen, const char *aNeedle)
-{
-  return !strncmp(aMimeChars, aNeedle, aMimeLen);
-}
-
-static const char* const gCodecs[] = {
-  "avc1.42E01E",  // H.264 Constrained Baseline Profile Level 3.0
-  "avc1.42001E",  // H.264 Baseline Profile Level 3.0
-  "avc1.42001F",  // H.264 Baseline Profile Level 3.1
-  "avc1.4D401E",  // H.264 Main Profile Level 3.0
-  "avc1.4D401F",  // H.264 Main Profile Level 3.1
-  "mp4a.40.2",    // AAC-LC
-  nullptr
-};
-
-static bool CanDecode(const char *aMimeChars, size_t aMimeLen, const char* const**aCodecs)
-{
-  if (!Match(aMimeChars, aMimeLen, "video/mp4") &&
-      !Match(aMimeChars, aMimeLen, "audio/mp4") &&
-      !Match(aMimeChars, aMimeLen, "audio/mpeg") &&
-      !Match(aMimeChars, aMimeLen, "application/octet-stream")) { // file urls
-    return false;
-  }
-  *aCodecs = gCodecs;
-
-  return true;
-}
-
-static bool CreateDecoder(PluginHost *aPluginHost, Decoder *aDecoder, const char *aMimeChars, size_t aMimeLen)
-{
-  OmxDecoder *omx = new OmxDecoder(aPluginHost, aDecoder);
-  if (!omx || !omx->Init()) {
-    if (omx)
-      delete omx;
-    return false;
-  }
-
-  aDecoder->mPrivate = omx;
-  aDecoder->GetDuration = GetDuration;
-  aDecoder->GetVideoParameters = GetVideoParameters;
-  aDecoder->GetAudioParameters = GetAudioParameters;
-  aDecoder->HasVideo = HasVideo;
-  aDecoder->HasAudio = HasAudio;
-  aDecoder->ReadVideo = ReadVideo;
-  aDecoder->ReadAudio = ReadAudio;
-  aDecoder->DestroyDecoder = DestroyDecoder;
-
-  return true;
-}
-
-} // namespace OmxPlugin
-
-// Export the manifest so MPAPI can find our entry points.
-Manifest MOZ_EXPORT MPAPI_MANIFEST = {
-  OmxPlugin::CanDecode,
-  OmxPlugin::CreateDecoder
-};
diff --git a/media/omx-plugin/include/ics/I420ColorConverter.h b/media/omx-plugin/include/ics/I420ColorConverter.h
deleted file mode 100644
index 8d48e44b4..000000000
--- a/media/omx-plugin/include/ics/I420ColorConverter.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2011 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef I420_COLOR_CONVERTER_H
-#define I420_COLOR_CONVERTER_H
-
-#include <II420ColorConverter.h>
-
-// This is a wrapper around the I420 color converter functions in
-// II420ColorConverter, which is loaded from a shared library.
-class I420ColorConverter: public II420ColorConverter {
-public:
-    I420ColorConverter();
-    ~I420ColorConverter();
-
-    // Returns true if the converter functions are successfully loaded.
-    bool isLoaded();
-private:
-    void* mHandle;
-};
-
-#endif /* I420_COLOR_CONVERTER_H */
diff --git a/media/omx-plugin/include/ics/II420ColorConverter.h b/media/omx-plugin/include/ics/II420ColorConverter.h
deleted file mode 100644
index 0e3fe8285..000000000
--- a/media/omx-plugin/include/ics/II420ColorConverter.h
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright (C) 2011 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef II420_COLOR_CONVERTER_H
-
-#define II420_COLOR_CONVERTER_H
-
-#include <stdint.h>
-#include <android/rect.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef struct II420ColorConverter {
-
-    /*
-     * getDecoderOutputFormat
-     * Returns the color format (OMX_COLOR_FORMATTYPE) of the decoder output.
-     * If it is I420 (OMX_COLOR_FormatYUV420Planar), no conversion is needed,
-     * and convertDecoderOutputToI420() can be a no-op.
-     */
-    int (*getDecoderOutputFormat)();
-
-    /*
-     * convertDecoderOutputToI420
-     * @Desc     Converts from the decoder output format to I420 format.
-     * @note     Caller (e.g. VideoEditor) owns the buffers
-     * @param    decoderBits   (IN) Pointer to the buffer contains decoder output
-     * @param    decoderWidth  (IN) Buffer width, as reported by the decoder
-     *                              metadata (kKeyWidth)
-     * @param    decoderHeight (IN) Buffer height, as reported by the decoder
-     *                              metadata (kKeyHeight)
-     * @param    decoderRect   (IN) The rectangle of the actual frame, as
-     *                              reported by decoder metadata (kKeyCropRect)
-     * @param    dstBits      (OUT) Pointer to the output I420 buffer
-     * @return   -1 Any error
-     * @return   0  No Error
-     */
-    int (*convertDecoderOutputToI420)(
-        void* decoderBits, int decoderWidth, int decoderHeight,
-        ARect decoderRect, void* dstBits);
-
-    /*
-     * getEncoderIntputFormat
-     * Returns the color format (OMX_COLOR_FORMATTYPE) of the encoder input.
-     * If it is I420 (OMX_COLOR_FormatYUV420Planar), no conversion is needed,
-     * and convertI420ToEncoderInput() and getEncoderInputBufferInfo() can
-     * be no-ops.
-     */
-    int (*getEncoderInputFormat)();
-
-    /* convertI420ToEncoderInput
-     * @Desc     This function converts from I420 to the encoder input format
-     * @note     Caller (e.g. VideoEditor) owns the buffers
-     * @param    srcBits       (IN) Pointer to the input I420 buffer
-     * @param    srcWidth      (IN) Width of the I420 frame
-     * @param    srcHeight     (IN) Height of the I420 frame
-     * @param    encoderWidth  (IN) Encoder buffer width, as calculated by
-     *                              getEncoderBufferInfo()
-     * @param    encoderHeight (IN) Encoder buffer height, as calculated by
-     *                              getEncoderBufferInfo()
-     * @param    encoderRect   (IN) Rect coordinates of the actual frame inside
-     *                              the encoder buffer, as calculated by
-     *                              getEncoderBufferInfo().
-     * @param    encoderBits  (OUT) Pointer to the output buffer. The size of
-     *                              this buffer is calculated by
-     *                              getEncoderBufferInfo()
-     * @return   -1 Any error
-     * @return   0  No Error
-     */
-    int (*convertI420ToEncoderInput)(
-        void* srcBits, int srcWidth, int srcHeight,
-        int encoderWidth, int encoderHeight, ARect encoderRect,
-        void* encoderBits);
-
-    /* getEncoderInputBufferInfo
-     * @Desc     This function returns metadata for the encoder input buffer
-     *           based on the actual I420 frame width and height.
-     * @note     This API should be be used to obtain the necessary information
-     *           before calling convertI420ToEncoderInput().
-     *           VideoEditor knows only the width and height of the I420 buffer,
-     *           but it also needs know the width, height, and size of the
-     *           encoder input buffer. The encoder input buffer width and height
-     *           are used to set the metadata for the encoder.
-     * @param    srcWidth      (IN) Width of the I420 frame
-     * @param    srcHeight     (IN) Height of the I420 frame
-     * @param    encoderWidth  (OUT) Encoder buffer width needed
-     * @param    encoderHeight (OUT) Encoder buffer height needed
-     * @param    encoderRect   (OUT) Rect coordinates of the actual frame inside
-     *                               the encoder buffer
-     * @param    encoderBufferSize  (OUT) The size of the buffer that need to be
-     *                              allocated by the caller before invoking
-     *                              convertI420ToEncoderInput().
-     * @return   -1 Any error
-     * @return   0  No Error
-     */
-    int (*getEncoderInputBufferInfo)(
-        int srcWidth, int srcHeight,
-        int* encoderWidth, int* encoderHeight,
-        ARect* encoderRect, int* encoderBufferSize);
-
-} II420ColorConverter;
-
-/* The only function that the shared library needs to expose: It fills the
-   function pointers in II420ColorConverter */
-void getI420ColorConverter(II420ColorConverter *converter);
-
-#if defined(__cplusplus)
-}
-#endif
-
-#endif  // II420_COLOR_CONVERTER_H
-
diff --git a/media/omx-plugin/include/ics/README_MOZILLA b/media/omx-plugin/include/ics/README_MOZILLA
deleted file mode 100644
index be389e6d6..000000000
--- a/media/omx-plugin/include/ics/README_MOZILLA
+++ /dev/null
@@ -1,4 +0,0 @@
-The source from this directory was copied from the Android OS source.
-Patches have been applied on top of the original source.
-
-The git branch used from AOSP was android-4.0.4_r2.1.
diff --git a/media/omx-plugin/include/ics/android/native_window.h b/media/omx-plugin/include/ics/android/native_window.h
deleted file mode 100644
index 2f4f2d33b..000000000
--- a/media/omx-plugin/include/ics/android/native_window.h
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Copyright (C) 2010 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_NATIVE_WINDOW_H
-#define ANDROID_NATIVE_WINDOW_H
-
-#include <android/rect.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * Pixel formats that a window can use.
- */
-enum {
-    WINDOW_FORMAT_RGBA_8888          = 1,
-    WINDOW_FORMAT_RGBX_8888          = 2,
-    WINDOW_FORMAT_RGB_565            = 4,
-};
-
-struct ANativeWindow;
-typedef struct ANativeWindow ANativeWindow;
-
-typedef struct ANativeWindow_Buffer {
-    // The number of pixels that are show horizontally.
-    int32_t width;
-
-    // The number of pixels that are shown vertically.
-    int32_t height;
-
-    // The number of *pixels* that a line in the buffer takes in
-    // memory.  This may be >= width.
-    int32_t stride;
-
-    // The format of the buffer.  One of WINDOW_FORMAT_*
-    int32_t format;
-
-    // The actual bits.
-    void* bits;
-    
-    // Do not touch.
-    uint32_t reserved[6];
-} ANativeWindow_Buffer;
-
-/**
- * Acquire a reference on the given ANativeWindow object.  This prevents the object
- * from being deleted until the reference is removed.
- */
-void ANativeWindow_acquire(ANativeWindow* window);
-
-/**
- * Remove a reference that was previously acquired with ANativeWindow_acquire().
- */
-void ANativeWindow_release(ANativeWindow* window);
-
-/*
- * Return the current width in pixels of the window surface.  Returns a
- * negative value on error.
- */
-int32_t ANativeWindow_getWidth(ANativeWindow* window);
-
-/*
- * Return the current height in pixels of the window surface.  Returns a
- * negative value on error.
- */
-int32_t ANativeWindow_getHeight(ANativeWindow* window);
-
-/*
- * Return the current pixel format of the window surface.  Returns a
- * negative value on error.
- */
-int32_t ANativeWindow_getFormat(ANativeWindow* window);
-
-/*
- * Change the format and size of the window buffers.
- *
- * The width and height control the number of pixels in the buffers, not the
- * dimensions of the window on screen.  If these are different than the
- * window's physical size, then it buffer will be scaled to match that size
- * when compositing it to the screen.
- *
- * For all of these parameters, if 0 is supplied then the window's base
- * value will come back in force.
- *
- * width and height must be either both zero or both non-zero.
- *
- */
-int32_t ANativeWindow_setBuffersGeometry(ANativeWindow* window,
-        int32_t width, int32_t height, int32_t format);
-
-/**
- * Lock the window's next drawing surface for writing.
- * inOutDirtyBounds is used as an in/out parameter, upon entering the
- * function, it contains the dirty region, that is, the region the caller
- * intends to redraw. When the function returns, inOutDirtyBounds is updated
- * with the actual area the caller needs to redraw -- this region is often
- * extended by ANativeWindow_lock.
- */
-int32_t ANativeWindow_lock(ANativeWindow* window, ANativeWindow_Buffer* outBuffer,
-        ARect* inOutDirtyBounds);
-
-/**
- * Unlock the window's drawing surface after previously locking it,
- * posting the new buffer to the display.
- */
-int32_t ANativeWindow_unlockAndPost(ANativeWindow* window);
-
-#ifdef __cplusplus
-};
-#endif
-
-#endif // ANDROID_NATIVE_WINDOW_H
diff --git a/media/omx-plugin/include/ics/android/rect.h b/media/omx-plugin/include/ics/android/rect.h
deleted file mode 100644
index 64d487dc2..000000000
--- a/media/omx-plugin/include/ics/android/rect.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (C) 2010 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-
-#ifndef ANDROID_RECT_H
-#define ANDROID_RECT_H
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef struct ARect {
-#ifdef __cplusplus
-    typedef int32_t value_type;
-#endif
-    int32_t left;
-    int32_t top;
-    int32_t right;
-    int32_t bottom;
-} ARect;
-
-#ifdef __cplusplus
-};
-#endif
-
-#endif // ANDROID_RECT_H
diff --git a/media/omx-plugin/include/ics/binder/Binder.h b/media/omx-plugin/include/ics/binder/Binder.h
deleted file mode 100644
index ba3ac4b99..000000000
--- a/media/omx-plugin/include/ics/binder/Binder.h
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * Copyright (C) 2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_BINDER_H
-#define ANDROID_BINDER_H
-
-#include <binder/IBinder.h>
-
-// ---------------------------------------------------------------------------
-namespace android {
-
-class BBinder : public IBinder
-{
-public:
-                        BBinder();
-
-    virtual const String16& getInterfaceDescriptor() const;
-    virtual bool        isBinderAlive() const;
-    virtual status_t    pingBinder();
-    virtual status_t    dump(int fd, const Vector<String16>& args);
-
-    virtual status_t    transact(   uint32_t code,
-                                    const Parcel& data,
-                                    Parcel* reply,
-                                    uint32_t flags = 0);
-
-    virtual status_t    linkToDeath(const sp<DeathRecipient>& recipient,
-                                    void* cookie = NULL,
-                                    uint32_t flags = 0);
-
-    virtual status_t    unlinkToDeath(  const wp<DeathRecipient>& recipient,
-                                        void* cookie = NULL,
-                                        uint32_t flags = 0,
-                                        wp<DeathRecipient>* outRecipient = NULL);
-
-    virtual void        attachObject(   const void* objectID,
-                                        void* object,
-                                        void* cleanupCookie,
-                                        object_cleanup_func func);
-    virtual void*       findObject(const void* objectID) const;
-    virtual void        detachObject(const void* objectID);
-
-    virtual BBinder*    localBinder();
-
-protected:
-    virtual             ~BBinder();
-
-    virtual status_t    onTransact( uint32_t code,
-                                    const Parcel& data,
-                                    Parcel* reply,
-                                    uint32_t flags = 0);
-
-private:
-                        BBinder(const BBinder& o);
-            BBinder&    operator=(const BBinder& o);
-
-    class Extras;
-
-            Extras*     mExtras;
-            void*       mReserved0;
-};
-
-// ---------------------------------------------------------------------------
-
-class BpRefBase : public virtual RefBase
-{
-protected:
-                            BpRefBase(const sp<IBinder>& o);
-    virtual                 ~BpRefBase();
-    virtual void            onFirstRef();
-    virtual void            onLastStrongRef(const void* id);
-    virtual bool            onIncStrongAttempted(uint32_t flags, const void* id);
-
-    inline  IBinder*        remote()                { return mRemote; }
-    inline  IBinder*        remote() const          { return mRemote; }
-
-private:
-                            BpRefBase(const BpRefBase& o);
-    BpRefBase&              operator=(const BpRefBase& o);
-
-    IBinder* const          mRemote;
-    RefBase::weakref_type*  mRefs;
-    volatile int32_t        mState;
-};
-
-}; // namespace android
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_BINDER_H
diff --git a/media/omx-plugin/include/ics/binder/IBinder.h b/media/omx-plugin/include/ics/binder/IBinder.h
deleted file mode 100644
index 81b56c2b2..000000000
--- a/media/omx-plugin/include/ics/binder/IBinder.h
+++ /dev/null
@@ -1,159 +0,0 @@
-/*
- * Copyright (C) 2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_IBINDER_H
-#define ANDROID_IBINDER_H
-
-#include <utils/Errors.h>
-#include <utils/RefBase.h>
-#include <utils/String16.h>
-#include <utils/Vector.h>
-
-
-#define B_PACK_CHARS(c1, c2, c3, c4) \
-    ((((c1)<<24)) | (((c2)<<16)) | (((c3)<<8)) | (c4))
-
-// ---------------------------------------------------------------------------
-namespace android {
-
-class BBinder;
-class BpBinder;
-class IInterface;
-class Parcel;
-
-/**
- * Base class and low-level protocol for a remotable object.
- * You can derive from this class to create an object for which other
- * processes can hold references to it.  Communication between processes
- * (method calls, property get and set) is down through a low-level
- * protocol implemented on top of the transact() API.
- */
-class IBinder : public virtual RefBase
-{
-public:
-    enum {
-        FIRST_CALL_TRANSACTION  = 0x00000001,
-        LAST_CALL_TRANSACTION   = 0x00ffffff,
-
-        PING_TRANSACTION        = B_PACK_CHARS('_','P','N','G'),
-        DUMP_TRANSACTION        = B_PACK_CHARS('_','D','M','P'),
-        INTERFACE_TRANSACTION   = B_PACK_CHARS('_', 'N', 'T', 'F'),
-
-        // Corresponds to TF_ONE_WAY -- an asynchronous call.
-        FLAG_ONEWAY             = 0x00000001
-    };
-
-                          IBinder();
-
-    /**
-     * Check if this IBinder implements the interface named by
-     * @a descriptor.  If it does, the base pointer to it is returned,
-     * which you can safely static_cast<> to the concrete C++ interface.
-     */
-    virtual sp<IInterface>  queryLocalInterface(const String16& descriptor);
-
-    /**
-     * Return the canonical name of the interface provided by this IBinder
-     * object.
-     */
-    virtual const String16& getInterfaceDescriptor() const = 0;
-
-    virtual bool            isBinderAlive() const = 0;
-    virtual status_t        pingBinder() = 0;
-    virtual status_t        dump(int fd, const Vector<String16>& args) = 0;
-
-    virtual status_t        transact(   uint32_t code,
-                                        const Parcel& data,
-                                        Parcel* reply,
-                                        uint32_t flags = 0) = 0;
-
-    /**
-     * This method allows you to add data that is transported through
-     * IPC along with your IBinder pointer.  When implementing a Binder
-     * object, override it to write your desired data in to @a outData.
-     * You can then call getConstantData() on your IBinder to retrieve
-     * that data, from any process.  You MUST return the number of bytes
-     * written in to the parcel (including padding).
-     */
-    class DeathRecipient : public virtual RefBase
-    {
-    public:
-        virtual void binderDied(const wp<IBinder>& who) = 0;
-    };
-
-    /**
-     * Register the @a recipient for a notification if this binder
-     * goes away.  If this binder object unexpectedly goes away
-     * (typically because its hosting process has been killed),
-     * then DeathRecipient::binderDied() will be called with a reference
-     * to this.
-     *
-     * The @a cookie is optional -- if non-NULL, it should be a
-     * memory address that you own (that is, you know it is unique).
-     *
-     * @note You will only receive death notifications for remote binders,
-     * as local binders by definition can't die without you dying as well.
-     * Trying to use this function on a local binder will result in an
-     * INVALID_OPERATION code being returned and nothing happening.
-     *
-     * @note This link always holds a weak reference to its recipient.
-     *
-     * @note You will only receive a weak reference to the dead
-     * binder.  You should not try to promote this to a strong reference.
-     * (Nor should you need to, as there is nothing useful you can
-     * directly do with it now that it has passed on.)
-     */
-    virtual status_t        linkToDeath(const sp<DeathRecipient>& recipient,
-                                        void* cookie = NULL,
-                                        uint32_t flags = 0) = 0;
-
-    /**
-     * Remove a previously registered death notification.
-     * The @a recipient will no longer be called if this object
-     * dies.  The @a cookie is optional.  If non-NULL, you can
-     * supply a NULL @a recipient, and the recipient previously
-     * added with that cookie will be unlinked.
-     */
-    virtual status_t        unlinkToDeath(  const wp<DeathRecipient>& recipient,
-                                            void* cookie = NULL,
-                                            uint32_t flags = 0,
-                                            wp<DeathRecipient>* outRecipient = NULL) = 0;
-
-    virtual bool            checkSubclass(const void* subclassID) const;
-
-    typedef void (*object_cleanup_func)(const void* id, void* obj, void* cleanupCookie);
-
-    virtual void            attachObject(   const void* objectID,
-                                            void* object,
-                                            void* cleanupCookie,
-                                            object_cleanup_func func) = 0;
-    virtual void*           findObject(const void* objectID) const = 0;
-    virtual void            detachObject(const void* objectID) = 0;
-
-    virtual BBinder*        localBinder();
-    virtual BpBinder*       remoteBinder();
-
-protected:
-    virtual          ~IBinder();
-
-private:
-};
-
-}; // namespace android
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_IBINDER_H
diff --git a/media/omx-plugin/include/ics/binder/IInterface.h b/media/omx-plugin/include/ics/binder/IInterface.h
deleted file mode 100644
index 5f9f69c04..000000000
--- a/media/omx-plugin/include/ics/binder/IInterface.h
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-//
-#ifndef ANDROID_IINTERFACE_H
-#define ANDROID_IINTERFACE_H
-
-#include <binder/Binder.h>
-
-namespace android {
-
-// ----------------------------------------------------------------------
-
-class IInterface : public virtual RefBase
-{
-public:
-            IInterface();
-            sp<IBinder>         asBinder();
-            sp<const IBinder>   asBinder() const;
-            
-protected:
-    virtual                     ~IInterface();
-    virtual IBinder*            onAsBinder() = 0;
-};
-
-// ----------------------------------------------------------------------
-
-template<typename INTERFACE>
-inline sp<INTERFACE> interface_cast(const sp<IBinder>& obj)
-{
-    return INTERFACE::asInterface(obj);
-}
-
-// ----------------------------------------------------------------------
-
-template<typename INTERFACE>
-class BnInterface : public INTERFACE, public BBinder
-{
-public:
-    virtual sp<IInterface>      queryLocalInterface(const String16& _descriptor);
-    virtual const String16&     getInterfaceDescriptor() const;
-
-protected:
-    virtual IBinder*            onAsBinder();
-};
-
-// ----------------------------------------------------------------------
-
-template<typename INTERFACE>
-class BpInterface : public INTERFACE, public BpRefBase
-{
-public:
-                                BpInterface(const sp<IBinder>& remote);
-
-protected:
-    virtual IBinder*            onAsBinder();
-};
-
-// ----------------------------------------------------------------------
-
-#define DECLARE_META_INTERFACE(INTERFACE)                               \
-    static const android::String16 descriptor;                          \
-    static android::sp<I##INTERFACE> asInterface(                       \
-            const android::sp<android::IBinder>& obj);                  \
-    virtual const android::String16& getInterfaceDescriptor() const;    \
-    I##INTERFACE();                                                     \
-    virtual ~I##INTERFACE();                                            \
-
-
-#define IMPLEMENT_META_INTERFACE(INTERFACE, NAME)                       \
-    const android::String16 I##INTERFACE::descriptor(NAME);             \
-    const android::String16&                                            \
-            I##INTERFACE::getInterfaceDescriptor() const {              \
-        return I##INTERFACE::descriptor;                                \
-    }                                                                   \
-    android::sp<I##INTERFACE> I##INTERFACE::asInterface(                \
-            const android::sp<android::IBinder>& obj)                   \
-    {                                                                   \
-        android::sp<I##INTERFACE> intr;                                 \
-        if (obj != NULL) {                                              \
-            intr = static_cast<I##INTERFACE*>(                          \
-                obj->queryLocalInterface(                               \
-                        I##INTERFACE::descriptor).get());               \
-            if (intr == NULL) {                                         \
-                intr = new Bp##INTERFACE(obj);                          \
-            }                                                           \
-        }                                                               \
-        return intr;                                                    \
-    }                                                                   \
-    I##INTERFACE::I##INTERFACE() { }                                    \
-    I##INTERFACE::~I##INTERFACE() { }                                   \
-
-
-#define CHECK_INTERFACE(interface, data, reply)                         \
-    if (!data.checkInterface(this)) { return PERMISSION_DENIED; }       \
-
-
-// ----------------------------------------------------------------------
-// No user-serviceable parts after this...
-
-template<typename INTERFACE>
-inline sp<IInterface> BnInterface<INTERFACE>::queryLocalInterface(
-        const String16& _descriptor)
-{
-    if (_descriptor == INTERFACE::descriptor) return this;
-    return NULL;
-}
-
-template<typename INTERFACE>
-inline const String16& BnInterface<INTERFACE>::getInterfaceDescriptor() const
-{
-    return INTERFACE::getInterfaceDescriptor();
-}
-
-template<typename INTERFACE>
-IBinder* BnInterface<INTERFACE>::onAsBinder()
-{
-    return this;
-}
-
-template<typename INTERFACE>
-inline BpInterface<INTERFACE>::BpInterface(const sp<IBinder>& remote)
-    : BpRefBase(remote)
-{
-}
-
-template<typename INTERFACE>
-inline IBinder* BpInterface<INTERFACE>::onAsBinder()
-{
-    return remote();
-}
-    
-// ----------------------------------------------------------------------
-
-}; // namespace android
-
-#endif // ANDROID_IINTERFACE_H
diff --git a/media/omx-plugin/include/ics/cutils/atomic.h b/media/omx-plugin/include/ics/cutils/atomic.h
deleted file mode 100644
index ae42eb8a0..000000000
--- a/media/omx-plugin/include/ics/cutils/atomic.h
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Copyright (C) 2007 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_CUTILS_ATOMIC_H
-#define ANDROID_CUTILS_ATOMIC_H
-
-#include <stdint.h>
-#include <sys/types.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * A handful of basic atomic operations.  The appropriate pthread
- * functions should be used instead of these whenever possible.
- *
- * The "acquire" and "release" terms can be defined intuitively in terms
- * of the placement of memory barriers in a simple lock implementation:
- *   - wait until compare-and-swap(lock-is-free --> lock-is-held) succeeds
- *   - barrier
- *   - [do work]
- *   - barrier
- *   - store(lock-is-free)
- * In very crude terms, the initial (acquire) barrier prevents any of the
- * "work" from happening before the lock is held, and the later (release)
- * barrier ensures that all of the work happens before the lock is released.
- * (Think of cached writes, cache read-ahead, and instruction reordering
- * around the CAS and store instructions.)
- *
- * The barriers must apply to both the compiler and the CPU.  Note it is
- * legal for instructions that occur before an "acquire" barrier to be
- * moved down below it, and for instructions that occur after a "release"
- * barrier to be moved up above it.
- *
- * The ARM-driven implementation we use here is short on subtlety,
- * and actually requests a full barrier from the compiler and the CPU.
- * The only difference between acquire and release is in whether they
- * are issued before or after the atomic operation with which they
- * are associated.  To ease the transition to C/C++ atomic intrinsics,
- * you should not rely on this, and instead assume that only the minimal
- * acquire/release protection is provided.
- *
- * NOTE: all int32_t* values are expected to be aligned on 32-bit boundaries.
- * If they are not, atomicity is not guaranteed.
- */
-
-/*
- * Basic arithmetic and bitwise operations.  These all provide a
- * barrier with "release" ordering, and return the previous value.
- *
- * These have the same characteristics (e.g. what happens on overflow)
- * as the equivalent non-atomic C operations.
- */
-int32_t android_atomic_inc(volatile int32_t* addr);
-int32_t android_atomic_dec(volatile int32_t* addr);
-int32_t android_atomic_add(int32_t value, volatile int32_t* addr);
-int32_t android_atomic_and(int32_t value, volatile int32_t* addr);
-int32_t android_atomic_or(int32_t value, volatile int32_t* addr);
-
-/*
- * Perform an atomic load with "acquire" or "release" ordering.
- *
- * This is only necessary if you need the memory barrier.  A 32-bit read
- * from a 32-bit aligned address is atomic on all supported platforms.
- */
-int32_t android_atomic_acquire_load(volatile const int32_t* addr);
-int32_t android_atomic_release_load(volatile const int32_t* addr);
-
-/*
- * Perform an atomic store with "acquire" or "release" ordering.
- *
- * This is only necessary if you need the memory barrier.  A 32-bit write
- * to a 32-bit aligned address is atomic on all supported platforms.
- */
-void android_atomic_acquire_store(int32_t value, volatile int32_t* addr);
-void android_atomic_release_store(int32_t value, volatile int32_t* addr);
-
-/*
- * Compare-and-set operation with "acquire" or "release" ordering.
- *
- * This returns zero if the new value was successfully stored, which will
- * only happen when *addr == oldvalue.
- *
- * (The return value is inverted from implementations on other platforms,
- * but matches the ARM ldrex/strex result.)
- *
- * Implementations that use the release CAS in a loop may be less efficient
- * than possible, because we re-issue the memory barrier on each iteration.
- */
-int android_atomic_acquire_cas(int32_t oldvalue, int32_t newvalue,
-        volatile int32_t* addr);
-int android_atomic_release_cas(int32_t oldvalue, int32_t newvalue,
-        volatile int32_t* addr);
-
-/*
- * Aliases for code using an older version of this header.  These are now
- * deprecated and should not be used.  The definitions will be removed
- * in a future release.
- */
-#define android_atomic_write android_atomic_release_store
-#define android_atomic_cmpxchg android_atomic_release_cas
-
-#ifdef __cplusplus
-} // extern "C"
-#endif
-
-#endif // ANDROID_CUTILS_ATOMIC_H
diff --git a/media/omx-plugin/include/ics/cutils/log.h b/media/omx-plugin/include/ics/cutils/log.h
deleted file mode 100644
index 42d738296..000000000
--- a/media/omx-plugin/include/ics/cutils/log.h
+++ /dev/null
@@ -1,482 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-//
-// C/C++ logging functions.  See the logging documentation for API details.
-//
-// We'd like these to be available from C code (in case we import some from
-// somewhere), so this has a C interface.
-//
-// The output will be correct when the log file is shared between multiple
-// threads and/or multiple processes so long as the operating system
-// supports O_APPEND.  These calls have mutex-protected data structures
-// and so are NOT reentrant.  Do not use LOG in a signal handler.
-//
-#ifndef _LIBS_CUTILS_LOG_H
-#define _LIBS_CUTILS_LOG_H
-
-#include <stdio.h>
-#include <time.h>
-#include <sys/types.h>
-#include <unistd.h>
-#ifdef HAVE_PTHREADS
-#include <pthread.h>
-#endif
-#include <stdarg.h>
-
-#include <cutils/uio.h>
-#include <cutils/logd.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-// ---------------------------------------------------------------------
-
-/*
- * Normally we strip LOGV (VERBOSE messages) from release builds.
- * You can modify this (for example with "#define LOG_NDEBUG 0"
- * at the top of your source file) to change that behavior.
- */
-#ifndef LOG_NDEBUG
-#ifdef NDEBUG
-#define LOG_NDEBUG 1
-#else
-#define LOG_NDEBUG 0
-#endif
-#endif
-
-/*
- * This is the local tag used for the following simplified
- * logging macros.  You can change this preprocessor definition
- * before using the other macros to change the tag.
- */
-#ifndef LOG_TAG
-#define LOG_TAG NULL
-#endif
-
-// ---------------------------------------------------------------------
-
-/*
- * Simplified macro to send a verbose log message using the current LOG_TAG.
- */
-#ifndef LOGV
-#if LOG_NDEBUG
-#define LOGV(...)   ((void)0)
-#else
-#define LOGV(...) ((void)LOG(LOG_VERBOSE, LOG_TAG, __VA_ARGS__))
-#endif
-#endif
-
-#define CONDITION(cond)     (__builtin_expect((cond)!=0, 0))
-
-#ifndef LOGV_IF
-#if LOG_NDEBUG
-#define LOGV_IF(cond, ...)   ((void)0)
-#else
-#define LOGV_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)LOG(LOG_VERBOSE, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-#endif
-
-/*
- * Simplified macro to send a debug log message using the current LOG_TAG.
- */
-#ifndef LOGD
-#define LOGD(...) ((void)LOG(LOG_DEBUG, LOG_TAG, __VA_ARGS__))
-#endif
-
-#ifndef LOGD_IF
-#define LOGD_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)LOG(LOG_DEBUG, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-
-/*
- * Simplified macro to send an info log message using the current LOG_TAG.
- */
-#ifndef LOGI
-#define LOGI(...) ((void)LOG(LOG_INFO, LOG_TAG, __VA_ARGS__))
-#endif
-
-#ifndef LOGI_IF
-#define LOGI_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)LOG(LOG_INFO, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-
-/*
- * Simplified macro to send a warning log message using the current LOG_TAG.
- */
-#ifndef LOGW
-#define LOGW(...) ((void)LOG(LOG_WARN, LOG_TAG, __VA_ARGS__))
-#endif
-
-#ifndef LOGW_IF
-#define LOGW_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)LOG(LOG_WARN, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-
-/*
- * Simplified macro to send an error log message using the current LOG_TAG.
- */
-#ifndef LOGE
-#define LOGE(...) ((void)LOG(LOG_ERROR, LOG_TAG, __VA_ARGS__))
-#endif
-
-#ifndef LOGE_IF
-#define LOGE_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)LOG(LOG_ERROR, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-
-// ---------------------------------------------------------------------
-
-/*
- * Conditional based on whether the current LOG_TAG is enabled at
- * verbose priority.
- */
-#ifndef IF_LOGV
-#if LOG_NDEBUG
-#define IF_LOGV() if (false)
-#else
-#define IF_LOGV() IF_LOG(LOG_VERBOSE, LOG_TAG)
-#endif
-#endif
-
-/*
- * Conditional based on whether the current LOG_TAG is enabled at
- * debug priority.
- */
-#ifndef IF_LOGD
-#define IF_LOGD() IF_LOG(LOG_DEBUG, LOG_TAG)
-#endif
-
-/*
- * Conditional based on whether the current LOG_TAG is enabled at
- * info priority.
- */
-#ifndef IF_LOGI
-#define IF_LOGI() IF_LOG(LOG_INFO, LOG_TAG)
-#endif
-
-/*
- * Conditional based on whether the current LOG_TAG is enabled at
- * warn priority.
- */
-#ifndef IF_LOGW
-#define IF_LOGW() IF_LOG(LOG_WARN, LOG_TAG)
-#endif
-
-/*
- * Conditional based on whether the current LOG_TAG is enabled at
- * error priority.
- */
-#ifndef IF_LOGE
-#define IF_LOGE() IF_LOG(LOG_ERROR, LOG_TAG)
-#endif
-
-
-// ---------------------------------------------------------------------
-
-/*
- * Simplified macro to send a verbose system log message using the current LOG_TAG.
- */
-#ifndef SLOGV
-#if LOG_NDEBUG
-#define SLOGV(...)   ((void)0)
-#else
-#define SLOGV(...) ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_VERBOSE, LOG_TAG, __VA_ARGS__))
-#endif
-#endif
-
-#define CONDITION(cond)     (__builtin_expect((cond)!=0, 0))
-
-#ifndef SLOGV_IF
-#if LOG_NDEBUG
-#define SLOGV_IF(cond, ...)   ((void)0)
-#else
-#define SLOGV_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_VERBOSE, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-#endif
-
-/*
- * Simplified macro to send a debug system log message using the current LOG_TAG.
- */
-#ifndef SLOGD
-#define SLOGD(...) ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__))
-#endif
-
-#ifndef SLOGD_IF
-#define SLOGD_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-
-/*
- * Simplified macro to send an info system log message using the current LOG_TAG.
- */
-#ifndef SLOGI
-#define SLOGI(...) ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_INFO, LOG_TAG, __VA_ARGS__))
-#endif
-
-#ifndef SLOGI_IF
-#define SLOGI_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_INFO, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-
-/*
- * Simplified macro to send a warning system log message using the current LOG_TAG.
- */
-#ifndef SLOGW
-#define SLOGW(...) ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_WARN, LOG_TAG, __VA_ARGS__))
-#endif
-
-#ifndef SLOGW_IF
-#define SLOGW_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_WARN, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-
-/*
- * Simplified macro to send an error system log message using the current LOG_TAG.
- */
-#ifndef SLOGE
-#define SLOGE(...) ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_ERROR, LOG_TAG, __VA_ARGS__))
-#endif
-
-#ifndef SLOGE_IF
-#define SLOGE_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_ERROR, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-
-    
-
-// ---------------------------------------------------------------------
-
-/*
- * Log a fatal error.  If the given condition fails, this stops program
- * execution like a normal assertion, but also generating the given message.
- * It is NOT stripped from release builds.  Note that the condition test
- * is -inverted- from the normal assert() semantics.
- */
-#ifndef LOG_ALWAYS_FATAL_IF
-#define LOG_ALWAYS_FATAL_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)android_printAssert(#cond, LOG_TAG, ## __VA_ARGS__)) \
-    : (void)0 )
-#endif
-
-#ifndef LOG_ALWAYS_FATAL
-#define LOG_ALWAYS_FATAL(...) \
-    ( ((void)android_printAssert(NULL, LOG_TAG, ## __VA_ARGS__)) )
-#endif
-
-/*
- * Versions of LOG_ALWAYS_FATAL_IF and LOG_ALWAYS_FATAL that
- * are stripped out of release builds.
- */
-#if LOG_NDEBUG
-
-#ifndef LOG_FATAL_IF
-#define LOG_FATAL_IF(cond, ...) ((void)0)
-#endif
-#ifndef LOG_FATAL
-#define LOG_FATAL(...) ((void)0)
-#endif
-
-#else
-
-#ifndef LOG_FATAL_IF
-#define LOG_FATAL_IF(cond, ...) LOG_ALWAYS_FATAL_IF(cond, ## __VA_ARGS__)
-#endif
-#ifndef LOG_FATAL
-#define LOG_FATAL(...) LOG_ALWAYS_FATAL(__VA_ARGS__)
-#endif
-
-#endif
-
-/*
- * Assertion that generates a log message when the assertion fails.
- * Stripped out of release builds.  Uses the current LOG_TAG.
- */
-#ifndef LOG_ASSERT
-#define LOG_ASSERT(cond, ...) LOG_FATAL_IF(!(cond), ## __VA_ARGS__)
-//#define LOG_ASSERT(cond) LOG_FATAL_IF(!(cond), "Assertion failed: " #cond)
-#endif
-
-// ---------------------------------------------------------------------
-
-/*
- * Basic log message macro.
- *
- * Example:
- *  LOG(LOG_WARN, NULL, "Failed with error %d", errno);
- *
- * The second argument may be NULL or "" to indicate the "global" tag.
- */
-#ifndef LOG
-#define LOG(priority, tag, ...) \
-    LOG_PRI(ANDROID_##priority, tag, __VA_ARGS__)
-#endif
-
-/*
- * Log macro that allows you to specify a number for the priority.
- */
-#ifndef LOG_PRI
-#define LOG_PRI(priority, tag, ...) \
-    android_printLog(priority, tag, __VA_ARGS__)
-#endif
-
-/*
- * Log macro that allows you to pass in a varargs ("args" is a va_list).
- */
-#ifndef LOG_PRI_VA
-#define LOG_PRI_VA(priority, tag, fmt, args) \
-    android_vprintLog(priority, NULL, tag, fmt, args)
-#endif
-
-/*
- * Conditional given a desired logging priority and tag.
- */
-#ifndef IF_LOG
-#define IF_LOG(priority, tag) \
-    if (android_testLog(ANDROID_##priority, tag))
-#endif
-
-// ---------------------------------------------------------------------
-
-/*
- * Event logging.
- */
-
-/*
- * Event log entry types.  These must match up with the declarations in
- * java/android/android/util/EventLog.java.
- */
-typedef enum {
-    EVENT_TYPE_INT      = 0,
-    EVENT_TYPE_LONG     = 1,
-    EVENT_TYPE_STRING   = 2,
-    EVENT_TYPE_LIST     = 3,
-} AndroidEventLogType;
-
-
-#ifndef LOG_EVENT_INT
-#define LOG_EVENT_INT(_tag, _value) {                                       \
-        int intBuf = _value;                                                \
-        (void) android_btWriteLog(_tag, EVENT_TYPE_INT, &intBuf,            \
-            sizeof(intBuf));                                                \
-    }
-#endif
-#ifndef LOG_EVENT_LONG
-#define LOG_EVENT_LONG(_tag, _value) {                                      \
-        long long longBuf = _value;                                         \
-        (void) android_btWriteLog(_tag, EVENT_TYPE_LONG, &longBuf,          \
-            sizeof(longBuf));                                               \
-    }
-#endif
-#ifndef LOG_EVENT_STRING
-#define LOG_EVENT_STRING(_tag, _value)                                      \
-    ((void) 0)  /* not implemented -- must combine len with string */
-#endif
-/* TODO: something for LIST */
-
-/*
- * ===========================================================================
- *
- * The stuff in the rest of this file should not be used directly.
- */
-
-#define android_printLog(prio, tag, fmt...) \
-    __android_log_print(prio, tag, fmt)
-
-#define android_vprintLog(prio, cond, tag, fmt...) \
-    __android_log_vprint(prio, tag, fmt)
-
-/* XXX Macros to work around syntax errors in places where format string
- * arg is not passed to LOG_ASSERT, LOG_ALWAYS_FATAL or LOG_ALWAYS_FATAL_IF
- * (happens only in debug builds).
- */
-
-/* Returns 2nd arg.  Used to substitute default value if caller's vararg list
- * is empty.
- */
-#define __android_second(dummy, second, ...)     second
-
-/* If passed multiple args, returns ',' followed by all but 1st arg, otherwise
- * returns nothing.
- */
-#define __android_rest(first, ...)               , ## __VA_ARGS__
-
-#define android_printAssert(cond, tag, fmt...) \
-    __android_log_assert(cond, tag, \
-        __android_second(0, ## fmt, NULL) __android_rest(fmt))
-
-#define android_writeLog(prio, tag, text) \
-    __android_log_write(prio, tag, text)
-
-#define android_bWriteLog(tag, payload, len) \
-    __android_log_bwrite(tag, payload, len)
-#define android_btWriteLog(tag, type, payload, len) \
-    __android_log_btwrite(tag, type, payload, len)
-
-// TODO: remove these prototypes and their users
-#define android_testLog(prio, tag) (1)
-#define android_writevLog(vec,num) do{}while(0)
-#define android_write1Log(str,len) do{}while (0)
-#define android_setMinPriority(tag, prio) do{}while(0)
-//#define android_logToCallback(func) do{}while(0)
-#define android_logToFile(tag, file) (0)
-#define android_logToFd(tag, fd) (0)
-
-typedef enum {
-    LOG_ID_MAIN = 0,
-    LOG_ID_RADIO = 1,
-    LOG_ID_EVENTS = 2,
-    LOG_ID_SYSTEM = 3,
-
-    LOG_ID_MAX
-} log_id_t;
-
-/*
- * Send a simple string to the log.
- */
-int __android_log_buf_write(int bufID, int prio, const char *tag, const char *text);
-int __android_log_buf_print(int bufID, int prio, const char *tag, const char *fmt, ...);
-
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif // _LIBS_CUTILS_LOG_H
diff --git a/media/omx-plugin/include/ics/cutils/logd.h b/media/omx-plugin/include/ics/cutils/logd.h
deleted file mode 100644
index 8737639cc..000000000
--- a/media/omx-plugin/include/ics/cutils/logd.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef _ANDROID_CUTILS_LOGD_H
-#define _ANDROID_CUTILS_LOGD_H
-
-/* the stable/frozen log-related definitions have been
- * moved to this header, which is exposed by the NDK
- */
-#include <android/log.h>
-
-/* the rest is only used internally by the system */
-#include <time.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <stdint.h>
-#include <sys/types.h>
-#ifdef HAVE_PTHREADS
-#include <pthread.h>
-#endif
-#include <cutils/uio.h>
-#include <stdarg.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-int __android_log_bwrite(int32_t tag, const void *payload, size_t len);
-int __android_log_btwrite(int32_t tag, char type, const void *payload,
-    size_t len);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* _LOGD_H */
diff --git a/media/omx-plugin/include/ics/cutils/native_handle.h b/media/omx-plugin/include/ics/cutils/native_handle.h
deleted file mode 100644
index 268c5d3f5..000000000
--- a/media/omx-plugin/include/ics/cutils/native_handle.h
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef NATIVE_HANDLE_H_
-#define NATIVE_HANDLE_H_
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef struct native_handle
-{
-    int version;        /* sizeof(native_handle_t) */
-    int numFds;         /* number of file-descriptors at &data[0] */
-    int numInts;        /* number of ints at &data[numFds] */
-    int data[0];        /* numFds + numInts ints */
-} native_handle_t;
-
-/*
- * native_handle_close
- * 
- * closes the file descriptors contained in this native_handle_t
- * 
- * return 0 on success, or a negative error code on failure
- * 
- */
-int native_handle_close(const native_handle_t* h);
-
-
-/*
- * native_handle_create
- * 
- * creates a native_handle_t and initializes it. must be destroyed with
- * native_handle_delete().
- * 
- */
-native_handle_t* native_handle_create(int numFds, int numInts);
-
-/*
- * native_handle_delete
- * 
- * frees a native_handle_t allocated with native_handle_create().
- * This ONLY frees the memory allocated for the native_handle_t, but doesn't
- * close the file descriptors; which can be achieved with native_handle_close().
- * 
- * return 0 on success, or a negative error code on failure
- * 
- */
-int native_handle_delete(native_handle_t* h);
-
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* NATIVE_HANDLE_H_ */
diff --git a/media/omx-plugin/include/ics/cutils/uio.h b/media/omx-plugin/include/ics/cutils/uio.h
deleted file mode 100644
index 01a74d26f..000000000
--- a/media/omx-plugin/include/ics/cutils/uio.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (C) 2007 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-//
-// implementation of sys/uio.h for platforms that don't have it (Win32)
-//
-#ifndef _LIBS_CUTILS_UIO_H
-#define _LIBS_CUTILS_UIO_H
-
-#ifdef HAVE_SYS_UIO_H
-#include <sys/uio.h>
-#else
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include <stddef.h>
-
-struct iovec {
-    const void*  iov_base;
-    size_t       iov_len;
-};
-
-extern int  readv( int  fd, struct iovec*  vecs, int  count );
-extern int  writev( int  fd, const struct iovec*  vecs, int  count );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* !HAVE_SYS_UIO_H */
-
-#endif /* _LIBS_UTILS_UIO_H */
-
diff --git a/media/omx-plugin/include/ics/drm/DrmManagerClient.h b/media/omx-plugin/include/ics/drm/DrmManagerClient.h
deleted file mode 100644
index b8fe46d08..000000000
--- a/media/omx-plugin/include/ics/drm/DrmManagerClient.h
+++ /dev/null
@@ -1,377 +0,0 @@
-/*
- * Copyright (C) 2010 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef __DRM_MANAGER_CLIENT_H__
-#define __DRM_MANAGER_CLIENT_H__
-
-#include <utils/threads.h>
-#include <binder/IInterface.h>
-#include "drm_framework_common.h"
-
-namespace android {
-
-class DrmInfo;
-class DrmRights;
-class DrmMetadata;
-class DrmInfoEvent;
-class DrmInfoStatus;
-class DrmInfoRequest;
-class DrmSupportInfo;
-class DrmConstraints;
-class DrmConvertedStatus;
-class DrmManagerClientImpl;
-
-/**
- * The Native application will instantiate this class and access DRM Framework
- * services through this class.
- *
- */
-class DrmManagerClient {
-public:
-    DrmManagerClient();
-
-    virtual ~DrmManagerClient();
-
-public:
-    class OnInfoListener: virtual public RefBase {
-
-    public:
-        virtual ~OnInfoListener() {}
-
-    public:
-        virtual void onInfo(const DrmInfoEvent& event) = 0;
-    };
-
-/**
- * APIs which will be used by native modules (e.g. StageFright)
- *
- */
-public:
-    /**
-     * Open the decrypt session to decrypt the given protected content
-     *
-     * @param[in] fd File descriptor of the protected content to be decrypted
-     * @param[in] offset Start position of the content
-     * @param[in] length The length of the protected content
-     * @return
-     *     Handle for the decryption session
-     */
-    sp<DecryptHandle> openDecryptSession(int fd, off64_t offset, off64_t length);
-
-    /**
-     * Open the decrypt session to decrypt the given protected content
-     *
-     * @param[in] uri Path of the protected content to be decrypted
-     * @return
-     *     Handle for the decryption session
-     */
-    sp<DecryptHandle> openDecryptSession(const char* uri);
-
-    /**
-     * Close the decrypt session for the given handle
-     *
-     * @param[in] decryptHandle Handle for the decryption session
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure
-     */
-    status_t closeDecryptSession(sp<DecryptHandle> &decryptHandle);
-
-    /**
-     * Consumes the rights for a content.
-     * If the reserve parameter is true the rights is reserved until the same
-     * application calls this api again with the reserve parameter set to false.
-     *
-     * @param[in] decryptHandle Handle for the decryption session
-     * @param[in] action Action to perform. (Action::DEFAULT, Action::PLAY, etc)
-     * @param[in] reserve True if the rights should be reserved.
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure.
-     *     In case license has been expired, DRM_ERROR_LICENSE_EXPIRED will be returned.
-     */
-    status_t consumeRights(sp<DecryptHandle> &decryptHandle, int action, bool reserve);
-
-    /**
-     * Informs the DRM engine about the playback actions performed on the DRM files.
-     *
-     * @param[in] decryptHandle Handle for the decryption session
-     * @param[in] playbackStatus Playback action (Playback::START, Playback::STOP, Playback::PAUSE)
-     * @param[in] position Position in the file (in milliseconds) where the start occurs.
-     *                     Only valid together with Playback::START.
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure
-     */
-    status_t setPlaybackStatus(
-            sp<DecryptHandle> &decryptHandle, int playbackStatus, int64_t position);
-
-    /**
-     * Initialize decryption for the given unit of the protected content
-     *
-     * @param[in] decryptHandle Handle for the decryption session
-     * @param[in] decryptUnitId ID which specifies decryption unit, such as track ID
-     * @param[in] headerInfo Information for initializing decryption of this decrypUnit
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure
-     */
-    status_t initializeDecryptUnit(
-            sp<DecryptHandle> &decryptHandle, int decryptUnitId, const DrmBuffer* headerInfo);
-
-    /**
-     * Decrypt the protected content buffers for the given unit
-     * This method will be called any number of times, based on number of
-     * encrypted streams received from application.
-     *
-     * @param[in] decryptHandle Handle for the decryption session
-     * @param[in] decryptUnitId ID which specifies decryption unit, such as track ID
-     * @param[in] encBuffer Encrypted data block
-     * @param[out] decBuffer Decrypted data block
-     * @param[in] IV Optional buffer
-     * @return status_t
-     *     Returns the error code for this API
-     *     DRM_NO_ERROR for success, and one of DRM_ERROR_UNKNOWN, DRM_ERROR_LICENSE_EXPIRED
-     *     DRM_ERROR_SESSION_NOT_OPENED, DRM_ERROR_DECRYPT_UNIT_NOT_INITIALIZED,
-     *     DRM_ERROR_DECRYPT for failure.
-     */
-    status_t decrypt(
-            sp<DecryptHandle> &decryptHandle, int decryptUnitId,
-            const DrmBuffer* encBuffer, DrmBuffer** decBuffer, DrmBuffer* IV = NULL);
-
-    /**
-     * Finalize decryption for the given unit of the protected content
-     *
-     * @param[in] decryptHandle Handle for the decryption session
-     * @param[in] decryptUnitId ID which specifies decryption unit, such as track ID
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure
-     */
-    status_t finalizeDecryptUnit(
-            sp<DecryptHandle> &decryptHandle, int decryptUnitId);
-
-    /**
-     * Reads the specified number of bytes from an open DRM file.
-     *
-     * @param[in] decryptHandle Handle for the decryption session
-     * @param[out] buffer Reference to the buffer that should receive the read data.
-     * @param[in] numBytes Number of bytes to read.
-     * @param[in] offset Offset with which to update the file position.
-     *
-     * @return Number of bytes read. Returns -1 for Failure.
-     */
-    ssize_t pread(sp<DecryptHandle> &decryptHandle,
-            void* buffer, ssize_t numBytes, off64_t offset);
-
-    /**
-     * Validates whether an action on the DRM content is allowed or not.
-     *
-     * @param[in] path Path of the protected content
-     * @param[in] action Action to validate. (Action::DEFAULT, Action::PLAY, etc)
-     * @param[in] description Detailed description of the action
-     * @return true if the action is allowed.
-     */
-    bool validateAction(const String8& path, int action, const ActionDescription& description);
-
-/**
- * APIs which are just the underlying implementation for the Java API
- *
- */
-public:
-    /**
-     * Register a callback to be invoked when the caller required to
-     * receive necessary information
-     *
-     * @param[in] infoListener Listener
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure
-     */
-    status_t setOnInfoListener(const sp<DrmManagerClient::OnInfoListener>& infoListener);
-
-    /**
-     * Get constraint information associated with input content
-     *
-     * @param[in] path Path of the protected content
-     * @param[in] action Actions defined such as,
-     *             Action::DEFAULT, Action::PLAY, etc
-     * @return DrmConstraints
-     *     key-value pairs of constraint are embedded in it
-     * @note
-     *     In case of error, return NULL
-     */
-    DrmConstraints* getConstraints(const String8* path, const int action);
-
-    /**
-     * Get metadata information associated with input content
-     *
-     * @param[in] path Path of the protected content
-     * @return DrmMetadata
-     *         key-value pairs of metadata
-     * @note
-     *     In case of error, return NULL
-     */
-    DrmMetadata* getMetadata(const String8* path);
-
-    /**
-     * Check whether the given mimetype or path can be handled
-     *
-     * @param[in] path Path of the content needs to be handled
-     * @param[in] mimetype Mimetype of the content needs to be handled
-     * @return
-     *     True if DrmManager can handle given path or mime type.
-     */
-    bool canHandle(const String8& path, const String8& mimeType);
-
-    /**
-     * Executes given drm information based on its type
-     *
-     * @param[in] drmInfo Information needs to be processed
-     * @return DrmInfoStatus
-     *     instance as a result of processing given input
-     */
-    DrmInfoStatus* processDrmInfo(const DrmInfo* drmInfo);
-
-    /**
-     * Retrieves necessary information for registration, unregistration or rights
-     * acquisition information.
-     *
-     * @param[in] drmInfoRequest Request information to retrieve drmInfo
-     * @return DrmInfo
-     *     instance as a result of processing given input
-     */
-    DrmInfo* acquireDrmInfo(const DrmInfoRequest* drmInfoRequest);
-
-    /**
-     * Save DRM rights to specified rights path
-     * and make association with content path
-     *
-     * @param[in] drmRights DrmRights to be saved
-     * @param[in] rightsPath File path where rights to be saved
-     * @param[in] contentPath File path where content was saved
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure
-     */
-    status_t saveRights(
-        const DrmRights& drmRights, const String8& rightsPath, const String8& contentPath);
-
-    /**
-     * Retrieves the mime type embedded inside the original content
-     *
-     * @param[in] path the path of the protected content
-     * @return String8
-     *     Returns mime-type of the original content, such as "video/mpeg"
-     */
-    String8 getOriginalMimeType(const String8& path);
-
-    /**
-     * Retrieves the type of the protected object (content, rights, etc..)
-     * by using specified path or mimetype. At least one parameter should be non null
-     * to retrieve DRM object type
-     *
-     * @param[in] path Path of the content or null.
-     * @param[in] mimeType Mime type of the content or null.
-     * @return type of the DRM content,
-     *     such as DrmObjectType::CONTENT, DrmObjectType::RIGHTS_OBJECT
-     */
-    int getDrmObjectType(const String8& path, const String8& mimeType);
-
-    /**
-     * Check whether the given content has valid rights or not
-     *
-     * @param[in] path Path of the protected content
-     * @param[in] action Action to perform
-     * @return the status of the rights for the protected content,
-     *     such as RightsStatus::RIGHTS_VALID, RightsStatus::RIGHTS_EXPIRED, etc.
-     */
-    int checkRightsStatus(const String8& path, int action);
-
-    /**
-     * Removes the rights associated with the given protected content
-     *
-     * @param[in] path Path of the protected content
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure
-     */
-    status_t removeRights(const String8& path);
-
-    /**
-     * Removes all the rights information of each plug-in associated with
-     * DRM framework. Will be used in master reset
-     *
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure
-     */
-    status_t removeAllRights();
-
-    /**
-     * This API is for Forward Lock DRM.
-     * Each time the application tries to download a new DRM file
-     * which needs to be converted, then the application has to
-     * begin with calling this API.
-     *
-     * @param[in] convertId Handle for the convert session
-     * @param[in] mimeType Description/MIME type of the input data packet
-     * @return Return handle for the convert session
-     */
-    int openConvertSession(const String8& mimeType);
-
-    /**
-     * Passes the input data which need to be converted. The resultant
-     * converted data and the status is returned in the DrmConvertedInfo
-     * object. This method will be called each time there are new block
-     * of data received by the application.
-     *
-     * @param[in] convertId Handle for the convert session
-     * @param[in] inputData Input Data which need to be converted
-     * @return Return object contains the status of the data conversion,
-     *     the output converted data and offset. In this case the
-     *     application will ignore the offset information.
-     */
-    DrmConvertedStatus* convertData(int convertId, const DrmBuffer* inputData);
-
-    /**
-     * When there is no more data which need to be converted or when an
-     * error occurs that time the application has to inform the Drm agent
-     * via this API. Upon successful conversion of the complete data,
-     * the agent will inform that where the header and body signature
-     * should be added. This signature appending is needed to integrity
-     * protect the converted file.
-     *
-     * @param[in] convertId Handle for the convert session
-     * @return Return object contains the status of the data conversion,
-     *     the header and body signature data. It also informs
-     *     the application on which offset these signature data
-     *     should be appended.
-     */
-    DrmConvertedStatus* closeConvertSession(int convertId);
-
-    /**
-     * Retrieves all DrmSupportInfo instance that native DRM framework can handle.
-     * This interface is meant to be used by JNI layer
-     *
-     * @param[out] length Number of elements in drmSupportInfoArray
-     * @param[out] drmSupportInfoArray Array contains all DrmSupportInfo
-     *     that native DRM framework can handle
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure
-     */
-    status_t getAllSupportInfo(int* length, DrmSupportInfo** drmSupportInfoArray);
-
-private:
-    int mUniqueId;
-    sp<DrmManagerClientImpl> mDrmManagerClientImpl;
-};
-
-};
-
-#endif /* __DRM_MANAGER_CLIENT_H__ */
-
diff --git a/media/omx-plugin/include/ics/drm/drm_framework_common.h b/media/omx-plugin/include/ics/drm/drm_framework_common.h
deleted file mode 100644
index 2632cbd29..000000000
--- a/media/omx-plugin/include/ics/drm/drm_framework_common.h
+++ /dev/null
@@ -1,336 +0,0 @@
-/*
- * Copyright (C) 2010 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef __DRM_FRAMEWORK_COMMON_H__
-#define __DRM_FRAMEWORK_COMMON_H__
-
-#include <utils/Vector.h>
-#include <utils/KeyedVector.h>
-#include <utils/RefBase.h>
-#include <utils/String8.h>
-#include <utils/Errors.h>
-
-#define INVALID_VALUE -1
-
-namespace android {
-
-/**
- * Error code for DRM Frameowrk
- */
-enum {
-    // The following constant values should be in sync with
-    // media/stagefright/MediaErrors.h
-    ERROR_BASE = -2000,
-
-    DRM_ERROR_UNKNOWN                       = ERROR_BASE,
-    DRM_ERROR_NO_LICENSE                    = ERROR_BASE - 1,
-    DRM_ERROR_LICENSE_EXPIRED               = ERROR_BASE - 2,
-    DRM_ERROR_SESSION_NOT_OPENED            = ERROR_BASE - 3,
-    DRM_ERROR_DECRYPT_UNIT_NOT_INITIALIZED  = ERROR_BASE - 4,
-    DRM_ERROR_DECRYPT                       = ERROR_BASE - 5,
-    DRM_ERROR_CANNOT_HANDLE                 = ERROR_BASE - 6,
-    DRM_ERROR_TAMPER_DETECTED               = ERROR_BASE - 7,
-
-    DRM_NO_ERROR                            = NO_ERROR
-};
-
-/**
- * copy control settings used in DecryptHandle::copyControlVector
- */
-enum DrmCopyControl {
-    DRM_COPY_CONTROL_BASE = 1000,
-    // the key used to set the value for HDCP
-    // if the associated value is 1, then HDCP is required
-    // otherwise, HDCP is not required
-    DRM_COPY_CONTROL_HDCP = DRM_COPY_CONTROL_BASE
-};
-
-/**
- * Defines DRM Buffer
- */
-class DrmBuffer {
-public:
-    char* data;
-    int length;
-
-    DrmBuffer() :
-        data(NULL),
-        length(0) {
-    }
-
-    DrmBuffer(char* dataBytes, int dataLength) :
-        data(dataBytes),
-        length(dataLength) {
-    }
-
-};
-
-/**
- * Defines detailed description of the action
- */
-class ActionDescription {
-public:
-    ActionDescription(int _outputType, int _configuration) :
-        outputType(_outputType),
-        configuration(_configuration) {
-    }
-
-public:
-    int outputType;   /* BLUETOOTH , HDMI*/
-    int configuration; /* RESOLUTION_720_480 , RECORDABLE etc.*/
-};
-
-/**
- * Defines constants related to DRM types
- */
-class DrmObjectType {
-private:
-    DrmObjectType();
-
-public:
-    /**
-     * Field specifies the unknown type
-     */
-    static const int UNKNOWN = 0x00;
-    /**
-     * Field specifies the protected content type
-     */
-    static const int CONTENT = 0x01;
-    /**
-     * Field specifies the rights information
-     */
-    static const int RIGHTS_OBJECT = 0x02;
-    /**
-     * Field specifies the trigger information
-     */
-    static const int TRIGGER_OBJECT = 0x03;
-};
-
-/**
- * Defines constants related to play back
- */
-class Playback {
-private:
-    Playback();
-
-public:
-    /**
-     * Constant field signifies playback start
-     */
-    static const int START = 0x00;
-    /**
-     * Constant field signifies playback stop
-     */
-    static const int STOP = 0x01;
-    /**
-     * Constant field signifies playback paused
-     */
-    static const int PAUSE = 0x02;
-    /**
-     * Constant field signifies playback resumed
-     */
-    static const int RESUME = 0x03;
-};
-
-/**
- * Defines actions that can be performed on protected content
- */
-class Action {
-private:
-    Action();
-
-public:
-    /**
-     * Constant field signifies that the default action
-     */
-    static const int DEFAULT = 0x00;
-    /**
-     * Constant field signifies that the content can be played
-     */
-    static const int PLAY = 0x01;
-    /**
-     * Constant field signifies that the content can be set as ring tone
-     */
-    static const int RINGTONE = 0x02;
-    /**
-     * Constant field signifies that the content can be transfered
-     */
-    static const int TRANSFER = 0x03;
-    /**
-     * Constant field signifies that the content can be set as output
-     */
-    static const int OUTPUT = 0x04;
-    /**
-     * Constant field signifies that preview is allowed
-     */
-    static const int PREVIEW = 0x05;
-    /**
-     * Constant field signifies that the content can be executed
-     */
-    static const int EXECUTE = 0x06;
-    /**
-     * Constant field signifies that the content can displayed
-     */
-    static const int DISPLAY = 0x07;
-};
-
-/**
- * Defines constants related to status of the rights
- */
-class RightsStatus {
-private:
-    RightsStatus();
-
-public:
-    /**
-     * Constant field signifies that the rights are valid
-     */
-    static const int RIGHTS_VALID = 0x00;
-    /**
-     * Constant field signifies that the rights are invalid
-     */
-    static const int RIGHTS_INVALID = 0x01;
-    /**
-     * Constant field signifies that the rights are expired for the content
-     */
-    static const int RIGHTS_EXPIRED = 0x02;
-    /**
-     * Constant field signifies that the rights are not acquired for the content
-     */
-    static const int RIGHTS_NOT_ACQUIRED = 0x03;
-};
-
-/**
- * Defines API set for decryption
- */
-class DecryptApiType {
-private:
-    DecryptApiType();
-
-public:
-    /**
-     * Decrypt API set for non encrypted content
-     */
-    static const int NON_ENCRYPTED = 0x00;
-    /**
-     * Decrypt API set for ES based DRM
-     */
-    static const int ELEMENTARY_STREAM_BASED = 0x01;
-    /**
-     * POSIX based Decrypt API set for container based DRM
-     */
-    static const int CONTAINER_BASED = 0x02;
-    /**
-     * Decrypt API for Widevine streams
-     */
-    static const int WV_BASED = 0x3;
-};
-
-/**
- * Defines decryption information
- */
-class DecryptInfo {
-public:
-    /**
-     * size of memory to be allocated to get the decrypted content.
-     */
-    int decryptBufferLength;
-    /**
-     * reserved for future purpose
-     */
-};
-
-/**
- * Defines decryption handle
- */
-class DecryptHandle : public RefBase {
-public:
-    /**
-     * Decryption session Handle
-     */
-    int decryptId;
-    /**
-     * Mimetype of the content to be used to select the media extractor
-     * For e.g., "video/mpeg" or "audio/mp3"
-     */
-    String8 mimeType;
-    /**
-     * Defines which decryption pattern should be used to decrypt the given content
-     * DrmFramework provides two different set of decryption APIs.
-     *   1. Decrypt APIs for elementary stream based DRM
-     *      (file format is not encrypted but ES is encrypted)
-     *         e.g., Marlin DRM (MP4 file format), WM-DRM (asf file format)
-     *
-     *         DecryptApiType::ELEMENTARY_STREAM_BASED
-     *             Decryption API set for ES based DRM
-     *                 initializeDecryptUnit(), decrypt(), and finalizeDecryptUnit()
-     *   2. Decrypt APIs for container based DRM (file format itself is encrypted)
-     *         e.g., OMA DRM (dcf file format)
-     *
-     *         DecryptApiType::CONTAINER_BASED
-     *             POSIX based Decryption API set for container based DRM
-     *                 pread()
-     */
-    int decryptApiType;
-    /**
-     * Defines the status of the rights like
-     *     RIGHTS_VALID, RIGHTS_INVALID, RIGHTS_EXPIRED or RIGHTS_NOT_ACQUIRED
-     */
-    int status;
-    /**
-     * Information required to decrypt content
-     * e.g. size of memory to be allocated to get the decrypted content.
-     */
-    DecryptInfo* decryptInfo;
-    /**
-     * Defines a vector for the copy control settings sent from the DRM plugin
-     * to the player
-     */
-    KeyedVector<DrmCopyControl, int> copyControlVector;
-
-    /**
-     * Defines a vector for any extra data the DRM plugin wants to send
-     * to the native code
-     */
-    KeyedVector<String8, String8> extendedData;
-
-public:
-    DecryptHandle():
-            decryptId(INVALID_VALUE),
-            mimeType(""),
-            decryptApiType(INVALID_VALUE),
-            status(INVALID_VALUE),
-            decryptInfo(NULL) {
-
-    }
-
-    ~DecryptHandle() {
-        delete decryptInfo; decryptInfo = NULL;
-    }
-
-    bool operator<(const DecryptHandle& handle) const {
-        return (decryptId < handle.decryptId);
-    }
-
-    bool operator==(const DecryptHandle& handle) const {
-        return (decryptId == handle.decryptId);
-    }
-};
-
-};
-
-#endif /* __DRM_FRAMEWORK_COMMON_H__ */
-
diff --git a/media/omx-plugin/include/ics/hardware/fb.h b/media/omx-plugin/include/ics/hardware/fb.h
deleted file mode 100644
index ba2f286d0..000000000
--- a/media/omx-plugin/include/ics/hardware/fb.h
+++ /dev/null
@@ -1,164 +0,0 @@
-/*
- * Copyright (C) 2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-
-#ifndef ANDROID_FB_INTERFACE_H
-#define ANDROID_FB_INTERFACE_H
-
-#include <stdint.h>
-#include <sys/cdefs.h>
-#include <sys/types.h>
-
-#include <cutils/native_handle.h>
-
-#include <hardware/hardware.h>
-
-__BEGIN_DECLS
-
-#define GRALLOC_HARDWARE_FB0 "fb0"
-
-/*****************************************************************************/
-
-
-/*****************************************************************************/
-
-typedef struct framebuffer_device_t {
-    struct hw_device_t common;
-
-    /* flags describing some attributes of the framebuffer */
-    const uint32_t  flags;
-
-    /* dimensions of the framebuffer in pixels */
-    const uint32_t  width;
-    const uint32_t  height;
-
-    /* frambuffer stride in pixels */
-    const int       stride;
-
-    /* framebuffer pixel format */
-    const int       format;
-
-    /* resolution of the framebuffer's display panel in pixel per inch*/
-    const float     xdpi;
-    const float     ydpi;
-
-    /* framebuffer's display panel refresh rate in frames per second */
-    const float     fps;
-
-    /* min swap interval supported by this framebuffer */
-    const int       minSwapInterval;
-
-    /* max swap interval supported by this framebuffer */
-    const int       maxSwapInterval;
-
-    int reserved[8];
-
-    /*
-     * requests a specific swap-interval (same definition than EGL)
-     *
-     * Returns 0 on success or -errno on error.
-     */
-    int (*setSwapInterval)(struct framebuffer_device_t* window,
-            int interval);
-
-    /*
-     * This hook is OPTIONAL.
-     *
-     * It is non NULL If the framebuffer driver supports "update-on-demand"
-     * and the given rectangle is the area of the screen that gets
-     * updated during (*post)().
-     *
-     * This is useful on devices that are able to DMA only a portion of
-     * the screen to the display panel, upon demand -- as opposed to
-     * constantly refreshing the panel 60 times per second, for instance.
-     *
-     * Only the area defined by this rectangle is guaranteed to be valid, that
-     * is, the driver is not allowed to post anything outside of this
-     * rectangle.
-     *
-     * The rectangle evaluated during (*post)() and specifies which area
-     * of the buffer passed in (*post)() shall to be posted.
-     *
-     * return -EINVAL if width or height <=0, or if left or top < 0
-     */
-    int (*setUpdateRect)(struct framebuffer_device_t* window,
-            int left, int top, int width, int height);
-
-    /*
-     * Post <buffer> to the display (display it on the screen)
-     * The buffer must have been allocated with the
-     *   GRALLOC_USAGE_HW_FB usage flag.
-     * buffer must be the same width and height as the display and must NOT
-     * be locked.
-     *
-     * The buffer is shown during the next VSYNC.
-     *
-     * If the same buffer is posted again (possibly after some other buffer),
-     * post() will block until the the first post is completed.
-     *
-     * Internally, post() is expected to lock the buffer so that a
-     * subsequent call to gralloc_module_t::(*lock)() with USAGE_RENDER or
-     * USAGE_*_WRITE will block until it is safe; that is typically once this
-     * buffer is shown and another buffer has been posted.
-     *
-     * Returns 0 on success or -errno on error.
-     */
-    int (*post)(struct framebuffer_device_t* dev, buffer_handle_t buffer);
-
-
-    /*
-     * The (*compositionComplete)() method must be called after the
-     * compositor has finished issuing GL commands for client buffers.
-     */
-
-    int (*compositionComplete)(struct framebuffer_device_t* dev);
-
-    /*
-     * This hook is OPTIONAL.
-     *
-     * If non NULL it will be caused by SurfaceFlinger on dumpsys
-     */
-    void (*dump)(struct framebuffer_device_t* dev, char *buff, int buff_len);
-
-    /*
-     * (*enableScreen)() is used to either blank (enable=0) or
-     * unblank (enable=1) the screen this framebuffer is attached to.
-     *
-     * Returns 0 on success or -errno on error.
-     */
-    int (*enableScreen)(struct framebuffer_device_t* dev, int enable);
-
-    void* reserved_proc[6];
-
-} framebuffer_device_t;
-
-
-/** convenience API for opening and closing a supported device */
-
-static inline int framebuffer_open(const struct hw_module_t* module,
-        struct framebuffer_device_t** device) {
-    return module->methods->open(module,
-            GRALLOC_HARDWARE_FB0, (struct hw_device_t**)device);
-}
-
-static inline int framebuffer_close(struct framebuffer_device_t* device) {
-    return device->common.close(&device->common);
-}
-
-
-__END_DECLS
-
-#endif  // ANDROID_FB_INTERFACE_H
diff --git a/media/omx-plugin/include/ics/hardware/gralloc.h b/media/omx-plugin/include/ics/hardware/gralloc.h
deleted file mode 100644
index f8beb5efb..000000000
--- a/media/omx-plugin/include/ics/hardware/gralloc.h
+++ /dev/null
@@ -1,261 +0,0 @@
-/*
- * Copyright (C) 2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-
-#ifndef ANDROID_GRALLOC_INTERFACE_H
-#define ANDROID_GRALLOC_INTERFACE_H
-
-#include <system/window.h>
-#include <hardware/hardware.h>
-
-#include <stdint.h>
-#include <sys/cdefs.h>
-#include <sys/types.h>
-
-#include <cutils/native_handle.h>
-
-#include <hardware/hardware.h>
-#include <hardware/fb.h>
-
-__BEGIN_DECLS
-
-#define GRALLOC_API_VERSION 1
-
-/**
- * The id of this module
- */
-#define GRALLOC_HARDWARE_MODULE_ID "gralloc"
-
-/**
- * Name of the graphics device to open
- */
-
-#define GRALLOC_HARDWARE_GPU0 "gpu0"
-
-enum {
-    /* buffer is never read in software */
-    GRALLOC_USAGE_SW_READ_NEVER         = 0x00000000,
-    /* buffer is rarely read in software */
-    GRALLOC_USAGE_SW_READ_RARELY        = 0x00000002,
-    /* buffer is often read in software */
-    GRALLOC_USAGE_SW_READ_OFTEN         = 0x00000003,
-    /* mask for the software read values */
-    GRALLOC_USAGE_SW_READ_MASK          = 0x0000000F,
-    
-    /* buffer is never written in software */
-    GRALLOC_USAGE_SW_WRITE_NEVER        = 0x00000000,
-    /* buffer is never written in software */
-    GRALLOC_USAGE_SW_WRITE_RARELY       = 0x00000020,
-    /* buffer is never written in software */
-    GRALLOC_USAGE_SW_WRITE_OFTEN        = 0x00000030,
-    /* mask for the software write values */
-    GRALLOC_USAGE_SW_WRITE_MASK         = 0x000000F0,
-
-    /* buffer will be used as an OpenGL ES texture */
-    GRALLOC_USAGE_HW_TEXTURE            = 0x00000100,
-    /* buffer will be used as an OpenGL ES render target */
-    GRALLOC_USAGE_HW_RENDER             = 0x00000200,
-    /* buffer will be used by the 2D hardware blitter */
-    GRALLOC_USAGE_HW_2D                 = 0x00000400,
-    /* buffer will be used by the HWComposer HAL module */
-    GRALLOC_USAGE_HW_COMPOSER           = 0x00000800,
-    /* buffer will be used with the framebuffer device */
-    GRALLOC_USAGE_HW_FB                 = 0x00001000,
-    /* buffer will be used with the HW video encoder */
-    GRALLOC_USAGE_HW_VIDEO_ENCODER      = 0x00010000,
-    /* mask for the software usage bit-mask */
-    GRALLOC_USAGE_HW_MASK               = 0x00011F00,
-
-    /* buffer should be displayed full-screen on an external display when
-     * possible
-     */
-    GRALLOC_USAGE_EXTERNAL_DISP         = 0x00002000,
-
-    /* Must have a hardware-protected path to external display sink for
-     * this buffer.  If a hardware-protected path is not available, then
-     * either don't composite only this buffer (preferred) to the
-     * external sink, or (less desirable) do not route the entire
-     * composition to the external sink.
-     */
-    GRALLOC_USAGE_PROTECTED             = 0x00004000,
-
-    /* implementation-specific private usage flags */
-    GRALLOC_USAGE_PRIVATE_0             = 0x10000000,
-    GRALLOC_USAGE_PRIVATE_1             = 0x20000000,
-    GRALLOC_USAGE_PRIVATE_2             = 0x40000000,
-    GRALLOC_USAGE_PRIVATE_3             = 0x80000000,
-    GRALLOC_USAGE_PRIVATE_MASK          = 0xF0000000,
-};
-
-/*****************************************************************************/
-
-/**
- * Every hardware module must have a data structure named HAL_MODULE_INFO_SYM
- * and the fields of this data structure must begin with hw_module_t
- * followed by module specific information.
- */
-typedef struct gralloc_module_t {
-    struct hw_module_t common;
-    
-    /*
-     * (*registerBuffer)() must be called before a buffer_handle_t that has not
-     * been created with (*alloc_device_t::alloc)() can be used.
-     * 
-     * This is intended to be used with buffer_handle_t's that have been
-     * received in this process through IPC.
-     * 
-     * This function checks that the handle is indeed a valid one and prepares
-     * it for use with (*lock)() and (*unlock)().
-     * 
-     * It is not necessary to call (*registerBuffer)() on a handle created 
-     * with (*alloc_device_t::alloc)().
-     * 
-     * returns an error if this buffer_handle_t is not valid.
-     */
-    int (*registerBuffer)(struct gralloc_module_t const* module,
-            buffer_handle_t handle);
-
-    /*
-     * (*unregisterBuffer)() is called once this handle is no longer needed in
-     * this process. After this call, it is an error to call (*lock)(),
-     * (*unlock)(), or (*registerBuffer)().
-     * 
-     * This function doesn't close or free the handle itself; this is done
-     * by other means, usually through libcutils's native_handle_close() and
-     * native_handle_free(). 
-     * 
-     * It is an error to call (*unregisterBuffer)() on a buffer that wasn't
-     * explicitly registered first.
-     */
-    int (*unregisterBuffer)(struct gralloc_module_t const* module,
-            buffer_handle_t handle);
-    
-    /*
-     * The (*lock)() method is called before a buffer is accessed for the 
-     * specified usage. This call may block, for instance if the h/w needs
-     * to finish rendering or if CPU caches need to be synchronized.
-     * 
-     * The caller promises to modify only pixels in the area specified 
-     * by (l,t,w,h).
-     * 
-     * The content of the buffer outside of the specified area is NOT modified
-     * by this call.
-     *
-     * If usage specifies GRALLOC_USAGE_SW_*, vaddr is filled with the address
-     * of the buffer in virtual memory.
-     *
-     * THREADING CONSIDERATIONS:
-     *
-     * It is legal for several different threads to lock a buffer from 
-     * read access, none of the threads are blocked.
-     * 
-     * However, locking a buffer simultaneously for write or read/write is
-     * undefined, but:
-     * - shall not result in termination of the process
-     * - shall not block the caller
-     * It is acceptable to return an error or to leave the buffer's content
-     * into an indeterminate state.
-     *
-     * If the buffer was created with a usage mask incompatible with the
-     * requested usage flags here, -EINVAL is returned. 
-     * 
-     */
-    
-    int (*lock)(struct gralloc_module_t const* module,
-            buffer_handle_t handle, int usage,
-            int l, int t, int w, int h,
-            void** vaddr);
-
-    
-    /*
-     * The (*unlock)() method must be called after all changes to the buffer
-     * are completed.
-     */
-    
-    int (*unlock)(struct gralloc_module_t const* module,
-            buffer_handle_t handle);
-
-
-    /* reserved for future use */
-    int (*perform)(struct gralloc_module_t const* module,
-            int operation, ... );
-
-    /* reserved for future use */
-    void* reserved_proc[7];
-} gralloc_module_t;
-
-/*****************************************************************************/
-
-/**
- * Every device data structure must begin with hw_device_t
- * followed by module specific public methods and attributes.
- */
-
-typedef struct alloc_device_t {
-    struct hw_device_t common;
-
-    /* 
-     * (*alloc)() Allocates a buffer in graphic memory with the requested
-     * parameters and returns a buffer_handle_t and the stride in pixels to
-     * allow the implementation to satisfy hardware constraints on the width
-     * of a pixmap (eg: it may have to be multiple of 8 pixels). 
-     * The CALLER TAKES OWNERSHIP of the buffer_handle_t.
-     * 
-     * Returns 0 on success or -errno on error.
-     */
-    
-    int (*alloc)(struct alloc_device_t* dev,
-            int w, int h, int format, int usage,
-            buffer_handle_t* handle, int* stride);
-
-    /*
-     * (*free)() Frees a previously allocated buffer. 
-     * Behavior is undefined if the buffer is still mapped in any process,
-     * but shall not result in termination of the program or security breaches
-     * (allowing a process to get access to another process' buffers).
-     * THIS FUNCTION TAKES OWNERSHIP of the buffer_handle_t which becomes
-     * invalid after the call. 
-     * 
-     * Returns 0 on success or -errno on error.
-     */
-    int (*free)(struct alloc_device_t* dev,
-            buffer_handle_t handle);
-
-    /* This hook is OPTIONAL.
-     *
-     * If non NULL it will be caused by SurfaceFlinger on dumpsys
-     */
-    void (*dump)(struct alloc_device_t *dev, char *buff, int buff_len);
-
-    void* reserved_proc[7];
-} alloc_device_t;
-
-
-/** convenience API for opening and closing a supported device */
-
-static inline int gralloc_open(const struct hw_module_t* module, 
-        struct alloc_device_t** device) {
-    return module->methods->open(module, 
-            GRALLOC_HARDWARE_GPU0, (struct hw_device_t**)device);
-}
-
-static inline int gralloc_close(struct alloc_device_t* device) {
-    return device->common.close(&device->common);
-}
-
-__END_DECLS
-
-#endif  // ANDROID_ALLOC_INTERFACE_H
diff --git a/media/omx-plugin/include/ics/hardware/hardware.h b/media/omx-plugin/include/ics/hardware/hardware.h
deleted file mode 100644
index 7774b2b64..000000000
--- a/media/omx-plugin/include/ics/hardware/hardware.h
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * Copyright (C) 2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_INCLUDE_HARDWARE_HARDWARE_H
-#define ANDROID_INCLUDE_HARDWARE_HARDWARE_H
-
-#include <stdint.h>
-#include <sys/cdefs.h>
-
-#include <cutils/native_handle.h>
-#include <system/graphics.h>
-
-__BEGIN_DECLS
-
-/*
- * Value for the hw_module_t.tag field
- */
-
-#define MAKE_TAG_CONSTANT(A,B,C,D) (((A) << 24) | ((B) << 16) | ((C) << 8) | (D))
-
-#define HARDWARE_MODULE_TAG MAKE_TAG_CONSTANT('H', 'W', 'M', 'T')
-#define HARDWARE_DEVICE_TAG MAKE_TAG_CONSTANT('H', 'W', 'D', 'T')
-
-struct hw_module_t;
-struct hw_module_methods_t;
-struct hw_device_t;
-
-/**
- * Every hardware module must have a data structure named HAL_MODULE_INFO_SYM
- * and the fields of this data structure must begin with hw_module_t
- * followed by module specific information.
- */
-typedef struct hw_module_t {
-    /** tag must be initialized to HARDWARE_MODULE_TAG */
-    uint32_t tag;
-
-    /** major version number for the module */
-    uint16_t version_major;
-
-    /** minor version number of the module */
-    uint16_t version_minor;
-
-    /** Identifier of module */
-    const char *id;
-
-    /** Name of this module */
-    const char *name;
-
-    /** Author/owner/implementor of the module */
-    const char *author;
-
-    /** Modules methods */
-    struct hw_module_methods_t* methods;
-
-    /** module's dso */
-    void* dso;
-
-    /** padding to 128 bytes, reserved for future use */
-    uint32_t reserved[32-7];
-
-} hw_module_t;
-
-typedef struct hw_module_methods_t {
-    /** Open a specific device */
-    int (*open)(const struct hw_module_t* module, const char* id,
-            struct hw_device_t** device);
-
-} hw_module_methods_t;
-
-/**
- * Every device data structure must begin with hw_device_t
- * followed by module specific public methods and attributes.
- */
-typedef struct hw_device_t {
-    /** tag must be initialized to HARDWARE_DEVICE_TAG */
-    uint32_t tag;
-
-    /** version number for hw_device_t */
-    uint32_t version;
-
-    /** reference to the module this device belongs to */
-    struct hw_module_t* module;
-
-    /** padding reserved for future use */
-    uint32_t reserved[12];
-
-    /** Close this device */
-    int (*close)(struct hw_device_t* device);
-
-} hw_device_t;
-
-/**
- * Name of the hal_module_info
- */
-#define HAL_MODULE_INFO_SYM         HMI
-
-/**
- * Name of the hal_module_info as a string
- */
-#define HAL_MODULE_INFO_SYM_AS_STR  "HMI"
-
-/**
- * Get the module info associated with a module by id.
- *
- * @return: 0 == success, <0 == error and *module == NULL
- */
-int hw_get_module(const char *id, const struct hw_module_t **module);
-
-/**
- * Get the module info associated with a module instance by class 'class_id'
- * and instance 'inst'.
- *
- * Some modules types necessitate multiple instances. For example audio supports
- * multiple concurrent interfaces and thus 'audio' is the module class
- * and 'primary' or 'a2dp' are module interfaces. This implies that the files
- * providing these modules would be named audio.primary.<variant>.so and
- * audio.a2dp.<variant>.so
- *
- * @return: 0 == success, <0 == error and *module == NULL
- */
-int hw_get_module_by_class(const char *class_id, const char *inst,
-                           const struct hw_module_t **module);
-
-__END_DECLS
-
-#endif  /* ANDROID_INCLUDE_HARDWARE_HARDWARE_H */
diff --git a/media/omx-plugin/include/ics/media/IOMX.h b/media/omx-plugin/include/ics/media/IOMX.h
deleted file mode 100644
index c4cc947a8..000000000
--- a/media/omx-plugin/include/ics/media/IOMX.h
+++ /dev/null
@@ -1,197 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_IOMX_H_
-
-#define ANDROID_IOMX_H_
-
-#include <binder/IInterface.h>
-#include <ui/GraphicBuffer.h>
-#include <utils/List.h>
-#include <utils/String8.h>
-
-#include <OMX_Core.h>
-#include <OMX_Video.h>
-
-#include "jni.h"
-
-namespace android {
-
-class IMemory;
-class IOMXObserver;
-class IOMXRenderer;
-class Surface;
-
-class IOMX : public IInterface {
-public:
-    DECLARE_META_INTERFACE(OMX);
-
-    typedef void *buffer_id;
-    typedef void *node_id;
-
-    // Given the calling process' pid, returns true iff
-    // the implementation of the OMX interface lives in the same
-    // process.
-    virtual bool livesLocally(pid_t pid) = 0;
-
-    struct ComponentInfo {
-        String8 mName;
-        List<String8> mRoles;
-    };
-    virtual status_t listNodes(List<ComponentInfo> *list) = 0;
-
-    virtual status_t allocateNode(
-            const char *name, const sp<IOMXObserver> &observer,
-            node_id *node) = 0;
-
-    virtual status_t freeNode(node_id node) = 0;
-
-    virtual status_t sendCommand(
-            node_id node, OMX_COMMANDTYPE cmd, OMX_S32 param) = 0;
-
-    virtual status_t getParameter(
-            node_id node, OMX_INDEXTYPE index,
-            void *params, size_t size) = 0;
-
-    virtual status_t setParameter(
-            node_id node, OMX_INDEXTYPE index,
-            const void *params, size_t size) = 0;
-
-    virtual status_t getConfig(
-            node_id node, OMX_INDEXTYPE index,
-            void *params, size_t size) = 0;
-
-    virtual status_t setConfig(
-            node_id node, OMX_INDEXTYPE index,
-            const void *params, size_t size) = 0;
-
-    virtual status_t getState(
-            node_id node, OMX_STATETYPE* state) = 0;
-
-    virtual status_t storeMetaDataInBuffers(
-            node_id node, OMX_U32 port_index, OMX_BOOL enable) = 0;
-
-    virtual status_t enableGraphicBuffers(
-            node_id node, OMX_U32 port_index, OMX_BOOL enable) = 0;
-
-    virtual status_t getGraphicBufferUsage(
-            node_id node, OMX_U32 port_index, OMX_U32* usage) = 0;
-
-    virtual status_t useBuffer(
-            node_id node, OMX_U32 port_index, const sp<IMemory> &params,
-            buffer_id *buffer) = 0;
-
-    virtual status_t useGraphicBuffer(
-            node_id node, OMX_U32 port_index,
-            const sp<GraphicBuffer> &graphicBuffer, buffer_id *buffer) = 0;
-
-    // This API clearly only makes sense if the caller lives in the
-    // same process as the callee, i.e. is the media_server, as the
-    // returned "buffer_data" pointer is just that, a pointer into local
-    // address space.
-    virtual status_t allocateBuffer(
-            node_id node, OMX_U32 port_index, size_t size,
-            buffer_id *buffer, void **buffer_data) = 0;
-
-    virtual status_t allocateBufferWithBackup(
-            node_id node, OMX_U32 port_index, const sp<IMemory> &params,
-            buffer_id *buffer) = 0;
-
-    virtual status_t freeBuffer(
-            node_id node, OMX_U32 port_index, buffer_id buffer) = 0;
-
-    virtual status_t fillBuffer(node_id node, buffer_id buffer) = 0;
-
-    virtual status_t emptyBuffer(
-            node_id node,
-            buffer_id buffer,
-            OMX_U32 range_offset, OMX_U32 range_length,
-            OMX_U32 flags, OMX_TICKS timestamp) = 0;
-
-    virtual status_t getExtensionIndex(
-            node_id node,
-            const char *parameter_name,
-            OMX_INDEXTYPE *index) = 0;
-};
-
-struct omx_message {
-    enum {
-        EVENT,
-        EMPTY_BUFFER_DONE,
-        FILL_BUFFER_DONE,
-
-    } type;
-
-    IOMX::node_id node;
-
-    union {
-        // if type == EVENT
-        struct {
-            OMX_EVENTTYPE event;
-            OMX_U32 data1;
-            OMX_U32 data2;
-        } event_data;
-
-        // if type == EMPTY_BUFFER_DONE
-        struct {
-            IOMX::buffer_id buffer;
-        } buffer_data;
-
-        // if type == FILL_BUFFER_DONE
-        struct {
-            IOMX::buffer_id buffer;
-            OMX_U32 range_offset;
-            OMX_U32 range_length;
-            OMX_U32 flags;
-            OMX_TICKS timestamp;
-            OMX_PTR platform_private;
-            OMX_PTR data_ptr;
-        } extended_buffer_data;
-
-    } u;
-};
-
-class IOMXObserver : public IInterface {
-public:
-    DECLARE_META_INTERFACE(OMXObserver);
-
-    virtual void onMessage(const omx_message &msg) = 0;
-};
-
-////////////////////////////////////////////////////////////////////////////////
-
-class BnOMX : public BnInterface<IOMX> {
-public:
-    virtual status_t onTransact(
-            uint32_t code, const Parcel &data, Parcel *reply,
-            uint32_t flags = 0);
-};
-
-class BnOMXObserver : public BnInterface<IOMXObserver> {
-public:
-    virtual status_t onTransact(
-            uint32_t code, const Parcel &data, Parcel *reply,
-            uint32_t flags = 0);
-};
-
-struct CodecProfileLevel {
-    OMX_U32 mProfile;
-    OMX_U32 mLevel;
-};
-
-}  // namespace android
-
-#endif  // ANDROID_IOMX_H_
diff --git a/media/omx-plugin/include/ics/media/stagefright/MediaBuffer.h b/media/omx-plugin/include/ics/media/stagefright/MediaBuffer.h
deleted file mode 100644
index 3d79596f3..000000000
--- a/media/omx-plugin/include/ics/media/stagefright/MediaBuffer.h
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MEDIA_BUFFER_H_
-
-#define MEDIA_BUFFER_H_
-
-#include <pthread.h>
-
-#include <utils/Errors.h>
-#include <utils/RefBase.h>
-
-namespace android {
-
-struct ABuffer;
-class GraphicBuffer;
-class MediaBuffer;
-class MediaBufferObserver;
-class MetaData;
-
-class MediaBufferObserver {
-public:
-    MediaBufferObserver() {}
-    virtual ~MediaBufferObserver() {}
-
-    virtual void signalBufferReturned(MediaBuffer *buffer) = 0;
-
-private:
-    MediaBufferObserver(const MediaBufferObserver &);
-    MediaBufferObserver &operator=(const MediaBufferObserver &);
-};
-
-class MediaBuffer {
-public:
-    // The underlying data remains the responsibility of the caller!
-    MediaBuffer(void *data, size_t size);
-
-    MediaBuffer(size_t size);
-
-    MediaBuffer(const sp<GraphicBuffer>& graphicBuffer);
-
-    MediaBuffer(const sp<ABuffer> &buffer);
-
-    // Decrements the reference count and returns the buffer to its
-    // associated MediaBufferGroup if the reference count drops to 0.
-    void release();
-
-    // Increments the reference count.
-    void add_ref();
-
-    void *data() const;
-    size_t size() const;
-
-    size_t range_offset() const;
-    size_t range_length() const;
-
-    void set_range(size_t offset, size_t length);
-
-    sp<GraphicBuffer> graphicBuffer() const;
-
-    sp<MetaData> meta_data();
-
-    // Clears meta data and resets the range to the full extent.
-    void reset();
-
-    void setObserver(MediaBufferObserver *group);
-
-    // Returns a clone of this MediaBuffer increasing its reference count.
-    // The clone references the same data but has its own range and
-    // MetaData.
-    MediaBuffer *clone();
-
-    int refcount() const;
-
-protected:
-    virtual ~MediaBuffer();
-
-private:
-    friend class MediaBufferGroup;
-    friend class OMXDecoder;
-
-    // For use by OMXDecoder, reference count must be 1, drop reference
-    // count to 0 without signalling the observer.
-    void claim();
-
-    MediaBufferObserver *mObserver;
-    MediaBuffer *mNextBuffer;
-    int mRefCount;
-
-    void *mData;
-    size_t mSize, mRangeOffset, mRangeLength;
-    sp<GraphicBuffer> mGraphicBuffer;
-    sp<ABuffer> mBuffer;
-
-    bool mOwnsData;
-
-    sp<MetaData> mMetaData;
-
-    MediaBuffer *mOriginal;
-
-    void setNextBuffer(MediaBuffer *buffer);
-    MediaBuffer *nextBuffer();
-
-    MediaBuffer(const MediaBuffer &);
-    MediaBuffer &operator=(const MediaBuffer &);
-};
-
-}  // namespace android
-
-#endif  // MEDIA_BUFFER_H_
diff --git a/media/omx-plugin/include/ics/media/stagefright/MediaErrors.h b/media/omx-plugin/include/ics/media/stagefright/MediaErrors.h
deleted file mode 100644
index 21d00b8c5..000000000
--- a/media/omx-plugin/include/ics/media/stagefright/MediaErrors.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MEDIA_ERRORS_H_
-
-#define MEDIA_ERRORS_H_
-
-#include <utils/Errors.h>
-
-namespace android {
-
-enum {
-    MEDIA_ERROR_BASE        = -1000,
-
-    ERROR_ALREADY_CONNECTED = MEDIA_ERROR_BASE,
-    ERROR_NOT_CONNECTED     = MEDIA_ERROR_BASE - 1,
-    ERROR_UNKNOWN_HOST      = MEDIA_ERROR_BASE - 2,
-    ERROR_CANNOT_CONNECT    = MEDIA_ERROR_BASE - 3,
-    ERROR_IO                = MEDIA_ERROR_BASE - 4,
-    ERROR_CONNECTION_LOST   = MEDIA_ERROR_BASE - 5,
-    ERROR_MALFORMED         = MEDIA_ERROR_BASE - 7,
-    ERROR_OUT_OF_RANGE      = MEDIA_ERROR_BASE - 8,
-    ERROR_BUFFER_TOO_SMALL  = MEDIA_ERROR_BASE - 9,
-    ERROR_UNSUPPORTED       = MEDIA_ERROR_BASE - 10,
-    ERROR_END_OF_STREAM     = MEDIA_ERROR_BASE - 11,
-
-    // Not technically an error.
-    INFO_FORMAT_CHANGED    = MEDIA_ERROR_BASE - 12,
-    INFO_DISCONTINUITY     = MEDIA_ERROR_BASE - 13,
-
-    // The following constant values should be in sync with
-    // drm/drm_framework_common.h
-    DRM_ERROR_BASE = -2000,
-
-    ERROR_DRM_UNKNOWN                       = DRM_ERROR_BASE,
-    ERROR_DRM_NO_LICENSE                    = DRM_ERROR_BASE - 1,
-    ERROR_DRM_LICENSE_EXPIRED               = DRM_ERROR_BASE - 2,
-    ERROR_DRM_SESSION_NOT_OPENED            = DRM_ERROR_BASE - 3,
-    ERROR_DRM_DECRYPT_UNIT_NOT_INITIALIZED  = DRM_ERROR_BASE - 4,
-    ERROR_DRM_DECRYPT                       = DRM_ERROR_BASE - 5,
-    ERROR_DRM_CANNOT_HANDLE                 = DRM_ERROR_BASE - 6,
-    ERROR_DRM_TAMPER_DETECTED               = DRM_ERROR_BASE - 7,
-
-    // Heartbeat Error Codes
-    HEARTBEAT_ERROR_BASE = -3000,
-
-    ERROR_HEARTBEAT_AUTHENTICATION_FAILURE                  = HEARTBEAT_ERROR_BASE,
-    ERROR_HEARTBEAT_NO_ACTIVE_PURCHASE_AGREEMENT            = HEARTBEAT_ERROR_BASE - 1,
-    ERROR_HEARTBEAT_CONCURRENT_PLAYBACK                     = HEARTBEAT_ERROR_BASE - 2,
-    ERROR_HEARTBEAT_UNUSUAL_ACTIVITY                        = HEARTBEAT_ERROR_BASE - 3,
-    ERROR_HEARTBEAT_STREAMING_UNAVAILABLE                   = HEARTBEAT_ERROR_BASE - 4,
-    ERROR_HEARTBEAT_CANNOT_ACTIVATE_RENTAL                  = HEARTBEAT_ERROR_BASE - 5,
-    ERROR_HEARTBEAT_TERMINATE_REQUESTED                     = HEARTBEAT_ERROR_BASE - 6,
-};
-
-}  // namespace android
-
-#endif  // MEDIA_ERRORS_H_
diff --git a/media/omx-plugin/include/ics/media/stagefright/MediaSource.h b/media/omx-plugin/include/ics/media/stagefright/MediaSource.h
deleted file mode 100644
index 3818e63ff..000000000
--- a/media/omx-plugin/include/ics/media/stagefright/MediaSource.h
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MEDIA_SOURCE_H_
-
-#define MEDIA_SOURCE_H_
-
-#include <sys/types.h>
-
-#include <media/stagefright/MediaErrors.h>
-#include <utils/RefBase.h>
-#include <utils/Vector.h>
-
-namespace android {
-
-class MediaBuffer;
-class MetaData;
-
-struct MediaSource : public virtual RefBase {
-    MediaSource();
-
-    // To be called before any other methods on this object, except
-    // getFormat().
-    virtual status_t start(MetaData *params = NULL) = 0;
-
-    // Any blocking read call returns immediately with a result of NO_INIT.
-    // It is an error to call any methods other than start after this call
-    // returns. Any buffers the object may be holding onto at the time of
-    // the stop() call are released.
-    // Also, it is imperative that any buffers output by this object and
-    // held onto by callers be released before a call to stop() !!!
-    virtual status_t stop() = 0;
-
-    // Returns the format of the data output by this media source.
-    virtual sp<MetaData> getFormat() = 0;
-
-    struct ReadOptions;
-
-    // Returns a new buffer of data. Call blocks until a
-    // buffer is available, an error is encountered of the end of the stream
-    // is reached.
-    // End of stream is signalled by a result of ERROR_END_OF_STREAM.
-    // A result of INFO_FORMAT_CHANGED indicates that the format of this
-    // MediaSource has changed mid-stream, the client can continue reading
-    // but should be prepared for buffers of the new configuration.
-    virtual status_t read(
-            MediaBuffer **buffer, const ReadOptions *options = NULL) = 0;
-
-    // Options that modify read() behaviour. The default is to
-    // a) not request a seek
-    // b) not be late, i.e. lateness_us = 0
-    struct ReadOptions {
-        enum SeekMode {
-            SEEK_PREVIOUS_SYNC,
-            SEEK_NEXT_SYNC,
-            SEEK_CLOSEST_SYNC,
-            SEEK_CLOSEST,
-        };
-
-        ReadOptions();
-
-        // Reset everything back to defaults.
-        void reset();
-
-        void setSeekTo(int64_t time_us, SeekMode mode = SEEK_CLOSEST_SYNC);
-        void clearSeekTo();
-        bool getSeekTo(int64_t *time_us, SeekMode *mode) const;
-
-        void setLateBy(int64_t lateness_us);
-        int64_t getLateBy() const;
-
-    private:
-        enum Options {
-            kSeekTo_Option      = 1,
-        };
-
-        uint32_t mOptions;
-        int64_t mSeekTimeUs;
-        SeekMode mSeekMode;
-        int64_t mLatenessUs;
-    };
-
-    // Causes this source to suspend pulling data from its upstream source
-    // until a subsequent read-with-seek. Currently only supported by
-    // OMXCodec.
-    virtual status_t pause() {
-        return ERROR_UNSUPPORTED;
-    }
-
-    // The consumer of this media source requests that the given buffers
-    // are to be returned exclusively in response to read calls.
-    // This will be called after a successful start() and before the
-    // first read() call.
-    // Callee assumes ownership of the buffers if no error is returned.
-    virtual status_t setBuffers(const Vector<MediaBuffer *> &buffers) {
-        return ERROR_UNSUPPORTED;
-    }
-
-protected:
-    virtual ~MediaSource();
-
-private:
-    MediaSource(const MediaSource &);
-    MediaSource &operator=(const MediaSource &);
-};
-
-}  // namespace android
-
-#endif  // MEDIA_SOURCE_H_
diff --git a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Core.h b/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Core.h
deleted file mode 100644
index 9fb0f6fdb..000000000
--- a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Core.h
+++ /dev/null
@@ -1,1448 +0,0 @@
-/* ------------------------------------------------------------------
- * Copyright (C) 1998-2009 PacketVideo
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- * -------------------------------------------------------------------
- */
-/*
- * Copyright (c) 2008 The Khronos Group Inc. 
- * 
- * Permission is hereby granted, free of charge, to any person obtaining
- * a copy of this software and associated documentation files (the
- * "Software"), to deal in the Software without restriction, including
- * without limitation the rights to use, copy, modify, merge, publish,
- * distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so, subject
- * to the following conditions: 
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software. 
- * 
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
- * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
- * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
- * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- *
- */
-
-/** OMX_Core.h - OpenMax IL version 1.1.2
- *  The OMX_Core header file contains the definitions used by both the
- *  application and the component to access common items.
- */
-
-#ifndef OMX_Core_h
-#define OMX_Core_h
-
-#ifdef __cplusplus
-extern "C" {
-#endif /* __cplusplus */
-
-
-/* Each OMX header shall include all required header files to allow the
- *  header to compile without errors.  The includes below are required
- *  for this header file to compile successfully 
- */
-
-#include <OMX_Index.h>
-
-
-/** The OMX_COMMANDTYPE enumeration is used to specify the action in the
- *  OMX_SendCommand macro.  
- *  @ingroup core
- */
-typedef enum OMX_COMMANDTYPE
-{
-    OMX_CommandStateSet,    /**< Change the component state */
-    OMX_CommandFlush,       /**< Flush the data queue(s) of a component */
-    OMX_CommandPortDisable, /**< Disable a port on a component. */
-    OMX_CommandPortEnable,  /**< Enable a port on a component. */
-    OMX_CommandMarkBuffer,  /**< Mark a component/buffer for observation */
-    OMX_CommandKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_CommandVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_CommandMax = 0X7FFFFFFF
-} OMX_COMMANDTYPE;
-
-
-
-/** The OMX_STATETYPE enumeration is used to indicate or change the component
- *  state.  This enumeration reflects the current state of the component when
- *  used with the OMX_GetState macro or becomes the parameter in a state change
- *  command when used with the OMX_SendCommand macro.
- *
- *  The component will be in the Loaded state after the component is initially
- *  loaded into memory.  In the Loaded state, the component is not allowed to
- *  allocate or hold resources other than to build it's internal parameter
- *  and configuration tables.  The application will send one or more
- *  SetParameters/GetParameters and SetConfig/GetConfig commands to the
- *  component and the component will record each of these parameter and
- *  configuration changes for use later.  When the application sends the
- *  Idle command, the component will acquire the resources needed for the
- *  specified configuration and will transition to the idle state if the
- *  allocation is successful.  If the component cannot successfully
- *  transition to the idle state for any reason, the state of the component
- *  shall be fully rolled back to the Loaded state (e.g. all allocated 
- *  resources shall be released).  When the component receives the command
- *  to go to the Executing state, it shall begin processing buffers by
- *  sending all input buffers it holds to the application.  While
- *  the component is in the Idle state, the application may also send the
- *  Pause command.  If the component receives the pause command while in the
- *  Idle state, the component shall send all input buffers it holds to the 
- *  application, but shall not begin processing buffers.  This will allow the
- *  application to prefill buffers.
- * 
- *  @ingroup comp
- */
-
-typedef enum OMX_STATETYPE
-{
-    OMX_StateInvalid,      /**< component has detected that it's internal data 
-                                structures are corrupted to the point that
-                                it cannot determine it's state properly */
-    OMX_StateLoaded,      /**< component has been loaded but has not completed
-                                initialization.  The OMX_SetParameter macro
-                                and the OMX_GetParameter macro are the only 
-                                valid macros allowed to be sent to the 
-                                component in this state. */
-    OMX_StateIdle,        /**< component initialization has been completed
-                                successfully and the component is ready to
-                                to start. */
-    OMX_StateExecuting,   /**< component has accepted the start command and
-                                is processing data (if data is available) */
-    OMX_StatePause,       /**< component has received pause command */
-    OMX_StateWaitForResources, /**< component is waiting for resources, either after 
-                                preemption or before it gets the resources requested.
-                                See specification for complete details. */
-    OMX_StateKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_StateVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_StateMax = 0X7FFFFFFF
-} OMX_STATETYPE;
-
-/** The OMX_ERRORTYPE enumeration defines the standard OMX Errors.  These 
- *  errors should cover most of the common failure cases.  However, 
- *  vendors are free to add additional error messages of their own as 
- *  long as they follow these rules:
- *  1.  Vendor error messages shall be in the range of 0x90000000 to
- *      0x9000FFFF.
- *  2.  Vendor error messages shall be defined in a header file provided
- *      with the component.  No error messages are allowed that are
- *      not defined.
- */
-typedef enum OMX_ERRORTYPE
-{
-  OMX_ErrorNone = 0,
-
-  /** There were insufficient resources to perform the requested operation */
-  OMX_ErrorInsufficientResources = (OMX_S32) 0x80001000,
-
-  /** There was an error, but the cause of the error could not be determined */
-  OMX_ErrorUndefined = (OMX_S32) 0x80001001,
-
-  /** The component name string was not valid */
-  OMX_ErrorInvalidComponentName = (OMX_S32) 0x80001002,
-
-  /** No component with the specified name string was found */
-  OMX_ErrorComponentNotFound = (OMX_S32) 0x80001003,
-
-  /** The component specified did not have a "OMX_ComponentInit" or
-      "OMX_ComponentDeInit entry point */
-  OMX_ErrorInvalidComponent = (OMX_S32) 0x80001004,
-
-  /** One or more parameters were not valid */
-  OMX_ErrorBadParameter = (OMX_S32) 0x80001005,
-
-  /** The requested function is not implemented */
-  OMX_ErrorNotImplemented = (OMX_S32) 0x80001006,
-
-  /** The buffer was emptied before the next buffer was ready */
-  OMX_ErrorUnderflow = (OMX_S32) 0x80001007,
-
-  /** The buffer was not available when it was needed */
-  OMX_ErrorOverflow = (OMX_S32) 0x80001008,
-
-  /** The hardware failed to respond as expected */
-  OMX_ErrorHardware = (OMX_S32) 0x80001009,
-
-  /** The component is in the state OMX_StateInvalid */
-  OMX_ErrorInvalidState = (OMX_S32) 0x8000100A,
-
-  /** Stream is found to be corrupt */
-  OMX_ErrorStreamCorrupt = (OMX_S32) 0x8000100B,
-
-  /** Ports being connected are not compatible */
-  OMX_ErrorPortsNotCompatible = (OMX_S32) 0x8000100C,
-
-  /** Resources allocated to an idle component have been
-      lost resulting in the component returning to the loaded state */
-  OMX_ErrorResourcesLost = (OMX_S32) 0x8000100D,
-
-  /** No more indicies can be enumerated */
-  OMX_ErrorNoMore = (OMX_S32) 0x8000100E,
-
-  /** The component detected a version mismatch */
-  OMX_ErrorVersionMismatch = (OMX_S32) 0x8000100F,
-
-  /** The component is not ready to return data at this time */
-  OMX_ErrorNotReady = (OMX_S32) 0x80001010,
-
-  /** There was a timeout that occurred */
-  OMX_ErrorTimeout = (OMX_S32) 0x80001011,
-
-  /** This error occurs when trying to transition into the state you are already in */
-  OMX_ErrorSameState = (OMX_S32) 0x80001012,
-
-  /** Resources allocated to an executing or paused component have been 
-      preempted, causing the component to return to the idle state */
-  OMX_ErrorResourcesPreempted = (OMX_S32) 0x80001013, 
-
-  /** A non-supplier port sends this error to the IL client (via the EventHandler callback) 
-      during the allocation of buffers (on a transition from the LOADED to the IDLE state or
-      on a port restart) when it deems that it has waited an unusually long time for the supplier 
-      to send it an allocated buffer via a UseBuffer call. */
-  OMX_ErrorPortUnresponsiveDuringAllocation = (OMX_S32) 0x80001014,
-
-  /** A non-supplier port sends this error to the IL client (via the EventHandler callback) 
-      during the deallocation of buffers (on a transition from the IDLE to LOADED state or 
-      on a port stop) when it deems that it has waited an unusually long time for the supplier 
-      to request the deallocation of a buffer header via a FreeBuffer call. */
-  OMX_ErrorPortUnresponsiveDuringDeallocation = (OMX_S32) 0x80001015,
-
-  /** A supplier port sends this error to the IL client (via the EventHandler callback) 
-      during the stopping of a port (either on a transition from the IDLE to LOADED 
-      state or a port stop) when it deems that it has waited an unusually long time for 
-      the non-supplier to return a buffer via an EmptyThisBuffer or FillThisBuffer call. */
-  OMX_ErrorPortUnresponsiveDuringStop = (OMX_S32) 0x80001016,
-
-  /** Attempting a state transtion that is not allowed */
-  OMX_ErrorIncorrectStateTransition = (OMX_S32) 0x80001017,
-
-  /* Attempting a command that is not allowed during the present state. */
-  OMX_ErrorIncorrectStateOperation = (OMX_S32) 0x80001018, 
-
-  /** The values encapsulated in the parameter or config structure are not supported. */
-  OMX_ErrorUnsupportedSetting = (OMX_S32) 0x80001019,
-
-  /** The parameter or config indicated by the given index is not supported. */
-  OMX_ErrorUnsupportedIndex = (OMX_S32) 0x8000101A,
-
-  /** The port index supplied is incorrect. */
-  OMX_ErrorBadPortIndex = (OMX_S32) 0x8000101B,
-
-  /** The port has lost one or more of its buffers and it thus unpopulated. */
-  OMX_ErrorPortUnpopulated = (OMX_S32) 0x8000101C,
-
-  /** Component suspended due to temporary loss of resources */
-  OMX_ErrorComponentSuspended = (OMX_S32) 0x8000101D,
-
-  /** Component suspended due to an inability to acquire dynamic resources */
-  OMX_ErrorDynamicResourcesUnavailable = (OMX_S32) 0x8000101E,
-
-  /** When the macroblock error reporting is enabled the component returns new error 
-  for every frame that has errors */
-  OMX_ErrorMbErrorsInFrame = (OMX_S32) 0x8000101F,
-
-  /** A component reports this error when it cannot parse or determine the format of an input stream. */
-  OMX_ErrorFormatNotDetected = (OMX_S32) 0x80001020, 
-
-  /** The content open operation failed. */
-  OMX_ErrorContentPipeOpenFailed = (OMX_S32) 0x80001021,
-
-  /** The content creation operation failed. */
-  OMX_ErrorContentPipeCreationFailed = (OMX_S32) 0x80001022,
-
-  /** Separate table information is being used */
-  OMX_ErrorSeperateTablesUsed = (OMX_S32) 0x80001023,
-
-  /** Tunneling is unsupported by the component*/
-  OMX_ErrorTunnelingUnsupported = (OMX_S32) 0x80001024,
-
-  OMX_ErrorKhronosExtensions = (OMX_S32)0x8F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-  OMX_ErrorVendorStartUnused = (OMX_S32)0x90000000, /**< Reserved region for introducing Vendor Extensions */
-  OMX_ErrorMax = 0x7FFFFFFF
-} OMX_ERRORTYPE;
-
-/** @ingroup core */
-typedef OMX_ERRORTYPE (* OMX_COMPONENTINITTYPE)(OMX_IN  OMX_HANDLETYPE hComponent);
-
-/** @ingroup core */
-typedef struct OMX_COMPONENTREGISTERTYPE
-{
-  const char          * pName;       /* Component name, 128 byte limit (including '\0') applies */
-  OMX_COMPONENTINITTYPE pInitialize; /* Component instance initialization function */
-} OMX_COMPONENTREGISTERTYPE;
-
-/** @ingroup core */
-extern OMX_COMPONENTREGISTERTYPE OMX_ComponentRegistered[];
-
-/** @ingroup rpm */
-typedef struct OMX_PRIORITYMGMTTYPE {
- OMX_U32 nSize;             /**< size of the structure in bytes */
- OMX_VERSIONTYPE nVersion;  /**< OMX specification version information */
- OMX_U32 nGroupPriority;            /**< Priority of the component group */
- OMX_U32 nGroupID;                  /**< ID of the component group */
-} OMX_PRIORITYMGMTTYPE;
-
-/* Component name and Role names are limited to 128 characters including the terminating '\0'. */
-#define OMX_MAX_STRINGNAME_SIZE 128
-
-/** @ingroup comp */
-typedef struct OMX_PARAM_COMPONENTROLETYPE {
-    OMX_U32 nSize;              /**< size of the structure in bytes */
-    OMX_VERSIONTYPE nVersion;   /**< OMX specification version information */
-    OMX_U8 cRole[OMX_MAX_STRINGNAME_SIZE];  /**< name of standard component which defines component role */
-} OMX_PARAM_COMPONENTROLETYPE;
-
-/** End of Stream Buffer Flag: 
-  *
-  * A component sets EOS when it has no more data to emit on a particular 
-  * output port. Thus an output port shall set EOS on the last buffer it 
-  * emits. A component's determination of when an output port should 
-  * cease sending data is implemenation specific.
-  * @ingroup buf
-  */
-
-#define OMX_BUFFERFLAG_EOS 0x00000001 
-
-/** Start Time Buffer Flag: 
- *
- * The source of a stream (e.g. a demux component) sets the STARTTIME
- * flag on the buffer that contains the starting timestamp for the
- * stream. The starting timestamp corresponds to the first data that
- * should be displayed at startup or after a seek.
- * The first timestamp of the stream is not necessarily the start time.
- * For instance, in the case of a seek to a particular video frame, 
- * the target frame may be an interframe. Thus the first buffer of 
- * the stream will be the intra-frame preceding the target frame and
- * the starttime will occur with the target frame (with any other
- * required frames required to reconstruct the target intervening).
- *
- * The STARTTIME flag is directly associated with the buffer's 
- * timestamp ' thus its association to buffer data and its 
- * propagation is identical to the timestamp's.
- *
- * When a Sync Component client receives a buffer with the 
- * STARTTIME flag it shall perform a SetConfig on its sync port 
- * using OMX_ConfigTimeClientStartTime and passing the buffer's
- * timestamp.
- * 
- * @ingroup buf
- */
-
-#define OMX_BUFFERFLAG_STARTTIME 0x00000002
-
- 
-
-/** Decode Only Buffer Flag: 
- *
- * The source of a stream (e.g. a demux component) sets the DECODEONLY
- * flag on any buffer that should shall be decoded but should not be
- * displayed. This flag is used, for instance, when a source seeks to 
- * a target interframe that requires the decode of frames preceding the 
- * target to facilitate the target's reconstruction. In this case the 
- * source would emit the frames preceding the target downstream 
- * but mark them as decode only.
- *
- * The DECODEONLY is associated with buffer data and propagated in a 
- * manner identical to the buffer timestamp.
- *
- * A component that renders data should ignore all buffers with 
- * the DECODEONLY flag set.
- * 
- * @ingroup buf
- */
-
-#define OMX_BUFFERFLAG_DECODEONLY 0x00000004
-
-
-/* Data Corrupt Flag: This flag is set when the IL client believes the data in the associated buffer is corrupt 
- * @ingroup buf
- */
-
-#define OMX_BUFFERFLAG_DATACORRUPT 0x00000008
-
-/* End of Frame: The buffer contains exactly one end of frame and no data
- *  occurs after the end of frame. This flag is an optional hint. The absence
- *  of this flag does not imply the absence of an end of frame within the buffer. 
- * @ingroup buf
-*/
-#define OMX_BUFFERFLAG_ENDOFFRAME 0x00000010
-
-/* Sync Frame Flag: This flag is set when the buffer content contains a coded sync frame ' 
- *  a frame that has no dependency on any other frame information 
- *  @ingroup buf
- */
-#define OMX_BUFFERFLAG_SYNCFRAME 0x00000020
-
-/* Extra data present flag: there is extra data appended to the data stream
- * residing in the buffer 
- * @ingroup buf  
- */
-#define OMX_BUFFERFLAG_EXTRADATA 0x00000040
-
-/** Codec Config Buffer Flag: 
-* OMX_BUFFERFLAG_CODECCONFIG is an optional flag that is set by an
-* output port when all bytes in the buffer form part or all of a set of
-* codec specific configuration data.  Examples include SPS/PPS nal units
-* for OMX_VIDEO_CodingAVC or AudioSpecificConfig data for
-* OMX_AUDIO_CodingAAC.  Any component that for a given stream sets 
-* OMX_BUFFERFLAG_CODECCONFIG shall not mix codec configuration bytes
-* with frame data in the same buffer, and shall send all buffers
-* containing codec configuration bytes before any buffers containing
-* frame data that those configurations bytes describe.
-* If the stream format for a particular codec has a frame specific
-* header at the start of each frame, for example OMX_AUDIO_CodingMP3 or
-* OMX_AUDIO_CodingAAC in ADTS mode, then these shall be presented as
-* normal without setting OMX_BUFFERFLAG_CODECCONFIG.
- * @ingroup buf
- */
-#define OMX_BUFFERFLAG_CODECCONFIG 0x00000080
-
-
-
-/** @ingroup buf */
-typedef struct OMX_BUFFERHEADERTYPE
-{
-    OMX_U32 nSize;              /**< size of the structure in bytes */
-    OMX_VERSIONTYPE nVersion;   /**< OMX specification version information */
-    OMX_U8* pBuffer;            /**< Pointer to actual block of memory 
-                                     that is acting as the buffer */
-    OMX_U32 nAllocLen;          /**< size of the buffer allocated, in bytes */
-    OMX_U32 nFilledLen;         /**< number of bytes currently in the 
-                                     buffer */
-    OMX_U32 nOffset;            /**< start offset of valid data in bytes from
-                                     the start of the buffer */
-    OMX_PTR pAppPrivate;        /**< pointer to any data the application
-                                     wants to associate with this buffer */
-    OMX_PTR pPlatformPrivate;   /**< pointer to any data the platform
-                                     wants to associate with this buffer */ 
-    OMX_PTR pInputPortPrivate;  /**< pointer to any data the input port
-                                     wants to associate with this buffer */
-    OMX_PTR pOutputPortPrivate; /**< pointer to any data the output port
-                                     wants to associate with this buffer */
-    OMX_HANDLETYPE hMarkTargetComponent; /**< The component that will generate a 
-                                              mark event upon processing this buffer. */
-    OMX_PTR pMarkData;          /**< Application specific data associated with 
-                                     the mark sent on a mark event to disambiguate 
-                                     this mark from others. */
-    OMX_U32 nTickCount;         /**< Optional entry that the component and
-                                     application can update with a tick count
-                                     when they access the component.  This
-                                     value should be in microseconds.  Since
-                                     this is a value relative to an arbitrary
-                                     starting point, this value cannot be used 
-                                     to determine absolute time.  This is an
-                                     optional entry and not all components
-                                     will update it.*/
- OMX_TICKS nTimeStamp;          /**< Timestamp corresponding to the sample 
-                                     starting at the first logical sample 
-                                     boundary in the buffer. Timestamps of 
-                                     successive samples within the buffer may
-                                     be inferred by adding the duration of the 
-                                     of the preceding buffer to the timestamp
-                                     of the preceding buffer.*/
-  OMX_U32     nFlags;           /**< buffer specific flags */
-  OMX_U32 nOutputPortIndex;     /**< The index of the output port (if any) using 
-                                     this buffer */
-  OMX_U32 nInputPortIndex;      /**< The index of the input port (if any) using
-                                     this buffer */
-} OMX_BUFFERHEADERTYPE;
-
-/** The OMX_EXTRADATATYPE enumeration is used to define the 
- * possible extra data payload types.
- * NB: this enum is binary backwards compatible with the previous
- * OMX_EXTRADATA_QUANT define.  This should be replaced with
- * OMX_ExtraDataQuantization.
- */
-typedef enum OMX_EXTRADATATYPE
-{
-   OMX_ExtraDataNone = 0,                       /**< Indicates that no more extra data sections follow */        
-   OMX_ExtraDataQuantization,                   /**< The data payload contains quantization data */
-   OMX_ExtraDataKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-   OMX_ExtraDataVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-   OMX_ExtraDataMax = 0x7FFFFFFF
-} OMX_EXTRADATATYPE;
-
-
-typedef struct OMX_OTHER_EXTRADATATYPE  {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;               
-    OMX_U32 nPortIndex;
-    OMX_EXTRADATATYPE eType;       /* Extra Data type */
-    OMX_U32 nDataSize;   /* Size of the supporting data to follow */
-    OMX_U8  data[1];     /* Supporting data hint  */
-} OMX_OTHER_EXTRADATATYPE;
-
-/** @ingroup comp */
-typedef struct OMX_PORT_PARAM_TYPE {
-    OMX_U32 nSize;              /**< size of the structure in bytes */
-    OMX_VERSIONTYPE nVersion;   /**< OMX specification version information */
-    OMX_U32 nPorts;             /**< The number of ports for this component */
-    OMX_U32 nStartPortNumber;   /** first port number for this type of port */
-} OMX_PORT_PARAM_TYPE; 
-
-/** @ingroup comp */
-typedef enum OMX_EVENTTYPE
-{
-    OMX_EventCmdComplete,         /**< component has sucessfully completed a command */
-    OMX_EventError,               /**< component has detected an error condition */
-    OMX_EventMark,                /**< component has detected a buffer mark */
-    OMX_EventPortSettingsChanged, /**< component is reported a port settings change */
-    OMX_EventBufferFlag,          /**< component has detected an EOS */ 
-    OMX_EventResourcesAcquired,   /**< component has been granted resources and is
-                                       automatically starting the state change from
-                                       OMX_StateWaitForResources to OMX_StateIdle. */
-   OMX_EventComponentResumed,     /**< Component resumed due to reacquisition of resources */
-   OMX_EventDynamicResourcesAvailable, /**< Component has acquired previously unavailable dynamic resources */
-   OMX_EventPortFormatDetected,      /**< Component has detected a supported format. */
-   OMX_EventKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-   OMX_EventVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-   OMX_EventMax = 0x7FFFFFFF
-} OMX_EVENTTYPE;
-
-typedef struct OMX_CALLBACKTYPE
-{
-    /** The EventHandler method is used to notify the application when an
-        event of interest occurs.  Events are defined in the OMX_EVENTTYPE
-        enumeration.  Please see that enumeration for details of what will
-        be returned for each type of event. Callbacks should not return
-        an error to the component, so if an error occurs, the application 
-        shall handle it internally.  This is a blocking call.
-
-        The application should return from this call within 5 msec to avoid
-        blocking the component for an excessively long period of time.
-
-        @param hComponent
-            handle of the component to access.  This is the component
-            handle returned by the call to the GetHandle function.
-        @param pAppData
-            pointer to an application defined value that was provided in the 
-            pAppData parameter to the OMX_GetHandle method for the component.
-            This application defined value is provided so that the application 
-            can have a component specific context when receiving the callback.
-        @param eEvent
-            Event that the component wants to notify the application about.
-        @param nData1
-            nData will be the OMX_ERRORTYPE for an error event and will be 
-            an OMX_COMMANDTYPE for a command complete event and OMX_INDEXTYPE for a OMX_PortSettingsChanged event.
-         @param nData2
-            nData2 will hold further information related to the event. Can be OMX_STATETYPE for
-            a OMX_CommandStateSet command or port index for a OMX_PortSettingsChanged event.
-            Default value is 0 if not used. )
-        @param pEventData
-            Pointer to additional event-specific data (see spec for meaning).
-      */
-
-   OMX_ERRORTYPE (*EventHandler)(
-        OMX_IN OMX_HANDLETYPE hComponent,
-        OMX_IN OMX_PTR pAppData,
-        OMX_IN OMX_EVENTTYPE eEvent,
-        OMX_IN OMX_U32 nData1,
-        OMX_IN OMX_U32 nData2,
-        OMX_IN OMX_PTR pEventData);
-
-    /** The EmptyBufferDone method is used to return emptied buffers from an
-        input port back to the application for reuse.  This is a blocking call 
-        so the application should not attempt to refill the buffers during this
-        call, but should queue them and refill them in another thread.  There
-        is no error return, so the application shall handle any errors generated
-        internally.  
-        
-        The application should return from this call within 5 msec.
-        
-        @param hComponent
-            handle of the component to access.  This is the component
-            handle returned by the call to the GetHandle function.
-        @param pAppData
-            pointer to an application defined value that was provided in the 
-            pAppData parameter to the OMX_GetHandle method for the component.
-            This application defined value is provided so that the application 
-            can have a component specific context when receiving the callback.
-        @param pBuffer
-            pointer to an OMX_BUFFERHEADERTYPE structure allocated with UseBuffer
-            or AllocateBuffer indicating the buffer that was emptied.
-        @ingroup buf
-     */
-    OMX_ERRORTYPE (*EmptyBufferDone)(
-        OMX_IN OMX_HANDLETYPE hComponent,
-        OMX_IN OMX_PTR pAppData,
-        OMX_IN OMX_BUFFERHEADERTYPE* pBuffer);
-
-    /** The FillBufferDone method is used to return filled buffers from an
-        output port back to the application for emptying and then reuse.  
-        This is a blocking call so the application should not attempt to 
-        empty the buffers during this call, but should queue the buffers 
-        and empty them in another thread.  There is no error return, so 
-        the application shall handle any errors generated internally.  The 
-        application shall also update the buffer header to indicate the
-        number of bytes placed into the buffer.  
-
-        The application should return from this call within 5 msec.
-        
-        @param hComponent
-            handle of the component to access.  This is the component
-            handle returned by the call to the GetHandle function.
-        @param pAppData
-            pointer to an application defined value that was provided in the 
-            pAppData parameter to the OMX_GetHandle method for the component.
-            This application defined value is provided so that the application 
-            can have a component specific context when receiving the callback.
-        @param pBuffer
-            pointer to an OMX_BUFFERHEADERTYPE structure allocated with UseBuffer
-            or AllocateBuffer indicating the buffer that was filled.
-        @ingroup buf
-     */
-    OMX_ERRORTYPE (*FillBufferDone)(
-        OMX_OUT OMX_HANDLETYPE hComponent,
-        OMX_OUT OMX_PTR pAppData,
-        OMX_OUT OMX_BUFFERHEADERTYPE* pBuffer);
-
-} OMX_CALLBACKTYPE;
-
-/** The OMX_BUFFERSUPPLIERTYPE enumeration is used to dictate port supplier
-    preference when tunneling between two ports.
-    @ingroup tun buf
-*/
-typedef enum OMX_BUFFERSUPPLIERTYPE
-{
-    OMX_BufferSupplyUnspecified = 0x0, /**< port supplying the buffers is unspecified,
-                                              or don't care */
-    OMX_BufferSupplyInput,             /**< input port supplies the buffers */
-    OMX_BufferSupplyOutput,            /**< output port supplies the buffers */
-    OMX_BufferSupplyKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_BufferSupplyVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_BufferSupplyMax = 0x7FFFFFFF
-} OMX_BUFFERSUPPLIERTYPE;
-
-
-/** buffer supplier parameter 
- * @ingroup tun
- */
-typedef struct OMX_PARAM_BUFFERSUPPLIERTYPE {
-    OMX_U32 nSize; /**< size of the structure in bytes */
-    OMX_VERSIONTYPE nVersion; /**< OMX specification version information */
-    OMX_U32 nPortIndex; /**< port that this structure applies to */
-    OMX_BUFFERSUPPLIERTYPE eBufferSupplier; /**< buffer supplier */
-} OMX_PARAM_BUFFERSUPPLIERTYPE;
-
-
-/**< indicates that buffers received by an input port of a tunnel 
-     may not modify the data in the buffers 
-     @ingroup tun
- */
-#define OMX_PORTTUNNELFLAG_READONLY 0x00000001 
-
-
-/** The OMX_TUNNELSETUPTYPE structure is used to pass data from an output
-    port to an input port as part the two ComponentTunnelRequest calls
-    resulting from a OMX_SetupTunnel call from the IL Client. 
-    @ingroup tun
- */   
-typedef struct OMX_TUNNELSETUPTYPE
-{
-    OMX_U32 nTunnelFlags;             /**< bit flags for tunneling */
-    OMX_BUFFERSUPPLIERTYPE eSupplier; /**< supplier preference */
-} OMX_TUNNELSETUPTYPE; 
-
-/* OMX Component headers is included to enable the core to use
-   macros for functions into the component for OMX release 1.0.  
-   Developers should not access any structures or data from within
-   the component header directly */
-/* TO BE REMOVED - #include <OMX_Component.h> */
-
-/** GetComponentVersion will return information about the component.  
-    This is a blocking call.  This macro will go directly from the
-    application to the component (via a core macro).  The
-    component will return from this call within 5 msec.
-    @param [in] hComponent
-        handle of component to execute the command
-    @param [out] pComponentName
-        pointer to an empty string of length 128 bytes.  The component 
-        will write its name into this string.  The name will be 
-        terminated by a single zero byte.  The name of a component will 
-        be 127 bytes or less to leave room for the trailing zero byte.  
-        An example of a valid component name is "OMX.ABC.ChannelMixer\0".
-    @param [out] pComponentVersion
-        pointer to an OMX Version structure that the component will fill 
-        in.  The component will fill in a value that indicates the 
-        component version.  NOTE: the component version is NOT the same 
-        as the OMX Specification version (found in all structures).  The 
-        component version is defined by the vendor of the component and 
-        its value is entirely up to the component vendor.
-    @param [out] pSpecVersion
-        pointer to an OMX Version structure that the component will fill 
-        in.  The SpecVersion is the version of the specification that the 
-        component was built against.  Please note that this value may or 
-        may not match the structure's version.  For example, if the 
-        component was built against the 2.0 specification, but the 
-        application (which creates the structure is built against the 
-        1.0 specification the versions would be different.
-    @param [out] pComponentUUID
-        pointer to the UUID of the component which will be filled in by 
-        the component.  The UUID is a unique identifier that is set at 
-        RUN time for the component and is unique to each instantion of 
-        the component.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp
- */
-#define OMX_GetComponentVersion(                            \
-        hComponent,                                         \
-        pComponentName,                                     \
-        pComponentVersion,                                  \
-        pSpecVersion,                                       \
-        pComponentUUID)                                     \
-    ((OMX_COMPONENTTYPE*)hComponent)->GetComponentVersion(  \
-        hComponent,                                         \
-        pComponentName,                                     \
-        pComponentVersion,                                  \
-        pSpecVersion,                                       \
-        pComponentUUID)                 /* Macro End */
-
-
-/** Send a command to the component.  This call is a non-blocking call.
-    The component should check the parameters and then queue the command
-    to the component thread to be executed.  The component thread shall 
-    send the EventHandler() callback at the conclusion of the command. 
-    This macro will go directly from the application to the component (via
-    a core macro).  The component will return from this call within 5 msec.
-    
-    When the command is "OMX_CommandStateSet" the component will queue a
-    state transition to the new state idenfied in nParam.
-    
-    When the command is "OMX_CommandFlush", to flush a port's buffer queues,
-    the command will force the component to return all buffers NOT CURRENTLY 
-    BEING PROCESSED to the application, in the order in which the buffers 
-    were received.
-    
-    When the command is "OMX_CommandPortDisable" or 
-    "OMX_CommandPortEnable", the component's port (given by the value of
-    nParam) will be stopped or restarted. 
-    
-    When the command "OMX_CommandMarkBuffer" is used to mark a buffer, the
-    pCmdData will point to a OMX_MARKTYPE structure containing the component
-    handle of the component to examine the buffer chain for the mark.  nParam1
-    contains the index of the port on which the buffer mark is applied.
-
-    Specification text for more details. 
-    
-    @param [in] hComponent
-        handle of component to execute the command
-    @param [in] Cmd
-        Command for the component to execute
-    @param [in] nParam
-        Parameter for the command to be executed.  When Cmd has the value 
-        OMX_CommandStateSet, value is a member of OMX_STATETYPE.  When Cmd has 
-        the value OMX_CommandFlush, value of nParam indicates which port(s) 
-        to flush. -1 is used to flush all ports a single port index will 
-        only flush that port.  When Cmd has the value "OMX_CommandPortDisable"
-        or "OMX_CommandPortEnable", the component's port is given by 
-        the value of nParam.  When Cmd has the value "OMX_CommandMarkBuffer"
-        the components pot is given by the value of nParam.
-    @param [in] pCmdData
-        Parameter pointing to the OMX_MARKTYPE structure when Cmd has the value
-        "OMX_CommandMarkBuffer".     
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp
- */
-#define OMX_SendCommand(                                    \
-         hComponent,                                        \
-         Cmd,                                               \
-         nParam,                                            \
-         pCmdData)                                          \
-     ((OMX_COMPONENTTYPE*)hComponent)->SendCommand(         \
-         hComponent,                                        \
-         Cmd,                                               \
-         nParam,                                            \
-         pCmdData)                          /* Macro End */
-
-
-/** The OMX_GetParameter macro will get one of the current parameter 
-    settings from the component.  This macro cannot only be invoked when 
-    the component is in the OMX_StateInvalid state.  The nParamIndex
-    parameter is used to indicate which structure is being requested from
-    the component.  The application shall allocate the correct structure 
-    and shall fill in the structure size and version information before 
-    invoking this macro.  When the parameter applies to a port, the
-    caller shall fill in the appropriate nPortIndex value indicating the
-    port on which the parameter applies. If the component has not had 
-    any settings changed, then the component should return a set of 
-    valid DEFAULT  parameters for the component.  This is a blocking 
-    call.  
-    
-    The component should return from this call within 20 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [in] nParamIndex
-        Index of the structure to be filled.  This value is from the
-        OMX_INDEXTYPE enumeration.
-    @param [in,out] pComponentParameterStructure
-        Pointer to application allocated structure to be filled by the 
-        component.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp
- */
-#define OMX_GetParameter(                                   \
-        hComponent,                                         \
-        nParamIndex,                                        \
-        pComponentParameterStructure)                        \
-    ((OMX_COMPONENTTYPE*)hComponent)->GetParameter(         \
-        hComponent,                                         \
-        nParamIndex,                                        \
-        pComponentParameterStructure)    /* Macro End */
-
-
-/** The OMX_SetParameter macro will send an initialization parameter
-    structure to a component.  Each structure shall be sent one at a time,
-    in a separate invocation of the macro.  This macro can only be
-    invoked when the component is in the OMX_StateLoaded state, or the
-    port is disabled (when the parameter applies to a port). The 
-    nParamIndex parameter is used to indicate which structure is being
-    passed to the component.  The application shall allocate the 
-    correct structure and shall fill in the structure size and version 
-    information (as well as the actual data) before invoking this macro.
-    The application is free to dispose of this structure after the call
-    as the component is required to copy any data it shall retain.  This 
-    is a blocking call.  
-    
-    The component should return from this call within 20 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [in] nIndex
-        Index of the structure to be sent.  This value is from the
-        OMX_INDEXTYPE enumeration.
-    @param [in] pComponentParameterStructure
-        pointer to application allocated structure to be used for
-        initialization by the component.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp
- */
-#define OMX_SetParameter(                                   \
-        hComponent,                                         \
-        nParamIndex,                                        \
-        pComponentParameterStructure)                        \
-    ((OMX_COMPONENTTYPE*)hComponent)->SetParameter(         \
-        hComponent,                                         \
-        nParamIndex,                                        \
-        pComponentParameterStructure)    /* Macro End */
-
-
-/** The OMX_GetConfig macro will get one of the configuration structures 
-    from a component.  This macro can be invoked anytime after the 
-    component has been loaded.  The nParamIndex call parameter is used to 
-    indicate which structure is being requested from the component.  The 
-    application shall allocate the correct structure and shall fill in the 
-    structure size and version information before invoking this macro.  
-    If the component has not had this configuration parameter sent before, 
-    then the component should return a set of valid DEFAULT values for the 
-    component.  This is a blocking call.  
-    
-    The component should return from this call within 5 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [in] nIndex
-        Index of the structure to be filled.  This value is from the
-        OMX_INDEXTYPE enumeration.
-    @param [in,out] pComponentConfigStructure
-        pointer to application allocated structure to be filled by the 
-        component.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp
-*/        
-#define OMX_GetConfig(                                      \
-        hComponent,                                         \
-        nConfigIndex,                                       \
-        pComponentConfigStructure)                           \
-    ((OMX_COMPONENTTYPE*)hComponent)->GetConfig(            \
-        hComponent,                                         \
-        nConfigIndex,                                       \
-        pComponentConfigStructure)       /* Macro End */
-
-
-/** The OMX_SetConfig macro will send one of the configuration 
-    structures to a component.  Each structure shall be sent one at a time,
-    each in a separate invocation of the macro.  This macro can be invoked 
-    anytime after the component has been loaded.  The application shall 
-    allocate the correct structure and shall fill in the structure size 
-    and version information (as well as the actual data) before invoking 
-    this macro.  The application is free to dispose of this structure after 
-    the call as the component is required to copy any data it shall retain.  
-    This is a blocking call.  
-    
-    The component should return from this call within 5 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [in] nConfigIndex
-        Index of the structure to be sent.  This value is from the
-        OMX_INDEXTYPE enumeration above.
-    @param [in] pComponentConfigStructure
-        pointer to application allocated structure to be used for
-        initialization by the component.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp
- */
-#define OMX_SetConfig(                                      \
-        hComponent,                                         \
-        nConfigIndex,                                       \
-        pComponentConfigStructure)                           \
-    ((OMX_COMPONENTTYPE*)hComponent)->SetConfig(            \
-        hComponent,                                         \
-        nConfigIndex,                                       \
-        pComponentConfigStructure)       /* Macro End */
-
-
-/** The OMX_GetExtensionIndex macro will invoke a component to translate 
-    a vendor specific configuration or parameter string into an OMX 
-    structure index.  There is no requirement for the vendor to support 
-    this command for the indexes already found in the OMX_INDEXTYPE 
-    enumeration (this is done to save space in small components).  The 
-    component shall support all vendor supplied extension indexes not found
-    in the master OMX_INDEXTYPE enumeration.  This is a blocking call.  
-    
-    The component should return from this call within 5 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the GetHandle function.
-    @param [in] cParameterName
-        OMX_STRING that shall be less than 128 characters long including
-        the trailing null byte.  This is the string that will get 
-        translated by the component into a configuration index.
-    @param [out] pIndexType
-        a pointer to a OMX_INDEXTYPE to receive the index value.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp
- */
-#define OMX_GetExtensionIndex(                              \
-        hComponent,                                         \
-        cParameterName,                                     \
-        pIndexType)                                         \
-    ((OMX_COMPONENTTYPE*)hComponent)->GetExtensionIndex(    \
-        hComponent,                                         \
-        cParameterName,                                     \
-        pIndexType)                     /* Macro End */
-
-
-/** The OMX_GetState macro will invoke the component to get the current 
-    state of the component and place the state value into the location
-    pointed to by pState.  
-    
-    The component should return from this call within 5 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [out] pState
-        pointer to the location to receive the state.  The value returned
-        is one of the OMX_STATETYPE members 
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp
- */
-#define OMX_GetState(                                       \
-        hComponent,                                         \
-        pState)                                             \
-    ((OMX_COMPONENTTYPE*)hComponent)->GetState(             \
-        hComponent,                                         \
-        pState)                         /* Macro End */
-
-
-/** The OMX_UseBuffer macro will request that the component use
-    a buffer (and allocate its own buffer header) already allocated 
-    by another component, or by the IL Client. This is a blocking 
-    call.
-    
-    The component should return from this call within 20 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [out] ppBuffer
-        pointer to an OMX_BUFFERHEADERTYPE structure used to receive the 
-        pointer to the buffer header
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp buf
- */
-
-#define OMX_UseBuffer(                                      \
-           hComponent,                                      \
-           ppBufferHdr,                                     \
-           nPortIndex,                                      \
-           pAppPrivate,                                     \
-           nSizeBytes,                                      \
-           pBuffer)                                         \
-    ((OMX_COMPONENTTYPE*)hComponent)->UseBuffer(            \
-           hComponent,                                      \
-           ppBufferHdr,                                     \
-           nPortIndex,                                      \
-           pAppPrivate,                                     \
-           nSizeBytes,                                      \
-           pBuffer)
-
-
-/** The OMX_AllocateBuffer macro will request that the component allocate 
-    a new buffer and buffer header.  The component will allocate the 
-    buffer and the buffer header and return a pointer to the buffer 
-    header.  This is a blocking call.
-    
-    The component should return from this call within 5 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [out] ppBuffer
-        pointer to an OMX_BUFFERHEADERTYPE structure used to receive 
-        the pointer to the buffer header
-    @param [in] nPortIndex
-        nPortIndex is used to select the port on the component the buffer will
-        be used with.  The port can be found by using the nPortIndex
-        value as an index into the Port Definition array of the component.
-    @param [in] pAppPrivate
-        pAppPrivate is used to initialize the pAppPrivate member of the 
-        buffer header structure.
-    @param [in] nSizeBytes
-        size of the buffer to allocate.  Used when bAllocateNew is true.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp buf
- */    
-#define OMX_AllocateBuffer(                                 \
-        hComponent,                                         \
-        ppBuffer,                                           \
-        nPortIndex,                                         \
-        pAppPrivate,                                        \
-        nSizeBytes)                                         \
-    ((OMX_COMPONENTTYPE*)hComponent)->AllocateBuffer(       \
-        hComponent,                                         \
-        ppBuffer,                                           \
-        nPortIndex,                                         \
-        pAppPrivate,                                        \
-        nSizeBytes)                     /* Macro End */
-
-
-/** The OMX_FreeBuffer macro will release a buffer header from the component
-    which was allocated using either OMX_AllocateBuffer or OMX_UseBuffer. If  
-    the component allocated the buffer (see the OMX_UseBuffer macro) then 
-    the component shall free the buffer and buffer header. This is a 
-    blocking call. 
-    
-    The component should return from this call within 20 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [in] nPortIndex
-        nPortIndex is used to select the port on the component the buffer will
-        be used with.
-    @param [in] pBuffer
-        pointer to an OMX_BUFFERHEADERTYPE structure allocated with UseBuffer
-        or AllocateBuffer.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp buf
- */
-#define OMX_FreeBuffer(                                     \
-        hComponent,                                         \
-        nPortIndex,                                         \
-        pBuffer)                                            \
-    ((OMX_COMPONENTTYPE*)hComponent)->FreeBuffer(           \
-        hComponent,                                         \
-        nPortIndex,                                         \
-        pBuffer)                        /* Macro End */
-
-
-/** The OMX_EmptyThisBuffer macro will send a buffer full of data to an 
-    input port of a component.  The buffer will be emptied by the component
-    and returned to the application via the EmptyBufferDone call back.
-    This is a non-blocking call in that the component will record the buffer
-    and return immediately and then empty the buffer, later, at the proper 
-    time.  As expected, this macro may be invoked only while the component 
-    is in the OMX_StateExecuting.  If nPortIndex does not specify an input
-    port, the component shall return an error.  
-    
-    The component should return from this call within 5 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [in] pBuffer
-        pointer to an OMX_BUFFERHEADERTYPE structure allocated with UseBuffer
-        or AllocateBuffer.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp buf
- */
-#define OMX_EmptyThisBuffer(                                \
-        hComponent,                                         \
-        pBuffer)                                            \
-    ((OMX_COMPONENTTYPE*)hComponent)->EmptyThisBuffer(      \
-        hComponent,                                         \
-        pBuffer)                        /* Macro End */
-
-
-/** The OMX_FillThisBuffer macro will send an empty buffer to an 
-    output port of a component.  The buffer will be filled by the component
-    and returned to the application via the FillBufferDone call back.
-    This is a non-blocking call in that the component will record the buffer
-    and return immediately and then fill the buffer, later, at the proper 
-    time.  As expected, this macro may be invoked only while the component 
-    is in the OMX_ExecutingState.  If nPortIndex does not specify an output
-    port, the component shall return an error.  
-    
-    The component should return from this call within 5 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [in] pBuffer
-        pointer to an OMX_BUFFERHEADERTYPE structure allocated with UseBuffer
-        or AllocateBuffer.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp buf
- */
-#define OMX_FillThisBuffer(                                 \
-        hComponent,                                         \
-        pBuffer)                                            \
-    ((OMX_COMPONENTTYPE*)hComponent)->FillThisBuffer(       \
-        hComponent,                                         \
-        pBuffer)                        /* Macro End */
-
-
-
-/** The OMX_UseEGLImage macro will request that the component use
-    a EGLImage provided by EGL (and allocate its own buffer header)
-    This is a blocking call.
-    
-    The component should return from this call within 20 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [out] ppBuffer
-        pointer to an OMX_BUFFERHEADERTYPE structure used to receive the 
-        pointer to the buffer header.  Note that the memory location used
-        for this buffer is NOT visible to the IL Client.
-    @param [in] nPortIndex
-        nPortIndex is used to select the port on the component the buffer will
-        be used with.  The port can be found by using the nPortIndex
-        value as an index into the Port Definition array of the component.
-    @param [in] pAppPrivate
-        pAppPrivate is used to initialize the pAppPrivate member of the 
-        buffer header structure.
-    @param [in] eglImage
-        eglImage contains the handle of the EGLImage to use as a buffer on the
-        specified port.  The component is expected to validate properties of 
-        the EGLImage against the configuration of the port to ensure the component
-        can use the EGLImage as a buffer.          
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp buf
- */
-#define OMX_UseEGLImage(                                    \
-           hComponent,                                      \
-           ppBufferHdr,                                     \
-           nPortIndex,                                      \
-           pAppPrivate,                                     \
-           eglImage)                                        \
-    ((OMX_COMPONENTTYPE*)hComponent)->UseEGLImage(          \
-           hComponent,                                      \
-           ppBufferHdr,                                     \
-           nPortIndex,                                      \
-           pAppPrivate,                                     \
-           eglImage)
-
-/** The OMX_Init method is used to initialize the OMX core.  It shall be the
-    first call made into OMX and it should only be executed one time without
-    an interviening OMX_Deinit call.  
-    
-    The core should return from this call within 20 msec.
-
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup core
- */
-OMX_API OMX_ERRORTYPE OMX_APIENTRY OMX_Init(void);
-
-
-/** The OMX_Deinit method is used to deinitialize the OMX core.  It shall be 
-    the last call made into OMX. In the event that the core determines that 
-    thare are components loaded when this call is made, the core may return 
-    with an error rather than try to unload the components.
-        
-    The core should return from this call within 20 msec.
-    
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup core
- */
-OMX_API OMX_ERRORTYPE OMX_APIENTRY OMX_Deinit(void);
-
-
-/** The OMX_ComponentNameEnum method will enumerate through all the names of
-    recognised valid components in the system. This function is provided
-    as a means to detect all the components in the system run-time. There is
-    no strict ordering to the enumeration order of component names, although
-    each name will only be enumerated once.  If the OMX core supports run-time
-    installation of new components, it is only requried to detect newly
-    installed components when the first call to enumerate component names
-    is made (i.e. when nIndex is 0x0).
-    
-    The core should return from this call in 20 msec.
-    
-    @param [out] cComponentName
-        pointer to a null terminated string with the component name.  The
-        names of the components are strings less than 127 bytes in length
-        plus the trailing null for a maximum size of 128 bytes.  An example 
-        of a valid component name is "OMX.TI.AUDIO.DSP.MIXER\0".  Names are 
-        assigned by the vendor, but shall start with "OMX." and then have 
-        the Vendor designation next.
-    @param [in] nNameLength
-        number of characters in the cComponentName string.  With all 
-        component name strings restricted to less than 128 characters 
-        (including the trailing null) it is recomended that the caller
-        provide a input string for the cComponentName of 128 characters.
-    @param [in] nIndex
-        number containing the enumeration index for the component. 
-        Multiple calls to OMX_ComponentNameEnum with increasing values
-        of nIndex will enumerate through the component names in the
-        system until OMX_ErrorNoMore is returned.  The value of nIndex
-        is 0 to (N-1), where N is the number of valid installed components
-        in the system.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  When the value of nIndex exceeds the number of 
-        components in the system minus 1, OMX_ErrorNoMore will be
-        returned. Otherwise the appropriate OMX error will be returned.
-    @ingroup core
- */
-OMX_API OMX_ERRORTYPE OMX_APIENTRY OMX_ComponentNameEnum(
-    OMX_OUT OMX_STRING cComponentName,
-    OMX_IN  OMX_U32 nNameLength,
-    OMX_IN  OMX_U32 nIndex);
-
-
-/** The OMX_GetHandle method will locate the component specified by the
-    component name given, load that component into memory and then invoke
-    the component's methods to create an instance of the component.  
-    
-    The core should return from this call within 20 msec.
-    
-    @param [out] pHandle
-        pointer to an OMX_HANDLETYPE pointer to be filled in by this method.
-    @param [in] cComponentName
-        pointer to a null terminated string with the component name.  The
-        names of the components are strings less than 127 bytes in length
-        plus the trailing null for a maximum size of 128 bytes.  An example 
-        of a valid component name is "OMX.TI.AUDIO.DSP.MIXER\0".  Names are 
-        assigned by the vendor, but shall start with "OMX." and then have 
-        the Vendor designation next.
-    @param [in] pAppData
-        pointer to an application defined value that will be returned
-        during callbacks so that the application can identify the source
-        of the callback.
-    @param [in] pCallBacks
-        pointer to a OMX_CALLBACKTYPE structure that will be passed to the
-        component to initialize it with.  
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup core
- */
-OMX_API OMX_ERRORTYPE OMX_APIENTRY OMX_GetHandle(
-    OMX_OUT OMX_HANDLETYPE* pHandle, 
-    OMX_IN  OMX_STRING cComponentName,
-    OMX_IN  OMX_PTR pAppData,
-    OMX_IN  OMX_CALLBACKTYPE* pCallBacks);
-
-
-/** The OMX_FreeHandle method will free a handle allocated by the OMX_GetHandle 
-    method.  If the component reference count goes to zero, the component will
-    be unloaded from memory.  
-    
-    The core should return from this call within 20 msec when the component is 
-    in the OMX_StateLoaded state.
-
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the GetHandle function.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup core
- */
-OMX_API OMX_ERRORTYPE OMX_APIENTRY OMX_FreeHandle(
-    OMX_IN  OMX_HANDLETYPE hComponent);
-
-
-
-/** The OMX_SetupTunnel method will handle the necessary calls to the components
-    to setup the specified tunnel the two components.  NOTE: This is
-    an actual method (not a #define macro).  This method will make calls into
-    the component ComponentTunnelRequest method to do the actual tunnel 
-    connection.  
-
-    The ComponentTunnelRequest method on both components will be called. 
-    This method shall not be called unless the component is in the 
-    OMX_StateLoaded state except when the ports used for the tunnel are
-    disabled. In this case, the component may be in the OMX_StateExecuting,
-    OMX_StatePause, or OMX_StateIdle states. 
-
-    The core should return from this call within 20 msec.
-    
-    @param [in] hOutput
-        Handle of the component to be accessed.  Also this is the handle
-        of the component whose port, specified in the nPortOutput parameter
-        will be used the source for the tunnel. This is the component handle
-        returned by the call to the OMX_GetHandle function.  There is a 
-        requirement that hOutput be the source for the data when
-        tunelling (i.e. nPortOutput is an output port).  If 0x0, the component
-        specified in hInput will have it's port specified in nPortInput
-        setup for communication with the application / IL client.
-    @param [in] nPortOutput
-        nPortOutput is used to select the source port on component to be
-        used in the tunnel. 
-    @param [in] hInput
-        This is the component to setup the tunnel with. This is the handle
-        of the component whose port, specified in the nPortInput parameter
-        will be used the destination for the tunnel. This is the component handle
-        returned by the call to the OMX_GetHandle function.  There is a 
-        requirement that hInput be the destination for the data when
-        tunelling (i.e. nPortInut is an input port).   If 0x0, the component
-        specified in hOutput will have it's port specified in nPortPOutput
-        setup for communication with the application / IL client.
-    @param [in] nPortInput
-        nPortInput is used to select the destination port on component to be
-        used in the tunnel.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-        When OMX_ErrorNotImplemented is returned, one or both components is 
-        a non-interop component and does not support tunneling.
-        
-        On failure, the ports of both components are setup for communication
-        with the application / IL Client.
-    @ingroup core tun
- */
-OMX_API OMX_ERRORTYPE OMX_APIENTRY OMX_SetupTunnel(
-    OMX_IN  OMX_HANDLETYPE hOutput,
-    OMX_IN  OMX_U32 nPortOutput,
-    OMX_IN  OMX_HANDLETYPE hInput,
-    OMX_IN  OMX_U32 nPortInput);
-    
-/** @ingroup cp */
-OMX_API OMX_ERRORTYPE   OMX_GetContentPipe(
-    OMX_OUT OMX_HANDLETYPE *hPipe,
-    OMX_IN OMX_STRING szURI);
-
-/** The OMX_GetComponentsOfRole method will return the number of components that support the given
-    role and (if the compNames field is non-NULL) the names of those components. The call will fail if 
-    an insufficiently sized array of names is supplied. To ensure the array is sufficiently sized the
-    client should:
-        * first call this function with the compNames field NULL to determine the number of component names
-        * second call this function with the compNames field pointing to an array of names allocated 
-          according to the number returned by the first call.
-
-    The core should return from this call within 5 msec.
-    
-    @param [in] role
-        This is generic standard component name consisting only of component class 
-        name and the type within that class (e.g. 'audio_decoder.aac').
-    @param [inout] pNumComps
-        This is used both as input and output. 
- 
-        If compNames is NULL, the input is ignored and the output specifies how many components support
-        the given role.
-     
-        If compNames is not NULL, on input it bounds the size of the input structure and 
-        on output, it specifies the number of components string names listed within the compNames parameter.
-    @param [inout] compNames
-        If NULL this field is ignored. If non-NULL this points to an array of 128-byte strings which accepts 
-        a list of the names of all physical components that implement the specified standard component name. 
-        Each name is NULL terminated. numComps indicates the number of names.
-    @ingroup core
- */
-OMX_API OMX_ERRORTYPE OMX_GetComponentsOfRole ( 
-	OMX_IN      OMX_STRING role,
-    OMX_INOUT   OMX_U32 *pNumComps,
-    OMX_INOUT   OMX_U8  **compNames);
-
-/** The OMX_GetRolesOfComponent method will return the number of roles supported by the given
-    component and (if the roles field is non-NULL) the names of those roles. The call will fail if 
-    an insufficiently sized array of names is supplied. To ensure the array is sufficiently sized the
-    client should:
-        * first call this function with the roles field NULL to determine the number of role names
-        * second call this function with the roles field pointing to an array of names allocated 
-          according to the number returned by the first call.
-
-    The core should return from this call within 5 msec.
-
-    @param [in] compName
-        This is the name of the component being queried about.
-    @param [inout] pNumRoles
-        This is used both as input and output. 
- 
-        If roles is NULL, the input is ignored and the output specifies how many roles the component supports.
-     
-        If compNames is not NULL, on input it bounds the size of the input structure and 
-        on output, it specifies the number of roles string names listed within the roles parameter.
-    @param [out] roles
-        If NULL this field is ignored. If non-NULL this points to an array of 128-byte strings 
-        which accepts a list of the names of all standard components roles implemented on the 
-        specified component name. numComps indicates the number of names.
-    @ingroup core
- */
-OMX_API OMX_ERRORTYPE OMX_GetRolesOfComponent ( 
-	OMX_IN      OMX_STRING compName, 
-    OMX_INOUT   OMX_U32 *pNumRoles,
-    OMX_OUT     OMX_U8 **roles);
-
-#ifdef __cplusplus
-}
-#endif /* __cplusplus */
-
-#endif
-/* File EOF */
-
diff --git a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_IVCommon.h b/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_IVCommon.h
deleted file mode 100644
index 8bb4dede8..000000000
--- a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_IVCommon.h
+++ /dev/null
@@ -1,947 +0,0 @@
-/* ------------------------------------------------------------------
- * Copyright (C) 1998-2009 PacketVideo
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- * -------------------------------------------------------------------
- */
-/**
- * Copyright (c) 2008 The Khronos Group Inc.
- *
- * Permission is hereby granted, free of charge, to any person obtaining
- * a copy of this software and associated documentation files (the
- * "Software"), to deal in the Software without restriction, including
- * without limitation the rights to use, copy, modify, merge, publish,
- * distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so, subject
- * to the following conditions:
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
- * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
- * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
- * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- *
- */
-
-/**
- * @file OMX_IVCommon.h - OpenMax IL version 1.1.2
- *  The structures needed by Video and Image components to exchange
- *  parameters and configuration data with the components.
- */
-#ifndef OMX_IVCommon_h
-#define OMX_IVCommon_h
-
-#ifdef __cplusplus
-extern "C" {
-#endif /* __cplusplus */
-
-/**
- * Each OMX header must include all required header files to allow the header
- * to compile without errors.  The includes below are required for this header
- * file to compile successfully
- */
-
-#include <OMX_Core.h>
-
-/** @defgroup iv OpenMAX IL Imaging and Video Domain
- * Common structures for OpenMAX IL Imaging and Video domains
- * @{
- */
-
-
-/**
- * Enumeration defining possible uncompressed image/video formats.
- *
- * ENUMS:
- *  Unused                 : Placeholder value when format is N/A
- *  Monochrome             : black and white
- *  8bitRGB332             : Red 7:5, Green 4:2, Blue 1:0
- *  12bitRGB444            : Red 11:8, Green 7:4, Blue 3:0
- *  16bitARGB4444          : Alpha 15:12, Red 11:8, Green 7:4, Blue 3:0
- *  16bitARGB1555          : Alpha 15, Red 14:10, Green 9:5, Blue 4:0
- *  16bitRGB565            : Red 15:11, Green 10:5, Blue 4:0
- *  16bitBGR565            : Blue 15:11, Green 10:5, Red 4:0
- *  18bitRGB666            : Red 17:12, Green 11:6, Blue 5:0
- *  18bitARGB1665          : Alpha 17, Red 16:11, Green 10:5, Blue 4:0
- *  19bitARGB1666          : Alpha 18, Red 17:12, Green 11:6, Blue 5:0
- *  24bitRGB888            : Red 24:16, Green 15:8, Blue 7:0
- *  24bitBGR888            : Blue 24:16, Green 15:8, Red 7:0
- *  24bitARGB1887          : Alpha 23, Red 22:15, Green 14:7, Blue 6:0
- *  25bitARGB1888          : Alpha 24, Red 23:16, Green 15:8, Blue 7:0
- *  32bitBGRA8888          : Blue 31:24, Green 23:16, Red 15:8, Alpha 7:0
- *  32bitARGB8888          : Alpha 31:24, Red 23:16, Green 15:8, Blue 7:0
- *  YUV411Planar           : U,Y are subsampled by a factor of 4 horizontally
- *  YUV411PackedPlanar     : packed per payload in planar slices
- *  YUV420Planar           : Three arrays Y,U,V.
- *  YUV420PackedPlanar     : packed per payload in planar slices
- *  YUV420SemiPlanar       : Two arrays, one is all Y, the other is U and V
- *  YUV422Planar           : Three arrays Y,U,V.
- *  YUV422PackedPlanar     : packed per payload in planar slices
- *  YUV422SemiPlanar       : Two arrays, one is all Y, the other is U and V
- *  YCbYCr                 : Organized as 16bit YUYV (i.e. YCbYCr)
- *  YCrYCb                 : Organized as 16bit YVYU (i.e. YCrYCb)
- *  CbYCrY                 : Organized as 16bit UYVY (i.e. CbYCrY)
- *  CrYCbY                 : Organized as 16bit VYUY (i.e. CrYCbY)
- *  YUV444Interleaved      : Each pixel contains equal parts YUV
- *  RawBayer8bit           : SMIA camera output format
- *  RawBayer10bit          : SMIA camera output format
- *  RawBayer8bitcompressed : SMIA camera output format
- */
-typedef enum OMX_COLOR_FORMATTYPE {
-    OMX_COLOR_FormatUnused,
-    OMX_COLOR_FormatMonochrome,
-    OMX_COLOR_Format8bitRGB332,
-    OMX_COLOR_Format12bitRGB444,
-    OMX_COLOR_Format16bitARGB4444,
-    OMX_COLOR_Format16bitARGB1555,
-    OMX_COLOR_Format16bitRGB565,
-    OMX_COLOR_Format16bitBGR565,
-    OMX_COLOR_Format18bitRGB666,
-    OMX_COLOR_Format18bitARGB1665,
-    OMX_COLOR_Format19bitARGB1666,
-    OMX_COLOR_Format24bitRGB888,
-    OMX_COLOR_Format24bitBGR888,
-    OMX_COLOR_Format24bitARGB1887,
-    OMX_COLOR_Format25bitARGB1888,
-    OMX_COLOR_Format32bitBGRA8888,
-    OMX_COLOR_Format32bitARGB8888,
-    OMX_COLOR_FormatYUV411Planar,
-    OMX_COLOR_FormatYUV411PackedPlanar,
-    OMX_COLOR_FormatYUV420Planar,
-    OMX_COLOR_FormatYUV420PackedPlanar,
-    OMX_COLOR_FormatYUV420SemiPlanar,
-    OMX_COLOR_FormatYUV422Planar,
-    OMX_COLOR_FormatYUV422PackedPlanar,
-    OMX_COLOR_FormatYUV422SemiPlanar,
-    OMX_COLOR_FormatYCbYCr,
-    OMX_COLOR_FormatYCrYCb,
-    OMX_COLOR_FormatCbYCrY,
-    OMX_COLOR_FormatCrYCbY,
-    OMX_COLOR_FormatYUV444Interleaved,
-    OMX_COLOR_FormatRawBayer8bit,
-    OMX_COLOR_FormatRawBayer10bit,
-    OMX_COLOR_FormatRawBayer8bitcompressed,
-    OMX_COLOR_FormatL2,
-    OMX_COLOR_FormatL4,
-    OMX_COLOR_FormatL8,
-    OMX_COLOR_FormatL16,
-    OMX_COLOR_FormatL24,
-    OMX_COLOR_FormatL32,
-    OMX_COLOR_FormatYUV420PackedSemiPlanar,
-    OMX_COLOR_FormatYUV422PackedSemiPlanar,
-    OMX_COLOR_Format18BitBGR666,
-    OMX_COLOR_Format24BitARGB6666,
-    OMX_COLOR_Format24BitABGR6666,
-    OMX_COLOR_FormatKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_COLOR_FormatVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    /**<Reserved android opaque colorformat. Tells the encoder that
-     * the actual colorformat will be  relayed by the
-     * Gralloc Buffers.
-     * FIXME: In the process of reserving some enum values for
-     * Android-specific OMX IL colorformats. Change this enum to
-     * an acceptable range once that is done.
-     * */
-    OMX_COLOR_FormatAndroidOpaque = 0x7F000789,
-    OMX_TI_COLOR_FormatYUV420PackedSemiPlanar = 0x7F000100,
-    OMX_QCOM_COLOR_FormatYVU420SemiPlanar = 0x7FA30C00,
-    OMX_COLOR_FormatMax = 0x7FFFFFFF
-} OMX_COLOR_FORMATTYPE;
-
-
-/**
- * Defines the matrix for conversion from RGB to YUV or vice versa.
- * iColorMatrix should be initialized with the fixed point values
- * used in converting between formats.
- */
-typedef struct OMX_CONFIG_COLORCONVERSIONTYPE {
-    OMX_U32 nSize;              /**< Size of the structure in bytes */
-    OMX_VERSIONTYPE nVersion;   /**< OMX specification version info */
-    OMX_U32 nPortIndex;         /**< Port that this struct applies to */
-    OMX_S32 xColorMatrix[3][3]; /**< Stored in signed Q16 format */
-    OMX_S32 xColorOffset[4];    /**< Stored in signed Q16 format */
-}OMX_CONFIG_COLORCONVERSIONTYPE;
-
-
-/**
- * Structure defining percent to scale each frame dimension.  For example:
- * To make the width 50% larger, use fWidth = 1.5 and to make the width
- * 1/2 the original size, use fWidth = 0.5
- */
-typedef struct OMX_CONFIG_SCALEFACTORTYPE {
-    OMX_U32 nSize;            /**< Size of the structure in bytes */
-    OMX_VERSIONTYPE nVersion; /**< OMX specification version info */
-    OMX_U32 nPortIndex;       /**< Port that this struct applies to */
-    OMX_S32 xWidth;           /**< Fixed point value stored as Q16 */
-    OMX_S32 xHeight;          /**< Fixed point value stored as Q16 */
-}OMX_CONFIG_SCALEFACTORTYPE;
-
-
-/**
- * Enumeration of possible image filter types
- */
-typedef enum OMX_IMAGEFILTERTYPE {
-    OMX_ImageFilterNone,
-    OMX_ImageFilterNoise,
-    OMX_ImageFilterEmboss,
-    OMX_ImageFilterNegative,
-    OMX_ImageFilterSketch,
-    OMX_ImageFilterOilPaint,
-    OMX_ImageFilterHatch,
-    OMX_ImageFilterGpen,
-    OMX_ImageFilterAntialias,
-    OMX_ImageFilterDeRing,
-    OMX_ImageFilterSolarize,
-    OMX_ImageFilterKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_ImageFilterVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_ImageFilterMax = 0x7FFFFFFF
-} OMX_IMAGEFILTERTYPE;
-
-
-/**
- * Image filter configuration
- *
- * STRUCT MEMBERS:
- *  nSize        : Size of the structure in bytes
- *  nVersion     : OMX specification version information
- *  nPortIndex   : Port that this structure applies to
- *  eImageFilter : Image filter type enumeration
- */
-typedef struct OMX_CONFIG_IMAGEFILTERTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_IMAGEFILTERTYPE eImageFilter;
-} OMX_CONFIG_IMAGEFILTERTYPE;
-
-
-/**
- * Customized U and V for color enhancement
- *
- * STRUCT MEMBERS:
- *  nSize             : Size of the structure in bytes
- *  nVersion          : OMX specification version information
- *  nPortIndex        : Port that this structure applies to
- *  bColorEnhancement : Enable/disable color enhancement
- *  nCustomizedU      : Practical values: 16-240, range: 0-255, value set for
- *                      U component
- *  nCustomizedV      : Practical values: 16-240, range: 0-255, value set for
- *                      V component
- */
-typedef struct OMX_CONFIG_COLORENHANCEMENTTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_BOOL bColorEnhancement;
-    OMX_U8 nCustomizedU;
-    OMX_U8 nCustomizedV;
-} OMX_CONFIG_COLORENHANCEMENTTYPE;
-
-
-/**
- * Define color key and color key mask
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nARGBColor : 32bit Alpha, Red, Green, Blue Color
- *  nARGBMask  : 32bit Mask for Alpha, Red, Green, Blue channels
- */
-typedef struct OMX_CONFIG_COLORKEYTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nARGBColor;
-    OMX_U32 nARGBMask;
-} OMX_CONFIG_COLORKEYTYPE;
-
-
-/**
- * List of color blend types for pre/post processing
- *
- * ENUMS:
- *  None          : No color blending present
- *  AlphaConstant : Function is (alpha_constant * src) +
- *                  (1 - alpha_constant) * dst)
- *  AlphaPerPixel : Function is (alpha * src) + (1 - alpha) * dst)
- *  Alternate     : Function is alternating pixels from src and dst
- *  And           : Function is (src & dst)
- *  Or            : Function is (src | dst)
- *  Invert        : Function is ~src
- */
-typedef enum OMX_COLORBLENDTYPE {
-    OMX_ColorBlendNone,
-    OMX_ColorBlendAlphaConstant,
-    OMX_ColorBlendAlphaPerPixel,
-    OMX_ColorBlendAlternate,
-    OMX_ColorBlendAnd,
-    OMX_ColorBlendOr,
-    OMX_ColorBlendInvert,
-    OMX_ColorBlendKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_ColorBlendVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_ColorBlendMax = 0x7FFFFFFF
-} OMX_COLORBLENDTYPE;
-
-
-/**
- * Color blend configuration
- *
- * STRUCT MEMBERS:
- *  nSize             : Size of the structure in bytes
- *  nVersion          : OMX specification version information
- *  nPortIndex        : Port that this structure applies to
- *  nRGBAlphaConstant : Constant global alpha values when global alpha is used
- *  eColorBlend       : Color blend type enumeration
- */
-typedef struct OMX_CONFIG_COLORBLENDTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nRGBAlphaConstant;
-    OMX_COLORBLENDTYPE  eColorBlend;
-} OMX_CONFIG_COLORBLENDTYPE;
-
-
-/**
- * Hold frame dimension
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nWidth     : Frame width in pixels
- *  nHeight    : Frame height in pixels
- */
-typedef struct OMX_FRAMESIZETYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nWidth;
-    OMX_U32 nHeight;
-} OMX_FRAMESIZETYPE;
-
-
-/**
- * Rotation configuration
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nRotation  : +/- integer rotation value
- */
-typedef struct OMX_CONFIG_ROTATIONTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_S32 nRotation;
-} OMX_CONFIG_ROTATIONTYPE;
-
-
-/**
- * Possible mirroring directions for pre/post processing
- *
- * ENUMS:
- *  None       : No mirroring
- *  Vertical   : Vertical mirroring, flip on X axis
- *  Horizontal : Horizontal mirroring, flip on Y axis
- *  Both       : Both vertical and horizontal mirroring
- */
-typedef enum OMX_MIRRORTYPE {
-    OMX_MirrorNone = 0,
-    OMX_MirrorVertical,
-    OMX_MirrorHorizontal,
-    OMX_MirrorBoth,
-    OMX_MirrorKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_MirrorVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_MirrorMax = 0x7FFFFFFF
-} OMX_MIRRORTYPE;
-
-
-/**
- * Mirroring configuration
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  eMirror    : Mirror type enumeration
- */
-typedef struct OMX_CONFIG_MIRRORTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_MIRRORTYPE  eMirror;
-} OMX_CONFIG_MIRRORTYPE;
-
-
-/**
- * Position information only
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nX         : X coordinate for the point
- *  nY         : Y coordinate for the point
- */
-typedef struct OMX_CONFIG_POINTTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_S32 nX;
-    OMX_S32 nY;
-} OMX_CONFIG_POINTTYPE;
-
-
-/**
- * Frame size plus position
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nLeft      : X Coordinate of the top left corner of the rectangle
- *  nTop       : Y Coordinate of the top left corner of the rectangle
- *  nWidth     : Width of the rectangle
- *  nHeight    : Height of the rectangle
- */
-typedef struct OMX_CONFIG_RECTTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_S32 nLeft;
-    OMX_S32 nTop;
-    OMX_U32 nWidth;
-    OMX_U32 nHeight;
-} OMX_CONFIG_RECTTYPE;
-
-
-/**
- * Deblocking state; it is required to be set up before starting the codec
- *
- * STRUCT MEMBERS:
- *  nSize       : Size of the structure in bytes
- *  nVersion    : OMX specification version information
- *  nPortIndex  : Port that this structure applies to
- *  bDeblocking : Enable/disable deblocking mode
- */
-typedef struct OMX_PARAM_DEBLOCKINGTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_BOOL bDeblocking;
-} OMX_PARAM_DEBLOCKINGTYPE;
-
-
-/**
- * Stabilization state
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  bStab      : Enable/disable frame stabilization state
- */
-typedef struct OMX_CONFIG_FRAMESTABTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_BOOL bStab;
-} OMX_CONFIG_FRAMESTABTYPE;
-
-
-/**
- * White Balance control type
- *
- * STRUCT MEMBERS:
- *  SunLight : Referenced in JSR-234
- *  Flash    : Optimal for device's integrated flash
- */
-typedef enum OMX_WHITEBALCONTROLTYPE {
-    OMX_WhiteBalControlOff = 0,
-    OMX_WhiteBalControlAuto,
-    OMX_WhiteBalControlSunLight,
-    OMX_WhiteBalControlCloudy,
-    OMX_WhiteBalControlShade,
-    OMX_WhiteBalControlTungsten,
-    OMX_WhiteBalControlFluorescent,
-    OMX_WhiteBalControlIncandescent,
-    OMX_WhiteBalControlFlash,
-    OMX_WhiteBalControlHorizon,
-    OMX_WhiteBalControlKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_WhiteBalControlVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_WhiteBalControlMax = 0x7FFFFFFF
-} OMX_WHITEBALCONTROLTYPE;
-
-
-/**
- * White Balance control configuration
- *
- * STRUCT MEMBERS:
- *  nSize            : Size of the structure in bytes
- *  nVersion         : OMX specification version information
- *  nPortIndex       : Port that this structure applies to
- *  eWhiteBalControl : White balance enumeration
- */
-typedef struct OMX_CONFIG_WHITEBALCONTROLTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_WHITEBALCONTROLTYPE eWhiteBalControl;
-} OMX_CONFIG_WHITEBALCONTROLTYPE;
-
-
-/**
- * Exposure control type
- */
-typedef enum OMX_EXPOSURECONTROLTYPE {
-    OMX_ExposureControlOff = 0,
-    OMX_ExposureControlAuto,
-    OMX_ExposureControlNight,
-    OMX_ExposureControlBackLight,
-    OMX_ExposureControlSpotLight,
-    OMX_ExposureControlSports,
-    OMX_ExposureControlSnow,
-    OMX_ExposureControlBeach,
-    OMX_ExposureControlLargeAperture,
-    OMX_ExposureControlSmallApperture,
-    OMX_ExposureControlKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_ExposureControlVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_ExposureControlMax = 0x7FFFFFFF
-} OMX_EXPOSURECONTROLTYPE;
-
-
-/**
- * White Balance control configuration
- *
- * STRUCT MEMBERS:
- *  nSize            : Size of the structure in bytes
- *  nVersion         : OMX specification version information
- *  nPortIndex       : Port that this structure applies to
- *  eExposureControl : Exposure control enumeration
- */
-typedef struct OMX_CONFIG_EXPOSURECONTROLTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_EXPOSURECONTROLTYPE eExposureControl;
-} OMX_CONFIG_EXPOSURECONTROLTYPE;
-
-
-/**
- * Defines sensor supported mode.
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nFrameRate : Single shot mode is indicated by a 0
- *  bOneShot   : Enable for single shot, disable for streaming
- *  sFrameSize : Framesize
- */
-typedef struct OMX_PARAM_SENSORMODETYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nFrameRate;
-    OMX_BOOL bOneShot;
-    OMX_FRAMESIZETYPE sFrameSize;
-} OMX_PARAM_SENSORMODETYPE;
-
-
-/**
- * Defines contrast level
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nContrast  : Values allowed for contrast -100 to 100, zero means no change
- */
-typedef struct OMX_CONFIG_CONTRASTTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_S32 nContrast;
-} OMX_CONFIG_CONTRASTTYPE;
-
-
-/**
- * Defines brightness level
- *
- * STRUCT MEMBERS:
- *  nSize       : Size of the structure in bytes
- *  nVersion    : OMX specification version information
- *  nPortIndex  : Port that this structure applies to
- *  nBrightness : 0-100%
- */
-typedef struct OMX_CONFIG_BRIGHTNESSTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nBrightness;
-} OMX_CONFIG_BRIGHTNESSTYPE;
-
-
-/**
- * Defines backlight level configuration for a video sink, e.g. LCD panel
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nBacklight : Values allowed for backlight 0-100%
- *  nTimeout   : Number of milliseconds before backlight automatically turns
- *               off.  A value of 0x0 disables backight timeout
- */
-typedef struct OMX_CONFIG_BACKLIGHTTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nBacklight;
-    OMX_U32 nTimeout;
-} OMX_CONFIG_BACKLIGHTTYPE;
-
-
-/**
- * Defines setting for Gamma
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nGamma     : Values allowed for gamma -100 to 100, zero means no change
- */
-typedef struct OMX_CONFIG_GAMMATYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_S32 nGamma;
-} OMX_CONFIG_GAMMATYPE;
-
-
-/**
- * Define for setting saturation
- *
- * STRUCT MEMBERS:
- *  nSize       : Size of the structure in bytes
- *  nVersion    : OMX specification version information
- *  nPortIndex  : Port that this structure applies to
- *  nSaturation : Values allowed for saturation -100 to 100, zero means
- *                no change
- */
-typedef struct OMX_CONFIG_SATURATIONTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_S32 nSaturation;
-} OMX_CONFIG_SATURATIONTYPE;
-
-
-/**
- * Define for setting Lightness
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nLightness : Values allowed for lightness -100 to 100, zero means no
- *               change
- */
-typedef struct OMX_CONFIG_LIGHTNESSTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_S32 nLightness;
-} OMX_CONFIG_LIGHTNESSTYPE;
-
-
-/**
- * Plane blend configuration
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Index of input port associated with the plane.
- *  nDepth     : Depth of the plane in relation to the screen. Higher
- *               numbered depths are "behind" lower number depths.
- *               This number defaults to the Port Index number.
- *  nAlpha     : Transparency blending component for the entire plane.
- *               See blending modes for more detail.
- */
-typedef struct OMX_CONFIG_PLANEBLENDTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nDepth;
-    OMX_U32 nAlpha;
-} OMX_CONFIG_PLANEBLENDTYPE;
-
-
-/**
- * Define interlace type
- *
- * STRUCT MEMBERS:
- *  nSize                 : Size of the structure in bytes
- *  nVersion              : OMX specification version information
- *  nPortIndex            : Port that this structure applies to
- *  bEnable               : Enable control variable for this functionality
- *                          (see below)
- *  nInterleavePortIndex  : Index of input or output port associated with
- *                          the interleaved plane.
- *  pPlanarPortIndexes[4] : Index of input or output planar ports.
- */
-typedef struct OMX_PARAM_INTERLEAVETYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_BOOL bEnable;
-    OMX_U32 nInterleavePortIndex;
-} OMX_PARAM_INTERLEAVETYPE;
-
-
-/**
- * Defines the picture effect used for an input picture
- */
-typedef enum OMX_TRANSITIONEFFECTTYPE {
-    OMX_EffectNone,
-    OMX_EffectFadeFromBlack,
-    OMX_EffectFadeToBlack,
-    OMX_EffectUnspecifiedThroughConstantColor,
-    OMX_EffectDissolve,
-    OMX_EffectWipe,
-    OMX_EffectUnspecifiedMixOfTwoScenes,
-    OMX_EffectKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_EffectVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_EffectMax = 0x7FFFFFFF
-} OMX_TRANSITIONEFFECTTYPE;
-
-
-/**
- * Structure used to configure current transition effect
- *
- * STRUCT MEMBERS:
- * nSize      : Size of the structure in bytes
- * nVersion   : OMX specification version information
- * nPortIndex : Port that this structure applies to
- * eEffect    : Effect to enable
- */
-typedef struct OMX_CONFIG_TRANSITIONEFFECTTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_TRANSITIONEFFECTTYPE eEffect;
-} OMX_CONFIG_TRANSITIONEFFECTTYPE;
-
-
-/**
- * Defines possible data unit types for encoded video data. The data unit
- * types are used both for encoded video input for playback as well as
- * encoded video output from recording.
- */
-typedef enum OMX_DATAUNITTYPE {
-    OMX_DataUnitCodedPicture,
-    OMX_DataUnitVideoSegment,
-    OMX_DataUnitSeveralSegments,
-    OMX_DataUnitArbitraryStreamSection,
-    OMX_DataUnitKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_DataUnitVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_DataUnitMax = 0x7FFFFFFF
-} OMX_DATAUNITTYPE;
-
-
-/**
- * Defines possible encapsulation types for coded video data unit. The
- * encapsulation information is used both for encoded video input for
- * playback as well as encoded video output from recording.
- */
-typedef enum OMX_DATAUNITENCAPSULATIONTYPE {
-    OMX_DataEncapsulationElementaryStream,
-    OMX_DataEncapsulationGenericPayload,
-    OMX_DataEncapsulationRtpPayload,
-    OMX_DataEncapsulationKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_DataEncapsulationVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_DataEncapsulationMax = 0x7FFFFFFF
-} OMX_DATAUNITENCAPSULATIONTYPE;
-
-
-/**
- * Structure used to configure the type of being decoded/encoded
- */
-typedef struct OMX_PARAM_DATAUNITTYPE {
-    OMX_U32 nSize;            /**< Size of the structure in bytes */
-    OMX_VERSIONTYPE nVersion; /**< OMX specification version information */
-    OMX_U32 nPortIndex;       /**< Port that this structure applies to */
-    OMX_DATAUNITTYPE eUnitType;
-    OMX_DATAUNITENCAPSULATIONTYPE eEncapsulationType;
-} OMX_PARAM_DATAUNITTYPE;
-
-
-/**
- * Defines dither types
- */
-typedef enum OMX_DITHERTYPE {
-    OMX_DitherNone,
-    OMX_DitherOrdered,
-    OMX_DitherErrorDiffusion,
-    OMX_DitherOther,
-    OMX_DitherKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_DitherVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_DitherMax = 0x7FFFFFFF
-} OMX_DITHERTYPE;
-
-
-/**
- * Structure used to configure current type of dithering
- */
-typedef struct OMX_CONFIG_DITHERTYPE {
-    OMX_U32 nSize;            /**< Size of the structure in bytes */
-    OMX_VERSIONTYPE nVersion; /**< OMX specification version information */
-    OMX_U32 nPortIndex;       /**< Port that this structure applies to */
-    OMX_DITHERTYPE eDither;   /**< Type of dithering to use */
-} OMX_CONFIG_DITHERTYPE;
-
-typedef struct OMX_CONFIG_CAPTUREMODETYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;     /**< Port that this structure applies to */
-    OMX_BOOL bContinuous;   /**< If true then ignore frame rate and emit capture
-                             *   data as fast as possible (otherwise obey port's frame rate). */
-    OMX_BOOL bFrameLimited; /**< If true then terminate capture after the port emits the
-                             *   specified number of frames (otherwise the port does not
-                             *   terminate the capture until instructed to do so by the client).
-                             *   Even if set, the client may manually terminate the capture prior
-                             *   to reaching the limit. */
-    OMX_U32 nFrameLimit;      /**< Limit on number of frames emitted during a capture (only
-                               *   valid if bFrameLimited is set). */
-} OMX_CONFIG_CAPTUREMODETYPE;
-
-typedef enum OMX_METERINGTYPE {
-
-    OMX_MeteringModeAverage,     /**< Center-weighted average metering. */
-    OMX_MeteringModeSpot,  	      /**< Spot (partial) metering. */
-    OMX_MeteringModeMatrix,      /**< Matrix or evaluative metering. */
-
-    OMX_MeteringKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_MeteringVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_EVModeMax = 0x7fffffff
-} OMX_METERINGTYPE;
-
-typedef struct OMX_CONFIG_EXPOSUREVALUETYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_METERINGTYPE eMetering;
-    OMX_S32 xEVCompensation;      /**< Fixed point value stored as Q16 */
-    OMX_U32 nApertureFNumber;     /**< e.g. nApertureFNumber = 2 implies "f/2" - Q16 format */
-    OMX_BOOL bAutoAperture;		/**< Whether aperture number is defined automatically */
-    OMX_U32 nShutterSpeedMsec;    /**< Shutterspeed in milliseconds */
-    OMX_BOOL bAutoShutterSpeed;	/**< Whether shutter speed is defined automatically */
-    OMX_U32 nSensitivity;         /**< e.g. nSensitivity = 100 implies "ISO 100" */
-    OMX_BOOL bAutoSensitivity;	/**< Whether sensitivity is defined automatically */
-} OMX_CONFIG_EXPOSUREVALUETYPE;
-
-/**
- * Focus region configuration
- *
- * STRUCT MEMBERS:
- *  nSize           : Size of the structure in bytes
- *  nVersion        : OMX specification version information
- *  nPortIndex      : Port that this structure applies to
- *  bCenter         : Use center region as focus region of interest
- *  bLeft           : Use left region as focus region of interest
- *  bRight          : Use right region as focus region of interest
- *  bTop            : Use top region as focus region of interest
- *  bBottom         : Use bottom region as focus region of interest
- *  bTopLeft        : Use top left region as focus region of interest
- *  bTopRight       : Use top right region as focus region of interest
- *  bBottomLeft     : Use bottom left region as focus region of interest
- *  bBottomRight    : Use bottom right region as focus region of interest
- */
-typedef struct OMX_CONFIG_FOCUSREGIONTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_BOOL bCenter;
-    OMX_BOOL bLeft;
-    OMX_BOOL bRight;
-    OMX_BOOL bTop;
-    OMX_BOOL bBottom;
-    OMX_BOOL bTopLeft;
-    OMX_BOOL bTopRight;
-    OMX_BOOL bBottomLeft;
-    OMX_BOOL bBottomRight;
-} OMX_CONFIG_FOCUSREGIONTYPE;
-
-/**
- * Focus Status type
- */
-typedef enum OMX_FOCUSSTATUSTYPE {
-    OMX_FocusStatusOff = 0,
-    OMX_FocusStatusRequest,
-    OMX_FocusStatusReached,
-    OMX_FocusStatusUnableToReach,
-    OMX_FocusStatusLost,
-    OMX_FocusStatusKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_FocusStatusVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_FocusStatusMax = 0x7FFFFFFF
-} OMX_FOCUSSTATUSTYPE;
-
-/**
- * Focus status configuration
- *
- * STRUCT MEMBERS:
- *  nSize               : Size of the structure in bytes
- *  nVersion            : OMX specification version information
- *  nPortIndex          : Port that this structure applies to
- *  eFocusStatus        : Specifies the focus status
- *  bCenterStatus       : Use center region as focus region of interest
- *  bLeftStatus         : Use left region as focus region of interest
- *  bRightStatus        : Use right region as focus region of interest
- *  bTopStatus          : Use top region as focus region of interest
- *  bBottomStatus       : Use bottom region as focus region of interest
- *  bTopLeftStatus      : Use top left region as focus region of interest
- *  bTopRightStatus     : Use top right region as focus region of interest
- *  bBottomLeftStatus   : Use bottom left region as focus region of interest
- *  bBottomRightStatus  : Use bottom right region as focus region of interest
- */
-typedef struct OMX_PARAM_FOCUSSTATUSTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_FOCUSSTATUSTYPE eFocusStatus;
-    OMX_BOOL bCenterStatus;
-    OMX_BOOL bLeftStatus;
-    OMX_BOOL bRightStatus;
-    OMX_BOOL bTopStatus;
-    OMX_BOOL bBottomStatus;
-    OMX_BOOL bTopLeftStatus;
-    OMX_BOOL bTopRightStatus;
-    OMX_BOOL bBottomLeftStatus;
-    OMX_BOOL bBottomRightStatus;
-} OMX_PARAM_FOCUSSTATUSTYPE;
-
-/** @} */
-
-#ifdef __cplusplus
-}
-#endif /* __cplusplus */
-
-#endif
-/* File EOF */
diff --git a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Index.h b/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Index.h
deleted file mode 100644
index c0b8d9296..000000000
--- a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Index.h
+++ /dev/null
@@ -1,275 +0,0 @@
-/* ------------------------------------------------------------------
- * Copyright (C) 1998-2009 PacketVideo
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- * -------------------------------------------------------------------
- */
-/*
- * Copyright (c) 2008 The Khronos Group Inc. 
- * 
- * Permission is hereby granted, free of charge, to any person obtaining
- * a copy of this software and associated documentation files (the
- * "Software"), to deal in the Software without restriction, including
- * without limitation the rights to use, copy, modify, merge, publish,
- * distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so, subject
- * to the following conditions: 
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software. 
- * 
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
- * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
- * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
- * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- *
- */
-
-/** @file OMX_Index.h - OpenMax IL version 1.1.2
- *  The OMX_Index header file contains the definitions for both applications
- *  and components .
- */
-
-
-#ifndef OMX_Index_h
-#define OMX_Index_h
-
-#ifdef __cplusplus
-extern "C" {
-#endif /* __cplusplus */
-
-
-/* Each OMX header must include all required header files to allow the
- *  header to compile without errors.  The includes below are required
- *  for this header file to compile successfully 
- */
-#include <OMX_Types.h>
-
-
-/** The OMX_INDEXTYPE enumeration is used to select a structure when either
- *  getting or setting parameters and/or configuration data.  Each entry in 
- *  this enumeration maps to an OMX specified structure.  When the 
- *  OMX_GetParameter, OMX_SetParameter, OMX_GetConfig or OMX_SetConfig methods
- *  are used, the second parameter will always be an entry from this enumeration
- *  and the third entry will be the structure shown in the comments for the entry.
- *  For example, if the application is initializing a cropping function, the 
- *  OMX_SetConfig command would have OMX_IndexConfigCommonInputCrop as the second parameter 
- *  and would send a pointer to an initialized OMX_RECTTYPE structure as the 
- *  third parameter.
- *  
- *  The enumeration entries named with the OMX_Config prefix are sent using
- *  the OMX_SetConfig command and the enumeration entries named with the
- *  OMX_PARAM_ prefix are sent using the OMX_SetParameter command.
- */
-typedef enum OMX_INDEXTYPE {
-
-    OMX_IndexComponentStartUnused = 0x01000000,
-    OMX_IndexParamPriorityMgmt,             /**< reference: OMX_PRIORITYMGMTTYPE */
-    OMX_IndexParamAudioInit,                /**< reference: OMX_PORT_PARAM_TYPE */
-    OMX_IndexParamImageInit,                /**< reference: OMX_PORT_PARAM_TYPE */
-    OMX_IndexParamVideoInit,                /**< reference: OMX_PORT_PARAM_TYPE */
-    OMX_IndexParamOtherInit,                /**< reference: OMX_PORT_PARAM_TYPE */
-    OMX_IndexParamNumAvailableStreams,      /**< reference: OMX_PARAM_U32TYPE */
-    OMX_IndexParamActiveStream,             /**< reference: OMX_PARAM_U32TYPE */
-    OMX_IndexParamSuspensionPolicy,         /**< reference: OMX_PARAM_SUSPENSIONPOLICYTYPE */
-    OMX_IndexParamComponentSuspended,       /**< reference: OMX_PARAM_SUSPENSIONTYPE */
-    OMX_IndexConfigCapturing,               /**< reference: OMX_CONFIG_BOOLEANTYPE */ 
-    OMX_IndexConfigCaptureMode,             /**< reference: OMX_CONFIG_CAPTUREMODETYPE */ 
-    OMX_IndexAutoPauseAfterCapture,         /**< reference: OMX_CONFIG_BOOLEANTYPE */ 
-    OMX_IndexParamContentURI,               /**< reference: OMX_PARAM_CONTENTURITYPE */
-    OMX_IndexParamCustomContentPipe,        /**< reference: OMX_PARAM_CONTENTPIPETYPE */ 
-    OMX_IndexParamDisableResourceConcealment, /**< reference: OMX_RESOURCECONCEALMENTTYPE */
-    OMX_IndexConfigMetadataItemCount,       /**< reference: OMX_CONFIG_METADATAITEMCOUNTTYPE */
-    OMX_IndexConfigContainerNodeCount,      /**< reference: OMX_CONFIG_CONTAINERNODECOUNTTYPE */
-    OMX_IndexConfigMetadataItem,            /**< reference: OMX_CONFIG_METADATAITEMTYPE */
-    OMX_IndexConfigCounterNodeID,           /**< reference: OMX_CONFIG_CONTAINERNODEIDTYPE */
-    OMX_IndexParamMetadataFilterType,       /**< reference: OMX_PARAM_METADATAFILTERTYPE */
-    OMX_IndexParamMetadataKeyFilter,        /**< reference: OMX_PARAM_METADATAFILTERTYPE */
-    OMX_IndexConfigPriorityMgmt,            /**< reference: OMX_PRIORITYMGMTTYPE */
-    OMX_IndexParamStandardComponentRole,    /**< reference: OMX_PARAM_COMPONENTROLETYPE */
-
-    OMX_IndexPortStartUnused = 0x02000000,
-    OMX_IndexParamPortDefinition,           /**< reference: OMX_PARAM_PORTDEFINITIONTYPE */
-    OMX_IndexParamCompBufferSupplier,       /**< reference: OMX_PARAM_BUFFERSUPPLIERTYPE */ 
-    OMX_IndexReservedStartUnused = 0x03000000,
-
-    /* Audio parameters and configurations */
-    OMX_IndexAudioStartUnused = 0x04000000,
-    OMX_IndexParamAudioPortFormat,          /**< reference: OMX_AUDIO_PARAM_PORTFORMATTYPE */
-    OMX_IndexParamAudioPcm,                 /**< reference: OMX_AUDIO_PARAM_PCMMODETYPE */
-    OMX_IndexParamAudioAac,                 /**< reference: OMX_AUDIO_PARAM_AACPROFILETYPE */
-    OMX_IndexParamAudioRa,                  /**< reference: OMX_AUDIO_PARAM_RATYPE */
-    OMX_IndexParamAudioMp3,                 /**< reference: OMX_AUDIO_PARAM_MP3TYPE */
-    OMX_IndexParamAudioAdpcm,               /**< reference: OMX_AUDIO_PARAM_ADPCMTYPE */
-    OMX_IndexParamAudioG723,                /**< reference: OMX_AUDIO_PARAM_G723TYPE */
-    OMX_IndexParamAudioG729,                /**< reference: OMX_AUDIO_PARAM_G729TYPE */
-    OMX_IndexParamAudioAmr,                 /**< reference: OMX_AUDIO_PARAM_AMRTYPE */
-    OMX_IndexParamAudioWma,                 /**< reference: OMX_AUDIO_PARAM_WMATYPE */
-    OMX_IndexParamAudioSbc,                 /**< reference: OMX_AUDIO_PARAM_SBCTYPE */
-    OMX_IndexParamAudioMidi,                /**< reference: OMX_AUDIO_PARAM_MIDITYPE */
-    OMX_IndexParamAudioGsm_FR,              /**< reference: OMX_AUDIO_PARAM_GSMFRTYPE */
-    OMX_IndexParamAudioMidiLoadUserSound,   /**< reference: OMX_AUDIO_PARAM_MIDILOADUSERSOUNDTYPE */
-    OMX_IndexParamAudioG726,                /**< reference: OMX_AUDIO_PARAM_G726TYPE */
-    OMX_IndexParamAudioGsm_EFR,             /**< reference: OMX_AUDIO_PARAM_GSMEFRTYPE */
-    OMX_IndexParamAudioGsm_HR,              /**< reference: OMX_AUDIO_PARAM_GSMHRTYPE */
-    OMX_IndexParamAudioPdc_FR,              /**< reference: OMX_AUDIO_PARAM_PDCFRTYPE */
-    OMX_IndexParamAudioPdc_EFR,             /**< reference: OMX_AUDIO_PARAM_PDCEFRTYPE */
-    OMX_IndexParamAudioPdc_HR,              /**< reference: OMX_AUDIO_PARAM_PDCHRTYPE */
-    OMX_IndexParamAudioTdma_FR,             /**< reference: OMX_AUDIO_PARAM_TDMAFRTYPE */
-    OMX_IndexParamAudioTdma_EFR,            /**< reference: OMX_AUDIO_PARAM_TDMAEFRTYPE */
-    OMX_IndexParamAudioQcelp8,              /**< reference: OMX_AUDIO_PARAM_QCELP8TYPE */
-    OMX_IndexParamAudioQcelp13,             /**< reference: OMX_AUDIO_PARAM_QCELP13TYPE */
-    OMX_IndexParamAudioEvrc,                /**< reference: OMX_AUDIO_PARAM_EVRCTYPE */
-    OMX_IndexParamAudioSmv,                 /**< reference: OMX_AUDIO_PARAM_SMVTYPE */
-    OMX_IndexParamAudioVorbis,              /**< reference: OMX_AUDIO_PARAM_VORBISTYPE */
-
-    OMX_IndexConfigAudioMidiImmediateEvent, /**< reference: OMX_AUDIO_CONFIG_MIDIIMMEDIATEEVENTTYPE */
-    OMX_IndexConfigAudioMidiControl,        /**< reference: OMX_AUDIO_CONFIG_MIDICONTROLTYPE */
-    OMX_IndexConfigAudioMidiSoundBankProgram, /**< reference: OMX_AUDIO_CONFIG_MIDISOUNDBANKPROGRAMTYPE */
-    OMX_IndexConfigAudioMidiStatus,         /**< reference: OMX_AUDIO_CONFIG_MIDISTATUSTYPE */
-    OMX_IndexConfigAudioMidiMetaEvent,      /**< reference: OMX_AUDIO_CONFIG_MIDIMETAEVENTTYPE */
-    OMX_IndexConfigAudioMidiMetaEventData,  /**< reference: OMX_AUDIO_CONFIG_MIDIMETAEVENTDATATYPE */
-    OMX_IndexConfigAudioVolume,             /**< reference: OMX_AUDIO_CONFIG_VOLUMETYPE */
-    OMX_IndexConfigAudioBalance,            /**< reference: OMX_AUDIO_CONFIG_BALANCETYPE */
-    OMX_IndexConfigAudioChannelMute,        /**< reference: OMX_AUDIO_CONFIG_CHANNELMUTETYPE */
-    OMX_IndexConfigAudioMute,               /**< reference: OMX_AUDIO_CONFIG_MUTETYPE */
-    OMX_IndexConfigAudioLoudness,           /**< reference: OMX_AUDIO_CONFIG_LOUDNESSTYPE */
-    OMX_IndexConfigAudioEchoCancelation,    /**< reference: OMX_AUDIO_CONFIG_ECHOCANCELATIONTYPE */
-    OMX_IndexConfigAudioNoiseReduction,     /**< reference: OMX_AUDIO_CONFIG_NOISEREDUCTIONTYPE */
-    OMX_IndexConfigAudioBass,               /**< reference: OMX_AUDIO_CONFIG_BASSTYPE */
-    OMX_IndexConfigAudioTreble,             /**< reference: OMX_AUDIO_CONFIG_TREBLETYPE */
-    OMX_IndexConfigAudioStereoWidening,     /**< reference: OMX_AUDIO_CONFIG_STEREOWIDENINGTYPE */
-    OMX_IndexConfigAudioChorus,             /**< reference: OMX_AUDIO_CONFIG_CHORUSTYPE */
-    OMX_IndexConfigAudioEqualizer,          /**< reference: OMX_AUDIO_CONFIG_EQUALIZERTYPE */
-    OMX_IndexConfigAudioReverberation,      /**< reference: OMX_AUDIO_CONFIG_REVERBERATIONTYPE */
-    OMX_IndexConfigAudioChannelVolume,      /**< reference: OMX_AUDIO_CONFIG_CHANNELVOLUMETYPE */
-
-    /* Image specific parameters and configurations */
-    OMX_IndexImageStartUnused = 0x05000000,
-    OMX_IndexParamImagePortFormat,          /**< reference: OMX_IMAGE_PARAM_PORTFORMATTYPE */
-    OMX_IndexParamFlashControl,             /**< reference: OMX_IMAGE_PARAM_FLASHCONTROLTYPE */
-    OMX_IndexConfigFocusControl,            /**< reference: OMX_IMAGE_CONFIG_FOCUSCONTROLTYPE */
-    OMX_IndexParamQFactor,                  /**< reference: OMX_IMAGE_PARAM_QFACTORTYPE */
-    OMX_IndexParamQuantizationTable,        /**< reference: OMX_IMAGE_PARAM_QUANTIZATIONTABLETYPE */
-    OMX_IndexParamHuffmanTable,             /**< reference: OMX_IMAGE_PARAM_HUFFMANTTABLETYPE */
-    OMX_IndexConfigFlashControl,            /**< reference: OMX_IMAGE_PARAM_FLASHCONTROLTYPE */
-
-    /* Video specific parameters and configurations */
-    OMX_IndexVideoStartUnused = 0x06000000,
-    OMX_IndexParamVideoPortFormat,          /**< reference: OMX_VIDEO_PARAM_PORTFORMATTYPE */
-    OMX_IndexParamVideoQuantization,        /**< reference: OMX_VIDEO_PARAM_QUANTIZATIONTYPE */
-    OMX_IndexParamVideoFastUpdate,          /**< reference: OMX_VIDEO_PARAM_VIDEOFASTUPDATETYPE */
-    OMX_IndexParamVideoBitrate,             /**< reference: OMX_VIDEO_PARAM_BITRATETYPE */
-    OMX_IndexParamVideoMotionVector,        /**< reference: OMX_VIDEO_PARAM_MOTIONVECTORTYPE */
-    OMX_IndexParamVideoIntraRefresh,        /**< reference: OMX_VIDEO_PARAM_INTRAREFRESHTYPE */
-    OMX_IndexParamVideoErrorCorrection,     /**< reference: OMX_VIDEO_PARAM_ERRORCORRECTIONTYPE */
-    OMX_IndexParamVideoVBSMC,               /**< reference: OMX_VIDEO_PARAM_VBSMCTYPE */
-    OMX_IndexParamVideoMpeg2,               /**< reference: OMX_VIDEO_PARAM_MPEG2TYPE */
-    OMX_IndexParamVideoMpeg4,               /**< reference: OMX_VIDEO_PARAM_MPEG4TYPE */
-    OMX_IndexParamVideoWmv,                 /**< reference: OMX_VIDEO_PARAM_WMVTYPE */
-    OMX_IndexParamVideoRv,                  /**< reference: OMX_VIDEO_PARAM_RVTYPE */
-    OMX_IndexParamVideoAvc,                 /**< reference: OMX_VIDEO_PARAM_AVCTYPE */
-    OMX_IndexParamVideoH263,                /**< reference: OMX_VIDEO_PARAM_H263TYPE */
-    OMX_IndexParamVideoProfileLevelQuerySupported, /**< reference: OMX_VIDEO_PARAM_PROFILELEVELTYPE */
-    OMX_IndexParamVideoProfileLevelCurrent, /**< reference: OMX_VIDEO_PARAM_PROFILELEVELTYPE */
-    OMX_IndexConfigVideoBitrate,            /**< reference: OMX_VIDEO_CONFIG_BITRATETYPE */
-    OMX_IndexConfigVideoFramerate,          /**< reference: OMX_CONFIG_FRAMERATETYPE */
-    OMX_IndexConfigVideoIntraVOPRefresh,    /**< reference: OMX_CONFIG_INTRAREFRESHVOPTYPE */
-    OMX_IndexConfigVideoIntraMBRefresh,     /**< reference: OMX_CONFIG_MACROBLOCKERRORMAPTYPE */
-    OMX_IndexConfigVideoMBErrorReporting,   /**< reference: OMX_CONFIG_MBERRORREPORTINGTYPE */
-    OMX_IndexParamVideoMacroblocksPerFrame, /**< reference: OMX_PARAM_MACROBLOCKSTYPE */
-    OMX_IndexConfigVideoMacroBlockErrorMap, /**< reference: OMX_CONFIG_MACROBLOCKERRORMAPTYPE */
-    OMX_IndexParamVideoSliceFMO,            /**< reference: OMX_VIDEO_PARAM_AVCSLICEFMO */
-    OMX_IndexConfigVideoAVCIntraPeriod,     /**< reference: OMX_VIDEO_CONFIG_AVCINTRAPERIOD */
-    OMX_IndexConfigVideoNalSize,            /**< reference: OMX_VIDEO_CONFIG_NALSIZE */
-
-    /* Image & Video common Configurations */
-    OMX_IndexCommonStartUnused = 0x07000000,
-    OMX_IndexParamCommonDeblocking,         /**< reference: OMX_PARAM_DEBLOCKINGTYPE */
-    OMX_IndexParamCommonSensorMode,         /**< reference: OMX_PARAM_SENSORMODETYPE */
-    OMX_IndexParamCommonInterleave,         /**< reference: OMX_PARAM_INTERLEAVETYPE */
-    OMX_IndexConfigCommonColorFormatConversion, /**< reference: OMX_CONFIG_COLORCONVERSIONTYPE */
-    OMX_IndexConfigCommonScale,             /**< reference: OMX_CONFIG_SCALEFACTORTYPE */
-    OMX_IndexConfigCommonImageFilter,       /**< reference: OMX_CONFIG_IMAGEFILTERTYPE */
-    OMX_IndexConfigCommonColorEnhancement,  /**< reference: OMX_CONFIG_COLORENHANCEMENTTYPE */
-    OMX_IndexConfigCommonColorKey,          /**< reference: OMX_CONFIG_COLORKEYTYPE */
-    OMX_IndexConfigCommonColorBlend,        /**< reference: OMX_CONFIG_COLORBLENDTYPE */
-    OMX_IndexConfigCommonFrameStabilisation,/**< reference: OMX_CONFIG_FRAMESTABTYPE */
-    OMX_IndexConfigCommonRotate,            /**< reference: OMX_CONFIG_ROTATIONTYPE */
-    OMX_IndexConfigCommonMirror,            /**< reference: OMX_CONFIG_MIRRORTYPE */
-    OMX_IndexConfigCommonOutputPosition,    /**< reference: OMX_CONFIG_POINTTYPE */
-    OMX_IndexConfigCommonInputCrop,         /**< reference: OMX_CONFIG_RECTTYPE */
-    OMX_IndexConfigCommonOutputCrop,        /**< reference: OMX_CONFIG_RECTTYPE */
-    OMX_IndexConfigCommonDigitalZoom,       /**< reference: OMX_CONFIG_SCALEFACTORTYPE */
-    OMX_IndexConfigCommonOpticalZoom,       /**< reference: OMX_CONFIG_SCALEFACTORTYPE*/
-    OMX_IndexConfigCommonWhiteBalance,      /**< reference: OMX_CONFIG_WHITEBALCONTROLTYPE */
-    OMX_IndexConfigCommonExposure,          /**< reference: OMX_CONFIG_EXPOSURECONTROLTYPE */
-    OMX_IndexConfigCommonContrast,          /**< reference: OMX_CONFIG_CONTRASTTYPE */
-    OMX_IndexConfigCommonBrightness,        /**< reference: OMX_CONFIG_BRIGHTNESSTYPE */
-    OMX_IndexConfigCommonBacklight,         /**< reference: OMX_CONFIG_BACKLIGHTTYPE */
-    OMX_IndexConfigCommonGamma,             /**< reference: OMX_CONFIG_GAMMATYPE */
-    OMX_IndexConfigCommonSaturation,        /**< reference: OMX_CONFIG_SATURATIONTYPE */
-    OMX_IndexConfigCommonLightness,         /**< reference: OMX_CONFIG_LIGHTNESSTYPE */
-    OMX_IndexConfigCommonExclusionRect,     /**< reference: OMX_CONFIG_RECTTYPE */
-    OMX_IndexConfigCommonDithering,         /**< reference: OMX_CONFIG_DITHERTYPE */
-    OMX_IndexConfigCommonPlaneBlend,        /**< reference: OMX_CONFIG_PLANEBLENDTYPE */
-    OMX_IndexConfigCommonExposureValue,     /**< reference: OMX_CONFIG_EXPOSUREVALUETYPE */
-    OMX_IndexConfigCommonOutputSize,        /**< reference: OMX_FRAMESIZETYPE */
-    OMX_IndexParamCommonExtraQuantData,     /**< reference: OMX_OTHER_EXTRADATATYPE */
-    OMX_IndexConfigCommonFocusRegion,       /**< reference: OMX_CONFIG_FOCUSREGIONTYPE */
-    OMX_IndexConfigCommonFocusStatus,       /**< reference: OMX_PARAM_FOCUSSTATUSTYPE */
-    OMX_IndexConfigCommonTransitionEffect,  /**< reference: OMX_CONFIG_TRANSITIONEFFECTTYPE */
-
-    /* Reserved Configuration range */
-    OMX_IndexOtherStartUnused = 0x08000000,
-    OMX_IndexParamOtherPortFormat,          /**< reference: OMX_OTHER_PARAM_PORTFORMATTYPE */
-    OMX_IndexConfigOtherPower,              /**< reference: OMX_OTHER_CONFIG_POWERTYPE */
-    OMX_IndexConfigOtherStats,              /**< reference: OMX_OTHER_CONFIG_STATSTYPE */
-
-
-    /* Reserved Time range */
-    OMX_IndexTimeStartUnused = 0x09000000,
-    OMX_IndexConfigTimeScale,               /**< reference: OMX_TIME_CONFIG_SCALETYPE */
-    OMX_IndexConfigTimeClockState,          /**< reference: OMX_TIME_CONFIG_CLOCKSTATETYPE */
-    OMX_IndexConfigTimeActiveRefClock,      /**< reference: OMX_TIME_CONFIG_ACTIVEREFCLOCKTYPE */
-    OMX_IndexConfigTimeCurrentMediaTime,    /**< reference: OMX_TIME_CONFIG_TIMESTAMPTYPE (read only) */
-    OMX_IndexConfigTimeCurrentWallTime,     /**< reference: OMX_TIME_CONFIG_TIMESTAMPTYPE (read only) */
-    OMX_IndexConfigTimeCurrentAudioReference, /**< reference: OMX_TIME_CONFIG_TIMESTAMPTYPE (write only) */
-    OMX_IndexConfigTimeCurrentVideoReference, /**< reference: OMX_TIME_CONFIG_TIMESTAMPTYPE (write only) */
-    OMX_IndexConfigTimeMediaTimeRequest,    /**< reference: OMX_TIME_CONFIG_MEDIATIMEREQUESTTYPE (write only) */
-    OMX_IndexConfigTimeClientStartTime,     /**<reference:  OMX_TIME_CONFIG_TIMESTAMPTYPE (write only) */
-    OMX_IndexConfigTimePosition,            /**< reference: OMX_TIME_CONFIG_TIMESTAMPTYPE */
-    OMX_IndexConfigTimeSeekMode,            /**< reference: OMX_TIME_CONFIG_SEEKMODETYPE */
-
-
-    OMX_IndexKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    /* Vendor specific area */
-    OMX_IndexVendorStartUnused = 0x7F000000,
-    /* Vendor specific structures should be in the range of 0x7F000000 
-       to 0x7FFFFFFE.  This range is not broken out by vendor, so
-       private indexes are not guaranteed unique and therefore should
-       only be sent to the appropriate component. */
-
-    OMX_IndexMax = 0x7FFFFFFF
-
-} OMX_INDEXTYPE;
-
-#ifdef __cplusplus
-}
-#endif /* __cplusplus */
-
-#endif
-/* File EOF */
diff --git a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Types.h b/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Types.h
deleted file mode 100644
index 03fd4bcf5..000000000
--- a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Types.h
+++ /dev/null
@@ -1,365 +0,0 @@
-/* ------------------------------------------------------------------
- * Copyright (C) 1998-2009 PacketVideo
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- * -------------------------------------------------------------------
- */
-/*
- * Copyright (c) 2008 The Khronos Group Inc. 
- * 
- * Permission is hereby granted, free of charge, to any person obtaining
- * a copy of this software and associated documentation files (the
- * "Software"), to deal in the Software without restriction, including
- * without limitation the rights to use, copy, modify, merge, publish,
- * distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so, subject
- * to the following conditions: 
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software. 
- * 
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
- * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
- * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
- * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- *
- */
-
-/** OMX_Types.h - OpenMax IL version 1.1.2
- *  The OMX_Types header file contains the primitive type definitions used by 
- *  the core, the application and the component.  This file may need to be
- *  modified to be used on systems that do not have "char" set to 8 bits, 
- *  "short" set to 16 bits and "long" set to 32 bits.
- */
-
-#ifndef OMX_Types_h
-#define OMX_Types_h
-
-#ifdef __cplusplus
-extern "C" {
-#endif /* __cplusplus */
-
-/** The OMX_API and OMX_APIENTRY are platform specific definitions used
- *  to declare OMX function prototypes.  They are modified to meet the
- *  requirements for a particular platform */
-#ifdef __SYMBIAN32__   
-#   ifdef __OMX_EXPORTS
-#       define OMX_API __declspec(dllexport)
-#   else
-#       ifdef _WIN32
-#           define OMX_API __declspec(dllexport) 
-#       else
-#           define OMX_API __declspec(dllimport)
-#       endif
-#   endif
-#else
-#   ifdef _WIN32
-#      ifdef __OMX_EXPORTS
-#          define OMX_API __declspec(dllexport)
-#      else
-//#          define OMX_API __declspec(dllimport)
-#define OMX_API
-#      endif
-#   else
-#      ifdef __OMX_EXPORTS
-#          define OMX_API
-#      else
-#          define OMX_API extern
-#      endif
-#   endif
-#endif
-
-#ifndef OMX_APIENTRY
-#define OMX_APIENTRY 
-#endif 
-
-/** OMX_IN is used to identify inputs to an OMX function.  This designation 
-    will also be used in the case of a pointer that points to a parameter 
-    that is used as an output. */
-#ifndef OMX_IN
-#define OMX_IN
-#endif
-
-/** OMX_OUT is used to identify outputs from an OMX function.  This 
-    designation will also be used in the case of a pointer that points 
-    to a parameter that is used as an input. */
-#ifndef OMX_OUT
-#define OMX_OUT
-#endif
-
-
-/** OMX_INOUT is used to identify parameters that may be either inputs or
-    outputs from an OMX function at the same time.  This designation will 
-    also be used in the case of a pointer that  points to a parameter that 
-    is used both as an input and an output. */
-#ifndef OMX_INOUT
-#define OMX_INOUT
-#endif
-
-/** OMX_ALL is used to as a wildcard to select all entities of the same type
- *  when specifying the index, or referring to a object by an index.  (i.e.
- *  use OMX_ALL to indicate all N channels). When used as a port index
- *  for a config or parameter this OMX_ALL denotes that the config or
- *  parameter applies to the entire component not just one port. */
-#define OMX_ALL 0xFFFFFFFF
-
-/** In the following we define groups that help building doxygen documentation */
-
-/** @defgroup core OpenMAX IL core
- * Functions and structure related to the OMX IL core
- */
- 
- /** @defgroup comp OpenMAX IL component
- * Functions and structure related to the OMX IL component
- */
- 
-/** @defgroup rpm Resource and Policy Management 
- * Structures for resource and policy management of components
- */
-
-/** @defgroup buf Buffer Management
- * Buffer handling functions and structures
- */
-  
-/** @defgroup tun Tunneling
- * @ingroup core comp
- * Structures and functions to manage tunnels among component ports
- */
- 
-/** @defgroup cp Content Pipes
- *  @ingroup core
- */
- 
- /** @defgroup metadata Metadata handling
-  * 
-  */ 
-
-/** OMX_U8 is an 8 bit unsigned quantity that is byte aligned */
-typedef unsigned char OMX_U8;
-
-/** OMX_S8 is an 8 bit signed quantity that is byte aligned */
-typedef signed char OMX_S8;
-
-/** OMX_U16 is a 16 bit unsigned quantity that is 16 bit word aligned */
-typedef unsigned short OMX_U16;
-
-/** OMX_S16 is a 16 bit signed quantity that is 16 bit word aligned */
-typedef signed short OMX_S16;
-
-/** OMX_U32 is a 32 bit unsigned quantity that is 32 bit word aligned */
-typedef unsigned long OMX_U32;
-
-/** OMX_S32 is a 32 bit signed quantity that is 32 bit word aligned */
-typedef signed long OMX_S32;
-
-
-/* Users with compilers that cannot accept the "long long" designation should
-   define the OMX_SKIP64BIT macro.  It should be noted that this may cause 
-   some components to fail to compile if the component was written to require
-   64 bit integral types.  However, these components would NOT compile anyway
-   since the compiler does not support the way the component was written.
-*/
-#ifndef OMX_SKIP64BIT
-#ifdef __SYMBIAN32__
-/** OMX_U64 is a 64 bit unsigned quantity that is 64 bit word aligned */
-typedef unsigned long long OMX_U64;
-
-/** OMX_S64 is a 64 bit signed quantity that is 64 bit word aligned */
-typedef signed long long OMX_S64;
-
-#elif defined(WIN32)
-
-/** OMX_U64 is a 64 bit unsigned quantity that is 64 bit word aligned */   
-typedef unsigned __int64  OMX_U64;
-
-/** OMX_S64 is a 64 bit signed quantity that is 64 bit word aligned */
-typedef signed   __int64  OMX_S64;
-
-#else /* WIN32 */
-
-/** OMX_U64 is a 64 bit unsigned quantity that is 64 bit word aligned */
-typedef unsigned long long OMX_U64;
-
-/** OMX_S64 is a 64 bit signed quantity that is 64 bit word aligned */
-typedef signed long long OMX_S64;
-
-#endif /* WIN32 */
-#endif
-
-
-/** The OMX_BOOL type is intended to be used to represent a true or a false 
-    value when passing parameters to and from the OMX core and components.  The
-    OMX_BOOL is a 32 bit quantity and is aligned on a 32 bit word boundary.
- */
-typedef enum OMX_BOOL {
-    OMX_FALSE = 0,
-    OMX_TRUE = !OMX_FALSE,
-    OMX_BOOL_MAX = 0x7FFFFFFF
-} OMX_BOOL; 
- 
-/** The OMX_PTR type is intended to be used to pass pointers between the OMX
-    applications and the OMX Core and components.  This is a 32 bit pointer and
-    is aligned on a 32 bit boundary.
- */
-typedef void* OMX_PTR;
-
-/** The OMX_STRING type is intended to be used to pass "C" type strings between
-    the application and the core and component.  The OMX_STRING type is a 32 
-    bit pointer to a zero terminated string.  The  pointer is word aligned and 
-    the string is byte aligned.  
- */
-typedef char* OMX_STRING;
-
-/** The OMX_BYTE type is intended to be used to pass arrays of bytes such as
-    buffers between the application and the component and core.  The OMX_BYTE 
-    type is a 32 bit pointer to a zero terminated string.  The  pointer is word
-    aligned and the string is byte aligned.
- */
-typedef unsigned char* OMX_BYTE;
-
-/** OMX_UUIDTYPE is a very long unique identifier to uniquely identify
-    at runtime.  This identifier should be generated by a component in a way
-    that guarantees that every instance of the identifier running on the system
-    is unique. */
-typedef unsigned char OMX_UUIDTYPE[128];
-
-/** The OMX_DIRTYPE enumeration is used to indicate if a port is an input or
-    an output port.  This enumeration is common across all component types.    
- */
-typedef enum OMX_DIRTYPE
-{
-    OMX_DirInput,              /**< Port is an input port */
-    OMX_DirOutput,             /**< Port is an output port */
-    OMX_DirMax = 0x7FFFFFFF
-} OMX_DIRTYPE;
-
-/** The OMX_ENDIANTYPE enumeration is used to indicate the bit ordering 
-    for numerical data (i.e. big endian, or little endian).    
- */
-typedef enum OMX_ENDIANTYPE
-{
-    OMX_EndianBig, /**< big endian */
-    OMX_EndianLittle, /**< little endian */
-    OMX_EndianMax = 0x7FFFFFFF
-} OMX_ENDIANTYPE;
-
-
-/** The OMX_NUMERICALDATATYPE enumeration is used to indicate if data 
-    is signed or unsigned
- */
-typedef enum OMX_NUMERICALDATATYPE
-{
-    OMX_NumericalDataSigned, /**< signed data */
-    OMX_NumericalDataUnsigned, /**< unsigned data */
-    OMX_NumercialDataMax = 0x7FFFFFFF
-} OMX_NUMERICALDATATYPE;
-
-
-/** Unsigned bounded value type */
-typedef struct OMX_BU32 {
-    OMX_U32 nValue; /**< actual value */
-    OMX_U32 nMin;   /**< minimum for value (i.e. nValue >= nMin) */
-    OMX_U32 nMax;   /**< maximum for value (i.e. nValue <= nMax) */
-} OMX_BU32;
-
-
-/** Signed bounded value type */
-typedef struct OMX_BS32 {
-    OMX_S32 nValue; /**< actual value */
-    OMX_S32 nMin;   /**< minimum for value (i.e. nValue >= nMin) */
-    OMX_S32 nMax;   /**< maximum for value (i.e. nValue <= nMax) */
-} OMX_BS32;
-
-
-/** Structure representing some time or duration in microseconds. This structure
-  *  must be interpreted as a signed 64 bit value. The quantity is signed to accommodate 
-  *  negative deltas and preroll scenarios. The quantity is represented in microseconds 
-  *  to accomodate high resolution timestamps (e.g. DVD presentation timestamps based
-  *  on a 90kHz clock) and to allow more accurate and synchronized delivery (e.g. 
-  *  individual audio samples delivered at 192 kHz). The quantity is 64 bit to 
-  *  accommodate a large dynamic range (signed 32 bit values would allow only for plus
-  *  or minus 35 minutes).
-  *
-  *  Implementations with limited precision may convert the signed 64 bit value to 
-  *  a signed 32 bit value internally but risk loss of precision.  
-  */
-#ifndef OMX_SKIP64BIT
-typedef OMX_S64 OMX_TICKS;
-#else
-typedef struct OMX_TICKS
-{
-    OMX_U32 nLowPart;    /** low bits of the signed 64 bit tick value */
-    OMX_U32 nHighPart;   /** high bits of the signed 64 bit tick value */
-} OMX_TICKS;
-#endif
-#define OMX_TICKS_PER_SECOND 1000000
-
-/** Define the public interface for the OMX Handle.  The core will not use
-    this value internally, but the application should only use this value.
- */
-typedef void* OMX_HANDLETYPE;
-
-typedef struct OMX_MARKTYPE
-{
-    OMX_HANDLETYPE hMarkTargetComponent;   /**< The component that will 
-                                                generate a mark event upon 
-                                                processing the mark. */
-    OMX_PTR pMarkData;   /**< Application specific data associated with 
-                              the mark sent on a mark event to disambiguate 
-                              this mark from others. */
-} OMX_MARKTYPE;
-
-
-/** OMX_NATIVE_DEVICETYPE is used to map a OMX video port to the
- *  platform & operating specific object used to reference the display 
- *  or can be used by a audio port for native audio rendering */
-typedef void* OMX_NATIVE_DEVICETYPE;
-
-/** OMX_NATIVE_WINDOWTYPE is used to map a OMX video port to the
- *  platform & operating specific object used to reference the window */
-typedef void* OMX_NATIVE_WINDOWTYPE;
-
-/** The OMX_VERSIONTYPE union is used to specify the version for
-    a structure or component.  For a component, the version is entirely
-    specified by the component vendor.  Components doing the same function
-    from different vendors may or may not have the same version.  For 
-    structures, the version shall be set by the entity that allocates the
-    structure.  For structures specified in the OMX 1.1 specification, the
-    value of the version shall be set to 1.1.0.0 in all cases.  Access to the
-    OMX_VERSIONTYPE can be by a single 32 bit access (e.g. by nVersion) or
-    by accessing one of the structure elements to, for example, check only
-    the Major revision.
- */
-typedef union OMX_VERSIONTYPE
-{
-    struct
-    {
-        OMX_U8 nVersionMajor;   /**< Major version accessor element */
-        OMX_U8 nVersionMinor;   /**< Minor version accessor element */
-        OMX_U8 nRevision;       /**< Revision version accessor element */
-        OMX_U8 nStep;           /**< Step version accessor element */
-    } s;
-    OMX_U32 nVersion;           /**< 32 bit value to make accessing the
-                                    version easily done in a single word
-                                    size copy/compare operation */
-} OMX_VERSIONTYPE;
-
-#ifdef __cplusplus
-}
-#endif /* __cplusplus */
-
-#endif
-/* File EOF */
diff --git a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Video.h b/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Video.h
deleted file mode 100644
index 4f8485d3f..000000000
--- a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Video.h
+++ /dev/null
@@ -1,1078 +0,0 @@
-/* ------------------------------------------------------------------
- * Copyright (C) 1998-2009 PacketVideo
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- * -------------------------------------------------------------------
- */
-/**
- * Copyright (c) 2008 The Khronos Group Inc. 
- * 
- * Permission is hereby granted, free of charge, to any person obtaining
- * a copy of this software and associated documentation files (the
- * "Software"), to deal in the Software without restriction, including
- * without limitation the rights to use, copy, modify, merge, publish,
- * distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so, subject
- * to the following conditions: 
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software. 
- * 
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
- * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
- * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
- * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- *
- */
-
-/** 
- *  @file OMX_Video.h - OpenMax IL version 1.1.2
- *  The structures is needed by Video components to exchange parameters 
- *  and configuration data with OMX components.
- */
-#ifndef OMX_Video_h
-#define OMX_Video_h
-
-/** @defgroup video OpenMAX IL Video Domain
- * @ingroup iv
- * Structures for OpenMAX IL Video domain
- * @{
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif /* __cplusplus */
-
-
-/**
- * Each OMX header must include all required header files to allow the
- * header to compile without errors.  The includes below are required
- * for this header file to compile successfully 
- */
-
-#include <OMX_IVCommon.h>
-
-
-/**
- * Enumeration used to define the possible video compression codings.  
- * NOTE:  This essentially refers to file extensions. If the coding is 
- *        being used to specify the ENCODE type, then additional work 
- *        must be done to configure the exact flavor of the compression 
- *        to be used.  For decode cases where the user application can 
- *        not differentiate between MPEG-4 and H.264 bit streams, it is 
- *        up to the codec to handle this.
- */
-typedef enum OMX_VIDEO_CODINGTYPE {
-    OMX_VIDEO_CodingUnused,     /**< Value when coding is N/A */
-    OMX_VIDEO_CodingAutoDetect, /**< Autodetection of coding type */
-    OMX_VIDEO_CodingMPEG2,      /**< AKA: H.262 */
-    OMX_VIDEO_CodingH263,       /**< H.263 */
-    OMX_VIDEO_CodingMPEG4,      /**< MPEG-4 */
-    OMX_VIDEO_CodingWMV,        /**< all versions of Windows Media Video */
-    OMX_VIDEO_CodingRV,         /**< all versions of Real Video */
-    OMX_VIDEO_CodingAVC,        /**< H.264/AVC */
-    OMX_VIDEO_CodingMJPEG,      /**< Motion JPEG */
-    OMX_VIDEO_CodingVPX,        /**< Google VPX, formerly known as On2 VP8 */
-    OMX_VIDEO_CodingKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_CodingVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_CodingMax = 0x7FFFFFFF
-} OMX_VIDEO_CODINGTYPE;
-
-
-/**
- * Data structure used to define a video path.  The number of Video paths for 
- * input and output will vary by type of the Video component.  
- * 
- *    Input (aka Source) : zero Inputs, one Output,
- *    Splitter           : one Input, 2 or more Outputs,
- *    Processing Element : one Input, one output,
- *    Mixer              : 2 or more inputs, one output,
- *    Output (aka Sink)  : one Input, zero outputs.
- * 
- * The PortDefinition structure is used to define all of the parameters 
- * necessary for the compliant component to setup an input or an output video 
- * path.  If additional vendor specific data is required, it should be 
- * transmitted to the component using the CustomCommand function.  Compliant 
- * components will prepopulate this structure with optimal values during the 
- * GetDefaultInitParams command.
- *
- * STRUCT MEMBERS:
- *  cMIMEType             : MIME type of data for the port
- *  pNativeRender         : Platform specific reference for a display if a 
- *                          sync, otherwise this field is 0
- *  nFrameWidth           : Width of frame to be used on channel if 
- *                          uncompressed format is used.  Use 0 for unknown,
- *                          don't care or variable
- *  nFrameHeight          : Height of frame to be used on channel if 
- *                          uncompressed format is used. Use 0 for unknown,
- *                          don't care or variable
- *  nStride               : Number of bytes per span of an image 
- *                          (i.e. indicates the number of bytes to get
- *                          from span N to span N+1, where negative stride
- *                          indicates the image is bottom up
- *  nSliceHeight          : Height used when encoding in slices
- *  nBitrate              : Bit rate of frame to be used on channel if 
- *                          compressed format is used. Use 0 for unknown, 
- *                          don't care or variable
- *  xFramerate            : Frame rate to be used on channel if uncompressed 
- *                          format is used. Use 0 for unknown, don't care or 
- *                          variable.  Units are Q16 frames per second.
- *  bFlagErrorConcealment : Turns on error concealment if it is supported by 
- *                          the OMX component
- *  eCompressionFormat    : Compression format used in this instance of the 
- *                          component. When OMX_VIDEO_CodingUnused is 
- *                          specified, eColorFormat is used
- *  eColorFormat : Decompressed format used by this component
- *  pNativeWindow : Platform specific reference for a window object if a 
- *                          display sink , otherwise this field is 0x0. 
- */
-typedef struct OMX_VIDEO_PORTDEFINITIONTYPE {
-    OMX_STRING cMIMEType;
-    OMX_NATIVE_DEVICETYPE pNativeRender;
-    OMX_U32 nFrameWidth;
-    OMX_U32 nFrameHeight;
-    OMX_S32 nStride;
-    OMX_U32 nSliceHeight;
-    OMX_U32 nBitrate;
-    OMX_U32 xFramerate;
-    OMX_BOOL bFlagErrorConcealment;
-    OMX_VIDEO_CODINGTYPE eCompressionFormat;
-    OMX_COLOR_FORMATTYPE eColorFormat;
-    OMX_NATIVE_WINDOWTYPE pNativeWindow;
-} OMX_VIDEO_PORTDEFINITIONTYPE;
-
-/**  
- * Port format parameter.  This structure is used to enumerate the various 
- * data input/output format supported by the port.
- * 
- * STRUCT MEMBERS:
- *  nSize              : Size of the structure in bytes
- *  nVersion           : OMX specification version information
- *  nPortIndex         : Indicates which port to set
- *  nIndex             : Indicates the enumeration index for the format from 
- *                       0x0 to N-1
- *  eCompressionFormat : Compression format used in this instance of the 
- *                       component. When OMX_VIDEO_CodingUnused is specified, 
- *                       eColorFormat is used 
- *  eColorFormat       : Decompressed format used by this component
- *  xFrameRate         : Indicates the video frame rate in Q16 format
- */
-typedef struct OMX_VIDEO_PARAM_PORTFORMATTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nIndex;
-    OMX_VIDEO_CODINGTYPE eCompressionFormat; 
-    OMX_COLOR_FORMATTYPE eColorFormat;
-    OMX_U32 xFramerate;
-} OMX_VIDEO_PARAM_PORTFORMATTYPE;
-
-
-/**
- * This is a structure for configuring video compression quantization 
- * parameter values.  Codecs may support different QP values for different
- * frame types.
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version info
- *  nPortIndex : Port that this structure applies to
- *  nQpI       : QP value to use for index frames
- *  nQpP       : QP value to use for P frames
- *  nQpB       : QP values to use for bidirectional frames 
- */
-typedef struct OMX_VIDEO_PARAM_QUANTIZATIONTYPE {
-    OMX_U32 nSize;            
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nQpI;
-    OMX_U32 nQpP;
-    OMX_U32 nQpB;
-} OMX_VIDEO_PARAM_QUANTIZATIONTYPE;
-
-
-/** 
- * Structure for configuration of video fast update parameters. 
- *  
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version info 
- *  nPortIndex : Port that this structure applies to
- *  bEnableVFU : Enable/Disable video fast update
- *  nFirstGOB  : Specifies the number of the first macroblock row
- *  nFirstMB   : specifies the first MB relative to the specified first GOB
- *  nNumMBs    : Specifies the number of MBs to be refreshed from nFirstGOB 
- *               and nFirstMB
- */
-typedef struct OMX_VIDEO_PARAM_VIDEOFASTUPDATETYPE {
-    OMX_U32 nSize;            
-    OMX_VERSIONTYPE nVersion; 
-    OMX_U32 nPortIndex;       
-    OMX_BOOL bEnableVFU;      
-    OMX_U32 nFirstGOB;                            
-    OMX_U32 nFirstMB;                            
-    OMX_U32 nNumMBs;                                  
-} OMX_VIDEO_PARAM_VIDEOFASTUPDATETYPE;
-
-
-/** 
- * Enumeration of possible bitrate control types 
- */
-typedef enum OMX_VIDEO_CONTROLRATETYPE {
-    OMX_Video_ControlRateDisable,
-    OMX_Video_ControlRateVariable,
-    OMX_Video_ControlRateConstant,
-    OMX_Video_ControlRateVariableSkipFrames,
-    OMX_Video_ControlRateConstantSkipFrames,
-    OMX_Video_ControlRateKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_Video_ControlRateVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_Video_ControlRateMax = 0x7FFFFFFF
-} OMX_VIDEO_CONTROLRATETYPE;
-
-
-/** 
- * Structure for configuring bitrate mode of a codec. 
- *
- * STRUCT MEMBERS:
- *  nSize          : Size of the struct in bytes
- *  nVersion       : OMX spec version info
- *  nPortIndex     : Port that this struct applies to
- *  eControlRate   : Control rate type enum
- *  nTargetBitrate : Target bitrate to encode with
- */
-typedef struct OMX_VIDEO_PARAM_BITRATETYPE {
-    OMX_U32 nSize;                          
-    OMX_VERSIONTYPE nVersion;               
-    OMX_U32 nPortIndex;                     
-    OMX_VIDEO_CONTROLRATETYPE eControlRate; 
-    OMX_U32 nTargetBitrate;                 
-} OMX_VIDEO_PARAM_BITRATETYPE;
-
-
-/** 
- * Enumeration of possible motion vector (MV) types 
- */
-typedef enum OMX_VIDEO_MOTIONVECTORTYPE {
-    OMX_Video_MotionVectorPixel,
-    OMX_Video_MotionVectorHalfPel,
-    OMX_Video_MotionVectorQuarterPel,
-    OMX_Video_MotionVectorEighthPel,
-    OMX_Video_MotionVectorKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_Video_MotionVectorVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_Video_MotionVectorMax = 0x7FFFFFFF
-} OMX_VIDEO_MOTIONVECTORTYPE;
-
-
-/**
- * Structure for configuring the number of motion vectors used as well
- * as their accuracy.
- * 
- * STRUCT MEMBERS:
- *  nSize            : Size of the struct in bytes
- *  nVersion         : OMX spec version info
- *  nPortIndex       : port that this structure applies to
- *  eAccuracy        : Enumerated MV accuracy
- *  bUnrestrictedMVs : Allow unrestricted MVs
- *  bFourMV          : Allow use of 4 MVs
- *  sXSearchRange    : Search range in horizontal direction for MVs
- *  sYSearchRange    : Search range in vertical direction for MVs
- */
-typedef struct OMX_VIDEO_PARAM_MOTIONVECTORTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_VIDEO_MOTIONVECTORTYPE eAccuracy;
-    OMX_BOOL bUnrestrictedMVs;
-    OMX_BOOL bFourMV;
-    OMX_S32 sXSearchRange;
-    OMX_S32 sYSearchRange;
-} OMX_VIDEO_PARAM_MOTIONVECTORTYPE;
-
-
-/** 
- * Enumeration of possible methods to use for Intra Refresh 
- */
-typedef enum OMX_VIDEO_INTRAREFRESHTYPE {
-    OMX_VIDEO_IntraRefreshCyclic,
-    OMX_VIDEO_IntraRefreshAdaptive,
-    OMX_VIDEO_IntraRefreshBoth,
-    OMX_VIDEO_IntraRefreshKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_IntraRefreshVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_IntraRefreshMax = 0x7FFFFFFF
-} OMX_VIDEO_INTRAREFRESHTYPE;
-
-
-/**
- * Structure for configuring intra refresh mode 
- * 
- * STRUCT MEMBERS:
- *  nSize        : Size of the structure in bytes
- *  nVersion     : OMX specification version information
- *  nPortIndex   : Port that this structure applies to
- *  eRefreshMode : Cyclic, Adaptive, or Both
- *  nAirMBs      : Number of intra macroblocks to refresh in a frame when 
- *                 AIR is enabled
- *  nAirRef      : Number of times a motion marked macroblock has to be  
- *                 intra coded
- *  nCirMBs      : Number of consecutive macroblocks to be coded as "intra"  
- *                 when CIR is enabled
- */
-typedef struct OMX_VIDEO_PARAM_INTRAREFRESHTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_VIDEO_INTRAREFRESHTYPE eRefreshMode;
-    OMX_U32 nAirMBs;
-    OMX_U32 nAirRef;
-    OMX_U32 nCirMBs;
-} OMX_VIDEO_PARAM_INTRAREFRESHTYPE;
-
-
-/**
- * Structure for enabling various error correction methods for video 
- * compression.
- *
- * STRUCT MEMBERS:
- *  nSize                   : Size of the structure in bytes
- *  nVersion                : OMX specification version information 
- *  nPortIndex              : Port that this structure applies to 
- *  bEnableHEC              : Enable/disable header extension codes (HEC)
- *  bEnableResync           : Enable/disable resynchronization markers
- *  nResynchMarkerSpacing   : Resynch markers interval (in bits) to be 
- *                            applied in the stream 
- *  bEnableDataPartitioning : Enable/disable data partitioning 
- *  bEnableRVLC             : Enable/disable reversible variable length 
- *                            coding
- */
-typedef struct OMX_VIDEO_PARAM_ERRORCORRECTIONTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_BOOL bEnableHEC;
-    OMX_BOOL bEnableResync;
-    OMX_U32  nResynchMarkerSpacing;
-    OMX_BOOL bEnableDataPartitioning;
-    OMX_BOOL bEnableRVLC;
-} OMX_VIDEO_PARAM_ERRORCORRECTIONTYPE;
-
-
-/** 
- * Configuration of variable block-size motion compensation (VBSMC) 
- * 
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information 
- *  nPortIndex : Port that this structure applies to
- *  b16x16     : Enable inter block search 16x16
- *  b16x8      : Enable inter block search 16x8
- *  b8x16      : Enable inter block search 8x16
- *  b8x8       : Enable inter block search 8x8
- *  b8x4       : Enable inter block search 8x4
- *  b4x8       : Enable inter block search 4x8
- *  b4x4       : Enable inter block search 4x4
- */
-typedef struct OMX_VIDEO_PARAM_VBSMCTYPE {
-    OMX_U32 nSize; 
-    OMX_VERSIONTYPE nVersion; 
-    OMX_U32 nPortIndex;       
-    OMX_BOOL b16x16; 
-    OMX_BOOL b16x8; 
-    OMX_BOOL b8x16;
-    OMX_BOOL b8x8;
-    OMX_BOOL b8x4;
-    OMX_BOOL b4x8;
-    OMX_BOOL b4x4;
-} OMX_VIDEO_PARAM_VBSMCTYPE;
-
-
-/** 
- * H.263 profile types, each profile indicates support for various 
- * performance bounds and different annexes.
- *
- * ENUMS:
- *  Baseline           : Baseline Profile: H.263 (V1), no optional modes                                                    
- *  H320 Coding        : H.320 Coding Efficiency Backward Compatibility 
- *                       Profile: H.263+ (V2), includes annexes I, J, L.4
- *                       and T
- *  BackwardCompatible : Backward Compatibility Profile: H.263 (V1), 
- *                       includes annex F                                    
- *  ISWV2              : Interactive Streaming Wireless Profile: H.263+ 
- *                       (V2), includes annexes I, J, K and T                 
- *  ISWV3              : Interactive Streaming Wireless Profile: H.263++  
- *                       (V3), includes profile 3 and annexes V and W.6.3.8   
- *  HighCompression    : Conversational High Compression Profile: H.263++  
- *                       (V3), includes profiles 1 & 2 and annexes D and U   
- *  Internet           : Conversational Internet Profile: H.263++ (V3),  
- *                       includes profile 5 and annex K                       
- *  Interlace          : Conversational Interlace Profile: H.263++ (V3),  
- *                       includes profile 5 and annex W.6.3.11               
- *  HighLatency        : High Latency Profile: H.263++ (V3), includes  
- *                       profile 6 and annexes O.1 and P.5                       
- */
-typedef enum OMX_VIDEO_H263PROFILETYPE {
-    OMX_VIDEO_H263ProfileBaseline            = 0x01,        
-    OMX_VIDEO_H263ProfileH320Coding          = 0x02,          
-    OMX_VIDEO_H263ProfileBackwardCompatible  = 0x04,  
-    OMX_VIDEO_H263ProfileISWV2               = 0x08,               
-    OMX_VIDEO_H263ProfileISWV3               = 0x10,               
-    OMX_VIDEO_H263ProfileHighCompression     = 0x20,     
-    OMX_VIDEO_H263ProfileInternet            = 0x40,            
-    OMX_VIDEO_H263ProfileInterlace           = 0x80,           
-    OMX_VIDEO_H263ProfileHighLatency         = 0x100,         
-    OMX_VIDEO_H263ProfileKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_H263ProfileVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_H263ProfileMax                 = 0x7FFFFFFF  
-} OMX_VIDEO_H263PROFILETYPE;
-
-
-/** 
- * H.263 level types, each level indicates support for various frame sizes, 
- * bit rates, decoder frame rates.
- */
-typedef enum OMX_VIDEO_H263LEVELTYPE {
-    OMX_VIDEO_H263Level10  = 0x01,  
-    OMX_VIDEO_H263Level20  = 0x02,      
-    OMX_VIDEO_H263Level30  = 0x04,      
-    OMX_VIDEO_H263Level40  = 0x08,      
-    OMX_VIDEO_H263Level45  = 0x10,      
-    OMX_VIDEO_H263Level50  = 0x20,      
-    OMX_VIDEO_H263Level60  = 0x40,      
-    OMX_VIDEO_H263Level70  = 0x80, 
-    OMX_VIDEO_H263LevelKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_H263LevelVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_H263LevelMax = 0x7FFFFFFF  
-} OMX_VIDEO_H263LEVELTYPE;
-
-
-/** 
- * Specifies the picture type. These values should be OR'd to signal all 
- * pictures types which are allowed.
- *
- * ENUMS:
- *  Generic Picture Types:          I, P and B
- *  H.263 Specific Picture Types:   SI and SP
- *  H.264 Specific Picture Types:   EI and EP
- *  MPEG-4 Specific Picture Types:  S
- */
-typedef enum OMX_VIDEO_PICTURETYPE {
-    OMX_VIDEO_PictureTypeI   = 0x01,
-    OMX_VIDEO_PictureTypeP   = 0x02,
-    OMX_VIDEO_PictureTypeB   = 0x04,
-    OMX_VIDEO_PictureTypeSI  = 0x08,
-    OMX_VIDEO_PictureTypeSP  = 0x10,
-    OMX_VIDEO_PictureTypeEI  = 0x11,
-    OMX_VIDEO_PictureTypeEP  = 0x12,
-    OMX_VIDEO_PictureTypeS   = 0x14,
-    OMX_VIDEO_PictureTypeKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_PictureTypeVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_PictureTypeMax = 0x7FFFFFFF
-} OMX_VIDEO_PICTURETYPE;
-
-
-/** 
- * H.263 Params 
- *
- * STRUCT MEMBERS:
- *  nSize                    : Size of the structure in bytes
- *  nVersion                 : OMX specification version information 
- *  nPortIndex               : Port that this structure applies to
- *  nPFrames                 : Number of P frames between each I frame
- *  nBFrames                 : Number of B frames between each I frame
- *  eProfile                 : H.263 profile(s) to use
- *  eLevel                   : H.263 level(s) to use
- *  bPLUSPTYPEAllowed        : Indicating that it is allowed to use PLUSPTYPE 
- *                             (specified in the 1998 version of H.263) to 
- *                             indicate custom picture sizes or clock 
- *                             frequencies 
- *  nAllowedPictureTypes     : Specifies the picture types allowed in the 
- *                             bitstream
- *  bForceRoundingTypeToZero : value of the RTYPE bit (bit 6 of MPPTYPE) is 
- *                             not constrained. It is recommended to change 
- *                             the value of the RTYPE bit for each reference 
- *                             picture in error-free communication
- *  nPictureHeaderRepetition : Specifies the frequency of picture header 
- *                             repetition
- *  nGOBHeaderInterval       : Specifies the interval of non-empty GOB  
- *                             headers in units of GOBs
- */
-typedef struct OMX_VIDEO_PARAM_H263TYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nPFrames;
-    OMX_U32 nBFrames;
-    OMX_VIDEO_H263PROFILETYPE eProfile;
-	OMX_VIDEO_H263LEVELTYPE eLevel;
-    OMX_BOOL bPLUSPTYPEAllowed;
-    OMX_U32 nAllowedPictureTypes;
-    OMX_BOOL bForceRoundingTypeToZero;
-    OMX_U32 nPictureHeaderRepetition;
-    OMX_U32 nGOBHeaderInterval;
-} OMX_VIDEO_PARAM_H263TYPE;
-
-
-/** 
- * MPEG-2 profile types, each profile indicates support for various 
- * performance bounds and different annexes.
- */
-typedef enum OMX_VIDEO_MPEG2PROFILETYPE {
-    OMX_VIDEO_MPEG2ProfileSimple = 0,  /**< Simple Profile */
-    OMX_VIDEO_MPEG2ProfileMain,        /**< Main Profile */
-    OMX_VIDEO_MPEG2Profile422,         /**< 4:2:2 Profile */
-    OMX_VIDEO_MPEG2ProfileSNR,         /**< SNR Profile */
-    OMX_VIDEO_MPEG2ProfileSpatial,     /**< Spatial Profile */
-    OMX_VIDEO_MPEG2ProfileHigh,        /**< High Profile */
-    OMX_VIDEO_MPEG2ProfileKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_MPEG2ProfileVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_MPEG2ProfileMax = 0x7FFFFFFF  
-} OMX_VIDEO_MPEG2PROFILETYPE;
-
-
-/** 
- * MPEG-2 level types, each level indicates support for various frame 
- * sizes, bit rates, decoder frame rates.  No need 
- */
-typedef enum OMX_VIDEO_MPEG2LEVELTYPE {
-    OMX_VIDEO_MPEG2LevelLL = 0,  /**< Low Level */ 
-    OMX_VIDEO_MPEG2LevelML,      /**< Main Level */ 
-    OMX_VIDEO_MPEG2LevelH14,     /**< High 1440 */ 
-    OMX_VIDEO_MPEG2LevelHL,      /**< High Level */   
-    OMX_VIDEO_MPEG2LevelKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_MPEG2LevelVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_MPEG2LevelMax = 0x7FFFFFFF  
-} OMX_VIDEO_MPEG2LEVELTYPE;
-
-
-/** 
- * MPEG-2 params 
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nPFrames   : Number of P frames between each I frame
- *  nBFrames   : Number of B frames between each I frame
- *  eProfile   : MPEG-2 profile(s) to use
- *  eLevel     : MPEG-2 levels(s) to use
- */
-typedef struct OMX_VIDEO_PARAM_MPEG2TYPE {
-    OMX_U32 nSize;           
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;      
-    OMX_U32 nPFrames;        
-    OMX_U32 nBFrames;        
-    OMX_VIDEO_MPEG2PROFILETYPE eProfile;
-	OMX_VIDEO_MPEG2LEVELTYPE eLevel;   
-} OMX_VIDEO_PARAM_MPEG2TYPE;
-
-
-/** 
- * MPEG-4 profile types, each profile indicates support for various 
- * performance bounds and different annexes.
- * 
- * ENUMS:
- *  - Simple Profile, Levels 1-3
- *  - Simple Scalable Profile, Levels 1-2
- *  - Core Profile, Levels 1-2
- *  - Main Profile, Levels 2-4
- *  - N-bit Profile, Level 2
- *  - Scalable Texture Profile, Level 1
- *  - Simple Face Animation Profile, Levels 1-2
- *  - Simple Face and Body Animation (FBA) Profile, Levels 1-2
- *  - Basic Animated Texture Profile, Levels 1-2
- *  - Hybrid Profile, Levels 1-2
- *  - Advanced Real Time Simple Profiles, Levels 1-4
- *  - Core Scalable Profile, Levels 1-3
- *  - Advanced Coding Efficiency Profile, Levels 1-4
- *  - Advanced Core Profile, Levels 1-2
- *  - Advanced Scalable Texture, Levels 2-3
- */
-typedef enum OMX_VIDEO_MPEG4PROFILETYPE {
-    OMX_VIDEO_MPEG4ProfileSimple           = 0x01,        
-    OMX_VIDEO_MPEG4ProfileSimpleScalable   = 0x02,    
-    OMX_VIDEO_MPEG4ProfileCore             = 0x04,              
-    OMX_VIDEO_MPEG4ProfileMain             = 0x08,             
-    OMX_VIDEO_MPEG4ProfileNbit             = 0x10,              
-    OMX_VIDEO_MPEG4ProfileScalableTexture  = 0x20,   
-    OMX_VIDEO_MPEG4ProfileSimpleFace       = 0x40,        
-    OMX_VIDEO_MPEG4ProfileSimpleFBA        = 0x80,         
-    OMX_VIDEO_MPEG4ProfileBasicAnimated    = 0x100,     
-    OMX_VIDEO_MPEG4ProfileHybrid           = 0x200,            
-    OMX_VIDEO_MPEG4ProfileAdvancedRealTime = 0x400,  
-    OMX_VIDEO_MPEG4ProfileCoreScalable     = 0x800,      
-    OMX_VIDEO_MPEG4ProfileAdvancedCoding   = 0x1000,    
-    OMX_VIDEO_MPEG4ProfileAdvancedCore     = 0x2000,      
-    OMX_VIDEO_MPEG4ProfileAdvancedScalable = 0x4000,
-    OMX_VIDEO_MPEG4ProfileAdvancedSimple   = 0x8000,
-    OMX_VIDEO_MPEG4ProfileKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_MPEG4ProfileVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_MPEG4ProfileMax              = 0x7FFFFFFF  
-} OMX_VIDEO_MPEG4PROFILETYPE;
-
-
-/** 
- * MPEG-4 level types, each level indicates support for various frame 
- * sizes, bit rates, decoder frame rates.  No need 
- */
-typedef enum OMX_VIDEO_MPEG4LEVELTYPE {
-    OMX_VIDEO_MPEG4Level0  = 0x01,   /**< Level 0 */   
-    OMX_VIDEO_MPEG4Level0b = 0x02,   /**< Level 0b */   
-    OMX_VIDEO_MPEG4Level1  = 0x04,   /**< Level 1 */ 
-    OMX_VIDEO_MPEG4Level2  = 0x08,   /**< Level 2 */ 
-    OMX_VIDEO_MPEG4Level3  = 0x10,   /**< Level 3 */ 
-    OMX_VIDEO_MPEG4Level4  = 0x20,   /**< Level 4 */  
-    OMX_VIDEO_MPEG4Level4a = 0x40,   /**< Level 4a */  
-    OMX_VIDEO_MPEG4Level5  = 0x80,   /**< Level 5 */  
-    OMX_VIDEO_MPEG4LevelKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_MPEG4LevelVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_MPEG4LevelMax = 0x7FFFFFFF  
-} OMX_VIDEO_MPEG4LEVELTYPE;
-
-
-/** 
- * MPEG-4 configuration.  This structure handles configuration options
- * which are specific to MPEG4 algorithms
- *
- * STRUCT MEMBERS:
- *  nSize                : Size of the structure in bytes
- *  nVersion             : OMX specification version information
- *  nPortIndex           : Port that this structure applies to
- *  nSliceHeaderSpacing  : Number of macroblocks between slice header (H263+ 
- *                         Annex K). Put zero if not used
- *  bSVH                 : Enable Short Video Header mode
- *  bGov                 : Flag to enable GOV
- *  nPFrames             : Number of P frames between each I frame (also called 
- *                         GOV period)
- *  nBFrames             : Number of B frames between each I frame
- *  nIDCVLCThreshold     : Value of intra DC VLC threshold
- *  bACPred              : Flag to use ac prediction
- *  nMaxPacketSize       : Maximum size of packet in bytes.
- *  nTimeIncRes          : Used to pass VOP time increment resolution for MPEG4. 
- *                         Interpreted as described in MPEG4 standard.
- *  eProfile             : MPEG-4 profile(s) to use.
- *  eLevel               : MPEG-4 level(s) to use.
- *  nAllowedPictureTypes : Specifies the picture types allowed in the bitstream
- *  nHeaderExtension     : Specifies the number of consecutive video packet
- *                         headers within a VOP
- *  bReversibleVLC       : Specifies whether reversible variable length coding 
- *                         is in use
- */
-typedef struct OMX_VIDEO_PARAM_MPEG4TYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nSliceHeaderSpacing;
-    OMX_BOOL bSVH;
-    OMX_BOOL bGov;
-    OMX_U32 nPFrames;
-    OMX_U32 nBFrames;
-    OMX_U32 nIDCVLCThreshold;
-    OMX_BOOL bACPred;
-    OMX_U32 nMaxPacketSize;
-    OMX_U32 nTimeIncRes;
-    OMX_VIDEO_MPEG4PROFILETYPE eProfile;
-    OMX_VIDEO_MPEG4LEVELTYPE eLevel;
-    OMX_U32 nAllowedPictureTypes;
-    OMX_U32 nHeaderExtension;
-    OMX_BOOL bReversibleVLC;
-} OMX_VIDEO_PARAM_MPEG4TYPE;
-
-
-/** 
- * WMV Versions 
- */
-typedef enum OMX_VIDEO_WMVFORMATTYPE {
-    OMX_VIDEO_WMVFormatUnused = 0x01,   /**< Format unused or unknown */
-    OMX_VIDEO_WMVFormat7      = 0x02,   /**< Windows Media Video format 7 */
-    OMX_VIDEO_WMVFormat8      = 0x04,   /**< Windows Media Video format 8 */
-    OMX_VIDEO_WMVFormat9      = 0x08,   /**< Windows Media Video format 9 */
-    OMX_VIDEO_WMFFormatKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_WMFFormatVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_WMVFormatMax    = 0x7FFFFFFF
-} OMX_VIDEO_WMVFORMATTYPE;
-
-
-/** 
- * WMV Params 
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  eFormat    : Version of WMV stream / data
- */
-typedef struct OMX_VIDEO_PARAM_WMVTYPE {
-    OMX_U32 nSize; 
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_VIDEO_WMVFORMATTYPE eFormat;
-} OMX_VIDEO_PARAM_WMVTYPE;
-
-
-/** 
- * Real Video Version 
- */
-typedef enum OMX_VIDEO_RVFORMATTYPE {
-    OMX_VIDEO_RVFormatUnused = 0, /**< Format unused or unknown */
-    OMX_VIDEO_RVFormat8,          /**< Real Video format 8 */
-    OMX_VIDEO_RVFormat9,          /**< Real Video format 9 */
-    OMX_VIDEO_RVFormatG2,         /**< Real Video Format G2 */
-    OMX_VIDEO_RVFormatKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_RVFormatVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_RVFormatMax = 0x7FFFFFFF
-} OMX_VIDEO_RVFORMATTYPE;
-
-
-/** 
- * Real Video Params 
- *
- * STUCT MEMBERS:
- *  nSize              : Size of the structure in bytes
- *  nVersion           : OMX specification version information 
- *  nPortIndex         : Port that this structure applies to
- *  eFormat            : Version of RV stream / data
- *  nBitsPerPixel      : Bits per pixel coded in the frame
- *  nPaddedWidth       : Padded width in pixel of a video frame
- *  nPaddedHeight      : Padded Height in pixels of a video frame
- *  nFrameRate         : Rate of video in frames per second
- *  nBitstreamFlags    : Flags which internal information about the bitstream
- *  nBitstreamVersion  : Bitstream version
- *  nMaxEncodeFrameSize: Max encoded frame size
- *  bEnablePostFilter  : Turn on/off post filter
- *  bEnableTemporalInterpolation : Turn on/off temporal interpolation
- *  bEnableLatencyMode : When enabled, the decoder does not display a decoded 
- *                       frame until it has detected that no enhancement layer 
- *  					 frames or dependent B frames will be coming. This 
- *  					 detection usually occurs when a subsequent non-B 
- *  					 frame is encountered 
- */
-typedef struct OMX_VIDEO_PARAM_RVTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_VIDEO_RVFORMATTYPE eFormat;
-    OMX_U16 nBitsPerPixel;
-    OMX_U16 nPaddedWidth;
-    OMX_U16 nPaddedHeight;
-    OMX_U32 nFrameRate;
-    OMX_U32 nBitstreamFlags;
-    OMX_U32 nBitstreamVersion;
-    OMX_U32 nMaxEncodeFrameSize;
-    OMX_BOOL bEnablePostFilter;
-    OMX_BOOL bEnableTemporalInterpolation;
-    OMX_BOOL bEnableLatencyMode;
-} OMX_VIDEO_PARAM_RVTYPE;
-
-
-/** 
- * AVC profile types, each profile indicates support for various 
- * performance bounds and different annexes.
- */
-typedef enum OMX_VIDEO_AVCPROFILETYPE {
-    OMX_VIDEO_AVCProfileBaseline = 0x01,   /**< Baseline profile */
-    OMX_VIDEO_AVCProfileMain     = 0x02,   /**< Main profile */
-    OMX_VIDEO_AVCProfileExtended = 0x04,   /**< Extended profile */
-    OMX_VIDEO_AVCProfileHigh     = 0x08,   /**< High profile */
-    OMX_VIDEO_AVCProfileHigh10   = 0x10,   /**< High 10 profile */
-    OMX_VIDEO_AVCProfileHigh422  = 0x20,   /**< High 4:2:2 profile */
-    OMX_VIDEO_AVCProfileHigh444  = 0x40,   /**< High 4:4:4 profile */
-    OMX_VIDEO_AVCProfileKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_AVCProfileVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_AVCProfileMax      = 0x7FFFFFFF  
-} OMX_VIDEO_AVCPROFILETYPE;
-
-
-/** 
- * AVC level types, each level indicates support for various frame sizes, 
- * bit rates, decoder frame rates.  No need 
- */
-typedef enum OMX_VIDEO_AVCLEVELTYPE {
-    OMX_VIDEO_AVCLevel1   = 0x01,     /**< Level 1 */
-    OMX_VIDEO_AVCLevel1b  = 0x02,     /**< Level 1b */
-    OMX_VIDEO_AVCLevel11  = 0x04,     /**< Level 1.1 */
-    OMX_VIDEO_AVCLevel12  = 0x08,     /**< Level 1.2 */
-    OMX_VIDEO_AVCLevel13  = 0x10,     /**< Level 1.3 */
-    OMX_VIDEO_AVCLevel2   = 0x20,     /**< Level 2 */
-    OMX_VIDEO_AVCLevel21  = 0x40,     /**< Level 2.1 */
-    OMX_VIDEO_AVCLevel22  = 0x80,     /**< Level 2.2 */
-    OMX_VIDEO_AVCLevel3   = 0x100,    /**< Level 3 */
-    OMX_VIDEO_AVCLevel31  = 0x200,    /**< Level 3.1 */
-    OMX_VIDEO_AVCLevel32  = 0x400,    /**< Level 3.2 */
-    OMX_VIDEO_AVCLevel4   = 0x800,    /**< Level 4 */
-    OMX_VIDEO_AVCLevel41  = 0x1000,   /**< Level 4.1 */
-    OMX_VIDEO_AVCLevel42  = 0x2000,   /**< Level 4.2 */
-    OMX_VIDEO_AVCLevel5   = 0x4000,   /**< Level 5 */
-    OMX_VIDEO_AVCLevel51  = 0x8000,   /**< Level 5.1 */
-    OMX_VIDEO_AVCLevelKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_AVCLevelVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_AVCLevelMax = 0x7FFFFFFF  
-} OMX_VIDEO_AVCLEVELTYPE;
-
-
-/** 
- * AVC loop filter modes 
- *
- * OMX_VIDEO_AVCLoopFilterEnable               : Enable
- * OMX_VIDEO_AVCLoopFilterDisable              : Disable
- * OMX_VIDEO_AVCLoopFilterDisableSliceBoundary : Disabled on slice boundaries
- */
-typedef enum OMX_VIDEO_AVCLOOPFILTERTYPE {
-    OMX_VIDEO_AVCLoopFilterEnable = 0,
-    OMX_VIDEO_AVCLoopFilterDisable,
-    OMX_VIDEO_AVCLoopFilterDisableSliceBoundary,
-    OMX_VIDEO_AVCLoopFilterKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_AVCLoopFilterVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_AVCLoopFilterMax = 0x7FFFFFFF
-} OMX_VIDEO_AVCLOOPFILTERTYPE;
-
-
-/** 
- * AVC params 
- *
- * STRUCT MEMBERS:
- *  nSize                     : Size of the structure in bytes
- *  nVersion                  : OMX specification version information
- *  nPortIndex                : Port that this structure applies to
- *  nSliceHeaderSpacing       : Number of macroblocks between slice header, put  
- *                              zero if not used
- *  nPFrames                  : Number of P frames between each I frame
- *  nBFrames                  : Number of B frames between each I frame
- *  bUseHadamard              : Enable/disable Hadamard transform
- *  nRefFrames                : Max number of reference frames to use for inter
- *                              motion search (1-16)
- *  nRefIdxTrailing           : Pic param set ref frame index (index into ref
- *                              frame buffer of trailing frames list), B frame
- *                              support
- *  nRefIdxForward            : Pic param set ref frame index (index into ref
- *                              frame buffer of forward frames list), B frame
- *                              support
- *  bEnableUEP                : Enable/disable unequal error protection. This 
- *                              is only valid of data partitioning is enabled.
- *  bEnableFMO                : Enable/disable flexible macroblock ordering
- *  bEnableASO                : Enable/disable arbitrary slice ordering
- *  bEnableRS                 : Enable/disable sending of redundant slices
- *  eProfile                  : AVC profile(s) to use
- *  eLevel                    : AVC level(s) to use
- *  nAllowedPictureTypes      : Specifies the picture types allowed in the 
- *                              bitstream
- *  bFrameMBsOnly             : specifies that every coded picture of the 
- *                              coded video sequence is a coded frame 
- *                              containing only frame macroblocks
- *  bMBAFF                    : Enable/disable switching between frame and 
- *                              field macroblocks within a picture
- *  bEntropyCodingCABAC       : Entropy decoding method to be applied for the 
- *                              syntax elements for which two descriptors appear 
- *                              in the syntax tables
- *  bWeightedPPrediction      : Enable/disable weighted prediction shall not 
- *                              be applied to P and SP slices
- *  nWeightedBipredicitonMode : Default weighted prediction is applied to B 
- *                              slices 
- *  bconstIpred               : Enable/disable intra prediction
- *  bDirect8x8Inference       : Specifies the method used in the derivation 
- *                              process for luma motion vectors for B_Skip, 
- *                              B_Direct_16x16 and B_Direct_8x8 as specified 
- *                              in subclause 8.4.1.2 of the AVC spec 
- *  bDirectSpatialTemporal    : Flag indicating spatial or temporal direct
- *                              mode used in B slice coding (related to 
- *                              bDirect8x8Inference) . Spatial direct mode is 
- *                              more common and should be the default.
- *  nCabacInitIdx             : Index used to init CABAC contexts
- *  eLoopFilterMode           : Enable/disable loop filter
- */
-typedef struct OMX_VIDEO_PARAM_AVCTYPE {
-    OMX_U32 nSize;                 
-    OMX_VERSIONTYPE nVersion;      
-    OMX_U32 nPortIndex;            
-    OMX_U32 nSliceHeaderSpacing;  
-    OMX_U32 nPFrames;     
-    OMX_U32 nBFrames;     
-    OMX_BOOL bUseHadamard;
-    OMX_U32 nRefFrames;  
-	OMX_U32 nRefIdx10ActiveMinus1;
-	OMX_U32 nRefIdx11ActiveMinus1;
-    OMX_BOOL bEnableUEP;  
-    OMX_BOOL bEnableFMO;  
-    OMX_BOOL bEnableASO;  
-    OMX_BOOL bEnableRS;   
-    OMX_VIDEO_AVCPROFILETYPE eProfile;
-	OMX_VIDEO_AVCLEVELTYPE eLevel; 
-    OMX_U32 nAllowedPictureTypes;  
-	OMX_BOOL bFrameMBsOnly;        									
-    OMX_BOOL bMBAFF;               
-    OMX_BOOL bEntropyCodingCABAC;  
-    OMX_BOOL bWeightedPPrediction; 
-    OMX_U32 nWeightedBipredicitonMode; 
-    OMX_BOOL bconstIpred ;
-    OMX_BOOL bDirect8x8Inference;  
-	OMX_BOOL bDirectSpatialTemporal;
-	OMX_U32 nCabacInitIdc;
-	OMX_VIDEO_AVCLOOPFILTERTYPE eLoopFilterMode;
-} OMX_VIDEO_PARAM_AVCTYPE;
-
-typedef struct OMX_VIDEO_PARAM_PROFILELEVELTYPE {
-   OMX_U32 nSize;                 
-   OMX_VERSIONTYPE nVersion;      
-   OMX_U32 nPortIndex;            
-   OMX_U32 eProfile;      /**< type is OMX_VIDEO_AVCPROFILETYPE, OMX_VIDEO_H263PROFILETYPE, 
-                                 or OMX_VIDEO_MPEG4PROFILETYPE depending on context */
-   OMX_U32 eLevel;        /**< type is OMX_VIDEO_AVCLEVELTYPE, OMX_VIDEO_H263LEVELTYPE, 
-                                 or OMX_VIDEO_MPEG4PROFILETYPE depending on context */
-   OMX_U32 nProfileIndex; /**< Used to query for individual profile support information,
-                               This parameter is valid only for 
-                               OMX_IndexParamVideoProfileLevelQuerySupported index,
-                               For all other indices this parameter is to be ignored. */
-} OMX_VIDEO_PARAM_PROFILELEVELTYPE;
-
-/** 
- * Structure for dynamically configuring bitrate mode of a codec. 
- *
- * STRUCT MEMBERS:
- *  nSize          : Size of the struct in bytes
- *  nVersion       : OMX spec version info
- *  nPortIndex     : Port that this struct applies to
- *  nEncodeBitrate : Target average bitrate to be generated in bps
- */
-typedef struct OMX_VIDEO_CONFIG_BITRATETYPE {
-    OMX_U32 nSize;                          
-    OMX_VERSIONTYPE nVersion;               
-    OMX_U32 nPortIndex;                     
-    OMX_U32 nEncodeBitrate;                 
-} OMX_VIDEO_CONFIG_BITRATETYPE;
-
-/** 
- * Defines Encoder Frame Rate setting
- *
- * STRUCT MEMBERS:
- *  nSize            : Size of the structure in bytes
- *  nVersion         : OMX specification version information 
- *  nPortIndex       : Port that this structure applies to
- *  xEncodeFramerate : Encoding framerate represented in Q16 format
- */
-typedef struct OMX_CONFIG_FRAMERATETYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 xEncodeFramerate; /* Q16 format */
-} OMX_CONFIG_FRAMERATETYPE;
-
-typedef struct OMX_CONFIG_INTRAREFRESHVOPTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_BOOL IntraRefreshVOP;
-} OMX_CONFIG_INTRAREFRESHVOPTYPE;
-
-typedef struct OMX_CONFIG_MACROBLOCKERRORMAPTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nErrMapSize;           /* Size of the Error Map in bytes */
-    OMX_U8  ErrMap[1];             /* Error map hint */
-} OMX_CONFIG_MACROBLOCKERRORMAPTYPE;
-
-typedef struct OMX_CONFIG_MBERRORREPORTINGTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_BOOL bEnabled;
-} OMX_CONFIG_MBERRORREPORTINGTYPE;
-
-typedef struct OMX_PARAM_MACROBLOCKSTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nMacroblocks;
-} OMX_PARAM_MACROBLOCKSTYPE;
-
-/** 
- * AVC Slice Mode modes 
- *
- * OMX_VIDEO_SLICEMODE_AVCDefault   : Normal frame encoding, one slice per frame
- * OMX_VIDEO_SLICEMODE_AVCMBSlice   : NAL mode, number of MBs per frame
- * OMX_VIDEO_SLICEMODE_AVCByteSlice : NAL mode, number of bytes per frame
- */
-typedef enum OMX_VIDEO_AVCSLICEMODETYPE {
-    OMX_VIDEO_SLICEMODE_AVCDefault = 0,
-    OMX_VIDEO_SLICEMODE_AVCMBSlice,
-    OMX_VIDEO_SLICEMODE_AVCByteSlice,
-    OMX_VIDEO_SLICEMODE_AVCKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_SLICEMODE_AVCVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_SLICEMODE_AVCLevelMax = 0x7FFFFFFF
-} OMX_VIDEO_AVCSLICEMODETYPE;
-
-/** 
- * AVC FMO Slice Mode Params 
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nNumSliceGroups : Specifies the number of slice groups
- *  nSliceGroupMapType : Specifies the type of slice groups
- *  eSliceMode : Specifies the type of slice
- */
-typedef struct OMX_VIDEO_PARAM_AVCSLICEFMO {
-    OMX_U32 nSize; 
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U8 nNumSliceGroups;
-    OMX_U8 nSliceGroupMapType;
-    OMX_VIDEO_AVCSLICEMODETYPE eSliceMode;
-} OMX_VIDEO_PARAM_AVCSLICEFMO;
-
-/** 
- * AVC IDR Period Configs
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nIDRPeriod : Specifies periodicity of IDR frames
- *  nPFrames : Specifies internal of coding Intra frames
- */
-typedef struct OMX_VIDEO_CONFIG_AVCINTRAPERIOD {
-    OMX_U32 nSize; 
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nIDRPeriod;
-    OMX_U32 nPFrames;
-} OMX_VIDEO_CONFIG_AVCINTRAPERIOD;
-
-/** 
- * AVC NAL Size Configs
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nNaluBytes : Specifies the NAL unit size
- */
-typedef struct OMX_VIDEO_CONFIG_NALSIZE {
-    OMX_U32 nSize; 
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nNaluBytes;
-} OMX_VIDEO_CONFIG_NALSIZE;
-
-/** @} */
-
-#ifdef __cplusplus
-}
-#endif /* __cplusplus */
-
-#endif
-/* File EOF */
-
diff --git a/media/omx-plugin/include/ics/pixelflinger/format.h b/media/omx-plugin/include/ics/pixelflinger/format.h
deleted file mode 100644
index 82eeca4d7..000000000
--- a/media/omx-plugin/include/ics/pixelflinger/format.h
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_PIXELFLINGER_FORMAT_H
-#define ANDROID_PIXELFLINGER_FORMAT_H
-
-#include <stdint.h>
-#include <sys/types.h>
-
-enum GGLPixelFormat {
-    // these constants need to match those
-    // in graphics/PixelFormat.java, ui/PixelFormat.h, BlitHardware.h
-    GGL_PIXEL_FORMAT_UNKNOWN    =   0,
-    GGL_PIXEL_FORMAT_NONE       =   0,
-
-    GGL_PIXEL_FORMAT_RGBA_8888   =   1,  // 4x8-bit ARGB
-    GGL_PIXEL_FORMAT_RGBX_8888   =   2,  // 3x8-bit RGB stored in 32-bit chunks
-    GGL_PIXEL_FORMAT_RGB_888     =   3,  // 3x8-bit RGB
-    GGL_PIXEL_FORMAT_RGB_565     =   4,  // 16-bit RGB
-    GGL_PIXEL_FORMAT_BGRA_8888   =   5,  // 4x8-bit BGRA
-    GGL_PIXEL_FORMAT_RGBA_5551   =   6,  // 16-bit RGBA
-    GGL_PIXEL_FORMAT_RGBA_4444   =   7,  // 16-bit RGBA
-
-    GGL_PIXEL_FORMAT_A_8         =   8,  // 8-bit A
-    GGL_PIXEL_FORMAT_L_8         =   9,  // 8-bit L (R=G=B = L)
-    GGL_PIXEL_FORMAT_LA_88       = 0xA,  // 16-bit LA
-    GGL_PIXEL_FORMAT_RGB_332     = 0xB,  // 8-bit RGB (non paletted)
-
-    // reserved range. don't use.
-    GGL_PIXEL_FORMAT_RESERVED_10 = 0x10,
-    GGL_PIXEL_FORMAT_RESERVED_11 = 0x11,
-    GGL_PIXEL_FORMAT_RESERVED_12 = 0x12,
-    GGL_PIXEL_FORMAT_RESERVED_13 = 0x13,
-    GGL_PIXEL_FORMAT_RESERVED_14 = 0x14,
-    GGL_PIXEL_FORMAT_RESERVED_15 = 0x15,
-    GGL_PIXEL_FORMAT_RESERVED_16 = 0x16,
-    GGL_PIXEL_FORMAT_RESERVED_17 = 0x17,
-
-    // reserved/special formats
-    GGL_PIXEL_FORMAT_Z_16       =  0x18,
-    GGL_PIXEL_FORMAT_S_8        =  0x19,
-    GGL_PIXEL_FORMAT_SZ_24      =  0x1A,
-    GGL_PIXEL_FORMAT_SZ_8       =  0x1B,
-
-    // reserved range. don't use.
-    GGL_PIXEL_FORMAT_RESERVED_20 = 0x20,
-    GGL_PIXEL_FORMAT_RESERVED_21 = 0x21,
-};
-
-enum GGLFormatComponents {
-	GGL_STENCIL_INDEX		= 0x1901,
-	GGL_DEPTH_COMPONENT		= 0x1902,
-	GGL_ALPHA				= 0x1906,
-	GGL_RGB					= 0x1907,
-	GGL_RGBA				= 0x1908,
-	GGL_LUMINANCE			= 0x1909,
-	GGL_LUMINANCE_ALPHA		= 0x190A,
-};
-
-enum GGLFormatComponentIndex {
-    GGL_INDEX_ALPHA   = 0,
-    GGL_INDEX_RED     = 1,
-    GGL_INDEX_GREEN   = 2,
-    GGL_INDEX_BLUE    = 3,
-    GGL_INDEX_STENCIL = 0,
-    GGL_INDEX_DEPTH   = 1,
-    GGL_INDEX_Y       = 0,
-    GGL_INDEX_CB      = 1,
-    GGL_INDEX_CR      = 2,
-};
-
-typedef struct {
-#ifdef __cplusplus
-    enum {
-        ALPHA   = GGL_INDEX_ALPHA,
-        RED     = GGL_INDEX_RED,
-        GREEN   = GGL_INDEX_GREEN,
-        BLUE    = GGL_INDEX_BLUE,
-        STENCIL = GGL_INDEX_STENCIL,
-        DEPTH   = GGL_INDEX_DEPTH,
-        LUMA    = GGL_INDEX_Y,
-        CHROMAB = GGL_INDEX_CB,
-        CHROMAR = GGL_INDEX_CR,
-    };
-    inline uint32_t mask(int i) const {
-            return ((1<<(c[i].h-c[i].l))-1)<<c[i].l;
-    }
-    inline uint32_t bits(int i) const {
-            return c[i].h - c[i].l;
-    }
-#endif
-	uint8_t     size;	// bytes per pixel
-    uint8_t     bitsPerPixel;
-    union {    
-        struct {
-            uint8_t     ah;		// alpha high bit position + 1
-            uint8_t     al;		// alpha low bit position
-            uint8_t     rh;		// red high bit position + 1
-            uint8_t     rl;		// red low bit position
-            uint8_t     gh;		// green high bit position + 1
-            uint8_t     gl;		// green low bit position
-            uint8_t     bh;		// blue high bit position + 1
-            uint8_t     bl;		// blue low bit position
-        };
-        struct {
-            uint8_t h;
-            uint8_t l;
-        } __attribute__((__packed__)) c[4];        
-    } __attribute__((__packed__));
-	uint16_t    components;	// GGLFormatComponents
-} GGLFormat;
-
-
-#ifdef __cplusplus
-extern "C" const GGLFormat* gglGetPixelFormatTable(size_t* numEntries = 0);
-#else
-const GGLFormat* gglGetPixelFormatTable(size_t* numEntries);
-#endif
-
-
-// ----------------------------------------------------------------------------
-
-#endif // ANDROID_PIXELFLINGER_FORMAT_H
diff --git a/media/omx-plugin/include/ics/pixelflinger/pixelflinger.h b/media/omx-plugin/include/ics/pixelflinger/pixelflinger.h
deleted file mode 100644
index 8a2b4421b..000000000
--- a/media/omx-plugin/include/ics/pixelflinger/pixelflinger.h
+++ /dev/null
@@ -1,330 +0,0 @@
-/*
- * Copyright (C) 2007 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_PIXELFLINGER_H
-#define ANDROID_PIXELFLINGER_H
-
-#include <stdint.h>
-#include <sys/types.h>
-
-#include <pixelflinger/format.h>
-
-// GGL types
-
-typedef int8_t			GGLbyte;		// b
-typedef int16_t			GGLshort;		// s
-typedef int32_t			GGLint;			// i
-typedef ssize_t			GGLsizei;		// i
-typedef int32_t			GGLfixed;		// x
-typedef int32_t			GGLclampx;		// x
-typedef float			GGLfloat;		// f
-typedef float			GGLclampf;		// f
-typedef double			GGLdouble;		// d
-typedef double			GGLclampd;		// d
-typedef uint8_t			GGLubyte;		// ub
-typedef uint8_t			GGLboolean;		// ub
-typedef uint16_t		GGLushort;		// us
-typedef uint32_t		GGLuint;		// ui
-typedef unsigned int	GGLenum;		// ui
-typedef unsigned int	GGLbitfield;	// ui
-typedef void			GGLvoid;
-typedef int32_t         GGLfixed32;
-typedef	int32_t         GGLcolor;
-typedef int32_t         GGLcoord;
-
-// ----------------------------------------------------------------------------
-
-#define GGL_MAX_VIEWPORT_DIMS           4096
-#define GGL_MAX_TEXTURE_SIZE            4096
-#define GGL_MAX_ALIASED_POINT_SIZE      0x7FFFFFF
-#define GGL_MAX_SMOOTH_POINT_SIZE       2048
-#define GGL_MAX_SMOOTH_LINE_WIDTH       2048
-
-// ----------------------------------------------------------------------------
-
-// All these names are compatible with their OpenGL equivalents
-// some of them are listed only for completeness
-enum GGLNames {
-	GGL_FALSE						= 0,
-	GGL_TRUE						= 1,
-
-	// enable/disable
-    GGL_SCISSOR_TEST                = 0x0C11,
-	GGL_TEXTURE_2D					= 0x0DE1,
-	GGL_ALPHA_TEST					= 0x0BC0,
-	GGL_BLEND						= 0x0BE2,
-	GGL_COLOR_LOGIC_OP				= 0x0BF2,
-	GGL_DITHER						= 0x0BD0,
-	GGL_STENCIL_TEST				= 0x0B90,
-	GGL_DEPTH_TEST					= 0x0B71,
-    GGL_AA                          = 0x80000001,
-    GGL_W_LERP                      = 0x80000004,
-    GGL_POINT_SMOOTH_NICE           = 0x80000005,
-
-    // buffers, pixel drawing/reading
-    GGL_COLOR                       = 0x1800,
-    
-    // fog
-    GGL_FOG                         = 0x0B60,
-    
-	// shade model
-	GGL_FLAT						= 0x1D00,
-	GGL_SMOOTH						= 0x1D01,
-
-	// Texture parameter name
-	GGL_TEXTURE_MIN_FILTER			= 0x2801,
-	GGL_TEXTURE_MAG_FILTER			= 0x2800,
-	GGL_TEXTURE_WRAP_S				= 0x2802,
-	GGL_TEXTURE_WRAP_T				= 0x2803,
-	GGL_TEXTURE_WRAP_R				= 0x2804,
-
-	// Texture Filter	
-	GGL_NEAREST						= 0x2600,
-	GGL_LINEAR						= 0x2601,
-	GGL_NEAREST_MIPMAP_NEAREST		= 0x2700,
-	GGL_LINEAR_MIPMAP_NEAREST		= 0x2701,
-	GGL_NEAREST_MIPMAP_LINEAR		= 0x2702,
-	GGL_LINEAR_MIPMAP_LINEAR		= 0x2703,
-
-	// Texture Wrap Mode
-	GGL_CLAMP						= 0x2900,
-	GGL_REPEAT						= 0x2901,
-    GGL_CLAMP_TO_EDGE               = 0x812F,
-
-	// Texture Env Mode
-	GGL_REPLACE						= 0x1E01,
-	GGL_MODULATE					= 0x2100,
-	GGL_DECAL						= 0x2101,
-	GGL_ADD							= 0x0104,
-
-	// Texture Env Parameter
-	GGL_TEXTURE_ENV_MODE			= 0x2200,
-	GGL_TEXTURE_ENV_COLOR			= 0x2201,
-
-	// Texture Env Target
-	GGL_TEXTURE_ENV					= 0x2300,
-
-    // Texture coord generation
-    GGL_TEXTURE_GEN_MODE            = 0x2500,
-    GGL_S                           = 0x2000,
-    GGL_T                           = 0x2001,
-    GGL_R                           = 0x2002,
-    GGL_Q                           = 0x2003,
-    GGL_ONE_TO_ONE                  = 0x80000002,
-    GGL_AUTOMATIC                   = 0x80000003,
-
-    // AlphaFunction
-    GGL_NEVER                       = 0x0200,
-    GGL_LESS                        = 0x0201,
-    GGL_EQUAL                       = 0x0202,
-    GGL_LEQUAL                      = 0x0203,
-    GGL_GREATER                     = 0x0204,
-    GGL_NOTEQUAL                    = 0x0205,
-    GGL_GEQUAL                      = 0x0206,
-    GGL_ALWAYS                      = 0x0207,
-
-    // LogicOp
-    GGL_CLEAR                       = 0x1500,   // 0
-    GGL_AND                         = 0x1501,   // s & d
-    GGL_AND_REVERSE                 = 0x1502,   // s & ~d
-    GGL_COPY                        = 0x1503,   // s
-    GGL_AND_INVERTED                = 0x1504,   // ~s & d
-    GGL_NOOP                        = 0x1505,   // d
-    GGL_XOR                         = 0x1506,   // s ^ d
-    GGL_OR                          = 0x1507,   // s | d
-    GGL_NOR                         = 0x1508,   // ~(s | d)
-    GGL_EQUIV                       = 0x1509,   // ~(s ^ d)
-    GGL_INVERT                      = 0x150A,   // ~d
-    GGL_OR_REVERSE                  = 0x150B,   // s | ~d
-    GGL_COPY_INVERTED               = 0x150C,   // ~s 
-    GGL_OR_INVERTED                 = 0x150D,   // ~s | d
-    GGL_NAND                        = 0x150E,   // ~(s & d)
-    GGL_SET                         = 0x150F,   // 1
-
-	// blending equation & function
-	GGL_ZERO                        = 0,		// SD
-	GGL_ONE                         = 1,		// SD
-	GGL_SRC_COLOR                   = 0x0300,	//  D
-	GGL_ONE_MINUS_SRC_COLOR         = 0x0301,	//	D
-	GGL_SRC_ALPHA                   = 0x0302,	// SD
-	GGL_ONE_MINUS_SRC_ALPHA			= 0x0303,	// SD
-	GGL_DST_ALPHA					= 0x0304,	// SD
-	GGL_ONE_MINUS_DST_ALPHA			= 0x0305,	// SD
-	GGL_DST_COLOR					= 0x0306,	// S
-	GGL_ONE_MINUS_DST_COLOR			= 0x0307,	// S
-	GGL_SRC_ALPHA_SATURATE			= 0x0308,	// S
-    
-    // clear bits
-    GGL_DEPTH_BUFFER_BIT            = 0x00000100,
-    GGL_STENCIL_BUFFER_BIT          = 0x00000400,
-    GGL_COLOR_BUFFER_BIT            = 0x00004000,
-
-    // errors
-    GGL_NO_ERROR                    = 0,
-    GGL_INVALID_ENUM                = 0x0500,
-    GGL_INVALID_VALUE               = 0x0501,
-    GGL_INVALID_OPERATION           = 0x0502,
-    GGL_STACK_OVERFLOW              = 0x0503,
-    GGL_STACK_UNDERFLOW             = 0x0504,
-    GGL_OUT_OF_MEMORY               = 0x0505
-};
-
-// ----------------------------------------------------------------------------
-
-typedef struct {
-    GGLsizei    version;    // always set to sizeof(GGLSurface)
-    GGLuint     width;      // width in pixels
-    GGLuint     height;     // height in pixels
-    GGLint      stride;     // stride in pixels
-    GGLubyte*   data;       // pointer to the bits
-    GGLubyte    format;     // pixel format
-    GGLubyte    rfu[3];     // must be zero
-    // these values are dependent on the used format
-    union {
-        GGLint  compressedFormat;
-        GGLint  vstride;
-    };
-    void*       reserved;
-} GGLSurface;
-
-
-typedef struct {
-    // immediate rendering
-    void (*pointx)(void *con, const GGLcoord* v, GGLcoord r);
-    void (*linex)(void *con, 
-            const GGLcoord* v0, const GGLcoord* v1, GGLcoord width);
-    void (*recti)(void* c, GGLint l, GGLint t, GGLint r, GGLint b); 
-    void (*trianglex)(void* c,
-            GGLcoord const* v0, GGLcoord const* v1, GGLcoord const* v2);
-
-    // scissor
-    void (*scissor)(void* c, GGLint x, GGLint y, GGLsizei width, GGLsizei height);
-
-    // Set the textures and color buffers
-    void (*activeTexture)(void* c, GGLuint tmu);
-    void (*bindTexture)(void* c, const GGLSurface* surface);
-    void (*colorBuffer)(void* c, const GGLSurface* surface);
-    void (*readBuffer)(void* c, const GGLSurface* surface);
-    void (*depthBuffer)(void* c, const GGLSurface* surface);
-    void (*bindTextureLod)(void* c, GGLuint tmu, const GGLSurface* surface);
-
-    // enable/disable features
-    void (*enable)(void* c, GGLenum name);
-    void (*disable)(void* c, GGLenum name);
-    void (*enableDisable)(void* c, GGLenum name, GGLboolean en);
-
-    // specify the fragment's color
-    void (*shadeModel)(void* c, GGLenum mode);
-    void (*color4xv)(void* c, const GGLclampx* color);
-    // specify color iterators (16.16)
-    void (*colorGrad12xv)(void* c, const GGLcolor* grad);
-
-    // specify Z coordinate iterators (0.32)
-    void (*zGrad3xv)(void* c, const GGLfixed32* grad);
-
-    // specify W coordinate iterators (16.16)
-    void (*wGrad3xv)(void* c, const GGLfixed* grad);
-
-    // specify fog iterator & color (16.16)
-    void (*fogGrad3xv)(void* c, const GGLfixed* grad);
-    void (*fogColor3xv)(void* c, const GGLclampx* color);
-
-    // specify blending parameters
-    void (*blendFunc)(void* c, GGLenum src, GGLenum dst);
-    void (*blendFuncSeparate)(void* c,  GGLenum src, GGLenum dst,
-                                        GGLenum srcAlpha, GGLenum dstAplha);
-
-    // texture environnement (REPLACE / MODULATE / DECAL / BLEND)
-    void (*texEnvi)(void* c,    GGLenum target,
-                                GGLenum pname,
-                                GGLint param);
-
-    void (*texEnvxv)(void* c, GGLenum target,
-            GGLenum pname, const GGLfixed* params);
-
-    // texture parameters (Wrapping, filter)
-    void (*texParameteri)(void* c,  GGLenum target,
-                                    GGLenum pname,
-                                    GGLint param);
-
-    // texture iterators (16.16)
-    void (*texCoord2i)(void* c, GGLint s, GGLint t);
-    void (*texCoord2x)(void* c, GGLfixed s, GGLfixed t);
-    
-    // s, dsdx, dsdy, scale, t, dtdx, dtdy, tscale
-    // This api uses block floating-point for S and T texture coordinates.
-    // All values are given in 16.16, scaled by 'scale'. In other words,
-    // set scale to 0, for 16.16 values.
-    void (*texCoordGradScale8xv)(void* c, GGLint tmu, const int32_t* grad8);
-    
-    void (*texGeni)(void* c, GGLenum coord, GGLenum pname, GGLint param);
-
-    // masking
-    void (*colorMask)(void* c,  GGLboolean red,
-                                GGLboolean green,
-                                GGLboolean blue,
-                                GGLboolean alpha);
-
-    void (*depthMask)(void* c, GGLboolean flag);
-
-    void (*stencilMask)(void* c, GGLuint mask);
-
-    // alpha func
-    void (*alphaFuncx)(void* c, GGLenum func, GGLclampx ref);
-
-    // depth func
-    void (*depthFunc)(void* c, GGLenum func);
-
-    // logic op
-    void (*logicOp)(void* c, GGLenum opcode); 
-
-    // clear
-    void (*clear)(void* c, GGLbitfield mask);
-    void (*clearColorx)(void* c,
-            GGLclampx r, GGLclampx g, GGLclampx b, GGLclampx a);
-    void (*clearDepthx)(void* c, GGLclampx depth);
-    void (*clearStencil)(void* c, GGLint s);
-
-    // framebuffer operations
-    void (*copyPixels)(void* c, GGLint x, GGLint y,
-            GGLsizei width, GGLsizei height, GGLenum type);
-    void (*rasterPos2x)(void* c, GGLfixed x, GGLfixed y);
-    void (*rasterPos2i)(void* c, GGLint x, GGLint y);
-} GGLContext;
-
-// ----------------------------------------------------------------------------
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-// construct / destroy the context
-ssize_t gglInit(GGLContext** context);
-ssize_t gglUninit(GGLContext* context);
-
-GGLint gglBitBlit(
-        GGLContext* c,
-        int tmu,
-        GGLint crop[4],
-        GGLint where[4]);
-
-#ifdef __cplusplus
-};
-#endif
-
-// ----------------------------------------------------------------------------
-
-#endif // ANDROID_PIXELFLINGER_H
diff --git a/media/omx-plugin/include/ics/stagefright/ColorConverter.h b/media/omx-plugin/include/ics/stagefright/ColorConverter.h
deleted file mode 100644
index 85ba92068..000000000
--- a/media/omx-plugin/include/ics/stagefright/ColorConverter.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef COLOR_CONVERTER_H_
-
-#define COLOR_CONVERTER_H_
-
-#include <sys/types.h>
-
-#include <stdint.h>
-#include <utils/Errors.h>
-
-#include <OMX_Video.h>
-
-namespace android {
-
-struct ColorConverter {
-    ColorConverter(OMX_COLOR_FORMATTYPE from, OMX_COLOR_FORMATTYPE to);
-    ~ColorConverter();
-
-    bool isValid() const;
-
-    status_t convert(
-            const void *srcBits,
-            size_t srcWidth, size_t srcHeight,
-            size_t srcCropLeft, size_t srcCropTop,
-            size_t srcCropRight, size_t srcCropBottom,
-            void *dstBits,
-            size_t dstWidth, size_t dstHeight,
-            size_t dstCropLeft, size_t dstCropTop,
-            size_t dstCropRight, size_t dstCropBottom);
-
-private:
-    struct BitmapParams {
-        BitmapParams(
-                void *bits,
-                size_t width, size_t height,
-                size_t cropLeft, size_t cropTop,
-                size_t cropRight, size_t cropBottom);
-
-        size_t cropWidth() const;
-        size_t cropHeight() const;
-
-        void *mBits;
-        size_t mWidth, mHeight;
-        size_t mCropLeft, mCropTop, mCropRight, mCropBottom;
-    };
-
-    OMX_COLOR_FORMATTYPE mSrcFormat, mDstFormat;
-    uint8_t *mClip;
-
-    uint8_t *initClip();
-
-    status_t convertCbYCrY(
-            const BitmapParams &src, const BitmapParams &dst);
-
-    status_t convertYUV420Planar(
-            const BitmapParams &src, const BitmapParams &dst);
-
-    status_t convertQCOMYUV420SemiPlanar(
-            const BitmapParams &src, const BitmapParams &dst);
-
-    status_t convertYUV420SemiPlanar(
-            const BitmapParams &src, const BitmapParams &dst);
-
-    status_t convertTIYUV420PackedSemiPlanar(
-            const BitmapParams &src, const BitmapParams &dst);
-
-    ColorConverter(const ColorConverter &);
-    ColorConverter &operator=(const ColorConverter &);
-};
-
-}  // namespace android
-
-#endif  // COLOR_CONVERTER_H_
diff --git a/media/omx-plugin/include/ics/stagefright/DataSource.h b/media/omx-plugin/include/ics/stagefright/DataSource.h
deleted file mode 100644
index 870d80571..000000000
--- a/media/omx-plugin/include/ics/stagefright/DataSource.h
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef DATA_SOURCE_H_
-
-#define DATA_SOURCE_H_
-
-#include <sys/types.h>
-
-#include <media/stagefright/MediaErrors.h>
-#include <utils/Errors.h>
-#include <utils/KeyedVector.h>
-#include <utils/List.h>
-#include <utils/RefBase.h>
-#include <utils/threads.h>
-#include <drm/DrmManagerClient.h>
-
-#if !defined(STAGEFRIGHT_EXPORT)
-#define STAGEFRIGHT_EXPORT
-#endif
-
-namespace android {
-
-struct AMessage;
-class String8;
-
-class STAGEFRIGHT_EXPORT DataSource : public RefBase {
-public:
-    enum Flags {
-        kWantsPrefetching      = 1,
-        kStreamedFromLocalHost = 2,
-        kIsCachingDataSource   = 4,
-        kIsHTTPBasedSource     = 8,
-    };
-
-    static sp<DataSource> CreateFromURI(
-            const char *uri,
-            const KeyedVector<String8, String8> *headers = NULL);
-
-    DataSource() {}
-
-    virtual status_t initCheck() const = 0;
-
-    virtual ssize_t readAt(off64_t offset, void *data, size_t size) = 0;
-
-    // Convenience methods:
-    bool getUInt16(off64_t offset, uint16_t *x);
-
-    // May return ERROR_UNSUPPORTED.
-    virtual status_t getSize(off64_t *size);
-
-    virtual uint32_t flags() {
-        return 0;
-    }
-
-    virtual status_t reconnectAtOffset(off64_t offset) {
-        return ERROR_UNSUPPORTED;
-    }
-
-    ////////////////////////////////////////////////////////////////////////////
-
-    bool sniff(String8 *mimeType, float *confidence, sp<AMessage> *meta);
-
-    // The sniffer can optionally fill in "meta" with an AMessage containing
-    // a dictionary of values that helps the corresponding extractor initialize
-    // its state without duplicating effort already exerted by the sniffer.
-    typedef bool (*SnifferFunc)(
-            const sp<DataSource> &source, String8 *mimeType,
-            float *confidence, sp<AMessage> *meta);
-
-    static void RegisterSniffer(SnifferFunc func);
-    static void RegisterDefaultSniffers();
-
-    // for DRM
-    virtual sp<DecryptHandle> DrmInitialization() {
-        return NULL;
-    }
-    virtual void getDrmInfo(sp<DecryptHandle> &handle, DrmManagerClient **client) {};
-
-    virtual String8 getUri() {
-        return String8();
-    }
-
-    virtual String8 getMIMEType() const;
-
-protected:
-    virtual ~DataSource() {}
-
-private:
-    static Mutex gSnifferMutex;
-    static List<SnifferFunc> gSniffers;
-
-    DataSource(const DataSource &);
-    DataSource &operator=(const DataSource &);
-};
-
-}  // namespace android
-
-#endif  // DATA_SOURCE_H_
diff --git a/media/omx-plugin/include/ics/stagefright/MediaExtractor.h b/media/omx-plugin/include/ics/stagefright/MediaExtractor.h
deleted file mode 100644
index 6d39131a9..000000000
--- a/media/omx-plugin/include/ics/stagefright/MediaExtractor.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MEDIA_EXTRACTOR_H_
-
-#define MEDIA_EXTRACTOR_H_
-
-#include <utils/RefBase.h>
-
-namespace android {
-
-class DataSource;
-struct MediaSource;
-class MetaData;
-
-class MediaExtractor : public RefBase {
-public:
-    static sp<MediaExtractor> Create(
-            const sp<DataSource> &source, const char *mime = NULL);
-
-    virtual size_t countTracks() = 0;
-    virtual sp<MediaSource> getTrack(size_t index) = 0;
-
-    enum GetTrackMetaDataFlags {
-        kIncludeExtensiveMetaData = 1
-    };
-    virtual sp<MetaData> getTrackMetaData(
-            size_t index, uint32_t flags = 0) = 0;
-
-    // Return container specific meta-data. The default implementation
-    // returns an empty metadata object.
-    virtual sp<MetaData> getMetaData();
-
-    enum Flags {
-        CAN_SEEK_BACKWARD  = 1,  // the "seek 10secs back button"
-        CAN_SEEK_FORWARD   = 2,  // the "seek 10secs forward button"
-        CAN_PAUSE          = 4,
-        CAN_SEEK           = 8,  // the "seek bar"
-    };
-
-    // If subclasses do _not_ override this, the default is
-    // CAN_SEEK_BACKWARD | CAN_SEEK_FORWARD | CAN_SEEK | CAN_PAUSE
-    virtual uint32_t flags() const;
-
-    // for DRM
-    virtual void setDrmFlag(bool flag) {
-        mIsDrm = flag;
-    };
-    virtual bool getDrmFlag() {
-        return mIsDrm;
-    }
-    virtual char* getDrmTrackInfo(size_t trackID, int *len) {
-        return NULL;
-    }
-
-protected:
-    MediaExtractor() {}
-    virtual ~MediaExtractor() {}
-
-private:
-    bool mIsDrm;
-
-    MediaExtractor(const MediaExtractor &);
-    MediaExtractor &operator=(const MediaExtractor &);
-};
-
-}  // namespace android
-
-#endif  // MEDIA_EXTRACTOR_H_
diff --git a/media/omx-plugin/include/ics/stagefright/MetaData.h b/media/omx-plugin/include/ics/stagefright/MetaData.h
deleted file mode 100644
index 4cdee1702..000000000
--- a/media/omx-plugin/include/ics/stagefright/MetaData.h
+++ /dev/null
@@ -1,231 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef META_DATA_H_
-
-#define META_DATA_H_
-
-#include <sys/types.h>
-
-#include <stdint.h>
-
-#include <utils/RefBase.h>
-#include <utils/KeyedVector.h>
-
-namespace android {
-
-// The following keys map to int32_t data unless indicated otherwise.
-enum {
-    kKeyMIMEType          = 'mime',  // cstring
-    kKeyWidth             = 'widt',  // int32_t, image pixel
-    kKeyHeight            = 'heig',  // int32_t, image pixel
-    kKeyDisplayWidth      = 'dWid',  // int32_t, display/presentation
-    kKeyDisplayHeight     = 'dHgt',  // int32_t, display/presentation
-
-    // a rectangle, if absent assumed to be (0, 0, width - 1, height - 1)
-    kKeyCropRect          = 'crop',
-
-    kKeyRotation          = 'rotA',  // int32_t (angle in degrees)
-    kKeyIFramesInterval   = 'ifiv',  // int32_t
-    kKeyStride            = 'strd',  // int32_t
-    kKeySliceHeight       = 'slht',  // int32_t
-    kKeyChannelCount      = '#chn',  // int32_t
-    kKeySampleRate        = 'srte',  // int32_t (audio sampling rate Hz)
-    kKeyFrameRate         = 'frmR',  // int32_t (video frame rate fps)
-    kKeyBitRate           = 'brte',  // int32_t (bps)
-    kKeyESDS              = 'esds',  // raw data
-    kKeyAVCC              = 'avcc',  // raw data
-    kKeyD263              = 'd263',  // raw data
-    kKeyVorbisInfo        = 'vinf',  // raw data
-    kKeyVorbisBooks       = 'vboo',  // raw data
-    kKeyWantsNALFragments = 'NALf',
-    kKeyIsSyncFrame       = 'sync',  // int32_t (bool)
-    kKeyIsCodecConfig     = 'conf',  // int32_t (bool)
-    kKeyTime              = 'time',  // int64_t (usecs)
-    kKeyDecodingTime      = 'decT',  // int64_t (decoding timestamp in usecs)
-    kKeyNTPTime           = 'ntpT',  // uint64_t (ntp-timestamp)
-    kKeyTargetTime        = 'tarT',  // int64_t (usecs)
-    kKeyDriftTime         = 'dftT',  // int64_t (usecs)
-    kKeyAnchorTime        = 'ancT',  // int64_t (usecs)
-    kKeyDuration          = 'dura',  // int64_t (usecs)
-    kKeyColorFormat       = 'colf',
-    kKeyPlatformPrivate   = 'priv',  // pointer
-    kKeyDecoderComponent  = 'decC',  // cstring
-    kKeyBufferID          = 'bfID',
-    kKeyMaxInputSize      = 'inpS',
-    kKeyThumbnailTime     = 'thbT',  // int64_t (usecs)
-    kKeyTrackID           = 'trID',
-    kKeyIsDRM             = 'idrm',  // int32_t (bool)
-
-    kKeyAlbum             = 'albu',  // cstring
-    kKeyArtist            = 'arti',  // cstring
-    kKeyAlbumArtist       = 'aart',  // cstring
-    kKeyComposer          = 'comp',  // cstring
-    kKeyGenre             = 'genr',  // cstring
-    kKeyTitle             = 'titl',  // cstring
-    kKeyYear              = 'year',  // cstring
-    kKeyAlbumArt          = 'albA',  // compressed image data
-    kKeyAlbumArtMIME      = 'alAM',  // cstring
-    kKeyAuthor            = 'auth',  // cstring
-    kKeyCDTrackNumber     = 'cdtr',  // cstring
-    kKeyDiscNumber        = 'dnum',  // cstring
-    kKeyDate              = 'date',  // cstring
-    kKeyWriter            = 'writ',  // cstring
-    kKeyCompilation       = 'cpil',  // cstring
-    kKeyLocation          = 'loc ',  // cstring
-    kKeyTimeScale         = 'tmsl',  // int32_t
-
-    // video profile and level
-    kKeyVideoProfile      = 'vprf',  // int32_t
-    kKeyVideoLevel        = 'vlev',  // int32_t
-
-    // Set this key to enable authoring files in 64-bit offset
-    kKey64BitFileOffset   = 'fobt',  // int32_t (bool)
-    kKey2ByteNalLength    = '2NAL',  // int32_t (bool)
-
-    // Identify the file output format for authoring
-    // Please see <media/mediarecorder.h> for the supported
-    // file output formats.
-    kKeyFileType          = 'ftyp',  // int32_t
-
-    // Track authoring progress status
-    // kKeyTrackTimeStatus is used to track progress in elapsed time
-    kKeyTrackTimeStatus   = 'tktm',  // int64_t
-
-    kKeyNotRealTime       = 'ntrt',  // bool (int32_t)
-
-    // Ogg files can be tagged to be automatically looping...
-    kKeyAutoLoop          = 'autL',  // bool (int32_t)
-
-    kKeyValidSamples      = 'valD',  // int32_t
-
-    kKeyIsUnreadable      = 'unre',  // bool (int32_t)
-
-    // An indication that a video buffer has been rendered.
-    kKeyRendered          = 'rend',  // bool (int32_t)
-
-    // The language code for this media
-    kKeyMediaLanguage     = 'lang',  // cstring
-
-    // To store the timed text format data
-    kKeyTextFormatData    = 'text',  // raw data
-
-    kKeyRequiresSecureBuffers = 'secu',  // bool (int32_t)
-};
-
-enum {
-    kTypeESDS        = 'esds',
-    kTypeAVCC        = 'avcc',
-    kTypeD263        = 'd263',
-};
-
-class MetaData : public RefBase {
-public:
-    MetaData();
-    MetaData(const MetaData &from);
-
-    enum Type {
-        TYPE_NONE     = 'none',
-        TYPE_C_STRING = 'cstr',
-        TYPE_INT32    = 'in32',
-        TYPE_INT64    = 'in64',
-        TYPE_FLOAT    = 'floa',
-        TYPE_POINTER  = 'ptr ',
-        TYPE_RECT     = 'rect',
-    };
-
-    void clear();
-    bool remove(uint32_t key);
-
-    bool setCString(uint32_t key, const char *value);
-    bool setInt32(uint32_t key, int32_t value);
-    bool setInt64(uint32_t key, int64_t value);
-    bool setFloat(uint32_t key, float value);
-    bool setPointer(uint32_t key, void *value);
-
-    bool setRect(
-            uint32_t key,
-            int32_t left, int32_t top,
-            int32_t right, int32_t bottom);
-
-    bool findCString(uint32_t key, const char **value);
-    bool findInt32(uint32_t key, int32_t *value);
-    bool findInt64(uint32_t key, int64_t *value);
-    bool findFloat(uint32_t key, float *value);
-    bool findPointer(uint32_t key, void **value);
-
-    bool findRect(
-            uint32_t key,
-            int32_t *left, int32_t *top,
-            int32_t *right, int32_t *bottom);
-
-    bool setData(uint32_t key, uint32_t type, const void *data, size_t size);
-
-    bool findData(uint32_t key, uint32_t *type,
-                  const void **data, size_t *size) const;
-
-protected:
-    virtual ~MetaData();
-
-private:
-    struct typed_data {
-        typed_data();
-        ~typed_data();
-
-        typed_data(const MetaData::typed_data &);
-        typed_data &operator=(const MetaData::typed_data &);
-
-        void clear();
-        void setData(uint32_t type, const void *data, size_t size);
-        void getData(uint32_t *type, const void **data, size_t *size) const;
-
-    private:
-        uint32_t mType;
-        size_t mSize;
-
-        union {
-            void *ext_data;
-            float reservoir;
-        } u;
-
-        bool usesReservoir() const {
-            return mSize <= sizeof(u.reservoir);
-        }
-
-        void allocateStorage(size_t size);
-        void freeStorage();
-
-        void *storage() {
-            return usesReservoir() ? &u.reservoir : u.ext_data;
-        }
-
-        const void *storage() const {
-            return usesReservoir() ? &u.reservoir : u.ext_data;
-        }
-    };
-
-    struct Rect {
-        int32_t mLeft, mTop, mRight, mBottom;
-    };
-
-    KeyedVector<uint32_t, typed_data> mItems;
-
-    // MetaData &operator=(const MetaData &);
-};
-
-}  // namespace android
-
-#endif  // META_DATA_H_
diff --git a/media/omx-plugin/include/ics/stagefright/OMXClient.h b/media/omx-plugin/include/ics/stagefright/OMXClient.h
deleted file mode 100644
index 2f14d06e8..000000000
--- a/media/omx-plugin/include/ics/stagefright/OMXClient.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef OMX_CLIENT_H_
-
-#define OMX_CLIENT_H_
-
-#include <media/IOMX.h>
-
-namespace android {
-
-class OMXClient {
-public:
-    OMXClient();
-
-    status_t connect();
-    void disconnect();
-
-    sp<IOMX> interface() {
-        return mOMX;
-    }
-
-private:
-    sp<IOMX> mOMX;
-
-    OMXClient(const OMXClient &);
-    OMXClient &operator=(const OMXClient &);
-};
-
-}  // namespace android
-
-#endif  // OMX_CLIENT_H_
diff --git a/media/omx-plugin/include/ics/stagefright/OMXCodec.h b/media/omx-plugin/include/ics/stagefright/OMXCodec.h
deleted file mode 100644
index 84f8282f6..000000000
--- a/media/omx-plugin/include/ics/stagefright/OMXCodec.h
+++ /dev/null
@@ -1,378 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef OMX_CODEC_H_
-
-#define OMX_CODEC_H_
-
-#include <android/native_window.h>
-#include <media/IOMX.h>
-#include <media/stagefright/MediaBuffer.h>
-#include <media/stagefright/MediaSource.h>
-#include <utils/threads.h>
-
-namespace android {
-
-class MemoryDealer;
-struct OMXCodecObserver;
-struct CodecProfileLevel;
-
-struct OMXCodec : public MediaSource,
-                  public MediaBufferObserver {
-    enum CreationFlags {
-        kPreferSoftwareCodecs    = 1,
-        kIgnoreCodecSpecificData = 2,
-
-        // The client wants to access the output buffer's video
-        // data for example for thumbnail extraction.
-        kClientNeedsFramebuffer  = 4,
-
-        // Request for software or hardware codecs. If request
-        // can not be fullfilled, Create() returns NULL.
-        kSoftwareCodecsOnly      = 8,
-        kHardwareCodecsOnly      = 16,
-
-        // Store meta data in video buffers
-        kStoreMetaDataInVideoBuffers = 32,
-
-        // Only submit one input buffer at one time.
-        kOnlySubmitOneInputBufferAtOneTime = 64,
-
-        // Enable GRALLOC_USAGE_PROTECTED for output buffers from native window
-        kEnableGrallocUsageProtected = 128,
-
-        // Secure decoding mode
-        kUseSecureInputBuffers = 256,
-    };
-    static sp<MediaSource> Create(
-            const sp<IOMX> &omx,
-            const sp<MetaData> &meta, bool createEncoder,
-            const sp<MediaSource> &source,
-            const char *matchComponentName = NULL,
-            uint32_t flags = 0,
-            const sp<ANativeWindow> &nativeWindow = NULL);
-
-    static void setComponentRole(
-            const sp<IOMX> &omx, IOMX::node_id node, bool isEncoder,
-            const char *mime);
-
-    virtual status_t start(MetaData *params = NULL);
-    virtual status_t stop();
-
-    virtual sp<MetaData> getFormat();
-
-    virtual status_t read(
-            MediaBuffer **buffer, const ReadOptions *options = NULL);
-
-    virtual status_t pause();
-
-    // from MediaBufferObserver
-    virtual void signalBufferReturned(MediaBuffer *buffer);
-
-    // for use by ACodec
-    static void findMatchingCodecs(
-            const char *mime,
-            bool createEncoder, const char *matchComponentName,
-            uint32_t flags,
-            Vector<String8> *matchingCodecs);
-
-protected:
-    virtual ~OMXCodec();
-
-private:
-
-    // Make sure mLock is accessible to OMXCodecObserver
-    friend class OMXCodecObserver;
-
-    // Call this with mLock hold
-    void on_message(const omx_message &msg);
-
-    enum State {
-        DEAD,
-        LOADED,
-        LOADED_TO_IDLE,
-        IDLE_TO_EXECUTING,
-        EXECUTING,
-        EXECUTING_TO_IDLE,
-        IDLE_TO_LOADED,
-        RECONFIGURING,
-        ERROR
-    };
-
-    enum {
-        kPortIndexInput  = 0,
-        kPortIndexOutput = 1
-    };
-
-    enum PortStatus {
-        ENABLED,
-        DISABLING,
-        DISABLED,
-        ENABLING,
-        SHUTTING_DOWN,
-    };
-
-    enum Quirks {
-        kNeedsFlushBeforeDisable              = 1,
-        kWantsNALFragments                    = 2,
-        kRequiresLoadedToIdleAfterAllocation  = 4,
-        kRequiresAllocateBufferOnInputPorts   = 8,
-        kRequiresFlushCompleteEmulation       = 16,
-        kRequiresAllocateBufferOnOutputPorts  = 32,
-        kRequiresFlushBeforeShutdown          = 64,
-        kDefersOutputBufferAllocation         = 128,
-        kDecoderLiesAboutNumberOfChannels     = 256,
-        kInputBufferSizesAreBogus             = 512,
-        kSupportsMultipleFramesPerInputBuffer = 1024,
-        kAvoidMemcopyInputRecordingFrames     = 2048,
-        kRequiresLargerEncoderOutputBuffer    = 4096,
-        kOutputBuffersAreUnreadable           = 8192,
-    };
-
-    enum BufferStatus {
-        OWNED_BY_US,
-        OWNED_BY_COMPONENT,
-        OWNED_BY_NATIVE_WINDOW,
-        OWNED_BY_CLIENT,
-    };
-
-    struct BufferInfo {
-        IOMX::buffer_id mBuffer;
-        BufferStatus mStatus;
-        sp<IMemory> mMem;
-        size_t mSize;
-        void *mData;
-        MediaBuffer *mMediaBuffer;
-    };
-
-    struct CodecSpecificData {
-        size_t mSize;
-        uint8_t mData[1];
-    };
-
-    sp<IOMX> mOMX;
-    bool mOMXLivesLocally;
-    IOMX::node_id mNode;
-    uint32_t mQuirks;
-
-    // Flags specified in the creation of the codec.
-    uint32_t mFlags;
-
-    bool mIsEncoder;
-    char *mMIME;
-    char *mComponentName;
-    sp<MetaData> mOutputFormat;
-    sp<MediaSource> mSource;
-    Vector<CodecSpecificData *> mCodecSpecificData;
-    size_t mCodecSpecificDataIndex;
-
-    sp<MemoryDealer> mDealer[2];
-
-    State mState;
-    Vector<BufferInfo> mPortBuffers[2];
-    PortStatus mPortStatus[2];
-    bool mInitialBufferSubmit;
-    bool mSignalledEOS;
-    status_t mFinalStatus;
-    bool mNoMoreOutputData;
-    bool mOutputPortSettingsHaveChanged;
-    int64_t mSeekTimeUs;
-    ReadOptions::SeekMode mSeekMode;
-    int64_t mTargetTimeUs;
-    bool mOutputPortSettingsChangedPending;
-
-    MediaBuffer *mLeftOverBuffer;
-
-    Mutex mLock;
-    Condition mAsyncCompletion;
-
-    bool mPaused;
-
-    sp<ANativeWindow> mNativeWindow;
-
-    // The index in each of the mPortBuffers arrays of the buffer that will be
-    // submitted to OMX next.  This only applies when using buffers from a
-    // native window.
-    size_t mNextNativeBufferIndex[2];
-
-    // A list of indices into mPortStatus[kPortIndexOutput] filled with data.
-    List<size_t> mFilledBuffers;
-    Condition mBufferFilled;
-
-    // Used to record the decoding time for an output picture from
-    // a video encoder.
-    List<int64_t> mDecodingTimeList;
-
-    OMXCodec(const sp<IOMX> &omx, IOMX::node_id node,
-             uint32_t quirks, uint32_t flags,
-             bool isEncoder, const char *mime, const char *componentName,
-             const sp<MediaSource> &source,
-             const sp<ANativeWindow> &nativeWindow);
-
-    void addCodecSpecificData(const void *data, size_t size);
-    void clearCodecSpecificData();
-
-    void setComponentRole();
-
-    void setAMRFormat(bool isWAMR, int32_t bitRate);
-    status_t setAACFormat(int32_t numChannels, int32_t sampleRate, int32_t bitRate);
-    void setG711Format(int32_t numChannels);
-
-    status_t setVideoPortFormatType(
-            OMX_U32 portIndex,
-            OMX_VIDEO_CODINGTYPE compressionFormat,
-            OMX_COLOR_FORMATTYPE colorFormat);
-
-    void setVideoInputFormat(
-            const char *mime, const sp<MetaData>& meta);
-
-    status_t setupBitRate(int32_t bitRate);
-    status_t setupErrorCorrectionParameters();
-    status_t setupH263EncoderParameters(const sp<MetaData>& meta);
-    status_t setupMPEG4EncoderParameters(const sp<MetaData>& meta);
-    status_t setupAVCEncoderParameters(const sp<MetaData>& meta);
-    status_t findTargetColorFormat(
-            const sp<MetaData>& meta, OMX_COLOR_FORMATTYPE *colorFormat);
-
-    status_t isColorFormatSupported(
-            OMX_COLOR_FORMATTYPE colorFormat, int portIndex);
-
-    // If profile/level is set in the meta data, its value in the meta
-    // data will be used; otherwise, the default value will be used.
-    status_t getVideoProfileLevel(const sp<MetaData>& meta,
-            const CodecProfileLevel& defaultProfileLevel,
-            CodecProfileLevel& profileLevel);
-
-    status_t setVideoOutputFormat(
-            const char *mime, OMX_U32 width, OMX_U32 height);
-
-    void setImageOutputFormat(
-            OMX_COLOR_FORMATTYPE format, OMX_U32 width, OMX_U32 height);
-
-    void setJPEGInputFormat(
-            OMX_U32 width, OMX_U32 height, OMX_U32 compressedSize);
-
-    void setMinBufferSize(OMX_U32 portIndex, OMX_U32 size);
-
-    void setRawAudioFormat(
-            OMX_U32 portIndex, int32_t sampleRate, int32_t numChannels);
-
-    status_t allocateBuffers();
-    status_t allocateBuffersOnPort(OMX_U32 portIndex);
-    status_t allocateOutputBuffersFromNativeWindow();
-
-    status_t queueBufferToNativeWindow(BufferInfo *info);
-    status_t cancelBufferToNativeWindow(BufferInfo *info);
-    BufferInfo* dequeueBufferFromNativeWindow();
-    status_t pushBlankBuffersToNativeWindow();
-
-    status_t freeBuffersOnPort(
-            OMX_U32 portIndex, bool onlyThoseWeOwn = false);
-
-    status_t freeBuffer(OMX_U32 portIndex, size_t bufIndex);
-
-    bool drainInputBuffer(IOMX::buffer_id buffer);
-    void fillOutputBuffer(IOMX::buffer_id buffer);
-    bool drainInputBuffer(BufferInfo *info);
-    void fillOutputBuffer(BufferInfo *info);
-
-    void drainInputBuffers();
-    void fillOutputBuffers();
-
-    bool drainAnyInputBuffer();
-    BufferInfo *findInputBufferByDataPointer(void *ptr);
-    BufferInfo *findEmptyInputBuffer();
-
-    // Returns true iff a flush was initiated and a completion event is
-    // upcoming, false otherwise (A flush was not necessary as we own all
-    // the buffers on that port).
-    // This method will ONLY ever return false for a component with quirk
-    // "kRequiresFlushCompleteEmulation".
-    bool flushPortAsync(OMX_U32 portIndex);
-
-    void disablePortAsync(OMX_U32 portIndex);
-    status_t enablePortAsync(OMX_U32 portIndex);
-
-    static size_t countBuffersWeOwn(const Vector<BufferInfo> &buffers);
-    static bool isIntermediateState(State state);
-
-    void onEvent(OMX_EVENTTYPE event, OMX_U32 data1, OMX_U32 data2);
-    void onCmdComplete(OMX_COMMANDTYPE cmd, OMX_U32 data);
-    void onStateChange(OMX_STATETYPE newState);
-    void onPortSettingsChanged(OMX_U32 portIndex);
-
-    void setState(State newState);
-
-    status_t init();
-    void initOutputFormat(const sp<MetaData> &inputFormat);
-    status_t initNativeWindow();
-
-    void initNativeWindowCrop();
-
-    void dumpPortStatus(OMX_U32 portIndex);
-
-    status_t configureCodec(const sp<MetaData> &meta);
-
-    static uint32_t getComponentQuirks(
-            const char *componentName, bool isEncoder);
-
-    void restorePatchedDataPointer(BufferInfo *info);
-
-    status_t applyRotation();
-    status_t waitForBufferFilled_l();
-
-    int64_t retrieveDecodingTimeUs(bool isCodecSpecific);
-
-    status_t parseAVCCodecSpecificData(
-            const void *data, size_t size,
-            unsigned *profile, unsigned *level);
-
-    OMXCodec(const OMXCodec &);
-    OMXCodec &operator=(const OMXCodec &);
-};
-
-struct CodecCapabilities {
-    String8 mComponentName;
-    Vector<CodecProfileLevel> mProfileLevels;
-    Vector<OMX_U32> mColorFormats;
-};
-
-// Return a vector of componentNames with supported profile/level pairs
-// supporting the given mime type, if queryDecoders==true, returns components
-// that decode content of the given type, otherwise returns components
-// that encode content of the given type.
-// profile and level indications only make sense for h.263, mpeg4 and avc
-// video.
-// If hwCodecOnly==true, only returns hardware-based components, software and
-// hardware otherwise.
-// The profile/level values correspond to
-// OMX_VIDEO_H263PROFILETYPE, OMX_VIDEO_MPEG4PROFILETYPE,
-// OMX_VIDEO_AVCPROFILETYPE, OMX_VIDEO_H263LEVELTYPE, OMX_VIDEO_MPEG4LEVELTYPE
-// and OMX_VIDEO_AVCLEVELTYPE respectively.
-
-status_t QueryCodecs(
-        const sp<IOMX> &omx,
-        const char *mimeType, bool queryDecoders, bool hwCodecOnly,
-        Vector<CodecCapabilities> *results);
-
-status_t QueryCodecs(
-        const sp<IOMX> &omx,
-        const char *mimeType, bool queryDecoders,
-        Vector<CodecCapabilities> *results);
-
-}  // namespace android
-
-#endif  // OMX_CODEC_H_
diff --git a/media/omx-plugin/include/ics/system/graphics.h b/media/omx-plugin/include/ics/system/graphics.h
deleted file mode 100644
index 729e92c78..000000000
--- a/media/omx-plugin/include/ics/system/graphics.h
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * Copyright (C) 2011 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef SYSTEM_CORE_INCLUDE_ANDROID_GRAPHICS_H
-#define SYSTEM_CORE_INCLUDE_ANDROID_GRAPHICS_H
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * If the HAL needs to create service threads to handle graphics related
- * tasks, these threads need to run at HAL_PRIORITY_URGENT_DISPLAY priority
- * if they can block the main rendering thread in any way.
- *
- * the priority of the current thread can be set with:
- *
- *      #include <sys/resource.h>
- *      setpriority(PRIO_PROCESS, 0, HAL_PRIORITY_URGENT_DISPLAY);
- *
- */
-
-#define HAL_PRIORITY_URGENT_DISPLAY     (-8)
-
-/**
- * pixel format definitions
- */
-
-enum {
-    HAL_PIXEL_FORMAT_RGBA_8888          = 1,
-    HAL_PIXEL_FORMAT_RGBX_8888          = 2,
-    HAL_PIXEL_FORMAT_RGB_888            = 3,
-    HAL_PIXEL_FORMAT_RGB_565            = 4,
-    HAL_PIXEL_FORMAT_BGRA_8888          = 5,
-    HAL_PIXEL_FORMAT_RGBA_5551          = 6,
-    HAL_PIXEL_FORMAT_RGBA_4444          = 7,
-
-    /* 0x8 - 0xFF range unavailable */
-
-    /*
-     * 0x100 - 0x1FF
-     *
-     * This range is reserved for pixel formats that are specific to the HAL
-     * implementation.  Implementations can use any value in this range to
-     * communicate video pixel formats between their HAL modules.  These formats
-     * must not have an alpha channel.  Additionally, an EGLimage created from a
-     * gralloc buffer of one of these formats must be supported for use with the
-     * GL_OES_EGL_image_external OpenGL ES extension.
-     */
-
-    /*
-     * Android YUV format:
-     *
-     * This format is exposed outside of the HAL to software decoders and
-     * applications.  EGLImageKHR must support it in conjunction with the
-     * OES_EGL_image_external extension.
-     *
-     * YV12 is a 4:2:0 YCrCb planar format comprised of a WxH Y plane followed
-     * by (W/2) x (H/2) Cr and Cb planes.
-     *
-     * This format assumes
-     * - an even width
-     * - an even height
-     * - a horizontal stride multiple of 16 pixels
-     * - a vertical stride equal to the height
-     *
-     *   y_size = stride * height
-     *   c_size = ALIGN(stride/2, 16) * height/2
-     *   size = y_size + c_size * 2
-     *   cr_offset = y_size
-     *   cb_offset = y_size + c_size
-     *
-     */
-    HAL_PIXEL_FORMAT_YV12   = 0x32315659, // YCrCb 4:2:0 Planar
-
-
-
-    /* Legacy formats (deprecated), used by ImageFormat.java */
-    HAL_PIXEL_FORMAT_YCbCr_422_SP       = 0x10, // NV16
-    HAL_PIXEL_FORMAT_YCrCb_420_SP       = 0x11, // NV21
-    HAL_PIXEL_FORMAT_YCbCr_422_I        = 0x14, // YUY2
-};
-
-
-/**
- * Transformation definitions
- *
- * IMPORTANT NOTE:
- * HAL_TRANSFORM_ROT_90 is applied CLOCKWISE and AFTER HAL_TRANSFORM_FLIP_{H|V}.
- *
- */
-
-enum {
-    /* flip source image horizontally (around the vertical axis) */
-    HAL_TRANSFORM_FLIP_H    = 0x01,
-    /* flip source image vertically (around the horizontal axis)*/
-    HAL_TRANSFORM_FLIP_V    = 0x02,
-    /* rotate source image 90 degrees clockwise */
-    HAL_TRANSFORM_ROT_90    = 0x04,
-    /* rotate source image 180 degrees */
-    HAL_TRANSFORM_ROT_180   = 0x03,
-    /* rotate source image 270 degrees clockwise */
-    HAL_TRANSFORM_ROT_270   = 0x07,
-};
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* SYSTEM_CORE_INCLUDE_ANDROID_GRAPHICS_H */
diff --git a/media/omx-plugin/include/ics/system/window.h b/media/omx-plugin/include/ics/system/window.h
deleted file mode 100644
index 1cc4a0a18..000000000
--- a/media/omx-plugin/include/ics/system/window.h
+++ /dev/null
@@ -1,632 +0,0 @@
-/*
- * Copyright (C) 2011 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef SYSTEM_CORE_INCLUDE_ANDROID_WINDOW_H
-#define SYSTEM_CORE_INCLUDE_ANDROID_WINDOW_H
-
-#include <stdint.h>
-#include <sys/cdefs.h>
-#include <system/graphics.h>
-#include <cutils/native_handle.h>
-
-__BEGIN_DECLS
-
-/*****************************************************************************/
-
-#define ANDROID_NATIVE_MAKE_CONSTANT(a,b,c,d) \
-    (((unsigned)(a)<<24)|((unsigned)(b)<<16)|((unsigned)(c)<<8)|(unsigned)(d))
-
-#define ANDROID_NATIVE_WINDOW_MAGIC \
-    ANDROID_NATIVE_MAKE_CONSTANT('_','w','n','d')
-
-#define ANDROID_NATIVE_BUFFER_MAGIC \
-    ANDROID_NATIVE_MAKE_CONSTANT('_','b','f','r')
-
-// ---------------------------------------------------------------------------
-
-typedef const native_handle_t* buffer_handle_t;
-
-// ---------------------------------------------------------------------------
-
-typedef struct android_native_rect_t
-{
-    int32_t left;
-    int32_t top;
-    int32_t right;
-    int32_t bottom;
-} android_native_rect_t;
-
-// ---------------------------------------------------------------------------
-
-typedef struct android_native_base_t
-{
-    /* a magic value defined by the actual EGL native type */
-    int magic;
-
-    /* the sizeof() of the actual EGL native type */
-    int version;
-
-    void* reserved[4];
-
-    /* reference-counting interface */
-    void (*incRef)(struct android_native_base_t* base);
-    void (*decRef)(struct android_native_base_t* base);
-} android_native_base_t;
-
-typedef struct ANativeWindowBuffer
-{
-#ifdef __cplusplus
-    ANativeWindowBuffer() {
-        common.magic = ANDROID_NATIVE_BUFFER_MAGIC;
-        common.version = sizeof(ANativeWindowBuffer);
-        memset(common.reserved, 0, sizeof(common.reserved));
-    }
-
-    // Implement the methods that sp<ANativeWindowBuffer> expects so that it
-    // can be used to automatically refcount ANativeWindowBuffer's.
-    void incStrong(const void* id) const {
-        common.incRef(const_cast<android_native_base_t*>(&common));
-    }
-    void decStrong(const void* id) const {
-        common.decRef(const_cast<android_native_base_t*>(&common));
-    }
-#endif
-
-    struct android_native_base_t common;
-
-    int width;
-    int height;
-    int stride;
-    int format;
-    int usage;
-
-    void* reserved[2];
-
-    buffer_handle_t handle;
-
-    void* reserved_proc[8];
-} ANativeWindowBuffer_t;
-
-// Old typedef for backwards compatibility.
-typedef ANativeWindowBuffer_t android_native_buffer_t;
-
-// ---------------------------------------------------------------------------
-
-/* attributes queriable with query() */
-enum {
-    NATIVE_WINDOW_WIDTH     = 0,
-    NATIVE_WINDOW_HEIGHT    = 1,
-    NATIVE_WINDOW_FORMAT    = 2,
-
-    /* The minimum number of buffers that must remain un-dequeued after a buffer
-     * has been queued.  This value applies only if set_buffer_count was used to
-     * override the number of buffers and if a buffer has since been queued.
-     * Users of the set_buffer_count ANativeWindow method should query this
-     * value before calling set_buffer_count.  If it is necessary to have N
-     * buffers simultaneously dequeued as part of the steady-state operation,
-     * and this query returns M then N+M buffers should be requested via
-     * native_window_set_buffer_count.
-     *
-     * Note that this value does NOT apply until a single buffer has been
-     * queued.  In particular this means that it is possible to:
-     *
-     * 1. Query M = min undequeued buffers
-     * 2. Set the buffer count to N + M
-     * 3. Dequeue all N + M buffers
-     * 4. Cancel M buffers
-     * 5. Queue, dequeue, queue, dequeue, ad infinitum
-     */
-    NATIVE_WINDOW_MIN_UNDEQUEUED_BUFFERS = 3,
-
-    /* Check whether queueBuffer operations on the ANativeWindow send the buffer
-     * to the window compositor.  The query sets the returned 'value' argument
-     * to 1 if the ANativeWindow DOES send queued buffers directly to the window
-     * compositor and 0 if the buffers do not go directly to the window
-     * compositor.
-     *
-     * This can be used to determine whether protected buffer content should be
-     * sent to the ANativeWindow.  Note, however, that a result of 1 does NOT
-     * indicate that queued buffers will be protected from applications or users
-     * capturing their contents.  If that behavior is desired then some other
-     * mechanism (e.g. the GRALLOC_USAGE_PROTECTED flag) should be used in
-     * conjunction with this query.
-     */
-    NATIVE_WINDOW_QUEUES_TO_WINDOW_COMPOSER = 4,
-
-    /* Get the concrete type of a ANativeWindow.  See below for the list of
-     * possible return values.
-     *
-     * This query should not be used outside the Android framework and will
-     * likely be removed in the near future.
-     */
-    NATIVE_WINDOW_CONCRETE_TYPE = 5,
-
-
-    /*
-     * Default width and height of the ANativeWindow, these are the dimensions
-     * of the window irrespective of the NATIVE_WINDOW_SET_BUFFERS_DIMENSIONS
-     * call.
-     */
-    NATIVE_WINDOW_DEFAULT_WIDTH = 6,
-    NATIVE_WINDOW_DEFAULT_HEIGHT = 7,
-
-    /*
-     * transformation that will most-likely be applied to buffers. This is only
-     * a hint, the actual transformation applied might be different.
-     *
-     * INTENDED USE:
-     *
-     * The transform hint can be used by a producer, for instance the GLES
-     * driver, to pre-rotate the rendering such that the final transformation
-     * in the composer is identity. This can be very useful when used in
-     * conjunction with the h/w composer HAL, in situations where it
-     * cannot handle arbitrary rotations.
-     *
-     * 1. Before dequeuing a buffer, the GL driver (or any other ANW client)
-     *    queries the ANW for NATIVE_WINDOW_TRANSFORM_HINT.
-     *
-     * 2. The GL driver overrides the width and height of the ANW to
-     *    account for NATIVE_WINDOW_TRANSFORM_HINT. This is done by querying
-     *    NATIVE_WINDOW_DEFAULT_{WIDTH | HEIGHT}, swapping the dimensions
-     *    according to NATIVE_WINDOW_TRANSFORM_HINT and calling
-     *    native_window_set_buffers_dimensions().
-     *
-     * 3. The GL driver dequeues a buffer of the new pre-rotated size.
-     *
-     * 4. The GL driver renders to the buffer such that the image is
-     *    already transformed, that is applying NATIVE_WINDOW_TRANSFORM_HINT
-     *    to the rendering.
-     *
-     * 5. The GL driver calls native_window_set_transform to apply
-     *    inverse transformation to the buffer it just rendered.
-     *    In order to do this, the GL driver needs
-     *    to calculate the inverse of NATIVE_WINDOW_TRANSFORM_HINT, this is
-     *    done easily:
-     *
-     *        int hintTransform, inverseTransform;
-     *        query(..., NATIVE_WINDOW_TRANSFORM_HINT, &hintTransform);
-     *        inverseTransform = hintTransform;
-     *        if (hintTransform & HAL_TRANSFORM_ROT_90)
-     *            inverseTransform ^= HAL_TRANSFORM_ROT_180;
-     *
-     *
-     * 6. The GL driver queues the pre-transformed buffer.
-     *
-     * 7. The composer combines the buffer transform with the display
-     *    transform.  If the buffer transform happens to cancel out the
-     *    display transform then no rotation is needed.
-     *
-     */
-    NATIVE_WINDOW_TRANSFORM_HINT = 8,
-};
-
-/* valid operations for the (*perform)() hook */
-enum {
-    NATIVE_WINDOW_SET_USAGE                 =  0,
-    NATIVE_WINDOW_CONNECT                   =  1,   /* deprecated */
-    NATIVE_WINDOW_DISCONNECT                =  2,   /* deprecated */
-    NATIVE_WINDOW_SET_CROP                  =  3,
-    NATIVE_WINDOW_SET_BUFFER_COUNT          =  4,
-    NATIVE_WINDOW_SET_BUFFERS_GEOMETRY      =  5,   /* deprecated */
-    NATIVE_WINDOW_SET_BUFFERS_TRANSFORM     =  6,
-    NATIVE_WINDOW_SET_BUFFERS_TIMESTAMP     =  7,
-    NATIVE_WINDOW_SET_BUFFERS_DIMENSIONS    =  8,
-    NATIVE_WINDOW_SET_BUFFERS_FORMAT        =  9,
-    NATIVE_WINDOW_SET_SCALING_MODE          = 10,
-    NATIVE_WINDOW_LOCK                      = 11,   /* private */
-    NATIVE_WINDOW_UNLOCK_AND_POST           = 12,   /* private */
-    NATIVE_WINDOW_API_CONNECT               = 13,   /* private */
-    NATIVE_WINDOW_API_DISCONNECT            = 14,   /* private */
-};
-
-/* parameter for NATIVE_WINDOW_[API_][DIS]CONNECT */
-enum {
-    /* Buffers will be queued by EGL via eglSwapBuffers after being filled using
-     * OpenGL ES.
-     */
-    NATIVE_WINDOW_API_EGL = 1,
-
-    /* Buffers will be queued after being filled using the CPU
-     */
-    NATIVE_WINDOW_API_CPU = 2,
-
-    /* Buffers will be queued by Stagefright after being filled by a video
-     * decoder.  The video decoder can either be a software or hardware decoder.
-     */
-    NATIVE_WINDOW_API_MEDIA = 3,
-
-    /* Buffers will be queued by the the camera HAL.
-     */
-    NATIVE_WINDOW_API_CAMERA = 4,
-};
-
-/* parameter for NATIVE_WINDOW_SET_BUFFERS_TRANSFORM */
-enum {
-    /* flip source image horizontally */
-    NATIVE_WINDOW_TRANSFORM_FLIP_H = HAL_TRANSFORM_FLIP_H ,
-    /* flip source image vertically */
-    NATIVE_WINDOW_TRANSFORM_FLIP_V = HAL_TRANSFORM_FLIP_V,
-    /* rotate source image 90 degrees clock-wise */
-    NATIVE_WINDOW_TRANSFORM_ROT_90 = HAL_TRANSFORM_ROT_90,
-    /* rotate source image 180 degrees */
-    NATIVE_WINDOW_TRANSFORM_ROT_180 = HAL_TRANSFORM_ROT_180,
-    /* rotate source image 270 degrees clock-wise */
-    NATIVE_WINDOW_TRANSFORM_ROT_270 = HAL_TRANSFORM_ROT_270,
-};
-
-/* parameter for NATIVE_WINDOW_SET_SCALING_MODE */
-enum {
-    /* the window content is not updated (frozen) until a buffer of
-     * the window size is received (enqueued)
-     */
-    NATIVE_WINDOW_SCALING_MODE_FREEZE           = 0,
-    /* the buffer is scaled in both dimensions to match the window size */
-    NATIVE_WINDOW_SCALING_MODE_SCALE_TO_WINDOW  = 1,
-};
-
-/* values returned by the NATIVE_WINDOW_CONCRETE_TYPE query */
-enum {
-    NATIVE_WINDOW_FRAMEBUFFER               = 0, /* FramebufferNativeWindow */
-    NATIVE_WINDOW_SURFACE                   = 1, /* Surface */
-    NATIVE_WINDOW_SURFACE_TEXTURE_CLIENT    = 2, /* SurfaceTextureClient */
-};
-
-/* parameter for NATIVE_WINDOW_SET_BUFFERS_TIMESTAMP
- *
- * Special timestamp value to indicate that timestamps should be auto-generated
- * by the native window when queueBuffer is called.  This is equal to INT64_MIN,
- * defined directly to avoid problems with C99/C++ inclusion of stdint.h.
- */
-static const int64_t NATIVE_WINDOW_TIMESTAMP_AUTO = (-9223372036854775807LL-1);
-
-struct ANativeWindow
-{
-#ifdef __cplusplus
-    ANativeWindow()
-        : flags(0), minSwapInterval(0), maxSwapInterval(0), xdpi(0), ydpi(0)
-    {
-        common.magic = ANDROID_NATIVE_WINDOW_MAGIC;
-        common.version = sizeof(ANativeWindow);
-        memset(common.reserved, 0, sizeof(common.reserved));
-    }
-
-    /* Implement the methods that sp<ANativeWindow> expects so that it
-       can be used to automatically refcount ANativeWindow's. */
-    void incStrong(const void* id) const {
-        common.incRef(const_cast<android_native_base_t*>(&common));
-    }
-    void decStrong(const void* id) const {
-        common.decRef(const_cast<android_native_base_t*>(&common));
-    }
-#endif
-
-    struct android_native_base_t common;
-
-    /* flags describing some attributes of this surface or its updater */
-    const uint32_t flags;
-
-    /* min swap interval supported by this updated */
-    const int   minSwapInterval;
-
-    /* max swap interval supported by this updated */
-    const int   maxSwapInterval;
-
-    /* horizontal and vertical resolution in DPI */
-    const float xdpi;
-    const float ydpi;
-
-    /* Some storage reserved for the OEM's driver. */
-    intptr_t    oem[4];
-
-    /*
-     * Set the swap interval for this surface.
-     *
-     * Returns 0 on success or -errno on error.
-     */
-    int     (*setSwapInterval)(struct ANativeWindow* window,
-                int interval);
-
-    /*
-     * Hook called by EGL to acquire a buffer. After this call, the buffer
-     * is not locked, so its content cannot be modified. This call may block if
-     * no buffers are available.
-     *
-     * The window holds a reference to the buffer between dequeueBuffer and
-     * either queueBuffer or cancelBuffer, so clients only need their own
-     * reference if they might use the buffer after queueing or canceling it.
-     * Holding a reference to a buffer after queueing or canceling it is only
-     * allowed if a specific buffer count has been set.
-     *
-     * Returns 0 on success or -errno on error.
-     */
-    int     (*dequeueBuffer)(struct ANativeWindow* window,
-                struct ANativeWindowBuffer** buffer);
-
-    /*
-     * hook called by EGL to lock a buffer. This MUST be called before modifying
-     * the content of a buffer. The buffer must have been acquired with
-     * dequeueBuffer first.
-     *
-     * Returns 0 on success or -errno on error.
-     */
-    int     (*lockBuffer)(struct ANativeWindow* window,
-                struct ANativeWindowBuffer* buffer);
-    /*
-     * Hook called by EGL when modifications to the render buffer are done.
-     * This unlocks and post the buffer.
-     *
-     * The window holds a reference to the buffer between dequeueBuffer and
-     * either queueBuffer or cancelBuffer, so clients only need their own
-     * reference if they might use the buffer after queueing or canceling it.
-     * Holding a reference to a buffer after queueing or canceling it is only
-     * allowed if a specific buffer count has been set.
-     *
-     * Buffers MUST be queued in the same order than they were dequeued.
-     *
-     * Returns 0 on success or -errno on error.
-     */
-    int     (*queueBuffer)(struct ANativeWindow* window,
-                struct ANativeWindowBuffer* buffer);
-
-    /*
-     * hook used to retrieve information about the native window.
-     *
-     * Returns 0 on success or -errno on error.
-     */
-    int     (*query)(const struct ANativeWindow* window,
-                int what, int* value);
-
-    /*
-     * hook used to perform various operations on the surface.
-     * (*perform)() is a generic mechanism to add functionality to
-     * ANativeWindow while keeping backward binary compatibility.
-     *
-     * DO NOT CALL THIS HOOK DIRECTLY.  Instead, use the helper functions
-     * defined below.
-     *
-     *  (*perform)() returns -ENOENT if the 'what' parameter is not supported
-     *  by the surface's implementation.
-     *
-     * The valid operations are:
-     *     NATIVE_WINDOW_SET_USAGE
-     *     NATIVE_WINDOW_CONNECT               (deprecated)
-     *     NATIVE_WINDOW_DISCONNECT            (deprecated)
-     *     NATIVE_WINDOW_SET_CROP
-     *     NATIVE_WINDOW_SET_BUFFER_COUNT
-     *     NATIVE_WINDOW_SET_BUFFERS_GEOMETRY  (deprecated)
-     *     NATIVE_WINDOW_SET_BUFFERS_TRANSFORM
-     *     NATIVE_WINDOW_SET_BUFFERS_TIMESTAMP
-     *     NATIVE_WINDOW_SET_BUFFERS_DIMENSIONS
-     *     NATIVE_WINDOW_SET_BUFFERS_FORMAT
-     *     NATIVE_WINDOW_SET_SCALING_MODE
-     *     NATIVE_WINDOW_LOCK                   (private)
-     *     NATIVE_WINDOW_UNLOCK_AND_POST        (private)
-     *     NATIVE_WINDOW_API_CONNECT            (private)
-     *     NATIVE_WINDOW_API_DISCONNECT         (private)
-     *
-     */
-
-    int     (*perform)(struct ANativeWindow* window,
-                int operation, ... );
-
-    /*
-     * Hook used to cancel a buffer that has been dequeued.
-     * No synchronization is performed between dequeue() and cancel(), so
-     * either external synchronization is needed, or these functions must be
-     * called from the same thread.
-     *
-     * The window holds a reference to the buffer between dequeueBuffer and
-     * either queueBuffer or cancelBuffer, so clients only need their own
-     * reference if they might use the buffer after queueing or canceling it.
-     * Holding a reference to a buffer after queueing or canceling it is only
-     * allowed if a specific buffer count has been set.
-     */
-    int     (*cancelBuffer)(struct ANativeWindow* window,
-                struct ANativeWindowBuffer* buffer);
-
-
-    void* reserved_proc[2];
-};
-
- /* Backwards compatibility: use ANativeWindow (struct ANativeWindow in C).
-  * android_native_window_t is deprecated.
-  */
-typedef struct ANativeWindow ANativeWindow;
-typedef struct ANativeWindow android_native_window_t;
-
-/*
- *  native_window_set_usage(..., usage)
- *  Sets the intended usage flags for the next buffers
- *  acquired with (*lockBuffer)() and on.
- *  By default (if this function is never called), a usage of
- *      GRALLOC_USAGE_HW_RENDER | GRALLOC_USAGE_HW_TEXTURE
- *  is assumed.
- *  Calling this function will usually cause following buffers to be
- *  reallocated.
- */
-
-static inline int native_window_set_usage(
-        struct ANativeWindow* window, int usage)
-{
-    return window->perform(window, NATIVE_WINDOW_SET_USAGE, usage);
-}
-
-/* deprecated. Always returns 0. Don't call. */
-static inline int native_window_connect(
-        struct ANativeWindow* window, int api) {
-    return 0;
-}
-
-/* deprecated. Always returns 0. Don't call. */
-static inline int native_window_disconnect(
-        struct ANativeWindow* window, int api) {
-    return 0;
-}
-
-/*
- * native_window_set_crop(..., crop)
- * Sets which region of the next queued buffers needs to be considered.
- * A buffer's crop region is scaled to match the surface's size.
- *
- * The specified crop region applies to all buffers queued after it is called.
- *
- * if 'crop' is NULL, subsequently queued buffers won't be cropped.
- *
- * An error is returned if for instance the crop region is invalid,
- * out of the buffer's bound or if the window is invalid.
- */
-static inline int native_window_set_crop(
-        struct ANativeWindow* window,
-        android_native_rect_t const * crop)
-{
-    return window->perform(window, NATIVE_WINDOW_SET_CROP, crop);
-}
-
-/*
- * native_window_set_buffer_count(..., count)
- * Sets the number of buffers associated with this native window.
- */
-static inline int native_window_set_buffer_count(
-        struct ANativeWindow* window,
-        size_t bufferCount)
-{
-    return window->perform(window, NATIVE_WINDOW_SET_BUFFER_COUNT, bufferCount);
-}
-
-/*
- * native_window_set_buffers_geometry(..., int w, int h, int format)
- * All buffers dequeued after this call will have the dimensions and format
- * specified.  A successful call to this function has the same effect as calling
- * native_window_set_buffers_size and native_window_set_buffers_format.
- *
- * XXX: This function is deprecated.  The native_window_set_buffers_dimensions
- * and native_window_set_buffers_format functions should be used instead.
- */
-static inline int native_window_set_buffers_geometry(
-        struct ANativeWindow* window,
-        int w, int h, int format)
-{
-    return window->perform(window, NATIVE_WINDOW_SET_BUFFERS_GEOMETRY,
-            w, h, format);
-}
-
-/*
- * native_window_set_buffers_dimensions(..., int w, int h)
- * All buffers dequeued after this call will have the dimensions specified.
- * In particular, all buffers will have a fixed-size, independent form the
- * native-window size. They will be scaled according to the scaling mode
- * (see native_window_set_scaling_mode) upon window composition.
- *
- * If w and h are 0, the normal behavior is restored. That is, dequeued buffers
- * following this call will be sized to match the window's size.
- *
- * Calling this function will reset the window crop to a NULL value, which
- * disables cropping of the buffers.
- */
-static inline int native_window_set_buffers_dimensions(
-        struct ANativeWindow* window,
-        int w, int h)
-{
-    return window->perform(window, NATIVE_WINDOW_SET_BUFFERS_DIMENSIONS,
-            w, h);
-}
-
-/*
- * native_window_set_buffers_format(..., int format)
- * All buffers dequeued after this call will have the format specified.
- *
- * If the specified format is 0, the default buffer format will be used.
- */
-static inline int native_window_set_buffers_format(
-        struct ANativeWindow* window,
-        int format)
-{
-    return window->perform(window, NATIVE_WINDOW_SET_BUFFERS_FORMAT, format);
-}
-
-/*
- * native_window_set_buffers_transform(..., int transform)
- * All buffers queued after this call will be displayed transformed according
- * to the transform parameter specified.
- */
-static inline int native_window_set_buffers_transform(
-        struct ANativeWindow* window,
-        int transform)
-{
-    return window->perform(window, NATIVE_WINDOW_SET_BUFFERS_TRANSFORM,
-            transform);
-}
-
-/*
- * native_window_set_buffers_timestamp(..., int64_t timestamp)
- * All buffers queued after this call will be associated with the timestamp
- * parameter specified. If the timestamp is set to NATIVE_WINDOW_TIMESTAMP_AUTO
- * (the default), timestamps will be generated automatically when queueBuffer is
- * called. The timestamp is measured in nanoseconds, and is normally monotonically
- * increasing. The timestamp should be unaffected by time-of-day adjustments,
- * and for a camera should be strictly monotonic but for a media player may be
- * reset when the position is set.
- */
-static inline int native_window_set_buffers_timestamp(
-        struct ANativeWindow* window,
-        int64_t timestamp)
-{
-    return window->perform(window, NATIVE_WINDOW_SET_BUFFERS_TIMESTAMP,
-            timestamp);
-}
-
-/*
- * native_window_set_scaling_mode(..., int mode)
- * All buffers queued after this call will be associated with the scaling mode
- * specified.
- */
-static inline int native_window_set_scaling_mode(
-        struct ANativeWindow* window,
-        int mode)
-{
-    return window->perform(window, NATIVE_WINDOW_SET_SCALING_MODE,
-            mode);
-}
-
-
-/*
- * native_window_api_connect(..., int api)
- * connects an API to this window. only one API can be connected at a time.
- * Returns -EINVAL if for some reason the window cannot be connected, which
- * can happen if it's connected to some other API.
- */
-static inline int native_window_api_connect(
-        struct ANativeWindow* window, int api)
-{
-    return window->perform(window, NATIVE_WINDOW_API_CONNECT, api);
-}
-
-/*
- * native_window_api_disconnect(..., int api)
- * disconnect the API from this window.
- * An error is returned if for instance the window wasn't connected in the
- * first place.
- */
-static inline int native_window_api_disconnect(
-        struct ANativeWindow* window, int api)
-{
-    return window->perform(window, NATIVE_WINDOW_API_DISCONNECT, api);
-}
-
-
-__END_DECLS
-
-#endif /* SYSTEM_CORE_INCLUDE_ANDROID_WINDOW_H */
diff --git a/media/omx-plugin/include/ics/ui/GraphicBuffer.h b/media/omx-plugin/include/ics/ui/GraphicBuffer.h
deleted file mode 100644
index 6ab01f4c9..000000000
--- a/media/omx-plugin/include/ics/ui/GraphicBuffer.h
+++ /dev/null
@@ -1,159 +0,0 @@
-/*
- * Copyright (C) 2007 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_GRAPHIC_BUFFER_H
-#define ANDROID_GRAPHIC_BUFFER_H
-
-#include <stdint.h>
-#include <sys/types.h>
-
-#include <ui/android_native_buffer.h>
-#include <ui/PixelFormat.h>
-#include <ui/Rect.h>
-#include <utils/Flattenable.h>
-#include <pixelflinger/pixelflinger.h>
-
-struct ANativeWindowBuffer;
-
-namespace android {
-
-class GraphicBufferMapper;
-
-// ===========================================================================
-// GraphicBuffer
-// ===========================================================================
-
-class GraphicBuffer
-    : public EGLNativeBase<
-        ANativeWindowBuffer,
-        GraphicBuffer, 
-        LightRefBase<GraphicBuffer> >, public Flattenable
-{
-public:
-
-    enum {
-        USAGE_SW_READ_NEVER     = GRALLOC_USAGE_SW_READ_NEVER,
-        USAGE_SW_READ_RARELY    = GRALLOC_USAGE_SW_READ_RARELY,
-        USAGE_SW_READ_OFTEN     = GRALLOC_USAGE_SW_READ_OFTEN,
-        USAGE_SW_READ_MASK      = GRALLOC_USAGE_SW_READ_MASK,
-        
-        USAGE_SW_WRITE_NEVER    = GRALLOC_USAGE_SW_WRITE_NEVER,
-        USAGE_SW_WRITE_RARELY   = GRALLOC_USAGE_SW_WRITE_RARELY,
-        USAGE_SW_WRITE_OFTEN    = GRALLOC_USAGE_SW_WRITE_OFTEN,
-        USAGE_SW_WRITE_MASK     = GRALLOC_USAGE_SW_WRITE_MASK,
-
-        USAGE_SOFTWARE_MASK     = USAGE_SW_READ_MASK|USAGE_SW_WRITE_MASK,
-
-        USAGE_PROTECTED         = GRALLOC_USAGE_PROTECTED,
-
-        USAGE_HW_TEXTURE        = GRALLOC_USAGE_HW_TEXTURE,
-        USAGE_HW_RENDER         = GRALLOC_USAGE_HW_RENDER,
-        USAGE_HW_2D             = GRALLOC_USAGE_HW_2D,
-        USAGE_HW_COMPOSER       = GRALLOC_USAGE_HW_COMPOSER,
-        USAGE_HW_VIDEO_ENCODER  = GRALLOC_USAGE_HW_VIDEO_ENCODER,
-        USAGE_HW_MASK           = GRALLOC_USAGE_HW_MASK
-    };
-
-    GraphicBuffer();
-
-    // creates w * h buffer
-    GraphicBuffer(uint32_t w, uint32_t h, PixelFormat format, uint32_t usage);
-
-    // create a buffer from an existing handle
-    GraphicBuffer(uint32_t w, uint32_t h, PixelFormat format, uint32_t usage,
-            uint32_t stride, native_handle_t* handle, bool keepOwnership);
-
-    // create a buffer from an existing ANativeWindowBuffer
-    GraphicBuffer(ANativeWindowBuffer* buffer, bool keepOwnership);
-
-    // return status
-    status_t initCheck() const;
-
-    uint32_t getWidth() const           { return width; }
-    uint32_t getHeight() const          { return height; }
-    uint32_t getStride() const          { return stride; }
-    uint32_t getUsage() const           { return usage; }
-    PixelFormat getPixelFormat() const  { return format; }
-    Rect getBounds() const              { return Rect(width, height); }
-    
-    status_t reallocate(uint32_t w, uint32_t h, PixelFormat f, uint32_t usage);
-
-    status_t lock(uint32_t usage, void** vaddr);
-    status_t lock(uint32_t usage, const Rect& rect, void** vaddr);
-    status_t lock(GGLSurface* surface, uint32_t usage);
-    status_t unlock();
-
-    ANativeWindowBuffer* getNativeBuffer() const;
-    
-    void setIndex(int index);
-    int getIndex() const;
-
-    // for debugging
-    static void dumpAllocationsToSystemLog();
-
-private:
-    virtual ~GraphicBuffer();
-
-    enum {
-        ownNone   = 0,
-        ownHandle = 1,
-        ownData   = 2,
-    };
-
-    inline const GraphicBufferMapper& getBufferMapper() const {
-        return mBufferMapper;
-    }
-    inline GraphicBufferMapper& getBufferMapper() {
-        return mBufferMapper;
-    }
-    uint8_t mOwner;
-
-private:
-    friend class Surface;
-    friend class BpSurface;
-    friend class BnSurface;
-    friend class SurfaceTextureClient;
-    friend class LightRefBase<GraphicBuffer>;
-    GraphicBuffer(const GraphicBuffer& rhs);
-    GraphicBuffer& operator = (const GraphicBuffer& rhs);
-    const GraphicBuffer& operator = (const GraphicBuffer& rhs) const;
-
-    status_t initSize(uint32_t w, uint32_t h, PixelFormat format, 
-            uint32_t usage);
-
-    void free_handle();
-
-    // Flattenable interface
-    size_t getFlattenedSize() const;
-    size_t getFdCount() const;
-    status_t flatten(void* buffer, size_t size,
-            int fds[], size_t count) const;
-    status_t unflatten(void const* buffer, size_t size,
-            int fds[], size_t count);
-
-
-    GraphicBufferMapper& mBufferMapper;
-    ssize_t mInitCheck;
-    int mIndex;
-
-    // If we're wrapping another buffer then this reference will make sure it
-    // doesn't get freed.
-    sp<ANativeWindowBuffer> mWrappedBuffer;
-};
-
-}; // namespace android
-
-#endif // ANDROID_GRAPHIC_BUFFER_H
diff --git a/media/omx-plugin/include/ics/ui/PixelFormat.h b/media/omx-plugin/include/ics/ui/PixelFormat.h
deleted file mode 100644
index 848c5a114..000000000
--- a/media/omx-plugin/include/ics/ui/PixelFormat.h
+++ /dev/null
@@ -1,137 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-//
-
-// Pixel formats used across the system.
-// These formats might not all be supported by all renderers, for instance
-// skia or SurfaceFlinger are not required to support all of these formats
-// (either as source or destination)
-
-// XXX: we should consolidate these formats and skia's
-
-#ifndef UI_PIXELFORMAT_H
-#define UI_PIXELFORMAT_H
-
-#include <stdint.h>
-#include <sys/types.h>
-#include <utils/Errors.h>
-#include <pixelflinger/format.h>
-#include <hardware/hardware.h>
-
-namespace android {
-
-enum {
-    //
-    // these constants need to match those
-    // in graphics/PixelFormat.java & pixelflinger/format.h
-    //
-    PIXEL_FORMAT_UNKNOWN    =   0,
-    PIXEL_FORMAT_NONE       =   0,
-
-    // logical pixel formats used by the SurfaceFlinger -----------------------
-    PIXEL_FORMAT_CUSTOM         = -4,
-        // Custom pixel-format described by a PixelFormatInfo structure
-
-    PIXEL_FORMAT_TRANSLUCENT    = -3,
-        // System chooses a format that supports translucency (many alpha bits)
-
-    PIXEL_FORMAT_TRANSPARENT    = -2,
-        // System chooses a format that supports transparency
-        // (at least 1 alpha bit)
-
-    PIXEL_FORMAT_OPAQUE         = -1,
-        // System chooses an opaque format (no alpha bits required)
-
-    // real pixel formats supported for rendering -----------------------------
-
-    PIXEL_FORMAT_RGBA_8888   = HAL_PIXEL_FORMAT_RGBA_8888,  // 4x8-bit RGBA
-    PIXEL_FORMAT_RGBX_8888   = HAL_PIXEL_FORMAT_RGBX_8888,  // 4x8-bit RGB0
-    PIXEL_FORMAT_RGB_888     = HAL_PIXEL_FORMAT_RGB_888,    // 3x8-bit RGB
-    PIXEL_FORMAT_RGB_565     = HAL_PIXEL_FORMAT_RGB_565,    // 16-bit RGB
-    PIXEL_FORMAT_BGRA_8888   = HAL_PIXEL_FORMAT_BGRA_8888,  // 4x8-bit BGRA
-    PIXEL_FORMAT_RGBA_5551   = HAL_PIXEL_FORMAT_RGBA_5551,  // 16-bit ARGB
-    PIXEL_FORMAT_RGBA_4444   = HAL_PIXEL_FORMAT_RGBA_4444,  // 16-bit ARGB
-    PIXEL_FORMAT_A_8         = GGL_PIXEL_FORMAT_A_8,        // 8-bit A
-    PIXEL_FORMAT_L_8         = GGL_PIXEL_FORMAT_L_8,        // 8-bit L (R=G=B=L)
-    PIXEL_FORMAT_LA_88       = GGL_PIXEL_FORMAT_LA_88,      // 16-bit LA
-    PIXEL_FORMAT_RGB_332     = GGL_PIXEL_FORMAT_RGB_332,    // 8-bit RGB
-
-    // New formats can be added if they're also defined in
-    // pixelflinger/format.h
-};
-
-typedef int32_t PixelFormat;
-
-struct PixelFormatInfo
-{
-    enum {
-        INDEX_ALPHA   = 0,
-        INDEX_RED     = 1,
-        INDEX_GREEN   = 2,
-        INDEX_BLUE    = 3
-    };
-
-    enum { // components
-        ALPHA               = 1,
-        RGB                 = 2,
-        RGBA                = 3,
-        LUMINANCE           = 4,
-        LUMINANCE_ALPHA     = 5,
-        OTHER               = 0xFF
-    };
-
-    struct szinfo {
-        uint8_t h;
-        uint8_t l;
-    };
-
-    inline PixelFormatInfo() : version(sizeof(PixelFormatInfo)) { }
-    size_t getScanlineSize(unsigned int width) const;
-    size_t getSize(size_t ci) const {
-        return (ci <= 3) ? (cinfo[ci].h - cinfo[ci].l) : 0;
-    }
-    size_t      version;
-    PixelFormat format;
-    size_t      bytesPerPixel;
-    size_t      bitsPerPixel;
-    union {
-        szinfo      cinfo[4];
-        struct {
-            uint8_t     h_alpha;
-            uint8_t     l_alpha;
-            uint8_t     h_red;
-            uint8_t     l_red;
-            uint8_t     h_green;
-            uint8_t     l_green;
-            uint8_t     h_blue;
-            uint8_t     l_blue;
-        };
-    };
-    uint8_t     components;
-    uint8_t     reserved0[3];
-    uint32_t    reserved1;
-};
-
-// Consider caching the results of these functions are they're not
-// guaranteed to be fast.
-ssize_t     bytesPerPixel(PixelFormat format);
-ssize_t     bitsPerPixel(PixelFormat format);
-status_t    getPixelFormatInfo(PixelFormat format, PixelFormatInfo* info);
-
-}; // namespace android
-
-#endif // UI_PIXELFORMAT_H
diff --git a/media/omx-plugin/include/ics/ui/Point.h b/media/omx-plugin/include/ics/ui/Point.h
deleted file mode 100644
index 1653120a6..000000000
--- a/media/omx-plugin/include/ics/ui/Point.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (C) 2006 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_UI_POINT
-#define ANDROID_UI_POINT
-
-#include <utils/TypeHelpers.h>
-
-namespace android {
-
-class Point
-{
-public:
-    int x;
-    int y;
-
-    // we don't provide copy-ctor and operator= on purpose
-    // because we want the compiler generated versions
-
-    // Default constructor doesn't initialize the Point
-    inline Point() {
-    }
-    inline Point(int x, int y) : x(x), y(y) {
-    }
-
-    inline bool operator == (const Point& rhs) const {
-        return (x == rhs.x) && (y == rhs.y);
-    }
-    inline bool operator != (const Point& rhs) const {
-        return !operator == (rhs);
-    }
-
-    inline bool isOrigin() const {
-        return !(x|y);
-    }
-
-    // operator < defines an order which allows to use points in sorted
-    // vectors.
-    bool operator < (const Point& rhs) const {
-        return y<rhs.y || (y==rhs.y && x<rhs.x);
-    }
-
-    inline Point& operator - () {
-        x = -x;
-        y = -y;
-        return *this;
-    }
-    
-    inline Point& operator += (const Point& rhs) {
-        x += rhs.x;
-        y += rhs.y;
-        return *this;
-    }
-    inline Point& operator -= (const Point& rhs) {
-        x -= rhs.x;
-        y -= rhs.y;
-        return *this;
-    }
-    
-    const Point operator + (const Point& rhs) const {
-        const Point result(x+rhs.x, y+rhs.y);
-        return result;
-    }
-    const Point operator - (const Point& rhs) const {
-        const Point result(x-rhs.x, y-rhs.y);
-        return result;
-    }    
-};
-
-ANDROID_BASIC_TYPES_TRAITS(Point)
-
-}; // namespace android
-
-#endif // ANDROID_UI_POINT
diff --git a/media/omx-plugin/include/ics/ui/Rect.h b/media/omx-plugin/include/ics/ui/Rect.h
deleted file mode 100644
index 9e98bc562..000000000
--- a/media/omx-plugin/include/ics/ui/Rect.h
+++ /dev/null
@@ -1,149 +0,0 @@
-/*
- * Copyright (C) 2006 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_UI_RECT
-#define ANDROID_UI_RECT
-
-#include <utils/TypeHelpers.h>
-#include <ui/Point.h>
-
-#include <android/rect.h>
-
-namespace android {
-
-class Rect : public ARect
-{
-public:
-    typedef ARect::value_type value_type;
-
-    // we don't provide copy-ctor and operator= on purpose
-    // because we want the compiler generated versions
-
-    inline Rect() {
-    }
-    inline Rect(int32_t w, int32_t h) {
-        left = top = 0; right = w; bottom = h;
-    }
-    inline Rect(int32_t l, int32_t t, int32_t r, int32_t b) {
-        left = l; top = t; right = r; bottom = b;
-    }
-    inline Rect(const Point& lt, const Point& rb) {
-        left = lt.x; top = lt.y; right = rb.x; bottom = rb.y;
-    }
-
-    void makeInvalid();
-
-    inline void clear() {
-        left = top = right = bottom = 0;
-    }
-
-    // a valid rectangle has a non negative width and height
-    inline bool isValid() const {
-        return (width()>=0) && (height()>=0);
-    }
-
-    // an empty rect has a zero width or height, or is invalid
-    inline bool isEmpty() const {
-        return (width()<=0) || (height()<=0);
-    }
-
-    inline void set(const Rect& rhs) {
-        operator = (rhs);
-    }
-
-    // rectangle's width
-    inline int32_t width() const {
-        return right-left;
-    }
-    
-    // rectangle's height
-    inline int32_t height() const {
-        return bottom-top;
-    }
-
-    void setLeftTop(const Point& lt) {
-        left = lt.x;
-        top  = lt.y;
-    }
-
-    void setRightBottom(const Point& rb) {
-        right = rb.x;
-        bottom  = rb.y;
-    }
-    
-    // the following 4 functions return the 4 corners of the rect as Point
-    Point leftTop() const {
-        return Point(left, top);
-    }
-    Point rightBottom() const {
-        return Point(right, bottom);
-    }
-    Point rightTop() const {
-        return Point(right, top);
-    }
-    Point leftBottom() const {
-        return Point(left, bottom);
-    }
-
-    // comparisons
-    inline bool operator == (const Rect& rhs) const {
-        return (left == rhs.left) && (top == rhs.top) &&
-               (right == rhs.right) && (bottom == rhs.bottom);
-    }
-
-    inline bool operator != (const Rect& rhs) const {
-        return !operator == (rhs);
-    }
-
-    // operator < defines an order which allows to use rectangles in sorted
-    // vectors.
-    bool operator < (const Rect& rhs) const;
-
-    Rect& offsetToOrigin() {
-        right -= left;
-        bottom -= top;
-        left = top = 0;
-        return *this;
-    }
-    Rect& offsetTo(const Point& p) {
-        return offsetTo(p.x, p.y);
-    }
-    Rect& offsetBy(const Point& dp) {
-        return offsetBy(dp.x, dp.y);
-    }
-    Rect& operator += (const Point& rhs) {
-        return offsetBy(rhs.x, rhs.y);
-    }
-    Rect& operator -= (const Point& rhs) {
-        return offsetBy(-rhs.x, -rhs.y);
-    }
-    const Rect operator + (const Point& rhs) const;
-    const Rect operator - (const Point& rhs) const;
-
-    void translate(int32_t dx, int32_t dy) { // legacy, don't use.
-        offsetBy(dx, dy);
-    }
- 
-    Rect&   offsetTo(int32_t x, int32_t y);
-    Rect&   offsetBy(int32_t x, int32_t y);
-    bool    intersect(const Rect& with, Rect* result) const;
-};
-
-ANDROID_BASIC_TYPES_TRAITS(Rect)
-
-}; // namespace android
-
-#endif // ANDROID_UI_RECT
diff --git a/media/omx-plugin/include/ics/ui/android_native_buffer.h b/media/omx-plugin/include/ics/ui/android_native_buffer.h
deleted file mode 100644
index b6e1db460..000000000
--- a/media/omx-plugin/include/ics/ui/android_native_buffer.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_ANDROID_NATIVES_PRIV_H
-#define ANDROID_ANDROID_NATIVES_PRIV_H
-
-#include <ui/egl/android_natives.h>
-
-#endif /* ANDROID_ANDROID_NATIVES_PRIV_H */
diff --git a/media/omx-plugin/include/ics/ui/egl/android_natives.h b/media/omx-plugin/include/ics/ui/egl/android_natives.h
deleted file mode 100644
index 9ac50a5a3..000000000
--- a/media/omx-plugin/include/ics/ui/egl/android_natives.h
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_ANDROID_NATIVES_H
-#define ANDROID_ANDROID_NATIVES_H
-
-#include <sys/types.h>
-#include <string.h>
-
-#include <hardware/gralloc.h>
-#include <system/window.h>
-// FIXME: remove this header, it's for legacy use.  native_window is pulled from frameworks/base/native/include/android/
-#include <android/native_window.h>
-// ---------------------------------------------------------------------------
-
-/* FIXME: this is legacy for pixmaps */
-typedef struct egl_native_pixmap_t
-{
-    int32_t     version;    /* must be 32 */
-    int32_t     width;
-    int32_t     height;
-    int32_t     stride;
-    uint8_t*    data;
-    uint8_t     format;
-    uint8_t     rfu[3];
-    union {
-        uint32_t    compressedFormat;
-        int32_t     vstride;
-    };
-    int32_t     reserved;
-} egl_native_pixmap_t;
-
-/*****************************************************************************/
-
-#ifdef __cplusplus
-
-#include <utils/RefBase.h>
-
-namespace android {
-
-/*
- * This helper class turns an EGL android_native_xxx type into a C++
- * reference-counted object; with proper type conversions.
- */
-template <typename NATIVE_TYPE, typename TYPE, typename REF>
-class EGLNativeBase : public NATIVE_TYPE, public REF
-{
-public:
-    // Disambiguate between the incStrong in REF and NATIVE_TYPE
-    void incStrong(const void* id) const {
-        REF::incStrong(id);
-    }
-    void decStrong(const void* id) const {
-        REF::decStrong(id);
-    }
-
-protected:
-    typedef EGLNativeBase<NATIVE_TYPE, TYPE, REF> BASE;
-    EGLNativeBase() : NATIVE_TYPE(), REF() {
-        NATIVE_TYPE::common.incRef = incRef;
-        NATIVE_TYPE::common.decRef = decRef;
-    }
-    static inline TYPE* getSelf(NATIVE_TYPE* self) {
-        return static_cast<TYPE*>(self);
-    }
-    static inline TYPE const* getSelf(NATIVE_TYPE const* self) {
-        return static_cast<TYPE const *>(self);
-    }
-    static inline TYPE* getSelf(android_native_base_t* base) {
-        return getSelf(reinterpret_cast<NATIVE_TYPE*>(base));
-    }
-    static inline TYPE const * getSelf(android_native_base_t const* base) {
-        return getSelf(reinterpret_cast<NATIVE_TYPE const*>(base));
-    }
-    static void incRef(android_native_base_t* base) {
-        EGLNativeBase* self = getSelf(base);
-        self->incStrong(self);
-    }
-    static void decRef(android_native_base_t* base) {
-        EGLNativeBase* self = getSelf(base);
-        self->decStrong(self);
-    }
-};
-
-} // namespace android
-#endif // __cplusplus
-
-/*****************************************************************************/
-
-#endif /* ANDROID_ANDROID_NATIVES_H */
diff --git a/media/omx-plugin/include/ics/utils/Errors.h b/media/omx-plugin/include/ics/utils/Errors.h
deleted file mode 100644
index 0b75b1926..000000000
--- a/media/omx-plugin/include/ics/utils/Errors.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Copyright (C) 2007 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_ERRORS_H
-#define ANDROID_ERRORS_H
-
-#include <sys/types.h>
-#include <errno.h>
-
-namespace android {
-
-// use this type to return error codes
-#ifdef HAVE_MS_C_RUNTIME
-typedef int         status_t;
-#else
-typedef int32_t     status_t;
-#endif
-
-/* the MS C runtime lacks a few error codes */
-
-/*
- * Error codes. 
- * All error codes are negative values.
- */
-
-// Win32 #defines NO_ERROR as well.  It has the same value, so there's no
-// real conflict, though it's a bit awkward.
-#ifdef _WIN32
-# undef NO_ERROR
-#endif
- 
-enum {
-    OK                = 0,    // Everything's swell.
-    NO_ERROR          = 0,    // No errors.
-    
-    UNKNOWN_ERROR       = 0x80000000,
-
-    NO_MEMORY           = -ENOMEM,
-    INVALID_OPERATION   = -ENOSYS,
-    BAD_VALUE           = -EINVAL,
-    BAD_TYPE            = 0x80000001,
-    NAME_NOT_FOUND      = -ENOENT,
-    PERMISSION_DENIED   = -EPERM,
-    NO_INIT             = -ENODEV,
-    ALREADY_EXISTS      = -EEXIST,
-    DEAD_OBJECT         = -EPIPE,
-    FAILED_TRANSACTION  = 0x80000002,
-    JPARKS_BROKE_IT     = -EPIPE,
-#if !defined(HAVE_MS_C_RUNTIME)
-    BAD_INDEX           = -EOVERFLOW,
-    NOT_ENOUGH_DATA     = -ENODATA,
-    WOULD_BLOCK         = -EWOULDBLOCK, 
-    TIMED_OUT           = -ETIMEDOUT,
-    UNKNOWN_TRANSACTION = -EBADMSG,
-#else    
-    BAD_INDEX           = -E2BIG,
-    NOT_ENOUGH_DATA     = 0x80000003,
-    WOULD_BLOCK         = 0x80000004,
-    TIMED_OUT           = 0x80000005,
-    UNKNOWN_TRANSACTION = 0x80000006,
-#endif    
-    FDS_NOT_ALLOWED     = 0x80000007,
-};
-
-// Restore define; enumeration is in "android" namespace, so the value defined
-// there won't work for Win32 code in a different namespace.
-#ifdef _WIN32
-# define NO_ERROR 0L
-#endif
-
-}; // namespace android
-    
-// ---------------------------------------------------------------------------
-    
-#endif // ANDROID_ERRORS_H
diff --git a/media/omx-plugin/include/ics/utils/Flattenable.h b/media/omx-plugin/include/ics/utils/Flattenable.h
deleted file mode 100644
index 852be3b6a..000000000
--- a/media/omx-plugin/include/ics/utils/Flattenable.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (C) 2010 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_UTILS_FLATTENABLE_H
-#define ANDROID_UTILS_FLATTENABLE_H
-
-
-#include <stdint.h>
-#include <sys/types.h>
-#include <utils/Errors.h>
-
-namespace android {
-
-class Flattenable
-{
-public:
-    // size in bytes of the flattened object
-    virtual size_t getFlattenedSize() const = 0;
-
-    // number of file descriptors to flatten
-    virtual size_t getFdCount() const = 0;
-
-    // flattens the object into buffer.
-    // size should be at least of getFlattenedSize()
-    // file descriptors are written in the fds[] array but ownership is
-    // not transfered (ie: they must be dupped by the caller of
-    // flatten() if needed).
-    virtual status_t flatten(void* buffer, size_t size,
-            int fds[], size_t count) const = 0;
-
-    // unflattens the object from buffer.
-    // size should be equal to the value of getFlattenedSize() when the
-    // object was flattened.
-    // unflattened file descriptors are found in the fds[] array and
-    // don't need to be dupped(). ie: the caller of unflatten doesn't
-    // keep ownership. If a fd is not retained by unflatten() it must be
-    // explicitly closed.
-    virtual status_t unflatten(void const* buffer, size_t size,
-            int fds[], size_t count) = 0;
-
-protected:
-    virtual ~Flattenable() = 0;
-
-};
-
-}; // namespace android
-
-
-#endif /* ANDROID_UTILS_FLATTENABLE_H */
diff --git a/media/omx-plugin/include/ics/utils/KeyedVector.h b/media/omx-plugin/include/ics/utils/KeyedVector.h
deleted file mode 100644
index 6bcdea4ff..000000000
--- a/media/omx-plugin/include/ics/utils/KeyedVector.h
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_KEYED_VECTOR_H
-#define ANDROID_KEYED_VECTOR_H
-
-#include <assert.h>
-#include <stdint.h>
-#include <sys/types.h>
-
-#include <utils/SortedVector.h>
-#include <utils/TypeHelpers.h>
-#include <utils/Errors.h>
-
-// ---------------------------------------------------------------------------
-
-namespace android {
-
-template <typename KEY, typename VALUE>
-class KeyedVector
-{
-public:
-    typedef KEY    key_type;
-    typedef VALUE  value_type;
-
-    inline                  KeyedVector();
-
-    /*
-     * empty the vector
-     */
-
-    inline  void            clear()                     { mVector.clear(); }
-
-    /*! 
-     * vector stats
-     */
-
-    //! returns number of items in the vector
-    inline  size_t          size() const                { return mVector.size(); }
-    //! returns wether or not the vector is empty
-    inline  bool            isEmpty() const             { return mVector.isEmpty(); }
-    //! returns how many items can be stored without reallocating the backing store
-    inline  size_t          capacity() const            { return mVector.capacity(); }
-    //! setst the capacity. capacity can never be reduced less than size()
-    inline ssize_t          setCapacity(size_t size)    { return mVector.setCapacity(size); }
-    
-    /*! 
-     * accessors
-     */
-            const VALUE&    valueFor(const KEY& key) const;
-            const VALUE&    valueAt(size_t index) const;
-            const KEY&      keyAt(size_t index) const;
-            ssize_t         indexOfKey(const KEY& key) const;
-
-    /*!
-     * modifing the array
-     */
-
-            VALUE&          editValueFor(const KEY& key);
-            VALUE&          editValueAt(size_t index);
-
-            /*! 
-             * add/insert/replace items
-             */
-             
-            ssize_t         add(const KEY& key, const VALUE& item);
-            ssize_t         replaceValueFor(const KEY& key, const VALUE& item);
-            ssize_t         replaceValueAt(size_t index, const VALUE& item);
-
-    /*!
-     * remove items
-     */
-
-            ssize_t         removeItem(const KEY& key);
-            ssize_t         removeItemsAt(size_t index, size_t count = 1);
-            
-private:
-            SortedVector< key_value_pair_t<KEY, VALUE> >    mVector;
-};
-
-// ---------------------------------------------------------------------------
-
-/**
- * Variation of KeyedVector that holds a default value to return when
- * valueFor() is called with a key that doesn't exist.
- */
-template <typename KEY, typename VALUE>
-class DefaultKeyedVector : public KeyedVector<KEY, VALUE>
-{
-public:
-    inline                  DefaultKeyedVector(const VALUE& defValue = VALUE());
-            const VALUE&    valueFor(const KEY& key) const;
-
-private:
-            VALUE                                           mDefault;
-};
-
-// ---------------------------------------------------------------------------
-
-template<typename KEY, typename VALUE> inline
-KeyedVector<KEY,VALUE>::KeyedVector()
-{
-}
-
-template<typename KEY, typename VALUE> inline
-ssize_t KeyedVector<KEY,VALUE>::indexOfKey(const KEY& key) const {
-    return mVector.indexOf( key_value_pair_t<KEY,VALUE>(key) );
-}
-
-template<typename KEY, typename VALUE> inline
-const VALUE& KeyedVector<KEY,VALUE>::valueFor(const KEY& key) const {
-    ssize_t i = indexOfKey(key);
-    assert(i>=0);
-    return mVector.itemAt(i).value;
-}
-
-template<typename KEY, typename VALUE> inline
-const VALUE& KeyedVector<KEY,VALUE>::valueAt(size_t index) const {
-    return mVector.itemAt(index).value;
-}
-
-template<typename KEY, typename VALUE> inline
-const KEY& KeyedVector<KEY,VALUE>::keyAt(size_t index) const {
-    return mVector.itemAt(index).key;
-}
-
-template<typename KEY, typename VALUE> inline
-VALUE& KeyedVector<KEY,VALUE>::editValueFor(const KEY& key) {
-    ssize_t i = indexOfKey(key);
-    assert(i>=0);
-    return mVector.editItemAt(i).value;
-}
-
-template<typename KEY, typename VALUE> inline
-VALUE& KeyedVector<KEY,VALUE>::editValueAt(size_t index) {
-    return mVector.editItemAt(index).value;
-}
-
-template<typename KEY, typename VALUE> inline
-ssize_t KeyedVector<KEY,VALUE>::add(const KEY& key, const VALUE& value) {
-    return mVector.add( key_value_pair_t<KEY,VALUE>(key, value) );
-}
-
-template<typename KEY, typename VALUE> inline
-ssize_t KeyedVector<KEY,VALUE>::replaceValueFor(const KEY& key, const VALUE& value) {
-    key_value_pair_t<KEY,VALUE> pair(key, value);
-    mVector.remove(pair);
-    return mVector.add(pair);
-}
-
-template<typename KEY, typename VALUE> inline
-ssize_t KeyedVector<KEY,VALUE>::replaceValueAt(size_t index, const VALUE& item) {
-    if (index<size()) {
-        mVector.editItemAt(index).value = item;
-        return index;
-    }
-    return BAD_INDEX;
-}
-
-template<typename KEY, typename VALUE> inline
-ssize_t KeyedVector<KEY,VALUE>::removeItem(const KEY& key) {
-    return mVector.remove(key_value_pair_t<KEY,VALUE>(key));
-}
-
-template<typename KEY, typename VALUE> inline
-ssize_t KeyedVector<KEY, VALUE>::removeItemsAt(size_t index, size_t count) {
-    return mVector.removeItemsAt(index, count);
-}
-
-// ---------------------------------------------------------------------------
-
-template<typename KEY, typename VALUE> inline
-DefaultKeyedVector<KEY,VALUE>::DefaultKeyedVector(const VALUE& defValue)
-    : mDefault(defValue)
-{
-}
-
-template<typename KEY, typename VALUE> inline
-const VALUE& DefaultKeyedVector<KEY,VALUE>::valueFor(const KEY& key) const {
-    ssize_t i = indexOfKey(key);
-    return i >= 0 ? KeyedVector<KEY,VALUE>::valueAt(i) : mDefault;
-}
-
-}; // namespace android
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_KEYED_VECTOR_H
diff --git a/media/omx-plugin/include/ics/utils/List.h b/media/omx-plugin/include/ics/utils/List.h
deleted file mode 100644
index 403cd7f1e..000000000
--- a/media/omx-plugin/include/ics/utils/List.h
+++ /dev/null
@@ -1,332 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-//
-// Templated list class.  Normally we'd use STL, but we don't have that.
-// This class mimics STL's interfaces.
-//
-// Objects are copied into the list with the '=' operator or with copy-
-// construction, so if the compiler's auto-generated versions won't work for
-// you, define your own.
-//
-// The only class you want to use from here is "List".
-//
-#ifndef _LIBS_UTILS_LIST_H
-#define _LIBS_UTILS_LIST_H
-
-#include <stddef.h>
-#include <stdint.h>
-
-namespace android {
-
-/*
- * Doubly-linked list.  Instantiate with "List<MyClass> myList".
- *
- * Objects added to the list are copied using the assignment operator,
- * so this must be defined.
- */
-template<typename T> 
-class List 
-{
-protected:
-    /*
-     * One element in the list.
-     */
-    class _Node {
-    public:
-        explicit _Node(const T& val) : mVal(val) {}
-        ~_Node() {}
-        inline T& getRef() { return mVal; }
-        inline const T& getRef() const { return mVal; }
-        inline _Node* getPrev() const { return mpPrev; }
-        inline _Node* getNext() const { return mpNext; }
-        inline void setVal(const T& val) { mVal = val; }
-        inline void setPrev(_Node* ptr) { mpPrev = ptr; }
-        inline void setNext(_Node* ptr) { mpNext = ptr; }
-    private:
-        friend class List;
-        friend class _ListIterator;
-        T           mVal;
-        _Node*      mpPrev;
-        _Node*      mpNext;
-    };
-
-    /*
-     * Iterator for walking through the list.
-     */
-    
-    template <typename TYPE>
-    struct CONST_ITERATOR {
-        typedef _Node const * NodePtr;
-        typedef const TYPE Type;
-    };
-    
-    template <typename TYPE>
-    struct NON_CONST_ITERATOR {
-        typedef _Node* NodePtr;
-        typedef TYPE Type;
-    };
-    
-    template<
-        typename U,
-        template <class> class Constness
-    > 
-    class _ListIterator {
-        typedef _ListIterator<U, Constness>     _Iter;
-        typedef typename Constness<U>::NodePtr  _NodePtr;
-        typedef typename Constness<U>::Type     _Type;
-
-        explicit _ListIterator(_NodePtr ptr) : mpNode(ptr) {}
-
-    public:
-        _ListIterator() {}
-        _ListIterator(const _Iter& rhs) : mpNode(rhs.mpNode) {}
-        ~_ListIterator() {}
-        
-        // this will handle conversions from iterator to const_iterator
-        // (and also all convertible iterators)
-        // Here, in this implementation, the iterators can be converted
-        // if the nodes can be converted
-        template<typename V> explicit 
-        _ListIterator(const V& rhs) : mpNode(rhs.mpNode) {}
-        
-
-        /*
-         * Dereference operator.  Used to get at the juicy insides.
-         */
-        _Type& operator*() const { return mpNode->getRef(); }
-        _Type* operator->() const { return &(mpNode->getRef()); }
-
-        /*
-         * Iterator comparison.
-         */
-        inline bool operator==(const _Iter& right) const { 
-            return mpNode == right.mpNode; }
-        
-        inline bool operator!=(const _Iter& right) const { 
-            return mpNode != right.mpNode; }
-
-        /*
-         * handle comparisons between iterator and const_iterator
-         */
-        template<typename OTHER>
-        inline bool operator==(const OTHER& right) const { 
-            return mpNode == right.mpNode; }
-        
-        template<typename OTHER>
-        inline bool operator!=(const OTHER& right) const { 
-            return mpNode != right.mpNode; }
-
-        /*
-         * Incr/decr, used to move through the list.
-         */
-        inline _Iter& operator++() {     // pre-increment
-            mpNode = mpNode->getNext();
-            return *this;
-        }
-        const _Iter operator++(int) {    // post-increment
-            _Iter tmp(*this);
-            mpNode = mpNode->getNext();
-            return tmp;
-        }
-        inline _Iter& operator--() {     // pre-increment
-            mpNode = mpNode->getPrev();
-            return *this;
-        }
-        const _Iter operator--(int) {   // post-increment
-            _Iter tmp(*this);
-            mpNode = mpNode->getPrev();
-            return tmp;
-        }
-
-        inline _NodePtr getNode() const { return mpNode; }
-
-        _NodePtr mpNode;    /* should be private, but older gcc fails */
-    private:
-        friend class List;
-    };
-
-public:
-    List() {
-        prep();
-    }
-    List(const List<T>& src) {      // copy-constructor
-        prep();
-        insert(begin(), src.begin(), src.end());
-    }
-    virtual ~List() {
-        clear();
-        delete[] (unsigned char*) mpMiddle;
-    }
-
-    typedef _ListIterator<T, NON_CONST_ITERATOR> iterator;
-    typedef _ListIterator<T, CONST_ITERATOR> const_iterator;
-
-    List<T>& operator=(const List<T>& right);
-
-    /* returns true if the list is empty */
-    inline bool empty() const { return mpMiddle->getNext() == mpMiddle; }
-
-    /* return #of elements in list */
-    size_t size() const {
-        return size_t(distance(begin(), end()));
-    }
-
-    /*
-     * Return the first element or one past the last element.  The
-     * _Node* we're returning is converted to an "iterator" by a
-     * constructor in _ListIterator.
-     */
-    inline iterator begin() { 
-        return iterator(mpMiddle->getNext()); 
-    }
-    inline const_iterator begin() const { 
-        return const_iterator(const_cast<_Node const*>(mpMiddle->getNext())); 
-    }
-    inline iterator end() { 
-        return iterator(mpMiddle); 
-    }
-    inline const_iterator end() const { 
-        return const_iterator(const_cast<_Node const*>(mpMiddle)); 
-    }
-
-    /* add the object to the head or tail of the list */
-    void push_front(const T& val) { insert(begin(), val); }
-    void push_back(const T& val) { insert(end(), val); }
-
-    /* insert before the current node; returns iterator at new node */
-    iterator insert(iterator posn, const T& val) 
-    {
-        _Node* newNode = new _Node(val);        // alloc & copy-construct
-        newNode->setNext(posn.getNode());
-        newNode->setPrev(posn.getNode()->getPrev());
-        posn.getNode()->getPrev()->setNext(newNode);
-        posn.getNode()->setPrev(newNode);
-        return iterator(newNode);
-    }
-
-    /* insert a range of elements before the current node */
-    void insert(iterator posn, const_iterator first, const_iterator last) {
-        for ( ; first != last; ++first)
-            insert(posn, *first);
-    }
-
-    /* remove one entry; returns iterator at next node */
-    iterator erase(iterator posn) {
-        _Node* pNext = posn.getNode()->getNext();
-        _Node* pPrev = posn.getNode()->getPrev();
-        pPrev->setNext(pNext);
-        pNext->setPrev(pPrev);
-        delete posn.getNode();
-        return iterator(pNext);
-    }
-
-    /* remove a range of elements */
-    iterator erase(iterator first, iterator last) {
-        while (first != last)
-            erase(first++);     // don't erase than incr later!
-        return iterator(last);
-    }
-
-    /* remove all contents of the list */
-    void clear() {
-        _Node* pCurrent = mpMiddle->getNext();
-        _Node* pNext;
-
-        while (pCurrent != mpMiddle) {
-            pNext = pCurrent->getNext();
-            delete pCurrent;
-            pCurrent = pNext;
-        }
-        mpMiddle->setPrev(mpMiddle);
-        mpMiddle->setNext(mpMiddle);
-    }
-
-    /*
-     * Measure the distance between two iterators.  On exist, "first"
-     * will be equal to "last".  The iterators must refer to the same
-     * list.
-     *
-     * FIXME: This is actually a generic iterator function. It should be a 
-     * template function at the top-level with specializations for things like
-     * vector<>, which can just do pointer math). Here we limit it to
-     * _ListIterator of the same type but different constness.
-     */
-    template<
-        typename U,
-        template <class> class CL,
-        template <class> class CR
-    > 
-    ptrdiff_t distance(
-            _ListIterator<U, CL> first, _ListIterator<U, CR> last) const 
-    {
-        ptrdiff_t count = 0;
-        while (first != last) {
-            ++first;
-            ++count;
-        }
-        return count;
-    }
-
-private:
-    /*
-     * I want a _Node but don't need it to hold valid data.  More
-     * to the point, I don't want T's constructor to fire, since it
-     * might have side-effects or require arguments.  So, we do this
-     * slightly uncouth storage alloc.
-     */
-    void prep() {
-        mpMiddle = (_Node*) new unsigned char[sizeof(_Node)];
-        mpMiddle->setPrev(mpMiddle);
-        mpMiddle->setNext(mpMiddle);
-    }
-
-    /*
-     * This node plays the role of "pointer to head" and "pointer to tail".
-     * It sits in the middle of a circular list of nodes.  The iterator
-     * runs around the circle until it encounters this one.
-     */
-    _Node*      mpMiddle;
-};
-
-/*
- * Assignment operator.
- *
- * The simplest way to do this would be to clear out the target list and
- * fill it with the source.  However, we can speed things along by
- * re-using existing elements.
- */
-template<class T>
-List<T>& List<T>::operator=(const List<T>& right)
-{
-    if (this == &right)
-        return *this;       // self-assignment
-    iterator firstDst = begin();
-    iterator lastDst = end();
-    const_iterator firstSrc = right.begin();
-    const_iterator lastSrc = right.end();
-    while (firstSrc != lastSrc && firstDst != lastDst)
-        *firstDst++ = *firstSrc++;
-    if (firstSrc == lastSrc)        // ran out of elements in source?
-        erase(firstDst, lastDst);   // yes, erase any extras
-    else
-        insert(lastDst, firstSrc, lastSrc);     // copy remaining over
-    return *this;
-}
-
-}; // namespace android
-
-#endif // _LIBS_UTILS_LIST_H
diff --git a/media/omx-plugin/include/ics/utils/Log.h b/media/omx-plugin/include/ics/utils/Log.h
deleted file mode 100644
index 3c6cc8bdc..000000000
--- a/media/omx-plugin/include/ics/utils/Log.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-//
-// C/C++ logging functions.  See the logging documentation for API details.
-//
-// We'd like these to be available from C code (in case we import some from
-// somewhere), so this has a C interface.
-//
-// The output will be correct when the log file is shared between multiple
-// threads and/or multiple processes so long as the operating system
-// supports O_APPEND.  These calls have mutex-protected data structures
-// and so are NOT reentrant.  Do not use LOG in a signal handler.
-//
-#ifndef _LIBS_UTILS_LOG_H
-#define _LIBS_UTILS_LOG_H
-
-#include <cutils/log.h>
-
-#endif // _LIBS_UTILS_LOG_H
diff --git a/media/omx-plugin/include/ics/utils/RefBase.h b/media/omx-plugin/include/ics/utils/RefBase.h
deleted file mode 100644
index c7a9b7895..000000000
--- a/media/omx-plugin/include/ics/utils/RefBase.h
+++ /dev/null
@@ -1,528 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_REF_BASE_H
-#define ANDROID_REF_BASE_H
-
-#include <cutils/atomic.h>
-
-#include <stdint.h>
-#include <sys/types.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <utils/StrongPointer.h>
-
-// ---------------------------------------------------------------------------
-namespace android {
-
-class TextOutput;
-TextOutput& printWeakPointer(TextOutput& to, const void* val);
-
-// ---------------------------------------------------------------------------
-
-#define COMPARE_WEAK(_op_)                                      \
-inline bool operator _op_ (const sp<T>& o) const {              \
-    return m_ptr _op_ o.m_ptr;                                  \
-}                                                               \
-inline bool operator _op_ (const T* o) const {                  \
-    return m_ptr _op_ o;                                        \
-}                                                               \
-template<typename U>                                            \
-inline bool operator _op_ (const sp<U>& o) const {              \
-    return m_ptr _op_ o.m_ptr;                                  \
-}                                                               \
-template<typename U>                                            \
-inline bool operator _op_ (const U* o) const {                  \
-    return m_ptr _op_ o;                                        \
-}
-
-// ---------------------------------------------------------------------------
-class ReferenceMover;
-class ReferenceConverterBase {
-public:
-    virtual size_t getReferenceTypeSize() const = 0;
-    virtual void* getReferenceBase(void const*) const = 0;
-    inline virtual ~ReferenceConverterBase() { }
-};
-
-// ---------------------------------------------------------------------------
-
-class RefBase
-{
-public:
-            void            incStrong(const void* id) const;
-            void            decStrong(const void* id) const;
-    
-            void            forceIncStrong(const void* id) const;
-
-            //! DEBUGGING ONLY: Get current strong ref count.
-            int32_t         getStrongCount() const;
-
-    class weakref_type
-    {
-    public:
-        RefBase*            refBase() const;
-        
-        void                incWeak(const void* id);
-        void                decWeak(const void* id);
-        
-        // acquires a strong reference if there is already one.
-        bool                attemptIncStrong(const void* id);
-        
-        // acquires a weak reference if there is already one.
-        // This is not always safe. see ProcessState.cpp and BpBinder.cpp
-        // for proper use.
-        bool                attemptIncWeak(const void* id);
-
-        //! DEBUGGING ONLY: Get current weak ref count.
-        int32_t             getWeakCount() const;
-
-        //! DEBUGGING ONLY: Print references held on object.
-        void                printRefs() const;
-
-        //! DEBUGGING ONLY: Enable tracking for this object.
-        // enable -- enable/disable tracking
-        // retain -- when tracking is enable, if true, then we save a stack trace
-        //           for each reference and dereference; when retain == false, we
-        //           match up references and dereferences and keep only the 
-        //           outstanding ones.
-        
-        void                trackMe(bool enable, bool retain);
-    };
-    
-            weakref_type*   createWeak(const void* id) const;
-            
-            weakref_type*   getWeakRefs() const;
-
-            //! DEBUGGING ONLY: Print references held on object.
-    inline  void            printRefs() const { getWeakRefs()->printRefs(); }
-
-            //! DEBUGGING ONLY: Enable tracking of object.
-    inline  void            trackMe(bool enable, bool retain)
-    { 
-        getWeakRefs()->trackMe(enable, retain); 
-    }
-
-    typedef RefBase basetype;
-
-protected:
-                            RefBase();
-    virtual                 ~RefBase();
-
-    //! Flags for extendObjectLifetime()
-    enum {
-        OBJECT_LIFETIME_STRONG  = 0x0000,
-        OBJECT_LIFETIME_WEAK    = 0x0001,
-        OBJECT_LIFETIME_MASK    = 0x0001
-    };
-    
-            void            extendObjectLifetime(int32_t mode);
-            
-    //! Flags for onIncStrongAttempted()
-    enum {
-        FIRST_INC_STRONG = 0x0001
-    };
-    
-    virtual void            onFirstRef();
-    virtual void            onLastStrongRef(const void* id);
-    virtual bool            onIncStrongAttempted(uint32_t flags, const void* id);
-    virtual void            onLastWeakRef(const void* id);
-
-private:
-    friend class ReferenceMover;
-    static void moveReferences(void* d, void const* s, size_t n,
-            const ReferenceConverterBase& caster);
-
-private:
-    friend class weakref_type;
-    class weakref_impl;
-    
-                            RefBase(const RefBase& o);
-            RefBase&        operator=(const RefBase& o);
-
-        weakref_impl* const mRefs;
-};
-
-// ---------------------------------------------------------------------------
-
-template <class T>
-class LightRefBase
-{
-public:
-    inline LightRefBase() : mCount(0) { }
-    inline void incStrong(const void* id) const {
-        android_atomic_inc(&mCount);
-    }
-    inline void decStrong(const void* id) const {
-        if (android_atomic_dec(&mCount) == 1) {
-            delete static_cast<const T*>(this);
-        }
-    }
-    //! DEBUGGING ONLY: Get current strong ref count.
-    inline int32_t getStrongCount() const {
-        return mCount;
-    }
-
-    typedef LightRefBase<T> basetype;
-
-protected:
-    inline ~LightRefBase() { }
-
-private:
-    friend class ReferenceMover;
-    inline static void moveReferences(void* d, void const* s, size_t n,
-            const ReferenceConverterBase& caster) { }
-
-private:
-    mutable volatile int32_t mCount;
-};
-
-// ---------------------------------------------------------------------------
-
-template <typename T>
-class wp
-{
-public:
-    typedef typename RefBase::weakref_type weakref_type;
-    
-    inline wp() : m_ptr(0) { }
-
-    wp(T* other);
-    wp(const wp<T>& other);
-    wp(const sp<T>& other);
-    template<typename U> wp(U* other);
-    template<typename U> wp(const sp<U>& other);
-    template<typename U> wp(const wp<U>& other);
-
-    ~wp();
-    
-    // Assignment
-
-    wp& operator = (T* other);
-    wp& operator = (const wp<T>& other);
-    wp& operator = (const sp<T>& other);
-    
-    template<typename U> wp& operator = (U* other);
-    template<typename U> wp& operator = (const wp<U>& other);
-    template<typename U> wp& operator = (const sp<U>& other);
-    
-    void set_object_and_refs(T* other, weakref_type* refs);
-
-    // promotion to sp
-    
-    sp<T> promote() const;
-
-    // Reset
-    
-    void clear();
-
-    // Accessors
-    
-    inline  weakref_type* get_refs() const { return m_refs; }
-    
-    inline  T* unsafe_get() const { return m_ptr; }
-
-    // Operators
-
-    COMPARE_WEAK(==)
-    COMPARE_WEAK(!=)
-    COMPARE_WEAK(>)
-    COMPARE_WEAK(<)
-    COMPARE_WEAK(<=)
-    COMPARE_WEAK(>=)
-
-    inline bool operator == (const wp<T>& o) const {
-        return (m_ptr == o.m_ptr) && (m_refs == o.m_refs);
-    }
-    template<typename U>
-    inline bool operator == (const wp<U>& o) const {
-        return m_ptr == o.m_ptr;
-    }
-
-    inline bool operator > (const wp<T>& o) const {
-        return (m_ptr == o.m_ptr) ? (m_refs > o.m_refs) : (m_ptr > o.m_ptr);
-    }
-    template<typename U>
-    inline bool operator > (const wp<U>& o) const {
-        return (m_ptr == o.m_ptr) ? (m_refs > o.m_refs) : (m_ptr > o.m_ptr);
-    }
-
-    inline bool operator < (const wp<T>& o) const {
-        return (m_ptr == o.m_ptr) ? (m_refs < o.m_refs) : (m_ptr < o.m_ptr);
-    }
-    template<typename U>
-    inline bool operator < (const wp<U>& o) const {
-        return (m_ptr == o.m_ptr) ? (m_refs < o.m_refs) : (m_ptr < o.m_ptr);
-    }
-                         inline bool operator != (const wp<T>& o) const { return m_refs != o.m_refs; }
-    template<typename U> inline bool operator != (const wp<U>& o) const { return !operator == (o); }
-                         inline bool operator <= (const wp<T>& o) const { return !operator > (o); }
-    template<typename U> inline bool operator <= (const wp<U>& o) const { return !operator > (o); }
-                         inline bool operator >= (const wp<T>& o) const { return !operator < (o); }
-    template<typename U> inline bool operator >= (const wp<U>& o) const { return !operator < (o); }
-
-private:
-    template<typename Y> friend class sp;
-    template<typename Y> friend class wp;
-
-    T*              m_ptr;
-    weakref_type*   m_refs;
-};
-
-template <typename T>
-TextOutput& operator<<(TextOutput& to, const wp<T>& val);
-
-#undef COMPARE_WEAK
-
-// ---------------------------------------------------------------------------
-// No user serviceable parts below here.
-
-template<typename T>
-wp<T>::wp(T* other)
-    : m_ptr(other)
-{
-    if (other) m_refs = other->createWeak(this);
-}
-
-template<typename T>
-wp<T>::wp(const wp<T>& other)
-    : m_ptr(other.m_ptr), m_refs(other.m_refs)
-{
-    if (m_ptr) m_refs->incWeak(this);
-}
-
-template<typename T>
-wp<T>::wp(const sp<T>& other)
-    : m_ptr(other.m_ptr)
-{
-    if (m_ptr) {
-        m_refs = m_ptr->createWeak(this);
-    }
-}
-
-template<typename T> template<typename U>
-wp<T>::wp(U* other)
-    : m_ptr(other)
-{
-    if (other) m_refs = other->createWeak(this);
-}
-
-template<typename T> template<typename U>
-wp<T>::wp(const wp<U>& other)
-    : m_ptr(other.m_ptr)
-{
-    if (m_ptr) {
-        m_refs = other.m_refs;
-        m_refs->incWeak(this);
-    }
-}
-
-template<typename T> template<typename U>
-wp<T>::wp(const sp<U>& other)
-    : m_ptr(other.m_ptr)
-{
-    if (m_ptr) {
-        m_refs = m_ptr->createWeak(this);
-    }
-}
-
-template<typename T>
-wp<T>::~wp()
-{
-    if (m_ptr) m_refs->decWeak(this);
-}
-
-template<typename T>
-wp<T>& wp<T>::operator = (T* other)
-{
-    weakref_type* newRefs =
-        other ? other->createWeak(this) : 0;
-    if (m_ptr) m_refs->decWeak(this);
-    m_ptr = other;
-    m_refs = newRefs;
-    return *this;
-}
-
-template<typename T>
-wp<T>& wp<T>::operator = (const wp<T>& other)
-{
-    weakref_type* otherRefs(other.m_refs);
-    T* otherPtr(other.m_ptr);
-    if (otherPtr) otherRefs->incWeak(this);
-    if (m_ptr) m_refs->decWeak(this);
-    m_ptr = otherPtr;
-    m_refs = otherRefs;
-    return *this;
-}
-
-template<typename T>
-wp<T>& wp<T>::operator = (const sp<T>& other)
-{
-    weakref_type* newRefs =
-        other != NULL ? other->createWeak(this) : 0;
-    T* otherPtr(other.m_ptr);
-    if (m_ptr) m_refs->decWeak(this);
-    m_ptr = otherPtr;
-    m_refs = newRefs;
-    return *this;
-}
-
-template<typename T> template<typename U>
-wp<T>& wp<T>::operator = (U* other)
-{
-    weakref_type* newRefs =
-        other ? other->createWeak(this) : 0;
-    if (m_ptr) m_refs->decWeak(this);
-    m_ptr = other;
-    m_refs = newRefs;
-    return *this;
-}
-
-template<typename T> template<typename U>
-wp<T>& wp<T>::operator = (const wp<U>& other)
-{
-    weakref_type* otherRefs(other.m_refs);
-    U* otherPtr(other.m_ptr);
-    if (otherPtr) otherRefs->incWeak(this);
-    if (m_ptr) m_refs->decWeak(this);
-    m_ptr = otherPtr;
-    m_refs = otherRefs;
-    return *this;
-}
-
-template<typename T> template<typename U>
-wp<T>& wp<T>::operator = (const sp<U>& other)
-{
-    weakref_type* newRefs =
-        other != NULL ? other->createWeak(this) : 0;
-    U* otherPtr(other.m_ptr);
-    if (m_ptr) m_refs->decWeak(this);
-    m_ptr = otherPtr;
-    m_refs = newRefs;
-    return *this;
-}
-
-template<typename T>
-void wp<T>::set_object_and_refs(T* other, weakref_type* refs)
-{
-    if (other) refs->incWeak(this);
-    if (m_ptr) m_refs->decWeak(this);
-    m_ptr = other;
-    m_refs = refs;
-}
-
-template<typename T>
-sp<T> wp<T>::promote() const
-{
-    sp<T> result;
-    if (m_ptr && m_refs->attemptIncStrong(&result)) {
-        result.set_pointer(m_ptr);
-    }
-    return result;
-}
-
-template<typename T>
-void wp<T>::clear()
-{
-    if (m_ptr) {
-        m_refs->decWeak(this);
-        m_ptr = 0;
-    }
-}
-
-template <typename T>
-inline TextOutput& operator<<(TextOutput& to, const wp<T>& val)
-{
-    return printWeakPointer(to, val.unsafe_get());
-}
-
-// ---------------------------------------------------------------------------
-
-// this class just serves as a namespace so TYPE::moveReferences can stay
-// private.
-
-class ReferenceMover {
-    // StrongReferenceCast and WeakReferenceCast do the impedance matching
-    // between the generic (void*) implementation in Refbase and the strongly typed
-    // template specializations below.
-
-    template <typename TYPE>
-    struct StrongReferenceCast : public ReferenceConverterBase {
-        virtual size_t getReferenceTypeSize() const { return sizeof( sp<TYPE> ); }
-        virtual void* getReferenceBase(void const* p) const {
-            sp<TYPE> const* sptr(reinterpret_cast<sp<TYPE> const*>(p));
-            return static_cast<typename TYPE::basetype *>(sptr->get());
-        }
-    };
-
-    template <typename TYPE>
-    struct WeakReferenceCast : public ReferenceConverterBase {
-        virtual size_t getReferenceTypeSize() const { return sizeof( wp<TYPE> ); }
-        virtual void* getReferenceBase(void const* p) const {
-            wp<TYPE> const* sptr(reinterpret_cast<wp<TYPE> const*>(p));
-            return static_cast<typename TYPE::basetype *>(sptr->unsafe_get());
-        }
-    };
-
-public:
-    template<typename TYPE> static inline
-    void move_references(sp<TYPE>* d, sp<TYPE> const* s, size_t n) {
-        memmove(d, s, n*sizeof(sp<TYPE>));
-        StrongReferenceCast<TYPE> caster;
-        TYPE::moveReferences(d, s, n, caster);
-    }
-    template<typename TYPE> static inline
-    void move_references(wp<TYPE>* d, wp<TYPE> const* s, size_t n) {
-        memmove(d, s, n*sizeof(wp<TYPE>));
-        WeakReferenceCast<TYPE> caster;
-        TYPE::moveReferences(d, s, n, caster);
-    }
-};
-
-// specialization for moving sp<> and wp<> types.
-// these are used by the [Sorted|Keyed]Vector<> implementations
-// sp<> and wp<> need to be handled specially, because they do not
-// have trivial copy operation in the general case (see RefBase.cpp
-// when DEBUG ops are enabled), but can be implemented very
-// efficiently in most cases.
-
-template<typename TYPE> inline
-void move_forward_type(sp<TYPE>* d, sp<TYPE> const* s, size_t n) {
-    ReferenceMover::move_references(d, s, n);
-}
-
-template<typename TYPE> inline
-void move_backward_type(sp<TYPE>* d, sp<TYPE> const* s, size_t n) {
-    ReferenceMover::move_references(d, s, n);
-}
-
-template<typename TYPE> inline
-void move_forward_type(wp<TYPE>* d, wp<TYPE> const* s, size_t n) {
-    ReferenceMover::move_references(d, s, n);
-}
-
-template<typename TYPE> inline
-void move_backward_type(wp<TYPE>* d, wp<TYPE> const* s, size_t n) {
-    ReferenceMover::move_references(d, s, n);
-}
-
-
-}; // namespace android
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_REF_BASE_H
diff --git a/media/omx-plugin/include/ics/utils/SharedBuffer.h b/media/omx-plugin/include/ics/utils/SharedBuffer.h
deleted file mode 100644
index 24508b0f7..000000000
--- a/media/omx-plugin/include/ics/utils/SharedBuffer.h
+++ /dev/null
@@ -1,146 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_SHARED_BUFFER_H
-#define ANDROID_SHARED_BUFFER_H
-
-#include <stdint.h>
-#include <sys/types.h>
-
-// ---------------------------------------------------------------------------
-
-namespace android {
-
-class SharedBuffer
-{
-public:
-
-    /* flags to use with release() */
-    enum {
-        eKeepStorage = 0x00000001
-    };
-
-    /*! allocate a buffer of size 'size' and acquire() it.
-     *  call release() to free it.
-     */
-    static          SharedBuffer*           alloc(size_t size);
-    
-    /*! free the memory associated with the SharedBuffer.
-     * Fails if there are any users associated with this SharedBuffer.
-     * In other words, the buffer must have been release by all its
-     * users.
-     */
-    static          ssize_t                 dealloc(const SharedBuffer* released);
-    
-    //! get the SharedBuffer from the data pointer
-    static  inline  const SharedBuffer*     sharedBuffer(const void* data);
-
-    //! access the data for read
-    inline          const void*             data() const;
-    
-    //! access the data for read/write
-    inline          void*                   data();
-
-    //! get size of the buffer
-    inline          size_t                  size() const;
- 
-    //! get back a SharedBuffer object from its data
-    static  inline  SharedBuffer*           bufferFromData(void* data);
-    
-    //! get back a SharedBuffer object from its data
-    static  inline  const SharedBuffer*     bufferFromData(const void* data);
-
-    //! get the size of a SharedBuffer object from its data
-    static  inline  size_t                  sizeFromData(const void* data);
-    
-    //! edit the buffer (get a writtable, or non-const, version of it)
-                    SharedBuffer*           edit() const;
-
-    //! edit the buffer, resizing if needed
-                    SharedBuffer*           editResize(size_t size) const;
-
-    //! like edit() but fails if a copy is required
-                    SharedBuffer*           attemptEdit() const;
-    
-    //! resize and edit the buffer, loose it's content.
-                    SharedBuffer*           reset(size_t size) const;
-
-    //! acquire/release a reference on this buffer
-                    void                    acquire() const;
-                    
-    /*! release a reference on this buffer, with the option of not
-     * freeing the memory associated with it if it was the last reference
-     * returns the previous reference count
-     */     
-                    int32_t                 release(uint32_t flags = 0) const;
-    
-    //! returns wether or not we're the only owner
-    inline          bool                    onlyOwner() const;
-    
-
-private:
-        inline SharedBuffer() { }
-        inline ~SharedBuffer() { }
-        inline SharedBuffer(const SharedBuffer&);
- 
-        // 16 bytes. must be sized to preserve correct alingment.
-        mutable int32_t        mRefs;
-                size_t         mSize;
-                uint32_t       mReserved[2];
-};
-
-// ---------------------------------------------------------------------------
-
-const SharedBuffer* SharedBuffer::sharedBuffer(const void* data) {
-    return data ? reinterpret_cast<const SharedBuffer *>(data)-1 : 0;
-}
-
-const void* SharedBuffer::data() const {
-    return this + 1;
-}
-
-void* SharedBuffer::data() {
-    return this + 1;
-}
-
-size_t SharedBuffer::size() const {
-    return mSize;
-}
-
-SharedBuffer* SharedBuffer::bufferFromData(void* data)
-{
-    return ((SharedBuffer*)data)-1;
-}
-    
-const SharedBuffer* SharedBuffer::bufferFromData(const void* data)
-{
-    return ((const SharedBuffer*)data)-1;
-}
-
-size_t SharedBuffer::sizeFromData(const void* data)
-{
-    return (((const SharedBuffer*)data)-1)->mSize;
-}
-
-bool SharedBuffer::onlyOwner() const {
-    return (mRefs == 1);
-}
-
-}; // namespace android
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_VECTOR_H
diff --git a/media/omx-plugin/include/ics/utils/SortedVector.h b/media/omx-plugin/include/ics/utils/SortedVector.h
deleted file mode 100644
index 0e98aeb05..000000000
--- a/media/omx-plugin/include/ics/utils/SortedVector.h
+++ /dev/null
@@ -1,283 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_SORTED_VECTOR_H
-#define ANDROID_SORTED_VECTOR_H
-
-#include <assert.h>
-#include <stdint.h>
-#include <sys/types.h>
-
-#include <utils/Vector.h>
-#include <utils/VectorImpl.h>
-#include <utils/TypeHelpers.h>
-
-// ---------------------------------------------------------------------------
-
-namespace android {
-
-template <class TYPE>
-class SortedVector : private SortedVectorImpl
-{
-    friend class Vector<TYPE>;
-
-public:
-            typedef TYPE    value_type;
-    
-    /*! 
-     * Constructors and destructors
-     */
-    
-                            SortedVector();
-                            SortedVector(const SortedVector<TYPE>& rhs);
-    virtual                 ~SortedVector();
-
-    /*! copy operator */
-    const SortedVector<TYPE>&   operator = (const SortedVector<TYPE>& rhs) const;    
-    SortedVector<TYPE>&         operator = (const SortedVector<TYPE>& rhs);    
-
-    /*
-     * empty the vector
-     */
-
-    inline  void            clear()             { VectorImpl::clear(); }
-
-    /*! 
-     * vector stats
-     */
-
-    //! returns number of items in the vector
-    inline  size_t          size() const                { return VectorImpl::size(); }
-    //! returns wether or not the vector is empty
-    inline  bool            isEmpty() const             { return VectorImpl::isEmpty(); }
-    //! returns how many items can be stored without reallocating the backing store
-    inline  size_t          capacity() const            { return VectorImpl::capacity(); }
-    //! setst the capacity. capacity can never be reduced less than size()
-    inline  ssize_t         setCapacity(size_t size)    { return VectorImpl::setCapacity(size); }
-
-    /*! 
-     * C-style array access
-     */
-     
-    //! read-only C-style access 
-    inline  const TYPE*     array() const;
-
-    //! read-write C-style access. BE VERY CAREFUL when modifying the array
-    //! you ust keep it sorted! You usually don't use this function.
-            TYPE*           editArray();
-
-            //! finds the index of an item
-            ssize_t         indexOf(const TYPE& item) const;
-            
-            //! finds where this item should be inserted
-            size_t          orderOf(const TYPE& item) const;
-            
-    
-    /*! 
-     * accessors
-     */
-
-    //! read-only access to an item at a given index
-    inline  const TYPE&     operator [] (size_t index) const;
-    //! alternate name for operator []
-    inline  const TYPE&     itemAt(size_t index) const;
-    //! stack-usage of the vector. returns the top of the stack (last element)
-            const TYPE&     top() const;
-    //! same as operator [], but allows to access the vector backward (from the end) with a negative index
-            const TYPE&     mirrorItemAt(ssize_t index) const;
-
-    /*!
-     * modifing the array
-     */
-
-            //! add an item in the right place (and replace the one that is there)
-            ssize_t         add(const TYPE& item);
-            
-            //! editItemAt() MUST NOT change the order of this item
-            TYPE&           editItemAt(size_t index) {
-                return *( static_cast<TYPE *>(VectorImpl::editItemLocation(index)) );
-            }
-
-            //! merges a vector into this one
-            ssize_t         merge(const Vector<TYPE>& vector);
-            ssize_t         merge(const SortedVector<TYPE>& vector);
-            
-            //! removes an item
-            ssize_t         remove(const TYPE&);
-
-    //! remove several items
-    inline  ssize_t         removeItemsAt(size_t index, size_t count = 1);
-    //! remove one item
-    inline  ssize_t         removeAt(size_t index)  { return removeItemsAt(index); }
-            
-protected:
-    virtual void    do_construct(void* storage, size_t num) const;
-    virtual void    do_destroy(void* storage, size_t num) const;
-    virtual void    do_copy(void* dest, const void* from, size_t num) const;
-    virtual void    do_splat(void* dest, const void* item, size_t num) const;
-    virtual void    do_move_forward(void* dest, const void* from, size_t num) const;
-    virtual void    do_move_backward(void* dest, const void* from, size_t num) const;
-    virtual int     do_compare(const void* lhs, const void* rhs) const;
-};
-
-
-// ---------------------------------------------------------------------------
-// No user serviceable parts from here...
-// ---------------------------------------------------------------------------
-
-template<class TYPE> inline
-SortedVector<TYPE>::SortedVector()
-    : SortedVectorImpl(sizeof(TYPE),
-                ((traits<TYPE>::has_trivial_ctor   ? HAS_TRIVIAL_CTOR   : 0)
-                |(traits<TYPE>::has_trivial_dtor   ? HAS_TRIVIAL_DTOR   : 0)
-                |(traits<TYPE>::has_trivial_copy   ? HAS_TRIVIAL_COPY   : 0))
-                )
-{
-}
-
-template<class TYPE> inline
-SortedVector<TYPE>::SortedVector(const SortedVector<TYPE>& rhs)
-    : SortedVectorImpl(rhs) {
-}
-
-template<class TYPE> inline
-SortedVector<TYPE>::~SortedVector() {
-    finish_vector();
-}
-
-template<class TYPE> inline
-SortedVector<TYPE>& SortedVector<TYPE>::operator = (const SortedVector<TYPE>& rhs) {
-    SortedVectorImpl::operator = (rhs);
-    return *this; 
-}
-
-template<class TYPE> inline
-const SortedVector<TYPE>& SortedVector<TYPE>::operator = (const SortedVector<TYPE>& rhs) const {
-    SortedVectorImpl::operator = (rhs);
-    return *this; 
-}
-
-template<class TYPE> inline
-const TYPE* SortedVector<TYPE>::array() const {
-    return static_cast<const TYPE *>(arrayImpl());
-}
-
-template<class TYPE> inline
-TYPE* SortedVector<TYPE>::editArray() {
-    return static_cast<TYPE *>(editArrayImpl());
-}
-
-
-template<class TYPE> inline
-const TYPE& SortedVector<TYPE>::operator[](size_t index) const {
-    assert( index<size() );
-    return *(array() + index);
-}
-
-template<class TYPE> inline
-const TYPE& SortedVector<TYPE>::itemAt(size_t index) const {
-    return operator[](index);
-}
-
-template<class TYPE> inline
-const TYPE& SortedVector<TYPE>::mirrorItemAt(ssize_t index) const {
-    assert( (index>0 ? index : -index)<size() );
-    return *(array() + ((index<0) ? (size()-index) : index));
-}
-
-template<class TYPE> inline
-const TYPE& SortedVector<TYPE>::top() const {
-    return *(array() + size() - 1);
-}
-
-template<class TYPE> inline
-ssize_t SortedVector<TYPE>::add(const TYPE& item) {
-    return SortedVectorImpl::add(&item);
-}
-
-template<class TYPE> inline
-ssize_t SortedVector<TYPE>::indexOf(const TYPE& item) const {
-    return SortedVectorImpl::indexOf(&item);
-}
-
-template<class TYPE> inline
-size_t SortedVector<TYPE>::orderOf(const TYPE& item) const {
-    return SortedVectorImpl::orderOf(&item);
-}
-
-template<class TYPE> inline
-ssize_t SortedVector<TYPE>::merge(const Vector<TYPE>& vector) {
-    return SortedVectorImpl::merge(reinterpret_cast<const VectorImpl&>(vector));
-}
-
-template<class TYPE> inline
-ssize_t SortedVector<TYPE>::merge(const SortedVector<TYPE>& vector) {
-    return SortedVectorImpl::merge(reinterpret_cast<const SortedVectorImpl&>(vector));
-}
-
-template<class TYPE> inline
-ssize_t SortedVector<TYPE>::remove(const TYPE& item) {
-    return SortedVectorImpl::remove(&item);
-}
-
-template<class TYPE> inline
-ssize_t SortedVector<TYPE>::removeItemsAt(size_t index, size_t count) {
-    return VectorImpl::removeItemsAt(index, count);
-}
-
-// ---------------------------------------------------------------------------
-
-template<class TYPE>
-void SortedVector<TYPE>::do_construct(void* storage, size_t num) const {
-    construct_type( reinterpret_cast<TYPE*>(storage), num );
-}
-
-template<class TYPE>
-void SortedVector<TYPE>::do_destroy(void* storage, size_t num) const {
-    destroy_type( reinterpret_cast<TYPE*>(storage), num );
-}
-
-template<class TYPE>
-void SortedVector<TYPE>::do_copy(void* dest, const void* from, size_t num) const {
-    copy_type( reinterpret_cast<TYPE*>(dest), reinterpret_cast<const TYPE*>(from), num );
-}
-
-template<class TYPE>
-void SortedVector<TYPE>::do_splat(void* dest, const void* item, size_t num) const {
-    splat_type( reinterpret_cast<TYPE*>(dest), reinterpret_cast<const TYPE*>(item), num );
-}
-
-template<class TYPE>
-void SortedVector<TYPE>::do_move_forward(void* dest, const void* from, size_t num) const {
-    move_forward_type( reinterpret_cast<TYPE*>(dest), reinterpret_cast<const TYPE*>(from), num );
-}
-
-template<class TYPE>
-void SortedVector<TYPE>::do_move_backward(void* dest, const void* from, size_t num) const {
-    move_backward_type( reinterpret_cast<TYPE*>(dest), reinterpret_cast<const TYPE*>(from), num );
-}
-
-template<class TYPE>
-int SortedVector<TYPE>::do_compare(const void* lhs, const void* rhs) const {
-    return compare_type( *reinterpret_cast<const TYPE*>(lhs), *reinterpret_cast<const TYPE*>(rhs) );
-}
-
-}; // namespace android
-
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_SORTED_VECTOR_H
diff --git a/media/omx-plugin/include/ics/utils/String16.h b/media/omx-plugin/include/ics/utils/String16.h
deleted file mode 100644
index 360f407c3..000000000
--- a/media/omx-plugin/include/ics/utils/String16.h
+++ /dev/null
@@ -1,238 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_STRING16_H
-#define ANDROID_STRING16_H
-
-#include <utils/Errors.h>
-#include <utils/SharedBuffer.h>
-#include <utils/Unicode.h>
-
-// ---------------------------------------------------------------------------
-
-extern "C" {
-
-}
-
-// ---------------------------------------------------------------------------
-
-namespace android {
-
-// ---------------------------------------------------------------------------
-
-class String8;
-class TextOutput;
-
-//! This is a string holding UTF-16 characters.
-class String16
-{
-public:
-                                String16();
-                                String16(const String16& o);
-                                String16(const String16& o,
-                                         size_t len,
-                                         size_t begin=0);
-    explicit                    String16(const char16_t* o);
-    explicit                    String16(const char16_t* o, size_t len);
-    explicit                    String16(const String8& o);
-    explicit                    String16(const char* o);
-    explicit                    String16(const char* o, size_t len);
-
-                                ~String16();
-    
-    inline  const char16_t*     string() const;
-    inline  size_t              size() const;
-    
-    inline  const SharedBuffer* sharedBuffer() const;
-    
-            void                setTo(const String16& other);
-            status_t            setTo(const char16_t* other);
-            status_t            setTo(const char16_t* other, size_t len);
-            status_t            setTo(const String16& other,
-                                      size_t len,
-                                      size_t begin=0);
-    
-            status_t            append(const String16& other);
-            status_t            append(const char16_t* other, size_t len);
-            
-    inline  String16&           operator=(const String16& other);
-    
-    inline  String16&           operator+=(const String16& other);
-    inline  String16            operator+(const String16& other) const;
-
-            status_t            insert(size_t pos, const char16_t* chrs);
-            status_t            insert(size_t pos,
-                                       const char16_t* chrs, size_t len);
-
-            ssize_t             findFirst(char16_t c) const;
-            ssize_t             findLast(char16_t c) const;
-
-            bool                startsWith(const String16& prefix) const;
-            bool                startsWith(const char16_t* prefix) const;
-            
-            status_t            makeLower();
-
-            status_t            replaceAll(char16_t replaceThis,
-                                           char16_t withThis);
-
-            status_t            remove(size_t len, size_t begin=0);
-
-    inline  int                 compare(const String16& other) const;
-
-    inline  bool                operator<(const String16& other) const;
-    inline  bool                operator<=(const String16& other) const;
-    inline  bool                operator==(const String16& other) const;
-    inline  bool                operator!=(const String16& other) const;
-    inline  bool                operator>=(const String16& other) const;
-    inline  bool                operator>(const String16& other) const;
-    
-    inline  bool                operator<(const char16_t* other) const;
-    inline  bool                operator<=(const char16_t* other) const;
-    inline  bool                operator==(const char16_t* other) const;
-    inline  bool                operator!=(const char16_t* other) const;
-    inline  bool                operator>=(const char16_t* other) const;
-    inline  bool                operator>(const char16_t* other) const;
-    
-    inline                      operator const char16_t*() const;
-    
-private:
-            const char16_t*     mString;
-};
-
-TextOutput& operator<<(TextOutput& to, const String16& val);
-
-// ---------------------------------------------------------------------------
-// No user servicable parts below.
-
-inline int compare_type(const String16& lhs, const String16& rhs)
-{
-    return lhs.compare(rhs);
-}
-
-inline int strictly_order_type(const String16& lhs, const String16& rhs)
-{
-    return compare_type(lhs, rhs) < 0;
-}
-
-inline const char16_t* String16::string() const
-{
-    return mString;
-}
-
-inline size_t String16::size() const
-{
-    return SharedBuffer::sizeFromData(mString)/sizeof(char16_t)-1;
-}
-
-inline const SharedBuffer* String16::sharedBuffer() const
-{
-    return SharedBuffer::bufferFromData(mString);
-}
-
-inline String16& String16::operator=(const String16& other)
-{
-    setTo(other);
-    return *this;
-}
-
-inline String16& String16::operator+=(const String16& other)
-{
-    append(other);
-    return *this;
-}
-
-inline String16 String16::operator+(const String16& other) const
-{
-    String16 tmp(*this);
-    tmp += other;
-    return tmp;
-}
-
-inline int String16::compare(const String16& other) const
-{
-    return strzcmp16(mString, size(), other.mString, other.size());
-}
-
-inline bool String16::operator<(const String16& other) const
-{
-    return strzcmp16(mString, size(), other.mString, other.size()) < 0;
-}
-
-inline bool String16::operator<=(const String16& other) const
-{
-    return strzcmp16(mString, size(), other.mString, other.size()) <= 0;
-}
-
-inline bool String16::operator==(const String16& other) const
-{
-    return strzcmp16(mString, size(), other.mString, other.size()) == 0;
-}
-
-inline bool String16::operator!=(const String16& other) const
-{
-    return strzcmp16(mString, size(), other.mString, other.size()) != 0;
-}
-
-inline bool String16::operator>=(const String16& other) const
-{
-    return strzcmp16(mString, size(), other.mString, other.size()) >= 0;
-}
-
-inline bool String16::operator>(const String16& other) const
-{
-    return strzcmp16(mString, size(), other.mString, other.size()) > 0;
-}
-
-inline bool String16::operator<(const char16_t* other) const
-{
-    return strcmp16(mString, other) < 0;
-}
-
-inline bool String16::operator<=(const char16_t* other) const
-{
-    return strcmp16(mString, other) <= 0;
-}
-
-inline bool String16::operator==(const char16_t* other) const
-{
-    return strcmp16(mString, other) == 0;
-}
-
-inline bool String16::operator!=(const char16_t* other) const
-{
-    return strcmp16(mString, other) != 0;
-}
-
-inline bool String16::operator>=(const char16_t* other) const
-{
-    return strcmp16(mString, other) >= 0;
-}
-
-inline bool String16::operator>(const char16_t* other) const
-{
-    return strcmp16(mString, other) > 0;
-}
-
-inline String16::operator const char16_t*() const
-{
-    return mString;
-}
-
-}; // namespace android
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_STRING16_H
diff --git a/media/omx-plugin/include/ics/utils/String8.h b/media/omx-plugin/include/ics/utils/String8.h
deleted file mode 100644
index 4163697d2..000000000
--- a/media/omx-plugin/include/ics/utils/String8.h
+++ /dev/null
@@ -1,383 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_STRING8_H
-#define ANDROID_STRING8_H
-
-#include <utils/Errors.h>
-#include <utils/SharedBuffer.h>
-#include <utils/Unicode.h>
-
-#include <string.h> // for strcmp
-#include <stdarg.h>
-
-// ---------------------------------------------------------------------------
-
-namespace android {
-
-class String16;
-class TextOutput;
-
-//! This is a string holding UTF-8 characters. Does not allow the value more
-// than 0x10FFFF, which is not valid unicode codepoint.
-class String8
-{
-public:
-                                String8();
-                                String8(const String8& o);
-    explicit                    String8(const char* o);
-    explicit                    String8(const char* o, size_t numChars);
-    
-    explicit                    String8(const String16& o);
-    explicit                    String8(const char16_t* o);
-    explicit                    String8(const char16_t* o, size_t numChars);
-    explicit                    String8(const char32_t* o);
-    explicit                    String8(const char32_t* o, size_t numChars);
-                                ~String8();
-
-    static inline const String8 empty();
-
-    static String8              format(const char* fmt, ...) __attribute__((format (printf, 1, 2)));
-    static String8              formatV(const char* fmt, va_list args);
-
-    inline  const char*         string() const;
-    inline  size_t              size() const;
-    inline  size_t              length() const;
-    inline  size_t              bytes() const;
-    inline  bool                isEmpty() const;
-    
-    inline  const SharedBuffer* sharedBuffer() const;
-    
-            void                clear();
-
-            void                setTo(const String8& other);
-            status_t            setTo(const char* other);
-            status_t            setTo(const char* other, size_t numChars);
-            status_t            setTo(const char16_t* other, size_t numChars);
-            status_t            setTo(const char32_t* other,
-                                      size_t length);
-
-            status_t            append(const String8& other);
-            status_t            append(const char* other);
-            status_t            append(const char* other, size_t numChars);
-
-            status_t            appendFormat(const char* fmt, ...)
-                    __attribute__((format (printf, 2, 3)));
-            status_t            appendFormatV(const char* fmt, va_list args);
-
-            // Note that this function takes O(N) time to calculate the value.
-            // No cache value is stored.
-            size_t              getUtf32Length() const;
-            int32_t             getUtf32At(size_t index,
-                                           size_t *next_index) const;
-            void                getUtf32(char32_t* dst) const;
-
-    inline  String8&            operator=(const String8& other);
-    inline  String8&            operator=(const char* other);
-    
-    inline  String8&            operator+=(const String8& other);
-    inline  String8             operator+(const String8& other) const;
-    
-    inline  String8&            operator+=(const char* other);
-    inline  String8             operator+(const char* other) const;
-
-    inline  int                 compare(const String8& other) const;
-
-    inline  bool                operator<(const String8& other) const;
-    inline  bool                operator<=(const String8& other) const;
-    inline  bool                operator==(const String8& other) const;
-    inline  bool                operator!=(const String8& other) const;
-    inline  bool                operator>=(const String8& other) const;
-    inline  bool                operator>(const String8& other) const;
-    
-    inline  bool                operator<(const char* other) const;
-    inline  bool                operator<=(const char* other) const;
-    inline  bool                operator==(const char* other) const;
-    inline  bool                operator!=(const char* other) const;
-    inline  bool                operator>=(const char* other) const;
-    inline  bool                operator>(const char* other) const;
-    
-    inline                      operator const char*() const;
-    
-            char*               lockBuffer(size_t size);
-            void                unlockBuffer();
-            status_t            unlockBuffer(size_t size);
-            
-            // return the index of the first byte of other in this at or after
-            // start, or -1 if not found
-            ssize_t             find(const char* other, size_t start = 0) const;
-
-            void                toLower();
-            void                toLower(size_t start, size_t numChars);
-            void                toUpper();
-            void                toUpper(size_t start, size_t numChars);
-
-    /*
-     * These methods operate on the string as if it were a path name.
-     */
-
-    /*
-     * Set the filename field to a specific value.
-     *
-     * Normalizes the filename, removing a trailing '/' if present.
-     */
-    void setPathName(const char* name);
-    void setPathName(const char* name, size_t numChars);
-
-    /*
-     * Get just the filename component.
-     *
-     * "/tmp/foo/bar.c" --> "bar.c"
-     */
-    String8 getPathLeaf(void) const;
-
-    /*
-     * Remove the last (file name) component, leaving just the directory
-     * name.
-     *
-     * "/tmp/foo/bar.c" --> "/tmp/foo"
-     * "/tmp" --> "" // ????? shouldn't this be "/" ???? XXX
-     * "bar.c" --> ""
-     */
-    String8 getPathDir(void) const;
-
-    /*
-     * Retrieve the front (root dir) component.  Optionally also return the
-     * remaining components.
-     *
-     * "/tmp/foo/bar.c" --> "tmp" (remain = "foo/bar.c")
-     * "/tmp" --> "tmp" (remain = "")
-     * "bar.c" --> "bar.c" (remain = "")
-     */
-    String8 walkPath(String8* outRemains = NULL) const;
-
-    /*
-     * Return the filename extension.  This is the last '.' and any number
-     * of characters that follow it.  The '.' is included in case we
-     * decide to expand our definition of what constitutes an extension.
-     *
-     * "/tmp/foo/bar.c" --> ".c"
-     * "/tmp" --> ""
-     * "/tmp/foo.bar/baz" --> ""
-     * "foo.jpeg" --> ".jpeg"
-     * "foo." --> ""
-     */
-    String8 getPathExtension(void) const;
-
-    /*
-     * Return the path without the extension.  Rules for what constitutes
-     * an extension are described in the comment for getPathExtension().
-     *
-     * "/tmp/foo/bar.c" --> "/tmp/foo/bar"
-     */
-    String8 getBasePath(void) const;
-
-    /*
-     * Add a component to the pathname.  We guarantee that there is
-     * exactly one path separator between the old path and the new.
-     * If there is no existing name, we just copy the new name in.
-     *
-     * If leaf is a fully qualified path (i.e. starts with '/', it
-     * replaces whatever was there before.
-     */
-    String8& appendPath(const char* leaf);
-    String8& appendPath(const String8& leaf)  { return appendPath(leaf.string()); }
-
-    /*
-     * Like appendPath(), but does not affect this string.  Returns a new one instead.
-     */
-    String8 appendPathCopy(const char* leaf) const
-                                             { String8 p(*this); p.appendPath(leaf); return p; }
-    String8 appendPathCopy(const String8& leaf) const { return appendPathCopy(leaf.string()); }
-
-    /*
-     * Converts all separators in this string to /, the default path separator.
-     *
-     * If the default OS separator is backslash, this converts all
-     * backslashes to slashes, in-place. Otherwise it does nothing.
-     * Returns self.
-     */
-    String8& convertToResPath();
-
-private:
-            status_t            real_append(const char* other, size_t numChars);
-            char*               find_extension(void) const;
-
-            const char* mString;
-};
-
-TextOutput& operator<<(TextOutput& to, const String16& val);
-
-// ---------------------------------------------------------------------------
-// No user servicable parts below.
-
-inline int compare_type(const String8& lhs, const String8& rhs)
-{
-    return lhs.compare(rhs);
-}
-
-inline int strictly_order_type(const String8& lhs, const String8& rhs)
-{
-    return compare_type(lhs, rhs) < 0;
-}
-
-inline const String8 String8::empty() {
-    return String8();
-}
-
-inline const char* String8::string() const
-{
-    return mString;
-}
-
-inline size_t String8::length() const
-{
-    return SharedBuffer::sizeFromData(mString)-1;
-}
-
-inline size_t String8::size() const
-{
-    return length();
-}
-
-inline bool String8::isEmpty() const
-{
-    return length() == 0;
-}
-
-inline size_t String8::bytes() const
-{
-    return SharedBuffer::sizeFromData(mString)-1;
-}
-
-inline const SharedBuffer* String8::sharedBuffer() const
-{
-    return SharedBuffer::bufferFromData(mString);
-}
-
-inline String8& String8::operator=(const String8& other)
-{
-    setTo(other);
-    return *this;
-}
-
-inline String8& String8::operator=(const char* other)
-{
-    setTo(other);
-    return *this;
-}
-
-inline String8& String8::operator+=(const String8& other)
-{
-    append(other);
-    return *this;
-}
-
-inline String8 String8::operator+(const String8& other) const
-{
-    String8 tmp(*this);
-    tmp += other;
-    return tmp;
-}
-
-inline String8& String8::operator+=(const char* other)
-{
-    append(other);
-    return *this;
-}
-
-inline String8 String8::operator+(const char* other) const
-{
-    String8 tmp(*this);
-    tmp += other;
-    return tmp;
-}
-
-inline int String8::compare(const String8& other) const
-{
-    return strcmp(mString, other.mString);
-}
-
-inline bool String8::operator<(const String8& other) const
-{
-    return strcmp(mString, other.mString) < 0;
-}
-
-inline bool String8::operator<=(const String8& other) const
-{
-    return strcmp(mString, other.mString) <= 0;
-}
-
-inline bool String8::operator==(const String8& other) const
-{
-    return strcmp(mString, other.mString) == 0;
-}
-
-inline bool String8::operator!=(const String8& other) const
-{
-    return strcmp(mString, other.mString) != 0;
-}
-
-inline bool String8::operator>=(const String8& other) const
-{
-    return strcmp(mString, other.mString) >= 0;
-}
-
-inline bool String8::operator>(const String8& other) const
-{
-    return strcmp(mString, other.mString) > 0;
-}
-
-inline bool String8::operator<(const char* other) const
-{
-    return strcmp(mString, other) < 0;
-}
-
-inline bool String8::operator<=(const char* other) const
-{
-    return strcmp(mString, other) <= 0;
-}
-
-inline bool String8::operator==(const char* other) const
-{
-    return strcmp(mString, other) == 0;
-}
-
-inline bool String8::operator!=(const char* other) const
-{
-    return strcmp(mString, other) != 0;
-}
-
-inline bool String8::operator>=(const char* other) const
-{
-    return strcmp(mString, other) >= 0;
-}
-
-inline bool String8::operator>(const char* other) const
-{
-    return strcmp(mString, other) > 0;
-}
-
-inline String8::operator const char*() const
-{
-    return mString;
-}
-
-}  // namespace android
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_STRING8_H
diff --git a/media/omx-plugin/include/ics/utils/StrongPointer.h b/media/omx-plugin/include/ics/utils/StrongPointer.h
deleted file mode 100644
index 49fa3a8d6..000000000
--- a/media/omx-plugin/include/ics/utils/StrongPointer.h
+++ /dev/null
@@ -1,220 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_STRONG_POINTER_H
-#define ANDROID_STRONG_POINTER_H
-
-#include <cutils/atomic.h>
-
-#include <stdint.h>
-#include <sys/types.h>
-#include <stdlib.h>
-
-// ---------------------------------------------------------------------------
-namespace android {
-
-class TextOutput;
-TextOutput& printStrongPointer(TextOutput& to, const void* val);
-
-template<typename T> class wp;
-
-// ---------------------------------------------------------------------------
-
-#define COMPARE(_op_)                                           \
-inline bool operator _op_ (const sp<T>& o) const {              \
-    return m_ptr _op_ o.m_ptr;                                  \
-}                                                               \
-inline bool operator _op_ (const T* o) const {                  \
-    return m_ptr _op_ o;                                        \
-}                                                               \
-template<typename U>                                            \
-inline bool operator _op_ (const sp<U>& o) const {              \
-    return m_ptr _op_ o.m_ptr;                                  \
-}                                                               \
-template<typename U>                                            \
-inline bool operator _op_ (const U* o) const {                  \
-    return m_ptr _op_ o;                                        \
-}                                                               \
-inline bool operator _op_ (const wp<T>& o) const {              \
-    return m_ptr _op_ o.m_ptr;                                  \
-}                                                               \
-template<typename U>                                            \
-inline bool operator _op_ (const wp<U>& o) const {              \
-    return m_ptr _op_ o.m_ptr;                                  \
-}
-
-// ---------------------------------------------------------------------------
-
-template <typename T>
-class sp
-{
-public:
-    inline sp() : m_ptr(0) { }
-
-    sp(T* other);
-    sp(const sp<T>& other);
-    template<typename U> sp(U* other);
-    template<typename U> sp(const sp<U>& other);
-
-    ~sp();
-
-    // Assignment
-
-    sp& operator = (T* other);
-    sp& operator = (const sp<T>& other);
-
-    template<typename U> sp& operator = (const sp<U>& other);
-    template<typename U> sp& operator = (U* other);
-
-    //! Special optimization for use by ProcessState (and nobody else).
-    void force_set(T* other);
-
-    // Reset
-
-    void clear();
-
-    // Accessors
-
-    inline  T&      operator* () const  { return *m_ptr; }
-    inline  T*      operator-> () const { return m_ptr;  }
-    inline  T*      get() const         { return m_ptr; }
-
-    // Operators
-
-    COMPARE(==)
-    COMPARE(!=)
-    COMPARE(>)
-    COMPARE(<)
-    COMPARE(<=)
-    COMPARE(>=)
-
-private:    
-    template<typename Y> friend class sp;
-    template<typename Y> friend class wp;
-    void set_pointer(T* ptr);
-    T* m_ptr;
-};
-
-#undef COMPARE
-
-template <typename T>
-TextOutput& operator<<(TextOutput& to, const sp<T>& val);
-
-// ---------------------------------------------------------------------------
-// No user serviceable parts below here.
-
-template<typename T>
-sp<T>::sp(T* other)
-: m_ptr(other)
-  {
-    if (other) other->incStrong(this);
-  }
-
-template<typename T>
-sp<T>::sp(const sp<T>& other)
-: m_ptr(other.m_ptr)
-  {
-    if (m_ptr) m_ptr->incStrong(this);
-  }
-
-template<typename T> template<typename U>
-sp<T>::sp(U* other) : m_ptr(other)
-{
-    if (other) ((T*)other)->incStrong(this);
-}
-
-template<typename T> template<typename U>
-sp<T>::sp(const sp<U>& other)
-: m_ptr(other.m_ptr)
-  {
-    if (m_ptr) m_ptr->incStrong(this);
-  }
-
-template<typename T>
-sp<T>::~sp()
-{
-    if (m_ptr) m_ptr->decStrong(this);
-}
-
-template<typename T>
-sp<T>& sp<T>::operator = (const sp<T>& other) {
-    T* otherPtr(other.m_ptr);
-    if (otherPtr) otherPtr->incStrong(this);
-    if (m_ptr) m_ptr->decStrong(this);
-    m_ptr = otherPtr;
-    return *this;
-}
-
-template<typename T>
-sp<T>& sp<T>::operator = (T* other)
-{
-    if (other) other->incStrong(this);
-    if (m_ptr) m_ptr->decStrong(this);
-    m_ptr = other;
-    return *this;
-}
-
-template<typename T> template<typename U>
-sp<T>& sp<T>::operator = (const sp<U>& other)
-{
-    T* otherPtr(other.m_ptr);
-    if (otherPtr) otherPtr->incStrong(this);
-    if (m_ptr) m_ptr->decStrong(this);
-    m_ptr = otherPtr;
-    return *this;
-}
-
-template<typename T> template<typename U>
-sp<T>& sp<T>::operator = (U* other)
-{
-    if (other) ((T*)other)->incStrong(this);
-    if (m_ptr) m_ptr->decStrong(this);
-    m_ptr = other;
-    return *this;
-}
-
-template<typename T>    
-void sp<T>::force_set(T* other)
-{
-    other->forceIncStrong(this);
-    m_ptr = other;
-}
-
-template<typename T>
-void sp<T>::clear()
-{
-    if (m_ptr) {
-        m_ptr->decStrong(this);
-        m_ptr = 0;
-    }
-}
-
-template<typename T>
-void sp<T>::set_pointer(T* ptr) {
-    m_ptr = ptr;
-}
-
-template <typename T>
-inline TextOutput& operator<<(TextOutput& to, const sp<T>& val)
-{
-    return printStrongPointer(to, val.get());
-}
-
-}; // namespace android
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_STRONG_POINTER_H
diff --git a/media/omx-plugin/include/ics/utils/Timers.h b/media/omx-plugin/include/ics/utils/Timers.h
deleted file mode 100644
index 8b4d32287..000000000
--- a/media/omx-plugin/include/ics/utils/Timers.h
+++ /dev/null
@@ -1,144 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-//
-// Timer functions.
-//
-#ifndef _LIBS_UTILS_TIMERS_H
-#define _LIBS_UTILS_TIMERS_H
-
-#include <stdint.h>
-#include <sys/types.h>
-#include <sys/time.h>
-
-// ------------------------------------------------------------------
-// C API
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef int64_t nsecs_t;       // nano-seconds
-
-static inline nsecs_t seconds_to_nanoseconds(nsecs_t secs)
-{
-    return secs*1000000000;
-}
-
-static inline nsecs_t milliseconds_to_nanoseconds(nsecs_t secs)
-{
-    return secs*1000000;
-}
-
-static inline nsecs_t microseconds_to_nanoseconds(nsecs_t secs)
-{
-    return secs*1000;
-}
-
-static inline nsecs_t nanoseconds_to_seconds(nsecs_t secs)
-{
-    return secs/1000000000;
-}
-
-static inline nsecs_t nanoseconds_to_milliseconds(nsecs_t secs)
-{
-    return secs/1000000;
-}
-
-static inline nsecs_t nanoseconds_to_microseconds(nsecs_t secs)
-{
-    return secs/1000;
-}
-
-static inline nsecs_t s2ns(nsecs_t v)  {return seconds_to_nanoseconds(v);}
-static inline nsecs_t ms2ns(nsecs_t v) {return milliseconds_to_nanoseconds(v);}
-static inline nsecs_t us2ns(nsecs_t v) {return microseconds_to_nanoseconds(v);}
-static inline nsecs_t ns2s(nsecs_t v)  {return nanoseconds_to_seconds(v);}
-static inline nsecs_t ns2ms(nsecs_t v) {return nanoseconds_to_milliseconds(v);}
-static inline nsecs_t ns2us(nsecs_t v) {return nanoseconds_to_microseconds(v);}
-
-static inline nsecs_t seconds(nsecs_t v)      { return s2ns(v); }
-static inline nsecs_t milliseconds(nsecs_t v) { return ms2ns(v); }
-static inline nsecs_t microseconds(nsecs_t v) { return us2ns(v); }
-
-enum {
-    SYSTEM_TIME_REALTIME = 0,  // system-wide realtime clock
-    SYSTEM_TIME_MONOTONIC = 1, // monotonic time since unspecified starting point
-    SYSTEM_TIME_PROCESS = 2,   // high-resolution per-process clock
-    SYSTEM_TIME_THREAD = 3     // high-resolution per-thread clock
-};
-    
-// return the system-time according to the specified clock
-#ifdef __cplusplus
-nsecs_t systemTime(int clock = SYSTEM_TIME_MONOTONIC);
-#else
-nsecs_t systemTime(int clock);
-#endif // def __cplusplus
-
-/**
- * Returns the number of milliseconds to wait between the reference time and the timeout time.
- * If the timeout is in the past relative to the reference time, returns 0.
- * If the timeout is more than INT_MAX milliseconds in the future relative to the reference time,
- * such as when timeoutTime == LLONG_MAX, returns -1 to indicate an infinite timeout delay.
- * Otherwise, returns the difference between the reference time and timeout time
- * rounded up to the next millisecond.
- */
-int toMillisecondTimeoutDelay(nsecs_t referenceTime, nsecs_t timeoutTime);
-
-#ifdef __cplusplus
-} // extern "C"
-#endif
-
-// ------------------------------------------------------------------
-// C++ API
-
-#ifdef __cplusplus
-
-namespace android {
-/*
- * Time the duration of something.
- *
- * Includes some timeval manipulation functions.
- */
-class DurationTimer {
-public:
-    DurationTimer() {}
-    ~DurationTimer() {}
-
-    // Start the timer.
-    void start();
-    // Stop the timer.
-    void stop();
-    // Get the duration in microseconds.
-    long long durationUsecs() const;
-
-    // Subtract two timevals.  Returns the difference (ptv1-ptv2) in
-    // microseconds.
-    static long long subtractTimevals(const struct timeval* ptv1,
-        const struct timeval* ptv2);
-
-    // Add the specified amount of time to the timeval.
-    static void addToTimeval(struct timeval* ptv, long usec);
-
-private:
-    struct timeval  mStartWhen;
-    struct timeval  mStopWhen;
-};
-
-}; // android
-#endif // def __cplusplus
-
-#endif // _LIBS_UTILS_TIMERS_H
diff --git a/media/omx-plugin/include/ics/utils/TypeHelpers.h b/media/omx-plugin/include/ics/utils/TypeHelpers.h
deleted file mode 100644
index d0dc33a7e..000000000
--- a/media/omx-plugin/include/ics/utils/TypeHelpers.h
+++ /dev/null
@@ -1,246 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_TYPE_HELPERS_H
-#define ANDROID_TYPE_HELPERS_H
-
-#include <new>
-#include <stdint.h>
-#include <string.h>
-#include <sys/types.h>
-
-// ---------------------------------------------------------------------------
-
-namespace android {
-
-/*
- * Types traits
- */
-
-template <typename T> struct trait_trivial_ctor { enum { value = false }; };
-template <typename T> struct trait_trivial_dtor { enum { value = false }; };
-template <typename T> struct trait_trivial_copy { enum { value = false }; };
-template <typename T> struct trait_trivial_move { enum { value = false }; };
-template <typename T> struct trait_pointer      { enum { value = false }; };    
-template <typename T> struct trait_pointer<T*>  { enum { value = true }; };
-
-template <typename TYPE>
-struct traits {
-    enum {
-        // whether this type is a pointer
-        is_pointer          = trait_pointer<TYPE>::value,
-        // whether this type's constructor is a no-op
-        has_trivial_ctor    = is_pointer || trait_trivial_ctor<TYPE>::value,
-        // whether this type's destructor is a no-op
-        has_trivial_dtor    = is_pointer || trait_trivial_dtor<TYPE>::value,
-        // whether this type type can be copy-constructed with memcpy
-        has_trivial_copy    = is_pointer || trait_trivial_copy<TYPE>::value,
-        // whether this type can be moved with memmove
-        has_trivial_move    = is_pointer || trait_trivial_move<TYPE>::value
-    };
-};
-
-template <typename T, typename U>
-struct aggregate_traits {
-    enum {
-        is_pointer          = false,
-        has_trivial_ctor    = 
-            traits<T>::has_trivial_ctor && traits<U>::has_trivial_ctor,
-        has_trivial_dtor    = 
-            traits<T>::has_trivial_dtor && traits<U>::has_trivial_dtor,
-        has_trivial_copy    = 
-            traits<T>::has_trivial_copy && traits<U>::has_trivial_copy,
-        has_trivial_move    = 
-            traits<T>::has_trivial_move && traits<U>::has_trivial_move
-    };
-};
-
-#define ANDROID_BASIC_TYPES_TRAITS( T )                                     \
-    template<> struct trait_trivial_ctor< T >   { enum { value = true }; }; \
-    template<> struct trait_trivial_dtor< T >   { enum { value = true }; }; \
-    template<> struct trait_trivial_copy< T >   { enum { value = true }; }; \
-    template<> struct trait_trivial_move< T >   { enum { value = true }; };
-
-// ---------------------------------------------------------------------------
-
-/*
- * basic types traits
- */
-
-ANDROID_BASIC_TYPES_TRAITS( void )
-ANDROID_BASIC_TYPES_TRAITS( bool )
-ANDROID_BASIC_TYPES_TRAITS( char )
-ANDROID_BASIC_TYPES_TRAITS( unsigned char )
-ANDROID_BASIC_TYPES_TRAITS( short )
-ANDROID_BASIC_TYPES_TRAITS( unsigned short )
-ANDROID_BASIC_TYPES_TRAITS( int )
-ANDROID_BASIC_TYPES_TRAITS( unsigned int )
-ANDROID_BASIC_TYPES_TRAITS( long )
-ANDROID_BASIC_TYPES_TRAITS( unsigned long )
-ANDROID_BASIC_TYPES_TRAITS( long long )
-ANDROID_BASIC_TYPES_TRAITS( unsigned long long )
-ANDROID_BASIC_TYPES_TRAITS( float )
-ANDROID_BASIC_TYPES_TRAITS( double )
-
-// ---------------------------------------------------------------------------
-
-
-/*
- * compare and order types
- */
-
-template<typename TYPE> inline
-int strictly_order_type(const TYPE& lhs, const TYPE& rhs) {
-    return (lhs < rhs) ? 1 : 0;
-}
-
-template<typename TYPE> inline
-int compare_type(const TYPE& lhs, const TYPE& rhs) {
-    return strictly_order_type(rhs, lhs) - strictly_order_type(lhs, rhs);
-}
-
-/*
- * create, destroy, copy and move types...
- */
-
-template<typename TYPE> inline
-void construct_type(TYPE* p, size_t n) {
-    if (!traits<TYPE>::has_trivial_ctor) {
-        while (n--) {
-            new(p++) TYPE;
-        }
-    }
-}
-
-template<typename TYPE> inline
-void destroy_type(TYPE* p, size_t n) {
-    if (!traits<TYPE>::has_trivial_dtor) {
-        while (n--) {
-            p->~TYPE();
-            p++;
-        }
-    }
-}
-
-template<typename TYPE> inline
-void copy_type(TYPE* d, const TYPE* s, size_t n) {
-    if (!traits<TYPE>::has_trivial_copy) {
-        while (n--) {
-            new(d) TYPE(*s);
-            d++, s++;
-        }
-    } else {
-        memcpy(d,s,n*sizeof(TYPE));
-    }
-}
-
-template<typename TYPE> inline
-void splat_type(TYPE* where, const TYPE* what, size_t n) {
-    if (!traits<TYPE>::has_trivial_copy) {
-        while (n--) {
-            new(where) TYPE(*what);
-            where++;
-        }
-    } else {
-        while (n--) {
-            *where++ = *what;
-        }
-    }
-}
-
-template<typename TYPE> inline
-void move_forward_type(TYPE* d, const TYPE* s, size_t n = 1) {
-    if ((traits<TYPE>::has_trivial_dtor && traits<TYPE>::has_trivial_copy) 
-            || traits<TYPE>::has_trivial_move) 
-    {
-        memmove(d,s,n*sizeof(TYPE));
-    } else {
-        d += n;
-        s += n;
-        while (n--) {
-            --d, --s;
-            if (!traits<TYPE>::has_trivial_copy) {
-                new(d) TYPE(*s);
-            } else {
-                *d = *s;   
-            }
-            if (!traits<TYPE>::has_trivial_dtor) {
-                s->~TYPE();
-            }
-        }
-    }
-}
-
-template<typename TYPE> inline
-void move_backward_type(TYPE* d, const TYPE* s, size_t n = 1) {
-    if ((traits<TYPE>::has_trivial_dtor && traits<TYPE>::has_trivial_copy) 
-            || traits<TYPE>::has_trivial_move) 
-    {
-        memmove(d,s,n*sizeof(TYPE));
-    } else {
-        while (n--) {
-            if (!traits<TYPE>::has_trivial_copy) {
-                new(d) TYPE(*s);
-            } else {
-                *d = *s;   
-            }
-            if (!traits<TYPE>::has_trivial_dtor) {
-                s->~TYPE();
-            }
-            d++, s++;
-        }
-    }
-}
-
-// ---------------------------------------------------------------------------
-
-/*
- * a key/value pair
- */
-
-template <typename KEY, typename VALUE>
-struct key_value_pair_t {
-    KEY     key;
-    VALUE   value;
-    key_value_pair_t() { }
-    key_value_pair_t(const key_value_pair_t& o) : key(o.key), value(o.value) { }
-    key_value_pair_t(const KEY& k, const VALUE& v) : key(k), value(v)  { }
-    key_value_pair_t(const KEY& k) : key(k) { }
-    inline bool operator < (const key_value_pair_t& o) const {
-        return strictly_order_type(key, o.key);
-    }
-};
-
-template <typename K, typename V>
-struct trait_trivial_ctor< key_value_pair_t<K, V> >
-{ enum { value = aggregate_traits<K,V>::has_trivial_ctor }; };
-template <typename K, typename V>
-struct trait_trivial_dtor< key_value_pair_t<K, V> >
-{ enum { value = aggregate_traits<K,V>::has_trivial_dtor }; };
-template <typename K, typename V>
-struct trait_trivial_copy< key_value_pair_t<K, V> >
-{ enum { value = aggregate_traits<K,V>::has_trivial_copy }; };
-template <typename K, typename V>
-struct trait_trivial_move< key_value_pair_t<K, V> >
-{ enum { value = aggregate_traits<K,V>::has_trivial_move }; };
-
-// ---------------------------------------------------------------------------
-
-}; // namespace android
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_TYPE_HELPERS_H
diff --git a/media/omx-plugin/include/ics/utils/Unicode.h b/media/omx-plugin/include/ics/utils/Unicode.h
deleted file mode 100644
index 90a82763b..000000000
--- a/media/omx-plugin/include/ics/utils/Unicode.h
+++ /dev/null
@@ -1,170 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_UNICODE_H
-#define ANDROID_UNICODE_H
-
-#include <sys/types.h>
-#include <stdint.h>
-
-extern "C" {
-
-#if !defined(__cplusplus) || __cplusplus == 199711L // C or C++98
-typedef uint32_t char32_t;
-typedef uint16_t char16_t;
-#endif
-
-// Standard string functions on char16_t strings.
-int strcmp16(const char16_t *, const char16_t *);
-int strncmp16(const char16_t *s1, const char16_t *s2, size_t n);
-size_t strlen16(const char16_t *);
-size_t strnlen16(const char16_t *, size_t);
-char16_t *strcpy16(char16_t *, const char16_t *);
-char16_t *strncpy16(char16_t *, const char16_t *, size_t);
-
-// Version of comparison that supports embedded nulls.
-// This is different than strncmp() because we don't stop
-// at a nul character and consider the strings to be different
-// if the lengths are different (thus we need to supply the
-// lengths of both strings).  This can also be used when
-// your string is not nul-terminated as it will have the
-// equivalent result as strcmp16 (unlike strncmp16).
-int strzcmp16(const char16_t *s1, size_t n1, const char16_t *s2, size_t n2);
-
-// Version of strzcmp16 for comparing strings in different endianness.
-int strzcmp16_h_n(const char16_t *s1H, size_t n1, const char16_t *s2N, size_t n2);
-
-// Standard string functions on char32_t strings.
-size_t strlen32(const char32_t *);
-size_t strnlen32(const char32_t *, size_t);
-
-/**
- * Measure the length of a UTF-32 string in UTF-8. If the string is invalid
- * such as containing a surrogate character, -1 will be returned.
- */
-ssize_t utf32_to_utf8_length(const char32_t *src, size_t src_len);
-
-/**
- * Stores a UTF-8 string converted from "src" in "dst", if "dst_length" is not
- * large enough to store the string, the part of the "src" string is stored
- * into "dst" as much as possible. See the examples for more detail.
- * Returns the size actually used for storing the string.
- * dst" is not null-terminated when dst_len is fully used (like strncpy).
- *
- * Example 1
- * "src" == \u3042\u3044 (\xE3\x81\x82\xE3\x81\x84)
- * "src_len" == 2
- * "dst_len" >= 7
- * ->
- * Returned value == 6
- * "dst" becomes \xE3\x81\x82\xE3\x81\x84\0
- * (note that "dst" is null-terminated)
- *
- * Example 2
- * "src" == \u3042\u3044 (\xE3\x81\x82\xE3\x81\x84)
- * "src_len" == 2
- * "dst_len" == 5
- * ->
- * Returned value == 3
- * "dst" becomes \xE3\x81\x82\0
- * (note that "dst" is null-terminated, but \u3044 is not stored in "dst"
- * since "dst" does not have enough size to store the character)
- *
- * Example 3
- * "src" == \u3042\u3044 (\xE3\x81\x82\xE3\x81\x84)
- * "src_len" == 2
- * "dst_len" == 6
- * ->
- * Returned value == 6
- * "dst" becomes \xE3\x81\x82\xE3\x81\x84
- * (note that "dst" is NOT null-terminated, like strncpy)
- */
-void utf32_to_utf8(const char32_t* src, size_t src_len, char* dst);
-
-/**
- * Returns the unicode value at "index".
- * Returns -1 when the index is invalid (equals to or more than "src_len").
- * If returned value is positive, it is able to be converted to char32_t, which
- * is unsigned. Then, if "next_index" is not NULL, the next index to be used is
- * stored in "next_index". "next_index" can be NULL.
- */
-int32_t utf32_from_utf8_at(const char *src, size_t src_len, size_t index, size_t *next_index);
-
-
-/**
- * Returns the UTF-8 length of UTF-16 string "src".
- */
-ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len);
-
-/**
- * Converts a UTF-16 string to UTF-8. The destination buffer must be large
- * enough to fit the UTF-16 as measured by utf16_to_utf8_length with an added
- * NULL terminator.
- */
-void utf16_to_utf8(const char16_t* src, size_t src_len, char* dst);
-
-/**
- * Returns the length of "src" when "src" is valid UTF-8 string.
- * Returns 0 if src is NULL or 0-length string. Returns -1 when the source
- * is an invalid string.
- *
- * This function should be used to determine whether "src" is valid UTF-8
- * characters with valid unicode codepoints. "src" must be null-terminated.
- *
- * If you are going to use other utf8_to_... functions defined in this header
- * with string which may not be valid UTF-8 with valid codepoint (form 0 to
- * 0x10FFFF), you should use this function before calling others, since the
- * other functions do not check whether the string is valid UTF-8 or not.
- *
- * If you do not care whether "src" is valid UTF-8 or not, you should use
- * strlen() as usual, which should be much faster.
- */
-ssize_t utf8_length(const char *src);
-
-/**
- * Measure the length of a UTF-32 string.
- */
-size_t utf8_to_utf32_length(const char *src, size_t src_len);
-
-/**
- * Stores a UTF-32 string converted from "src" in "dst". "dst" must be large
- * enough to store the entire converted string as measured by
- * utf8_to_utf32_length plus space for a NULL terminator.
- */
-void utf8_to_utf32(const char* src, size_t src_len, char32_t* dst);
-
-/**
- * Returns the UTF-16 length of UTF-8 string "src".
- */
-ssize_t utf8_to_utf16_length(const uint8_t* src, size_t srcLen);
-
-/**
- * Convert UTF-8 to UTF-16 including surrogate pairs.
- * Returns a pointer to the end of the string (where a null terminator might go
- * if you wanted to add one).
- */
-char16_t* utf8_to_utf16_no_null_terminator(const uint8_t* src, size_t srcLen, char16_t* dst);
-
-/**
- * Convert UTF-8 to UTF-16 including surrogate pairs. The destination buffer
- * must be large enough to hold the result as measured by utf8_to_utf16_length
- * plus an added NULL terminator.
- */
-void utf8_to_utf16(const uint8_t* src, size_t srcLen, char16_t* dst);
-
-}
-
-#endif
diff --git a/media/omx-plugin/include/ics/utils/Vector.h b/media/omx-plugin/include/ics/utils/Vector.h
deleted file mode 100644
index e30071d16..000000000
--- a/media/omx-plugin/include/ics/utils/Vector.h
+++ /dev/null
@@ -1,424 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_VECTOR_H
-#define ANDROID_VECTOR_H
-
-#include <new>
-#include <stdint.h>
-#include <sys/types.h>
-
-#include <cutils/log.h>
-
-#include <utils/VectorImpl.h>
-#include <utils/TypeHelpers.h>
-
-// ---------------------------------------------------------------------------
-
-namespace android {
-
-template <typename TYPE>
-class SortedVector;
-
-/*!
- * The main templated vector class ensuring type safety
- * while making use of VectorImpl.
- * This is the class users want to use.
- */
-
-template <class TYPE>
-class Vector : private VectorImpl
-{
-public:
-            typedef TYPE    value_type;
-
-    /*!
-     * Constructors and destructors
-     */
-
-                            Vector();
-                            Vector(const Vector<TYPE>& rhs);
-    explicit                Vector(const SortedVector<TYPE>& rhs);
-    virtual                 ~Vector();
-
-    /*! copy operator */
-            const Vector<TYPE>&     operator = (const Vector<TYPE>& rhs) const;
-            Vector<TYPE>&           operator = (const Vector<TYPE>& rhs);
-
-            const Vector<TYPE>&     operator = (const SortedVector<TYPE>& rhs) const;
-            Vector<TYPE>&           operator = (const SortedVector<TYPE>& rhs);
-
-            /*
-     * empty the vector
-     */
-
-    inline  void            clear()             { VectorImpl::clear(); }
-
-    /*!
-     * vector stats
-     */
-
-    //! returns number of items in the vector
-    inline  size_t          size() const                { return VectorImpl::size(); }
-    //! returns whether or not the vector is empty
-    inline  bool            isEmpty() const             { return VectorImpl::isEmpty(); }
-    //! returns how many items can be stored without reallocating the backing store
-    inline  size_t          capacity() const            { return VectorImpl::capacity(); }
-    //! sets the capacity. capacity can never be reduced less than size()
-    inline  ssize_t         setCapacity(size_t size)    { return VectorImpl::setCapacity(size); }
-
-    /*!
-     * set the size of the vector. items are appended with the default
-     * constructor, or removed from the end as needed.
-     */
-    inline  ssize_t         resize(size_t size)         { return VectorImpl::resize(size); }
-
-    /*!
-     * C-style array access
-     */
-
-    //! read-only C-style access
-    inline  const TYPE*     array() const;
-    //! read-write C-style access
-            TYPE*           editArray();
-
-    /*!
-     * accessors
-     */
-
-    //! read-only access to an item at a given index
-    inline  const TYPE&     operator [] (size_t index) const;
-    //! alternate name for operator []
-    inline  const TYPE&     itemAt(size_t index) const;
-    //! stack-usage of the vector. returns the top of the stack (last element)
-            const TYPE&     top() const;
-
-    /*!
-     * modifying the array
-     */
-
-    //! copy-on write support, grants write access to an item
-            TYPE&           editItemAt(size_t index);
-    //! grants right access to the top of the stack (last element)
-            TYPE&           editTop();
-
-            /*!
-             * append/insert another vector
-             */
-
-    //! insert another vector at a given index
-            ssize_t         insertVectorAt(const Vector<TYPE>& vector, size_t index);
-
-    //! append another vector at the end of this one
-            ssize_t         appendVector(const Vector<TYPE>& vector);
-
-
-    //! insert an array at a given index
-            ssize_t         insertArrayAt(const TYPE* array, size_t index, size_t length);
-
-    //! append an array at the end of this vector
-            ssize_t         appendArray(const TYPE* array, size_t length);
-
-            /*!
-             * add/insert/replace items
-             */
-
-    //! insert one or several items initialized with their default constructor
-    inline  ssize_t         insertAt(size_t index, size_t numItems = 1);
-    //! insert one or several items initialized from a prototype item
-            ssize_t         insertAt(const TYPE& prototype_item, size_t index, size_t numItems = 1);
-    //! pop the top of the stack (removes the last element). No-op if the stack's empty
-    inline  void            pop();
-    //! pushes an item initialized with its default constructor
-    inline  void            push();
-    //! pushes an item on the top of the stack
-            void            push(const TYPE& item);
-    //! same as push() but returns the index the item was added at (or an error)
-    inline  ssize_t         add();
-    //! same as push() but returns the index the item was added at (or an error)
-            ssize_t         add(const TYPE& item);
-    //! replace an item with a new one initialized with its default constructor
-    inline  ssize_t         replaceAt(size_t index);
-    //! replace an item with a new one
-            ssize_t         replaceAt(const TYPE& item, size_t index);
-
-    /*!
-     * remove items
-     */
-
-    //! remove several items
-    inline  ssize_t         removeItemsAt(size_t index, size_t count = 1);
-    //! remove one item
-    inline  ssize_t         removeAt(size_t index)  { return removeItemsAt(index); }
-
-    /*!
-     * sort (stable) the array
-     */
-
-     typedef int (*compar_t)(const TYPE* lhs, const TYPE* rhs);
-     typedef int (*compar_r_t)(const TYPE* lhs, const TYPE* rhs, void* state);
-
-     inline status_t        sort(compar_t cmp);
-     inline status_t        sort(compar_r_t cmp, void* state);
-
-     // for debugging only
-     inline size_t getItemSize() const { return itemSize(); }
-
-
-     /*
-      * these inlines add some level of compatibility with STL. eventually
-      * we should probably turn things around.
-      */
-     typedef TYPE* iterator;
-     typedef TYPE const* const_iterator;
-
-     inline iterator begin() { return editArray(); }
-     inline iterator end()   { return editArray() + size(); }
-     inline const_iterator begin() const { return array(); }
-     inline const_iterator end() const   { return array() + size(); }
-     inline void reserve(size_t n) { setCapacity(n); }
-     inline bool empty() const{ return isEmpty(); }
-     inline void push_back(const TYPE& item)  { insertAt(item, size(), 1); }
-     inline void push_front(const TYPE& item) { insertAt(item, 0, 1); }
-     inline iterator erase(iterator pos) {
-         ssize_t index = removeItemsAt(pos-array());
-         return begin() + index;
-     }
-
-protected:
-    virtual void    do_construct(void* storage, size_t num) const;
-    virtual void    do_destroy(void* storage, size_t num) const;
-    virtual void    do_copy(void* dest, const void* from, size_t num) const;
-    virtual void    do_splat(void* dest, const void* item, size_t num) const;
-    virtual void    do_move_forward(void* dest, const void* from, size_t num) const;
-    virtual void    do_move_backward(void* dest, const void* from, size_t num) const;
-};
-
-// Vector<T> can be trivially moved using memcpy() because moving does not
-// require any change to the underlying SharedBuffer contents or reference count.
-template<typename T> struct trait_trivial_move<Vector<T> > { enum { value = true }; };
-
-// ---------------------------------------------------------------------------
-// No user serviceable parts from here...
-// ---------------------------------------------------------------------------
-
-template<class TYPE> inline
-Vector<TYPE>::Vector()
-    : VectorImpl(sizeof(TYPE),
-                ((traits<TYPE>::has_trivial_ctor   ? HAS_TRIVIAL_CTOR   : 0)
-                |(traits<TYPE>::has_trivial_dtor   ? HAS_TRIVIAL_DTOR   : 0)
-                |(traits<TYPE>::has_trivial_copy   ? HAS_TRIVIAL_COPY   : 0))
-                )
-{
-}
-
-template<class TYPE> inline
-Vector<TYPE>::Vector(const Vector<TYPE>& rhs)
-    : VectorImpl(rhs) {
-}
-
-template<class TYPE> inline
-Vector<TYPE>::Vector(const SortedVector<TYPE>& rhs)
-    : VectorImpl(static_cast<const VectorImpl&>(rhs)) {
-}
-
-template<class TYPE> inline
-Vector<TYPE>::~Vector() {
-    finish_vector();
-}
-
-template<class TYPE> inline
-Vector<TYPE>& Vector<TYPE>::operator = (const Vector<TYPE>& rhs) {
-    VectorImpl::operator = (rhs);
-    return *this;
-}
-
-template<class TYPE> inline
-const Vector<TYPE>& Vector<TYPE>::operator = (const Vector<TYPE>& rhs) const {
-    VectorImpl::operator = (static_cast<const VectorImpl&>(rhs));
-    return *this;
-}
-
-template<class TYPE> inline
-Vector<TYPE>& Vector<TYPE>::operator = (const SortedVector<TYPE>& rhs) {
-    VectorImpl::operator = (static_cast<const VectorImpl&>(rhs));
-    return *this;
-}
-
-template<class TYPE> inline
-const Vector<TYPE>& Vector<TYPE>::operator = (const SortedVector<TYPE>& rhs) const {
-    VectorImpl::operator = (rhs);
-    return *this;
-}
-
-template<class TYPE> inline
-const TYPE* Vector<TYPE>::array() const {
-    return static_cast<const TYPE *>(arrayImpl());
-}
-
-template<class TYPE> inline
-TYPE* Vector<TYPE>::editArray() {
-    return static_cast<TYPE *>(editArrayImpl());
-}
-
-
-template<class TYPE> inline
-const TYPE& Vector<TYPE>::operator[](size_t index) const {
-    LOG_FATAL_IF(index>=size(),
-            "%s: index=%u out of range (%u)", __PRETTY_FUNCTION__,
-            int(index), int(size()));
-    return *(array() + index);
-}
-
-template<class TYPE> inline
-const TYPE& Vector<TYPE>::itemAt(size_t index) const {
-    return operator[](index);
-}
-
-template<class TYPE> inline
-const TYPE& Vector<TYPE>::top() const {
-    return *(array() + size() - 1);
-}
-
-template<class TYPE> inline
-TYPE& Vector<TYPE>::editItemAt(size_t index) {
-    return *( static_cast<TYPE *>(editItemLocation(index)) );
-}
-
-template<class TYPE> inline
-TYPE& Vector<TYPE>::editTop() {
-    return *( static_cast<TYPE *>(editItemLocation(size()-1)) );
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::insertVectorAt(const Vector<TYPE>& vector, size_t index) {
-    return VectorImpl::insertVectorAt(reinterpret_cast<const VectorImpl&>(vector), index);
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::appendVector(const Vector<TYPE>& vector) {
-    return VectorImpl::appendVector(reinterpret_cast<const VectorImpl&>(vector));
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::insertArrayAt(const TYPE* array, size_t index, size_t length) {
-    return VectorImpl::insertArrayAt(array, index, length);
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::appendArray(const TYPE* array, size_t length) {
-    return VectorImpl::appendArray(array, length);
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::insertAt(const TYPE& item, size_t index, size_t numItems) {
-    return VectorImpl::insertAt(&item, index, numItems);
-}
-
-template<class TYPE> inline
-void Vector<TYPE>::push(const TYPE& item) {
-    return VectorImpl::push(&item);
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::add(const TYPE& item) {
-    return VectorImpl::add(&item);
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::replaceAt(const TYPE& item, size_t index) {
-    return VectorImpl::replaceAt(&item, index);
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::insertAt(size_t index, size_t numItems) {
-    return VectorImpl::insertAt(index, numItems);
-}
-
-template<class TYPE> inline
-void Vector<TYPE>::pop() {
-    VectorImpl::pop();
-}
-
-template<class TYPE> inline
-void Vector<TYPE>::push() {
-    VectorImpl::push();
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::add() {
-    return VectorImpl::add();
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::replaceAt(size_t index) {
-    return VectorImpl::replaceAt(index);
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::removeItemsAt(size_t index, size_t count) {
-    return VectorImpl::removeItemsAt(index, count);
-}
-
-template<class TYPE> inline
-status_t Vector<TYPE>::sort(Vector<TYPE>::compar_t cmp) {
-    return VectorImpl::sort((VectorImpl::compar_t)cmp);
-}
-
-template<class TYPE> inline
-status_t Vector<TYPE>::sort(Vector<TYPE>::compar_r_t cmp, void* state) {
-    return VectorImpl::sort((VectorImpl::compar_r_t)cmp, state);
-}
-
-// ---------------------------------------------------------------------------
-
-template<class TYPE>
-void Vector<TYPE>::do_construct(void* storage, size_t num) const {
-    construct_type( reinterpret_cast<TYPE*>(storage), num );
-}
-
-template<class TYPE>
-void Vector<TYPE>::do_destroy(void* storage, size_t num) const {
-    destroy_type( reinterpret_cast<TYPE*>(storage), num );
-}
-
-template<class TYPE>
-void Vector<TYPE>::do_copy(void* dest, const void* from, size_t num) const {
-    copy_type( reinterpret_cast<TYPE*>(dest), reinterpret_cast<const TYPE*>(from), num );
-}
-
-template<class TYPE>
-void Vector<TYPE>::do_splat(void* dest, const void* item, size_t num) const {
-    splat_type( reinterpret_cast<TYPE*>(dest), reinterpret_cast<const TYPE*>(item), num );
-}
-
-template<class TYPE>
-void Vector<TYPE>::do_move_forward(void* dest, const void* from, size_t num) const {
-    move_forward_type( reinterpret_cast<TYPE*>(dest), reinterpret_cast<const TYPE*>(from), num );
-}
-
-template<class TYPE>
-void Vector<TYPE>::do_move_backward(void* dest, const void* from, size_t num) const {
-    move_backward_type( reinterpret_cast<TYPE*>(dest), reinterpret_cast<const TYPE*>(from), num );
-}
-
-}; // namespace android
-
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_VECTOR_H
-
diff --git a/media/omx-plugin/include/ics/utils/VectorImpl.h b/media/omx-plugin/include/ics/utils/VectorImpl.h
deleted file mode 100644
index 720b2546c..000000000
--- a/media/omx-plugin/include/ics/utils/VectorImpl.h
+++ /dev/null
@@ -1,184 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_VECTOR_IMPL_H
-#define ANDROID_VECTOR_IMPL_H
-
-#include <assert.h>
-#include <stdint.h>
-#include <sys/types.h>
-#include <utils/Errors.h>
-
-// ---------------------------------------------------------------------------
-// No user serviceable parts in here...
-// ---------------------------------------------------------------------------
-
-namespace android {
-
-/*!
- * Implementation of the guts of the vector<> class
- * this ensures backward binary compatibility and
- * reduces code size.
- * For performance reasons, we expose mStorage and mCount
- * so these fields are set in stone.
- *
- */
-
-class VectorImpl
-{
-public:
-    enum { // flags passed to the ctor
-        HAS_TRIVIAL_CTOR    = 0x00000001,
-        HAS_TRIVIAL_DTOR    = 0x00000002,
-        HAS_TRIVIAL_COPY    = 0x00000004,
-    };
-
-                            VectorImpl(size_t itemSize, uint32_t flags);
-                            VectorImpl(const VectorImpl& rhs);
-    virtual                 ~VectorImpl();
-
-    /*! must be called from subclasses destructor */
-            void            finish_vector();
-
-            VectorImpl&     operator = (const VectorImpl& rhs);
-
-    /*! C-style array access */
-    inline  const void*     arrayImpl() const       { return mStorage; }
-            void*           editArrayImpl();
-
-    /*! vector stats */
-    inline  size_t          size() const        { return mCount; }
-    inline  bool            isEmpty() const     { return mCount == 0; }
-            size_t          capacity() const;
-            ssize_t         setCapacity(size_t size);
-            ssize_t         resize(size_t size);
-
-            /*! append/insert another vector or array */
-            ssize_t         insertVectorAt(const VectorImpl& vector, size_t index);
-            ssize_t         appendVector(const VectorImpl& vector);
-            ssize_t         insertArrayAt(const void* array, size_t index, size_t length);
-            ssize_t         appendArray(const void* array, size_t length);
-
-            /*! add/insert/replace items */
-            ssize_t         insertAt(size_t where, size_t numItems = 1);
-            ssize_t         insertAt(const void* item, size_t where, size_t numItems = 1);
-            void            pop();
-            void            push();
-            void            push(const void* item);
-            ssize_t         add();
-            ssize_t         add(const void* item);
-            ssize_t         replaceAt(size_t index);
-            ssize_t         replaceAt(const void* item, size_t index);
-
-            /*! remove items */
-            ssize_t         removeItemsAt(size_t index, size_t count = 1);
-            void            clear();
-
-            const void*     itemLocation(size_t index) const;
-            void*           editItemLocation(size_t index);
-
-            typedef int (*compar_t)(const void* lhs, const void* rhs);
-            typedef int (*compar_r_t)(const void* lhs, const void* rhs, void* state);
-            status_t        sort(compar_t cmp);
-            status_t        sort(compar_r_t cmp, void* state);
-
-protected:
-            size_t          itemSize() const;
-            void            release_storage();
-
-    virtual void            do_construct(void* storage, size_t num) const = 0;
-    virtual void            do_destroy(void* storage, size_t num) const = 0;
-    virtual void            do_copy(void* dest, const void* from, size_t num) const = 0;
-    virtual void            do_splat(void* dest, const void* item, size_t num) const = 0;
-    virtual void            do_move_forward(void* dest, const void* from, size_t num) const = 0;
-    virtual void            do_move_backward(void* dest, const void* from, size_t num) const = 0;
-
-private:
-        void* _grow(size_t where, size_t amount);
-        void  _shrink(size_t where, size_t amount);
-
-        inline void _do_construct(void* storage, size_t num) const;
-        inline void _do_destroy(void* storage, size_t num) const;
-        inline void _do_copy(void* dest, const void* from, size_t num) const;
-        inline void _do_splat(void* dest, const void* item, size_t num) const;
-        inline void _do_move_forward(void* dest, const void* from, size_t num) const;
-        inline void _do_move_backward(void* dest, const void* from, size_t num) const;
-
-            // These 2 fields are exposed in the inlines below,
-            // so they're set in stone.
-            void *      mStorage;   // base address of the vector
-            size_t      mCount;     // number of items
-
-    const   uint32_t    mFlags;
-    const   size_t      mItemSize;
-};
-
-
-
-class SortedVectorImpl : public VectorImpl
-{
-public:
-                            SortedVectorImpl(size_t itemSize, uint32_t flags);
-                            SortedVectorImpl(const VectorImpl& rhs);
-    virtual                 ~SortedVectorImpl();
-
-    SortedVectorImpl&     operator = (const SortedVectorImpl& rhs);
-
-    //! finds the index of an item
-            ssize_t         indexOf(const void* item) const;
-
-    //! finds where this item should be inserted
-            size_t          orderOf(const void* item) const;
-
-    //! add an item in the right place (or replaces it if there is one)
-            ssize_t         add(const void* item);
-
-    //! merges a vector into this one
-            ssize_t         merge(const VectorImpl& vector);
-            ssize_t         merge(const SortedVectorImpl& vector);
-
-    //! removes an item
-            ssize_t         remove(const void* item);
-
-protected:
-    virtual int             do_compare(const void* lhs, const void* rhs) const = 0;
-
-private:
-            ssize_t         _indexOrderOf(const void* item, size_t* order = 0) const;
-
-            // these are made private, because they can't be used on a SortedVector
-            // (they don't have an implementation either)
-            ssize_t         add();
-            void            pop();
-            void            push();
-            void            push(const void* item);
-            ssize_t         insertVectorAt(const VectorImpl& vector, size_t index);
-            ssize_t         appendVector(const VectorImpl& vector);
-            ssize_t         insertArrayAt(const void* array, size_t index, size_t length);
-            ssize_t         appendArray(const void* array, size_t length);
-            ssize_t         insertAt(size_t where, size_t numItems = 1);
-            ssize_t         insertAt(const void* item, size_t where, size_t numItems = 1);
-            ssize_t         replaceAt(size_t index);
-            ssize_t         replaceAt(const void* item, size_t index);
-};
-
-}; // namespace android
-
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_VECTOR_IMPL_H
-
diff --git a/media/omx-plugin/include/ics/utils/threads.h b/media/omx-plugin/include/ics/utils/threads.h
deleted file mode 100644
index ab3e8cdb6..000000000
--- a/media/omx-plugin/include/ics/utils/threads.h
+++ /dev/null
@@ -1,564 +0,0 @@
-/*
- * Copyright (C) 2007 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef _LIBS_UTILS_THREADS_H
-#define _LIBS_UTILS_THREADS_H
-
-#include <stdint.h>
-#include <sys/types.h>
-#include <time.h>
-#include <system/graphics.h>
-
-#if defined(HAVE_PTHREADS)
-# include <pthread.h>
-#endif
-
-// ------------------------------------------------------------------
-// C API
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef void* android_thread_id_t;
-
-typedef int (*android_thread_func_t)(void*);
-
-enum {
-    /*
-     * ***********************************************
-     * ** Keep in sync with android.os.Process.java **
-     * ***********************************************
-     * 
-     * This maps directly to the "nice" priorities we use in Android.
-     * A thread priority should be chosen inverse-proportionally to
-     * the amount of work the thread is expected to do. The more work
-     * a thread will do, the less favorable priority it should get so that 
-     * it doesn't starve the system. Threads not behaving properly might
-     * be "punished" by the kernel.
-     * Use the levels below when appropriate. Intermediate values are
-     * acceptable, preferably use the {MORE|LESS}_FAVORABLE constants below.
-     */
-    ANDROID_PRIORITY_LOWEST         =  19,
-
-    /* use for background tasks */
-    ANDROID_PRIORITY_BACKGROUND     =  10,
-    
-    /* most threads run at normal priority */
-    ANDROID_PRIORITY_NORMAL         =   0,
-    
-    /* threads currently running a UI that the user is interacting with */
-    ANDROID_PRIORITY_FOREGROUND     =  -2,
-
-    /* the main UI thread has a slightly more favorable priority */
-    ANDROID_PRIORITY_DISPLAY        =  -4,
-    
-    /* ui service treads might want to run at a urgent display (uncommon) */
-    ANDROID_PRIORITY_URGENT_DISPLAY =  HAL_PRIORITY_URGENT_DISPLAY,
-    
-    /* all normal audio threads */
-    ANDROID_PRIORITY_AUDIO          = -16,
-    
-    /* service audio threads (uncommon) */
-    ANDROID_PRIORITY_URGENT_AUDIO   = -19,
-
-    /* should never be used in practice. regular process might not 
-     * be allowed to use this level */
-    ANDROID_PRIORITY_HIGHEST        = -20,
-
-    ANDROID_PRIORITY_DEFAULT        = ANDROID_PRIORITY_NORMAL,
-    ANDROID_PRIORITY_MORE_FAVORABLE = -1,
-    ANDROID_PRIORITY_LESS_FAVORABLE = +1,
-};
-
-enum {
-    ANDROID_TGROUP_DEFAULT          = 0,
-    ANDROID_TGROUP_BG_NONINTERACT   = 1,
-    ANDROID_TGROUP_FG_BOOST         = 2,
-    ANDROID_TGROUP_MAX              = ANDROID_TGROUP_FG_BOOST,
-};
-
-// Create and run a new thread.
-extern int androidCreateThread(android_thread_func_t, void *);
-
-// Create thread with lots of parameters
-extern int androidCreateThreadEtc(android_thread_func_t entryFunction,
-                                  void *userData,
-                                  const char* threadName,
-                                  int32_t threadPriority,
-                                  size_t threadStackSize,
-                                  android_thread_id_t *threadId);
-
-// Get some sort of unique identifier for the current thread.
-extern android_thread_id_t androidGetThreadId();
-
-// Low-level thread creation -- never creates threads that can
-// interact with the Java VM.
-extern int androidCreateRawThreadEtc(android_thread_func_t entryFunction,
-                                     void *userData,
-                                     const char* threadName,
-                                     int32_t threadPriority,
-                                     size_t threadStackSize,
-                                     android_thread_id_t *threadId);
-
-// Used by the Java Runtime to control how threads are created, so that
-// they can be proper and lovely Java threads.
-typedef int (*android_create_thread_fn)(android_thread_func_t entryFunction,
-                                        void *userData,
-                                        const char* threadName,
-                                        int32_t threadPriority,
-                                        size_t threadStackSize,
-                                        android_thread_id_t *threadId);
-
-extern void androidSetCreateThreadFunc(android_create_thread_fn func);
-
-// ------------------------------------------------------------------
-// Extra functions working with raw pids.
-
-// Get pid for the current thread.
-extern pid_t androidGetTid();
-
-// Change the scheduling group of a particular thread.  The group
-// should be one of the ANDROID_TGROUP constants.  Returns BAD_VALUE if
-// grp is out of range, else another non-zero value with errno set if
-// the operation failed.  Thread ID zero means current thread.
-extern int androidSetThreadSchedulingGroup(pid_t tid, int grp);
-
-// Change the priority AND scheduling group of a particular thread.  The priority
-// should be one of the ANDROID_PRIORITY constants.  Returns INVALID_OPERATION
-// if the priority set failed, else another value if just the group set failed;
-// in either case errno is set.  Thread ID zero means current thread.
-extern int androidSetThreadPriority(pid_t tid, int prio);
-
-// Get the current priority of a particular thread. Returns one of the
-// ANDROID_PRIORITY constants or a negative result in case of error.
-extern int androidGetThreadPriority(pid_t tid);
-
-// Get the current scheduling group of a particular thread. Normally returns
-// one of the ANDROID_TGROUP constants other than ANDROID_TGROUP_DEFAULT.
-// Returns ANDROID_TGROUP_DEFAULT if no pthread support (e.g. on host) or if
-// scheduling groups are disabled.  Returns INVALID_OPERATION if unexpected error.
-// Thread ID zero means current thread.
-extern int androidGetThreadSchedulingGroup(pid_t tid);
-
-#ifdef __cplusplus
-}
-#endif
-
-// ------------------------------------------------------------------
-// C++ API
-
-#ifdef __cplusplus
-
-#include <utils/Errors.h>
-#include <utils/RefBase.h>
-#include <utils/Timers.h>
-
-namespace android {
-
-typedef android_thread_id_t thread_id_t;
-
-typedef android_thread_func_t thread_func_t;
-
-enum {
-    PRIORITY_LOWEST         = ANDROID_PRIORITY_LOWEST,
-    PRIORITY_BACKGROUND     = ANDROID_PRIORITY_BACKGROUND,
-    PRIORITY_NORMAL         = ANDROID_PRIORITY_NORMAL,
-    PRIORITY_FOREGROUND     = ANDROID_PRIORITY_FOREGROUND,
-    PRIORITY_DISPLAY        = ANDROID_PRIORITY_DISPLAY,
-    PRIORITY_URGENT_DISPLAY = ANDROID_PRIORITY_URGENT_DISPLAY,
-    PRIORITY_AUDIO          = ANDROID_PRIORITY_AUDIO,
-    PRIORITY_URGENT_AUDIO   = ANDROID_PRIORITY_URGENT_AUDIO,
-    PRIORITY_HIGHEST        = ANDROID_PRIORITY_HIGHEST,
-    PRIORITY_DEFAULT        = ANDROID_PRIORITY_DEFAULT,
-    PRIORITY_MORE_FAVORABLE = ANDROID_PRIORITY_MORE_FAVORABLE,
-    PRIORITY_LESS_FAVORABLE = ANDROID_PRIORITY_LESS_FAVORABLE,
-};
-
-// Create and run a new thread.
-inline bool createThread(thread_func_t f, void *a) {
-    return androidCreateThread(f, a) ? true : false;
-}
-
-// Create thread with lots of parameters
-inline bool createThreadEtc(thread_func_t entryFunction,
-                            void *userData,
-                            const char* threadName = "android:unnamed_thread",
-                            int32_t threadPriority = PRIORITY_DEFAULT,
-                            size_t threadStackSize = 0,
-                            thread_id_t *threadId = 0)
-{
-    return androidCreateThreadEtc(entryFunction, userData, threadName,
-        threadPriority, threadStackSize, threadId) ? true : false;
-}
-
-// Get some sort of unique identifier for the current thread.
-inline thread_id_t getThreadId() {
-    return androidGetThreadId();
-}
-
-/*****************************************************************************/
-
-/*
- * Simple mutex class.  The implementation is system-dependent.
- *
- * The mutex must be unlocked by the thread that locked it.  They are not
- * recursive, i.e. the same thread can't lock it multiple times.
- */
-class Mutex {
-public:
-    enum {
-        PRIVATE = 0,
-        SHARED = 1
-    };
-    
-                Mutex();
-                Mutex(const char* name);
-                Mutex(int type, const char* name = NULL);
-                ~Mutex();
-
-    // lock or unlock the mutex
-    status_t    lock();
-    void        unlock();
-
-    // lock if possible; returns 0 on success, error otherwise
-    status_t    tryLock();
-
-    // Manages the mutex automatically. It'll be locked when Autolock is
-    // constructed and released when Autolock goes out of scope.
-    class Autolock {
-    public:
-        inline Autolock(Mutex& mutex) : mLock(mutex)  { mLock.lock(); }
-        inline Autolock(Mutex* mutex) : mLock(*mutex) { mLock.lock(); }
-        inline ~Autolock() { mLock.unlock(); }
-    private:
-        Mutex& mLock;
-    };
-
-private:
-    friend class Condition;
-    
-    // A mutex cannot be copied
-                Mutex(const Mutex&);
-    Mutex&      operator = (const Mutex&);
-    
-#if defined(HAVE_PTHREADS)
-    pthread_mutex_t mMutex;
-#else
-    void    _init();
-    void*   mState;
-#endif
-};
-
-#if defined(HAVE_PTHREADS)
-
-inline Mutex::Mutex() {
-    pthread_mutex_init(&mMutex, NULL);
-}
-inline Mutex::Mutex(const char* name) {
-    pthread_mutex_init(&mMutex, NULL);
-}
-inline Mutex::Mutex(int type, const char* name) {
-    if (type == SHARED) {
-        pthread_mutexattr_t attr;
-        pthread_mutexattr_init(&attr);
-        pthread_mutexattr_setpshared(&attr, PTHREAD_PROCESS_SHARED);
-        pthread_mutex_init(&mMutex, &attr);
-        pthread_mutexattr_destroy(&attr);
-    } else {
-        pthread_mutex_init(&mMutex, NULL);
-    }
-}
-inline Mutex::~Mutex() {
-    pthread_mutex_destroy(&mMutex);
-}
-inline status_t Mutex::lock() {
-    return -pthread_mutex_lock(&mMutex);
-}
-inline void Mutex::unlock() {
-    pthread_mutex_unlock(&mMutex);
-}
-inline status_t Mutex::tryLock() {
-    return -pthread_mutex_trylock(&mMutex);
-}
-
-#endif // HAVE_PTHREADS
-
-/*
- * Automatic mutex.  Declare one of these at the top of a function.
- * When the function returns, it will go out of scope, and release the
- * mutex.
- */
- 
-typedef Mutex::Autolock AutoMutex;
-
-/*****************************************************************************/
-
-#if defined(HAVE_PTHREADS)
-
-/*
- * Simple mutex class.  The implementation is system-dependent.
- *
- * The mutex must be unlocked by the thread that locked it.  They are not
- * recursive, i.e. the same thread can't lock it multiple times.
- */
-class RWLock {
-public:
-    enum {
-        PRIVATE = 0,
-        SHARED = 1
-    };
-
-                RWLock();
-                RWLock(const char* name);
-                RWLock(int type, const char* name = NULL);
-                ~RWLock();
-
-    status_t    readLock();
-    status_t    tryReadLock();
-    status_t    writeLock();
-    status_t    tryWriteLock();
-    void        unlock();
-
-    class AutoRLock {
-    public:
-        inline AutoRLock(RWLock& rwlock) : mLock(rwlock)  { mLock.readLock(); }
-        inline ~AutoRLock() { mLock.unlock(); }
-    private:
-        RWLock& mLock;
-    };
-
-    class AutoWLock {
-    public:
-        inline AutoWLock(RWLock& rwlock) : mLock(rwlock)  { mLock.writeLock(); }
-        inline ~AutoWLock() { mLock.unlock(); }
-    private:
-        RWLock& mLock;
-    };
-
-private:
-    // A RWLock cannot be copied
-                RWLock(const RWLock&);
-   RWLock&      operator = (const RWLock&);
-
-   pthread_rwlock_t mRWLock;
-};
-
-inline RWLock::RWLock() {
-    pthread_rwlock_init(&mRWLock, NULL);
-}
-inline RWLock::RWLock(const char* name) {
-    pthread_rwlock_init(&mRWLock, NULL);
-}
-inline RWLock::RWLock(int type, const char* name) {
-    if (type == SHARED) {
-        pthread_rwlockattr_t attr;
-        pthread_rwlockattr_init(&attr);
-        pthread_rwlockattr_setpshared(&attr, PTHREAD_PROCESS_SHARED);
-        pthread_rwlock_init(&mRWLock, &attr);
-        pthread_rwlockattr_destroy(&attr);
-    } else {
-        pthread_rwlock_init(&mRWLock, NULL);
-    }
-}
-inline RWLock::~RWLock() {
-    pthread_rwlock_destroy(&mRWLock);
-}
-inline status_t RWLock::readLock() {
-    return -pthread_rwlock_rdlock(&mRWLock);
-}
-inline status_t RWLock::tryReadLock() {
-    return -pthread_rwlock_tryrdlock(&mRWLock);
-}
-inline status_t RWLock::writeLock() {
-    return -pthread_rwlock_wrlock(&mRWLock);
-}
-inline status_t RWLock::tryWriteLock() {
-    return -pthread_rwlock_trywrlock(&mRWLock);
-}
-inline void RWLock::unlock() {
-    pthread_rwlock_unlock(&mRWLock);
-}
-
-#endif // HAVE_PTHREADS
-
-/*****************************************************************************/
-
-/*
- * Condition variable class.  The implementation is system-dependent.
- *
- * Condition variables are paired up with mutexes.  Lock the mutex,
- * call wait(), then either re-wait() if things aren't quite what you want,
- * or unlock the mutex and continue.  All threads calling wait() must
- * use the same mutex for a given Condition.
- */
-class Condition {
-public:
-    enum {
-        PRIVATE = 0,
-        SHARED = 1
-    };
-
-    Condition();
-    Condition(int type);
-    ~Condition();
-    // Wait on the condition variable.  Lock the mutex before calling.
-    status_t wait(Mutex& mutex);
-    // same with relative timeout
-    status_t waitRelative(Mutex& mutex, nsecs_t reltime);
-    // Signal the condition variable, allowing one thread to continue.
-    void signal();
-    // Signal the condition variable, allowing all threads to continue.
-    void broadcast();
-
-private:
-#if defined(HAVE_PTHREADS)
-    pthread_cond_t mCond;
-#else
-    void*   mState;
-#endif
-};
-
-#if defined(HAVE_PTHREADS)
-
-inline Condition::Condition() {
-    pthread_cond_init(&mCond, NULL);
-}
-inline Condition::Condition(int type) {
-    if (type == SHARED) {
-        pthread_condattr_t attr;
-        pthread_condattr_init(&attr);
-        pthread_condattr_setpshared(&attr, PTHREAD_PROCESS_SHARED);
-        pthread_cond_init(&mCond, &attr);
-        pthread_condattr_destroy(&attr);
-    } else {
-        pthread_cond_init(&mCond, NULL);
-    }
-}
-inline Condition::~Condition() {
-    pthread_cond_destroy(&mCond);
-}
-inline status_t Condition::wait(Mutex& mutex) {
-    return -pthread_cond_wait(&mCond, &mutex.mMutex);
-}
-inline status_t Condition::waitRelative(Mutex& mutex, nsecs_t reltime) {
-#if defined(HAVE_PTHREAD_COND_TIMEDWAIT_RELATIVE)
-    struct timespec ts;
-    ts.tv_sec  = reltime/1000000000;
-    ts.tv_nsec = reltime%1000000000;
-    return -pthread_cond_timedwait_relative_np(&mCond, &mutex.mMutex, &ts);
-#else // HAVE_PTHREAD_COND_TIMEDWAIT_RELATIVE
-    struct timespec ts;
-#if defined(HAVE_POSIX_CLOCKS)
-    clock_gettime(CLOCK_REALTIME, &ts);
-#else // HAVE_POSIX_CLOCKS
-    // we don't support the clocks here.
-    struct timeval t;
-    gettimeofday(&t, NULL);
-    ts.tv_sec = t.tv_sec;
-    ts.tv_nsec= t.tv_usec*1000;
-#endif // HAVE_POSIX_CLOCKS
-    ts.tv_sec += reltime/1000000000;
-    ts.tv_nsec+= reltime%1000000000;
-    if (ts.tv_nsec >= 1000000000) {
-        ts.tv_nsec -= 1000000000;
-        ts.tv_sec  += 1;
-    }
-    return -pthread_cond_timedwait(&mCond, &mutex.mMutex, &ts);
-#endif // HAVE_PTHREAD_COND_TIMEDWAIT_RELATIVE
-}
-inline void Condition::signal() {
-    pthread_cond_signal(&mCond);
-}
-inline void Condition::broadcast() {
-    pthread_cond_broadcast(&mCond);
-}
-
-#endif // HAVE_PTHREADS
-
-/*****************************************************************************/
-
-/*
- * This is our spiffy thread object!
- */
-
-class Thread : virtual public RefBase
-{
-public:
-    // Create a Thread object, but doesn't create or start the associated
-    // thread. See the run() method.
-                        Thread(bool canCallJava = true);
-    virtual             ~Thread();
-
-    // Start the thread in threadLoop() which needs to be implemented.
-    virtual status_t    run(    const char* name = 0,
-                                int32_t priority = PRIORITY_DEFAULT,
-                                size_t stack = 0);
-    
-    // Ask this object's thread to exit. This function is asynchronous, when the
-    // function returns the thread might still be running. Of course, this
-    // function can be called from a different thread.
-    virtual void        requestExit();
-
-    // Good place to do one-time initializations
-    virtual status_t    readyToRun();
-    
-    // Call requestExit() and wait until this object's thread exits.
-    // BE VERY CAREFUL of deadlocks. In particular, it would be silly to call
-    // this function from this object's thread. Will return WOULD_BLOCK in
-    // that case.
-            status_t    requestExitAndWait();
-
-    // Wait until this object's thread exits. Returns immediately if not yet running.
-    // Do not call from this object's thread; will return WOULD_BLOCK in that case.
-            status_t    join();
-
-protected:
-    // exitPending() returns true if requestExit() has been called.
-            bool        exitPending() const;
-    
-private:
-    // Derived class must implement threadLoop(). The thread starts its life
-    // here. There are two ways of using the Thread object:
-    // 1) loop: if threadLoop() returns true, it will be called again if
-    //          requestExit() wasn't called.
-    // 2) once: if threadLoop() returns false, the thread will exit upon return.
-    virtual bool        threadLoop() = 0;
-
-private:
-    Thread& operator=(const Thread&);
-    static  int             _threadLoop(void* user);
-    const   bool            mCanCallJava;
-    // always hold mLock when reading or writing
-            thread_id_t     mThread;
-    mutable Mutex           mLock;
-            Condition       mThreadExitedCondition;
-            status_t        mStatus;
-    // note that all accesses of mExitPending and mRunning need to hold mLock
-    volatile bool           mExitPending;
-    volatile bool           mRunning;
-            sp<Thread>      mHoldSelf;
-#if HAVE_ANDROID_OS
-            int             mTid;
-#endif
-};
-
-
-}; // namespace android
-
-#endif  // __cplusplus
-
-#endif // _LIBS_UTILS_THREADS_H
diff --git a/media/omx-plugin/kk/OmxPluginKitKat.cpp b/media/omx-plugin/kk/OmxPluginKitKat.cpp
deleted file mode 100644
index d33552c15..000000000
--- a/media/omx-plugin/kk/OmxPluginKitKat.cpp
+++ /dev/null
@@ -1,8 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#define MOZ_STAGEFRIGHT_OFF_T off64_t
-#define MOZ_ANDROID_KK
-#include "../OmxPlugin.cpp"
diff --git a/media/omx-plugin/kk/moz.build b/media/omx-plugin/kk/moz.build
deleted file mode 100644
index b2d2d942d..000000000
--- a/media/omx-plugin/kk/moz.build
+++ /dev/null
@@ -1,32 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SOURCES += [
-    'OmxPluginKitKat.cpp',
-]
-
-SharedLibrary('omxpluginkk')
-
-LOCAL_INCLUDES += [
-    '../include/ics',
-    '../include/ics/media/stagefright/openmax',
-]
-
-USE_LIBS += [
-    '/media/omx-plugin/lib/ics/libstagefright/stagefright',
-    '/media/omx-plugin/lib/ics/libutils/utils',
-    'videoeditorplayer',
-]
-
-# Don't use STL wrappers; this isn't Gecko code
-DISABLE_STL_WRAPPING = True
-NO_VISIBILITY_FLAGS = True
-
-# Suppress warnings in third-party code.
-CXXFLAGS += [
-    '-Wno-multichar',
-    '-Wno-shadow',
-]
diff --git a/media/omx-plugin/lib/ics/libstagefright/libstagefright.cpp b/media/omx-plugin/lib/ics/libstagefright/libstagefright.cpp
deleted file mode 100644
index a998c4a56..000000000
--- a/media/omx-plugin/lib/ics/libstagefright/libstagefright.cpp
+++ /dev/null
@@ -1,193 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "mozilla/Types.h"
-#define STAGEFRIGHT_EXPORT __attribute__ ((visibility ("default")))
-#include "stagefright/ColorConverter.h"
-#include "stagefright/DataSource.h"
-#include "media/stagefright/MediaBuffer.h"
-#include "stagefright/MediaExtractor.h"
-#include "media/stagefright/MediaSource.h"
-#include "stagefright/MetaData.h"
-#include "media/stagefright/openmax/OMX_Types.h"
-#include "media/stagefright/openmax/OMX_Index.h"
-#include "media/stagefright/openmax/OMX_IVCommon.h"
-#include "media/stagefright/openmax/OMX_Video.h"
-#include "media/stagefright/openmax/OMX_Core.h"
-#include "stagefright/OMXCodec.h"
-#include "stagefright/OMXClient.h"
-
-namespace android {
-MOZ_EXPORT void
-MediaBuffer::release()
-{
-}
-
-MOZ_EXPORT size_t
-MediaBuffer::range_offset() const
-{
-  return 0;
-}
-
-MOZ_EXPORT size_t
-MediaBuffer::range_length() const
-{
-  return 0;
-}
-
-MOZ_EXPORT sp<MetaData>
-MediaBuffer::meta_data()
-{
-  return 0;
-}
-
-MOZ_EXPORT void*
-MediaBuffer::data() const
-{
-  return 0;
-}
-
-MOZ_EXPORT size_t
-MediaBuffer::size() const
-{
-  return 0;
-}
-
-MOZ_EXPORT bool
-MetaData::findInt32(uint32_t key, int32_t *value)
-{
-  return false;
-}
-
-MOZ_EXPORT bool
-MetaData::setInt32(uint32_t, int32_t)
-{
-  return false;
-}
-
-MOZ_EXPORT bool
-MetaData::findInt64(uint32_t key, int64_t *value)
-{
-  return false;
-}
-
-MOZ_EXPORT bool
-MetaData::findPointer(uint32_t key, void **value)
-{
-  return false;
-}
-
-MOZ_EXPORT bool
-MetaData::findCString(uint32_t key, const char **value)
-{
-  return false;
-}
-
-MOZ_EXPORT bool
-MetaData::findRect(unsigned int key, int *cropLeft, int *cropTop,
-                   int *cropRight, int *cropBottom)
-{
-  abort();
-}
-
-MOZ_EXPORT MediaSource::ReadOptions::ReadOptions()
-{
-}
-
-MOZ_EXPORT void
-MediaSource::ReadOptions::setSeekTo(int64_t time_us, SeekMode mode)
-{
-}
-
-MOZ_EXPORT sp<DataSource> DataSource::CreateFromURI(
-          const char *uri,
-          const KeyedVector<String8, String8> *headers) {
-  return 0;
-}
-
-MOZ_EXPORT bool
-DataSource::getUInt16(off64_t offset, uint16_t *x)
-{
-  return false;
-}
-
-MOZ_EXPORT status_t
-DataSource::getSize(off64_t *size)
-{
-  return 0;
-}
-
-MOZ_EXPORT String8
-DataSource::getMIMEType() const
-{
-  return String8();
-}
-
-MOZ_EXPORT void
-DataSource::RegisterDefaultSniffers()
-{
-}
-
-MOZ_EXPORT sp<MediaExtractor>
-MediaExtractor::Create(const sp<DataSource> &source, const char *mime)
-{
-  return 0;
-}
-
-MOZ_EXPORT sp<MediaSource>
-OMXCodec::Create(
-            const sp<IOMX> &omx,
-            const sp<MetaData> &meta, bool createEncoder,
-            const sp<MediaSource> &source,
-            const char *matchComponentName,
-            uint32_t flags,
-            const sp<ANativeWindow> &nativeWindow)
-{
-  return 0;
-}
-
-MOZ_EXPORT OMXClient::OMXClient()
-{
-}
-
-MOZ_EXPORT status_t OMXClient::connect()
-{
-  return OK;
-}
-
-MOZ_EXPORT void OMXClient::disconnect()
-{
-}
-
-MOZ_EXPORT
-ColorConverter::ColorConverter(OMX_COLOR_FORMATTYPE, OMX_COLOR_FORMATTYPE) { }
-
-MOZ_EXPORT
-ColorConverter::~ColorConverter() { }
-
-MOZ_EXPORT bool
-ColorConverter::isValid() const { return false; }
-
-MOZ_EXPORT status_t
-ColorConverter::convert(const void *srcBits,
-                        size_t srcWidth, size_t srcHeight,
-                        size_t srcCropLeft, size_t srcCropTop,
-                        size_t srcCropRight, size_t srcCropBottom,
-                        void *dstBits,
-                        size_t dstWidth, size_t dstHeight,
-                        size_t dstCropLeft, size_t dstCropTop,
-                        size_t dstCropRight, size_t dstCropBottom)
-{
-  return 0;
-}
-
-MOZ_EXPORT status_t QueryCodecs(const sp<IOMX> &omx,
-                                const char *mimeType, bool queryDecoders,
-                                Vector<CodecCapabilities> *results)
-{
-  return 0;
-}
-
-}
diff --git a/media/omx-plugin/lib/ics/libstagefright/moz.build b/media/omx-plugin/lib/ics/libstagefright/moz.build
deleted file mode 100644
index b156d151e..000000000
--- a/media/omx-plugin/lib/ics/libstagefright/moz.build
+++ /dev/null
@@ -1,32 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-DIST_INSTALL = False
-
-SOURCES += [
-    'libstagefright.cpp',
-]
-# Some codec-related code uses multi-character constants; allow this.
-# XXX: could instead use the FOURCC macro to define these constants.
-if CONFIG['GNU_CC'] or CONFIG['CLANG_CL']:
-    SOURCES['libstagefright.cpp'].flags += ['-Wno-error=multichar']
-
-SharedLibrary('stagefright')
-
-LOCAL_INCLUDES += [
-    '/media/omx-plugin/include/ics',
-    '/media/omx-plugin/include/ics/media/stagefright/openmax',
-]
-
-USE_LIBS += [
-    '/media/omx-plugin/lib/ics/libutils/utils',
-]
-
-# Don't use STL wrappers; this isn't Gecko code
-DISABLE_STL_WRAPPING = True
-NO_VISIBILITY_FLAGS = True
-
-if CONFIG['GNU_CXX']:
-    CXXFLAGS += ['-Wno-shadow']
diff --git a/media/omx-plugin/lib/ics/libutils/libutils.cpp b/media/omx-plugin/lib/ics/libutils/libutils.cpp
deleted file mode 100644
index 67f5a540a..000000000
--- a/media/omx-plugin/lib/ics/libutils/libutils.cpp
+++ /dev/null
@@ -1,84 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "mozilla/Types.h"
-#include "utils/RefBase.h"
-#include "utils/String16.h"
-#include "utils/String8.h"
-#include "utils/Vector.h"
-
-namespace android {
-MOZ_EXPORT RefBase::RefBase() : mRefs(0)
-{
-}
-
-MOZ_EXPORT RefBase::~RefBase()
-{
-}
-
-MOZ_EXPORT void RefBase::incStrong(const void *id) const
-{
-}
-
-MOZ_EXPORT void RefBase::decStrong(const void *id) const
-{
-}
-
-MOZ_EXPORT void RefBase::onFirstRef()
-{
-}
-
-MOZ_EXPORT void RefBase::onLastStrongRef(const void* id)
-{
-}
-
-MOZ_EXPORT bool RefBase::onIncStrongAttempted(uint32_t flags, const void* id)
-{
-  return false;
-}
-
-MOZ_EXPORT void RefBase::onLastWeakRef(void const* id)
-{
-}
-
-MOZ_EXPORT String16::String16(char const*)
-{
-}
-
-MOZ_EXPORT String16::~String16()
-{
-}
-
-MOZ_EXPORT String8::String8()
-{
-}
-
-MOZ_EXPORT String8::String8(const String8 &)
-{
-}
-
-MOZ_EXPORT String8::~String8()
-{
-}
-
-MOZ_EXPORT VectorImpl::VectorImpl(size_t, uint32_t)
-  : mFlags(0), mItemSize(0)
-{
-}
-
-MOZ_EXPORT VectorImpl::VectorImpl(const VectorImpl &)
-  : mFlags(0), mItemSize(0)
-{
-}
-
-MOZ_EXPORT VectorImpl::~VectorImpl()
-{
-}
-
-MOZ_EXPORT void VectorImpl::finish_vector()
-{
-}
-
-}
diff --git a/media/omx-plugin/lib/ics/libutils/moz.build b/media/omx-plugin/lib/ics/libutils/moz.build
deleted file mode 100644
index 7fa617fb3..000000000
--- a/media/omx-plugin/lib/ics/libutils/moz.build
+++ /dev/null
@@ -1,24 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-DIST_INSTALL = False
-
-SOURCES += [
-    'libutils.cpp',
-]
-
-SharedLibrary('utils')
-
-LOCAL_INCLUDES += [
-    '/media/omx-plugin/include/ics',
-    '/media/omx-plugin/include/ics/media/stagefright/openmax',
-]
-
-# Don't use STL wrappers; this isn't Gecko code
-DISABLE_STL_WRAPPING = True
-NO_VISIBILITY_FLAGS = True
-
-if CONFIG['GNU_CXX']:
-    CXXFLAGS += ['-Wno-shadow']
diff --git a/media/omx-plugin/lib/ics/libvideoeditorplayer/libvideoeditorplayer.cpp b/media/omx-plugin/lib/ics/libvideoeditorplayer/libvideoeditorplayer.cpp
deleted file mode 100644
index 2c491aeb9..000000000
--- a/media/omx-plugin/lib/ics/libvideoeditorplayer/libvideoeditorplayer.cpp
+++ /dev/null
@@ -1,23 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "mozilla/Types.h"
-#include "I420ColorConverter.h"
-
-MOZ_EXPORT
-I420ColorConverter::I420ColorConverter()
-{
-}
-
-MOZ_EXPORT
-I420ColorConverter::~I420ColorConverter()
-{
-}
-
-MOZ_EXPORT bool
-I420ColorConverter::isLoaded()
-{
-  return false;
-}
diff --git a/media/omx-plugin/lib/ics/libvideoeditorplayer/moz.build b/media/omx-plugin/lib/ics/libvideoeditorplayer/moz.build
deleted file mode 100644
index f05f0f3c9..000000000
--- a/media/omx-plugin/lib/ics/libvideoeditorplayer/moz.build
+++ /dev/null
@@ -1,20 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-DIST_INSTALL = False
-
-SOURCES += [
-    'libvideoeditorplayer.cpp',
-]
-
-SharedLibrary('videoeditorplayer')
-
-# Don't use STL wrappers; this isn't Gecko code
-DISABLE_STL_WRAPPING = True
-NO_VISIBILITY_FLAGS = True
-
-LOCAL_INCLUDES += [
-    '/media/omx-plugin/include/ics',
-]
diff --git a/media/omx-plugin/moz.build b/media/omx-plugin/moz.build
deleted file mode 100644
index 004a8bdba..000000000
--- a/media/omx-plugin/moz.build
+++ /dev/null
@@ -1,43 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# Copyright 2013 Mozilla Foundation and Mozilla contributors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-SOURCES += [
-    'OmxPlugin.cpp',
-]
-
-SharedLibrary('omxplugin')
-
-LOCAL_INCLUDES += [
-    'include/ics',
-    'include/ics/media/stagefright/openmax',
-]
-
-if CONFIG['GNU_CXX']:
-    # Stagefright header files define many multichar constants.
-    CXXFLAGS += [
-        '-Wno-multichar',
-        '-Wno-shadow',
-    ]
-
-USE_LIBS += [
-    '/media/omx-plugin/lib/ics/libstagefright/stagefright',
-    '/media/omx-plugin/lib/ics/libutils/utils',
-    'videoeditorplayer',
-]
-
-# Don't use STL wrappers; this isn't Gecko code
-DISABLE_STL_WRAPPING = True
-NO_VISIBILITY_FLAGS = True
diff --git a/modules/libmar/sign/mar_sign.c b/modules/libmar/sign/mar_sign.c
index 84319651d..182f387d9 100644
--- a/modules/libmar/sign/mar_sign.c
+++ b/modules/libmar/sign/mar_sign.c
@@ -534,6 +534,7 @@ extract_signature(const char *src, uint32_t sigIndex, const char * dest)
   for (i = 0; i <= sigIndex; i++) {
     /* Avoid leaking while skipping signatures */
     free(extractedSignature);
+    extractedSignature = NULL;
 
     /* skip past the signature algorithm ID */
     if (fseeko(fpSrc, sizeof(uint32_t), SEEK_CUR)) {
diff --git a/netwerk/base/LoadInfo.cpp b/netwerk/base/LoadInfo.cpp
index ebe9d4703..d57f644df 100644
--- a/netwerk/base/LoadInfo.cpp
+++ b/netwerk/base/LoadInfo.cpp
@@ -67,6 +67,7 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadingPrincipal,
   , mForcePreflight(false)
   , mIsPreflight(false)
   , mLoadTriggeredFromExternal(false)
+  , mIsFromProcessingFrameAttributes(false)
 {
   MOZ_ASSERT(mLoadingPrincipal);
   MOZ_ASSERT(mTriggeringPrincipal);
@@ -241,6 +242,7 @@ LoadInfo::LoadInfo(nsPIDOMWindowOuter* aOuterWindow,
   , mForcePreflight(false)
   , mIsPreflight(false)
   , mLoadTriggeredFromExternal(false)
+  , mIsFromProcessingFrameAttributes(false)
 {
   // Top-level loads are never third-party
   // Grab the information we can out of the window.
@@ -304,6 +306,7 @@ LoadInfo::LoadInfo(const LoadInfo& rhs)
   , mForcePreflight(rhs.mForcePreflight)
   , mIsPreflight(rhs.mIsPreflight)
   , mLoadTriggeredFromExternal(rhs.mLoadTriggeredFromExternal)
+  , mIsFromProcessingFrameAttributes(rhs.mIsFromProcessingFrameAttributes)
 {
 }
 
@@ -355,6 +358,7 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadingPrincipal,
   , mForcePreflight(aForcePreflight)
   , mIsPreflight(aIsPreflight)
   , mLoadTriggeredFromExternal(aLoadTriggeredFromExternal)
+  , mIsFromProcessingFrameAttributes(false)
 {
   // Only top level TYPE_DOCUMENT loads can have a null loadingPrincipal
   MOZ_ASSERT(mLoadingPrincipal || aContentPolicyType == nsIContentPolicy::TYPE_DOCUMENT);
@@ -970,5 +974,19 @@ LoadInfo::GetIsTopLevelLoad(bool *aResult)
   return NS_OK;
 }
 
+void
+LoadInfo::SetIsFromProcessingFrameAttributes()
+{
+  mIsFromProcessingFrameAttributes = true;
+}
+
+NS_IMETHODIMP
+LoadInfo::GetIsFromProcessingFrameAttributes(bool *aIsFromProcessingFrameAttributes)
+{
+  MOZ_ASSERT(aIsFromProcessingFrameAttributes);
+  *aIsFromProcessingFrameAttributes = mIsFromProcessingFrameAttributes;
+  return NS_OK;
+}
+
 } // namespace net
 } // namespace mozilla
diff --git a/netwerk/base/LoadInfo.h b/netwerk/base/LoadInfo.h
index 2b1e8c9e8..a4ec25a9d 100644
--- a/netwerk/base/LoadInfo.h
+++ b/netwerk/base/LoadInfo.h
@@ -81,6 +81,7 @@ public:
 
   void SetIsPreflight();
   void SetUpgradeInsecureRequests();
+  void SetIsFromProcessingFrameAttributes();
 
 private:
   // private constructor that is only allowed to be called from within
@@ -157,6 +158,11 @@ private:
   bool                             mForcePreflight;
   bool                             mIsPreflight;
   bool                             mLoadTriggeredFromExternal;
+
+  // Is true if this load was triggered by processing the attributes of the
+  // browsing context container.
+  // See nsILoadInfo.isFromProcessingFrameAttributes
+  bool                             mIsFromProcessingFrameAttributes;
 };
 
 } // namespace net
diff --git a/netwerk/base/nsILoadInfo.idl b/netwerk/base/nsILoadInfo.idl
index bc609c317..fc1aadd93 100644
--- a/netwerk/base/nsILoadInfo.idl
+++ b/netwerk/base/nsILoadInfo.idl
@@ -740,4 +740,11 @@ interface nsILoadInfo : nsISupports
    * Note that the load for a sub-frame's document will return false here.
    */
   [infallible] readonly attribute boolean isTopLevelLoad;
+
+  /**
+   * This attribute will be true if this is a load triggered by
+   * https://html.spec.whatwg.org/multipage/iframe-embed-object.html#process-the-iframe-attributes
+   * or https://html.spec.whatwg.org/multipage/obsolete.html#process-the-frame-attributes
+   */
+  [infallible] readonly attribute boolean isFromProcessingFrameAttributes;
 };
diff --git a/netwerk/ipc/NeckoChannelParams.ipdlh b/netwerk/ipc/NeckoChannelParams.ipdlh
index 2633ef608..2896f427d 100644
--- a/netwerk/ipc/NeckoChannelParams.ipdlh
+++ b/netwerk/ipc/NeckoChannelParams.ipdlh
@@ -56,6 +56,7 @@ struct LoadInfoArgs
   bool                  forcePreflight;
   bool                  isPreflight;
   bool                  loadTriggeredFromExternal;
+  bool                  isFromProcessingFrameAttributes;
 };
 
 /**
diff --git a/netwerk/protocol/http/HttpBaseChannel.cpp b/netwerk/protocol/http/HttpBaseChannel.cpp
index 03123ceb0..21b661c2b 100644
--- a/netwerk/protocol/http/HttpBaseChannel.cpp
+++ b/netwerk/protocol/http/HttpBaseChannel.cpp
@@ -3676,14 +3676,17 @@ HttpBaseChannel::GetPerformance()
     return nullptr;
   }
 
-  // We only add to the document's performance object if it has the same
-  // principal as the one triggering the load. This is to prevent navigations
-  // triggered _by_ the iframe from showing up in the parent document's
-  // performance entries if they have different origins.
   if (!mLoadInfo->TriggeringPrincipal()->Equals(loadingDocument->NodePrincipal())) {
     return nullptr;
   }
 
+  if (mLoadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_SUBDOCUMENT &&
+      !mLoadInfo->GetIsFromProcessingFrameAttributes()) {
+    // We only report loads caused by processing the attributes of the
+    // browsing context container.
+    return nullptr;
+  }
+
   nsCOMPtr<nsPIDOMWindowInner> innerWindow = loadingDocument->GetInnerWindow();
   if (!innerWindow) {
     return nullptr;
diff --git a/nsprpub/TAG-INFO b/nsprpub/TAG-INFO
deleted file mode 100644
index ed713edea..000000000
--- a/nsprpub/TAG-INFO
+++ /dev/null
@@ -1 +0,0 @@
-NSPR_4_19_RTM
diff --git a/nsprpub/configure b/nsprpub/configure
index 619d193ae..ce2543ed7 100755
--- a/nsprpub/configure
+++ b/nsprpub/configure
@@ -2488,7 +2488,7 @@ test -n "$target_alias" &&
   program_prefix=${target_alias}-
 
 MOD_MAJOR_VERSION=4
-MOD_MINOR_VERSION=19
+MOD_MINOR_VERSION=20
 MOD_PATCH_VERSION=0
 NSPR_MODNAME=nspr20
 _HAVE_PTHREADS=
diff --git a/nsprpub/configure.in b/nsprpub/configure.in
index ea0ae7f8e..cbd22b42e 100644
--- a/nsprpub/configure.in
+++ b/nsprpub/configure.in
@@ -15,7 +15,7 @@ dnl ========================================================
 dnl = Defaults
 dnl ========================================================
 MOD_MAJOR_VERSION=4
-MOD_MINOR_VERSION=19
+MOD_MINOR_VERSION=20
 MOD_PATCH_VERSION=0
 NSPR_MODNAME=nspr20
 _HAVE_PTHREADS=
@@ -2106,6 +2106,10 @@ tools are selected during the Xcode/Developer Tools installation.])
 	    AC_DEFINE(_AMD64_)
 	    USE_64=1
 	    ;;
+    aarch64)
+	    AC_DEFINE(_ARM64_)
+	    USE_64=1
+	    ;;
     ia64)
 	    AC_DEFINE(_IA64_)
 	    USE_64=1
diff --git a/nsprpub/lib/ds/plarena.h b/nsprpub/lib/ds/plarena.h
index 5336a0e4d..0ca00c0ac 100644
--- a/nsprpub/lib/ds/plarena.h
+++ b/nsprpub/lib/ds/plarena.h
@@ -95,13 +95,24 @@ struct PLArenaPool {
 
 #if defined(PL_SANITIZE_ADDRESS)
 
+#if defined(_MSC_VER)
+/* We can't use dllimport due to DLL linkage mismatch with
+ * sanitizer/asan_interface.h.
+ */
+#define PL_ASAN_VISIBILITY(type_) type_
+#else
+#define PL_ASAN_VISIBILITY(type_) PR_IMPORT(type_)
+#endif
+
 /* These definitions are usually provided through the
  * sanitizer/asan_interface.h header installed by ASan.
  * See https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning
  */
 
-PR_IMPORT(void) __asan_poison_memory_region(void const volatile *addr, size_t size);
-PR_IMPORT(void) __asan_unpoison_memory_region(void const volatile *addr, size_t size);
+PL_ASAN_VISIBILITY(void) __asan_poison_memory_region(
+    void const volatile *addr, size_t size);
+PL_ASAN_VISIBILITY(void) __asan_unpoison_memory_region(
+    void const volatile *addr, size_t size);
 
 #define PL_MAKE_MEM_NOACCESS(addr, size) \
     __asan_poison_memory_region((addr), (size))
diff --git a/nsprpub/pr/include/md/_linux.cfg b/nsprpub/pr/include/md/_linux.cfg
index b4c0ed427..afc407c47 100644
--- a/nsprpub/pr/include/md/_linux.cfg
+++ b/nsprpub/pr/include/md/_linux.cfg
@@ -1020,6 +1020,98 @@
 #define PR_BYTES_PER_WORD_LOG2   2
 #define PR_BYTES_PER_DWORD_LOG2  3
 
+#elif defined(__riscv) && (__riscv_xlen == 32)
+
+#undef  IS_BIG_ENDIAN
+#define IS_LITTLE_ENDIAN 1
+#undef  IS_64
+
+#define PR_BYTES_PER_BYTE   1
+#define PR_BYTES_PER_SHORT  2
+#define PR_BYTES_PER_INT    4
+#define PR_BYTES_PER_INT64  8
+#define PR_BYTES_PER_LONG   4
+#define PR_BYTES_PER_FLOAT  4
+#define PR_BYTES_PER_DOUBLE 8
+#define PR_BYTES_PER_WORD   4
+#define PR_BYTES_PER_DWORD  8
+
+#define PR_BITS_PER_BYTE    8
+#define PR_BITS_PER_SHORT   16
+#define PR_BITS_PER_INT     32
+#define PR_BITS_PER_INT64   64
+#define PR_BITS_PER_LONG    32
+#define PR_BITS_PER_FLOAT   32
+#define PR_BITS_PER_DOUBLE  64
+#define PR_BITS_PER_WORD    32
+
+#define PR_BITS_PER_BYTE_LOG2   3
+#define PR_BITS_PER_SHORT_LOG2  4
+#define PR_BITS_PER_INT_LOG2    5
+#define PR_BITS_PER_INT64_LOG2  6
+#define PR_BITS_PER_LONG_LOG2   5
+#define PR_BITS_PER_FLOAT_LOG2  5
+#define PR_BITS_PER_DOUBLE_LOG2 6
+#define PR_BITS_PER_WORD_LOG2   5
+
+#define PR_ALIGN_OF_SHORT   2
+#define PR_ALIGN_OF_INT     4
+#define PR_ALIGN_OF_LONG    4
+#define PR_ALIGN_OF_INT64   8
+#define PR_ALIGN_OF_FLOAT   4
+#define PR_ALIGN_OF_DOUBLE  8
+#define PR_ALIGN_OF_POINTER 4
+#define PR_ALIGN_OF_WORD    4
+
+#define PR_BYTES_PER_WORD_LOG2  2
+#define PR_BYTES_PER_DWORD_LOG2 3
+
+#elif defined(__riscv) && (__riscv_xlen == 64)
+
+#undef  IS_BIG_ENDIAN
+#define IS_LITTLE_ENDIAN 1
+#define IS_64
+
+#define PR_BYTES_PER_BYTE   1
+#define PR_BYTES_PER_SHORT  2
+#define PR_BYTES_PER_INT    4
+#define PR_BYTES_PER_INT64  8
+#define PR_BYTES_PER_LONG   8
+#define PR_BYTES_PER_FLOAT  4
+#define PR_BYTES_PER_DOUBLE 8
+#define PR_BYTES_PER_WORD   8
+#define PR_BYTES_PER_DWORD  8
+
+#define PR_BITS_PER_BYTE    8
+#define PR_BITS_PER_SHORT   16
+#define PR_BITS_PER_INT     32
+#define PR_BITS_PER_INT64   64
+#define PR_BITS_PER_LONG    64
+#define PR_BITS_PER_FLOAT   32
+#define PR_BITS_PER_DOUBLE  64
+#define PR_BITS_PER_WORD    64
+
+#define PR_BITS_PER_BYTE_LOG2   3
+#define PR_BITS_PER_SHORT_LOG2  4
+#define PR_BITS_PER_INT_LOG2    5
+#define PR_BITS_PER_INT64_LOG2  6
+#define PR_BITS_PER_LONG_LOG2   6
+#define PR_BITS_PER_FLOAT_LOG2  5
+#define PR_BITS_PER_DOUBLE_LOG2 6
+#define PR_BITS_PER_WORD_LOG2   6
+
+#define PR_ALIGN_OF_SHORT   2
+#define PR_ALIGN_OF_INT     4
+#define PR_ALIGN_OF_LONG    8
+#define PR_ALIGN_OF_INT64   8
+#define PR_ALIGN_OF_FLOAT   4
+#define PR_ALIGN_OF_DOUBLE  8
+#define PR_ALIGN_OF_POINTER 8
+#define PR_ALIGN_OF_WORD    8
+
+#define PR_BYTES_PER_WORD_LOG2  3
+#define PR_BYTES_PER_DWORD_LOG2 3
+
 #else
 
 #error "Unknown CPU architecture"
diff --git a/nsprpub/pr/include/md/_linux.h b/nsprpub/pr/include/md/_linux.h
index b4b298b71..2370ab831 100644
--- a/nsprpub/pr/include/md/_linux.h
+++ b/nsprpub/pr/include/md/_linux.h
@@ -57,6 +57,10 @@
 #define _PR_SI_ARCHITECTURE "m32r"
 #elif defined(__or1k__)
 #define _PR_SI_ARCHITECTURE "or1k"
+#elif defined(__riscv) && (__riscv_xlen == 32)
+#define _PR_SI_ARCHITECTURE "riscv32"
+#elif defined(__riscv) && (__riscv_xlen == 64)
+#define _PR_SI_ARCHITECTURE "riscv64"
 #else
 #error "Unknown CPU architecture"
 #endif
diff --git a/nsprpub/pr/include/md/_win95.cfg b/nsprpub/pr/include/md/_win95.cfg
index 1e693cc68..7c379fce7 100644
--- a/nsprpub/pr/include/md/_win95.cfg
+++ b/nsprpub/pr/include/md/_win95.cfg
@@ -214,6 +214,55 @@
 #define PR_BYTES_PER_WORD_LOG2  2
 #define PR_BYTES_PER_DWORD_LOG2 3
 
+#elif defined(_M_ARM64) || defined(_ARM64_)
+
+#define IS_LITTLE_ENDIAN 1
+#undef  IS_BIG_ENDIAN
+#define IS_64
+
+#define PR_BYTES_PER_BYTE   1
+#define PR_BYTES_PER_SHORT  2
+#define PR_BYTES_PER_INT    4
+#define PR_BYTES_PER_INT64  8
+#define PR_BYTES_PER_LONG   4
+#define PR_BYTES_PER_FLOAT  4
+#define PR_BYTES_PER_WORD	8
+#define PR_BYTES_PER_DWORD	8
+#define PR_BYTES_PER_DOUBLE 8
+
+#define PR_BITS_PER_BYTE    8
+#define PR_BITS_PER_SHORT   16
+#define PR_BITS_PER_INT     32
+#define PR_BITS_PER_INT64   64
+#define PR_BITS_PER_LONG    32
+#define PR_BITS_PER_FLOAT   32
+#define PR_BITS_PER_WORD	64
+#define PR_BITS_PER_DWORD	64
+#define PR_BITS_PER_DOUBLE  64
+
+#define PR_BITS_PER_BYTE_LOG2   3
+#define PR_BITS_PER_SHORT_LOG2  4
+#define PR_BITS_PER_INT_LOG2    5
+#define PR_BITS_PER_INT64_LOG2  6
+#define PR_BITS_PER_LONG_LOG2   5
+#define PR_BITS_PER_FLOAT_LOG2  5
+#define PR_BITS_PER_WORD_LOG2	6
+#define PR_BITS_PER_DWORD_LOG2	6
+#define PR_BITS_PER_DOUBLE_LOG2 6
+
+#define PR_ALIGN_OF_SHORT   2
+#define PR_ALIGN_OF_INT     4
+#define PR_ALIGN_OF_LONG    4
+#define PR_ALIGN_OF_INT64   8
+#define PR_ALIGN_OF_FLOAT   4
+#define PR_ALIGN_OF_WORD	8
+#define PR_ALIGN_OF_DWORD	8
+#define PR_ALIGN_OF_DOUBLE  8
+#define PR_ALIGN_OF_POINTER 8
+
+#define PR_BYTES_PER_WORD_LOG2	3
+#define PR_BYTES_PER_DWORD_LOG2	3
+
 #else /* defined(_M_IX86) || defined(_X86_) */
 
 #error unknown processor architecture
diff --git a/nsprpub/pr/include/md/_win95.h b/nsprpub/pr/include/md/_win95.h
index 04f811d37..24e537bb7 100644
--- a/nsprpub/pr/include/md/_win95.h
+++ b/nsprpub/pr/include/md/_win95.h
@@ -26,6 +26,8 @@
 #define _PR_SI_ARCHITECTURE   "ia64"
 #elif defined(_M_ARM) || defined(_ARM_)
 #define _PR_SI_ARCHITECTURE   "arm"
+#elif defined(_M_ARM64)
+#define _PR_SI_ARCHITECTURE   "aarch64"
 #else
 #error unknown processor architecture
 #endif
diff --git a/nsprpub/pr/include/prinit.h b/nsprpub/pr/include/prinit.h
index ab3aba208..5f6b4e3de 100644
--- a/nsprpub/pr/include/prinit.h
+++ b/nsprpub/pr/include/prinit.h
@@ -31,9 +31,9 @@ PR_BEGIN_EXTERN_C
 ** The format of the version string is
 **     "<major version>.<minor version>[.<patch level>] [<Beta>]"
 */
-#define PR_VERSION  "4.19"
+#define PR_VERSION  "4.20"
 #define PR_VMAJOR   4
-#define PR_VMINOR   19
+#define PR_VMINOR   20
 #define PR_VPATCH   0
 #define PR_BETA     PR_FALSE
 
diff --git a/nsprpub/pr/src/misc/prnetdb.c b/nsprpub/pr/src/misc/prnetdb.c
index affebf6ac..c482e8e4a 100644
--- a/nsprpub/pr/src/misc/prnetdb.c
+++ b/nsprpub/pr/src/misc/prnetdb.c
@@ -7,6 +7,10 @@
 
 #include <string.h>
 
+#if defined(LINUX)
+#include <sys/un.h>
+#endif
+
 /*
  * On Unix, the error code for gethostbyname() and gethostbyaddr()
  * is returned in the global variable h_errno, instead of the usual
@@ -1366,7 +1370,17 @@ PRUintn _PR_NetAddrSize(const PRNetAddr* addr)
 #endif
 #if defined(XP_UNIX) || defined(XP_OS2)
     else if (AF_UNIX == addr->raw.family)
-        addrsize = sizeof(addr->local);
+    {
+#if defined(LINUX)
+        if (addr->local.path[0] == 0)
+            /* abstract socket address is supported on Linux only */
+            addrsize = strnlen(addr->local.path + 1,
+                               sizeof(addr->local.path)) +
+                       offsetof(struct sockaddr_un, sun_path) + 1;
+        else
+#endif
+            addrsize = sizeof(addr->local);
+    }
 #endif
     else addrsize = 0;
 
diff --git a/nsprpub/pr/src/pthreads/ptio.c b/nsprpub/pr/src/pthreads/ptio.c
index f6aa56741..1549a905f 100644
--- a/nsprpub/pr/src/pthreads/ptio.c
+++ b/nsprpub/pr/src/pthreads/ptio.c
@@ -1750,7 +1750,12 @@ static PRStatus pt_Bind(PRFileDesc *fd, const PRNetAddr *addr)
     if (addr->raw.family == AF_UNIX)
     {
         /* Disallow relative pathnames */
-        if (addr->local.path[0] != '/')
+        if (addr->local.path[0] != '/'
+#if defined(LINUX)
+            /* Linux has abstract socket address support */
+            && addr->local.path[0] != 0
+#endif
+            )
         {
             PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
             return PR_FAILURE;
diff --git a/nsprpub/pr/src/pthreads/ptsynch.c b/nsprpub/pr/src/pthreads/ptsynch.c
index a93b74795..126bed670 100644
--- a/nsprpub/pr/src/pthreads/ptsynch.c
+++ b/nsprpub/pr/src/pthreads/ptsynch.c
@@ -911,7 +911,8 @@ PR_IMPLEMENT(PRStatus) PR_DeleteSemaphore(const char *name)
  * From the semctl(2) man page in glibc 2.0
  */
 #if (defined(__GNU_LIBRARY__) && !defined(_SEM_SEMUN_UNDEFINED)) \
-    || defined(FREEBSD) || defined(OPENBSD) || defined(BSDI) \
+    || (defined(FREEBSD) && __FreeBSD_version < 1200059) \
+    || defined(OPENBSD) || defined(BSDI) \
     || defined(DARWIN) || defined(SYMBIAN)
 /* union semun is defined by including <sys/sem.h> */
 #else
diff --git a/nsprpub/pr/tests/Makefile.in b/nsprpub/pr/tests/Makefile.in
index 79a67f09c..f1cfba9cc 100644
--- a/nsprpub/pr/tests/Makefile.in
+++ b/nsprpub/pr/tests/Makefile.in
@@ -18,6 +18,7 @@ include $(topsrcdir)/config/config.mk
 DIRS = dll
 
 CSRCS =             \
+	abstract.c		\
 	accept.c		\
 	acceptread.c	\
 	acceptreademu.c	\
diff --git a/nsprpub/pr/tests/abstract.c b/nsprpub/pr/tests/abstract.c
new file mode 100644
index 000000000..6be5610c0
--- /dev/null
+++ b/nsprpub/pr/tests/abstract.c
@@ -0,0 +1,157 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <stdio.h>
+
+#if defined(LINUX)
+
+#include <string.h>
+#include "nspr.h"
+
+static const char abstractSocketName[] = "\0testsocket";
+
+static void
+ClientThread(void* aArg)
+{
+  PRFileDesc* socket;
+  PRNetAddr addr;
+  PRUint8 buf[1024];
+  PRInt32 len;
+  PRInt32 total;
+
+  addr.local.family = PR_AF_LOCAL;
+  memcpy(addr.local.path, abstractSocketName, sizeof(abstractSocketName));
+
+  socket = PR_OpenTCPSocket(addr.raw.family);
+  if (!socket) {
+    fprintf(stderr, "PR_OpenTCPSokcet failed\n");
+    exit(1);
+  }
+
+  if (PR_Connect(socket, &addr, PR_INTERVAL_NO_TIMEOUT) == PR_FAILURE) {
+    fprintf(stderr, "PR_Connect failed\n");
+    exit(1);
+  }
+
+  total = 0;
+  while (total < sizeof(buf)) {
+    len = PR_Recv(socket, buf + total, sizeof(buf) - total, 0,
+                  PR_INTERVAL_NO_TIMEOUT);
+    if (len < 1) {
+      fprintf(stderr, "PR_Recv failed\n");
+      exit(1);
+    }
+    total += len;
+  }
+
+  total = 0;
+  while (total < sizeof(buf)) {
+    len = PR_Send(socket, buf + total, sizeof(buf) - total, 0,
+                  PR_INTERVAL_NO_TIMEOUT);
+    if (len < 1) {
+      fprintf(stderr, "PR_Send failed\n");
+      exit(1);
+    }
+    total += len;
+  }
+
+  if (PR_Close(socket) == PR_FAILURE) {
+    fprintf(stderr, "PR_Close failed\n");
+    exit(1);
+  }
+}
+
+int
+main()
+{
+  PRFileDesc* socket;
+  PRFileDesc* acceptSocket;
+  PRThread* thread;
+  PRNetAddr addr;
+  PRUint8 buf[1024];
+  PRInt32 len;
+  PRInt32 total;
+
+  addr.local.family = PR_AF_LOCAL;
+  memcpy(addr.local.path, abstractSocketName, sizeof(abstractSocketName));
+
+  socket = PR_OpenTCPSocket(addr.raw.family);
+  if (!socket) {
+    fprintf(stderr, "PR_OpenTCPSocket failed\n");
+    exit(1);
+  }
+  if (PR_Bind(socket, &addr) == PR_FAILURE) {
+    fprintf(stderr, "PR_Bind failed\n");
+    exit(1);
+  }
+
+  if (PR_Listen(socket, 5) == PR_FAILURE) {
+    fprintf(stderr, "PR_Listen failed\n");
+    exit(1);
+  }
+
+  thread = PR_CreateThread(PR_USER_THREAD, ClientThread, 0, PR_PRIORITY_NORMAL,
+                           PR_GLOBAL_THREAD, PR_JOINABLE_THREAD, 0);
+  if (!thread) {
+    fprintf(stderr, "PR_CreateThread failed");
+    exit(1);
+  }
+
+  acceptSocket  = PR_Accept(socket, NULL, PR_INTERVAL_NO_TIMEOUT);
+  if (!acceptSocket) {
+    fprintf(stderr, "PR_Accept failed\n");
+    exit(1);
+  }
+
+  memset(buf, 'A', sizeof(buf));
+
+  total = 0;
+  while (total < sizeof(buf)) {
+    len = PR_Send(acceptSocket, buf + total, sizeof(buf) - total, 0,
+                  PR_INTERVAL_NO_TIMEOUT);
+    if (len < 1) {
+      fprintf(stderr, "PR_Send failed\n");
+      exit(1);
+    }
+    total += len;
+  }
+
+  total = 0;
+  while (total < sizeof(buf)) {
+    len = PR_Recv(acceptSocket, buf + total, sizeof(buf) - total, 0,
+                  PR_INTERVAL_NO_TIMEOUT);
+    if (len < 1) {
+      fprintf(stderr, "PR_Recv failed\n");
+      exit(1);
+    }
+    total += len;
+  }
+
+  if (PR_Close(acceptSocket) == PR_FAILURE) {
+    fprintf(stderr, "PR_Close failed\n");
+    exit(1);
+  }
+
+  if (PR_JoinThread(thread) == PR_FAILURE) {
+    fprintf(stderr, "PR_JoinThread failed\n");
+    exit(1);
+  }
+
+  if (PR_Close(socket) == PR_FAILURE) {
+    fprintf(stderr, "PR_Close failed\n");
+    exit(1);
+  }
+  printf("PASS\n");
+  return 0;
+}
+
+#else
+int
+main()
+{
+  prinf("PASS\n");
+  return 0;
+}
+#endif
diff --git a/nsprpub/pr/tests/runtests.pl b/nsprpub/pr/tests/runtests.pl
index 5dbc649bf..f1ab7647e 100755
--- a/nsprpub/pr/tests/runtests.pl
+++ b/nsprpub/pr/tests/runtests.pl
@@ -241,6 +241,7 @@ $prog = shift;  # Program to test
 
 # MAIN ---------------
 @progs = (
+"abstract",
 "accept",
 "acceptread",
 "acceptreademu",
diff --git a/nsprpub/pr/tests/runtests.sh b/nsprpub/pr/tests/runtests.sh
index 760f03292..d021287b8 100755
--- a/nsprpub/pr/tests/runtests.sh
+++ b/nsprpub/pr/tests/runtests.sh
@@ -71,6 +71,7 @@ LOGFILE=${NSPR_TEST_LOGFILE:-$NULL_DEVICE}
 #
 
 TESTS="
+abstract
 accept
 acceptread
 acceptreademu
diff --git a/nsprpub/pr/tests/vercheck.c b/nsprpub/pr/tests/vercheck.c
index 43b0abc4b..5e6588f9d 100644
--- a/nsprpub/pr/tests/vercheck.c
+++ b/nsprpub/pr/tests/vercheck.c
@@ -40,7 +40,7 @@ static char *compatible_version[] = {
     "4.10", "4.10.1", "4.10.2", "4.10.3", "4.10.4",
     "4.10.5", "4.10.6", "4.10.7", "4.10.8", "4.10.9",
     "4.10.10", "4.11", "4.12", "4.13", "4.14", "4.15",
-    "4.16", "4.17", "4.18",
+    "4.16", "4.17", "4.18", "4.19",
     PR_VERSION
 };
 
@@ -56,8 +56,8 @@ static char *incompatible_version[] = {
     "3.0", "3.0.1",
     "3.1", "3.1.1", "3.1.2", "3.1.3",
     "3.5", "3.5.1",
-    "4.19.1",
-    "4.20", "4.20.1",
+    "4.20.1",
+    "4.21", "4.21.1",
     "10.0", "11.1", "12.14.20"
 };
 
diff --git a/old-configure.in b/old-configure.in
index 547b71cbf..ba3b75ef3 100644
--- a/old-configure.in
+++ b/old-configure.in
@@ -48,7 +48,7 @@ dnl ========================================================
 MOZJPEG=62
 MOZPNG=10625
 NSPR_VERSION=4
-NSPR_MINVER=4.19
+NSPR_MINVER=4.20
 NSS_VERSION=3
 
 dnl Set the minimum version of toolkit libs used by mozilla
@@ -2044,7 +2044,7 @@ MOZ_ARG_WITH_BOOL(system-nss,
     _USE_SYSTEM_NSS=1 )
 
 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.38, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+    AM_PATH_NSS(3.41, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi
 
 if test -z "$MOZ_SYSTEM_NSS"; then
@@ -2211,8 +2211,6 @@ MOZ_WEBRTC_SIGNALING=
 MOZ_WEBRTC_ASSERT_ALWAYS=1
 MOZ_WEBRTC_HARDWARE_AEC_NS=
 MOZ_SCTP=
-MOZ_ANDROID_OMX=
-MOZ_OMX_PLUGIN=
 MOZ_VPX_ERROR_CONCEALMENT=
 VPX_USE_YASM=
 VPX_ASFLAGS=
@@ -2923,45 +2921,6 @@ if test -n "$MOZ_EME"; then
 fi
 
 dnl ========================================================
-dnl = Enable media plugin support
-dnl ========================================================
-if test "$OS_TARGET" = "Android"; then
-  dnl Enable support on android by default
-  MOZ_ANDROID_OMX=1
-fi
-
-MOZ_ARG_ENABLE_BOOL(android-omx,
-[  --enable-android-omx  Enable support for Android OMX media backend],
-    MOZ_ANDROID_OMX=1,
-    MOZ_ANDROID_OMX=)
-
-if test -n "$MOZ_ANDROID_OMX"; then
-  AC_DEFINE(MOZ_ANDROID_OMX)
-fi
-
-dnl ========================================================
-dnl = Enable building OMX media plugin (B2G or Android)
-dnl ========================================================
-if test "$OS_TARGET" = "Android"; then
-  dnl Enable support on android by default
-  MOZ_OMX_PLUGIN=1
-fi
-
-MOZ_ARG_ENABLE_BOOL(omx-plugin,
-[  --enable-omx-plugin      Enable building OMX plugin (B2G)],
-    MOZ_OMX_PLUGIN=1,
-    MOZ_OMX_PLUGIN=)
-
-if test -n "$MOZ_OMX_PLUGIN"; then
-    if test "$OS_TARGET" = "Android"; then
-        dnl Only allow building OMX plugin on Android
-        AC_DEFINE(MOZ_OMX_PLUGIN)
-    else
-        dnl fail if we're not building on Android
-        AC_MSG_ERROR([OMX media plugin can only be built on Android])
-    fi
-fi
-
 dnl system libvpx Support
 dnl ========================================================
 MOZ_ARG_WITH_BOOL(system-libvpx,
@@ -5466,8 +5425,6 @@ AC_SUBST(MOZ_TREMOR)
 AC_SUBST(MOZ_FFVPX)
 AC_SUBST_LIST(FFVPX_ASFLAGS)
 AC_SUBST(MOZ_EME)
-AC_SUBST(MOZ_ANDROID_OMX)
-AC_SUBST(MOZ_OMX_PLUGIN)
 AC_SUBST(MOZ_VPX_ERROR_CONCEALMENT)
 AC_SUBST(VPX_USE_YASM)
 AC_SUBST_LIST(VPX_ASFLAGS)
diff --git a/security/manager/ssl/nsSTSPreloadList.errors b/security/manager/ssl/nsSTSPreloadList.errors
index be60cc0ed..92e7ea00f 100644
--- a/security/manager/ssl/nsSTSPreloadList.errors
+++ b/security/manager/ssl/nsSTSPreloadList.errors
@@ -1,7 +1,7 @@
 0-1.party: could not connect to host
 0.me.uk: did not receive HSTS header
 00001.am: max-age too low: 129600
-0005.com: could not connect to host
+0005.com: did not receive HSTS header
 0005aa.com: could not connect to host
 0005pay.com: did not receive HSTS header
 00100010.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -13,10 +13,10 @@
 00180018.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 00190019.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 00220022.net: could not connect to host
-00330033.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+00330033.net: could not connect to host
 00440044.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 00550055.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-00660066.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+00660066.net: could not connect to host
 007-preisvergleich.de: could not connect to host
 00770077.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 00778899.com: did not receive HSTS header
@@ -38,7 +38,7 @@
 0222.mg: did not receive HSTS header
 0222aa.com: could not connect to host
 023838.com: could not connect to host
-02607.com: could not connect to host
+023sec.com: could not connect to host
 028718.com: did not receive HSTS header
 029978.com: did not receive HSTS header
 029inno.com: could not connect to host
@@ -46,7 +46,6 @@
 02smh.com: could not connect to host
 03-09-2016.wedding: could not connect to host
 0311buy.cn: did not receive HSTS header
-03170317.com: could not connect to host
 040fit.nl: did not receive HSTS header
 040fitvitality.nl: did not receive HSTS header
 048.ag: could not connect to host
@@ -66,9 +65,7 @@
 078860.com: did not receive HSTS header
 078890.com: did not receive HSTS header
 081638.com: did not receive HSTS header
-083962.com: could not connect to host
 086628.com: did not receive HSTS header
-09115.com: could not connect to host
 0c.eu: did not receive HSTS header
 0cdn.ga: could not connect to host
 0day.su: could not connect to host
@@ -76,7 +73,6 @@
 0fl.com: did not receive HSTS header
 0g.org.uk: could not connect to host
 0i0.nl: could not connect to host
-0iz.net: could not connect to host
 0o0.ooo: could not connect to host
 0p.no: did not receive HSTS header
 0vi.org: could not connect to host
@@ -99,15 +95,17 @@
 0xf00.ch: could not connect to host
 1.0.0.1: max-age too low: 0
 1000hats.com: did not receive HSTS header
+1000serien.com: could not connect to host
 1001.best: could not connect to host
+1001carats.fr: could not connect to host
 100onrainkajino.com: could not connect to host
+100rembourse.be: did not receive HSTS header
 1017scribes.com: could not connect to host
 1018hosting.nl: did not receive HSTS header
 1022996493.rsc.cdn77.org: could not connect to host
 10414.org: could not connect to host
 1066.io: could not connect to host
 1091.jp: could not connect to host
-10gb.io: could not connect to host
 10gbit.ovh: could not connect to host
 10seos.com: did not receive HSTS header
 10tacle.io: could not connect to host
@@ -125,7 +123,9 @@
 11scc.com: could not connect to host
 120dayweightloss.com: could not connect to host
 123110.com: could not connect to host
+123djdrop.com: did not receive HSTS header
 123movies.fyi: did not receive HSTS header
+123pay.ir: did not receive HSTS header
 123share.org: did not receive HSTS header
 123termpapers.com: could not connect to host
 123test.com: did not receive HSTS header
@@ -155,7 +155,7 @@
 1481485.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 1481485.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 1481486.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-1481486.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+1481486.net: could not connect to host
 1536.cf: could not connect to host
 16164f.com: could not connect to host
 163pwd.com: could not connect to host
@@ -181,10 +181,12 @@
 188trafalgar.ca: did not receive HSTS header
 189dv.com: could not connect to host
 1912x.com: could not connect to host
-19216811.online: could not connect to host
+19216811.online: did not receive HSTS header
 1921958389.rsc.cdn77.org: could not connect to host
 195gm.com: could not connect to host
 1a-jva.de: could not connect to host
+1a-vermessung.at: did not receive HSTS header
+1a-werkstattgeraete.de: did not receive HSTS header
 1aim.com: did not receive HSTS header
 1atic.com: could not connect to host
 1b1.pl: could not connect to host
@@ -202,13 +204,13 @@
 1q365a.com: could not connect to host
 1s.tn: could not connect to host
 1salland.nl: could not connect to host
-1st4abounce.co.uk: did not receive HSTS header
+1st4abounce.co.uk: could not connect to host
 1stcapital.com.sg: did not receive HSTS header
 1ststop.co.uk: did not receive HSTS header
 1three1.net: did not receive HSTS header
 1upinternet.com: could not connect to host
 1xcess.com: did not receive HSTS header
-1years.cc: could not connect to host
+1years.cc: did not receive HSTS header
 2-cpu.de: could not connect to host
 200fcw.com: could not connect to host
 2018.wales: could not connect to host
@@ -216,6 +218,7 @@
 2048game.co.uk: could not connect to host
 206rc.net: max-age too low: 2592000
 208.es: did not receive HSTS header
+20denier.com: could not connect to host
 20hs.cn: did not receive HSTS header
 20zq.com: could not connect to host
 21.co.uk: did not receive HSTS header
@@ -238,8 +241,10 @@
 256k.me: could not connect to host
 258da.com: did not receive HSTS header
 25daysof.io: could not connect to host
+263.info: could not connect to host
 27728522.com: could not connect to host
 2859cc.com: could not connect to host
+286.com: did not receive HSTS header
 288da.com: did not receive HSTS header
 29227.com: could not connect to host
 298da.com: did not receive HSTS header
@@ -253,7 +258,7 @@
 2carpros.com: did not receive HSTS header
 2fl.me: did not receive HSTS header
 2intermediate.co.uk: did not receive HSTS header
-2li.ch: could not connect to host
+2mir.com: could not connect to host
 2or3.tk: could not connect to host
 2smart4food.com: could not connect to host
 2ss.jp: did not receive HSTS header
@@ -289,6 +294,7 @@
 38888msc.com: could not connect to host
 38blog.com: did not receive HSTS header
 38sihu.com: could not connect to host
+398.info: could not connect to host
 3candy.com: could not connect to host
 3chit.cf: could not connect to host
 3click-loan.com: could not connect to host
@@ -300,14 +306,12 @@
 3fl.com: did not receive HSTS header
 3hl0.net: could not connect to host
 3ik.us: could not connect to host
-3james.com: could not connect to host
 3mbo.de: did not receive HSTS header
 3sreporting.com: did not receive HSTS header
 3vlnaeet.cz: could not connect to host
 3wecommerce.com.br: could not connect to host
 3weekdietworks.com: did not receive HSTS header
 3xx.link: could not connect to host
-40-grad.de: max-age too low: 2628000
 4036aa.com: did not receive HSTS header
 4036bb.com: did not receive HSTS header
 4036cc.com: did not receive HSTS header
@@ -330,7 +334,9 @@
 44957.com: could not connect to host
 44scc.com: could not connect to host
 4500.co.il: did not receive HSTS header
+4553vip.com: could not connect to host
 4679.space: did not receive HSTS header
+4736666.com: could not connect to host
 478933.com: could not connect to host
 47essays.com: could not connect to host
 47tech.com: could not connect to host
@@ -346,6 +352,7 @@
 4miners.net: could not connect to host
 4mybaby.ch: did not receive HSTS header
 4ourty2.org: could not connect to host
+4sics.se: could not connect to host
 4sqsu.eu: could not connect to host
 4w-performers.link: could not connect to host
 4web-hosting.com: could not connect to host
@@ -354,8 +361,6 @@
 500103.com: did not receive HSTS header
 500108.com: did not receive HSTS header
 500fcw.com: could not connect to host
-500k.nl: could not connect to host
-508088.com: could not connect to host
 50ma.xyz: could not connect to host
 50millionablaze.org: could not connect to host
 50plusnet.nl: could not connect to host
@@ -363,38 +368,41 @@
 517vpn.cn: could not connect to host
 518maicai.com: could not connect to host
 51aifuli.com: could not connect to host
-51tiaojiu.com: could not connect to host
 5214889.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 5214889.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 52b9.com: could not connect to host
 52b9.net: could not connect to host
+52hentai.ml: could not connect to host
 52kb.net: could not connect to host
 52kb1.com: could not connect to host
 52neptune.com: did not receive HSTS header
 5310899.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 5310899.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-5364.com: could not connect to host
 540.co: did not receive HSTS header
 5432.cc: did not receive HSTS header
 54bf.com: could not connect to host
-555fl.com: max-age too low: 129600
 555xl.com: could not connect to host
+558da.com: could not connect to host
 55bt.cc: did not receive HSTS header
 55scc.com: could not connect to host
 56877.com: could not connect to host
 56ct.com: could not connect to host
 57aromas.com: did not receive HSTS header
 57he.com: could not connect to host
+593380.com: could not connect to host
+598380.com: could not connect to host
 598598598.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+5986fc.com: could not connect to host
 5chat.it: could not connect to host
 5ece.de: could not connect to host
 5piecesofadvice.com: could not connect to host
-5starbouncycastlehire.co.uk: did not receive HSTS header
-5w5.la: did not receive HSTS header
+5starbouncycastlehire.co.uk: could not connect to host
+5w5.la: could not connect to host
 605508.cc: could not connect to host
 605508.com: could not connect to host
 60ych.net: did not receive HSTS header
 6120.eu: did not receive HSTS header
+626380.com: could not connect to host
 62755.com: did not receive HSTS header
 645ds.cn: did not receive HSTS header
 645ds.com: did not receive HSTS header
@@ -404,16 +412,19 @@
 64bitservers.net: could not connect to host
 65d88.com: could not connect to host
 660011.com: did not receive HSTS header
+6616fc.com: could not connect to host
 66205.net: did not receive HSTS header
 6677.us: could not connect to host
 668da.com: did not receive HSTS header
+66bwf.com: could not connect to host
 67899876.com: did not receive HSTS header
 688da.com: could not connect to host
 692b8c32.de: could not connect to host
 69mentor.com: could not connect to host
 69square.com: could not connect to host
-6w6.la: did not receive HSTS header
+6w6.la: could not connect to host
 6z3.net: could not connect to host
+7045.com: could not connect to host
 7183.org: could not connect to host
 721av.com: could not connect to host
 724go.com: could not connect to host
@@ -421,7 +432,6 @@
 72ty.com: could not connect to host
 72ty.net: could not connect to host
 73223.com: did not receive HSTS header
-73info.com: could not connect to host
 7570.com: did not receive HSTS header
 771122.tv: did not receive HSTS header
 7717a.com: did not receive HSTS header
@@ -437,13 +447,13 @@
 7kovrikov.ru: did not receive HSTS header
 7links.com.br: did not receive HSTS header
 7nw.eu: could not connect to host
-7proxies.com: did not receive HSTS header
 7thheavenrestaurant.com: could not connect to host
 8.net.co: could not connect to host
-80036.com: did not receive HSTS header
+80036.com: could not connect to host
 8003pay.com: could not connect to host
 808.lv: did not receive HSTS header
 808phone.net: could not connect to host
+818bwf.com: could not connect to host
 81uc.com: could not connect to host
 8206688.com: did not receive HSTS header
 826468.com: could not connect to host
@@ -454,17 +464,22 @@
 8522cn.com: did not receive HSTS header
 8522top.com: could not connect to host
 8560.be: could not connect to host
+8649955.com: could not connect to host
+8649966.com: could not connect to host
+8649977.com: could not connect to host
 8688fc.com: could not connect to host
-86metro.ru: could not connect to host
 8722.com: did not receive HSTS header
 87577.com: could not connect to host
 88.to: did not receive HSTS header
+8876205.com: did not receive HSTS header
 8887999.com: could not connect to host
 8888av.co: could not connect to host
 8888esb.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 888azino.com: did not receive HSTS header
+888bwf.com: could not connect to host
 888lu.co: could not connect to host
-888msc.vip: did not receive HSTS header
+888msc.vip: could not connect to host
+88bwf.com: did not receive HSTS header
 88d.com: could not connect to host
 88laohu.cc: could not connect to host
 88laohu.com: could not connect to host
@@ -491,17 +506,18 @@
 8mpay.com: did not receive HSTS header
 8pecxstudios.com: could not connect to host
 8shequapp.com: could not connect to host
-8svn.com: could not connect to host
+8svn.com: did not receive HSTS header
 8t88.biz: could not connect to host
-8ung.online: did not receive HSTS header
 8xx.bet: could not connect to host
 8xx.io: could not connect to host
 8xx888.com: could not connect to host
+8xxxxxxx.com: could not connect to host
 90smthng.com: could not connect to host
 91-freedom.com: could not connect to host
 9118b.com: could not connect to host
 911911.pw: could not connect to host
 915ers.com: could not connect to host
+918yy.com: could not connect to host
 919945.com: did not receive HSTS header
 91dh.cc: could not connect to host
 91lt.info: did not receive HSTS header
@@ -526,12 +542,13 @@
 9bingo.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 9iwan.net: did not receive HSTS header
 9jadirect.com: could not connect to host
+9jaxtreme.com.ng: did not receive HSTS header
 9point6.com: could not connect to host
 9ss6.com: could not connect to host
+9tolife.be: did not receive HSTS header
 9vies.ca: could not connect to host
 9won.kr: could not connect to host
-9y.at: could not connect to host
-a-intel.com: could not connect to host
+a-intel.com: did not receive HSTS header
 a-ix.net: could not connect to host
 a-plus.space: could not connect to host
 a-rickroll-n.pw: could not connect to host
@@ -548,6 +565,7 @@ a3workshop.swiss: could not connect to host
 a7m2.me: could not connect to host
 a8q.org: could not connect to host
 a9c.co: could not connect to host
+aa-tour.ru: could not connect to host
 aa43d.cn: could not connect to host
 aa6688.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 aa7733.com: could not connect to host
@@ -560,8 +578,7 @@ aapp.space: could not connect to host
 aardvarksolutions.co.za: did not receive HSTS header
 aariefhaafiz.com: could not connect to host
 aaron-gustafson.com: did not receive HSTS header
-aaronburt.co.uk: could not connect to host
-aaronmcguire.me: did not receive HSTS header
+aaronmcguire.me: could not connect to host
 aarvinproperties.com: could not connect to host
 ab-bauservice-berlin.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 abacus-events.co.uk: did not receive HSTS header
@@ -570,6 +587,7 @@ abasky.net: could not connect to host
 abcdentalcare.com: did not receive HSTS header
 abcdobebe.com: did not receive HSTS header
 abchelp.net: could not connect to host
+abdullah.pw: could not connect to host
 abearofsoap.com: could not connect to host
 abecodes.net: could not connect to host
 aberdeenalmeras.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -613,7 +631,6 @@ accelerate.network: could not connect to host
 accelerole.com: did not receive HSTS header
 accelight.co.jp: did not receive HSTS header
 accelight.jp: did not receive HSTS header
-accelsnow.com: could not connect to host
 access-sofia.org: did not receive HSTS header
 accolade.com.br: could not connect to host
 accoun.technology: could not connect to host
@@ -623,17 +640,18 @@ accwing.com: could not connect to host
 aceadvisory.biz: did not receive HSTS header
 acelpb.com: could not connect to host
 acemypaper.com: could not connect to host
+acevik.de: could not connect to host
 acg.mn: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 acg.sb: could not connect to host
 acg18.us: max-age too low: 0
 acgaudio.com: could not connect to host
-acgmoon.org: did not receive HSTS header
 acgpiano.club: could not connect to host
 acheirj.com.br: could not connect to host
-acheritage.co.uk: did not receive HSTS header
+acheritage.co.uk: could not connect to host
 achmadfamily.com: could not connect to host
 achow101.com: did not receive HSTS header
 achterhoekseveiligheidsbeurs.nl: could not connect to host
+acidbin.co: could not connect to host
 acisonline.net: did not receive HSTS header
 acksoft.fr: did not receive HSTS header
 acksoftdemo.fr: did not receive HSTS header
@@ -655,28 +673,31 @@ activateplay.com: did not receive HSTS header
 active-escape.com: did not receive HSTS header
 activeclearweb.com: could not connect to host
 activeweb.top: could not connect to host
+activeworld.net: max-age too low: 2592000
 activistasconstructivos.org: did not receive HSTS header
 activiti.alfresco.com: did not receive HSTS header
 actu-film.com: max-age too low: 0
 actu-medias.com: could not connect to host
 actualite-videos.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+acupofsalt.tv: could not connect to host
 acuve.jp: could not connect to host
-acyume.com: did not receive HSTS header
 ad-disruptio.fr: could not connect to host
-ad13.in: did not receive HSTS header
+ad13.in: could not connect to host
 ada.is: max-age too low: 2592000
 adajwells.me: could not connect to host
-adambryant.ca: could not connect to host
 adamcoffee.net: could not connect to host
 adamdixon.co.uk: could not connect to host
+adamjoycegames.co.uk: could not connect to host
 adamricheimer.com: could not connect to host
 adamsfoundationrepair.com: did not receive HSTS header
+adamwilcox.org: did not receive HSTS header
 adamwk.com: did not receive HSTS header
 adastra.re: could not connect to host
 adblock.ovh: could not connect to host
 adboos.com: could not connect to host
 addaxpetroleum.com: could not connect to host
 addcrazy.com: did not receive HSTS header
+addiko.net: could not connect to host
 addvocate.com: could not connect to host
 adec-emsa.ae: could not connect to host
 adelaides.com: did not receive HSTS header
@@ -734,12 +755,10 @@ adventistdeploy.org: could not connect to host
 adventures.is: did not receive HSTS header
 adver.top: could not connect to host
 advertisemant.com: could not connect to host
+advicepro.org.uk: did not receive HSTS header
 adviespuntklokkenluiders.nl: could not connect to host
-adwokatkosterka.pl: did not receive HSTS header
 adzie.xyz: could not connect to host
 adzuna.co.uk: did not receive HSTS header
-ae-dir.com: could not connect to host
-ae-dir.org: could not connect to host
 aegialis.com: did not receive HSTS header
 aelisya.ch: could not connect to host
 aelurus.com: could not connect to host
@@ -756,20 +775,23 @@ aether.pw: could not connect to host
 aethonan.pro: could not connect to host
 aevpn.net: could not connect to host
 aevpn.org: could not connect to host
+aeyoun.com: did not receive HSTS header
 af-fotografie.net: did not receive HSTS header
 af-internet.nl: did not receive HSTS header
 afdkompakt.de: max-age too low: 86400
 afeefzarapackages.com: did not receive HSTS header
 affily.io: could not connect to host
 affinity.vc: did not receive HSTS header
+affloc.com: could not connect to host
 affordablebouncycastle.co.uk: did not receive HSTS header
 affordablepapers.com: could not connect to host
 aficotroceni.ro: did not receive HSTS header
 afiru.net: could not connect to host
 aflamtorrent.com: could not connect to host
-afmchandler.com: did not receive HSTS header
+afmchandler.com: could not connect to host
 afp548.tk: could not connect to host
-after.im: did not receive HSTS header
+africatravel.de: did not receive HSTS header
+after.im: could not connect to host
 afterskool.eu: could not connect to host
 afterstack.net: could not connect to host
 afvallendoeje.nu: could not connect to host
@@ -777,11 +799,12 @@ afyou.co.kr: could not connect to host
 afzco.asia: did not receive HSTS header
 agalaxyfarfaraway.co.uk: could not connect to host
 agatheetraphael.fr: could not connect to host
-agbremen.de: did not receive HSTS header
+agbremen.de: could not connect to host
 agdalieso.com.ba: could not connect to host
 agelesscitizen.com: could not connect to host
 agelesscitizens.com: could not connect to host
 agenbettingasia.com: did not receive HSTS header
+agenceactiv.immo: did not receive HSTS header
 agenceklic.com: did not receive HSTS header
 agenciagriff.com: did not receive HSTS header
 agencymanager.be: could not connect to host
@@ -789,9 +812,8 @@ agentseeker.ca: could not connect to host
 agevio.com: could not connect to host
 agiairini.cz: could not connect to host
 agilebits.net: could not connect to host
-agileecommerce.com.br: could not connect to host
 agingstop.net: could not connect to host
-agonswim.com: could not connect to host
+agonswim.com: did not receive HSTS header
 agoravm.tk: could not connect to host
 agowa.eu: did not receive HSTS header
 agowa338.de: did not receive HSTS header
@@ -807,17 +829,16 @@ ahabingo.com: did not receive HSTS header
 ahelos.tk: could not connect to host
 ahiru3.com: did not receive HSTS header
 aholic.co: did not receive HSTS header
-ahoynetwork.com: could not connect to host
+ahoynetwork.com: did not receive HSTS header
 ahri.ovh: could not connect to host
 ahsin.online: could not connect to host
 ahwah.net: could not connect to host
-ahwatukeefoothillsmontessori.com: did not receive HSTS header
+ahwatukeefoothillsmontessori.com: could not connect to host
 ai1989.com: could not connect to host
 aibaoyou.com: could not connect to host
 aibsoftware.mx: could not connect to host
 aicial.com: did not receive HSTS header
 aicial.com.au: could not connect to host
-aid-web.ch: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 aidanwoods.com: did not receive HSTS header
 aide-admin.com: did not receive HSTS header
 aide-valais.ch: could not connect to host
@@ -825,6 +846,7 @@ aidikofflaw.com: did not receive HSTS header
 aiesecarad.ro: could not connect to host
 aifreeze.ru: could not connect to host
 aify.eu: could not connect to host
+aiheisi.com: did not receive HSTS header
 aikenorganics.com: could not connect to host
 aim-consultants.com: did not receive HSTS header
 aimrom.org: could not connect to host
@@ -851,16 +873,19 @@ airsick.guide: did not receive HSTS header
 airtimefranchise.com: did not receive HSTS header
 aishnair.com: could not connect to host
 aisle3.space: could not connect to host
+aisr.nl: did not receive HSTS header
 aiticon.de: did not receive HSTS header
 aivene.com: could not connect to host
 aiw-thkoeln.online: could not connect to host
 aixxe.net: did not receive HSTS header
+aizxxs.com: could not connect to host
 aizxxs.net: could not connect to host
 ajetaci.cz: could not connect to host
 ajibot.com: could not connect to host
 ajmahal.com: could not connect to host
 ajouin.com: could not connect to host
 ajw-group.com: did not receive HSTS header
+ak-webit.de: could not connect to host
 aka.my: did not receive HSTS header
 akboy.pw: could not connect to host
 akclinics.org: did not receive HSTS header
@@ -874,7 +899,6 @@ akihiro.xyz: could not connect to host
 akita-boutique.com: could not connect to host
 akita-stream.com: could not connect to host
 akkadia.cc: could not connect to host
-akkeylab.com: could not connect to host
 akoch.net: could not connect to host
 akombakom.net: could not connect to host
 akracing.se: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -887,7 +911,7 @@ aktuelle-uhrzeit.at: did not receive HSTS header
 akul.co.in: could not connect to host
 al-f.net: could not connect to host
 al-shami.net: could not connect to host
-alanhuang.name: did not receive HSTS header
+al3366.tech: could not connect to host
 alanlee.net: could not connect to host
 alanrickmanflipstable.com: did not receive HSTS header
 alanya.law: did not receive HSTS header
@@ -915,11 +939,10 @@ aldred.cloud: could not connect to host
 aleax.me: could not connect to host
 alecvannoten.be: did not receive HSTS header
 aledg.cl: could not connect to host
-alela.fr: could not connect to host
 alenan.org: could not connect to host
 aleph.land: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 alertaenlinea.gov: did not receive HSTS header
-alessandro.pw: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+alessandro.pw: could not connect to host
 alessandroz.ddns.net: could not connect to host
 alessandroz.pro: could not connect to host
 alethearose.com: did not receive HSTS header
@@ -939,20 +962,24 @@ alexkidd.de: did not receive HSTS header
 alexmak.net: did not receive HSTS header
 alexmol.tk: could not connect to host
 alexperry.io: could not connect to host
+alexsinnott.me: could not connect to host
 alfa24.pro: could not connect to host
+alfaperfumes.com.br: could not connect to host
 alfaponny.se: could not connect to host
 alfirous.com: could not connect to host
 alfredxing.com: did not receive HSTS header
 algarmatic-automatismos.pt: could not connect to host
 algebraaec.com: did not receive HSTS header
+algercounty.gov: could not connect to host
 alghaib.com: could not connect to host
-alibababee.com: did not receive HSTS header
+alibababee.com: could not connect to host
 alibip.de: could not connect to host
 alicialab.org: could not connect to host
 alien.bz: did not receive HSTS header
 alilialili.ga: could not connect to host
 alinemaciel.adm.br: could not connect to host
 alinode.com: could not connect to host
+alis-test.tk: could not connect to host
 alistairholland.me: did not receive HSTS header
 alistairpialek.com: max-age too low: 86400
 alisync.com: could not connect to host
@@ -960,7 +987,6 @@ alittlebitcheeky.com: did not receive HSTS header
 aliwebstore.com: could not connect to host
 aljammaz.holdings: could not connect to host
 aljmz.com: did not receive HSTS header
-aljweb.com: could not connect to host
 alkami.com: max-age too low: 0
 alkamitech.com: max-age too low: 0
 alkel.info: did not receive HSTS header
@@ -972,13 +998,15 @@ alldaymonitoring.com: could not connect to host
 alldm.ru: could not connect to host
 allegro-inc.com: did not receive HSTS header
 allemobieleproviders.nl: could not connect to host
+allenosgood.com: could not connect to host
 allerbestefreunde.de: did not receive HSTS header
+allfreelancers.su: did not receive HSTS header
 allgrass.es: did not receive HSTS header
 allgrass.net: did not receive HSTS header
 allhard.org: could not connect to host
 alliance-compacts.com: did not receive HSTS header
-alliances-faq.de: could not connect to host
 allinnote.com: could not connect to host
+allinone-ranking150.com: did not receive HSTS header
 allinonecyprus.com: could not connect to host
 allkindzabeats.com: did not receive HSTS header
 allladyboys.com: could not connect to host
@@ -995,14 +1023,12 @@ allrealty.co.za: could not connect to host
 allscammers.exposed: could not connect to host
 allseasons-cleaning.co.uk: could not connect to host
 allsortscastles.co.uk: could not connect to host
+allstarautokiaparts.com: could not connect to host
 allstarswithus.com: could not connect to host
 allstorebrasil.com.br: could not connect to host
 alltheducks.com: max-age too low: 43200
 allthingsblogging.com: could not connect to host
 allthingsfpl.com: could not connect to host
-allthingssquared.com: could not connect to host
-alltubedownload.net: could not connect to host
-allvips.ru: could not connect to host
 almagalla.com: could not connect to host
 almatinki.com: could not connect to host
 aloalabs.com: did not receive HSTS header
@@ -1014,11 +1040,11 @@ alpe-d-or.dyn-o-saur.com: could not connect to host
 alpencam.com: could not connect to host
 alpha.irccloud.com: could not connect to host
 alphabit-secure.com: could not connect to host
+alphabrock.cn: could not connect to host
 alphabuild.io: could not connect to host
 alphagamers.net: did not receive HSTS header
 alphahunks.com: could not connect to host
 alphalabs.xyz: could not connect to host
-alrait.com: could not connect to host
 als-hardware.co.za: did not receive HSTS header
 alspolska.pl: max-age too low: 2592000
 alt-tab-design.com: did not receive HSTS header
@@ -1034,12 +1060,12 @@ altered.network: could not connect to host
 altfire.ca: could not connect to host
 altiacaselight.com: could not connect to host
 altitudemoversdenver.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-altonblom.com: did not receive HSTS header
 altoneum.com: could not connect to host
 altporn.xyz: could not connect to host
 altruistgroup.net: max-age too low: 300
+alttrackr.com: could not connect to host
 aluminium-scaffolding.co.uk: could not connect to host
-alunjam.es: could not connect to host
+alunjam.es: did not receive HSTS header
 alunonaescola.com.br: did not receive HSTS header
 aluoblog.pw: could not connect to host
 aluoblog.top: could not connect to host
@@ -1052,7 +1078,10 @@ amadilo.de: could not connect to host
 amadoraslindas.com: could not connect to host
 amaforro.com: could not connect to host
 amaforums.org: did not receive HSTS header
+amalficoastchauffeur.com: could not connect to host
+amalfirock.it: could not connect to host
 amandaonishi.com: could not connect to host
+amandaworldstudies.com: could not connect to host
 amaranthus.com.ph: could not connect to host
 amateri.com: could not connect to host
 amatzen.dk: did not receive HSTS header
@@ -1114,7 +1143,6 @@ anacruz.es: did not receive HSTS header
 anadoluefessk.org: did not receive HSTS header
 anadoluefessporkulubu.org: could not connect to host
 anagra.ms: could not connect to host
-anaiscoachpersonal.es: could not connect to host
 anaisypirueta.es: did not receive HSTS header
 anajianu.ro: max-age too low: 2592000
 anakros.me: could not connect to host
@@ -1122,7 +1150,6 @@ analangelsteen.com: could not connect to host
 analpantyhose.org: could not connect to host
 analteengirls.net: could not connect to host
 analytic-s.ml: could not connect to host
-analytics-shop.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 analyticsinmotion.net: could not connect to host
 analyzemyfriends.com: could not connect to host
 anastasiafond.com: did not receive HSTS header
@@ -1147,7 +1174,6 @@ andreastoneman.com: could not connect to host
 andrefaber.nl: did not receive HSTS header
 andrei-coman.com: did not receive HSTS header
 andreigec.net: did not receive HSTS header
-andrejbenz.com: could not connect to host
 andrejstefanovski.com: did not receive HSTS header
 andrepicard.de: could not connect to host
 andrerose.ca: did not receive HSTS header
@@ -1163,6 +1189,7 @@ andrewregan.me: could not connect to host
 andrewtebert.com: did not receive HSTS header
 andrewthelott.net: could not connect to host
 andrewvoce.com: did not receive HSTS header
+andrewx.net: could not connect to host
 andrewyg.net: could not connect to host
 andreypopp.com: could not connect to host
 android: could not connect to host
@@ -1176,6 +1203,7 @@ andycloud.dynu.net: could not connect to host
 andycraftz.eu: did not receive HSTS header
 andymartin.cc: could not connect to host
 andymelichar.com: max-age too low: 0
+andys-place.co.uk: could not connect to host
 andyuk.org: could not connect to host
 anecuni-club.com: could not connect to host
 anecuni-rec.com: could not connect to host
@@ -1191,7 +1219,6 @@ angervillelorcher.fr: did not receive HSTS header
 anghami.com: did not receive HSTS header
 anglertanke.de: could not connect to host
 anglictinatabor.cz: could not connect to host
-angrut.com: could not connect to host
 angry-monk.com: could not connect to host
 angrydragonproductions.com: could not connect to host
 angrylab.com: did not receive HSTS header
@@ -1201,12 +1228,12 @@ aniaimichal.eu: could not connect to host
 anim.ee: could not connect to host
 animalnet.de: max-age too low: 7776000
 animalstropic.com: could not connect to host
-animatelluris.nl: max-age too low: 300
+animatelluris.nl: max-age too low: 2628000
 anime1.top: could not connect to host
 anime1video.tk: could not connect to host
 animeday.ml: could not connect to host
+animes-portal.info: did not receive HSTS header
 animesfusion.com.br: could not connect to host
-animojis.es: could not connect to host
 animurecs.com: could not connect to host
 aniplus.cf: could not connect to host
 aniplus.gq: could not connect to host
@@ -1218,7 +1245,8 @@ anitube-nocookie.ch: could not connect to host
 anivar.net: could not connect to host
 ankakaak.com: could not connect to host
 ankaraprofesyonelnakliyat.com: did not receive HSTS header
-ankaraprofesyonelnakliyat.com.tr: did not receive HSTS header
+ankaraprofesyonelnakliyat.com.tr: could not connect to host
+ankenbrand.me: did not receive HSTS header
 ankitha.in: max-age too low: 0
 ankya9.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 anlp.top: could not connect to host
@@ -1232,9 +1260,9 @@ annicascakes.nl: could not connect to host
 annotate.software: could not connect to host
 annrusnak.com: did not receive HSTS header
 annsbouncycastles.com: could not connect to host
+anohana.org: could not connect to host
 anomaly.ws: did not receive HSTS header
 anonboards.com: could not connect to host
-anoneko.com: could not connect to host
 anonrea.ch: could not connect to host
 anonukradio.org: could not connect to host
 anonymo.co.uk: could not connect to host
@@ -1259,7 +1287,7 @@ anthonyavon.com: could not connect to host
 anthonyloop.com: did not receive HSTS header
 anthro.id: did not receive HSTS header
 antifraud.net.ru: could not connect to host
-antimatiere.space: could not connect to host
+antimatiere.space: did not receive HSTS header
 antimine.kr: could not connect to host
 antipa.ch: could not connect to host
 antirayapmalang.com: did not receive HSTS header
@@ -1274,7 +1302,7 @@ antons.io: did not receive HSTS header
 antraxx.ee: could not connect to host
 antscript.com: did not receive HSTS header
 anunayk.com: could not connect to host
-anycoin.me: could not connect to host
+anycoin.me: did not receive HSTS header
 anyfood.fi: could not connect to host
 anypool.fr: did not receive HSTS header
 anypool.net: did not receive HSTS header
@@ -1297,15 +1325,19 @@ apaginastore.com.br: could not connect to host
 apeasternpower.com: could not connect to host
 aperim.com: max-age too low: 43200
 aperture-laboratories.science: did not receive HSTS header
+apexitsolutions.ca: could not connect to host
 api.mega.co.nz: could not connect to host
 apibot.de: could not connect to host
 apience.com: did not receive HSTS header
+apila.care: could not connect to host
+apila.us: could not connect to host
 apiled.io: could not connect to host
 apis.blue: could not connect to host
 apis.google.com: did not receive HSTS header (error ignored - included regardless)
 apis.world: could not connect to host
 apivia.fr: did not receive HSTS header
 apkdv.com: did not receive HSTS header
+apkmod.id: did not receive HSTS header
 apkoyunlar.club: could not connect to host
 apkriver.com: did not receive HSTS header
 apl2bits.net: did not receive HSTS header
@@ -1326,12 +1358,13 @@ app-arena.com: did not receive HSTS header
 app.manilla.com: could not connect to host
 apparels24.com: did not receive HSTS header
 appart.ninja: could not connect to host
-appchive.net: could not connect to host
 appcoins.io: did not receive HSTS header
 appdb.cc: did not receive HSTS header
 appdrinks.com: could not connect to host
+appel-aide.ch: could not connect to host
 appeldorn.me: did not receive HSTS header
 appengine.google.com: did not receive HSTS header (error ignored - included regardless)
+appformacpc.com: did not receive HSTS header
 appimlab.it: could not connect to host
 apple-watch-zubehoer.de: could not connect to host
 apple.ax: could not connect to host
@@ -1352,23 +1385,23 @@ appsdash.io: could not connect to host
 appson.co.uk: did not receive HSTS header
 apptoutou.com: could not connect to host
 appuro.com: did not receive HSTS header
+appxcrypto.com: did not receive HSTS header
 aprefix.com: could not connect to host
 aprpullmanportermuseum.org: did not receive HSTS header
-aptitude9.com: did not receive HSTS header
+aptitude9.com: could not connect to host
 aqilacademy.com.au: could not connect to host
 aqqrate.com: could not connect to host
 aquariumaccessories.shop: could not connect to host
-aquaselect.eu: could not connect to host
+aquaron.com: did not receive HSTS header
 aquilaguild.com: could not connect to host
 aquilalab.com: could not connect to host
 aquireceitas.com: did not receive HSTS header
 ar.al: did not receive HSTS header
-arabdigitalexpression.org: could not connect to host
+arabdigitalexpression.org: did not receive HSTS header
 arabsexi.info: could not connect to host
 aradulconteaza.ro: could not connect to host
 aran.me.uk: could not connect to host
 aranel.me: could not connect to host
-arawaza.biz: did not receive HSTS header
 arawaza.info: could not connect to host
 arboineuropa.nl: did not receive HSTS header
 arboleda-hurtado.com: could not connect to host
@@ -1384,11 +1417,13 @@ arctica.io: did not receive HSTS header
 ardao.me: could not connect to host
 ardorlabs.se: did not receive HSTS header
 area3.org: could not connect to host
+area536.com: did not receive HSTS header
 areallyneatwebsite.com: could not connect to host
 arent.kz: did not receive HSTS header
 arenzanaphotography.com: could not connect to host
 arewedubstepyet.com: could not connect to host
 areyouever.me: could not connect to host
+argama-nature.com: did not receive HSTS header
 argennon.xyz: could not connect to host
 argh.io: could not connect to host
 arguggi.co.uk: could not connect to host
@@ -1416,7 +1451,7 @@ armeni-jewellery.gr: did not receive HSTS header
 armenians.online: could not connect to host
 armingrodon.de: did not receive HSTS header
 armodec.com: did not receive HSTS header
-armor.com: could not connect to host
+armor.com: did not receive HSTS header
 armored.ninja: did not receive HSTS header
 armory.consulting: could not connect to host
 armory.supplies: could not connect to host
@@ -1439,7 +1474,6 @@ arrowgrove.com: could not connect to host
 ars-design.net: could not connect to host
 arsenal.ru: could not connect to host
 arsk1.com: could not connect to host
-art2web.net: could not connect to host
 artansoft.com: could not connect to host
 artaronquieres.com: did not receive HSTS header
 artartefatos.com.br: could not connect to host
@@ -1466,8 +1500,10 @@ arto.bg: did not receive HSTS header
 artofeyes.nl: could not connect to host
 artsinthevalley.net.au: did not receive HSTS header
 artstopinc.com: did not receive HSTS header
+arturkohut.com: could not connect to host
 artyland.ru: could not connect to host
 arvamus.eu: could not connect to host
+arw.me: did not receive HSTS header
 arzaroth.com: did not receive HSTS header
 as.se: could not connect to host
 as9178.net: could not connect to host
@@ -1479,7 +1515,11 @@ asc16.com: could not connect to host
 aschaefer.net: could not connect to host
 asdpress.cn: could not connect to host
 aseith.com: could not connect to host
+aseko.gr: did not receive HSTS header
 asepms.com: max-age too low: 7776000
+ashd1.goip.de: could not connect to host
+ashd2.goip.de: could not connect to host
+ashd3.goip.de: could not connect to host
 ashlane-cottages.com: could not connect to host
 ashleakunowski.com: could not connect to host
 ashleyadum.com: could not connect to host
@@ -1490,7 +1530,6 @@ asian-archi.com.tw: did not receive HSTS header
 asianbet77.co: did not receive HSTS header
 asianbet77.net: did not receive HSTS header
 asisee.co.il: could not connect to host
-ask.pe: could not connect to host
 askfit.cz: did not receive HSTS header
 askmagicconch.com: could not connect to host
 aslinfinity.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -1501,6 +1540,7 @@ asmui.ga: could not connect to host
 asmui.ml: did not receive HSTS header
 asoftwareco.com: did not receive HSTS header
 asphaltfruehling.de: could not connect to host
+aspisdata.com: did not receive HSTS header
 asral7.com: could not connect to host
 asryflorist.com: did not receive HSTS header
 ass.org.au: did not receive HSTS header
@@ -1509,13 +1549,14 @@ assdecoeur.org: could not connect to host
 assekuranzjobs.de: could not connect to host
 asset-alive.com: did not receive HSTS header
 asset-alive.net: could not connect to host
+assetict.com: max-age too low: 0
 assetsupervision.com: could not connect to host
 assindia.nl: did not receive HSTS header
 assistance-personnes-agees.ch: could not connect to host
 assistcart.com: could not connect to host
-asspinter.me: could not connect to host
 assurancesmons.be: did not receive HSTS header
 astaninki.com: could not connect to host
+astenretail.com: could not connect to host
 asthon.cn: could not connect to host
 astraalivankila.net: could not connect to host
 astral.gq: did not receive HSTS header
@@ -1524,7 +1565,6 @@ astrea-voetbal-groningen.nl: could not connect to host
 astrolpost.com: could not connect to host
 astromelody.com: did not receive HSTS header
 astronomie-fulda.de: did not receive HSTS header
-astrosnail.pt.eu.org: could not connect to host
 astutr.co: could not connect to host
 asuhe.cc: could not connect to host
 asuhe.win: did not receive HSTS header
@@ -1532,6 +1572,7 @@ asuhe.xyz: could not connect to host
 async.be: could not connect to host
 at-one.ca: did not receive HSTS header
 at1.co: could not connect to host
+ataber.pw: could not connect to host
 atacadooptico.com.br: could not connect to host
 atavio.at: could not connect to host
 atavio.ch: could not connect to host
@@ -1548,15 +1589,16 @@ athaliasoft.com: could not connect to host
 athenelive.com: could not connect to host
 athensbusinessresources.us: could not connect to host
 atheoryofchange.com: could not connect to host
+atherosense.ga: could not connect to host
 athi.pl: did not receive HSTS header
 athul.xyz: could not connect to host
 atk.me: could not connect to host
 atkdesign.pt: did not receive HSTS header
+atlantahairsurgeon.com: did not receive HSTS header
 atlas-5.site: could not connect to host
 atlas-staging.ml: could not connect to host
 atlas.co: did not receive HSTS header
 atlassian.net: did not receive HSTS header
-atlayo.com: could not connect to host
 atlex.nl: did not receive HSTS header
 atlseccon.com: did not receive HSTS header
 atmocdn.com: could not connect to host
@@ -1568,7 +1610,6 @@ atracaosexshop.com.br: could not connect to host
 atrevillot.com: could not connect to host
 attelage.net: did not receive HSTS header
 attic118.com: could not connect to host
-attilagyorffy.com: could not connect to host
 attimidesigns.com: did not receive HSTS header
 attogproductions.com: did not receive HSTS header
 au-pair24.de: did not receive HSTS header
@@ -1585,11 +1626,9 @@ aufprise.de: did not receive HSTS header
 augaware.org: did not receive HSTS header
 augenblicke-blog.de: could not connect to host
 augias.org: could not connect to host
-augiero.it: could not connect to host
-augix.net: could not connect to host
 augrandinquisiteur.com: did not receive HSTS header
-august.black: could not connect to host
 aujapan.ru: could not connect to host
+aulaschrank.gq: could not connect to host
 auntieme.com: did not receive HSTS header
 auntmia.com: could not connect to host
 aur.rocks: did not receive HSTS header
@@ -1633,6 +1672,7 @@ autodeploy.it: could not connect to host
 autoecolebudget.ch: did not receive HSTS header
 autoecoledumontblanc.com: could not connect to host
 autoeet.cz: did not receive HSTS header
+autohaus-snater.de: did not receive HSTS header
 autojuhos.sk: could not connect to host
 autokovrik-diskont.ru: did not receive HSTS header
 automobiles5.com: could not connect to host
@@ -1652,6 +1692,7 @@ av.de: did not receive HSTS header
 av01.tv: could not connect to host
 av163.cc: could not connect to host
 avadatravel.com: did not receive HSTS header
+avalon-studios.de: could not connect to host
 avalyuan.com: could not connect to host
 avantmfg.com: did not receive HSTS header
 avaq.fr: did not receive HSTS header
@@ -1670,7 +1711,7 @@ avmemo.com: could not connect to host
 avmo.pw: could not connect to host
 avmoo.com: could not connect to host
 avonlearningcampus.com: could not connect to host
-avotoma.com: did not receive HSTS header
+avotoma.com: could not connect to host
 avso.pw: could not connect to host
 avspot.net: could not connect to host
 avus-automobile.com: did not receive HSTS header
@@ -1697,7 +1738,7 @@ axg.io: did not receive HSTS header
 axialsports.com: did not receive HSTS header
 axis-stralis.co.uk: could not connect to host
 axiumacademy.com: did not receive HSTS header
-axka.com: could not connect to host
+axka.com: did not receive HSTS header
 axolsoft.com: max-age too low: 10540800
 axtudo.com: did not receive HSTS header
 axtux.tk: could not connect to host
@@ -1711,10 +1752,8 @@ ayor.jp: could not connect to host
 ayor.tech: could not connect to host
 ayuru.info: could not connect to host
 az-vinyl-boden.de: could not connect to host
-azabani.com: did not receive HSTS header
 azamra.com: did not receive HSTS header
 azia.info: could not connect to host
-azino777.ru: could not connect to host
 azirevpn.com: did not receive HSTS header
 azlo.com: did not receive HSTS header
 azprep.us: could not connect to host
@@ -1725,6 +1764,7 @@ b-entropy.com: could not connect to host
 b-pi.duckdns.org: could not connect to host
 b-rickroll-e.pw: could not connect to host
 b-space.de: could not connect to host
+b-ticket.ch: could not connect to host
 b0618.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b0618.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b0868.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -1742,6 +1782,7 @@ b2b-nestle.com.br: could not connect to host
 b2bpromoteit.com: did not receive HSTS header
 b3orion.com: could not connect to host
 b422edu.com: could not connect to host
+b4r7.de: did not receive HSTS header
 b5189.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b5189.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b5289.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -1753,7 +1794,7 @@ b8591.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_
 b8591.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b8979.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b8979.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-b8a.me: could not connect to host
+b8a.me: did not receive HSTS header
 b9018.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b9018.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b9108.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -1765,7 +1806,7 @@ b9112.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_
 b911gt.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b911gt.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b9168.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-b91688.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+b91688.com: could not connect to host
 b91688.info: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b91688.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b91688.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -1853,7 +1894,7 @@ babybic.hu: could not connect to host
 babycs.house: could not connect to host
 babyhouse.xyz: could not connect to host
 babyliss-pro.com: could not connect to host
-babyliss-pro.net: max-age too low: 0
+babyliss-pro.net: did not receive HSTS header
 babysaying.me: could not connect to host
 babystep.tv: did not receive HSTS header
 bacchanallia.com: could not connect to host
@@ -1861,13 +1902,11 @@ bacgrouppublishing.com: could not connect to host
 bacimg.com: did not receive HSTS header
 back-bone.nl: did not receive HSTS header
 backenmachtgluecklich.de: max-age too low: 2592000
-backgroundchecks.online: did not receive HSTS header
 backgroundz.net: could not connect to host
 backintomotionphysiotherapy.com: did not receive HSTS header
 backlogapp.io: could not connect to host
 backpacken.org: could not connect to host
 backscattering.de: did not receive HSTS header
-backupsinop.com.br: did not receive HSTS header
 backyardbbqbash.com: did not receive HSTS header
 baconate.com: did not receive HSTS header
 bad.show: could not connect to host
@@ -1880,6 +1919,7 @@ badkamergigant.com: could not connect to host
 baff.lu: could not connect to host
 baffinlee.com: did not receive HSTS header
 bagiobella.com: max-age too low: 0
+baglu.com: could not connect to host
 bagstage.de: did not receive HSTS header
 baiduaccount.com: could not connect to host
 baildonhottubs.co.uk: could not connect to host
@@ -1887,12 +1927,12 @@ bair.io: could not connect to host
 bairdzhang.com: could not connect to host
 baito-j.jp: did not receive HSTS header
 baixoutudo.com: did not receive HSTS header
+bajajfinserv.in: did not receive HSTS header
 bakabt.info: could not connect to host
 bakanin.ru: could not connect to host
 bakaweb.fr: could not connect to host
 bakhansen.com: did not receive HSTS header
 bakkerdesignandbuild.com: did not receive HSTS header
-bakongcondo.com: could not connect to host
 bakxnet.com: could not connect to host
 balatoni-nyar.hu: did not receive HSTS header
 balcan-underground.net: could not connect to host
@@ -1902,6 +1942,7 @@ balenciaspa.com: did not receive HSTS header
 balihai.com: did not receive HSTS header
 balilingo.ooo: could not connect to host
 ballbusting-cbt.com: could not connect to host
+balle.dk: could not connect to host
 ballitolocksmith.com: could not connect to host
 balloonphp.com: could not connect to host
 balnearionaturaspa.com: did not receive HSTS header
@@ -1921,12 +1962,12 @@ bandar303.id: did not receive HSTS header
 bandar303.win: did not receive HSTS header
 bandarifamily.com: could not connect to host
 bandb.xyz: did not receive HSTS header
-bandrcrafts.com: did not receive HSTS header
+bandrcrafts.com: could not connect to host
 banduhn.com: did not receive HSTS header
 bangzafran.com: could not connect to host
 bank: could not connect to host
 bankcircle.co.in: could not connect to host
-bankfreeoffers.com: did not receive HSTS header
+bankersonline.com: could not connect to host
 bankitt.network: could not connect to host
 bankmilhas.com.br: did not receive HSTS header
 bankofrealty.review: could not connect to host
@@ -1948,7 +1989,7 @@ barcouniforms.com: did not receive HSTS header
 barely.sexy: did not receive HSTS header
 barf-alarm.de: did not receive HSTS header
 bargainmovingcompany.com: did not receive HSTS header
-bariller.fr: could not connect to host
+bariller.fr: did not receive HSTS header
 baris-sagdic.com: could not connect to host
 barnrats.com: could not connect to host
 baropkamp.be: did not receive HSTS header
@@ -1960,7 +2001,7 @@ barrett.ag: did not receive HSTS header
 barrut.me: did not receive HSTS header
 barshout.co.uk: could not connect to host
 barss.io: could not connect to host
-bartbania.com: did not receive HSTS header
+bartel.ws: could not connect to host
 bartelldrugs.com: did not receive HSTS header
 barunisystems.com: could not connect to host
 bascht.com: did not receive HSTS header
@@ -1983,6 +2024,7 @@ bat909.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR
 bat9vip.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 bat9vip.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 batfoundry.com: could not connect to host
+batipresta.ch: did not receive HSTS header
 batonger.com: could not connect to host
 batten.eu.org: could not connect to host
 batteryservice.ru: did not receive HSTS header
@@ -1992,6 +2034,7 @@ baudairenergyservices.com: did not receive HSTS header
 bauen-mit-ziegel.de: max-age too low: 604800
 baum.ga: did not receive HSTS header
 baumstark.ca: could not connect to host
+bautied.de: did not receive HSTS header
 bayinstruments.com: could not connect to host
 bayrisch-fuer-anfaenger.de: did not receive HSTS header
 baysse.eu: did not receive HSTS header
@@ -2030,10 +2073,11 @@ bcnet.com.hk: could not connect to host
 bcnet.hk: could not connect to host
 bcodeur.com: did not receive HSTS header
 bcradio.org: could not connect to host
+bcs.adv.br: did not receive HSTS header
 bcsytv.com: could not connect to host
-bcvps.com: could not connect to host
+bcvps.com: did not receive HSTS header
 bcweightlifting.ca: could not connect to host
-bdata.cl: did not receive HSTS header
+bdata.cl: could not connect to host
 bddemir.com: could not connect to host
 bde-epitech.fr: could not connect to host
 bdenzer.com: did not receive HSTS header
@@ -2041,19 +2085,20 @@ bdenzer.xyz: could not connect to host
 bdikaros-network.net: could not connect to host
 bdsmxxxpics.com: could not connect to host
 be9418.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-be9418.info: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+be9418.info: could not connect to host
 be9418.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-be9418.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+be9418.org: could not connect to host
 be9458.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 be9458.info: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 be9458.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 be9458.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 be958.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-be958.info: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+be958.info: could not connect to host
 be958.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-be958.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+be958.org: could not connect to host
 be9966.com: could not connect to host
 beach-inspector.com: did not receive HSTS header
+beachfutbolclub.com: did not receive HSTS header
 beachi.es: could not connect to host
 beacinsight.com: could not connect to host
 beaglewatch.com: could not connect to host
@@ -2061,7 +2106,7 @@ beagreenbean.co.uk: could not connect to host
 beamitapp.com: could not connect to host
 beanbot.party: could not connect to host
 beanworks.ca: did not receive HSTS header
-bearden.io: did not receive HSTS header
+bearden.io: could not connect to host
 beardydave.com: did not receive HSTS header
 beasel.biz: could not connect to host
 beastlog.tk: could not connect to host
@@ -2072,6 +2117,7 @@ bebeefy.uk: could not connect to host
 bebesurdoue.com: could not connect to host
 beccajoshwedding.com: could not connect to host
 becklove.cn: could not connect to host
+beckon.com: did not receive HSTS header
 becoast.fr: did not receive HSTS header
 becubed.co: could not connect to host
 bedabox.com: did not receive HSTS header
@@ -2091,11 +2137,12 @@ befundup.com: could not connect to host
 begcykel.com: did not receive HSTS header
 begoodny.co.il: max-age too low: 7889238
 behere.be: could not connect to host
-beholdthehurricane.com: did not receive HSTS header
+beholdthehurricane.com: could not connect to host
 beier.io: could not connect to host
 beikeil.de: did not receive HSTS header
 beingmad.org: did not receive HSTS header
 belairsewvac.com: could not connect to host
+belastingdienst-in-beeld.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 belcompany.nl: could not connect to host
 belewpictures.com: could not connect to host
 belgien.guide: could not connect to host
@@ -2107,6 +2154,7 @@ belmontprom.com: could not connect to host
 belpbleibtbelp.ch: could not connect to host
 belua.com: did not receive HSTS header
 belwederczykow.eu: could not connect to host
+belyvly.com: did not receive HSTS header
 bemvindoaolar.com.br: could not connect to host
 bemyvictim.com: max-age too low: 2678400
 benchcast.com: did not receive HSTS header
@@ -2128,7 +2176,8 @@ benjamindietrich.com: could not connect to host
 benjaminesims.com: did not receive HSTS header
 benjaminjurke.net: did not receive HSTS header
 benk.press: could not connect to host
-benny003.de: could not connect to host
+benmorecentre.co.uk: did not receive HSTS header
+benny003.de: did not receive HSTS header
 benohead.com: did not receive HSTS header
 bentphotos.se: could not connect to host
 benwattie.com: did not receive HSTS header
@@ -2140,15 +2189,13 @@ bep362.vn: could not connect to host
 beraru.tk: could not connect to host
 beraten-entwickeln-steuern.de: could not connect to host
 berdaguermontes.eu: could not connect to host
-berdu.id: did not receive HSTS header
 berduri.com: did not receive HSTS header
 beretech.fr: could not connect to host
 berger.work: could not connect to host
 bergfex.at: did not receive HSTS header
 bergland-seefeld.at: did not receive HSTS header
 berhampore-gateway.tk: could not connect to host
-berinhard.pl: did not receive HSTS header
-berlatih.com: could not connect to host
+berlatih.com: did not receive HSTS header
 berliancom.com: did not receive HSTS header
 berlin-kohlefrei.de: could not connect to host
 berlinleaks.com: could not connect to host
@@ -2160,6 +2207,7 @@ berseb.se: could not connect to host
 berthelier.me: could not connect to host
 berz.one: could not connect to host
 besb66.club: could not connect to host
+besb66.com: did not receive HSTS header
 besb66.me: could not connect to host
 besb66.ninja: could not connect to host
 besb66.rocks: could not connect to host
@@ -2200,11 +2248,10 @@ bet9bet9.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERR
 betaclean.fr: did not receive HSTS header
 betafive.net: could not connect to host
 betakah.net: did not receive HSTS header
-betamint.org: could not connect to host
+betamint.org: did not receive HSTS header
 betcafearena.ro: could not connect to host
 betformular.com: could not connect to host
 betgo9.cc: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-bethanyduke.com: could not connect to host
 bethditto.com: did not receive HSTS header
 betkoo.com: could not connect to host
 betnet.fr: could not connect to host
@@ -2251,15 +2298,17 @@ bgdaddy.com: did not receive HSTS header
 bgenlisted.com: could not connect to host
 bgfashion.net: could not connect to host
 bgneuesheim.de: did not receive HSTS header
+bgp.ee: could not connect to host
 bhatia.at: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 bhosted.nl: did not receive HSTS header
+biancolievito.it: did not receive HSTS header
 bianinapiccanovias.com: could not connect to host
 biaoqingfuhao.net: did not receive HSTS header
 biaoqingfuhao.org: did not receive HSTS header
 biapinheiro.com.br: max-age too low: 5184000
-biathloncup.ru: could not connect to host
 biblerhymes.com: did not receive HSTS header
 bibliafeminina.com.br: could not connect to host
+biblio.wiki: could not connect to host
 bichines.es: did not receive HSTS header
 bichonfrise.com.br: could not connect to host
 bichonmaltes.com.br: could not connect to host
@@ -2273,7 +2322,7 @@ bienenblog.cc: could not connect to host
 bier.jp: did not receive HSTS header
 bierbringer.at: could not connect to host
 bierochs.org: could not connect to host
-biewen.me: could not connect to host
+biewen.me: did not receive HSTS header
 big-black.de: did not receive HSTS header
 bigbbqbrush.bid: could not connect to host
 bigbounceentertainment.co.uk: could not connect to host
@@ -2286,19 +2335,20 @@ biglagoonrentals.com: did not receive HSTS header
 bigshinylock.minazo.net: could not connect to host
 bigshort.org: could not connect to host
 biguixhe.net: could not connect to host
-bijoux.com.br: could not connect to host
 bijouxbrasil.com.br: did not receive HSTS header
 bijouxdegriffe.com.br: could not connect to host
 bijugeral.com.br: could not connect to host
 bijuteriicualint.ro: could not connect to host
 bikelifetvkidsquads.co.uk: could not connect to host
 bikermusic.net: could not connect to host
+bikeshopitalia.com: could not connect to host
 bilanligne.com: did not receive HSTS header
 bildermachr.de: could not connect to host
+biletru.net: could not connect to host
 biletua.de: could not connect to host
 biletyplus.ru: did not receive HSTS header
 bilibili.red: could not connect to host
-bill-nye-the.science: did not receive HSTS header
+bill-nye-the.science: could not connect to host
 billdestler.com: did not receive HSTS header
 billigssl.dk: did not receive HSTS header
 billkiss.com: could not connect to host
@@ -2310,7 +2360,6 @@ binam.center: could not connect to host
 binarization.net: could not connect to host
 binarization.org: did not receive HSTS header
 binaryabstraction.com: could not connect to host
-binaryevolved.com: could not connect to host
 binaryfigments.com: max-age too low: 7776000
 binbin9.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 binbin9.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -2323,7 +2372,8 @@ bingofriends.com: could not connect to host
 bingostars.com: did not receive HSTS header
 binimo.com: could not connect to host
 binkanhada.biz: could not connect to host
-biocrafting.net: did not receive HSTS header
+binsp.net: could not connect to host
+bintelligence.nl: did not receive HSTS header
 bioespuna.eu: did not receive HSTS header
 biofam.ru: did not receive HSTS header
 biomax-mep.com.br: did not receive HSTS header
@@ -2334,13 +2384,13 @@ biospeak.solutions: could not connect to host
 biou.me: could not connect to host
 biovalue.eu: could not connect to host
 bip.gov.sa: could not connect to host
+birchbarkfurniture.ch: could not connect to host
 birdandbranchnyc.com: max-age too low: 43200
 birkengarten.ch: could not connect to host
 birkman.com: did not receive HSTS header
 biscuits-rec.com: could not connect to host
 biscuits-shop.com: could not connect to host
-bismarck-tb.de: could not connect to host
-bismarck.moe: did not receive HSTS header
+bismarck.moe: could not connect to host
 bisterfeldt.com: did not receive HSTS header
 bistrodeminas.com: could not connect to host
 biswas.me: could not connect to host
@@ -2348,6 +2398,7 @@ bit.voyage: did not receive HSTS header
 bitace.com: did not receive HSTS header
 bitbit.org: did not receive HSTS header
 bitbr.net: did not receive HSTS header
+bitcalt.ga: could not connect to host
 bitcantor.com: did not receive HSTS header
 bitchan.it: could not connect to host
 bitclubfun.com: did not receive HSTS header
@@ -2361,10 +2412,10 @@ bitcoinfo.jp: did not receive HSTS header
 bitcoinhk.org: did not receive HSTS header
 bitcoinjpn.com: could not connect to host
 bitcoinprivacy.net: did not receive HSTS header
+bitcoinwalletscript.tk: could not connect to host
 bitcoinworld.me: could not connect to host
 bitconcepts.co.uk: could not connect to host
 bitedge.com: did not receive HSTS header
-bitenose.com: could not connect to host
 bitenose.net: could not connect to host
 bitenose.org: could not connect to host
 biteoftech.com: did not receive HSTS header
@@ -2402,16 +2453,18 @@ bitvigor.com: could not connect to host
 bitwrought.net: could not connect to host
 bityes.org: could not connect to host
 bivsi.com: could not connect to host
+biyori.moe: did not receive HSTS header
 bizcms.com: could not connect to host
 bizedge.co.nz: did not receive HSTS header
 bizon.sk: did not receive HSTS header
-bizpare.com: did not receive HSTS header
+bizpare.com: max-age too low: 2592000
 bizzartech.com: did not receive HSTS header
 bizzi.tv: could not connect to host
 bizzybeebouncers.co.uk: could not connect to host
 bjgongyi.com: did not receive HSTS header
 bjl5689.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 bjl5689.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+bjolanta.pl: could not connect to host
 bjrn.io: could not connect to host
 bjtxl.cn: could not connect to host
 bk-wife.com: could not connect to host
@@ -2431,11 +2484,13 @@ blackburn.link: could not connect to host
 blackdesertsp.com: could not connect to host
 blackdiam.net: did not receive HSTS header
 blackdragoninc.org: could not connect to host
+blackhell.xyz: could not connect to host
 blacklane.com: did not receive HSTS header
 blackly.uk: max-age too low: 0
 blackmagic.sk: could not connect to host
 blackmirror.com.au: did not receive HSTS header
 blackphantom.de: could not connect to host
+blackroot.eu: max-age too low: 10368000
 blackscreen.me: could not connect to host
 blackunicorn.wtf: could not connect to host
 bladesmith.io: did not receive HSTS header
@@ -2443,7 +2498,6 @@ blakerandall.xyz: did not receive HSTS header
 blantik.net: could not connect to host
 blantr.com: could not connect to host
 blarg.co: could not connect to host
-blauerhunger.de: could not connect to host
 blauwwit.be: did not receive HSTS header
 blazeit.io: could not connect to host
 blechpirat.name: could not connect to host
@@ -2455,7 +2509,6 @@ blessnet.jp: did not receive HSTS header
 bleutecmedia.com: did not receive HSTS header
 blha303.com.au: could not connect to host
 bliker.ga: could not connect to host
-blikund.swedbank.se: did not receive HSTS header
 blindaryproduction.tk: could not connect to host
 blindsexdate.nl: did not receive HSTS header
 bling9.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -2464,6 +2517,7 @@ bling999.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERR
 bling999.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 blinkenlight.co.uk: could not connect to host
 blinkenlight.com.au: could not connect to host
+blitzvendor.com: could not connect to host
 blizz.news: max-age too low: 0
 blmiller.com: did not receive HSTS header
 blocksatz-medien.de: could not connect to host
@@ -2494,10 +2548,11 @@ bls-fiduciaire.be: did not receive HSTS header
 bltc.co: could not connect to host
 blubbablasen.de: could not connect to host
 blucas.org: did not receive HSTS header
+bludnykoren.ml: could not connect to host
 blue17.co.uk: did not receive HSTS header
+bluebahari.gq: could not connect to host
 bluebill.net: did not receive HSTS header
-bluecardlottery.eu: did not receive HSTS header
-bluecards.eu: did not receive HSTS header
+bluecardlottery.eu: could not connect to host
 bluecon.eu: could not connect to host
 bluefinger.nl: did not receive HSTS header
 blueglobalmedia.com: could not connect to host
@@ -2505,6 +2560,7 @@ bluehawk.cloud: could not connect to host
 bluehelixmusic.com: could not connect to host
 blueliv.com: did not receive HSTS header
 bluemoonroleplaying.com: could not connect to host
+bluemosh.com: could not connect to host
 bluepearl.tk: could not connect to host
 bluepoint.foundation: could not connect to host
 bluepoint.institute: could not connect to host
@@ -2515,7 +2571,6 @@ bluesecure.com.br: could not connect to host
 bluetenmeer.com: did not receive HSTS header
 bluezonehealth.co.uk: did not receive HSTS header
 blui.cf: max-age too low: 1209600
-bluiandaj.ml: could not connect to host
 bluketing.com: did not receive HSTS header
 blumen-binder.ch: did not receive HSTS header
 blumen-garage.de: could not connect to host
@@ -2532,6 +2587,8 @@ bm-i.ch: could not connect to host
 bm-trading.nl: did not receive HSTS header
 bmet.de: did not receive HSTS header
 bmoattachments.org: did not receive HSTS header
+bmone.net: could not connect to host
+bn4t.me: did not receive HSTS header
 bnb-buddy.nl: could not connect to host
 bnboy.cn: could not connect to host
 bngsecure.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -2557,7 +2614,6 @@ bodrumfarm.com: could not connect to host
 bodyblog.nl: did not receive HSTS header
 bodybuilding-legends.com: could not connect to host
 bodybuilding.events: could not connect to host
-bodymusclejournal.com: could not connect to host
 bodyweightsolution.com: could not connect to host
 boel073.nl: did not receive HSTS header
 boensou.com: did not receive HSTS header
@@ -2578,20 +2634,22 @@ bombsquad.studio: could not connect to host
 bonamihome.ro: could not connect to host
 bonapp.restaurant: could not connect to host
 bondagefetishstore.com: could not connect to host
-bondtofte.dk: did not receive HSTS header
 boneko.de: did not receive HSTS header
-bonigo.de: did not receive HSTS header
+bonigo.de: could not connect to host
+bonita.com.br: could not connect to host
 bonitabrazilian.co.nz: did not receive HSTS header
+bonniekitchen.com: could not connect to host
 bonnin.fr: did not receive HSTS header
 bonobo.cz: could not connect to host
-bonop.com: could not connect to host
+bonop.com: did not receive HSTS header
+bonsi.net: could not connect to host
 bonta.one: could not connect to host
 bonus-flexi.com: did not receive HSTS header
 boobox.xyz: could not connect to host
-boodaah.com: did not receive HSTS header
 book-of-ra.de: could not connect to host
 bookcelerator.com: did not receive HSTS header
 booked.holiday: could not connect to host
+bookingdeluxesp.com: did not receive HSTS header
 bookingentertainment.com: did not receive HSTS header
 bookmakersfreebets.com.au: did not receive HSTS header
 bookofraonlinecasinos.com: could not connect to host
@@ -2616,12 +2674,12 @@ borchers-media.de: could not connect to host
 borchers.ninja: did not receive HSTS header
 borderlinegroup.com: could not connect to host
 borgmestervangen.xyz: could not connect to host
+borgodigatteraia.it: could not connect to host
 boringsecurity.net: could not connect to host
 boris.one: could not connect to host
 borisavstankovic.rs: could not connect to host
 borisbesemer.com: could not connect to host
 born-to-learn.com: could not connect to host
-borowski.pw: could not connect to host
 borrelioz.com: did not receive HSTS header
 borscheid-wenig.com: did not receive HSTS header
 borzoi.com.br: could not connect to host
@@ -2631,10 +2689,12 @@ botlab.ch: could not connect to host
 botmanager.pl: could not connect to host
 botox.bz: did not receive HSTS header
 bots.cat: could not connect to host
-bottke.berlin: could not connect to host
+botserver.de: could not connect to host
+botstack.host: could not connect to host
 boueki.jp: did not receive HSTS header
 boueki.org: did not receive HSTS header
 bouk.co: could not connect to host
+bounceaboutsussex.co.uk: did not receive HSTS header
 bouncebeyondcastles.co.uk: did not receive HSTS header
 bounceboxspc.com: did not receive HSTS header
 bouncecoffee.com: did not receive HSTS header
@@ -2650,6 +2710,8 @@ bouncycastles.me: could not connect to host
 bouncycastlesperth.net: could not connect to host
 bouncyhouses.co.uk: did not receive HSTS header
 bouncymadness.com: did not receive HSTS header
+bountiful.gov: could not connect to host
+bourgdepabos.com: did not receive HSTS header
 bouwbedrijfpurmerend.nl: did not receive HSTS header
 bowlsheet.com: did not receive HSTS header
 bownty.pt: could not connect to host
@@ -2683,6 +2745,7 @@ braintm.com: could not connect to host
 braintreebouncycastles.com: could not connect to host
 braintreegateway.com: did not receive HSTS header
 braintreepayments.com: did not receive HSTS header
+bramburek.net: could not connect to host
 bran.cc: could not connect to host
 bran.soy: could not connect to host
 branchzero.com: did not receive HSTS header
@@ -2697,11 +2760,12 @@ brandons.site: could not connect to host
 brandontaylor-black.com: could not connect to host
 brandred.net: could not connect to host
 brandspray.com: could not connect to host
+brandtrapselfie.nl: could not connect to host
+brandweeruitgeest.nl: could not connect to host
 brasilien.guide: could not connect to host
 brasilmorar.com: did not receive HSTS header
 bravz.de: could not connect to host
 brb.city: did not receive HSTS header
-breadofgod.org: could not connect to host
 breatheav.com: did not receive HSTS header
 breatheproduction.com: did not receive HSTS header
 breeswish.org: did not receive HSTS header
@@ -2709,7 +2773,6 @@ bregnedalsystems.dk: did not receive HSTS header
 bremensaki.com: max-age too low: 2592000
 brenden.net.au: could not connect to host
 bress.cloud: could not connect to host
-brettcornwall.com: did not receive HSTS header
 brettpemberton.xyz: did not receive HSTS header
 bretz-hufer.de: did not receive HSTS header
 brfvh24.se: could not connect to host
@@ -2719,6 +2782,7 @@ brianpcurran.com: did not receive HSTS header
 brickoo.com: could not connect to host
 brickwerks.io: could not connect to host
 brickyardbuffalo.com: did not receive HSTS header
+brideandgroomdirect.ie: did not receive HSTS header
 bridgeout.com: could not connect to host
 bridholm.se: could not connect to host
 brightfuturemadebyme.com: could not connect to host
@@ -2741,8 +2805,10 @@ brivadois.ovh: did not receive HSTS header
 brix.ninja: did not receive HSTS header
 brks.xyz: could not connect to host
 brmascots.com: could not connect to host
+brn.by: could not connect to host
 broerweb.nl: could not connect to host
 broken-oak.com: could not connect to host
+brokenjoysticks.net: did not receive HSTS header
 brookechase.com: did not receive HSTS header
 brookframework.org: could not connect to host
 brossman.it: could not connect to host
@@ -2750,14 +2816,15 @@ brouwerijkoelit.nl: could not connect to host
 brownlawoffice.us: did not receive HSTS header
 browserid.org: could not connect to host
 brplusdigital.com: could not connect to host
-brrd.io: could not connect to host
 bruckner.li: could not connect to host
 brunix.net: did not receive HSTS header
 brunoonline.co.uk: could not connect to host
+brunoramos.org: could not connect to host
 bryancastillo.site: could not connect to host
 bryanshearer.accountant: did not receive HSTS header
 bryn.xyz: could not connect to host
 brynnan.nl: could not connect to host
+brztec.com: could not connect to host
 bsagan.fr: did not receive HSTS header
 bsalyzer.com: could not connect to host
 bsc01.dyndns.org: could not connect to host
@@ -2785,6 +2852,7 @@ btcpot.ltd: could not connect to host
 btku.org: could not connect to host
 btrb.ml: could not connect to host
 btserv.de: did not receive HSTS header
+btth.xyz: could not connect to host
 bturboo.com: could not connect to host
 btxiaobai.com: did not receive HSTS header
 bubba.cc: could not connect to host
@@ -2812,13 +2880,14 @@ buiko.com: did not receive HSTS header
 build.chromium.org: did not receive HSTS header (error ignored - included regardless)
 buildci.asia: could not connect to host
 buildify.co.za: could not connect to host
+building-cost-estimators.com: did not receive HSTS header
 buildingclouds.at: could not connect to host
 buildingclouds.ch: could not connect to host
 buildingclouds.es: could not connect to host
 buildingclouds.eu: could not connect to host
 buildingclouds.fr: could not connect to host
 buildsaver.co.za: did not receive HSTS header
-builmaker.com: did not receive HSTS header
+builmaker.com: could not connect to host
 built.by: did not receive HSTS header
 buka.jp: could not connect to host
 bukai.men: did not receive HSTS header
@@ -2873,6 +2942,7 @@ businessmodeler.se: could not connect to host
 bustabit.com: could not connect to host
 bustimes.org.uk: did not receive HSTS header
 busybee360.com: could not connect to host
+busyon.cloud: could not connect to host
 butchersworkshop.com: did not receive HSTS header
 butian518.com: did not receive HSTS header
 butt.repair: could not connect to host
@@ -2896,9 +2966,11 @@ buynowdepot.com: did not receive HSTS header
 buyshoe.org: could not connect to host
 buywood.shop: could not connect to host
 buzzconcert.com: could not connect to host
+buzzconf.io: could not connect to host
 buzzdeck.com: did not receive HSTS header
 buzztelco.com.au: could not connect to host
 bvexplained.co.uk: could not connect to host
+bvgg.eu: did not receive HSTS header
 bvionline.eu: did not receive HSTS header
 bvv-europe.eu: could not connect to host
 bw81.xyz: could not connect to host
@@ -2920,12 +2992,13 @@ bwwb.nu: did not receive HSTS header
 bx-web.com: did not receive HSTS header
 by.cx: did not receive HSTS header
 by1896.com: could not connect to host
-by1898.com: could not connect to host
+by1898.com: did not receive HSTS header
 by1899.com: could not connect to host
 by4cqb.cn: could not connect to host
 by77.com: could not connect to host
 by777.com: did not receive HSTS header
 bydisk.com: could not connect to host
+byhe.me: could not connect to host
 byji.com: could not connect to host
 bypass.kr: could not connect to host
 bypassed.bid: could not connect to host
@@ -2947,7 +3020,6 @@ bypassed.today: could not connect to host
 bypassed.works: could not connect to host
 bypassed.world: could not connect to host
 bypro.xyz: could not connect to host
-byronkg.us: could not connect to host
 byronprivaterehab.com.au: did not receive HSTS header
 byronr.com: did not receive HSTS header
 byronwade.com: did not receive HSTS header
@@ -2976,15 +3048,20 @@ c3bbs.com: could not connect to host
 c3hv.cn: could not connect to host
 c3ie.com: did not receive HSTS header
 c4.hk: could not connect to host
+ca-terminal-multiservices.fr: did not receive HSTS header
 cablehighspeed.net: could not connect to host
 cabsites.com: could not connect to host
 cabusar.fr: could not connect to host
 cachethome.com: could not connect to host
 cachethq.io: did not receive HSTS header
 caconnect.org: could not connect to host
+cacr.pw: could not connect to host
 cadao.me: did not receive HSTS header
-cadburymovies.in.net: could not connect to host
+cadburymovies.in.net: did not receive HSTS header
+cadcreations.co.ke: could not connect to host
 cadenadg.gr: did not receive HSTS header
+cadra.nl: could not connect to host
+cadusilva.com: could not connect to host
 caerostris.com: could not connect to host
 caesreon.com: could not connect to host
 cafe-murr.de: could not connect to host
@@ -2993,7 +3070,7 @@ cafe-service.ru: could not connect to host
 cafechesscourt.com: could not connect to host
 cafefresco.pe: did not receive HSTS header
 cafesg.net: did not receive HSTS header
-caibi.io: could not connect to host
+caijunyi.net: did not receive HSTS header
 caim.cz: did not receive HSTS header
 caipai.fm: could not connect to host
 cairnterrier.com.br: could not connect to host
@@ -3009,6 +3086,7 @@ calgaryconstructionjobs.com: did not receive HSTS header
 calidoinvierno.com: could not connect to host
 callabs.net: could not connect to host
 callanbryant.co.uk: did not receive HSTS header
+callawayracing.se: could not connect to host
 calleveryday.com: could not connect to host
 callision.com: did not receive HSTS header
 callmereda.com: could not connect to host
@@ -3021,6 +3099,7 @@ calvin.me: did not receive HSTS header
 calypso-tour.net: could not connect to host
 calypsogames.net: could not connect to host
 camaya.net: did not receive HSTS header
+cambridge-security.com: could not connect to host
 cambridgeanalytica.net: could not connect to host
 cambridgeanalytica.org: did not receive HSTS header
 camisadotorcedor.com.br: could not connect to host
@@ -3049,12 +3128,16 @@ candratech.com: could not connect to host
 candygirl.shop: could not connect to host
 candykidsentertainment.co.uk: did not receive HSTS header
 candylion.rocks: could not connect to host
+canerkorkmaz.com: could not connect to host
+canfield.gov: did not receive HSTS header
+canglong.net: could not connect to host
 canifis.net: did not receive HSTS header
 cannarobotics.com: could not connect to host
+canterberry.cc: did not receive HSTS header
 canterbury.ws: could not connect to host
-canva-dev.com: could not connect to host
 canyons.media: did not receive HSTS header
 caodecristachines.com.br: could not connect to host
+caodesantohumberto.com.br: could not connect to host
 caoyu.info: did not receive HSTS header
 capacent.is: did not receive HSTS header
 capacitacionyautoempleo.com: did not receive HSTS header
@@ -3097,7 +3180,7 @@ carlsbouncycastlesandhottubs.co.uk: did not receive HSTS header
 carlscatering.com: did not receive HSTS header
 caroli.biz: could not connect to host
 caroli.info: could not connect to host
-carpliyz.com: did not receive HSTS header
+carpliyz.com: could not connect to host
 carrando.de: could not connect to host
 carredejardin.com: did not receive HSTS header
 carrentalsathens.com: max-age too low: 0
@@ -3105,7 +3188,6 @@ carroarmato0.be: did not receive HSTS header
 carsforbackpackers.com: could not connect to host
 carsten.pw: did not receive HSTS header
 carstenfeuls.de: did not receive HSTS header
-cartelcircuit.com: could not connect to host
 carterorland.com: could not connect to host
 cartesunicef.be: did not receive HSTS header
 carwashvapeur.be: could not connect to host
@@ -3119,6 +3201,7 @@ casefall.com: could not connect to host
 cash-pos.com: did not receive HSTS header
 cashfortulsahouses.com: could not connect to host
 cashless.fr: did not receive HSTS header
+cashlink.io: did not receive HSTS header
 cashmyphone.ch: could not connect to host
 cashsector.ga: could not connect to host
 casinocashflow.ru: could not connect to host
@@ -3134,8 +3217,9 @@ casovi.cf: could not connect to host
 castagnonavocats.com: did not receive HSTS header
 castlejackpot.com: did not receive HSTS header
 castleswa.com.au: could not connect to host
+cat-blum.com: could not connect to host
 cata.ga: could not connect to host
-catalin.pw: could not connect to host
+catalin.pw: did not receive HSTS header
 catarsisvr.com: could not connect to host
 catcontent.cloud: could not connect to host
 caterkids.com: did not receive HSTS header
@@ -3148,12 +3232,13 @@ cathosting.org: could not connect to host
 catinmay.com: did not receive HSTS header
 catnapstudios.com: could not connect to host
 catnmeow.com: could not connect to host
-catprog.org: could not connect to host
+catprog.org: did not receive HSTS header
 catsmagic.pp.ua: could not connect to host
 causae-fincas.es: did not receive HSTS header
 causae.es: did not receive HSTS header
 cavaleria.ro: did not receive HSTS header
 cavalierkingcharlesspaniel.com.br: could not connect to host
+cave-reynard.ch: could not connect to host
 caveclan.org: did not receive HSTS header
 cavedevs.de: could not connect to host
 cavedroid.xyz: could not connect to host
@@ -3161,6 +3246,7 @@ cavern.tv: did not receive HSTS header
 cayafashion.de: did not receive HSTS header
 cayounglab.co.jp: did not receive HSTS header
 cbamo.org: did not receive HSTS header
+cbdev.de: could not connect to host
 cbi-epa.gov: could not connect to host
 cc2729.com: did not receive HSTS header
 ccayearbook.com: could not connect to host
@@ -3177,7 +3263,7 @@ cd0.us: could not connect to host
 cdcpartners.gov: could not connect to host
 cdeck.net: could not connect to host
 cdkeyworld.de: did not receive HSTS header
-cdlcenter.com: could not connect to host
+cdlcenter.com: did not receive HSTS header
 cdmhp.org.nz: could not connect to host
 cdmon.tech: could not connect to host
 cdn.sx.cn: could not connect to host
@@ -3187,6 +3273,7 @@ cdnk39.com: could not connect to host
 cdreporting.co.uk: did not receive HSTS header
 cdt.org: did not receive HSTS header
 ce-agentur.de: did not receive HSTS header
+ceagriproducts.com: did not receive HSTS header
 cecilwalker.com.au: did not receive HSTS header
 cee.io: could not connect to host
 cefak.org.br: did not receive HSTS header
@@ -3201,10 +3288,12 @@ celigo.com: did not receive HSTS header
 celina-reads.de: could not connect to host
 cellartracker.com: could not connect to host
 cellsites.nz: could not connect to host
+celtadigital.com: did not receive HSTS header
 cem.pw: did not receive HSTS header
 cencalvia.org: could not connect to host
 centennialrewards.com: did not receive HSTS header
 centerforpolicy.org: could not connect to host
+centerpoint.ovh: did not receive HSTS header
 centillien.com: did not receive HSTS header
 centos.pub: could not connect to host
 central4.me: could not connect to host
@@ -3220,7 +3309,7 @@ centrolavoro.org: did not receive HSTS header
 centsforchange.net: could not connect to host
 century-group.com: max-age too low: 2592000
 ceoimon.com: did not receive HSTS header
-ceoptique.com: could not connect to host
+ceoptique.com: did not receive HSTS header
 cercevelet.com: did not receive HSTS header
 ceres1.space: did not receive HSTS header
 ceresia.ch: could not connect to host
@@ -3238,11 +3327,14 @@ certly.io: could not connect to host
 certmgr.org: could not connect to host
 ceruleanmainbeach.com.au: did not receive HSTS header
 cesal.net: could not connect to host
+cesantias.co: could not connect to host
 cesidianroot.eu: could not connect to host
 cespri.com.pe: did not receive HSTS header
 ceta.one: did not receive HSTS header
 cevrimici.com: could not connect to host
 cf11.de: did not receive HSTS header
+cfa.gov: did not receive HSTS header
+cfan.space: could not connect to host
 cfcnexus.org: could not connect to host
 cfcproperties.com: did not receive HSTS header
 cfetengineering.com: could not connect to host
@@ -3257,6 +3349,7 @@ chadklass.com: could not connect to host
 chadtaljaardt.com: could not connect to host
 chahub.com: could not connect to host
 chainmonitor.com: could not connect to host
+chaip.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 chairinstitute.com: did not receive HSTS header
 chaldeen.pro: did not receive HSTS header
 challengeskins.com: could not connect to host
@@ -3278,8 +3371,10 @@ channyc.com: could not connect to host
 chaos.fail: could not connect to host
 chaoscastles.co.uk: did not receive HSTS header
 chaoswebs.net: did not receive HSTS header
+chaotichive.com: could not connect to host
 chaoticlaw.com: did not receive HSTS header
 chaouby.com: could not connect to host
+chapelaria.tf: could not connect to host
 charakato.com: could not connect to host
 chargejuice.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 charityclear.com: could not connect to host
@@ -3290,10 +3385,10 @@ charlestonsecuritysystems.net: did not receive HSTS header
 charliemcneive.com: could not connect to host
 charlimarie.com: did not receive HSTS header
 charlipopkids.com.au: did not receive HSTS header
-charmyadesara.com: could not connect to host
 charnleyhouse.co.uk: did not receive HSTS header
 charonsecurity.com: could not connect to host
 charp.eu: could not connect to host
+charr.xyz: could not connect to host
 chartstoffarm.de: did not receive HSTS header
 chasafilli.ch: could not connect to host
 chaseganey.com: did not receive HSTS header
@@ -3303,6 +3398,8 @@ chasse-et-plaisir.com: did not receive HSTS header
 chat-porc.eu: did not receive HSTS header
 chatbot.me: did not receive HSTS header
 chatbot.one: could not connect to host
+chatbotclic.com: could not connect to host
+chatbotclick.com: could not connect to host
 chatbots.email: could not connect to host
 chateau-belvoir.com: could not connect to host
 chateauconstellation.ch: did not receive HSTS header
@@ -3312,6 +3409,8 @@ chatup.cf: could not connect to host
 chatxp.com: could not connect to host
 chaulootz.com: did not receive HSTS header
 chaverde.org: could not connect to host
+chaz6.com: did not receive HSTS header
+chazgie.se: did not receive HSTS header
 chcemvediet.sk: max-age too low: 1555200
 chdgaming.xyz: could not connect to host
 cheah.xyz: could not connect to host
@@ -3325,7 +3424,6 @@ checkhost.org: could not connect to host
 checkmateshoes.com: did not receive HSTS header
 checkmatewebsolutions.com: max-age too low: 0
 checkout.google.com: could not connect to host (error ignored - included regardless)
-checkras.tk: could not connect to host
 checkyourmeds.com: did not receive HSTS header
 cheekylittlerascals.co.uk: did not receive HSTS header
 cheerflow.com: could not connect to host
@@ -3334,7 +3432,6 @@ cheesehosting.net: did not receive HSTS header
 cheesetart.my: could not connect to host
 cheesypicsbooths.co.uk: could not connect to host
 cheetah85.de: could not connect to host
-cheetahwerx.com: could not connect to host
 chefgalles.com.br: could not connect to host
 chejianer.cn: could not connect to host
 chelema.xyz: could not connect to host
@@ -3344,19 +3441,20 @@ chelseafs.co.uk: did not receive HSTS header
 chemicalguys-ruhrpott.de: could not connect to host
 chenfengyi.com: could not connect to host
 chengtongled.com: could not connect to host
-chenky.com: could not connect to host
 chensir.net: could not connect to host
 chepaofen.com: did not receive HSTS header
 cherekerry.com: could not connect to host
+cherrett.digital: did not receive HSTS header
 cherrydropscandycarts.co.uk: could not connect to host
 cherylsoleway.com: did not receive HSTS header
 chessreporter.nl: did not receive HSTS header
 chesterbrass.uk: did not receive HSTS header
 chez-janine.de: could not connect to host
+chhy.at: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 chiamata-aiuto.ch: could not connect to host
 chiaramail.com: could not connect to host
 chib.chat: could not connect to host
-chicorycom.net: could not connect to host
+chicorycom.net: did not receive HSTS header
 chihiro.xyz: could not connect to host
 chijiokeindustries.co.uk: could not connect to host
 chikan-beacon.net: could not connect to host
@@ -3364,7 +3462,7 @@ chikatomo-ryugaku.com: did not receive HSTS header
 chikory.com: could not connect to host
 childcaresolutionscny.org: did not receive HSTS header
 childrendeservebetter.org: could not connect to host
-chilli943.info: could not connect to host
+chilli943.info: did not receive HSTS header
 chimparoo.ca: did not receive HSTS header
 china-dhl.org: could not connect to host
 china-line.org: could not connect to host
@@ -3372,6 +3470,7 @@ chinacdn.org: could not connect to host
 chinawhale.com: could not connect to host
 chinternet.xyz: could not connect to host
 chiphell.com: did not receive HSTS header
+chiralsoftware.com: could not connect to host
 chirgui.eu: could not connect to host
 chloca.jp: did not receive HSTS header
 chloe.re: did not receive HSTS header
@@ -3388,13 +3487,13 @@ choiralberta.ca: did not receive HSTS header
 choisirmonerp.com: did not receive HSTS header
 chollima.pro: could not connect to host
 chontalpa.pw: could not connect to host
+choootto.club: did not receive HSTS header
 chopperforums.com: could not connect to host
 chordso.com: did not receive HSTS header
 chorkley.me: could not connect to host
 chorleiterverband.de: did not receive HSTS header
 choruscrowd.com: could not connect to host
 chotu.net: could not connect to host
-chr0me.sh: could not connect to host
 chris-web.info: could not connect to host
 chrisandsarahinasia.com: could not connect to host
 chrisbrakebill.com: did not receive HSTS header
@@ -3406,7 +3505,6 @@ chriskirchner.de: did not receive HSTS header
 chriskyrouac.com: could not connect to host
 chrisopperwall.com: could not connect to host
 chrisself.xyz: could not connect to host
-chrissx.ga: could not connect to host
 christiaandruif.nl: could not connect to host
 christian-krug.website: did not receive HSTS header
 christianbro.gq: could not connect to host
@@ -3423,9 +3521,10 @@ christophheich.me: did not receive HSTS header
 christophkreileder.com: could not connect to host
 chrisupjohn.com: could not connect to host
 chrisupjohn.xyz: could not connect to host
+chrisvannooten.tk: could not connect to host
 chrisvicmall.com: did not receive HSTS header
 chromaryu.net: could not connect to host
-chromaxa.com: could not connect to host
+chromaxa.com: did not receive HSTS header
 chrome: could not connect to host
 chrome-devtools-frontend.appspot.com: did not receive HSTS header (error ignored - included regardless)
 chrome.google.com: did not receive HSTS header (error ignored - included regardless)
@@ -3435,9 +3534,9 @@ chronoproject.com: did not receive HSTS header
 chrst.ph: could not connect to host
 chs.us: max-age too low: 0
 chsh.moe: could not connect to host
-chua.cf: could not connect to host
+chua.cf: did not receive HSTS header
 chua.family: did not receive HSTS header
-chuckame.fr: did not receive HSTS header
+chuckame.fr: could not connect to host
 chulado.com: did not receive HSTS header
 chundelac.com: could not connect to host
 churchlinkpro.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -3453,6 +3552,7 @@ cigarblogs.net: could not connect to host
 cigarterminal.com: could not connect to host
 cigi.site: could not connect to host
 ciicutini.ro: did not receive HSTS header
+ciiex.co: could not connect to host
 cim2b.de: could not connect to host
 cimalando.eu: could not connect to host
 cinartelorgu.com: did not receive HSTS header
@@ -3463,11 +3563,12 @@ cinelite.club: could not connect to host
 cinema5.ru: did not receive HSTS header
 cinemaclub.co: could not connect to host
 ciner.is: could not connect to host
+cinerama.com.br: did not receive HSTS header
 cintactimber.com: did not receive HSTS header
 cintdirect.com: could not connect to host
 cioconference.co.nz: could not connect to host
 cipher.co.th: did not receive HSTS header
-cipher.land: could not connect to host
+cipher.land: did not receive HSTS header
 cipherli.st: did not receive HSTS header
 ciplanutrition.com: could not connect to host
 cipriano.nl: did not receive HSTS header
@@ -3475,16 +3576,20 @@ cira.email: could not connect to host
 circ-logic.com: did not receive HSTS header
 circlebox.rocks: could not connect to host
 cirfi.com: could not connect to host
+cirope.com: could not connect to host
 cirrohost.com: did not receive HSTS header
+cirugiasplasticas.com.mx: did not receive HSTS header
+cirujanooral.com: could not connect to host
 ciscohomeanalytics.com: could not connect to host
 ciscommerce.net: could not connect to host
 citationgurus.com: could not connect to host
 citiagent.cz: could not connect to host
 citra-emu.org: did not receive HSTS header
-citroner.blog: could not connect to host
+citroner.blog: did not receive HSTS header
 citybusexpress.com: did not receive HSTS header
 cityofeastpointemi.gov: could not connect to host
 cityoflaurel.org: did not receive HSTS header
+cityoftitansmmo.com: could not connect to host
 cityofwadley-ga.gov: did not receive HSTS header
 citywalkr.com: could not connect to host
 ciuciucadou.ro: could not connect to host
@@ -3496,6 +3601,7 @@ cjessett.com: max-age too low: 0
 cjtkfan.club: could not connect to host
 ckcameron.net: could not connect to host
 ckp.io: could not connect to host
+clacetandil.com.ar: could not connect to host
 clad.cf: could not connect to host
 claibornecountytn.gov: could not connect to host
 claimit.ml: could not connect to host
@@ -3508,8 +3614,10 @@ claretandbanter.uk: did not receive HSTS header
 clarity-c2ced.appspot.com: did not receive HSTS header
 claritysrv.com: did not receive HSTS header
 clarksgaragedoorrepair.com: did not receive HSTS header
+clash-movies.de: max-age too low: 172800
 clashersrepublic.com: could not connect to host
 classicday.nl: could not connect to host
+classics.io: did not receive HSTS header
 classicsandexotics.com: could not connect to host
 classicshop.ua: did not receive HSTS header
 classicspublishing.com: could not connect to host
@@ -3523,7 +3631,7 @@ cleanexperts.co.uk: could not connect to host
 cleaningsquad.ca: did not receive HSTS header
 cleanmta.com: could not connect to host
 cleanstar.org: could not connect to host
-clear.ml: did not receive HSTS header
+clear.ml: could not connect to host
 clearc.tk: could not connect to host
 clearchatsandbox.com: could not connect to host
 clearsky.me: did not receive HSTS header
@@ -3549,11 +3657,13 @@ clicnbio.com: could not connect to host
 cliftons.com: did not receive HSTS header
 climaencusco.com: could not connect to host
 clinia.ca: did not receive HSTS header
+clinicadelogopedia.net: did not receive HSTS header
 clinicaferrusbratos.com: did not receive HSTS header
 clinicasilos.com: did not receive HSTS header
 cliniko.com: did not receive HSTS header
 clintonbloodworth.com: could not connect to host
 clintonbloodworth.io: could not connect to host
+clintonplasticsurgery.com: did not receive HSTS header
 clintwilson.technology: max-age too low: 2592000
 clip.ovh: did not receive HSTS header
 clipped4u.com: could not connect to host
@@ -3569,25 +3679,25 @@ cloud-project.com: could not connect to host
 cloud.wtf: could not connect to host
 cloud2go.de: did not receive HSTS header
 cloud58.org: did not receive HSTS header
+cloudalice.com: could not connect to host
+cloudalice.net: could not connect to host
 cloudapi.vc: could not connect to host
 cloudbased.info: did not receive HSTS header
 cloudbasedsite.com: did not receive HSTS header
 cloudberlin.goip.de: could not connect to host
 cloudbleed.info: could not connect to host
 cloudbreaker.de: could not connect to host
-cloudcert.org: did not receive HSTS header
 cloudconsulting.net.za: did not receive HSTS header
 cloudconsulting.org.za: did not receive HSTS header
 cloudconsulting.web.za: did not receive HSTS header
 cloudcy.net: could not connect to host
 clouddesktop.co.nz: could not connect to host
-cloudfiles.at: could not connect to host
-cloudfren.com: did not receive HSTS header
+cloudfren.com: could not connect to host
 cloudimag.es: could not connect to host
 cloudimproved.com: could not connect to host
 cloudimprovedtest.com: could not connect to host
-cloudlink.club: could not connect to host
-cloudmigrator365.com: could not connect to host
+cloudlink.club: did not receive HSTS header
+cloudmigrator365.com: did not receive HSTS header
 cloudns.com.au: could not connect to host
 cloudopt.net: did not receive HSTS header
 cloudpagesforwork.com: did not receive HSTS header
@@ -3603,7 +3713,7 @@ cloudteam.de: could not connect to host
 cloudwalk.io: did not receive HSTS header
 cloudwarez.xyz: could not connect to host
 clounix.online: could not connect to host
-clovissantos.com: did not receive HSTS header
+clovissantos.com: could not connect to host
 clowde.in: could not connect to host
 clownaroundbouncycastles.co.uk: did not receive HSTS header
 clownish.co.il: could not connect to host
@@ -3612,9 +3722,7 @@ clubcall.com: did not receive HSTS header
 clubdeslecteurs.net: could not connect to host
 clubmix.co.kr: could not connect to host
 clubscannan.ie: did not receive HSTS header
-cluefulca.com: could not connect to host
-cluefulca.net: could not connect to host
-cluefulca.org: could not connect to host
+clueful.ca: max-age too low: 0
 cluj.apartments: could not connect to host
 clush.pw: did not receive HSTS header
 cluster.id: could not connect to host
@@ -3644,13 +3752,13 @@ cncmachinemetal.com: did not receive HSTS header
 cncn.us: did not receive HSTS header
 cnetw.xyz: could not connect to host
 cnitdog.com: could not connect to host
-cnlau.com: did not receive HSTS header
+cnlau.com: could not connect to host
 cnlic.com: could not connect to host
-cnrd.me: could not connect to host
+cnrd.me: did not receive HSTS header
 cnsyear.com: did not receive HSTS header
 cnwage.com: could not connect to host
 cnwarn.com: could not connect to host
-co-driversphoto.se: could not connect to host
+co-driversphoto.se: did not receive HSTS header
 co-yutaka.com: could not connect to host
 co2eco.cn: did not receive HSTS header
 coa.one: could not connect to host
@@ -3677,6 +3785,7 @@ code-digsite.com: could not connect to host
 code-judge.tk: could not connect to host
 code.google.com: did not receive HSTS header (error ignored - included regardless)
 codealkemy.co: could not connect to host
+codebreaking.org: did not receive HSTS header
 codeco.pw: could not connect to host
 codecontrollers.de: could not connect to host
 codeforce.io: could not connect to host
@@ -3696,12 +3805,14 @@ codeproxy.ddns.net: could not connect to host
 codepx.com: could not connect to host
 codercy.com: could not connect to host
 coderhangout.com: could not connect to host
+codersatlas.co: could not connect to host
 codersatlas.com: could not connect to host
-codersbistro.com: did not receive HSTS header
+codersatlas.xyz: could not connect to host
+codersbistro.com: could not connect to host
 codestep.io: could not connect to host
 codewiththepros.org: could not connect to host
 codewiz.xyz: could not connect to host
-codigodelbonusbet365.com: could not connect to host
+codimaker.com: did not receive HSTS header
 codymoniz.com: could not connect to host
 coecrafters.com: could not connect to host
 coffeedino.com: did not receive HSTS header
@@ -3713,11 +3824,14 @@ cognixia.com: did not receive HSTS header
 cogumelosmagicos.org: could not connect to host
 cohesive.io: could not connect to host
 coin-exchange.cz: could not connect to host
+coincoele.com.br: could not connect to host
 coindam.com: could not connect to host
+coindatabase.net: could not connect to host
 coinessa.com: could not connect to host
 coinjar-sandbox.com: could not connect to host
 colarelli.ch: could not connect to host
 coldaddy.com: could not connect to host
+coldawn.com: could not connect to host
 coldlostsick.net: did not receive HSTS header
 coldwatericecream.com: did not receive HSTS header
 colearnr.com: could not connect to host
@@ -3739,10 +3853,9 @@ collision.fyi: could not connect to host
 colmexpro.com: did not receive HSTS header
 colo-tech.com: could not connect to host
 colognegaming.net: could not connect to host
-cololi.moe: max-age too low: 2592000
 coloradocomputernetworking.net: could not connect to host
 colorcentertoner.com.br: did not receive HSTS header
-coloringnotebook.com: could not connect to host
+coloringnotebook.com: did not receive HSTS header
 colorlib.com: did not receive HSTS header
 colorunhas.com.br: did not receive HSTS header
 com-news.io: could not connect to host
@@ -3754,9 +3867,6 @@ comeoncolleen.com: did not receive HSTS header
 comercialtrading.eu: could not connect to host
 cometbot.cf: could not connect to host
 cometrueunlimited.com: could not connect to host
-comevius.com: could not connect to host
-comevius.org: could not connect to host
-comevius.xyz: could not connect to host
 comfortdom.ua: did not receive HSTS header
 comfortticket.de: did not receive HSTS header
 comfy.cafe: could not connect to host
@@ -3774,17 +3884,13 @@ commercialplanet.eu: could not connect to host
 commune-preuilly.fr: did not receive HSTS header
 community-cupboard.org: did not receive HSTS header
 communityflow.info: could not connect to host
-comocurarlagastritis24.online: did not receive HSTS header
 comocurarlashemorroides.org: did not receive HSTS header
 comocurarlashemorroidesya.com: did not receive HSTS header
-comodesinflamarlashemorroides.org: did not receive HSTS header
-comohacerelamoraunhombrenet.com: did not receive HSTS header
-comoquitarlacaspa24.com: did not receive HSTS header
-comoquitarlasestriasrapidamente.com: did not receive HSTS header
 comorecuperaratumujerpdf.com: could not connect to host
 comotalk.com: could not connect to host
 compalytics.com: could not connect to host
 comparamejor.com: did not receive HSTS header
+compareandrecycle.com: did not receive HSTS header
 comparejewelleryprices.co.uk: could not connect to host
 comparetravelinsurance.com.au: did not receive HSTS header
 compassionate-biology.com: could not connect to host
@@ -3793,6 +3899,7 @@ compiledworks.com: could not connect to host
 completesportperformance.com: did not receive HSTS header
 completionist.audio: could not connect to host
 complex-organization.com: could not connect to host
+complexsystems.fail: did not receive HSTS header
 complt.xyz: could not connect to host
 complymd.com: did not receive HSTS header
 compredietlight.com.br: did not receive HSTS header
@@ -3801,12 +3908,14 @@ comprehensiveihc.com: could not connect to host
 compromised.com: could not connect to host
 compros.me: could not connect to host
 compsmag.com: did not receive HSTS header
-comptrollerofthecurrency.gov: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+compucastell.ch: could not connect to host
 compucorner.com.mx: could not connect to host
 compusolve.nl: could not connect to host
+computeracademy.co.za: could not connect to host
 computercraft.net: could not connect to host
 computertal.de: could not connect to host
 comssa.org.au: did not receive HSTS header
+comw.cc: could not connect to host
 comyuno.com: did not receive HSTS header
 concentrade.de: did not receive HSTS header
 conceptatelier.de: could not connect to host
@@ -3834,10 +3943,12 @@ connaitre-les-astres.com: did not receive HSTS header
 connect.ua: could not connect to host
 connected-verhuurservice.nl: did not receive HSTS header
 connectfss.com: could not connect to host
-connectingconcepts.com: did not receive HSTS header
+connectingconcepts.com: could not connect to host
 conniesacademy.com: could not connect to host
+conocimientosdigitales.com: could not connect to host
 conrad.am: could not connect to host
 consciousandglamorous.com: could not connect to host
+consciousbrand.co: did not receive HSTS header
 consciousbrand.org.au: could not connect to host
 consciousbranding.org.au: could not connect to host
 consciousbrands.net.au: could not connect to host
@@ -3856,6 +3967,8 @@ contaimo.com: did not receive HSTS header
 container-lion.com: did not receive HSTS header
 containerstatistics.com: could not connect to host
 contarkos.xyz: could not connect to host
+content-design.de: did not receive HSTS header
+contentdesign.de: did not receive HSTS header
 contents.ga: did not receive HSTS header
 continuation.io: could not connect to host
 continuumgaming.com: could not connect to host
@@ -3864,6 +3977,7 @@ contraout.com: could not connect to host
 controlcenter.gigahost.dk: did not receive HSTS header
 contxt-agentur.de: did not receive HSTS header
 convergemagazine.com: did not receive HSTS header
+convert.zone: could not connect to host
 converter.ml: could not connect to host
 convertimg.com: could not connect to host
 convoitises.com: did not receive HSTS header
@@ -3877,18 +3991,21 @@ coole-meister.de: could not connect to host
 cooljs.me: could not connect to host
 coolkidsbouncycastles.co.uk: did not receive HSTS header
 coolrc.me: did not receive HSTS header
+cooltang.ooo: did not receive HSTS header
 coolviewthermostat.com: did not receive HSTS header
 coolvox.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 coonelnel.net: did not receive HSTS header
-coor.fun: did not receive HSTS header
+cooperativehandmade.com: did not receive HSTS header
+cooperativehandmade.pe: did not receive HSTS header
 cooxa.com: could not connect to host
+copperhead.co: did not receive HSTS header
 copshop.com.br: could not connect to host
 coptic-treasures.com: max-age too low: 2592000
 copycaught.com: could not connect to host
 copytrack.com: did not receive HSTS header
 cor-ser.es: could not connect to host
 coralproject.net: did not receive HSTS header
-coralrosado.com.br: did not receive HSTS header
+coralrosado.com.br: could not connect to host
 coramcdaniel.com: could not connect to host
 corbinhesse.com: did not receive HSTS header
 corderoscleaning.com: did not receive HSTS header
@@ -3900,6 +4017,7 @@ coreinfrastructure.org: did not receive HSTS header
 corenetworking.de: could not connect to host
 coresos.com: could not connect to host
 corex.io: could not connect to host
+corgi.party: could not connect to host
 corgicloud.com: could not connect to host
 corinnanese.de: could not connect to host
 coriver.me: did not receive HSTS header
@@ -3909,23 +4027,24 @@ cormilu.com.br: did not receive HSTS header
 cornishcamels.com: did not receive HSTS header
 cornmachine.com: did not receive HSTS header
 coroasdefloresonline.com.br: could not connect to host
-coropiacere.org: could not connect to host
 corozanu.ro: did not receive HSTS header
 corpoatletico.com.br: could not connect to host
 corporateencryption.com: could not connect to host
 corporatesubscriptions.com.au: did not receive HSTS header
 correct.horse: did not receive HSTS header
 correctpaardbatterijnietje.nl: did not receive HSTS header
-correiodovale.com.br: could not connect to host
+correiodovale.com.br: did not receive HSTS header
 corruption-mc.net: could not connect to host
 corruption-rsps.net: could not connect to host
 corruption-server.net: could not connect to host
-corzntin.fr: did not receive HSTS header
-cosmeticosdelivery.com.br: did not receive HSTS header
+cosmeticosdelivery.com.br: could not connect to host
 cosmeticosnet.com.br: did not receive HSTS header
 cosmiatria.pe: could not connect to host
+cosmic-os.org: did not receive HSTS header
 cosmoluziluminacion.com: did not receive HSTS header
 cosmoss-departure.com: could not connect to host
+cosni.co: could not connect to host
+costa-rica-reisen.ch: did not receive HSTS header
 costcofinance.com: did not receive HSTS header
 costow.club: did not receive HSTS header
 cotonea.de: did not receive HSTS header
@@ -3955,6 +4074,7 @@ cozitop.com.br: could not connect to host
 cozmaadrian.ro: could not connect to host
 cozy.io: did not receive HSTS header
 cozycloud.cc: did not receive HSTS header
+cpahunt.com: did not receive HSTS header
 cpaneltips.com: could not connect to host
 cpbanq.com: could not connect to host
 cpuvinf.eu.org: could not connect to host
@@ -3962,16 +4082,15 @@ cqchome.com: did not receive HSTS header
 cracking.org: did not receive HSTS header
 crackingking.com: could not connect to host
 crackpfer.de: could not connect to host
-crackslut.eu: could not connect to host
 craftbeerbarn.co.uk: could not connect to host
 craftedge.xyz: could not connect to host
 craftination.net: could not connect to host
-craftinghand.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 craftmain.eu: could not connect to host
 craftmine.cz: could not connect to host
 craftngo.hu: could not connect to host
 craftwmcp.xyz: could not connect to host
 craftydev.design: could not connect to host
+craigary.net: could not connect to host
 cranems.com.ua: could not connect to host
 cranesafe.com: max-age too low: 7889238
 cranioschule.com: did not receive HSTS header
@@ -3989,7 +4108,6 @@ crazyker.com: did not receive HSTS header
 crbug.com: did not receive HSTS header (error ignored - included regardless)
 crc-online.nl: did not receive HSTS header
 creaescola.com: did not receive HSTS header
-crealogix-online.com: could not connect to host
 creamybuild.com: could not connect to host
 create-ls.jp: could not connect to host
 create-test-publish.co.uk: could not connect to host
@@ -4001,6 +4119,7 @@ creativecommons.cl: did not receive HSTS header
 creativecommonscatpictures.com: could not connect to host
 creativephysics.ml: could not connect to host
 creativeplayuk.com: did not receive HSTS header
+creativlabor.ch: did not receive HSTS header
 creato.top: could not connect to host
 creators.co: could not connect to host
 crecips.com: could not connect to host
@@ -4008,19 +4127,22 @@ crecket.me: could not connect to host
 credia.jp: did not receive HSTS header
 creditclear.com.au: did not receive HSTS header
 creditreporttips.net: did not receive HSTS header
+creepycraft.nl: could not connect to host
 crendontech.com: did not receive HSTS header
 creorin.com: did not receive HSTS header
 crestoncottage.com: could not connect to host
+creusalp.ch: did not receive HSTS header
 crewplanner.eu: did not receive HSTS header
-crge.eu: max-age too low: 0
+crge.eu: could not connect to host
 criadorespet.com.br: could not connect to host
 crickey.eu: could not connect to host
 crimewatch.net.za: could not connect to host
 crimson.no: did not receive HSTS header
 crip-usk.ba: could not connect to host
 crisissurvivalspecialists.com: could not connect to host
+cristiandeluxe.com: did not receive HSTS header
 cristianhares.com: could not connect to host
-critcola.com: did not receive HSTS header
+critcola.com: could not connect to host
 criticalaim.com: could not connect to host
 crizk.com: could not connect to host
 crl-autos.com: could not connect to host
@@ -4037,7 +4159,6 @@ croome.no-ip.org: could not connect to host
 crop-alert.com: could not connect to host
 croquette.net: did not receive HSTS header
 crosbug.com: did not receive HSTS header (error ignored - included regardless)
-crosscom.ch: could not connect to host
 crosspeakoms.com: did not receive HSTS header
 crosssec.com: did not receive HSTS header
 crow.tw: could not connect to host
@@ -4057,12 +4178,11 @@ crushroom.com: max-age too low: 43200
 cruzadobalcazarabogados.com: could not connect to host
 cruzeiropedia.org: did not receive HSTS header
 cruzr.xyz: could not connect to host
-crypalert.com: could not connect to host
+crypalert.com: did not receive HSTS header
 crypt.guru: did not receive HSTS header
 cryptify.eu: could not connect to host
-crypto-armory.com: could not connect to host
 crypto-navi.org: did not receive HSTS header
-crypto.tube: did not receive HSTS header
+crypto.tube: max-age too low: 2592000
 cryptobells.com: did not receive HSTS header
 cryptobin.org: could not connect to host
 cryptocaseproject.com: could not connect to host
@@ -4079,10 +4199,10 @@ cryptopro.shop: could not connect to host
 cryptopush.com: did not receive HSTS header
 crysadm.com: could not connect to host
 crystalclassics.co.uk: did not receive HSTS header
+crystallizedcouture.com: did not receive HSTS header
 crystalmate.eu: did not receive HSTS header
 cs-colorscreed-betongulve.dk: could not connect to host
 cs-ubladego.pl: could not connect to host
-csacongress.org: max-age too low: 2592000
 csapak.com: did not receive HSTS header
 csawctf.poly.edu: could not connect to host
 csbgtribalta.com: did not receive HSTS header
@@ -4143,6 +4263,7 @@ cuongthach.com: did not receive HSTS header
 cuonic.com: could not connect to host
 cupcake.io: did not receive HSTS header
 cupcake.is: did not receive HSTS header
+cupi.co: could not connect to host
 cupidosshop.com: could not connect to host
 cupofarchitects.net: could not connect to host
 curacao-license.com: could not connect to host
@@ -4155,7 +4276,6 @@ curroapp.com: could not connect to host
 cursosdnc.cl: did not receive HSTS header
 cursosgratuitos.com.br: did not receive HSTS header
 curveweb.co.uk: did not receive HSTS header
-curvylove.de: could not connect to host
 cusfit.com: did not receive HSTS header
 custe.rs: could not connect to host
 custerweb.com: did not receive HSTS header
@@ -4180,7 +4300,7 @@ cvsoftub.com: did not receive HSTS header
 cvtparking.co.uk: did not receive HSTS header
 cw-bw.de: could not connect to host
 cwage.com: could not connect to host
-cwbw.network: did not receive HSTS header
+cwbw.network: could not connect to host
 cwilson.ga: could not connect to host
 cy.technology: did not receive HSTS header
 cyanogenmod.xxx: could not connect to host
@@ -4198,7 +4318,6 @@ cyberpeace.nl: could not connect to host
 cyberphaze.com: did not receive HSTS header
 cyberprey.com: did not receive HSTS header
 cyberpunk.ca: could not connect to host
-cybersantri.com: could not connect to host
 cyberserver.org: could not connect to host
 cybershambles.com: could not connect to host
 cybersmart.co.uk: did not receive HSTS header
@@ -4211,15 +4330,18 @@ cygu.ch: did not receive HSTS header
 cymtech.net: could not connect to host
 cynoshair.com: could not connect to host
 cyoda.com: did not receive HSTS header
+cypad.cn: did not receive HSTS header
 cype.dedyn.io: could not connect to host
 cypherpunk.ws: could not connect to host
 cyphertite.com: could not connect to host
 cytadel.fr: did not receive HSTS header
-cyyzaid.cn: could not connect to host
+cyyzaid.cn: max-age too low: 0
 czaw.org: did not receive HSTS header
-czirnich.org: could not connect to host
+czechamlp.com: could not connect to host
+czirnich.org: did not receive HSTS header
 czlx.co: could not connect to host
 d-academia.com: did not receive HSTS header
+d-garnier-delaunay.fr: did not receive HSTS header
 d-macindustries.com: did not receive HSTS header
 d-rickroll-e.pw: could not connect to host
 d.rip: max-age too low: 900
@@ -4228,9 +4350,6 @@ d0xq.net: could not connect to host
 d1ves.io: did not receive HSTS header
 d3njjcbhbojbot.cloudfront.net: did not receive HSTS header
 d3x.pw: could not connect to host
-d3xx3r.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-d4rkdeagle.tk: could not connect to host
-d4wson.com: could not connect to host
 d88688.com: could not connect to host
 d88871.com: could not connect to host
 d8studio.net: could not connect to host
@@ -4257,10 +4376,13 @@ dakl-shop.de: did not receive HSTS header
 dakotasilencer.com: did not receive HSTS header
 dakrib.net: could not connect to host
 daku.gdn: could not connect to host
+dalepresencia.com: did not receive HSTS header
 dalfiume.it: did not receive HSTS header
 dalingk.co: could not connect to host
+dallas.gov: could not connect to host
 daltonedwards.me: could not connect to host
 dam74.com.ar: could not connect to host
+damedrogy.cz: could not connect to host
 damianuv-blog.cz: could not connect to host
 damienpontifex.com: did not receive HSTS header
 damjanovic.work: could not connect to host
@@ -4268,6 +4390,7 @@ dan.org.nz: could not connect to host
 danbarrett.com.au: could not connect to host
 dancebuzz.co.uk: did not receive HSTS header
 dancerdates.net: did not receive HSTS header
+dancingshiva.at: could not connect to host
 dandymrsb.com: could not connect to host
 dango.in: could not connect to host
 daniel-du.com: could not connect to host
@@ -4279,8 +4402,10 @@ danielcowie.me: could not connect to host
 danieldk.eu: did not receive HSTS header
 danielgraziano.ca: could not connect to host
 danieliancu.com: could not connect to host
+danieljireh.com: did not receive HSTS header
 danielkratz.com: max-age too low: 172800
-danielmarquard.com: did not receive HSTS header
+danielnaaman.net: could not connect to host
+danielnaaman.org: could not connect to host
 danielt.co.uk: did not receive HSTS header
 danielverlaan.nl: could not connect to host
 danielworthy.com: did not receive HSTS header
@@ -4294,15 +4419,12 @@ dannycrichton.com: did not receive HSTS header
 danova.de: did not receive HSTS header
 danoz.net: could not connect to host
 danrl.de: could not connect to host
-dansa.com.co: could not connect to host
 danskringsporta.be: did not receive HSTS header
 danwillenberg.com: did not receive HSTS header
 daolerp.xyz: could not connect to host
-dapim.co.il: did not receive HSTS header
 dargasia.is: could not connect to host
 darinjohnson.ca: did not receive HSTS header
 dario.im: did not receive HSTS header
-dariosirangelo.me: could not connect to host
 dark-x.cf: could not connect to host
 darkanzali.pl: max-age too low: 0
 darkdestiny.ch: could not connect to host
@@ -4370,7 +4492,6 @@ davewut.ca: did not receive HSTS header
 david-mallett.com: did not receive HSTS header
 davidandkailey.com: could not connect to host
 davidbrito.tech: could not connect to host
-davidbuckell.com: could not connect to host
 davidglidden.eu: did not receive HSTS header
 davidgrudl.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 davidhunter.scot: did not receive HSTS header
@@ -4382,7 +4503,6 @@ davidscherzer.at: could not connect to host
 davimun.org: could not connect to host
 davros.eu: could not connect to host
 davros.ru: could not connect to host
-daw.nz: could not connect to host
 dawnofeden.org: did not receive HSTS header
 dawnson.is: could not connect to host
 dawnsonb.com: could not connect to host
@@ -4407,14 +4527,15 @@ dcl.re: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAI
 dctxf.com: did not receive HSTS header
 dcuofriends.net: could not connect to host
 dd.art.pl: could not connect to host
-ddatsh.com: did not receive HSTS header
 dden.website: could not connect to host
 dden.xyz: could not connect to host
+ddholdingservices.com: did not receive HSTS header
 ddmeportal.com: could not connect to host
 ddns-anbieter.de: could not connect to host
 ddocu.me: could not connect to host
 ddos-mitigation.co.uk: could not connect to host
 ddos-mitigation.info: could not connect to host
+de-osopanda.com: could not connect to host
 de-servers.de: could not connect to host
 deadmann.com: could not connect to host
 deadsoul.net: could not connect to host
@@ -4422,9 +4543,11 @@ deai-life.biz: could not connect to host
 debank.tv: did not receive HSTS header
 debatch.se: could not connect to host
 debian-vhost.de: could not connect to host
+debigare.com: did not receive HSTS header
 debiton.dk: could not connect to host
 debitoutil.com: did not receive HSTS header
 debitpaie.com: did not receive HSTS header
+debkleinteam.com: did not receive HSTS header
 deborahmarinelli.eu: could not connect to host
 debtkit.co.uk: did not receive HSTS header
 debtprotectionreporting.com: did not receive HSTS header
@@ -4448,7 +4571,10 @@ dede.ml: could not connect to host
 dedeo.tk: could not connect to host
 dedicatutiempo.es: could not connect to host
 dedietrich-asia.com: did not receive HSTS header
+deeonix.eu: could not connect to host
+deep.club: could not connect to host
 deep.social: did not receive HSTS header
+deepaero.com: could not connect to host
 deepcovelabs.net: could not connect to host
 deepcreampie.com: could not connect to host
 deepearth.uk: could not connect to host
@@ -4477,17 +4603,20 @@ degroetenvanrosaline.nl: could not connect to host
 dehydrated.de: did not receive HSTS header
 deight.co: could not connect to host
 deight.in: could not connect to host
+dejan.media: could not connect to host
 dekasan.ru: could not connect to host
+dekoh-shouyu.com: did not receive HSTS header
 delandalucia.com: did not receive HSTS header
 delayrefunds.co.uk: could not connect to host
-delcopa.gov: could not connect to host
+delcopa.gov: did not receive HSTS header
 delf.co.jp: did not receive HSTS header
 deliberatedigital.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+delitto.top: could not connect to host
 deliver.moe: did not receive HSTS header
 deliverance.co.uk: could not connect to host
-deliveryiquique.cl: did not receive HSTS header
 deloittequant.com: could not connect to host
 deltaconcepts.de: could not connect to host
+deltasmart.ch: did not receive HSTS header
 delvj.org: could not connect to host
 demandware.com: did not receive HSTS header
 demarche-expresse.com: did not receive HSTS header
@@ -4495,11 +4624,11 @@ demdis.org: could not connect to host
 demilitarized.ninja: could not connect to host
 demo-server.us: could not connect to host
 demo.sb: could not connect to host
-demo.swedbank.se: did not receive HSTS header
 democracy.io: did not receive HSTS header
 democraticdifference.com: could not connect to host
 demomanca.com: did not receive HSTS header
 demotops.com: could not connect to host
+demuzere.eu: could not connect to host
 dengchangdong.com: did not receive HSTS header
 denh.am: did not receive HSTS header
 denimio.com: did not receive HSTS header
@@ -4511,7 +4640,7 @@ dentaldomain.org: did not receive HSTS header
 dentaldomain.ph: did not receive HSTS header
 denvercybersecurity.com: did not receive HSTS header
 denverphilharmonic.org: did not receive HSTS header
-denverprophit.us: could not connect to host
+denverprophit.us: did not receive HSTS header
 depaco.com: did not receive HSTS header
 deped.blog: could not connect to host
 depedshs.com: could not connect to host
@@ -4524,13 +4653,12 @@ deprobe.pro: could not connect to host
 dequehablamos.es: could not connect to host
 derbyshiredotnet.co.uk: did not receive HSTS header
 derchris.me: could not connect to host
-derekkent.com: could not connect to host
 derevtsov.com: did not receive HSTS header
 derivativeshub.pro: could not connect to host
 derive.cc: could not connect to host
 dermacarecomplex.com: could not connect to host
 derpumpkinfuhrer.com: could not connect to host
-derrickemery.com: could not connect to host
+derrickemery.com: did not receive HSTS header
 derwaldschrat.net: did not receive HSTS header
 derwolfe.net: did not receive HSTS header
 desiccantpackets.com: did not receive HSTS header
@@ -4542,14 +4670,15 @@ designgraphic.fr: did not receive HSTS header
 designsbykerrialee.co.uk: could not connect to host
 designthinking.or.jp: did not receive HSTS header
 desormiers.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+despachomartinyasociados.com: could not connect to host
 despora.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 despotika.de: could not connect to host
 desserteagleselvenar.tk: could not connect to host
 destinationbijoux.fr: could not connect to host
 destinopiriapolis.com: did not receive HSTS header
 destom.be: could not connect to host
+desuperheroes.co: could not connect to host
 desveja.com.br: could not connect to host
-detalhecomercio.com.br: could not connect to host
 detechnologiecooperatie.nl: did not receive HSTS header
 detecte-fuite.ch: could not connect to host
 detecte.ch: could not connect to host
@@ -4571,28 +4700,26 @@ deuxvia.com: could not connect to host
 dev: could not connect to host
 dev-aegon.azurewebsites.net: did not receive HSTS header
 dev-bluep.pantheonsite.io: did not receive HSTS header
-dev-talk.eu: did not receive HSTS header
+dev-talk.eu: could not connect to host
 dev-talk.net: could not connect to host
 devafterdark.com: could not connect to host
-devcast.io: could not connect to host
 devdesco.com: could not connect to host
 devdom.io: max-age too low: 172800
 devdoodle.net: could not connect to host
-develerik.com: could not connect to host
 develop.cool: could not connect to host
 develop.fitness: could not connect to host
 developersclub.website: could not connect to host
 devenney.io: did not receive HSTS header
 devh.de: could not connect to host
-deviltracks.net: could not connect to host
+devh.net: could not connect to host
+deviltracks.net: did not receive HSTS header
+deviltraxxx.de: could not connect to host
 devin-balimuhac.de: did not receive HSTS header
 devincrow.me: could not connect to host
 devinpacker.com: could not connect to host
 devisonline.ch: could not connect to host
 devistravaux.org: did not receive HSTS header
-devjack.de: could not connect to host
-devkit.cc: could not connect to host
-devlux.ch: did not receive HSTS header
+devjack.de: did not receive HSTS header
 devmsg.com: could not connect to host
 devnsec.com: could not connect to host
 devnull.team: could not connect to host
@@ -4600,12 +4727,13 @@ devolution.ws: could not connect to host
 devopps.me: could not connect to host
 devops.moe: could not connect to host
 devopsconnected.com: could not connect to host
-devpgsv.com: could not connect to host
+devpgsv.com: did not receive HSTS header
 devtestfan1.gov: could not connect to host
 devtub.com: could not connect to host
 devuan.org: did not receive HSTS header
 dewebwerf.nl: did not receive HSTS header
 dewin.io: could not connect to host
+dexonsoftware.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 dfixit.com: could not connect to host
 dfrance.com.br: did not receive HSTS header
 dfviana.com.br: max-age too low: 2592000
@@ -4642,17 +4770,16 @@ dichvudangkygiayphep.com: could not connect to host
 dicio.com.br: did not receive HSTS header
 dick.red: could not connect to host
 didierlaumen.be: did not receive HSTS header
-didikhari.web.id: did not receive HSTS header
 die-besten-weisheiten.de: could not connect to host
 die-gruenen-teufel.de: could not connect to host
 dieb.photo: could not connect to host
 diejanssens.net: did not receive HSTS header
 diemogebhardt.com: could not connect to host
-dierabenmutti.de: max-age too low: 7776000
 dierencompleet.nl: did not receive HSTS header
 dierenkruiden.nl: did not receive HSTS header
 dieser.me: could not connect to host
 dietagespresse.com: did not receive HSTS header
+dietergreven.de: did not receive HSTS header
 diewebstube.de: could not connect to host
 diezel.com: could not connect to host
 diferenca.com: did not receive HSTS header
@@ -4660,11 +4787,13 @@ diff2html.xyz: did not receive HSTS header
 diggable.co: max-age too low: 2592000
 digihyp.ch: did not receive HSTS header
 digikol.net: could not connect to host
+digimomedia.co.uk: did not receive HSTS header
 diginota.com: did not receive HSTS header
 digired.ro: could not connect to host
 digired.xyz: could not connect to host
-digital1world.com: did not receive HSTS header
+digital1world.com: could not connect to host
 digitalbank.kz: could not connect to host
+digitalcash.cf: could not connect to host
 digitalcloud.ovh: could not connect to host
 digitalcuko.com: did not receive HSTS header
 digitaldaddy.net: could not connect to host
@@ -4680,8 +4809,7 @@ digitalnonplus.com: could not connect to host
 digitalquery.com: did not receive HSTS header
 digitalriver.tk: did not receive HSTS header
 digitalrxcloud.com: could not connect to host
-digitalunite.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-digitalwasteland.net: could not connect to host
+digitalwasteland.net: did not receive HSTS header
 digiworks.se: did not receive HSTS header
 diguass.us: could not connect to host
 dijks.com: could not connect to host
@@ -4721,6 +4849,7 @@ direwolfsoftware.ca: could not connect to host
 dirips.com: did not receive HSTS header
 dirtycat.ru: could not connect to host
 disadattamentolavorativo.it: could not connect to host
+discipul.nl: did not receive HSTS header
 disclosure.io: did not receive HSTS header
 disco-crazy-world.de: could not connect to host
 discord-chan.net: could not connect to host
@@ -4728,7 +4857,7 @@ discountmania.eu: did not receive HSTS header
 discountmetaux.fr: did not receive HSTS header
 discover-mercure.com: could not connect to host
 discoveringdocker.com: could not connect to host
-discoverrsv.com: did not receive HSTS header
+discoverrsv.com: could not connect to host
 discoverucluelet.com: did not receive HSTS header
 discoverwellness.center: could not connect to host
 discovery.lookout.com: did not receive HSTS header
@@ -4739,6 +4868,7 @@ disruptivelabs.net: could not connect to host
 disruptivelabs.org: could not connect to host
 dissieux.com: did not receive HSTS header
 dissimulo.me: could not connect to host
+distiduffer.org: could not connect to host
 distinctivephotography.com.au: could not connect to host
 distinguishedwindows.co.uk: did not receive HSTS header
 distractionco.de: did not receive HSTS header
@@ -4763,7 +4893,9 @@ dj4et.de: could not connect to host
 djieno.com: could not connect to host
 djsk.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 djul.net: could not connect to host
+djursland-psykologen.dk: did not receive HSTS header
 djxmmx.net: did not receive HSTS header
+djz4music.com: did not receive HSTS header
 dkn.go.id: did not receive HSTS header
 dkniss.de: could not connect to host
 dl.google.com: did not receive HSTS header (error ignored - included regardless)
@@ -4778,11 +4910,11 @@ dmcastles.com: did not receive HSTS header
 dmcglobaltravel.com.mx: did not receive HSTS header
 dmcibulldog.com: did not receive HSTS header
 dmdre.com: did not receive HSTS header
+dmeevalumate.com: did not receive HSTS header
 dmenergy.ru: did not receive HSTS header
 dmfd.net: could not connect to host
 dmix.ca: could not connect to host
 dmlogic.com: could not connect to host
-dmmkenya.co.ke: could not connect to host
 dmtry.me: did not receive HSTS header
 dmwall.cn: could not connect to host
 dmz.ninja: could not connect to host
@@ -4794,7 +4926,7 @@ dns.google.com: did not receive HSTS header (error ignored - included regardless
 dnsbird.net: could not connect to host
 dnsbird.org: could not connect to host
 dnscrypt.nl: could not connect to host
-dnscrypt.org: could not connect to host
+dnscrypt.org: did not receive HSTS header
 dnsknowledge.com: did not receive HSTS header
 dnsql.io: could not connect to host
 dnzz123.com: did not receive HSTS header
@@ -4802,7 +4934,6 @@ do-do.tk: could not connect to host
 do-it.cz: could not connect to host
 doak.io: did not receive HSTS header
 dobet.in: could not connect to host
-dobrev.family: could not connect to host
 doc-justice.com: did not receive HSTS header
 docid.io: could not connect to host
 dockerm.com: could not connect to host
@@ -4810,18 +4941,21 @@ dockerturkiye.com: could not connect to host
 docket.news: could not connect to host
 doclassworks.com: could not connect to host
 doclot.io: could not connect to host
-docplexus.in: could not connect to host
+docplexus.in: did not receive HSTS header
 docplexus.org: did not receive HSTS header
 docset.io: could not connect to host
 docsoc.org.uk: could not connect to host
 docufiel.com: could not connect to host
 doculus.io: could not connect to host
 documentations-sociales.com: could not connect to host
+docupet.com: did not receive HSTS header
 docxtemplater.com: did not receive HSTS header
 doesmycodehavebugs.today: could not connect to host
 doeswindowssuckforeveryoneorjustme.com: could not connect to host
+dog-blum.com: could not connect to host
 dogbox.se: did not receive HSTS header
 dogcratereview.info: could not connect to host
+doge.town: could not connect to host
 dogespeed.ga: could not connect to host
 dogfi.sh: could not connect to host
 doggieholic.net: could not connect to host
@@ -4844,7 +4978,7 @@ dolphin-cloud.com: could not connect to host
 dolphin-hosting.com: could not connect to host
 dolphincorp.co.uk: could not connect to host
 dolphinswithlasers.com: could not connect to host
-dolt.xyz: could not connect to host
+dolt.xyz: did not receive HSTS header
 domaine-aigoual-cevennes.com: did not receive HSTS header
 domainelaremejeanne.com: did not receive HSTS header
 domaris.de: did not receive HSTS header
@@ -4853,10 +4987,12 @@ domen-reg.ru: could not connect to host
 domengrad.ru: did not receive HSTS header
 domenicocatelli.com: did not receive HSTS header
 domfee.com: could not connect to host
+domian.cz: could not connect to host
 dominikanskarepubliken.guide: could not connect to host
 dominioanimal.com: could not connect to host
 dominioanimal.com.br: could not connect to host
 dominique-mueller.de: could not connect to host
+domwkwiatach.pl: did not receive HSTS header
 domytermpaper.com: could not connect to host
 don.yokohama: could not connect to host
 dong8.top: could not connect to host
@@ -4869,11 +5005,11 @@ donna-bellini-business-fotografie-muenchen.de: did not receive HSTS header
 donotspampls.me: could not connect to host
 donotspellitgav.in: did not receive HSTS header
 donpaginasweb.com: did not receive HSTS header
-donpomodoro.com.co: did not receive HSTS header
 donsbach-edv.de: did not receive HSTS header
 donthedragonwilson.com: could not connect to host
 donttrustrobots.nl: could not connect to host
 donzelot.co.uk: did not receive HSTS header
+donzool.es: could not connect to host
 doobydude.us: could not connect to host
 doodledraw.ninja: could not connect to host
 doodlefinder.de: max-age too low: 600000
@@ -4884,13 +5020,13 @@ doopdidoop.com: did not receive HSTS header
 door.cards: could not connect to host
 dopfer-fenstertechnik.de: did not receive HSTS header
 dopost.it: could not connect to host
+doppenpost.nl: could not connect to host
 doriginal.es: did not receive HSTS header
 dorkfarm.com: did not receive HSTS header
 dormebebe.com.br: could not connect to host
 dosipe.com: could not connect to host
 doska.kz: could not connect to host
 dostavkakurierom.ru: could not connect to host
-dot.ro: did not receive HSTS header
 dotadata.me: could not connect to host
 dotb.dn.ua: did not receive HSTS header
 dotbrick.co.th: could not connect to host
@@ -4900,6 +5036,7 @@ dotspaperie.com: could not connect to host
 doublethink.online: could not connect to host
 doubleyummy.uk: did not receive HSTS header
 dougferris.id.au: could not connect to host
+douglas-ma.gov: did not receive HSTS header
 douglasstafford.com: did not receive HSTS header
 doujin-domain.cz: could not connect to host
 doujin.nagoya: could not connect to host
@@ -4907,6 +5044,7 @@ doulasofgreaterkansascity.org: max-age too low: 300
 dovecotadmin.org: could not connect to host
 doveholesband.co.uk: did not receive HSTS header
 dovetailnow.com: could not connect to host
+dovro.de: could not connect to host
 dowc.org: did not receive HSTS header
 download.jitsi.org: did not receive HSTS header
 downsouthweddings.com.au: did not receive HSTS header
@@ -4927,15 +5065,16 @@ dragons-of-highlands.cz: did not receive HSTS header
 dragonsmoke.cloud: could not connect to host
 dragonstower.net: could not connect to host
 dragonteam.ninja: could not connect to host
+drahcro.uk: could not connect to host
 drainagebuizen.nl: did not receive HSTS header
 drakefortreasurer.sexy: could not connect to host
 drakensberg-tourism.com: did not receive HSTS header
 drakfot.se: could not connect to host
 dralexjimenez.com: did not receive HSTS header
-dranek.com: max-age too low: 2592000
 drastosasports.com.br: could not connect to host
-drawvesly.ovh: did not receive HSTS header
+drawvesly.ovh: could not connect to host
 drbarnabus.com: could not connect to host
+drbethanybarnes.com: could not connect to host
 drdavidgilpin.com: did not receive HSTS header
 drdevil.ru: could not connect to host
 drdim.ru: could not connect to host
@@ -4947,6 +5086,8 @@ dreamersgiftshopec.com: could not connect to host
 dreaming.solutions: could not connect to host
 dreamlighteyeserum.com: could not connect to host
 dreamsforabetterworld.com.au: did not receive HSTS header
+dreamtechie.com: did not receive HSTS header
+dreatho.com: did not receive HSTS header
 dreax.win: could not connect to host
 dredgepress.com: did not receive HSTS header
 dreischneidiger.de: could not connect to host
@@ -4989,6 +5130,8 @@ droomhuisophetplattelandverkopen.nl: could not connect to host
 dropcam.com: did not receive HSTS header
 drostschocolates.com: did not receive HSTS header
 drpure.pw: could not connect to host
+drpure.top: did not receive HSTS header
+drrodina.com: did not receive HSTS header
 drtroyhendrickson.com: could not connect to host
 drtti.io: could not connect to host
 drturner.com.au: did not receive HSTS header
@@ -4996,7 +5139,6 @@ drubn.de: could not connect to host
 drugagodba.si: did not receive HSTS header
 drumbandesperanto.nl: could not connect to host
 drump-truck.com: did not receive HSTS header
-drunkscifi.com: could not connect to host
 drupal123.com: could not connect to host
 druznek.rocks: could not connect to host
 druznek.xyz: could not connect to host
@@ -5008,19 +5150,17 @@ ds-christiansen.de: could not connect to host
 dshiv.io: could not connect to host
 dsne.com.mx: could not connect to host
 dsouzamusic.com: did not receive HSTS header
-dsrw.org: max-age too low: 1576800
 dsuinnovation.com: could not connect to host
-dsyunmall.com: did not receive HSTS header
+dsyunmall.com: could not connect to host
 dtechstore.com.br: did not receive HSTS header
 dtub.co: could not connect to host
 dualias.xyz: could not connect to host
 duan.li: could not connect to host
-dubai-company.ae: could not connect to host
 dubaosheng.com: could not connect to host
 dubik.su: did not receive HSTS header
 duchyoffeann.com: could not connect to host
+ducius.net: could not connect to host
 duckasylum.com: did not receive HSTS header
-duckyubuntu.tk: could not connect to host
 ducohosting.com: did not receive HSTS header
 dudesunderwear.com.br: could not connect to host
 duelsow.eu: could not connect to host
@@ -5033,20 +5173,24 @@ dukec.me: could not connect to host
 dukefox.com: could not connect to host
 duks.com.br: did not receive HSTS header
 dullsir.com: did not receive HSTS header
+dum.moe: could not connect to host
 dumbdemo.com: could not connect to host
 dunamiscommunity.com: could not connect to host
 dunashoes.com: could not connect to host
 dune.io: did not receive HSTS header
 dunea.nl: did not receive HSTS header
 dung-massage.fr: did not receive HSTS header
-dunklau.fr: could not connect to host
 duo.money: could not connect to host
 duocircle.com: did not receive HSTS header
 duole30.com: could not connect to host
+duonganhtuan.com: could not connect to host
 duongpho.com: did not receive HSTS header
+duploclique.pt: did not receive HSTS header
 durangoenergyllc.com: could not connect to host
 dushu.cat: could not connect to host
 duskopy.top: could not connect to host
+dustycloth.com: could not connect to host
+dutchessuganda.com: did not receive HSTS header
 dutchrank.com: did not receive HSTS header
 dutyfreeonboard.com: did not receive HSTS header
 duuu.ch: could not connect to host
@@ -5055,6 +5199,7 @@ dvotx.org: did not receive HSTS header
 dwellstudio.com: did not receive HSTS header
 dwhd.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 dwnld.me: could not connect to host
+dxm.no-ip.biz: could not connect to host
 dycem-ns.com: did not receive HSTS header
 dycontrol.de: could not connect to host
 dylanscott.com.au: did not receive HSTS header
@@ -5063,16 +5208,18 @@ dynamic-networks.be: could not connect to host
 dynamize.solutions: did not receive HSTS header
 dyncdn.me: could not connect to host
 dynts.pro: could not connect to host
-dyz.pw: did not receive HSTS header
+dyz.pw: could not connect to host
 dziekonski.com: could not connect to host
 dzimejl.sk: did not receive HSTS header
 dzlibs.io: could not connect to host
 dzndk.net: could not connect to host
 dzndk.org: could not connect to host
 dzytdl.com: did not receive HSTS header
+e-apack.com.br: could not connect to host
 e-aut.net: could not connect to host
 e-baraxolka.ru: could not connect to host
 e-deca2.org: did not receive HSTS header
+e-gemeinde.at: could not connect to host
 e-isfa.eu: did not receive HSTS header
 e-mak.eu: could not connect to host
 e-migration.ch: could not connect to host
@@ -5081,6 +5228,7 @@ e-planetelec.fr: did not receive HSTS header
 e-pokupki.eu: did not receive HSTS header
 e-rickroll-r.pw: could not connect to host
 e-sa.com: did not receive HSTS header
+e-tune-mt.net: could not connect to host
 e-vau.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 e-vo-linka.cz: did not receive HSTS header
 e-wishlist.net: could not connect to host
@@ -5109,6 +5257,7 @@ earlybirdsnacks.com: could not connect to host
 earth-people.org: could not connect to host
 earthrise16.com: could not connect to host
 easew.com: could not connect to host
+easez.net: could not connect to host
 eason-yang.com: could not connect to host
 east-line.su: could not connect to host
 eastcoastbubbleandbounce.co.uk: could not connect to host
@@ -5144,9 +5293,10 @@ ebooksgratuits.org: could not connect to host
 ebop.ch: could not connect to host
 ebp2p.com: could not connect to host
 ebraph.com: could not connect to host
+ebrnd.de: could not connect to host
 ebrowz.com: could not connect to host
 ec-baran.de: could not connect to host
-ecake.in: did not receive HSTS header
+ecake.in: could not connect to host
 ecc-kaufbeuren.de: could not connect to host
 eccux.com: could not connect to host
 ecelembrou.ovh: could not connect to host
@@ -5154,7 +5304,8 @@ ecfs.link: could not connect to host
 ecg.fr: could not connect to host
 echipstore.com: did not receive HSTS header
 echoactive.com: max-age too low: 7776000
-echomanchester.net: could not connect to host
+echomanchester.net: did not receive HSTS header
+ecir.pro: could not connect to host
 eckro.com: could not connect to host
 eco-wiki.com: could not connect to host
 ecobrain.be: max-age too low: 0
@@ -5171,7 +5322,10 @@ econativa.pt: could not connect to host
 economy.st: did not receive HSTS header
 economycarrentalscyprus.com: could not connect to host
 ecorus.eu: did not receive HSTS header
+ecos.srl: did not receive HSTS header
+ecoskif.ru: could not connect to host
 ecosoftconsult.com: could not connect to host
+ecosystemmanager.azurewebsites.net: did not receive HSTS header
 ecotruck-pooling.com: did not receive HSTS header
 ecrimex.net: did not receive HSTS header
 ectora.com: could not connect to host
@@ -5181,6 +5335,7 @@ edcphenix.tk: could not connect to host
 eddmixpanel.com: could not connect to host
 edelblack.ch: could not connect to host
 edelsteincosmetic.com: did not receive HSTS header
+eden-institut-carita-valdisere.com: did not receive HSTS header
 eden-mobility.co.uk: did not receive HSTS header
 eden-noel.at: could not connect to host
 edenaya.com: could not connect to host
@@ -5195,6 +5350,7 @@ edisonchee.com: did not receive HSTS header
 edissecurity.sk: did not receive HSTS header
 edition-pommern.com: max-age too low: 86400
 editoraacademiacrista.com.br: could not connect to host
+editoraimaculada.com.br: did not receive HSTS header
 edix.ru: could not connect to host
 edk.com.tr: did not receive HSTS header
 edpubs.gov: could not connect to host
@@ -5213,6 +5369,7 @@ eduvance.in: did not receive HSTS header
 ee-terminals.com: could not connect to host
 eeb98.com: could not connect to host
 eeetrust.org: could not connect to host
+eemcevn.com: could not connect to host
 eenekorea.com: could not connect to host
 eengezinswoning-in-alphen-aan-den-rijn-kopen.nl: could not connect to host
 eengezinswoning-in-de-friese-meren-kopen.nl: could not connect to host
@@ -5234,21 +5391,20 @@ eez.ee: could not connect to host
 effectiveosgi.com: could not connect to host
 effectivepapers.com: could not connect to host
 efficienthealth.com: could not connect to host
+effizienta.ch: did not receive HSTS header
 eftcorp.biz: did not receive HSTS header
 egfl.org.uk: did not receive HSTS header
 egge.com: max-age too low: 0
 egit.co: could not connect to host
-eglek.com: could not connect to host
 ego-world.org: could not connect to host
 egupova.ru: did not receive HSTS header
-ehcommerce.com: did not receive HSTS header
 ehealthcounselor.com: could not connect to host
 ehipaadev.com: could not connect to host
 ehito.ovh: could not connect to host
 ehr.gov: could not connect to host
 ehrenamt-skpfcw.de: could not connect to host
 ehrlichesbier.de: could not connect to host
-ehseller.com: did not receive HSTS header
+ehsellert.com: did not receive HSTS header
 ehuber.info: could not connect to host
 eicfood.com: could not connect to host
 eidolonhost.com: did not receive HSTS header
@@ -5257,7 +5413,6 @@ eigenbubi.de: could not connect to host
 eightyfour.ca: could not connect to host
 eigo.work: did not receive HSTS header
 eimanavicius.lt: did not receive HSTS header
-einar.io: max-age too low: 86400
 einfachmaldiefressehalten.de: could not connect to host
 einhorn.space: could not connect to host
 einmonolog.de: could not connect to host
@@ -5267,9 +5422,10 @@ einsitapis.com: could not connect to host
 ejgconsultancy.co.uk: did not receive HSTS header
 ejuicelab.co.uk: did not receive HSTS header
 ejusu.com: could not connect to host
-ek.network: could not connect to host
+ek.network: did not receive HSTS header
 ekbanden.nl: could not connect to host
 ekobudisantoso.net: could not connect to host
+ekodevices.com: could not connect to host
 ekong366.com: could not connect to host
 eksik.com: could not connect to host
 el-soul.com: did not receive HSTS header
@@ -5283,10 +5439,10 @@ elbaal.gov: did not receive HSTS header
 elblein.de: did not receive HSTS header
 elblogdegoyo.mx: max-age too low: 2592000
 elbohlyart.com: did not receive HSTS header
-eldevo.com: could not connect to host
 eldietista.es: could not connect to host
 eldisagjapi.de: could not connect to host
 elearningpilot.com: did not receive HSTS header
+eleaut.com.br: did not receive HSTS header
 electicofficial.com: did not receive HSTS header
 electricalcontrolpanels.co.uk: could not connect to host
 electricant.com: did not receive HSTS header
@@ -5311,13 +5467,16 @@ elenagherta.ga: could not connect to host
 elenoon.ir: max-age too low: 1
 elenorsmadness.org: could not connect to host
 eleonorengland.com: did not receive HSTS header
-elestanteliterario.com: did not receive HSTS header
+elestanteliterario.com: max-age too low: 43200
 elevateandprosper.com: could not connect to host
+elevator.ee: could not connect to host
+elexel.ru: could not connect to host
 elgacien.de: could not connect to host
 elguillatun.cl: did not receive HSTS header
 elhall.pro: did not receive HSTS header
 elhall.ru: did not receive HSTS header
 eliasojala.me: did not receive HSTS header
+elielaloum.com: could not connect to host
 elimdengelen.com: did not receive HSTS header
 eline168.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 eliott.be: could not connect to host
@@ -5327,8 +5486,10 @@ elite-box.org: did not receive HSTS header
 elite-porno.ru: could not connect to host
 elitecovering.fr: did not receive HSTS header
 elitefishtank.com: could not connect to host
+elitehosting.de: did not receive HSTS header
 elitesensual.com.br: did not receive HSTS header
 elizeugomes.com.br: did not receive HSTS header
+ell-net.tokyo: could not connect to host
 ellen-skye.de: max-age too low: 604800
 elliff.net: did not receive HSTS header
 elliotgluck.com: did not receive HSTS header
@@ -5340,13 +5501,13 @@ elo.fyi: could not connect to host
 elohna.ch: did not receive HSTS header
 elonbase.com: could not connect to host
 elonm.ru: could not connect to host
+elosuite.com: could not connect to host
 eloxt.com: could not connect to host
 elpay.kz: did not receive HSTS header
 elpo.xyz: could not connect to host
 elsamakhin.com: could not connect to host
 elsemanario.com: did not receive HSTS header
 elsensohn.ch: did not receive HSTS header
-elsignificadodesonar.com: did not receive HSTS header
 elsitar.com: could not connect to host
 elsword.moe: could not connect to host
 eltransportquevolem.org: could not connect to host
@@ -5356,9 +5517,12 @@ elyisus.info: did not receive HSTS header
 elytronsecurity.com: did not receive HSTS header
 email.lookout.com: could not connect to host
 email2rss.net: could not connect to host
+emailalaperformance.fr: could not connect to host
 emailcontrol.nl: did not receive HSTS header
+emailing.alsace: could not connect to host
 emanatepixels.com: could not connect to host
 emanga.su: did not receive HSTS header
+emasex.es: could not connect to host
 emavok.eu: could not connect to host
 embellir-aroma.com: could not connect to host
 embellir-kyujin.com: could not connect to host
@@ -5371,6 +5535,7 @@ emergencymedicinefoundations.com: did not receive HSTS header
 emergentvisiontec.com: did not receive HSTS header
 emesolutions.net: did not receive HSTS header
 emiele.com.br: could not connect to host
+emiliendevos.be: could not connect to host
 emilyhorsman.com: could not connect to host
 emilyshepherd.me: did not receive HSTS header
 eminhuseynov.com: could not connect to host
@@ -5378,6 +5543,7 @@ eminovic.me: could not connect to host
 emjainteractive.com: did not receive HSTS header
 emjimadhu.com: could not connect to host
 emma-o.com: could not connect to host
+emma.ca: did not receive HSTS header
 emmable.com: could not connect to host
 emmaliddell.com: did not receive HSTS header
 emmanuelle-et-julien.ch: could not connect to host
@@ -5398,17 +5564,15 @@ empty-r.com: could not connect to host
 emptypath.com: did not receive HSTS header
 emupedia.net: did not receive HSTS header
 emyself.info: could not connect to host
-emyself.org: did not receive HSTS header
+emyself.org: could not connect to host
 en4u.org: could not connect to host
-enaah.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 enaia.fr: did not receive HSTS header
+enaim.de: max-age too low: 0
 encadrer-mon-enfant.com: did not receive HSTS header
 encode.space: could not connect to host
 encode.uk.com: did not receive HSTS header
 encoder.pw: could not connect to host
-encoderx.uk: could not connect to host
 encontrebarato.com.br: could not connect to host
-encore.io: could not connect to host
 encrypted.google.com: did not receive HSTS header (error ignored - included regardless)
 encryptedaudience.com: could not connect to host
 encryptio.com: could not connect to host
@@ -5416,8 +5580,7 @@ end.pp.ua: could not connect to host
 endangeredwatch.com: could not connect to host
 ende-x.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 endlessdark.net: max-age too low: 600
-endlessdiy.ca: could not connect to host
-endlesshorizon.net: could not connect to host
+endlesshorizon.net: max-age too low: 0
 endlesstone.com: did not receive HSTS header
 endofinternet.goip.de: could not connect to host
 endofnet.org: could not connect to host
@@ -5431,7 +5594,7 @@ enefan.jp: could not connect to host
 enelacto.com: did not receive HSTS header
 energethik-tulln.at: did not receive HSTS header
 energisammenslutningen.dk: could not connect to host
-energy.eu: did not receive HSTS header
+energyradio.mk: max-age too low: 0
 enersaveapp.org: could not connect to host
 enersec.co.uk: could not connect to host
 enfoqueseguro.com: did not receive HSTS header
@@ -5444,12 +5607,12 @@ englishdirectory.de: could not connect to host
 englishyamal.ru: did not receive HSTS header
 enigmacpt.com: did not receive HSTS header
 enigmail.net: did not receive HSTS header
-enixgaming.com: could not connect to host
 enjen.net: did not receive HSTS header
 enjoymayfield.com: max-age too low: 0
 enjoystudio.ro: did not receive HSTS header
 enlatte.com: could not connect to host
 enlazaresbueno.cl: could not connect to host
+enlighten10x.ga: could not connect to host
 enlightened.si: did not receive HSTS header
 enoou.com: could not connect to host
 enpalmademallorca.info: could not connect to host
@@ -5465,6 +5628,7 @@ enterdev.co: did not receive HSTS header
 enterprisecarclub.co.uk: could not connect to host
 enterprisechannel.asia: did not receive HSTS header
 enterprivacy.com: did not receive HSTS header
+entersynapse.com: could not connect to host
 entheorie.net: did not receive HSTS header
 entourneebeetle.com: could not connect to host
 entrepreneur.or.id: could not connect to host
@@ -5491,8 +5655,9 @@ epave.paris: could not connect to host
 epaygateway.net: could not connect to host
 ephe.be: could not connect to host
 ephry.com: could not connect to host
+epicbouncycastlehirenorwich.co.uk: could not connect to host
 epicmc.games: could not connect to host
-epicsoft.de: could not connect to host
+epicpages.com: could not connect to host
 eposcloud.net: could not connect to host
 eposmidlands.co.uk: could not connect to host
 eposnewport.co.uk: did not receive HSTS header
@@ -5505,13 +5670,14 @@ eposwales.co.uk: could not connect to host
 epoxate.com: could not connect to host
 eprofitacademy.com: did not receive HSTS header
 epsorting.cz: did not receive HSTS header
-epulsar.ru: max-age too low: 604800
+epulsar.ru: did not receive HSTS header
 epvin.com: could not connect to host
 eq8.net.au: could not connect to host
 eqib.nl: did not receive HSTS header
+eqibank.com: could not connect to host
 eqim.me: could not connect to host
 eqorg.com: could not connect to host
-equallyy.com: could not connect to host
+equallyy.com: did not receive HSTS header
 equalparts.eu: could not connect to host
 equate.net.au: did not receive HSTS header
 equatetechnologies.com.au: did not receive HSTS header
@@ -5523,7 +5689,6 @@ equitee.co: did not receive HSTS header
 equityflows.com: did not receive HSTS header
 er-music.com: could not connect to host
 erad.fr: could not connect to host
-erasmo.info: could not connect to host
 erawanarifnugroho.com: did not receive HSTS header
 erclab.kr: could not connect to host
 erecciontotalal100.com: could not connect to host
@@ -5534,7 +5699,7 @@ ericbond.net: could not connect to host
 erichalv.com: could not connect to host
 ericloud.tk: could not connect to host
 ericorporation.com: did not receive HSTS header
-ericyl.com: could not connect to host
+eridanus.uk: could not connect to host
 eriel.com.br: could not connect to host
 erikwagner.de: did not receive HSTS header
 erinlin.com: did not receive HSTS header
@@ -5548,6 +5713,7 @@ eromixx.com: could not connect to host
 eromon.net: could not connect to host
 erotalia.es: could not connect to host
 erotic4me.ch: did not receive HSTS header
+eroticforce.com: could not connect to host
 erotische-aanbiedingen.nl: could not connect to host
 erotpo.cz: could not connect to host
 erpiv.com: could not connect to host
@@ -5561,6 +5727,7 @@ es8888.net: could not connect to host
 es888999.com: could not connect to host
 es999.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 es9999.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+esaborit.ddns.net: could not connect to host
 esb-in.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 esb-top.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 esb-top.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -5671,6 +5838,7 @@ esbm4.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_
 esbm5.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 esbuilders.co.nz: did not receive HSTS header
 escalate.eu: could not connect to host
+escape2rooms.fr: did not receive HSTS header
 escapees.com: did not receive HSTS header
 escolaengenharia.com.br: did not receive HSTS header
 escort-byuro.net: could not connect to host
@@ -5685,6 +5853,7 @@ esh.ink: could not connect to host
 eshepperd.com: did not receive HSTS header
 eshobe.com: did not receive HSTS header
 eshtapay.com: could not connect to host
+esipublications.com: did not receive HSTS header
 esko.bar: could not connect to host
 esln.org: did not receive HSTS header
 esmoney.cc: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -5711,6 +5880,7 @@ essayscam.org: could not connect to host
 essayshark.com: could not connect to host
 essaywebsite.com: did not receive HSTS header
 essenceofvitalitydetox.com: could not connect to host
+essencesdeprana.org: did not receive HSTS header
 essential12.com: could not connect to host
 essentialoilsimports.com: could not connect to host
 essentiel-physique.com: could not connect to host
@@ -5746,6 +5916,7 @@ ethantskinner.com: did not receive HSTS header
 ether.school: could not connect to host
 etherderbies.com: could not connect to host
 etheria-software.tk: did not receive HSTS header
+etherpad.fr: did not receive HSTS header
 ethicalexploiting.com: could not connect to host
 ethicall.org.uk: did not receive HSTS header
 ethicaltek.com: could not connect to host
@@ -5764,6 +5935,7 @@ ettebiz.com: max-age too low: 0
 etula.ga: did not receive HSTS header
 etula.me: could not connect to host
 etys.no: did not receive HSTS header
+etzi.myds.me: did not receive HSTS header
 euanbaines.com: did not receive HSTS header
 eucl3d.com: could not connect to host
 euclideanpostulates.xyz: could not connect to host
@@ -5781,11 +5953,11 @@ eupresidency2018.com: could not connect to host
 euren.se: could not connect to host
 eurocamping.se: could not connect to host
 eurocomcompany.cz: could not connect to host
+euroconthr.ro: could not connect to host
 euroescortguide.com: could not connect to host
 europapier.at: did not receive HSTS header
 europapier.ba: did not receive HSTS header
 europapier.bg: did not receive HSTS header
-europapier.com: did not receive HSTS header
 europapier.cz: did not receive HSTS header
 europapier.hr: did not receive HSTS header
 europapier.rs: did not receive HSTS header
@@ -5798,7 +5970,7 @@ eurospecautowerks.com: did not receive HSTS header
 eurostrategy.vn.ua: could not connect to host
 euvo.tk: could not connect to host
 evades.io: did not receive HSTS header
-evangelosm.com: could not connect to host
+evadifranco.com: did not receive HSTS header
 evanhandgraaf.nl: did not receive HSTS header
 evankurniawan.com: did not receive HSTS header
 evanreev.es: could not connect to host
@@ -5822,13 +5994,14 @@ everygayporn.xyz: could not connect to host
 everylab.org: could not connect to host
 everymove.org: could not connect to host
 everything.place: could not connect to host
+everythingstech.com: could not connect to host
 everytruckjob.com: did not receive HSTS header
 eveseat.net: could not connect to host
 eveshaiwu.com: could not connect to host
 evi.be: did not receive HSTS header
+evilarmy.com: did not receive HSTS header
 evilbeasts.ru: could not connect to host
 evilcult.me: did not receive HSTS header
-evileden.com: could not connect to host
 evilnerd.de: did not receive HSTS header
 evilness.nl: could not connect to host
 evilsay.com: could not connect to host
@@ -5836,6 +6009,7 @@ evilvolcanolairs.com: did not receive HSTS header
 evin.ml: could not connect to host
 evio.com: did not receive HSTS header
 evites.me: could not connect to host
+evokepk.com: could not connect to host
 evoludis.net: did not receive HSTS header
 evolutionexpeditions.com: did not receive HSTS header
 evomon.com: could not connect to host
@@ -5853,15 +6027,17 @@ exceptionalbits.com: could not connect to host
 exceptionalservices.us: could not connect to host
 exchangecoordinator.com: could not connect to host
 exchangeworks.co: did not receive HSTS header
-exclusivedesignz.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+exclusivedesignz.com: could not connect to host
 exebouncycastles.co.uk: did not receive HSTS header
 exembit.com: did not receive HSTS header
 exfiles.cz: could not connect to host
 exgaywatch.com: could not connect to host
 exgravitus.com: could not connect to host
+exhaledayspa.com.au: did not receive HSTS header
 exno.co: could not connect to host
 exnovin.co: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 exocen.com: could not connect to host
+exoplatform.com: did not receive HSTS header
 exoticads.com: could not connect to host
 exousiakaidunamis.xyz: could not connect to host
 expatads.com: could not connect to host
@@ -5871,6 +6047,7 @@ experticon.com: did not receive HSTS header
 expertmile.com: did not receive HSTS header
 experts-en-gestion.fr: did not receive HSTS header
 explodingcamera.com: did not receive HSTS header
+exploration.ga: did not receive HSTS header
 expo-designers.com: did not receive HSTS header
 expokohler.com: did not receive HSTS header
 expoort.com.br: could not connect to host
@@ -5890,7 +6067,7 @@ extratorrents.tech: could not connect to host
 extremenetworking.net: could not connect to host
 extremeservicesandrestoration.com: could not connect to host
 exy.pw: could not connect to host
-eyasc.nl: did not receive HSTS header
+eyasc.nl: could not connect to host
 eyedarts.com: did not receive HSTS header
 eyeglassuniverse.com: did not receive HSTS header
 eyenote.gov: did not receive HSTS header
@@ -5899,6 +6076,7 @@ eyesoccer-didikh.rhcloud.com: could not connect to host
 eyesonly.cc: did not receive HSTS header
 eytosh.net: could not connect to host
 ez.fi: could not connect to host
+ezequiel-garzon.net: could not connect to host
 ezgamble.com: did not receive HSTS header
 ezimoeko.net: could not connect to host
 ezmod.org: could not connect to host
@@ -5919,11 +6097,12 @@ faber.io: could not connect to host
 faberusa.com: did not receive HSTS header
 fabhub.io: could not connect to host
 fabian-kluge.de: could not connect to host
+fabian-koeppen.de: did not receive HSTS header
 fabianasantiago.com: could not connect to host
 fabianfischer.de: did not receive HSTS header
 fabianmunoz.com: did not receive HSTS header
 fabienbaker.com: could not connect to host
-fabled.com: did not receive HSTS header
+fabled.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 fabriko.fr: did not receive HSTS header
 fabriziorocca.com: could not connect to host
 fabulouslyyouthfulskin.com: could not connect to host
@@ -5979,7 +6158,7 @@ familie-sprink.de: did not receive HSTS header
 familie-zimmermann.at: could not connect to host
 familiegrottendieck.de: max-age too low: 7776000
 familletouret.fr: did not receive HSTS header
-famio.cn: did not receive HSTS header
+famio.cn: could not connect to host
 fanflow.com: could not connect to host
 fansmade.art: could not connect to host
 fant.dk: did not receive HSTS header
@@ -5994,7 +6173,6 @@ faraonplay5.com: could not connect to host
 faraonplay7.com: could not connect to host
 faraonplay8.com: could not connect to host
 faraslot8.net: could not connect to host
-farces.com: could not connect to host
 faretravel.co.uk: could not connect to host
 farkas.bz: did not receive HSTS header
 farm24.co.uk: could not connect to host
@@ -6002,6 +6180,9 @@ farmacia.pt: did not receive HSTS header
 farmaciaformula.com.br: could not connect to host
 farmaciamedicom.com.br: could not connect to host
 farmmaximizer.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+farrel-f.id: could not connect to host
+farsil.eu: could not connect to host
+fascia.fit: could not connect to host
 fashion.net: did not receive HSTS header
 fashioncare.cz: did not receive HSTS header
 fashiondays.bg: max-age too low: 0
@@ -6015,14 +6196,13 @@ fastbackmbg.be: could not connect to host
 fastbackmbm.be: could not connect to host
 fastcomcorp.net: did not receive HSTS header
 fastconfirm.com: could not connect to host
-fastforwardsociety.nl: could not connect to host
+fastcp.top: could not connect to host
 fastograph.com: could not connect to host
 fastopen.ml: could not connect to host
 fastwebsites.com.br: did not receive HSTS header
 fastworx.com: did not receive HSTS header
 fatdoge.cn: did not receive HSTS header
 fatgeekflix.net: could not connect to host
-fatherhood.gov: did not receive HSTS header
 fatlossguide.xyz: could not connect to host
 fator25.com.br: could not connect to host
 fatox.de: could not connect to host
@@ -6030,12 +6210,11 @@ fattorino.it: did not receive HSTS header
 fatwin.pw: could not connect to host
 fatzebra.com.au: max-age too low: 0
 favorit.club: did not receive HSTS header
-fawkex.me: could not connect to host
+fawkex.me: did not receive HSTS header
 faxreader.net: could not connect to host
-fayntic.com: could not connect to host
 fayolle.info: did not receive HSTS header
 fbf.gov: did not receive HSTS header
-fbi.pw: did not receive HSTS header
+fbi.pw: could not connect to host
 fbook.top: could not connect to host
 fbox.li: could not connect to host
 fcapartsdb.com: could not connect to host
@@ -6046,12 +6225,13 @@ fdm.ro: did not receive HSTS header
 fdt.name: did not receive HSTS header
 feard.space: could not connect to host
 fecik.sk: did not receive HSTS header
-fed51.com: could not connect to host
+fed51.com: did not receive HSTS header
 fedbizopps.gov: could not connect to host
 fedemo.top: did not receive HSTS header
 federalregister.gov: did not receive HSTS header
 fedn.it: could not connect to host
 fedo.moe: could not connect to host
+fee-hosting.com: max-age too low: 0
 feedstringer.com: could not connect to host
 feedthebot.com: did not receive HSTS header
 feegg.com.br: could not connect to host
@@ -6061,11 +6241,13 @@ fegans.org.uk: did not receive HSTS header
 feirlane.org: could not connect to host
 feist.io: could not connect to host
 feitobrasilcosmeticos.com.br: did not receive HSTS header
+fejes.house: could not connect to host
 felger-times.fr: could not connect to host
 felgitscher.xyz: max-age too low: 2592000
 felisslovakia.sk: did not receive HSTS header
 feliwyn.fr: did not receive HSTS header
 felixhefner.de: did not receive HSTS header
+felixqu.com: did not receive HSTS header
 felixrr.pro: could not connect to host
 femaledom.xyz: could not connect to host
 femdombbw.com: could not connect to host
@@ -6086,23 +6268,22 @@ fernangp.com: could not connect to host
 fernseher-kauf.de: could not connect to host
 ferrolatino.com: could not connect to host
 feschiyan.com: could not connect to host
-festember.com: could not connect to host
+festember.com: did not receive HSTS header
 festival.house: did not receive HSTS header
 festivalxdentro.com: did not receive HSTS header
 festrip.com: could not connect to host
-fetch.co.uk: did not receive HSTS header
+fetch.co.uk: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 fetclips.se: could not connect to host
 fetlife.com: could not connect to host
 fettbrot.tk: did not receive HSTS header
 feudaltactics.com: could not connect to host
 feuerwehr-dachaufsetzer.de: could not connect to host
-fexmen.com: did not receive HSTS header
+fexmen.com: could not connect to host
 ff-bg.xyz: could not connect to host
-ffh.me: could not connect to host
+ffbans.org: did not receive HSTS header
 ffl123.com: did not receive HSTS header
-ffsociety.nl: could not connect to host
 fgequipamentos.com.br: did not receive HSTS header
-fhg90.com: could not connect to host
+fhg90.com: did not receive HSTS header
 fhsseniormens.club: could not connect to host
 fi-sanki.co.jp: could not connect to host
 fibrasynormasdecolombia.com: did not receive HSTS header
@@ -6124,6 +6305,7 @@ fightr.co: could not connect to host
 figura.cz: did not receive HSTS header
 figura.im: did not receive HSTS header
 figuurzagers.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+fiissh.tech: did not receive HSTS header
 fiksel.info: could not connect to host
 fikt.space: could not connect to host
 filamentia.nl: could not connect to host
@@ -6159,7 +6341,8 @@ findmybottleshop.com.au: could not connect to host
 findthere.net: could not connect to host
 findtutorsnearme.com: did not receive HSTS header
 findyour.diet: could not connect to host
-finer04.pw: did not receive HSTS header
+fine-services.paris: could not connect to host
+finer04.pw: could not connect to host
 finewineonline.com: could not connect to host
 fingent.com: did not receive HSTS header
 fingerscrossed.style: could not connect to host
@@ -6177,7 +6360,6 @@ firebird.io: did not receive HSTS header
 firefall.rocks: could not connect to host
 firehost.com: did not receive HSTS header
 fireinthedeep.com: could not connect to host
-firekoi.com: did not receive HSTS header
 firemail.io: could not connect to host
 fireorbit.de: did not receive HSTS header
 firepeak.ru: could not connect to host
@@ -6190,6 +6372,7 @@ firstchoicepool.com: did not receive HSTS header
 firstdogonthemoon.com.au: did not receive HSTS header
 firstforex.co.uk: did not receive HSTS header
 firstlook.org: did not receive HSTS header
+fischer-its.com: could not connect to host
 fiscoeconti.it: did not receive HSTS header
 fishfinders.info: did not receive HSTS header
 fiskestang.com: did not receive HSTS header
@@ -6200,7 +6383,6 @@ fitfitup.com: did not receive HSTS header
 fitiapp.com: could not connect to host
 fitnesswerk.de: could not connect to host
 fitqbe.com: did not receive HSTS header
-fitseven.ru: did not receive HSTS header
 fitshop.com.br: could not connect to host
 fitsw.com: did not receive HSTS header
 fiuxy.org: could not connect to host
@@ -6212,7 +6394,7 @@ fivezerocreative.com: did not receive HSTS header
 fiws.net: did not receive HSTS header
 fix-the-timeline.com: could not connect to host
 fix-the-timeline.org: could not connect to host
-fixate.ru: max-age too low: 3153600
+fixate.ru: could not connect to host
 fixeaide.com: did not receive HSTS header
 fixeaider.com: did not receive HSTS header
 fixico-staging.nl: could not connect to host
@@ -6253,10 +6435,10 @@ flc111.com: did not receive HSTS header
 flc999.com: max-age too low: 129600
 fleamarketgoods.com: did not receive HSTS header
 flemingtonaudiparts.com: could not connect to host
+flesters.com.br: did not receive HSTS header
 fleurette.me: could not connect to host
 fleursdesoleil.fr: did not receive HSTS header
 flexdrukker.nl: could not connect to host
-fleximaal.com: could not connect to host
 flexinvesting.fi: could not connect to host
 flextribly.xyz: could not connect to host
 fliexer.com: could not connect to host
@@ -6264,11 +6446,11 @@ flightschoolusa.com: did not receive HSTS header
 flikmsg.co: could not connect to host
 fling.dating: could not connect to host
 flipagram.com: did not receive HSTS header
-flipbell.com: did not receive HSTS header
+flipbell.com: could not connect to host
 flipkey.com: did not receive HSTS header
 flirchi.com: did not receive HSTS header
-flirtycourts.com: did not receive HSTS header
-flixhaven.net: could not connect to host
+flirtycourts.com: could not connect to host
+flixhaven.net: did not receive HSTS header
 flixtor.net: could not connect to host
 flkrpxl.com: max-age too low: 86400
 flood.io: did not receive HSTS header
@@ -6277,6 +6459,7 @@ flopy.club: could not connect to host
 florafiora.com.br: did not receive HSTS header
 florian-lillpopp.de: did not receive HSTS header
 florian-schlachter.de: did not receive HSTS header
+florian2833z.de: could not connect to host
 florianlillpopp.de: did not receive HSTS header
 floridaderi.ru: did not receive HSTS header
 floridaescapes.co.uk: did not receive HSTS header
@@ -6295,6 +6478,7 @@ floweslawncare.com: could not connect to host
 flowlo.me: could not connect to host
 flox.io: could not connect to host
 floydm.com: did not receive HSTS header
+flucky.xyz: could not connect to host
 flucto.com: did not receive HSTS header
 flue-ducting.co.uk: did not receive HSTS header
 flugplatz-edvc.de: could not connect to host
@@ -6314,19 +6498,20 @@ flyingyoung.top: could not connect to host
 flyspace.ga: did not receive HSTS header
 flyspace.ml: did not receive HSTS header
 flyss.net: could not connect to host
+flyssh.net: could not connect to host
 fm83.nl: could not connect to host
 fm992.com: could not connect to host
 fmapplication.com: could not connect to host
 fmi.gov: did not receive HSTS header
 fmovies.fyi: did not receive HSTS header
-fmovies.life: could not connect to host
+fmovies.life: did not receive HSTS header
 fnfpt.co.uk: could not connect to host
 fniephaus.com: did not receive HSTS header
 fnncat.com: did not receive HSTS header
 fnvsecurity.com: could not connect to host
 fobc-usa.org: did not receive HSTS header
 focalforest.com: could not connect to host
-foerster-kunststoff.de: could not connect to host
+foerster-kunststoff.de: did not receive HSTS header
 fognini-depablo.eu: could not connect to host
 fohome.ca: could not connect to host
 fokan.ch: did not receive HSTS header
@@ -6334,7 +6519,6 @@ fol.tf: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAI
 foliekonsulenten.dk: did not receive HSTS header
 folioapp.io: could not connect to host
 folkfests.org: did not receive HSTS header
-folwarkwiazy.pl: could not connect to host
 fondanastasia.ru: did not receive HSTS header
 fondy.ru: did not receive HSTS header
 foneo.com: could not connect to host
@@ -6365,10 +6549,10 @@ fordshop.by: [Exception... "Component returned failure code: 0x80004005 (NS_ERRO
 foreignexchangeresource.com: did not receive HSTS header
 forestfinance.fr: did not receive HSTS header
 foreveralone.io: could not connect to host
-foreverssl.com: could not connect to host
 foreveryoung.pt: did not receive HSTS header
 forex-dan.com: did not receive HSTS header
 forex-plus.com: did not receive HSTS header
+forexsignals7.com: could not connect to host
 forgix.com: could not connect to host
 forglemmigej.net: could not connect to host
 forlagetmarx.dk: did not receive HSTS header
@@ -6376,16 +6560,14 @@ formadmin.com: did not receive HSTS header
 formaliteo.com: did not receive HSTS header
 formasdemaquillarse.com: did not receive HSTS header
 formazioneopen.it: could not connect to host
-formbetter.com: could not connect to host
 formersessalaries.com: did not receive HSTS header
 formkiq.com: could not connect to host
 formula.cf: could not connect to host
+forpc.us: did not receive HSTS header
 forplanetsake.com: could not connect to host
 forplayers.pl: could not connect to host
 forquilhinhanoticias.com.br: did not receive HSTS header
 forsyththeatre.com: could not connect to host
-fort.eu: did not receive HSTS header
-fortknox.cz: did not receive HSTS header
 fortoglethorpega.gov: could not connect to host
 fortricks.in: did not receive HSTS header
 fortuna-loessnitz.de: could not connect to host
@@ -6411,7 +6593,6 @@ fotopasja.info: could not connect to host
 fotostravestisbr.com: could not connect to host
 fourchin.net: could not connect to host
 fourwheelpartloanssimple.com: did not receive HSTS header
-fox.my: could not connect to host
 foxdev.io: could not connect to host
 foxelbox.com: did not receive HSTS header
 foxes.no: could not connect to host
@@ -6440,7 +6621,6 @@ franklinhua.com: could not connect to host
 fransallen.com: did not receive HSTS header
 franta.biz: did not receive HSTS header
 franta.email: did not receive HSTS header
-frantorregrosa.me: did not receive HSTS header
 franzt.de: could not connect to host
 franzt.ovh: could not connect to host
 frasesaniversarios.com.br: did not receive HSTS header
@@ -6449,11 +6629,68 @@ frasys.cloud: max-age too low: 2592000
 frasys.io: could not connect to host
 fraudempire.com: could not connect to host
 freakyamazing.com: could not connect to host
-freakyawesome.ca: did not receive HSTS header
-freakyawesome.co.uk: did not receive HSTS header
-freakyawesome.com: max-age too low: 86400
-freakyawesome.in: did not receive HSTS header
-freakyawesome.net: could not connect to host
+freakyaweso.me: did not receive HSTS header
+freakyawesome.blog: max-age too low: 86400
+freakyawesome.club: did not receive HSTS header
+freakyawesome.co: did not receive HSTS header
+freakyawesome.com: did not receive HSTS header
+freakyawesome.company: did not receive HSTS header
+freakyawesome.dance: did not receive HSTS header
+freakyawesome.design: could not connect to host
+freakyawesome.education: did not receive HSTS header
+freakyawesome.email: did not receive HSTS header
+freakyawesome.events: did not receive HSTS header
+freakyawesome.fashion: did not receive HSTS header
+freakyawesome.fitness: did not receive HSTS header
+freakyawesome.fm: did not receive HSTS header
+freakyawesome.fun: did not receive HSTS header
+freakyawesome.fyi: did not receive HSTS header
+freakyawesome.games: did not receive HSTS header
+freakyawesome.guide: did not receive HSTS header
+freakyawesome.guru: did not receive HSTS header
+freakyawesome.info: did not receive HSTS header
+freakyawesome.io: did not receive HSTS header
+freakyawesome.lgbt: did not receive HSTS header
+freakyawesome.life: did not receive HSTS header
+freakyawesome.live: did not receive HSTS header
+freakyawesome.management: did not receive HSTS header
+freakyawesome.marketing: did not receive HSTS header
+freakyawesome.me: did not receive HSTS header
+freakyawesome.media: did not receive HSTS header
+freakyawesome.network: did not receive HSTS header
+freakyawesome.news: did not receive HSTS header
+freakyawesome.online: did not receive HSTS header
+freakyawesome.photography: did not receive HSTS header
+freakyawesome.photos: did not receive HSTS header
+freakyawesome.press: did not receive HSTS header
+freakyawesome.recipes: did not receive HSTS header
+freakyawesome.rentals: did not receive HSTS header
+freakyawesome.reviews: did not receive HSTS header
+freakyawesome.science: did not receive HSTS header
+freakyawesome.services: did not receive HSTS header
+freakyawesome.shop: did not receive HSTS header
+freakyawesome.site: did not receive HSTS header
+freakyawesome.social: did not receive HSTS header
+freakyawesome.software: did not receive HSTS header
+freakyawesome.solutions: could not connect to host
+freakyawesome.space: did not receive HSTS header
+freakyawesome.store: did not receive HSTS header
+freakyawesome.support: did not receive HSTS header
+freakyawesome.team: did not receive HSTS header
+freakyawesome.tech: did not receive HSTS header
+freakyawesome.technology: did not receive HSTS header
+freakyawesome.tips: did not receive HSTS header
+freakyawesome.today: did not receive HSTS header
+freakyawesome.tours: did not receive HSTS header
+freakyawesome.training: did not receive HSTS header
+freakyawesome.tv: did not receive HSTS header
+freakyawesome.video: did not receive HSTS header
+freakyawesome.website: did not receive HSTS header
+freakyawesome.work: did not receive HSTS header
+freakyawesome.world: could not connect to host
+freakyawesome.wtf: did not receive HSTS header
+freakyawesome.xyz: did not receive HSTS header
+freakyawesome.yoga: could not connect to host
 freakyawesomeblog.com: could not connect to host
 freakyawesomeio.com: could not connect to host
 freakyawesomemedia.com: could not connect to host
@@ -6465,39 +6702,47 @@ freakyawesometeam.com: could not connect to host
 freakyawesometheme.com: could not connect to host
 freakyawesomethemes.com: could not connect to host
 freakyawesomewp.com: could not connect to host
+frebi.org: could not connect to host
+frebib.co.uk: could not connect to host
+frebib.com: could not connect to host
 frebib.me: could not connect to host
+frebib.net: could not connect to host
 freddythechick.uk: could not connect to host
+fredericcote.com: could not connect to host
 frederickalcantara.com: could not connect to host
 fredliang.cn: could not connect to host
 fredriksslekt.se: did not receive HSTS header
 free-your-pc.com: could not connect to host
 free8.xyz: could not connect to host
 freeasinlliure.org: did not receive HSTS header
-freeassangenow.org: did not receive HSTS header
 freeben666.fr: could not connect to host
 freebies.id: could not connect to host
 freeblog.me: could not connect to host
 freebookmakerbets.com.au: did not receive HSTS header
+freecookies.nl: did not receive HSTS header
 freedomrealtyoftexas.com: did not receive HSTS header
 freedomvote.nl: could not connect to host
 freeexampapers.com: could not connect to host
 freeflow.tv: could not connect to host
 freehao123.cn: could not connect to host
 freejidi.com: could not connect to host
-freekdevries.nl: did not receive HSTS header
 freelancecollab.com: could not connect to host
 freelanced.co.za: could not connect to host
 freelanceshipping.com: did not receive HSTS header
 freelandinnovation.com: did not receive HSTS header
 freelansir.com: could not connect to host
 freemanning.de: could not connect to host
-freematthale.net: could not connect to host
+freematthale.net: did not receive HSTS header
+freepoints.us: could not connect to host
 freeslots.guru: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 freesoftwaredriver.com: could not connect to host
 freesounding.com: did not receive HSTS header
 freesounding.ru: did not receive HSTS header
 freethought.org.au: could not connect to host
 freeutopia.org: did not receive HSTS header
+freevps.us: did not receive HSTS header
+freitasul.com.br: could not connect to host
+freitasul.io: could not connect to host
 frenzel.dk: could not connect to host
 freqlabs.com: did not receive HSTS header
 freshfind.xyz: could not connect to host
@@ -6512,7 +6757,6 @@ fridaperfumaria.com.br: could not connect to host
 friedhelm-wolf.de: could not connect to host
 friendica.ch: could not connect to host
 friendlyfiregameshow.com: could not connect to host
-friendlysiberia.com: could not connect to host
 friller.com.au: did not receive HSTS header
 frimons.com: max-age too low: 7889238
 fritteli.ch: did not receive HSTS header
@@ -6574,7 +6818,6 @@ fuelministry.com: did not receive HSTS header
 fugamo.de: did not receive HSTS header
 fugle.de: could not connect to host
 fuitedeau.ch: could not connect to host
-fujianshipbuilding.com: could not connect to host
 fujiorganics.com: did not receive HSTS header
 fukuko.biz: could not connect to host
 fukuko.xyz: could not connect to host
@@ -6590,11 +6833,12 @@ fumiware.com: could not connect to host
 fun25.tk: could not connect to host
 fun9.cc: could not connect to host
 fun99.cc: could not connect to host
-funarena.com.ua: did not receive HSTS header
+funarena.com.ua: could not connect to host
 fundacionfranciscofiasco.org: could not connect to host
 fundacionhijosdelsol.org: could not connect to host
 fundayltd.com: could not connect to host
 funderburg.me: did not receive HSTS header
+fundingempire.com: could not connect to host
 funerariahogardecristo.cl: did not receive HSTS header
 fungame.eu: did not receive HSTS header
 funi4u.com: could not connect to host
@@ -6604,12 +6848,13 @@ funkyweddingideas.com.au: could not connect to host
 funnelweb.xyz: could not connect to host
 funny-joke-pictures.com: did not receive HSTS header
 funnyang.com: could not connect to host
-funoverip.net: could not connect to host
 funrun.com: did not receive HSTS header
 funtastic-event-hire.co.uk: did not receive HSTS header
 funtastic.ie: could not connect to host
 funtimebourne.co.uk: did not receive HSTS header
 fuorifuocogenova.it: could not connect to host
+furaje-iasi.com: could not connect to host
+furcity.me: could not connect to host
 furi.ga: could not connect to host
 furiffic.com: did not receive HSTS header
 furikake.xyz: could not connect to host
@@ -6643,11 +6888,12 @@ fwww7.com: could not connect to host
 fxgame.online: could not connect to host
 fxpig-ib.com: could not connect to host
 fxwebstudio.com.au: max-age too low: 0
+fydjbsd.cn: could not connect to host
 fyodorpi.com: did not receive HSTS header
 fyol.pw: could not connect to host
 fysiohaenraets.nl: did not receive HSTS header
 fzn.io: did not receive HSTS header
-fzslm.me: could not connect to host
+fzslm.me: did not receive HSTS header
 g-i-s.vn: did not receive HSTS header
 g-marketing.ro: could not connect to host
 g-o.pl: did not receive HSTS header
@@ -6660,6 +6906,7 @@ g2a.co: did not receive HSTS header
 g2g.com: did not receive HSTS header
 g4w.co: could not connect to host (error ignored - included regardless)
 g5led.nl: could not connect to host
+g6666g.tk: could not connect to host
 g77.ca: could not connect to host
 gaanbaksho.com.au: did not receive HSTS header
 gaasuper6.com: could not connect to host
@@ -6673,29 +6920,32 @@ gabriele-kluge.de: could not connect to host
 gabrielsimonet.ch: could not connect to host
 gaelleetarnaud.com: did not receive HSTS header
 gafachi.com: could not connect to host
+gagne-enterprises.com: did not receive HSTS header
 gaichanh.com: did not receive HSTS header
 gainesvillegoneaustin.org: did not receive HSTS header
 gaiserik.com: did not receive HSTS header
 gaite.me: did not receive HSTS header
 gajas18.com: could not connect to host
-gakkainavi.net: could not connect to host
+gakkainavi-epsilon.jp: could not connect to host
 gakkainavi4.com: could not connect to host
+gala.kiev.ua: could not connect to host
 galardi.org: could not connect to host
 galena.io: could not connect to host
 galenskap.eu: could not connect to host
 galeriadobimba.com.br: could not connect to host
+galeriart.xyz: could not connect to host
 galerieautodirect.com: did not receive HSTS header
 galgoafegao.com.br: could not connect to host
 galgoingles.com.br: could not connect to host
 galgopersa.com.br: could not connect to host
 gali.review: did not receive HSTS header
 galileomtz.com: did not receive HSTS header
+gallerify.eu: could not connect to host
 gallery44.org: did not receive HSTS header
 galoisvpn.xyz: could not connect to host
 gam3rs.de: could not connect to host
 gamajo.com: did not receive HSTS header
 gambitcloud.net: could not connect to host
-game-files.net: did not receive HSTS header
 game-gentle.com: could not connect to host
 game.yt: could not connect to host
 game88city.com: could not connect to host
@@ -6729,11 +6979,11 @@ gametium.es: could not connect to host
 gamhealth.net: could not connect to host
 gamingmedia.eu: did not receive HSTS header
 gamingreinvented.com: did not receive HSTS header
-gamisalya.com: did not receive HSTS header
 gamismodelbaru.com: did not receive HSTS header
 gamismu.com: did not receive HSTS header
 gamoice.com: did not receive HSTS header
 gampenhof.de: could not connect to host
+gan.wtf: could not connect to host
 gangnam-club.com: could not connect to host
 gangnam-karaoke.com: did not receive HSTS header
 ganhonet.com.br: did not receive HSTS header
@@ -6759,7 +7009,7 @@ gartenhauszentrum.de: [Exception... "Component returned failure code: 0x80004005
 gasbarkenora.com: could not connect to host
 gasnews.net: could not connect to host
 gasser-daniel.ch: did not receive HSTS header
-gassouthkenticoqa.azurewebsites.net: did not receive HSTS header
+gassouthkenticoqa.azurewebsites.net: could not connect to host
 gastauftritt.net: did not receive HSTS header
 gastritisolucion.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 gatapro.net: could not connect to host
@@ -6770,11 +7020,11 @@ gatilagata.com.br: could not connect to host
 gatomix.net: could not connect to host
 gatorsa.es: could not connect to host
 gaussorgues.me: could not connect to host
-gautham.pro: could not connect to host
+gautham.pro: did not receive HSTS header
 gavick.com: did not receive HSTS header
 gay-jays.com: could not connect to host
 gay-sissies.com: could not connect to host
-gaya-sa.org: did not receive HSTS header
+gaya-sa.org: could not connect to host
 gayauthors.org: could not connect to host
 gayforgenji.com: could not connect to host
 gaygeeks.de: could not connect to host
@@ -6792,9 +7042,10 @@ gchp.ie: did not receive HSTS header
 gcodetools.com: could not connect to host
 gdegem.org: did not receive HSTS header
 gdevpenze.ru: could not connect to host
-gdprhallofshame.com: could not connect to host
+gdprhallofshame.com: did not receive HSTS header
 gdutnic.com: could not connect to host
 gdz-otvety.com: could not connect to host
+gdz.tv: could not connect to host
 gear-acquisition-syndrome.community: could not connect to host
 gearseo.com.br: did not receive HSTS header
 geaskb.nl: could not connect to host
@@ -6802,10 +7053,12 @@ geass.xyz: could not connect to host
 geblitzt.de: did not receive HSTS header
 gedankenbude.info: could not connect to host
 gedankenworks.com: could not connect to host
+geek.ch: could not connect to host
+geek1.de: did not receive HSTS header
 geekbaba.com: could not connect to host
 geekcast.co.uk: could not connect to host
 geekchimp.com: could not connect to host
-geekdt.com: did not receive HSTS header
+geekdt.com: could not connect to host
 geekmind.org: max-age too low: 172800
 geeks.berlin: could not connect to host
 geeks.lgbt: could not connect to host
@@ -6817,17 +7070,18 @@ geemo.top: could not connect to host
 gehrke.nrw: could not connect to host
 geigr.de: could not connect to host
 geiser.io: did not receive HSTS header
+gekosoft.eu: could not connect to host
 geldteveel.eu: could not connect to host
 geli-graphics.com: did not receive HSTS header
-gem-info.fr: could not connect to host
 gemeinfreie-lieder.de: did not receive HSTS header
 gemsoftheworld.org: could not connect to host
 gemuplay.com: could not connect to host
+genbright.com: could not connect to host
 genemesservwparts.com: could not connect to host
 general-insurance.tk: could not connect to host
 generalpants.com.au: did not receive HSTS header
 generationnext.pl: could not connect to host
-genesischangelog.com: could not connect to host
+genesischangelog.com: did not receive HSTS header
 geneve.guide: could not connect to host
 genia-life.de: could not connect to host
 genie-seiner-generation.de: did not receive HSTS header
@@ -6838,6 +7092,7 @@ genshiken.org: could not connect to host
 gensokyo.chat: could not connect to host
 genuu.com: did not receive HSTS header
 genuxation.com: could not connect to host
+genuxtsg.com: did not receive HSTS header
 genxbeats.com: could not connect to host
 genxnotes.com: could not connect to host
 genyaa.com: could not connect to host
@@ -6848,6 +7103,7 @@ geoffdev.com: could not connect to host
 geoffmyers.com: did not receive HSTS header
 geoffreyrichard.com: did not receive HSTS header
 geopals.net: did not receive HSTS header
+georgehalachev.com: did not receive HSTS header
 georgeperez.me: could not connect to host
 georgesonarthurs.com.au: did not receive HSTS header
 gepe.ch: did not receive HSTS header
@@ -6855,6 +7111,7 @@ gereja.ga: max-age too low: 1209600
 gerencianet.com.br: did not receive HSTS header
 gereon.ch: could not connect to host
 geri.be: could not connect to host
+germancraft.net: could not connect to host
 germansoldiers.net: could not connect to host
 gers-authentique.com: could not connect to host
 gerum.dynv6.net: did not receive HSTS header
@@ -6874,6 +7131,7 @@ getcarina.com: could not connect to host
 getcleartouch.com: did not receive HSTS header
 getcolor.com: did not receive HSTS header
 getdigitized.net: could not connect to host
+geteduroam.no: could not connect to host
 getenergized2018.kpn: could not connect to host
 getfestify.com: did not receive HSTS header
 getfilterlive.org: could not connect to host
@@ -6892,6 +7150,7 @@ getgeek.se: did not receive HSTS header
 getinternet.de: did not receive HSTS header
 getkai.co.nz: did not receive HSTS header
 getlantern.org: did not receive HSTS header
+getleanflorida.gov: could not connect to host
 getlifti.com: could not connect to host
 getlittleapps.com: could not connect to host
 getlolaccount.com: did not receive HSTS header
@@ -6942,13 +7201,16 @@ ghowell.io: could not connect to host
 gianlucapartengo.photography: did not receive HSTS header
 giant-powerfit.co.uk: did not receive HSTS header
 gibraltar-firma.com: did not receive HSTS header
+gibraltar.at: could not connect to host
+gicl.dk: could not connect to host
 giddyaunt.net: could not connect to host
 gidea.nu: could not connect to host
 giduv.com: did not receive HSTS header
 giegler.software: could not connect to host
 giftbg.org: did not receive HSTS header
+giftedconsortium.com: could not connect to host
 giftgofers.com: max-age too low: 2592000
-giftservices.nl: did not receive HSTS header
+giftservices.nl: could not connect to host
 gifzilla.net: could not connect to host
 gigacloud.org: could not connect to host
 gigawattz.com: did not receive HSTS header
@@ -6959,6 +7221,7 @@ gilescountytn.gov: did not receive HSTS header
 gilgaz.com: did not receive HSTS header
 gillet-cros.fr: could not connect to host
 gilly.berlin: did not receive HSTS header
+gilpinmanagement.com: did not receive HSTS header
 gilpinrealty.com: did not receive HSTS header
 gilroywestwood.org: did not receive HSTS header
 gincher.net: did not receive HSTS header
@@ -6966,6 +7229,7 @@ gingali.de: did not receive HSTS header
 ginie.de: did not receive HSTS header
 ginijony.com: did not receive HSTS header
 ginkel.com: did not receive HSTS header
+ginnegappen.nl: could not connect to host
 gintenreiter-photography.com: did not receive HSTS header
 giochistem.it: could not connect to host
 giogadesign.com: did not receive HSTS header
@@ -6973,6 +7237,7 @@ gip-carif-idf.net: could not connect to host
 gip-carif-idf.org: could not connect to host
 gipsamsfashion.com: could not connect to host
 gipsic.com: did not receive HSTS header
+giraffeinflatables.co.uk: did not receive HSTS header
 girlsgonesporty.com: could not connect to host
 girlsnet.work: could not connect to host
 gis3m.org: did not receive HSTS header
@@ -6986,13 +7251,17 @@ github.party: did not receive HSTS header
 givemyanswer.com: could not connect to host
 giverang.biz: could not connect to host
 giverang.com: could not connect to host
+givip.eu: could not connect to host
 gix.net.pl: could not connect to host
 gixtools.co.uk: could not connect to host
 gixtools.uk: could not connect to host
 gizmo.ovh: could not connect to host
 gizzo.sk: could not connect to host
+gkimanyar.org: did not receive HSTS header
 glabiatoren-kst.de: could not connect to host
 gladystudio.com: did not receive HSTS header
+glahcks.com: could not connect to host
+glaspe.com: could not connect to host
 glass.google.com: did not receive HSTS header (error ignored - included regardless)
 glasslikes.com: did not receive HSTS header
 glbg.eu: did not receive HSTS header
@@ -7005,6 +7274,7 @@ glicerina.online: could not connect to host
 glittersjabloon.nl: did not receive HSTS header
 glitzmirror.com: could not connect to host
 glnpo.gov: could not connect to host
+global.hr: could not connect to host
 globalado.com: could not connect to host
 globalbridge-japan.com: did not receive HSTS header
 globalelite.black: did not receive HSTS header
@@ -7015,7 +7285,7 @@ globalinstitutefortraining.org.au: did not receive HSTS header
 globalittech.com: could not connect to host
 globalmoneyapp.com: could not connect to host
 globalmusic.ga: could not connect to host
-globalnewsdaily.cf: could not connect to host
+globalnewsdaily.cf: did not receive HSTS header
 globalnomadvintage.com: could not connect to host
 globalperspectivescanada.com: could not connect to host
 globalsites.nl: did not receive HSTS header
@@ -7028,7 +7298,6 @@ gloomyspark.com: could not connect to host
 glotter.com: did not receive HSTS header
 gloucesterphotographer.com: did not receive HSTS header
 glubbforum.de: did not receive HSTS header
-gluecksgriff-taschen.de: could not connect to host
 glutenfreiheit.at: could not connect to host
 glws.org: did not receive HSTS header
 gm-assicurazioni.it: could not connect to host
@@ -7041,7 +7310,6 @@ gmplab.com: did not receive HSTS header
 gnaptracker.tk: could not connect to host
 gnom.me: could not connect to host
 gnosticjade.net: did not receive HSTS header
-gnwp.eu: could not connect to host
 gnylf.com: could not connect to host
 go.ax: did not receive HSTS header
 go2sh.de: did not receive HSTS header
@@ -7062,6 +7330,7 @@ godbo9.cc: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_
 godbo9.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 godbo9.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 godesb.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+godofnea.com: could not connect to host
 godrealms.com: could not connect to host
 godruoyi.com: did not receive HSTS header
 goedeke.ml: could not connect to host
@@ -7113,7 +7382,6 @@ goozz.nl: did not receive HSTS header
 gopay.cz: did not receive HSTS header
 gopokego.cz: could not connect to host
 goranrango.ch: could not connect to host
-gordonobrecht.com: did not receive HSTS header
 gorgiaxx.com: could not connect to host
 gorilla-gym.site: could not connect to host
 gorillow.com: could not connect to host
@@ -7128,29 +7396,29 @@ gotobrno.cz: did not receive HSTS header
 gotocloud.ru: could not connect to host
 gotowned.org: could not connect to host
 gotspot.com: could not connect to host
-gottfridsberg.org: could not connect to host
 gottfriedfeyen.com: did not receive HSTS header
 goubi.me: did not receive HSTS header
 goujianwen.com: did not receive HSTS header
 goukon.ru: could not connect to host
 gourmettia.com: did not receive HSTS header
-gouthro-goteborg.se: could not connect to host
+gouthro-goteborg.se: did not receive HSTS header
 gouv.ovh: did not receive HSTS header
 gov.ax: could not connect to host
 goverage.org: could not connect to host
 govillemo.ca: did not receive HSTS header
-govtjobs.blog: could not connect to host
 gowin9.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 gowin9.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 gozadentro.com: could not connect to host
 gozel.com.tr: did not receive HSTS header
 gpalabs.com: could not connect to host
 gparent.org: did not receive HSTS header
+gpfclan.de: could not connect to host
 gpga.cf: could not connect to host
 gplintegratedit.com: could not connect to host
 gpo.gov: did not receive HSTS header
 gps.com.br: could not connect to host
 gpsarena.ro: could not connect to host
+gpsfix.cz: could not connect to host
 gpstuner.com: did not receive HSTS header
 graavaapi.elasticbeanstalk.com: could not connect to host
 grabi.ga: could not connect to host
@@ -7158,8 +7426,8 @@ gracechurchpc.net: could not connect to host
 graceful-project.eu: did not receive HSTS header
 gracesofgrief.com: could not connect to host
 grachtenpandverkopen.nl: could not connect to host
-grademymac.com: did not receive HSTS header
-grademypc.com: did not receive HSTS header
+grademymac.com: could not connect to host
+grademypc.com: could not connect to host
 gradenotify.com: could not connect to host
 grads360.org: could not connect to host
 gradsm-ci.net: could not connect to host
@@ -7194,20 +7462,24 @@ greatfire.kr: could not connect to host
 greatideahub.com: did not receive HSTS header
 greatlengthshairextensionssalon.com: did not receive HSTS header
 greatnet.de: did not receive HSTS header
-greatsong.net: did not receive HSTS header
-greedbutt.com: could not connect to host
+greatsong.net: max-age too low: 2592000
+greedbutt.com: max-age too low: 2592000
 green-light.cf: could not connect to host
 green-light.ga: could not connect to host
 green-light.gq: could not connect to host
 green-light.ml: could not connect to host
+greenbaysecuritysolutions.com: did not receive HSTS header
 greencardtalent.com: could not connect to host
 greenconn.ca: could not connect to host
+greendroid.de: did not receive HSTS header
 greenenergysolution.uk: did not receive HSTS header
 greenesting.ch: could not connect to host
 greenesting.com: could not connect to host
+greenglam.biz: did not receive HSTS header
+greengoblindev.com: could not connect to host
 greengov.gov: could not connect to host
 greenhillantiques.co.uk: did not receive HSTS header
-greenitpark.net: could not connect to host
+greenitpark.net: did not receive HSTS header
 greensolid.biz: could not connect to host
 greenville.ag: did not receive HSTS header
 greenvines.com.tw: did not receive HSTS header
@@ -7215,8 +7487,6 @@ greenvpn.ltd: could not connect to host
 greenvpn.pro: did not receive HSTS header
 greggsfoundation.org.uk: could not connect to host
 gregmartyn.com: could not connect to host
-gregmarziomedia.co.za: did not receive HSTS header
-gregmilton.com: could not connect to host
 gregmilton.org: could not connect to host
 gregorytlee.me: could not connect to host
 grekland.guide: could not connect to host
@@ -7228,12 +7498,12 @@ grettogeek.com: did not receive HSTS header
 greuel.online: could not connect to host
 greve.xyz: could not connect to host
 grevesgarten.de: could not connect to host
-greybeards.ca: could not connect to host
 greyline.se: could not connect to host
 grian-bam.at: did not receive HSTS header
 gribani.com: could not connect to host
 grid2osm.org: could not connect to host
 gridle.io: did not receive HSTS header
+griecopelino.com: did not receive HSTS header
 grifomarchetti.com: did not receive HSTS header
 grigalanzsoftware.com: could not connect to host
 grillinfools.com: did not receive HSTS header
@@ -7279,6 +7549,7 @@ gtdgo.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_
 gtech.work: did not receive HSTS header
 gtldna.com: could not connect to host
 gtraxapp.com: could not connect to host
+gts-dp.de: did not receive HSTS header
 gts-schulsoftware.de: did not receive HSTS header
 gtts.space: did not receive HSTS header
 guarajubaimoveis.com.br: did not receive HSTS header
@@ -7312,6 +7583,7 @@ gulitsky.me: could not connect to host
 gulleyperformancecenter.com: did not receive HSTS header
 gulshankumar.net: did not receive HSTS header
 gumannp.de: did not receive HSTS header
+gumballs.com: did not receive HSTS header
 gummibande.noip.me: could not connect to host
 gunhunter.com: could not connect to host
 guniram.com: did not receive HSTS header
@@ -7365,21 +7637,27 @@ h3x.jp: could not connect to host
 haarkliniek.com: did not receive HSTS header
 habbixed.tk: could not connect to host
 habbo.life: could not connect to host
+habbos.es: could not connect to host
 habbotalk.nl: could not connect to host
 habeo.si: could not connect to host
 hablemosdetecnologia.com.ve: could not connect to host
+habtium.com: could not connect to host
 hac30.com: could not connect to host
+hack.club: could not connect to host
 hack.cz: could not connect to host
 hack.li: could not connect to host
 hackbubble.me: could not connect to host
+hacker.club: could not connect to host
 hacker.deals: could not connect to host
 hacker8.cn: could not connect to host
 hackercat.ninja: max-age too low: 2592000
+hackerco.com: did not receive HSTS header
 hackerforever.com: did not receive HSTS header
 hackerlite.xyz: max-age too low: 0
 hackerone-ext-adroll.com: could not connect to host
 hackerpoints.com: did not receive HSTS header
 hackerspace-ntnu.no: did not receive HSTS header
+hackerstxt.org: could not connect to host
 hackest.org: did not receive HSTS header
 hackingsafe.com: could not connect to host
 hackit.im: could not connect to host
@@ -7389,7 +7667,7 @@ hacksnack.io: could not connect to host
 hackyourfaceoff.com: could not connect to host
 hackzogtum-coburg.de: did not receive HSTS header
 hadaf.pro: could not connect to host
-hadret.com: could not connect to host
+hadret.com: did not receive HSTS header
 hadret.sh: could not connect to host
 hadzic.co: could not connect to host
 haeckdesign.com: did not receive HSTS header
@@ -7399,6 +7677,7 @@ haemmerle.net: [Exception... "Component returned failure code: 0x80004005 (NS_ER
 haf.gr: could not connect to host
 hafoda.com: did not receive HSTS header
 hahayidu.org: could not connect to host
+haidihai.ro: did not receive HSTS header
 hail2u.net: did not receive HSTS header
 hainoni.com: did not receive HSTS header
 hairlossstop.net: could not connect to host
@@ -7416,8 +7695,8 @@ hal-9th.space: could not connect to host
 halcyonsbastion.com: could not connect to host
 half-logic.eu.org: could not connect to host
 halfwaythere.eu: could not connect to host
-halletienne.fr: could not connect to host
-halloweenthings.website: did not receive HSTS header
+halledesprix.fr: did not receive HSTS header
+halloweenthings.website: could not connect to host
 halo.red: could not connect to host
 halta.info: did not receive HSTS header
 halyul.cc: did not receive HSTS header
@@ -7474,6 +7753,7 @@ happytiger.eu: could not connect to host
 hapsfordmill.co.uk: could not connect to host
 hapvm.com: could not connect to host
 haqaza.com.br: did not receive HSTS header
+harald-pfeiffer.de: could not connect to host
 harambe.site: could not connect to host
 harbourweb.net: did not receive HSTS header
 hardline.xyz: could not connect to host
@@ -7486,6 +7766,7 @@ harlentimberproducts.co.uk: did not receive HSTS header
 harmonycosmetic.com: max-age too low: 300
 harrisonsdirect.co.uk: did not receive HSTS header
 harristony.com: could not connect to host
+harry-baker.com: could not connect to host
 harryharrison.co: did not receive HSTS header
 harrypottereditor.com: could not connect to host
 harrypottereditor.net: could not connect to host
@@ -7533,7 +7814,7 @@ haze-productions.com: could not connect to host
 haze.network: did not receive HSTS header
 haze.sucks: could not connect to host
 hazeltime.com: could not connect to host
-hazloconlapix.com: could not connect to host
+hazeltime.se: did not receive HSTS header
 hazyrom.net: could not connect to host
 hb1111.com: could not connect to host
 hb3333.com: could not connect to host
@@ -7553,9 +7834,8 @@ hcfhomelottery.ca: did not receive HSTS header
 hcoe.fi: did not receive HSTS header
 hcr.io: did not receive HSTS header
 hcs-company.com: did not receive HSTS header
-hcs-company.nl: did not receive HSTS header
+hcs-company.nl: could not connect to host
 hcstr.com: did not receive HSTS header
-hd1tj.org: did not receive HSTS header
 hda.me: did not receive HSTS header
 hdm.io: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 hdrboundless.com: could not connect to host
@@ -7568,40 +7848,43 @@ hdwallpapers.net: could not connect to host
 hdy.nz: could not connect to host
 head-shop.lt: could not connect to host
 head-shop.lv: could not connect to host
-head.org: could not connect to host
 headmates.xyz: could not connect to host
 health-match.com.au: could not connect to host
+health.gov: could not connect to host
 healthcare6.com: did not receive HSTS header
+healthfinder.gov: could not connect to host
 healthjoy.com: did not receive HSTS header
 healthlabs.com: did not receive HSTS header
 healthmatchapp.com: could not connect to host
 healthyandnaturalliving.com: could not connect to host
 healthycod.in: could not connect to host
-healtious.com: did not receive HSTS header
+healtious.com: could not connect to host
 hearingshofar.com: could not connect to host
 heart.ge: could not connect to host
-heart.taxi: max-age too low: 0
 heartlandrentals.com: did not receive HSTS header
 hearty.cf: did not receive HSTS header
 hearty.ink: could not connect to host
 hearty.space: could not connect to host
 hearty.tech: could not connect to host
+hearty.us: could not connect to host
 heartyapp.com: could not connect to host
 heartyme.net: could not connect to host
 heathmanners.com: could not connect to host
 heavenlyseals.com: could not connect to host
 heavenlysmokenc.com: could not connect to host
 heavystresser.com: could not connect to host
+heayao.com: could not connect to host
 hebaus.com: could not connect to host
 heberut.gov: did not receive HSTS header
 hebriff.com: could not connect to host
+hechamano.es: did not receive HSTS header
 hectorj.net: could not connect to host
 hedweb.com: could not connect to host
 heeler.blue: could not connect to host
 heeler.red: could not connect to host
 heidilein.info: did not receive HSTS header
 heimnetze.org: could not connect to host
-heisenberg.co: could not connect to host
+hejahanif.se: could not connect to host
 hejsupport.se: could not connect to host
 hekeki.com: could not connect to host
 hele.cz: could not connect to host
@@ -7611,6 +7894,7 @@ helgakristoffer.wedding: could not connect to host
 helicaldash.com: could not connect to host
 helixflight.com: did not receive HSTS header
 hellenicaward.com: did not receive HSTS header
+hellerup.net: could not connect to host
 hello-nestor.com: did not receive HSTS header
 helloanselm.com: did not receive HSTS header
 hellofilters.com: could not connect to host
@@ -7632,12 +7916,12 @@ helpium.de: did not receive HSTS header
 helpmebuild.com: did not receive HSTS header
 helppresta.com: did not receive HSTS header
 helpverif.com: did not receive HSTS header
-helpwithmybank.gov: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 helsingfors.guide: could not connect to host
 helup.com: did not receive HSTS header
 hemlockhillscabinrentals.com: did not receive HSTS header
 hencagon.com: could not connect to host
 hendersonrealestatepros.com: did not receive HSTS header
+hendyisaac.com: did not receive HSTS header
 henhenlu.com: could not connect to host
 henkbrink.com: did not receive HSTS header
 henningkerstan.org: did not receive HSTS header
@@ -7648,25 +7932,25 @@ hentaimaster.net: could not connect to host
 hentaiz.net: could not connect to host
 hepteract.us: could not connect to host
 heptner24.de: could not connect to host
+heracles-hotel.eu: did not receive HSTS header
 herbal-id.com: did not receive HSTS header
 herbandpat.org: could not connect to host
 herbertmouwen.nl: could not connect to host
 here.ml: could not connect to host
-here4funpartysolutions.ie: did not receive HSTS header
+here4funpartysolutions.ie: could not connect to host
 heribe-maruo.com: did not receive HSTS header
 heritagedentistry.ca: did not receive HSTS header
 hermann.in: could not connect to host
 hermes-servizi.it: could not connect to host
+hermes.cat: could not connect to host
 heroin.org.uk: could not connect to host
 herpaderp.net: could not connect to host
 herr-webdesign.de: could not connect to host
 herramientasbazarot.com: did not receive HSTS header
 herrenfahrt.com: did not receive HSTS header
 herrtxbias.org: could not connect to host
-hethely.ch: did not receive HSTS header
 hetmeisjeachterpauw.nl: could not connect to host
 hetmer.com: did not receive HSTS header
-hetmer.cz: did not receive HSTS header
 hetmer.net: did not receive HSTS header
 hetzflix.stream: did not receive HSTS header
 heutger.net: did not receive HSTS header
@@ -7675,7 +7959,7 @@ hex.bz: could not connect to host
 hex2013.com: did not receive HSTS header
 hexacon.io: could not connect to host
 hexadecimal.tech: could not connect to host
-hexe.net: did not receive HSTS header
+hexe.net: could not connect to host
 hexhu.com: could not connect to host
 hexieshe.com: could not connect to host
 hexobind.com: could not connect to host
@@ -7708,9 +7992,10 @@ hig.gov: could not connect to host
 highgrove.org.uk: could not connect to host
 highland-webcams.com: could not connect to host
 highlandparkcog.org: did not receive HSTS header
+highlatitudestravel.com: did not receive HSTS header
 highperformancehvac.com: did not receive HSTS header
 highseer.com: did not receive HSTS header
-highspeedinternetservices.ca: could not connect to host
+highspeedinternetservices.ca: did not receive HSTS header
 highsurf-miyazaki.com: could not connect to host
 hightechgadgets.net: could not connect to host
 hightimes.com: could not connect to host
@@ -7742,9 +8027,9 @@ hiojbk.com: did not receive HSTS header
 hipercultura.com: did not receive HSTS header
 hiphopconvention.nl: could not connect to host
 hipi.jp: could not connect to host
-hipnos.net: did not receive HSTS header
 hipnoseinstitute.org: did not receive HSTS header
-hiraku.me: did not receive HSTS header
+hiqfleet.co.uk: did not receive HSTS header
+hiraku.me: could not connect to host
 hirefitness.co.uk: did not receive HSTS header
 hireprofs.com: could not connect to host
 hiresuccessstaffing.com: did not receive HSTS header
@@ -7753,7 +8038,6 @@ hirevets.gov: did not receive HSTS header
 hirokilog.com: could not connect to host
 hirte-digital.de: did not receive HSTS header
 hisingenrunt.se: did not receive HSTS header
-hisnet.de: could not connect to host
 histoire-theatre.com: did not receive HSTS header
 history.pe: could not connect to host
 hitchunion.org: could not connect to host
@@ -7766,13 +8050,15 @@ hjf-immobilien.de: did not receive HSTS header
 hjkhs.cn: did not receive HSTS header
 hknet.at: did not receive HSTS header
 hlacosedora.com: max-age too low: 7889238
+hloe0xff.ru: could not connect to host
 hlpublicidad.com: could not connect to host
 hlyue.com: did not receive HSTS header
 hm1ch.com: could not connect to host
 hm1ch.ovh: could not connect to host
 hmksq.ae: max-age too low: 7776000
 hmm.nyc: could not connect to host
-hoast.xyz: could not connect to host
+hnwebi.com: did not receive HSTS header
+hoast.xyz: did not receive HSTS header
 hobaugh.social: could not connect to host
 hobby-gamerz-community.de: did not receive HSTS header
 hocassian.cn: did not receive HSTS header
@@ -7786,6 +8072,7 @@ hoerbuecher-und-hoerspiele.de: could not connect to host
 hoffens.se: could not connect to host
 hofiprojekt.cz: did not receive HSTS header
 hogar123.es: could not connect to host
+hohm.in: could not connect to host
 hoiku-map.tokyo: could not connect to host
 hoiku-navi.com: did not receive HSTS header
 hokepon.com: did not receive HSTS header
@@ -7800,7 +8087,6 @@ hollandguns.com: did not receive HSTS header
 hollerau.de: could not connect to host
 holowaty.me: could not connect to host
 holstphoto.com: max-age too low: 2592000
-holy-hi.com: did not receive HSTS header
 holymoly.lu: could not connect to host
 holymolycasinos.com: did not receive HSTS header
 homa.website: could not connect to host
@@ -7810,7 +8096,7 @@ home-coaching.be: did not receive HSTS header
 home-craft.de: could not connect to host
 home-insurance-quotes.tk: could not connect to host
 home-v.ind.in: could not connect to host
-home-work-jobs.com: did not receive HSTS header
+home-work-jobs.com: could not connect to host
 homeandyarddetailing.com: could not connect to host
 homecarpetcleaning.co.uk: could not connect to host
 homeclouding.de: could not connect to host
@@ -7823,7 +8109,7 @@ homeownersassociationmanagementla.com: could not connect to host
 homeremodelingcontractorsca.com: did not receive HSTS header
 homesandal.com: did not receive HSTS header
 homeseller.co.uk: could not connect to host
-homesfordinner.ca: could not connect to host
+homesfordinner.ca: did not receive HSTS header
 homeyantra.com: did not receive HSTS header
 homezhi.com.tw: could not connect to host
 homoglyph.net: could not connect to host
@@ -7860,6 +8146,7 @@ horvathtom.com: could not connect to host
 horvatnyelvkonyv.hu: could not connect to host
 host.black: could not connect to host
 hostam.link: could not connect to host
+hostcoz.com: did not receive HSTS header
 hosted-oswa.org: did not receive HSTS header
 hostedbgp.net: did not receive HSTS header
 hostedtalkgadget.google.com: did not receive HSTS header (error ignored - included regardless)
@@ -7879,6 +8166,7 @@ hotchoc.io: could not connect to host
 hotel-huberhof.at: did not receive HSTS header
 hotel-tongruben.de: max-age too low: 0
 hotelaustria-wien.at: did not receive HSTS header
+hotello.io: could not connect to host
 hotelmadhuwanvihar.com: could not connect to host
 hotelvictoriaoax-mailing.com: could not connect to host
 hotelvillahermosa-mailing.com: could not connect to host
@@ -7917,11 +8205,11 @@ hqq.tv: could not connect to host
 hr-intranet.com: could not connect to host
 hr-tech.store: could not connect to host
 hr98.tk: could not connect to host
-hr98.xyz: did not receive HSTS header
+hr98.xyz: could not connect to host
 hrackydomino.cz: did not receive HSTS header
 hrfhomelottery.com: did not receive HSTS header
 hrjfeedstock.com: did not receive HSTS header
-hrk.io: did not receive HSTS header
+hrk.io: could not connect to host
 hrtech.store: could not connect to host
 hrtraining.com.au: did not receive HSTS header
 hru.gov: could not connect to host
@@ -7934,6 +8222,7 @@ hsts-preload-test.xyz: could not connect to host
 hsts.com.br: could not connect to host
 hsts.date: could not connect to host
 hstspreload.me: could not connect to host
+hsulei.com: could not connect to host
 hszhyy120.com: could not connect to host
 htlball.at: could not connect to host
 html-lab.tk: could not connect to host
@@ -7948,10 +8237,8 @@ hua-in.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR
 hua-in.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 hua-li88.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 hua-li88.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-huang.nu: could not connect to host
+huang-haitao.com: could not connect to host
 huangguancq.com: could not connect to host
-huangh.com: could not connect to host
-huangliangbo.com: did not receive HSTS header
 huangting.me: did not receive HSTS header
 huangzenghao.com: could not connect to host
 huarongdao.com: did not receive HSTS header
@@ -7979,12 +8266,13 @@ humortuga.pt: did not receive HSTS header
 hump.dk: could not connect to host
 humpi.at: could not connect to host
 humpteedumptee.in: did not receive HSTS header
+huniverse.co: could not connect to host
 hunqz.com: could not connect to host
 hunterjohnson.io: could not connect to host
 huodongweb.com: could not connect to host
 huoduan.com: did not receive HSTS header
 huongquynh.com: could not connect to host
-hup.blue: did not receive HSTS header
+hup.blue: could not connect to host
 hurleyhomestead.com: could not connect to host
 hurricanelabs.com: did not receive HSTS header
 huskybutt.dog: could not connect to host
@@ -7994,6 +8282,7 @@ hustle.life: did not receive HSTS header
 huwjones.me: could not connect to host
 huzu.com: did not receive HSTS header
 huzurmetal.net: could not connect to host
+hveradistributions.com: could not connect to host
 hwcine.com: could not connect to host
 hwinfo.com: did not receive HSTS header
 hwpkasse.de: max-age too low: 2592000
@@ -8009,7 +8298,7 @@ hydra.zone: could not connect to host
 hydrabit.nl: did not receive HSTS header
 hydrante.ch: could not connect to host
 hydrocloud.net: could not connect to host
-hydrodipcenter.nl: did not receive HSTS header
+hydrodipcenter.nl: could not connect to host
 hydronium.cf: could not connect to host
 hydronium.ga: could not connect to host
 hydronium.me: could not connect to host
@@ -8023,17 +8312,15 @@ hymerscollege.co.uk: max-age too low: 43200
 hypa.net.au: did not receive HSTS header
 hyper-matrix.org: could not connect to host
 hyper69.com: could not connect to host
-hyperactive.am: could not connect to host
 hyperporn.net: could not connect to host
 hyperreal.info: could not connect to host
 hypnoresults.com.au: did not receive HSTS header
-hypnos.hu: could not connect to host
+hypnos.hu: did not receive HSTS header
 hypotheques24.ch: could not connect to host
 hysg.me: could not connect to host
-hysh.jp: could not connect to host
+hytzongxuan.com: did not receive HSTS header
 hyvive.com: could not connect to host
 hzh.pub: did not receive HSTS header
-i--b.com: did not receive HSTS header
 i-jp.net: could not connect to host
 i-partners.sk: could not connect to host
 i-rickroll-n.pw: could not connect to host
@@ -8047,7 +8334,9 @@ i9multiequipamentos.com.br: did not receive HSTS header
 ia1000.com: could not connect to host
 iadttaveras.com: could not connect to host
 iain.tech: did not receive HSTS header
+iamlbk.com: could not connect to host
 iamlizu.com: did not receive HSTS header
+iamlzh.com: did not receive HSTS header
 iamokay.nl: did not receive HSTS header
 iamreubin.co.uk: did not receive HSTS header
 iamsoareyou.se: could not connect to host
@@ -8060,26 +8349,27 @@ ibarf.nl: did not receive HSTS header
 ibase.com: did not receive HSTS header
 ibenchu.com: did not receive HSTS header
 ibestreview.com: did not receive HSTS header
+ibiu.xyz: did not receive HSTS header
 ibizatopcharter.com: did not receive HSTS header
 ibna.online: could not connect to host
 ibnuwebhost.com: could not connect to host
 ibnw.de: did not receive HSTS header
 ibox.ovh: did not receive HSTS header
 ibpegasus.tk: could not connect to host
-ibps.blog: could not connect to host
+ibps.blog: did not receive HSTS header
 ibpsrecruitment.co.in: could not connect to host
 ibron.co: could not connect to host
 ibsafrica.co.za: could not connect to host
 ibsglobal.co.za: could not connect to host
 icabanken.se: did not receive HSTS header
 icaforsakring.se: did not receive HSTS header
-icake.life: could not connect to host
+icake.life: did not receive HSTS header
 icasnetwork.com: did not receive HSTS header
+icbemp.gov: could not connect to host
 ice.yt: could not connect to host
 icebat.dyndns.org: could not connect to host
 icebound.cc: did not receive HSTS header
 icebound.win: could not connect to host
-icedream.tech: could not connect to host
 iceiu.com: could not connect to host
 iceloch.com: could not connect to host
 icepink.com.br: could not connect to host
@@ -8087,7 +8377,7 @@ icewoman.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERR
 icfl.com.br: could not connect to host
 ich-find-den-g.net: could not connect to host
 ich-mach-druck.eu: did not receive HSTS header
-ichasco.com: could not connect to host
+ichasco.com: did not receive HSTS header
 ichnichtskaufmann.de: could not connect to host
 ichoosebtec.com: did not receive HSTS header
 ichronos.net: did not receive HSTS header
@@ -8109,7 +8399,6 @@ icusignature.com: could not connect to host
 icys2017.com: did not receive HSTS header
 id-co.in: could not connect to host
 id-conf.com: did not receive HSTS header
-idafauziyah.com: could not connect to host
 idblab.tk: could not connect to host
 idc.yn.cn: could not connect to host
 idcrane.com: could not connect to host
@@ -8130,16 +8419,16 @@ idemo.in: could not connect to host
 identity-hash.online: could not connect to host
 identitylabs.uk: could not connect to host
 identitysandbox.gov: could not connect to host
-idgsupply.com: could not connect to host
+idgsupply.com: did not receive HSTS header
 idinby.dk: did not receive HSTS header
-idiopolis.org: could not connect to host
+idiopolis.org: did not receive HSTS header
 idisplay.es: could not connect to host
 idlekernel.com: could not connect to host
 idol-bikes.ru: could not connect to host
-idolish7.fun: did not receive HSTS header
 idontexist.me: could not connect to host
 idsafe.co.za: could not connect to host
 idsoccer.com: did not receive HSTS header
+idvl.de: could not connect to host
 iec.pe: could not connect to host
 iemas.azurewebsites.net: did not receive HSTS header
 iemb.cf: could not connect to host
@@ -8165,15 +8454,15 @@ ifxor.com: could not connect to host
 igamingforums.com: could not connect to host
 igaryhe.io: did not receive HSTS header
 igd.chat: could not connect to host
-igforums.com: could not connect to host
-igi.codes: did not receive HSTS header
+igforums.com: did not receive HSTS header
+igi.codes: could not connect to host
 igiftcards.nl: did not receive HSTS header
 ignatisd.gr: did not receive HSTS header
 igule.net: could not connect to host
 iha6.com: could not connect to host
+ihatethissh.it: could not connect to host
 ihc.im: did not receive HSTS header
 ihcr.top: did not receive HSTS header
-ihls.world: could not connect to host
 ihls.xyz: did not receive HSTS header
 ihongzu.com: could not connect to host
 ihrlotto.de: could not connect to host
@@ -8187,15 +8476,18 @@ iilin.com: did not receive HSTS header
 iispeed.com: did not receive HSTS header
 ijn-dd.nl: could not connect to host
 ijoda.com: could not connect to host
+ijr.com: did not receive HSTS header
 ike.io: did not receive HSTS header
 ikenmeyer.com: could not connect to host
 ikenmeyer.eu: could not connect to host
 ikocik.sk: could not connect to host
 ikon.name: could not connect to host
 ikudo.top: could not connect to host
+ikuuuu.com: could not connect to host
 ikwilguidobellen.nl: could not connect to host
 ikzoekeengoedkopeauto.nl: could not connect to host
 ikzoekjeugdhulp.nl: did not receive HSTS header
+ilazycat.com: could not connect to host
 ilbuongiorno.it: did not receive HSTS header
 ildomani.it: did not receive HSTS header
 ileat.com: could not connect to host
@@ -8203,7 +8495,7 @@ ilgi.work: could not connect to host
 ilii.me: could not connect to host
 ilikerainbows.co: did not receive HSTS header
 ilikerainbows.co.uk: could not connect to host
-ilikfreshweedstores.com: did not receive HSTS header
+ilikfreshweedstores.com: could not connect to host
 ilmconpm.de: could not connect to host
 iloilofit.org: did not receive HSTS header
 ilona.graphics: did not receive HSTS header
@@ -8214,6 +8506,7 @@ imadalin.ro: could not connect to host
 image.tf: could not connect to host
 imagecurl.com: could not connect to host
 imagecurl.org: could not connect to host
+imagenesdedibujosalapizfacilesdehacer.com: could not connect to host
 imaginarymakings.me: could not connect to host
 imakepoems.net: could not connect to host
 imanhearts.com: max-age too low: 0
@@ -8263,16 +8556,18 @@ imoner.com: could not connect to host
 imoner.ga: could not connect to host
 imoni-blog.net: could not connect to host
 imoto.me: could not connect to host
+imperdin.com: could not connect to host
 imperdintechnologies.com: could not connect to host
 imperialonlinestore.com: did not receive HSTS header
 imperialwebsolutions.com: did not receive HSTS header
-imperiodigital.online: did not receive HSTS header
 imprenta-es.com: did not receive HSTS header
 improvingwp.com: could not connect to host
 impulse-clan.de: could not connect to host
 imu.li: did not receive HSTS header
 imusic.dk: did not receive HSTS header
 imy.life: did not receive HSTS header
+imydl.com: could not connect to host
+imyjy.cn: could not connect to host
 inandeyes.com: did not receive HSTS header
 inb4.us: could not connect to host
 inbox.li: did not receive HSTS header
@@ -8288,18 +8583,22 @@ indexyz.me: could not connect to host
 indiawise.co.uk: could not connect to host
 indiecert.net: did not receive HSTS header
 indieethos.com: did not receive HSTS header
-indiemods.com: could not connect to host
+indiemods.com: did not receive HSTS header
 indien.guide: could not connect to host
 indilens.com: did not receive HSTS header
 indiraactive.com: could not connect to host
 indiroyunu.com: did not receive HSTS header
+indochina.io: could not connect to host
 indogerman.de: did not receive HSTS header
 indogermantrade.de: could not connect to host
+indoorplantsexpert.com: could not connect to host
 indoorskiassen.nl: did not receive HSTS header
 indostar303.com: did not receive HSTS header
 indredouglas.me: could not connect to host
+indusfastremit.com: could not connect to host
 industreiler.com: could not connect to host
 industreiler.com.br: could not connect to host
+industriasrenova.com: could not connect to host
 industrybazar.com: did not receive HSTS header
 ineed.com.mt: could not connect to host
 inetpub.cn: could not connect to host
@@ -8325,9 +8624,9 @@ info-bay.com: could not connect to host
 info-sys.tk: could not connect to host
 infoamin.com: did not receive HSTS header
 infocoin.es: did not receive HSTS header
+infopagina.es: could not connect to host
 inforichjapan.com: did not receive HSTS header
 inforisposte.com: did not receive HSTS header
-informaciondeciclismo.com: did not receive HSTS header
 informaticapremium.com: did not receive HSTS header
 informatik.zone: could not connect to host
 infos-generation.com: did not receive HSTS header
@@ -8337,6 +8636,7 @@ infosoph.org: could not connect to host
 infotics.es: did not receive HSTS header
 infovae-idf.com: could not connect to host
 infoworm.org: could not connect to host
+infr.red: did not receive HSTS header
 infradio.am: could not connect to host
 infranix.eu: max-age too low: 7360000
 infruction.com: could not connect to host
@@ -8369,7 +8669,6 @@ inku.ovh: did not receive HSTS header
 inkvisual.tk: could not connect to host
 inleaked.com: could not connect to host
 inme.ga: did not receive HSTS header
-inmusrv.de: could not connect to host
 innerform.com: could not connect to host
 innit.be: could not connect to host
 innobatics.com: did not receive HSTS header
@@ -8378,7 +8677,6 @@ innovamag.ca: did not receive HSTS header
 innovativebuildingsolutions.co.za: could not connect to host
 innovativeideaz.org: could not connect to host
 innoventure.de: could not connect to host
-innwan.com: could not connect to host
 inondation.ch: could not connect to host
 inorder.website: could not connect to host
 inovatec.com: did not receive HSTS header
@@ -8424,8 +8722,11 @@ intelbet.ro: did not receive HSTS header
 intelhost.net: max-age too low: 0
 intelldynamics.com: could not connect to host
 intelliance.eu: did not receive HSTS header
+interabbit.com: could not connect to host
 interboursegeneva.ch: did not receive HSTS header
 interchanges.io: max-age too low: 0
+intercom.com: did not receive HSTS header
+intercom.io: did not receive HSTS header
 interference.io: did not receive HSTS header
 interfloraservices.co.uk: could not connect to host
 intergenx.co.uk: could not connect to host
@@ -8437,7 +8738,7 @@ interim-cto.de: could not connect to host
 interiorcheapo.com: could not connect to host
 interiortradingco.com.au: could not connect to host
 interleucina.org: did not receive HSTS header
-interlocal.co.uk: could not connect to host
+interlocal.co.uk: did not receive HSTS header
 interlun.com: could not connect to host
 intermezzo-emmerich.de: did not receive HSTS header
 intermezzo-emmerich.nl: did not receive HSTS header
@@ -8463,10 +8764,12 @@ intim-uslugi-kazan.net: could not connect to host
 intimateperrierjouet.com: could not connect to host
 intimici.com.br: could not connect to host
 intimtoy.com.ua: could not connect to host
+intracom.com: did not receive HSTS header
 intranetsec.fr: could not connect to host
 intreaba.xyz: could not connect to host
+intrigue3d.com: could not connect to host
+introverted.ninja: did not receive HSTS header
 introvertedtravel.space: max-age too low: 0
-intrp.net: did not receive HSTS header
 invenio.software: could not connect to host
 inventoryexpress.xyz: could not connect to host
 inverselink.com: could not connect to host
@@ -8481,17 +8784,17 @@ invinsec.com: max-age too low: 86400
 invis.net: could not connect to host
 invitation-factory.tk: could not connect to host
 invite24.pro: could not connect to host
-invitescene.com: did not receive HSTS header
 invuelto.com: did not receive HSTS header
 iodev.nl: could not connect to host
 iodice.org: did not receive HSTS header
 iodu.re: could not connect to host
+ioerror.us: did not receive HSTS header
 ioiart.eu: could not connect to host
 iolife.dk: could not connect to host
 ionas-law.ro: did not receive HSTS header
 ionc.ca: could not connect to host
 ionote.me: could not connect to host
-iop.intuit.com: did not receive HSTS header
+iop.intuit.com: max-age too low: 86400
 iora.fr: could not connect to host
 iostips.ru: could not connect to host
 iotfen.com: could not connect to host
@@ -8506,8 +8809,9 @@ ipcfg.me: could not connect to host
 ipfp.pl: did not receive HSTS header
 iphonechina.net: could not connect to host
 iphoneportfolioapp.com: did not receive HSTS header
+ipid.me: could not connect to host
+iplabs.de: did not receive HSTS header
 iplife.cn: could not connect to host
-iplog.info: could not connect to host
 ipmimagazine.com: did not receive HSTS header
 ipmotion.ca: could not connect to host
 ipnetworking.net: could not connect to host
@@ -8521,21 +8825,25 @@ iprice.vn: did not receive HSTS header
 ipricethailand.com: did not receive HSTS header
 iprody.com: could not connect to host
 ipsilon-project.org: did not receive HSTS header
+ipstoragesolutions.com: did not receive HSTS header
 iptel.ro: could not connect to host
+iptvmakedonija.mk: did not receive HSTS header
 ipuservicedesign.com: could not connect to host
 ipv6.watch: did not receive HSTS header
 ipv6cloud.club: could not connect to host
 ipv6demo.de: could not connect to host
 ipv6only.network: could not connect to host
+ipv8.net: could not connect to host
 ipvsec.nl: could not connect to host
 iqcn.co: could not connect to host
 iqualtech.com: max-age too low: 7889238
 ir-saitama.com: could not connect to host
 iran-geo.com: could not connect to host
 iran-poll.org: max-age too low: 0
-irandp.net: did not receive HSTS header
+irandp.net: could not connect to host
 iranianlawschool.com: could not connect to host
 iraqidinar.org: did not receive HSTS header
+irasandi.com: could not connect to host
 irazimina.ru: did not receive HSTS header
 irccloud.com: did not receive HSTS header
 ircmett.de: did not receive HSTS header
@@ -8546,7 +8854,6 @@ irische-segenswuensche.info: could not connect to host
 irisdina.de: could not connect to host
 irishmusic.nu: did not receive HSTS header
 irland.guide: could not connect to host
-irmag.ru: did not receive HSTS header
 irmtrudjurke.de: did not receive HSTS header
 irodorinet.com: max-age too low: 0
 iron-guard.net: did not receive HSTS header
@@ -8570,10 +8877,11 @@ isdf.me: could not connect to host
 isdown.cz: could not connect to host
 isef-eg.com: did not receive HSTS header
 iserv.fr: did not receive HSTS header
+isfff.com: could not connect to host
 isfriday.com: could not connect to host
 ishadowsocks.ltd: could not connect to host
+ishet.al: max-age too low: 0
 ishillaryclintoninprisonyet.com: could not connect to host
-ishome.org: could not connect to host
 isidom.fr: did not receive HSTS header
 isipulsa.web.id: did not receive HSTS header
 isisfighters.info: could not connect to host
@@ -8589,11 +8897,10 @@ islandpumpandtank.com: did not receive HSTS header
 islandzero.net: could not connect to host
 islazia.fr: did not receive HSTS header
 isntall.us: did not receive HSTS header
-isocom.eu: could not connect to host
+isocom.eu: did not receive HSTS header
 isoface33.fr: did not receive HSTS header
 isogen5.com: could not connect to host
 isogram.nl: did not receive HSTS header
-isondo.com: could not connect to host
 isoroc-nidzica.pl: could not connect to host
 ispringcloud.ru: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 ispweb.es: did not receive HSTS header
@@ -8607,35 +8914,33 @@ istgame.com: did not receive HSTS header
 isthefieldcontrolsystemdown.com: could not connect to host
 istherrienstillcoach.com: could not connect to host
 isv.online: did not receive HSTS header
+iszy.me: could not connect to host
 it-cave.com: could not connect to host
 it-enthusiasts.tech: could not connect to host
 it-go.net: did not receive HSTS header
-it-kron.de: did not receive HSTS header
 it-labor.info: did not receive HSTS header
 it-schwerin.de: could not connect to host
-it1b.com: could not connect to host
 itad.top: could not connect to host
 itblog.pp.ua: did not receive HSTS header
 itbrief.co.nz: did not receive HSTS header
 itbrief.com.au: did not receive HSTS header
 itchimes.com: did not receive HSTS header
-itchy.nl: could not connect to host
 itchybrainscentral.com: could not connect to host
 itds-consulting.com: could not connect to host
 itds-consulting.cz: could not connect to host
 itds-consulting.eu: could not connect to host
 itechgeek.com: did not receive HSTS header
-iteli.eu: did not receive HSTS header
 items.lv: did not receive HSTS header
 itemton.com: could not connect to host
-iterror.co: could not connect to host
+iterasoft.de: did not receive HSTS header
 itfaq.nl: did not receive HSTS header
-itfensi.net: max-age too low: 6307200
+itfensi.net: could not connect to host
 itforcc.com: did not receive HSTS header
 ithakama.com: could not connect to host
 itinsight.hu: did not receive HSTS header
 itiomassagem.com.br: did not receive HSTS header
 itisjustnot.cricket: could not connect to host
+itmanie.cz: could not connect to host
 itnews-bg.com: could not connect to host
 itogoyomi.com: did not receive HSTS header
 itos.asia: did not receive HSTS header
@@ -8647,6 +8952,7 @@ itrack.in.th: did not receive HSTS header
 itriskltd.com: did not receive HSTS header
 its-schindler.de: could not connect to host
 its-v.de: could not connect to host
+its4living.com: could not connect to host
 itsadog.co.uk: did not receive HSTS header
 itsagadget.com: did not receive HSTS header
 itsamurai.ru: max-age too low: 2592000
@@ -8656,6 +8962,7 @@ itsg-faq.de: could not connect to host
 itshka.rv.ua: max-age too low: 604800
 itshost.ru: could not connect to host
 itsmejohn.org: could not connect to host
+itspartytimesweetinflations.com: could not connect to host
 itsupport-luzern.ch: could not connect to host
 ittop-gabon.com: could not connect to host
 itu2015.de: could not connect to host
@@ -8682,9 +8989,14 @@ ixec2.tk: could not connect to host
 ixh.me: did not receive HSTS header
 ixio.cz: could not connect to host
 izdiwho.com: could not connect to host
+izevg.ru: could not connect to host
+izhaojie.com: could not connect to host
 izolight.ch: could not connect to host
 izonemart.com: did not receive HSTS header
 izoox.com: did not receive HSTS header
+izxxs.com: could not connect to host
+izxxs.net: could not connect to host
+izxzw.net: could not connect to host
 izzzorgconcerten.nl: could not connect to host
 j-eck.nl: did not receive HSTS header
 j-lsolutions.com: could not connect to host
@@ -8693,6 +9005,7 @@ j0ng.xyz: could not connect to host
 j15t98j.co.uk: did not receive HSTS header
 j2ee.cz: could not connect to host
 j8y.de: did not receive HSTS header
+ja-publications.agency: did not receive HSTS header
 ja-publications.com: did not receive HSTS header
 jaan.su: could not connect to host
 jaaxypro.com: could not connect to host
@@ -8704,7 +9017,7 @@ jackops.com: could not connect to host
 jackrusselterrier.com.br: could not connect to host
 jackyyf.com: could not connect to host
 jaco.by: could not connect to host
-jacobparry.ca: max-age too low: 0
+jacobparry.ca: did not receive HSTS header
 jadara.info: could not connect to host
 jaepinformatica.com: did not receive HSTS header
 jagido.de: did not receive HSTS header
@@ -8726,7 +9039,7 @@ jamberry.com.mx: could not connect to host
 james-parker.com: did not receive HSTS header
 james.je: could not connect to host
 jamesandanneke.com: could not connect to host
-jamesbradach.com: could not connect to host
+jamesbradach.com: did not receive HSTS header
 jamesburton.london: could not connect to host
 jamesbywater.co.uk: could not connect to host
 jamesbywater.com: could not connect to host
@@ -8763,13 +9076,15 @@ janmachynka.cz: could not connect to host
 janmg.com: could not connect to host
 janosh.com: did not receive HSTS header
 janssen.fm: could not connect to host
+janssenwigman.nl: did not receive HSTS header
 janus-engineering.de: did not receive HSTS header
 janverlaan.nl: did not receive HSTS header
 jap-nope.de: did not receive HSTS header
 japan4you.org: did not receive HSTS header
 japanbaths.com: did not receive HSTS header
-japaneseemoticons.org: did not receive HSTS header
+japaneseemoticons.org: could not connect to host
 japanesenames.biz: did not receive HSTS header
+japangids.nl: max-age too low: 86400
 japansm.com: could not connect to host
 japanwide.net: did not receive HSTS header
 japaripark.com: could not connect to host
@@ -8782,17 +9097,20 @@ jaredfraser.com: could not connect to host
 jarivisual.com: could not connect to host
 jarl.ninja: could not connect to host
 jarnail.ca: could not connect to host
+jaroslavc.eu: could not connect to host
 jaroslavtrsek.cz: did not receive HSTS header
 jarrodcastaing.com: did not receive HSTS header
 jarrodcastaing.com.au: did not receive HSTS header
 jarsater.com: could not connect to host
 jartza.org: could not connect to host
+jasl.works: could not connect to host
 jasmineconseil.com: did not receive HSTS header
 jasoncosper.com: did not receive HSTS header
 jasonian-photo.com: could not connect to host
 jasonradin.com: did not receive HSTS header
 jasonrobinson.me: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 jasonroe.me: did not receive HSTS header
+jasonsansone.com: could not connect to host
 jasonwindholz.com: could not connect to host
 jastoria.pl: did not receive HSTS header
 jastrow.me: did not receive HSTS header
@@ -8800,18 +9118,19 @@ jateng.press: could not connect to host
 jav-collective.com: could not connect to host
 java-board.com: could not connect to host
 javachip.win: could not connect to host
-javan.ga: could not connect to host
+javan.ga: did not receive HSTS header
 javascriptlab.fr: could not connect to host
 javelinsms.com: could not connect to host
 javfree.me: could not connect to host
 javiermixdjs.com: did not receive HSTS header
+javik.net: did not receive HSTS header
 javilacat.info: could not connect to host
 jawn.ca: could not connect to host
 jawnelodzkie.org.pl: could not connect to host
 jaxageto.de: did not receive HSTS header
 jayblock.com: did not receive HSTS header
 jayharris.ca: could not connect to host
-jaylen.com.ar: did not receive HSTS header
+jaylen.com.ar: could not connect to host
 jayna.design: did not receive HSTS header
 jayschulman.com: did not receive HSTS header
 jayscoaching.com: could not connect to host
@@ -8839,14 +9158,13 @@ jcyz.cf: could not connect to host
 jdav-leipzig.de: could not connect to host
 jdcdirectsales.com.ph: could not connect to host
 jdfk.net: could not connect to host
-jdgonzalez95.com: did not receive HSTS header
+jdgonzalez95.com: could not connect to host
 jdh8.org: did not receive HSTS header
-jdsf.tk: did not receive HSTS header
+jdsf.tk: could not connect to host
 jean-remy.ch: could not connect to host
 jebengotai.com: did not receive HSTS header
-jec-dekrone.be: did not receive HSTS header
-jecho.cn: could not connect to host
 jedayoshi.me: could not connect to host
+jedayoshi.tk: could not connect to host
 jeepmafia.com: did not receive HSTS header
 jeff.forsale: did not receive HSTS header
 jeff.is: could not connect to host
@@ -8854,12 +9172,13 @@ jeff393.com: could not connect to host
 jeffanderson.me: did not receive HSTS header
 jeffersonregan.org: could not connect to host
 jeffhuxley.com: could not connect to host
+jeffmcneill.com: did not receive HSTS header
 jeffreymagee.com: did not receive HSTS header
 jeil-makes.co.kr: could not connect to host
 jelewa.de: did not receive HSTS header
-jelleglebbeek.com: max-age too low: 0
 jellow.nl: did not receive HSTS header
 jemoticons.com: did not receive HSTS header
+jena.space: could not connect to host
 jenjoit.de: could not connect to host
 jennedebleser.com: did not receive HSTS header
 jenniferchan.id.au: could not connect to host
@@ -8868,12 +9187,14 @@ jennybeaned.com: did not receive HSTS header
 jens-prangenberg.de: did not receive HSTS header
 jens.hk: could not connect to host
 jensenbanden.no: could not connect to host
-jenssen.org: could not connect to host
+jenssen.org: did not receive HSTS header
+jeparamedia.com: did not receive HSTS header
 jeremye77.com: did not receive HSTS header
 jeremymade.com: did not receive HSTS header
 jeremywagner.me: did not receive HSTS header
 jermann.biz: did not receive HSTS header
 jeroenensanne.wedding: could not connect to host
+jeroensangers.com: could not connect to host
 jeroenvanderwal.nl: did not receive HSTS header
 jeroldirvin.com: did not receive HSTS header
 jerrypau.ca: could not connect to host
@@ -8899,7 +9220,6 @@ jewellerymarvels.com: did not receive HSTS header
 jez.nl: could not connect to host
 jfmel.com: did not receive HSTS header
 jfnllc.com: could not connect to host
-jfr.im: did not receive HSTS header
 jfx.space: did not receive HSTS header
 jh-media.eu: could not connect to host
 jhburton.co.uk: could not connect to host
@@ -8915,17 +9235,19 @@ jiangzequn.com: could not connect to host
 jiangzm.com: could not connect to host
 jianjiantv.com: could not connect to host
 jiaqiang.vip: could not connect to host
+jiazhao.ga: could not connect to host
 jichi.me: could not connect to host
 jie.dance: could not connect to host
 jief.me: could not connect to host
 jigsawdevelopments.com: could not connect to host
 jiid.ga: could not connect to host
 jikegu.com: could not connect to host
-jikken.de: could not connect to host
+jikken.de: did not receive HSTS header
 jimas.eu: did not receive HSTS header
 jimenacocina.com: did not receive HSTS header
 jimgao.tk: did not receive HSTS header
 jimmehcai.com: could not connect to host
+jimmycn.com: could not connect to host
 jimmynelson.com: did not receive HSTS header
 jinancy.fr: could not connect to host
 jing-in.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -8949,8 +9271,10 @@ jkest.cc: could not connect to host
 jkng.eu: could not connect to host
 jko.works: could not connect to host
 jkuvw.xyz: could not connect to host
+jkyuan.tk: could not connect to host
 jldp.org: did not receive HSTS header
 jlhmedia.com: did not receive HSTS header
+jlot.org: did not receive HSTS header
 jm06.com: did not receive HSTS header
 jm22.com: could not connect to host
 jmb.lc: could not connect to host
@@ -8986,6 +9310,8 @@ joefixit.co.uk: could not connect to host
 joelgonewild.com: did not receive HSTS header
 joerg-wellpott.de: did not receive HSTS header
 joetyson.io: could not connect to host
+joeyfelix.com: could not connect to host
+joeyvilaro.com: could not connect to host
 johand.io: could not connect to host
 johannaojanen.com: could not connect to host
 johannes-bugenhagen.de: did not receive HSTS header
@@ -8994,8 +9320,7 @@ johnbrownphotography.ch: did not receive HSTS header
 johncardell.com: did not receive HSTS header
 johners.me: could not connect to host
 johngaltgroup.com: did not receive HSTS header
-johnhgaunt.com: did not receive HSTS header
-johnmichel.org: could not connect to host
+johngo.tk: did not receive HSTS header
 johnmorganpartnership.co.uk: did not receive HSTS header
 johnrom.com: could not connect to host
 johntomasowa.com: could not connect to host
@@ -9007,15 +9332,19 @@ jonarcher.info: did not receive HSTS header
 jonas-keidel.de: did not receive HSTS header
 jonasgroth.se: did not receive HSTS header
 jonathan.ir: could not connect to host
+jonathancarter.org: could not connect to host
 jonathandowning.uk: did not receive HSTS header
 jonathanmassacand.ch: could not connect to host
 jonathanreyes.com: did not receive HSTS header
 jonathansanchez.pro: could not connect to host
+jonathanselea.se: did not receive HSTS header
 jonesopolis.xyz: could not connect to host
+jonferwerda.net: could not connect to host
 jonfor.net: could not connect to host
 jongha.me: could not connect to host
 jonn.me: could not connect to host
 jonnichols.info: could not connect to host
+jons.org: could not connect to host
 jonsno.ws: could not connect to host
 joostbovee.nl: did not receive HSTS header
 jooto.com: did not receive HSTS header
@@ -9031,12 +9360,10 @@ jornadasciberdefensa2016.es: could not connect to host
 jorovik.com: did not receive HSTS header
 jorrit.info: max-age too low: 0
 josahrens.me: could not connect to host
-josc.com.au: could not connect to host
 jose.eti.br: did not receive HSTS header
 joseaveleira.es: did not receive HSTS header
 josecage.com: could not connect to host
 josegerber.ch: did not receive HSTS header
-josemikkola.fi: could not connect to host
 josericaurte.com: could not connect to host
 joshi.su: could not connect to host
 joshplant.co.uk: could not connect to host
@@ -9061,22 +9388,25 @@ jptun.com: could not connect to host
 jrgold.me: could not connect to host
 jrmd.io: could not connect to host
 jrvar.com: could not connect to host
+js3311.com: could not connect to host
 js88.sg: could not connect to host
+js93029.com: could not connect to host
 jsanders.us: did not receive HSTS header
 jsbentertainment.nl: could not connect to host
 jsbevents.nl: could not connect to host
 jsblights.nl: could not connect to host
 jsc7776.com: could not connect to host
 jsdelivr.net: could not connect to host
+jsevilleja.org: could not connect to host
 jsg-technologies.de: did not receive HSTS header
 jsjyhzy.cc: could not connect to host
 jslidong.top: did not receive HSTS header
 json-viewer.com: did not receive HSTS header
 jstelecom.com.br: did not receive HSTS header
-jstore.ch: could not connect to host
 jsuse.xyz: could not connect to host
 jsvr.tk: could not connect to host
 jsxc.ch: could not connect to host
+jtcat.com: could not connect to host
 jtcjewelry.com: could not connect to host
 ju1ro.de: could not connect to host
 jualautoclave.com: did not receive HSTS header
@@ -9089,6 +9419,7 @@ jucktehkeinen.de: did not receive HSTS header
 juiced.gs: did not receive HSTS header
 juka.pp.ua: could not connect to host
 julegoerke.de: did not receive HSTS header
+julenlanda.com: could not connect to host
 juliamweber.de: could not connect to host
 julian-kipka.de: did not receive HSTS header
 julian-witusch.de: could not connect to host
@@ -9108,17 +9439,18 @@ jumping-duck.com: could not connect to host
 jumpman-iphone-design.de: could not connect to host
 junaos.com: did not receive HSTS header
 junaos.xyz: did not receive HSTS header
+junctioncitywisconsin.gov: could not connect to host
 jundimax.com.br: could not connect to host
 junge-selbsthilfe.info: could not connect to host
 jungleculture.co.za: did not receive HSTS header
 junglegoat.xyz: did not receive HSTS header
+junias-fenske.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 juniwalk.cz: could not connect to host
 junjung.me: could not connect to host
 junoaroma.com: could not connect to host
 junqtion.com: could not connect to host
-jupp0r.de: did not receive HSTS header
+jupp0r.de: could not connect to host
 juridiqueo.com: did not receive HSTS header
-jurisprudent.by: did not receive HSTS header
 juristas.com.br: did not receive HSTS header
 juristeo.com: did not receive HSTS header
 jurke.com: did not receive HSTS header
@@ -9127,29 +9459,30 @@ just-english.online: did not receive HSTS header
 just-pools.co.za: could not connect to host
 just2trade.com: did not receive HSTS header
 justbelieverecovery.com: did not receive HSTS header
-justiceforfathers.com: could not connect to host
+justiceforfathers.com: did not receive HSTS header
 justiceo.org: did not receive HSTS header
 justinellingwood.com: could not connect to host
+justinharrison.ca: could not connect to host
 justinlemay.com: could not connect to host
 justinrudio.com: did not receive HSTS header
 justlikethat.hosting: did not receive HSTS header
 justmy.website: did not receive HSTS header
 justnaw.co.uk: could not connect to host
-justonce.net: could not connect to host
 justudin.com: did not receive HSTS header
 justwood.cz: did not receive HSTS header
 justzz.xyz: could not connect to host
 jutella.de: did not receive HSTS header
 juul.xyz: could not connect to host
-juventusclublugano.ch: could not connect to host
+juventusclublugano.ch: did not receive HSTS header
 juventusmania1897.com: could not connect to host
 juwairen.cn: could not connect to host
 juzgalo.com: did not receive HSTS header
+jva-wuerzburg.de: could not connect to host
 jvn.com: did not receive HSTS header
-jvoice.net: could not connect to host
+jvoice.net: did not receive HSTS header
+jwallet.cc: did not receive HSTS header
 jwilsson.me: could not connect to host
 jwolt-lx.com: could not connect to host
-jxir.de: could not connect to host
 jysperm.me: did not receive HSTS header
 jzachpearson.com: max-age too low: 0
 jzcapital.co: could not connect to host
@@ -9158,21 +9491,21 @@ k-dev.de: could not connect to host
 k-rickroll-g.pw: could not connect to host
 k-wallet.com: could not connect to host
 k1cp.com: could not connect to host
-k33k00.com: did not receive HSTS header
+k3508.com: could not connect to host
 k38.cc: could not connect to host
 ka-clan.com: could not connect to host
 kaanduman.com: could not connect to host
 kaasbijwijn.nl: did not receive HSTS header
 kaashosting.nl: did not receive HSTS header
+kabarlinux.id: could not connect to host
 kabinapp.com: did not receive HSTS header
 kabuabc.com: could not connect to host
-kabus.org: could not connect to host
 kackscharf.de: could not connect to host
 kadioglumakina.com.tr: did not receive HSTS header
 kadmec.com: did not receive HSTS header
 kaela.design: could not connect to host
 kahopoon.net: could not connect to host
-kai.cool: did not receive HSTS header
+kai.cool: could not connect to host
 kaibol.com: could not connect to host
 kaika-facilitymanagement.de: could not connect to host
 kaika-hms.de: did not receive HSTS header
@@ -9200,6 +9533,7 @@ kambodja.guide: could not connect to host
 kamcvicit.sk: could not connect to host
 kamikano.com: could not connect to host
 kamitech.ch: could not connect to host
+kampunginggris-ue.com: could not connect to host
 kanada.guide: could not connect to host
 kanagawachuo-hospital.jp: could not connect to host
 kanar.nl: could not connect to host
@@ -9212,7 +9546,6 @@ kanganer.com: could not connect to host
 kangzaber.com: could not connect to host
 kaniklani.co.za: did not receive HSTS header
 kanmitao.com: did not receive HSTS header
-kannchen.de: could not connect to host
 kanotijd.nl: could not connect to host
 kanr.in: could not connect to host
 kanscooking.org: could not connect to host
@@ -9225,7 +9558,8 @@ kaomojis.net: did not receive HSTS header
 kaotik4266.com: could not connect to host
 kapiorr.duckdns.org: could not connect to host
 kaplatz.is: could not connect to host
-kapo.info: could not connect to host
+kaplatzis.com: could not connect to host
+kapo.info: did not receive HSTS header
 kappit.dk: could not connect to host
 kapucini.si: max-age too low: 0
 kaputt.com: could not connect to host
@@ -9245,6 +9579,7 @@ karpanhellas.com: could not connect to host
 kars.ooo: could not connect to host
 karting34.com: did not receive HSTS header
 karuneshjohri.com: could not connect to host
+kasadara.com: did not receive HSTS header
 kashdash.ca: could not connect to host
 kashis.com.au: max-age too low: 0
 kat.al: could not connect to host
@@ -9261,7 +9596,7 @@ katproxy.site: could not connect to host
 katproxy.tech: could not connect to host
 katproxy.top: could not connect to host
 katrinjanke.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-kattenfun.be: did not receive HSTS header
+kattenfun.be: could not connect to host
 kattenfun.nl: could not connect to host
 katthewaffle.fr: could not connect to host
 katzen.me: could not connect to host
@@ -9274,7 +9609,7 @@ kausta.me: could not connect to host
 kaverti.com: did not receive HSTS header
 kavik.no: could not connect to host
 kavinvin.me: could not connect to host
-kawaiii.link: did not receive HSTS header
+kawaii.io: could not connect to host
 kawaiiku.com: could not connect to host
 kawaiiku.de: could not connect to host
 kaydan.io: could not connect to host
@@ -9285,7 +9620,6 @@ kaysis.gov.tr: did not receive HSTS header
 kazamasion.com: could not connect to host
 kazanasolutions.de: could not connect to host
 kazenojiyu.fr: did not receive HSTS header
-kazumi.ooo: could not connect to host
 kbfl.org: could not connect to host
 kcluster.io: could not connect to host
 kcptun.com: could not connect to host
@@ -9299,7 +9633,8 @@ keechain.io: could not connect to host
 keeley.gq: could not connect to host
 keeley.ml: could not connect to host
 keeleysam.me: could not connect to host
-keepaa.com: could not connect to host
+keematdekho.com: could not connect to host
+keepaa.com: did not receive HSTS header
 keepassa.co: could not connect to host
 keepclean.me: could not connect to host
 keepcoalintheground.org: could not connect to host
@@ -9316,6 +9651,7 @@ kelm.me: could not connect to host
 kelmarsafety.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 kelp.agency: did not receive HSTS header
 ken-electric.com.br: could not connect to host
+kenbillionsyuan.tk: could not connect to host
 kenc.dk: max-age too low: 2592000
 kenchristensen.dk: max-age too low: 2592000
 kenderbeton-magyarorszag.hu: did not receive HSTS header
@@ -9340,16 +9676,16 @@ keskeces.com: did not receive HSTS header
 kessel-runners.com: could not connect to host
 kesteren.com: could not connect to host
 kevindekoninck.com: could not connect to host
-kevinfoley.cc: could not connect to host
-kevinfoley.org: could not connect to host
+kevinheslinphoto.com: did not receive HSTS header
 kevinmoreland.com: could not connect to host
 kevinroebert.de: did not receive HSTS header
 kevlar.pw: did not receive HSTS header
 kewego.co.uk: could not connect to host
 keymaster.lookout.com: did not receive HSTS header
-keys.fedoraproject.org: could not connect to host
+keypersonins.com: did not receive HSTS header
 keyserver.sexy: could not connect to host
 kfbrussels.be: could not connect to host
+kfm.ink: did not receive HSTS header
 kg-rating.com: could not connect to host
 kgb.us: did not receive HSTS header
 kgregorczyk.pl: could not connect to host
@@ -9375,11 +9711,15 @@ kiel-media.de: did not receive HSTS header
 kielderweather.org.uk: did not receive HSTS header
 kielwi.gov: could not connect to host
 kienlen.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+kieran.ie: could not connect to host
+kieranjones.uk: could not connect to host
 kieranweightman.me: could not connect to host
 kiesuwcursus.nl: did not receive HSTS header
 kievradio.com: could not connect to host
+kikimilyatacado.com.br: could not connect to host
 kikuzuki.org: could not connect to host
 kiladera.be: did not receive HSTS header
+kilerd.me: could not connect to host
 kill-paff.com: did not receive HSTS header
 kimana.pe: did not receive HSTS header
 kimberg.co.uk: did not receive HSTS header
@@ -9410,7 +9750,7 @@ kinnon.enterprises: could not connect to host
 kinow.com: did not receive HSTS header
 kinsmenhomelottery.com: did not receive HSTS header
 kintoandar.com: max-age too low: 0
-kintrip.com: did not receive HSTS header
+kintrip.com: could not connect to host
 kintzingerfilm.de: did not receive HSTS header
 kionetworks.com: did not receive HSTS header
 kipin.fr: did not receive HSTS header
@@ -9423,13 +9763,14 @@ kirillpokrovsky.de: could not connect to host
 kirito.kr: did not receive HSTS header
 kirkforsenate.com: could not connect to host
 kirkpatrickdavis.com: could not connect to host
-kirrie.pe.kr: could not connect to host
+kis-toitoidixi.de: could not connect to host
 kisa.io: could not connect to host
 kiss-register.org: could not connect to host
 kissart.net: could not connect to host
 kissesb.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 kissesb.net: could not connect to host
 kisskiss.ch: could not connect to host
+kissoft.ro: could not connect to host
 kisstube.tv: could not connect to host
 kisstyle.ru: did not receive HSTS header
 kisun.co.jp: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -9439,8 +9780,8 @@ kitakemon.com: could not connect to host
 kitashop.com.br: could not connect to host
 kitatec.com.br: could not connect to host
 kitchenaccessories.pro: did not receive HSTS header
-kitchenalley.ca: could not connect to host
-kitchenalley.com: could not connect to host
+kitchenalley.ca: max-age too low: 86400
+kitchenalley.com: max-age too low: 86400
 kitchenchaos.de: could not connect to host
 kitegarage.eu: did not receive HSTS header
 kiteschoolamsterdam.nl: could not connect to host
@@ -9462,8 +9803,9 @@ kj1396.net: did not receive HSTS header
 kj1397.com: did not receive HSTS header
 kjaermaxi.me: did not receive HSTS header
 kjg-bachrain.de: could not connect to host
+kjg-ummeln.de: did not receive HSTS header
 kjoglum.me: could not connect to host
-kkomputer.net: could not connect to host
+kkomputer.net: did not receive HSTS header
 kkull.tv: could not connect to host
 kkws.co: could not connect to host
 klantenadvies.nl: did not receive HSTS header
@@ -9474,6 +9816,7 @@ klauwd.com: could not connect to host
 klaxn.org: could not connect to host
 klean-ritekc.com: did not receive HSTS header
 kleberstoff.xyz: could not connect to host
+kleding.website: did not receive HSTS header
 kleertjesvoordelig.nl: could not connect to host
 kleidertauschpartys.de: could not connect to host
 kleinerarchitekturfuehrer.de: could not connect to host
@@ -9484,6 +9827,7 @@ kletterkater.com: did not receive HSTS header
 klicktojob.de: could not connect to host
 klingeletest.de: could not connect to host
 klingsundet.no: did not receive HSTS header
+klinkerstreet.com.ua: did not receive HSTS header
 kliqsd.com: could not connect to host
 kloentrup.de: max-age too low: 604800
 klotz-labs.com: max-age too low: 7889238
@@ -9493,9 +9837,9 @@ km-net.pl: did not receive HSTS header
 kmdev.me: did not receive HSTS header
 knapen.io: max-age too low: 604800
 knccloud.com: could not connect to host
-knegten-agilis.com: could not connect to host
 kneipi.de: did not receive HSTS header
 kngk-azs.ru: could not connect to host
+kniga.market: could not connect to host
 knigadel.com: did not receive HSTS header
 knightsbridgegroup.org: could not connect to host
 knightsweep.com: could not connect to host
@@ -9512,7 +9856,10 @@ koddsson.com: did not receive HSTS header
 kodexplorer.ml: could not connect to host
 kodiaklabs.org: could not connect to host
 kodokushi.fr: could not connect to host
+koehn.com: could not connect to host
+koelbli.ch: could not connect to host
 koen.io: max-age too low: 86400
+koenen-bau.de: did not receive HSTS header
 koenvdheuvel.me: could not connect to host
 koerper-wie-seele.de: did not receive HSTS header
 koerperimpuls.ch: did not receive HSTS header
@@ -9524,20 +9871,22 @@ kokenmetaanbiedingen.nl: could not connect to host
 kokoiroworks.com: could not connect to host
 kola-entertainments.de: did not receive HSTS header
 kolania.com: could not connect to host
-kolania.net: could not connect to host
 kolaykaydet.com: could not connect to host
 kolbeck.tk: could not connect to host
 kollawat.me: could not connect to host
 kolozsvaricsuhe.hu: did not receive HSTS header
+kombidorango.com.br: did not receive HSTS header
 komikito.com: could not connect to host
 kompetenzwerft.de: did not receive HSTS header
 konata.us: could not connect to host
 kongbaofang.com: could not connect to host
 konicaprinterdriver.com: could not connect to host
 konings.it: could not connect to host
+konkai.store: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 konkurs.ba: could not connect to host
 kontakthuman.hu: did not receive HSTS header
 kontaxis.network: could not connect to host
+kontrolapovinnosti.cz: did not receive HSTS header
 konventseliten.se: could not connect to host
 koop-bremen.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 koopjesnel.nl: could not connect to host
@@ -9545,6 +9894,7 @@ koordinate.net: could not connect to host
 kopio.jp: did not receive HSTS header
 koppelvlak.net: could not connect to host
 kopular.com: could not connect to host
+koretech.nl: could not connect to host
 kori.ml: did not receive HSTS header
 koriyoukai.net: did not receive HSTS header
 kornersafe.com: did not receive HSTS header
@@ -9554,7 +9904,7 @@ kostuumstore.nl: could not connect to host
 kostya.net: did not receive HSTS header
 kotakoo.id: could not connect to host
 kotausaha.com: could not connect to host
-kotelezobiztositas.eu: could not connect to host
+kotelezobiztositas.eu: did not receive HSTS header
 kotomei.moe: could not connect to host
 kotonehoko.net: could not connect to host
 kotorimusic.ga: could not connect to host
@@ -9564,6 +9914,7 @@ koukni.cz: did not receive HSTS header
 kourpe.online: could not connect to host
 kousaku.jp: could not connect to host
 kovnsk.net: could not connect to host
+kovuthehusky.com: did not receive HSTS header
 kozmik.co: could not connect to host
 kpdyer.com: did not receive HSTS header
 kpebetka.net: did not receive HSTS header
@@ -9575,7 +9926,7 @@ kraigwalker.com: could not connect to host
 kraiwan.com: did not receive HSTS header
 krasavchik.by: could not connect to host
 krasota.ru: did not receive HSTS header
-krausen.ca: did not receive HSTS header
+krausen.ca: could not connect to host
 krausoft.hu: did not receive HSTS header
 kravelindo-adventure.com: could not connect to host
 kraynik.com: could not connect to host
@@ -9586,7 +9937,7 @@ kreb.io: could not connect to host
 kredietpaspoort.nl: could not connect to host
 kredite.sale: could not connect to host
 kredite24.de: did not receive HSTS header
-kreditkarte-fuer-backpacker.de: did not receive HSTS header
+kreditkarte-fuer-backpacker.de: could not connect to host
 krestanskydarek.cz: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 kreza.de: could not connect to host
 kriegskindernothilfe.de: could not connect to host
@@ -9605,14 +9956,12 @@ kroodle.nl: did not receive HSTS header
 krouzkyliduska.cz: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 kruegerrand-wert.de: did not receive HSTS header
 krunut.com: did not receive HSTS header
-krusesec.com: could not connect to host
 kryha.io: did not receive HSTS header
 krypteia.org: could not connect to host
-kryptomech.com: could not connect to host
 kryptomodkingz.com: could not connect to host
-ks88.com: could not connect to host
 ksfh-mail.de: could not connect to host
 ksk-agentur.de: did not receive HSTS header
+kspg.tv: could not connect to host
 kstan.me: could not connect to host
 kswcosmetics.com: could not connect to host
 kswriter.com: could not connect to host
@@ -9622,10 +9971,9 @@ kuba.guide: could not connect to host
 kubiwa.net: could not connect to host
 kubusadvocaten.nl: could not connect to host
 kuchenschock.de: did not receive HSTS header
-kucheryavenkovn.ru: did not receive HSTS header
+kucheryavenkovn.ru: could not connect to host
 kucom.it: did not receive HSTS header
-kueche-co.de: max-age too low: 9190324
-kuechenplan.online: could not connect to host
+kuechenplan.online: did not receive HSTS header
 kueulangtahunanak.net: could not connect to host
 kuko-crews.org: could not connect to host
 kultmobil.se: did not receive HSTS header
@@ -9638,9 +9986,10 @@ kunstfehler.at: did not receive HSTS header
 kunstschule-krabax.de: did not receive HSTS header
 kuops.com: did not receive HSTS header
 kupdokuchyne.cz: could not connect to host
-kupelne-ptacek.sk: could not connect to host
+kupelne-ptacek.sk: did not receive HSTS header
 kuppingercole.com: did not receive HSTS header
 kura.io: could not connect to host
+kurashino-mall.com: could not connect to host
 kurehun.org: could not connect to host
 kuro346.moe: could not connect to host
 kuroisalva.xyz: did not receive HSTS header
@@ -9652,17 +10001,16 @@ kurumi.io: did not receive HSTS header
 kurz.pw: could not connect to host
 kurzonline.com.br: could not connect to host
 kuwago.io: could not connect to host
-kuzdrowiu24.pl: did not receive HSTS header
+kuzdrowiu24.pl: could not connect to host
 kvt.berlin: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 kwidz.fr: did not receive HSTS header
 kwikmed.eu: could not connect to host
 kwiknews.com: did not receive HSTS header
 kwipi.com: did not receive HSTS header
 kwmr.me: did not receive HSTS header
-kwok.cc: could not connect to host
 kwok.tv: could not connect to host
 kwondratsch.com: could not connect to host
-kxind.cn: could not connect to host
+kxind.cn: did not receive HSTS header
 kyanite.co: max-age too low: 7889238
 kyberna.xyz: could not connect to host
 kykoonn.net: did not receive HSTS header
@@ -9677,7 +10025,6 @@ kymo.org: did not receive HSTS header
 kynaston.org.uk: could not connect to host
 kyochon.fr: could not connect to host
 kyonagashima.com: did not receive HSTS header
-kyoto-k9.com: did not receive HSTS header
 kyoto-sake.net: could not connect to host
 kyouko.nl: could not connect to host
 kyujin-office.net: could not connect to host
@@ -9715,6 +10062,7 @@ lacentral.com: did not receive HSTS header
 lacledeslan.ninja: could not connect to host
 lacuevadechauvet.com: did not receive HSTS header
 ladadate.com: could not connect to host
+ladenzeile.de: did not receive HSTS header
 ladybugjam.com: could not connect to host
 ladylikeit.com: could not connect to host
 ladylucks.co.uk: could not connect to host
@@ -9723,7 +10071,7 @@ laemen.nl: could not connect to host
 laf.in.net: could not connect to host
 lafamillemusique.fr: did not receive HSTS header
 lafeemam.fr: could not connect to host
-lafema.de: could not connect to host
+lafka.org: could not connect to host
 laforetenchantee.ch: could not connect to host
 lafosseobservatoire.be: did not receive HSTS header
 lafr4nc3.xyz: could not connect to host
@@ -9743,7 +10091,9 @@ lakewoodcomputerservices.com: could not connect to host
 lalajj.com: could not connect to host
 laltroweb.it: did not receive HSTS header
 lamafioso.com: could not connect to host
+lamaisondelatransformationculturelle.com: did not receive HSTS header
 lamaland.ru: did not receive HSTS header
+lamanwebinfo.com: did not receive HSTS header
 lambda-complex.org: could not connect to host
 lambdafive.co.uk: could not connect to host
 lamiaposta.email: did not receive HSTS header
@@ -9751,7 +10101,6 @@ lamomebijou.paris: did not receive HSTS header
 lampl.info: could not connect to host
 lamtv.com.mx: could not connect to host
 lan2k.org: max-age too low: 86400
-lana.swedbank.se: did not receive HSTS header
 lanauzedesigns.com: did not receive HSTS header
 lanboll.com: could not connect to host
 lanbyte.se: could not connect to host
@@ -9768,9 +10117,10 @@ langenbach.rocks: could not connect to host
 langendorf-ernaehrung-training.de: could not connect to host
 langendries.eu: did not receive HSTS header
 langhun.me: could not connect to host
+lanhhuyet510.tk: could not connect to host
 laniakean.com: did not receive HSTS header
+lannainnovation.com: did not receive HSTS header
 lanonfire.com: could not connect to host
-lanseyujie.com: max-age too low: 0
 lansinoh.co.uk: did not receive HSTS header
 lanzainc.xyz: could not connect to host
 laobox.fr: could not connect to host
@@ -9778,18 +10128,19 @@ laohei.org: did not receive HSTS header
 laospage.com: did not receive HSTS header
 lapakus.com: could not connect to host
 laperfumista.es: could not connect to host
-lapix.com.co: could not connect to host
 laplaceduvillage.net: could not connect to host
 laquack.com: could not connect to host
 lared.ovh: did not receive HSTS header
 laredsemanario.com: could not connect to host
-larotayogaming.stream: could not connect to host
 larsgujord.no: did not receive HSTS header
 larsmerke.de: did not receive HSTS header
 lasepiataca.com: did not receive HSTS header
 lasercloud.ml: could not connect to host
+laserfuchs.de: did not receive HSTS header
 lashstuff.com: did not receive HSTS header
 lasnaves.com: did not receive HSTS header
+lassesworld.com: could not connect to host
+lassesworld.se: could not connect to host
 lasst-uns-beten.de: could not connect to host
 latabaccheria.net: could not connect to host
 latable-bowling-vire.fr: did not receive HSTS header
@@ -9803,12 +10154,15 @@ lathamlabs.com: could not connect to host
 lathamlabs.net: could not connect to host
 lathamlabs.org: could not connect to host
 lathen-wahn.de: did not receive HSTS header
+latiendadelbebefeliz.com: did not receive HSTS header
+latinphone.com: could not connect to host
 latinred.com: did not receive HSTS header
 latitude42technology.com: did not receive HSTS header
 latour-managedcare.ch: could not connect to host
 latterdaybride.com: max-age too low: 7889238
 latus.xyz: could not connect to host
 laufcampus.com: did not receive HSTS header
+laufers.pl: did not receive HSTS header
 laufseminare-laufreisen.com: did not receive HSTS header
 lauftrainer-ausbildung.com: did not receive HSTS header
 laurel4th.org: did not receive HSTS header
@@ -9838,8 +10192,12 @@ lbrlh.tk: could not connect to host
 lbrli.tk: could not connect to host
 lbrls.tk: could not connect to host
 lbrt.xyz: could not connect to host
+lbsi-nordwest.de: did not receive HSTS header
+lcbizsolutions.com: could not connect to host
 lclarkpdx.com: could not connect to host
 lcti.biz: could not connect to host
+lcy.cat: could not connect to host
+lcybox.com: did not receive HSTS header
 ldarby.me.uk: could not connect to host
 ldcraft.pw: could not connect to host
 leadbook.ru: max-age too low: 604800
@@ -9850,6 +10208,7 @@ leaks.directory: could not connect to host
 leanclub.org: could not connect to host
 leaodarodesia.com.br: could not connect to host
 leardev.de: did not receive HSTS header
+learn-smart.uk: did not receive HSTS header
 learnedhacker.com: could not connect to host
 learnedovo.com: did not receive HSTS header
 learnfrenchfluently.com: could not connect to host
@@ -9871,13 +10230,11 @@ leebiblestudycenter.com: could not connect to host
 leebiblestudycentre.com: could not connect to host
 leebiblestudycentre.net: could not connect to host
 leebiblestudycentre.org: could not connect to host
-leech360.com: did not receive HSTS header
 leefindlow.com: could not connect to host
 leegyuho.com: could not connect to host
 leelou.wedding: could not connect to host
 leen.io: could not connect to host
 leerkotte.eu: could not connect to host
-leet2.com: could not connect to host
 leetsaber.com: did not receive HSTS header
 legal.farm: could not connect to host
 legaleus.co.uk: could not connect to host
@@ -9901,12 +10258,13 @@ leinir.dk: did not receive HSTS header
 leition.com: did not receive HSTS header
 leitionusercontent.com: did not receive HSTS header
 leitner.com.au: did not receive HSTS header
+leiyun.me: could not connect to host
 lelehei.com: could not connect to host
 lellyboi.ml: could not connect to host
 lelongbank.com: did not receive HSTS header
 lelubre.info: did not receive HSTS header
 lemon.co: could not connect to host
-lemondrops.xyz: could not connect to host
+lemonthy.ca: could not connect to host
 lemp.io: did not receive HSTS header
 lenders.direct: could not connect to host
 lenguajedeprogramacion.com: did not receive HSTS header
@@ -9926,8 +10284,8 @@ leochedibracchio.com: did not receive HSTS header
 leodaniels.com: did not receive HSTS header
 leon-jaekel.com: could not connect to host
 leonardcamacho.me: could not connect to host
+leonauto.de: could not connect to host
 leonhooijer.nl: could not connect to host
-leonmahler.consulting: did not receive HSTS header
 leopold.email: could not connect to host
 leopotamgroup.com: could not connect to host
 lepiquillo.fr: did not receive HSTS header
@@ -9942,21 +10300,22 @@ lesbiansslaves.com: could not connect to host
 lesbofight.com: could not connect to host
 lescomptoirsdepierrot.com: could not connect to host
 lesconteursavis.org: could not connect to host
+lescourtiersbordelais.com: did not receive HSTS header
 lesdouceursdeliyana.com: could not connect to host
 lesecuadors.com: did not receive HSTS header
 lesformations.net: could not connect to host
 lesh.eu: could not connect to host
 lesharris.com: could not connect to host
-lesjardinsdubanchet.fr: could not connect to host
+leshervelines.com: could not connect to host
 lesliekearney.com: did not receive HSTS header
 lesperlesdunet.fr: could not connect to host
 lesquatredauphins.fr: did not receive HSTS header
-lesquerda.cat: did not receive HSTS header
 lessing.consulting: did not receive HSTS header
 letempsdunefleur.be: could not connect to host
 leter.io: did not receive HSTS header
 lethbridgecoffee.com: did not receive HSTS header
 letitfly.me: could not connect to host
+letraba.com: could not connect to host
 letras.mus.br: did not receive HSTS header
 letreview.ph: could not connect to host
 letsgetintouch.com: could not connect to host
@@ -9972,16 +10331,18 @@ levelum.com: did not receive HSTS header
 levelupwear.com: max-age too low: 7889238
 leveredge.net: could not connect to host
 levert.ch: could not connect to host
+lewdgamer.com: could not connect to host
 lewisjuggins.co.uk: did not receive HSTS header
 lewisseals.com: could not connect to host
 lexiphanic.co.uk: did not receive HSTS header
 lexpartsofac.com: could not connect to host
+lexxyn.nl: did not receive HSTS header
 lez-cuties.com: could not connect to host
 lezdomsm.com: could not connect to host
 lfaz.org: could not connect to host
 lg21.co: could not connect to host
-lgbtqventures.com: did not receive HSTS header
-lgbtventures.com: could not connect to host
+lgbtqventures.com: max-age too low: 86400
+lgbtventures.com: did not receive HSTS header
 lgiswa.com.au: did not receive HSTS header
 lgrs.com.au: did not receive HSTS header
 lgsg.us: could not connect to host
@@ -10008,7 +10369,6 @@ lianyexiuchang.in: could not connect to host
 liaoshuma.com: could not connect to host
 liaozheqi.cn: could not connect to host
 liaronce.win: could not connect to host
-liautard.fr: could not connect to host
 libanco.com: could not connect to host
 libdeer.so: could not connect to host
 libertas-tech.com: could not connect to host
@@ -10018,7 +10378,6 @@ libfte.org: did not receive HSTS header
 librairie-asie.com: did not receive HSTS header
 library.linode.com: did not receive HSTS header
 librechan.net: could not connect to host
-librends.org: could not connect to host
 libricks.fr: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 librisulibri.it: did not receive HSTS header
 licence-registry.com: could not connect to host
@@ -10031,7 +10390,7 @@ lidl-selection.at: did not receive HSTS header
 liduan.com: could not connect to host
 liebach.me: did not receive HSTS header
 liebestarot.at: did not receive HSTS header
-lieblingsholz.de: did not receive HSTS header
+lieblingsholz.de: could not connect to host
 lied8.eu: could not connect to host
 liehuojun.com: could not connect to host
 lietaer.eu: did not receive HSTS header
@@ -10040,18 +10399,19 @@ lifecoach.tw: did not receive HSTS header
 lifecoachproviders.com: could not connect to host
 lifeguard.aecom.com: did not receive HSTS header
 lifeinitsownway.com: could not connect to host
-lifeinsurances.pro: did not receive HSTS header
+lifeinsurances.pro: could not connect to host
 lifeinsurances24.com: did not receive HSTS header
-lifekiss.ru: could not connect to host
 lifemarque.co.uk: did not receive HSTS header
 lifenexto.com: could not connect to host
 lifeng.us: could not connect to host
 lifeskillsdirect.com: did not receive HSTS header
+lifestyle7788.com: could not connect to host
 lifestyler.me: could not connect to host
 lifetimemoneymachine.com: did not receive HSTS header
 lifeventure.co.uk: did not receive HSTS header
 lightarmory.com: could not connect to host
 lightcloud.com: did not receive HSTS header
+lightdark.xyz: could not connect to host
 lighthouseinstruments.com: did not receive HSTS header
 lightning-ashe.com: did not receive HSTS header
 lightnovelsekai.com: could not connect to host
@@ -10074,16 +10434,19 @@ lilpwny.com: could not connect to host
 lilycms.com: could not connect to host
 lilygreen.co.za: did not receive HSTS header
 limalama.eu: max-age too low: 1
+limeburst.net: did not receive HSTS header
 limeyeti.com: could not connect to host
 limiteddata.co.uk: could not connect to host
-limitget.com: did not receive HSTS header
+limitget.com: could not connect to host
 limn.me: could not connect to host
 limodo-shop.de: did not receive HSTS header
 limpens.net: did not receive HSTS header
 limpido.it: could not connect to host
 limunana.com: could not connect to host
+lincolncountytn.gov: could not connect to host
 lincsbouncycastlehire.co.uk: did not receive HSTS header
 lindberg.io: did not receive HSTS header
+lindnerhof.info: could not connect to host
 lineauniformes.com.br: could not connect to host
 linernotekids.com: could not connect to host
 linext.cn: did not receive HSTS header
@@ -10107,10 +10470,10 @@ linmi.cc: did not receive HSTS header
 linno.me: could not connect to host
 linorman1997.me: could not connect to host
 linostassi.net: could not connect to host
-linpx.com: could not connect to host
 linux-admin-california.com: could not connect to host
 linux-mint.cz: could not connect to host
 linux.army: could not connect to host
+linux.im: did not receive HSTS header
 linux.sb: could not connect to host
 linuxandstuff.de: could not connect to host
 linuxcode.net: could not connect to host
@@ -10123,7 +10486,7 @@ linuxmint.cz: could not connect to host
 linuxmonitoring.net: could not connect to host
 linvx.org: did not receive HSTS header
 linxmind.eu: could not connect to host
-lionlyrics.com: could not connect to host
+lionhosting.nl: could not connect to host
 lipo.lol: could not connect to host
 liquid.solutions: did not receive HSTS header
 liquidcomm.net: could not connect to host
@@ -10149,9 +10512,8 @@ littledisney.ro: did not receive HSTS header
 littlefreelibrary.org: did not receive HSTS header
 littlelife.co.uk: did not receive HSTS header
 littleservice.cn: could not connect to host
-littleskin.cn: did not receive HSTS header
 liud.im: could not connect to host
-liujunyang.com: could not connect to host
+liujunyang.com: did not receive HSTS header
 liukang.tech: could not connect to host
 liushuyu.tk: did not receive HSTS header
 liv3ly.com: did not receive HSTS header
@@ -10165,17 +10527,21 @@ liviababynet.com.br: could not connect to host
 livinghealthywithchocolate.com: did not receive HSTS header
 livrariacoad.com.br: could not connect to host
 livrariahugodesaovitor.com.br: could not connect to host
+livroseuniformes.com.br: could not connect to host
 lixiang.one: could not connect to host
 lixiaojiang.ga: could not connect to host
 lixingcong.com: could not connect to host
 liyinjia.com: did not receive HSTS header
 lizzythepooch.com: did not receive HSTS header
+ljason.cn: could not connect to host
 lkiserver.com: max-age too low: 43200
 lll.st: could not connect to host
 llvm.us: could not connect to host
+lmerza.com: did not receive HSTS header
 lmrcouncil.gov: could not connect to host
 ln.io: could not connect to host
 lnbeauty.ru: max-age too low: 0
+lnmp.me: could not connect to host
 lnoldan.com: could not connect to host
 loacg.com: did not receive HSTS header
 loadingdeck.com: did not receive HSTS header
@@ -10184,6 +10550,7 @@ loadtraining.com: did not receive HSTS header
 loafbox.com: could not connect to host
 loafhead.me: could not connect to host
 loanmatch.sg: could not connect to host
+loansharkpro.com: could not connect to host
 loansonline.today: could not connect to host
 loanstreet.be: could not connect to host
 lobin21.com: could not connect to host
@@ -10196,8 +10563,8 @@ localblitz.com: did not receive HSTS header
 localchum.com: could not connect to host
 localdata.us: could not connect to host
 localdrive.me: could not connect to host
+localhorst.xyz: could not connect to host
 localnetwork.nz: could not connect to host
-location-fichier-email.com: could not connect to host
 locationvoitureautriche.com: could not connect to host
 locationvoiturecorse.net: could not connect to host
 locationvoiturefinlande.com: could not connect to host
@@ -10252,23 +10619,23 @@ lojashowdecozinha.com.br: could not connect to host
 lojasviavento.com.br: could not connect to host
 lojatema.com.br: could not connect to host
 lojavalcapelli.com.br: could not connect to host
-lolhax.org: could not connect to host
+lojavirtualfct.com.br: did not receive HSTS header
 loli.bz: could not connect to host
 loli.com: could not connect to host
-loli.ski: did not receive HSTS header
-loli.vip: did not receive HSTS header
+loli.vip: could not connect to host
 lolicon.info: could not connect to host
 lolicore.ch: could not connect to host
 lolidunno.com: could not connect to host
 lolis.stream: could not connect to host
 lollaconcept.com.br: could not connect to host
-lonasdigital.com: did not receive HSTS header
+lonasdigital.com: could not connect to host
 lonbali.com: did not receive HSTS header
 londoncalling.co: did not receive HSTS header
 londonlanguageexchange.com: could not connect to host
 londonseedcentre.co.uk: could not connect to host
 lonerwolf.com: did not receive HSTS header
 long139.com: could not connect to host
+long18.cc: could not connect to host
 long688.com: could not connect to host
 longboarding-ulm.de: could not connect to host
 longma.pw: could not connect to host
@@ -10285,7 +10652,6 @@ loperetti.ch: could not connect to host
 loqyu.co: could not connect to host
 lordgun.com: did not receive HSTS header
 lordjevington.co.uk: did not receive HSTS header
-lormansas.com: could not connect to host
 losebellyfat.pro: could not connect to host
 losrascadoresparagatos.com: did not receive HSTS header
 loss.no: could not connect to host
@@ -10305,7 +10671,7 @@ lotuscloud.de: could not connect to host
 lotuscloud.org: could not connect to host
 louduniverse.net: did not receive HSTS header
 louiewatch.com: could not connect to host
-louisvillevmug.info: could not connect to host
+louisvillevmug.info: did not receive HSTS header
 love-schna.jp: could not connect to host
 love4taylor.eu.org: could not connect to host
 loveable.de: could not connect to host
@@ -10327,6 +10693,7 @@ lovemen.cc: did not receive HSTS header
 lovemysafetynet.com: did not receive HSTS header
 loveread-ec.appspot.com: did not receive HSTS header
 loveto.at: could not connect to host
+lovetravel360.com: could not connect to host
 lovingpenguin.com: did not receive HSTS header
 lowhangingfruitgrabber.com: could not connect to host
 lowt.us: could not connect to host
@@ -10334,38 +10701,40 @@ lowtherpavilion.co.uk: did not receive HSTS header
 loxal.org: could not connect to host
 loxis.be: did not receive HSTS header
 loyaltech.ch: could not connect to host
-lp-support.nl: could not connect to host
 lpacademy.com.br: could not connect to host
 lpak.nl: could not connect to host
+lpcom.de: max-age too low: 172800
 lpgram.ga: could not connect to host
 lpm-uk.com: did not receive HSTS header
+lqs.me: could not connect to host
 lrhsclubs.com: could not connect to host
 lrhstsa.com: could not connect to host
 ls-a.org: did not receive HSTS header
 ls-reallife.de: did not receive HSTS header
 ls-rp.es: did not receive HSTS header
+lshiy.com: did not receive HSTS header
 lsky.cn: could not connect to host
 lsp-sports.de: did not receive HSTS header
 lstma.com: could not connect to host
 lsvih.com: did not receive HSTS header
 lswim.com: did not receive HSTS header
 lsws.de: could not connect to host
-lsys.ac: could not connect to host
+lsy.cn: did not receive HSTS header
 lszj.com: could not connect to host
 ltba.org: could not connect to host
 ltbytes.com: could not connect to host
-ltechnologygroup.com: did not receive HSTS header
+ltechnologygroup.com: could not connect to host
 ltransferts.com: could not connect to host
 ltu.social: could not connect to host
-luan.ma: did not receive HSTS header
+lubomirkazakov.com: did not receive HSTS header
 lubot.net: could not connect to host
 lucakrebs.de: could not connect to host
 lucas-garte.com: did not receive HSTS header
 lucascantor.com: did not receive HSTS header
 lucascobb.com: did not receive HSTS header
 lucascodes.com: could not connect to host
-lucassoler.com.ar: could not connect to host
 lucaterzini.com: could not connect to host
+lucianoalbanes.com: did not receive HSTS header
 lucidlogs.com: could not connect to host
 luckydog.pw: could not connect to host
 luckystarfishing.com: did not receive HSTS header
@@ -10377,6 +10746,7 @@ luginbuehl.eu: could not connect to host
 luis-checa.com: could not connect to host
 luisgf.es: did not receive HSTS header
 luisv.me: could not connect to host
+luizkowalski.net: could not connect to host
 luk.photo: could not connect to host
 lukas-schauer.de: did not receive HSTS header
 lukas.im: did not receive HSTS header
@@ -10395,11 +10765,10 @@ luma.pink: could not connect to host
 lumd.me: could not connect to host
 lumer.tech: could not connect to host
 lumi.do: did not receive HSTS header
-luminancy.com: did not receive HSTS header
+luminancy.com: could not connect to host
 lunapatch.com: max-age too low: 7889238
 lunarift.com: could not connect to host
 lunarrift.net: could not connect to host
-lunarsoft.net: did not receive HSTS header
 luneta.nearbuysystems.com: could not connect to host
 lunight.ml: could not connect to host
 lunix.io: did not receive HSTS header
@@ -10409,10 +10778,10 @@ luolikong.vip: did not receive HSTS header
 luom.net: could not connect to host
 luoxiao.im: could not connect to host
 luoxingyu.ml: could not connect to host
-luqsus.pl: could not connect to host
 luripump.se: could not connect to host
 lusis.fr: did not receive HSTS header
 lusis.net: could not connect to host
+lustige-zitate.com: did not receive HSTS header
 lustrumxi.nl: could not connect to host
 luther.fi: could not connect to host
 luvplay.co.uk: could not connect to host
@@ -10430,8 +10799,9 @@ lydia-und-simon.de: could not connect to host
 lydiagorstein.com: did not receive HSTS header
 lyfbits.com: could not connect to host
 lylares.com: did not receive HSTS header
-lynkos.com: could not connect to host
+lynkos.com: did not receive HSTS header
 lyonelkaufmann.ch: did not receive HSTS header
+lyoness.digital: could not connect to host
 lyonl.com: could not connect to host
 lyscnd.com: could not connect to host
 lysergion.com: could not connect to host
@@ -10458,7 +10828,7 @@ ma-plancha.ch: did not receive HSTS header
 maarten.nyc: could not connect to host
 maartenprovo.be: did not receive HSTS header
 maartenterpstra.xyz: could not connect to host
-mac-torrents.me: did not receive HSTS header
+mac-torrents.me: could not connect to host
 mac-world.pl: did not receive HSTS header
 macandtonic.com: could not connect to host
 macbolo.com: could not connect to host
@@ -10466,25 +10836,28 @@ macchaberrycream.com: could not connect to host
 macchedil.com: did not receive HSTS header
 macdj.tk: could not connect to host
 macedopesca.com.br: did not receive HSTS header
-macgeneral.de: did not receive HSTS header
 mach1club.com: did not receive HSTS header
 machbach.net: could not connect to host
+machijun.net: did not receive HSTS header
 machinelearningjavascript.com: could not connect to host
 maciespartyhire.co.uk: did not receive HSTS header
 mack.space: could not connect to host
+mackey7.net: did not receive HSTS header
 macleodnc.com: did not receive HSTS header
 macsandcheesedreams.com: could not connect to host
 macstore.pe: did not receive HSTS header
 macustar.eu: did not receive HSTS header
+madbicicletas.com: could not connect to host
 madcatdesign.de: did not receive HSTS header
 maddin.ga: could not connect to host
+made-to-usb.com: did not receive HSTS header
 madebyfalcon.co.uk: did not receive HSTS header
 madebymagnitude.com: did not receive HSTS header
 madeglobal.com: did not receive HSTS header
 madeinorder.com: could not connect to host
 madeintucson.org: could not connect to host
 mademoiselle-emma.be: could not connect to host
-mademoiselle-emma.fr: could not connect to host
+mademoiselle-emma.fr: did not receive HSTS header
 maderasbrown.com: could not connect to host
 maderwin.com: did not receive HSTS header
 madesoftware.com.br: could not connect to host
@@ -10500,7 +10873,6 @@ magazinedabeleza.net: could not connect to host
 magebankin.com: did not receive HSTS header
 magenx.com: did not receive HSTS header
 magia360.com: did not receive HSTS header
-magicball.co: could not connect to host
 magickmoments.co.uk: did not receive HSTS header
 magieamour.com: did not receive HSTS header
 magieblanche.fr: did not receive HSTS header
@@ -10520,7 +10892,7 @@ mailchuck.com: could not connect to host
 maildragon.com: did not receive HSTS header
 mailgarant.nl: could not connect to host
 mailhost.it: could not connect to host
-mailing-femprendedores.com: did not receive HSTS header
+mailing-femprendedores.com: could not connect to host
 mailing-jbgg.com: could not connect to host
 maillink.store: could not connect to host
 mailon.ga: could not connect to host
@@ -10530,8 +10902,12 @@ main-unit.com: could not connect to host
 mainston.com: could not connect to host
 maintainerheaven.ch: could not connect to host
 maisalto.ind.br: could not connect to host
+maitrechaton.fr: did not receive HSTS header
 maitriser-son-stress.com: could not connect to host
 majesticcolorado.com: did not receive HSTS header
+majkl.me: could not connect to host
+majkl.xyz: could not connect to host
+majkl578.cz: could not connect to host
 majncloud.tk: could not connect to host
 make-pizza.info: could not connect to host
 makedonien.guide: could not connect to host
@@ -10539,7 +10915,7 @@ makeit-so.de: could not connect to host
 makeitdynamic.com: could not connect to host
 makemejob.com: could not connect to host
 makemyvape.co.uk: max-age too low: 7889238
-makerstuff.net: did not receive HSTS header
+makerstuff.net: could not connect to host
 makeshiftco.de: could not connect to host
 makeuplove.nl: could not connect to host
 makeyourlaws.org: did not receive HSTS header
@@ -10557,6 +10933,7 @@ maljaars-media.nl: could not connect to host
 malkaso.com.ua: could not connect to host
 malmstroms-co.se: could not connect to host
 malone.link: could not connect to host
+malte-kiefer.de: did not receive HSTS header
 maltes.website: could not connect to host
 malvy.kiev.ua: could not connect to host
 malwareverse.us: did not receive HSTS header
@@ -10577,7 +10954,7 @@ manaboutahor.se: could not connect to host
 manage.zenpayroll.com: did not receive HSTS header
 manage4all.com: could not connect to host
 manageall.de: could not connect to host
-managed-varnish.de: did not receive HSTS header
+managed-varnish.de: could not connect to host
 manageforall.com: could not connect to host
 manageforall.de: could not connect to host
 management-ethics.com: did not receive HSTS header
@@ -10610,6 +10987,7 @@ mansiontech.cn: did not receive HSTS header
 manududu.com.br: could not connect to host
 manuel7espejo.com: did not receive HSTS header
 manuelrueger.de: could not connect to host
+manuscript.com: did not receive HSTS header
 manutrol.com.br: did not receive HSTS header
 maomao.blog: could not connect to host
 maomaobt.com: did not receive HSTS header
@@ -10623,15 +11001,14 @@ maquillage-permanent-tatoo.com: did not receive HSTS header
 maquininhamercadopoint.com.br: could not connect to host
 maranatha.pl: did not receive HSTS header
 marbinvest.com: did not receive HSTS header
-marcaudefroy.com: could not connect to host
+marcaudefroy.com: did not receive HSTS header
 marcberman.co: did not receive HSTS header
 marcbuehlmann.com: did not receive HSTS header
 marcelmarnitz.com: could not connect to host
 marcelparra.com: could not connect to host
 marchagen.nl: did not receive HSTS header
 marche-nordic-jorat.ch: could not connect to host
-marchhappy.tech: did not receive HSTS header
-marco-kretz.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+marco-kretz.de: did not receive HSTS header
 marco01809.net: could not connect to host
 marcoececilia.it: did not receive HSTS header
 marcofinke.de: could not connect to host
@@ -10640,14 +11017,15 @@ marcontrol.com: did not receive HSTS header
 marcosteixeira.tk: could not connect to host
 marcschlagenhauf.de: could not connect to host
 marcus-scheffler.com: did not receive HSTS header
-marcush.de: could not connect to host
-marcusserver.synology.me: did not receive HSTS header
+marcush.de: did not receive HSTS header
+marcusserver.synology.me: could not connect to host
 mardelcupon.com: could not connect to host
 mare92.cz: could not connect to host
 mareklecian.cz: did not receive HSTS header
 margan.ch: could not connect to host
 margaretrosefashions.co.uk: could not connect to host
 margo.ml: could not connect to host
+mariacorzo.com: could not connect to host
 mariacristinadoces.com.br: did not receive HSTS header
 mariannematthew.com: could not connect to host
 marianwehlus.de: did not receive HSTS header
@@ -10657,7 +11035,6 @@ marie-en-provence.com: could not connect to host
 marie.club: could not connect to host
 marienschule-sundern.de: did not receive HSTS header
 marinecadastre.gov: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-mario.party: could not connect to host
 marioabela.com: did not receive HSTS header
 mariusschulte.de: did not receive HSTS header
 marix.ro: could not connect to host
@@ -10671,6 +11048,7 @@ marketing-advertising.eu: could not connect to host
 marketingdesignu.cz: could not connect to host
 marketingromania.ro: did not receive HSTS header
 marketio.co: did not receive HSTS header
+marketlinks.org: did not receive HSTS header
 markllego.com: could not connect to host
 marko-fenster24.de: did not receive HSTS header
 markorszulak.com: did not receive HSTS header
@@ -10679,6 +11057,7 @@ markrego.com: could not connect to host
 marksill.com: could not connect to host
 marktboten.de: did not receive HSTS header
 markusabraham.com: did not receive HSTS header
+markusgran.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 markusueberallassetmanagement.de: could not connect to host
 markusueberallconsulting.de: could not connect to host
 markusweimar.de: did not receive HSTS header
@@ -10747,7 +11126,7 @@ mastodon.fun: could not connect to host
 mastodon.my: could not connect to host
 mastodon.org.uk: did not receive HSTS header
 mastodon.pl: did not receive HSTS header
-mastodones.club: could not connect to host
+mastodones.club: did not receive HSTS header
 masty.nl: could not connect to host
 masumreza.tk: could not connect to host
 mat99.dk: could not connect to host
@@ -10755,10 +11134,16 @@ matarrosabierzo.com: could not connect to host
 matchneedle.com: did not receive HSTS header
 mateusmeyer.com.br: could not connect to host
 mateuszpilszek.pl: could not connect to host
-mathematris.com: did not receive HSTS header
+mathematris.com: could not connect to host
 mathers.ovh: did not receive HSTS header
+matheusmacedo.ddns.net: could not connect to host
 mathias.re: did not receive HSTS header
+mathieui.net: could not connect to host
 mathijskingma.nl: could not connect to host
+mathsource.ga: could not connect to host
+mathsweek.nz: could not connect to host
+mathsweek.org.nz: could not connect to host
+mathsweek.school.nz: could not connect to host
 matillat.ovh: did not receive HSTS header
 matlabjo.ir: did not receive HSTS header
 matmessages.com: did not receive HSTS header
@@ -10793,6 +11178,7 @@ mavisang.cf: could not connect to host
 mawe.red: could not connect to host
 max-mad.com: could not connect to host
 maxbachmann.de: did not receive HSTS header
+maxdev72.freeboxos.fr: could not connect to host
 maxfox.me: could not connect to host
 maxhorvath.com: could not connect to host
 maxibanki.ovh: could not connect to host
@@ -10807,14 +11193,15 @@ maya-ro.com: could not connect to host
 maya.mg: could not connect to host
 maybeul.com: could not connect to host
 maynardnetworks.com: could not connect to host
+mayoimobiliare.ro: did not receive HSTS header
 mayoristassexshop.com: did not receive HSTS header
+mazternet.ru: could not connect to host
 mazyun.com: did not receive HSTS header
 mazz-tech.com: could not connect to host
 mb300sd.com: could not connect to host
 mb300sd.net: could not connect to host
 mbconsultancy.nu: did not receive HSTS header
 mbdrogenbos-usedcars.be: could not connect to host
-mbsec.net: could not connect to host
 mbwemmel-usedcars.be: could not connect to host
 mc81.com: did not receive HSTS header
 mca2017.org: did not receive HSTS header
@@ -10824,11 +11211,11 @@ mcb-bank.com: did not receive HSTS header
 mcc.re: could not connect to host
 mccordworks.com: did not receive HSTS header
 mcdanieldevelopmentservices.com: could not connect to host
-mcdona1d.me: could not connect to host
 mcdonalds.ru: did not receive HSTS header
 mcga.media: could not connect to host
 mcgavocknissanwichitaparts.com: could not connect to host
 mchan.us: did not receive HSTS header
+mchopkins.net: could not connect to host
 mcideas.tk: could not connect to host
 mcjackk77.com: could not connect to host
 mckinley1.com: could not connect to host
@@ -10836,7 +11223,6 @@ mckinleytk.com: could not connect to host
 mcl.gg: did not receive HSTS header
 mclab.su: max-age too low: 2592000
 mclist.it: could not connect to host
-mclyr.com: could not connect to host
 mcnoobs.pro: could not connect to host
 mcooperlaw.com: did not receive HSTS header
 mcqyy.com: could not connect to host
@@ -10847,6 +11233,8 @@ mctherealm.net: could not connect to host
 mcuexchange.com: did not receive HSTS header
 mcuong.tk: could not connect to host
 md-student.com: did not receive HSTS header
+mdbouncycastlehirelondon.co.uk: did not receive HSTS header
+mdcloudpracticesolutions.com: could not connect to host
 mdfnet.se: did not receive HSTS header
 mdscomp.net: could not connect to host
 mdwftw.com: could not connect to host
@@ -10863,13 +11251,16 @@ mecenat-cassous.com: did not receive HSTS header
 mechok.ru: could not connect to host
 medallia.io: could not connect to host
 meddatix.com: could not connect to host
+medi-link.co.il: did not receive HSTS header
 media-access.online: did not receive HSTS header
 media-courses.com: could not connect to host
+mediabm.jp: did not receive HSTS header
 mediacru.sh: could not connect to host
 mediadandy.com: could not connect to host
 mediafinancelab.org: could not connect to host
 mediamag.am: max-age too low: 0
-mediastorm.us: did not receive HSTS header
+mediarocks.de: did not receive HSTS header
+mediastorm.us: could not connect to host
 mediawikicn.org: could not connect to host
 medicinskavranje.edu.rs: could not connect to host
 medienservice-fritz.de: did not receive HSTS header
@@ -10889,7 +11280,6 @@ medy-me.com: could not connect to host
 medzinenews.com: did not receive HSTS header
 meedoenzaanstad.nl: did not receive HSTS header
 meetfinch.com: could not connect to host
-meetmibaby.co.uk: could not connect to host
 mega-aukcion.ru: could not connect to host
 megadrol.com: could not connect to host
 megaflix.nl: could not connect to host
@@ -10900,7 +11290,7 @@ megashur.se: could not connect to host
 megasystem.cl: could not connect to host
 meghudson.com: could not connect to host
 meifrench.com: could not connect to host
-meimeistartup.com: could not connect to host
+meilleur.xyz: did not receive HSTS header
 meincloudspeicher.de: could not connect to host
 meine-plancha.ch: did not receive HSTS header
 meine-reise-gut-versichert.de: did not receive HSTS header
@@ -10922,12 +11312,12 @@ melody-lyrics.com: could not connect to host
 melonstudios.net: could not connect to host
 melpomene.me: could not connect to host
 melted.pw: could not connect to host
-meltzow.net: could not connect to host
 melvinlammerts.nl: could not connect to host
 melvinlow.com: did not receive HSTS header
 memberpress.com: did not receive HSTS header
 members.mayfirst.org: did not receive HSTS header
 membersonline.org: did not receive HSTS header
+memberstweets.com: could not connect to host
 memdoc.org: could not connect to host
 memeblast.ninja: could not connect to host
 memepasmal.org: could not connect to host
@@ -10941,13 +11331,13 @@ menaraannonces.com: could not connect to host
 menchez.me: could not connect to host
 menhera.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 menntagatt.is: did not receive HSTS header
+menotag.com: could not connect to host
 mensachterdepatient.nl: max-age too low: 2592000
 mensmaximus.de: did not receive HSTS header
 mentalhealth.gov: did not receive HSTS header
 mentax.net: did not receive HSTS header
 mentesemprendedoras.net: could not connect to host
 menthix.net: could not connect to host
-mentorithm.com: could not connect to host
 menu.fyi: could not connect to host
 menudrivetest.com: could not connect to host
 menuiserie-berard.com: did not receive HSTS header
@@ -10956,6 +11346,7 @@ menzel-motors.com: did not receive HSTS header
 meo.de: could not connect to host
 meow.cloud: could not connect to host
 meozcraft.com: could not connect to host
+meraseo.com: could not connect to host
 mercanix.co.uk: could not connect to host
 merccorp.de: max-age too low: 0
 mercedes-benz-usedcars.be: could not connect to host
@@ -10989,17 +11380,20 @@ metrans-spedition.de: could not connect to host
 metricaid.com: did not receive HSTS header
 metrix-money-ptc.com: could not connect to host
 metrix.design: could not connect to host
+metropolisil.gov: did not receive HSTS header
 metzgerei-birkenhof.de: could not connect to host
 meu-smartphone.com: did not receive HSTS header
 meucosmetico.com.br: could not connect to host
 meuemail.pro: could not connect to host
 meupedido.online: did not receive HSTS header
 meusigno.com: could not connect to host
+mevanshop.com: could not connect to host
 mexbt.com: could not connect to host
 mexicanbusinessweb.mx: did not receive HSTS header
 mexicansbook.ru: could not connect to host
 mexior.nl: could not connect to host
 meyeraviation.com: could not connect to host
+mfacko.cz: did not receive HSTS header
 mfcatalin.com: could not connect to host
 mfedderke.com: could not connect to host
 mfgod.com: did not receive HSTS header
@@ -11009,8 +11403,8 @@ mfrsgb45.org: did not receive HSTS header
 mft.global: could not connect to host
 mfxer.com: could not connect to host
 mfz.mk: did not receive HSTS header
-mgcraft.net: did not receive HSTS header
-mgdigital.fr: did not receive HSTS header
+mgcraft.net: could not connect to host
+mgdigital.fr: could not connect to host
 mgiay.com: did not receive HSTS header
 mgoessel.de: did not receive HSTS header
 mh-bloemen.co.jp: could not connect to host
@@ -11018,6 +11412,7 @@ mhdsyarif.com: did not receive HSTS header
 mhealthdemocamp.com: could not connect to host
 mhertel.com: did not receive HSTS header
 mhict.nl: could not connect to host
+mhjuma.com: could not connect to host
 mht-travel.com: could not connect to host
 mhx.pw: could not connect to host
 mia.ac: could not connect to host
@@ -11042,6 +11437,7 @@ michaelwaite.org: could not connect to host
 michal-kral.cz: could not connect to host
 michalborka.cz: could not connect to host
 michalkral.tk: could not connect to host
+michalp.pl: did not receive HSTS header
 michalvasicek.cz: did not receive HSTS header
 michasfahrschule.com: could not connect to host
 michel.pt: did not receive HSTS header
@@ -11058,9 +11454,11 @@ micropple.net: could not connect to host
 microtalk.org: could not connect to host
 middletowndelcopa.gov: could not connect to host
 midirs.org: did not receive HSTS header
+midlgx.com: max-age too low: 0
 midonet.org: did not receive HSTS header
 midriversmotorsllc.com: did not receive HSTS header
 midterm.us: could not connect to host
+midweststructuralrepair.com: could not connect to host
 midwestwomenworkers.org: could not connect to host
 miegl.cz: could not connect to host
 miemie.jp: could not connect to host
@@ -11075,8 +11473,8 @@ migrator.co: could not connect to host
 miguelgfierro.com: did not receive HSTS header
 miguksaram.com: could not connect to host
 mijn-email.org: could not connect to host
-mijnavg.eu: did not receive HSTS header
 mijndiad.nl: did not receive HSTS header
+mijnetickets.nl: did not receive HSTS header
 mijnkredietpaspoort.nl: could not connect to host
 mijnsite.ovh: could not connect to host
 mika.cat: could not connect to host
@@ -11088,7 +11486,7 @@ mikeg.de: did not receive HSTS header
 mikek.work: did not receive HSTS header
 mikeology.org: could not connect to host
 mikepair.net: could not connect to host
-mikes.tk: could not connect to host
+mikes.tk: did not receive HSTS header
 mikeybot.com: could not connect to host
 mikii.club: could not connect to host
 mikk.cz: could not connect to host
@@ -11102,7 +11500,6 @@ mikumiku.stream: could not connect to host
 mikusinec.com: could not connect to host
 milahendri.com: did not receive HSTS header
 milang.xyz: could not connect to host
-milanpala.cz: could not connect to host
 milatrans.pl: did not receive HSTS header
 milcoresonline.com: could not connect to host
 milesgeek.com: did not receive HSTS header
@@ -11110,18 +11507,68 @@ military-portal.cz: did not receive HSTS header
 militarycarlot.com: did not receive HSTS header
 militaryconsumer.gov: did not receive HSTS header
 milkingit.net: could not connect to host
-milktea.info: could not connect to host
 millibitcoin.jp: could not connect to host
+million5.com: did not receive HSTS header
+million6.com: did not receive HSTS header
+million8.com: did not receive HSTS header
 millionairessecrets.com: could not connect to host
+millions11.com: did not receive HSTS header
+millions13.com: did not receive HSTS header
+millions14.com: did not receive HSTS header
+millions15.com: did not receive HSTS header
+millions16.com: did not receive HSTS header
+millions17.com: did not receive HSTS header
+millions19.com: did not receive HSTS header
+millions20.com: did not receive HSTS header
+millions22.com: did not receive HSTS header
+millions25.com: did not receive HSTS header
+millions26.com: did not receive HSTS header
+millions27.com: did not receive HSTS header
+millions28.com: did not receive HSTS header
+millions29.com: did not receive HSTS header
+millions31.com: did not receive HSTS header
+millions33.com: did not receive HSTS header
+millions35.com: did not receive HSTS header
+millions36.com: did not receive HSTS header
+millions37.com: did not receive HSTS header
+millions38.com: did not receive HSTS header
+millions39.com: could not connect to host
+millions40.com: could not connect to host
+millions41.com: could not connect to host
+millions42.com: could not connect to host
+millions43.com: could not connect to host
+millions5.com: did not receive HSTS header
+millions50.com: did not receive HSTS header
+millions55.com: did not receive HSTS header
+millions56.com: did not receive HSTS header
+millions58.com: did not receive HSTS header
+millions59.com: did not receive HSTS header
+millions6.com: did not receive HSTS header
+millions61.com: did not receive HSTS header
+millions62.com: did not receive HSTS header
+millions63.com: did not receive HSTS header
+millions66.com: did not receive HSTS header
+millions7.com: did not receive HSTS header
+millions70.com: did not receive HSTS header
+millions71.com: did not receive HSTS header
+millions72.com: did not receive HSTS header
+millions80.com: did not receive HSTS header
+millions81.com: did not receive HSTS header
+millions82.com: did not receive HSTS header
+millions88.com: did not receive HSTS header
+millions9.com: did not receive HSTS header
+millions99.com: did not receive HSTS header
 millstep.de: did not receive HSTS header
 milonga.tips: could not connect to host
 mim.properties: could not connect to host
 mimbeim.com: did not receive HSTS header
 mimm.gov: did not receive HSTS header
+mimobile.website: could not connect to host
 mimoderoupa.pt: could not connect to host
 min.kiwi: could not connect to host
 minacssas.com: could not connect to host
 minantavla.se: could not connect to host
+mind-moves.es: could not connect to host
 mind.sh: did not receive HSTS header
 mindbodycontinuum.com: could not connect to host
 mindbodytherapymn.com: did not receive HSTS header
@@ -11142,6 +11589,7 @@ minecraftforums.gq: could not connect to host
 minecraftforums.ml: could not connect to host
 minecraftserverz.com: could not connect to host
 minecraftvoter.com: could not connect to host
+minei.me: did not receive HSTS header
 mineover.es: could not connect to host
 minetude.com: could not connect to host
 mingkyaa.com: could not connect to host
@@ -11156,19 +11604,21 @@ minimaliston.com: could not connect to host
 minimoo.se: could not connect to host
 minipainting.net: could not connect to host
 miniskipper.at: did not receive HSTS header
+miniwallaby.com: could not connect to host
 minkondom.nu: could not connect to host
 minnesotadata.com: could not connect to host
-minor.news: could not connect to host
+minor.news: did not receive HSTS header
 minora.io: could not connect to host
 minoris.se: did not receive HSTS header
 mintea-noua.ro: could not connect to host
+minu.link: could not connect to host
 mipiaci.co.nz: did not receive HSTS header
 mipiaci.com.au: did not receive HSTS header
+mipla.ch: could not connect to host
 miragrow.com: could not connect to host
 mireillewendling.com.br: could not connect to host
 mirgleich.dnshome.de: could not connect to host
 mirindadomo.ru: did not receive HSTS header
-mirjamderijk.nl: could not connect to host
 mirodasilva.be: could not connect to host
 mironized.com: did not receive HSTS header
 mirrorsedgearchive.ga: could not connect to host
@@ -11177,7 +11627,7 @@ miruc.co: did not receive HSTS header
 mirucon.com: did not receive HSTS header
 misconfigured.io: could not connect to host
 miscreant.me: could not connect to host
-misericordiasegrate.org: did not receive HSTS header
+misericordiasegrate.org: could not connect to host
 misgluteosperfectos.com: did not receive HSTS header
 misiondelosangeles-mailing.com: could not connect to host
 misiru.jp: could not connect to host
@@ -11196,8 +11646,6 @@ mittenhacks.com: could not connect to host
 mityinc.com: did not receive HSTS header
 miukimodafeminina.com: could not connect to host
 mivcon.net: could not connect to host
-mivestuariolaboral.com: did not receive HSTS header
-mivzaklive.co.il: did not receive HSTS header
 mixer.cash: could not connect to host
 miya.io: could not connect to host
 miyako-kyoto.jp: could not connect to host
@@ -11213,7 +11661,6 @@ mkakh.xyz: could not connect to host
 mkfs.be: could not connect to host
 mkfs.fr: could not connect to host
 mkg-palais-hanau.de: did not receive HSTS header
-mkie.cf: could not connect to host
 mkp-deutschland.de: did not receive HSTS header
 mkplay.io: could not connect to host
 mkw.st: could not connect to host
@@ -11237,6 +11684,7 @@ mmilog.hu: could not connect to host
 mmmm.com: could not connect to host
 mmstick.tk: could not connect to host
 mna7e.com: did not receive HSTS header
+mncr.nl: could not connect to host
 mnec.io: could not connect to host
 mneeb.de: could not connect to host
 mnemotiv.com: could not connect to host
@@ -11247,7 +11695,6 @@ mo3.club: could not connect to host
 moar.so: did not receive HSTS header
 moas.design: did not receive HSTS header
 moas.photos: did not receive HSTS header
-mobag.ru: did not receive HSTS header
 mobaircon.com: did not receive HSTS header
 mobi4.tk: could not connect to host
 mobile-gesundheit.org: could not connect to host
@@ -11292,7 +11739,7 @@ moderntld.net: could not connect to host
 mododo.de: could not connect to host
 modx.by: max-age too low: 31536
 modx.io: could not connect to host
-modydev.club: could not connect to host
+modydev.club: did not receive HSTS header
 moe.pe: could not connect to host
 moe.wtf: could not connect to host
 moe4sale.in: did not receive HSTS header
@@ -11315,11 +11762,14 @@ moitur.com: did not receive HSTS header
 mojapraca.sk: did not receive HSTS header
 mojefilmy.xyz: could not connect to host
 mojizuri.jp: max-age too low: 86400
+mojnet.eu: could not connect to host
+mojnet.net: could not connect to host
 mokadev.com: did not receive HSTS header
 mokken-fabriek.nl: did not receive HSTS header
 mols.me: could not connect to host
 momento.co.id: did not receive HSTS header
 momfulfilled.com: could not connect to host
+momjoyas.com: did not receive HSTS header
 mommel.com: could not connect to host
 mommelonline.de: could not connect to host
 momoka.moe: could not connect to host
@@ -11331,6 +11781,7 @@ monarca.systems: could not connect to host
 monasterialis.eu: could not connect to host
 monautoneuve.fr: did not receive HSTS header
 mondar.io: could not connect to host
+mondedesnovels.com: did not receive HSTS header
 mondopoint.com: did not receive HSTS header
 mondwandler.de: could not connect to host
 moneoci.com.br: could not connect to host
@@ -11346,6 +11797,7 @@ monitaure.io: could not connect to host
 monitman.solutions: could not connect to host
 monitorchain.com: did not receive HSTS header
 monitori.ng: could not connect to host
+monkeydust.net: max-age too low: 0
 monkieteel.nl: did not receive HSTS header
 monochrometoys.com: could not connect to host
 monodukuri.cafe: could not connect to host
@@ -11366,8 +11818,8 @@ moonless.net: could not connect to host
 moonlightcapital.ml: could not connect to host
 moonloupe.com: could not connect to host
 moonrhythm.info: could not connect to host
-moonrhythm.io: did not receive HSTS header
 moonysbouncycastles.co.uk: could not connect to host
+mooretownrancheria-nsn.gov: could not connect to host
 moosemanstudios.com: could not connect to host
 moov.is: could not connect to host
 moparcraft.com: could not connect to host
@@ -11407,7 +11859,7 @@ mostwuat.com: could not connect to host
 motherbase.io: could not connect to host
 motherboard.services: could not connect to host
 motionfreight.com: could not connect to host
-motionpicturesolutions.com: did not receive HSTS header
+motionpicturesolutions.com: could not connect to host
 motocyklovedily.cz: did not receive HSTS header
 motomorgen.com: could not connect to host
 motorbiketourhanoi.com: could not connect to host
@@ -11422,10 +11874,12 @@ moucloud.cn: did not receive HSTS header
 moudicat.com: max-age too low: 6307200
 moula.com.au: did not receive HSTS header
 moumaobuchiyu.com: could not connect to host
+mounp.me: max-age too low: 2592000
 mountainadventureseminars.com: did not receive HSTS header
 mountainmusicpromotions.com: did not receive HSTS header
+mountairymd.gov: could not connect to host
 mousemessages.com: did not receive HSTS header
-movabletype.net: max-age too low: 3600
+movabletype.net: did not receive HSTS header
 moveek.com: did not receive HSTS header
 moveisfit.com.br: could not connect to host
 movepin.com: could not connect to host
@@ -11434,6 +11888,7 @@ movie4k.life: could not connect to host
 movie4kto.site: could not connect to host
 moviedollars.com: could not connect to host
 movienang.com: max-age too low: 0
+movienized.de: did not receive HSTS header
 moviesabout.net: could not connect to host
 moviespur.info: did not receive HSTS header
 moving-pixtures.de: could not connect to host
@@ -11442,7 +11897,6 @@ movio.ga: could not connect to host
 mowalls.net: could not connect to host
 moy-gorod.od.ua: did not receive HSTS header
 moyoo.net: did not receive HSTS header
-moysovet.info: did not receive HSTS header
 moyu.host: did not receive HSTS header
 mozart-game.cz: could not connect to host
 mozartgame.cz: could not connect to host
@@ -11493,7 +11947,7 @@ mruganiepodspacja.pl: could not connect to host
 ms-alternativ.de: did not receive HSTS header
 msc-seereisen.net: could not connect to host
 msgallery.tk: could not connect to host
-msopopop.cn: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+msopopop.cn: max-age too low: 5184000
 msp66.de: could not connect to host
 mstd.tokyo: did not receive HSTS header
 mstdn-tech.jp: could not connect to host
@@ -11505,6 +11959,7 @@ mt.me.uk: could not connect to host
 mtamaki.com: could not connect to host
 mtau.com: max-age too low: 2592000
 mtcgf.com: could not connect to host
+mtcq.jp: could not connect to host
 mtd.ovh: could not connect to host
 mtdn.jp: could not connect to host
 mtfgnettoyage.fr: could not connect to host
@@ -11512,10 +11967,10 @@ mtg-esport.de: did not receive HSTS header
 mtirc.co: could not connect to host
 mtn.cc: could not connect to host
 mtr.md: could not connect to host
-mu3on.com: could not connect to host
+mu3on.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+muahahahaha.co.uk: could not connect to host
 muchohentai.com: could not connect to host
 mudgezero.one: could not connect to host
-muel.io: could not connect to host
 muenzubi.de: did not receive HSTS header
 muffet.pw: did not receive HSTS header
 muga.space: could not connect to host
@@ -11523,7 +11978,8 @@ muj-svet.cz: could not connect to host
 mujadin.se: did not receive HSTS header
 mulenvo.com: did not receive HSTS header
 mulheres18.com: could not connect to host
-mullen.net.au: could not connect to host
+mullen.net.au: did not receive HSTS header
+multiplexcy.com: could not connect to host
 multiterm.org: could not connect to host
 multivpn.cn.com: could not connect to host
 multivpn.com.de: could not connect to host
@@ -11534,6 +11990,7 @@ multizone.games: could not connect to host
 mumei.space: could not connect to host
 mundoadulto.com.br: did not receive HSTS header
 mundoalpha.com.br: did not receive HSTS header
+mundodoscarbonos.com.br: could not connect to host
 munecoscabezones.com: did not receive HSTS header
 munich-rage.de: did not receive HSTS header
 munkiepus.com: did not receive HSTS header
@@ -11565,7 +12022,9 @@ musicaconleali.it: did not receive HSTS header
 musiccitycats.com: did not receive HSTS header
 musikkfondene.no: did not receive HSTS header
 musikzug-bookholzberg.de: did not receive HSTS header
+musique2nuit.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 muslimbanter.co.za: could not connect to host
+mustafa.space: could not connect to host
 mustika.cf: did not receive HSTS header
 mutamatic.com: could not connect to host
 mutuelle-obligatoire-pme.fr: did not receive HSTS header
@@ -11581,7 +12040,7 @@ mxawei.cn: could not connect to host
 mxlife.org: could not connect to host
 mxp.tw: did not receive HSTS header
 my-demo.co: could not connect to host
-my-dick.ru: could not connect to host
+my-dick.ru: did not receive HSTS header
 my-owncloud.com: could not connect to host
 my-pawnshop.com.ua: could not connect to host
 my-plancha.ch: did not receive HSTS header
@@ -11606,7 +12065,8 @@ mycollab.net: could not connect to host
 mycolorado.gov: could not connect to host
 mycontrolmonitor.com: could not connect to host
 mycoted.com: did not receive HSTS header
-myday.eu.com: could not connect to host
+mycreativeartsconsulting.com: could not connect to host
+myday.eu.com: did not receive HSTS header
 mydeos.com: could not connect to host
 mydigipass.com: did not receive HSTS header
 mydmdi.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -11614,6 +12074,7 @@ mydnaresults.com: could not connect to host
 mydnatest.com: did not receive HSTS header
 mydriversedge.com: did not receive HSTS header
 mydrone.services: could not connect to host
+myeasybooking.de: could not connect to host
 myeml.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 myepass.bg: could not connect to host
 myepass.de: could not connect to host
@@ -11624,7 +12085,6 @@ myfishpalace.at: could not connect to host
 myfunworld.de: could not connect to host
 mygalgame.com: did not receive HSTS header
 mygaysitges.com: could not connect to host
-mygeneral.org: could not connect to host
 mygivingcircle.org: did not receive HSTS header
 mygooder.com: did not receive HSTS header
 mygov.scot: did not receive HSTS header
@@ -11636,7 +12096,6 @@ myhloli.com: did not receive HSTS header
 myicare.org: did not receive HSTS header
 myiocc.org: did not receive HSTS header
 myip.tech: max-age too low: 2592000
-myjumpsuit.de: did not receive HSTS header
 mykolab.com: did not receive HSTS header
 mykreuzfahrt.de: could not connect to host
 mylene-chandelier.me: did not receive HSTS header
@@ -11661,6 +12120,7 @@ myownconference.fr: did not receive HSTS header
 myownconference.lt: did not receive HSTS header
 myownconference.lv: did not receive HSTS header
 myownconference.pt: did not receive HSTS header
+myownwebinar.com: could not connect to host
 mypagella.com: could not connect to host
 mypagella.eu: could not connect to host
 mypagella.it: could not connect to host
@@ -11675,12 +12135,10 @@ myqdu.cn: could not connect to host
 myqdu.com: could not connect to host
 myrig.com.ua: did not receive HSTS header
 myrig.io: could not connect to host
-myrig.net: could not connect to host
 myrig.ru: did not receive HSTS header
 myrsa.in: did not receive HSTS header
 myruststats.com: could not connect to host
 mysa.is: could not connect to host
-mysecretcase.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 mysecretrewards.com: could not connect to host
 myseo.ga: could not connect to host
 myserv.one: could not connect to host
@@ -11691,6 +12149,7 @@ mystery-science-theater-3000.de: did not receive HSTS header
 mysteryblog.de: did not receive HSTS header
 mystown.org: could not connect to host
 mystudy.me: could not connect to host
+mysupboard.de: could not connect to host
 mytc.fr: could not connect to host
 mythlogic.com: did not receive HSTS header
 mythslegendscollection.com: did not receive HSTS header
@@ -11713,13 +12172,13 @@ n2x.in: could not connect to host
 n3twork.net: could not connect to host
 n4l.pw: could not connect to host
 n64chan.me: did not receive HSTS header
-n7.education: did not receive HSTS header
-n8ch.net: could not connect to host
-na.hn: did not receive HSTS header
+na.hn: could not connect to host
 naano.org: could not connect to host
 nabru.co.uk: did not receive HSTS header
 nabu-bad-nauheim.de: did not receive HSTS header
 nabytko.cz: could not connect to host
+nacktwanderfreunde.de: did not receive HSTS header
+nadaquenosepas.com: could not connect to host
 nadia.pt: could not connect to host
 nagajanroshiya.info: did not receive HSTS header
 nagaragem.com.br: did not receive HSTS header
@@ -11729,7 +12188,6 @@ naiaspa.fr: did not receive HSTS header
 naiharngym.com: did not receive HSTS header
 nailedithomebuilders.com: max-age too low: 300
 nais.me: did not receive HSTS header
-najedlo.sk: could not connect to host
 nakamastreamingcommunity.com: could not connect to host
 nakanishi-paint.com: could not connect to host
 nakhonidc.com: could not connect to host
@@ -11748,8 +12206,9 @@ nameme.xyz: could not connect to host
 nametaken-cloud.duckdns.org: could not connect to host
 namethatbone.com: could not connect to host
 namethatporn.com: could not connect to host
+nami.exchange: did not receive HSTS header
 namikawatetsuji.jp: could not connect to host
-namorico.me: could not connect to host
+namorico.me: did not receive HSTS header
 namuwikiusercontent.com: could not connect to host
 nan.ci: did not receive HSTS header
 nan.zone: could not connect to host
@@ -11767,6 +12226,7 @@ naoar.com: could not connect to host
 naphex.rocks: could not connect to host
 napisynapomniky.cz: did not receive HSTS header
 narach.com: did not receive HSTS header
+narazaka.net: could not connect to host
 nargele.eu: did not receive HSTS header
 narko.space: could not connect to host
 narodniki.com: did not receive HSTS header
@@ -11781,7 +12241,7 @@ nastysclaw.com: could not connect to host
 natalia-fadeeva.ru: could not connect to host
 natalia.io: did not receive HSTS header
 natalieandjoshua.com: could not connect to host
-natalt.org: could not connect to host
+natalt.org: did not receive HSTS header
 natalydanilova.com: max-age too low: 300
 nataniel-perissier.fr: could not connect to host
 natatorium.org: did not receive HSTS header
@@ -11790,7 +12250,6 @@ natecraun.net: did not receive HSTS header
 natenom.com: max-age too low: 7200
 natenom.de: max-age too low: 7200
 natenom.name: max-age too low: 7200
-nathan.io: did not receive HSTS header
 nationalmall.gov: could not connect to host
 nationwidevehiclecontracts.co.uk: did not receive HSTS header
 natropie.pl: could not connect to host
@@ -11806,22 +12265,25 @@ nauck.org: did not receive HSTS header
 naudles.me: could not connect to host
 nav.jobs: could not connect to host
 naval.tf: could not connect to host
-navegos.net: did not receive HSTS header
+navegos.net: could not connect to host
+navenlle.com: could not connect to host
 naviaddress.io: did not receive HSTS header
 naviteq.eu: could not connect to host
 navitime.me: did not receive HSTS header
 navjobs.com: could not connect to host
+navstivime.cz: did not receive HSTS header
 nawroth.info: could not connect to host
-nax.io: did not receive HSTS header
-nay.moe: did not receive HSTS header
-nazigol.com: could not connect to host
+nax.io: could not connect to host
+nay.moe: could not connect to host
+nazigol.com: did not receive HSTS header
 nba2kqq.com: could not connect to host
 nba669.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 nba686.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-nbb.io: could not connect to host
+nbb.io: did not receive HSTS header
 nbg-ha.de: could not connect to host
 nbis.gov: could not connect to host
 nbl.org.tw: could not connect to host
+nbp.com.pk: did not receive HSTS header
 nbtparse.org: could not connect to host
 nc2c.com: could not connect to host
 ncaq.net: did not receive HSTS header
@@ -11833,16 +12295,17 @@ ncpc.gov: could not connect to host
 ncpw.gov: did not receive HSTS header
 ncrmnt.org: did not receive HSTS header
 nct.org.uk: did not receive HSTS header
+ndatc.com: did not receive HSTS header
 ndmath.club: could not connect to host
 ndtblog.com: could not connect to host
 ndtmarket.place: could not connect to host
 ne1home.dyndns.org: did not receive HSTS header
 neap.io: could not connect to host
 near.st: did not receive HSTS header
+nearbi.com.mx: could not connect to host
 nearbiwa.com: did not receive HSTS header
 nearon.nl: could not connect to host
 neavision.de: did not receive HSTS header
-nebula.exchange: did not receive HSTS header
 nebulousenhanced.com: could not connect to host
 necesitodinero.org: could not connect to host
 necio.ca: could not connect to host
@@ -11852,7 +12315,7 @@ nedwave.com: did not receive HSTS header
 nedys.top: did not receive HSTS header
 needle.net.nz: could not connect to host
 needle.nz: could not connect to host
-neels.ch: did not receive HSTS header
+neels.ch: could not connect to host
 neer.io: could not connect to host
 neet-investor.biz: could not connect to host
 neftaly.com: did not receive HSTS header
@@ -11867,9 +12330,14 @@ neko-life.com: did not receive HSTS header
 neko.li: could not connect to host
 nekoku.io: could not connect to host
 nekox.ml: could not connect to host
+nella-project.org: could not connect to host
 nella.io: could not connect to host
+nellacms.com: could not connect to host
+nellacms.org: could not connect to host
+nellafw.org: could not connect to host
 nellen.it: did not receive HSTS header
 nemanja.top: did not receive HSTS header
+nemecl.eu: could not connect to host
 nemno.de: could not connect to host
 nemovement.org: could not connect to host
 neoani.me: did not receive HSTS header
@@ -11880,6 +12348,7 @@ neoeliteconsulting.com: could not connect to host
 neofelhz.space: could not connect to host
 neojames.me: could not connect to host
 neokobe.city: could not connect to host
+neolink.dk: could not connect to host
 neonisi.com: could not connect to host
 neonnuke.tech: did not receive HSTS header
 neosolution.ca: did not receive HSTS header
@@ -11894,6 +12363,7 @@ nerfroute.com: could not connect to host
 neris.io: could not connect to host
 neriumhcp.com: did not receive HSTS header
 nesantuoka.lt: could not connect to host
+nestedquotes.ca: could not connect to host
 nesterov.pw: could not connect to host
 nestone.ru: could not connect to host
 net-navi.cc: did not receive HSTS header
@@ -11907,7 +12377,6 @@ netbox.cc: could not connect to host
 netbrief.ml: could not connect to host
 netde.jp: did not receive HSTS header
 netdego.jp: could not connect to host
-netducks.com: could not connect to host
 netducks.space: could not connect to host
 netfs.pl: did not receive HSTS header
 netguide.co.nz: did not receive HSTS header
@@ -11915,16 +12384,16 @@ netherwind.eu: did not receive HSTS header
 netlilo.com: could not connect to host
 netloanusa.com: could not connect to host
 netmagik.com: did not receive HSTS header
-netprofile.com.au: did not receive HSTS header
+netprofile.com.au: could not connect to host
 netresourcedesign.com: could not connect to host
 netsafeid.biz: did not receive HSTS header
 netscaler.expert: could not connect to host
 netsight.org: could not connect to host
 netsparkercloud.com: did not receive HSTS header
 netsystems.pro: could not connect to host
-nettacompany.com.tr: did not receive HSTS header
 nettefoundation.com: could not connect to host
 nettopower.dk: did not receive HSTS header
+nettoyage.email: could not connect to host
 nettplusultra-rhone.fr: did not receive HSTS header
 networkmon.net: could not connect to host
 networx-online.de: could not connect to host
@@ -11938,6 +12407,7 @@ neueonlinecasino2016.com: could not connect to host
 neuhaus-city.de: could not connect to host
 neuralgic.net: could not connect to host
 neuro-plus-100.com: could not connect to host
+neurogroove.info: did not receive HSTS header
 neuronasdigitales.com: did not receive HSTS header
 neuronfactor.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 neutralvehicle.com: did not receive HSTS header
@@ -11946,6 +12416,7 @@ never-afk.de: did not receive HSTS header
 neveta.com: could not connect to host
 new: could not connect to host
 newantiagingcreams.com: could not connect to host
+newbasemedia.us: did not receive HSTS header
 newbieboss.com: did not receive HSTS header
 newbownerton.xyz: could not connect to host
 newchance.store: could not connect to host
@@ -11959,10 +12430,10 @@ newhdmovies.io: could not connect to host
 newline.online: did not receive HSTS header
 newlooknow.com: did not receive HSTS header
 newparadigmventures.net: did not receive HSTS header
-newpathintegratedtherapy.com: did not receive HSTS header
+newpathintegratedtherapy.com: could not connect to host
 newpoke.net: could not connect to host
 newportpropertygroup.com: could not connect to host
-newposts.ru: could not connect to host
+news47ell.com: did not receive HSTS header
 news4c.com: did not receive HSTS header
 newsa2.com: could not connect to host
 newsaboutgames.de: did not receive HSTS header
@@ -11974,17 +12445,19 @@ newtonhaus.com: could not connect to host
 newtonwarp.com: could not connect to host
 nexgeneration-solutions.com: could not connect to host
 nexlab.org: did not receive HSTS header
+nexril.net: max-age too low: 7776000
 next-taxi.ru: could not connect to host
 next47.com: did not receive HSTS header
-nextcloud.li: could not connect to host
+nextcloud.nerdpol.ovh: could not connect to host
 nextcloud.org: could not connect to host
-nextend.net: could not connect to host
+nextend.net: did not receive HSTS header
 nextend.org: did not receive HSTS header
 nexth.de: could not connect to host
 nexth.net: did not receive HSTS header
 nexth.us: could not connect to host
 nexthop.co.jp: could not connect to host
 nexthop.co.th: did not receive HSTS header
+nexthop.jp: could not connect to host
 nextlevel-it.co.uk: could not connect to host
 nextpages.de: could not connect to host
 nextproject.us: could not connect to host
@@ -11992,7 +12465,6 @@ nextshutter.com: did not receive HSTS header
 nexusbyte.de: could not connect to host
 nexuscorporation.in: could not connect to host
 nfhome.be: did not receive HSTS header
-nfls.io: did not receive HSTS header
 nfluence.org: could not connect to host
 nfo.so: could not connect to host
 nfrost.me: could not connect to host
@@ -12002,10 +12474,12 @@ ngiemboon.net: could not connect to host
 ngine.ch: did not receive HSTS header
 nginxnudes.com: could not connect to host
 nginxyii.tk: could not connect to host
+ngla.gov: could not connect to host
 nglr.org: could not connect to host
 ngocuong.net: could not connect to host
 ngt-service.ru: could not connect to host
 ngtoys.com.br: did not receive HSTS header
+nhccnews.org: could not connect to host
 nhliberty.org: did not receive HSTS header
 nhsuites.com: did not receive HSTS header
 nhus.de: max-age too low: 172800
@@ -12013,8 +12487,7 @@ niallator.com: could not connect to host
 nibiisclaim.com: could not connect to host
 nicestresser.fr: could not connect to host
 nickcleans.co.uk: could not connect to host
-nickmertin.ca: did not receive HSTS header
-nickmorri.com: could not connect to host
+nicktheitguy.com: could not connect to host
 nicky.io: did not receive HSTS header
 nico.one: could not connect to host
 nicoborghuis.nl: could not connect to host
@@ -12029,6 +12502,7 @@ nicorevin.ru: could not connect to host
 nidux.com: did not receive HSTS header
 niduxcomercial.com: could not connect to host
 niedersetz.de: could not connect to host
+niedrigsterpreis.de: did not receive HSTS header
 nien.chat: could not connect to host
 nien.com.tw: could not connect to host
 nienfun.com: could not connect to host
@@ -12049,7 +12523,7 @@ niklaslindblad.se: did not receive HSTS header
 nikobradshaw.com: could not connect to host
 nikolaichik.photo: did not receive HSTS header
 nikolasbradshaw.com: could not connect to host
-nikolasgrottendieck.com: max-age too low: 7776000
+nikz.in: did not receive HSTS header
 nilianwo.com: could not connect to host
 niloxy.com: did not receive HSTS header
 ninchisho-online.com: did not receive HSTS header
@@ -12074,6 +12548,7 @@ nishisbma.com: could not connect to host
 nitaonline.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 niva.synology.me: could not connect to host
 niveldron.com: could not connect to host
+nivi.ca: could not connect to host
 nixien.fr: could not connect to host
 nixmag.net: could not connect to host
 nixne.st: could not connect to host
@@ -12084,7 +12559,7 @@ nkb.in.th: could not connect to host
 nll.fi: could not connect to host
 nlrb.gov: did not receive HSTS header
 nmadda.com: did not receive HSTS header
-nmctest.net: could not connect to host
+nmctest.net: did not receive HSTS header
 nmd.so: did not receive HSTS header
 nmgb.ga: could not connect to host
 nmgb.ml: could not connect to host
@@ -12097,6 +12572,7 @@ no17sifangjie.cc: could not connect to host
 noc.wang: could not connect to host
 nocallaghan.com: could not connect to host
 noclegi-online.pl: did not receive HSTS header
+nocmd.com: did not receive HSTS header
 noctinus.tk: could not connect to host
 nodalr.com: did not receive HSTS header
 node-core-app.com: could not connect to host
@@ -12109,12 +12585,11 @@ nodelab-it.de: could not connect to host
 nodepanel.net: did not receive HSTS header
 nodepositcasinouk.com: did not receive HSTS header
 nodeselect.com: could not connect to host
-nodespin.com: did not receive HSTS header
 nodesturut.cl: did not receive HSTS header
 nodetemple.com: could not connect to host
-nodi.at: could not connect to host
+nodi.at: did not receive HSTS header
 nodum.io: did not receive HSTS header
-noegoph.com: did not receive HSTS header
+noegoph.com: could not connect to host
 noelblog.ga: could not connect to host
 noelssanssoucipensacola.com: did not receive HSTS header
 noesberts-weidmoos.de: did not receive HSTS header
@@ -12140,9 +12615,9 @@ nopex.no: could not connect to host
 nopol.de: could not connect to host
 norandom.com: could not connect to host
 norb.at: could not connect to host
-norden.eu.org: could not connect to host
 nordic-survival.de: did not receive HSTS header
 nordiccasinocommunity.com: did not receive HSTS header
+nordicess.dk: could not connect to host
 nordlicht.photography: did not receive HSTS header
 noref.tk: could not connect to host
 noreply.mx: could not connect to host
@@ -12158,6 +12633,7 @@ northwest-events.co.uk: could not connect to host
 northwoodsfish.com: could not connect to host
 nosbenevolesontdutalent.com: could not connect to host
 nosecretshop.com: could not connect to host
+nosfermiers.com: could not connect to host
 nosproduitsdequalite.fr: did not receive HSTS header
 nossasenhoradaconceicao.com.br: could not connect to host
 nostraspace.com: could not connect to host
@@ -12212,10 +12688,11 @@ nowremindme.com: could not connect to host
 noxi.ga: could not connect to host
 nozoe.jp: could not connect to host
 npm.li: did not receive HSTS header
-npol.de: did not receive HSTS header
-npool.org: could not connect to host
+npol.de: could not connect to host
+npool.org: did not receive HSTS header
 nq7.pl: could not connect to host
-nqesh.com: did not receive HSTS header
+nqesh.com: could not connect to host
+nqeshreviewer.com: could not connect to host
 nrc-gateway.gov: could not connect to host
 nrechn.de: could not connect to host
 nrizzio.me: could not connect to host
@@ -12233,7 +12710,7 @@ nstyleintl.ca: did not receive HSTS header
 nsure.us: could not connect to host
 nsweb.solutions: could not connect to host
 ntbs.pro: could not connect to host
-nth.sh: could not connect to host
+nth.sh: did not receive HSTS header
 ntse.xyz: could not connect to host
 nu-pogodi.net: could not connect to host
 nu3.at: did not receive HSTS header
@@ -12247,6 +12724,7 @@ nu3.fr: did not receive HSTS header
 nu3.no: did not receive HSTS header
 nu3.se: did not receive HSTS header
 nube.ninja: did not receive HSTS header
+nubella.com.au: did not receive HSTS header
 nubeslayer.com: could not connect to host
 nuclear-crimes.com: did not receive HSTS header
 nuclearcrimes.com: did not receive HSTS header
@@ -12271,7 +12749,7 @@ numis.tech: could not connect to host
 numista.com: did not receive HSTS header
 numm.fr: did not receive HSTS header
 nuovamoda.al: could not connect to host
-nup.pw: max-age too low: 0
+nup.pw: did not receive HSTS header
 nupef.org.br: did not receive HSTS header
 nurserybook.co: did not receive HSTS header
 nurture.be: did not receive HSTS header
@@ -12313,6 +12791,7 @@ nzbs.io: could not connect to host
 nzdmo.govt.nz: did not receive HSTS header
 nzmk.cz: could not connect to host
 nzquakes.maori.nz: did not receive HSTS header
+o-loska.cz: did not receive HSTS header
 o-rickroll-y.pw: could not connect to host
 o0o.one: did not receive HSTS header
 oakesfam.net: did not receive HSTS header
@@ -12324,20 +12803,20 @@ oben.pl: did not receive HSTS header
 oberam.de: could not connect to host
 oberhof.co: could not connect to host
 oberhofjuice.com: could not connect to host
+oberoi.de: did not receive HSTS header
 obioncountytn.gov: could not connect to host
 objectif-leger.com: did not receive HSTS header
-obligacjekk.pl: could not connect to host
 oblikdom.pro: did not receive HSTS header
 oblikdom.ru: did not receive HSTS header
 oblondata.io: did not receive HSTS header
 obrienlab.com: did not receive HSTS header
+obscur.us: could not connect to host
 obscuredfiles.com: could not connect to host
 observatory.se: could not connect to host
 obsydian.org: could not connect to host
 oc-minecraft.com: could not connect to host
 ocad.com.au: did not receive HSTS header
 ocapic.com: could not connect to host
-occ.gov: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 occasion-impro.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 occupymedia.org: could not connect to host
 ochaken.cf: could not connect to host
@@ -12348,7 +12827,7 @@ octanio.com: could not connect to host
 octo.im: could not connect to host
 octocat.ninja: could not connect to host
 octod.tk: could not connect to host
-octohost.net: did not receive HSTS header
+octohost.net: could not connect to host
 oddmouse.com: could not connect to host
 odin.xxx: could not connect to host
 odinkapital.no: did not receive HSTS header
@@ -12369,6 +12848,7 @@ offgames.pro: could not connect to host
 office-ruru.com: could not connect to host
 officeclub.com.mx: did not receive HSTS header
 officeprint.co.th: could not connect to host
+officium.tech: could not connect to host
 offshore-firma.org: could not connect to host
 offshore-unternehmen.com: could not connect to host
 offshorefirma-gruenden.com: could not connect to host
@@ -12385,7 +12865,7 @@ ohayosoro.me: could not connect to host
 ohhdeertrade.com: did not receive HSTS header
 ohm2013.org: did not receive HSTS header
 ohma.ga: did not receive HSTS header
-ohnemusik.com: max-age too low: 0
+ohnemusik.com: did not receive HSTS header
 ohohrazi.com: did not receive HSTS header
 ohreally.de: could not connect to host
 ohsocool.org: did not receive HSTS header
@@ -12394,6 +12874,7 @@ oiepoie.nl: could not connect to host
 oilfieldinjury.attorney: could not connect to host
 oinky.ddns.net: could not connect to host
 oishioffice.com: did not receive HSTS header
+ojanaho.com: did not receive HSTS header
 ojbk.eu: could not connect to host
 ojeremy.com: did not receive HSTS header
 ojls.co: could not connect to host
@@ -12401,7 +12882,6 @@ okad-center.de: did not receive HSTS header
 okad.de: did not receive HSTS header
 okad.eu: did not receive HSTS header
 okaidi.es: could not connect to host
-okaidi.fr: could not connect to host
 okane.love: did not receive HSTS header
 okaz.de: did not receive HSTS header
 oklahomamoversassociation.org: could not connect to host
@@ -12412,9 +12892,10 @@ okutama.in.th: could not connect to host
 olafnorge.de: did not receive HSTS header
 olcso-vps-szerver.hu: could not connect to host
 oldandyounglesbians.us: could not connect to host
+oldbrookinflatables.co.uk: did not receive HSTS header
+oldenglishsheepdog.com.br: could not connect to host
 oldschool-criminal.com: did not receive HSTS header
 oldtimer-trifft-flugplatz.de: did not receive HSTS header
-olifant.fr: did not receive HSTS header
 olightstore.com: did not receive HSTS header
 oliode.tk: could not connect to host
 olivlabs.com: could not connect to host
@@ -12424,6 +12905,7 @@ ols.io: did not receive HSTS header
 olswangtrainees.com: could not connect to host
 olympe-transport.fr: did not receive HSTS header
 omacostudio.com: could not connect to host
+omar.yt: did not receive HSTS header
 omarsuniagamusic.ga: did not receive HSTS header
 omeuanimal.com: did not receive HSTS header
 omgaanmetidealen.com: could not connect to host
@@ -12433,11 +12915,10 @@ omise.co: did not receive HSTS header
 ommahpost.com: did not receive HSTS header
 omnigon.network: could not connect to host
 omnilab.tech: could not connect to host
-omnisiens.se: could not connect to host
+omnisafira.com: did not receive HSTS header
 omniti.com: max-age too low: 1
 omorashi.org: could not connect to host
 omquote.gq: could not connect to host
-omsdieppe.fr: did not receive HSTS header
 omskit.ru: could not connect to host
 omyogarishikesh.com: did not receive HSTS header
 on-te.ch: did not receive HSTS header
@@ -12448,6 +12929,7 @@ oneb4nk.com: could not connect to host
 onecycling.my: could not connect to host
 onecycling.world: could not connect to host
 onefour.co: could not connect to host
+onegoodthingbyjillee.com: did not receive HSTS header
 onehourloan.com: could not connect to host
 onehourloan.sg: did not receive HSTS header
 oneiros.cc: could not connect to host
@@ -12457,11 +12939,12 @@ oneminutefilm.tv: did not receive HSTS header
 onemusou.com: could not connect to host
 onepathnetwork.com: max-age too low: 7776000
 onepluscamps.com: did not receive HSTS header
+onepointsafeband.ca: could not connect to host
+onepointsafeband.com: could not connect to host
 onepopstore.com: could not connect to host
 onespiritinc.com: did not receive HSTS header
 onet.space: could not connect to host
 onetly.com: could not connect to host
-onetwentyseven001.com: did not receive HSTS header
 onewebdev.info: could not connect to host
 oneworldbank.com: did not receive HSTS header
 onewpst.com: could not connect to host
@@ -12471,11 +12954,12 @@ onionbot.ga: could not connect to host
 onioncloud.org: could not connect to host
 onionplay.live: could not connect to host
 onionsburg.com: could not connect to host
+onkfaktor.de: could not connect to host
 online-casino.eu: did not receive HSTS header
 online-horoskop.ch: did not receive HSTS header
+online-results.dk: did not receive HSTS header
 online-scene.com: did not receive HSTS header
 online-wetten.de: could not connect to host
-online.swedbank.se: did not receive HSTS header
 onlinebiller.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 onlinebillingform.com: could not connect to host
 onlinecasinobluebook.com: could not connect to host
@@ -12560,7 +13044,7 @@ opensourcehouse.net: could not connect to host
 openspace.xxx: did not receive HSTS header
 opensrd.com: could not connect to host
 openssf.org: did not receive HSTS header
-opentexon.com: did not receive HSTS header
+opentexon.com: could not connect to host
 openxmpp.com: could not connect to host
 operad.fr: could not connect to host
 opiates.net: did not receive HSTS header
@@ -12582,8 +13066,17 @@ opteamax.eu: did not receive HSTS header
 optenhoefel.de: could not connect to host
 optiekzien.nl: did not receive HSTS header
 optimal-e.com: did not receive HSTS header
+optimised.cloud: could not connect to host
+optimised.io: could not connect to host
+optimisedlabs.info: could not connect to host
+optimisedlabs.net: could not connect to host
+optimisedlabs.uk: could not connect to host
 optimista.soy: could not connect to host
 optimize-jpg.com: could not connect to host
+optimizedlabs.co.uk: could not connect to host
+optimizedlabs.info: could not connect to host
+optimizedlabs.net: could not connect to host
+optimizedlabs.uk: could not connect to host
 optisure.de: did not receive HSTS header
 optometriepunt.nl: did not receive HSTS header
 optumrxhealthstore.com: could not connect to host
@@ -12593,7 +13086,6 @@ opure.ru: could not connect to host
 oracaodocredo.com.br: could not connect to host
 orangekey.tk: could not connect to host
 oranges.tokyo: did not receive HSTS header
-orangetravel.eu: did not receive HSTS header
 oranic.com: did not receive HSTS header
 orbiosales.com: could not connect to host
 orbitcom.de: did not receive HSTS header
@@ -12613,17 +13105,22 @@ orfeo-engineering.ch: could not connect to host
 organic-superfood.net: could not connect to host
 organicae.com: did not receive HSTS header
 oricejoc.com: could not connect to host
+orientravelmacas.com: did not receive HSTS header
 originalmockups.com: did not receive HSTS header
 originalsport.com.br: could not connect to host
 orioncustompcs.com: could not connect to host
 orionfcu.com: did not receive HSTS header
 orionrebellion.com: did not receive HSTS header
 orleika.ml: could not connect to host
+orovillelaw.com: could not connect to host
 oroweatorganic.com: could not connect to host
+orro.ro: did not receive HSTS header
 ortho-graz.at: max-age too low: 86400
 orthodoxy.lt: did not receive HSTS header
 ortodonciaian.com: did not receive HSTS header
-orui.com.br: could not connect to host
+orui.com.br: did not receive HSTS header
+orum.in: max-age too low: 0
+orz.uno: did not receive HSTS header
 osaiyuwu.com: could not connect to host
 osaka-onakura.com: did not receive HSTS header
 oscamp.eu: could not connect to host
@@ -12633,11 +13130,11 @@ oscloud.com: could not connect to host
 oscloud.com.ua: could not connect to host
 oscreen.me: could not connect to host
 oscreen.org: could not connect to host
-oscsdp.cz: did not receive HSTS header
+oscsdp.cz: could not connect to host
 osdls.gov: did not receive HSTS header
 osha-kimi.com: did not receive HSTS header
 oshanko.de: could not connect to host
-oshinagaki.jp: could not connect to host
+oshinagaki.jp: did not receive HSTS header
 oslfoundation.org: did not receive HSTS header
 osmestres.com: did not receive HSTS header
 osp.cx: could not connect to host
@@ -12647,24 +13144,26 @@ ossbinaries.com: could not connect to host
 osteammate.com: could not connect to host
 ostendorf.com: did not receive HSTS header
 osticketawesome.com: did not receive HSTS header
-ostrov8.com: could not connect to host
 oswaldmattgroup.com: did not receive HSTS header
 otako.pl: did not receive HSTS header
+otakucloud.net: did not receive HSTS header
 otakuworld.de: could not connect to host
-otakuyun.com: could not connect to host
 otchecker.com: could not connect to host
 othercode.nl: could not connect to host
 otherkinforum.com: could not connect to host
 othermedia.cc: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 otherstuff.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-otichi.com: did not receive HSTS header
+otichi.com: could not connect to host
 otinane.eu: could not connect to host
 otmns.net: could not connect to host
 otmo7.com: could not connect to host
+otoblok.com: did not receive HSTS header
 otokonna.com: could not connect to host
 otrsdemo.hu: did not receive HSTS header
 otsu.beer: could not connect to host
 ottospora.nl: could not connect to host
+ouimoove.com: could not connect to host
+ouowo.gq: could not connect to host
 ourbank.com: max-age too low: 2592000
 ourchoice2016.com: could not connect to host
 ouruglyfood.com: could not connect to host
@@ -12677,12 +13176,13 @@ ouvirmusica.com.br: did not receive HSTS header
 ovabag.com: did not receive HSTS header
 ovenapp.io: did not receive HSTS header
 over25tips.com: did not receive HSTS header
+overceny.cz: did not receive HSTS header
 override.io: could not connect to host
 overrustle.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-overseamusic.de: did not receive HSTS header
 oversight.io: could not connect to host
 overstappen.nl: did not receive HSTS header
 overture.london: did not receive HSTS header
+overwall.org: could not connect to host
 ovuscloud.de: could not connect to host
 ovwane.com: could not connect to host
 owall.ml: did not receive HSTS header
@@ -12718,11 +13218,10 @@ p3in.com: could not connect to host
 p3ter.fr: did not receive HSTS header
 p8r.de: could not connect to host
 paavolastudio.com: did not receive HSTS header
-pabloarteaga.name: did not receive HSTS header
 pablocamino.tk: could not connect to host
-pablofain.com: did not receive HSTS header
 pablorey-art.com: did not receive HSTS header
 pachaiyappas.org: did not receive HSTS header
+pacificpalisadeselectrician.com: could not connect to host
 packair.com: did not receive HSTS header
 packer.io: did not receive HSTS header
 packetapp.ru: could not connect to host
@@ -12757,6 +13256,8 @@ pajonzeck.de: could not connect to host
 paket.io: could not connect to host
 paket.ml: did not receive HSTS header
 paketkreditsuzuki.com: could not connect to host
+pakeystonescholars.gov: could not connect to host
+pakowanie-polska.pl: could not connect to host
 paku.me: could not connect to host
 palationtrade.com: could not connect to host
 palawan.jp: could not connect to host
@@ -12782,8 +13283,10 @@ panjee.com: did not receive HSTS header
 panjee.fr: did not receive HSTS header
 panlex.org: did not receive HSTS header
 panni.me: could not connect to host
+panoma.de: did not receive HSTS header
 panoranordic.net: could not connect to host
 panos.io: did not receive HSTS header
+panoti.com: could not connect to host
 pansu.space: could not connect to host
 pantsu.cat: did not receive HSTS header
 paolo565.org: did not receive HSTS header
@@ -12811,11 +13314,12 @@ parav.xyz: did not receive HSTS header
 pardnoy.com: could not connect to host
 parent5446.us: could not connect to host
 parentmail.co.uk: did not receive HSTS header
-parfum-baza.ru: did not receive HSTS header
+parfum-baza.ru: could not connect to host
 pariga.co.uk: could not connect to host
 paris-cyber.fr: did not receive HSTS header
 parisdimanche.com: did not receive HSTS header
 parishome.jp: could not connect to host
+parisprovincedemenagements.fr: did not receive HSTS header
 parisvox.info: did not receive HSTS header
 parithy.net: could not connect to host
 parkhillsbaptist.church: did not receive HSTS header
@@ -12824,7 +13328,6 @@ parkrocker.com: max-age too low: 604800
 parksland.net: did not receive HSTS header
 parksubaruoemparts.com: could not connect to host
 parkwithark.com: could not connect to host
-parleu2016.nl: could not connect to host
 parodybit.net: did not receive HSTS header
 parpaing-paillette.net: could not connect to host
 parquet-lascazes.fr: did not receive HSTS header
@@ -12833,9 +13336,9 @@ participatorybudgeting.de: did not receive HSTS header
 participatorybudgeting.info: did not receive HSTS header
 particonpsplus.it: could not connect to host
 partirkyoto.jp: did not receive HSTS header
-partiwatch.com: could not connect to host
+partiwatch.com: max-age too low: 2592000
 partnerbeam.com: could not connect to host
-partnercardservices.com: did not receive HSTS header
+partnersfcu.org: did not receive HSTS header
 partnerwerk.de: did not receive HSTS header
 partyhaus.ovh: could not connect to host
 partyhireformby.co.uk: did not receive HSTS header
@@ -12846,9 +13349,11 @@ partyvan.it: could not connect to host
 partyvan.moe: could not connect to host
 partyvan.nl: could not connect to host
 partyvan.se: could not connect to host
-pascal-kannchen.de: could not connect to host
 pascalchristen.ch: did not receive HSTS header
+pascalspoerri.ch: could not connect to host
 pasportaservo.org: did not receive HSTS header
+passendonderwijs.nl: did not receive HSTS header
+passionebenessere.com: did not receive HSTS header
 passpilot.co.uk: did not receive HSTS header
 passwd.io: did not receive HSTS header
 password.codes: could not connect to host
@@ -12863,23 +13368,26 @@ pastenib.com: could not connect to host
 paster.li: did not receive HSTS header
 pasteros.io: could not connect to host
 pastie.se: could not connect to host
+pastorbelgagroenendael.com.br: could not connect to host
 pastorcanadense.com.br: could not connect to host
+pastormaremanoabruzes.com.br: could not connect to host
 pastorsuico.com.br: could not connect to host
 pataua.kiwi: did not receive HSTS header
 paternitydnatest.com: could not connect to host
 patfs.com: did not receive HSTS header
 pathwaytofaith.com: could not connect to host
 patientinsight.net: could not connect to host
+patouille-et-gribouille.fr: did not receive HSTS header
 patriaco.net: did not receive HSTS header
+patric-lenhart.de: could not connect to host
 patrick.dark.name: could not connect to host
 patrickbusch.net: could not connect to host
 patrickmcnamara.xyz: did not receive HSTS header
 patrickneuro.de: could not connect to host
 patrickquinn.ca: did not receive HSTS header
 patrickschneider.me: could not connect to host
-patt.us: did not receive HSTS header
+patt.us: could not connect to host
 patterson.mp: could not connect to host
-paul-bronski.de: could not connect to host
 paul-kerebel.pro: could not connect to host
 paul-schmidt.de: max-age too low: 0
 paulbunyanmls.com: did not receive HSTS header
@@ -12887,13 +13395,10 @@ paulewen.ca: could not connect to host
 paulpetersen.dk: did not receive HSTS header
 paulproell.at: did not receive HSTS header
 paulrudge.codes: could not connect to host
-paulshir.com: could not connect to host
-paulshir.is: could not connect to host
 paulyang.cn: did not receive HSTS header
 paveljanda.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 pavelkahouseforcisco.com: did not receive HSTS header
 pavelstriz.cz: could not connect to host
-pawfriends.org.za: did not receive HSTS header
 pawsru.org: could not connect to host
 paxdei.com.br: could not connect to host
 paxwinkel.nl: could not connect to host
@@ -12912,6 +13417,7 @@ payroll.ch: could not connect to host
 paytwopay.com: could not connect to host
 payzwin.com: did not receive HSTS header
 pb-design.ch: could not connect to host
+pb.ax: could not connect to host
 pbapp.net: did not receive HSTS header
 pbbr.com: did not receive HSTS header
 pbcknd.ml: could not connect to host
@@ -12976,14 +13482,14 @@ peperiot.com: did not receive HSTS header
 pepper.dog: could not connect to host
 pepperhead.com: did not receive HSTS header
 pepperworldhotshop.de: did not receive HSTS header
-pepsicoemployeepreferencesurvey.com: did not receive HSTS header
+pepsicoemployeepreferencesurvey.com: could not connect to host
 per-pedes.at: did not receive HSTS header
 perdel.cn: could not connect to host
 pereuda.com: could not connect to host
 perez-marrero.com: could not connect to host
 perfect-radiant-wrinkles.com: could not connect to host
 perfectionis.me: could not connect to host
-perfectionunite.com: did not receive HSTS header
+perfectionunite.com: could not connect to host
 perfectseourl.com: did not receive HSTS header
 performancesantafe.org: did not receive HSTS header
 performaride.com.au: did not receive HSTS header
@@ -12998,6 +13504,7 @@ perm-juridique.ch: could not connect to host
 permanence-juridique.com: could not connect to host
 permanencejuridique-ge.ch: could not connect to host
 permanencejuridique.com: could not connect to host
+permiscoderoute.fr: did not receive HSTS header
 pernatie.ru: could not connect to host
 peromsik.com: did not receive HSTS header
 perplex.nl: did not receive HSTS header
@@ -13035,31 +13542,32 @@ petplum.com: did not receive HSTS header
 petrkrapek.cz: did not receive HSTS header
 petrotranz.com: did not receive HSTS header
 petrovsky.pro: could not connect to host
+petruzz.net: did not receive HSTS header
 petsittersservices.com: could not connect to host
 pettsy.com: did not receive HSTS header
 peuf.shop: could not connect to host
 peuterspeelzaalhoekvanholland.nl: could not connect to host
+pewat.com: could not connect to host
 pewboards.com: could not connect to host
 pexieapp.com: did not receive HSTS header
 peykezamin.ir: did not receive HSTS header
 peyote.org: could not connect to host
 peytonfarrar.com: could not connect to host
 pf.dk: did not receive HSTS header
-pfadfinder-grossauheim.de: could not connect to host
 pferdeeinstreu-kaufen.com: did not receive HSTS header
 pfgshop.com.br: could not connect to host
 pflegedienst-gratia.de: max-age too low: 300
 pfo.io: could not connect to host
 pfolta.net: could not connect to host
-pfrost.me: could not connect to host
 pgcpbc.com: could not connect to host
 pgmsource.com: could not connect to host
 pgpm.io: could not connect to host
-pgregg.com: did not receive HSTS header
 pgtb.be: could not connect to host
 phalconist.com: could not connect to host
+phantasie.cc: could not connect to host
 pharmaboard.org: did not receive HSTS header
 pharmgkb.org: could not connect to host
+phaux.uno: could not connect to host
 phcmembers.com: did not receive HSTS header
 phdsupply.com: could not connect to host
 phdwuda.com: could not connect to host
@@ -13072,6 +13580,7 @@ philadelphiadancefoundation.org: could not connect to host
 philipkohn.com: did not receive HSTS header
 philipmordue.co.uk: could not connect to host
 philippa.cool: could not connect to host
+philippinedroneassociation.org: did not receive HSTS header
 phillippi.me: could not connect to host
 phillmoore.com: did not receive HSTS header
 phillprice.com: did not receive HSTS header
@@ -13079,9 +13588,9 @@ philonas.net: did not receive HSTS header
 philpropertygroup.com: could not connect to host
 phippsreporting.com: did not receive HSTS header
 phishing.rs: did not receive HSTS header
-phocean.net: could not connect to host
 phoebe.co.nz: did not receive HSTS header
 phoenicis.com.ua: did not receive HSTS header
+phoenics.de: did not receive HSTS header
 phoenix.dj: did not receive HSTS header
 phonenumberinfo.co.uk: could not connect to host
 phongmay24h.com: could not connect to host
@@ -13100,14 +13609,15 @@ php-bach.org: could not connect to host
 phpdistribution.com: did not receive HSTS header
 phperformances.fr: did not receive HSTS header
 phpfashion.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+phpkari.cz: could not connect to host
 phr34kz.pw: did not receive HSTS header
 phra.gs: could not connect to host
 phrasing.me: could not connect to host
+phrive.space: could not connect to host
 phryneas.de: did not receive HSTS header
 phumin.in.th: did not receive HSTS header
 phuong.faith: could not connect to host
 physicpezeshki.com: did not receive HSTS header
-pi-box.ml: could not connect to host
 pi-eng.fr: did not receive HSTS header
 pianetaottica.eu: could not connect to host
 pianetaottica.info: could not connect to host
@@ -13121,10 +13631,11 @@ picardiascr.com: could not connect to host
 pickr.co: could not connect to host
 picone.com.au: could not connect to host
 picotronic.biz: could not connect to host
-picsandtours.com: could not connect to host
+picotronic.de: did not receive HSTS header
+picsandtours.com: did not receive HSTS header
 picscare.co.uk: did not receive HSTS header
 picshare.nz: could not connect to host
-pidatacenters.com: did not receive HSTS header
+pidatacenters.com: could not connect to host
 pidomex.com: did not receive HSTS header
 piedfeed.com: did not receive HSTS header
 pieinsurance.com: did not receive HSTS header
@@ -13136,11 +13647,13 @@ piggott.me.uk: did not receive HSTS header
 pigritia.de: could not connect to host
 piils.fr: did not receive HSTS header
 pikalongwar.com: did not receive HSTS header
+pikeitservices.com.au: did not receive HSTS header
 pikmy.com: could not connect to host
 pilgermaske.org: did not receive HSTS header
 piligrimname.com: could not connect to host
 pillowandpepper.com: did not receive HSTS header
 pilotcrowd.nl: did not receive HSTS header
+pimg136.com: could not connect to host
 pimpmymac.ru: did not receive HSTS header
 pimpmypaper.com: could not connect to host
 pims.global: did not receive HSTS header
@@ -13156,10 +13669,8 @@ pinkhq.com: did not receive HSTS header
 pinkinked.com: could not connect to host
 pinoylinux.org: did not receive HSTS header
 pinscher.com.br: could not connect to host
-pintosbeeremovals.co.za: did not receive HSTS header
 pintoselectrician.co.za: did not receive HSTS header
 pioche.ovh: did not receive HSTS header
-pipenny.net: could not connect to host
 pippen.io: could not connect to host
 pips.rocks: could not connect to host
 pir9.com: did not receive HSTS header
@@ -13200,11 +13711,12 @@ pixelpoint.io: did not receive HSTS header
 pixelrain.info: could not connect to host
 pixi.chat: could not connect to host
 pixi.me: did not receive HSTS header
+pixiv.rip: could not connect to host
 pixivimg.me: could not connect to host
 pizala.de: could not connect to host
 pizzacook.ch: did not receive HSTS header
 pizzadoc.ch: could not connect to host
-pizzafunny.com.br: did not receive HSTS header
+pizzafunny.com.br: could not connect to host
 pizzamc.eu: could not connect to host
 pj00100.com: did not receive HSTS header
 pj00200.com: did not receive HSTS header
@@ -13213,15 +13725,15 @@ pj00400.com: did not receive HSTS header
 pj00600.com: did not receive HSTS header
 pj00700.com: did not receive HSTS header
 pj00800.com: did not receive HSTS header
-pj009.com: did not receive HSTS header
+pj009.com: could not connect to host
 pj00900.com: did not receive HSTS header
 pj02.com: did not receive HSTS header
 pj83.duckdns.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 pj881988.com: could not connect to host
 pjbet.mg: could not connect to host
+pjili.com: did not receive HSTS header
 pjsec.tk: could not connect to host
 pkautodesign.com: did not receive HSTS header
-pkbjateng.or.id: could not connect to host
 pko.ch: did not receive HSTS header
 pkschat.com: could not connect to host
 plaasprodukte.com: could not connect to host
@@ -13240,29 +13752,28 @@ planete-secu.com: could not connect to host
 planetromeo.com: could not connect to host
 planformation.com: did not receive HSTS header
 planktonholland.com: did not receive HSTS header
-planolowcarb.com: could not connect to host
 planpharmacy.com: could not connect to host
 plant.ml: could not connect to host
 plantroon.com: could not connect to host
 plass.hamburg: could not connect to host
 plasti-pac.ch: did not receive HSTS header
 plasticsurgeryartist.com: max-age too low: 300
-plasticsurgerynola.com: did not receive HSTS header
-plasticsurgeryservices.com: did not receive HSTS header
 plastiflex.it: could not connect to host
 plasvilledescartaveis.com.br: could not connect to host
 platform.lookout.com: could not connect to host
 platinumpeek.com: did not receive HSTS header
 platomania.eu: did not receive HSTS header
+plattner.club: could not connect to host
 play: could not connect to host
 play.google.com: did not receive HSTS header (error ignored - included regardless)
 playdreamcraft.com.br: did not receive HSTS header
 playerhunter.com: did not receive HSTS header
 playflick.com: could not connect to host
+playhappywheelsunblocked.com: could not connect to host
 playkh.com: did not receive HSTS header
 playkinder.com: did not receive HSTS header
 playmaker.io: did not receive HSTS header
-playmaza.live: did not receive HSTS header
+playmaza.live: could not connect to host
 playmfe.com: could not connect to host
 playsoundevents.be: could not connect to host
 playsource.co: could not connect to host
@@ -13274,12 +13785,12 @@ pleasure.forsale: could not connect to host
 plen.io: could not connect to host
 plexi.dyndns.tv: could not connect to host
 plexpy13.ddns.net: could not connect to host
+plextv.de: did not receive HSTS header
 plexusmd.com: did not receive HSTS header
 plfgr.eu.org: could not connect to host
 plhdb.org: did not receive HSTS header
 plinc.co: could not connect to host
 plirt.ru: could not connect to host
-ploader.ru: max-age too low: 604800
 plogable.co: could not connect to host
 plomberierenga.com: max-age too low: 2592000
 plombirator.kz: did not receive HSTS header
@@ -13290,12 +13801,15 @@ plugboard.xyz: could not connect to host
 pluggedhead.com: did not receive HSTS header
 plumbingboksburg.co.za: did not receive HSTS header
 plumbingman.com.au: did not receive HSTS header
+plumnet.ch: could not connect to host
 plus-digital.net: could not connect to host
 plus-u.com.au: did not receive HSTS header
 plus.sandbox.google.com: did not receive HSTS header (error ignored - included regardless)
+plus1s.site: could not connect to host
 plus1s.tk: could not connect to host
 plushev.com: did not receive HSTS header
 plussizereviews.com: could not connect to host
+plustech.id: did not receive HSTS header
 plut.org: did not receive HSTS header
 pluth.org: did not receive HSTS header
 plymouthglassgallery.com: did not receive HSTS header
@@ -13314,6 +13828,7 @@ pneumonline.be: did not receive HSTS header
 pneusgppremium.com.br: did not receive HSTS header
 pnukee.com: did not receive HSTS header
 po.gl: could not connect to host
+poc17.com: could not connect to host
 pocakdrops.com: did not receive HSTS header
 pocakking.tk: could not connect to host
 pocket-lint.com: did not receive HSTS header
@@ -13326,7 +13841,6 @@ podcast.style: could not connect to host
 podiumsdiskussion.org: did not receive HSTS header
 poed.com.au: could not connect to host
 poeg.cz: did not receive HSTS header
-pogetback.pl: could not connect to host
 pogoswine.com: could not connect to host
 pogs.us: could not connect to host
 poiema.com.sg: did not receive HSTS header
@@ -13366,7 +13880,6 @@ polypho.nyc: could not connect to host
 polysage.org: did not receive HSTS header
 polytechecosystem.vc: could not connect to host
 pomardaserra.com: could not connect to host
-pomfe.co: could not connect to host
 pompefunebrilariviera.it: could not connect to host
 pompompoes.com: could not connect to host
 pondof.fish: could not connect to host
@@ -13390,6 +13903,7 @@ popkins.ml: did not receive HSTS header
 popkins.tk: could not connect to host
 popupsoftplay.com: could not connect to host
 poris.web.id: could not connect to host
+pormat.cl: did not receive HSTS header
 porn77.info: could not connect to host
 pornalpha.com: could not connect to host
 pornbay.org: could not connect to host
@@ -13407,7 +13921,6 @@ pornsocket.com: could not connect to host
 pornstars.me: did not receive HSTS header
 pornteddy.com: could not connect to host
 pornultra.net: could not connect to host
-porpcr.com: could not connect to host
 porschen.fr: could not connect to host
 port.im: did not receive HSTS header
 port.social: could not connect to host
@@ -13424,13 +13937,11 @@ portalzine.de: did not receive HSTS header
 portefeuillesignalen.nl: could not connect to host
 portraitsystem.biz: did not receive HSTS header
 poshpak.com: max-age too low: 86400
-positivenames.net: could not connect to host
 positivesobrietyinstitute.com: did not receive HSTS header
-post.we.bs: did not receive HSTS header
+posoiu.net: could not connect to host
 postback.io: did not receive HSTS header
 postcardpayment.com: could not connect to host
 postcodegarant.nl: could not connect to host
-postdeck.de: did not receive HSTS header
 posters.win: could not connect to host
 postscheduler.org: could not connect to host
 posylka.de: did not receive HSTS header
@@ -13477,13 +13988,13 @@ pozzitiv.ro: could not connect to host
 pozzo-balbi.com: did not receive HSTS header
 ppembed.com: did not receive HSTS header
 ppoou.co.uk: could not connect to host
-ppoozl.com: could not connect to host
 pppo.gov: could not connect to host
 ppr-truby.ru: could not connect to host
 ppsvcs2.com: did not receive HSTS header
 ppuu.org: did not receive HSTS header
 ppy3.com: did not receive HSTS header
 practodev.com: could not connect to host
+prajwalkoirala.com: could not connect to host
 pratinav.xyz: could not connect to host
 prattpokemon.com: could not connect to host
 praxis-research.info: could not connect to host
@@ -13506,14 +14017,15 @@ premioambiente.it: did not receive HSTS header
 premiumzweirad.de: max-age too low: 7776000
 prepaidgirl.com: could not connect to host
 prepandgo-euro.com: could not connect to host
-preposted.com: did not receive HSTS header
+preposted.com: could not connect to host
 preppertactics.com: did not receive HSTS header
 preprodfan.gov: could not connect to host
+presbee.com: could not connect to host
 prescriptionrex.com: did not receive HSTS header
 presentesdegrife.com.br: could not connect to host
 presidentials2016.com: could not connect to host
 press-anime-nenkan.com: did not receive HSTS header
-press-presse.ca: did not receive HSTS header
+press-presse.ca: max-age too low: 2592000
 pressakey.de: did not receive HSTS header
 pressenews.net: could not connect to host
 pressfreedomfoundation.org: did not receive HSTS header
@@ -13523,26 +14035,24 @@ prestonapp.com: could not connect to host
 prettygrouse.com: did not receive HSTS header
 prettyphotoart.de: did not receive HSTS header
 prettytunesapp.com: could not connect to host
-pretwolk.nl: could not connect to host
 pretzlaff.info: did not receive HSTS header
 preworkout.me: could not connect to host
 prgslab.net: could not connect to host
 priceholic.com: could not connect to host
-prideindomination.com: could not connect to host
 pridoc.se: did not receive HSTS header
 prifo.se: could not connect to host
 prijsvergelijken.ml: could not connect to host
 prilock.com: did not receive HSTS header
-primaconsulting.net: could not connect to host
 primecaplending.com: could not connect to host
 primewho.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 primordialsnooze.com: could not connect to host
-primotiles.co.uk: did not receive HSTS header
+primotiles.co.uk: could not connect to host
 primotilesandbathrooms.co.uk: max-age too low: 2592000
 prinbanat.ngo: did not receive HSTS header
 princeagency.com: did not receive HSTS header
 princessbackpack.de: could not connect to host
 princessmargaretlotto.com: did not receive HSTS header
+principalship.net: could not connect to host
 prinesdoma.at: did not receive HSTS header
 printerest.io: could not connect to host
 printersonline.be: did not receive HSTS header
@@ -13556,6 +14066,7 @@ privacylabs.io: did not receive HSTS header
 privacymanatee.com: could not connect to host
 privacyrup.net: could not connect to host
 privategiant.com: could not connect to host
+privatepokertour.com: could not connect to host
 privatstunden.express: could not connect to host
 privcloud.cc: could not connect to host
 privcloud.org: could not connect to host
@@ -13574,17 +14085,21 @@ procens.us: could not connect to host
 proclubs.news: did not receive HSTS header
 procode.gq: could not connect to host
 procrastinatingengineer.co.uk: could not connect to host
+prodottogiusto.com: could not connect to host
 prodpad.com: did not receive HSTS header
 produccioneskm.cl: did not receive HSTS header
 productgap.com: did not receive HSTS header
 productived.net: did not receive HSTS header
 producto8.com: did not receive HSTS header
+productoinnovador.com: did not receive HSTS header
+produkttest-online.com: did not receive HSTS header
 proesb.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 proesb.net: could not connect to host
 profi-durchgangsmelder.de: did not receive HSTS header
 profinetz.de: could not connect to host
 profivps.com: could not connect to host
 profloorstl.com: did not receive HSTS header
+proformer.io: could not connect to host
 profpay.com: could not connect to host
 profundr.com: could not connect to host
 profusion.io: could not connect to host
@@ -13595,6 +14110,7 @@ programmingstudent.com: could not connect to host
 progress-technologies.com: could not connect to host
 progressivecfo.co.nz: could not connect to host
 prohostonline.fi: could not connect to host
+proimpact.it: did not receive HSTS header
 proitconsulting.com.au: could not connect to host
 proj.org.cn: could not connect to host
 project-rune.tech: could not connect to host
@@ -13609,15 +14125,13 @@ projectherogames.xyz: could not connect to host
 projectl1b1t1na.tk: could not connect to host
 projectmercury.space: did not receive HSTS header
 projectte.ch: could not connect to host
-projectunity.io: could not connect to host
 projectvault.ovh: did not receive HSTS header
 projectx.top: could not connect to host
 projekt-umbriel.de: could not connect to host
 projektik.cz: did not receive HSTS header
-projet-fly.ch: could not connect to host
 projetoresecia.com: could not connect to host
 prok.pw: did not receive HSTS header
-prokop.ovh: could not connect to host
+prokop.ovh: did not receive HSTS header
 promarketer.net: did not receive HSTS header
 promecon-gmbh.de: did not receive HSTS header
 promedicalapplications.com: did not receive HSTS header
@@ -13629,6 +14143,7 @@ pronostic-king.fr: could not connect to host
 prontocleaners.co.uk: could not connect to host
 prontolight.com: did not receive HSTS header
 prontomovers.co.uk: could not connect to host
+proobec.cz: did not receive HSTS header
 propactrading.com: could not connect to host
 propagandism.org: did not receive HSTS header
 propepper.net: did not receive HSTS header
@@ -13647,9 +14162,7 @@ prostoporno.sexy: could not connect to host
 proteapower.co.za: could not connect to host
 protecciondelconsumidor.gov: did not receive HSTS header
 proteinnuts.cz: could not connect to host
-proteinnuts.sk: did not receive HSTS header
 protonmail.ch: did not receive HSTS header
-protoyou.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 provisionaldriving.com: did not receive HSTS header
 provisionircd.tk: did not receive HSTS header
 provitacare.com: did not receive HSTS header
@@ -13659,7 +14172,7 @@ proxbox.net: did not receive HSTS header
 proxi.cf: could not connect to host
 proximato.com: could not connect to host
 proxybay.al: could not connect to host
-proxybay.club: could not connect to host
+proxybay.club: did not receive HSTS header
 proxybay.info: did not receive HSTS header
 proxybay.top: could not connect to host
 proxydesk.eu: could not connect to host
@@ -13694,6 +14207,7 @@ pstrozniak.com: could not connect to host
 pstudio.me: max-age too low: 0
 psw.academy: could not connect to host
 psw.consulting: could not connect to host
+psxtr.com: could not connect to host
 psychiatrie-betreuung.ch: could not connect to host
 psychologie-hofner.at: could not connect to host
 psynapse.net.au: could not connect to host
@@ -13714,7 +14228,8 @@ puetter.eu: could not connect to host
 pugilares.com.pl: could not connect to host
 pugliese.fr: could not connect to host
 puhe.se: could not connect to host
-puikheid.nl: could not connect to host
+puhka.me: could not connect to host
+puikheid.nl: did not receive HSTS header
 puiterwijk.org: could not connect to host
 puli.com.br: could not connect to host
 pulledporkheaven.com: could not connect to host
@@ -13730,6 +14245,7 @@ purahealthyliving.com: did not receive HSTS header
 purbd.com: did not receive HSTS header
 pureessentialoil.biz: max-age too low: 300
 pureholisticliving.me: could not connect to host
+purelunch.co.uk: could not connect to host
 purewebmasters.com: could not connect to host
 purikore.com: could not connect to host
 purplehippie.in: did not receive HSTS header
@@ -13737,7 +14253,8 @@ purplez.pw: did not receive HSTS header
 purpoz.com.br: could not connect to host
 purpspc.com: could not connect to host
 push.world: did not receive HSTS header
-pushapp.org: could not connect to host
+pushapp.org: did not receive HSTS header
+pushphp.com: could not connect to host
 pushstar.com: max-age too low: 0
 puzz.gg: could not connect to host
 pvagner.tk: did not receive HSTS header
@@ -13745,8 +14262,9 @@ pwd.ovh: could not connect to host
 pwfrance.com: could not connect to host
 pwi.agency: did not receive HSTS header
 pwm.jp: could not connect to host
-pwnsdx.pw: could not connect to host
+pwnsdx.pw: did not receive HSTS header
 pwntr.com: could not connect to host
+pwt.pw: could not connect to host
 pxio.de: did not receive HSTS header
 pyjiaoyi.cf: could not connect to host
 pyol.org: could not connect to host
@@ -13787,6 +14305,7 @@ qirinus.com: did not receive HSTS header
 qiuxian.ddns.net: could not connect to host
 qixxit.de: did not receive HSTS header
 qkka.org: did not receive HSTS header
+qkzy.net: did not receive HSTS header
 qldconservation.org: could not connect to host
 qnatek.org: could not connect to host
 qonqa.de: did not receive HSTS header
@@ -13804,6 +14323,7 @@ qrforex.com: did not receive HSTS header
 qrlending.com: could not connect to host
 qrlfinancial.com: could not connect to host
 qswoo.org: could not connect to host
+qtap.me: could not connect to host
 qto.org: could not connect to host
 quaedam.org: did not receive HSTS header
 quail.solutions: could not connect to host
@@ -13829,7 +14349,7 @@ quarus.net: could not connect to host
 quebecmailbox.com: could not connect to host
 queenbrownie.com.br: could not connect to host
 queenshaflo.com: could not connect to host
-queextensiones.com: did not receive HSTS header
+queercinema.ch: could not connect to host
 quelmandataire.fr: did not receive HSTS header
 querkommentar.de: did not receive HSTS header
 queroreceitasoberana.com.br: did not receive HSTS header
@@ -13837,6 +14357,7 @@ queryplayground.com: could not connect to host
 questionable.host: could not connect to host
 questions-admin.com: did not receive HSTS header
 questionyu.com: did not receive HSTS header
+questoj.cn: did not receive HSTS header
 questsandrewards.com: could not connect to host
 quic.fr: did not receive HSTS header
 quickandroid.tools: could not connect to host
@@ -13844,6 +14365,7 @@ quickpayservice.com: could not connect to host
 quietus.gq: could not connect to host
 quikrmovies.to: could not connect to host
 quikstorhawaii.com: max-age too low: 300
+quilmo.com: could not connect to host
 quimsertek.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 quizionic.com: could not connect to host
 quizl.io: did not receive HSTS header
@@ -13857,23 +14379,22 @@ qweepi.de: could not connect to host
 qwertyatom100.me: could not connect to host
 qwilink.me: did not receive HSTS header
 qybot.cc: did not receive HSTS header
-r-ay.club: did not receive HSTS header
+r-ay.club: could not connect to host
 r-core.org: could not connect to host
 r-core.ru: could not connect to host
 r-cut.fr: could not connect to host
 r-rickroll-u.pw: could not connect to host
-r0uzic.net: could not connect to host
+r0t.co: could not connect to host
+r0uzic.net: did not receive HSTS header
 r10n.com: did not receive HSTS header
 r15.me: did not receive HSTS header
 r18.moe: could not connect to host
 raajheshkannaa.com: could not connect to host
 rabbitvcactus.eu: did not receive HSTS header
 rabota-x.ru: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-rabotaescort.com: did not receive HSTS header
 racasdecachorro.org: could not connect to host
-racdek.com: max-age too low: 300
-racdek.net: max-age too low: 300
-racdek.nl: max-age too low: 300
+racdek.net: max-age too low: 2628000
+racdek.nl: max-age too low: 2628000
 rachaelrussell.com: did not receive HSTS header
 rackblue.com: could not connect to host
 racktear.com: did not receive HSTS header
@@ -13885,13 +14406,13 @@ raddavarden.nu: did not receive HSTS header
 radicaleducation.net: could not connect to host
 radioactivenetwork.xyz: could not connect to host
 radioafibra.com.br: could not connect to host
+radionicabg.com: could not connect to host
 radior9.it: could not connect to host
 radom-pack.pl: could not connect to host
-radtke.bayern: could not connect to host
+radtke.bayern: did not receive HSTS header
 rafaelcz.de: could not connect to host
 raft.pub: could not connect to host
-rage-overload.ch: could not connect to host
-rage.rip: could not connect to host
+raghavdua.in: could not connect to host
 ragingserenity.com: did not receive HSTS header
 ragnaroktop.com.br: could not connect to host
 rahadiana.com: could not connect to host
@@ -13900,18 +14421,16 @@ rai-co.net: did not receive HSTS header
 raiblockscommunity.net: could not connect to host
 raidstone.com: could not connect to host
 raidstone.rocks: could not connect to host
-raiffeisen-kosovo.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 railjob.cn: could not connect to host
 railyardurgentcare.com: did not receive HSTS header
 rainbin.com: could not connect to host
 rainbowbarracuda.com: could not connect to host
-raisecorp.com: could not connect to host
 raitza.de: could not connect to host
 rakugaki.cn: could not connect to host
 ramatola.uk: could not connect to host
 rambii.de: could not connect to host
 ramblingrf.tech: could not connect to host
-ramezanloo.com: could not connect to host
+ramezanloo.com: did not receive HSTS header
 ramitmittal.com: could not connect to host
 ramon-c.nl: could not connect to host
 ramonj.nl: could not connect to host
@@ -13928,21 +14447,25 @@ rantanda.com: could not connect to host
 rany.duckdns.org: could not connect to host
 rany.io: did not receive HSTS header
 rany.pw: could not connect to host
+ranyeh.co: could not connect to host
+rapdogg.com: could not connect to host
 raphaelmoura.ddns.net: could not connect to host
 rapidemobile.com: did not receive HSTS header
 rapidflow.io: could not connect to host
 rapido.nu: could not connect to host
 rapidresearch.me: could not connect to host
 rapidthunder.io: could not connect to host
+rasebo.ro: could not connect to host
 rasing.me: max-age too low: 43200
 raspass.me: did not receive HSTS header
 raspberry.us: could not connect to host
 raspberryultradrops.com: did not receive HSTS header
+raspitec.ddns.net: could not connect to host
 rastreador.com.es: did not receive HSTS header
-rastreie.net: did not receive HSTS header
+rastreie.net: could not connect to host
 ratajczak.fr: could not connect to host
 rate-esport.de: could not connect to host
-rathorian.fr: did not receive HSTS header
+rathorian.fr: could not connect to host
 rationem.nl: did not receive HSTS header
 ratuseks.com: could not connect to host
 ratuseks.net: could not connect to host
@@ -13950,12 +14473,13 @@ ratuseks.us: could not connect to host
 rauchenwald.net: could not connect to host
 raucris.ro: could not connect to host
 raulfraile.net: could not connect to host
-raum4224.de: max-age too low: 0
-rautermods.net: could not connect to host
+rautermods.net: did not receive HSTS header
 ravage.fm: did not receive HSTS header
 raven.lipetsk.ru: could not connect to host
 ravengergaming.ga: could not connect to host
 ravengergaming.net: could not connect to host
+ravenx.me: could not connect to host
+raviparekh.co.uk: could not connect to host
 ravse.dk: could not connect to host
 raw-diets.com: could not connect to host
 rawet.se: could not connect to host
@@ -13985,6 +14509,7 @@ rburchell.com: did not receive HSTS header
 rbxcatalog.com: could not connect to host
 rc4.io: could not connect to host
 rc7.ch: could not connect to host
+rca.ink: could not connect to host
 rcafox.com: could not connect to host
 rcoliveira.com: could not connect to host
 rcorporation.be: did not receive HSTS header
@@ -13993,8 +14518,6 @@ rcraigmurphy.net: could not connect to host
 rcvd.io: did not receive HSTS header
 rcx.io: could not connect to host
 rdfz.tech: could not connect to host
-rdh.asia: could not connect to host
-rdns.cc: could not connect to host
 rdns.im: did not receive HSTS header
 rdplumbingsolutions.com.au: did not receive HSTS header
 rdxsattamatka.mobi: could not connect to host
@@ -14003,6 +14526,7 @@ re-customer.net: could not connect to host
 re-wilding.com: could not connect to host
 reachr.com: could not connect to host
 reactdatepicker.com: did not receive HSTS header
+reactions.ai: could not connect to host
 reactor92.com: could not connect to host
 reader.ga: could not connect to host
 readify.com.au: did not receive HSTS header
@@ -14022,7 +14546,6 @@ realfamilyincest.com: could not connect to host
 realgarant-shop.de: did not receive HSTS header
 realhost.name: could not connect to host
 realincest.tv: could not connect to host
-really.ai: could not connect to host
 really.io: did not receive HSTS header
 reallyreally.io: did not receive HSTS header
 realmic.net: could not connect to host
@@ -14035,6 +14558,7 @@ reaper.rip: could not connect to host
 reardenporn.com: could not connect to host
 rebekaesgabor.online: could not connect to host
 rebootmc.com: could not connect to host
+rebtoor.com: could not connect to host
 receitas-de-bolos.pt: could not connect to host
 receitasdebacalhau.pt: could not connect to host
 receptionsbook.com: could not connect to host
@@ -14048,6 +14572,7 @@ recreation.gov: did not receive HSTS header
 recruitsecuritytraining.co.uk: could not connect to host
 recruitsecuritytraining.com: could not connect to host
 rectoraudiparts.com: could not connect to host
+red-trigger.net: did not receive HSTS header
 redair.es: could not connect to host
 redar.xyz: could not connect to host
 redburn.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -14056,12 +14581,15 @@ reddiseals.com: [Exception... "Component returned failure code: 0x80004005 (NS_E
 reddit.com: did not receive HSTS header
 rede.ca: did not receive HSTS header
 redeemingbeautyminerals.com: max-age too low: 0
+redespaulista.com: did not receive HSTS header
 redheeler.com.br: could not connect to host
 redhorsemountainranch.com: did not receive HSTS header
 redicabo.de: could not connect to host
+redigest.it: max-age too low: 0
 redirectman.com: could not connect to host
 redizoo.com: did not receive HSTS header
 redlatam.org: did not receive HSTS header
+redletter.link: could not connect to host
 redmbk.com: did not receive HSTS header
 redneck-gaming.de: did not receive HSTS header
 redner.cc: did not receive HSTS header
@@ -14114,6 +14642,7 @@ reinaertvandecruys.com: could not connect to host
 reinaertvandecruys.me: could not connect to host
 reineberthe.ch: could not connect to host
 reinoldus.ddns.net: could not connect to host
+reisenbauer.ee: could not connect to host
 reismil.ch: could not connect to host
 reisyukaku.org: did not receive HSTS header
 reithguard-it.de: did not receive HSTS header
@@ -14131,34 +14660,36 @@ rem.pe: did not receive HSTS header
 rema.site: did not receive HSTS header
 remain.london: could not connect to host
 remedica.fr: could not connect to host
-remedioparaherpes.com: did not receive HSTS header
-remedios-caserospara.com: did not receive HSTS header
+remedioscaserosparalacistitis.com: did not receive HSTS header
 remedium.de: could not connect to host
 remedyrehab.com: did not receive HSTS header
 rememberthis.co.za: could not connect to host
 remodela.com.ve: could not connect to host
 remodelwithlegacy.com: did not receive HSTS header
 remonttitekniikka.fi: could not connect to host
-remoteham.com: could not connect to host
 remotestance.com: did not receive HSTS header
 rencaijia.com: did not receive HSTS header
 rencontres-erotiques.com: did not receive HSTS header
-reneclemens.nl: max-age too low: 300
-renedekoeijer.nl: max-age too low: 300
-renewed.technology: could not connect to host
+rene-guitton.fr: did not receive HSTS header
+reneclemens.nl: max-age too low: 2628000
+renedekoeijer.nl: max-age too low: 2628000
 rengarenkblog.com: could not connect to host
 renideo.fr: could not connect to host
 renkhosting.com: could not connect to host
 renlong.org: did not receive HSTS header
 rennfire.org: could not connect to host
 renrenss.com: could not connect to host
+renscreations.com: could not connect to host
 rentacarcluj.xyz: did not receive HSTS header
 rentalmed.com.br: did not receive HSTS header
+rentasweb.gob.ar: did not receive HSTS header
 rentbrowser.com: could not connect to host
 rentbrowsertrain.me: could not connect to host
 rentcarassist.com: could not connect to host
 renteater.com: could not connect to host
 rentex.com: did not receive HSTS header
+reo.gov: could not connect to host
+reorz.com: could not connect to host
 reparo.pe: did not receive HSTS header
 repex.co.il: could not connect to host
 replaceits.me: could not connect to host
@@ -14181,6 +14712,7 @@ reptilauksjonen.no: could not connect to host
 republicmo.gov: could not connect to host
 repustate.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 reqognize.com: could not connect to host
+reqrut.net: could not connect to host
 request-trent.com: could not connect to host
 res-rheingau.de: could not connect to host
 res42.com: did not receive HSTS header
@@ -14200,6 +14732,8 @@ restaurantemiperu.com: did not receive HSTS header
 restaurantesimonetti.com.br: could not connect to host
 restaurantmangal.ch: could not connect to host
 restchart.com: did not receive HSTS header
+rester-a-domicile.ch: could not connect to host
+rester-autonome-chez-soi.ch: could not connect to host
 restioson.me: could not connect to host
 restopro.nyc: could not connect to host
 restoreresearchstudy.com: could not connect to host
@@ -14236,6 +14770,7 @@ reykjavik.guide: could not connect to host
 rezun.cloud: did not receive HSTS header
 rf.tn: could not connect to host
 rfeif.org: could not connect to host
+rfxanalyst.com: could not connect to host
 rgservers.com: did not receive HSTS header
 rhapsodhy.hu: could not connect to host
 rhdigital.pro: could not connect to host
@@ -14244,10 +14779,10 @@ rhering.de: could not connect to host
 rhetthenckel.com: max-age too low: 0
 rheuma-online.de: could not connect to host
 rhiskiapril.com: could not connect to host
+rhnet.at: could not connect to host
 rhodes.ml: could not connect to host
 rhodesianridgeback.com.br: could not connect to host
 rhodosdreef.nl: could not connect to host
-riaucybersolution.net: did not receive HSTS header
 ribopierre.fr: could not connect to host
 riceglue.com: could not connect to host
 richamorindonesia.com: did not receive HSTS header
@@ -14277,20 +14812,21 @@ riesenmagnete.de: could not connect to host
 riester.pl: did not receive HSTS header
 right-to-love.name: did not receive HSTS header
 right2.org: could not connect to host
+rightcapital.com: did not receive HSTS header
 righteousendeavour.com: could not connect to host
 righttoknow.ie: did not receive HSTS header
 rijndael.xyz: could not connect to host
 rijnmondeg.nl: did not receive HSTS header
 rika.me: could not connect to host
+rimediogiusto.com: could not connect to host
 rincon-nsn.gov: could not connect to host
 ring0.xyz: did not receive HSTS header
 ringh.am: could not connect to host
 rinj.se: did not receive HSTS header
 rionewyork.com.br: could not connect to host
-ripa.io: did not receive HSTS header
+ripa.io: could not connect to host
 ripple.com: did not receive HSTS header
 rippleunion.com: could not connect to host
-ris.fi: could not connect to host
 risi-china.com: could not connect to host
 risingsun.red: could not connect to host
 riskmgt.com.au: could not connect to host
@@ -14299,13 +14835,11 @@ ristorantefattoamano.eu: could not connect to host
 rithm.ch: did not receive HSTS header
 rittis.ru: did not receive HSTS header
 rivagecare.it: did not receive HSTS header
-riverbed.com: did not receive HSTS header
 rivercruiseadvisor.com: did not receive HSTS header
 rivermendhealthcenters.com: did not receive HSTS header
 riversideauto.net: did not receive HSTS header
 riverstyxgame.com: could not connect to host
 rivlo.com: could not connect to host
-riwick.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 rj.gg: could not connect to host
 rjnutrition.consulting: did not receive HSTS header
 rk6.cz: could not connect to host
@@ -14325,13 +14859,15 @@ roan24.pl: did not receive HSTS header
 roave.com: could not connect to host
 rob.uk.com: did not receive HSTS header
 robertabittle.com: could not connect to host
-robertbln.com: could not connect to host
+robertg.me: did not receive HSTS header
+robertglastra.com: could not connect to host
 roberto-webhosting.nl: could not connect to host
 robertocasares.no-ip.biz: could not connect to host
 robi-net.it: could not connect to host
 robin-novotny.com: could not connect to host
-robinadr.com: could not connect to host
+robinadr.com: did not receive HSTS header
 robomonkey.org: could not connect to host
+robtatemusic.com: could not connect to host
 robteix.com: did not receive HSTS header
 robtex.net: did not receive HSTS header
 robtex.org: did not receive HSTS header
@@ -14339,6 +14875,7 @@ robust.ga: could not connect to host
 roc.net.au: could not connect to host
 rochman.id: did not receive HSTS header
 rockcellar.ch: could not connect to host
+rocketgnomes.com: could not connect to host
 rocketnet.ml: could not connect to host
 rockeyscrivo.com: did not receive HSTS header
 rocksberg.net: could not connect to host
@@ -14359,6 +14896,7 @@ rofrank.space: could not connect to host
 rogeiro.net: could not connect to host
 roger101.com: did not receive HSTS header
 rogerdat.ovh: could not connect to host
+roguesignal.net: could not connect to host
 rohanbassett.com: could not connect to host
 rohankrishnadev.in: could not connect to host
 rohlik.cz: did not receive HSTS header
@@ -14372,7 +14910,7 @@ rolroer.co.za: could not connect to host
 romaimperator.com: did not receive HSTS header
 romainmuller.xyz: did not receive HSTS header
 romans-place.me.uk: could not connect to host
-romantic-quotes.co.uk: could not connect to host
+romantic-quotes.co.uk: did not receive HSTS header
 romanticschemermovie.com: could not connect to host
 romeoferraris.com: did not receive HSTS header
 romleg.cf: could not connect to host
@@ -14391,7 +14929,7 @@ rool.me: did not receive HSTS header
 roolevoi.ru: could not connect to host
 room-checkin24.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 roomongo.com: did not receive HSTS header
-roosteroriginals.com: could not connect to host
+roosterpgplus.nl: did not receive HSTS header
 rootbsd.at: could not connect to host
 rootforum.org: did not receive HSTS header
 rootrelativity.com: could not connect to host
@@ -14401,6 +14939,7 @@ rop.io: did not receive HSTS header
 roquecenter.org: did not receive HSTS header
 roromendut.online: could not connect to host
 rorymcdaniel.com: could not connect to host
+roseofyork.com: did not receive HSTS header
 rosetiger.life: could not connect to host
 rosewoodranch.com: did not receive HSTS header
 roshiya.co.in: could not connect to host
@@ -14408,6 +14947,7 @@ rosi-royal.com: could not connect to host
 rospa100.com: did not receive HSTS header
 rossclark.com: did not receive HSTS header
 rossen.be: did not receive HSTS header
+rossfrancis.co.uk: did not receive HSTS header
 rossiworld.com: did not receive HSTS header
 rosslug.org.uk: could not connect to host
 rotex1840.de: did not receive HSTS header
@@ -14422,10 +14962,50 @@ rous.se: could not connect to host
 rouvray.org: could not connect to host
 royal-forest.org: max-age too low: 0
 royal-mangal.ch: could not connect to host
+royal806.com: did not receive HSTS header
+royal810.com: could not connect to host
+royal811.com: could not connect to host
+royal816.com: could not connect to host
+royal817.com: could not connect to host
+royal830.com: could not connect to host
+royal833.com: did not receive HSTS header
+royal851.com: could not connect to host
+royal852.com: did not receive HSTS header
+royal855.com: could not connect to host
+royal856.com: did not receive HSTS header
+royal857.com: did not receive HSTS header
+royal859.com: did not receive HSTS header
+royal86.com: did not receive HSTS header
+royal861.com: did not receive HSTS header
+royal865.com: did not receive HSTS header
+royal869.com: did not receive HSTS header
+royal872.com: could not connect to host
+royal873.com: did not receive HSTS header
+royal875.com: did not receive HSTS header
 royal876.com: could not connect to host
+royal877.com: could not connect to host
+royal879.com: could not connect to host
+royal88.tech: did not receive HSTS header
+royal881.com: could not connect to host
+royal882.com: could not connect to host
+royal883.com: could not connect to host
+royal885.com: did not receive HSTS header
+royal886.com: did not receive HSTS header
+royal887.com: did not receive HSTS header
+royal888888.com: did not receive HSTS header
+royal889.com: did not receive HSTS header
+royal890.com: could not connect to host
+royal891.com: could not connect to host
+royal892.com: could not connect to host
+royal893.com: could not connect to host
+royal894.com: could not connect to host
+royal895.com: could not connect to host
+royal896.com: did not receive HSTS header
+royal899.com: did not receive HSTS header
 royalhop.co: could not connect to host
 royalsignaturecruise.com: could not connect to host
 royaltube.net: could not connect to host
+royalyule.com: did not receive HSTS header
 roychan.org: max-age too low: 0
 royzez.com: could not connect to host
 rozalisbengal.ro: could not connect to host
@@ -14434,7 +15014,8 @@ rpasafrica.com: could not connect to host
 rr.in.th: could not connect to host
 rring.me: could not connect to host
 rritv.com: could not connect to host
-rrke.cc: did not receive HSTS header
+rrke.cc: could not connect to host
+rro.rs: could not connect to host
 rrom.me: did not receive HSTS header
 rs-devdemo.host: could not connect to host
 rsajeey.info: could not connect to host
@@ -14450,6 +15031,7 @@ rsships.com: could not connect to host
 rstraining.co.uk: did not receive HSTS header
 rstsecuritygroup.co.uk: could not connect to host
 rtc.fun: could not connect to host
+rtd.uk.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 rtfpessoa.xyz: did not receive HSTS header
 rtho.me: did not receive HSTS header
 rttss.com: could not connect to host
@@ -14463,6 +15045,8 @@ rubendv.be: did not receive HSTS header
 rubenschulz.nl: did not receive HSTS header
 rubi-ka.net: max-age too low: 0
 ruborr.se: did not receive HSTS header
+rubyquincunx.com: could not connect to host
+rubyquincunx.org: could not connect to host
 rubysecurity.org: did not receive HSTS header
 rubyshop.nl: could not connect to host
 rudeotter.com: did not receive HSTS header
@@ -14472,7 +15056,7 @@ ruflay.ru: could not connect to host
 rugirlfriend.com: could not connect to host
 rugs.ca: did not receive HSTS header
 rugstorene.co.uk: did not receive HSTS header
-ruhr3.de: could not connect to host
+ruhr3.de: did not receive HSTS header
 ruig.jp: could not connect to host
 ruigomes.me: did not receive HSTS header
 ruitershoponline.nl: did not receive HSTS header
@@ -14481,11 +15065,9 @@ rukhaiyar.com: could not connect to host
 rullzer.com: did not receive HSTS header
 rummel-platz.de: could not connect to host
 rumoterra.com.br: could not connect to host
-run-forrest.run: could not connect to host
 runawebinar.nl: could not connect to host
 runcarina.com: could not connect to host
 rundumcolumn.xyz: could not connect to host
-runefake.com: did not receive HSTS header
 runementors.com: could not connect to host
 runhardt.eu: did not receive HSTS header
 runtl.com: did not receive HSTS header
@@ -14496,7 +15078,6 @@ rusadmin.biz: did not receive HSTS header
 rusl.me: could not connect to host
 rusl.net: did not receive HSTS header
 russmarshall.com: could not connect to host
-russpuss.ru: did not receive HSTS header
 rustbyexample.com: did not receive HSTS header
 rustfanatic.com: did not receive HSTS header
 rustralasia.net: max-age too low: 0
@@ -14510,9 +15091,11 @@ rvolve.net: could not connect to host
 rw-solutions.tech: could not connect to host
 rwanderlust.com: did not receive HSTS header
 rwgamernl.ml: could not connect to host
+rxgroup.io: could not connect to host
 rxprep.com: did not receive HSTS header
 rxt.social: could not connect to host
 rxv.cc: could not connect to host
+ryancarter.co.uk: did not receive HSTS header
 ryanroberts.co.uk: could not connect to host
 ryanteck.uk: did not receive HSTS header
 rybox.info: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -14520,6 +15103,7 @@ ryejuice.sytes.net: could not connect to host
 rylin.net: did not receive HSTS header
 rylore.com: could not connect to host
 ryssland.guide: could not connect to host
+ryyule.com: did not receive HSTS header
 ryzex.de: could not connect to host
 rzegroup.com: did not receive HSTS header
 s-d-v.ch: could not connect to host
@@ -14528,27 +15112,28 @@ s-on.li: could not connect to host
 s-rickroll-p.pw: could not connect to host
 s.how: could not connect to host
 s0923.com: could not connect to host
-s0laris.co.uk: could not connect to host
 s1mplescripts.de: could not connect to host
 s1ris.org: did not receive HSTS header
 s3cases.com: did not receive HSTS header
+s3gfault.com: could not connect to host
 s3n.se: could not connect to host
-s4ur0n.com: could not connect to host
 saabwa.org: could not connect to host
 sabatek.pl: did not receive HSTS header
 sabrinajoiasprontaentrega.com.br: could not connect to host
 sabtunes.com: did not receive HSTS header
 sac-shop.com: did not receive HSTS header
+saccounty.gov: could not connect to host
 sacharidovejednotky.eu: could not connect to host
 sachk.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 sackers.com: did not receive HSTS header
 saco-ceso.com: could not connect to host
 sadiejanehair.com: could not connect to host
+sadmansh.com: could not connect to host
 sadsu.com: did not receive HSTS header
 saenforcement.agency: could not connect to host
 safari-afrique.com: did not receive HSTS header
 safe.space: could not connect to host
-safedevice.net: did not receive HSTS header
+safedevice.net: could not connect to host
 safelist.eu: did not receive HSTS header
 safemovescheme.co.uk: could not connect to host
 safemt.gov: could not connect to host
@@ -14566,11 +15151,10 @@ sageth.com: could not connect to host
 sah3.net: could not connect to host
 saigonstar.de: could not connect to host
 sail-nyc.com: did not receive HSTS header
-saimoe.org: did not receive HSTS header
 saint-astier-triathlon.com: did not receive HSTS header
+saintefoy-tarentaise.com: did not receive HSTS header
 saintjohnlutheran.church: did not receive HSTS header
 saintmichelqud.com: did not receive HSTS header
-saintw.com: could not connect to host
 sairai.bid: could not connect to host
 saiyasu-search.com: did not receive HSTS header
 sakaserver.com: did not receive HSTS header
@@ -14581,10 +15165,9 @@ sale.sh: did not receive HSTS header
 saleaks.org: could not connect to host
 salearnership.co.za: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 saleslift.pl: could not connect to host
-salishseawhalewatching.ca: could not connect to host
+salishseawhalewatching.ca: did not receive HSTS header
 sallysubs.com: could not connect to host
 salmo23.com.br: could not connect to host
-salmonrecovery.gov: could not connect to host
 salon-claudia.ch: could not connect to host
 salonestella.it: could not connect to host
 salserocafe.com: did not receive HSTS header
@@ -14592,20 +15175,23 @@ salserototal.com: could not connect to host
 saltedskies.com: could not connect to host
 saltra.online: could not connect to host
 saltro.nl: did not receive HSTS header
-saludsexualmasculina.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+saludsexualmasculina.org: did not receive HSTS header
 salvaalocombia.com: could not connect to host
 salverainha.org: could not connect to host
 salzamt.tk: could not connect to host
+samanacafe.com: could not connect to host
 samanthahumphreysstudio.com: did not receive HSTS header
+samanthasicecream.com: could not connect to host
 samaritan.tech: could not connect to host
 samaritansnet.org: did not receive HSTS header
 sametovymesic.cz: could not connect to host
 samin.tk: could not connect to host
+samip.fi: did not receive HSTS header
 saml2.com: could not connect to host
 samlamac.com: could not connect to host
 samm.com.au: did not receive HSTS header
 sammenlignakasser.dk: did not receive HSTS header
-sammyjohnson.com: could not connect to host
+sammyslimos.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 samp.im: could not connect to host
 sampcup.com: could not connect to host
 sampoznay.ru: could not connect to host
@@ -14616,7 +15202,7 @@ samsungxoa.com: could not connect to host
 samvanderkris.com: could not connect to host
 samvanderkris.xyz: did not receive HSTS header
 samyerkes.com: did not receive HSTS header
-san-mian-ka.ml: could not connect to host
+san-mian-ka.ml: did not receive HSTS header
 sanalbayrak.com: could not connect to host
 sanandreasstories.com: did not receive HSTS header
 sanasalud.org: could not connect to host
@@ -14624,10 +15210,11 @@ sanatfilan.com: did not receive HSTS header
 sanatrans.com: could not connect to host
 sanchez.adv.br: could not connect to host
 sanderknape.com: did not receive HSTS header
+sandtonvipcompanions.com: did not receive HSTS header
 sandviks.com: did not receive HSTS header
 sanguoxiu.com: could not connect to host
 sanhei.ch: did not receive HSTS header
-sanik.my: could not connect to host
+sanik.my: did not receive HSTS header
 sanmuding.com: could not connect to host
 sanradon.by: did not receive HSTS header
 sansage.com.br: did not receive HSTS header
@@ -14710,9 +15297,8 @@ sbox-archives.com: could not connect to host
 sbsrv.ml: could not connect to host
 sby.de: did not receive HSTS header
 sc4le.com: could not connect to host
+scaarus.com: could not connect to host
 scaffoldhireeastrand.co.za: did not receive HSTS header
-scaffoldhirefourways.co.za: did not receive HSTS header
-scaffoldhirerandburg.co.za: did not receive HSTS header
 scaffoldhiresandton.co.za: did not receive HSTS header
 scala.click: did not receive HSTS header
 scannabi.com: could not connect to host
@@ -14722,7 +15308,8 @@ schaafenstrasse.koeln: could not connect to host
 schachburg.de: did not receive HSTS header
 schadegarant.net: could not connect to host
 schalkoortbv.nl: did not receive HSTS header
-schatmeester.be: could not connect to host
+schaper-sport.com: did not receive HSTS header
+schatmeester.be: did not receive HSTS header
 schau-rein.co.at: did not receive HSTS header
 schauer.so: could not connect to host
 schd.io: did not receive HSTS header
@@ -14738,8 +15325,8 @@ schmitz.link: could not connect to host
 schneider-electric.tg: did not receive HSTS header
 schnell-abnehmen.tips: could not connect to host
 schnell-gold.com: could not connect to host
-schnellsuche.de: could not connect to host
 scholl.io: could not connect to host
+schollbox.de: could not connect to host
 school.in.th: could not connect to host
 schooli.io: could not connect to host
 schooltrends.co.uk: did not receive HSTS header
@@ -14770,6 +15357,7 @@ science-anatomie.com: did not receive HSTS header
 scienceathome.org: did not receive HSTS header
 sciencemonster.co.uk: could not connect to host
 scionasset.com: did not receive HSTS header
+sciototownship-oh.gov: did not receive HSTS header
 scivillage.com: did not receive HSTS header
 sckc.stream: could not connect to host
 sclgroup.cc: did not receive HSTS header
@@ -14778,6 +15366,8 @@ scooshonline.co.uk: did not receive HSTS header
 scopea.fr: max-age too low: 0
 score-savers.com: max-age too low: 10540800
 scores4schools.com: could not connect to host
+scorobudem.ru: could not connect to host
+scorocode.ru: did not receive HSTS header
 scotbirchfield.com: did not receive HSTS header
 scottainslie.me.uk: could not connect to host
 scottdial.com: did not receive HSTS header
@@ -14790,14 +15380,15 @@ scottynordstrom.org: could not connect to host
 scourt.info: max-age too low: 0
 scourt.org.ua: could not connect to host
 scoutdb.ch: did not receive HSTS header
+scpartyentertainment.co.uk: did not receive HSTS header
 scrambl.is: could not connect to host
-scramble.io: did not receive HSTS header
+scramble.io: could not connect to host
 scrambler.in: could not connect to host
 scrapings.net: could not connect to host
-screencaster.io: did not receive HSTS header
+screencaster.io: could not connect to host
 screenresolution.space: could not connect to host
 screensaversplanet.com: did not receive HSTS header
-scribbleserver.com: could not connect to host
+scribbleserver.com: did not receive HSTS header
 scribe.systems: could not connect to host
 scrion.com: could not connect to host
 script.google.com: did not receive HSTS header (error ignored - included regardless)
@@ -14809,6 +15400,8 @@ scrollstory.com: did not receive HSTS header
 scruffymen.com: could not connect to host
 scrumplex.net: did not receive HSTS header
 sctm.at: could not connect to host
+scuters.club: could not connect to host
+scw.com: did not receive HSTS header
 scw.nz: could not connect to host
 scwilliams.co.uk: could not connect to host
 scwilliams.uk: could not connect to host
@@ -14827,9 +15420,10 @@ seans.cc: did not receive HSTS header
 seanstrout.com: did not receive HSTS header
 seansyardservice.com: did not receive HSTS header
 searchgov.gov.il: did not receive HSTS header
-searchshops.com: could not connect to host
+searchshops.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 searx.pw: could not connect to host
-searx.xyz: did not receive HSTS header
+seatshare.co.uk: did not receive HSTS header
+seattleprivacy.org: could not connect to host
 seavancouver.com: did not receive HSTS header
 sebastian-bair.de: could not connect to host
 sebastian-lutsch.de: could not connect to host
@@ -14842,10 +15436,10 @@ sebster.com: did not receive HSTS header
 sec4share.me: did not receive HSTS header
 secandtech.com: could not connect to host
 secanje.nl: did not receive HSTS header
-secboom.com: could not connect to host
+secboom.com: did not receive HSTS header
 seccomp.ru: did not receive HSTS header
 seceye.cn: could not connect to host
-secitem.at: did not receive HSTS header
+secitem.at: could not connect to host
 secitem.de: could not connect to host
 secitem.eu: could not connect to host
 secnet.ga: could not connect to host
@@ -14879,6 +15473,7 @@ secureideas.com: did not receive HSTS header
 secureindia.co: could not connect to host
 secureradio.net: could not connect to host
 securesuisse.ch: could not connect to host
+securetronic.ch: could not connect to host
 securita.eu: did not receive HSTS header
 security-carpet.com: could not connect to host
 security-thoughts.org: could not connect to host
@@ -14915,10 +15510,10 @@ seefunk.net: did not receive HSTS header
 seehimnaked.com: could not connect to host
 seehimnude.com: could not connect to host
 seehisnudes.com: could not connect to host
-seekthe.net: could not connect to host
+seekthe.net: did not receive HSTS header
 seele.ca: could not connect to host
 seemeasaperson.com: did not receive HSTS header
-seen.life: could not connect to host
+seen.life: did not receive HSTS header
 sehenderson.com: did not receive HSTS header
 seida.at: could not connect to host
 seiko-dojo.com: could not connect to host
@@ -14937,8 +15532,7 @@ selfhosters.com: could not connect to host
 selfie-france.fr: could not connect to host
 selfserverx.com: could not connect to host
 selitysvideot.fi: did not receive HSTS header
-selldorado.com: could not connect to host
-sellercritic.com: did not receive HSTS header
+sellercritic.com: could not connect to host
 sellocdn.com: could not connect to host
 sellservs.co.za: could not connect to host
 seltendoof.de: could not connect to host
@@ -14947,6 +15541,7 @@ semen3325.xyz: could not connect to host
 semenkovich.com: did not receive HSTS header
 sementes.gratis: could not connect to host
 semianalog.com: could not connect to host
+semirben.de: max-age too low: 172800
 semmlers.com: did not receive HSTS header
 semps-servers.de: could not connect to host
 sendash.com: did not receive HSTS header
@@ -14960,8 +15555,7 @@ sensibus.com: did not receive HSTS header
 sensoft-int.com: could not connect to host
 sensoft-int.net: could not connect to host
 sensualism.com: could not connect to host
-sentic.info: did not receive HSTS header
-seo-lagniappe.com: could not connect to host
+seo-lagniappe.com: did not receive HSTS header
 seoarchive.org: could not connect to host
 seobot.com.au: could not connect to host
 seoenmexico.com.mx: did not receive HSTS header
@@ -14975,12 +15569,14 @@ seomen.biz: could not connect to host
 seomobo.com: could not connect to host
 seosanantonioinc.com: did not receive HSTS header
 seoscribe.net: could not connect to host
+seosec.xyz: could not connect to host
 seotronix.net: did not receive HSTS header
 seowarp.net: did not receive HSTS header
 sep23.ru: did not receive HSTS header
 sepakbola.win: could not connect to host
 sephr.com: did not receive HSTS header
 sepie.gob.es: did not receive HSTS header
+seproco.com: could not connect to host
 septakkordeon.de: could not connect to host
 seq.tf: did not receive HSTS header
 sequatchiecountytn.gov: could not connect to host
@@ -14989,6 +15585,7 @@ serathius.ovh: could not connect to host
 serbien.guide: could not connect to host
 serenitycreams.com: did not receive HSTS header
 serfdom.io: did not receive HSTS header
+sergeemond.ca: could not connect to host
 sergivb01.me: did not receive HSTS header
 serized.pw: could not connect to host
 serkaneles.com: did not receive HSTS header
@@ -14998,7 +15595,6 @@ servecrypt.net: could not connect to host
 servecrypt.ru: could not connect to host
 server-bg.net: could not connect to host
 server.pk: did not receive HSTS header
-serverangels.co.uk: did not receive HSTS header
 servercode.ca: did not receive HSTS header
 serverdensity.io: did not receive HSTS header
 servergno.me: did not receive HSTS header
@@ -15040,6 +15636,8 @@ sfcomercio.com.br: could not connect to host
 sfhobbies.com.br: could not connect to host
 sfsltd.com: did not receive HSTS header
 sgovaard.nl: did not receive HSTS header
+sgroup-hitoduma.com: did not receive HSTS header
+sgroup-rec.com: did not receive HSTS header
 sgthotshot.com: could not connect to host
 sgtsnookums.net: could not connect to host
 sh11.pp.ua: did not receive HSTS header
@@ -15083,6 +15681,7 @@ shanxiapark.com: could not connect to host
 shanyhs.com: could not connect to host
 shapesedinburgh.co.uk: did not receive HSTS header
 shardsoft.com: could not connect to host
+sharecc.co: could not connect to host
 shareeri.com: could not connect to host
 shareimg.xyz: could not connect to host
 sharemessage.net: could not connect to host
@@ -15109,11 +15708,12 @@ shawnh.net: could not connect to host
 shawnstarrcustomhomes.com: did not receive HSTS header
 shawnwilson.info: could not connect to host
 shazbots.org: could not connect to host
+shellday.cc: could not connect to host
 shellot.com: could not connect to host
 shellsec.pw: did not receive HSTS header
-shemissed.me: could not connect to host
 shena.co.uk: could not connect to host
 shengrenyu.com: could not connect to host
+shens.ai: could not connect to host
 shentengtu.idv.tw: could not connect to host
 shep.co.il: did not receive HSTS header
 sheratan.web.id: could not connect to host
@@ -15126,6 +15726,7 @@ sheying.tm: could not connect to host
 shiatsu-institut.ch: could not connect to host
 shibainu.com.br: could not connect to host
 shibe.club: could not connect to host
+shieldofachilles.in: could not connect to host
 shift.ooo: did not receive HSTS header
 shiftins.com: could not connect to host
 shiftnrg.org: did not receive HSTS header
@@ -15148,11 +15749,12 @@ shishamania.de: could not connect to host
 shishkin.link: did not receive HSTS header
 shitfest.info: did not receive HSTS header
 shitposting.life: could not connect to host
-shivamber.com: did not receive HSTS header
 shk.im: could not connect to host
 shlemenkov.by: could not connect to host
 shm-forum.org.uk: could not connect to host
-sho-tanaka.jp: did not receive HSTS header
+shmibbles.me: could not connect to host
+shmunky.co.uk: did not receive HSTS header
+sho-tanaka.jp: could not connect to host
 shocksrv.com: did not receive HSTS header
 shoemuse.com: did not receive HSTS header
 shooshosha.com: could not connect to host
@@ -15179,6 +15781,7 @@ showdepiscinas.com.br: did not receive HSTS header
 shower.im: did not receive HSTS header
 showkeeper.tv: did not receive HSTS header
 showroom.de: did not receive HSTS header
+showroom113.ru: could not connect to host
 shoxmusic.net: max-age too low: 2592000
 shred.ch: could not connect to host
 shredoptics.ch: could not connect to host
@@ -15195,6 +15798,7 @@ shybynature.com: did not receive HSTS header
 shymeck.pw: could not connect to host
 shypp.it: could not connect to host
 shyrydan.es: could not connect to host
+si.to: could not connect to host
 siamega.com: could not connect to host
 siammedia.co: could not connect to host
 siamojo.com: could not connect to host
@@ -15202,14 +15806,20 @@ sianimacion.com: could not connect to host
 siao-mei.com: did not receive HSTS header
 sichere-kartenakzeptanz.de: could not connect to host
 siciliadigitale.pro: could not connect to host
+sickfile.com: could not connect to host
 sicklepod.com: could not connect to host
+siconnect.us: did not receive HSTS header
 sictame-tigf.org: did not receive HSTS header
 sideropolisnoticias.com.br: did not receive HSTS header
+sidpod.ru: could not connect to host
+siduga.com: could not connect to host
 siebens.net: could not connect to host
 sieh.es: did not receive HSTS header
 sieulog.com: could not connect to host
 sifls.com: could not connect to host
 sifreuret.com: could not connect to host
+signaltransmitter.de: did not receive HSTS header
+signdesk.com: did not receive HSTS header
 signere.com: could not connect to host
 signere.no: did not receive HSTS header
 signoracle.com: could not connect to host
@@ -15234,8 +15844,9 @@ silver-drachenkrieger.de: did not receive HSTS header
 silverartcollector.com: did not receive HSTS header
 silverback.is: did not receive HSTS header
 silvergoldbull.ba: could not connect to host
+silvergoldbull.bg: could not connect to host
 silvergoldbull.kg: could not connect to host
-silvergoldbull.lt: could not connect to host
+silvergoldbull.ky: could not connect to host
 silvergoldbull.md: could not connect to host
 silvergoldbull.ml: could not connect to host
 silvergoldbull.ph: could not connect to host
@@ -15269,6 +15880,7 @@ simpan.id: could not connect to host
 simpeo.fr: did not receive HSTS header
 simpeo.org: did not receive HSTS header
 simpleai.net: max-age too low: 600
+simpleclassiclife.com: could not connect to host
 simplefraud.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 simplelearner.com: could not connect to host
 simplepractice.com: did not receive HSTS header
@@ -15287,9 +15899,10 @@ sincai666.com: could not connect to host
 sinceschool.com: could not connect to host
 sinclairmoving.com: did not receive HSTS header
 sincron.org: could not connect to host
+sinefili.com: could not connect to host
 sinful.pw: could not connect to host
 singee.site: could not connect to host
-singerwang.com: could not connect to host
+singerwang.com: did not receive HSTS header
 singles-berlin.de: could not connect to host
 singul4rity.com: could not connect to host
 sinkip.com: could not connect to host
@@ -15302,6 +15915,7 @@ sinsojb.me: could not connect to host
 sintesysglobal.com: did not receive HSTS header
 sinusbot.online: did not receive HSTS header
 sion.moe: did not receive HSTS header
+sipc.org: did not receive HSTS header
 sipsik.net: did not receive HSTS header
 siqi.wang: could not connect to host
 sirburton.com: could not connect to host
@@ -15310,7 +15924,7 @@ sirius-lee.net: could not connect to host
 siro.gq: did not receive HSTS header
 siroop.ch: did not receive HSTS header
 sisgopro.com: could not connect to host
-sistemasespecializados.com: could not connect to host
+sistemasespecializados.com: did not receive HSTS header
 sistemlash.com: did not receive HSTS header
 sistemos.net: could not connect to host
 sistersurprise.de: did not receive HSTS header
@@ -15329,10 +15943,9 @@ sitesuccessful.com: did not receive HSTS header
 sitsy.ru: did not receive HSTS header
 sittinginoblivion.com: did not receive HSTS header
 sizingservers.be: did not receive HSTS header
-sizzle.co.uk: did not receive HSTS header
+sizzle.co.uk: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 sja-se-training.com: could not connect to host
 sjatsh.com: could not connect to host
-sjdaws.com: could not connect to host
 sjdtaxi.com: did not receive HSTS header
 sjhyl11.com: could not connect to host
 sjsc.fr: did not receive HSTS header
@@ -15363,13 +15976,14 @@ skinbet.co: could not connect to host
 skinmarket.co: could not connect to host
 skischuleulm.de: did not receive HSTS header
 skk.io: could not connect to host
-sklotechnik.cz: did not receive HSTS header
 skocia.net: did not receive HSTS header
 skoda-clever-lead.de: could not connect to host
 skoda-im-dialog.de: could not connect to host
 skoda-nurdiebesten.de: did not receive HSTS header
 skoda-service-team-cup.de: did not receive HSTS header
+skolnieks.lv: could not connect to host
 skomski.org: did not receive HSTS header
+skoolergraph.azurewebsites.net: did not receive HSTS header
 skpdev.net: could not connect to host
 skrimix.tk: could not connect to host
 skrivande.co: could not connect to host
@@ -15379,19 +15993,19 @@ sky-universe.net: did not receive HSTS header
 skyasker.cn: could not connect to host
 skyasker.com: could not connect to host
 skybloom.com: could not connect to host
+skybloom.io: could not connect to host
 skybound.link: did not receive HSTS header
 skyflix.me: could not connect to host
 skyline.link: could not connect to host
 skyline.tw: did not receive HSTS header
 skylocker.net: could not connect to host
 skylocker.nl: did not receive HSTS header
-skynetz.tk: could not connect to host
 skyoy.com: did not receive HSTS header
 skypeassets.com: could not connect to host
 skypoker.com: could not connect to host
 skyris.co: could not connect to host
 skyrunners.ch: could not connect to host
-skytec.host: did not receive HSTS header
+skytec.host: could not connect to host
 skyvault.io: could not connect to host
 skyveo.ml: did not receive HSTS header
 skyway.capital: did not receive HSTS header
@@ -15408,6 +16022,7 @@ slashbits.no: did not receive HSTS header
 slashdesign.it: did not receive HSTS header
 slashem.me: did not receive HSTS header
 slatemc.fun: could not connect to host
+slatko.io: could not connect to host
 slattery.co: did not receive HSTS header
 slauber.de: did not receive HSTS header
 sld08.com: did not receive HSTS header
@@ -15419,12 +16034,13 @@ slicketl.com: did not receive HSTS header
 slicss.com: could not connect to host
 slides.zone: could not connect to host
 slightfuture.click: could not connect to host
+slightfuture.com: did not receive HSTS header
 slimk1nd.nl: could not connect to host
 slimmerbouwen.be: did not receive HSTS header
 slingo.com: did not receive HSTS header
-slingoweb.com: did not receive HSTS header
 slix.io: could not connect to host
 sln.cloud: could not connect to host
+slo-net.net: could not connect to host
 slope.haus: could not connect to host
 slotboss.co.uk: did not receive HSTS header
 slovakiana.sk: did not receive HSTS header
@@ -15433,12 +16049,13 @@ slovoice.org: could not connect to host
 slowfood.es: did not receive HSTS header
 slowsociety.org: could not connect to host
 slse.ca: max-age too low: 0
-sluplift.com: did not receive HSTS header
+sluplift.com: could not connect to host
 slycurity.de: could not connect to host
 slytech.ch: could not connect to host
 smallcdn.rocks: could not connect to host
 smallchat.nl: could not connect to host
 smallcloudsolutions.co.za: could not connect to host
+smallpath.me: could not connect to host
 smallplanet.ch: did not receive HSTS header
 smallshopit.com: did not receive HSTS header
 smart-mirror.de: did not receive HSTS header
@@ -15477,11 +16094,6 @@ sml.lc: could not connect to host
 smmcab.ru: could not connect to host
 smmcab.website: could not connect to host
 smokinghunks.com: could not connect to host
-smoothics.at: could not connect to host
-smoothics.com: could not connect to host
-smoothics.eu: could not connect to host
-smoothics.mobi: could not connect to host
-smoothics.net: could not connect to host
 smove.sg: did not receive HSTS header
 smplix.com: could not connect to host
 smries.com: could not connect to host
@@ -15493,10 +16105,12 @@ smtp.bz: did not receive HSTS header
 smtpdev.com: could not connect to host
 smuhelper.cn: could not connect to host
 smusg.com: did not receive HSTS header
+smutba.se: did not receive HSTS header
 snafarms.com: did not receive HSTS header
 snailing.org: could not connect to host
 snake.dog: could not connect to host
 snakehosting.dk: did not receive HSTS header
+snapappts.com: could not connect to host
 snapworks.net: did not receive HSTS header
 snarf.in: could not connect to host
 sneaker.date: could not connect to host
@@ -15510,7 +16124,6 @@ sniderman.pro: could not connect to host
 sniderman.xyz: could not connect to host
 snip.host: could not connect to host
 snod.land: did not receive HSTS header
-snoot.club: did not receive HSTS header
 snoozedds.com: max-age too low: 600
 snoqualmiefiber.org: could not connect to host
 snoringhq.com: did not receive HSTS header
@@ -15518,10 +16131,12 @@ snovey.com: could not connect to host
 snow-online.de: could not connect to host
 snowdy.eu: could not connect to host
 snowdy.link: could not connect to host
+snrat.com: did not receive HSTS header
 so-healthy.co.uk: did not receive HSTS header
 sobabox.ru: could not connect to host
 sobinski.pl: did not receive HSTS header
 soboleva-pr.com.ua: could not connect to host
+soc.net: could not connect to host
 socal-babes.com: could not connect to host
 soccergif.com: could not connect to host
 soci.ml: could not connect to host
@@ -15529,7 +16144,7 @@ social-journey.com: could not connect to host
 socialbillboard.com: could not connect to host
 socialcs.xyz: could not connect to host
 socialdj.de: did not receive HSTS header
-socialfacecook.com: could not connect to host
+socialfacecook.com: did not receive HSTS header
 socialgrowing.cl: did not receive HSTS header
 socialhead.io: could not connect to host
 socialhub.com: did not receive HSTS header
@@ -15541,9 +16156,11 @@ socialworkout.org: could not connect to host
 socialworkout.tv: could not connect to host
 socketize.com: did not receive HSTS header
 sockeye.cc: could not connect to host
+socoastal.com: could not connect to host
 socomponents.co.uk: could not connect to host
 sodacore.com: could not connect to host
 sodamakerclub.com: did not receive HSTS header
+sodiao.cc: could not connect to host
 softballsavings.com: did not receive HSTS header
 softbebe.com: did not receive HSTS header
 softclean.pt: did not receive HSTS header
@@ -15560,7 +16177,8 @@ soldbygold.net: did not receive HSTS header
 solentes.com.br: could not connect to host
 solidfuelappliancespares.co.uk: did not receive HSTS header
 solidimage.com.br: could not connect to host
-solidus.systems: did not receive HSTS header
+solidtuesday.com: could not connect to host
+solidus.systems: could not connect to host
 solidwebnetworks.co.uk: did not receive HSTS header
 solinter.com.br: did not receive HSTS header
 solisrey.es: could not connect to host
@@ -15574,6 +16192,7 @@ solymar.co: could not connect to host
 some.rip: max-age too low: 6307200
 somebodycares.org: did not receive HSTS header
 somepills.com: did not receive HSTS header
+somersetscr.nhs.uk: could not connect to host
 someshit.xyz: could not connect to host
 something-else.cf: could not connect to host
 somethingnew.xyz: could not connect to host
@@ -15588,13 +16207,15 @@ sonicrainboom.rocks: could not connect to host
 sonix.dk: could not connect to host
 sonja-daniels.com: could not connect to host
 sonja-kowa.de: could not connect to host
+sonoecoracao.com.br: could not connect to host
 sonyforum.no: did not receive HSTS header
 soobi.org: did not receive HSTS header
-soondy.com: did not receive HSTS header
+soodwatthanaphon.net: did not receive HSTS header
+soondy.com: could not connect to host
 soothemobilemassage.com.au: did not receive HSTS header
 soply.com: could not connect to host
 soporte.cc: could not connect to host
-sorenam.com: could not connect to host
+sorenam.com: did not receive HSTS header
 sorensen-online.com: could not connect to host
 sorex.photo: did not receive HSTS header
 sorinmuntean.ro: did not receive HSTS header
@@ -15604,6 +16225,7 @@ soruly.moe: did not receive HSTS header
 sos.de: did not receive HSTS header
 sosaka.ml: could not connect to host
 sosecu.red: could not connect to host
+sosesh.shop: could not connect to host
 sosiolog.com: did not receive HSTS header
 sosko.in.rs: could not connect to host
 sotavasara.net: did not receive HSTS header
@@ -15611,7 +16233,7 @@ sotiran.com: did not receive HSTS header
 sotor.de: did not receive HSTS header
 soucorneteiro.com.br: could not connect to host
 soulcraft.bz: could not connect to host
-soulema.com: could not connect to host
+soulema.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 soulfulglamour.uk: could not connect to host
 soulsteer.com: could not connect to host
 soundedj.com.br: could not connect to host
@@ -15623,13 +16245,13 @@ sourcecode.love: could not connect to host
 sourcelair.com: did not receive HSTS header
 sourcely.net: could not connect to host
 sourcitec.com: did not receive HSTS header
-sous-surveillance.net: could not connect to host
 southcoastkitesurf.co.uk: did not receive HSTS header
 southcoastswords.com: did not receive HSTS header
 southernjamusa.com: did not receive HSTS header
 southernlights.xyz: could not connect to host
 southgale.condos: could not connect to host
 southside-crew.club: could not connect to host
+southwindsor-ct.gov: could not connect to host
 southworcestershiregpservices.co.uk: could not connect to host
 soutien-naissance.com: could not connect to host
 souvik.me: did not receive HSTS header
@@ -15662,12 +16284,12 @@ sparkreviewcenter.com: did not receive HSTS header
 sparkwood.org: could not connect to host
 sparmedo.de: did not receive HSTS header
 sparsa.army: could not connect to host
-sparta-en.org: could not connect to host
 sparta-trade.com: could not connect to host
 spartantheatre.org: could not connect to host
 spauted.com: could not connect to host
 spawn.cz: could not connect to host
 spcx.eu: could not connect to host
+spd-pulheim-mitte.de: did not receive HSTS header
 spdysync.com: could not connect to host
 specialedesigns.com: could not connect to host
 specialistnow.com.au: did not receive HSTS header
@@ -15687,7 +16309,6 @@ spendwise.com.au: could not connect to host
 sperohub.com: could not connect to host
 sperohub.io: could not connect to host
 sperohub.lt: did not receive HSTS header
-spherenix.org: could not connect to host
 sphinx.network: could not connect to host
 spicydog.tk: could not connect to host
 spicywombat.com: could not connect to host
@@ -15696,10 +16317,10 @@ spiel-teppich.de: could not connect to host
 spielcasinos.com: did not receive HSTS header
 spikeykc.me: could not connect to host
 spillersfamily.net: could not connect to host
-spillmaker.no: did not receive HSTS header
 spilsbury.io: could not connect to host
 spineandscoliosis.com: did not receive HSTS header
 spinner.dnshome.de: could not connect to host
+spinor.im: could not connect to host
 spirit-dev.net: max-age too low: 0
 spirit-hunters-germany.de: did not receive HSTS header
 spiritbionic.ro: could not connect to host
@@ -15709,7 +16330,7 @@ spitefultowel.com: did not receive HSTS header
 spitfireuav.com: could not connect to host
 spititout.it: could not connect to host
 split.is: could not connect to host
-splunk.zone: could not connect to host
+splunk.zone: did not receive HSTS header
 spoketwist.com: did not receive HSTS header
 spokonline.com: could not connect to host
 spon.cz: did not receive HSTS header
@@ -15736,6 +16357,7 @@ spr.id.au: could not connect to host
 spreadsheets.google.com: did not receive HSTS header (error ignored - included regardless)
 spresso.me: did not receive HSTS header
 sprigings.com: did not receive HSTS header
+springreizen.nl: did not receive HSTS header
 springsoffthegrid.com: could not connect to host
 sprint.ml: did not receive HSTS header
 sprk.fitness: did not receive HSTS header
@@ -15753,6 +16375,7 @@ sqshq.de: did not receive HSTS header
 squaddraft.com: did not receive HSTS header
 squadlinx.com: did not receive HSTS header
 square.gs: could not connect to host
+squarelab.it: could not connect to host
 squareonebgc.com.ph: could not connect to host
 squatldf.org: could not connect to host
 squids.space: could not connect to host
@@ -15762,6 +16385,7 @@ sr-cs.net: did not receive HSTS header
 srcc.fr: could not connect to host
 sreeharis.tk: could not connect to host
 srevilak.net: did not receive HSTS header
+srichan.net: could not connect to host
 sritest.io: could not connect to host
 srmaximo.com: could not connect to host
 srna.sk: did not receive HSTS header
@@ -15775,13 +16399,13 @@ ssc8689.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERRO
 ssc8689.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 ssco.xyz: did not receive HSTS header
 ssconn.com: could not connect to host
-ssh.nu: could not connect to host
+ssh.nu: did not receive HSTS header
 sshool.at: could not connect to host
 ssl.panoramio.com: could not connect to host
 ssl.rip: could not connect to host
 sslzilla.de: did not receive HSTS header
 ssn1.ru: did not receive HSTS header
-sspanda.com: did not receive HSTS header
+sspanda.com: could not connect to host
 ssrvpn.tech: could not connect to host
 sss3s.com: could not connect to host
 ssworld.ga: could not connect to host
@@ -15798,7 +16422,6 @@ staffjoystaging.com: could not connect to host
 stagingjobshq.com: could not connect to host
 stahl.xyz: did not receive HSTS header
 stakestrategy.com: could not connect to host
-stalder.work: could not connect to host
 stalkerhispano.com: max-age too low: 0
 stalkthe.net: could not connect to host
 stall-zur-linde.de: did not receive HSTS header
@@ -15808,14 +16431,14 @@ stamboomvanderwal.nl: did not receive HSTS header
 stanandjerre.org: could not connect to host
 standardssuck.org: did not receive HSTS header
 standingmist.com: did not receive HSTS header
-standoutbooks.com: did not receive HSTS header
+standoutbooks.com: max-age too low: 0
 standuppaddlesports.com.au: did not receive HSTS header
 stang.moe: did not receive HSTS header
 stannahtrapliften.nl: did not receive HSTS header
 star-citizen.wiki: did not receive HSTS header
 star-killer.net: could not connect to host
-star-stuff.de: did not receive HSTS header
-star.do: could not connect to host
+star-stuff.de: could not connect to host
+star.do: did not receive HSTS header
 starandshield.com: did not receive HSTS header
 starapple.nl: did not receive HSTS header
 starcafe.me: could not connect to host
@@ -15824,7 +16447,7 @@ stardust-entertainments.co.uk: did not receive HSTS header
 starease.net: could not connect to host
 starfeeling.net: could not connect to host
 stargatepartners.com: did not receive HSTS header
-starinvestors.in: did not receive HSTS header
+starinvestors.in: could not connect to host
 starklane.com: max-age too low: 300
 starlightentertainmentdevon.co.uk: did not receive HSTS header
 starmusic.ga: could not connect to host
@@ -15866,8 +16489,9 @@ stcomex.com: did not receive HSTS header
 stdev.org: could not connect to host
 steamhours.com: could not connect to host
 steampunkrobot.com: did not receive HSTS header
+steborio.pw: could not connect to host
+steckel.cc: could not connect to host
 steelbea.ms: could not connect to host
-steelmounta.in: could not connect to host
 steelrhino.co: could not connect to host
 steem.io: did not receive HSTS header
 steenackers.be: did not receive HSTS header
@@ -15875,7 +16499,6 @@ stefanweiser.de: did not receive HSTS header
 steffi-in-australien.com: could not connect to host
 stellarvale.net: could not connect to host
 stellen.ch: did not receive HSTS header
-stellenticket.de: did not receive HSTS header
 stem.is: did not receive HSTS header
 stepbystep3d.com: did not receive HSTS header
 steph-autoecole.ch: did not receive HSTS header
@@ -15883,12 +16506,12 @@ steph3n.me: could not connect to host
 stephanierxo.com: did not receive HSTS header
 stephanos.me: could not connect to host
 stephenandburns.com: did not receive HSTS header
+stephenjvoiceovers.com: did not receive HSTS header
 stephensolis.net: could not connect to host
 stephensolisrey.es: could not connect to host
 steplogictalent.com: could not connect to host
 sterjoski.com: did not receive HSTS header
 stesti.cz: could not connect to host
-steuerberater-essen-steele.com: could not connect to host
 steuerkanzlei-und-wirtschaftsberater-manke.de: could not connect to host
 steve.kiwi: could not connect to host
 stevechekblain.win: could not connect to host
@@ -15896,6 +16519,7 @@ stevengoodpaster.com: could not connect to host
 stevenkwan.me: could not connect to host
 stevensheffey.me: could not connect to host
 stevensononthe.net: did not receive HSTS header
+steventruesdell.com: could not connect to host
 stewartremodelingadvantage.com: could not connect to host
 stewonet.nl: did not receive HSTS header
 stge.uk: could not connect to host
@@ -15912,6 +16536,7 @@ stijnbelmans.be: max-age too low: 604800
 stikkie.me: could not connect to host
 stilettomoda.com.br: could not connect to host
 stillblackhat.id: could not connect to host
+stillnessproject.com: did not receive HSTS header
 stillyarts.com: did not receive HSTS header
 stinkytrashhound.com: could not connect to host
 stirlingpoon.net: could not connect to host
@@ -15925,7 +16550,6 @@ stl.news: max-age too low: 0
 stlucasmuseum.org: did not receive HSTS header
 stm32f4.jp: could not connect to host
 stmbgr.com: could not connect to host
-stmkza.net: max-age too low: 0
 stn.me.uk: did not receive HSTS header
 stnl.de: could not connect to host
 stockseyeserum.com: could not connect to host
@@ -15935,6 +16559,7 @@ stoffelen.nl: did not receive HSTS header
 stoianlawfirm.com: could not connect to host
 stoick.me: could not connect to host
 stoinov.com: could not connect to host
+stolbart.com: could not connect to host
 stole-my.bike: could not connect to host
 stole-my.tv: could not connect to host
 stolkschepen.nl: did not receive HSTS header
@@ -15953,6 +16578,7 @@ store10.de: could not connect to host
 storecove.com: did not receive HSTS header
 storeden.com: did not receive HSTS header
 storefrontify.com: could not connect to host
+storeprijs.nl: did not receive HSTS header
 storiesofhealth.org: could not connect to host
 stormhub.org: could not connect to host
 stormwatcher.org: could not connect to host
@@ -15990,13 +16616,13 @@ streamzilla.com: did not receive HSTS header
 strehl.tk: could not connect to host
 strelitzia02.com: could not connect to host
 stressfreehousehold.com: could not connect to host
+stretchpc.com: could not connect to host
 strictlynormal.com: could not connect to host
 strictlysudo.com: could not connect to host
 strife.tk: did not receive HSTS header
 strila.me: could not connect to host
 striptizer.tk: could not connect to host
 strming.com: could not connect to host
-stroeder.com: could not connect to host
 stroeercrm.de: could not connect to host
 strongest-privacy.com: could not connect to host
 struxureon.com: did not receive HSTS header
@@ -16008,7 +16634,7 @@ student.andover.edu: could not connect to host
 studentrdh.com: did not receive HSTS header
 studentresearcher.org: did not receive HSTS header
 studentskydenik.cz: could not connect to host
-studenttravel.cz: did not receive HSTS header
+studenttravel.cz: could not connect to host
 studer.su: could not connect to host
 studiemeter.nl: did not receive HSTS header
 studiereader.nl: did not receive HSTS header
@@ -16018,7 +16644,6 @@ studio-webdigi.com: did not receive HSTS header
 studiocn.cn: could not connect to host
 studiodoprazer.com.br: could not connect to host
 studiozelden.com: did not receive HSTS header
-studisys.net: could not connect to host
 studlan.no: could not connect to host
 studport.rv.ua: max-age too low: 604800
 studyabroadstation.com: could not connect to host
@@ -16036,9 +16661,11 @@ sturbi.de: did not receive HSTS header
 sturbock.me: did not receive HSTS header
 sturdio.com.br: could not connect to host
 sturge.co.uk: did not receive HSTS header
+stutsmancounty.gov: could not connect to host
 stuttgart-gablenberg.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 stuudium.cloud: could not connect to host
 stuudium.life: could not connect to host
+stylaq.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 stylenda.com: could not connect to host
 stylle.me: could not connect to host
 stytt.com: could not connect to host
@@ -16046,7 +16673,6 @@ suaraangin.com: could not connect to host
 suareforma.com: could not connect to host
 suave.io: did not receive HSTS header
 subbing.work: could not connect to host
-subdimension.org: could not connect to host
 subeesu.com: could not connect to host
 subhacker.net: could not connect to host
 subjektzentrisch.de: could not connect to host
@@ -16054,26 +16680,28 @@ sublevel.net: did not receive HSTS header
 subrain.com: did not receive HSTS header
 subrosa.io: could not connect to host
 subsys.no: did not receive HSTS header
+subterfuge.io: did not receive HSTS header
 subtitle.rip: could not connect to host
 subwayz.de: did not receive HSTS header
 subzerolosangeles.com: did not receive HSTS header
-subzerotech.co.uk: could not connect to host
 successwithflora.com: could not connect to host
 succubus.network: could not connect to host
 succubus.xxx: could not connect to host
 suchprogrammer.net: did not receive HSTS header
 sudo.im: could not connect to host
-sudoschool.com: could not connect to host
 sudosu.fr: could not connect to host
 suempresa.cloud: could not connect to host
-suffts.de: could not connect to host
+suffts.de: did not receive HSTS header
 sugarcitycon.com: could not connect to host
 sugarsweetorsour.com: did not receive HSTS header
 sugartownfarm.com: could not connect to host
 suian.or.jp: max-age too low: 86400
 suite73.org: could not connect to host
+suited21.com: did not receive HSTS header
 suitocracy.com: could not connect to host
+summa-prefis.com: did not receive HSTS header
 summer.ga: could not connect to host
+summermc.cc: could not connect to host
 summitbankofkc.com: did not receive HSTS header
 summitmasters.net: did not receive HSTS header
 sumoatm.com: did not receive HSTS header
@@ -16089,7 +16717,7 @@ sunfireshop.com.br: could not connect to host
 sunlandsg.vn: did not receive HSTS header
 sunnyfruit.ru: could not connect to host
 sunriseafricarelief.com: did not receive HSTS header
-sunset.im: did not receive HSTS header
+sunset.im: could not connect to host
 sunshinepress.org: could not connect to host
 sunxchina.com: could not connect to host
 sunyanzi.tk: could not connect to host
@@ -16122,19 +16750,23 @@ supersecurefancydomain.com: could not connect to host
 supertramp-dafonseca.com: did not receive HSTS header
 superuser.fi: could not connect to host
 superwally.org: could not connect to host
+superway.es: did not receive HSTS header
 supes.io: did not receive HSTS header
 supperclub.es: could not connect to host
 support4server.de: could not connect to host
 supportfan.gov: could not connect to host
 suprlink.net: could not connect to host
-supweb.ovh: did not receive HSTS header
+supweb.ovh: could not connect to host
+surasak.io: could not connect to host
 surasak.xyz: could not connect to host
 suraya.online: could not connect to host
+surdam.casa: could not connect to host
 surfeasy.com: did not receive HSTS header
 surfone-leucate.com: did not receive HSTS header
 surgiclinic.gr: did not receive HSTS header
 surkatty.org: did not receive HSTS header
 suruifu.tk: could not connect to host
+survivalistplanet.com: could not connect to host
 survivebox.fr: did not receive HSTS header
 susanvelez.com: did not receive HSTS header
 susastudentenjobs.de: could not connect to host
@@ -16157,6 +16789,7 @@ svarovani.tk: could not connect to host
 svatba-frantovi.cz: could not connect to host
 sve-hosting.nl: could not connect to host
 svenbacia.me: could not connect to host
+svendubbeld.nl: did not receive HSTS header
 svenskacasino.com: could not connect to host
 svenskaservern.se: could not connect to host
 svetdrzaku.cz: did not receive HSTS header
@@ -16176,10 +16809,10 @@ swarmation.com: did not receive HSTS header
 sway.com: did not receive HSTS header
 swdatlantico.pt: could not connect to host
 sweep.cards: did not receive HSTS header
-sweet-spatula.com: could not connect to host
 sweetlegs.jp: could not connect to host
 sweetstreats.ca: could not connect to host
 sweetvanilla.jp: could not connect to host
+swehack.org: could not connect to host
 swfloshatraining.com: could not connect to host
 swift-devedge.de: could not connect to host
 swiftconf.com: did not receive HSTS header
@@ -16189,8 +16822,10 @@ swiggy.com: did not receive HSTS header
 swimming.ca: did not receive HSTS header
 swimmingpoolaccidentattorney.net: could not connect to host
 swingular.com: could not connect to host
+swisscannabis.club: could not connect to host
 swissentreprises.ch: could not connect to host
 swissfreshaircan.com: could not connect to host
+swisstechtalks.ch: did not receive HSTS header
 swisstranslate.ch: did not receive HSTS header
 swisstranslate.fr: did not receive HSTS header
 swisswebhelp.ch: could not connect to host
@@ -16204,8 +16839,13 @@ sxbk.pw: could not connect to host
 syam.cc: could not connect to host
 syamuwatching.xyz: could not connect to host
 sydgrabber.tk: could not connect to host
+syhost.at: did not receive HSTS header
+syhost.ch: did not receive HSTS header
+syhost.de: did not receive HSTS header
 sykl.us: could not connect to host
 sylvaincombe.net: could not connect to host
+sylvan.me: could not connect to host
+sylvangarden.net: could not connect to host
 sylvangarden.org: could not connect to host
 sylvanorder.com: did not receive HSTS header
 synackr.com: could not connect to host
@@ -16214,15 +16854,16 @@ syncaddict.net: could not connect to host
 syncappate.com: could not connect to host
 syncclinicalstudy.com: could not connect to host
 syncer.jp: did not receive HSTS header
-synchtu.be: could not connect to host
 syncmylife.net: could not connect to host
 syncserve.net: did not receive HSTS header
-syneic.com: could not connect to host
+syneic.com: did not receive HSTS header
 synergisticsoccer.com: could not connect to host
 syno.gq: could not connect to host
 syntaxoff.com: could not connect to host
 syntheticmotoroil.org: did not receive HSTS header
 syobon.org: could not connect to host
+syoier.com: could not connect to host
+syracuseut.gov: could not connect to host
 syrocon.ch: could not connect to host
 sys.tf: could not connect to host
 sysadmins.ro: could not connect to host
@@ -16237,6 +16878,7 @@ systea.net: could not connect to host
 system-online.cz: did not receive HSTS header
 systemd.me: could not connect to host
 sytk.me: could not connect to host
+syunpay.cn: did not receive HSTS header
 syy.hk: did not receive HSTS header
 szagun.net: did not receive HSTS header
 szaszm.tk: could not connect to host
@@ -16253,17 +16895,19 @@ t-tz.com: could not connect to host
 t0dd.eu: could not connect to host
 t2000headphones.com: could not connect to host
 t2000laserpointers.com: could not connect to host
+t3rror.net: could not connect to host
 t4c-rebirth.com: could not connect to host
 t4x.org: could not connect to host
 taabe.xyz: could not connect to host
 taartenfeesies.nl: did not receive HSTS header
 tab.watch: did not receive HSTS header
 taberu-fujitsubo.com: did not receive HSTS header
-tabhui.com: could not connect to host
+tabhui.com: did not receive HSTS header
 tabitatsu.jp: did not receive HSTS header
 tabla-periodica.com: could not connect to host
 tachyonapp.com: could not connect to host
 tacoma-games.com: did not receive HSTS header
+tacostea.net: could not connect to host
 tacotown.tk: could not connect to host
 tadata.me: could not connect to host
 tadcastercircuit.org.uk: did not receive HSTS header
@@ -16304,16 +16948,17 @@ talroo.com: could not connect to host
 talsi.eu: could not connect to host
 tam7t.com: did not receive HSTS header
 tamex.xyz: could not connect to host
-tanak3n.xyz: could not connect to host
 tandarts-haarlem.nl: did not receive HSTS header
 tandblekningidag.com: could not connect to host
-tangerine.ga: did not receive HSTS header
+tandilmap.com.ar: did not receive HSTS header
+tangerine.ga: could not connect to host
 tangibilizing.com: could not connect to host
 tangiblesecurity.com: did not receive HSTS header
 tango-cats.de: could not connect to host
 tangsisi.com: could not connect to host
 tangyue.date: could not connect to host
 tangzhao.net: could not connect to host
+tanhit.com: could not connect to host
 taniesianie.pl: did not receive HSTS header
 tankfreunde.de: did not receive HSTS header
 tante-bugil.net: could not connect to host
@@ -16328,7 +16973,6 @@ tapfinder.ca: could not connect to host
 tapka.cz: did not receive HSTS header
 tappublisher.com: did not receive HSTS header
 taqun.club: could not connect to host
-taranis.re: could not connect to host
 tarantul.org.ua: could not connect to host
 taravancil.com: did not receive HSTS header
 tarek.link: could not connect to host
@@ -16337,7 +16981,7 @@ tarhauskielto.fi: did not receive HSTS header
 tarots-et-oracles.com: did not receive HSTS header
 tarsashaz-biztositas.hu: did not receive HSTS header
 tartaros.fi: could not connect to host
-taskstats.com: could not connect to host
+taskstats.com: did not receive HSTS header
 tasmansecurity.com: could not connect to host
 tassup.com: could not connect to host
 tasta.ro: could not connect to host
@@ -16349,10 +16993,11 @@ tatilmix.com: could not connect to host
 tatort-fanpage.de: could not connect to host
 tatt.io: could not connect to host
 tauchkater.de: could not connect to host
+tauschen.info: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 tavoittaja.fi: did not receive HSTS header
 tavopica.lt: did not receive HSTS header
 taxbench.com: could not connect to host
-taxi-24std.de: could not connect to host
+taxi-24std.de: did not receive HSTS header
 taxiindenbosch.nl: did not receive HSTS header
 taxmadras.com: could not connect to host
 taxsnaps.co.nz: did not receive HSTS header
@@ -16389,6 +17034,8 @@ tdsbhack.tk: could not connect to host
 teacherph.net: did not receive HSTS header
 teachforcanada.ca: did not receive HSTS header
 tealdrones.com: did not receive HSTS header
+team-bbd.com: could not connect to host
+team-pancake.eu: could not connect to host
 team-teasers.com: could not connect to host
 team2fou.cf: did not receive HSTS header
 teamassists.com: did not receive HSTS header
@@ -16400,6 +17047,7 @@ teamnetsol.com: did not receive HSTS header
 teampoint.cz: could not connect to host
 teams.microsoft.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 teamsocial.co: did not receive HSTS header
+teamtravel.co: could not connect to host
 teamx-gaming.de: could not connect to host
 teamzeus.cz: could not connect to host
 teaparty.id: could not connect to host
@@ -16412,6 +17060,7 @@ tech55i.com: could not connect to host
 techandtux.de: could not connect to host
 techask.it: could not connect to host
 techassist.io: did not receive HSTS header
+techbelife.com: could not connect to host
 techbrawl.org: could not connect to host
 techcavern.ml: could not connect to host
 techcentric.com: did not receive HSTS header
@@ -16430,6 +17079,7 @@ techmasters.andover.edu: could not connect to host
 techmatehq.com: could not connect to host
 technicalforensic.com: could not connect to host
 technicalpenguins.com: did not receive HSTS header
+technifocal.com: could not connect to host
 technogroup.cz: did not receive HSTS header
 technologyand.me: did not receive HSTS header
 technosavvyport.com: did not receive HSTS header
@@ -16447,12 +17097,12 @@ techtraveller.com.au: did not receive HSTS header
 techtuts.info: could not connect to host
 techunit.org: could not connect to host
 techvalue.gr: did not receive HSTS header
+techwords.io: could not connect to host
 tecit.ch: could not connect to host
 tecnimotos.com: did not receive HSTS header
-tecnogaming.com: did not receive HSTS header
 tecnologino.com: could not connect to host
-tecture.de: did not receive HSTS header
-tedovo.com: could not connect to host
+tecture.de: could not connect to host
+tedovo.com: did not receive HSTS header
 tedxkmitl.com: could not connect to host
 tee-idf.net: could not connect to host
 teehaus-shila.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -16474,7 +17124,9 @@ teksuperior.com: could not connect to host
 tektoria.de: did not receive HSTS header
 tektuts.com: could not connect to host
 tel-dithmarschen.de: did not receive HSTS header
+tele-alarme.ch: could not connect to host
 tele-assistance.ch: could not connect to host
+telealarmevalais.ch: could not connect to host
 teleallarme.ch: could not connect to host
 telecharger-itunes.com: could not connect to host
 telecharger-open-office.com: could not connect to host
@@ -16482,7 +17134,7 @@ telecharger-winrar.com: could not connect to host
 telefisk.org: did not receive HSTS header
 telefonnummer.online: could not connect to host
 telefonogratuito.com: did not receive HSTS header
-telefonsinyalguclendirici.com: did not receive HSTS header
+telefonsinyalguclendirici.com: could not connect to host
 telefoonnummerinfo.nl: could not connect to host
 telekollektiv.org: could not connect to host
 telepons.com: could not connect to host
@@ -16505,6 +17157,7 @@ tengu.cloud: could not connect to host
 tenispopular.com: could not connect to host
 tenma.pro: could not connect to host
 tenni.xyz: could not connect to host
+tennisadmin.com: could not connect to host
 tennisapp.org: could not connect to host
 tennispensacola.com: could not connect to host
 tensei-slime.com: did not receive HSTS header
@@ -16559,6 +17212,7 @@ textracer.dk: could not connect to host
 tezcam.tk: could not connect to host
 tf-network.de: did not receive HSTS header
 tf2stadium.com: did not receive HSTS header
+tf7879.com: could not connect to host
 tfcoms-sp-tracker-client.azurewebsites.net: could not connect to host
 tffans.com: could not connect to host
 tfl.lu: did not receive HSTS header
@@ -16566,7 +17220,7 @@ tgbyte.com: did not receive HSTS header
 tgod.co: could not connect to host
 tgr.re: could not connect to host
 th-bl.de: did not receive HSTS header
-th3nd.com: could not connect to host
+th3nd.com: did not receive HSTS header
 thackert.myfirewall.org: could not connect to host
 thagki9.com: did not receive HSTS header
 thaianthro.com: max-age too low: 0
@@ -16578,7 +17232,6 @@ thalskarth.com: did not receive HSTS header
 thatgudstuff.com: could not connect to host
 thatpodcast.io: did not receive HSTS header
 thatvizsla.life: did not receive HSTS header
-thcpbees.co.uk: did not receive HSTS header
 the-construct.com: could not connect to host
 the-delta.net.eu.org: could not connect to host
 the-digitale.com: did not receive HSTS header
@@ -16595,6 +17248,7 @@ thearcheryguide.com: did not receive HSTS header
 theater.cf: could not connect to host
 theavenuegallery.com: did not receive HSTS header
 thebakingclass.com: max-age too low: 60
+thebarneystyle.com: did not receive HSTS header
 thebasementguys.com: could not connect to host
 thebeautifulmusic.net: did not receive HSTS header
 thebeginningisnye.com: could not connect to host
@@ -16618,30 +17272,30 @@ thecodeninja.net: did not receive HSTS header
 thecoffeehouse.xyz: could not connect to host
 thecoffeepod.co.uk: did not receive HSTS header
 thecozycastle.com: did not receive HSTS header
+thecrochetcottage.net: could not connect to host
 thecskr.in: did not receive HSTS header
 thecsw.com: did not receive HSTS header
 thecuriouscat.net: could not connect to host
 thedailyupvote.com: could not connect to host
 thedarkartsandcrafts.com: could not connect to host
-thedebug.life: did not receive HSTS header
 thedevilwearswibra.nl: did not receive HSTS header
 thediaryofadam.com: did not receive HSTS header
-thedominatorsclan.com: did not receive HSTS header
+thedominatorsclan.com: could not connect to host
 thedrinks.co: did not receive HSTS header
 thedrop.pw: did not receive HSTS header
 thedrunkencabbage.com: could not connect to host
 thedystance.com: could not connect to host
 theel0ja.info: did not receive HSTS header
 theelitebuzz.com: could not connect to host
-theendofzion.com: could not connect to host
+theendofzion.com: did not receive HSTS header
 theepankar.com: could not connect to host
 theescapistswiki.com: could not connect to host
 theevergreen.me: could not connect to host
 theexpatriate.de: could not connect to host
-theeyeopener.com: did not receive HSTS header
 thefarbeyond.com: could not connect to host
 thefasterweb.com: did not receive HSTS header
 thefilmcolor.com: max-age too low: 0
+theflyingbear.net: could not connect to host
 thefootballanalyst.com: did not receive HSTS header
 thefox.co: did not receive HSTS header
 thefox.com.fr: could not connect to host
@@ -16689,6 +17343,7 @@ themerchandiser.net: [Exception... "Component returned failure code: 0x80004005
 themesurgeons.net: could not connect to host
 themicrocapital.com: could not connect to host
 themoderate.xyz: could not connect to host
+thenarcissisticlife.com: did not receive HSTS header
 thenextstep.events: could not connect to host
 thenichecast.com: could not connect to host
 thenorthschool.org.uk: did not receive HSTS header
@@ -16701,6 +17356,7 @@ theosophie-afrique.org: could not connect to host
 theoverfly.co: could not connect to host
 thepartywarehouse.co.uk: did not receive HSTS header
 thepcweb.tk: could not connect to host
+thepiabo.ovh: did not receive HSTS header
 thepiratebay.al: could not connect to host
 thepiratebay.poker: could not connect to host
 thepiratebay.tech: could not connect to host
@@ -16709,6 +17365,7 @@ thepostoffice.ro: did not receive HSTS header
 theprincegame.com: could not connect to host
 theprivacysolution.com: could not connect to host
 thepurem.com: could not connect to host
+thepythianseed.com: did not receive HSTS header
 thequillmagazine.org: could not connect to host
 therewill.be: could not connect to host
 therise.ca: max-age too low: 300
@@ -16752,6 +17409,7 @@ thewp.pro: max-age too low: 0
 theyachtteam.com: could not connect to host
 thezonders.com: did not receive HSTS header
 thgros.fr: could not connect to host
+thibaultwalle.com: could not connect to host
 thibautcharles.net: did not receive HSTS header
 thienteakee.com: did not receive HSTS header
 thierfreund.de: did not receive HSTS header
@@ -16763,7 +17421,6 @@ thinkdo.jp: could not connect to host
 thinklikeanentrepreneur.com: did not receive HSTS header
 thinkswap.com: did not receive HSTS header
 thinlyveiledcontempt.com: could not connect to host
-thirdbearsolutions.com: could not connect to host
 thirdpartytrade.com: did not receive HSTS header
 thirdworld.moe: could not connect to host
 thirty5.net: did not receive HSTS header
@@ -16800,8 +17457,8 @@ throughthelookingglasslens.co.uk: could not connect to host
 thrx.net: did not receive HSTS header
 thumbtack.com: did not receive HSTS header
 thundercampaign.com: could not connect to host
-thuviensoft.com: could not connect to host
 thuviensoft.net: could not connect to host
+thynx.io: could not connect to host
 thyrex.fr: could not connect to host
 ti-js.com: could not connect to host
 ti.blog.br: did not receive HSTS header
@@ -16813,8 +17470,6 @@ tianxing.pro: did not receive HSTS header
 tianxingvpn.pro: could not connect to host
 tibbitshall.ca: could not connect to host
 tibovanheule.site: could not connect to host
-ticfleet.com: could not connect to host
-tichieru.pw: could not connect to host
 ticketmates.com.au: did not receive HSTS header
 ticketoplichting.nl: did not receive HSTS header
 tickopa.co.uk: could not connect to host
@@ -16829,7 +17484,6 @@ tiendschuurstraat.nl: could not connect to host
 tiensnet.com: could not connect to host
 tierarztpraxis-illerwinkel.de: did not receive HSTS header
 tiernanx.com: could not connect to host
-tierraprohibida.net: did not receive HSTS header
 tierrarp.com: could not connect to host
 tiggi.pw: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 tightlineproductions.com: did not receive HSTS header
@@ -16842,7 +17496,7 @@ tilkah.com.au: could not connect to host
 tillcraft.com: could not connect to host
 timbeilby.com: could not connect to host
 timbuktutimber.com: did not receive HSTS header
-timcamara.com: could not connect to host
+timcamara.com: did not receive HSTS header
 timchanhxe.com: did not receive HSTS header
 timdebruijn.nl: did not receive HSTS header
 time-river.xyz: could not connect to host
@@ -16859,12 +17513,13 @@ timestamp.io: did not receive HSTS header
 timestamp.uk: could not connect to host
 timetab.org: could not connect to host
 timhieubenh.net: could not connect to host
+timhieuthuoc.com: could not connect to host
 timhjalpen.se: could not connect to host
 timklefisch.de: did not receive HSTS header
 timmy.im: could not connect to host
 timmy.ws: could not connect to host
-timotrans.de: did not receive HSTS header
-timotrans.eu: did not receive HSTS header
+timotrans.de: could not connect to host
+timotrans.eu: could not connect to host
 timowi.net: could not connect to host
 timroes.de: did not receive HSTS header
 timschubert.net: max-age too low: 172800
@@ -16875,7 +17530,7 @@ tinchbear.xyz: could not connect to host
 tindewen.net: could not connect to host
 tink.network: could not connect to host
 tinkerboard.org: could not connect to host
-tinkerers-trunk.co.za: did not receive HSTS header
+tinkerers-trunk.co.za: could not connect to host
 tipiakers.club: could not connect to host
 tipps-fuer-den-haushalt.de: could not connect to host
 tippspiel.cc: could not connect to host
@@ -16890,6 +17545,7 @@ titanleaf.com: could not connect to host
 titanpointe.org: did not receive HSTS header
 tittarpuls.se: could not connect to host
 titties.ml: could not connect to host
+tivido.nl: could not connect to host
 tjandpals.com: could not connect to host
 tjc.wiki: could not connect to host
 tjeckien.guide: could not connect to host
@@ -16899,14 +17555,13 @@ tkappertjedemetamorfose.nl: could not connect to host
 tkarstens.de: did not receive HSTS header
 tkeycoin.com: did not receive HSTS header
 tkhw.tk: could not connect to host
-tkirch.de: could not connect to host
-tkn.tokyo: could not connect to host
 tkonstantopoulos.tk: could not connect to host
 tkts.cl: could not connect to host
 tlcdn.net: could not connect to host
 tlo.hosting: could not connect to host
 tlo.link: could not connect to host
 tlo.network: could not connect to host
+tls.builders: could not connect to host
 tls.li: could not connect to host
 tlsbv.nl: did not receive HSTS header
 tlshost.net: could not connect to host
@@ -16920,15 +17575,19 @@ tmi.news: did not receive HSTS header
 tmin.cf: could not connect to host
 tmitchell.io: could not connect to host
 tmprod.com: did not receive HSTS header
-tmtradingmorocco.ma: could not connect to host
+tmtradingmorocco.ma: did not receive HSTS header
 tnb-plattform.de: could not connect to host
 tncnanet.com.br: could not connect to host
 tno.io: could not connect to host
+tnwioa.gov: could not connect to host
 to2mbn.org: could not connect to host
+toabsentfamily.com: did not receive HSTS header
 tobaby.com.br: could not connect to host
 tobacco.gov: could not connect to host
 tobaccore.eu: could not connect to host
 tobaccore.sk: could not connect to host
+tobi-server.goip.de: could not connect to host
+tobi-videos.goip.de: could not connect to host
 tobias-bielefeld.de: did not receive HSTS header
 tobiasbergius.se: could not connect to host
 tobiasmathes.com: could not connect to host
@@ -16937,8 +17596,8 @@ tobiasofficial.at: could not connect to host
 tobiassachs.cf: could not connect to host
 tobiassachs.tk: could not connect to host
 tobis-webservice.de: did not receive HSTS header
-tobyx.eu: could not connect to host
 tobyx.is: could not connect to host
+toddmissiontx.gov: did not receive HSTS header
 todesschaf.org: could not connect to host
 todo.is: could not connect to host
 todobazar.es: could not connect to host
@@ -16950,12 +17609,13 @@ tofa-koeln.de: could not connect to host
 tofilmhub.com: could not connect to host
 tofu.im: could not connect to host
 togelonlinecommunity.com: did not receive HSTS header
+tohokufd.com: could not connect to host
 tojeto.eu: did not receive HSTS header
 toka.sg: could not connect to host
 tokage.me: could not connect to host
+tokbijouxs.com.br: did not receive HSTS header
 tokenloan.com: could not connect to host
-tokfun.com: could not connect to host
-tokintu.com: did not receive HSTS header
+tokintu.com: could not connect to host
 tokky.eu: could not connect to host
 tokobungaasryflorist.com: did not receive HSTS header
 tokobungadijambi.com: did not receive HSTS header
@@ -16974,6 +17634,7 @@ tom-maxwell.com: did not receive HSTS header
 tom.run: did not receive HSTS header
 tomandshirley.com: could not connect to host
 tomaspialek.cz: did not receive HSTS header
+tomaz.eu: could not connect to host
 tomberek.info: did not receive HSTS header
 tomcort.com: could not connect to host
 tomdudfield.com: did not receive HSTS header
@@ -16991,9 +17652,10 @@ tomoyaf.com: could not connect to host
 tomphill.co.uk: could not connect to host
 tomudding.com: did not receive HSTS header
 tomy.icu: could not connect to host
-tonburi.jp: could not connect to host
+tonburi.jp: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 tongmu.me: could not connect to host
 tonguetechnology.com: could not connect to host
+toni-dis.ch: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 toniharant.de: could not connect to host
 toomanypillows.com: could not connect to host
 toomy.ddns.net: could not connect to host
@@ -17029,7 +17691,8 @@ toretfaction.net: could not connect to host
 torlock.download: could not connect to host
 torproject.org.uk: could not connect to host
 torproject.ovh: could not connect to host
-torrentdownloads.bid: could not connect to host
+torrentdownloads.bid: did not receive HSTS header
+torrentfunk.com: could not connect to host
 torrentgamesps2.info: could not connect to host
 torrenttop100.net: could not connect to host
 torrentz.website: could not connect to host
@@ -17037,10 +17700,10 @@ torrentz2.eu: did not receive HSTS header
 tortocan.com: could not connect to host
 tortugalife.de: could not connect to host
 torv.rocks: did not receive HSTS header
+tosainu.com.br: could not connect to host
 tosecure.link: could not connect to host
 toshnix.com: could not connect to host
 toshub.com: could not connect to host
-toskana-appartement.de: did not receive HSTS header
 totalbeauty.co.uk: could not connect to host
 totaldragonshop.com.br: could not connect to host
 totalle.com.br: could not connect to host
@@ -17062,12 +17725,13 @@ touchstonefms.co.uk: did not receive HSTS header
 tougetu.com: could not connect to host
 touhou.cc: did not receive HSTS header
 touray-enterprise.ch: could not connect to host
+tourispo.com: could not connect to host
 tourpeer.com: did not receive HSTS header
 toursandtransfers.it: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 tousproducteurs.fr: did not receive HSTS header
-tout-art.ch: could not connect to host
-toutart.ch: could not connect to host
+tovp.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 towaway.ru: could not connect to host
+townofruthnc.gov: could not connect to host
 tox.im: did not receive HSTS header
 toxicboot.com: could not connect to host
 toxicip.com: could not connect to host
@@ -17078,14 +17742,12 @@ tpbcdn.com: could not connect to host
 tpblist.xyz: could not connect to host
 tpbunblocked.org: could not connect to host
 tpe-edu.com: could not connect to host
-tpms4u.at: did not receive HSTS header
+tpms4u.at: could not connect to host
 tppdebate.org: did not receive HSTS header
 trabajarenperu.com: did not receive HSTS header
 tracalada.cl: did not receive HSTS header
-traces.ml: could not connect to host
 tracetracker.com: did not receive HSTS header
 tracewind.top: could not connect to host
-track.plus: could not connect to host
 trackdays4fun.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 tracker-gps.ch: could not connect to host
 trackfeed.tokyo: could not connect to host
@@ -17118,7 +17780,6 @@ trainline.se: could not connect to host
 trainut.com: could not connect to host
 trakfusion.com: could not connect to host
 trancendances.fr: could not connect to host
-trangell.com: did not receive HSTS header
 tranos.de: did not receive HSTS header
 transbike.es: did not receive HSTS header
 transcendmotor.sg: could not connect to host
@@ -17133,7 +17794,6 @@ translate.googleapis.com: did not receive HSTS header (error ignored - included
 translateblender.ru: could not connect to host
 translatoruk.co.uk: did not receive HSTS header
 transmithe.net: could not connect to host
-transport.eu: did not receive HSTS header
 transportal.sk: did not receive HSTS header
 transsexualpantyhose.com: could not connect to host
 tratamentoparacelulite.biz: could not connect to host
@@ -17141,6 +17801,8 @@ trauertexte.info: could not connect to host
 traumhuetten.de: did not receive HSTS header
 travality.ru: could not connect to host
 travel-kuban.ru: did not receive HSTS header
+travel-to-nature.ch: did not receive HSTS header
+travel.co.za: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 travel1x1.com: did not receive HSTS header
 traveling-thailand.info: could not connect to host
 travelinsightswriter.com: could not connect to host
@@ -17154,6 +17816,7 @@ trazosdearte.com: did not receive HSTS header
 treasuredinheritanceministry.com: did not receive HSTS header
 treatment.org: could not connect to host
 treatprostatewithhifu.com: could not connect to host
+treebaglia.xyz: could not connect to host
 treeby.net: could not connect to host
 treehousebydesign.com: did not receive HSTS header
 treeremovaljohannesburg.co.za: could not connect to host
@@ -17174,10 +17837,6 @@ triadwars.com: did not receive HSTS header
 triageo.com.au: could not connect to host
 trialmock.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 trianon.xyz: could not connect to host
-tributh.ga: could not connect to host
-tributh.gq: could not connect to host
-tributh.ml: could not connect to host
-tributh.tk: could not connect to host
 trickedguys.com: could not connect to host
 tricks.clothing: did not receive HSTS header
 triddi.com: could not connect to host
@@ -17190,12 +17849,15 @@ trinity.fr.eu.org: could not connect to host
 trinityaffirmations.com: max-age too low: 0
 trinitycore.org: max-age too low: 2592000
 trinitytechdev.com: did not receive HSTS header
+trink-und-partyspiele.de: could not connect to host
 tripcombi.com: did not receive HSTS header
 tripdelta.com: did not receive HSTS header
 tripinsider.club: did not receive HSTS header
 triple-mmm.de: max-age too low: 0
+tripout.tech: did not receive HSTS header
 trisportas.lt: did not receive HSTS header
 tristanfarkas.one: could not connect to host
+triticeaetoolbox.org: did not receive HSTS header
 trixati.org.ua: did not receive HSTS header
 trixies-wish.nz: could not connect to host
 trixy.com.br: could not connect to host
@@ -17203,7 +17865,7 @@ trizone.com.au: did not receive HSTS header
 troisdorf-gestalten.de: did not receive HSTS header
 trollme.me: could not connect to host
 trollscave.xyz: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-trondelan.no: could not connect to host
+trondelan.no: did not receive HSTS header
 tronflix.com: did not receive HSTS header
 troo.ly: could not connect to host
 trouter.io: could not connect to host
@@ -17212,7 +17874,6 @@ troykelly.com: did not receive HSTS header
 trpg.wiki: could not connect to host
 truckgpsreviews.com: did not receive HSTS header
 true.ink: did not receive HSTS header
-trueblueessentials.com: could not connect to host
 truebred-labradors.com: did not receive HSTS header
 trueessayhelp.co.uk: did not receive HSTS header
 truejob.com: did not receive HSTS header
@@ -17221,11 +17882,10 @@ trumeet.top: did not receive HSTS header
 trunkjunk.co: could not connect to host
 trush.in: could not connect to host
 trustedinnovators.com: could not connect to host
-trustednewssites.com: did not receive HSTS header
+trustednewssites.com: could not connect to host
 trusteecar.com: did not receive HSTS header
 trustmeimfancy.com: could not connect to host
 trustocean.com: did not receive HSTS header
-try2services.cm: did not receive HSTS header
 trybind.com: could not connect to host
 tryfabulousdiet.com: could not connect to host
 tryfm.net: did not receive HSTS header
@@ -17254,7 +17914,6 @@ tsumi.moe: could not connect to host
 tsura.org: could not connect to host
 tsurezurematome.ga: could not connect to host
 ttackmedical.com.br: could not connect to host
-ttrade.ga: did not receive HSTS header
 tts.co.nz: did not receive HSTS header
 ttspttsp.com: could not connect to host
 tty.space: could not connect to host
@@ -17275,6 +17934,8 @@ tufilo.com: could not connect to host
 tugers.com: did not receive HSTS header
 tulenceria.es: could not connect to host
 tulsameetingroom.com: could not connect to host
+tumagiri.net: did not receive HSTS header
+tumutanzi.com: did not receive HSTS header
 tunca.it: did not receive HSTS header
 tunebitfm.de: could not connect to host
 tungstenroyce.com: did not receive HSTS header
@@ -17283,7 +17944,6 @@ tuou.xyz: could not connect to host
 tupizm.com: could not connect to host
 turismo.cl: could not connect to host
 turkiet.guide: could not connect to host
-turkrock.com: did not receive HSTS header
 turn-sticks.com: could not connect to host
 turnik-67.ru: could not connect to host
 turniker.ru: could not connect to host
@@ -17300,6 +17960,7 @@ tutorio.ga: could not connect to host
 tutu.ro: could not connect to host
 tuturulianda.com: did not receive HSTS header
 tuvalie.com: did not receive HSTS header
+tuxflow.de: could not connect to host
 tuxhound.org: could not connect to host
 tuxrtfm.com: could not connect to host
 tv.search.yahoo.com: could not connect to host
@@ -17353,6 +18014,8 @@ twolinepassbrewing.com: could not connect to host
 twolivelife.com: could not connect to host
 twoo.com: could not connect to host
 twotube.ie: could not connect to host
+twun.io: could not connect to host
+twuni.org: did not receive HSTS header
 tx041cap.org: could not connect to host
 txbi.de: could not connect to host
 txclimbers.com: could not connect to host
@@ -17360,15 +18023,12 @@ txcp01.com: could not connect to host
 txcp02.com: could not connect to host
 txf.pw: could not connect to host
 ty2u.com: did not receive HSTS header
-tycjt.vip: did not receive HSTS header
-tyil.nl: could not connect to host
+tycjt.vip: could not connect to host
 tykoon.com: could not connect to host
 tyl.io: did not receive HSTS header
 tyler.coach: could not connect to host
 tylercoach.com: could not connect to host
-tylerharcourt.ca: max-age too low: 86400
-tylerharcourt.com: could not connect to host
-tylerharcourt.org: did not receive HSTS header
+tylerharcourt.net: could not connect to host
 tylerharcourt.xyz: could not connect to host
 tylerjharcourt.com: could not connect to host
 tylian.net: max-age too low: 0
@@ -17377,7 +18037,6 @@ type1joe.net: could not connect to host
 type1joe.org: could not connect to host
 typehub.net: could not connect to host
 typeofweb.com: did not receive HSTS header
-typeonejoe.com: could not connect to host
 typeonejoe.net: could not connect to host
 typeonejoe.org: could not connect to host
 typingrevolution.com: did not receive HSTS header
@@ -17391,14 +18050,15 @@ tzwe.com: could not connect to host
 u-master.net: did not receive HSTS header
 u-metals.com: did not receive HSTS header
 u175.com: could not connect to host
+uaci.edu.mx: could not connect to host
 uadp.pw: could not connect to host
 uahs.org.uk: did not receive HSTS header
 ubalert.com: could not connect to host
 uber.com.au: did not receive HSTS header
 ubercalculator.com: did not receive HSTS header
 uberfunction.com: did not receive HSTS header
-ubermail.me: could not connect to host
-ubicloud.de: could not connect to host
+ubertt.org: could not connect to host
+ubicloud.de: did not receive HSTS header
 ubicv.com: could not connect to host
 ublox.com: did not receive HSTS header
 ubtce.com: could not connect to host
@@ -17409,6 +18069,7 @@ uchiha.ml: could not connect to host
 uclanmasterplan.co.uk: did not receive HSTS header
 udbhav.me: could not connect to host
 uega.net: did not receive HSTS header
+uel-thompson-okanagan.ca: could not connect to host
 uerdingen.info: did not receive HSTS header
 uesociedadlimitada.com: could not connect to host
 ueu.me: could not connect to host
@@ -17420,14 +18081,42 @@ ugcdn.com: could not connect to host
 ugisgutless.com: could not connect to host
 ugo.ninja: could not connect to host
 ugosadventures.com: could not connect to host
-uhappy69.com: could not connect to host
-uhappy70.com: could not connect to host
-uhappy72.com: could not connect to host
-uhappy80.com: could not connect to host
-uhappy81.com: could not connect to host
+uhappy11.com: did not receive HSTS header
+uhappy21.com: did not receive HSTS header
+uhappy23.com: did not receive HSTS header
+uhappy24.com: did not receive HSTS header
+uhappy25.com: did not receive HSTS header
+uhappy26.com: did not receive HSTS header
+uhappy27.com: did not receive HSTS header
+uhappy28.com: did not receive HSTS header
+uhappy29.com: did not receive HSTS header
+uhappy3.com: did not receive HSTS header
+uhappy31.com: did not receive HSTS header
+uhappy33.com: did not receive HSTS header
+uhappy55.com: did not receive HSTS header
+uhappy56.com: did not receive HSTS header
+uhappy58.com: did not receive HSTS header
+uhappy59.com: did not receive HSTS header
+uhappy60.com: did not receive HSTS header
+uhappy61.com: did not receive HSTS header
+uhappy62.com: did not receive HSTS header
+uhappy66.com: did not receive HSTS header
+uhappy67.com: did not receive HSTS header
+uhappy71.com: did not receive HSTS header
+uhappy73.com: could not connect to host
+uhappy74.com: could not connect to host
+uhappy75.com: could not connect to host
+uhappy76.com: could not connect to host
+uhappy77.com: did not receive HSTS header
+uhappy78.com: could not connect to host
+uhappy8.com: did not receive HSTS header
+uhappy86.com: did not receive HSTS header
+uhappy9.com: did not receive HSTS header
+uhappy99.com: did not receive HSTS header
 uhasseltctf.ga: could not connect to host
 uhasseltodin.be: did not receive HSTS header
 uhm.io: did not receive HSTS header
+uhssl.com: did not receive HSTS header
 uhuru-market.com: did not receive HSTS header
 uitslagensoftware.nl: did not receive HSTS header
 ukas.com: could not connect to host
@@ -17448,6 +18137,7 @@ ultimate-memoryplus.com: could not connect to host
 ultimate-neuroplus.com: could not connect to host
 ultramax.biz: could not connect to host
 ultraporn.biz: could not connect to host
+ultrasite.tk: could not connect to host
 ultrasteam.net: could not connect to host
 ultros.io: did not receive HSTS header
 umaimise.info: did not receive HSTS header
@@ -17458,7 +18148,9 @@ umidev.com: could not connect to host
 umie.cc: did not receive HSTS header
 umkmjogja.com: did not receive HSTS header
 ump45.moe: could not connect to host
-umsolugar.com.br: did not receive HSTS header
+umsolugar.com.br: could not connect to host
+umwandeln-online.de: could not connect to host
+unapolegetic.co: did not receive HSTS header
 unart.info: could not connect to host
 unbanthe.net: could not connect to host
 unblockat.tk: did not receive HSTS header
@@ -17487,6 +18179,7 @@ unblockthe.site: could not connect to host
 unblockthe.top: could not connect to host
 unccdesign.club: could not connect to host
 unclegen.xyz: could not connect to host
+undecidable.de: could not connect to host
 under30stravelinsurance.com.au: did not receive HSTS header
 undercovercondoms.com: could not connect to host
 underkin.com: could not connect to host
@@ -17494,6 +18187,7 @@ undone.me: could not connect to host
 unefuite.ch: could not connect to host
 unfiltered.nyc: could not connect to host
 unfuddle.cn: could not connect to host
+ungeek.eu: did not receive HSTS header
 ungern.guide: could not connect to host
 unhu.fr: could not connect to host
 uni-games.com: could not connect to host
@@ -17513,24 +18207,27 @@ uniformespousoalegre.com.br: did not receive HSTS header
 unikitty-on-tour.com: could not connect to host
 unikrn.com: could not connect to host
 uninet.cf: could not connect to host
-uniojeda.ml: did not receive HSTS header
+uniojeda.ml: could not connect to host
 unionstationapp.com: could not connect to host
 unirenter.ru: did not receive HSTS header
 unison.com: did not receive HSTS header
-unisyssecurity.com: could not connect to host
+unisyssecurity.com: did not receive HSTS header
 unitedcyberdevelopment.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 unitlabs.net: could not connect to host
 unitrade-425.co.za: did not receive HSTS header
+univerpack.net: could not connect to host
 university4industry.com: did not receive HSTS header
 universogay.com: could not connect to host
 univstore.win: could not connect to host
 univz.com: could not connect to host
+unixapp.ml: could not connect to host
+unixfox.eu: could not connect to host
 unixtime.pro: could not connect to host
 unknownbreakup.com: max-age too low: 2592000
 unknownphenomena.net: could not connect to host
 unleash.pw: could not connect to host
 unlogis.ch: could not connect to host
-unmanaged.space: could not connect to host
+unmanaged.space: did not receive HSTS header
 unplugg3r.dk: could not connect to host
 unpossible.xyz: could not connect to host
 unravel.ie: could not connect to host
@@ -17553,6 +18250,7 @@ up1.ca: could not connect to host
 upaknship.com: did not receive HSTS header
 upandclear.org: max-age too low: 0
 upboard.jp: could not connect to host
+updatehub.io: did not receive HSTS header
 upldr.pw: could not connect to host
 uploadbro.com: could not connect to host
 upmchealthsecurity.us: could not connect to host
@@ -17569,13 +18267,14 @@ ur-lauber.de: did not receive HSTS header
 urban-garden.lt: could not connect to host
 urban-garden.lv: could not connect to host
 urban-karuizawa.co.jp: max-age too low: 0
+urbanfi.sh: did not receive HSTS header
 urbanmic.com: could not connect to host
 urbanstylestaging.com: could not connect to host
 urbpic.com: could not connect to host
 urcentral.org: could not connect to host
-url.cab: could not connect to host
+urgences-valais.ch: could not connect to host
+url.cab: did not receive HSTS header
 urlachershop.com.br: did not receive HSTS header
-urlakite.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 urlchomp.com: did not receive HSTS header
 urology.wiki: did not receive HSTS header
 urphp.com: did not receive HSTS header
@@ -17588,11 +18287,11 @@ usbtypeccompliant.com: could not connect to host
 uscitizenship.info: did not receive HSTS header
 uscntalk.com: could not connect to host
 uscp8.com: could not connect to host
-uscurrency.gov: did not receive HSTS header
 use.ci: could not connect to host
 used-in.jp: could not connect to host
 usedesk.ru: did not receive HSTS header
 usedoor.jp: did not receive HSTS header
+usedu.us: could not connect to host
 useevlo.com.br: could not connect to host
 user-new.com: did not receive HSTS header
 usercare.com: could not connect to host
@@ -17605,7 +18304,9 @@ usparklodging.com: did not receive HSTS header
 usportsgo.com: could not connect to host
 usr.nz: did not receive HSTS header
 usuluddin.ga: did not receive HSTS header
+utahfireinfo.gov: did not receive HSTS header
 utdscanner.com: did not receive HSTS header
+utdsgda.com: could not connect to host
 uteam.it: could not connect to host
 utilio.nl: max-age too low: 2592000
 utilitronium-shockwave.com: could not connect to host
@@ -17622,6 +18323,7 @@ uttnetgroup.fr: could not connect to host
 utube.tw: could not connect to host
 utumno.ch: could not connect to host
 utvbloggen.se: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+uuid.cf: could not connect to host
 uvarov.pw: could not connect to host
 uvolejniku.cz: did not receive HSTS header
 uwekoetter.com: did not receive HSTS header
@@ -17657,7 +18359,7 @@ vaclavambroz.cz: did not receive HSTS header
 vaclavambroz.eu: could not connect to host
 vacuumreviewcenter.com: did not receive HSTS header
 vaddder.com: could not connect to host
-vadennissanofhinesvilleparts.com: could not connect to host
+vadennissanofhinesvilleparts.com: did not receive HSTS header
 vadik.me: could not connect to host
 vadodesign.nl: did not receive HSTS header
 vaibhavchatarkar.com: could not connect to host
@@ -17669,12 +18371,12 @@ valenhub.com: could not connect to host
 valenhub.es: could not connect to host
 valenscaelum.com: could not connect to host
 valentin-ochs.de: could not connect to host
-valentin.ml: could not connect to host
 valesdev.com: max-age too low: 0
 valethound.com: could not connect to host
 valhallacostarica.com: could not connect to host
 valhallamovement.com: did not receive HSTS header
 valitron.se: did not receive HSTS header
+valkor.pro: could not connect to host
 valkyrja.xyz: could not connect to host
 valleyridgepta.org: could not connect to host
 valleyshop.ca: could not connect to host
@@ -17692,15 +18394,17 @@ vanderstraeten.dynv6.net: could not connect to host
 vanessabalibridal.com: could not connect to host
 vanestack.com: could not connect to host
 vanetv.com: could not connect to host
-vangeluwedeberlaere.be: did not receive HSTS header
+vangeluwedeberlaere.be: could not connect to host
 vanhaos.com: could not connect to host
 vanitas.xyz: could not connect to host
 vanitynailworkz.com: could not connect to host
 vanlaanen.com: did not receive HSTS header
+vanohaker.ru: could not connect to host
 vansieleghem.com: could not connect to host
 vantaio.com: did not receive HSTS header
 vapecom-shop.com: could not connect to host
 vapecraftinc.com: did not receive HSTS header
+vapehour.com: could not connect to host
 vapemania.eu: could not connect to host
 vapeshopsupply.com: max-age too low: 7889238
 vaporpunk.space: did not receive HSTS header
@@ -17722,12 +18426,11 @@ vayaport.com: could not connect to host
 vb-oa.co.uk: did not receive HSTS header
 vbest.net: could not connect to host
 vbestreviews.com: did not receive HSTS header
-vbhelp.org: did not receive HSTS header
+vbhelp.org: could not connect to host
 vbulletin-russia.com: could not connect to host
 vbulletinrussia.com: could not connect to host
 vcdn.xyz: could not connect to host
 vcdove.com: could not connect to host
-vcelin-na-doliku.cz: could not connect to host
 vconcept.ch: could not connect to host
 vconcept.me: could not connect to host
 vcr.re: could not connect to host
@@ -17752,13 +18455,13 @@ veggiesbourg.fr: did not receive HSTS header
 vegis.ro: did not receive HSTS header
 veglog.com: could not connect to host
 vehent.org: did not receive HSTS header
+vehicletransportservices.co: did not receive HSTS header
 vehicleuplift.co.uk: did not receive HSTS header
 vekenz.com: could not connect to host
 velasense.com: could not connect to host
 velonustraduction.com: could not connect to host
 velotyretz.fr: did not receive HSTS header
 vemokin.net: could not connect to host
-venenum.org: could not connect to host
 venicecomputerrepair.com: could not connect to host
 venicefloridawebsitedesign.com: could not connect to host
 venicerealdeal.com: could not connect to host
@@ -17771,11 +18474,13 @@ venoom.eu: did not receive HSTS header
 vensl.org: could not connect to host
 venturedisplay.co.uk: did not receive HSTS header
 venturepro.com: did not receive HSTS header
+venusbymariatash.com: could not connect to host
 venzocrm.com: did not receive HSTS header
-ver-ooginoog.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-veraandsteve.date: could not connect to host
+ver-ooginoog.nl: max-age too low: 2592000
+veraandsteve.date: did not receive HSTS header
 verdeandco.co.uk: could not connect to host
 vergeaccessories.com: could not connect to host
+vergessen.cn: could not connect to host
 verifiedinvesting.com: could not connect to host
 verifikatorindonesia.com: could not connect to host
 veriomed.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -17789,8 +18494,8 @@ versbeton.nl: max-age too low: 864000
 versfin.net: could not connect to host
 versia.ru: did not receive HSTS header
 veryhax.de: could not connect to host
+veryimportantusers.com: could not connect to host
 veryyounglesbians.com: could not connect to host
-verzick.com: could not connect to host
 ves.vn.ua: could not connect to host
 vestacp.top: could not connect to host
 vetdnacenter.com: did not receive HSTS header
@@ -17798,7 +18503,7 @@ veterinaire-cazeres-foucault.fr: could not connect to host
 vethouse.com.ua: did not receive HSTS header
 vetmgmt.com: could not connect to host
 veto.fish: could not connect to host
-vforvendetta.science: could not connect to host
+vforvendetta.science: did not receive HSTS header
 vfree.org: could not connect to host
 vgatest.nl: could not connect to host
 vglimg.com: could not connect to host
@@ -17816,8 +18521,20 @@ viciousflora.com: could not connect to host
 viciousviscosity.xyz: could not connect to host
 vickshomes.com: could not connect to host
 victorenxovais.com.br: could not connect to host
+victoreriksson.ch: could not connect to host
+victoreriksson.co: could not connect to host
+victoreriksson.com: could not connect to host
+victoreriksson.eu: could not connect to host
+victoreriksson.info: could not connect to host
+victoreriksson.me: could not connect to host
+victoreriksson.net: could not connect to host
+victoreriksson.nu: could not connect to host
+victoreriksson.org: could not connect to host
+victoreriksson.se: could not connect to host
+victoreriksson.us: could not connect to host
 victoriapemberton.com: did not receive HSTS header
 victoriaville.ca: did not receive HSTS header
+victornilsson.pw: did not receive HSTS header
 vid.me: did not receive HSTS header
 vidb.me: could not connect to host
 vidbuchanan.co.uk: did not receive HSTS header
@@ -17827,13 +18544,13 @@ videnskabsklubben.dk: did not receive HSTS header
 videobola.win: could not connect to host
 videoload.co: could not connect to host
 videomuz.com: could not connect to host
-videorullen.se: could not connect to host
+videorullen.se: did not receive HSTS header
 videosxgays.com: could not connect to host
 videotogel.net: could not connect to host
 videoueberwachung-set.de: did not receive HSTS header
 vider.ga: could not connect to host
 vidid.net: did not receive HSTS header
-vidiproject.com: did not receive HSTS header
+vidiproject.com: could not connect to host
 viditut.com: could not connect to host
 vidkovaomara.si: could not connect to host
 vidlyoficial.com: could not connect to host
@@ -17850,6 +18567,7 @@ vigilo.ga: could not connect to host
 viikko.eu: could not connect to host
 vijos.org: did not receive HSTS header
 vikasbabyworld.de: could not connect to host
+vikodek.com: did not receive HSTS header
 viktor-machnik.de: could not connect to host
 viktorsvantesson.net: did not receive HSTS header
 vilabiamodas.com.br: could not connect to host
@@ -17880,16 +18598,19 @@ vinesauce.info: could not connect to host
 vinetalk.net: could not connect to host
 vinicius.sl: could not connect to host
 viniferawineclub.com: did not receive HSTS header
+vinigas.com: did not receive HSTS header
 vinihk.com: did not receive HSTS header
+vinnie.gq: could not connect to host
 vinogradovka.com: did not receive HSTS header
 vintock.com: could not connect to host
 vio.no: did not receive HSTS header
 violenceinterrupted.org: did not receive HSTS header
 violet-letter.delivery: could not connect to host
-violetraven.co.uk: could not connect to host
+violetraven.co.uk: did not receive HSTS header
 viosey.com: could not connect to host
 vioye.com: could not connect to host
 vip-9649.com: did not receive HSTS header
+vip4553.com: could not connect to host
 vip9649.com: did not receive HSTS header
 viperdns.com: could not connect to host
 vipesball.cc: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -17903,12 +18624,14 @@ vipnettikasinoklubi.com: did not receive HSTS header
 viral8.jp: could not connect to host
 viralboombox.xyz: could not connect to host
 virginiacrimeanalysisnetwork.org: did not receive HSTS header
+virial.de: did not receive HSTS header
 viris.si: max-age too low: 536000
 virtualhealth.com: did not receive HSTS header
 virtualstrongbox.ca: did not receive HSTS header
 visa-shinsei.com: did not receive HSTS header
 visanhigia.com: could not connect to host
 viserproject.com: did not receive HSTS header
+visioflux-premium.com: did not receive HSTS header
 vision-painting.com: did not receive HSTS header
 visiondigitalsog.com: could not connect to host
 visiongamestudios.com: could not connect to host
@@ -17926,6 +18649,8 @@ vitagenda.nl: could not connect to host
 vital-tel.co.uk: did not receive HSTS header
 vitalamin.at: could not connect to host
 vitalamin.ch: could not connect to host
+vitalamin.com: could not connect to host
+vitalamin.de: did not receive HSTS header
 vitalita.cz: did not receive HSTS header
 vitalorange.com: did not receive HSTS header
 vitalthings.de: could not connect to host
@@ -17934,6 +18659,7 @@ vitamineproteine.com: did not receive HSTS header
 vitta.me: did not receive HSTS header
 vitzro.kr: could not connect to host
 viva-french.com: did not receive HSTS header
+vivamusic.es: did not receive HSTS header
 vivasports.com.br: could not connect to host
 viveconsalud.club: could not connect to host
 vivocloud.com: could not connect to host
@@ -17949,11 +18675,12 @@ vleij.family: could not connect to host
 vlogge.com: did not receive HSTS header
 vlsk.eu: did not receive HSTS header
 vlzbazar.ru: could not connect to host
+vmem.jp: did not receive HSTS header
 vmrdev.com: could not connect to host
 vmstan.com: did not receive HSTS header
 vndb.org: could not connect to host
 vocab.guru: could not connect to host
-vocalik.com: did not receive HSTS header
+vocalik.com: could not connect to host
 vocalsynth.space: could not connect to host
 voceinveste.com: did not receive HSTS header
 vodpay.com: could not connect to host
@@ -17969,13 +18696,13 @@ voidpay.org: could not connect to host
 voids.org: could not connect to host
 voidserv.net: could not connect to host
 voidshift.com: could not connect to host
-voidzehn.com: did not receive HSTS header
 voilo.club: could not connect to host
 voilodaisuki.club: could not connect to host
 voipkb.com: did not receive HSTS header
 voiro.club: could not connect to host
 voirodaisuki.club: could not connect to host
 vokalsystem.com: did not receive HSTS header
+vokurka.net: did not receive HSTS header
 volatimer.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 volbyzive.cz: did not receive HSTS header
 volcain.io: could not connect to host
@@ -18006,9 +18733,10 @@ vosjesweb.nl: could not connect to host
 votercircle.com: did not receive HSTS header
 voterstartingpoint.uk: did not receive HSTS header
 votewa.gov: could not connect to host
+votre-site-internet.ch: could not connect to host
 votresiteweb.ch: could not connect to host
 vow.vn: could not connect to host
-voyageofyume.com: could not connect to host
+vox.vg: did not receive HSTS header
 vozami.com: could not connect to host
 vpip.net: could not connect to host
 vpl.me: did not receive HSTS header
@@ -18044,12 +18772,14 @@ vsamsonov.com: could not connect to host
 vsc-don-stocksport.de: did not receive HSTS header
 vtuber-schedule.info: could not connect to host
 vucdn.com: could not connect to host
+vulndetect.org: did not receive HSTS header
 vulnerabilities.io: could not connect to host
 vuosaarenmontessoritalo.fi: did not receive HSTS header
 vvl.me: did not receive HSTS header
 vw-touranclub.cz: could not connect to host
 vwoforangeparts.com: could not connect to host
 vwt-event.nl: could not connect to host
+vww-8522.com: could not connect to host
 vxapps.com: could not connect to host
 vxml.club: could not connect to host
 vxst.org: max-age too low: 2592000
@@ -18063,6 +18793,7 @@ vyvygen.com: did not receive HSTS header
 vyzner.cz: could not connect to host
 vzk.io: could not connect to host
 w10club.com: could not connect to host
+w1221.com: could not connect to host
 w2gshop.com.br: could not connect to host
 w4a.fr: could not connect to host
 w4b.in: could not connect to host
@@ -18071,19 +18802,17 @@ w4xzr.xyz: could not connect to host
 w84.it: could not connect to host
 w9rld.com: did not receive HSTS header
 wabifoggynuts.com: could not connect to host
-wachter.biz: did not receive HSTS header
+wachter.biz: could not connect to host
 wachtwoordencheck.nl: could not connect to host
 wadvisor.com: could not connect to host
 waelti.xxx: could not connect to host
 wafa4hw.com: could not connect to host
 wafairhaven.com.au: did not receive HSTS header
 wafni.com: could not connect to host
-wahhoi.net: could not connect to host
 wai-in.com: could not connect to host
 wai-in.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 waidu.de: did not receive HSTS header
 wail.net: could not connect to host
-wait.jp: could not connect to host
 wait.moe: could not connect to host
 waixingrenfuli7.vip: could not connect to host
 waka-mono.com: could not connect to host
@@ -18094,6 +18823,7 @@ waka88.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR
 wakapp.de: could not connect to host
 wakened.net: did not receive HSTS header
 waldkinder-ilmenau.de: did not receive HSTS header
+waligorska.pl: could not connect to host
 walkeryoung.ca: could not connect to host
 walkingforhealth.org.uk: did not receive HSTS header
 wallabag.it: did not receive HSTS header
@@ -18112,7 +18842,7 @@ wanda79.com: could not connect to host
 wanda96.com: could not connect to host
 wanda97.com: could not connect to host
 wanda98.com: could not connect to host
-wandercue.com: did not receive HSTS header
+wandercue.com: could not connect to host
 wangjiatun.com.tw: could not connect to host
 wangjun.me: did not receive HSTS header
 wangkezun.com: could not connect to host
@@ -18122,9 +18852,7 @@ wangqiliang.xn--fiqs8s: could not connect to host
 wangql.cn: could not connect to host
 wanquanojbk.com: did not receive HSTS header
 wantshow.com.br: did not receive HSTS header
-wanvi.net: did not receive HSTS header
 wanybug.cn: did not receive HSTS header
-wanybug.com: could not connect to host
 wapgu.cc: could not connect to host
 wapjt.cn: could not connect to host
 wapking.live: could not connect to host
@@ -18150,15 +18878,17 @@ warsentech.com: did not receive HSTS header
 warumsuchen.at: did not receive HSTS header
 wasatchconstables.com: did not receive HSTS header
 wasatchcrest.com: did not receive HSTS header
-washandfun.com: could not connect to host
+washandfun.com: did not receive HSTS header
 wassim.is: did not receive HSTS header
 watashi.bid: could not connect to host
 watchium.com: did not receive HSTS header
 watchtv-online.pw: could not connect to host
 watchweasel.com: could not connect to host
+waterfedpole.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 waterforlife.net.au: did not receive HSTS header
 waterpoint.com.br: could not connect to host
 watersportmarkt.net: did not receive HSTS header
+watertrails.io: could not connect to host
 watsonhall.uk: could not connect to host
 wattechweb.com: did not receive HSTS header
 wave-ola.es: did not receive HSTS header
@@ -18166,6 +18896,7 @@ wavefloatrooms.com: did not receive HSTS header
 wavefrontsystemstech.com: could not connect to host
 wavesoftime.com: could not connect to host
 waxlrs.com: could not connect to host
+wayfairertravel.com: did not receive HSTS header
 waylaydesign.com: did not receive HSTS header
 waylee.net: did not receive HSTS header
 wbit.co.il: did not receive HSTS header
@@ -18176,7 +18907,6 @@ wdesk.com: did not receive HSTS header
 wdrl.info: did not receive HSTS header
 wdt.io: could not connect to host
 we.serveftp.net: could not connect to host
-wealthcentral.com.au: did not receive HSTS header
 wealthformyhealth.com: did not receive HSTS header
 wear2work.nl: could not connect to host
 wearedisneyland.com: did not receive HSTS header
@@ -18187,8 +18917,10 @@ weaverhairextensions.nl: could not connect to host
 web-adminy.co.uk: could not connect to host
 web-advisor.co.uk: could not connect to host
 web-demarche.com: could not connect to host
+web-dl.cc: did not receive HSTS header
 web-industry.fr: could not connect to host
 web-insider.net: did not receive HSTS header
+web-thinker.ru: could not connect to host
 web-vision.de: did not receive HSTS header
 web4all.fr: did not receive HSTS header
 web4pro.fr: could not connect to host
@@ -18213,6 +18945,7 @@ webdosh.com: did not receive HSTS header
 webeconomia.it: did not receive HSTS header
 webelement.sk: did not receive HSTS header
 weberjulia.com: could not connect to host
+webfox.com.br: did not receive HSTS header
 webfronten.dk: did not receive HSTS header
 webgaff.com: could not connect to host
 webgap.me: did not receive HSTS header
@@ -18241,7 +18974,7 @@ webninja.work: could not connect to host
 webnoob.net: could not connect to host
 webnosql.com: could not connect to host
 webogram.org: could not connect to host
-webperformance.ru: could not connect to host
+webperformance.ru: did not receive HSTS header
 webproshosting.tk: could not connect to host
 webproxy.pw: could not connect to host
 webpublica.pt: could not connect to host
@@ -18262,12 +18995,12 @@ webtechgadgetry.com: could not connect to host
 webtek.nu: could not connect to host
 webthings.com.br: could not connect to host
 webtiles.co.uk: could not connect to host
-webukhost.com: could not connect to host
 webuni.hu: did not receive HSTS header
 webveloper.com: did not receive HSTS header
-webwolf.co.za: did not receive HSTS header
+webwolf.co.za: could not connect to host
 webwork.pw: did not receive HSTS header
 webypass.xyz: could not connect to host
+webz.one: could not connect to host
 webzanem.com: could not connect to host
 wecanfindit.co.za: could not connect to host
 wecanvisit.com: could not connect to host
@@ -18283,6 +19016,8 @@ weedcircles.com: did not receive HSTS header
 weedlandia.org: could not connect to host
 weekly.fyi: could not connect to host
 wegenaer.nl: could not connect to host
+wegethitched.co.uk: could not connect to host
+weggeweest.nl: could not connect to host
 wegner.no: could not connect to host
 weicn.org: did not receive HSTS header
 weightreviews.com: could not connect to host
@@ -18291,11 +19026,11 @@ weiler.xyz: could not connect to host
 weimaraner.com.br: could not connect to host
 weinhandel-preissler.de: could not connect to host
 weirdserver.com: could not connect to host
-weixiaojun.org: could not connect to host
+weixiaojun.org: did not receive HSTS header
 weizenke.im: could not connect to host
 wejumall.com: could not connect to host
 wekibe.de: could not connect to host
-welby.cat: could not connect to host
+welby.cat: did not receive HSTS header
 welches-kinderfahrrad.de: could not connect to host
 welcomehelp.de: could not connect to host
 welkers.org: could not connect to host
@@ -18331,7 +19066,7 @@ werdeeintimo.de: could not connect to host
 wereldplanner.nl: could not connect to host
 werhatunsverraten.eu: could not connect to host
 werken-bij-inwork.nl: could not connect to host
-werkenbijkfc.nl: could not connect to host
+werkenbijkfc.nl: did not receive HSTS header
 werkplaatsoost.nl: did not receive HSTS header
 werkruimtebottendaal.nl: could not connect to host
 werkz.io: could not connect to host
@@ -18339,7 +19074,6 @@ wes-dev.com: did not receive HSTS header
 wesayyesprogram.com: could not connect to host
 wesleyharris.ca: did not receive HSTS header
 wespeakgeek.co.za: could not connect to host
-wessner.co: could not connect to host
 westcoastaggregate.com: could not connect to host
 westendzone.com: could not connect to host
 westerhoud.nl: did not receive HSTS header
@@ -18358,7 +19092,6 @@ wetthost.com: could not connect to host
 wetttipps.com: could not connect to host
 wetttipps.de: could not connect to host
 wevahoo.com: could not connect to host
-wevg.org: did not receive HSTS header
 wevolver.com: did not receive HSTS header
 wewillgo.com: could not connect to host
 wewillgo.org: did not receive HSTS header
@@ -18366,6 +19099,7 @@ wewlad.me: could not connect to host
 weyland.tech: did not receive HSTS header
 weynaphotography.com: did not receive HSTS header
 wf-training-master.appspot.com: did not receive HSTS header (error ignored - included regardless)
+wfl.ro: did not receive HSTS header
 wftda.com: did not receive HSTS header
 wg-tools.de: could not connect to host
 whanau.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -18383,7 +19117,7 @@ whereismyorigin.cf: could not connect to host
 wherephoto.com: did not receive HSTS header
 wheresben.today: could not connect to host
 whilsttraveling.com: could not connect to host
-whimtrip.fr: did not receive HSTS header
+whimtrip.fr: could not connect to host
 whisker.network: could not connect to host
 whistler-transfers.com: did not receive HSTS header
 whitehat.id: could not connect to host
@@ -18391,6 +19125,7 @@ whiterabbit.org: did not receive HSTS header
 whiterabbitcakery.com: could not connect to host
 whiteready.it: did not receive HSTS header
 whiteroom.agency: did not receive HSTS header
+whiterose.goip.de: could not connect to host
 whitestagforge.com: did not receive HSTS header
 whoasome.com: could not connect to host
 whoclicks.net: could not connect to host
@@ -18406,7 +19141,6 @@ whoownsmyavailability.com: [Exception... "Component returned failure code: 0x800
 whoshotya.de: did not receive HSTS header
 whysuck.com: could not connect to host
 wiapply.com: could not connect to host
-wiberg.nu: could not connect to host
 wibruje.pl: did not receive HSTS header
 wibuw.com: could not connect to host
 widdleguy.com: did not receive HSTS header
@@ -18416,7 +19150,6 @@ wienerwichtelchallenge.at: did not receive HSTS header
 wieninternational.at: did not receive HSTS header
 wificafehosting.com: did not receive HSTS header
 wifimapa.cz: could not connect to host
-wifimask.com: did not receive HSTS header
 wiiaam.com: could not connect to host
 wiiforum.no: did not receive HSTS header
 wiire.me: could not connect to host
@@ -18439,7 +19172,6 @@ william.si: could not connect to host
 williamboundsltd.com: could not connect to host
 williamsapiens.com: could not connect to host
 williamsflintlocks.com: did not receive HSTS header
-williamsroom.com: did not receive HSTS header
 williamtm.design: could not connect to host
 willkommen-fuerstenberg.de: did not receive HSTS header
 willosagiede.com: did not receive HSTS header
@@ -18447,6 +19179,7 @@ wilsonovi.com: could not connect to host
 wilsonvilleoregon.gov: could not connect to host
 winaes.com: did not receive HSTS header
 winclient.cn: could not connect to host
+wind.moe: could not connect to host
 windholz.us: could not connect to host
 windows10insider.com: did not receive HSTS header
 windowsforum.com: did not receive HSTS header
@@ -18502,6 +19235,7 @@ wittepapaver.nl: did not receive HSTS header
 witting.co: could not connect to host
 wittydonut.com: could not connect to host
 witzemaschine.com: max-age too low: 0
+wixguide.co: did not receive HSTS header
 wizardmeow.xin: could not connect to host
 wizardspire.com: did not receive HSTS header
 wizznab.tk: could not connect to host
@@ -18511,8 +19245,10 @@ wlzhiyin.cn: could not connect to host
 wmawri.com: did not receive HSTS header
 wmcuk.net: did not receive HSTS header
 wmfinanz.com: could not connect to host
+wmnrj.com: did not receive HSTS header
 wmoda.com.br: could not connect to host
-wnmed.com.au: could not connect to host
+wmustore.com: did not receive HSTS header
+wnmed.com.au: did not receive HSTS header
 wnmm.nl: could not connect to host
 wnnc.co.uk: could not connect to host
 woaiuhd.com: could not connect to host
@@ -18525,7 +19261,7 @@ wodice.com: could not connect to host
 wohnungsbau-ludwigsburg.de: did not receive HSTS header
 woi.vision: could not connect to host
 woima.fi: max-age too low: 604800
-wokeai.net: could not connect to host
+wokeai.net: did not receive HSTS header
 woktoss.com: could not connect to host
 wolfemg.com: could not connect to host
 wolfenland.net: did not receive HSTS header
@@ -18533,8 +19269,10 @@ wolfesden.com: could not connect to host
 wolfram.io: could not connect to host
 wolkenspeicher.org: could not connect to host
 wollekorb.de: could not connect to host
+womb.city: could not connect to host
 womf.org: did not receive HSTS header
 womosale.de: could not connect to host
+wonabo.com: could not connect to host
 wonderbooks.club: could not connect to host
 wonderfall.xyz: could not connect to host
 wonderhost.info: could not connect to host
@@ -18559,6 +19297,7 @@ wordsofamaster.com: could not connect to host
 work-and-jockel.de: did not receive HSTS header
 workemy.com: could not connect to host
 workfone.io: could not connect to host
+workingmachine.info: could not connect to host
 workissime.com: did not receive HSTS header
 workpermit.com.vn: could not connect to host
 workplaces.online: did not receive HSTS header
@@ -18566,6 +19305,7 @@ worksofwyoming.org: did not receive HSTS header
 workwithgo.com: could not connect to host
 world-education-association.org: could not connect to host
 worldchess.london: could not connect to host
+worldcrafts.org: did not receive HSTS header
 worldfree4.org: did not receive HSTS header
 worldlist.org: could not connect to host
 worldofterra.net: could not connect to host
@@ -18575,6 +19315,8 @@ worldwhisperer.net: could not connect to host
 wormdisk.net: could not connect to host
 wormholevpn.net: could not connect to host
 worshapp.com: did not receive HSTS header
+woti.dedyn.io: could not connect to host
+wow-foederation.de: could not connect to host
 wow-travel.eu: could not connect to host
 wow202y5.com: did not receive HSTS header
 wowapi.org: could not connect to host
@@ -18591,6 +19333,7 @@ wpcheck.io: could not connect to host
 wpcontrol.se: could not connect to host
 wpdesigner.ir: did not receive HSTS header
 wpdublin.com: could not connect to host
+wpexplainer.com: did not receive HSTS header
 wpfast.net: could not connect to host
 wpfortify.com: could not connect to host
 wpg-inc.com: did not receive HSTS header
@@ -18609,7 +19352,6 @@ wpzhiku.com: did not receive HSTS header
 wql.zj.cn: did not receive HSTS header
 wrapit.hu: could not connect to host
 wrapitup.co.uk: did not receive HSTS header
-wrara.org: could not connect to host
 wrbunderwriting.com: did not receive HSTS header
 wrfu.co.nz: did not receive HSTS header
 wriedts.de: did not receive HSTS header
@@ -18622,7 +19364,6 @@ writing-expert.com: could not connect to host
 wrldevelopment.com: did not receive HSTS header
 wroffle.com: did not receive HSTS header
 wrwg.ca: could not connect to host
-ws-meca.com: did not receive HSTS header
 wsb-immo.at: could not connect to host
 wsdcap.com: could not connect to host
 wsor.group: did not receive HSTS header
@@ -18635,6 +19376,7 @@ wubify.com: did not receive HSTS header
 wubocong.com: did not receive HSTS header
 wubthecaptain.eu: could not connect to host
 wuchipc.com: could not connect to host
+wufu.org: did not receive HSTS header
 wufupay.com: could not connect to host
 wuhengmin.com: could not connect to host
 wulpi.it: did not receive HSTS header
@@ -18651,9 +19393,9 @@ wusx.club: could not connect to host
 wutianxian.com: could not connect to host
 wvr-law.de: did not receive HSTS header
 wvv-8522.com: could not connect to host
+wvw-8522.com: could not connect to host
 wvw698.com: max-age too low: 2592000
 wwbsb.xyz: could not connect to host
-wwjd.dynu.net: could not connect to host
 wwv-8522.com: could not connect to host
 www-001133.com: could not connect to host
 www-0385.com: could not connect to host
@@ -18674,6 +19416,7 @@ www-9649.com: did not receive HSTS header
 www-9995.com: could not connect to host
 www-djbet.com: could not connect to host
 www-jinshavip.com: could not connect to host
+www-pj009.com: could not connect to host
 www.captaintrain.com: did not receive HSTS header
 www.cueup.com: could not connect to host
 www.cyveillance.com: did not receive HSTS header
@@ -18683,7 +19426,7 @@ www.gmail.com: did not receive HSTS header (error ignored - included regardless)
 www.googlemail.com: did not receive HSTS header (error ignored - included regardless)
 www.gpo.gov: did not receive HSTS header
 www.greplin.com: could not connect to host
-www.icann.org: did not receive HSTS header
+www.intercom.io: did not receive HSTS header
 www.jitsi.org: did not receive HSTS header
 www.ledgerscope.net: could not connect to host
 www.logentries.com: did not receive HSTS header
@@ -18714,7 +19457,7 @@ wzrd.in: did not receive HSTS header
 x-pertservice.com: did not receive HSTS header
 x-power-detox.com: could not connect to host
 x-ripped-hd.com: could not connect to host
-x1be.win: could not connect to host
+x1be.win: did not receive HSTS header
 x23.eu: did not receive HSTS header
 x2c0.net: did not receive HSTS header
 x2w.io: could not connect to host
@@ -18729,6 +19472,7 @@ xat.re: did not receive HSTS header
 xavier.is: could not connect to host
 xavierbarroso.com: did not receive HSTS header
 xbc.nz: could not connect to host
+xbertschy.com: did not receive HSTS header
 xbind.io: could not connect to host
 xchangeinfo.com: could not connect to host
 xchating.com: could not connect to host
@@ -18738,7 +19482,6 @@ xcoop.me: did not receive HSTS header
 xd.fi: did not receive HSTS header
 xd.gov: did not receive HSTS header
 xdd.io: could not connect to host
-xdty.org: could not connect to host
 xehoivn.vn: could not connect to host
 xellos.ga: could not connect to host
 xellos.ml: could not connect to host
@@ -18755,13 +19498,15 @@ xhadius.de: could not connect to host
 xia100.xyz: could not connect to host
 xiangqiushi.com: did not receive HSTS header
 xianguocy.com: could not connect to host
+xiaobude.cn: did not receive HSTS header
 xiaody.me: could not connect to host
+xiaofengsky.com: did not receive HSTS header
 xiaolan.me: could not connect to host
 xiaolvmu.com: could not connect to host
 xiaolvmu.me: could not connect to host
 xiaoxiao.im: could not connect to host
 xiaxuejin.cn: could not connect to host
-xiazhanjian.com: could not connect to host
+xiazhanjian.com: did not receive HSTS header
 xice.cf: could not connect to host
 xilegames.com: could not connect to host
 ximage.me: could not connect to host
@@ -18769,28 +19514,29 @@ ximens.me: could not connect to host
 xin-in.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 xin-in.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 xinbiji.cn: could not connect to host
+xinbo270.com: could not connect to host
 xinex.cz: did not receive HSTS header
 xing-in.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 xing.ml: could not connect to host
 xinghuokeji.xin: could not connect to host
 xingiahanvisa.net: did not receive HSTS header
 xinnixwebshop.be: did not receive HSTS header
-xiongx.cn: did not receive HSTS header
+xinplay.net: max-age too low: 0
+xinsane.com: could not connect to host
 xiqi.us: did not receive HSTS header
-xirion.net: could not connect to host
+xirion.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 xisa.it: could not connect to host
 xivpn.com: could not connect to host
 xiyu.it: did not receive HSTS header
 xiyu.moe: did not receive HSTS header
 xj8876.com: max-age too low: 2592000
-xjoi.net: did not receive HSTS header
 xlaff.com: did not receive HSTS header
-xlboo.com: could not connect to host
+xlboo.com: did not receive HSTS header
 xlfblog.com: did not receive HSTS header
 xlinar.com: could not connect to host
+xlui.me: did not receive HSTS header
 xmerak.com: did not receive HSTS header
 xmiui.com: could not connect to host
-xmlogin288.com: could not connect to host
 xmonk.org: did not receive HSTS header
 xmr.my: could not connect to host
 xn-----8kcgbo2bmdgkdacthvjf.xn--p1ai: could not connect to host
@@ -18828,14 +19574,13 @@ xn--dckya4a0bya6x.com: could not connect to host
 xn--dckya4a0bya6x.jp: could not connect to host
 xn--die-zahnrzte-ncb.de: did not receive HSTS header
 xn--dk8haaa.ws: could not connect to host
-xn--dmontaa-9za.com: could not connect to host
 xn--e--0g4aiy1b8rmfg3o.jp: could not connect to host
 xn--e--4h4axau6ld4lna0g.com: could not connect to host
 xn--e--ig4a4c3f6bvc5et632i.com: could not connect to host
 xn--e--k83a5h244w54gttk.xyz: could not connect to host
+xn--eckle6c0exa0b0modc7054g7h8ajw6f.com: did not receive HSTS header
 xn--ehq13kgw4e.ml: could not connect to host
 xn--ekr87w7se89ay98ezcs.biz: did not receive HSTS header
-xn--elsignificadodesoar-c4b.com: did not receive HSTS header
 xn--gfrrli-yxa.ch: could not connect to host
 xn--gmq92k.nagoya: could not connect to host
 xn--grnderlehrstuhl-0vb.de: could not connect to host
@@ -18861,15 +19606,15 @@ xn--mhsv04avtt1xi.com: could not connect to host
 xn--milchaufschumer-test-lzb.de: could not connect to host
 xn--n8jubz39q0g0afpa985c.com: could not connect to host
 xn--neb-tma3u8u.xyz: could not connect to host
-xn--nf1a578axkh.xn--fiqs8s: did not receive HSTS header
 xn--o77hka.ga: could not connect to host
+xn--oiqt18e8e2a.eu.org: could not connect to host
 xn--p8jskj.jp: could not connect to host
 xn--pck4e3a2ex597b4ml.xyz: did not receive HSTS header
 xn--pckqk6xk43lunk.net: could not connect to host
 xn--qckqc0nxbyc4cdb4527err7c.biz: did not receive HSTS header
 xn--qckyd1cu698a35zarib.xyz: could not connect to host
+xn--qfun83b.ga: could not connect to host
 xn--r77hya.ga: could not connect to host
-xn--rlcus7b3d.xn--xkc2dl3a5ee0h: could not connect to host
 xn--rt-cja.eu: could not connect to host
 xn--sdkwa9azd389v01ya.com: could not connect to host
 xn--srenpind-54a.dk: could not connect to host
@@ -18891,17 +19636,18 @@ xn--xdtx3pfzbiw3ar8e7yedqrhui.com: could not connect to host
 xn--xz1a.jp: could not connect to host
 xn--y8j2eb5631a4qf5n0h.com: could not connect to host
 xn--y8j5gq14rbdd.net: did not receive HSTS header
-xn--y8ja6lb.xn--q9jyb4c: could not connect to host
 xn--yj8h0m.ws: could not connect to host
 xn--ykrp42k.com: could not connect to host
 xn--yoamomisuasbcn-ynb.com: could not connect to host
 xn--zck9a4b352yuua.jp: did not receive HSTS header
 xng.io: did not receive HSTS header
+xnode.org: could not connect to host
 xobox.me: could not connect to host
 xoda.pw: could not connect to host
 xoffy.com: did not receive HSTS header
 xom.party: could not connect to host
 xombra.com: could not connect to host
+xoonth.net: could not connect to host
 xor-a.net: could not connect to host
 xotika.tv: could not connect to host
 xpbytes.com: did not receive HSTS header
@@ -18911,7 +19657,10 @@ xpi.fr: could not connect to host
 xpj.bet: did not receive HSTS header
 xpj.sx: could not connect to host
 xpjcunkuan.com: could not connect to host
+xplore-dna.net: could not connect to host
 xpressprint.com.br: max-age too low: 90
+xps2pdf.co.uk: could not connect to host
+xps2pdf.info: could not connect to host
 xpwn.cz: did not receive HSTS header
 xq55.com: did not receive HSTS header
 xqin.net: could not connect to host
@@ -18944,12 +19693,6 @@ xxx3dbdsm.com: could not connect to host
 xxxladyboysporn.com: could not connect to host
 xxxred.net: could not connect to host
 xy1919.com: could not connect to host
-xy6161.com: could not connect to host
-xy6262.com: could not connect to host
-xy6363.com: could not connect to host
-xy7171.com: could not connect to host
-xy7272.com: could not connect to host
-xy7373.com: could not connect to host
 xyndrac.net: max-age too low: 2592000
 xynex.us: could not connect to host
 xyngular-health.com: did not receive HSTS header
@@ -18987,10 +19730,11 @@ yaucy.win: could not connect to host
 yawen.tw: did not receive HSTS header
 yawnbox.com: did not receive HSTS header
 yayart.club: could not connect to host
+yazaral.com: did not receive HSTS header
 ybscareers.co.uk: did not receive HSTS header
+ybt520.com: did not receive HSTS header
 ycaaz.com: did not receive HSTS header
 ycc.wtf: could not connect to host
-ycherbonnel.fr: could not connect to host
 ycm2.wtf: could not connect to host
 ydy.jp: could not connect to host
 yello.website: could not connect to host
@@ -19008,6 +19752,7 @@ yepbitcoin.com: could not connect to host
 yesdevnull.net: did not receive HSTS header
 yesfone.com.br: could not connect to host
 yeshu.org: could not connect to host
+yesiammaisey.me: could not connect to host
 yestees.com: did not receive HSTS header
 yetcore.io: could not connect to host
 yetishirt.com: could not connect to host
@@ -19023,28 +19768,27 @@ yicknam.my: could not connect to host
 yiffy.tips: did not receive HSTS header
 yiffy.zone: did not receive HSTS header
 yikzu.cn: could not connect to host
-yimgo.fr: could not connect to host
 yin.roma.it: did not receive HSTS header
 yin8888.tv: did not receive HSTS header
 ying299.com: could not connect to host
 ying299.net: could not connect to host
 yinga.ga: did not receive HSTS header
 yingsuo.ltd: could not connect to host
-yingyj.com: could not connect to host
+yingyj.com: did not receive HSTS header
 yinhe12.net: did not receive HSTS header
 yipingguo.com: could not connect to host
 yippie.nl: could not connect to host
 yizhu.com: could not connect to host
 yjsw.sh.cn: could not connect to host
-ykhut.com: could not connect to host
-ylde.de: could not connect to host
 ylilauta.org: could not connect to host
 ylk.io: could not connect to host
 ylwz.cc: did not receive HSTS header
 ynode.co: did not receive HSTS header
 ynsn.nl: could not connect to host
 yntongji.com: could not connect to host
+ynxfh.cn: did not receive HSTS header
 yob.vn: could not connect to host
+yobai28.com: did not receive HSTS header
 yobst.tk: could not connect to host
 yocchan1513.net: did not receive HSTS header
 yoga-prive.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -19063,21 +19807,21 @@ yomena.in: could not connect to host
 yomepre.com: could not connect to host
 yopers.com: did not receive HSTS header
 yorkshireterrier.com.br: could not connect to host
-yorname.ml: did not receive HSTS header
 yoru.me: could not connect to host
 yosheenetwork.fr: could not connect to host
 yotilab.com: could not connect to host
 yotilabs.com: could not connect to host
-youcaitian.com: did not receive HSTS header
+youcaitian.com: could not connect to host
 youcancraft.de: could not connect to host
-youcanmakeit.at: could not connect to host
 youcontrol.ru: could not connect to host
 youdowell.com: did not receive HSTS header
 youfencun.com: did not receive HSTS header
+youftp.tk: could not connect to host
 yougot.pw: could not connect to host
 youjizz.bz: could not connect to host
 youlend.com: did not receive HSTS header
 youlog.net: could not connect to host
+youmiracle.com: could not connect to host
 youmonit.me: could not connect to host
 youngandunited.nl: did not receive HSTS header
 younl.net: could not connect to host
@@ -19114,16 +19858,16 @@ ytbmp3.com: did not receive HSTS header
 ytbmp4.com: did not receive HSTS header
 ytcuber.xyz: could not connect to host
 ythyth.com: max-age too low: 2592000
-ytpak.com: did not receive HSTS header
+ytpak.com: could not connect to host
 ytvwld.de: did not receive HSTS header
 yu7.jp: did not receive HSTS header
 yuanbenlian.com: did not receive HSTS header
+yuanjiazhao.tk: could not connect to host
 yudan.com.br: could not connect to host
 yude.ml: could not connect to host
 yue2.net: could not connect to host
 yuema.net.cn: could not connect to host
 yufan.me: did not receive HSTS header
-yugasun.com: could not connect to host
 yugege.cf: could not connect to host
 yuhen.ru: did not receive HSTS header
 yui.cat: did not receive HSTS header
@@ -19148,8 +19892,7 @@ yuntama.xyz: could not connect to host
 yunzhan.io: could not connect to host
 yunzhu.org: could not connect to host
 yuppi.tv: max-age too low: 43200
-yuqi.me: did not receive HSTS header
-yurimoens.be: could not connect to host
+yuqi.me: could not connect to host
 yurinet.org: could not connect to host
 yuriykuzmin.com: did not receive HSTS header
 yutabon.com: could not connect to host
@@ -19162,7 +19905,9 @@ yuzu.tk: did not receive HSTS header
 yvetteerasmus.com: max-age too low: 0
 ywei.org: could not connect to host
 ywyz.tech: could not connect to host
-yya.bid: could not connect to host
+yxs.me: could not connect to host
+yxt521.com: did not receive HSTS header
+yya.bid: did not receive HSTS header
 yya.men: could not connect to host
 yyrss.com: could not connect to host
 z-coder.com: could not connect to host
@@ -19173,14 +19918,13 @@ z33.co: could not connect to host
 z3liff.com: could not connect to host
 z3liff.net: could not connect to host
 zaalleatherwear.nl: did not receive HSTS header
-zabavno.mk: max-age too low: 0
+zabavno.mk: did not receive HSTS header
 zacharopoulos.me: could not connect to host
 zachbolinger.com: could not connect to host
 zachpeters.org: did not receive HSTS header
 zadieheimlich.com: did not receive HSTS header
 zadroweb.com: did not receive HSTS header
 zaem.tv: could not connect to host
-zagluszaczgps.pl: could not connect to host
 zahnrechner-staging.azurewebsites.net: could not connect to host
 zahyantechnologies.com: did not receive HSTS header
 zaidan.de: did not receive HSTS header
@@ -19212,17 +19956,18 @@ zberger.com: could not connect to host
 zbetcheck.in: could not connect to host
 zbigniewgalucki.eu: did not receive HSTS header
 zbp.at: did not receive HSTS header
-zby.io: could not connect to host
 zdravesteny.cz: could not connect to host
 zdravotnickasluzba.eu: could not connect to host
 zdrowiepaleo.pl: could not connect to host
 zdx.ch: max-age too low: 0
+zeal-and.jp: could not connect to host
 zeb.fun: could not connect to host
-zebibyte.cn: could not connect to host
+zebibyte.cn: did not receive HSTS header
 zebrababy.cn: could not connect to host
 zebry.nl: did not receive HSTS header
 zecrypto.com: could not connect to host
 zeedroom.be: did not receive HSTS header
+zeelynk.com: could not connect to host
 zefiris.org: did not receive HSTS header
 zefu.ca: could not connect to host
 zehdenick-bleibt-bunt.de: could not connect to host
@@ -19236,18 +19981,18 @@ zeloz.xyz: could not connect to host
 zenfusion.fr: could not connect to host
 zenhaiku.com: could not connect to host
 zenics.co.uk: did not receive HSTS header
+zenmate.com.tr: could not connect to host
 zeno-system.com: did not receive HSTS header
 zenpayroll.com: did not receive HSTS header
+zenram.com: did not receive HSTS header
 zentience.dk: did not receive HSTS header
 zentience.net: did not receive HSTS header
 zentience.org: did not receive HSTS header
 zentiweb.nl: did not receive HSTS header
 zentraler-kreditausschuss.de: did not receive HSTS header
 zentralwolke.de: did not receive HSTS header
-zenvite.com: could not connect to host
 zenwears.com: could not connect to host
-zenycosta.com: could not connect to host
-zeparadox.com: could not connect to host
+zeparadox.com: did not receive HSTS header
 zepect.com: did not receive HSTS header
 zera.com.au: could not connect to host
 zerekin.net: max-age too low: 86400
@@ -19259,8 +20004,8 @@ zerofox.gq: could not connect to host
 zeroling.com: could not connect to host
 zeroml.ml: could not connect to host
 zerosource.net: could not connect to host
-zerowastesavvy.com: could not connect to host
 zerowastesonoma.gov: could not connect to host
+zertif.info: could not connect to host
 zerudi.com: did not receive HSTS header
 zetadisseny.es: did not receive HSTS header
 zeto365.pl: did not receive HSTS header
@@ -19283,6 +20028,7 @@ zhengouwu.com: could not connect to host
 zhenmeish.com: could not connect to host
 zhenyan.org: could not connect to host
 zhh.in: could not connect to host
+zhih.me: could not connect to host
 zhihua-lai.com: did not receive HSTS header
 zhiin.net: could not connect to host
 zhikin.com: could not connect to host
@@ -19296,27 +20042,29 @@ zhuweiyou.com: did not receive HSTS header
 zi0r.com: did not receive HSTS header
 zian.online: could not connect to host
 zicklam.com: could not connect to host
+ziegler-family.com: could not connect to host
 zigcore.com.br: could not connect to host
 zikirakhirzaman.com: could not connect to host
 zinc-x.com: did not receive HSTS header
 zinenapse.info: could not connect to host
 zippy-download.com: could not connect to host
 zippy-download.de: could not connect to host
+ziptie.com: max-age too low: 0
 zirtue.io: could not connect to host
 zitrone44.de: did not receive HSTS header
-zivagold.com: did not receive HSTS header
 zivy-ruzenec.cz: could not connect to host
 zixo.sk: could not connect to host
 ziyuanabc.xyz: could not connect to host
 ziz.exchange: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 zizoo.com: did not receive HSTS header
-zju.tv: could not connect to host
+zju.tv: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 zjubtv.com: could not connect to host
+zjuqsc.com: could not connect to host
 zjutv.com: could not connect to host
 zjyifa.cn: could not connect to host
 zkillboard.com: did not receive HSTS header
 zking.ga: could not connect to host
-zl0iu.com: did not receive HSTS header
+zl0iu.com: could not connect to host
 zl8862.com: could not connect to host
 zlc1994.com: did not receive HSTS header
 zlcp.com: could not connect to host
@@ -19336,7 +20084,6 @@ zokster.net: could not connect to host
 zolokar.xyz: could not connect to host
 zolotoy-standart.com.ua: did not receive HSTS header
 zombiesecured.com: could not connect to host
-zomiac.pp.ua: could not connect to host
 zonadebolsa.es: did not receive HSTS header
 zone403.net: could not connect to host
 zoneminder.com: did not receive HSTS header
@@ -19346,9 +20093,9 @@ zoo.city: could not connect to host
 zoo24.de: did not receive HSTS header
 zoofaeth.de: did not receive HSTS header
 zoofit.com.au: did not receive HSTS header
-zoological-gardens.eu: could not connect to host
 zoomingin.net: max-age too low: 5184000
 zoommailing.com: did not receive HSTS header
+zoomseoservices.com: max-age too low: 2592000
 zoorigin.com: did not receive HSTS header
 zooxdata.com: could not connect to host
 zorki.nl: did not receive HSTS header
@@ -19360,8 +20107,6 @@ zq789.com: could not connect to host
 zqhong.com: could not connect to host
 zqjs.tk: could not connect to host
 zqstudio.top: could not connect to host
-zrhdwz.cn: could not connect to host
-zrkr.de: could not connect to host
 zrn.in: did not receive HSTS header
 ztan.tk: could not connect to host
 ztcaoll222.cn: could not connect to host
diff --git a/security/manager/ssl/nsSTSPreloadList.inc b/security/manager/ssl/nsSTSPreloadList.inc
index 209beded5..75d35a777 100644
--- a/security/manager/ssl/nsSTSPreloadList.inc
+++ b/security/manager/ssl/nsSTSPreloadList.inc
@@ -8,7 +8,7 @@
 /*****************************************************************************/
 
 #include <stdint.h>
-const PRTime gPreloadListExpirationTime = INT64_C(1554207118864000);
+const PRTime gPreloadListExpirationTime = INT64_C(1555803903526000);
 
 class nsSTSPreload
 {
@@ -41,11 +41,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "022610.com", true },
   { "02327.net", true },
   { "02375.net", true },
-  { "023sec.com", true },
+  { "02607.com", true },
   { "026122.com", true },
   { "02638.net", true },
+  { "03170317.com", true },
   { "0391315.com", true },
   { "046569.com", true },
+  { "04911701.cn", true },
   { "050.ca", true },
   { "050media.nl", true },
   { "0511315.net", true },
@@ -81,16 +83,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "083912.com", true },
   { "083957.com", true },
   { "083960.com", true },
+  { "083962.com", true },
   { "083965.com", true },
   { "083967.com", true },
   { "08detaxe.fr", true },
+  { "09115.com", true },
   { "0916app.com", true },
   { "09892.net", true },
   { "0au.de", true },
   { "0c3.de", true },
   { "0day.agency", true },
   { "0des.com", true },
+  { "0ii0.cf", true },
   { "0ik.de", true },
+  { "0iz.net", true },
   { "0knowledge.de", false },
   { "0o0.edu.pl", true },
   { "0paste.com", true },
@@ -123,8 +129,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "100-downloads.com", true },
   { "10000v.ru", true },
   { "1000minds.com", true },
-  { "1000serien.com", true },
-  { "1001carats.fr", true },
   { "1001firms.com", true },
   { "1001kartini.com", true },
   { "1001kerstpakketten.com", false },
@@ -136,7 +140,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "100lat.pl", true },
   { "100mani.it", true },
   { "100pounds.co.uk", true },
-  { "100rembourse.be", true },
   { "101.qa", true },
   { "1011100.com", true },
   { "101sauna.kz", true },
@@ -151,6 +154,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "10495.net", true },
   { "10774.net", true },
   { "10840.net", true },
+  { "10gb.io", true },
   { "10hz.de", true },
   { "10og.de", true },
   { "10ppm.com", true },
@@ -173,10 +177,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "123bearing.com", true },
   { "123bearing.eu", true },
   { "123comparer.fr", true },
-  { "123djdrop.com", true },
   { "123midterm.com", true },
+  { "123nutricion.es", true },
   { "123opstalverzekeringen.nl", true },
-  { "123pay.ir", false },
   { "123plons.nl", true },
   { "123roulement.be", true },
   { "123roulement.com", true },
@@ -221,6 +224,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "159cp.com", true },
   { "1600esplanade.com", true },
   { "160887.com", true },
+  { "162jonesrd.ca", true },
   { "1644091933.rsc.cdn77.org", true },
   { "1661237.com", true },
   { "1750studios.com", false },
@@ -237,6 +241,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "18f.gov", true },
   { "18f.gsa.gov", false },
   { "1911trust.com", true },
+  { "192.io", true },
   { "192168ll.repair", true },
   { "192433.com", true },
   { "1972969867.rsc.cdn77.org", true },
@@ -244,8 +249,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "19area.cn", true },
   { "19hundert84.de", true },
   { "1a-diamantscheiben.de", true },
-  { "1a-vermessung.at", true },
-  { "1a-werkstattgeraete.de", true },
   { "1ab-machinery.com", true },
   { "1c-power.ru", true },
   { "1cover.co.nz", true },
@@ -294,10 +297,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "1wl.uk", true },
   { "2.wtf", true },
   { "200.network", true },
+  { "2001y.me", true },
   { "2012.ovh", true },
   { "20188088.com", true },
   { "20at.com", true },
-  { "20denier.com", true },
   { "215dy.net", true },
   { "21sthammersmith.org.uk", true },
   { "21stnc.us", true },
@@ -309,11 +312,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "23333.link", true },
   { "2333666.xyz", true },
   { "2333blog.com", true },
-  { "233abc.com", true },
+  { "233abc.com", false },
   { "233blog.com", true },
   { "233boy.com", true },
   { "233bwg.com", true },
   { "233hugo.com", true },
+  { "233now.com", true },
   { "233ss.net", true },
   { "233vps.com", true },
   { "233yes.com", true },
@@ -343,12 +347,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "2600edinburgh.org", true },
   { "2600hq.com", true },
   { "260887.com", true },
-  { "263.info", true },
   { "2718282.net", true },
   { "28-industries.com", true },
   { "281180.de", true },
   { "2858958.com", true },
-  { "286.com", true },
   { "28peaks.com", true },
   { "28spots.net", true },
   { "291167.xyz", true },
@@ -381,9 +383,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "2hypeenterprises.com", true },
   { "2kgwf.fi", true },
   { "2krueger.de", true },
+  { "2li.ch", true },
   { "2manydots.nl", true },
   { "2mb.solutions", true },
-  { "2mir.com", true },
   { "2nains.ch", true },
   { "2nerds1bit.com", true },
   { "2nics.net", true },
@@ -392,6 +394,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "2rsc.com", true },
   { "2rsc.net", true },
   { "2stv.net", true },
+  { "2tuu.com", true },
   { "2ulcceria.nl", true },
   { "2wheel.com", true },
   { "2y.fi", true },
@@ -522,7 +525,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "394622.com", true },
   { "394922.com", true },
   { "396422.com", true },
-  { "398.info", true },
   { "39sihu.com", false },
   { "3aandl.com", true },
   { "3ags.de", true },
@@ -536,8 +538,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "3countiescastlehire.co.uk", true },
   { "3cs.ch", true },
   { "3d-fotoservice.de", true },
+  { "3dcollective.es", true },
   { "3de5.nl", true },
   { "3deeplearner.com", true },
+  { "3dgep.com", true },
   { "3djuegos.com", true },
   { "3dmedium.de", true },
   { "3dmusiclab.nl", true },
@@ -546,9 +550,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "3drenaline.com", true },
   { "3haeuserprojekt.org", true },
   { "3haueserprojekt.org", true },
+  { "3james.com", true },
   { "3logic.ru", true },
   { "3lot.ru", true },
   { "3n5b.com", true },
+  { "3niu168.com", true },
+  { "3niu178.com", true },
+  { "3niu6.com", true },
+  { "3niu66.com", true },
+  { "3niu666.com", true },
+  { "3niu8.com", true },
+  { "3niu88.com", true },
+  { "3niu8888.com", true },
+  { "3niuurl.com", true },
   { "3os.ooo", true },
   { "3phase.pw", true },
   { "3plusdesign.gr", true },
@@ -603,11 +617,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "44sec.com", true },
   { "451.ooo", true },
   { "4553s.com", true },
-  { "4553vip.com", true },
   { "4706666.com", true },
   { "4716666.com", true },
   { "4726666.com", true },
-  { "4736666.com", true },
   { "4756666.com", true },
   { "4786666.com", true },
   { "491mhz.net", true },
@@ -623,11 +635,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "4garage.com.br", true },
   { "4host.ch", true },
   { "4kprojektory.cz", true },
+  { "4lock.com.br", true },
   { "4mm.org", true },
   { "4plebs.moe", true },
   { "4project.co.il", true },
   { "4share.tv", true },
-  { "4sics.se", true },
   { "4th-ave-studio.com", true },
   { "4thdc.com", true },
   { "4u.services", true },
@@ -650,6 +662,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "500h500.com", true },
   { "500i500.com", true },
   { "500j500.com", true },
+  { "500k.nl", true },
   { "500k500.com", true },
   { "500l500.com", true },
   { "500m500.com", true },
@@ -671,6 +684,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "504922.com", true },
   { "506422.com", true },
   { "506pay.com", true },
+  { "508088.com", true },
   { "50lakeshore.com", true },
   { "50north.de", true },
   { "514122.com", true },
@@ -682,11 +696,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "51877.net", true },
   { "519422.com", true },
   { "51acg.eu.org", true },
+  { "51tiaojiu.com", true },
+  { "5219.ml", true },
   { "524022.com", true },
   { "524622.com", true },
   { "524922.com", true },
   { "525.info", true },
-  { "52hentai.ml", true },
+  { "52hentai.us", true },
   { "52kb365.com", true },
   { "52ncp.net", true },
   { "52sykb.com", true },
@@ -694,6 +710,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "534122.com", true },
   { "534622.com", true },
   { "534922.com", true },
+  { "5364.com", true },
   { "536422.com", true },
   { "5364b.com", true },
   { "5364c.com", true },
@@ -713,7 +730,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "5555yh.com", true },
   { "55639.com", true },
   { "55797.com", true },
-  { "558da.com", true },
   { "566380.com", true },
   { "575380.com", true },
   { "576422.com", true },
@@ -730,13 +746,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "592380.com", true },
   { "592422.com", true },
   { "5930593.com", true },
-  { "593380.com", true },
   { "594022.com", true },
   { "594622.com", true },
   { "595422.com", true },
   { "596422.com", true },
-  { "598380.com", true },
-  { "5986fc.com", true },
   { "5997891.com", true },
   { "5apps.com", true },
   { "5c1fd0f31022cbc40af9f785847baaf9.space", true },
@@ -763,13 +776,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "614322.com", true },
   { "614922.com", true },
   { "61730123.com", true },
+  { "618media.com", true },
   { "621422.com", true },
   { "624022.com", true },
   { "624122.com", true },
   { "624322.com", true },
   { "624522.com", true },
   { "624922.com", true },
-  { "626380.com", true },
   { "626422.com", true },
   { "630422.com", true },
   { "631422.com", true },
@@ -832,7 +845,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "656088.com", true },
   { "659422.com", true },
   { "66136.com", true },
-  { "6616fc.com", true },
   { "6633445.com", true },
   { "6652566.com", true },
   { "6660111.ru", true },
@@ -841,7 +853,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "6666yh.com", true },
   { "666omg.com", true },
   { "66b.com", true },
-  { "66bwf.com", true },
   { "670422.com", true },
   { "671422.com", true },
   { "672422.com", true },
@@ -872,7 +883,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "6t-montjoye.org", true },
   { "700.az", true },
   { "704233.com", true },
-  { "7045.com", true },
   { "704533.com", true },
   { "7045h.com", true },
   { "704633.com", true },
@@ -895,12 +905,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "736433.com", true },
   { "738433.com", true },
   { "739433.com", true },
+  { "73info.com", true },
   { "740833.com", true },
   { "741833.com", true },
   { "742833.com", true },
   { "743833.com", true },
   { "74th.jp", true },
   { "755k3.com", true },
+  { "758global.com", true },
   { "762.ch", true },
   { "7733445.com", true },
   { "7777yh.com", true },
@@ -917,6 +929,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "7geese.com", true },
   { "7graus.pt", true },
   { "7kicks.com", true },
+  { "7proxies.com", true },
   { "7qly.com", true },
   { "7sons.de", true },
   { "7thcircledesigns.com", true },
@@ -929,7 +942,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "814022.com", true },
   { "81818app.com", true },
   { "8189196.com", true },
-  { "818bwf.com", true },
   { "818da.com", true },
   { "8349822.com", true },
   { "850226.com", true },
@@ -941,9 +953,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "8522usa.com", true },
   { "86286286.com", true },
   { "86499.com", true },
-  { "8649955.com", true },
-  { "8649966.com", true },
-  { "8649977.com", true },
+  { "86metro.ru", true },
   { "8722.am", true },
   { "8722am.com", true },
   { "8722cn.com", true },
@@ -963,7 +973,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "8876008.com", true },
   { "8876009.com", true },
   { "8876138.com", true },
-  { "8876205.com", true },
   { "8876278.com", true },
   { "8876289.com", true },
   { "8876290.com", true },
@@ -1037,10 +1046,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "8889893.com", true },
   { "8889903.com", true },
   { "8889910.com", true },
-  { "888bwf.com", true },
   { "888funcity.com", true },
   { "888funcity.net", true },
-  { "88bwf.com", true },
   { "88yule11.com", true },
   { "88yule112.com", true },
   { "88yule113.com", true },
@@ -1064,6 +1071,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "8tech.com.hk", true },
   { "8thportsmouth.org.uk", true },
   { "8tuffbeers.com", true },
+  { "8ung.online", true },
   { "8xxbet.net", true },
   { "8y.network", true },
   { "9-11commission.gov", true },
@@ -1078,7 +1086,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "914122.com", true },
   { "918116.com", true },
   { "918gd.com", true },
-  { "918yy.com", true },
   { "919422.com", true },
   { "91966.com", true },
   { "91tianmi.com", false },
@@ -1130,9 +1137,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "9jajuice.com", true },
   { "9pkfz.com", true },
   { "9riddles.com", true },
-  { "9tolife.be", true },
   { "9uelle.jp", true },
   { "9vx.org", true },
+  { "9y.at", true },
   { "9yw.me", true },
   { "a-1basements.com", true },
   { "a-1indianawaterproofing.com", true },
@@ -1142,6 +1149,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "a-little-linux-box.at", true },
   { "a-msystems.com", true },
   { "a-oben.org", true },
+  { "a-players.team", true },
   { "a-wife.net", true },
   { "a-ztransmission.com", true },
   { "a0print.nl", true },
@@ -1157,13 +1165,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "a4sound.com", true },
   { "a632079.me", true },
   { "a7la-chat.com", true },
-  { "aa-tour.ru", true },
   { "aa1718.net", true },
   { "aaapl.com", true },
   { "aabanet.com.br", true },
   { "aaben-bank.dk", true },
   { "aabenbank.dk", true },
   { "aacfree.com", true },
+  { "aacs-design.com", true },
+  { "aadw.de", true },
   { "aaex.cloud", true },
   { "aagetransport.no", true },
   { "aalalbayt.com", true },
@@ -1181,6 +1190,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aarkue.eu", true },
   { "aaron.cm", true },
   { "aaron.xin", true },
+  { "aaronburt.co.uk", false },
   { "aaronhorler.com", true },
   { "aaronhorler.com.au", true },
   { "aaronkimmig.de", true },
@@ -1216,7 +1226,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "abcstudio.com.au", true },
   { "abdel.me", true },
   { "abdelsater.net", true },
-  { "abdullah.pw", true },
   { "abdulwahaab.ca", true },
   { "abe-elektro.de", true },
   { "abe-medical.jp", true },
@@ -1344,6 +1353,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "acceleratenetworks.com", true },
   { "accelerateyourworld.org", true },
   { "accelerator.net", true },
+  { "accelsnow.com", true },
   { "accentthailand.com", true },
   { "accesloges.com", true },
   { "accessacab.co.uk", true },
@@ -1357,6 +1367,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "accoladescreens.com.au", true },
   { "accord-application.com", true },
   { "accordiondoor.com", true },
+  { "account.bbc.com", true },
   { "accounts.firefox.com", true },
   { "accounts.google.com", true },
   { "accpl.co", true },
@@ -1383,9 +1394,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "acerentalandsales.com", true },
   { "acerislaw.com", true },
   { "acessoeducacao.com", true },
-  { "acevik.de", true },
   { "acfo.org", true },
   { "acg.social", true },
+  { "acgmoon.com", true },
+  { "acgmoon.org", true },
   { "acgtalktw.com", true },
   { "achalay.org", true },
   { "acheconcursos.com.br", true },
@@ -1399,7 +1411,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "achtzig20.de", true },
   { "achwo.de", true },
   { "acid.ninja", true },
-  { "acidbin.co", true },
   { "aciety.com", true },
   { "aciksite.com", true },
   { "ackermann.ch", true },
@@ -1423,6 +1434,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "acousticalsolutions.com", true },
   { "acoustics.network", true },
   { "acoustics.tech", true },
+  { "acousticsoundrecords.com", true },
   { "acoustique-tardy.com", true },
   { "acpcoils.com", true },
   { "acperu.ch", true },
@@ -1464,7 +1476,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "activeexcavator.com", true },
   { "activehire.co.uk", true },
   { "activeleisure.ie", true },
-  { "activeworld.net", false },
   { "activiteithardenberg.nl", true },
   { "activitesaintnicaise.org", true },
   { "activityeventhire.co.uk", true },
@@ -1485,12 +1496,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "actuatemedia.com", true },
   { "acuica.co.uk", false },
   { "acul.me", true },
-  { "acupofsalt.tv", true },
   { "acus.gov", true },
   { "acwcerts.co.uk", true },
   { "acwi.gov", true },
   { "acy.com", true },
   { "acyfxasia.com", true },
+  { "acyume.com", true },
   { "ad-notam.asia", true },
   { "ad-notam.ch", true },
   { "ad-notam.co.uk", true },
@@ -1509,11 +1520,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "adam.lgbt", true },
   { "adamas-magicus.ru", true },
   { "adambalogh.net", true },
+  { "adambryant.ca", false },
   { "adambyers.com", true },
   { "adamek.online", true },
   { "adamfontenot.com", true },
   { "adamh.us", true },
-  { "adamjoycegames.co.uk", true },
   { "adamkaminski.com", true },
   { "adamkostecki.de", true },
   { "adamoutler.com", true },
@@ -1522,14 +1533,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "adamsbouncycastles.co.uk", true },
   { "adamstas.com", true },
   { "adamwallington.co.uk", true },
-  { "adamwilcox.org", true },
   { "adamyuan.xyz", true },
+  { "adappt.co.uk", true },
+  { "adapptlabs.com", true },
   { "adapt-elektronik.com", true },
   { "adapt.de", true },
   { "adaptablesecurity.org", true },
   { "adapti.de", true },
   { "adaptivemechanics.edu.au", true },
   { "adarshthapa.in", true },
+  { "adativos.com.br", true },
   { "adawolfa.cz", true },
   { "adayinthelifeof.nl", true },
   { "adblockextreme.com", true },
@@ -1540,7 +1553,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "addicional.com", true },
   { "addictionresource.com", true },
   { "addictively.com", true },
-  { "addiko.net", true },
   { "addisoncrump.info", true },
   { "addnine.com", true },
   { "addon.watch", true },
@@ -1550,6 +1562,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "addvalue-renovations.co.uk", true },
   { "addydari.us", true },
   { "adelebeals.com", true },
+  { "adelianz.com", true },
   { "adelightfulglow.com", true },
   { "adeline.mobi", true },
   { "adentalsolution.com", true },
@@ -1562,6 +1575,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "adhd-inattentive.com", true },
   { "adhesivelaundry.co.uk", true },
   { "adhoc.is", true },
+  { "adiehard.party", true },
   { "adimaja.com", true },
   { "adinariversloveschool.com", true },
   { "adingenierie.fr", true },
@@ -1582,6 +1596,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "admin.google.com", true },
   { "admin.stg.fedoraproject.org", true },
   { "adminforge.de", true },
+  { "administrator.de", true },
   { "administratorserwera.pl", true },
   { "adminlinux.pl", true },
   { "admino.cz", true },
@@ -1594,6 +1609,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "admongo.gov", true },
   { "adnanoktar.com", true },
   { "adnanotoyedekparca.com", true },
+  { "adnolesh.com", true },
   { "adnot.am", true },
   { "adnseguros.es", true },
   { "adonizer.science", true },
@@ -1612,6 +1628,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "adr.gov", true },
   { "adra.com", true },
   { "adrafinil.wiki", true },
+  { "adresults.com", true },
+  { "adresults.nl", true },
   { "adrianbechtold.de", true },
   { "adriancitu.com", true },
   { "adriancostin.ro", true },
@@ -1649,6 +1667,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "advento.bg", true },
   { "adventure-inn.com", true },
   { "adventureally.com", true },
+  { "adventuredrives.com", true },
   { "adventureforest.co.nz", true },
   { "adventureforest.de", false },
   { "adventureforest.nz", true },
@@ -1658,7 +1677,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "adventureswithlillie.ca", true },
   { "adventurousway.com", true },
   { "advertis.biz", true },
-  { "advicepro.org.uk", true },
   { "advocate-europe.eu", true },
   { "advocaten-avocats.be", true },
   { "advocatenalkmaar.org", true },
@@ -1668,6 +1686,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "advokat-romanov.com", true },
   { "advtran.com", true },
   { "adware.pl", true },
+  { "adwokatkosterka.pl", true },
   { "adwokatzdunek.pl", true },
   { "adws.io", true },
   { "adxperience.com", true },
@@ -1687,6 +1706,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "adzuna.ru", true },
   { "adzuna.sg", true },
   { "ae-construction.co.uk", true },
+  { "ae-dir.com", true },
+  { "ae-dir.org", true },
   { "aebian.org", true },
   { "aecexpert.fr", true },
   { "aedollon.com", true },
@@ -1729,7 +1750,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aextron.com", true },
   { "aextron.de", true },
   { "aextron.org", true },
-  { "aeyoun.com", true },
   { "afavre.io", true },
   { "afb24.de", true },
   { "afbeelding.im", true },
@@ -1737,6 +1757,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "afcmrs.org", true },
   { "afcompany.it", true },
   { "afcurgentcarelyndhurst.com", true },
+  { "affarsnatverk.nu", true },
   { "affichagepub3.com", true },
   { "affiliatefeatures.com", true },
   { "affiliateroyale.com", true },
@@ -1747,7 +1768,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "affittacamere.roma.it", true },
   { "affittialmare.it", true },
   { "affittisalento.it", true },
-  { "affloc.com", true },
   { "affordableazdivorce.com", true },
   { "affordableblindsexpress.com", true },
   { "affordableenergyadvocates.com", true },
@@ -1759,6 +1779,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "affping.com", true },
   { "affvps.net", true },
   { "afghan.dating", true },
+  { "afgn.com.ua", true },
   { "afi-business-consulting.com", true },
   { "aficionados.com.br", true },
   { "afinadoronline.com.br", true },
@@ -1774,13 +1795,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "africanexponent.com", true },
   { "africanimpact.com", true },
   { "africantourer.com", true },
-  { "africatravel.de", true },
   { "afrikarl.de", true },
   { "afrodigital.uk", true },
   { "afs-asso.org", true },
   { "afscheidsportret.nl", true },
   { "aftab-alam.de", true },
   { "after.digital", true },
+  { "afterdwi.info", true },
   { "afterhate.fr", true },
   { "afuh.de", true },
   { "afva.net", true },
@@ -1802,6 +1823,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "agenda-loto.net", false },
   { "agenda21senden.de", true },
   { "agendatelefonica.com.br", true },
+  { "agendazilei.com", true },
   { "agent-grow.com", true },
   { "agent6.com.au", true },
   { "agentprocessing.com", true },
@@ -1815,6 +1837,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "agic.io", true },
   { "agilebits.com", true },
   { "agilecraft.com", true },
+  { "agileecommerce.com.br", true },
   { "agileui.com", true },
   { "agiley.se", true },
   { "agilizing.us", true },
@@ -1897,6 +1920,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aibenzi.com", true },
   { "aibiying.com", true },
   { "aicial.co.uk", true },
+  { "aid-web.ch", true },
   { "aidanapple.com", true },
   { "aidanmitchell.co.uk", true },
   { "aidanmitchell.uk", true },
@@ -1915,7 +1939,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aignermunich.com", true },
   { "aignermunich.de", true },
   { "aignermunich.jp", true },
-  { "aiheisi.com", true },
   { "aiho.stream", true },
   { "aiicy.org", true },
   { "aiida.se", true },
@@ -1932,7 +1955,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ailitonia.xyz", true },
   { "aimax.com", true },
   { "aimeeandalec.com", true },
-  { "aimerworld.com", true },
+  { "aimerworld.com", false },
   { "aimgroup.co.tz", true },
   { "aimi-salon.com", true },
   { "aimotive.com", true },
@@ -2057,7 +2080,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ais.fashion", true },
   { "aisance-co.com", true },
   { "aisi316l.net", true },
-  { "aisr.nl", true },
   { "aistockcharts.com", true },
   { "aistrope.com", true },
   { "ait.com.ar", true },
@@ -2067,7 +2089,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aivd.lol", true },
   { "aiwdirect.com", true },
   { "aixvox.com", false },
-  { "aizxxs.com", true },
   { "ajapaik.ee", true },
   { "ajarope.com", true },
   { "ajaxed.net", true },
@@ -2083,7 +2104,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ajnasz.hu", true },
   { "ajsb85.com", true },
   { "ak-varazdin.hr", true },
-  { "ak-webit.de", true },
   { "aka.ms", true },
   { "akachanikuji.com", true },
   { "akademeia.moe", true },
@@ -2104,6 +2124,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "akiym.com", true },
   { "akj.io", true },
   { "akkbouncycastles.co.uk", true },
+  { "akkeylab.com", true },
   { "akostecki.de", true },
   { "akovana.com", true },
   { "akoww.de", false },
@@ -2116,7 +2137,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "akropol.cz", false },
   { "akropolis-ravensburg.de", true },
   { "aksehir.bel.tr", true },
-  { "akselinurmio.fi", false },
+  { "akselinurmio.fi", true },
+  { "akshay.in.eu.org", true },
   { "akshi.in", true },
   { "aktin.cz", true },
   { "aktin.sk", true },
@@ -2131,7 +2153,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "akutun.cl", true },
   { "akvorrat.at", true },
   { "akyildiz.net", true },
-  { "al3366.tech", true },
   { "al3xpro.com", true },
   { "alab.space", true },
   { "alabamadebtrelief.org", true },
@@ -2150,6 +2171,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alamgir.works", true },
   { "alanberger.me.uk", true },
   { "alanhua.ng", true },
+  { "alanhuang.name", true },
   { "alaninkenya.org", true },
   { "alaricfavier.eu", false },
   { "alarmcomplete.co.uk", true },
@@ -2184,12 +2206,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aldomedia.com", true },
   { "aldorr.net", false },
   { "aldous-huxley.com", true },
+  { "alecel.de", true },
   { "alecpap.com", true },
   { "alecpapierniak.com", true },
   { "alecrust.com", true },
   { "alek.in", true },
   { "aleksejjocic.tk", true },
   { "aleksib.fi", true },
+  { "alela.fr", true },
   { "alerbon.net", true },
   { "alertboxx.com", true },
   { "alertonline.nl", true },
@@ -2220,6 +2244,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alexei.su", false },
   { "alexey-shamara.ru", true },
   { "alexeykopytko.com", true },
+  { "alexfabian.myftp.org", true },
   { "alexgaynor.net", true },
   { "alexgebhard.com", true },
   { "alexhd.de", true },
@@ -2239,7 +2264,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alexschroeder.ch", true },
   { "alexsergeyev.com", true },
   { "alexsexton.com", true },
-  { "alexsinnott.me", true },
   { "alextaffe.com", true },
   { "alexthayne.co.uk", true },
   { "alextjam.es", true },
@@ -2250,7 +2274,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alexwilliams.tech", true },
   { "alexyang.me", true },
   { "alfa-tech.su", true },
-  { "alfaperfumes.com.br", true },
   { "alfred-figge.de", true },
   { "alftrain.com", true },
   { "algbee.com", true },
@@ -2285,7 +2308,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alinasmusicstudio.com", true },
   { "alinbu.net", true },
   { "aliorange.com", true },
-  { "alis-test.tk", true },
   { "alisonisrealestate.com", true },
   { "alisonlitchfield.com", true },
   { "alistairstowing.com", true },
@@ -2294,6 +2316,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aljaspod.com", true },
   { "aljaspod.hu", true },
   { "aljaspod.net", true },
+  { "aljweb.com", true },
+  { "alkacoin.net", true },
   { "all-connect.net", false },
   { "all-fashion-schools.com", true },
   { "all-markup-news.com", true },
@@ -2325,24 +2349,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alle.bg", true },
   { "allemoz.com", true },
   { "allemoz.fr", true },
-  { "allenosgood.com", true },
   { "allenscaravans.co.uk", true },
   { "allensun.org", true },
   { "allesisonline.nl", true },
   { "alleskomtgoed.org", true },
   { "allesrocknroll.de", true },
   { "allforyou.at", true },
-  { "allfreelancers.su", false },
   { "allfundsconnect.com", true },
   { "allgaragefloors.com", true },
   { "allgreenturf.com.au", true },
   { "alliance-psychiatry.com", true },
+  { "alliances-faq.de", true },
   { "alliances-globalsolutions.com", true },
   { "alliedfrozenstorage.com", true },
   { "alligatorge.de", true },
   { "allinagency.com", true },
   { "allincoin.shop", true },
-  { "allinone-ranking150.com", true },
   { "allis.studio", true },
   { "allius.de", true },
   { "alljamin.com", true },
@@ -2364,7 +2386,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "allsearch.io", true },
   { "allshousedesigns.com", true },
   { "allstakesupply.com.au", true },
-  { "allstarautokiaparts.com", true },
   { "allstarcashforcars.com", true },
   { "allstarpartyinflatables.co.uk", true },
   { "allstarquilts.com", true },
@@ -2375,10 +2396,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "allthecryptonews.com", true },
   { "allthethings.co.nz", true },
   { "allthings.me", true },
+  { "allthingssquared.com", true },
   { "allthingswild.co.uk", true },
+  { "alltubedownload.net", true },
   { "allurebikerental.com", true },
   { "allurescarves.com", true },
   { "alluvion.studio", true },
+  { "allvips.ru", true },
   { "allweatherlandscaping.net", true },
   { "almaatlantica.com", true },
   { "almavios.com", false },
@@ -2402,7 +2426,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alphaantileak.net", true },
   { "alphabetsigns.com", true },
   { "alphabouncycastles.co.uk", true },
-  { "alphabrock.cn", true },
   { "alphachat.net", true },
   { "alphadote.com", true },
   { "alphaetomega3d.fr", true },
@@ -2411,6 +2434,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alphagateanddoor.com", true },
   { "alphainflatablehire.com", true },
   { "alphaman.ooo", true },
+  { "alphanodes.com", true },
   { "alphapengu.in", true },
   { "alpharotary.com", true },
   { "alphasall.com", false },
@@ -2431,6 +2455,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alqassam.net", true },
   { "alquiaga.com", true },
   { "alquiladoramexico.com", true },
+  { "alrait.com", true },
+  { "alre-outillage.fr", true },
   { "alroniks.com", true },
   { "als-japan.com", true },
   { "alstertouch.com", true },
@@ -2446,10 +2472,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alterbaum.net", true },
   { "alternador.com.br", true },
   { "alternative.bike", true },
+  { "alternative.hosting", true },
   { "alternativebit.fr", true },
   { "alternativedev.ca", true },
   { "alternativeinternet.ca", true },
   { "alternativet.party", true },
+  { "alternativetomeds.com", true },
   { "alterspalter.de", true },
   { "altes-sportamt.de", true },
   { "altesses.eu", true },
@@ -2457,13 +2485,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "altisdev.com", true },
   { "altkremsmuensterer.at", true },
   { "altmaestrat.es", true },
+  { "altmann-systems.de", true },
   { "altoa.cz", true },
+  { "altonblom.com", true },
   { "altopartners.com", true },
   { "altopia.com", true },
   { "altphotos.com", true },
   { "alts.li", true },
   { "altstipendiaten.de", true },
-  { "alttrackr.com", true },
   { "altunbas.info", true },
   { "alumni-kusa.jp", true },
   { "alupferd.de", true },
@@ -2497,11 +2526,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "amagical.net", false },
   { "amaiz.com", true },
   { "amalfi5stars.com", true },
-  { "amalficoastchauffeur.com", true },
   { "amalfilapiazzetta.it", true },
   { "amalfipositanoboatrental.com", true },
-  { "amalfirock.it", true },
   { "amalfitabula.it", true },
+  { "amaliagamis.com", true },
   { "amanatrustbooks.org.uk", true },
   { "amandadamsphotography.com", true },
   { "amandasage.ca", true },
@@ -2520,6 +2548,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "amazili-communication.com", true },
   { "amazing-castles.co.uk", true },
   { "amazinginflatables.co.uk", true },
+  { "amazingraymond.com", true },
+  { "amazingraymond.com.au", true },
   { "amb.tf", true },
   { "amberalert.gov", true },
   { "amberglowleisure.co.uk", true },
@@ -2578,8 +2608,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aminafrance.com", true },
   { "amineptine.com", true },
   { "aminorth.com", true },
+  { "aminullrouted.com", true },
   { "amionvpn.com", true },
-  { "amirautos.com", true },
+  { "amirautos.com", false },
   { "amirmahdy.com", true },
   { "amisderodin.fr", true },
   { "amitabhsirkiclasses.org.in", true },
@@ -2600,6 +2631,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ampersandnbspsemicolon.com", true },
   { "amphetamines.org", true },
   { "amphibo.ly", true },
+  { "ampleroads.com", true },
   { "ampol-agd.pl", true },
   { "ampproject.com", true },
   { "ampproject.org", true },
@@ -2615,14 +2647,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "amyrussellhair.com", true },
   { "amyyeung.com", true },
   { "amzn.rocks", true },
+  { "an-alles-gedacht.de", true },
   { "anabolic.co", true },
   { "anacreon.de", true },
   { "anadiyogacentre.com", true },
   { "anaethelion.fr", true },
+  { "anaiscoachpersonal.es", true },
   { "analbleachingguide.com", true },
   { "analgesia.net", true },
   { "analisilaica.it", true },
   { "analogist.net", true },
+  { "analytics-shop.com", true },
   { "analyticsinmotion.com", true },
   { "analyticum.at", true },
   { "analyticum.com", true },
@@ -2639,6 +2674,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "anassiriphotography.com", false },
   { "anastasia-shamara.ru", true },
   { "anaveragehuman.eu.org", true },
+  { "ance.lv", true },
   { "ancestramil.fr", true },
   { "anchev.net", true },
   { "anchorit.gov", true },
@@ -2684,6 +2720,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "andree.cloud", true },
   { "andrehansen.de", true },
   { "andrei-nakov.org", true },
+  { "andrejbenz.com", true },
   { "andrelauzier.com", true },
   { "andreoliveira.io", true },
   { "andrespaz.com", true },
@@ -2704,7 +2741,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "andrewryno.com", true },
   { "andrewsun.com", true },
   { "andrewtchin.com", true },
-  { "andrewx.net", true },
   { "andrezadnik.com", true },
   { "andro2id.com", true },
   { "andro4all.com", true },
@@ -2722,7 +2758,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "androticsdirect.com", true },
   { "andruvision.cz", true },
   { "andsat.org", true },
-  { "andschwa.com", true },
+  { "andschwa.com", false },
   { "andso.cn", true },
   { "anduril.de", true },
   { "anduril.eu", true },
@@ -2730,7 +2766,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "andyc.cc", true },
   { "andycrockett.io", true },
   { "andymoore.info", true },
-  { "andys-place.co.uk", true },
   { "andysroom.dynu.net", true },
   { "andyt.eu", true },
   { "andzia.art.pl", true },
@@ -2763,6 +2798,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "angrapa.ru", true },
   { "angristan.fr", true },
   { "angristan.xyz", true },
+  { "angrut.com", true },
   { "angry.im", true },
   { "angrysnarl.com", true },
   { "angryteeth.net", true },
@@ -2791,9 +2827,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "animeai.com", true },
   { "animefluxxx.com", true },
   { "animeinsights.net", true },
-  { "animes-portal.info", true },
   { "animesharp.com", true },
   { "animetriad.com", true },
+  { "animojis.es", true },
   { "animorphsfanforum.com", true },
   { "anipassion.com", false },
   { "anitaalbersen.nl", true },
@@ -2807,7 +2843,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ankarauzmanlarnakliyat.com", true },
   { "ankarayilmaznakliyat.com", true },
   { "ankarayucelnakliyat.com", true },
-  { "ankenbrand.me", true },
   { "ankitpati.in", true },
   { "ankiuser.net", true },
   { "ankiweb.net", true },
@@ -2818,6 +2853,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "anleitung-zum-schreiben.de", true },
   { "anleitung-zum-schweissen.de", true },
   { "anleitung-zum-toepfern.de", true },
+  { "anlovegeek.net", true },
   { "anna.info", true },
   { "annaenemma.nl", true },
   { "annafiore.com.br", true },
@@ -2841,15 +2877,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "annuaire-jcb.com", true },
   { "annuaire-photographe.fr", false },
   { "annunciationbvmchurch.org", true },
-  { "anohana.org", true },
   { "anojan.com", true },
   { "anon-next.de", true },
   { "anoncom.net", true },
   { "anoncrypto.org", true },
+  { "anoneko.com", true },
   { "anongoth.pl", true },
   { "anons.fr", true },
   { "anonym-surfen.de", true },
   { "anonyme-spieler.at", true },
+  { "anopan.tk", true },
   { "anorak.tech", true },
   { "another.ch", true },
   { "anotherchef.com", true },
@@ -2883,6 +2920,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "antennista.pavia.it", true },
   { "antennista.roma.it", true },
   { "antennista.tv", true },
+  { "antennistaroma.it", true },
   { "antennisti.milano.it", true },
   { "antennisti.roma.it", true },
   { "anteprima.info", true },
@@ -2897,6 +2935,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "anthropoid.ca", true },
   { "anti-bible.com", true },
   { "anti-radar.org", true },
+  { "antiaz.com", true },
   { "antibioticshome.com", true },
   { "anticopyright.com", true },
   { "antiekboerderijgraafland.nl", true },
@@ -2904,6 +2943,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "antik-trodelmarkt.de", true },
   { "antikvariat.ru", true },
   { "antikvarius.ro", true },
+  { "antilaserpriority.com", true },
   { "antiled.by", true },
   { "antimine.me", true },
   { "antipolygraph.org", true },
@@ -2921,8 +2961,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "antonin.one", true },
   { "antonio-gartenbau.de", true },
   { "antonjuulnaber.dk", true },
+  { "antonuotila.fi", true },
   { "antota.lt", true },
   { "antragsgruen.de", true },
+  { "antroposboutique.it", true },
   { "antroposofica.com.br", true },
   { "anttitenhunen.com", true },
   { "antvklik.com", true },
@@ -2969,6 +3011,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "apartmentkroatien.at", true },
   { "apartmentregister.com.au", true },
   { "apasaja.tech", true },
+  { "apbank.ch", true },
   { "apbox.de", true },
   { "apcemporium.co.uk", true },
   { "apcube.com", true },
@@ -2978,7 +3021,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "apertis.org", true },
   { "aperturesciencelabs.de", true },
   { "apervita.net", true },
-  { "apexitsolutions.ca", true },
   { "apfelcholest.de", true },
   { "apgw.jp", true },
   { "aphelionentertainment.com", true },
@@ -2998,8 +3040,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "apiary.store", true },
   { "apiary.supplies", true },
   { "apiary.supply", true },
-  { "apila.care", true },
-  { "apila.us", true },
+  { "apimon.de", true },
   { "apination.com", true },
   { "apio.systems", true },
   { "apis.google.com", true },
@@ -3007,7 +3048,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "apisyouwonthate.com", true },
   { "apk.li", true },
   { "apk4fun.com", true },
-  { "apkmod.id", true },
   { "aplikaceproandroid.cz", true },
   { "aplpackaging.co.uk", true },
   { "aplu.fr", true },
@@ -3040,13 +3080,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "appartement-evolene.net", true },
   { "appartementhaus-badria.de", true },
   { "appartementmarsum.nl", true },
+  { "appchive.net", true },
   { "appearance-plm.de", true },
-  { "appel-aide.ch", true },
   { "appelaprojets.fr", true },
   { "appelboomdefilm.nl", true },
   { "appengine.google.com", true },
   { "apperio.com", true },
-  { "appformacpc.com", true },
   { "appgeek.com.br", true },
   { "appharbor.com", true },
   { "appify.org", true },
@@ -3070,6 +3109,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "apprenticeships.gov", true },
   { "approbo.com", true },
   { "approvedtreecare.com", true },
+  { "apps-perso.com", true },
   { "apps.co", true },
   { "apps.facebook.com", false },
   { "apps.fedoraproject.org", true },
@@ -3084,7 +3124,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "appuals.com", true },
   { "appui-de-fenetre.fr", true },
   { "appveyor.com", true },
-  { "appxcrypto.com", true },
   { "appzoojoo.be", true },
   { "apratimsaha.com", true },
   { "apretatuercas.es", true },
@@ -3115,7 +3154,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aqualysis.nl", true },
   { "aquapoint.kiev.ua", true },
   { "aquarium-supplement.net", true },
-  { "aquaron.com", true },
+  { "aquaselect.eu", true },
   { "aquatechnologygroup.com", true },
   { "aquaundine.net", true },
   { "aquavitaedayspa.com.au", true },
@@ -3139,6 +3178,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "araratour.com", true },
   { "araro.ch", true },
   { "araseifudousan.com", true },
+  { "arawaza.biz", true },
   { "arawaza.com", false },
   { "araxis.com", true },
   { "arbeitsch.eu", true },
@@ -3149,6 +3189,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "arbitrary.ch", true },
   { "arboworks.com", true },
   { "arbu.eu", false },
+  { "arcaea.net", true },
   { "arcaik.net", true },
   { "arcbouncycastles.co.uk", true },
   { "arcenergy.co.uk", true },
@@ -3160,6 +3201,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "architectureandgovernance.com", true },
   { "archivero.es", true },
   { "archivesdelavieordinaire.ch", true },
+  { "archivosstl.com", true },
   { "archlinux.de", true },
   { "archlinux.org", true },
   { "arclandholdings.com.au", true },
@@ -3172,7 +3214,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ardor.noip.me", true },
   { "ardtrade.ru", true },
   { "area4pro.com", true },
-  { "area536.com", true },
   { "areaclienti.net", true },
   { "areafiftylan.nl", true },
   { "areatrend.com", true },
@@ -3189,7 +3230,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "arethsu.se", true },
   { "arfad.ch", true },
   { "arg.zone", true },
-  { "argama-nature.com", true },
   { "arganaderm.ch", true },
   { "argb.de", true },
   { "argekultur.at", true },
@@ -3250,6 +3290,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "armstrongsengineering.com", true },
   { "army24.cz", true },
   { "armyprodej.cz", true },
+  { "arnakdanielian.com", true },
   { "arnaudb.net", true },
   { "arnaudfeld.de", true },
   { "arne.codes", true },
@@ -3267,6 +3308,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "arnsmedia.nl", true },
   { "arod.tk", true },
   { "arogov.com", true },
+  { "arogyadhamhealth.com", true },
   { "arokha.com", true },
   { "aromacos.ch", true },
   { "aromatlas.com", true },
@@ -3274,6 +3316,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aroonchande.com", true },
   { "aros.pl", true },
   { "arose.io", true },
+  { "around-cms.de", true },
   { "arox.eu", true },
   { "arpamip.org", true },
   { "arpnet.co.jp", true },
@@ -3297,6 +3340,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "arswb.men", true },
   { "art-auction.jp", true },
   { "art-et-culture.ch", true },
+  { "art-pix.com", true },
+  { "art-pix.de", true },
+  { "art-pix.net", true },
+  { "art2web.net", true },
   { "artboja.com", true },
   { "artdeco-photo.com", true },
   { "arte-soft.co", true },
@@ -3326,6 +3373,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "arthermitage.org", true },
   { "arthur.cn", true },
   { "arthurlaw.ca", true },
+  { "articu.no", true },
   { "artificial.army", true },
   { "artificialgrassandlandscaping.com", true },
   { "artik.cloud", true },
@@ -3356,7 +3404,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "arts.gov", true },
   { "artschmidtoptical.com", true },
   { "artspac.es", true },
-  { "arturkohut.com", true },
+  { "arturopinto.com.mx", true },
   { "arturrossa.de", true },
   { "arturszalak.com", true },
   { "artweby.cz", true },
@@ -3369,7 +3417,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "arvindhariharan.com", true },
   { "arvindhariharan.me", true },
   { "arvutiladu.ee", true },
-  { "arw.me", true },
   { "arxell.com", true },
   { "aryalaroca.de", true },
   { "aryan-nation.com", true },
@@ -3400,18 +3447,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "asdyx.de", true },
   { "asec01.net", true },
   { "asegem.es", true },
-  { "aseko.gr", true },
   { "asenno.com", true },
   { "aserver.co", true },
   { "asexualitat.cat", true },
   { "asgapps.co.za", true },
   { "asge-handel.de", true },
   { "ashastalent.com", true },
-  { "ashd1.goip.de", true },
-  { "ashd2.goip.de", true },
-  { "ashd3.goip.de", true },
   { "ashkan-rechtsanwalt-arbeitsrecht-paderborn.de", true },
   { "ashleyedisonuk.com", true },
+  { "ashleythouret.com", true },
   { "ashlocklawgroup.com", true },
   { "ashmportfolio.com", true },
   { "ashutoshmishra.org", true },
@@ -3429,8 +3473,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "asiinc-tex.com", true },
   { "asile-colis.fr", true },
   { "asinetasima.com", true },
+  { "asirviablog.com", true },
   { "asisee.photography", true },
   { "ask.fi", true },
+  { "ask.pe", true },
   { "ask1.org", true },
   { "askcaisse.com", true },
   { "askcascade.com", true },
@@ -3456,7 +3502,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aspiradorasbaratas.net", true },
   { "aspirateur-anti-pollution.fr", true },
   { "aspires.co.jp", true },
-  { "aspisdata.com", true },
+  { "asprion.org", true },
   { "asproni.it", true },
   { "asr.cloud", true },
   { "asr.li", true },
@@ -3468,7 +3514,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "assempsaibiza.com", true },
   { "assertion.de", true },
   { "assessoriati.com.br", true },
-  { "assetict.com", true },
   { "assetvault.co.za", true },
   { "assguidesporrentruy.ch", true },
   { "assign-it.co.uk", true },
@@ -3478,6 +3523,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "assistenzalavatrice.org", true },
   { "assistenzamicroonde.org", true },
   { "assodigitale.it", true },
+  { "asspinter.me", true },
   { "assumptionpj.org", true },
   { "astal.rs", true },
   { "astarbouncycastles.co.uk", true },
@@ -3486,11 +3532,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "astec-informatica.com", true },
   { "astengox.com", true },
   { "astenotarili.online", true },
-  { "astenretail.com", true },
   { "astral-imperium.uk", true },
   { "astral.org.pl", true },
   { "astrology42.com", true },
   { "astroscopy.ch", true },
+  { "astrosnail.pt.eu.org", true },
   { "astrovandalistas.cc", true },
   { "astural.org", true },
   { "astutikhonda.com", true },
@@ -3505,13 +3551,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "asws.nl", true },
   { "asystent-dzierzawy.pl", true },
   { "at.search.yahoo.com", false },
-  { "ataber.pw", true },
+  { "at7s.me", true },
   { "atac.no", true },
   { "atacadocervejeiro.com.br", true },
   { "atacadodesandalias.com.br", true },
   { "atallo.com", true },
   { "atallo.es", true },
   { "ataton.ch", true },
+  { "atc.cuneo.it", true },
   { "atc.io", true },
   { "atchleyjazz.com", true },
   { "atchleyjazz.org", true },
@@ -3544,11 +3591,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "atgseed.uk", true },
   { "ath0.org", false },
   { "atheist-refugees.com", true },
+  { "atheistfrontier.com", true },
   { "athena-bartholdi.com", true },
   { "athena-garage.co.uk", true },
   { "athenadynamics.com", true },
   { "athenaneuro.com", true },
-  { "atherosense.ga", true },
   { "athlin.de", true },
   { "atigerseye.com", true },
   { "atimbertownservices.com", true },
@@ -3562,7 +3609,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "atitude.com", true },
   { "ativapsicologia.com.br", true },
   { "atl-paas.net", true },
-  { "atlantahairsurgeon.com", true },
   { "atlantareroof.com", true },
   { "atlantaspringroll.com", true },
   { "atlantichomes.com.au", true },
@@ -3579,6 +3625,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "atlasone.us", true },
   { "atlassian.io", true },
   { "atlassignsandplaques.com", true },
+  { "atlayo.com", false },
   { "atletika.hu", true },
   { "atmschambly.com", true },
   { "atnis.com", true },
@@ -3604,6 +3651,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "attendantdesign.com", true },
   { "attendu.cz", true },
   { "attention.horse", true },
+  { "attilagyorffy.com", true },
   { "attilavandervelde.nl", true },
   { "attinderdhillon.com", true },
   { "attitudes-bureaux.fr", true },
@@ -3653,19 +3701,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "auditos.com", true },
   { "audits.io", true },
   { "auditsquare.com", true },
+  { "audreyhossepian.fr", true },
   { "audreyjudson.com", true },
   { "auenhof-agrar.de", true },
   { "auerbach-verlag.de", true },
   { "auf-feindgebiet.de", true },
   { "augen-seite.de", true },
+  { "augiero.it", true },
+  { "augix.net", true },
   { "augmentable.de", false },
   { "augmented-portal.com", true },
   { "august-don.site", true },
+  { "august.black", true },
   { "augustian-life.cz", true },
   { "augustiner-kantorei-erfurt.de", true },
   { "augustiner-kantorei.de", true },
   { "aukaraoke.su", true },
-  { "aulaschrank.gq", true },
   { "aulo.in", false },
   { "aumilieudumonde.gf", true },
   { "aunali1.com", true },
@@ -3703,9 +3754,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "austintxlocksmiths.com", true },
   { "austinuniversityhouse.com", true },
   { "australian.dating", true },
+  { "australianairbrushedtattoos.com.au", true },
   { "australianarmedforces.org", true },
   { "australianattractions.com.au", true },
   { "australianimmigrationadvisors.com.au", true },
+  { "australiantemporarytattoos.com", true },
+  { "australiantemporarytattoos.com.au", true },
   { "australien-tipps.info", true },
   { "austromorph.space", true },
   { "auszeit-lanzarote.com", true },
@@ -3745,7 +3799,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "autodidacticstudios.org", true },
   { "autoentrepreneurinfo.com", true },
   { "autoepc.ro", true },
-  { "autohaus-snater.de", true },
+  { "autoeshop.eu", true },
   { "autoinsurancehavasu.com", true },
   { "autokeyreplacementsanantonio.com", true },
   { "autoledky.sk", true },
@@ -3769,6 +3823,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "autoproshouston.com", true },
   { "autorando.com", true },
   { "autorijschoolrichardschut.nl", true },
+  { "autos-mertens.com", true },
   { "autoschadeschreuder.nl", true },
   { "autoscuola.roma.it", true },
   { "autosecurityfinance.com", true },
@@ -3803,10 +3858,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "avaaz.org", true },
   { "avabouncehire.co.uk", true },
   { "avacariu.me", true },
+  { "avaemr-development-environment.ca", true },
+  { "avaeon.com", true },
   { "availablecastles.com", true },
   { "avalon-island.ru", true },
   { "avalon-rpg.com", true },
-  { "avalon-studios.de", true },
   { "avanet.ch", true },
   { "avanet.com", true },
   { "avanovum.de", true },
@@ -3832,6 +3888,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "avia-krasnoyarsk.ru", true },
   { "avia-ufa.ru", true },
   { "aviapoisk.kz", true },
+  { "aviationstrategies.aero", true },
   { "aviationstrategy.aero", true },
   { "avid.blue", true },
   { "avidmode-dev.com", true },
@@ -3846,6 +3903,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "avocadooo.stream", true },
   { "avocatbeziau.com", true },
   { "avocode.com", true },
+  { "avonture.be", true },
   { "avova.de", true },
   { "avpres.net", true },
   { "avptp.org", true },
@@ -3853,9 +3911,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "avs-building-services.co.uk", true },
   { "avsox.com", true },
   { "avticket.ru", false },
+  { "avtobania.pro", true },
   { "avtoforex.ru", true },
   { "avtogara-isperih.com", true },
   { "avtomarket.ru", true },
+  { "avtoveles.by", true },
   { "avtovokzaly.ru", true },
   { "avv.li", true },
   { "avvaterra.ch", true },
@@ -3871,8 +3931,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "awaro.net", true },
   { "awbouncycastlehire.com", true },
   { "awecademy.org", true },
+  { "awesome-coconut-software.fr", true },
   { "awesomebouncycastles.co.uk", true },
   { "awesomesit.es", true },
+  { "awic.ca", true },
   { "awk.tw", true },
   { "awksolutions.com", true },
   { "awningcanopyus.com", true },
@@ -3904,6 +3966,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ayanomimi.com", true },
   { "aycomba.de", true },
   { "ayesh.me", true },
+  { "ayj.solutions", true },
   { "aykutcevik.com", true },
   { "aylak.com", true },
   { "aylesburycastlehire.co.uk", true },
@@ -3916,6 +3979,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ayurveda-mantry.com", true },
   { "az-moga.bg", true },
   { "az.search.yahoo.com", false },
+  { "azabani.com", true },
   { "azadliq.info", true },
   { "azane.ga", true },
   { "azarus.ch", true },
@@ -3923,11 +3987,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "azgfd.com", true },
   { "aziende.com.ar", true },
   { "azimut.fr", true },
+  { "azino777.ru", true },
   { "azizfirat.com", true },
-  { "azizvicdan.com", true },
+  { "azizvicdan.com", false },
   { "azlk-team.ru", true },
+  { "azmusica.biz", true },
+  { "azmusica.com", true },
   { "azort.com", true },
   { "azrazalea.net", true },
+  { "azsgeniedev.azurewebsites.net", true },
   { "azso.pro", true },
   { "azsupport.com", true },
   { "aztraslochi.it", true },
@@ -3935,6 +4003,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "azu-l.com", true },
   { "azu-l.jp", true },
   { "azuki.cloud", true },
+  { "azukie.com", true },
   { "azurecrimson.com", true },
   { "azuriasky.com", true },
   { "azuriasky.net", true },
@@ -3948,7 +4017,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "b-landia.net", true },
   { "b-root-force.de", true },
   { "b-services.net", true },
-  { "b-ticket.ch", true },
   { "b0k.org", true },
   { "b0rk.com", true },
   { "b1788.net", false },
@@ -3959,7 +4027,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "b303.me", true },
   { "b4bouncycastles.co.uk", true },
   { "b4ckbone.de", true },
-  { "b4r7.de", true },
   { "b4z.eu", true },
   { "b64.club", true },
   { "b72.com", true },
@@ -3987,6 +4054,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "baches-piscines.com", true },
   { "baciu.ch", true },
   { "backeby.eu", true },
+  { "backgroundchecks.online", true },
   { "backmountaingas.com", true },
   { "backpacker.dating", true },
   { "backschues.com", true },
@@ -3996,16 +4064,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "backsideverbier.ch", true },
   { "backterris.com", true },
   { "backtest.org", true },
+  { "backup-kurumsal.com", true },
   { "backupcloud.ru", true },
+  { "backupsinop.com.br", true },
   { "bacon-monitoring.org", true },
   { "baconismagic.ca", true },
   { "bacontreeconsulting.com", true },
   { "bacoux.com", true },
   { "bacsituvansuckhoe.com", true },
   { "bacula.jp", true },
+  { "bad-wurzach.de", true },
   { "bad.horse", true },
   { "bad.pet", true },
   { "badam.co", true },
+  { "badanka.com", true },
   { "badanteinfamiglia.it", true },
   { "badaparda.com", true },
   { "badblock.fr", true },
@@ -4037,7 +4109,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bageluncle.com", true },
   { "baggy.me.uk", true },
   { "bagheera.me.uk", true },
-  { "baglu.com", true },
   { "bagsofbounce.co.uk", true },
   { "bagspecialist.nl", true },
   { "bah.im", false },
@@ -4057,11 +4128,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bailonga.com", true },
   { "baitulongbaycruises.com", true },
   { "baiyangliu.com", true },
-  { "bajajfinserv.in", true },
   { "bajic.ch", true },
   { "baka-gamer.net", true },
   { "baka.network", true },
   { "baka.org.cn", true },
+  { "baka.red", true },
   { "bakaproxy.moe", true },
   { "bakermen.com", true },
   { "bakersafari.co", true },
@@ -4070,6 +4141,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bakim.li", true },
   { "bakingstone.com", true },
   { "bakkerinjebuurt.be", true },
+  { "bakongcondo.com", true },
   { "balade-commune.ch", true },
   { "baladecommune.ch", true },
   { "balancascia.com.br", true },
@@ -4095,7 +4167,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ball.holdings", true },
   { "ball3d.es", true },
   { "ballarin.cc", true },
-  { "balle.dk", true },
   { "ballejaune.com", true },
   { "balletcenterofhouston.com", true },
   { "ballinarsl.com.au", true },
@@ -4144,8 +4215,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bankcardoffer.com", true },
   { "bankee.us", true },
   { "bankerbuch.de", true },
-  { "bankersonline.com", true },
   { "banketbesteld.nl", true },
+  { "bankfreeoffers.com", true },
   { "bankgradesecurity.com", true },
   { "bankin.com", true },
   { "bankinter.pt", true },
@@ -4160,6 +4231,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bannermarquees.ie", true },
   { "bannsecurity.com", true },
   { "banquevanbreda.be", true },
+  { "bantaihost.com", true },
   { "banter.city", true },
   { "baobeiglass.com", true },
   { "baofengtech.com", true },
@@ -4213,7 +4285,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "barslecht.nl", true },
   { "bart-f.com", true },
   { "barta.me", true },
-  { "bartel.ws", true },
+  { "bartbania.com", true },
   { "bartelt.name", true },
   { "barter4crypto.com", true },
   { "barthonia-showroom.de", true },
@@ -4262,7 +4334,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "batch.com", true },
   { "bati-alu.fr", true },
   { "batiburrillo.net", true },
-  { "batipresta.ch", true },
   { "batistareisfloresonline.com.br", true },
   { "batlab.ch", true },
   { "batolis.com", true },
@@ -4281,7 +4352,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bausep.de", true },
   { "baustils.com", true },
   { "bauthier-occasions.be", true },
-  { "bautied.de", true },
   { "bauunternehmen-herr.de", true },
   { "bauwens.cloud", true },
   { "bavartec.de", true },
@@ -4356,9 +4426,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bcmhire.co.uk", true },
   { "bcpc-ccgpfcheminots.com", true },
   { "bcrook.com", true },
-  { "bcs.adv.br", true },
   { "bcswampcabins.com", true },
-  { "bcyw56.live", true },
+  { "bcyw56.live", false },
   { "bd2positivo.com", true },
   { "bda-boulevarddesairs.com", true },
   { "bdbxml.net", true },
@@ -4374,7 +4443,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "be2cloud.de", true },
   { "beacham.online", true },
   { "beachcitycastles.com", true },
-  { "beachfutbolclub.com", true },
   { "beadare.com", true },
   { "beadare.nl", true },
   { "beaglesecurity.com", true },
@@ -4390,6 +4458,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bearded.sexy", true },
   { "beardic.cn", true },
   { "bearingworks.com", true },
+  { "bearlakelife.com", true },
   { "beastiejob.com", true },
   { "beastowner.li", true },
   { "beatfeld.de", true },
@@ -4415,7 +4484,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bebout.pw", true },
   { "beckenhamcastles.co.uk", true },
   { "beckerantiques.com", true },
-  { "beckon.com", true },
   { "becs.ch", true },
   { "becydog.cz", true },
   { "bedamedia.com", true },
@@ -4426,6 +4494,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bedfordnissanparts.com", true },
   { "bednar.co", true },
   { "bedrijfsfotoreportages.nl", true },
+  { "bedrijfshulpverleningfriesland.nl", true },
   { "bedrijfsportaal.nl", true },
   { "bedrocklinux.org", true },
   { "bedste10.dk", true },
@@ -4486,6 +4555,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "beginwp.top", true },
   { "behamepresrdce.sk", true },
   { "behamzdarma.cz", true },
+  { "behead.de", true },
   { "behindthethrills.com", true },
   { "behna24hodin.cz", true },
   { "behoerden-online-dienste.de", true },
@@ -4509,14 +4579,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "belarto.it", true },
   { "belarto.nl", true },
   { "belarto.pl", true },
-  { "belastingdienst-in-beeld.nl", false },
   { "belastingmiddeling.nl", true },
   { "belavis.com", true },
   { "beleggingspanden-financiering.nl", true },
   { "belegit.org", true },
+  { "belezashopping.com.br", true },
   { "belfastbounce.co.uk", true },
   { "belfastlocks.com", true },
   { "belfasttechservices.co.uk", true },
+  { "belfor-probleme.de", true },
   { "belge.rs", true },
   { "belgers.com", true },
   { "belhopro.be", true },
@@ -4540,7 +4611,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "belt.black", true },
   { "belvoirbouncycastles.co.uk", true },
   { "bely-mishka.by", true },
-  { "belyvly.com", true },
   { "bemcorp.de", true },
   { "bemindly.com", true },
   { "bemsoft.pl", true },
@@ -4550,6 +4620,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ben.ninja", true },
   { "ben2.co.il", true },
   { "benabrams.it", true },
+  { "benandsarah.life", true },
   { "benary.org", true },
   { "benbozsa.ca", true },
   { "benburwell.com", true },
@@ -4576,6 +4647,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "benhavenarchives.org", true },
   { "benjamin-hering.com", true },
   { "benjamin.pe", true },
+  { "benjaminbedard.com", true },
   { "benjaminblack.net", true },
   { "benjamindietrich.de", true },
   { "benjaminjurke.com", true },
@@ -4587,7 +4659,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "benleemd.com", true },
   { "benmatthews.com.au", true },
   { "benmillett.us", false },
-  { "benmorecentre.co.uk", true },
   { "bennettsbouncycastlehire.co.uk", true },
   { "bennettshire.co.uk", true },
   { "benni1.eu", true },
@@ -4602,6 +4673,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "benscobie.com", true },
   { "benshoof.org", true },
   { "bensinflatables.co.uk", true },
+  { "bensokol.com", true },
   { "bentertain.de", true },
   { "bentley.blog", true },
   { "bentley.link", true },
@@ -4613,9 +4685,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "beoordelingen.be", true },
   { "bepenak.com", true },
   { "bephoenix.org.uk", true },
+  { "bepsvpt.me", true },
   { "bequiia.com", true },
   { "beranovi.com", true },
   { "berasavocate.com", true },
+  { "berdu.id", true },
   { "bergenhave.nl", true },
   { "berger-chiro.com", true },
   { "bergevoet-fa.nl", true },
@@ -4642,6 +4716,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bergstoneware.com", true },
   { "berichtsheft-vorlage.de", true },
   { "berikod.ru", true },
+  { "beringsoegaard.dk", true },
   { "berlin-flirt.de", true },
   { "berlin.dating", true },
   { "bermeitinger.eu", true },
@@ -4682,7 +4757,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bertsmithvwparts.com", true },
   { "beryl.net", true },
   { "besb.io", true },
-  { "besb66.com", true },
   { "beschriftung-metz.de", true },
   { "bescover.com", true },
   { "beserberg.tk", true },
@@ -4726,6 +4800,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bestbyte.com.br", true },
   { "bestcellular.com", false },
   { "bestdating.today", false },
+  { "bestdoc.com.br", true },
   { "bestdownloadscenter.com", true },
   { "bestelectricnd.com", true },
   { "bestemailmarketingsoftware.org", true },
@@ -4734,9 +4809,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bestfriendsequality.org", true },
   { "bestgiftever.ca", true },
   { "bestgifts4you.com", true },
+  { "besti.it", true },
   { "bestinductioncooktop.us", true },
   { "bestinshowing.com", true },
-  { "bestinver.es", true },
+  { "bestinver.es", false },
   { "bestjumptrampolines.be", true },
   { "bestkenmoredentists.com", true },
   { "bestlashesandbrows.com", true },
@@ -4749,11 +4825,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bestperfumebrands.com", true },
   { "bestpig.fr", true },
   { "bestplumbing.com", true },
+  { "bestpractice.domains", true },
   { "bestschools.io", true },
   { "bestschools.top", true },
   { "bestseries.tv", true },
   { "bestshoesmix.com", true },
   { "bestwebsite.gallery", true },
+  { "bet.eu", true },
   { "betaal.my", true },
   { "betacavi.com", true },
   { "betacloud.io", true },
@@ -4763,12 +4841,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "betaworx.de", true },
   { "betaworx.eu", true },
   { "betecnet.de", true },
+  { "bethanyduke.com", true },
   { "bethpage.net", true },
   { "betleakbot.com", true },
   { "betobaccofree.gov", true },
   { "betonbit.com", true },
+  { "betonmarkets.info", true },
   { "betpamm.com", true },
-  { "betrallyarabia.com", true },
+  { "betrallyarabia.com", false },
   { "bets.gg", true },
   { "betseybuckheit.com", true },
   { "betsharpangles.com", true },
@@ -4841,6 +4921,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bfi.wien", false },
   { "bflix.tv", true },
   { "bforb.sk", true },
+  { "bfp-mail.de", true },
   { "bfpg.org", true },
   { "bft-media.com", true },
   { "bftbradio.com", true },
@@ -4868,14 +4949,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bhxch.moe", true },
   { "bi.search.yahoo.com", false },
   { "biaggeo.com", true },
-  { "biancolievito.it", true },
   { "biano-ai.com", true },
   { "biasmath.es", true },
+  { "biathloncup.ru", true },
+  { "bibica.net", true },
   { "bible-maroc.com", true },
   { "bible.ru", true },
   { "bibleonline.ru", true },
+  { "biblethoughts.blog", true },
   { "bibliaon.com", true },
-  { "biblio.wiki", true },
   { "biblioblog.fr", true },
   { "bibliomarkt.ch", true },
   { "biblionaut.net", true },
@@ -4931,12 +5013,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bignumworks.com", true },
   { "bigorbitgallery.org", true },
   { "bigserp.com", true },
+  { "bigshopper.com", true },
+  { "bigshopper.nl", true },
   { "bigsisterchannel.com", true },
   { "bigskylifestylerealestate.com", true },
   { "bigskymontanalandforsale.com", true },
   { "bigwiseguide.com", true },
   { "bihub.io", true },
   { "biilo.com", true },
+  { "bijancompany.com", true },
+  { "bijoux.com.br", true },
   { "bijouxcherie.com", true },
   { "biju-neko.jp", true },
   { "bike-discount.de", true },
@@ -4946,7 +5032,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bikehistory.org", true },
   { "biker.dating", true },
   { "bikerebel.com", true },
-  { "bikeshopitalia.com", true },
   { "bikiniatoll.com", true },
   { "bikiniseli.com", true },
   { "bikkelbroeders.com", false },
@@ -4958,7 +5043,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bildiri.ci", true },
   { "bildkomponist.de", true },
   { "bildschirmflackern.de", true },
-  { "biletru.net", true },
   { "biletyplus.by", true },
   { "biletyplus.com", true },
   { "biletyplus.ua", true },
@@ -5005,6 +5089,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "binaryappdev.com", true },
   { "binarycreations.scot", true },
   { "binarydream.fi", true },
+  { "binaryevolved.com", true },
   { "binaryrebel.net", true },
   { "binarystud.io", true },
   { "binding-problem.com", true },
@@ -5014,10 +5099,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "binhex.net", true },
   { "binkconsulting.be", true },
   { "binnenmeer.de", true },
-  { "binsp.net", true },
   { "bintangsyurga.com", true },
   { "bintelligence.info", true },
-  { "bintelligence.nl", true },
   { "binti.com", true },
   { "bintooshoots.com", true },
   { "bio-disinfestazione.it", true },
@@ -5026,6 +5109,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bioatelier.it", true },
   { "biobuttons.ch", true },
   { "biocheminee.com", true },
+  { "biocrafting.net", false },
   { "biodiagnostiki.clinic", true },
   { "biodieseldata.com", true },
   { "biodots.at", true },
@@ -5053,6 +5137,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "biomed-hospital.ch", true },
   { "biomed.ch", true },
   { "biometrics.es", true },
+  { "biomin.co.uk", true },
   { "biomodra.cz", true },
   { "biopsychiatry.com", true },
   { "bioresonanz-ibiza.com", true },
@@ -5066,7 +5151,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "biotin.ch", true },
   { "bipyo.com", true },
   { "birbaumer.li", true },
-  { "birchbarkfurniture.ch", true },
   { "birchbarkfurniture.com", true },
   { "birchbarkfurniture.fr", true },
   { "birdbrowser.com", true },
@@ -5090,6 +5174,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "biscoint.io", true },
   { "biscuitcute.com.br", true },
   { "biser-borisov.eu", true },
+  { "bishopscourt-hawarden.co.uk", true },
+  { "bismarck-tb.de", true },
   { "biso.ga", true },
   { "bison.co", true },
   { "bisq.community", true },
@@ -5113,7 +5199,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bitbucket.org", true },
   { "bitburner.de", true },
   { "bitcalt.eu.org", true },
-  { "bitcalt.ga", true },
   { "bitchigo.com", true },
   { "bitcoin-india.net", true },
   { "bitcoin-india.org", true },
@@ -5132,11 +5217,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bitcoinkarlsruhe.de", true },
   { "bitcoinrealestate.com.au", true },
   { "bitcointhefts.com", true },
-  { "bitcoinwalletscript.tk", true },
   { "bitcoinx.gr", true },
   { "bitcoinx.ro", true },
   { "bitcork.io", true },
   { "bitcqr.io", true },
+  { "bitenose.com", true },
   { "bitex.la", true },
   { "bitfasching.de", false },
   { "bitfehler.net", true },
@@ -5192,22 +5277,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "biupay.com.br", true },
   { "biurokarier.edu.pl", true },
   { "bixservice.com", true },
-  { "biyori.moe", true },
   { "biyou-homme.com", true },
   { "biz4x.com", true },
   { "bizbudding.com", true },
   { "bizcash.co.za", true },
   { "bizeau.ch", true },
+  { "biznesonline.info", true },
   { "bizniskatalog.mk", true },
   { "biznpro.ru", true },
   { "bizstarter.cz", true },
   { "biztera.com", true },
   { "biztok.eu", true },
   { "biztouch.work", true },
+  { "bizzdesign.com", true },
   { "bjarnerest.de", true },
   { "bjmgeek.science", true },
   { "bjmun.cn", true },
-  { "bjolanta.pl", true },
   { "bjornhelmersson.se", true },
   { "bjornjohansen.no", true },
   { "bjs.gov", true },
@@ -5267,7 +5352,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "blackgate.org", true },
   { "blackhat.dk", true },
   { "blackhelicopters.net", true },
-  { "blackhell.xyz", true },
   { "blackhillsinfosec.com", true },
   { "blackilli.de", true },
   { "blackislegroup.com", true },
@@ -5284,14 +5368,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "blackphoenix.de", true },
   { "blackpi.dedyn.io", true },
   { "blackroadphotography.de", true },
-  { "blackroot.eu", true },
   { "blackscytheconsulting.com", true },
   { "blackseals.net", true },
+  { "blacktown.eu", true },
   { "blackyau.cc", true },
   { "blackys-chamber.de", true },
   { "blaise.io", true },
   { "blakecoin.org", true },
   { "blakekhan.com", true },
+  { "blakezone.com", true },
   { "blameomar.com", true },
   { "blancodent.com", true },
   { "blankersfamily.com", true },
@@ -5301,6 +5386,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "blastersklan.com", true },
   { "blastzoneentertainments.co.uk", true },
   { "blaudev.es", true },
+  { "blauerhunger.de", true },
   { "blayne.me", true },
   { "blayneallan.com", true },
   { "blazing.cz", true },
@@ -5316,6 +5402,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "blendle.com", true },
   { "blendle.nl", true },
   { "blendr.com", true },
+  { "blendstudios.com", true },
   { "blenheimears.com", true },
   { "blenneros.net", false },
   { "blessedguy.com", true },
@@ -5326,6 +5413,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "blieque.co.uk", true },
   { "bliesekow.net", true },
   { "blikk.no", true },
+  { "blikund.swedbank.se", true },
   { "blinder.com.co", true },
   { "blindpigandtheacorn.com", true },
   { "blinds-unlimited.com", true },
@@ -5338,7 +5426,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "blissjoe.com", true },
   { "blissplan.com", true },
   { "blitzprog.org", true },
-  { "blitzvendor.com", true },
   { "blivawesome.dk", true },
   { "blivvektor.dk", true },
   { "blizhost.com", true },
@@ -5393,7 +5480,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "blood4pets.tk", true },
   { "bloodhunt.pl", true },
   { "bloodsports.org", true },
+  { "bloody.pw", true },
   { "bloom-avenue.com", true },
+  { "bloom.sh", true },
   { "bltc.co.uk", true },
   { "bltc.com", true },
   { "bltc.net", true },
@@ -5401,12 +5490,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bltc.org.uk", true },
   { "bltdirect.com", true },
   { "blubberladen.de", true },
-  { "bludnykoren.ml", true },
   { "blue-gmbh-erfahrungen.de", true },
   { "blue-gmbh.de", true },
   { "blue-leaf81.net", true },
   { "blue42.net", true },
   { "blueblou.com", true },
+  { "bluecards.eu", true },
   { "bluechilli.com", true },
   { "bluecon.ninja", true },
   { "bluecrazii.nl", true },
@@ -5420,7 +5509,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bluekrypt.com", true },
   { "blueliquiddesigns.com.au", true },
   { "bluemeda.web.id", true },
-  { "bluemosh.com", true },
   { "bluemtnrentalmanagement.ca", true },
   { "bluenote9.com", true },
   { "blueoakart.com", true },
@@ -5442,6 +5530,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bluex.org", true },
   { "blueyed.eu", true },
   { "blui.ml", true },
+  { "bluiandaj.ml", true },
   { "bluimedia.com", true },
   { "blumenfeldart.com", true },
   { "blumiges-fischbachtal.de", false },
@@ -5457,13 +5546,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bm-immo.ch", true },
   { "bmhglobal.com.au", true },
   { "bminton.is-a-geek.net", true },
-  { "bmone.net", true },
+  { "bmk-kramsach.at", true },
   { "bmriv.com", true },
   { "bmros.com.ar", true },
   { "bmw-motorradclub-seefeld.de", true },
   { "bmwcolors.com", true },
   { "bn1digital.co.uk", true },
-  { "bn4t.me", true },
   { "bnbsinflatablehire.co.uk", true },
   { "bngs.pl", true },
   { "bnin.org", true },
@@ -5500,6 +5588,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bodybuildingworld.com", true },
   { "bodyconshop.com", true },
   { "bodygearguide.com", true },
+  { "bodymusclejournal.com", true },
   { "bodypainter.pl", true },
   { "bodypainting.waw.pl", true },
   { "bodyshopnews.net", true },
@@ -5537,6 +5626,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bolte.org", true },
   { "bomb.codes", true },
   { "bombe-lacrymogene.fr", true },
+  { "bomhard.de", true },
   { "bonaccorso.eu", true },
   { "bonami.cz", true },
   { "bonami.hu", true },
@@ -5551,13 +5641,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bondlink.com", true },
   { "bondoer.fr", true },
   { "bondskampeerder.nl", true },
+  { "bondtofte.dk", true },
   { "bonebunny.de", true },
   { "bonesserver.com", true },
   { "bonfi.net", true },
   { "bongo.cat", true },
   { "bonibuty.com", true },
   { "bonifacius.be", true },
-  { "bonita.com.br", true },
   { "bonito.pl", true },
   { "bonnant-associes.ch", true },
   { "bonnant-partners.ch", true },
@@ -5574,7 +5664,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bonqoeur.ca", true },
   { "bonrecipe.com", true },
   { "bonsaimedia.nl", true },
-  { "bonsi.net", true },
   { "bonux.co", true },
   { "boodmo.com", true },
   { "boogaerdtmakelaars.nl", true },
@@ -5583,7 +5672,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "booker.ly", true },
   { "bookingapp.be", true },
   { "bookingapp.nl", true },
-  { "bookingdeluxesp.com", true },
   { "bookingready.com", true },
   { "bookingslog.com", true },
   { "bookingworldspeakers.com", true },
@@ -5591,12 +5679,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bookmein.in", true },
   { "booksearch.jp", true },
   { "booksinthefridge.at", true },
+  { "booksouthafrica.travel", true },
   { "booktracker-org.appspot.com", true },
   { "bool.be", true },
   { "boombv.com", true },
   { "boomersurf.com", true },
   { "boomshelf.com", true },
   { "boomshelf.org", true },
+  { "boomvm.pw", true },
   { "boonbox.com", true },
   { "booox.biz", true },
   { "booox.cc", true },
@@ -5629,6 +5719,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "borneodictionary.com", true },
   { "bornfiber.dk", true },
   { "bornhack.dk", true },
+  { "borowski.pw", true },
   { "borrelpartybus.nl", true },
   { "borysek.net", true },
   { "bosabosa.org", true },
@@ -5644,11 +5735,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "botguard.net", true },
   { "bothellwaygarage.net", true },
   { "botoes-primor.pt", true },
-  { "botserver.de", true },
   { "botsindiscord.me", true },
-  { "botstack.host", true },
   { "bottaerisposta.net", true },
   { "bottineauneighborhood.org", true },
+  { "bottke.berlin", true },
+  { "bottledstories.de", true },
+  { "bou.cloud", true },
   { "bou.lt", true },
   { "bouah.net", true },
   { "bouchard-mathieux.com", true },
@@ -5673,7 +5765,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bouncea-bout.com", true },
   { "bounceaboutandplay.co.uk", true },
   { "bounceaboutnewark.co.uk", true },
-  { "bounceaboutsussex.co.uk", true },
   { "bouncealotcastlehire.co.uk", true },
   { "bouncealotnorthwest.co.uk", true },
   { "bounceandwobble.co.uk", true },
@@ -5765,7 +5856,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bountyfactory.io", true },
   { "bourasse.fr", true },
   { "bourdon.fr.eu.org", true },
-  { "bourgdepabos.com", true },
   { "bourhis.info", true },
   { "bournefun.co.uk", true },
   { "bourqu.in", true },
@@ -5815,6 +5905,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "braams.nl", true },
   { "braathe.no", true },
   { "bracho.xyz", true },
+  { "brachotelborak.com", true },
   { "brackets-salad.com", true },
   { "bradbrockmeyer.com", true },
   { "bradfergusonrealestate.com", true },
@@ -5849,7 +5940,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "brakstad.org", true },
   { "bralnik.com", true },
   { "brambogaerts.nl", true },
-  { "bramburek.net", true },
   { "bramhallsamusements.com", true },
   { "brammingfys.dk", true },
   { "bramsikkens.be", true },
@@ -5870,10 +5960,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "brandonwalker.me", true },
   { "brandrocket.dk", true },
   { "brandstead.com", true },
-  { "brandtrapselfie.nl", true },
   { "brandweerfraneker.nl", true },
   { "brandweertrainingen.nl", true },
-  { "brandweeruitgeest.nl", true },
   { "brank.as", true },
   { "branw.xyz", true },
   { "brasal.ma", true },
@@ -5904,9 +5992,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "brazenfol.io", true },
   { "brazilian.dating", true },
   { "brazillens.com", true },
+  { "brazoriabar.org", true },
   { "brck.nl", true },
   { "brd.ro", true },
   { "breadandlife.org", true },
+  { "breadofgod.org", true },
   { "breakingtech.it", true },
   { "breakpoint.at", true },
   { "breaky.de", true },
@@ -5929,6 +6019,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "breitband.bz.it", true },
   { "breitbild-beamer.de", true },
   { "brejoc.com", true },
+  { "brelahotelberulia.com", true },
   { "bremen-restaurants.de", true },
   { "bremerfriedensforum.de", true },
   { "brendanbatliner.com", true },
@@ -5938,6 +6029,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bressier.fr", true },
   { "bretcarmichael.com", true },
   { "brettabel.com", true },
+  { "brettcornwall.com", true },
   { "brettelliff.com", true },
   { "brettlawyer.com", true },
   { "brettw.xyz", true },
@@ -5966,7 +6058,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bricolajeux.ch", true },
   { "brid.gy", false },
   { "bridalshoes.com", true },
-  { "brideandgroomdirect.ie", true },
   { "bridgedirectoutreach.com", true },
   { "bridgeglobalmarketing.com", true },
   { "bridgehomeloans.com", true },
@@ -5974,6 +6065,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bridgevest.com", true },
   { "bridgingdirectory.com", true },
   { "bridltaceng.com", true },
+  { "bridzius.lt", true },
   { "brie.tech", true },
   { "briefassistant.com", true },
   { "briefhansa.de", true },
@@ -5995,6 +6087,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "brilliantproductions.co.nz", true },
   { "brimspark.systems", true },
   { "brio-shop.ch", true },
+  { "brioukraine.store", true },
   { "brisbanelogistics.com.au", true },
   { "bristebein.com", true },
   { "bristolandwestonsuperbounce.com", true },
@@ -6012,9 +6105,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "britton-photography.com", true },
   { "brk.st", true },
   { "brmsalescommunity.com", true },
-  { "brn.by", true },
   { "brnojebozi.cz", true },
   { "bro.hk", true },
+  { "broadbandnd.com", true },
   { "broadleft.org", true },
   { "broadsheet.com.au", true },
   { "brockmeyer.net", true },
@@ -6025,7 +6118,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "broersma.com", true },
   { "broeselei.at", true },
   { "brokenhands.io", true },
-  { "brokenjoysticks.net", true },
   { "brokervalues.com", true },
   { "brompton-cocktail.com", true },
   { "bronetb2b.com.br", true },
@@ -6047,16 +6139,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "browntowncountryclub.com", true },
   { "browsemycity.com", true },
   { "browserleaks.com", true },
+  { "brrd.io", true },
   { "brring.com", true },
   { "brrr.fr", true },
   { "bru6.de", true },
+  { "brubankv1-staging.azurewebsites.net", true },
   { "brucekovner.com", true },
   { "brucemartin.net", true },
   { "brucemobile.de", false },
   { "bruck.me", true },
+  { "brudkista.nu", true },
   { "brudkista.se", true },
   { "brudkistan.nu", true },
   { "brudkistan.se", true },
+  { "brueser-gmbh.de", true },
   { "bruna-cdn.nl", true },
   { "brunick.de", false },
   { "brunn.email", true },
@@ -6064,10 +6160,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "brunohenc.from.hr", true },
   { "brunoproduit.ch", true },
   { "brunoramos.com", true },
-  { "brunoramos.org", true },
   { "brunosouza.org", true },
   { "brush.ninja", true },
+  { "brutus2.ga", true },
   { "bruun.co", true },
+  { "bry.do", true },
   { "bryankaplan.com", true },
   { "bryanquigley.com", true },
   { "bryansmith.net", true },
@@ -6075,7 +6172,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "brycecanyon.net", true },
   { "brycecanyonnationalpark.com", true },
   { "bryggebladet.dk", true },
-  { "brztec.com", true },
   { "brzy-svoji.cz", true },
   { "bs-network.net", true },
   { "bs-security.com", true },
@@ -6083,6 +6179,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bs.to", true },
   { "bs12v.ru", true },
   { "bsa157.org", true },
+  { "bsapack564.org", true },
   { "bsatroop794.org", true },
   { "bsc-rietz.at", true },
   { "bscc.support", true },
@@ -6127,7 +6224,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "btth.live", true },
   { "btth.pl", true },
   { "btth.tv", true },
-  { "btth.xyz", true },
   { "bttorj45.com", true },
   { "buayacorp.com", true },
   { "bubblegumblog.com", true },
@@ -6184,8 +6280,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "build.chromium.org", true },
   { "buildbox.io", true },
   { "buildbytes.com", true },
+  { "buildfaith.ca", true },
   { "buildhoscaletraingi.com", true },
-  { "building-cost-estimators.com", true },
   { "buildingclouds.de", true },
   { "buildingcostestimators.co.uk", true },
   { "builditsolutions.net", true },
@@ -6203,6 +6299,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bulario.com", true },
   { "bulario.net", true },
   { "bulbcompare.com", true },
+  { "bulgarianwine.com", true },
   { "bulkcandystore.com", true },
   { "bulkingtime.com", true },
   { "bulkowespacerkowo.nl", true },
@@ -6285,11 +6382,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bustimes.org", true },
   { "bustup-tips.com", true },
   { "busuttil.org.uk", true },
-  { "busyon.cloud", true },
   { "butarque.es", true },
   { "buthowdoyoubuygroceries.com", true },
   { "butikpris.se", true },
   { "butikvip.ru", true },
+  { "butlerfm.dk", true },
   { "butteramotors.com", true },
   { "buttonline.ch", true },
   { "buttonrun.com", true },
@@ -6320,11 +6417,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "buytheway.co.za", true },
   { "buywine.shop", true },
   { "buzz.tools", true },
-  { "buzzconf.io", true },
   { "buzzcontent.com", true },
   { "buzzprint.it", true },
   { "bvalle.com", true },
-  { "bvgg.eu", true },
   { "bvl.aero", true },
   { "bw.codes", true },
   { "bwcscorecard.org", true },
@@ -6340,9 +6435,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bxp40.at", true },
   { "byange.pro", true },
   { "byatte.com", true },
+  { "bye-bye.us", true },
   { "byeskille.no", true },
   { "bygningsregistrering.dk", true },
-  { "byhe.me", true },
   { "byiu.info", false },
   { "byken.cn", true },
   { "bymark.co", true },
@@ -6354,6 +6449,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "byr.moe", true },
   { "byrko.cz", true },
   { "byrko.sk", true },
+  { "byronkg.us", true },
   { "byrtz.de", true },
   { "bytanchan.com", true },
   { "byte-time.com", true },
@@ -6385,7 +6481,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bytrain.net", true },
   { "byvshie.com", true },
   { "bziaks.xyz", true },
-  { "bzsparks.com", true },
+  { "bzsparks.com", false },
   { "bztech.com.br", true },
   { "bztraveler.com", true },
   { "bztraveler.net", true },
@@ -6411,7 +6507,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "c5h8no4na.net", true },
   { "c7dn.com", true },
   { "ca-key.de", true },
-  { "ca-terminal-multiservices.fr", true },
   { "ca.gparent.org", true },
   { "ca.search.yahoo.com", false },
   { "ca5.de", true },
@@ -6437,21 +6532,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cachetagalong.com", true },
   { "cachetur.no", true },
   { "cackette.com", true },
+  { "cacn.pw", true },
   { "cad-noerdlingen.de", true },
   { "cadacoon.com", true },
   { "cadafamilia.de", true },
   { "cadams.io", true },
-  { "cadcreations.co.ke", true },
   { "cadetsge.ch", true },
   { "cadmail.nl", true },
   { "cadman.pw", true },
   { "cadooz.com", true },
   { "cadorama.fr", true },
   { "cadoth.net", true },
-  { "cadra.nl", false },
   { "cadre.com", true },
   { "cadsys.net", true },
-  { "cadusilva.com", true },
   { "caesarkabalan.com", true },
   { "cafedupont.be", true },
   { "cafedupont.co.uk", true },
@@ -6464,9 +6557,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cafericoy.com", true },
   { "cafeterasbaratas.net", true },
   { "caffeinatedcode.com", true },
-  { "cagalogluyayinevi.com", true },
+  { "cafled.org", true },
+  { "cagalogluyayinevi.com", false },
   { "caglarcakici.com", true },
-  { "caijunyi.net", true },
+  { "caibi.io", true },
   { "cainhosting.com", false },
   { "caitcs.com", true },
   { "caiwenjian.xyz", true },
@@ -6475,6 +6569,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cajio.ru", true },
   { "cajunuk.co.uk", true },
   { "cake-time.co.uk", true },
+  { "cakearific.com", true },
   { "cakestart.net", true },
   { "caketoindia.com", true },
   { "cakingandbaking.com", true },
@@ -6519,10 +6614,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "calibso.net", true },
   { "caliderumba.com", true },
   { "calixte-concept.fr", true },
+  { "calkinsmusic.com", true },
   { "call.me", true },
   { "callanan.nl", true },
   { "callantonia.com", true },
-  { "callawayracing.se", false },
   { "callear.org", true },
   { "callhub.io", true },
   { "callidus-vulpes.de", true },
@@ -6531,6 +6626,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "callumsilcock.com", true },
   { "callumsilcock.me", true },
   { "calluna.nl", true },
+  { "calminteractive.fr", true },
   { "calmtech.com", true },
   { "calotte-academy.com", true },
   { "calrotaract.org", true },
@@ -6552,7 +6648,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cambier.org", true },
   { "cambiowatch.ch", true },
   { "cambodian.dating", true },
-  { "cambridge-security.com", true },
+  { "cambreaconsulting.com", true },
+  { "cambridge-examen.nl", true },
   { "cambridgebouncers.co.uk", true },
   { "cambridgesecuritygroup.org", true },
   { "camcapital.com", true },
@@ -6603,6 +6700,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "canadasmotorcycle.ca", true },
   { "canadian-nurse.com", true },
   { "canadian.dating", true },
+  { "canadianatheists.ca", true },
+  { "canadianatheists.com", true },
   { "canadianchristianity.com", false },
   { "canadianoutdoorequipment.com", true },
   { "canadiantouristboard.com", true },
@@ -6623,11 +6722,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "candlcastles.co.uk", true },
   { "cando.eu", true },
   { "candyout.com", true },
-  { "canerkorkmaz.com", true },
   { "cangelloplasticsurgery.com", true },
   { "cangku.in", true },
   { "cangku.moe", false },
-  { "canglong.net", true },
   { "canhazip.com", true },
   { "canicaprice.com", true },
   { "canihavesome.coffee", true },
@@ -6641,18 +6738,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cannoli.london", true },
   { "cannyfoxx.me", true },
   { "canoonic.se", true },
+  { "canopycleaningmelbourne.com.au", true },
   { "cant.at", true },
   { "cantatio.ch", true },
-  { "canterberry.cc", true },
   { "canterburybouncycastlehire.co.uk", true },
+  { "cantonroadjewelry.com", true },
   { "cantrack.com", true },
+  { "canva-dev.com", true },
   { "canva.com", true },
   { "canx.org", true },
   { "canyonshoa.com", true },
   { "canyoupwn.me", true },
   { "cao.gov", true },
   { "cao.la", true },
-  { "caodesantohumberto.com.br", true },
   { "caoshan60.com", true },
   { "capachitos.cl", true },
   { "capacityproject.org", true },
@@ -6681,9 +6779,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "capstansecurity.co.uk", true },
   { "capstansecurity.com", true },
   { "capstoneinsights.com", true },
+  { "capsule.org", true },
   { "capsulesubs.fr", true },
   { "captain-dandelion.com", true },
   { "captainark.net", true },
+  { "captainsfarm.in", true },
   { "captainsinn.com", true },
   { "captivationtheory.com", true },
   { "capturapp.com", false },
@@ -6781,6 +6881,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "carlosfelic.io", true },
   { "carlosjeurissen.com", true },
   { "carlot-j.com", true },
+  { "carmelrise.co.uk", true },
   { "carnaticalifornia.com", true },
   { "carnet-du-voyageur.com", true },
   { "carnildo.com", true },
@@ -6806,6 +6907,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "carroceriascarluis.com", true },
   { "carrollservicecompany.com", true },
   { "carrosserie-dubois.com", true },
+  { "carrouselcompany.fr", true },
+  { "cars4salecy.com", true },
   { "carseatchecks.ca", true },
   { "carshippingcarriers.com", true },
   { "carson-aviation-adventures.com", true },
@@ -6825,11 +6928,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cartadeviajes.pe", true },
   { "cartadeviajes.uk", true },
   { "carteirasedistintivos.com.br", true },
+  { "cartelcircuit.com", true },
   { "carterstad.se", true },
   { "cartertonscouts.org.nz", true },
   { "cartesentreprises-unicef.fr", true },
   { "carthedral.com", true },
-  { "cartierplan.ga", true },
+  { "cartierplan.ga", false },
   { "carto.la", true },
   { "cartongesso.roma.it", true },
   { "cartooncastles.ie", true },
@@ -6857,6 +6961,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "casadoarbitro.com.br", true },
   { "casadowifi.com.br", true },
   { "casaessencias.com.br", true },
+  { "casalborgo.it", true },
   { "casalindamex.com", true },
   { "casalunchbreak.de", true },
   { "casamariposaspi.com", true },
@@ -6881,7 +6986,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cashbot.cz", true },
   { "cashfazz.com", true },
   { "cashlink.de", true },
-  { "cashlink.io", true },
   { "cashlogic.ch", true },
   { "cashmaxtexas.com", true },
   { "cashplk.com", true },
@@ -6894,6 +6998,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "casinomucho.org", true },
   { "casinomucho.se", true },
   { "casinoonlinesicuri.com", true },
+  { "casinorewards.info", true },
   { "casinovergleich.com", true },
   { "casio-caisses-enregistreuses.fr", true },
   { "casirus.com", true },
@@ -6921,7 +7026,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "castlesrus-kent.com", true },
   { "casualdesignsfurniture.com", true },
   { "casusgrillcaribbean.com", true },
-  { "cat-blum.com", true },
   { "cat-box.de", true },
   { "cat.net", true },
   { "cat73.org", true },
@@ -6973,7 +7077,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "caulong-ao.net", true },
   { "cav.ac", true },
   { "cavac.at", true },
-  { "cave-reynard.ch", true },
   { "cavevinsdefrance.fr", true },
   { "cavzodiaco.com.br", true },
   { "caxalt.com", true },
@@ -6986,8 +7089,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cbcf.info", true },
   { "cbd.casa", true },
   { "cbd.supply", true },
-  { "cbdev.de", true },
+  { "cbdcontact.pl", true },
   { "cbdmarket.space", true },
+  { "cbdoilcures.co", true },
   { "cbecrft.net", true },
   { "cbhq.net", true },
   { "cbin168.com", true },
@@ -6998,6 +7102,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cbw.sh", true },
   { "cc-brantomois.fr", true },
   { "ccac.gov", true },
+  { "ccattestprep.com", true },
   { "ccavenue.com", true },
   { "ccc-ch.ch", true },
   { "cccwien.at", true },
@@ -7027,6 +7132,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cdda.ch", true },
   { "cdepot.eu", true },
   { "cdkeykopen.com", true },
+  { "cdmlb.net", true },
   { "cdn.ampproject.org", true },
   { "cdn6.de", true },
   { "cdncompanies.com", true },
@@ -7040,7 +7146,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cduckett.net", true },
   { "cdvl.org", true },
   { "ce-pimkie.fr", true },
-  { "ceagriproducts.com", true },
+  { "ceanimalhealth.com", true },
   { "cebz.org", true },
   { "cecame.ch", true },
   { "ceciliacolombara.com", true },
@@ -7054,6 +7160,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ceebee.com", true },
   { "cejhon.cz", false },
   { "celcomhomefibre.com.my", true },
+  { "cele.bi", true },
   { "celebmasta.com", true },
   { "celebrityhealthcritic.com", true },
   { "celebrityscope.net", true },
@@ -7065,7 +7172,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "celltesequ.com", true },
   { "celluliteorangeskin.com", true },
   { "celluliteremovaldiet.com", true },
-  { "celtadigital.com", true },
   { "celti.ie.eu.org", true },
   { "celti.name", true },
   { "celuliteonline.com", true },
@@ -7083,12 +7189,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "centennialradon.com", true },
   { "centennialseptic.com", true },
   { "centerpereezd.ru", false },
-  { "centerpoint.ovh", true },
   { "centio.bg", true },
   { "centos.tips", true },
   { "centralbank.ae", true },
   { "centralebigmat.eu", true },
   { "centralegedimat.eu", true },
+  { "centrallotus.com", true },
   { "centralmarket.com", true },
   { "centralmissourifoundationrepair.com", true },
   { "centralpoint.be", false },
@@ -7152,7 +7258,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "certspotter.org", true },
   { "cervejista.com", true },
   { "ces-ltd.co.uk", true },
-  { "cesantias.co", true },
   { "cesboard.com", true },
   { "cesdb.com", true },
   { "cesipagano.com", true },
@@ -7169,8 +7274,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ceyizlikelisleri.com", true },
   { "cf-ide.de", true },
   { "cf-tm.net", true },
-  { "cfa.gov", true },
-  { "cfan.space", true },
   { "cfda.gov", true },
   { "cfdcre5.org", true },
   { "cfh.com", true },
@@ -7194,6 +7297,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cgbassurances.ch", true },
   { "cgbilling.com", true },
   { "cgcookiemarkets.com", true },
+  { "cgminc.net", true },
   { "cgnparts.com", true },
   { "cgpe.com", true },
   { "cgsmart.com", true },
@@ -7211,7 +7315,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chaffeyconstruction.com", true },
   { "chaifeng.com", true },
   { "chainedunion.info", true },
-  { "chaip.org", true },
   { "chaisystems.net", true },
   { "chaletdemontagne.org", true },
   { "chaletmanager.com", true },
@@ -7260,15 +7363,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chaospott.de", true },
   { "chaosriftgames.com", true },
   { "chaoswars.ddns.net", true },
-  { "chaotichive.com", true },
-  { "chapelaria.tf", true },
   { "chapelfordbouncers.co.uk", true },
   { "chapiteauxduleman.fr", true },
   { "chaplain.co", true },
   { "charbonnel.eu", true },
   { "charcoal-se.org", true },
   { "charcoalvenice.com", true },
-  { "charge.co", true },
+  { "charge.co", false },
   { "chargedmonkey.com", true },
   { "chargify.com", true },
   { "charisma.ai", true },
@@ -7295,8 +7396,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "charmander.me", true },
   { "charmanterelefant.at", true },
   { "charmingsaul.com", true },
-  { "charr.xyz", true },
-  { "chars.ga", true },
+  { "charmyadesara.com", true },
+  { "chars.ga", false },
   { "charta-digitale-vernetzung.de", true },
   { "charteroak.org", true },
   { "chartkick.com", true },
@@ -7314,13 +7415,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chat2.cf", true },
   { "chat40.net", true },
   { "chatbelgie.eu", true },
-  { "chatbotclic.com", true },
-  { "chatbotclick.com", true },
   { "chatbots.systems", true },
   { "chatear.social", true },
   { "chateau-de-lisle.fr", true },
   { "chateaudestrainchamps.com", true },
   { "chatfacile.org", true },
+  { "chatforskning.no", true },
   { "chatgrape.com", true },
   { "chatint.com", true },
   { "chatitaly.org", true },
@@ -7344,10 +7444,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chaurocks.com", true },
   { "chaussenot.net", true },
   { "chavetaro.com", true },
-  { "chaz6.com", true },
   { "chazalet.fr", true },
   { "chazay.net", false },
-  { "chazgie.se", true },
   { "chbk.co", true },
   { "chbs.me", true },
   { "chch.it", true },
@@ -7384,6 +7482,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "checkmypsoriasis.com", true },
   { "checkout.google.com", true },
   { "checkpoint-tshirt.com", true },
+  { "checkras.tk", true },
   { "checkrente.nl", true },
   { "checkspf.net", true },
   { "checktype.com", true },
@@ -7397,6 +7496,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cheekymonkeysinflatables.co.uk", true },
   { "cheela.org", true },
   { "cheeseemergency.co.uk", true },
+  { "cheetahwerx.com", true },
   { "cheez.systems", true },
   { "cheezflix.uk", true },
   { "chefwear.com", true },
@@ -7411,6 +7511,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chenapartment.com", true },
   { "chengxindong.com", true },
   { "chenkun.pro", true },
+  { "chenky.com", true },
   { "chenna.me", true },
   { "chennien.com", true },
   { "chenpei.org", true },
@@ -7421,8 +7522,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cheolguso.com", true },
   { "cherevoiture.com", true },
   { "cherie-belle.com", true },
-  { "cherrett.digital", true },
   { "cherry-green.ch", true },
+  { "cherrybread.net", true },
   { "cherryonit.com", true },
   { "cherrywoodtech.com", true },
   { "chertseybouncycastles.co.uk", true },
@@ -7434,6 +7535,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chesspoint.ch", true },
   { "chesterlestreetasc.co.uk", false },
   { "chestnut.cf", true },
+  { "chetwood.se", true },
   { "chevy37.com", true },
   { "chevymotor-occasions.be", true },
   { "chewey.de", true },
@@ -7443,12 +7545,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chez.moe", true },
   { "chfr.search.yahoo.com", false },
   { "chhory.com", true },
-  { "chhy.at", true },
   { "chiaraiuola.com", false },
   { "chiaseeds24.com", true },
   { "chiboard.co", true },
   { "chibr.eu", true },
   { "chic-leather.com", true },
+  { "chicagoemergencyclosings.com", true },
   { "chicagolug.org", true },
   { "chicagostudentactivists.org", true },
   { "chicisimo.com", true },
@@ -7490,7 +7592,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chipglobe.com", true },
   { "chippy.ch", false },
   { "chips-scheduler.de", true },
-  { "chiralsoftware.com", true },
+  { "chipset.no", true },
   { "chireiden.net", true },
   { "chiro-neuchatel.ch", true },
   { "chiropractic.gr", true },
@@ -7527,7 +7629,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chon.io", true },
   { "chonghe.org", true },
   { "chook.as", true },
-  { "choootto.club", true },
+  { "choootto.net", true },
   { "choosemypc.net", true },
   { "chopperdesign.com", true },
   { "chorkley.co.uk", true },
@@ -7540,7 +7642,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chovancova.sk", true },
   { "chowii.com", true },
   { "choyri.com", true },
+  { "chr0me.sh", true },
   { "chris-edwards.net", true },
+  { "chrisahrweileryoga.com", true },
   { "chrisaitch.com", true },
   { "chrisb.me", true },
   { "chrisb.xyz", true },
@@ -7560,6 +7664,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chrisnekarda.com", true },
   { "chrisplankhomes.com", true },
   { "chrispstreet.com", true },
+  { "chrissx.ga", true },
   { "christadelphiananswers.org", true },
   { "christadelphians.eu", true },
   { "christchurchbouncycastles.co.uk", true },
@@ -7624,6 +7729,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chrpaul.de", true },
   { "chrstn.eu", true },
   { "chrysanthos.net", true },
+  { "chrystajewelry.com", true },
   { "chshouyu.com", true },
   { "chsterz.de", true },
   { "chuchote-moi.fr", true },
@@ -7654,9 +7760,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ciaracode.com", true },
   { "ciat.no", false },
   { "cibercactus.com", true },
+  { "cica.es", true },
   { "cidbot.com", true },
   { "cidersus.com.ec", true },
   { "cie-theatre-montfaucon.ch", true },
+  { "ciel.pro", true },
   { "cielbleu.org", true },
   { "cielly.com", true },
   { "cierreperimetral.com", true },
@@ -7664,9 +7772,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ciftlikesintisi.com", true },
   { "cig-dem.com", true },
   { "cigar-cartel.com", true },
-  { "ciiex.co", true },
   { "cilloc.be", true },
   { "cima-idf.fr", true },
+  { "cimbalino.org", true },
   { "cimballa.com", true },
   { "cimfax.com", true },
   { "cinafilm.com", true },
@@ -7679,7 +7787,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cinemasetfree.com", true },
   { "cinemysticism.com", true },
   { "cineplex.my", true },
-  { "cinerama.com.br", false },
   { "cinnabon.com", true },
   { "cinq-elements.com", true },
   { "cinq-elements.fr", true },
@@ -7711,14 +7818,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "circulatedigital.com", true },
   { "circule.cc", true },
   { "ciri.com.co", true },
-  { "cirope.com", true },
   { "cirrus0.de", true },
-  { "cirugiasplasticas.com.mx", true },
-  { "cirujanooral.com", true },
   { "cirurgicagervasio.com.br", true },
   { "cirurgicalucena.com.br", true },
   { "cirurgicasalutar.com.br", true },
-  { "ciscodude.net", true },
+  { "cirurgicavirtual.com.br", true },
+  { "cisa.gov", true },
+  { "ciscodude.net", false },
   { "cisoaid.com", true },
   { "cisofy.com", true },
   { "cispeo.org", true },
@@ -7726,11 +7832,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cisum-cycling.com", true },
   { "cisy.me", true },
   { "citcuit.in", true },
+  { "citfin.cz", true },
   { "cities.cl", true },
   { "citimarinestore.com", true },
   { "citizen-cam.de", true },
   { "citizensbankal.com", true },
   { "citizenscience.gov", false },
+  { "citizenscience.org", true },
   { "citizenslasvegas.com", true },
   { "citizensleague.org", true },
   { "citizenspact.eu", true },
@@ -7742,11 +7850,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "city-walks.info", true },
   { "citya.com", true },
   { "citybeat.de", true },
+  { "citycreek.studio", true },
+  { "cityextra.com.au", true },
   { "cityfloorsupply.com", true },
   { "citylights.eu", true },
   { "citymoobel.ee", true },
   { "cityoftitans.com", true },
-  { "cityoftitansmmo.com", true },
   { "citysportapp.com", true },
   { "cityworksonline.com", true },
   { "ciubotaru.tk", true },
@@ -7781,13 +7890,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cktennis.com", true },
   { "cl.search.yahoo.com", false },
   { "cl0ud.space", true },
-  { "clacetandil.com.ar", true },
   { "claimconnect.com", true },
   { "claimconnect.us", true },
   { "claimjeidee.be", true },
   { "claimnote.com", true },
   { "clairegold.com", true },
   { "clairescastles.co.uk", true },
+  { "clamofon.com", true },
   { "clanebouncycastles.com", true },
   { "clangwarnings.com", true },
   { "clanrose.org.uk", true },
@@ -7795,12 +7904,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "clarkeaward.com", true },
   { "clarkwinkelmann.com", true },
   { "clase3.tk", true },
-  { "clash-movies.de", true },
   { "clash.lol", true },
   { "class.com.au", true },
   { "classdojo.com", true },
   { "classicalpilates.ca", true },
-  { "classics.io", true },
   { "classictheatrecumbria.co.uk", true },
   { "classpoint.cz", true },
   { "classroom.google.com", true },
@@ -7837,6 +7944,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "clearblueday.co.uk", true },
   { "clearbookscdn.uk", true },
   { "clearbreezesecuritydoors.com.au", true },
+  { "clearer.cloud", true },
   { "clearip.com", true },
   { "clearkonjac.com", true },
   { "clearsettle-admin.com", true },
@@ -7872,7 +7980,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "clindoeilmontagne.com", true },
   { "clingout.com", true },
   { "clinicadam.com", true },
-  { "clinicadelogopedia.net", true },
   { "clinicalrehabilitation.info", true },
   { "clinicaltrials.gov", true },
   { "clinicasmedicas.com.br", true },
@@ -7880,7 +7987,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cliniquecomplementaire.com", true },
   { "cliniquevethuy.be", true },
   { "clintonlibrary.gov", true },
-  { "clintonplasticsurgery.com", true },
   { "clipclip.com", true },
   { "clippings.com", true },
   { "clive.io", true },
@@ -7911,11 +8017,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cloudbrothers.info", true },
   { "cloudcactuar.com", false },
   { "cloudcaprice.net", true },
+  { "cloudcert.org", true },
   { "cloudchart.site", true },
   { "cloudcite.net", true },
   { "cloudcloudcloud.cloud", true },
   { "cloudcrux.net", true },
   { "cloudey.net", true },
+  { "cloudfiles.at", true },
   { "cloudflare-dns.com", true },
   { "cloudflare.com", true },
   { "cloudflareonazure.com", true },
@@ -7943,6 +8051,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cloudtropia.de", true },
   { "cloudtskr.com", true },
   { "cloudup.com", true },
+  { "cloudwellmarketing.com", true },
   { "clouz.de", true },
   { "cloveros.ga", true },
   { "clownindeklas.nl", true },
@@ -7970,13 +8079,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "clubempleos.com", true },
   { "clubeohara.com", true },
   { "clubfamily.de", true },
-  { "clubgalaxy.futbol", true },
+  { "clubgalaxy.futbol", false },
   { "clubiconkenosha.com", true },
   { "clubmate.rocks", true },
   { "clubmini.jp", true },
   { "clubnoetig-ink2g.de", true },
   { "clubon.space", true },
-  { "clueful.ca", true },
   { "cluster.biz.tr", true },
   { "clusteranalyse.net", true },
   { "clusterfuck.nz", true },
@@ -8041,6 +8149,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "coathangerstrangla.com", true },
   { "coathangerstrangler.com", true },
   { "coatl-industries.com", false },
+  { "coatsandcocktails.org", true },
   { "cobalt.io", true },
   { "cobaltgp.com", true },
   { "cobaltis.co.uk", true },
@@ -8078,7 +8187,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "code67.com", true },
   { "codeandpeace.com", true },
   { "codebrahma.com", false },
-  { "codebreaking.org", true },
   { "codecommunity.io", true },
   { "codedelarouteenligne.fr", true },
   { "codedump.net", true },
@@ -8104,6 +8212,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "codereview.appspot.com", false },
   { "codereview.chromium.org", false },
   { "coderme.com", true },
+  { "codersbase.org", true },
   { "coderware.co.uk", true },
   { "codes.pk", true },
   { "codesplain.in", true },
@@ -8125,8 +8234,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "codific.com", true },
   { "codific.eu", true },
   { "codigo-bonus-bet.es", true },
+  { "codigodelbonusbet365.com", true },
   { "codigosddd.com.br", true },
-  { "codimaker.com", true },
   { "coding-minds.com", true },
   { "coding.lv", true },
   { "coding.net", true },
@@ -8164,10 +8273,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "coinbit.trade", true },
   { "coincealed.com", true },
   { "coinchat.im", true },
-  { "coincoele.com.br", true },
   { "coincoin.eu.org", true },
   { "coincolors.co", true },
-  { "coindatabase.net", true },
   { "coindeal.com", true },
   { "coinf.it", true },
   { "coinflux.com", true },
@@ -8187,7 +8294,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "colaborativa.tv", true },
   { "colapsys.net", true },
   { "colasjourdain.fr", true },
-  { "coldawn.com", false },
   { "coldcardwallet.com", true },
   { "coldfff.com", false },
   { "coldhak.ca", true },
@@ -8231,6 +8337,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "collinelhossari.com", true },
   { "collinklippel.com", true },
   { "collinmbarrett.com", true },
+  { "cololi.moe", true },
   { "colombian.dating", true },
   { "coloppe.com", true },
   { "coloraid.net", true },
@@ -8239,6 +8346,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "colorcodedlyrics.com", true },
   { "colorectalcompounding.com", true },
   { "colorfuldots.com", true },
+  { "colorguni.com", true },
   { "colorhexa.com", true },
   { "coloristcafe.com", true },
   { "colorsbycarin.com", true },
@@ -8246,6 +8354,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "colotimes.com", true },
   { "colourfulcastles.co.uk", true },
   { "colpacpackaging.com", true },
+  { "colpatriaws.azurewebsites.net", true },
   { "colson-occasions.be", true },
   { "coltellisurvival.com", true },
   { "coltonrb.com", true },
@@ -8253,6 +8362,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "colyakootees.com", true },
   { "com-in.de", true },
   { "comalia.com", true },
+  { "comame.xyz", true },
   { "comandofilmes.club", true },
   { "comarkinstruments.net", true },
   { "combatircelulitis.com", true },
@@ -8271,6 +8381,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "comestoarra.com", true },
   { "cometcache.com", true },
   { "cometonovascotia.ca", true },
+  { "comevius.com", true },
+  { "comevius.org", true },
+  { "comevius.xyz", true },
   { "comff.net", true },
   { "comfintouch.com", true },
   { "comflores.com.br", true },
@@ -8278,6 +8391,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "comfun.net", true },
   { "comhack.com", true },
   { "comicspornos.com", true },
+  { "comicspornow.com", true },
   { "comicspornoxxx.com", true },
   { "comicwiki.dk", true },
   { "comidasperuanas.net", true },
@@ -8301,16 +8415,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "communitymanagertorrejon.com", true },
   { "communote.net", true },
   { "como-se-escribe.com", true },
+  { "comocurarlagastritis24.online", true },
   { "comocurarlagastritistratamientonatural.com", true },
+  { "comodesinflamarlashemorroides.org", true },
   { "comodo.nl", true },
   { "comodormirmasrapido.com", true },
   { "comodosslstore.com", true },
   { "comoeliminarlaspapulasperladasenelglande.com", true },
   { "comogene.com", true },
   { "comohacerblog.net", true },
+  { "comohacerelamoraunhombrenet.com", true },
   { "comohacerpara.com", true },
   { "comoimportar.net", true },
   { "comopuededejardefumar.net", true },
+  { "comoquitarlacaspa24.com", true },
+  { "comoquitarlasestriasrapidamente.com", true },
   { "comosatisfaceraunhombreenlacamaydejarloloco.com", true },
   { "comosecarabarriga.net", true },
   { "comoseduzir.net", true },
@@ -8321,7 +8440,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "compagniemartin.com", true },
   { "comparatif-moto.fr", true },
   { "compareandrecycle.co.uk", true },
-  { "compareandrecycle.com", false },
   { "compareinsurance.com.au", true },
   { "comparesoft.com", true },
   { "comparexcloudcenter.com", true },
@@ -8341,7 +8459,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "completionist.me", true },
   { "complexart.ro", true },
   { "complexorganizations.com", true },
-  { "complexsystems.fail", true },
   { "compliance-management.ch", true },
   { "compliance-systeme.de", true },
   { "compliancedictionary.com", true },
@@ -8349,20 +8466,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "compostatebien.com.ar", true },
   { "compoundingrxusa.com", true },
   { "compraneta.com", false },
+  { "compraporinternet.online", true },
+  { "comprarimpresoras-3d.com", true },
   { "comprasoffie.com.br", true },
   { "compreautomacao.com.br", true },
   { "compree.com", true },
   { "compservice.in.ua", true },
+  { "comptrollerofthecurrency.gov", true },
   { "comptu.com", true },
   { "compubench.com", true },
-  { "compucastell.ch", true },
   { "compucorner.mx", true },
   { "compunetwor.com", true },
   { "compuplast.cz", true },
   { "computehealth.com", true },
   { "computer-acquisti.com", true },
+  { "computer-menschen.de", true },
   { "computer-science-schools.com", true },
-  { "computeracademy.co.za", true },
   { "computerassistance.co.uk", true },
   { "computerbas.nl", true },
   { "computerbase.de", true },
@@ -8377,7 +8496,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "comtily.com", true },
   { "comunidadmontepinar.es", true },
   { "comvos.de", true },
-  { "comw.cc", true },
   { "conalcorp.com", true },
   { "conatus.ai", true },
   { "conaudisa.com", false },
@@ -8442,7 +8560,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "connorsmith.co", true },
   { "connyduck.at", true },
   { "conociendosalama.com", true },
-  { "conocimientosdigitales.com", true },
   { "conorboyd.info", true },
   { "conory.com", true },
   { "conpath.net", true },
@@ -8452,7 +8569,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "conradsautotransmissionrepair.com", true },
   { "conrail.blue", true },
   { "consagracionamariasantisima.org", true },
-  { "consciousbrand.co", true },
   { "consciouschoices.net", true },
   { "consciousnesschange.com", true },
   { "consec-systems.de", true },
@@ -8482,6 +8598,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "constructive.men", true },
   { "consul.io", true },
   { "consulenza.pro", true },
+  { "consultanta-in-afaceri.ro", true },
   { "consultation.biz.tr", true },
   { "consultimator.com", true },
   { "consultimedia.de", true },
@@ -8497,9 +8614,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "contaquanto.com.br", true },
   { "contemplativeeducation.org", true },
   { "content-api-dev.azurewebsites.net", false },
-  { "content-design.de", true },
   { "contentcoms.co.uk", true },
-  { "contentdesign.de", true },
   { "contentpass.net", true },
   { "contessa32experience.com", true },
   { "contextplatform.com", true },
@@ -8524,7 +8639,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "conversiones.com", true },
   { "conversionsciences.com", true },
   { "convert.im", true },
-  { "convert.zone", true },
   { "converticacommerce.com", false },
   { "convexset.org", true },
   { "convocatoriafundacionpepsicomexico.org", false },
@@ -8561,14 +8675,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "coolwallet.io", true },
   { "coonawarrawines.com.au", true },
   { "coopens.com", true },
-  { "cooperativehandmade.com", true },
-  { "cooperativehandmade.pe", true },
+  { "coor.fun", true },
   { "coore.jp", true },
   { "coorpacademy.com", true },
   { "copdfoundation.org", true },
   { "copinstant.com", true },
   { "copperandtileroofing.com", true },
-  { "copperhead.co", true },
   { "copperheados.com", true },
   { "coppermein.co.za", true },
   { "copplaw.com", true },
@@ -8604,7 +8716,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "coresolutions.ca", true },
   { "coreum.ca", true },
   { "coreyjmahler.com", true },
-  { "corgi.party", true },
   { "coribi.com", true },
   { "corinastefan.ro", true },
   { "corintech.net", true },
@@ -8622,6 +8733,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "corona-academy.com", true },
   { "corona-renderer.cloud", true },
   { "corona-renderer.com", true },
+  { "coropiacere.org", true },
   { "corourbano.es", true },
   { "corpfin.net", true },
   { "corpio.nl", true },
@@ -8640,6 +8752,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "corpuschristisouthriver.org", true },
   { "corpusslayer.com", true },
   { "corrbee.com", true },
+  { "correct.cf", true },
+  { "correcthorse.cf", true },
   { "correctiv.org", true },
   { "corrick.io", true },
   { "corrupted.io", true },
@@ -8664,16 +8778,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cosmeticappraisal.com", true },
   { "cosmeticasimple.com", true },
   { "cosmeticos-naturales.com", true },
-  { "cosmic-os.org", true },
   { "cosmicnavigator.com", true },
   { "cosmintataru.ro", true },
   { "cosmodacollection.com", true },
   { "cosmofunnel.com", true },
   { "cosmundi.de", true },
-  { "cosni.co", true },
   { "cosplayer.com", true },
   { "cospol.ch", true },
-  { "costa-rica-reisen.ch", true },
   { "costa-rica-reisen.de", true },
   { "costablanca.villas", true },
   { "costablancavoorjou.com", true },
@@ -8698,6 +8809,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "countersolutions.co.uk", true },
   { "countetime.com", true },
   { "countingto.one", true },
+  { "country-creativ.de", true },
   { "countryattire.com", true },
   { "countrybrewer.com.au", true },
   { "countryfrog.uk", true },
@@ -8735,7 +8847,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cozo.me", true },
   { "cozyeggdesigns.com", true },
   { "cp-st-martin.be", true },
-  { "cpahunt.com", false },
   { "cpap.com", true },
   { "cpasperdu.com", true },
   { "cpbapremiocaduceo.com.ar", true },
@@ -8770,11 +8881,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "crackers4cheese.com", true },
   { "crackle.io", true },
   { "crackorsquad.in", true },
+  { "crackslut.eu", true },
   { "crackstation.net", true },
   { "cradlepointecm.com", true },
   { "craft-verlag.de", true },
   { "craftandbuild.de", true },
   { "craftcommerce.com", true },
+  { "craftinghand.com", false },
   { "craftinginredlipstick.com", true },
   { "craftist.de", true },
   { "craftsmandruggets.com", true },
@@ -8782,7 +8895,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "craftyguy.net", true },
   { "craftyphotons.net", true },
   { "crag.com.tw", true },
-  { "craigary.net", true },
   { "craigbates.co.uk", true },
   { "craigfrancis.co.uk", true },
   { "craigleclaireteam.com", true },
@@ -8806,6 +8918,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "crazy-coders.com", true },
   { "crazybulk.co.uk", true },
   { "crazybulk.com", true },
+  { "crazybulk.de", true },
   { "crazybulk.fr", true },
   { "crazycastles.ie", true },
   { "crazydomains.ae", true },
@@ -8824,6 +8937,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "crea-shops.ch", true },
   { "crea.bg", true },
   { "creadstudy.com", true },
+  { "crealogix-online.com", true },
   { "creamcastles.co.uk", true },
   { "creared.edu.co", true },
   { "createcos.com", true },
@@ -8852,7 +8966,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "creativesurvey.com", true },
   { "creativeweb.biz", true },
   { "creativewolf.net", true },
-  { "creativlabor.ch", true },
+  { "creativosonline.org", true },
   { "creatixx-network.de", false },
   { "creators-design.com", true },
   { "creators.direct", true },
@@ -8871,7 +8985,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "credittoken.io", true },
   { "creeks-coworking.com", true },
   { "creep.im", true },
-  { "creepycraft.nl", true },
   { "creepypastas.com", true },
   { "creepypastas.net", true },
   { "creer-une-boutique-en-ligne.com", true },
@@ -8887,7 +9000,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cretdupuy.com", true },
   { "creteangle.com", true },
   { "cretica.no", true },
-  { "creusalp.ch", true },
   { "crew505.org", true },
   { "crgalvin.com", true },
   { "crgm.net", true },
@@ -8912,7 +9024,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "crispinusphotography.com", true },
   { "cristarta.com", true },
   { "cristau.org", true },
-  { "cristiandeluxe.com", false },
   { "critical.today", false },
   { "criticalsurveys.co.uk", true },
   { "crizin.io", true },
@@ -8936,6 +9047,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cross-x.com", true },
   { "cross.lol", true },
   { "crossborderreturns.com", true },
+  { "crosscom.ch", true },
   { "crossedwires.net", true },
   { "crossfitblackwater.com", true },
   { "crossfunctional.com", true },
@@ -8980,6 +9092,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "crypted.chat", true },
   { "crypteianetworks.com", true },
   { "crypticshell.co.uk", true },
+  { "crypto-armory.com", true },
   { "crypto.cat", false },
   { "crypto.graphics", true },
   { "crypto.is", false },
@@ -9015,13 +9128,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "crystalapp.ca", true },
   { "crystalchandelierservices.com", true },
   { "crystalgrid.net", true },
-  { "crystallizedcouture.com", true },
   { "crystaloscillat.com", true },
   { "crystalzoneshop.com", true },
   { "crystone.me", true },
   { "cryz.ru", true },
   { "cs2016.ch", true },
   { "csabg.org", true },
+  { "csacongress.org", true },
   { "csbs.fr", true },
   { "csbuilder.io", true },
   { "csca.me", true },
@@ -9073,6 +9186,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ctomp.io", false },
   { "ctoresms.com", true },
   { "ctpe.net", true },
+  { "ctr.id", true },
   { "ctrl.blog", true },
   { "ctrld.me", true },
   { "cu247secure.ie", true },
@@ -9123,7 +9237,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cup.al", true },
   { "cupcakesandcrinoline.com", true },
   { "cupcao.gov", true },
-  { "cupi.co", true },
   { "cupom.net", true },
   { "cuppycakes.fi", true },
   { "cur.by", true },
@@ -9162,6 +9275,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "curveprotect.org", true },
   { "curvesandwords.com", true },
   { "curvissa.co.uk", true },
+  { "curvylove.de", true },
   { "custodyxchange.com", true },
   { "custombikes.cl", true },
   { "customdissertation.com", true },
@@ -9229,6 +9343,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cyberdos.de", false },
   { "cyberduck.io", true },
   { "cyberexplained.info", true },
+  { "cybergates.org", true },
   { "cybergrx.com", true },
   { "cyberguerrilla.info", true },
   { "cyberguerrilla.org", true },
@@ -9236,6 +9351,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cyberianhusky.com", true },
   { "cyberkov.com", true },
   { "cyberlab.kiev.ua", false },
+  { "cyberlegal.co", true },
   { "cyberlightapp.com", true },
   { "cybermeldpunt.nl", true },
   { "cyberogism.com", true },
@@ -9245,6 +9361,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cyberregister.nl", true },
   { "cyberregister.org", true },
   { "cybersafesolutions.com", true },
+  { "cybersantri.com", true },
   { "cyberscan.io", true },
   { "cybersecurity.nz", true },
   { "cybersecurity.run", true },
@@ -9285,7 +9402,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cylindehea.com", true },
   { "cylindricity.com", true },
   { "cyon.ch", true },
-  { "cypad.cn", true },
   { "cyph.audio", true },
   { "cyph.com", true },
   { "cyph.healthcare", true },
@@ -9312,7 +9428,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "czbix.com", true },
   { "czbtm.com", true },
   { "czc.cz", true },
-  { "czechamlp.com", true },
   { "czechcrystals.co.uk", true },
   { "czechvirus.cz", true },
   { "czerno.com", true },
@@ -9339,8 +9454,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "d2s.uk", true },
   { "d3lab.net", true },
   { "d3xt3r01.tk", true },
+  { "d3xx3r.de", true },
   { "d42.no", true },
   { "d4done.com", true },
+  { "d4rkdeagle.tk", true },
+  { "d4wson.com", true },
   { "d4x.de", true },
   { "d66.nl", true },
   { "d6c5yfulmsbv6.cloudfront.net", true },
@@ -9385,6 +9503,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dailyhealthguard.com", true },
   { "dailykos.com", true },
   { "dailyrover.com", true },
+  { "dailyroverr.com", true },
   { "dailyxenang.com", true },
   { "daintymeal.com", true },
   { "dairyshrine.org", true },
@@ -9403,7 +9522,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dalb.in", true },
   { "dale-electric.com", true },
   { "dalek.co.nz", true },
-  { "dalepresencia.com", true },
   { "dalfsennet.nl", true },
   { "dalingk.com", true },
   { "dallaslu.com", true },
@@ -9412,7 +9530,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dalmatiersheusden.be", true },
   { "damaged.org", true },
   { "damasexpress.com", true },
-  { "damedrogy.cz", true },
   { "damejidlo.cz", true },
   { "dameocio.com", true },
   { "damghaem.ir", true },
@@ -9437,7 +9554,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dance-colleges.com", true },
   { "danchen.org", true },
   { "dancingcubs.co.uk", true },
-  { "dancingshiva.at", true },
   { "dandenongroadapartments.com.au", true },
   { "daneandthepain.com", true },
   { "dangmai.tk", true },
@@ -9460,7 +9576,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "danielhinterlechner.eu", true },
   { "danielhochleitner.de", true },
   { "danieljamesscott.org", true },
-  { "danieljireh.com", true },
   { "danieljstevens.com", true },
   { "danielkoster.nl", true },
   { "daniellockyer.com", true },
@@ -9469,9 +9584,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "danielmorell.com", true },
   { "danielmostertman.com", true },
   { "danielmostertman.nl", true },
+  { "danieln.tech", true },
   { "danielnaaman.com", true },
-  { "danielnaaman.net", true },
-  { "danielnaaman.org", true },
+  { "danielparker.com.au", true },
   { "danielpeukert.cz", true },
   { "danielran.com", true },
   { "danielrozenberg.com", true },
@@ -9498,6 +9613,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "danminkevitch.com", true },
   { "danna-salary.com", true },
   { "dannhanks.com", true },
+  { "dannicholas.net", true },
   { "danny-tittel.de", true },
   { "danny.fm", true },
   { "dannycairns.com", true },
@@ -9506,6 +9622,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "danonsecurity.com", true },
   { "danotage.tv", true },
   { "danpiel.net", true },
+  { "dansa.com.co", true },
   { "dansage.co", true },
   { "danscomp.com", true },
   { "dansdiscounttools.com", true },
@@ -9527,6 +9644,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dao.spb.su", true },
   { "daoro.net", true },
   { "daphne.informatik.uni-freiburg.de", true },
+  { "dapim.co.il", true },
   { "daplie.com", true },
   { "dapps.earth", true },
   { "dappworld.com", true },
@@ -9543,6 +9661,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "darinkotter.com", true },
   { "darioackermann.ch", true },
   { "darioclip.com", true },
+  { "dariosirangelo.me", true },
   { "darioturchetti.me", true },
   { "darisni.me", true },
   { "dark-infection.de", true },
@@ -9554,6 +9673,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "darkengine.net", true },
   { "darkerlystormy.com", true },
   { "darkerstormy.com", true },
+  { "darkestproductions.net", true },
   { "darkeststar.org", true },
   { "darkfire.ch", true },
   { "darklaunch.com", true },
@@ -9591,6 +9711,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "das-sommercamp.de", true },
   { "dasgeestig.nl", true },
   { "dashboard.run", true },
+  { "dashcloud.co", true },
   { "dashnearby.com", true },
   { "dashwebconsulting.com", true },
   { "dasignsource.com", true },
@@ -9615,6 +9736,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "datagrail.io", true },
   { "dataguidance.com", true },
   { "dataharvest.at", true },
+  { "datahive360.com", true },
   { "datahjalp.nu", true },
   { "datahoarder.xyz", true },
   { "datajobs.ai", true },
@@ -9680,6 +9802,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "davevelopment.net", true },
   { "davewardle.com", true },
   { "david-corry.com", true },
+  { "david-hinschberger.me", true },
   { "david-jeffery.co.uk", true },
   { "david-pearce.com", true },
   { "david-reess.de", true },
@@ -9688,6 +9811,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "davidadrian.org", true },
   { "davidandersson.se", true },
   { "davidbranco.me", true },
+  { "davidbuckell.com", true },
   { "davidcrx.net", true },
   { "daviddever.net", true },
   { "davidfetveit.com", true },
@@ -9721,6 +9845,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "davo-usedcars.be", true },
   { "davy-server.com", true },
   { "davypropper.com", true },
+  { "daw.nz", true },
   { "dawena.de", true },
   { "dawgs.ga", true },
   { "dawnbringer.eu", true },
@@ -9751,6 +9876,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dbldub.net", true },
   { "dbmiller.org", true },
   { "dbmteam.com", true },
+  { "dbmxpca.com", true },
   { "dborcard.com", true },
   { "dbpkg.com", true },
   { "dbq.com", true },
@@ -9780,11 +9906,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dcpower.eu", true },
   { "dcrdev.com", true },
   { "dcw.io", true },
+  { "ddatsh.com", true },
   { "ddays2008.org", true },
   { "ddel.de", true },
   { "dden.ca", true },
   { "ddepot.us", true },
-  { "ddholdingservices.com", true },
   { "ddhosted.com", true },
   { "ddns-test.de", true },
   { "ddnsweb.com", true },
@@ -9844,8 +9970,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "debarrasnanterre.com", true },
   { "debbyefurd.com", true },
   { "debie-usedcars.be", true },
-  { "debigare.com", true },
-  { "debkleinteam.com", true },
   { "debora-singkreis.de", true },
   { "debron-ot.nl", true },
   { "debrusoft.ch", true },
@@ -9856,6 +9980,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "decaffeinated.io", true },
   { "decalquai.ch", true },
   { "decay24.de", true },
+  { "decfun.com", true },
   { "dechat.nl", true },
   { "decher.de", true },
   { "decidetreatment.org", true },
@@ -9877,6 +10002,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "decorestilo.com.br", true },
   { "decosoftware.com", true },
   { "decrousaz-ceramique.ch", true },
+  { "decrypto.net", true },
   { "decs.es", true },
   { "dedelta.net", true },
   { "dedg3.com", true },
@@ -9892,8 +10018,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "deejayevents.ro", true },
   { "deelmijnreis.nl", true },
   { "deep-chess.com", true },
-  { "deep.club", true },
-  { "deepaero.com", true },
   { "deeparamaraj.com", true },
   { "deepbluecrafting.co.uk", true },
   { "deepblueemail.com", true },
@@ -9918,6 +10042,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "defendinnovation.org", true },
   { "defendtheweb.co.uk", true },
   { "defero.io", true },
+  { "define-atheism.com", true },
+  { "define-atheist.com", true },
+  { "defineatheism.com", true },
+  { "defineatheist.com", true },
   { "deflect.ca", true },
   { "deflumeri.com", true },
   { "deflumeriker.com", true },
@@ -9948,16 +10076,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "deinfoto.ch", true },
   { "deinserverhost.de", true },
   { "deitti.net", true },
-  { "dejan.media", true },
   { "dejandayoff.com", true },
   { "dejure.org", true },
   { "dejw.cz", true },
+  { "dekasegi-kansai.com", true },
   { "dekasiba.com", true },
   { "dekeurslagers.nl", true },
   { "dekka.cz", true },
   { "dekkercreativedesign.nl", true },
   { "dekko.io", true },
-  { "dekoh-shouyu.com", true },
   { "dekonix.ru", true },
   { "dekulk.nl", true },
   { "delahrzolder.nl", true },
@@ -9974,8 +10101,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "deliciousmedia.net", true },
   { "delicioustable.com", true },
   { "delid.cz", true },
-  { "delitto.top", true },
   { "delivery.co.at", true },
+  { "deliveryiquique.cl", true },
   { "dellipaoli.com", true },
   { "delogo.nl", true },
   { "delorenzi.dk", true },
@@ -9991,7 +10118,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "deltaonlineguards.com", true },
   { "deltaservers.com.br", true },
   { "deltasigmachi.org", true },
-  { "deltasmart.ch", true },
   { "deltava.org", true },
   { "demarle.ch", true },
   { "dementiapraecox.de", true },
@@ -10001,6 +10127,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "demilletech.net", true },
   { "demiranda.com", true },
   { "demmer.one", true },
+  { "demo.swedbank.se", true },
   { "demo9.ovh", true },
   { "democracychronicles.com", true },
   { "democracyineurope.eu", true },
@@ -10013,7 +10140,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dempsters.ca", false },
   { "demuzere.be", true },
   { "demuzere.com", true },
-  { "demuzere.eu", true },
   { "demuzere.net", true },
   { "demuzere.org", true },
   { "denabot.pw", true },
@@ -10038,12 +10164,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dent.uy", true },
   { "dental-colleges.com", true },
   { "dentallaborgeraeteservice.de", true },
+  { "dentechnica.co.uk", true },
   { "dentfix.ro", false },
   { "dentistesdarveauetrioux.com", true },
   { "dentistglasgow.com", true },
   { "dentrassi.de", true },
   { "dentystabirmingham.co.uk", true },
+  { "denvergospelhall.org", true },
   { "denwauranailab.com", true },
+  { "deonlinespecialist.nl", true },
   { "deontology.com", true },
   { "depaddestoeltjes.be", true },
   { "depannage-traceur.fr", true },
@@ -10073,16 +10202,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "derattizzazioni.org", true },
   { "derbuntering.de", true },
   { "derbybouncycastles.com", true },
+  { "derbyware.com", true },
   { "derdewereldrommelmarkt.nl", true },
   { "derechosdigitales.org", true },
   { "dereddingsklos.nl", true },
   { "dereferenced.net", true },
   { "derehamcastles.co.uk", true },
   { "derekheld.com", true },
+  { "derekkent.com", true },
   { "derekseaman.com", true },
   { "derekseaman.studio", true },
   { "dergeilstestammderwelt.de", true },
   { "derhil.de", true },
+  { "derivedata.com", true },
   { "derk-jan.com", true },
   { "derkuki.de", true },
   { "derma-expert.eu", true },
@@ -10105,6 +10237,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "desarrollowp.com", true },
   { "descartes-finance.com", true },
   { "desec.io", true },
+  { "desertmedaesthetics.com", true },
   { "desertsounds.org", true },
   { "desgenst.ch", true },
   { "design-in-bad.eu", true },
@@ -10129,7 +10262,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "deskvip.com", true },
   { "desmaakvanplanten.be", true },
   { "desmo.gg", true },
-  { "despachomartinyasociados.com", true },
   { "despertadoronline.com.es", true },
   { "desplats.com.ar", true },
   { "dessinemoilademocratie.ch", true },
@@ -10143,8 +10275,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "desu.ne.jp", true },
   { "desuchan.eu", true },
   { "desuchan.org", true },
-  { "desuperheroes.co", true },
   { "det-te.ch", true },
+  { "detalhecomercio.com.br", true },
   { "detalika.ru", true },
   { "detalyedesigngroup.com", true },
   { "detecmon.com", true },
@@ -10157,7 +10289,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "detoxic.vn", true },
   { "detoxsinutritie.ro", true },
   { "detroit-english.de", true },
-  { "detroitstylepizza.com", true },
+  { "detroitstylepizza.com", false },
   { "detroitzoo.org", true },
   { "detski.center", true },
   { "detskysad.com", true },
@@ -10166,6 +10298,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "deuchnord.fr", true },
   { "deude.de", true },
   { "deukie.nl", true },
+  { "deumavan.ch", true },
   { "deurenfabriek.nl", true },
   { "deutsch-vietnamesisch-dolmetscher.com", true },
   { "deutsche-seniorenbetreuung.de", true },
@@ -10202,11 +10335,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "developyourelement.com", true },
   { "develux.com", true },
   { "develux.net", true },
-  { "devh.net", true },
   { "deviant.email", true },
   { "devillers-occasions.be", true },
   { "devilshakerz.com", true },
-  { "deviltraxxx.de", true },
   { "devinfo.net", false },
   { "devirc.net", true },
   { "deviser.wang", true },
@@ -10228,6 +10359,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "devsrvr.ru", true },
   { "devstaff.gr", true },
   { "devstroke.io", true },
+  { "devswag.io", true },
   { "devtty.org", true },
   { "devyn.ca", false },
   { "devzero.io", true },
@@ -10238,6 +10370,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dex.top", true },
   { "dexalo.de", true },
   { "dexigner.com", true },
+  { "dexonrest.azurewebsites.net", true },
   { "deyute.com", true },
   { "dez-online.de", true },
   { "dezeregio.nl", true },
@@ -10266,6 +10399,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dhautefeuille.eu", true },
   { "dhauwer.nl", true },
   { "dhaynes.xyz", true },
+  { "dhbr.org", true },
   { "dhconcept.ch", true },
   { "dheart.net", true },
   { "dhhs.gov", true },
@@ -10276,6 +10410,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "di2pra.com", true },
   { "di2pra.fr", true },
   { "dia-de.com", true },
+  { "dia.com.br", true },
   { "diablovalleytech.com", true },
   { "diadorafitness.es", true },
   { "diadorafitness.it", true },
@@ -10294,6 +10429,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dianurse.com", true },
   { "diare-na-miru.cz", true },
   { "diario-egipto.com", true },
+  { "diaroma.it", true },
   { "diarynote.jp", true },
   { "diasdasemana.com", true },
   { "diasp.org", true },
@@ -10302,6 +10438,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dibiphp.com", true },
   { "diccionarioabierto.com", true },
   { "diccionariodedudas.com", true },
+  { "diccionarqui.com", true },
   { "dice.tokyo", true },
   { "dicelab.co.uk", true },
   { "dicesites.com", true },
@@ -10328,6 +10465,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "didesalud.com", true },
   { "didierghez.com", true },
   { "didigotoffer.com", true },
+  { "didikhari.web.id", true },
   { "die-bergfuehrer.de", true },
   { "die-blahuts.de", true },
   { "die-borts.ch", true },
@@ -10336,6 +10474,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "die-seide.de", true },
   { "die-sinlosen.de", true },
   { "die-speisekammer-reutlingen.de", true },
+  { "diebestengutscheine.de", true },
   { "diedrich.co", true },
   { "diedrich.me", true },
   { "dieecpd.org", true },
@@ -10351,6 +10490,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dienchaninstitute.com", true },
   { "dienstplan.cc", true },
   { "dienstplan.one", true },
+  { "dierabenmutti.de", true },
   { "dierenartsdeconinck.be", true },
   { "dieselanimals.lt", true },
   { "dieselgalleri.com", true },
@@ -10387,7 +10527,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "digilicious.com", true },
   { "digimagical.com", true },
   { "digimedia.cd", false },
-  { "digimomedia.co.uk", true },
   { "digioccumss.ddns.net", true },
   { "digipitch.com", true },
   { "digital-compounds.com", true },
@@ -10400,7 +10539,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "digital2web.com", false },
   { "digitalarchitecture.com", true },
   { "digitalbitbox.com", true },
-  { "digitalcash.cf", true },
   { "digitalcitizen.life", true },
   { "digitalcitizen.ro", true },
   { "digitalcraftmarketing.co.uk", true },
@@ -10429,10 +10567,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "digitalposition.com", true },
   { "digitalrights.center", true },
   { "digitalrights.fund", true },
+  { "digitalroar.com", true },
   { "digitalskillswap.com", true },
   { "digitalsurge.io", true },
   { "digitaltcertifikat.dk", true },
   { "digitaltechnologies.ltd.uk", true },
+  { "digitalunite.de", true },
   { "digitkon.com", true },
   { "digitreads.com", true },
   { "digminecraft.com", true },
@@ -10486,6 +10626,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dipalma.me", true },
   { "dipdaq.com", true },
   { "dipling.de", true },
+  { "diplomatiq.org", true },
   { "diplona.de", true },
   { "dipulse.it", true },
   { "dir2epub.com", true },
@@ -10524,7 +10665,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dischempharmacie.com", true },
   { "disciples.io", true },
   { "disciplina.io", true },
-  { "discipul.nl", true },
   { "discofitta.com", true },
   { "disconformity.net", true },
   { "discord.gg", true },
@@ -10532,6 +10672,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "discordapp.com", true },
   { "discordghost.space", true },
   { "discordia.me", true },
+  { "discordservers.com", true },
   { "discotek.club", true },
   { "discount24.de", true },
   { "discountlumberspokane.com", true },
@@ -10565,6 +10706,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "disinfestazioni.gorizia.it", true },
   { "disinfestazioni.info", true },
   { "disinfestazioni.milano.it", true },
+  { "disinfestazioni.napoli.it", true },
   { "disinfestazioni.net", true },
   { "disinfestazioni.padova.it", true },
   { "disinfestazioni.rimini.it", true },
@@ -10592,7 +10734,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dist-it.com", true },
   { "dist.torproject.org", false },
   { "disti.com", true },
-  { "distiduffer.org", true },
   { "distillery.com", true },
   { "distinguishedprisoner.com", true },
   { "distribuidoracristal.com.br", true },
@@ -10613,6 +10754,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "diveidc.com", true },
   { "diveplan.org", true },
   { "divergenz.org", true },
+  { "diversifiedproduct.com", true },
   { "diversityflags.com", true },
   { "diversityflags.com.au", true },
   { "diversityflags.nz", true },
@@ -10651,15 +10793,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "djeung.org", true },
   { "djipanov.com", true },
   { "djleon.net", true },
+  { "djlinux.cz", true },
   { "djlive.pl", true },
   { "djlnetworks.co.uk", true },
   { "djroynomden.nl", true },
   { "djsbouncycastlehire.com", true },
   { "djt-vom-chausseehaus.de", true },
-  { "djursland-psykologen.dk", true },
   { "djvintagevinyl.nl", true },
   { "djwaynepryke.com", true },
-  { "djz4music.com", false },
   { "dk-kromeriz.cz", true },
   { "dk.com", true },
   { "dk.search.yahoo.com", false },
@@ -10694,10 +10835,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dmatrix.xyz", true },
   { "dmd.lv", true },
   { "dmdd.org.uk", true },
-  { "dmeevalumate.com", true },
   { "dmess.ru", true },
   { "dmi.es", true },
   { "dmitry.sh", true },
+  { "dmmkenya.co.ke", true },
   { "dmmultionderhoud.nl", true },
   { "dmparish.com", true },
   { "dmschilderwerken.nl", true },
@@ -10719,12 +10860,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dns-swiss.ch", true },
   { "dns.google.com", true },
   { "dns8.online", true },
+  { "dnsaio.com", true },
   { "dnscrawler.com", true },
   { "dnscrypt.info", true },
   { "dnscurve.io", true },
   { "dnshallinta.fi", true },
   { "dnsinfo.ml", true },
   { "dnsipv6.srv.br", true },
+  { "dnskeep.com", true },
+  { "dnskeeper.com", true },
   { "dnsman.se", true },
   { "dnspod.ml", true },
   { "dnstwister.report", true },
@@ -10734,11 +10878,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "do13.net", true },
   { "do67.de", true },
   { "do67.net", true },
+  { "doanhnhanplus.vn", true },
   { "dobraprace.cz", true },
+  { "dobrev.family", true },
   { "dobrisan.ro", true },
   { "dobsnet.net", true },
   { "doc.python.org", true },
-  { "doc.to", true },
+  { "doc.to", false },
   { "doc8643.com", true },
   { "docabo.ch", true },
   { "docbox.ch", true },
@@ -10766,21 +10912,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "doctorwho.cz", true },
   { "docubox.info", true },
   { "docucopies.com", true },
+  { "docudanang.com.vn", true },
   { "documaniatv.com", true },
-  { "docupet.com", true },
   { "docusearch.com", true },
+  { "dodds.cc", true },
+  { "dodomu.ddns.net", true },
   { "dodopri.com", true },
   { "doenjoylife.com", true },
   { "does.one", true },
   { "doesburg-comp.nl", true },
   { "dofuspvp.com", true },
   { "dofux.org", true },
-  { "dog-blum.com", true },
   { "dogadayiz.net", true },
   { "dogan.ch", false },
   { "dogcontrol.ca", true },
   { "doge.me", true },
-  { "doge.town", true },
   { "dogear.ch", true },
   { "dogft.com", true },
   { "doggedbyirs.com", true },
@@ -10834,12 +10980,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "domakidis.com", true },
   { "domaxpoker.com", true },
   { "domeconseil.fr", true },
-  { "domein-direct.nl", true },
+  { "domein-direct.nl", false },
   { "domenic.me", true },
   { "domenicam.com", true },
   { "domesticcleaners.co.uk", true },
   { "domhaase.me", true },
-  { "domian.cz", true },
   { "dominationgame.co.uk", true },
   { "dominicself.co.uk", true },
   { "dominik-schlueter.de", true },
@@ -10861,7 +11006,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "domster.com", true },
   { "domus-global.com", true },
   { "domus-global.cz", true },
-  { "domwkwiatach.pl", true },
   { "domyassignments.com", true },
   { "domycasestudy.com", true },
   { "domycoursework.com", true },
@@ -10902,6 +11046,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "donnaandscottmcelweerealestate.com", true },
   { "donnacha.blog", true },
   { "donnachie.net", true },
+  { "donnajeanbooks.com", true },
   { "donner-reuschel.de", true },
   { "donnons.org", false },
   { "donnoval.ru", false },
@@ -10909,14 +11054,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "donotlink.it", true },
   { "donovand.info", true },
   { "donovankraag.nl", true },
+  { "donpomodoro.com.co", true },
   { "dont.re", true },
   { "dont.watch", true },
+  { "dontbeevil.com", true },
   { "dontbubble.me", true },
   { "dontcageus.org", true },
   { "dontpayfull.com", true },
   { "donttrust.me", true },
   { "donutcompany.co.jp", true },
-  { "donzool.es", true },
   { "dooby.fr", true },
   { "dooleylabs.com", true },
   { "dooleytackaberry.com", true },
@@ -10930,9 +11076,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "doorflow.com", true },
   { "doorhandlese.com", true },
   { "doorshingekit.com", true },
+  { "doorswest.net", true },
   { "dopesoft.de", true },
   { "dopetrue.com", true },
-  { "doppenpost.nl", true },
+  { "dophys.top", true },
   { "dopply.com", true },
   { "dopravni-modely.cz", true },
   { "dopsi.ch", true },
@@ -10976,6 +11123,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dosvientosoutdoorlighting.com", true },
   { "doswap.com", true },
   { "dosyauzantisi.com", true },
+  { "dot.ro", true },
   { "dot42.no", true },
   { "dota2huds.com", true },
   { "dotacni-parazit.cz", true },
@@ -11016,7 +11164,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "douzer.de", true },
   { "douzer.industries", true },
   { "dovenzorgmalawi.nl", true },
-  { "dovro.de", true },
   { "dowell.media", true },
   { "dowellconsulting.com", true },
   { "dowhatmakegood.de", true },
@@ -11034,6 +11181,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "downtimerobot.nl", true },
   { "downtownautospecialists.com", true },
   { "downtownvernon.com", true },
+  { "dox-box.eu", true },
   { "doyoucheck.com", false },
   { "doyouedc.com", true },
   { "doyoutax.com", true },
@@ -11069,6 +11217,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dr-stoetter.de", true },
   { "dr-www.de", true },
   { "dr2dr.ca", true },
+  { "draadloze-noodstop.nl", true },
   { "drabadir.com", true },
   { "drabim.org", true },
   { "drach.xyz", true },
@@ -11090,6 +11239,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "draghive.tv", true },
   { "dragon-chem.eu", true },
   { "dragon-hearts.co.uk", true },
+  { "dragon.nu", true },
   { "dragoncave.me", true },
   { "dragonclean.gr", true },
   { "dragonfly.co.uk", true },
@@ -11106,7 +11256,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dragonsunited.org", true },
   { "dragonwolfpackaquaria.com", true },
   { "dragonwork.me", true },
-  { "drahcro.uk", true },
+  { "drainagedirect.com", true },
+  { "draintechnorthwest.net", true },
   { "drakecommercial.com", true },
   { "drakeluce.com", true },
   { "drakenson.de", true },
@@ -11121,7 +11272,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "drawingcode.net", true },
   { "drawtwo.gg", true },
   { "drawxp.com", true },
-  { "drbethanybarnes.com", true },
   { "drbriones.com", true },
   { "drcarolynquist.com", true },
   { "drchrislivingston.com", true },
@@ -11143,15 +11293,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dreammaker-nw.com", true },
   { "dreammakerremodelil.com", true },
   { "dreammakerutah.com", true },
-  { "dreamof.net", true },
+  { "dreamof.net", false },
   { "dreamonkey.com", true },
   { "dreamrae.net", true },
+  { "dreamstream.mobi", true },
   { "dreamstream.network", true },
   { "dreamstream.nl", true },
   { "dreamstream.tv", true },
   { "dreamstream.video", true },
-  { "dreamtechie.com", true },
-  { "dreatho.com", true },
   { "dreemurr.com", true },
   { "drei01.com", true },
   { "drei01.de", true },
@@ -11169,7 +11318,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dressify.co", true },
   { "dressify.in", true },
   { "drevanbeale.com", true },
-  { "drevo-door.cz", true },
+  { "drevo-door.cz", false },
   { "drew.beer", true },
   { "drew.red", true },
   { "drewapianostudio.com", true },
@@ -11183,9 +11332,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "drgn.no", true },
   { "drhathazi.hu", true },
   { "drheibel.com", true },
+  { "drhoseyni.com", true },
   { "driesjtuver.nl", true },
   { "driessoftsec.tk", true },
   { "driftdude.nl", true },
+  { "driftingruby.com", true },
   { "drighes.com", true },
   { "drillingsupply.info", true },
   { "drillingsupplystore.com", true },
@@ -11223,8 +11374,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "drmcdaniel.com", true },
   { "drms.us", true },
   { "drmtransit.com", true },
+  { "drmyco.net", true },
   { "drnow.ru", true },
   { "drogueriaelbarco.com", true },
+  { "droidandy.com", true },
   { "droidapp.nl", true },
   { "droidgyan.com", true },
   { "droidhere.com", true },
@@ -11251,8 +11404,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "drpetervoigt.ddns.net", true },
   { "drpetervoigt.de", true },
   { "drpico.com.au", true },
-  { "drpure.top", true },
-  { "drrodina.com", true },
   { "drrr.chat", true },
   { "drrr.wiki", true },
   { "drsajjadian.com", true },
@@ -11266,6 +11417,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "drugs.com", true },
   { "drumbe.at", true },
   { "drummondframing.com", true },
+  { "drunkscifi.com", true },
   { "drupal-expert.it", true },
   { "drupal.org", true },
   { "drupalspb.org", true },
@@ -11301,15 +11453,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dshield.org", true },
   { "dsm5.com", true },
   { "dsmjs.com", true },
+  { "dsmstainlessproducts.co.uk", true },
   { "dso-imaging.co.uk", true },
   { "dso-izlake.si", true },
   { "dsol.hu", true },
   { "dssale.com", true },
   { "dstamou.de", true },
+  { "dstat.cc", true },
   { "dsteiner.at", true },
   { "dstvinstallalberton.co.za", true },
+  { "dstvinstalledenvale.co.za", true },
   { "dstvinstallfourways.co.za", true },
+  { "dstvinstallkemptonpark.co.za", true },
   { "dstvinstallrandburg.co.za", true },
+  { "dstvsandton.co.za", true },
+  { "dstvsouthafrica.com", true },
   { "dt27.org", true },
   { "dtbouncycastles.co.uk", true },
   { "dtdsh.com", true },
@@ -11328,6 +11486,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dtx.sk", true },
   { "dualascent.com", true },
   { "dub.cz", true },
+  { "dubai-company.ae", true },
   { "dubaieveningsafari.com", true },
   { "dubbingkursus.dk", true },
   { "dubious-website.com", true },
@@ -11338,12 +11497,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dubtrack.fm", true },
   { "ducalendars.com", true },
   { "duch.cloud", true },
-  { "ducius.net", true },
   { "duckbase.com", true },
+  { "duckblade.com", true },
   { "duckduck.horse", true },
   { "duckduckstart.com", true },
   { "duckeight.win", true },
   { "duckinc.net", true },
+  { "duckyubuntu.tk", true },
   { "duct.me", true },
   { "due-diligence-security.com", true },
   { "duerlund-falkenberg.dk", true },
@@ -11385,12 +11545,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dundalkdonnie.com", true },
   { "dunesadventure.net", true },
   { "dungeon-bbs.de", true },
+  { "dunklau.fr", true },
   { "dunkle-seite.org", true },
   { "dunloptrade.com", true },
   { "dunmanelectric.com", true },
   { "duobus.nl", true },
   { "duoluodeyu.com", true },
-  { "duonganhtuan.com", true },
   { "duoquadragintien.fr", true },
   { "dupisces.com.tw", true },
   { "dupree.co", true },
@@ -11411,12 +11571,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dusnan.com", true },
   { "dustplanet.de", true },
   { "dustri.org", true },
-  { "dustycloth.com", true },
   { "dustygroove.com", true },
   { "dustyspokesbnb.ca", true },
   { "dutch.desi", true },
   { "dutchdare.nl", true },
-  { "dutchessuganda.com", true },
   { "dutchforkrunners.com", true },
   { "dutchrank.nl", true },
   { "dutchwanderers.nl", true },
@@ -11446,7 +11604,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dx-revision.com", true },
   { "dxgl.info", true },
   { "dxgl.org", true },
-  { "dxm.no-ip.biz", true },
   { "dybuster.at", true },
   { "dybuster.ch", true },
   { "dybuster.com", true },
@@ -11513,6 +11670,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dyscalculia-blog.com", true },
   { "dysthymia.com", true },
   { "dyyn.de", true },
+  { "dzar.nsupdate.info", true },
   { "dzeina.ch", true },
   { "dzet.de", true },
   { "dziary.com", true },
@@ -11526,7 +11684,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dzsula.hu", true },
   { "dzyabchenko.com", true },
   { "dzyszla.pl", true },
-  { "e-apack.com.br", true },
   { "e-bikesdirect.co.uk", true },
   { "e-biografias.net", true },
   { "e-borneoshop.com", true },
@@ -11534,7 +11691,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "e-colle.info", true },
   { "e-cottage.com.br", true },
   { "e-enterprise.gov", false },
-  { "e-gemeinde.at", true },
   { "e-hon.link", true },
   { "e-id.ee", true },
   { "e-imzo.uz", true },
@@ -11556,7 +11712,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "e-tonery.cz", true },
   { "e-traceur-france.fr", true },
   { "e-tresor.at", true },
-  { "e-tune-mt.net", true },
   { "e-typ.eu", true },
   { "e-verify.gov", false },
   { "e-worksmedia.com", true },
@@ -11597,12 +11752,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "earticleblog.com", true },
   { "earvinkayonga.com", false },
   { "easelforart.com", true },
-  { "easez.net", true },
   { "eashwar.com", true },
   { "eastarm.net", true },
   { "eastblue.org", true },
   { "easterncapebirding.co.za", true },
   { "eastlothianbouncycastles.co.uk", true },
+  { "eastman.space", true },
   { "eastmanbusinessinstitute.com", true },
   { "eastnorschool.co.uk", true },
   { "eastplan.co.kr", true },
@@ -11615,7 +11770,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "easyconstat.com", true },
   { "easycosmetic.ch", true },
   { "easycup.com", false },
-  { "easydumpsterrental.com", false },
+  { "easydumpsterrental.com", true },
   { "easyeigo.com", true },
   { "easyfiles.ch", true },
   { "easyhaul.com", true },
@@ -11673,7 +11828,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eboutic.ch", true },
   { "eboyer.com", true },
   { "ebpglobal.com", false },
-  { "ebrnd.de", true },
   { "ec-current.com", true },
   { "ec.mine.nu", true },
   { "eca.edu.au", true },
@@ -11687,6 +11841,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ecco-verde.com", false },
   { "ecdn.cz", true },
   { "ecfnorte.com.br", true },
+  { "ecfunstalls.com", true },
   { "echatta.net", true },
   { "echatta.org", true },
   { "echi.pw", true },
@@ -11701,6 +11856,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "echoit.net.au", true },
   { "echoit.services", true },
   { "echopaper.com", true },
+  { "echorecovery.org", true },
   { "echosim.io", true },
   { "echosixmonkey.com", true },
   { "echosystem.fr", true },
@@ -11710,7 +11866,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "echternach-immobilien.de", true },
   { "echtes-hutzelbrot.de", true },
   { "echtgeld-casinos.de", true },
-  { "ecir.pro", true },
   { "ecir.ru", true },
   { "ecirtam.net", true },
   { "eckel.co", true },
@@ -11754,15 +11909,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "econverter.cloud", true },
   { "ecorp.cc", true },
   { "ecos-ev.de", true },
-  { "ecos.srl", true },
   { "ecoshare.info", true },
-  { "ecoskif.ru", true },
   { "ecosm.com.au", true },
   { "ecosound.ch", true },
   { "ecostruxureit.com", true },
   { "ecosystem.atlassian.net", true },
   { "ecosystemmanager-uat1.azurewebsites.net", true },
-  { "ecosystemmanager.azurewebsites.net", true },
+  { "ecotaxi2airport.com", true },
   { "ecoterramedia.com", true },
   { "ecotur.org", true },
   { "ecovision.com.br", true },
@@ -11828,6 +11981,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "edragneainpuscarie.ro", true },
   { "edsby.com", true },
   { "edservicing.com", true },
+  { "edshogg.co.uk", true },
   { "edsm.net", true },
   { "edstep.com", true },
   { "edtech-hub.com", true },
@@ -11875,7 +12029,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eellak.gr", true },
   { "eelsden.net", true },
   { "eelzak.nl", true },
-  { "eemcevn.com", true },
   { "eentweevijf.be", true },
   { "eer.io", true },
   { "eerlijktransport.nl", true },
@@ -11899,7 +12052,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "effero.net", true },
   { "effex.ru", true },
   { "effinfun.com", true },
-  { "effizienta.ch", true },
   { "efflam.net", true },
   { "effortlesshr.com", true },
   { "efg-darmstadt.de", false },
@@ -11932,7 +12084,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eggert.org", false },
   { "eggplant.today", true },
   { "egiftcards.be", true },
+  { "eglek.com", true },
   { "egles.eu", true },
+  { "eglisedenantes.fr", true },
   { "ego4u.com", true },
   { "ego4u.de", true },
   { "egoroof.ru", true },
@@ -11948,6 +12102,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ehandel.com", true },
   { "ehazi.hu", true },
   { "ehbssl.com", true },
+  { "ehcommerce.com", true },
   { "eheliche-disziplin.schule", true },
   { "ehertz.uk", true },
   { "ehipaa.com", true },
@@ -11957,11 +12112,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ehne.de", true },
   { "ehomusicgear.com", true },
   { "ehrenburg.info", true },
-  { "ehsellert.com", true },
+  { "ehseller.com", true },
   { "ehub.cz", true },
   { "ehub.hu", true },
   { "ehub.pl", true },
   { "ehub.sk", true },
+  { "eiao.me", true },
   { "eichel.eu", true },
   { "eichler.work", true },
   { "eichornenterprises.com", true },
@@ -11978,6 +12134,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eigpropertyauctions.co.uk", true },
   { "eihaikyo.com", true },
   { "eika.as", true },
+  { "eikounoayumi.jp", true },
   { "eilandprojectkeukens.nl", true },
   { "eilhan.com", true },
   { "eimacs.com", true },
@@ -12008,16 +12165,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ejkmuseum.nl", true },
   { "ejknet.nl", true },
   { "ejkwebdesign.nl", true },
-  { "ek-networks.de", true },
+  { "ek-networks.de", false },
   { "ekaigotenshoku.com", true },
   { "ekati.ru", true },
+  { "ekawaiishop.com", true },
   { "ekb-avia.ru", true },
   { "ekd.de", true },
   { "ekedc.com", true },
   { "ekedp.com", true },
   { "eklepka.com", true },
   { "eklitzke.org", true },
-  { "ekodevices.com", true },
   { "ekokontakt.cz", true },
   { "ekonbenefits.com", true },
   { "ekostecki.de", true },
@@ -12049,11 +12206,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "elderjustice.gov", true },
   { "elderoost.com", true },
   { "eldertons.co.uk", true },
+  { "eldevo.com", true },
   { "eldinhadzic.com", true },
   { "eldisagjapi.com", true },
   { "eldrid.ge", true },
   { "eldritchfiction.net", true },
-  { "eleaut.com.br", true },
   { "electionsbycounty.com", true },
   { "electionsdatabase.com", true },
   { "electmikewaters.com", true },
@@ -12179,9 +12336,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "elettricista-roma.it", true },
   { "elettricista-roma.org", true },
   { "eleusis-zur-verschwiegenheit.de", true },
-  { "elevator.ee", true },
   { "elevatoraptitudetest.com", true },
-  { "elexel.ru", true },
   { "elexprimidor.com", true },
   { "elexwong.com", true },
   { "elfe.de", true },
@@ -12201,7 +12356,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eliaskordelakos.com", true },
   { "elibom.com", true },
   { "elie.net", true },
-  { "elielaloum.com", true },
   { "elifesciences.org", true },
   { "eligibilis.com", true },
   { "eligible.com", true },
@@ -12221,7 +12375,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "elite12.de", true },
   { "elitebouncingfun.com", true },
   { "elitegameservers.net", true },
-  { "elitehosting.de", false },
   { "elitenutritionoficial.com", true },
   { "elixi.re", true },
   { "elixir.bzh", true },
@@ -12231,7 +12384,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "elizabethrominski.com", true },
   { "eljef.me", true },
   { "elkoy.org", true },
-  { "ell-net.tokyo", true },
   { "ella-kwikmed.com", false },
   { "ellak.gr", true },
   { "ellegaard.dk", true },
@@ -12252,7 +12404,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "elohellp.com", false },
   { "elonaspitze.de", true },
   { "elosrah.com", true },
-  { "elosuite.com", true },
   { "elpado.de", true },
   { "elpo.net", true },
   { "elpoderdelespiritu.org", true },
@@ -12260,6 +12411,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "elrinconderovica.com", true },
   { "elsagradocoran.org", true },
   { "elshou.com", true },
+  { "elsignificadodesonar.com", true },
   { "elstopstelten.nl", true },
   { "elsvanderlugt.nl", true },
   { "eltagroup.co.uk", true },
@@ -12288,20 +12440,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "em-biotek.cz", true },
   { "emaging-productions.fr", true },
   { "emaging.fr", true },
-  { "emailalaperformance.fr", true },
   { "emailconfiguration.com", true },
   { "emailfuermich.de", true },
   { "emailhunter.co", true },
-  { "emailing.alsace", true },
+  { "emailmeform.com", true },
   { "emailprivacytester.com", true },
   { "emailtools.io", true },
   { "emaily.eu", true },
+  { "emanol.co.uk", true },
   { "emanuel.photography", true },
   { "emanuela-gabriela.co.uk", true },
   { "emanuelduss.ch", true },
   { "emanueleanastasio.com", true },
   { "emanuelemazzotta.com", true },
   { "emarketingmatters.com", true },
+  { "emasex.com", true },
   { "embassycargo.eu", true },
   { "emberlife.com", true },
   { "embox.net", true },
@@ -12328,7 +12481,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "emil-reimann.com", true },
   { "emil.click", true },
   { "emilecourriel.com", true },
-  { "emiliendevos.be", true },
+  { "emilio.media", true },
   { "emilong.com", true },
   { "emilreimann.de", true },
   { "emils-1910.de", true },
@@ -12345,7 +12498,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "emkanrecords.com", true },
   { "emkei.cz", true },
   { "emkrivoy.com", true },
-  { "emma.ca", true },
   { "emmababy420.com", true },
   { "emmagraystore.com", true },
   { "emobilityforum.org", true },
@@ -12360,6 +12512,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "emperor-penguins.com", true },
   { "empese.com", true },
   { "empherino.net", true },
+  { "empire-univ.com", true },
   { "emploi-collectivites.fr", true },
   { "employeeexpress.gov", true },
   { "employer.gov", true },
@@ -12372,6 +12525,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "emporioviverbem.com.br", false },
   { "empower.net", true },
   { "empowerdb.com", true },
+  { "emprechtinger.com", true },
   { "emprego.pt", true },
   { "emprunterlivre.ci", true },
   { "empyrean-advisors.com", true },
@@ -12386,7 +12540,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "en-crypt.me", true },
   { "en-maktoob.search.yahoo.com", false },
   { "en4rab.co.uk", true },
-  { "enaim.de", true },
+  { "enaah.de", true },
   { "enalean.com", true },
   { "enamae.net", true },
   { "enbecom.net", true },
@@ -12394,6 +12548,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "encircleapp.com", true },
   { "encnet.de", true },
   { "encode.host", true },
+  { "encoderx.uk", true },
+  { "encore.io", false },
   { "encouragemarketing.com", true },
   { "encredible.de", false },
   { "encredible.org", false },
@@ -12406,12 +12562,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "encryptmysite.net", true },
   { "encuentraprecios.es", true },
   { "encycarpedia.com", true },
+  { "encyclopedia-titanica.org", true },
   { "endeal.nl", true },
   { "ender.co.at", true },
   { "enderbycamping.com", true },
   { "enderszone.com", true },
   { "endingthedocumentgame.gov", true },
+  { "endlessdiy.ca", true },
   { "endlessvideo.com", true },
+  { "endofodo.goip.de", true },
   { "endoftenancycleaninglondon.co.uk", true },
   { "endoftennancycleaning.co.uk", true },
   { "endpointsystems.com", true },
@@ -12424,6 +12583,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "energy-in-balance.eu", true },
   { "energy-infra.nl", true },
   { "energy-initiative.com", true },
+  { "energy.eu", true },
   { "energyatlas.com", true },
   { "energyaupair.se", true },
   { "energycodes.gov", true },
@@ -12447,6 +12607,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "engiedev.net", true },
   { "enginepit.com", true },
   { "enginsight.com", true },
+  { "engl-systems.de", true },
   { "englishbulgaria.net", true },
   { "englishcast.com.br", true },
   { "englishforums.com", true },
@@ -12457,15 +12618,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "enigma.swiss", true },
   { "enijew.com", true },
   { "enitso.de", true },
+  { "enixgaming.com", true },
   { "enjin.io", true },
   { "enjincoin.io", true },
   { "enjinwallet.io", true },
+  { "enjinx.cn", true },
   { "enjinx.io", true },
   { "enjoy-drive.com", true },
   { "enjoy-israel.ru", true },
   { "enjoyphoneblog.it", true },
   { "enlight.no", true },
-  { "enlighten10x.ga", true },
   { "enlightenedhr.com", true },
   { "enlightenment.org", true },
   { "enlnf.link", true },
@@ -12499,7 +12661,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "entercenter.ru", true },
   { "enterprisey.enterprises", true },
   { "entersoftsecurity.com", true },
-  { "entersynapse.com", false },
   { "entheogens.com", true },
   { "enthusiaformazione.com", true },
   { "entradaweb.cl", true },
@@ -12510,6 +12671,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "entrusted.io", true },
   { "entryboss.cc", true },
   { "entrypoint.sh", true },
+  { "entwickler.land", true },
   { "enuchi.jp", true },
   { "envant.co.uk", true },
   { "enveloppenopmaat.nl", true },
@@ -12538,7 +12700,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "epi.one", true },
   { "epic-vistas.com", true },
   { "epic-vistas.de", true },
-  { "epicbouncycastlehirenorwich.co.uk", true },
   { "epicbouncycastles.co.uk", true },
   { "epicdowney.com", true },
   { "epicenter.work", true },
@@ -12547,8 +12708,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "epichouse.net", false },
   { "epicinflatables.co.uk", true },
   { "epickitty.co.uk", true },
-  { "epicpages.com", true },
   { "epicsecure.de", true },
+  { "epicsoft.de", false },
   { "epicvistas.com", true },
   { "epicvistas.de", true },
   { "epicwalnutcreek.com", true },
@@ -12594,7 +12755,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "epublibre.org", true },
   { "epyonsuniverse.net", true },
   { "eq-serve.com", true },
-  { "eqibank.com", true },
   { "equalcloud.com", true },
   { "equallove.me", true },
   { "equeim.ru", true },
@@ -12609,6 +12769,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "er-mgmt.com", true },
   { "er.tl", true },
   { "er1s.xyz", true },
+  { "erasmo.info", true },
   { "erasmusplusrooms.com", true },
   { "erate.fi", true },
   { "erath.fr", true },
@@ -12639,7 +12800,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ericspeidel.de", true },
   { "ericvaughn-flam.com", true },
   { "ericwie.se", true },
-  { "eridanus.uk", true },
+  { "ericyl.com", true },
   { "erigrid.eu", true },
   { "eriix.org", true },
   { "erikheemskerk.nl", true },
@@ -12658,7 +12819,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ero.ink", true },
   { "eron.info", true },
   { "eroskines.com", true },
-  { "eroticforce.com", true },
   { "erp-band.ru", true },
   { "erp.band", true },
   { "erpax.com", true },
@@ -12696,7 +12856,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "erythroxylum-coca.com", true },
   { "es-geenen.de", true },
   { "es.search.yahoo.com", false },
-  { "esaborit.ddns.net", true },
   { "esafar.cz", false },
   { "esagente.com", true },
   { "esailinggear.com", true },
@@ -12707,7 +12866,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "esc.chat", true },
   { "esc.gov", true },
   { "escael.org", true },
-  { "escape2rooms.fr", true },
   { "escapeplaza.de", true },
   { "escapetalk.nl", true },
   { "escargotbistro.com", true },
@@ -12731,7 +12889,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eshspotatoes.com", true },
   { "esibun.net", true },
   { "esigmbh.de", true },
-  { "esipublications.com", true },
   { "esite.ch", true },
   { "eskdale.net", true },
   { "eskriett.com", true },
@@ -12777,13 +12934,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "essaychecker.com", true },
   { "essaydirectory.com", true },
   { "essayforsale.net", true },
+  { "essayjob.com", true },
   { "essaynews.com", true },
   { "essaypro.net", true },
   { "essaytalk.com", true },
   { "essaywriting.biz", true },
   { "essca.fr", true },
   { "essenalablog.de", true },
-  { "essencesdeprana.org", true },
   { "essenciasparis.com.br", true },
   { "essex.cc", true },
   { "essite.net", true },
@@ -12810,6 +12967,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "estoic.net", true },
   { "estoniantrade.ee", true },
   { "estonoentraenelexamen.com", true },
+  { "estoppels.com", true },
   { "estudiarparaser.com", true },
   { "estudiserradal.com", true },
   { "estufitas.com", true },
@@ -12847,6 +13005,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "etfacta.com", true },
   { "eth-faucet.net", true },
   { "eth0.nl", true },
+  { "etha.nz", true },
   { "ethack.org", true },
   { "ethaligan.fr", true },
   { "ethan.pm", true },
@@ -12855,7 +13014,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ethercalc.org", true },
   { "ethergeist.de", false },
   { "etherium.org", true },
-  { "etherpad.fr", true },
   { "etherpad.nl", true },
   { "ethers.news", true },
   { "ethicaldata.co.uk", true },
@@ -12882,9 +13040,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "etudesbibliques.fr", true },
   { "etudesbibliques.net", true },
   { "etudesbibliques.org", true },
+  { "eturist.si", true },
   { "etv.cx", true },
   { "etyd.org", true },
-  { "etzi.myds.me", true },
   { "eu-darlehen-finanzierung.de", true },
   { "eu-datenbank.de", true },
   { "eu-gamers.com", true },
@@ -12922,12 +13080,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "euroalter.com", true },
   { "eurocars2000.es", true },
   { "eurocenterobuda.hu", true },
-  { "euroconthr.ro", true },
   { "eurodentaire.com", true },
   { "euroflora.com", true },
   { "euroflora.mobi", true },
   { "eurofrank.eu", true },
   { "eurolocarno.es", true },
+  { "europapier.com", true },
   { "europapier.hu", true },
   { "europapier.net", true },
   { "europapier.sk", true },
@@ -12951,6 +13109,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eurousa.us", true },
   { "eurovision.ie", true },
   { "euteamo.cn", true },
+  { "euterpiaradio.ch", true },
   { "eutotal.com", true },
   { "eutram.com", true },
   { "euwid-energie.de", true },
@@ -12959,7 +13118,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eva-select.com", true },
   { "eva.cz", true },
   { "evaartinger.de", true },
-  { "evadifranco.com", true },
   { "evafojtova.cz", true },
   { "evailoil.ee", true },
   { "evailoil.eu", true },
@@ -12969,6 +13127,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "evamira.com", true },
   { "evanfiddes.com", true },
   { "evangelicalmagazine.com", true },
+  { "evangelosm.com", true },
   { "evansdesignstudio.com", true },
   { "evantageglobal.com", true },
   { "evanwang0.com", true },
@@ -12978,12 +13137,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "evavolfova.cz", true },
   { "eve.ac", true },
   { "eve0s.com", true },
+  { "eveadmin.azurewebsites.net", true },
   { "evelienzorgt.nl", true },
   { "evelyndayman.com", true },
   { "evemarketer.com", true },
   { "evemodx.com", true },
   { "evenementenhoekvanholland.nl", true },
   { "evenstargames.com", true },
+  { "event-blick.de", true },
   { "event4fun.no", true },
   { "eventaro.com", true },
   { "eventide.space", true },
@@ -13018,7 +13179,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "everygayporn.com", false },
   { "everything-everywhere.com", true },
   { "everythingaccess.com", true },
-  { "everythingstech.com", true },
   { "everythinq.com", true },
   { "everytrycounts.gov", false },
   { "everywhere.cloud", true },
@@ -13030,8 +13190,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "evidenceusa.com.br", true },
   { "evidencija.ba", true },
   { "evidentiasoftware.com", true },
-  { "evilarmy.com", true },
   { "evilbunnyfufu.com", true },
+  { "evileden.com", true },
   { "evilized.de", true },
   { "evilmartians.com", true },
   { "evilsite.cf", true },
@@ -13042,7 +13202,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "evodation.org", true },
   { "evodia-spirits.de", true },
   { "evok.com.co", false },
-  { "evokepk.com", true },
   { "evolutioninflatables.co.uk", true },
   { "evolutionlending.co.uk", true },
   { "evolutionpets.com", true },
@@ -13070,6 +13229,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ewhitehat.com", true },
   { "ewie.name", true },
   { "ewizmo.com", true },
+  { "ewok.io", true },
   { "ewout.io", true },
   { "ewsfeed.com", true },
   { "ewtl.es", true },
@@ -13092,6 +13252,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "excel-utbildning.nu", true },
   { "excelhot.com", true },
   { "excelkurs.one", true },
+  { "excella.me", true },
   { "exceltechdubai.com", true },
   { "exceltechoman.com", true },
   { "exceltobarcode.com", true },
@@ -13114,15 +13275,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "exeria.de", true },
   { "exexcarriers.com", true },
   { "exgen.io", true },
-  { "exhaledayspa.com.au", true },
   { "exhalespa.com", true },
   { "exhibityour.com", true },
   { "exiahost.com", true },
   { "exit9wineandliquor.com", true },
   { "exitooutdoor.com", true },
+  { "exmart.ng", true },
   { "exmoe.com", true },
   { "exon.io", true },
-  { "exoplatform.com", true },
   { "exordiumconcepts.com", true },
   { "exoscale.ch", true },
   { "exoscale.com", true },
@@ -13222,6 +13382,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "exxo.tk", true },
   { "exyplis.com", true },
   { "eydesignguidelines.com", true },
+  { "eye-encounters.com", true },
   { "eyeandfire.com", true },
   { "eyecandy.gr", true },
   { "eyeglasses.com", false },
@@ -13234,15 +13395,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eynio.com", true },
   { "eyona.com", true },
   { "eyps.net", true },
+  { "eyrelles-tissus.com", true },
   { "eyyit.com", false },
   { "eyyubyilmaz.com", true },
   { "ez3d.eu", true },
   { "ezakazivanje.rs", true },
   { "ezdog.press", true },
-  { "ezequiel-garzon.net", true },
   { "ezesec.com", true },
   { "ezgif.com", true },
   { "ezhik-din.ru", true },
+  { "ezpzdelivery.com", true },
   { "eztvtorrent.com", true },
   { "ezwritingservice.com", true },
   { "ezzhole.net", true },
@@ -13281,7 +13443,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fabian-klose.com", true },
   { "fabian-klose.de", true },
   { "fabian-klose.net", true },
-  { "fabian-koeppen.de", true },
   { "fabianackle.ch", true },
   { "fabianbeiner.com", false },
   { "fabianbeiner.de", false },
@@ -13342,6 +13503,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "faelix.net", true },
   { "faerb.it", true },
   { "faerie-art.com", true },
+  { "faeservice.eu", true },
+  { "fafarishoptrading.com", true },
   { "fahnamporn.com", true },
   { "fahnen-fanwelt.de", true },
   { "fahrenwal.de", true },
@@ -13382,10 +13545,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "falaeapp.org", true },
   { "falaowang.com", true },
   { "falbros.com", true },
+  { "falce.in", true },
+  { "falcema.com", true },
   { "falcona.io", true },
   { "falconfrag.com", true },
   { "falconvintners.com", true },
-  { "falcoz.co", true },
+  { "falcoz.co", false },
   { "faldoria.de", true },
   { "falegname-roma.it", true },
   { "falkhusemann.de", true },
@@ -13411,6 +13576,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "familie-kruithof.nl", true },
   { "familie-kupschke.de", true },
   { "familie-leu.ch", true },
+  { "familie-mischak.de", true },
   { "familie-monka.de", true },
   { "familie-poeppinghaus.de", true },
   { "familie-remke.de", true },
@@ -13451,6 +13617,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fantastici.de", true },
   { "fantasticservices.com", true },
   { "fantasticservicesgroup.com.au", true },
+  { "fantasy-judo.com", true },
   { "fantasycastles.co.uk", true },
   { "fantasycdn.com", true },
   { "fantasydrop.com", true },
@@ -13465,12 +13632,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fanyue123.tk", true },
   { "fanz.pro", true },
   { "fanzlive.com", true },
+  { "fapplepie.com", true },
   { "faq.ie", true },
   { "fara.gov", true },
   { "faradji.nu", true },
   { "faradome.ws", true },
   { "faraslot8.com", true },
   { "farcecrew.de", true },
+  { "farces.com", false },
   { "farfallapets.com.br", true },
   { "farfetchos.com", true },
   { "fargtorget.se", true },
@@ -13487,15 +13656,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "faroes.net", true },
   { "faroes.org", true },
   { "farrel-f.cf", true },
-  { "farrel-f.id", true },
   { "farrel-f.tk", true },
   { "farrelf.blog", true },
-  { "farsil.eu", true },
   { "fart.wtf", true },
   { "farthing.xyz", true },
   { "farwat.ru", true },
   { "faschingmd.com", true },
-  { "fascia.fit", true },
   { "fashion-stoff.de", true },
   { "fashion24.de", true },
   { "fashion4ever.pl", true },
@@ -13529,8 +13695,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fastcash.com.br", true },
   { "fastcomcorp.com", true },
   { "fastcommerce.org", true },
-  { "fastcp.top", true },
   { "fastest-hosting.co.uk", true },
+  { "fastforwardsociety.nl", true },
   { "fastforwardthemes.com", true },
   { "fastlike.co", true },
   { "fastmail.com", false },
@@ -13539,10 +13705,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fastrevision.com", true },
   { "fastvistorias.com.br", true },
   { "faszienrollen-info.de", false },
+  { "fatalerrorcoded.eu", true },
   { "fateandirony.com", true },
   { "fatecdevday.com.br", true },
   { "fatedata.com", true },
   { "fateitalia.it", true },
+  { "fatherhood.gov", true },
   { "fathers4equalrights.org", true },
   { "fatidique.com", true },
   { "fatimamoldes.com.br", true },
@@ -13620,7 +13788,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fedshirevets.gov", true },
   { "fedux.com.ar", true },
   { "fedvan.com", true },
-  { "fee-hosting.com", true },
   { "feedbin.com", false },
   { "feedfall.com", true },
   { "feedhq.org", true },
@@ -13654,10 +13821,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "feisim.org", true },
   { "feistyduck.com", true },
   { "feizhujianzhi.com", true },
-  { "fejes.house", true },
   { "feld.design", true },
   { "feld.saarland", true },
   { "feldhousen.com", true },
+  { "feldmann-stachelscheid.de", true },
   { "felett.es", true },
   { "feli.games", true },
   { "felicifia.org", true },
@@ -13668,7 +13835,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "felixcrux.com", true },
   { "felixgenicio.com", true },
   { "felixkauer.de", true },
-  { "felixqu.com", true },
   { "felixsanz.com", true },
   { "felixseele.de", true },
   { "felsing.net", true },
@@ -13677,6 +13843,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "femastudios.com", true },
   { "femiluna.com", true },
   { "feminina.pt", true },
+  { "feminism.lgbt", true },
   { "femradio.es", true },
   { "femtomind.com", true },
   { "fence-stlouis.com", true },
@@ -13709,6 +13876,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ferret.zone", true },
   { "ferreteriaxerez.com", true },
   { "ferrolatino.ch", true },
+  { "ferrone.ru", true },
   { "ferrousmoon.com", true },
   { "ferry.tw", true },
   { "ferticare.pt", true },
@@ -13743,13 +13911,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ff-obersunzing-niedersunzing.de", true },
   { "ff14-mstdn.xyz", false },
   { "ffb.gov", false },
-  { "ffbans.org", true },
   { "ffbsee.net", true },
+  { "ffh.me", true },
   { "ffiec.gov", true },
   { "ffis.me", true },
   { "ffkoenigsberg.de", true },
   { "ffmradio.de", true },
   { "ffprofile.com", true },
+  { "ffrev.de", true },
+  { "ffsociety.nl", true },
   { "ffta.eu", true },
   { "ffw-zeven.de", true },
   { "ffzeven.de", true },
@@ -13786,10 +13956,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fidelis-it.net", true },
   { "fidhouriet.ch", true },
   { "fiduciaire-ratio.ch", true },
-  { "fieldwork-paysage.com", true },
+  { "fieldwork-paysage.com", false },
   { "fierlafijn.net", true },
   { "fierscleaning.nl", true },
   { "fiery.me", true },
+  { "fiestagenial.com", true },
   { "fifautstore.com", true },
   { "fifei.de", true },
   { "fifichachnil.paris", true },
@@ -13806,7 +13977,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "figurasdelinguagem.com.br", true },
   { "figure.nz", true },
   { "fiilr.com", true },
-  { "fiissh.tech", true },
   { "fiix.io", true },
   { "fijnefeestdageneneengelukkignieuwjaar.nl", true },
   { "fijnewoensdag.nl", true },
@@ -13844,6 +14014,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "filmers.net", true },
   { "filmesonline.online", true },
   { "filmitis.com", true },
+  { "filmovizija.mk", true },
   { "filmreviewonline.com", true },
   { "filmserver.de", true },
   { "filmsite-studio.com", true },
@@ -13883,11 +14054,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "findthatnude.com", true },
   { "findyourtrainer.com", true },
   { "findyourvoice.ca", true },
-  { "fine-services.paris", true },
-  { "finecocoin.io", true },
+  { "finecocoin.io", false },
+  { "finecraft.cc", true },
   { "finefriends.nl", true },
   { "finelovedolls.com", true },
   { "finenet.com.tw", true },
+  { "finesoon.net", true },
   { "finevegashomes.com", true },
   { "finfev.de", true },
   { "finflix.net", true },
@@ -13906,6 +14078,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fintry.ca", true },
   { "finvantage.com", true },
   { "finwe.info", true },
+  { "finzy.com", true },
   { "fionafuchs.de", true },
   { "fionamcbride.com", true },
   { "fioristionline.it", true },
@@ -13926,6 +14099,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "firefly-iii.org", true },
   { "firegoby.jp", true },
   { "firegore.com", true },
+  { "firekoi.com", true },
   { "fireleadership.gov", true },
   { "firemudfm.com", true },
   { "firenza.org", true },
@@ -13939,6 +14113,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "firevap.org", true },
   { "firewallconsultants.com", true },
   { "fireworksshowvr.com", true },
+  { "firexfly.com", true },
   { "firma-cerny.cz", true },
   { "firma-offshore.com", true },
   { "firmament.space", true },
@@ -13960,7 +14135,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "firstinnovationltd.com", true },
   { "firstmall.de", true },
   { "firstq.xyz", true },
-  { "fischer-its.com", false },
   { "fischer-kundendienst.de", true },
   { "fischers.cc", true },
   { "fischers.it", true },
@@ -13978,6 +14152,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fishserver.net", true },
   { "fishtacos.blog", true },
   { "fisinfomanagerdr.com", true },
+  { "fisiobox.eu", true },
+  { "fiskalnepretor.pl", true },
   { "fistu.la", true },
   { "fit-4u.ch", true },
   { "fit-mit-nina.com", true },
@@ -13989,6 +14165,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fitmeat.at", true },
   { "fitness-challenge.co.uk", true },
   { "fitness.gov", true },
+  { "fitseven.ru", true },
   { "fittelo.cz", true },
   { "fitzsim.org", true },
   { "fiuxy.bz", true },
@@ -14075,6 +14252,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fleuryfleury.com", true },
   { "flexapplications.se", true },
   { "flexfunding.com", true },
+  { "fleximaal.com", true },
   { "fleximal.com", true },
   { "fleximus.org", false },
   { "flexport.com", true },
@@ -14082,6 +14260,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "flextrack.dk", true },
   { "fliacuello.com.ar", true },
   { "flickcritter.com", true },
+  { "flieger-funk-runde.de", true },
   { "fliesen-waldschmidt.de", true },
   { "flight.school", true },
   { "flightdeckfriend.com", true },
@@ -14132,7 +14311,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "floresvilleedc.org", true },
   { "florian-bachelet.fr", true },
   { "florian-thie.de", true },
-  { "florian2833z.de", true },
   { "floriankarmen.com", true },
   { "floriankeller.de", true },
   { "florianmitrea.uk", true },
@@ -14158,7 +14336,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "flowinvoice.com", true },
   { "flowreader.com", true },
   { "flra.gov", true },
-  { "flucky.xyz", true },
   { "fluffycloud.de", true },
   { "fluggesellschaft.de", true },
   { "fluhrers.de", true },
@@ -14194,7 +14371,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "flypenge.dk", true },
   { "flyserver.co.il", true },
   { "flyshe.co.uk", true },
-  { "flyssh.net", true },
   { "flyswoop.com", true },
   { "flyt.online", true },
   { "flytoadventures.com", true },
@@ -14223,6 +14399,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "focuspointtechnologies.com", true },
   { "foej-aktiv.de", true },
   { "foej.net", true },
+  { "foerster.gmbh", true },
   { "fogpublishingph.com", true },
   { "fogway.net", true },
   { "foia.gov", true },
@@ -14249,6 +14426,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "foluomeng.net", true },
   { "folv.es", true },
   { "folwark.krakow.pl", true },
+  { "folwarkwiazy.pl", true },
   { "fomopop.com", true },
   { "fondationwiggli.ch", true },
   { "fondsdiscountbroker.de", true },
@@ -14267,6 +14445,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "foodattitude.ch", true },
   { "foodblogger.club", true },
   { "foodev.de", true },
+  { "foodloader.net", true },
   { "foodsafety.gov", true },
   { "foodsafetyjobs.gov", true },
   { "foodsouvenirs.it", true },
@@ -14302,12 +14481,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "foresdon.jp", true },
   { "foresthillhomes.ca", true },
   { "forestraven.net", true },
+  { "foreverssl.com", true },
   { "foreversummertime.com", true },
   { "forewordreviews.com", true },
   { "forex.ee", true },
   { "forexchef.de", true },
   { "forexee.com", true },
-  { "forexsignals7.com", true },
   { "forextickler.com", true },
   { "forextimes.ru", false },
   { "forfunssake.co.uk", true },
@@ -14321,6 +14500,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "formation-assureur.com", true },
   { "formation-mac.ch", true },
   { "formationseeker.com", true },
+  { "formbetter.com", true },
   { "formini.dz", true },
   { "formsbyair.com", true },
   { "formula-ot.ru", true },
@@ -14334,7 +14514,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "forokd.com", true },
   { "forologikidilosi.com.gr", true },
   { "forourselves.com", true },
-  { "forpc.us", true },
   { "forrestheller.com", true },
   { "forro.berlin", true },
   { "forro.info", true },
@@ -14343,8 +14522,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "forsec.nl", true },
   { "forstbetrieb-hennecke.de", true },
   { "forstprodukte.de", true },
+  { "fort.eu", true },
   { "forteggz.nl", true },
   { "fortesanshop.it", true },
+  { "fortknox.cz", true },
   { "fortnine.ca", true },
   { "fortnitemagic.ga", true },
   { "fortran.io", true },
@@ -14410,6 +14591,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "foutrelis.com", true },
   { "fowlervwparts.com", true },
   { "fowlsmurf.net", true },
+  { "fox.my", false },
   { "foxbnc.co.uk", true },
   { "foxdev.co", true },
   { "foxesare.sexy", true },
@@ -14420,6 +14602,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "foxquill.com", true },
   { "foxstreetcomms.co.za", true },
   { "fpaci.org", true },
+  { "fpasca.com", true },
   { "fpc.gov", false },
   { "fpersona.com", true },
   { "fpgradosuperior.com", true },
@@ -14435,6 +14618,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fracreazioni.it", true },
   { "fraesentest.de", true },
   { "fragmentspuren.de", true },
+  { "fragrances.bg", true },
   { "fragstore.net", true },
   { "fraho.eu", true },
   { "framapiaf.org", true },
@@ -14481,6 +14665,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "frankwei.xyz", true },
   { "frankyan.com", true },
   { "frantic1048.com", true },
+  { "frantorregrosa.me", true },
   { "franz-vatter.de", true },
   { "franz.beer", true },
   { "franziska-pascal.de", true },
@@ -14506,64 +14691,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "frdl.ch", true },
   { "freaksites.dk", true },
   { "freaksports.com.au", true },
-  { "freakyaweso.me", true },
+  { "freakyawesome.agency", true },
+  { "freakyawesome.art", true },
   { "freakyawesome.band", true },
-  { "freakyawesome.blog", true },
-  { "freakyawesome.club", true },
-  { "freakyawesome.co", true },
-  { "freakyawesome.company", true },
-  { "freakyawesome.email", true },
-  { "freakyawesome.events", true },
-  { "freakyawesome.fashion", true },
-  { "freakyawesome.fitness", true },
-  { "freakyawesome.fm", true },
-  { "freakyawesome.fun", true },
-  { "freakyawesome.fyi", true },
-  { "freakyawesome.games", true },
-  { "freakyawesome.guide", true },
-  { "freakyawesome.guru", true },
-  { "freakyawesome.info", true },
-  { "freakyawesome.io", true },
-  { "freakyawesome.life", true },
-  { "freakyawesome.live", true },
-  { "freakyawesome.marketing", true },
-  { "freakyawesome.me", true },
-  { "freakyawesome.media", true },
-  { "freakyawesome.network", true },
-  { "freakyawesome.news", true },
-  { "freakyawesome.online", true },
+  { "freakyawesome.business", true },
+  { "freakyawesome.ca", true },
+  { "freakyawesome.co.uk", true },
+  { "freakyawesome.in", true },
+  { "freakyawesome.net", true },
   { "freakyawesome.org", true },
-  { "freakyawesome.photography", true },
-  { "freakyawesome.photos", true },
-  { "freakyawesome.press", true },
-  { "freakyawesome.recipes", true },
-  { "freakyawesome.rentals", true },
-  { "freakyawesome.reviews", true },
-  { "freakyawesome.services", true },
-  { "freakyawesome.shop", true },
-  { "freakyawesome.site", true },
-  { "freakyawesome.social", true },
-  { "freakyawesome.software", true },
-  { "freakyawesome.solutions", true },
-  { "freakyawesome.store", true },
-  { "freakyawesome.team", true },
-  { "freakyawesome.tips", true },
-  { "freakyawesome.today", true },
-  { "freakyawesome.tours", true },
-  { "freakyawesome.tv", true },
-  { "freakyawesome.video", true },
-  { "freakyawesome.website", true },
-  { "freakyawesome.work", true },
-  { "freakyawesome.world", true },
-  { "freakyawesome.xyz", true },
-  { "frebi.org", true },
-  { "frebib.co.uk", true },
-  { "frebib.com", true },
-  { "frebib.net", true },
   { "freddieonfire.tk", false },
   { "freddyfazbearspizzeria.com", true },
   { "freddysfuncastles.co.uk", true },
-  { "fredericcote.com", true },
   { "frederik-braun.com", false },
   { "frederikvig.com", true },
   { "fredloya.com", true },
@@ -14573,6 +14712,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "free-ss.site", true },
   { "free.ac.cn", true },
   { "free.com.tw", true },
+  { "freeassangenow.org", true },
   { "freeasyshop.com", true },
   { "freebarrettbrown.org", true },
   { "freebcard.com", true },
@@ -14582,7 +14722,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "freebus.org", true },
   { "freecam2cam.site", true },
   { "freecloud.at", true },
-  { "freecookies.nl", true },
   { "freecycleusa.com", true },
   { "freedev.cz", true },
   { "freedom.nl", true },
@@ -14602,12 +14741,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "freeinoutboard.com", true },
   { "freejasongoudlock.org", true },
   { "freejeremy.net", true },
+  { "freekdevries.nl", true },
+  { "freeks.com.br", true },
   { "freela.ch", true },
   { "freelance.boutique", true },
   { "freelance.guide", true },
   { "freelance.nl", true },
   { "freelanceessaywriters.com", true },
   { "freelancehunt.com", true },
+  { "freelancejobs.org.uk", true },
   { "freelauri.com", true },
   { "freelifer.jp", true },
   { "freelo.cz", true },
@@ -14622,7 +14764,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "freenetproject.org", true },
   { "freeonplate.com", true },
   { "freepnglogos.com", true },
-  { "freepoints.us", true },
   { "freepublicprofile.com", true },
   { "freergform.org", true },
   { "freeshell.de", true },
@@ -14639,8 +14780,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "freesslcertificate.me", true },
   { "freethetv.ie", true },
   { "freetsa.org", true },
-  { "freevps.us", false },
   { "freeweibo.com", true },
+  { "freewoodfactory.com", true },
   { "freeyourmusic.com", true },
   { "freezion.com", true },
   { "frei.social", true },
@@ -14656,8 +14797,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "freifunk-remscheid.de", true },
   { "freimeldungen.de", true },
   { "freims.cc", true },
-  { "freitasul.com.br", true },
-  { "freitasul.io", true },
   { "freiwurst.net", true },
   { "freizeitbad-riff.de", true },
   { "freizeitplaza.de", true },
@@ -14675,6 +14814,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "freshislandfish.com", true },
   { "freshlymind.com", true },
   { "freshmaza.net", true },
+  { "freshpounds.com", true },
   { "fretscha.com", true },
   { "frettirnar.is", true },
   { "fretworksec.com", true },
@@ -14692,6 +14832,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "friederloch.de", true },
   { "friedrich-foto-art.de", true },
   { "friedsamphotography.com", true },
+  { "friendlysiberia.com", true },
   { "friendowment.us", true },
   { "friends-of-naz.com", true },
   { "friends-socialgroup.org", true },
@@ -14714,6 +14855,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fritzrepair.com", true },
   { "frizo.com", true },
   { "frly.de", true },
+  { "frnco.uk", true },
   { "frob.nl", true },
   { "froehliche-hessen.de", true },
   { "frogatto.com", true },
@@ -14804,7 +14946,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fuglede.dk", true },
   { "fuite.ch", true },
   { "fuites.ch", true },
+  { "fujianshipbuilding.com", true },
   { "fujiwaraqol.com", true },
+  { "fujiwarashinzo.com", true },
   { "fukakukeiba.com", true },
   { "fukikaeru.com", true },
   { "fukuiedu.com", true },
@@ -14819,6 +14963,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fullbundle.com", true },
   { "fullereno.com", true },
   { "fullerlife.org.uk", true },
+  { "fullfilez.com", true },
   { "fullhost.com", true },
   { "fullhub.ru", true },
   { "fullmatch.net", true },
@@ -14834,6 +14979,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fun4ubouncycastles.co.uk", true },
   { "fun888city.com", true },
   { "fun888city.net", true },
+  { "fun88city.com", true },
   { "funadvisor.ca", true },
   { "funadvisorfrance.com", true },
   { "funandbounce.com", true },
@@ -14845,7 +14991,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fundays.nl", true },
   { "fundchan.com", true },
   { "fundeego.com", true },
-  { "fundingempire.com", true },
   { "fundort.ch", true },
   { "funds.ddns.net", true },
   { "funfactorleeds.co.uk", true },
@@ -14862,6 +15007,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "funkygamer1.de", true },
   { "funniestclip.com", true },
   { "funnybikini.com", true },
+  { "funoverip.net", true },
   { "funsochi.ru", true },
   { "funspins.com", true },
   { "funtasticinflatablesdurham.co.uk", true },
@@ -14871,9 +15017,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "funtimeentertainment.co.uk", true },
   { "funtimesbouncycastles.co.uk", true },
   { "fur.red", true },
-  { "furaje-iasi.com", true },
   { "furcdn.net", true },
-  { "furcity.me", true },
+  { "furgetmeknot.org", true },
   { "furgo.love", true },
   { "furigana.info", true },
   { "furkancaliskan.com", true },
@@ -14891,7 +15036,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "furry.dk", true },
   { "furrybot.me", true },
   { "furrytech.network", true },
-  { "furrytf.club", true },
+  { "furrytf.club", false },
   { "furryyiff.site", true },
   { "fursuitbutts.com", true },
   { "fusa-miyamoto.jp", true },
@@ -14901,6 +15046,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fusiongaming.de", true },
   { "fussball-xxl.de", true },
   { "fussell.io", true },
+  { "fuszara.eu", true },
   { "futa.moe", true },
   { "futaba-works.com", true },
   { "futagro.com", true },
@@ -14914,6 +15060,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "futurehack.io", true },
   { "futurenda.com", true },
   { "futureoceans.org", true },
+  { "futuressm.com", true },
   { "futuretimes.io", true },
   { "futurezone.at", true },
   { "futurope.com", true },
@@ -14947,7 +15094,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fxwebsites.com.au", true },
   { "fxwebsites.net.au", true },
   { "fxwebstudio.net.au", true },
-  { "fydjbsd.cn", true },
   { "fyfywka.com", true },
   { "fyksen.me", true },
   { "fyn.nl", true },
@@ -14984,7 +15130,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "g3rv4.com", true },
   { "g4w.co", true },
   { "g5.gov", true },
-  { "g6666g.tk", true },
   { "g8energysolutions.co.uk", true },
   { "gaaz.fr", true },
   { "gabe565.com", true },
@@ -14992,6 +15137,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gabecook.com", true },
   { "gabemack.com", true },
   { "gabinetpsychoterapii.krakow.pl", true },
+  { "gabiocs.com", true },
   { "gabriel.to", true },
   { "gabriele.tips", true },
   { "gabrielsteens.nl", true },
@@ -15010,7 +15156,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gaflooring.com", true },
   { "gafunds.com", true },
   { "gagliarducci.it", true },
-  { "gagne-enterprises.com", true },
   { "gagne.tk", true },
   { "gagnerplusdargent.info", true },
   { "gagniard.org", true },
@@ -15025,24 +15170,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gaitandmobility.com", true },
   { "gaitrehabilitation.com", true },
   { "gaitresearch.com", true },
-  { "gakkainavi-epsilon.jp", true },
   { "gakkainavi-epsilon.net", true },
   { "gakkainavi.jp", true },
+  { "gakkainavi.net", true },
   { "gakkainavi4.jp", true },
   { "gakkainavi4.net", true },
   { "gaku-architect.com", true },
-  { "gala.kiev.ua", false },
   { "galabau-maurmann.de", true },
   { "galacg.me", true },
   { "galactic-crew.org", true },
   { "galak.ch", true },
   { "galanight.cz", true },
   { "galaxy.edu.pe", true },
+  { "galaxymimi.com", true },
   { "galecia.com", true },
   { "galeria42.com", true },
   { "galerialottus.com.br", true },
   { "galeriarr.pl", true },
-  { "galeriart.xyz", true },
   { "galeries.photo", true },
   { "galilahiskye.com", true },
   { "galileanhome.org", true },
@@ -15050,7 +15194,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "galinas-blog.de", true },
   { "galinos.gr", true },
   { "galle.cz", true },
-  { "gallerify.eu", true },
   { "galletasgabi.com.mx", false },
   { "galleyfoods.com", true },
   { "gallicrooster.com", true },
@@ -15067,6 +15210,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gambitprint.com", true },
   { "gamblerhealing.com", true },
   { "gamblersgaming.eu", true },
+  { "game-files.net", false },
+  { "game-topic.ru", true },
   { "game4less.com", true },
   { "game7.de", true },
   { "game88city.net", true },
@@ -15114,12 +15259,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gamingrealms.net", true },
   { "gamingwithcromulent.com", true },
   { "gamingzoneservers.com", true },
+  { "gamisalya.com", true },
   { "gamishou.fr", true },
   { "gamismodernshop.com", true },
   { "gamismurahonline.com", true },
   { "gamivo.com", true },
   { "gamoloco.com", true },
-  { "gan.wtf", true },
   { "ganado.org", true },
   { "ganaenergia.com", true },
   { "ganasoku.net", true },
@@ -15192,10 +15337,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gaussianwaves.com", true },
   { "gauthier.dk", true },
   { "gautvedt.no", true },
+  { "gavin.sh", true },
   { "gavins.stream", true },
   { "gavinsblog.com", true },
   { "gawrimanecuta.com", true },
   { "gaycc.cc", true },
+  { "gayhotti.es", true },
   { "gaymerconnect.net", true },
   { "gaymerx.com", true },
   { "gaymerx.net", true },
@@ -15210,6 +15357,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gbcsummercamps.com", true },
   { "gbl.selfip.net", true },
   { "gboys.net", true },
+  { "gbs-uk.com", true },
   { "gc-mc.de", true },
   { "gc.gy", true },
   { "gc.ru.net", true },
@@ -15231,7 +15379,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gdpr-pohotovost.cz", true },
   { "gdv.me", true },
   { "gdz-spishy.com", true },
-  { "gdz.tv", true },
   { "ge3k.net", false },
   { "gear4you.shop", true },
   { "gearallnews.com", true },
@@ -15254,8 +15401,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gee.is", true },
   { "geecrat.com", true },
   { "geek-hub.de", true },
-  { "geek.ch", true },
-  { "geek1.de", true },
   { "geekabit.nl", true },
   { "geekandi.com", true },
   { "geekariom.com", true },
@@ -15290,6 +15435,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "geigenbauer.in", false },
   { "geiser-family.ch", true },
   { "geisser-elektronikdata.de", true },
+  { "geitenijs.com", true },
   { "gelb-computer.de", true },
   { "geld-im-blick.de", true },
   { "geld24.nl", true },
@@ -15304,12 +15450,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "geluidsstudio.com", true },
   { "geluk.io", true },
   { "gem-indonesia.net", false },
+  { "gem-info.fr", true },
   { "gemeentemolenwaard.nl", true },
   { "gemeinsam-ideen-verwirklichen.de", true },
   { "gemgroups.in", true },
   { "gemini.com", true },
   { "gemquery.com", true },
-  { "genbright.com", true },
   { "genchev.io", true },
   { "gencmedya.com", true },
   { "genderidentiteit.nl", true },
@@ -15364,7 +15510,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gentoo-blog.de", true },
   { "gentooblog.de", true },
   { "genusshotel-riegersburg.at", true },
-  { "genuxtsg.com", true },
   { "geocar.com", true },
   { "geocompass.at", true },
   { "geofox.org", true },
@@ -15384,7 +15529,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "george-orwell.com", true },
   { "georgebrighton.co.uk", true },
   { "georgecolgrove.com", true },
-  { "georgehalachev.com", true },
+  { "georgedesign.ch", true },
   { "georgemaschke.com", true },
   { "georgemaschke.net", true },
   { "georgepancescu.ro", true },
@@ -15393,6 +15538,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "georgiaautoglass.net", true },
   { "georgiaglassrepair.com", true },
   { "georgiastuartyoga.co.uk", true },
+  { "georgiatransport.com", true },
   { "georgiaurologist.com", true },
   { "georgioskontaxis.com", true },
   { "georgioskontaxis.net", true },
@@ -15413,7 +15559,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gerbyte.co.uk", true },
   { "gerbyte.com", true },
   { "gerbyte.uk", true },
-  { "germancraft.net", true },
   { "germandarknes.net", true },
   { "germanssky.de", true },
   { "germanticz.de", true },
@@ -15445,6 +15590,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "getbooks.co.il", true },
   { "getbox.me", true },
   { "getbreadcrumbs.com", true },
+  { "getbrowink.com", true },
   { "getbutterfly.com", true },
   { "getcloak.com", false },
   { "getcolq.com", true },
@@ -15452,7 +15598,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "getdash.io", true },
   { "getdeveloper.de", true },
   { "geteckeld.nl", true },
-  { "geteduroam.no", true },
   { "getenv.io", true },
   { "geterp.ru", true },
   { "getfedora.org", true },
@@ -15495,6 +15640,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "getteamninja.com", true },
   { "getthefriendsyouwant.com", true },
   { "getticker.com", true },
+  { "gettodoing.com", true },
   { "gettopquality.com", true },
   { "getts.ro", true },
   { "getupandbounce.co.uk", true },
@@ -15559,20 +15705,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "giardinaggio.napoli.it", true },
   { "giardiniere.bologna.it", true },
   { "giardiniere.milano.it", true },
-  { "gibraltar.at", true },
   { "gichigamigames.com", true },
-  { "gicl.dk", true },
   { "giebel.it", true },
   { "gierds.de", true },
   { "giethoorn.com", true },
   { "gietvloergarant.nl", false },
   { "giftcard.net", true },
   { "giftcardgranny.com", true },
-  { "giftedconsortium.com", true },
   { "giftking.nl", false },
   { "giftmaniabrilhos.com.br", true },
   { "gifts.best", true },
   { "gifts365.co.uk", true },
+  { "giftya.com", true },
   { "gifudodo.com", true },
   { "gig-raiffeisen.de", true },
   { "giga.nl", true },
@@ -15605,7 +15749,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gilmoreid.com.au", true },
   { "gilmourluna.com", true },
   { "gilnet.be", true },
-  { "gilpinmanagement.com", true },
   { "gimme.money", true },
   { "gina-architektur.design", true },
   { "ginabaum.com", true },
@@ -15613,7 +15756,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gingersutton.com", true },
   { "ginionusedcars.be", true },
   { "ginja.co.th", true },
-  { "ginnegappen.nl", true },
   { "ginniemae.gov", true },
   { "gino-gelati.de", true },
   { "ginza-luce.net", true },
@@ -15625,7 +15767,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gioielleriamolena.com", true },
   { "gippert-klein.de", true },
   { "giraffeduck.com", true },
-  { "giraffeinflatables.co.uk", true },
   { "giraffenland.de", true },
   { "giraffes.org", true },
   { "giri.co", true },
@@ -15668,14 +15809,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "given2.com", true },
   { "givesunlight.com", true },
   { "givingnexus.org", false },
-  { "givip.eu", true },
   { "gixtools.com", true },
   { "gixtools.net", true },
   { "gj-bochum.de", true },
   { "gjcampbell.co.uk", true },
   { "gjengset.com", true },
   { "gjspunk.de", false },
-  { "gkimanyar.org", true },
   { "gkoenig-innenausbau.de", true },
   { "gkralik.eu", true },
   { "gl.search.yahoo.com", false },
@@ -15683,21 +15822,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "glaciernursery.com", true },
   { "gladiatorboost.com", true },
   { "gladwellentertainments.co.uk", true },
-  { "glahcks.com", true },
   { "glamguru.co.il", true },
   { "glamguru.world", true },
   { "glamour4you.de", true },
   { "glamourdaze.com", true },
+  { "glamouria.com.br", true },
   { "glasdon.com", true },
   { "glasen-hardt.de", true },
   { "glasfaser-im-hanseviertel.de", true },
   { "glasgestaltung.biz", true },
   { "glasner.photo", true },
-  { "glaspe.com", true },
   { "glass.google.com", true },
   { "glasschmuck-millefiori.de", true },
   { "glassexpertswa.com", true },
   { "glassrainbowtrust.org.je", true },
+  { "glassrom.pw", true },
   { "glasweld.com", true },
   { "glavsudexpertiza.ru", true },
   { "glazedmag.fr", true },
@@ -15720,7 +15859,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "global-lights.ma", true },
   { "global-office.com", true },
   { "global-village.koeln", true },
-  { "global.hr", true },
   { "globalcanineregistry.com", true },
   { "globalchokepoints.org", true },
   { "globalcomix.com", true },
@@ -15740,8 +15878,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "globelink-group.com", true },
   { "glocalworks.jp", true },
   { "glofox.com", true },
+  { "glolighting.co.za", true },
   { "gloneta.com", false },
   { "gloning.name", true },
+  { "glont.net", true },
   { "gloria.tv", true },
   { "glosiko.com", true },
   { "glossopnorthendafc.co.uk", true },
@@ -15750,6 +15890,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "glotechrepairs.co.uk", true },
   { "glu3cifer.rocks", true },
   { "glueck-im-norden.de", true },
+  { "gluecksgriff-taschen.de", true },
   { "glueckskindter.de", true },
   { "gluedtomusic.com", true },
   { "gluit.de", true },
@@ -15798,6 +15939,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gnucashtoqif.us", true },
   { "gnunet.org", true },
   { "gnuplus.me", true },
+  { "gnwp.eu", true },
   { "go-dutch.eu", true },
   { "go-embedded.de", true },
   { "go-propiedades.cl", true },
@@ -15825,7 +15967,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "godaxen.tv", true },
   { "godclan.hu", true },
   { "godesigner.ru", true },
-  { "godofnea.com", true },
   { "godrive.ga", true },
   { "godsofhell.com", true },
   { "godsofhell.de", true },
@@ -15873,6 +16014,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "goldendawnapersonalaffair.com", true },
   { "goldenhillsoftware.com", true },
   { "goldenhost.ca", true },
+  { "goldenmonrepos.com", true },
   { "goldenplate.com.sg", true },
   { "goldenruleemail.com", true },
   { "goldfmromania.ro", true },
@@ -15893,6 +16035,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "golser-schuh.at", true },
   { "golser.info", true },
   { "gomasy.jp", true },
+  { "gomel.chat", true },
   { "gomelchat.com", true },
   { "gomena.io", true },
   { "gommista.roma.it", true },
@@ -15914,6 +16057,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "google", true },
   { "google-analytics.com", true },
   { "googleandroid.cz", true },
+  { "googlehosts.org", true },
   { "googlemail.com", false },
   { "googleplex.com", true },
   { "googlesource.com", true },
@@ -15926,10 +16070,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "goow.in", true },
   { "goozp.com", true },
   { "gopher.tk", true },
+  { "gophoto.it", true },
+  { "goplex.com.au", true },
   { "goproallaccess.com", true },
   { "goproinspectiongroup.com", true },
   { "goquiq.com", true },
   { "gordeijnsbouw.nl", true },
+  { "gordonobrecht.com", true },
   { "gordonscouts.com.au", true },
   { "gorealya.com", true },
   { "gorf.chat", true },
@@ -15943,6 +16090,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gosforthdentalsurgery.co.uk", true },
   { "goshawkdb.io", true },
   { "goshin-group.co.jp", true },
+  { "gosolockpicks.com", true },
   { "gospelfollower.com", true },
   { "gospelofmark.ch", true },
   { "gospelvestcination.de", true },
@@ -15965,6 +16113,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gotoxy.at", true },
   { "gotrail.fr", true },
   { "gottcode.org", false },
+  { "gottfridsberg.org", true },
   { "goudenharynck.be", true },
   { "gouforit.com", true },
   { "gouldcooksey.com", true },
@@ -15978,21 +16127,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "governorhub.com", true },
   { "govisitcostarica.co.cr", true },
   { "govisitcostarica.com", true },
+  { "govtjobs.blog", true },
   { "govtrack.us", true },
   { "govype.com", true },
+  { "gowancommunications.com", true },
   { "gowe.wang", false },
   { "gowildrodeo.co.uk", true },
   { "gowithflo.de", true },
   { "gozenhost.com", true },
   { "gpcsolutions.fr", true },
   { "gpdimaranathasiantar.org", false },
-  { "gpfclan.de", true },
   { "gpgscoins.com", true },
   { "gplans.us", true },
   { "gpm.ltd", true },
   { "gprs.uk.com", true },
   { "gpscamera.nl", true },
-  { "gpsfix.cz", true },
   { "gpsolarpanels.com", true },
   { "gpsvideocanada.com", true },
   { "gpureport.cz", true },
@@ -16065,6 +16214,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "graonatural.com.br", true },
   { "grapee.jp", true },
   { "grapeintentions.com", true },
+  { "grapevine.is", true },
   { "graphcommons.com", true },
   { "graphene.software", true },
   { "graphic-schools.com", true },
@@ -16096,6 +16246,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "grayowlworks.com", true },
   { "grayscale.co", true },
   { "grayson.sh", true },
+  { "graz2020.com", true },
   { "grazieitalian.com", true },
   { "grc.com", false },
   { "greatagain.gov", true },
@@ -16112,17 +16263,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "greditsoft.com", true },
   { "greek.dating", true },
   { "greeklish.gr", true },
+  { "greekmusic.academy", true },
   { "green-attitude.be", true },
   { "green-care.nl", true },
   { "green-light.co.nz", true },
   { "greenaddress.it", true },
   { "greenapproach.ca", true },
-  { "greenbaysecuritysolutions.com", true },
   { "greencircleplantnursery.com.au", true },
   { "greencircleplantnursery.net.au", true },
   { "greener.pl", true },
-  { "greenglam.biz", true },
-  { "greengoblindev.com", true },
   { "greenhats.de", true },
   { "greenliquidsystem.com", true },
   { "greenliv.pl", true },
@@ -16131,6 +16280,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "greenoutdoor.dk", false },
   { "greenpanda.de", true },
   { "greenpartyofnewmilford.org", true },
+  { "greenpaws.ee", true },
   { "greenpeace-magazin.de", true },
   { "greenpeace.berlin", true },
   { "greenroach.ru", true },
@@ -16146,7 +16296,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gregbrimble.com", true },
   { "greger.me", true },
   { "gregmarziomedia-dev.com", true },
+  { "gregmarziomedia.co.za", true },
   { "gregmarziomedia.com", true },
+  { "gregmilton.com", true },
   { "gregmote.com", true },
   { "grego.pt", true },
   { "gregoirow.be", true },
@@ -16170,6 +16322,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "grexx.de", true },
   { "grexx.nl", true },
   { "grey.house", true },
+  { "greybeards.ca", true },
   { "greyhash.se", true },
   { "greymattertechs.com", true },
   { "greysky.me", true },
@@ -16180,8 +16333,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "grh.am", true },
   { "griassdi-reseller.de", true },
   { "gricargo.com", true },
+  { "gridsmartercities.com", true },
   { "griechische-pfoetchen.de", true },
-  { "griecopelino.com", true },
+  { "griefheart.com", true },
   { "grieg-gaarden.no", true },
   { "grieg.com", true },
   { "grieg.net", true },
@@ -16217,6 +16371,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gronau-it-cloud-computing.de", true },
   { "grondius.com", true },
   { "groomershop.ru", true },
+  { "groomscroft.co.uk", true },
+  { "groomscroft.com", true },
   { "grootinadvies.nl", true },
   { "groovydisk.com", true },
   { "groovygoldfish.org", true },
@@ -16254,6 +16410,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gruenstreifen-ev.de", true },
   { "grumpy.fr", true },
   { "grumpygamers.com", true },
+  { "grundlage.com.ua", true },
   { "grunwaldzki.center", true },
   { "grunwasser.fr", true },
   { "grupomakben.com", true },
@@ -16292,7 +16449,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gtopala.net", true },
   { "gtour.info", false },
   { "gtravers-basketmaker.co.uk", true },
-  { "gts-dp.de", true },
   { "gtxbbs.com", true },
   { "gtxmail.de", true },
   { "guajars.cl", true },
@@ -16350,8 +16506,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gulchuk.com", true },
   { "gulenbase.no", true },
   { "gulfstream.ru", true },
-  { "gumballs.com", true },
   { "gume4you.com", true },
+  { "gumeyamall.jp", true },
   { "gumi.ca", true },
   { "gunauc.net", true },
   { "gunceloyunhileleri.com", true },
@@ -16362,6 +16518,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "guochang.xyz", true },
   { "guodong.net", true },
   { "guoke.com", true },
+  { "guolaw.ca", true },
   { "guoliang.me", true },
   { "guozeyu.com", true },
   { "gupfen.ch", true },
@@ -16396,6 +16553,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gviedu.com", true },
   { "gvitiming.ch", true },
   { "gvobgyn.ca", true },
+  { "gvoetbaldagenalcides.nl", true },
   { "gvt2.com", true },
   { "gvt3.com", true },
   { "gvwgroup.com", true },
@@ -16455,11 +16613,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "haazen.xyz", true },
   { "habarisoft.com", true },
   { "habbig.cc", true },
-  { "habbos.es", true },
   { "haberer.me", true },
   { "habitat-domotique.fr", true },
   { "habr.com", true },
-  { "habtium.com", true },
   { "habtium.es", true },
   { "habview.net", true },
   { "hacc.top", true },
@@ -16469,7 +16625,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hacertest.com", true },
   { "hacettepeteknokent.com.tr", true },
   { "hachre.de", false },
-  { "hack.club", true },
   { "hackademix.net", true },
   { "hackanders.com", true },
   { "hackattack.com", true },
@@ -16479,7 +16634,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hackdown.me", true },
   { "hackenkunjeleren.nl", true },
   { "hackenturet.dk", true },
-  { "hacker.club", true },
   { "hacker.holiday", true },
   { "hacker.im", true },
   { "hacker.one", true },
@@ -16487,7 +16641,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hacker1.com", true },
   { "hacker101.com", true },
   { "hackerchai.com", true },
-  { "hackerco.com", true },
   { "hackereyes.com", true },
   { "hackergateway.com", true },
   { "hackernet.se", true },
@@ -16498,7 +16651,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hackerone.net", true },
   { "hackerone.org", true },
   { "hackerschat.net", true },
-  { "hackerstxt.org", true },
   { "hackettrecipes.com", true },
   { "hackgins.com", true },
   { "hackingand.coffee", false },
@@ -16516,6 +16668,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hadleighswimmingclub.co.uk", true },
   { "hadouk.in", true },
   { "hadrons.org", true },
+  { "hady.fr", true },
   { "haefligermedia.ch", true },
   { "haemka.de", true },
   { "haens.li", true },
@@ -16530,7 +16683,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "haha-raku.com", true },
   { "hahay.es", true },
   { "haiboxu.com", true },
-  { "haidihai.ro", true },
   { "hailer.com", true },
   { "hailstorm.nl", true },
   { "haim.bio", true },
@@ -16542,6 +16694,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hairtonic-lab.com", true },
   { "haixihui.cn", true },
   { "hajekdavid.cz", true },
+  { "hajekj.cz", true },
   { "hajekj.net", true },
   { "hajnzic.at", true },
   { "hak5.org", true },
@@ -16561,8 +16714,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "halitopuroprodutos.com.br", true },
   { "halkirkbouncycastles.co.uk", true },
   { "halkyon.net", true },
-  { "halledesprix.fr", true },
   { "hallelujahsoftware.com", true },
+  { "halletienne.fr", true },
   { "hallettxn.com", true },
   { "hallhuber.com", true },
   { "halliday.work", true },
@@ -16579,6 +16732,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "haltegame.com", true },
   { "hamacho-kyudo.com", true },
   { "hamali.bg", true },
+  { "hamburg40grad.de", true },
   { "hamburgerbesteld.nl", true },
   { "hamcocc.com", true },
   { "hamcram.io", true },
@@ -16591,6 +16745,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hamsters-uk.org", true },
   { "hana.ondemand.com", true },
   { "hanakaraku.com", true },
+  { "hanakatova.com", true },
   { "hanashi.eu", true },
   { "hanbing.it", true },
   { "handbrake.fr", true },
@@ -16621,6 +16776,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hanoibuffet.com", true },
   { "hanpenblog.com", true },
   { "hansahome.ddns.net", true },
+  { "hansashop.eu", true },
   { "hansbijster.nl", true },
   { "hanschventures.com", true },
   { "hansen-kronshagen.de", true },
@@ -16635,6 +16791,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hanyibo.com", true },
   { "hanzubon.jp", true },
   { "hao-zhang.com", true },
+  { "haocq3.com", true },
   { "haogoodair.ca", true },
   { "haoqi.men", true },
   { "haorenka.cc", true },
@@ -16669,7 +16826,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "haptemic.com", true },
   { "haraj.com.sa", true },
   { "harald-d.dyndns.org", true },
-  { "harald-pfeiffer.de", true },
   { "harapecorita.com", true },
   { "harbor-light.net", true },
   { "hardeman.nu", true },
@@ -16703,7 +16859,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "harringtonca.com", true },
   { "harrisonswebsites.com", true },
   { "harrisonvillenaz.org", true },
-  { "harry-baker.com", true },
   { "harrymclaren.co.uk", true },
   { "harryphoto.fr", true },
   { "harrysgardengamehire.co.uk", true },
@@ -16714,6 +16869,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hartlieb.me", true },
   { "hartzer.com", true },
   { "harukakikuchi.com", true },
+  { "harukawa.moe", true },
   { "haruue.moe", true },
   { "harvarddharma.org", true },
   { "harvestapp.com", true },
@@ -16728,6 +16884,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hash-archive.org", true },
   { "hash.army", true },
   { "hash.works", true },
+  { "hashcashconsultants.com", true },
   { "hashcat.net", true },
   { "hashemian.com", true },
   { "hashes.org", true },
@@ -16781,6 +16938,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "haverstack.com", true },
   { "havetherelationshipyouwant.com", true },
   { "hawaar.com", true },
+  { "hawaiianchoice.com", true },
   { "hawaya.com", true },
   { "hawkeyeinsight.com", true },
   { "hawkinsonkiaparts.com", true },
@@ -16801,8 +16959,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hayvid.com", true },
   { "haz.cat", true },
   { "haze.productions", true },
-  { "hazeltime.se", true },
   { "hazeover.com", true },
+  { "hazloconlapix.com", true },
   { "hazukilab.com", true },
   { "hb8522.com", true },
   { "hbcu-colleges.com", true },
@@ -16817,6 +16975,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hd-offensive.at", false },
   { "hd-only.org", true },
   { "hd-outillage.com", true },
+  { "hd1tj.org", true },
   { "hdc.cz", true },
   { "hdcamvids.com", true },
   { "hdcenter.cc", true },
@@ -16833,6 +16992,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hds-lan.de", true },
   { "hdv.paris", true },
   { "heaaart.com", true },
+  { "head.org", true },
   { "head.ru", true },
   { "headjapan.com", true },
   { "headlinepublishing.be", true },
@@ -16840,9 +17000,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "headshotharp.de", true },
   { "healey.io", true },
   { "health-and-beauty-news.net", true },
-  { "health-booster.com", true },
+  { "health-booster.com", false },
   { "health-plan-news.com", true },
-  { "health.gov", true },
   { "health.graphics", true },
   { "healthand-beautynews.net", true },
   { "healthandskinbeauty.com", true },
@@ -16852,7 +17011,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "healtheals.com", true },
   { "healtheffectsofasbestos.com", true },
   { "healthery.com", true },
-  { "healthfinder.gov", true },
   { "healthfoam.com", true },
   { "healthgames.co.uk", true },
   { "healthiercompany.com", true },
@@ -16889,7 +17047,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hearty.org.tw", true },
   { "hearty.taipei", true },
   { "hearty.tw", true },
-  { "hearty.us", true },
   { "heartyapp.tw", true },
   { "heartycraft.com", true },
   { "heatershop.co.uk", true },
@@ -16898,7 +17055,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "heavensattic.co.uk", true },
   { "heavensinferno.net", true },
   { "heavyequipments.org", true },
-  { "heayao.com", true },
   { "hebamme-cranio.ch", true },
   { "hebergeurssd.com", true },
   { "hebikhiv.nl", true },
@@ -16906,7 +17062,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hebocon.nl", true },
   { "hec-espace-entreprise.ch", true },
   { "hec.global", true },
-  { "hechamano.es", true },
   { "heckelektro.de", true },
   { "heckerundknopp.de", true },
   { "heckticmedia.com", true },
@@ -16947,16 +17102,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "heinzelmann.co", true },
   { "heiraten-gardasee.de", true },
   { "heiraten-venedig.de", true },
+  { "heisenberg.co", true },
   { "heissluft-fritteuse.com", true },
   { "heistheguy.com", true },
   { "heitland-it.de", true },
   { "heiwa-valve.co.jp", true },
-  { "hejahanif.se", true },
   { "hejianpeng.cn", true },
   { "heka.ai", true },
   { "helber-it-services.de", true },
   { "helden-spielen.de", true },
   { "heldenhalde.de", true },
+  { "heldtech.services", true },
   { "heldundsexgott.de", true },
   { "heleendebruyne.be", true },
   { "helenaknowledge.com", true },
@@ -16964,6 +17120,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "helenelefauconnier.com", true },
   { "helenkellersimulator.org", true },
   { "helfordriversc.co.uk", true },
+  { "helgaschultz.de", true },
   { "helichat.de", true },
   { "helikon.ro", true },
   { "helioanodyne.eu", true },
@@ -16974,7 +17131,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hellenicagora.co.uk", true },
   { "hellerarko.de", true },
   { "hellersgas.com", true },
-  { "hellerup.net", true },
   { "helles-koepfchen.de", true },
   { "helloacm.com", true },
   { "hellobrian.me", true },
@@ -16989,11 +17145,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "helpmij.cf", true },
   { "helpscoutdocs.com", true },
   { "helpstarloja.com.br", true },
+  { "helpwithmybank.gov", true },
   { "helsinki.dating", true },
   { "helvella.de", true },
   { "hematoonkologia.pl", true },
   { "hemdal.se", true },
   { "hemnet.se", true },
+  { "hems.si", true },
   { "hemtest.com", true },
   { "hen.ne.ke", true },
   { "henchman.io", true },
@@ -17001,7 +17159,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hendric.us", false },
   { "hendrik.li", true },
   { "hendrinortier.nl", true },
-  { "hendyisaac.com", true },
   { "hengelsportdeal.com", true },
   { "hengstumone.com", true },
   { "henkboelman.com", true },
@@ -17031,7 +17188,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "heppler.net", true },
   { "heptafrogs.de", true },
   { "her25.com", false },
-  { "heracles-hotel.eu", true },
   { "herberichfamily.com", true },
   { "herbert.io", true },
   { "herbhuang.com", true },
@@ -17047,12 +17203,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "herkam.pl", true },
   { "hermanbrouwer.nl", true },
   { "hermes-net.de", true },
-  { "hermes.cat", true },
   { "herminghaus24.de", true },
   { "herndl.org", true },
   { "herni-kupony.cz", true },
   { "hernn.com", true },
   { "herocentral.de", true },
+  { "heroco.xyz", true },
   { "herofil.es", true },
   { "herohirehq.co.uk", true },
   { "heroiclove.com", true },
@@ -17070,6 +17226,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "herrtxbias.net", false },
   { "hertsbouncycastles.com", true },
   { "hertz.bj", true },
+  { "hervespanneut.com", true },
   { "herzbotschaft.de", true },
   { "herzfuersoziales.at", true },
   { "herzig.cc", true },
@@ -17084,7 +17241,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hestia-systeme.fr", true },
   { "hesyifei.com", true },
   { "hetene.nl", true },
+  { "hethely.ch", true },
   { "hetluisterbos.be", true },
+  { "hetmer.cz", true },
   { "heute-kaufen.de", true },
   { "heute.training", true },
   { "hevertonfreitas.com.br", true },
@@ -17141,8 +17300,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hieu.com.au", true },
   { "higgsboson.tk", true },
   { "higgstools.org", true },
+  { "highair.net", true },
   { "higherpress.org", true },
-  { "highlatitudestravel.com", true },
   { "highlegshop.com", true },
   { "highlevelwoodlands.com", true },
   { "highlightsfootball.com", true },
@@ -17176,6 +17335,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "himecorazon.com", true },
   { "himekomi.com", true },
   { "himens.com", true },
+  { "himiku.com", true },
   { "hin10.com", true },
   { "hinata-hidetoshi.com", true },
   { "hindi-movie.org", true },
@@ -17186,13 +17346,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hinterposemuckel.de", true },
   { "hiparish.org", true },
   { "hiphop.ren", true },
+  { "hipnos.net", true },
   { "hippies.com.br", true },
   { "hippo.ge", true },
   { "hippomovers.com", true },
   { "hippopotamuses.org", true },
   { "hips.com", true },
   { "hipstercat.fr", true },
-  { "hiqfleet.co.uk", true },
   { "hiqfranchise.co.uk", true },
   { "hiqhub.co.uk", false },
   { "hiqonline.co.uk", true },
@@ -17212,12 +17372,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hisbrucker.net", true },
   { "hisgifts.com.au", true },
   { "hisingensck.se", true },
+  { "hisnet.de", true },
   { "hispanic.dating", true },
   { "histocamp.de", true },
   { "histoire-cite.ch", true },
   { "historia-arte.com", true },
   { "history-schools.com", true },
   { "history.google.com", false },
+  { "history.gov", true },
   { "hitandhealth.nl", true },
   { "hiteco.com", true },
   { "hiteshbrahmbhatt.com", true },
@@ -17273,7 +17435,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hlidacnajemneho.cz", true },
   { "hlin.cloud", true },
   { "hlinformatics.nl", true },
-  { "hloe0xff.ru", true },
   { "hlsmandarincentre.com", true },
   { "hlucas.de", true },
   { "hm773.net", true },
@@ -17287,13 +17448,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hnfertilizermachine.com", true },
   { "hnn.net.br", true },
   { "hnonline.sk", true },
-  { "hnwebi.com", true },
+  { "hnrk.io", true },
   { "hnyp.hu", true },
   { "hoaas.no", true },
   { "hoahau.org", true },
   { "hoarding.me", true },
   { "hobby-drechselei.de", true },
   { "hobbyspeed.com", true },
+  { "hochdorf-tennis.de", true },
   { "hochhaus.us", true },
   { "hochoukikikiraku.com", true },
   { "hochyi.com", true },
@@ -17320,12 +17482,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hofauer.de", true },
   { "hoflerlawfirm.com", true },
   { "hogarthdavieslloyd.com", true },
+  { "hoge.se", true },
   { "hogepad.com", true },
   { "hogl.dk", true },
   { "hogrebe.de", true },
   { "hogwarts.io", true },
   { "hohenleimbach.de", true },
-  { "hohm.in", true },
   { "hoikuen-now.top", true },
   { "hoiquanadida.com", true },
   { "hoish.in", true },
@@ -17356,6 +17518,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "holofox.ru", true },
   { "holoxplor.space", true },
   { "holvonix.com", true },
+  { "holy-hi.com", false },
   { "holycrossphl.org", true },
   { "holycrossverobeach.org", true },
   { "holydragoon.jp", true },
@@ -17370,6 +17533,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "holytransaction.com", true },
   { "holywhite.com", true },
   { "holz.nu", true },
+  { "holzed.com", true },
   { "holzheizer-forum.de", true },
   { "holzheizerforum.de", true },
   { "holzschutz-holzbearbeitung.de", true },
@@ -17412,6 +17576,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hommeatoutfaire.be", true },
   { "homophoni.com", true },
   { "hompus.nl", false },
+  { "homunyan.com", true },
   { "homyremedies.com", true },
   { "hon-matsuba.co.jp", true },
   { "honda-centrum.cz", true },
@@ -17491,7 +17656,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hospitality-colleges.com", true },
   { "hostadvice.com", true },
   { "hostarea51.com", true },
-  { "hostcoz.com", true },
   { "hosteasy.nl", false },
   { "hostedcomments.com", true },
   { "hostedtalkgadget.google.com", true },
@@ -17506,6 +17670,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hostinglogin.net", true },
   { "hostingphp.ch", true },
   { "hostingpunt.be", true },
+  { "hostingsams.com", true },
   { "hostingsolutions.cz", true },
   { "hostix.de", true },
   { "hostma.ma", true },
@@ -17519,6 +17684,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hotchillibox.com", true },
   { "hotcoin.io", true },
   { "hotdoc.com.au", true },
+  { "hotel-alan.hr", true },
   { "hotel-kontorhaus-stralsund.de", true },
   { "hotel-kontorhaus.de", true },
   { "hotel-kronjuwel.de", true },
@@ -17527,13 +17693,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hotel-rosner.at", true },
   { "hotelamgarnmarkt.at", false },
   { "hotelarevalo.com", true },
+  { "hotelbonacabol.com", true },
   { "hotelbretagne.dk", true },
   { "hotelcoliber.pl", true },
+  { "hotelelaphusabrac.com", true },
   { "hoteles4you.com", true },
   { "hotelflow.com.br", true },
   { "hotelident.de", true },
-  { "hotello.io", true },
+  { "hotelkaj.hr", true },
   { "hotelmap.com", true },
+  { "hotelmarinaadria.com", true },
+  { "hotelneptundalmatien.com", true },
   { "hotelpostaorvieto.it", true },
   { "hotelromacuernavaca.com.mx", true },
   { "hotels-insolites.com", true },
@@ -17542,6 +17712,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hotelsinbuxton.com", true },
   { "hotelsinformer.com", true },
   { "hotelsinncoventry.com", true },
+  { "hotelsolinebrela.com", true },
   { "hotelvalena.com", true },
   { "hotelvillaluisa.de", true },
   { "hothbricks.com", true },
@@ -17561,6 +17732,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "house-sparrow.com", true },
   { "houseboydesigns.com", true },
   { "housekeeperlondon.co.uk", true },
+  { "houselocal.co.uk", true },
   { "houseofherbs.gr", true },
   { "houseofhouston.com", true },
   { "houseofyee.com", true },
@@ -17578,6 +17750,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "howbehealthy.com", true },
   { "howbigismybuilding.com", true },
   { "howellaccounts.co.uk", true },
+  { "howesky.com", true },
   { "howgoodwasmysex.com", true },
   { "howieisawesome.com", true },
   { "howlongtobeatsteam.com", true },
@@ -17590,6 +17763,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "howtogeekpro.com", true },
   { "howtogosolar.org", true },
   { "howtolaser.com", true },
+  { "howtomovetheneedle.com", true },
   { "howtoteachviolin.com", true },
   { "howtotech.de", true },
   { "hozana.si", false },
@@ -17618,6 +17792,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hreflang.info", true },
   { "hrjfeedstock.org", true },
   { "hrltech.com.br", true },
+  { "hro.to", true },
   { "hrobert.hu", true },
   { "hroling.nl", true },
   { "hroschyk.cz", true },
@@ -17638,13 +17813,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hsr.gov", false },
   { "hsts.eu", true },
   { "hsts.me", true },
+  { "hsts.ovh", true },
   { "hstsfail.appspot.com", true },
   { "hstspreload.appspot.com", true },
   { "hstspreload.com", true },
   { "hstspreload.de", true },
   { "hstspreload.org", true },
-  { "hsulei.com", true },
   { "hszemi.de", true },
+  { "ht.mk", true },
   { "htaccessbook.com", true },
   { "htaps.com", true },
   { "hte.ovh", true },
@@ -17683,7 +17859,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hu8hu8.com", true },
   { "huagati.com", true },
   { "huahinpropertylisting.com", true },
-  { "huang-haitao.com", true },
+  { "hualao.co", true },
+  { "huang.nu", true },
+  { "huangh.com", true },
   { "huangjia71.com", true },
   { "huangjia72.com", true },
   { "huangjia73.com", true },
@@ -17696,12 +17874,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "huangjia99.com", true },
   { "huangjiaint.com", true },
   { "huangjingjing.com", true },
+  { "huangliangbo.com", true },
   { "huangzenghao.cn", false },
   { "huaqian.art", true },
   { "huashan.co.uk", true },
   { "hub.org.ua", true },
   { "hub385.com", true },
   { "hubapi.com", true },
+  { "hubchain.com", true },
+  { "hubchain.com.br", true },
+  { "hubchain.fr", true },
+  { "hubchain.io", true },
+  { "hubchain.org", true },
   { "huber-informatik.de", true },
   { "hubok.net", true },
   { "hubspot.com", true },
@@ -17790,9 +17974,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hundeformel.de", true },
   { "hundesport-psvhalle.de", true },
   { "hundeverwaltung.de", true },
+  { "hundhausen.de", true },
   { "hundter.com", true },
   { "hunger.im", true },
-  { "huniverse.co", true },
   { "hunstoncanoeclub.co.uk", true },
   { "hunter-read.com", true },
   { "hunter.io", true },
@@ -17828,7 +18012,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "huynhviet.com", true },
   { "huyvu.nl", true },
   { "hvdbox.de", true },
-  { "hveradistributions.com", true },
   { "hverdagogkink.no", true },
   { "hvh.no", true },
   { "hvmk.nl", true },
@@ -17841,6 +18024,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hxp.io", true },
   { "hxsf.me", true },
   { "hxying.com", true },
+  { "hy1.com", true },
   { "hybridworx.com", true },
   { "hybridworx.de", true },
   { "hybridworx.eu", true },
@@ -17863,10 +18047,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hylemorphica.org", true },
   { "hynek.me", true },
   { "hyparia.fr", true },
+  { "hyparia.org", true },
   { "hype.ru", true },
   { "hypeitems.pl", true },
   { "hypemgmt.com", true },
   { "hyper-text.org", true },
+  { "hyperactive.am", true },
   { "hyperalgesia.com", true },
   { "hyperautomotive.com.au", true },
   { "hyperbolic-mayonnaise-interceptor.ovh", true },
@@ -17883,11 +18069,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hypothes.is", true },
   { "hypothyroidmom.com", true },
   { "hyr.mn", true },
-  { "hytzongxuan.com", true },
+  { "hysh.jp", true },
   { "hyundai.no", true },
   { "hyvanilmankampaamo.fi", true },
+  { "hyvanolonterapia.fi", true },
   { "hyvinvointineuvoja.fi", true },
   { "hztgzz.com", true },
+  { "i--b.com", true },
+  { "i-0v0.in", true },
   { "i-aloks.ru", true },
   { "i-geld.de", true },
   { "i-hakul.net", true },
@@ -17910,6 +18099,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "i5y.org", true },
   { "i66.me", true },
   { "i879.com", true },
+  { "i9s.in", true },
+  { "ia.cafe", true },
   { "ia.net", true },
   { "iaco.li", true },
   { "iacono.com.br", false },
@@ -17932,11 +18123,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "iamhansen.xyz", true },
   { "iaminashittymood.today", true },
   { "iamjoshellis.com", true },
-  { "iamlbk.com", true },
-  { "iamlzh.com", true },
   { "iamtheib.me", true },
   { "iamtonyarthur.com", true },
-  { "iamusingtheinter.net", true },
+  { "iamusingtheinter.net", false },
   { "iamwoodbeard.com", true },
   { "ianbrault.com", true },
   { "iandouglasscott.com", true },
@@ -17965,10 +18154,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ibexcore.com", true },
   { "ibigawamizueco.com", true },
   { "ibin.co", true },
-  { "ibiu.xyz", true },
   { "ibiz.mk", true },
   { "iblackfriday.ro", true },
   { "ibodyiq.com", true },
+  { "ibps-recruitment.in", true },
   { "ibrainmedicine.org", true },
   { "ibrom.eu", true },
   { "ibstyle.tk", true },
@@ -17983,12 +18172,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "icanhasht.ml", true },
   { "icarlos.net", true },
   { "icasture.top", true },
-  { "icbemp.gov", true },
   { "iccpublisher.com", true },
   { "ice.xyz", true },
   { "iceberg.academy", true },
   { "icebook.co.uk", true },
   { "icecars.net", true },
+  { "icecontrol.ro", true },
+  { "icedream.tech", true },
   { "icetiger.eu", true },
   { "ich-hab-die-schnauze-voll-von-der-suche-nach-ner-kurzen-domain.de", true },
   { "ich-tanke.de", true },
@@ -18001,6 +18191,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "icmhd.ch", true },
   { "icmp2018.org", true },
   { "icnsoft.cf", true },
+  { "icnsoft.ml", true },
   { "icobench.com", true },
   { "icodeconnect.com", true },
   { "icoh.it", true },
@@ -18013,6 +18204,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "icsfinomornasco.it", true },
   { "ict-concept.nl", false },
   { "ict-crew.nl", true },
+  { "ict-helpteam.nl", true },
   { "ict-radar.com", true },
   { "ict-radar.nl", true },
   { "ictcareer.ch", true },
@@ -18029,6 +18221,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "id0-rsa.pub", true },
   { "id7.fr", true },
   { "idaeus.eu", true },
+  { "idafauziyah.com", true },
   { "idahoansforliberty.net", true },
   { "idarv.com", true },
   { "idaspis.com", true },
@@ -18047,7 +18240,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ideashop.com", true },
   { "ideaweb.de", true },
   { "idenamaislami.com", true },
-  { "idensys.nl", false },
+  { "idensys.nl", true },
   { "ident-clinic.be", true },
   { "identassist.com", true },
   { "identifyme.net", true },
@@ -18074,6 +18267,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "idoc24.com", true },
   { "idodiandina.com", true },
   { "idolf.dk", true },
+  { "idolish7.fun", false },
   { "idolknow.com", true },
   { "idolshop.dk", true },
   { "idolshop.me", true },
@@ -18091,7 +18285,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "idtheft.gov", true },
   { "idubaj.cz", true },
   { "idunno.org", true },
-  { "idvl.de", true },
   { "idxforza.com", true },
   { "ie.search.yahoo.com", false },
   { "iea-annex61.org", true },
@@ -18101,7 +18294,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ieeesbe.nl", true },
   { "ieeespmb.org", true },
   { "ieffalot.me", true },
-  { "ieji.de", false },
+  { "ieji.de", true },
   { "iemb.tk", true },
   { "ienakanote.com", false },
   { "ies-italia.it", true },
@@ -18164,11 +18357,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ih8sn0w.com", true },
   { "ihacklabs.com", true },
   { "ihakkitekin.com", true },
-  { "ihatethissh.it", true },
   { "ihcprofile.com", true },
   { "iheartmary.org", true },
   { "ihkk.net", true },
   { "ihls.stream", true },
+  { "ihls.world", true },
   { "ihmphila.org", true },
   { "ihoey.com", true },
   { "ihollaback.org", true },
@@ -18186,7 +18379,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "iix.se", true },
   { "ijm.io", true },
   { "ijohan.nl", true },
-  { "ijr.com", true },
   { "ijsbaanwitten.nl", true },
   { "ijsblokjesvormen.nl", true },
   { "ijsclubtilburg.nl", true },
@@ -18212,10 +18404,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ikkev.de", true },
   { "ikkoku.de", true },
   { "iklive.org", false },
-  { "ikraenglish.com", true },
+  { "ikraenglish.com", false },
+  { "iktisatbank.com", true },
   { "ikulist.me", true },
   { "ikumi.us", true },
-  { "ikuuuu.com", true },
   { "ikvts.de", true },
   { "ikwilthepiratebay.org", true },
   { "ikxkx.com", true },
@@ -18227,7 +18419,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ilamparas.com.ve", true },
   { "ilamparas.mx", true },
   { "ilard.fr", true },
-  { "ilazycat.com", true },
   { "ile-kalorii.pl", true },
   { "ile-sapporo.jp", true },
   { "ileci.de", true },
@@ -18255,6 +18446,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "illsley.org", true },
   { "illumed.net", true },
   { "illuminationis.com", true },
+  { "illuminatisofficial.org", true },
   { "illusionephemere.com", true },
   { "illusionunlimited.com", true },
   { "illustrate.biz", true },
@@ -18271,6 +18463,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ilrg.com", true },
   { "iltec-prom.ru", true },
   { "iltec.ru", true },
+  { "iltuogiardino.org", true },
   { "ilweb.es", true },
   { "ilya.pp.ua", true },
   { "im-c-shop.com", true },
@@ -18286,7 +18479,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "imagebin.ca", true },
   { "imagefu.com", true },
   { "imageination.co", true },
-  { "imagenesdedibujosalapizfacilesdehacer.com", true },
   { "imagerive.ch", true },
   { "imagescostumes.com", true },
   { "imaginair.es", true },
@@ -18342,12 +18534,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "immersionwealth.com", true },
   { "immigrantdad.com", true },
   { "immigrationdirect.com.au", true },
-  { "immo-agentur.com", true },
+  { "immo-agentur.com", false },
   { "immo-passion.net", true },
   { "immo-vk.de", true },
   { "immobilien-badlippspringe.de", true },
   { "immobilien-in-istanbul.de", true },
   { "immobilien-zirm.de", true },
+  { "immobiliengutachter-holland.de", true },
   { "immobilier-nice.fr", true },
   { "immobilier92.net", true },
   { "immobiza.com", false },
@@ -18365,9 +18558,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "impelup.com", true },
   { "impendulo.org", true },
   { "impera.at", true },
-  { "imperdin.com", true },
   { "imperial-legrand.com", true },
   { "imperialmiami.com", true },
+  { "imperiodigital.online", true },
   { "imperiumglass.com.au", true },
   { "imperiumnova.info", true },
   { "impex.com.bd", true },
@@ -18400,11 +18593,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "imrunner.ru", true },
   { "ims-sargans.ch", true },
   { "imscompany.com", true },
+  { "imtikai.ml", true },
   { "imwalking.de", true },
   { "imwnk.cn", true },
-  { "imydl.com", true },
   { "imydl.tech", true },
-  { "imyjy.cn", true },
   { "imyrs.cn", true },
   { "imyunya.com", true },
   { "imyvm.com", true },
@@ -18456,7 +18648,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "indianaantlersupply.com", true },
   { "indianaberry.com", true },
   { "indianafoundationpros.com", true },
+  { "indianamoldrepairpros.com", true },
   { "indianapolislocksmithinc.com", true },
+  { "indianawaterdamagerepairpros.com", true },
   { "indiatrademarkwatch.com", true },
   { "indiayogastudio.net", true },
   { "indicateurs-flash.fr", true },
@@ -18468,19 +18662,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "indigoinflatables.com", true },
   { "indigosakura.com", true },
   { "indigotreeservice.com", true },
+  { "indika.pe", true },
+  { "indio.co.jp", true },
   { "inditip.com", true },
-  { "indochina.io", true },
   { "indogermanstartup.com", true },
   { "indoorcomfortteam.com", true },
-  { "indoorplantsexpert.com", true },
   { "indovinabank.com.vn", true },
   { "indusap.com", true },
   { "indusfastremit-us.com", true },
-  { "indusfastremit.com", true },
   { "indust.me", true },
   { "industriafranchini.com", true },
   { "industrialstarter.com", true },
-  { "industriasrenova.com", true },
   { "industriemeister.io", true },
   { "indybay.org", true },
   { "ineardisplay.com", true },
@@ -18498,6 +18690,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "inference.biz.tr", true },
   { "infermiere.roma.it", true },
   { "inff.info", true },
+  { "inffin-portal.de", true },
+  { "inffin-tec.de", true },
   { "inficom.org", true },
   { "infinite.hosting", true },
   { "infinitegroup.info", true },
@@ -18527,6 +18721,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "info-screen.me", true },
   { "info-screw.com", true },
   { "infobae.com", true },
+  { "infobrain.net", true },
   { "infocity-tech.fr", true },
   { "infocommsociety.com", true },
   { "infocon.org", true },
@@ -18537,11 +18732,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "infomegastore.com", true },
   { "infomir.eu", true },
   { "infomisto.com", true },
-  { "infopagina.es", true },
   { "infopier.sg", true },
   { "infopulsa.com", true },
   { "infopuntzorg.nl", true },
   { "infor-allaitement.be", true },
+  { "inforaga.com", true },
+  { "informaciondeciclismo.com", true },
   { "informatiebeveiliging.nl", true },
   { "informatik-handwerk.de", true },
   { "informationrx.org", true },
@@ -18560,7 +18756,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "infotune.nl", true },
   { "infovision-france.com", true },
   { "infoweb.ee", true },
-  { "infr.red", true },
   { "infra.land", true },
   { "infra.press", true },
   { "infrabeep.com", true },
@@ -18609,6 +18804,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "inglebycakes.co.uk", true },
   { "inglesnarede.com.br", true },
   { "ingo-schlueter.de", true },
+  { "ingolonde.pw", true },
   { "ingoschlueter.de", true },
   { "ingredientdaddy.ro", true },
   { "inhaltsangabe.de", true },
@@ -18637,6 +18833,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "inmateintake.com", true },
   { "inmobillium.fr", true },
   { "inmoodforsex.com", true },
+  { "inmusrv.de", true },
   { "innerfence.com", true },
   { "innerlightcrystals.co.uk", true },
   { "innermostparts.org", true },
@@ -18660,6 +18857,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "innover.se", true },
   { "innovum.cz", false },
   { "innsalzachsingles.de", true },
+  { "innwan.com", true },
   { "inoa8.com", true },
   { "inobun.jp", true },
   { "inovat.ma", true },
@@ -18673,6 +18871,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "insblauehinein.nl", true },
   { "inscomers.net", true },
   { "inscripcionessena.com", true },
+  { "insecret.co.ua", true },
   { "insecret.com.ua", true },
   { "insecret.trade", true },
   { "insecure.org.je", true },
@@ -18719,6 +18918,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "instantluxe.de", true },
   { "instantluxe.it", true },
   { "instantphotocamera.com", true },
+  { "instantphotoprinter.com", true },
   { "instava.cz", true },
   { "instead.com.au", true },
   { "insteagle.com", true },
@@ -18750,6 +18950,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "integratedmedicalonline.com", true },
   { "integrateur-web-paris.com", true },
   { "integrity.gov", true },
+  { "integrityfortcollins.com", true },
   { "integrityokc.com", true },
   { "integrityoklahoma.com", true },
   { "integrogroup.com", true },
@@ -18765,20 +18966,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "intellar.com", true },
   { "intellectdynamics.com", true },
   { "intelligence-explosion.com", true },
+  { "intelligenetics.com", true },
   { "intellinetixvibration.com", true },
+  { "intellitonic.com", true },
   { "intelly.nl", true },
   { "intelly365.nl", true },
   { "intencje.pl", true },
   { "intensifyrsvp.com.au", true },
   { "inter-corporate.com", true },
   { "inter-culinarium.com", true },
-  { "interabbit.com", true },
+  { "interabbit.co", true },
   { "interaffairs.com", true },
   { "interaktiva.fi", true },
   { "interasistmen.se", true },
   { "interchangedesign.com", true },
-  { "intercom.com", true },
-  { "intercom.io", true },
   { "interessiert-uns.net", true },
   { "interfesse.net", true },
   { "interflores.com.br", true },
@@ -18795,6 +18996,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "interlingvo.biz", true },
   { "intermax.nl", true },
   { "intermedinet.nl", true },
+  { "intern.tax", true },
   { "internalkmc.com", true },
   { "internaluse.net", true },
   { "international-arbitration-attorney.com", true },
@@ -18816,6 +19018,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "internethealthreport.org", true },
   { "internethering.de", true },
   { "internetinhetbuitengebied.nl", true },
+  { "internetmedia.si", true },
   { "internetmuseum.se", true },
   { "internetofdon.gs", true },
   { "internetoffensive.fail", true },
@@ -18844,14 +19047,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "inton.biz", true },
   { "intoparking.com", false },
   { "intpforum.com", true },
-  { "intracom.com", true },
+  { "intr0.com", true },
   { "intradayseasonals.com", true },
   { "intramanager.dk", true },
   { "intranetsec-regionra.fr", true },
   { "intraobes.com", true },
   { "intrasoft.com.au", true },
   { "intraxia.com", true },
-  { "introverted.ninja", true },
+  { "intrp.net", true },
   { "intune.life", true },
   { "intvonline.com", true },
   { "intxt.net", true },
@@ -18892,6 +19095,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "invisionita.com", true },
   { "invisiverse.com", true },
   { "invitacionesytarjetas.gratis", true },
+  { "invitemember.com", true },
+  { "invitescene.com", true },
   { "invitethemhome.com", true },
   { "invkao.com", true },
   { "invoiced.com", true },
@@ -18901,6 +19106,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "invuite.com", true },
   { "inwao.com", true },
   { "inwestcorp.se", true },
+  { "inxtravel.com.br", true },
   { "inzdr.com", true },
   { "inzelabs.com", true },
   { "inzestfreunde.de", true },
@@ -18910,7 +19116,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "iochen.com", true },
   { "iocurrents.com", true },
   { "iodine.com", true },
-  { "ioerror.us", true },
   { "iofort.com", true },
   { "iojo.net", true },
   { "ioliver.co.uk", true },
@@ -18919,6 +19124,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "iomstamps.com", true },
   { "ionlabs.kr", true },
   { "ionovia.de", true },
+  { "ionspin.com", true },
   { "ionx.co.uk", true },
   { "ioover.net", true },
   { "iosartstudios.gr", true },
@@ -18953,13 +19159,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "iphonekaitori.tokyo", true },
   { "iphoneunlock.nu", true },
   { "iphonote.com", true },
-  { "ipid.me", true },
   { "ipintel.io", true },
-  { "iplabs.de", true },
   { "iplantom.com", true },
   { "iplayradio.net", false },
   { "ipleak.net", true },
   { "ipledgeonline.org", false },
+  { "iplog.info", false },
   { "ipmonitoring.hu", true },
   { "ipo-times.jp", true },
   { "ipokabu.net", true },
@@ -18967,12 +19172,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ipop.gr", true },
   { "iposm.net", true },
   { "ipplans.com", true },
+  { "iprcenter.gov", true },
   { "ipresent.com", true },
   { "iprim.ru", true },
   { "iproducemusic.com", true },
   { "ipsec.pl", true },
   { "ipssl.li", true },
-  { "ipstoragesolutions.com", true },
   { "ipstream.it", true },
   { "ipswitch.com.tw", true },
   { "iptvzoom.xyz", true },
@@ -18987,7 +19192,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ipv6.jetzt", true },
   { "ipv6vpn.net", true },
   { "ipv6wallofshame.com", true },
-  { "ipv8.net", true },
   { "iqboxy.com", true },
   { "iqsmn.org", true },
   { "ir1s.com", true },
@@ -18995,7 +19199,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "iranian.lgbt", true },
   { "iranianholiday.com", true },
   { "iranjeunesse.com", true },
-  { "irasandi.com", true },
   { "irayo.net", true },
   { "irc-results.com", true },
   { "irdvb.com", true },
@@ -19012,12 +19215,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "iriomote.com", true },
   { "iris-design.info", true },
   { "iris-insa.com", true },
+  { "irisdesideratum.com", true },
   { "irish.dating", true },
   { "irish.radio", true },
   { "irishradioplayer.radio", true },
   { "irisjieun.com", true },
   { "irkfap.com", true },
   { "irland-firma.com", true },
+  { "irmag.ru", true },
   { "irmgard-woelfle.de", true },
   { "irmgardkoch.com", true },
   { "iro-iro.xyz", true },
@@ -19062,18 +19267,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "isecrets.se", true },
   { "iservicio.mx", true },
   { "iseulde.com", true },
-  { "isfff.com", true },
   { "isg-tech.com", true },
   { "isgp-studies.com", true },
   { "ishamf.com", true },
   { "ishangirdhar.com", true },
-  { "ishet.al", true },
   { "ishiharaken.com", true },
+  { "ishome.org", true },
   { "ishtarfreya.com", true },
   { "isil.fi", true },
   { "isimonbrown.co.uk", true },
   { "isincheck.com", true },
   { "isinolsun.com", true },
+  { "isiso.com.tr", true },
   { "isistomie.com", true },
   { "isitchristmas.com", true },
   { "isitcoffeetime.com", true },
@@ -19108,6 +19313,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "isolta.fi", true },
   { "isolta.lv", true },
   { "isolta.se", true },
+  { "isondo.com", true },
   { "isonet.fr", true },
   { "isopres.de", true },
   { "isotope.gov", true },
@@ -19156,12 +19362,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "isyu.xyz", true },
   { "isz-berlin.de", true },
   { "isz.no", true },
-  { "iszy.me", true },
   { "it-academy.sk", true },
   { "it-boss.ro", true },
   { "it-faul.de", true },
   { "it-fernau.com", true },
   { "it-jobbank.dk", true },
+  { "it-kron.de", true },
   { "it-maker.eu", true },
   { "it-rotter.de", true },
   { "it-schamans.de", true },
@@ -19176,12 +19382,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "it-support-stockholm.se", true },
   { "it-support.one", true },
   { "it-supportistockholm.se", true },
+  { "it-supportnu.se", true },
   { "it-sysoft.com", true },
   { "it-tekniker.nu", true },
   { "it-ti.me", true },
   { "it-uws.com", true },
   { "it-world.eu", true },
   { "it.search.yahoo.com", false },
+  { "it1b.com", true },
   { "itactiq.com", true },
   { "itactiq.info", true },
   { "itaiferber.net", true },
@@ -19197,6 +19405,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "itamservices.nl", true },
   { "itap.gov", true },
   { "itb-online.co.uk", true },
+  { "itbox.cl", true },
+  { "itchy.nl", true },
   { "itcko.sk", true },
   { "itdashboard.gov", true },
   { "itecor.net", true },
@@ -19204,8 +19414,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "iteha.de", true },
   { "iteke.ml", true },
   { "iteke.tk", true },
+  { "iteli.eu", true },
   { "iterader.com", true },
-  { "iterasoft.de", true },
+  { "iterror.co", true },
   { "itesign.de", true },
   { "itfh.eu", true },
   { "itfix.cz", true },
@@ -19218,14 +19429,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ithjalpforetag.se", true },
   { "itikon.com", true },
   { "itilo.de", true },
+  { "itinthebubble.com", true },
   { "itis.gov", true },
   { "itis4u.ch", true },
   { "itjob.ma", true },
   { "itkaufmann.at", true },
+  { "itkonsultstockholm.se", true },
   { "itlitera.com", true },
   { "itludens.com", true },
   { "itm-c.de", true },
-  { "itmanie.cz", true },
   { "itmindscape.com", true },
   { "itn.co.uk", true },
   { "itneeds.tech", true },
@@ -19241,7 +19453,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "itruth.tk", true },
   { "its-future.com", true },
   { "its-gutachten.de", true },
-  { "its4living.com", true },
   { "itsabouncything.com", true },
   { "itsanicedoor.co.uk", true },
   { "itsasaja.com", true },
@@ -19259,7 +19470,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "itsnotquitethehilton.com", true },
   { "itsok.de", true },
   { "itspartytimeonline.co.uk", true },
-  { "itspartytimesweetinflations.com", true },
   { "itspecialista.eu", true },
   { "itspersonaltraining.nl", true },
   { "itsryan.com", true },
@@ -19312,6 +19522,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "iwanttoliveinabunker.com", true },
   { "iwanttrack.com", true },
   { "iwascoding.com", true },
+  { "iwatchcops.com", true },
+  { "iwatchcops.org", true },
   { "iwch.tk", true },
   { "iwebolutions.com", true },
   { "iwell.de", true },
@@ -19335,14 +19547,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "iyuanbao.net", true },
   { "iz8mbw.net", true },
   { "izaakbeekman.com", true },
-  { "izevg.ru", true },
-  { "izhaojie.com", true },
   { "izodiacsigns.com", true },
   { "izuba.info", true },
   { "izumi.tv", true },
-  { "izxxs.com", true },
-  { "izxxs.net", true },
-  { "izxzw.net", true },
   { "izzys.casa", true },
   { "j-elliott.co.uk", true },
   { "j-navi.com", true },
@@ -19355,7 +19562,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "j3e.de", true },
   { "ja-dyck.de", true },
   { "ja-gps.com.au", true },
-  { "ja-publications.agency", true },
   { "ja.md", true },
   { "jaakkohannikainen.fi", true },
   { "jaalits.com", true },
@@ -19415,6 +19621,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jaion.xyz", true },
   { "jaispirit.com", false },
   { "jaitnetworking.com", false },
+  { "jajsemjachym.cz", true },
   { "jakarta.dating", true },
   { "jakdelatseo.cz", true },
   { "jake.eu.org", true },
@@ -19490,6 +19697,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jan-and-maaret.de", true },
   { "jan-bucher.ch", true },
   { "jan-hill.com", true },
+  { "jan-reiss.de", true },
   { "jan-rieger.de", true },
   { "jan-roenspies.de", true },
   { "jan-von.de", true },
@@ -19518,40 +19726,39 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "janokacer.sk", true },
   { "janschaumann.de", true },
   { "jansen-schilders.nl", true },
-  { "janssenwigman.nl", true },
   { "janterpstra.eu", true },
   { "jantinaboelens.nl", true },
   { "janvari.com", true },
   { "janvaribalint.com", true },
   { "jaot.info", true },
   { "japanesemotorsports.net", true },
-  { "japangids.nl", true },
   { "japaniac.de", false },
   { "japanphilosophy.com", false },
   { "japanwatches.xyz", true },
   { "japon-japan.com", true },
+  { "jar.io", true },
   { "jardin-exotique-rennes.fr", true },
   { "jardinderline.ch", true },
   { "jardineriaon.com", true },
   { "jardiniersduminotaure.fr", true },
   { "jaredeberle.org", false },
   { "jaredfernandez.com", true },
+  { "jario.com.br", true },
   { "jarniashop.se", true },
   { "jaroku.com", true },
   { "jarondl.net", true },
-  { "jaroslavc.eu", true },
   { "jarrettgraham.com", true },
   { "jarroba.com", true },
   { "jas-team.net", true },
   { "jashvaidya.com", true },
-  { "jasl.works", true },
   { "jasmijnwagenaar.nl", true },
   { "jasminefields.net", true },
   { "jason.re", true },
+  { "jasonadam.de", true },
   { "jasonamorrow.com", true },
   { "jasongerber.ch", true },
   { "jasonmili.online", true },
-  { "jasonsansone.com", true },
+  { "jasonsplecoscichlids.com", true },
   { "jasper.link", true },
   { "jasperhammink.com", true },
   { "jasperhuttenmedia.com", true },
@@ -19561,7 +19768,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "javamilk.com", true },
   { "javierburgos.net", true },
   { "javierlorente.es", true },
-  { "javik.net", true },
   { "jaxfstk.com", true },
   { "jaxxnet.co.uk", true },
   { "jaxxnet.org", true },
@@ -19569,6 +19775,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jayf.de", true },
   { "jayfreestone.com", true },
   { "jaymecd.rocks", true },
+  { "jaypandit.me", true },
   { "jayrl.com", true },
   { "jaysaw.me", true },
   { "jaytx.com", true },
@@ -19627,8 +19834,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jeannecalment.com", true },
   { "jeannelucienne.fr", true },
   { "jeanneret-combustibles.ch", true },
+  { "jec-dekrone.be", true },
+  { "jecho.cn", true },
   { "jeda.ch", true },
-  { "jedayoshi.tk", true },
   { "jedepannetonordi.fr", true },
   { "jedidiah.eu", false },
   { "jedipedia.net", true },
@@ -19646,7 +19854,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jeffersonregan.com", true },
   { "jeffersonregan.net", true },
   { "jeffhaferman.com", true },
-  { "jeffmcneill.com", true },
   { "jeffreyhaferman.com", true },
   { "jeffrhinelander.com", true },
   { "jeffri.me", true },
@@ -19654,6 +19861,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jefftickle.com", true },
   { "jeffwebb.com", true },
   { "jefrydco.id", true },
+  { "jefsweden.eu", true },
   { "jehovahsays.net", true },
   { "jej.cz", true },
   { "jej.sk", true },
@@ -19679,7 +19887,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jemangeducheval.com", true },
   { "jembatankarir.com", true },
   { "jemefaisdesamis.com", true },
-  { "jena.space", true },
   { "jennierobinson.com", true },
   { "jenniferengerwingaantrouwen.nl", true },
   { "jennifermason.eu", true },
@@ -19688,13 +19895,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jenolson.net", true },
   { "jenprace.cz", true },
   { "jensrex.dk", true },
-  { "jeparamedia.com", true },
   { "jepertinger-itconsulting.de", true },
   { "jeproteste.info", true },
   { "jeremiahbenes.com", true },
   { "jeremy-chen.org", true },
   { "jeremy.hu", true },
   { "jeremybentham.com", true },
+  { "jeremybloomfield.co.uk", true },
   { "jeremyc.ca", false },
   { "jeremycantu.com", true },
   { "jeremycrews.com", true },
@@ -19705,7 +19912,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jericamacmillan.com", true },
   { "jering.tech", true },
   { "jeroendeneef.com", true },
-  { "jeroensangers.com", true },
   { "jerret.de", true },
   { "jerryweb.org", true },
   { "jerryyu.ca", true },
@@ -19739,6 +19945,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jf-fotos.de", true },
   { "jfbst.net", true },
   { "jfmhero.me", true },
+  { "jfr.im", true },
   { "jfreitag.de", true },
   { "jfsa.jp", true },
   { "jgid.de", true },
@@ -19754,15 +19961,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jhf.io", true },
   { "jhill.de", true },
   { "jhollandtranslations.com", true },
+  { "jhservicos.net.br", true },
   { "jhuang.me", true },
   { "jhwestover.com", true },
   { "jiahao.codes", true },
   { "jiangxu.site", true },
   { "jianji.de", true },
+  { "jianny.me", true },
   { "jianshu.com", true },
   { "jianyuan.pro", true },
   { "jiatingtrading.com", true },
-  { "jiazhao.ga", true },
   { "jicaivvip.com", true },
   { "jichi.io", true },
   { "jichi000.win", true },
@@ -19775,7 +19983,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jimfranke.nl", true },
   { "jimizhou.xyz", true },
   { "jimmycai.com", false },
-  { "jimmycn.com", false },
   { "jimmyroura.ch", true },
   { "jimshaver.net", true },
   { "jimslop.nl", true },
@@ -19790,12 +19997,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jinshuju.net", true },
   { "jintaiyang123.org", true },
   { "jiogo.com", true },
+  { "jiosongs.biz", true },
   { "jirav.com", true },
   { "jiripudil.cz", true },
   { "jirosworld.com", true },
   { "jisai.net.cn", true },
   { "jisha.site", true },
   { "jixun.moe", true },
+  { "jiyue.moe", true },
   { "jiyusu.com", true },
   { "jiyuu-ni.com", true },
   { "jiyuu-ni.net", true },
@@ -19814,7 +20023,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jkinteriorspa.com", true },
   { "jkirsche.com", true },
   { "jkrippen.com", true },
-  { "jkyuan.tk", true },
   { "jl-dns.eu", true },
   { "jl-dns.nl", true },
   { "jl-exchange.nl", true },
@@ -19822,7 +20030,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jlink.nl", true },
   { "jlkhosting.com", true },
   { "jloh.codes", true },
-  { "jlot.org", true },
   { "jlpn.eu", true },
   { "jlpn.nl", true },
   { "jlponsetto.com", true },
@@ -19889,6 +20096,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jockbusuttil.com", true },
   { "jockbusuttil.uk", true },
   { "jodaniels.photography", true },
+  { "jodbush.com", true },
   { "jodlajodla.si", true },
   { "joduska.me", true },
   { "jodyboucher.com", false },
@@ -19922,12 +20130,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "joestead.codes", true },
   { "joetsutj.com", true },
   { "joetyson.me", true },
-  { "joeyfelix.com", true },
   { "joeygitalian.com", true },
   { "joeyhoer.com", true },
   { "joeysmith.com", true },
   { "joeyvanvenrooij.nl", true },
-  { "joeyvilaro.com", true },
   { "jogi-server.de", true },
   { "jogorama.com.br", false },
   { "jogwitz.de", true },
@@ -19952,12 +20158,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "johndball.com", true },
   { "johnfulgenzi.com", true },
   { "johngallias.com", true },
-  { "johngo.tk", false },
   { "johnguant.com", true },
+  { "johnhgaunt.com", true },
   { "johnkastler.net", true },
   { "johnmcc.net", true },
   { "johnmcintosh.pro", true },
   { "johnmh.me", true },
+  { "johnmichel.org", true },
   { "johnno.be", true },
   { "johnnybet.com", true },
   { "johnnybsecure.com", true },
@@ -19998,22 +20205,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jonasled.de", true },
   { "jonaswitmer.ch", true },
   { "jonathan-apps.com", true },
-  { "jonathancarter.org", true },
   { "jonathandupree.com", true },
   { "jonathanha.as", true },
   { "jonathanj.nl", true },
   { "jonathanlara.com", true },
   { "jonathanschle.de", true },
-  { "jonathanselea.se", true },
+  { "jonathanscott.me", true },
   { "jonblankenship.com", true },
   { "jondarby.com", true },
   { "jondevin.com", true },
   { "jondowdle.com", true },
   { "jonespayne.com", false },
-  { "jonferwerda.net", true },
   { "jong030.nl", true },
   { "jongbloed.nl", true },
   { "jongcs.com", true },
+  { "jongpay.com", true },
   { "jonilar.com", true },
   { "jonincharacter.com", true },
   { "jonirrings.com", true },
@@ -20026,7 +20232,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jonola.com", true },
   { "jonpads.com", true },
   { "jonpavelich.com", true },
-  { "jons.org", true },
   { "jonscaife.com", true },
   { "jooksms.com", true },
   { "jooksuratas.ee", true },
@@ -20046,9 +20251,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jordanscorporatelaw.com", true },
   { "jordanstrustcompany.com", true },
   { "jordhy.com", true },
+  { "jorexenterprise.com", true },
   { "jorgerosales.org", true },
   { "jorisdalderup.nl", true },
   { "jornalalerta.com.br", true },
+  { "josc.com.au", true },
   { "joscares.com", true },
   { "jose-alexand.re", true },
   { "jose-lesson.com", true },
@@ -20057,6 +20264,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "josefjanosec.com", true },
   { "josefottosson.se", true },
   { "joseitoda.org", true },
+  { "josemikkola.fi", true },
   { "josepbel.com", true },
   { "josephbleroy.com", true },
   { "josephgeorge.com.au", true },
@@ -20071,7 +20279,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "joshharmon.me", true },
   { "joshics.in", true },
   { "joshlovephotography.co.uk", true },
-  { "joshpanter.com", false },
+  { "joshpanter.com", true },
   { "joshrickert.com", true },
   { "joshruppe.com", true },
   { "joshschmelzle.com", true },
@@ -20094,6 +20302,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "joynadvisors.com", true },
   { "joyofcookingandbaking.com", true },
   { "joysinventingblog.com", true },
+  { "jpbe-network.de", true },
   { "jpbe.de", true },
   { "jpdeharenne.be", true },
   { "jpeg.io", true },
@@ -20125,16 +20334,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jrtapsell.co.uk", true },
   { "jrxpress.com", true },
   { "js-web.eu", true },
-  { "js3311.com", true },
   { "js8855.com", true },
-  { "js93029.com", true },
   { "jschoi.org", true },
   { "jschumacher.info", true },
   { "jsd-cog.org", true },
   { "jsdelivr.com", true },
   { "jselby.net", true },
   { "jsent.co.uk", true },
-  { "jsevilleja.org", true },
   { "jskier.com", false },
   { "jskoelliken.ch", true },
   { "jsmetallerie.fr", true },
@@ -20142,7 +20348,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jsnfwlr.io", true },
   { "jsonsinc.com", true },
   { "jsteward.moe", true },
-  { "jtcat.com", true },
+  { "jstore.ch", true },
   { "jtconsultancy.sg", true },
   { "jthackery.com", false },
   { "jtl-software.com", true },
@@ -20189,7 +20395,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "juku-info.top", true },
   { "juku-wing.jp", true },
   { "jule-spil.dk", true },
-  { "julenlanda.com", false },
   { "julian-uphoff.de", true },
   { "julian-weigle.de", true },
   { "juliangonggrijp.com", true },
@@ -20251,7 +20456,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "junglist.org", true },
   { "jungundwild-design.de", false },
   { "juni.io", true },
-  { "junias-fenske.de", true },
   { "juniperroots.ca", true },
   { "junjhome.com", true },
   { "junjun-web.net", true },
@@ -20278,13 +20482,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "justgalak.org", true },
   { "justice.gov", true },
   { "justice4assange.com", true },
-  { "justin-tech.com", false },
-  { "justinharrison.ca", true },
+  { "justin-tech.com", true },
   { "justinho.com", true },
   { "justinmuturifoundation.org", true },
   { "justinribeiro.com", true },
   { "justinstandring.com", true },
   { "justmensgloves.com", true },
+  { "justonce.net", true },
   { "justpaste.it", true },
   { "justsmart.io", true },
   { "justsome.info", true },
@@ -20299,7 +20503,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "juusujanar.eu", true },
   { "juvenex.co", true },
   { "juwelierstoopman.nl", true },
-  { "jva-wuerzburg.de", true },
   { "jvandenbroeck.com", true },
   { "jvanerp.nl", true },
   { "jvbouncycastlehire.co.uk", true },
@@ -20308,7 +20511,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jvphotoboothhire.co.uk", true },
   { "jvsticker.com", true },
   { "jvwdev.nl", true },
-  { "jwallet.cc", true },
   { "jwatt.org", true },
   { "jwe.nl", true },
   { "jwilsson.com", true },
@@ -20319,6 +20521,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jwplay.ml", true },
   { "jwschuepfheim.ch", true },
   { "jwsoft.nl", true },
+  { "jxir.de", true },
   { "jxltom.com", true },
   { "jxm.in", true },
   { "jydemarked.dk", true },
@@ -20338,7 +20541,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "k1024.org", true },
   { "k258059.net", true },
   { "k2mts.org", true },
-  { "k3508.com", true },
+  { "k33k00.com", false },
   { "k3nny.fr", true },
   { "k4law.com", true },
   { "k4r.ru", true },
@@ -20354,14 +20557,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kaatha-kamrater.se", true },
   { "kab-s.de", true },
   { "kabaca.design", true },
-  { "kabarlinux.id", true },
   { "kabashop.com.br", true },
   { "kabat-fans.cz", true },
   { "kabeltv.co.nz", true },
   { "kabeuchi.com", true },
   { "kaboom.pw", true },
+  { "kabos.art", true },
   { "kabu-abc.com", true },
   { "kabulpress.org", true },
+  { "kabus.org", true },
   { "kacgal.com", true },
   { "kachelfm.nl", true },
   { "kachlikova2.cz", true },
@@ -20411,14 +20615,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kaltenbrunner.it", true },
   { "kalterersee.ch", true },
   { "kalwestelectric.com", true },
+  { "kalyanmatka.guru", true },
   { "kam-serwis.pl", true },
+  { "kamata-shinkyu-seikotsu.jp", true },
+  { "kameari-za.space", true },
   { "kamikaichimaru.com", false },
   { "kamikatse.net", true },
+  { "kamilki.me", true },
   { "kaminbau-laub.de", true },
   { "kamisato-ent.com", true },
   { "kamixa.se", true },
   { "kamppailusali.fi", true },
-  { "kampunginggris-ue.com", true },
   { "kamranmirhazar.com", true },
   { "kamui.co.uk", true },
   { "kan3.de", true },
@@ -20446,6 +20653,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kanis.ag", true },
   { "kankimaru.com", true },
   { "kanna.cf", true },
+  { "kannchen.de", true },
   { "kanobu.ru", true },
   { "kansaiyamamoto.jp", true },
   { "kantankye.nl", true },
@@ -20461,6 +20669,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kanzlei-oehler.com", true },
   { "kanzlei-sixt.de", true },
   { "kap-genial.de", true },
+  { "kap.pe", true },
   { "kapgy-moto.com", true },
   { "kappenstein.org", false },
   { "kapseli.net", true },
@@ -20512,7 +20721,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kartonmodellbau.org", true },
   { "karula.org", true },
   { "karupp-did.net", true },
-  { "kasadara.com", true },
   { "kasei.im", true },
   { "kashinavi.com", true },
   { "kashmirobserver.net", true },
@@ -20526,6 +20734,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kat.marketing", true },
   { "katagena.com", true },
   { "katalogbajugamismu.com", true },
+  { "katarsisuib.no", true },
   { "katata-kango.ac.jp", true },
   { "katcleaning.com.au", true },
   { "katedra.de", true },
@@ -20541,6 +20750,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "katieskandy.co.uk", true },
   { "katieskastles.co.uk", true },
   { "katja-und-ronny.de", true },
+  { "katjavoneysmondt.de", true },
   { "katka.info", true },
   { "katnunn.co.uk", true },
   { "kato-yane.com", true },
@@ -20556,7 +20766,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kaufberatung.community", true },
   { "kaufmanbankruptcylaw.com", true },
   { "kavovary-kava.cz", true },
-  { "kawaii.io", true },
+  { "kawaiii.link", true },
   { "kaweus.de", true },
   { "kay.la", true },
   { "kayakabovegroundswimmingpools.com", true },
@@ -20569,6 +20779,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kazekprzewozy.pl", true },
   { "kazu.click", true },
   { "kazuhirohigashi.com", true },
+  { "kazumi.ooo", true },
   { "kazumi.ro", true },
   { "kazy111.info", true },
   { "kb3.net", true },
@@ -20613,7 +20824,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kedv.es", true },
   { "keeleysam.com", true },
   { "keelove.net", true },
-  { "keematdekho.com", true },
   { "keengamer.com", true },
   { "keepa.com", true },
   { "keeperapp.com", true },
@@ -20621,6 +20831,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "keepersecurity.com", true },
   { "keepingtheplot.co.uk", true },
   { "keepiteasy.eu", true },
+  { "keepsight.org.au", true },
   { "keevitaja.com", true },
   { "keeweb.info", true },
   { "keezin.ga", true },
@@ -20651,7 +20862,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kellyskastles.co.uk", true },
   { "kellyssportsbarandgrill.com", true },
   { "kelsa.io", true },
-  { "kelvinfichter.com", true },
+  { "kelvinfichter.com", false },
   { "kemmerer-net.de", true },
   { "kempkens.io", true },
   { "kempo-sissach.ch", true },
@@ -20660,7 +20871,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kemptown.net", true },
   { "ken.fm", true },
   { "kenalsworld.com", true },
-  { "kenbillionsyuan.tk", true },
   { "kenbonny.net", true },
   { "kengilmour.com", true },
   { "kenguntokku.jp", true },
@@ -20687,6 +20897,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "keops-spine.fr", true },
   { "keops-spine.us", true },
   { "kepkonyvtar.hu", true },
+  { "keponews.com", true },
   { "keralit.nl", true },
   { "kerebro.com", true },
   { "kerforhome.com", true },
@@ -20696,6 +20907,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kermadec.net", true },
   { "kernel-error.de", true },
   { "kernelpanics.nl", true },
+  { "kernelprogrammer.com", true },
   { "kerrfrequencycombs.org", true },
   { "kerrnel.com", true },
   { "kersbergen.nl", true },
@@ -20721,8 +20933,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kevinbowers.me", true },
   { "kevinbusse.de", true },
   { "kevincox.ca", false },
+  { "kevinfoley.cc", true },
+  { "kevinfoley.org", true },
   { "kevingsky.com", true },
-  { "kevinheslinphoto.com", true },
   { "kevinhill.nl", true },
   { "kevinhq.com", true },
   { "kevinkla.es", true },
@@ -20749,8 +20962,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "keylaserinstitute.com", true },
   { "keylength.com", true },
   { "keymach.com", true },
-  { "keypersonins.com", true },
   { "keys.jp", true },
+  { "keys247.co.uk", true },
   { "keystoneok.com", false },
   { "keysupport.org", true },
   { "keywebdesign.nl", true },
@@ -20758,10 +20971,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kfassessment.com", true },
   { "kffs.ru", true },
   { "kfirba.me", true },
-  { "kfm.ink", true },
   { "kforesund.se", true },
   { "kfv-kiel.de", false },
   { "kfz-hantschel.de", true },
+  { "kg7.pl", true },
   { "kgm-irm.be", true },
   { "kgnk.ru", true },
   { "kgv-schlauroth.de", true },
@@ -20773,7 +20986,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "khetzal.info", true },
   { "khipu.com", true },
   { "khlee.net", true },
-  { "khmb.ru", true },
+  { "khmb.ru", false },
   { "khoury-dulla.ch", true },
   { "khs1994.com", true },
   { "khslaw.com", true },
@@ -20793,6 +21006,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kickedmycat.com", true },
   { "kickstart.com.pk", false },
   { "kicou.info", true },
+  { "kidaptive.com", true },
   { "kiddieschristian.academy", true },
   { "kiddyboom.ua", true },
   { "kids-at-home.ch", true },
@@ -20815,17 +21029,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kiekin.org", true },
   { "kiekko.pro", true },
   { "kiel-kind.de", true },
-  { "kieran.ie", true },
-  { "kieranjones.uk", true },
   { "kiesuwkerstkaart.nl", true },
   { "kiffmarks.com", true },
   { "kigmbh.com", true },
   { "kiisu.club", true },
   { "kikbb.com", true },
   { "kiki-voice.jp", true },
-  { "kikimilyatacado.com.br", true },
   { "kiku.pw", true },
-  { "kilerd.me", true },
   { "kilianvalkhof.com", true },
   { "killaraapartments.com.au", true },
   { "killdeer.com", true },
@@ -20838,6 +21048,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kilogram.nl", true },
   { "kilometertje.nl", true },
   { "kimamass.com", true },
+  { "kimbal.co.uk", true },
   { "kimdumaine.com", true },
   { "kimiris.com", true },
   { "kimis.gr", true },
@@ -20921,13 +21132,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kirkforillinois.com", true },
   { "kirkify.com", true },
   { "kirkovsky.com", true },
+  { "kirrie.pe.kr", true },
   { "kirsch-gestaltung.de", true },
   { "kirschbaum.me", true },
   { "kirslis.com", true },
   { "kirstenbos.ca", true },
   { "kirstin-peters.de", true },
   { "kirwandigital.com", true },
-  { "kis-toitoidixi.de", true },
   { "kisallatorvos.hu", true },
   { "kisalt.im", true },
   { "kisel.org", true },
@@ -20937,7 +21148,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kissflow.com", true },
   { "kissgyms.com", true },
   { "kissmycreative.com", true },
-  { "kissoft.ro", true },
   { "kitabnamabayi.com", true },
   { "kitacoffee.com", true },
   { "kitbag.com.au", true },
@@ -20971,7 +21181,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kjellner.com", true },
   { "kjelltitulaer.com", true },
   { "kjellvn.net", true },
-  { "kjg-ummeln.de", true },
   { "kk-neudorf-duissern.de", false },
   { "kkaefer.com", true },
   { "kki.org", true },
@@ -21001,7 +21210,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kleaning.by", true },
   { "klebeband.eu", true },
   { "klebetape.de", true },
-  { "kleding.website", true },
   { "kledingrekken.nl", false },
   { "kleim.fr", true },
   { "kleinblogje.nl", false },
@@ -21017,6 +21225,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kleinreich.de", true },
   { "kleinsys.com", true },
   { "kleintransporte.net", true },
+  { "klemkow.net", true },
+  { "klemkow.org", true },
   { "kleppe.co", true },
   { "kleteckova.cz", true },
   { "klicke-gemeinsames.de", true },
@@ -21029,9 +21239,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "klimchuk.by", true },
   { "klimchuk.com", true },
   { "klingenundmesser.com", true },
+  { "klinik-fuer-aesthetische-zahnheilkunde.de", true },
   { "klinikac.co.id", false },
   { "klinkenberg.ws", true },
-  { "klinkerstreet.com.ua", false },
   { "klm-huisjes.nl", true },
   { "klmhouses.com", true },
   { "klocker-ausserlechner.com", true },
@@ -21064,13 +21274,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kndrd.io", true },
   { "kneblinghausen.de", true },
   { "knechtology.com", true },
+  { "knegten-agilis.com", true },
   { "knep.me", true },
   { "knetterbak.nl", true },
   { "kngk-group.ru", true },
   { "kngk-transavto.ru", true },
   { "kngk.org", true },
   { "kngkng.com", true },
-  { "kniga.market", false },
   { "knight-industries.org", true },
   { "knightsblog.de", true },
   { "knightsbridge.net", true },
@@ -21087,9 +21297,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "knowarth.com", true },
   { "knowledgeforce.com", true },
   { "knowlevillagecc.co.uk", true },
+  { "knowyourday.ai", true },
   { "knthost.com", true },
   { "knurps.de", true },
-  { "knuthildebrandt.de", true },
+  { "knuthildebrandt.de", false },
   { "knutur.is", true },
   { "knygos.lt", true },
   { "ko-sys.com", true },
@@ -21114,10 +21325,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "koe.hn", true },
   { "koebbes.de", true },
   { "koecollege.com", true },
-  { "koehn.com", true },
-  { "koelbli.ch", true },
   { "koelnmafia.de", true },
-  { "koenen-bau.de", true },
   { "koenigsbrunner-tafel.de", true },
   { "koenleemans.nl", true },
   { "koenrouwhorst.nl", true },
@@ -21153,12 +21361,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kokona.ch", true },
   { "kokumoto.com", true },
   { "kolania.de", true },
+  { "kolania.net", true },
   { "kolbeinsson.se", true },
   { "kolcsey.eu", true },
   { "koldanews.com", true },
   { "kolin.org", true },
   { "kolizaskrap.bg", true },
   { "kolja-engelmann.de", true },
+  { "koljakrekow.de", true },
   { "kolkataflowermall.com", true },
   { "kollect.ie", true },
   { "kollega.it", true },
@@ -21171,7 +21381,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "koluke.com", true },
   { "komall.net", true },
   { "komandakovalchuk.com", false },
-  { "kombidorango.com.br", true },
   { "komelin.com", true },
   { "komenamanda.de", true },
   { "komicloud.com", true },
@@ -21192,11 +21401,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kondi.net", true },
   { "kondou-butsudan.com", true },
   { "kongar.org", true },
+  { "kongsecuritydata.com", true },
   { "koniecfica.sk", true },
   { "konijntjes.nl", true },
   { "koningskwartiertje.nl", true },
   { "koninkrijk.net", true },
-  { "konkai.store", true },
   { "konklone.com", true },
   { "konoe.studio", true },
   { "konosuke.jp", true },
@@ -21207,7 +21416,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kontaxis.org", true },
   { "kontorhaus-schlachte.de", true },
   { "kontorhaus-stralsund.de", true },
-  { "kontrolapovinnosti.cz", true },
   { "konventa.net", true },
   { "konyalian.com", true },
   { "konzertheld.de", true },
@@ -21229,9 +21437,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "koptev.ru", true },
   { "kopteva.ru", true },
   { "korben.info", true },
+  { "korea-dpr.org", true },
   { "korea.dating", true },
   { "koreaboo.com", true },
-  { "koretech.nl", true },
   { "korinar.com", true },
   { "kornrunner.net", true },
   { "korobi.io", true },
@@ -21244,8 +21452,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kortgebyr.dk", true },
   { "kortic.com", true },
   { "koryfi.com", true },
+  { "kos4all.com", true },
   { "kosaki.moe", true },
   { "koscielniak-nieruchomosci.pl", true },
+  { "kosherjava.com", true },
   { "kosho.org", true },
   { "kosonaudioteca.com", true },
   { "kost-magazin.de", true },
@@ -21274,7 +21484,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kovals.sk", true },
   { "kovehitus.ee", true },
   { "kovspace.com", true },
-  { "kovuthehusky.com", true },
   { "kowalmik.tk", true },
   { "kowalstwo.com.pl", true },
   { "kowarschick.de", true },
@@ -21309,6 +21518,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kralovstvimap.cz", true },
   { "kram.nz", true },
   { "krambeutel.de", true },
+  { "kramer-edelstahl.de", true },
   { "krampus-fischamend.at", true },
   { "kramsj.uk", true },
   { "krang.org.uk", true },
@@ -21350,6 +21560,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "krislamoureux.com", true },
   { "krismurray.co.uk", true },
   { "krisstarkey.co.uk", true },
+  { "kristall-energie.at", true },
   { "kristenpaigejohnson.com", true },
   { "kristiehill.com", true },
   { "kristikala.nl", true },
@@ -21376,6 +21587,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "krumberconsulting.com", true },
   { "krupa.net.pl", false },
   { "kruselegal.com.au", true },
+  { "krusesec.com", true },
   { "krutka.cz", true },
   { "kruu.de", true },
   { "kruzhki-s-kartinkami.ru", true },
@@ -21386,22 +21598,25 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "krypsys.com", true },
   { "krypt.com", true },
   { "kryptera.se", true },
+  { "kryptomech.com", true },
   { "krytykawszystkiego.com", true },
   { "krytykawszystkiego.pl", true },
   { "kryx.de", true },
   { "ks-watch.de", true },
+  { "ks88.com", true },
   { "kschv-rdeck.de", true },
   { "kselenia.ee", true },
   { "ksero.center", true },
   { "ksero.wroclaw.pl", true },
   { "ksham.net", true },
   { "kshlm.in", true },
-  { "kspg.tv", true },
+  { "ksmmmo.org.tr", true },
   { "kssk.de", true },
   { "ksukelife.com", true },
   { "kt-zoe.com", true },
   { "ktbnetbank.com", true },
   { "kthnxbai.xyz", true },
+  { "ktm-troxler.de", true },
   { "kts-thueringen.de", true },
   { "ktsee.eu.org", true },
   { "ktsofas.gr", true },
@@ -21427,6 +21642,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kucnibudzet.com", true },
   { "kucukayvaz.com", true },
   { "kudo.co.id", true },
+  { "kueche-co.de", false },
   { "kuechenprofi-group.de", false },
   { "kuehndel.org", true },
   { "kuehnel-bs.de", true },
@@ -21455,6 +21671,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kunstdrucke-textildruck.de", true },
   { "kunstundunrat.de", true },
   { "kuoruan.com", true },
+  { "kupaa.ink", true },
   { "kupferstichshop.com", true },
   { "kupid.com", true },
   { "kupiec.eu.org", true },
@@ -21463,7 +21680,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kuponrazzi.com", true },
   { "kuponydoher.cz", true },
   { "kupschke.net", true },
-  { "kurashino-mall.com", true },
+  { "kurniadwin.to", true },
   { "kuro.link", true },
   { "kurofuku.me", true },
   { "kuroha.co.uk", true },
@@ -21492,6 +21709,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kvalitnitesneni.cz", true },
   { "kvantel.no", true },
   { "kvcc.com.au", true },
+  { "kvestmaster.ru", true },
   { "kvetinymilt.cz", true },
   { "kvhile.com", true },
   { "kvilt.dk", true },
@@ -21503,12 +21721,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kwcolville.com", true },
   { "kwedo.com", true },
   { "kwench.com", true },
+  { "kwok.cc", true },
   { "kwoll.de", true },
   { "kwyxz.org", true },
   { "kx197.com", true },
   { "kxah35.com", true },
   { "kxline.com", true },
-  { "kxnrl.com", false },
+  { "kxnrl.com", true },
   { "kxway.com", true },
   { "kybi.sk", true },
   { "kydara.com", true },
@@ -21521,6 +21740,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kyobostory-events.com", true },
   { "kyoko.org", true },
   { "kyosaku.org", true },
+  { "kyoto-k9.com", false },
   { "kyoto-mic.com", true },
   { "kyoto-tomikawa.jp", true },
   { "kyoto-tomoshibi.jp", true },
@@ -21532,10 +21752,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kz.search.yahoo.com", false },
   { "kzar.co.uk", true },
   { "kzsdabas.hu", true },
+  { "l-atelier-c.com", true },
   { "l-lab.org", true },
   { "l0re.com", true },
   { "l17r.eu", true },
   { "l2guru.ru", true },
+  { "l3.ee", true },
   { "l33te.net", true },
   { "l4n-clan.de", true },
   { "l7plumbing.com.au", true },
@@ -21561,6 +21783,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "labanskollermark.se", true },
   { "labcenter.com", true },
   { "labcoat.jp", true },
+  { "labeled.vn", true },
   { "labms.com.au", true },
   { "labobooks.com", true },
   { "laboitebio-logique.ca", true },
@@ -21573,6 +21796,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "labrat.mobi", false },
   { "labspack.com", true },
   { "labtest.ltd", true },
+  { "lacaey.se", true },
   { "lacantine.xyz", true },
   { "lacaserita.org", true },
   { "lacaveducinquantenaire.com", true },
@@ -21598,7 +21822,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lacyc3.eu", true },
   { "ladbroke.net", true },
   { "ladenzeile.at", true },
-  { "ladenzeile.de", true },
   { "ladislavbrezovnik.com", true },
   { "ladraiglaan.com", true },
   { "lady-2.jp", true },
@@ -21609,9 +21832,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "laextra.mx", true },
   { "lafayette-rushford.com", true },
   { "lafcheta.info", true },
+  { "lafema.de", true },
   { "lafillepolyvalente.ca", true },
   { "lafillepolyvalente.com", true },
-  { "lafka.org", true },
   { "lafkor.de", true },
   { "laflash.com", true },
   { "lagarderob.ru", false },
@@ -21653,26 +21876,29 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lakeshowlife.com", true },
   { "lakewoodcityglass.com", true },
   { "lakhesis.net", true },
+  { "lakkt.de", true },
   { "lakonia.com.br", true },
   { "lalalab.com", true },
   { "lalaya.fr", true },
   { "laled.ch", true },
+  { "lalingua.ir", true },
   { "lalucioledigitale.com", true },
   { "lalunecreative.com", true },
   { "lalyre-corcelles.ch", true },
-  { "lamaisondelatransformationculturelle.com", true },
   { "lamakat.de", true },
-  { "lamanwebinfo.com", true },
   { "lamapoll.de", true },
   { "lamarieealhonneur.com", false },
   { "lambauer.com", true },
+  { "lambdaof.xyz", true },
   { "lambertshealthcare.co.uk", true },
   { "lamboo.be", true },
   { "lamclam.site", true },
+  { "lamconnect.com", true },
   { "lame1337.xyz", true },
   { "lamed.se", true },
   { "lamikvah.org", true },
   { "laminine.info", true },
+  { "lammersmarketing.com", true },
   { "lamontre.ru", true },
   { "lamp.re", false },
   { "lamp24.se", true },
@@ -21686,14 +21912,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lampenwelt.ch", true },
   { "lampenwelt.de", true },
   { "lampposthomeschool.com", true },
+  { "lampsh.ml", true },
   { "lampy.pl", true },
   { "lamunyon.com", true },
   { "lan.biz.tr", true },
+  { "lana.swedbank.se", true },
   { "lanahallen.com", true },
   { "lanbroa.eu", true },
   { "lancashirecca.org.uk", true },
   { "lancejames.com", true },
   { "lancelafontaine.com", true },
+  { "lancelhoff.com", true },
+  { "lancemanion.com", true },
   { "lanceyip.com", true },
   { "lancyvbc.ch", true },
   { "land.nrw", false },
@@ -21741,9 +21971,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "languageterminal.com", true },
   { "langworth.com", true },
   { "langzijn.nl", true },
-  { "lanhhuyet510.tk", true },
   { "lanna.io", true },
-  { "lannainnovation.com", true },
   { "lanodan.eu", true },
   { "lanostrasalute.it", true },
   { "lanre.org", true },
@@ -21764,6 +21992,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lapetition.be", true },
   { "lapicena.eu", true },
   { "lapidge.net", true },
+  { "lapix.com.co", true },
   { "laplacesicherheit.de", true },
   { "laplanetebleue.com", true },
   { "lapolla.com", true },
@@ -21788,6 +22017,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lariscus.eu", true },
   { "larky.top", true },
   { "larondinedisinfestazione.com", true },
+  { "larotayogaming.com", true },
   { "larptreff.de", true },
   { "larraz.es", true },
   { "larryli.cn", true },
@@ -21806,7 +22036,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lasavonnerieducroisic.fr", true },
   { "lascana.co.uk", true },
   { "lasereyess.net", true },
-  { "laserfuchs.de", true },
   { "laserpc.net", true },
   { "laserplaza.de", true },
   { "laserplaza.net", true },
@@ -21822,8 +22051,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lasseleegaard.dk", true },
   { "lasseleegaard.net", true },
   { "lasseleegaard.org", true },
-  { "lassesworld.com", true },
-  { "lassesworld.se", true },
   { "lastbutnotyeast.com", true },
   { "lastchancetraveler.com", true },
   { "lastharo.com", true },
@@ -21842,11 +22069,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lateralsecurity.com", true },
   { "latestbuy.com.au", true },
   { "latestdeals.co.uk", true },
-  { "latiendadelbebefeliz.com", true },
   { "latiendauno.com", true },
   { "latiendawapa.com", true },
+  { "latinmusicrecords.com", true },
   { "latino.dating", true },
-  { "latinphone.com", true },
   { "latintoy.com", true },
   { "latitudesign.com", true },
   { "latremebunda.com", true },
@@ -21856,7 +22082,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "laubacher.io", true },
   { "lauchundei.at", true },
   { "lauensteiner.de", false },
-  { "laufers.pl", true },
   { "laufpix.de", true },
   { "lauftreff-himmelgeist.de", true },
   { "laughinggrapepublishing.com", true },
@@ -21866,6 +22091,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "launchmylifend.com", true },
   { "launchpad-app2.com", true },
   { "launchpadder2.com", true },
+  { "laupv.online", true },
   { "lauraandwill.wedding", false },
   { "lauraenvoyage.fr", true },
   { "laurakashiwase.com", true },
@@ -21874,6 +22100,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "laurelblack.com", true },
   { "laurenceplouffe.com", true },
   { "laurenlobue.com", true },
+  { "laurensvanderblom.nl", true },
   { "lauriemilne.com", true },
   { "lauriuc.sk", true },
   { "lausannedentiste.ch", true },
@@ -21930,7 +22157,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lbmblaasmuziek.nl", true },
   { "lbphacker.pw", true },
   { "lbs-logics.com", true },
-  { "lbsi-nordwest.de", true },
   { "lbux.org", true },
   { "lc-cs.com", false },
   { "lc-promiss.de", true },
@@ -21938,15 +22164,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lca.gov", true },
   { "lcacommons.gov", true },
   { "lcars-sv.info", true },
-  { "lcbizsolutions.com", true },
   { "lce-events.com", true },
   { "lcgaj.com", true },
   { "lcht.ch", false },
   { "lcrmscp.gov", true },
-  { "lcy.cat", true },
-  { "lcy.im", true },
+  { "lcy.im", false },
   { "lcy.moe", true },
-  { "lcybox.com", true },
   { "ld-begunjscica.si", true },
   { "ldc.com.br", false },
   { "ldjb.jp", true },
@@ -21976,6 +22199,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "leadingsalons.com", true },
   { "leadplan.ru", true },
   { "leadquest.nl", true },
+  { "leaf-consulting.de", true },
   { "leafandseed.co.uk", true },
   { "leafans.tk", false },
   { "leafinote.com", true },
@@ -21986,7 +22210,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "leanplando.com", true },
   { "leap-it.be", true },
   { "leapandjump.co.uk", true },
-  { "learn-smart.uk", true },
   { "learndev.info", true },
   { "learnflakes.net", true },
   { "learnforestry.com", true },
@@ -22041,6 +22264,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "leerliga.de", true },
   { "leertipp.de", true },
   { "leesilvey.com", true },
+  { "leet2.com", true },
   { "leetcode.com", true },
   { "leetcode.net", true },
   { "leetgamers.asia", true },
@@ -22075,7 +22299,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "legrandvtc.fr", true },
   { "legumeinfo.org", true },
   { "lehighmathcircle.org", true },
+  { "lehmitz-weinstuben.de", true },
   { "lehti-tarjous.net", true },
+  { "leibniz-gymnasium-altdorf.de", true },
   { "leibniz-remscheid.de", false },
   { "leideninternationalreview.com", true },
   { "leilautourdumon.de", true },
@@ -22085,7 +22311,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "leipziger-triathlon.de", true },
   { "leisure-blog.com", true },
   { "leisure-supplies-show.co.uk", true },
-  { "leiyun.me", true },
   { "lejardindesmesanges.fr", true },
   { "lektier.cf", true },
   { "lel.ovh", true },
@@ -22095,11 +22320,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lemni.top", true },
   { "lemoine.at", true },
   { "lemondenumerique.com", true },
+  { "lemondrops.xyz", true },
   { "lemonlawnow.com", true },
   { "lemonop.com", true },
   { "lemonparty.co", true },
   { "lemonrockbiketours.com", true },
-  { "lemonthy.ca", true },
   { "lemonthy.com", true },
   { "lemouillour.fr", true },
   { "lemuslimpost.com", true },
@@ -22130,11 +22355,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "leominstercu.com", false },
   { "leon-tech.com", true },
   { "leon.net", true },
-  { "leonauto.de", true },
   { "leonax.net", true },
   { "leonbuitendam.nl", true },
   { "leondenard.com", true },
   { "leonklingele.de", true },
+  { "leonmahler.consulting", true },
   { "leontiekoetter.de", true },
   { "leopoldina.net", true },
   { "leovanna.co.uk", true },
@@ -22146,6 +22371,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "leppis-it.de", true },
   { "lepsos.com", true },
   { "lequerceagriturismo.com", true },
+  { "lequest.dk", true },
   { "lereporter.ma", true },
   { "leretour.ch", true },
   { "lerku.com", true },
@@ -22164,12 +22390,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lesarts.com", true },
   { "lesberger.ch", true },
   { "lesbrillantsdaristide.com", true },
-  { "lescourtiersbordelais.com", true },
   { "leseditionsbraquage.com", true },
   { "lesfilmsavivre.com", true },
   { "lesgoodnews.fr", true },
-  { "leshervelines.com", true },
   { "lesjardinsdemathieu.net", true },
+  { "lesjardinsdubanchet.fr", true },
   { "lesmamy.ch", true },
   { "lesmontagne.net", true },
   { "lesnet.co.uk", true },
@@ -22177,6 +22402,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lespecialiste-pradelexcellence.com", true },
   { "lesplatanes.ch", true },
   { "lespret.nl", true },
+  { "lesquerda.cat", false },
   { "lesscloud.com", true },
   { "lessets-graphiques.com", true },
   { "lessis.moe", true },
@@ -22184,8 +22410,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lesterrassesdusoleil.ch", true },
   { "lesyndicat.info", true },
   { "letemps.ch", true },
+  { "letertrefleuri.com", true },
   { "leto12.xyz", true },
-  { "letraba.com", true },
   { "letranif.net", true },
   { "lets-bounce.com", true },
   { "lets-go-acoustic.de", true },
@@ -22214,6 +22440,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "leuthardtfamily.com", true },
   { "levans.fr", true },
   { "levanscatering.com", true },
+  { "level-10.de", true },
   { "levelaccordingly.com", true },
   { "levelcheat.com", true },
   { "levelonetrainingandfitness.com", true },
@@ -22224,6 +22451,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "leverj.io", true },
   { "levermann.eu", true },
   { "leviaan.nl", true },
+  { "leviathan-studio.com", true },
   { "levineteamestates.com", true },
   { "levinus.de", true },
   { "leviscop.com", true },
@@ -22240,7 +22468,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lexicography.online", true },
   { "lexpierce.social", true },
   { "lexway.pk", true },
-  { "lexxyn.nl", true },
   { "leymaritima.com", true },
   { "lezard-com.fr", true },
   { "lfashion.eu", true },
@@ -22259,8 +22486,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lhajn.cz", true },
   { "lhakustik.se", true },
   { "lhalbert.xyz", true },
-  { "lhamaths.online", true },
+  { "lhamaths.online", false },
   { "lhconsult.tk", false },
+  { "lhero.org", true },
   { "lhgavarain.com", true },
   { "lhost.su", true },
   { "li-ke.co.jp", true },
@@ -22275,10 +22503,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lianye4.cc", true },
   { "lianye5.cc", true },
   { "lianye6.cc", true },
+  { "liautard.fr", true },
   { "lib64.net", true },
   { "libbitcoin.org", true },
   { "libble.eu", true },
   { "liberapay.com", true },
+  { "liberation2020.com", true },
   { "liberdademg.com.br", true },
   { "libgame.com", true },
   { "libmpq.org", true },
@@ -22297,6 +22527,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "libreduca.com", true },
   { "librelamp.com", true },
   { "libremail.nl", true },
+  { "librends.org", true },
   { "libreoffice-from-collabora.com", true },
   { "libreofficefromcollabora.com", true },
   { "librervac.org", true },
@@ -22336,14 +22567,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lieuu.com", true },
   { "lifanov.com", true },
   { "life-emotions.pt", true },
+  { "life-like.com", true },
   { "lifeartstudios.net", true },
   { "lifebetweenlives.com.au", true },
   { "lifeboxhealthcare.co.uk", true },
   { "lifecism.com", true },
   { "lifeenrichmentnc.com", true },
+  { "lifefoto.de", true },
   { "lifegrip.com.au", true },
   { "lifeinhex.com", true },
   { "lifeinsurancepro.org", true },
+  { "lifeisabug.com", true },
+  { "lifekiss.ru", true },
   { "lifelenz.com", true },
   { "lifematenutrition.com", true },
   { "lifemstyle.com", true },
@@ -22351,18 +22586,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lifequotes-uk.co.uk", true },
   { "lifereset.it", true },
   { "lifesafety.com.br", true },
-  { "lifestyle7788.com", true },
   { "lifestylecent.com", true },
   { "lifestylefinancial.ca", true },
   { "lifetree.network", true },
+  { "lifeupgame.fr", true },
   { "lifi.digital", true },
   { "lifi.is", true },
+  { "lift-wise.com", true },
   { "liftie.info", true },
   { "ligadosgames.com", true },
   { "light-up.xyz", true },
   { "light.mail.ru", true },
   { "lightbox.co", true },
-  { "lightdark.xyz", true },
   { "lightdream.tech", true },
   { "lighting-centres.co.uk", true },
   { "lightingagoura.com", true },
@@ -22423,7 +22658,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "limawi.io", true },
   { "limberg.me", true },
   { "limbo.services", true },
-  { "limeburst.net", true },
   { "limelabs.de", true },
   { "limelabs.io", true },
   { "limeres.com", true },
@@ -22451,13 +22685,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lindeskar.se", true },
   { "lindholmen.club", true },
   { "lindnerhof-taktik.de", true },
-  { "lindnerhof.info", true },
   { "lindo.ru", true },
   { "lindon.pw", true },
   { "lindsayanderson.com", true },
   { "lindsaygorski.com", true },
   { "lindskogen.se", true },
   { "lindy.co", false },
+  { "line-wise.com", true },
   { "line.biz", true },
   { "line.co.nz", true },
   { "lineageos.org", true },
@@ -22472,6 +22706,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "linguatrip.com", false },
   { "lingvo-svoboda.ru", true },
   { "linherest.tk", true },
+  { "linhua.org", true },
   { "link-sanitizer.com", true },
   { "link2serve.com", true },
   { "linkat4.cz", true },
@@ -22482,6 +22717,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "linklocker.co", true },
   { "linkmaker.co.uk", true },
   { "linkmauve.fr", true },
+  { "linkopia.com", true },
   { "linkstream.live", true },
   { "linkthis.me", true },
   { "linkthis.ml", true },
@@ -22491,6 +22727,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "linkycat.com", true },
   { "linode.com", false },
   { "linost.com", true },
+  { "linpx.com", true },
   { "linqhost.nl", true },
   { "linss.com", true },
   { "lintellift.com", true },
@@ -22503,7 +22740,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "linux.cn", true },
   { "linux.conf.au", true },
   { "linux.fi", true },
-  { "linux.im", true },
   { "linux.pizza", true },
   { "linux3.org", true },
   { "linuxadictos.com", true },
@@ -22523,7 +22759,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "linx.net", true },
   { "linzgau.de", true },
   { "linzyjx.com", true },
-  { "lionhosting.nl", true },
+  { "lionlyrics.com", true },
   { "lionsdeal.com", true },
   { "lipartydepot.com", true },
   { "lipex.com", true },
@@ -22572,6 +22808,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "littleboutiqueshop.co.uk", true },
   { "littleboutiqueshop.com", true },
   { "littleboutiqueshop.uk", true },
+  { "littledev.nl", true },
   { "littlefairy.no", true },
   { "littlefamilyadventure.com", true },
   { "littlegreece.ae", true },
@@ -22585,6 +22822,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "littleredsbakeshop.com", true },
   { "littlericket.me", false },
   { "littlescallywagsplay.co.uk", true },
+  { "littleskin.cn", true },
   { "littleswitch.co.jp", true },
   { "littlewatcher.com", true },
   { "litvideoserver.de", true },
@@ -22596,6 +22834,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "liul.in", true },
   { "liupeicheng.top", true },
   { "liv3d.stream", true },
+  { "livaniaccesorios.com", true },
   { "live4k.media", false },
   { "livebandphotos.com", true },
   { "livebetterwith.com", true },
@@ -22608,6 +22847,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "livedesign24.de", true },
   { "liveflightapp.com", true },
   { "liveforspeed.se", true },
+  { "livehomecams.co.uk", true },
   { "livekaarten.be", true },
   { "livekaarten.nl", true },
   { "livekarten.at", true },
@@ -22647,7 +22887,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "livnev.xyz", true },
   { "livolett.de", true },
   { "livres-et-stickers.com", true },
-  { "livroseuniformes.com.br", true },
   { "lixiaoyu.live", true },
   { "lixtick.com", true },
   { "liyang.pro", false },
@@ -22655,12 +22894,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "liyunbin.com", true },
   { "liz.ee", true },
   { "lizardsystems.com", true },
+  { "lizheng.de", true },
   { "lizhi.io", true },
   { "lizhi123.net", true },
   { "lizmooredestinationweddings.com", true },
   { "lizzaran.io", true },
   { "lizzwood.com", true },
-  { "ljason.cn", true },
   { "ljc.ro", true },
   { "ljs.io", true },
   { "ljskool.com", true },
@@ -22681,16 +22920,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lmbyrne.com", true },
   { "lmcm.io", true },
   { "lmddgtfy.net", true },
-  { "lmerza.com", true },
   { "lmintlcx.com", true },
   { "lmmi.nl", true },
   { "lmmtfy.io", true },
   { "lmsptfy.com", true },
   { "lmtls.me", true },
   { "lmtm.eu", true },
+  { "lmtravis.com", true },
   { "lng-17.org", true },
   { "lnhequipmentltd.com", true },
-  { "lnmp.me", true },
   { "lntu.org", true },
   { "lnx.li", true },
   { "lnyltx.cn", true },
@@ -22715,13 +22953,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "localblock.co.za", true },
   { "localbouncycastle.com", true },
   { "localdecor.com.br", true },
+  { "localea.com", true },
   { "localethereum.com", true },
   { "localhorst.duckdns.org", true },
-  { "localhorst.xyz", true },
   { "localhost.ee", true },
   { "localprideart.com", true },
+  { "localsource.eu", true },
   { "localspot.pl", true },
   { "locapos.com", true },
+  { "location-fichier-email.com", true },
   { "locationvoitureallemagne.com", true },
   { "locationvoitureangleterre.com", true },
   { "locationvoitureaustralie.com", true },
@@ -22732,6 +22972,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "locatorplus.gov", true },
   { "locauxrama.fr", true },
   { "locker.plus", true },
+  { "locklock.com.br", true },
+  { "locklockbrasil.com.br", true },
+  { "locknlock.com.br", true },
+  { "locknlockbrasil.com.br", true },
   { "lockpick.nl", true },
   { "lockpicks.se", true },
   { "lockr.io", true },
@@ -22833,17 +23077,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lojasceletro.com.br", true },
   { "lojaterrazul.com.br", true },
   { "lojavirtualfc.com.br", true },
-  { "lojavirtualfct.com.br", true },
   { "lojavisamed.com.br", true },
   { "lojix.com", true },
   { "lojj.pt", true },
   { "lok.space", true },
   { "lokaal.org", true },
+  { "loker.id", true },
   { "loket.nl", true },
   { "lolcorp.pl", true },
   { "lolcow.farm", true },
+  { "lolhax.org", true },
+  { "loli.ee", true },
   { "loli.net", true },
   { "loli.pet", true },
+  { "loli.ski", true },
   { "loli.tube", true },
   { "loli.world", true },
   { "lolibrary.org", true },
@@ -22851,6 +23098,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lolico.moe", true },
   { "lolicon.eu", true },
   { "lolkot.ru", true },
+  { "lolly.cc", true },
   { "lolnames.gg", true },
   { "lolpatrol.de", true },
   { "lolpatrol.wtf", true },
@@ -22870,7 +23118,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lonesomecosmonaut.com", true },
   { "lonestarlandandcommercial.com", true },
   { "long-journey.com", true },
-  { "long18.cc", true },
   { "longboat.io", true },
   { "longhaircareforum.com", true },
   { "longhorn-imports.com", true },
@@ -22915,6 +23162,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "loricozengeller.com", true },
   { "lorientlejour.com", true },
   { "loritaboegl.de", true },
+  { "lormansas.com", true },
   { "losangelestown.com", true },
   { "losless.fr", true },
   { "losreyesdeldescanso.com.ar", true },
@@ -22962,7 +23210,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "loverepublic.ru", true },
   { "lovesmagical.com", true },
   { "lovesupremefestival.com", true },
-  { "lovetravel360.com", true },
   { "lovevape.co", true },
   { "loveyounastya.com", true },
   { "loveysa.ch", true },
@@ -22982,34 +23229,34 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "loyaleco.it", true },
   { "loyaltyondemand.club", true },
   { "loyaltyondemand.eu", true },
-  { "lpcom.de", true },
+  { "lp-support.nl", true },
   { "lprcommunity.co.za", true },
   { "lpt-nebreziny.eu", true },
-  { "lqs.me", true },
   { "lra-cloud.de", true },
   { "lrdo.net", true },
+  { "lriese.ch", true },
   { "lrssystems.com", true },
   { "ls-alarm.de", true },
   { "lsal.me", true },
   { "lsc-dillingen.de", true },
   { "lsc.gov", true },
-  { "lshiy.com", true },
   { "lsmpx.com", true },
   { "lsquo.com", true },
   { "lsscreens.de", true },
-  { "lsy.cn", true },
+  { "lsys.ac", true },
   { "lt.search.yahoo.com", false },
   { "ltaake.com", true },
   { "ltecode.com", true },
   { "ltib.com.au", true },
   { "ltls.org", true },
   { "ltn-tom-morel.fr", true },
+  { "lty.space", true },
   { "lu.search.yahoo.com", false },
+  { "luan.ma", true },
   { "luav.org", true },
   { "lubar.me", true },
   { "lubbockyounglawyers.org", true },
   { "lublin.toys", true },
-  { "lubomirkazakov.com", true },
   { "luc-oberson.ch", true },
   { "luca-steeb.com", true },
   { "luca.swiss", true },
@@ -23022,9 +23269,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lucasgaland.com", true },
   { "lucasgymnastics.com", true },
   { "lucaslarson.net", true },
+  { "lucassoler.com.ar", false },
   { "luce.life", true },
   { "luchscheider.de", false },
-  { "lucianoalbanes.com", true },
   { "lucid-light.de", true },
   { "lucidframeworks.com", true },
   { "lucidlight.de", true },
@@ -23064,7 +23311,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "luiscapelo.info", true },
   { "luismaier.de", true },
   { "luisyr.com", true },
-  { "luizkowalski.net", true },
   { "luk.earth", true },
   { "lukas-gorr.de", true },
   { "lukas-meixner.com", true },
@@ -23089,6 +23335,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lukmanulhakim.id", true },
   { "lukull-pizza.de", true },
   { "luloboutique.com", true },
+  { "lumbercartel.ca", true },
   { "lumen.sh", true },
   { "lumi.pw", true },
   { "lumiere.com", true },
@@ -23105,6 +23352,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lunarichter.de", true },
   { "lunarlog.com", true },
   { "lunarshark.com", true },
+  { "lunarsoft.net", true },
   { "lunartail.nl", true },
   { "lunasqu.ee", true },
   { "lunastrail.com", true },
@@ -23125,14 +23373,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "luongvu.com", true },
   { "luoshifeng.com", true },
   { "luowu.cc", true },
+  { "lupa.cz", true },
   { "lupecode.com", true },
   { "lupinencyclopedia.com", true },
   { "lupinenorthamerica.com", true },
+  { "luqsus.pl", true },
   { "lusitom.com", true },
   { "luso-livros.net", true },
   { "lusoft.cz", true },
   { "lusteniny.cz", true },
-  { "lustige-zitate.com", true },
   { "lustin.fr", true },
   { "lustrum.ch", true },
   { "lusynth.com", true },
@@ -23192,7 +23441,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lynxpro.nl", true },
   { "lyon-interactive.com", true },
   { "lyon-synergie.com", true },
-  { "lyoness.digital", true },
   { "lyrical-nonsense.com", true },
   { "lyricfm.ie", true },
   { "lys.ch", true },
@@ -23237,6 +23485,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mac-i-tea.ch", true },
   { "mac-service-stockholm.se", true },
   { "mac-servicen.se", true },
+  { "mac-support.nu", true },
+  { "mac-support.se", true },
   { "mac.biz.tr", true },
   { "mac1.net", true },
   { "macaw.nl", true },
@@ -23244,12 +23494,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "macbook.es", true },
   { "maceinturecuir.com", true },
   { "maces-net.de", true },
+  { "macgeneral.de", true },
   { "macgenius.com", true },
   { "mach-politik.ch", true },
   { "macha.cloud", true },
   { "machbach.com", true },
   { "machetewp.com", true },
-  { "machijun.net", true },
   { "machikka.com", false },
   { "machinetransport.com", true },
   { "macht-elektro.de", true },
@@ -23258,7 +23508,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "macil.tech", true },
   { "macinyasha.net", true },
   { "macker.io", true },
-  { "mackey7.net", true },
   { "mackeysack.com", true },
   { "mackiehouse.ca", true },
   { "macksproductions.in", true },
@@ -23280,7 +23529,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "madae.nl", true },
   { "madandpissedoff.com", true },
   { "madars.org", false },
-  { "madbicicletas.com", true },
   { "madbin.com", true },
   { "madbouncycastles.co.uk", true },
   { "maddi.biz", true },
@@ -23289,7 +23537,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "maddistonpsa.co.uk", true },
   { "maddreefer.com", true },
   { "made-in-earth.co.jp", true },
-  { "made-to-usb.com", true },
   { "madebydusk.com", true },
   { "madebyshore.com", true },
   { "madeinchezmoi.net", true },
@@ -23340,6 +23587,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "magentaize.net", true },
   { "magentapinkinteriors.co.uk", true },
   { "magentoeesti.eu", true },
+  { "magepro.fr", true },
   { "magewell.nl", true },
   { "maggie.com", true },
   { "magi-cake.com", true },
@@ -23350,9 +23598,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "magicalcircuslv.com", true },
   { "magicalshuttle.fr", true },
   { "magicamulet.me", true },
+  { "magicball.co", true },
   { "magicbroccoli.de", true },
   { "magiccards.info", true },
   { "magicdaysomagh.co.uk", true },
+  { "magicdlp.com", true },
   { "magiclen.org", true },
   { "magicspaceninjapirates.de", true },
   { "magictable.com", true },
@@ -23409,6 +23659,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "maillady-susume.com", true },
   { "mailmag.net", false },
   { "mailnara.co.kr", true },
+  { "mailtelligent.com", true },
   { "mailto.space", true },
   { "mailum.org", false },
   { "mainechiro.com", true },
@@ -23424,8 +23675,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "maispa.com", true },
   { "maisretorno.com", true },
   { "maisvitaminas.com.br", true },
+  { "maitemerino.net", true },
   { "maitheme.com", true },
-  { "maitrechaton.fr", true },
   { "maitrise-orthopedique.com", true },
   { "majahoidja.ee", true },
   { "majaweb.cz", true },
@@ -23435,9 +23686,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "majkassab.com", true },
   { "majkassab.net", true },
   { "majkassab.org", true },
-  { "majkl.me", true },
-  { "majkl.xyz", true },
-  { "majkl578.cz", true },
   { "majkyto.cz", true },
   { "majlovesreg.one", true },
   { "majolka.com", true },
@@ -23448,6 +23696,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "makeaboldmove.com", true },
   { "makechanges.com.au", true },
   { "makedin.net", true },
+  { "makedonija.net.mk", true },
   { "makem-bounce.co.uk", true },
   { "makenaiyo-fx.com", true },
   { "makera.ga", true },
@@ -23498,7 +23747,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "malscan.com", true },
   { "malscan.org", true },
   { "malta-firma.com", true },
-  { "malte-kiefer.de", true },
   { "malufs.com.br", true },
   { "malware.watch", true },
   { "malwareinvestigator.gov", true },
@@ -23537,6 +23785,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "manager-efficacement.com", true },
   { "manager.linode.com", false },
   { "managewp.org", true },
+  { "manaonetrading.com", true },
   { "manatees.com.au", true },
   { "manatees.net", true },
   { "manavgabhawala.com", true },
@@ -23599,7 +23848,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "manufacturing.gov", true },
   { "manufacturinginmexico.org", true },
   { "manufacturingusa.com", true },
-  { "manuscript.com", true },
   { "manuscriptlink.com", true },
   { "manutd.org.np", true },
   { "manuth.life", true },
@@ -23622,6 +23870,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mapchange.org", true },
   { "mapeo.io", true },
   { "maplanetebeaute.fr", true },
+  { "maplegate.info", true },
   { "maplehome.tk", true },
   { "mapletime.com", true },
   { "maps.net", true },
@@ -23660,6 +23909,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "marcelwolf.coach", true },
   { "marcgoertz.de", true },
   { "marche-contre-monsanto.ch", true },
+  { "marchhappy.tech", false },
   { "marchukov.com", true },
   { "marchwj.pl", true },
   { "marciaimportados.com.br", true },
@@ -23680,6 +23930,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "marek.su", true },
   { "marelijah.org", true },
   { "margagriesser.de", true },
+  { "margays.de", true },
   { "margecommunication.com", true },
   { "margo-co.ch", true },
   { "margotlondon.co.uk", true },
@@ -23687,7 +23938,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "margots.life", true },
   { "margots.tech", true },
   { "marguerite-maison.fr", true },
-  { "mariacorzo.com", true },
   { "mariage-photo.ch", true },
   { "mariaheidemann.nl", true },
   { "marianatherapy.com", true },
@@ -23716,6 +23966,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "marinela.com.mx", false },
   { "marinelausa.com", false },
   { "marines-shop.com", true },
+  { "mario.party", false },
   { "mariogeckler.de", true },
   { "mariposah.ch", true },
   { "marisamorby.com", false },
@@ -23753,7 +24004,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "marketingtrendnews.com", true },
   { "marketingvirtuales.com", true },
   { "marketizare.ro", true },
-  { "marketlinks.org", true },
   { "marketnsight.com", true },
   { "markfordelegate.com", true },
   { "markhaehnel.de", true },
@@ -23783,6 +24033,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "markt-heiligenstadt.de", false },
   { "marktcontact.com", true },
   { "marktissink.nl", true },
+  { "marktplaatshelper.nl", true },
   { "markup-ua.com", true },
   { "markus-blog.de", true },
   { "markus-dev.com", true },
@@ -23791,7 +24042,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "markus-ullmann.de", true },
   { "markus.design", true },
   { "markusehrlicher.de", true },
-  { "markusgran.de", true },
   { "markuskeppeler.de", true },
   { "markuskeppeler.no-ip.biz", true },
   { "marl.fr", true },
@@ -23941,7 +24191,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mathematik.rocks", false },
   { "mathembedded.com", true },
   { "matheo-schefczyk.de", true },
-  { "matheusmacedo.ddns.net", true },
   { "mathfinder.org", true },
   { "mathhire.org", true },
   { "mathias.is", true },
@@ -23949,15 +24198,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mathiasgarbe.de", true },
   { "mathiaswagner.org", true },
   { "mathieuguimond.com", true },
-  { "mathieui.net", true },
   { "mathis.com.tr", true },
   { "maths.network", true },
-  { "mathsource.ga", true },
   { "mathspace.co", true },
-  { "mathsweek.nz", true },
-  { "mathsweek.org.nz", true },
-  { "mathsweek.school.nz", true },
   { "mathys.io", true },
+  { "matijakolaric.com", true },
   { "matildajaneclothing.com", true },
   { "matjaz.it", true },
   { "matlss.com", true },
@@ -23967,6 +24212,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "matoutepetiteboutique.com", true },
   { "matratzentester.com", true },
   { "matridiana.com", true },
+  { "matrieux.dk", true },
   { "matrimoni.uk", true },
   { "matriterie-sdv.ro", true },
   { "matrixim.cc", true },
@@ -24000,6 +24246,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "matthewgrow.com", true },
   { "matthewj.ca", true },
   { "matthewkenny.co.uk", true },
+  { "matthewljiang.com", true },
   { "matthewohare.com", true },
   { "matthewsetter.com", true },
   { "matthey.nl", true },
@@ -24025,6 +24272,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "matway.net", true },
   { "matze.co", true },
   { "mauerwerkstag.info", true },
+  { "mauiticketsforless.com", true },
   { "mauldincookfence.com", true },
   { "mauran.me", true },
   { "maurice-walker.com", false },
@@ -24053,7 +24301,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "maxbruckner.de", true },
   { "maxbruckner.org", true },
   { "maxchan.info", true },
-  { "maxdev72.freeboxos.fr", true },
   { "maxh.me.uk", true },
   { "maxhamon.ovh", true },
   { "maxhoechtl.at", true },
@@ -24069,9 +24316,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "maxipcalls.com", true },
   { "maxisito.it", true },
   { "maxkaul.de", true },
+  { "maxlaumeister.com", true },
   { "maxmatthe.ws", true },
   { "maxmilton.com", true },
   { "maxmind.com", true },
+  { "maxmobiles.ru", true },
   { "maxp.info", true },
   { "maxpl0it.com", true },
   { "maxr1998.de", true },
@@ -24087,11 +24336,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mayavi.co.in", true },
   { "maydex.info", true },
   { "mayerbrownllz.com", true },
-  { "mayoimobiliare.ro", true },
   { "mayomarquees.com", true },
   { "mayopartyhire.com", true },
   { "maypolevilla.co.uk", true },
-  { "mayrhofer.eu.org", true },
+  { "mayrhofer.eu.org", false },
   { "mazda-mps.de", true },
   { "mazda-thermote.com", true },
   { "mazda626.net", true },
@@ -24099,7 +24347,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "maze.design", false },
   { "maze.fr", true },
   { "mazenjobs.com", true },
-  { "mazternet.ru", true },
   { "mazurlabs.tk", true },
   { "mazzotta.me", true },
   { "mb-is.info", true },
@@ -24123,6 +24370,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mbr-net.de", true },
   { "mbrooks.info", true },
   { "mbs-journey.com", true },
+  { "mbsec.net", true },
   { "mburaks.com", true },
   { "mburns.duckdns.org", true },
   { "mbweir.com", true },
@@ -24138,6 +24386,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mccrackon.com", true },
   { "mcculloughjchris.com", true },
   { "mcdermottautomotive.com", true },
+  { "mcdona1d.me", true },
   { "mcdonalds.be", true },
   { "mcdonalds.design", true },
   { "mce.eu", true },
@@ -24152,7 +24401,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mcgarderen.nl", true },
   { "mcgovernance.com", true },
   { "mchel.net", true },
-  { "mchopkins.net", true },
   { "mchristopher.com", true },
   { "mchuiji.com", true },
   { "mcinterface.de", true },
@@ -24164,6 +24412,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mcl.de", false },
   { "mclinflatables.co.uk", true },
   { "mclmotors.co.uk", true },
+  { "mclyr.com", true },
   { "mcmillansedationdentistry.com", false },
   { "mcmillanskiclub.com.au", true },
   { "mcneill.io", true },
@@ -24187,8 +24436,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "md5file.com", true },
   { "md5hashing.net", true },
   { "mdazo.net", true },
-  { "mdbouncycastlehirelondon.co.uk", true },
-  { "mdcloudpracticesolutions.com", true },
   { "mdcloudps.com", true },
   { "mdek.at", true },
   { "mdewendt.de", true },
@@ -24217,6 +24464,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "meadowfenfarm.com", true },
   { "mealgoo.com", true },
   { "meamod.com", false },
+  { "meangirl.club", true },
   { "meany.xyz", true },
   { "meap.xyz", true },
   { "measureyourpenis.today", true },
@@ -24243,7 +24491,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "medellinapartamentos.com", true },
   { "medexpress.co.uk", true },
   { "medhy.fr", true },
-  { "medi-link.co.il", true },
   { "medi.com.br", true },
   { "media-credit.eu", true },
   { "media-instance.ru", true },
@@ -24254,7 +24501,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mediaarea.net", true },
   { "mediabackoffice.co.jp", true },
   { "mediablaster.com", true },
-  { "mediabm.jp", true },
   { "mediabogen.net", true },
   { "mediaburst.co.uk", true },
   { "mediadex.be", true },
@@ -24272,7 +24518,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mediapath.gr", true },
   { "mediarithmics.com", true },
   { "mediarithmics.io", true },
-  { "mediarocks.de", true },
   { "mediaselection.eu", true },
   { "mediathekview.de", true },
   { "mediationculturelleclp.ch", true },
@@ -24292,6 +24537,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "medicareinfo.org", true },
   { "medicinesfast.com", false },
   { "medicinia.com.br", true },
+  { "medicm.jp", true },
   { "medicocompetente.it", true },
   { "medicoresponde.com.br", true },
   { "medienweite.de", true },
@@ -24344,6 +24590,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "meetingmanage.nl", true },
   { "meetingmanager.ovh", true },
   { "meetings2.com", true },
+  { "meetmibaby.co.uk", true },
   { "meetmygoods.com", true },
   { "meetscompany.jp", true },
   { "meeusen-usedcars.be", true },
@@ -24374,6 +24621,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "megasslstore.com", true },
   { "megauction.tk", true },
   { "megaxchange.com", true },
+  { "meggidesign.com", true },
   { "mego.cloud", true },
   { "megumico.net", true },
   { "megustariasaber.com", true },
@@ -24392,12 +24640,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "meikan.moe", true },
   { "meillard-auto-ecole.ch", true },
   { "meilleur.info", true },
+  { "meimeistartup.com", true },
   { "mein-kuechenhelfer.de", true },
   { "mein-muehlhausen.bayern", true },
   { "mein-webportal.de", true },
   { "meinbetriebsrat24.de", true },
   { "meincenter-meinemeinung.de", true },
   { "meincoach.at", true },
+  { "meine-cloud-online.de", true },
   { "meine-email-im.net", true },
   { "meine-finanzanalyse.de", true },
   { "meine-immofinanzierung.de", true },
@@ -24406,11 +24656,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "meinstartinsleben.de", true },
   { "meintragebaby.de", true },
   { "meinv.asia", true },
+  { "meiodomato.com.br", true },
   { "meiqia.cn", true },
   { "meiqia.com", true },
   { "meisterlabs.com", true },
   { "meistertask.com", true },
   { "meitan.gz.cn", true },
+  { "meizitang.es", true },
   { "mekatro.tech", true },
   { "mekatrotekno.com", true },
   { "mekesh.com", true },
@@ -24433,6 +24685,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "melissaadkins.com", true },
   { "melissaauclaire.com", true },
   { "melissameuwszen.nl", true },
+  { "mellitus.org", true },
   { "melnessgroup.com", true },
   { "melnikov.ch", true },
   { "melodicprogressivehouse.com", true },
@@ -24443,11 +24696,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "melodrom.de", true },
   { "melopie.com", true },
   { "melted.me", true },
+  { "meltzow.net", true },
   { "members-arbourlake.com", true },
   { "members-only-shopping.com", true },
   { "members.nearlyfreespeech.net", false },
   { "membershipservices.org.uk", true },
-  { "memberstweets.com", true },
   { "meme-photostudio.com.tw", true },
   { "meme.fi", true },
   { "meme.institute", true },
@@ -24473,16 +24726,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "menole.com", true },
   { "menole.de", true },
   { "menole.net", true },
-  { "menotag.com", true },
   { "mensagemaniversario.com.br", true },
   { "mensagemdaluz.com", true },
   { "mensagensaniversario.com.br", true },
   { "mensagensdeconforto.com.br", true },
   { "mensagensperfeitas.com.br", true },
+  { "mensarena.gr", true },
   { "mensch-peter.me", true },
   { "mentalhealthmn.org", true },
   { "mentaltraining-fuer-musiker.ch", true },
   { "mentiq.az", true },
+  { "mentorithm.com", true },
   { "mentz.info", true },
   { "menudieta.com", true },
   { "menuel.me", true },
@@ -24493,7 +24747,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mer.gd", true },
   { "merakilp.com", true },
   { "meransuedtirol.com", true },
-  { "meraseo.com", true },
   { "mercadobitcoin.com.br", true },
   { "mercadobitcoin.net", true },
   { "mercadoleal.com.br", true },
@@ -24504,6 +24757,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mercedes-ig.de", true },
   { "mercedespartscenter.com", true },
   { "merchant-automotive.com", true },
+  { "merchcity.com", true },
   { "mercier-auto.com", true },
   { "mercier-cars.co.uk", true },
   { "mercredifiction.io", true },
@@ -24538,6 +24792,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mesappros.com", true },
   { "mescaline.com", true },
   { "mescaline.org", true },
+  { "mesec.cz", true },
   { "mesh.gov", true },
   { "meshok.info", true },
   { "mesicka.com", true },
@@ -24622,7 +24877,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mexicom.org", true },
   { "meyash.co", true },
   { "mf-fischer.de", true },
-  { "mfacko.cz", true },
   { "mfen.de", true },
   { "mfgusa.com", true },
   { "mfits.co.uk", true },
@@ -24644,7 +24898,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mheistermann.de", true },
   { "mhermans.nl", true },
   { "mhi.web.id", true },
-  { "mhjuma.com", true },
   { "mhmfoundationrepair.com", true },
   { "mi-beratung.de", true },
   { "mi-so-ji.com", true },
@@ -24692,7 +24945,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "michal-s.net", true },
   { "michal-spacek.com", true },
   { "michal-spacek.cz", true },
-  { "michalp.pl", true },
+  { "michaldudek.it", true },
+  { "michalpodraza.pl", true },
   { "michalspacek.com", true },
   { "michalspacek.cz", true },
   { "michalwiglasz.cz", true },
@@ -24715,9 +24969,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "microco.sm", true },
   { "microcomploja.com.br", true },
   { "microdots.de", true },
+  { "microfonejts.com.br", true },
   { "microlinks.org", true },
   { "microlog.org", true },
   { "micromata.de", true },
+  { "micromind.io", true },
   { "microneedlingstudio.se", true },
   { "microsoftaffiliates.azurewebsites.net", true },
   { "microvb.com", true },
@@ -24725,6 +24981,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "microzubr.com", true },
   { "midair.io", true },
   { "midasjewellery.com.au", true },
+  { "midcarolinaregionalairport.com", true },
+  { "midcarolinaregionalairport.org", true },
   { "midgawash.com", true },
   { "midislandrealty.com", true },
   { "midistop.org", true },
@@ -24734,7 +24992,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "midlandroofingri.com", true },
   { "midlandsfundays.co.uk", true },
   { "midlandsphotobooths.co.uk", true },
-  { "midlgx.com", true },
   { "midnight-visions.de", true },
   { "midnightmango.co.uk", true },
   { "midnightmango.de", true },
@@ -24745,7 +25002,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "midtowndentistry.com", true },
   { "midwestbloggers.org", true },
   { "midwestplus.com", true },
-  { "midweststructuralrepair.com", true },
   { "miegl.com", true },
   { "miembarcacion.com", true },
   { "miemus.eu", true },
@@ -24768,7 +25024,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mijailovic.net", true },
   { "mijcorijneveld.nl", true },
   { "mijn-financien.be", true },
-  { "mijnetickets.nl", false },
+  { "mijnavg.eu", true },
   { "mijnetz.nl", true },
   { "mijnkerstkaarten.be", true },
   { "mijnkinderkleding.com", true },
@@ -24799,6 +25055,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mikevesch.com", true },
   { "mikewest.org", true },
   { "mikewillia.ms", true },
+  { "mikewrites.online", true },
   { "mikewritesstuff.com", true },
   { "mikeybailey.org", true },
   { "mikhirev.ru", true },
@@ -24819,7 +25076,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mikywow.eu", true },
   { "mil-spec.ch", true },
   { "mil0.com", true },
+  { "milakirschner.de", true },
   { "milania.de", true },
+  { "milanpala.cz", false },
   { "milanstephan.de", true },
   { "milcahsmusings.com", true },
   { "milchbuchstabe.de", true },
@@ -24828,76 +25087,30 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "milesapart.dating", true },
   { "milhoazul.com.br", true },
   { "milionshop.sk", true },
+  { "milkameglepetes.hu", true },
   { "milkandcookies.ca", true },
   { "milkingit.co.uk", true },
+  { "milktea.info", true },
   { "millanova.wedding", false },
   { "milldyke.com", true },
   { "milldyke.nl", true },
   { "millefleurs.eu", true },
   { "millennium-thisiswhoweare.net", true },
+  { "millenniumstem.org", true },
   { "millenniumweb.com", false },
   { "millersminibarns.com", true },
   { "millettable.com", true },
   { "millhousenchurch.com", true },
-  { "million5.com", true },
-  { "million6.com", true },
-  { "million8.com", true },
   { "millionairegames.com", true },
   { "millions1.com", true },
-  { "millions11.com", true },
-  { "millions13.com", true },
-  { "millions14.com", true },
-  { "millions15.com", true },
-  { "millions16.com", true },
-  { "millions17.com", true },
-  { "millions19.com", true },
-  { "millions20.com", true },
-  { "millions22.com", true },
-  { "millions25.com", true },
-  { "millions26.com", true },
-  { "millions27.com", true },
-  { "millions28.com", true },
-  { "millions29.com", true },
-  { "millions31.com", true },
   { "millions32.com", true },
-  { "millions33.com", true },
-  { "millions35.com", true },
-  { "millions36.com", true },
-  { "millions37.com", true },
-  { "millions38.com", true },
-  { "millions39.com", true },
-  { "millions40.com", true },
-  { "millions41.com", true },
-  { "millions42.com", true },
-  { "millions43.com", true },
-  { "millions5.com", true },
-  { "millions50.com", true },
   { "millions51.com", true },
   { "millions52.com", true },
   { "millions53.com", true },
-  { "millions55.com", true },
-  { "millions56.com", true },
   { "millions57.com", true },
-  { "millions58.com", true },
-  { "millions59.com", true },
-  { "millions6.com", true },
   { "millions60.com", true },
-  { "millions61.com", true },
-  { "millions62.com", true },
-  { "millions63.com", true },
-  { "millions66.com", true },
-  { "millions7.com", true },
-  { "millions70.com", true },
-  { "millions71.com", true },
-  { "millions72.com", true },
   { "millions77.com", true },
   { "millions8.com", true },
-  { "millions80.com", true },
-  { "millions81.com", true },
-  { "millions82.com", true },
-  { "millions88.com", true },
-  { "millions9.com", true },
-  { "millions99.com", true },
   { "millistream.com", true },
   { "milnes.org", true },
   { "milsonhypnotherapyservices.com", true },
@@ -24906,9 +25119,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mimemoriadepez.com", true },
   { "mimeo.digital", true },
   { "mimithedog.com", true },
-  { "mimobile.website", true },
+  { "mimmog.it", true },
   { "mimocad.io", true },
   { "mimovrste.com", true },
+  { "mimusic.cf", true },
   { "min-datorsupport.se", true },
   { "min-sky.no", true },
   { "minakov.pro", true },
@@ -24918,9 +25132,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "minaprine.com", true },
   { "mind-box.ch", true },
   { "mind-hochschul-netzwerk.de", true },
-  { "mind-moves.es", true },
   { "mindatasupport.nu", true },
   { "mindatasupport.se", true },
+  { "mindatorsupport.se", true },
   { "mindcoding.ro", true },
   { "mindercasso.nl", true },
   { "mindfactory.de", true },
@@ -24938,11 +25152,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "minecraft-server.eu", true },
   { "minecraftforum.de", true },
   { "minecraftforum.ovh", true },
-  { "minecraftjson.com", true },
+  { "minecraftjson.com", false },
   { "minecraftstal.com", true },
   { "minehattan.de", true },
   { "minehub.de", true },
-  { "minei.me", true },
   { "minenash.com", true },
   { "minepack.net", true },
   { "minepay.net", true },
@@ -24974,11 +25187,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "minimbah.com.au", true },
   { "minimvc.com", true },
   { "miningtronics.com", true },
+  { "minisoft4u.ir", true },
   { "ministeriumfuerinternet.de", true },
   { "minitruckin.net", true },
   { "minitrucktalk.com", true },
   { "minivaro.de", true },
-  { "miniwallaby.com", true },
   { "minkymoon.jp", true },
   { "minnesotakinkyyouth.org", true },
   { "minnesotamathcorps.org", true },
@@ -24992,12 +25205,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mintosherbs.com", true },
   { "mintrak2.com", true },
   { "mintse.com", true },
-  { "minu.link", true },
   { "minube.co.cr", true },
   { "minutashop.ru", true },
   { "minux.info", true },
   { "mipapo.de", true },
-  { "mipla.ch", true },
   { "miproximopaso.org", true },
   { "mipueblohoy.com", true },
   { "mipymesenlinea.com", true },
@@ -25012,6 +25223,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mirepublic.co.nz", true },
   { "mireservaonline.es", true },
   { "mirfire.com", true },
+  { "mirjamderijk.nl", false },
   { "mirkofranz.de", true },
   { "mironet.cz", true },
   { "mirrorbot.ga", true },
@@ -25022,6 +25234,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "misakacloud.net", true },
   { "misakiya.co.jp", true },
   { "misanci.cz", true },
+  { "mischak.net", true },
   { "misclick.nl", true },
   { "mishkovskyi.net", true },
   { "misinstrumentos.com", true },
@@ -25078,11 +25291,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mitsukabose.com", true },
   { "mittagonggardencentre.com.au", true },
   { "mittagonghomestead.com.au", true },
+  { "mittbolan.se", true },
   { "mittelunsachlich.de", true },
   { "mittenofficesystems.com", true },
   { "mitylite.com", true },
   { "mitzpettel.com", true },
   { "miui-germany.de", true },
+  { "mivestuariolaboral.com", true },
   { "mivzak.im", true },
   { "mivzakim.biz", true },
   { "mivzakim.info", true },
@@ -25090,8 +25305,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mivzakim.net", true },
   { "mivzakim.org", true },
   { "mivzakim.tv", true },
+  { "mivzaklive.co.il", true },
   { "miweb.cr", false },
   { "mixinglight.com", true },
+  { "mixmister.com", true },
   { "mixnshake.com", true },
   { "mixposure.com", true },
   { "mixrepairs.co.uk", true },
@@ -25106,6 +25323,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mizu.coffee", true },
   { "mizucoffee.net", true },
   { "mizuho-trade.net", true },
+  { "mizuhobank.co.id", true },
   { "mj420.com", true },
   { "mjacobson.net", true },
   { "mjanja.ch", true },
@@ -25130,6 +25348,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mkg-scherer.de", true },
   { "mkg-wiebelskirchen.de", true },
   { "mkhsoft.eu", true },
+  { "mkie.cf", true },
   { "mkimage.com", true },
   { "mkjl.ml", true },
   { "mkk.de", true },
@@ -25167,10 +25386,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mmt.my", true },
   { "mmucha.de", true },
   { "mncloud.de", true },
-  { "mncr.nl", true },
   { "mnd.sc", true },
   { "mne.moe", true },
   { "mnedc.org", true },
+  { "mneerup.dk", true },
   { "mnemonic.ninja", true },
   { "mnguyen.io", true },
   { "mnitro.com", true },
@@ -25185,8 +25404,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mo.nl", true },
   { "mo2021.de", true },
   { "moa.moe", true },
+  { "moabpapier.de", true },
+  { "moabygg.se", true },
   { "moahmo.com", true },
+  { "mobag.ru", false },
   { "mobal.com", true },
+  { "mobi2go.com", true },
   { "mobidea.com", true },
   { "mobifinans.ru", true },
   { "mobil-bei-uns.de", true },
@@ -25221,6 +25444,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "moc.ac", true },
   { "mocarps.hk", true },
   { "mochanstore.com", true },
+  { "mochiyuki.net", true },
   { "mockerel.com", true },
   { "mococo.co.uk", true },
   { "modaexecutiva.com.br", true },
@@ -25254,6 +25478,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "modistry.com", true },
   { "modistryusercontent.com", true },
   { "modmountain.com", true },
+  { "modnitsa.info", true },
   { "modosaude.com.br", true },
   { "modul21.com", true },
   { "modul21.eu", true },
@@ -25272,7 +25497,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "moeqing.net", true },
   { "moetrack.com", true },
   { "moeyoo.net", true },
+  { "mofidmed.com", true },
   { "mofohome.dyndns.org", true },
+  { "mogooin.com", true },
   { "moha-swiss.com", true },
   { "mohanmekap.com", true },
   { "mohela.com", true },
@@ -25289,8 +25516,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mojefedora.cz", true },
   { "mojilitygroup.com", true },
   { "mojizuri.com", true },
-  { "mojnet.eu", true },
-  { "mojnet.net", true },
   { "mojoco.co.za", true },
   { "mojzis.com", true },
   { "mojzis.cz", true },
@@ -25314,7 +25539,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "momentum.photos", true },
   { "momentumdash.com", true },
   { "momirfarooq.com", true },
-  { "momjoyas.com", true },
   { "momo0v0.club", true },
   { "momozeit.de", true },
   { "momstableonline.com", true },
@@ -25333,7 +25557,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "monarchcleanersnc.com", true },
   { "monbudget.org", true },
   { "moncoach.ch", true },
-  { "mondedesnovels.com", true },
   { "mondedie.fr", true },
   { "mondial-movers.nl", true },
   { "mondo-it.ch", true },
@@ -25355,7 +25578,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "monix.io", true },
   { "monkay.de", true },
   { "monkeybusiness.agency", true },
-  { "monkeydust.net", true },
   { "monkeyhill.us", true },
   { "monkeytek.ca", true },
   { "monkieteel.com", true },
@@ -25365,6 +25587,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mono.cafe", true },
   { "mono0x.net", true },
   { "monobank.no", true },
+  { "monobunt.at", true },
   { "monodukuri.com", true },
   { "monokoo.com", true },
   { "monolithapps.com", true },
@@ -25419,6 +25642,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "moonmelo.com", true },
   { "moonraptor.co.uk", true },
   { "moonraptor.com", true },
+  { "moonrhythm.io", true },
   { "moonshyne.org", true },
   { "moontaj.com", true },
   { "moonvpn.org", true },
@@ -25434,6 +25658,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "moosmann-moehrle.de", true },
   { "moot-info.co.za", true },
   { "moovablestorage.com", true },
+  { "mop321.com", true },
   { "moparcraft.net", true },
   { "moparisthebest.com", true },
   { "moparisthebest.net", true },
@@ -25442,6 +25667,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mopedreifen.de", false },
   { "mopie.de", true },
   { "mople71.cz", true },
+  { "moplx.com", true },
   { "moppeleinhorn.de", true },
   { "moppy.org", true },
   { "morbatex.com", true },
@@ -25511,6 +25737,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mothereff.in", false },
   { "motifstudio.com.ua", true },
   { "motionless.nl", true },
+  { "motionvideos.uk", true },
   { "motiweb.fr", true },
   { "motocollection.pl", true },
   { "motohell.com", true },
@@ -25549,7 +25776,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "moviedeposit.com", true },
   { "moviefreeze.com", true },
   { "movieguys.org", true },
-  { "movienized.de", true },
   { "moviepilot.com", true },
   { "moviesetc.net", true },
   { "moviko.nz", true },
@@ -25563,6 +25789,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "moy.cat", true },
   { "moyer.pub", true },
   { "moylen.eu", true },
+  { "moysovet.info", false },
   { "mozartgroup.hu", true },
   { "mozektevidi.net", true },
   { "mozilla.cz", true },
@@ -25574,6 +25801,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mpetroff.net", true },
   { "mpg-universal.com", true },
   { "mpgaming.pro", true },
+  { "mphwinkel.nl", true },
   { "mpkrachtig.nl", true },
   { "mpkshop.com.br", true },
   { "mplanetphl.fr", true },
@@ -25603,6 +25831,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mrgasfires.co.uk", true },
   { "mrgiveaways.com", true },
   { "mrhc.ru", true },
+  { "mrhookupsd.com", true },
   { "mrinalpurohit.in", true },
   { "mrjhnsn.com", true },
   { "mrjooz.com", true },
@@ -25665,8 +25894,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mtasa.hu", true },
   { "mtauburnassociates.com", true },
   { "mtb.wtf", true },
-  { "mtcq.jp", true },
   { "mtd.org", true },
+  { "mteleport.net", true },
   { "mtg-tutor.de", true },
   { "mtgeni.us", true },
   { "mtgenius.com", true },
@@ -25689,7 +25918,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mtsolar.es", true },
   { "mu.search.yahoo.com", false },
   { "muabannhanh.com", false },
-  { "muahahahaha.co.uk", true },
   { "mubiflex.nl", true },
   { "muckingabout.eu", true },
   { "muckrack.com", true },
@@ -25699,6 +25927,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mudbenesov.cz", true },
   { "mudcrab.us", false },
   { "muehlemann.net", true },
+  { "muel.io", true },
   { "muelhau.pt", true },
   { "muell-weg.de", true },
   { "muellapp.com", true },
@@ -25717,6 +25946,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mulej.net", true },
   { "muling.lu", true },
   { "mullens-usedcars.be", true },
+  { "mullerimoveisrj.com.br", true },
   { "multi-vpn.biz", true },
   { "multibit.org", true },
   { "multibomasm.com.br", true },
@@ -25730,7 +25960,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "multimedia-pool.com", true },
   { "multiplayernow.com", true },
   { "multipleservers.com", true },
-  { "multiplexcy.com", true },
   { "multirep.ch", true },
   { "multiroom-streaming.de", true },
   { "multisite.ovh", true },
@@ -25750,7 +25979,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mundoconejos.com", true },
   { "mundodapoesia.com", true },
   { "mundodasmensagens.com", true },
-  { "mundodoscarbonos.com.br", true },
   { "mundogamers.top", true },
   { "mundokinderland.com.br", true },
   { "mundolarraz.es", true },
@@ -25809,16 +26037,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "musicwear.cz", true },
   { "musicworkout.de", true },
   { "musik-mentaltraining.ch", true },
+  { "musikholics.com", true },
   { "musikverein-elten.de", true },
   { "musikzentrale.net", true },
-  { "musique2nuit.com", true },
   { "musketonhaken.nl", false },
   { "muslim.singles", true },
   { "musmann.io", true },
   { "muspla.com", true },
   { "muspla.com.br", true },
   { "musselsblog.com", true },
-  { "mustafa.space", true },
   { "mustafaturhan.com", true },
   { "mustard.co.uk", true },
   { "mustardking.me", true },
@@ -25834,12 +26061,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "muthai.in.th", true },
   { "mutuals.cool", true },
   { "mutuelle.fr", true },
+  { "muunnin.net", true },
   { "muurlingoogzorg.nl", true },
   { "muusikoiden.net", true },
   { "muwatenraqamy.org", true },
   { "muz2u.ru", true },
   { "muzeumkomiksu.eu", true },
-  { "muzhijy.com", false },
+  { "muzhijy.com", true },
   { "muzikantine.nl", true },
   { "mv-schnuppertage.de", true },
   { "mv-wohnen.de", true },
@@ -25852,6 +26080,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mw.search.yahoo.com", false },
   { "mwainc.org", true },
   { "mwalz.com", true },
+  { "mwamitours.com", true },
   { "mware-staging.azurewebsites.net", true },
   { "mwavuli.co.ke", true },
   { "mwba.org", true },
@@ -25936,12 +26165,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "myconnect.cn", true },
   { "myconsulting.ch", true },
   { "mycookrecetas.com", true },
+  { "mycoupons.com", true },
   { "mycr.eu", true },
-  { "mycreativeartsconsulting.com", true },
   { "mycreativenook.com", true },
   { "mycreditcardcenter.com", true },
   { "mycrypnet.io", true },
-  { "mycrypto.com", true },
+  { "mycrypto.com", false },
   { "mycrystalgrove.com", true },
   { "mycuco.it", true },
   { "mycustomwriting.com", true },
@@ -25962,12 +26191,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mydreamshaadi.in", true },
   { "mydroneservices.ca", true },
   { "mydroneservices.com", true },
-  { "myeasybooking.de", true },
+  { "myduffyfamily.com", true },
   { "myeberspaecher.com", true },
   { "myeffect.today", true },
   { "myeisenbahn.de", true },
   { "myetherwallet.com", true },
   { "myf.cloud", true },
+  { "myfae.eu", true },
   { "myfantasysportstalk.com", true },
   { "myfedloan.org", true },
   { "myfirenet.com", true },
@@ -25980,6 +26210,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mygallery.homelinux.net", true },
   { "mygate.at", false },
   { "mygedit.com", true },
+  { "mygeneral.org", true },
   { "mygeotrip.com", true },
   { "mygest.me", true },
   { "mygigabitnation.com", true },
@@ -26005,6 +26236,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "myipv4.de", true },
   { "myjudo.net", true },
   { "myjumparoo.co.uk", true },
+  { "myjumpsuit.de", true },
   { "myki.co", true },
   { "mykontool.de", true },
   { "mykumedir.com", true },
@@ -26036,6 +26268,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mymx.lu", true },
   { "myna.go.jp", true },
   { "mynameistavis.com", true },
+  { "myndcoin.com", true },
   { "mynetworkingbuddy.com", true },
   { "mynext.events", true },
   { "mynextmove.org", true },
@@ -26057,10 +26290,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "myownconference.ru", true },
   { "myowndisk.com", true },
   { "myowndisk.net", true },
-  { "myownwebinar.com", true },
   { "mypaperdone.com", true },
   { "mypartnernews.com", true },
   { "mypartybynoelia.es", true },
+  { "mypay.fr", true },
   { "mypayoffloan.com", true },
   { "mypcqq.cc", true },
   { "myperfecthome.ca", true },
@@ -26137,6 +26370,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "myrewardspoints.com", true },
   { "myriadof.com", true },
   { "myrig.com", true },
+  { "myrig.net", true },
   { "myrnabiondo.com.br", true },
   { "myrotvorets.center", true },
   { "myrotvorets.news", true },
@@ -26144,6 +26378,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mysber.ru", true },
   { "myschoolphoto.org", true },
   { "myseatime.com", true },
+  { "mysecretcase.com", false },
   { "mysectools.org", true },
   { "myself5.de", true },
   { "myservicearl.com", true },
@@ -26170,7 +26405,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mysticplumes.com", true },
   { "mystorymonster.com", true },
   { "mystudycart.com", true },
-  { "mysupboard.de", true },
   { "myswissmailaddress.com", true },
   { "mytfg.de", true },
   { "mythemeshop.com", false },
@@ -26236,6 +26470,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "n4v.eu", true },
   { "n5118.com", true },
   { "n6a.net", true },
+  { "n7.education", true },
+  { "n8ch.net", true },
   { "n8mgt.com", true },
   { "n8nvi.com", true },
   { "n8solutions.net", true },
@@ -26254,9 +26490,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nachtmuziek.info", true },
   { "nacin.com", true },
   { "nacktetatsachen.at", false },
-  { "nacktwanderfreunde.de", true },
   { "nacyklo.cz", true },
-  { "nadaquenosepas.com", true },
   { "nadejeproninu.cz", true },
   { "nadelholzkulturen.de", true },
   { "naders.com", true },
@@ -26288,6 +26522,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "najany.fr", true },
   { "najany.nl", true },
   { "najany.se", true },
+  { "najedlo.sk", true },
   { "naji-astier.com", true },
   { "nakada4610.com", true },
   { "nakalabo.jp", true },
@@ -26297,6 +26532,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nakedalarmclock.me", true },
   { "nakedtruthbeauty.com", true },
   { "nakene.com", true },
+  { "nakladki.su", true },
   { "nakliyat.name.tr", true },
   { "nakliyatsirketi.biz.tr", true },
   { "nako.no", true },
@@ -26314,7 +26550,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "namethissymbol.com", true },
   { "nametiles.co", true },
   { "nami.bo", true },
-  { "nami.exchange", true },
   { "nami.trade", true },
   { "naminam.de", true },
   { "namrs.net", true },
@@ -26333,6 +26568,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nano.voting", true },
   { "nanofy.org", true },
   { "nanogi.ga", true },
+  { "nanogramme.fr", true },
   { "nanollet.org", true },
   { "nanotechnologist.com", true },
   { "nanotechnologysolutions.com.au", true },
@@ -26355,7 +26591,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "narakenkoland.net", true },
   { "naralogics.com", true },
   { "narardetval.se", true },
-  { "narazaka.net", true },
   { "narduin.xyz", true },
   { "narenderchopra.com", true },
   { "narfation.org", true },
@@ -26392,6 +26627,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nathaliebaroncoaching.ch", true },
   { "nathaliedijkxhoorn.com", true },
   { "nathaliedijkxhoorn.nl", true },
+  { "nathan.io", true },
   { "nathanaeldawe.com", true },
   { "nathancheek.com", false },
   { "nathankonopinski.com", true },
@@ -26426,6 +26662,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "naturalspacesdomes.com", true },
   { "naturaum.de", true },
   { "nature-et-bio.fr", true },
+  { "natureclaim.com", true },
   { "natureflo.net", true },
   { "naturesbest.co.uk", true },
   { "naturesorganichaven.com", true },
@@ -26445,17 +26682,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nautsch.de", true },
   { "navarralanparty.org", true },
   { "navdeep.ca", true },
-  { "navenlle.com", true },
   { "navienna.com", true },
   { "navient.com", true },
   { "navigate-it-services.de", false },
   { "navstevnik.sk", true },
-  { "navstivime.cz", true },
   { "navycs.com", true },
   { "nawir.de", true },
   { "nayahe.ru", true },
   { "nayami64.xyz", true },
   { "nayanaas.com", true },
+  { "nayr.us", true },
   { "nazevfirmy.cz", true },
   { "nazukebanashi.com", true },
   { "nazuna.blue", true },
@@ -26518,7 +26754,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nbhorsetraining.com", true },
   { "nbib.gov", true },
   { "nbnnetwork.com", true },
-  { "nbp.com.pk", true },
   { "nbrain.de", true },
   { "nbrii.com", true },
   { "nbriresearch.com", true },
@@ -26528,6 +26763,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nc-formation.fr", true },
   { "nc-network.io", true },
   { "nc99.co", true },
+  { "nca.ink", true },
   { "ncamarquee.co.uk", true },
   { "ncands.net", true },
   { "ncc-efm.com", true },
@@ -26536,6 +26772,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nccemail.net", true },
   { "ncdc.pt", true },
   { "ncea.net.au", true },
+  { "ncgt.se", true },
   { "nchangfong.com", true },
   { "nchponline.org", true },
   { "ncic.gg", true },
@@ -26546,7 +26783,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ncstep.org", true },
   { "nctx.co.uk", true },
   { "ndarville.com", true },
-  { "ndatc.com", true },
   { "ndbt.com", true },
   { "ndcpolipak.com", true },
   { "ndeoffshore.com", true },
@@ -26562,7 +26798,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ndy.sex", true },
   { "ne-on.org", true },
   { "nea.gov", true },
-  { "nearbi.com.mx", true },
   { "nearby.in.th", true },
   { "neartothesky.com", true },
   { "neatous.cz", true },
@@ -26576,6 +26811,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nebra.io", true },
   { "nebracy.com", true },
   { "nebul.at", true },
+  { "nebula.exchange", true },
   { "nebulae.co", true },
   { "nebuluxcapital.com", true },
   { "necessaryandproportionate.net", true },
@@ -26629,12 +26865,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nekowa.moe", true },
   { "nekusoul.de", true },
   { "nelhage.com", true },
-  { "nella-project.org", true },
-  { "nellacms.com", true },
-  { "nellacms.org", true },
-  { "nellafw.org", true },
   { "nemcd.com", true },
-  { "nemecl.eu", true },
   { "nemez.net", true },
   { "nemo.run", true },
   { "nemopan.com", true },
@@ -26655,7 +26886,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "neohu.com", true },
   { "neojo.org", true },
   { "neolaudia.es", true },
-  { "neolink.dk", true },
   { "neonataleducationalresources.org", true },
   { "neonatalgoldenhours.org", true },
   { "neonknight.ch", true },
@@ -26691,11 +26921,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nerot.eu", true },
   { "nerpa-club.ru", true },
   { "nerull7.info", true },
-  { "nerven.se", false },
+  { "nerven.se", true },
   { "nesbase.com", true },
   { "nesolabs.com", true },
   { "nesolabs.de", true },
-  { "nestedquotes.ca", true },
   { "nestor.nu", true },
   { "neswec.org.uk", true },
   { "net-masters.pl", true },
@@ -26716,6 +26945,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "netbuzz.ru", true },
   { "netconnect.at", true },
   { "netcoolusers.org", true },
+  { "netd.at", true },
   { "netdex.co", true },
   { "netera.se", true },
   { "neteraser.de", true },
@@ -26752,6 +26982,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "netsparker.com.tr", true },
   { "netspeedia.net", true },
   { "netsphere.cz", true },
+  { "nettacompany.com.tr", true },
   { "nettamente.com", true },
   { "nette.org", true },
   { "nettegeschenke.de", true },
@@ -26759,7 +26990,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nettilamppu.fi", true },
   { "netto-service.ch", true },
   { "nettools.link", true },
-  { "nettoyage.email", true },
   { "nettx.co.uk", true },
   { "netulo.com", true },
   { "netvizura.co.uk", true },
@@ -26792,7 +27022,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "neurochip.com", true },
   { "neurocny.cloud", true },
   { "neuroethics.com", true },
-  { "neurogroove.info", true },
   { "neurolab.no", true },
   { "neuropharmacology.com", true },
   { "neurostimtms.com", true },
@@ -26816,9 +27045,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "new-process.com", true },
   { "new-process.de", true },
   { "new-process.eu", true },
+  { "new-web-studio.com", true },
   { "new.travel.pl", true },
   { "newaccess.ch", true },
-  { "newbasemedia.us", true },
   { "newbietech.cn", false },
   { "newborncryptocoin.com", true },
   { "newburybouncycastles.co.uk", true },
@@ -26828,6 +27057,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "newburyparkexteriorlighting.com", true },
   { "newburyparklandscapelighting.com", true },
   { "newburyparkoutdoorlighting.com", true },
+  { "newcab.de", true },
   { "newcitygas.ca", true },
   { "newcityinfo.ch", true },
   { "newcitystudio.ch", true },
@@ -26851,8 +27081,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "newmovements.net", true },
   { "newmusicjackson.org", true },
   { "newodesign.com", true },
+  { "newposts.ru", true },
   { "newreleases.io", true },
-  { "news47ell.com", true },
+  { "newsgroups.io", true },
+  { "newsletteralerts.com", true },
   { "newsmotor.info", true },
   { "newspsychology.com", true },
   { "newstone-tech.com", true },
@@ -26862,8 +27094,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "newvehicle.com", true },
   { "nex.li", true },
   { "nex.sx", true },
+  { "nexd.com", true },
   { "nexicafiles.com", true },
-  { "nexril.net", true },
   { "next-web.ad.jp", true },
   { "next176.sk", true },
   { "next24.io", true },
@@ -26873,14 +27105,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nextcasino.com", true },
   { "nextcloud.co.za", true },
   { "nextcloud.com", true },
-  { "nextcloud.nerdpol.ovh", true },
+  { "nextcloud.li", true },
   { "nextclouddarwinkel.nl", true },
   { "nextevolution.co.uk", true },
   { "nextgen.sk", true },
   { "nextgencel.com", true },
   { "nextgenthemes.com", true },
   { "nextgreatmess.com", true },
-  { "nexthop.jp", true },
   { "nextiot.de", true },
   { "nextmbta.com", true },
   { "nextme.se", true },
@@ -26908,6 +27139,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nfl.duckdns.org", true },
   { "nflchan.org", true },
   { "nflmocks.com", true },
+  { "nfls.io", true },
   { "nflsic.org", true },
   { "nfpors.gov", true },
   { "nframe.io", true },
@@ -26922,10 +27154,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nginxconfig.io", true },
   { "ngndn.jp", true },
   { "ngt.gr", true },
+  { "nguyenminhhung.com", true },
   { "ngvf.de", true },
   { "ngx.hk", true },
   { "ngxpkg.com", true },
-  { "nhccnews.org", true },
   { "nhchalton.com", true },
   { "nhdsilentheroes.org", true },
   { "nhgteam.hu", true },
@@ -26966,13 +27198,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nickhitch.co.uk", true },
   { "nickloose.de", true },
   { "nicklord.com", true },
+  { "nickmertin.ca", true },
+  { "nickmorri.com", true },
   { "nickplotnek.co.uk", true },
   { "nickrickard.co.uk", true },
   { "nicks-autos.com", true },
   { "nickscomputers.nl", true },
   { "nickserve.com", true },
   { "nickstories.de", true },
-  { "nicktheitguy.com", true },
   { "niclasreich.de", true },
   { "nicn.me", true },
   { "nico.st", true },
@@ -27000,7 +27233,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nidro.de", true },
   { "nidsuber.ch", true },
   { "niederohmig.de", true },
-  { "niedrigsterpreis.de", true },
   { "niehage.name", true },
   { "nielshoogenhout.be", true },
   { "nielshoogenhout.eu", true },
@@ -27057,13 +27289,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nikklassen.ca", true },
   { "niklas.pw", true },
   { "niklasbabel.com", true },
+  { "nikolainevalainen.fi", true },
   { "nikomo.fi", false },
   { "nikoninframe.co.uk", true },
   { "nikonlibrary.co.uk", true },
   { "nikonnps.co.uk", true },
   { "nikonpromotions.co.uk", true },
   { "nikonschool.co.uk", true },
-  { "nikz.in", true },
+  { "niktok.com", true },
   { "nil.gs", true },
   { "nil.mx", true },
   { "niles.xyz", true },
@@ -27102,6 +27335,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nirjonmela.com", true },
   { "nirjonmela.net", true },
   { "nirudo.me", true },
+  { "niscats.com", true },
   { "nissanofbismarckparts.com", true },
   { "nitifilter.com", true },
   { "nitix.games", true },
@@ -27114,7 +27348,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nitrous-networks.com", true },
   { "nitschinger.at", true },
   { "niu.moe", true },
-  { "nivi.ca", true },
   { "nix.black", true },
   { "nixonlibrary.gov", true },
   { "nixtest.net", true },
@@ -27152,9 +27385,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "no-xice.com", true },
   { "no.search.yahoo.com", false },
   { "noagendahr.org", true },
+  { "noah-witt.com", true },
   { "noahjacobson.com", true },
   { "noahmodas.com.br", true },
   { "noahsaso.com", true },
+  { "noahwitt.me", true },
   { "nobitakun.com", true },
   { "nobledust.com", true },
   { "nobleparkapartments.com.au", true },
@@ -27162,7 +27397,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "noc.org", true },
   { "nocit.dk", true },
   { "nocks.com", true },
-  { "nocmd.com", true },
   { "nocs.cn", true },
   { "nodari.com.ar", true },
   { "nodariweb.com.ar", true },
@@ -27172,11 +27406,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nodelia.com", true },
   { "nodesec.cc", true },
   { "nodesonic.com", true },
+  { "nodespin.com", true },
   { "nodevops.com", true },
+  { "nodist.club", true },
   { "noeatnosleep.me", true },
   { "noedidacticos.com", true },
   { "noelclaremont.com", true },
   { "noellabo.jp", true },
+  { "noellimpag.me", true },
   { "noematic.space", true },
   { "noemax.com", true },
   { "noexec.org", true },
@@ -27211,7 +27448,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nomial.co.uk", true },
   { "nomifensine.com", true },
   { "nomsy.net", true },
-  { "nonabytes.xyz", true },
+  { "nonabytes.xyz", false },
   { "noname-ev.de", true },
   { "nonametheme.com", true },
   { "noncombatant.org", true },
@@ -27226,7 +27463,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "noomist.com", true },
   { "noon-entertainments.com", true },
   { "noop.ch", true },
+  { "nooranevalainen.fi", true },
   { "noordsee.de", true },
+  { "noordwesthoekrit.nl", true },
   { "noorsolidarity.com", true },
   { "noortronic.com", true },
   { "nootronerd.com", true },
@@ -27239,7 +27478,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nord-restaurant-bar.de", true },
   { "nord-sud.be", true },
   { "nordakademie.de", true },
-  { "nordicess.dk", true },
+  { "norden.eu.org", true },
   { "nordicirc.com", true },
   { "nordinfo.fi", true },
   { "nordlichter-brv.de", true },
@@ -27276,6 +27515,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "northerngate.net", true },
   { "northernhamsterclub.com", true },
   { "northernpage.com", true },
+  { "northernpowertrain.com", true },
   { "northernselfstorage.co.za", true },
   { "northfieldyarn.com", true },
   { "northokanaganbookkeeping.com", true },
@@ -27290,7 +27530,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "noscript.net", true },
   { "noscura.nl", true },
   { "nosecrets.ch", true },
-  { "nosfermiers.com", true },
   { "noslite.nl", true },
   { "nospoint.cz", true },
   { "nosqlzoo.net", true },
@@ -27375,11 +27614,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "np.search.yahoo.com", false },
   { "npath.de", true },
   { "npcrcss.org", true },
+  { "nphrm.com", true },
   { "npmcdn.com", true },
   { "npregion.org", true },
   { "npsas.org", true },
   { "npw.net", true },
-  { "nqeshreviewer.com", true },
   { "nrd.li", true },
   { "nrdstd.io", true },
   { "nrev.ch", true },
@@ -27414,6 +27653,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nte.email", true },
   { "nti.de", true },
   { "ntia.gov", true },
+  { "ntlabs.org", true },
   { "ntotten.com", true },
   { "ntppool.org", false },
   { "ntsb.gov", true },
@@ -27424,7 +27664,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nu3tion.cz", true },
   { "nuacht.ie", true },
   { "nuamooreaindonesia.com", true },
-  { "nubella.com.au", true },
   { "nubu.at", true },
   { "nuclea.id", true },
   { "nuclea.site", true },
@@ -27435,6 +27674,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nuevaimagenpublicidad.es", true },
   { "nuffield.nl", true },
   { "nugdev.co", true },
+  { "nukleosome.com", true },
   { "null-life.com", true },
   { "nullday.de", true },
   { "nulle-part.org", true },
@@ -27505,6 +27745,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nwerc.party", true },
   { "nwgh.org", false },
   { "nwimports.com", true },
+  { "nwitt.us", true },
   { "nwk1.com", true },
   { "nwperformanceandoffroad.com", true },
   { "nwr-waffenbuch.de", true },
@@ -27537,6 +27778,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nyoronfansubs.org", true },
   { "nyphox.ovh", true },
   { "nys-hk.com", false },
+  { "nysteak5.com", true },
   { "nytrafficticket.com", true },
   { "nyxi.eu", true },
   { "nyyu.tk", true },
@@ -27544,7 +27786,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nzbr.de", true },
   { "nzstudy.ac.nz", true },
   { "nzws.me", true },
-  { "o-loska.cz", true },
   { "o-results.ch", true },
   { "o-sp.com", true },
   { "o2careers.co.uk", true },
@@ -27563,6 +27804,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oakparklighting.com", true },
   { "oakparkoutdoorlighting.com", true },
   { "oakslighting.co.uk", true },
+  { "oaktree-realtors.com", true },
   { "oanalista.com.br", true },
   { "oasisdabeleza.com.br", true },
   { "oasisim.net", false },
@@ -27573,7 +27815,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "obamawhitehouse.gov", true },
   { "oberhofdrinks.com", true },
   { "obermeiers.eu", true },
-  { "oberoi.de", true },
   { "obesidadlavega.com", true },
   { "obfuscate.xyz", true },
   { "obg-global.com", true },
@@ -27583,11 +27824,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "objectif-terre.ch", true },
   { "objekt-textil.ch", true },
   { "oblast45.ru", false },
+  { "obligacjekk.pl", true },
   { "oboeta.com", true },
   { "obono.at", true },
   { "obrienswine.ie", true },
   { "obs.group", true },
-  { "obscur.us", true },
   { "observer.name", true },
   { "obsessharness.com", true },
   { "obsidianirc.net", true },
@@ -27599,6 +27840,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oc-sa.ch", true },
   { "ocalaflwomenshealth.com", true },
   { "ocarupo.com", true },
+  { "occ.gov", true },
   { "occenterprises.org", true },
   { "occentus.net", true },
   { "occmon.net", true },
@@ -27652,6 +27894,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oddsandevensbookkeeping.ca", true },
   { "oddtime.net", true },
   { "odensc.me", true },
+  { "odense3dprint.dk", true },
   { "odhosc.ca", true },
   { "odifi.com", true },
   { "odinseye.net", true },
@@ -27675,6 +27918,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oemspace.nl", true },
   { "oemwolf.com", true },
   { "oenings.eu", true },
+  { "oessi.eu", true },
   { "of2m.fr", true },
   { "ofcampuslausanne.ch", true },
   { "ofda.gov", true },
@@ -27688,6 +27932,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "offertegiuste.com", true },
   { "offfbynight.be", true },
   { "offgames.io", true },
+  { "offgridauto.com", true },
   { "offgridhub.com", true },
   { "office-discount.at", true },
   { "office-discount.de", true },
@@ -27697,7 +27942,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "officeinteriors.co.nz", true },
   { "officemovepro.com", true },
   { "officiants.wedding", false },
-  { "officium.tech", true },
   { "offroadeq.com", true },
   { "offroadhoverboard.net", true },
   { "offshoot.ie", true },
@@ -27718,6 +27962,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oh14.de", true },
   { "ohadsoft.com", true },
   { "ohai.su", true },
+  { "ohartl.de", true },
   { "ohchouette.com", true },
   { "ohd.dk", true },
   { "oheila.com", true },
@@ -27731,15 +27976,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ohsohairy.co.uk", true },
   { "ohyooo.com", true },
   { "oi-wiki.org", true },
+  { "oil-ecn.ru", true },
   { "oilpaintingsonly.com", true },
   { "oirealtor.com", true },
   { "oisd.nl", true },
   { "oita-homes.com", true },
   { "ojaioliveoil.com", true },
-  { "ojanaho.com", true },
   { "ojdip.net", true },
   { "ojomovies.com", true },
   { "ojp.gov", true },
+  { "okaidi.fr", true },
   { "okakuro.org", true },
   { "okanaganrailtrail.ca", true },
   { "okashi.me", true },
@@ -27772,10 +28018,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "olbat.net", true },
   { "olcayanar.com", true },
   { "olcbrookhaven.org", true },
-  { "oldbrookinflatables.co.uk", true },
   { "oldbrookmarqueehire.co.uk", true },
   { "oldchaphome.nl", true },
-  { "oldenglishsheepdog.com.br", true },
   { "older-racer.com", true },
   { "oldita.ru", true },
   { "oldking.net", true },
@@ -27787,6 +28031,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oldsticker.com", true },
   { "oldstmary.com", true },
   { "oldtimerreifen-moeller.de", true },
+  { "olecoin.io", true },
   { "olegon.ru", true },
   { "olegs.be", true },
   { "oleksii.name", true },
@@ -27798,6 +28043,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "olgui.net", true },
   { "olgun.eu", true },
   { "olhcparish.net", true },
+  { "olifant.fr", true },
   { "olightstore.ro", true },
   { "oliveoil.bot", true },
   { "oliveoilschool.org", true },
@@ -27839,9 +28085,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "olympeakgaming.tv", true },
   { "olympiads.ca", true },
   { "olympic-research.com", true },
+  { "om.yoga", true },
   { "om1.com", true },
   { "omanko.porn", true },
-  { "omar.yt", true },
   { "omarh.net", true },
   { "omdesign.cz", true },
   { "omegahosting.net", true },
@@ -27862,8 +28108,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "omniasl.com", true },
   { "omniatv.com", true },
   { "omnibot.tv", true },
-  { "omnisafira.com", true },
   { "omniscimus.net", false },
+  { "omnisiens.se", true },
   { "omnisky.dk", true },
   { "omnitrack.org", true },
   { "omniverse.ru", true },
@@ -27872,6 +28118,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "omoteura.com", true },
   { "omranic.com", true },
   { "omronwellness.com", true },
+  { "omsdieppe.fr", true },
   { "on-tech.co.uk", true },
   { "on.tax", true },
   { "ona.io", true },
@@ -27907,7 +28154,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "onedrive.live.com", false },
   { "onee3.org", true },
   { "onefour.ga", false },
-  { "onegoodthingbyjillee.com", true },
   { "oneheartbali.church", true },
   { "oneidentity.me", true },
   { "oneiroi.co.uk", true },
@@ -27916,11 +28162,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oneononeonone.de", true },
   { "oneononeonone.tv", true },
   { "onepercentrentals.com", true },
-  { "onepointsafeband.ca", true },
-  { "onepointsafeband.com", true },
   { "onepointzero.com", true },
   { "oneprediction.com", true },
-  { "onesnzeroes.com", false },
+  { "onesnzeroes.com", true },
   { "onesports.cz", true },
   { "onestepfootcare.com", true },
   { "onestopcastles.co.uk", true },
@@ -27929,6 +28173,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "onetech.it", true },
   { "onetime.info", true },
   { "onetonline.org", true },
+  { "onetouchrevealplus.com", true },
+  { "onetwentyseven001.com", true },
   { "oneway.ga", true },
   { "onewaymail.com", true },
   { "oneweb.hu", true },
@@ -27943,11 +28189,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "onionplay.net", true },
   { "onionplay.org", true },
   { "onionscan.org", true },
+  { "onionyst.com", true },
   { "oniria.ch", true },
   { "onix.eu.com", true },
   { "onixcco.com.br", true },
   { "onkentessegertdij.hu", true },
   { "onlfait.ch", true },
+  { "online-backup.se", true },
   { "online-bouwmaterialen.nl", true },
   { "online-calculator.com", true },
   { "online-consulting-corp.com", true },
@@ -27956,13 +28204,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "online-health-insurance.com", true },
   { "online-lernprogramme.de", true },
   { "online-pr.at", true },
-  { "online-results.dk", true },
   { "online-stopwatch.com", true },
   { "online-textil.com", true },
   { "online-textil.cz", true },
   { "online-textil.sk", true },
   { "online.marketing", true },
   { "online.net.gr", true },
+  { "online.swedbank.se", true },
   { "online24.pt", true },
   { "onlinebizdirect.com", false },
   { "onlinecasino.vlaanderen", true },
@@ -28056,6 +28304,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "openings.ninja", true },
   { "openintelligence.uk", true },
   { "openitforum.pl", true },
+  { "openjur.de", true },
   { "openkim.org", true },
   { "openkvk.nl", true },
   { "openmirrors.ml", true },
@@ -28075,6 +28324,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "openscreen.lu", true },
   { "opensource-cms.nl", true },
   { "opensource-training.de", true },
+  { "opensourcesurvey.org", true },
   { "openspa.webhop.info", true },
   { "openssl.org", true },
   { "openstem.com.au", true },
@@ -28128,18 +28378,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "opticaltest.com", true },
   { "optik-trosdorff.de", true },
   { "optimalsetup.com", true },
-  { "optimised.cloud", true },
-  { "optimised.io", true },
   { "optimisedlabs.co.uk", true },
   { "optimisedlabs.com", true },
-  { "optimisedlabs.info", true },
-  { "optimisedlabs.net", true },
-  { "optimisedlabs.uk", true },
   { "optimist.bg", true },
-  { "optimizedlabs.co.uk", true },
-  { "optimizedlabs.info", true },
-  { "optimizedlabs.net", true },
-  { "optimizedlabs.uk", true },
   { "optimumwebdesigns.com", true },
   { "optimus.io", true },
   { "optimuscrime.net", true },
@@ -28156,7 +28397,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "orangejetpack.com", true },
   { "orangenbaum.at", true },
   { "orangenuts.in", true },
+  { "orangetravel.eu", true },
   { "orangutan-appeal.org.uk", true },
+  { "oranjee.net", true },
   { "orbital3.com", true },
   { "orbu.net", true },
   { "orca.pet", true },
@@ -28187,7 +28430,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "orians.eu", true },
   { "oribia.net", true },
   { "orientalart.nl", true },
-  { "orientravelmacas.com", true },
   { "oriflameszepsegkozpont.hu", true },
   { "origami.to", true },
   { "origamika.com", true },
@@ -28207,13 +28449,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oriongames.eu", true },
   { "orkestar-krizevci.hr", true },
   { "orkiv.com", true },
+  { "orlandobalbas.com", true },
   { "orlandoprojects.com", true },
   { "orleika.io", true },
   { "orlives.de", false },
   { "ormer.nl", true },
   { "orocojuco.com", true },
-  { "orovillelaw.com", true },
-  { "orro.ro", true },
   { "orrs.de", true },
   { "orthocop.cz", true },
   { "orthodontiste-geneve-docteur-rioux.com", true },
@@ -28221,10 +28462,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "orthotictransfers.com", true },
   { "ortlepp.eu", true },
   { "oruggt.is", true },
-  { "orum.in", true },
   { "orwell1984.today", true },
   { "oryva.com", true },
-  { "orz.uno", true },
   { "os-chrome.ru", true },
   { "os-s.net", true },
   { "os-t.de", true },
@@ -28246,6 +28485,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oshrc.gov", true },
   { "osielnava.com", true },
   { "osirisrp.online", true },
+  { "osirium.com", true },
   { "oskrba.net", true },
   { "oskuro.net", true },
   { "osla.org", true },
@@ -28267,6 +28507,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "osti.gov", true },
   { "ostimwebyazilim.com", true },
   { "ostr.io", true },
+  { "ostrov8.com", true },
   { "osusume-houhou.com", true },
   { "oswalds.co.uk", true },
   { "oswaldsmillaudio.com", true },
@@ -28278,13 +28519,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "otakubox.de", true },
   { "otakurepublic.com", true },
   { "otakurumi.de", true },
+  { "otakuyun.com", true },
   { "otellio.com", true },
   { "otellio.de", true },
   { "otellio.it", true },
   { "other98.com", true },
   { "oticasaopaulo.com.br", true },
   { "oticasvisao.net.br", true },
-  { "otoblok.com", true },
   { "otokiralama.name.tr", true },
   { "otorrino.pt", true },
   { "otoy.com", true },
@@ -28302,10 +28543,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ouattara.ch", true },
   { "ouestsolutions.com", true },
   { "ouglor.com", true },
-  { "ouimoove.com", true },
   { "ouin.land", true },
   { "oulunjujutsu.com", true },
-  { "ouowo.gq", true },
   { "our-box.net", true },
   { "ourai.ws", true },
   { "ourcloud.at", true },
@@ -28350,10 +28589,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ovelhaostra.com", true },
   { "overalglas.nl", true },
   { "overamsteluitgevers.nl", true },
-  { "overceny.cz", true },
   { "overclockers.ge", true },
   { "overdrive-usedcars.be", true },
   { "overkillshop.com", true },
+  { "overseamusic.de", true },
   { "oversight.garden", true },
   { "oversight.gov", true },
   { "overstap.deals", true },
@@ -28362,7 +28601,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "overthecloud.it", true },
   { "overthinkingit.com", true },
   { "overtrolls.de", true },
-  { "overwall.org", true },
   { "overzicht.pro", true },
   { "overzicht.ws", true },
   { "oveweddings.com", true },
@@ -28385,6 +28623,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ownmay.com", true },
   { "oxborrow.ca", true },
   { "oxelie.com", true },
+  { "oxia.me", true },
+  { "oxiame.eu", true },
   { "oxo.cloud", true },
   { "oxygin.net", true },
   { "oxytocin.org", true },
@@ -28430,6 +28670,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pabloarteaga.eu", true },
   { "pabloarteaga.info", true },
   { "pabloarteaga.me", true },
+  { "pabloarteaga.name", true },
   { "pabloarteaga.net", true },
   { "pabloarteaga.nom.es", true },
   { "pabloarteaga.org", true },
@@ -28437,6 +28678,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pabloarteaga.tech", true },
   { "pabloarteaga.uk", true },
   { "pabloarteaga.xyz", true },
+  { "pablofain.com", true },
   { "pabuzo.vn", true },
   { "pacaom.com", true },
   { "pacatlantic.com", true },
@@ -28449,7 +28691,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pacificcashforcars.com.au", true },
   { "pacificpalisadeselectric.com", true },
   { "pacificpalisadeselectrical.com", true },
-  { "pacificpalisadeselectrician.com", true },
   { "pacificpalisadeslandscapelighting.com", true },
   { "pacificpalisadeslighting.com", true },
   { "pacifictilkin-occasions.be", true },
@@ -28493,6 +28734,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pagewizz.com", true },
   { "pagiamtzis.com", true },
   { "pagina.com.mx", true },
+  { "pagina394.com.br", true },
   { "paginaweb4u.com", true },
   { "pagure.io", true },
   { "pahae.de", true },
@@ -28508,6 +28750,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "paintball-shop.sk", true },
   { "paintcolorsbysue.com", true },
   { "paintingindurban.co.za", true },
+  { "paintsealdirect.com", true },
   { "paipuman.jp", true },
   { "pajadam.me", true },
   { "pajuvuo.fi", true },
@@ -28519,7 +28762,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pakistani.dating", true },
   { "pakitow.fr", true },
   { "pakke.de", true },
-  { "pakowanie-polska.pl", true },
   { "pakroyalpress.com", true },
   { "paktolos.net", true },
   { "palabr.as", true },
@@ -28576,11 +28818,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "panj.ws", true },
   { "panjiva.com", true },
   { "panmetro.com", true },
-  { "panoma.de", true },
   { "panomizer.de", true },
   { "panopy.co", true },
   { "panopy.me", true },
-  { "panoti.com", false },
   { "panoxadrez.com.br", true },
   { "panpa.ca", true },
   { "panpsychism.com", true },
@@ -28612,6 +28852,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "paperlesssolutionsltd.com.ng", true },
   { "papertracker.net", true },
   { "paperturn.com", true },
+  { "paperworld.online", true },
   { "paperwritinghelp.net", true },
   { "papiermakerijdehoop.nl", true },
   { "papiermeteenverhaal.nl", true },
@@ -28638,12 +28879,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "paranormalweirdo.com", true },
   { "paranoxer.hu", true },
   { "parasitologyclub.org", true },
+  { "parasosto.fi", true },
   { "paratlan.hu", true },
   { "paratxt.org", true },
   { "parcelbroker.co.uk", false },
   { "parchcraftaustralia.com", true },
   { "parckwart.de", true },
   { "parcon.it", true },
+  { "parcoursup.fr", true },
   { "parentelement.com", true },
   { "parentheseardenne.be", true },
   { "parentinterview.com", true },
@@ -28657,17 +28900,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "parisfranceparking.de", true },
   { "parisfranceparking.fr", true },
   { "parisfranceparking.nl", true },
-  { "parisprovincedemenagements.fr", true },
   { "parkeren.in", true },
   { "parkfans.net", true },
   { "parkhost.eu", true },
   { "parkinginparis.fr", true },
+  { "parkingparisnord.fr", true },
   { "parkingpoint.co.uk", true },
   { "parkrunstats.servehttp.com", true },
   { "parkviewmotorcompany.com", true },
   { "parkwayminyan.org", true },
   { "parlamento.gub.uy", true },
   { "parleamonluc.fr", true },
+  { "parleu2016.nl", true },
   { "parmels.com.br", true },
   { "parnassys.net", true },
   { "parodesigns.com", true },
@@ -28687,8 +28931,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "partijtjevoordevrijheid.nl", false },
   { "partiono.com", true },
   { "partner.sh", true },
+  { "partnercardservices.com", true },
   { "partnermobil.de", true },
-  { "partnersfcu.org", true },
   { "partou.de", true },
   { "partridge.tech", true },
   { "parts4phone.com", true },
@@ -28722,20 +28966,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pasarella.eu", true },
   { "pascal-bourhis.com", true },
   { "pascal-bourhis.net", true },
+  { "pascal-kannchen.de", true },
   { "pascal-wittmann.de", true },
   { "pascaline-jouis.fr", true },
   { "pascalleguern.com", true },
   { "pascalmathis.com", true },
   { "pascalmathis.me", true },
   { "pascalmathis.net", true },
-  { "pascalspoerri.ch", false },
   { "pascualinmuebles.com", true },
   { "pasearch.nl", true },
   { "pashminacachemire.com", true },
   { "pass.org.my", true },
   { "passabook.com", true },
   { "passcod.name", true },
-  { "passendonderwijs.nl", true },
   { "passfilesafe.com", true },
   { "passfoto-deinfoto.ch", true },
   { "passieposse.nl", true },
@@ -28744,7 +28987,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "passionatehorsemanship.com", true },
   { "passionatelife.com.au", true },
   { "passionbyd.com", true },
-  { "passionebenessere.com", true },
   { "passionpictures.eu", true },
   { "passions-art.com", true },
   { "passover-fun.com", true },
@@ -28785,9 +29027,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pasternok.org", true },
   { "pasticcerialorenzetti.com", true },
   { "pastoral-verbund.de", true },
-  { "pastorbelgagroenendael.com.br", true },
   { "pastordocaucaso.com.br", true },
-  { "pastormaremanoabruzes.com.br", true },
   { "pasztor.at", true },
   { "patapwn.com", true },
   { "patatbesteld.nl", true },
@@ -28803,8 +29043,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "patika-biztositas.hu", true },
   { "patikabiztositas.hu", true },
   { "patineteselectricosbaratos.net", true },
-  { "patouille-et-gribouille.fr", true },
-  { "patric-lenhart.de", true },
   { "patrick-othmer.de", true },
   { "patrick-robrecht.de", true },
   { "patrick.my-gateway.de", true },
@@ -28830,6 +29068,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "paudley.com", true },
   { "paudley.org", true },
   { "paul-barton.co.uk", true },
+  { "paul-bronski.de", true },
   { "paul.reviews", true },
   { "pauladamsmith.com", true },
   { "paulbakaus.com", true },
@@ -28850,6 +29089,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "paulrotter.de", true },
   { "paulschreiber.com", true },
   { "paulscustomauto.com", true },
+  { "paulshir.com", true },
+  { "paulshir.is", true },
   { "paulsnar.lv", true },
   { "paulswartz.net", true },
   { "paulus-foto.pl", true },
@@ -28860,6 +29101,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pauly-stahlhandel.de", true },
   { "pauspam.net", true },
   { "pautadiaria.com", true },
+  { "pavamtio.cz", true },
   { "pavando.com", true },
   { "pavelfojt.cz", true },
   { "pavelrebrov.com", true },
@@ -28869,6 +29111,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pawel-international.com", true },
   { "pawelnazaruk.com", true },
   { "pawelurbanek.com", true },
+  { "pawfriends.org.za", true },
   { "pawsomebox.co.uk", true },
   { "pawsr.us", true },
   { "paxerahealth.com", true },
@@ -28905,7 +29148,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "paytonmoledor.com", true },
   { "payupay.ru", true },
   { "payzang.com", true },
-  { "pb.ax", false },
   { "pback.se", true },
   { "pbosquet.com", true },
   { "pbourhis.me", true },
@@ -29029,11 +29271,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pekoe.se", true },
   { "pelanucto.cz", true },
   { "pelican.ie", true },
+  { "peliculator.com", true },
+  { "pellet.pordenone.it", true },
   { "pelletizermill.com", true },
   { "pelletsprice.com", true },
   { "pelopogrund.com", true },
   { "pelopoplot.com", true },
   { "pelotonimports.com", true },
+  { "pemborongbangunan.id", true },
   { "pems.gov.au", true },
   { "penaugustin.com", true },
   { "pencepay.com", true },
@@ -29089,14 +29334,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "perd.re", true },
   { "perecraft.com", true },
   { "perezdecastro.org", true },
+  { "perfect-carstyle.de", true },
   { "perfect.in.th", true },
   { "perfectbalance.tech", true },
   { "perfectcloud.org", true },
+  { "perfectfocuseyecare.com", true },
+  { "perfectgift.com", true },
   { "perfectoparty.co.uk", true },
   { "perfectsnap.co.uk", true },
   { "perfectstreaming.systems", true },
   { "perfektesgewicht.com", true },
   { "perfektesgewicht.de", true },
+  { "perfmatters.io", true },
   { "performancehealth.com", false },
   { "performing-art-schools.com", true },
   { "perfumeaz.com", true },
@@ -29108,7 +29357,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "perm4.com", true },
   { "permajackofstlouis.com", true },
   { "permeance108.com", true },
-  { "permiscoderoute.fr", true },
   { "permistheorique.be", true },
   { "permistheoriqueenligne.be", true },
   { "perniciousgames.com", true },
@@ -29183,7 +29431,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "petrostathis.com", true },
   { "petrpikora.com", true },
   { "petrucciresidential.com", true },
-  { "petruzz.net", true },
+  { "pets4life.com.au", true },
   { "petschnighof.at", true },
   { "pettitcoat.com", true },
   { "petwall.info", true },
@@ -29193,6 +29441,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "peyote.com", true },
   { "pfa.or.jp", true },
   { "pfadfinder-aurich.de", true },
+  { "pfadfinder-grossauheim.de", true },
   { "pfarchimedes-pensioen123.nl", true },
   { "pfarre-kremsmuenster.at", true },
   { "pfcafeen.dk", true },
@@ -29210,6 +29459,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pflug.email", true },
   { "pfmeasure.com", true },
   { "pfotentour-berlin.de", true },
+  { "pfrost.me", true },
   { "pfudor.tk", true },
   { "pg-forum.de", true },
   { "pg-mana.net", true },
@@ -29220,10 +29470,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pgp.guru", true },
   { "pgp.network", true },
   { "pgpmail.cc", true },
+  { "pgregg.com", true },
   { "ph-blog.de", true },
   { "ph.search.yahoo.com", false },
   { "ph3r3tz.net", true },
-  { "phantasie.cc", true },
   { "phantastikon.de", true },
   { "pharma-display.com", true },
   { "pharmaabsoluta.com.br", true },
@@ -29243,13 +29493,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "phasersec.com", false },
   { "phasme-2016.com", true },
   { "phattea.tk", true },
-  { "phaux.uno", true },
   { "phcimages.com", true },
   { "phcnetworks.net", true },
   { "phcorner.net", true },
   { "phdhub.it", true },
   { "phellowseven.com", true },
   { "phelx.de", true },
+  { "phen-garcinia.info", true },
   { "phenixairsoft.com", true },
   { "phenq.com", true },
   { "phget.com", true },
@@ -29265,6 +29515,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "philia-sa.com", true },
   { "philipdb.com", true },
   { "philipdb.nl", true },
+  { "philipkobelt.ch", true },
   { "philipp-trulson.de", true },
   { "philipp-winkler.de", true },
   { "philipp1994.de", true },
@@ -29274,7 +29525,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "philippebonnard.fr", true },
   { "philipperoose.be", true },
   { "philippheenen.de", true },
-  { "philippinedroneassociation.org", true },
   { "philippkeschl.at", true },
   { "philipssupportforum.com", true },
   { "philipzhan.tk", true },
@@ -29296,9 +29546,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "phishing-studie.org", true },
   { "phishingusertraining.com", true },
   { "phligence.com", true },
-  { "phoenics.de", true },
+  { "phocean.net", true },
   { "phoenixlogan.com", true },
   { "phoenixurbanspaces.com", true },
+  { "pholder.com", true },
   { "phone-service-center.de", true },
   { "phonix-company.fr", true },
   { "phormance.com", true },
@@ -29313,6 +29564,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "photoancestry.com", true },
   { "photoartelle.com", true },
   { "photodeal.fr", true },
+  { "photofilmcamera.com", true },
   { "photographe-reims.com", true },
   { "photographersdaydream.com", true },
   { "photography-workshops.net", true },
@@ -29320,15 +29572,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "photomodelcasting.com", true },
   { "phototravel.uk", true },
   { "phototrio.com", true },
+  { "phoxden.net", true },
   { "phoxmeh.com", true },
   { "php-developer.org", true },
   { "php-tuning.de", true },
+  { "php.watch", true },
   { "phparcade.com", true },
   { "phpartners.org", true },
   { "phpbbchinese.com", true },
   { "phpdorset.co.uk", true },
   { "phpinfo.in.th", true },
-  { "phpkari.cz", true },
   { "phpliteadmin.org", true },
   { "phpmyadmin.net", true },
   { "phpower.com", true },
@@ -29336,7 +29589,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "phpsecure.info", true },
   { "phpstan.org", true },
   { "phpunit.de", true },
-  { "phrive.space", true },
   { "phryanjr.com", false },
   { "phuket-idc.com", true },
   { "phuket-idc.de", true },
@@ -29344,12 +29596,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "phurl.de", true },
   { "phurl.io", true },
   { "phus.lu", true },
+  { "phyley.com", true },
   { "physicalism.com", true },
   { "physicalist.com", true },
   { "physicaltherapist.com", false },
   { "physics-schools.com", true },
   { "physiotherapie-seiwald.de", true },
   { "physiovesenaz.ch", true },
+  { "pi-box.ml", true },
   { "pi-control.de", true },
   { "pi-dash.com", true },
   { "pi-net.dedyn.io", true },
@@ -29378,7 +29632,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "picoauto.com", true },
   { "piconepress.com", true },
   { "picotech.com", true },
-  { "picotronic.de", true },
   { "picster.at", true },
   { "picsto.re", true },
   { "pictorial.com.sg", true },
@@ -29397,6 +29650,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pieland.eu", true },
   { "pieldenaranja.com", true },
   { "piem.org", true },
+  { "piepermail.nl", true },
   { "pieq.eu", true },
   { "pieq.eu.org", true },
   { "pier28.com", true },
@@ -29404,6 +29658,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "piercraft.com", true },
   { "pierre-denoblens.net", true },
   { "pierre-schmitz.com", true },
+  { "pierreblake.com", true },
   { "pierrefv.com", true },
   { "pierreprinetti.com", true },
   { "pierrickdeniel.fr", true },
@@ -29414,8 +29669,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pietz.uk", true },
   { "pigs.pictures", true },
   { "pijuice.com", true },
+  { "pijusmagnificus.com", true },
   { "pik.bzh", true },
-  { "pikeitservices.com.au", true },
   { "pikimusic.moe", true },
   { "pilani.ch", true },
   { "pilarguineagil.com", true },
@@ -29424,12 +29679,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pileofgarbage.net", true },
   { "piliszek.net", true },
   { "pill.id", true },
+  { "pillowfort.pub", true },
   { "pilot-colleges.com", true },
   { "pilot.co", true },
   { "pilotgrowth.com", true },
   { "pilsoncontracting.com", true },
   { "pilvin.pl", true },
-  { "pimg136.com", true },
   { "pimhaarsma.nl", true },
   { "pimhaarsmamedia.nl", true },
   { "pimpmyperf.fr", true },
@@ -29462,6 +29717,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pinnaclelife.nz", true },
   { "pinnacles.com", true },
   { "pinner.io", true },
+  { "pinot.it", true },
   { "pinoydailytvshow.net", true },
   { "pinoyonlinetv.com", true },
   { "pinoytech.ph", true },
@@ -29477,9 +29733,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pinterest.info", true },
   { "pinterest.jp", true },
   { "pinterjann.is", true },
+  { "pintosbeeremovals.co.za", true },
   { "pintosplumbing.co.za", true },
   { "pioneer-car.eu", true },
   { "pioneer-rus.ru", true },
+  { "pipenny.net", true },
   { "pipfrosch.com", true },
   { "pipocao.com", true },
   { "pirate.trade", true },
@@ -29515,6 +29773,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pissblau.com", true },
   { "pissflaps.co.uk", true },
   { "pisupp.ly", true },
+  { "pitaiabank.com", true },
+  { "pitaiatrade.com", true },
   { "pitbullsecuritysolutions.ca", true },
   { "pitchpinecapital.com", true },
   { "pitchupp.com", true },
@@ -29543,7 +29803,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pixelz.cc", true },
   { "pixiv.cat", true },
   { "pixiv.moe", true },
-  { "pixiv.rip", true },
   { "pixlfox.com", true },
   { "pixloc.fr", true },
   { "pizza-show.fr", true },
@@ -29558,12 +29817,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pizzeriacolore.com", true },
   { "pj539999.com", true },
   { "pjentertainments.co.uk", true },
-  { "pjili.com", true },
   { "pjleisure.co.uk", true },
   { "pjo.no", true },
   { "pjuu.com", false },
   { "pk.search.yahoo.com", false },
   { "pkbjateng.com", true },
+  { "pkbjateng.or.id", true },
+  { "pkeus.de", true },
   { "pkgt.de", false },
   { "pkirwan.com", true },
   { "pkisolutions.com", true },
@@ -29616,6 +29876,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "planmemberpartners.com", true },
   { "plannedlink.com", true },
   { "planningexcellence.com.au", true },
+  { "planolowcarb.com", true },
   { "plant-gift.jp", true },
   { "plantarum.com.br", true },
   { "plantastique.ch", true },
@@ -29630,6 +29891,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "planview.com", true },
   { "plaque-funeraire.fr", true },
   { "plassmann.ws", true },
+  { "plasticsurgerynola.com", true },
+  { "plasticsurgeryservices.com", true },
   { "plastovelehatko.cz", true },
   { "plateformecandidature.com", true },
   { "platformadmin.com", true },
@@ -29638,7 +29901,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "platschi.net", true },
   { "platten-nach-mass.de", true },
   { "platterlauncher.com", true },
-  { "plattner.club", true },
   { "play-casino-japan.com", true },
   { "play-charades.com", true },
   { "play.cash", true },
@@ -29651,7 +29913,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "players2gather.com", true },
   { "playerscout.net", true },
   { "playform.cloud", true },
-  { "playhappywheelsunblocked.com", true },
   { "playnation.io", true },
   { "playocean.net", true },
   { "playpirates.com", true },
@@ -29673,11 +29934,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pleier.it", false },
   { "pleine-conscience.ch", true },
   { "plenigo.com", true },
+  { "plentybetter.com", true },
+  { "plentybetter.org", true },
   { "plesse.pl", true },
   { "plexa.de", true },
   { "plexhome13.ddns.net", true },
   { "plexmark.tk", true },
-  { "plextv.de", true },
   { "plicca.com", true },
   { "pliosoft.com", true },
   { "plissee-experte.de", true },
@@ -29708,7 +29970,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "plumbingcentral.com.au", true },
   { "plumbingglenvista.co.za", true },
   { "plumlocosoft.com", true },
-  { "plumnet.ch", true },
   { "plumpie.net", false },
   { "plumplat.com", true },
   { "plur.com.au", true },
@@ -29717,12 +29978,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "plus-5.com", true },
   { "plus.google.com", false },
   { "plus.sandbox.google.com", true },
-  { "plus1s.site", true },
   { "pluscbdoil.com", true },
   { "pluslink.co.jp", true },
   { "plusstreamfeed.appspot.com", true },
-  { "plustech.id", true },
-  { "pluta.net", true },
+  { "pluta.net", false },
   { "plutiedev.com", true },
   { "pluto.life", true },
   { "plutokorea.com", true },
@@ -29786,7 +30045,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "poc13.com", true },
   { "poc15.com", true },
   { "poc16.com", true },
-  { "poc17.com", true },
   { "poc18.com", true },
   { "poc19.com", true },
   { "poc21.com", true },
@@ -29859,16 +30117,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pocqipai.com", true },
   { "podemos.info", true },
   { "podia.com.gr", false },
+  { "podo-podo.com", true },
   { "podroof.com", true },
   { "podroof.com.au", true },
   { "podshrink.de", true },
   { "poe.digital", true },
   { "poed.net.au", true },
   { "poedgirl.com", true },
+  { "poemlife.com", true },
   { "poezja.com.pl", true },
   { "poezjagala.pl", true },
   { "poffenhouse.ddns.net", true },
   { "pogera.com", true },
+  { "pogetback.pl", true },
   { "pogrebisky.net", true },
   { "pohlednice-tap.cz", true },
   { "pohlmann.io", true },
@@ -29891,6 +30152,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pokemori.jp", true },
   { "pokepon.center", true },
   { "pokl.cz", true },
+  { "pokrowcecardo.pl", true },
   { "polaire.org", true },
   { "polanda.com", true },
   { "polar-baer.com", true },
@@ -29932,6 +30194,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "polleverywhere.com", true },
   { "pollingplace.uk", true },
   { "polly.spdns.org", true },
+  { "polomack.eu", true },
   { "poloniainfo.com", true },
   { "polska-robota.com.ua", true },
   { "polskiemalzenstwo.org", true },
@@ -29950,6 +30213,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "polytekniskforening.dk", true },
   { "pomar.club", false },
   { "pomelo-paradigm.com", true },
+  { "pomfe.co", true },
   { "pomfeed.fr", true },
   { "pommedepain.fr", true },
   { "pomockypredeti.sk", true },
@@ -29991,6 +30255,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "popoway.cloud", true },
   { "popoway.me", true },
   { "poppetsphere.de", true },
+  { "poptimize.net", true },
   { "population-ethics.com", true },
   { "popvitrin.com", true },
   { "poquvi.net", true },
@@ -30016,6 +30281,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pornstop.net", true },
   { "pornsuper.net", true },
   { "porny.xyz", true },
+  { "porpcr.com", true },
   { "pors-sw.cz", true },
   { "port443.hamburg", true },
   { "port443.se", true },
@@ -30056,12 +30322,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "posijson.stream", true },
   { "positionus.io", true },
   { "positive.com.cy", true },
+  { "positivenames.net", true },
   { "posobota.cz", true },
-  { "posoiu.net", true },
   { "post-darwinian.com", true },
   { "post-darwinism.com", true },
   { "post.com.ar", true },
   { "post.io", true },
+  { "post.we.bs", true },
   { "post4me.at", true },
   { "postal.dk", true },
   { "postal3.es", true },
@@ -30071,6 +30338,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "postcodewise.co.uk", true },
   { "postdarwinian.com", true },
   { "postdarwinism.com", true },
+  { "postdeck.de", true },
   { "posteo.de", false },
   { "posterspy.com", true },
   { "postfalls-naturopathic.com", true },
@@ -30143,6 +30411,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ppmathis.ch", true },
   { "ppmathis.com", true },
   { "ppmoon.com", true },
+  { "ppoozl.com", true },
   { "ppro.com", true },
   { "pptavmdata.org", true },
   { "ppy.la", true },
@@ -30168,12 +30437,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "praguepsychology.cz", true },
   { "pragueswim.cz", true },
   { "praha-9.eu", true },
-  { "prajwalkoirala.com", true },
   { "prakhar.uk", true },
   { "prakharprasad.com", true },
   { "praktijkdevecht.nl", true },
   { "praktijkpassepartout.nl", true },
   { "prashchar.uk", true },
+  { "prateep.io", true },
   { "pratopronto.org", true },
   { "pratorotoli.it", true },
   { "praxino.de", true },
@@ -30217,6 +30486,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "prelved.pl", true },
   { "prelved.se", true },
   { "prematureacceleration.club", true },
+  { "preme.name", true },
   { "premierbouncycastles.co.uk", true },
   { "premieresloges.ca", false },
   { "premierevents.ie", true },
@@ -30234,7 +30504,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "prepaidkredietkaart.be", true },
   { "prepare-job-hunting.com", true },
   { "prepavesale.fr", true },
-  { "presbee.com", true },
   { "presbvm.org", true },
   { "presbyterian-colleges.com", true },
   { "prescotonline.co.uk", true },
@@ -30263,21 +30532,30 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "prestonbrant.com", true },
   { "pretachique.com.br", true },
   { "pretix.eu", true },
+  { "pretor.com.pl", true },
+  { "pretor.eu", true },
+  { "pretor.pl", true },
+  { "pretorcup.pl", true },
   { "pretrialservices.gov", true },
   { "pretty.hu", true },
   { "prettygirlcheats.com", true },
-  { "prettynode.com", true },
+  { "prettynode.com", false },
+  { "pretwolk.nl", true },
   { "pretzelx.com", true },
   { "prevenir.ch", true },
   { "preventshare.com", true },
   { "preview-it-now.com", true },
   { "priceremoval.net", true },
   { "pricesniffer.co", true },
+  { "prideindomination.com", true },
   { "pridetechdesign.com", false },
   { "prielwurmjaeger.de", true },
   { "prihatno.my.id", true },
+  { "primaconsulting.net", true },
   { "primalbase.com", true },
   { "primalinea.pro", true },
+  { "primalshop.dk", true },
+  { "primananda.com", true },
   { "primates.com", true },
   { "primeequityproperties.com", true },
   { "primoloyalty.com", true },
@@ -30286,7 +30564,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "princesparktouch.com", true },
   { "princessefoulard.com", true },
   { "principalsexam.com", true },
-  { "principalship.net", true },
   { "principalstest.com", true },
   { "principalstest.ph", true },
   { "principalstest.review", true },
@@ -30356,7 +30633,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "privatecapsecurity.org", true },
   { "privateideas.de", true },
   { "privateimarketing.com", true },
-  { "privatepokertour.com", true },
   { "privatepropertymallorca.com", true },
   { "privatestatic.com", false },
   { "privatevoid.net", true },
@@ -30396,6 +30672,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "procharter.com", true },
   { "procinorte.net", true },
   { "proclib.org", true },
+  { "procrastinatingengineer.uk", true },
   { "procrastinationland.com", true },
   { "procreditbank-kos.com", true },
   { "procreditbank.com.al", true },
@@ -30405,7 +30682,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "prodietix.cz", true },
   { "prodigia.com", false },
   { "prodinger.com", true },
-  { "prodottogiusto.com", true },
   { "prodsim.ninja", true },
   { "producepromotions.com", true },
   { "producertools.io", true },
@@ -30414,10 +30690,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "productdesignsoftware.com.au", true },
   { "production.vn", true },
   { "productlondon.com", true },
-  { "productoinnovador.com", true },
   { "productpeo.pl", true },
   { "products4more.at", true },
-  { "produkttest-online.com", true },
   { "prodware.fr", true },
   { "prodware.nl", true },
   { "proeflokaalbakker.nl", true },
@@ -30459,7 +30733,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "progressnet.nl", true },
   { "progresswww.nl", true },
   { "prohrcloud.com", true },
-  { "proimpact.it", true },
   { "project.supply", true },
   { "project86fashion.com", true },
   { "projectarmy.net", false },
@@ -30472,10 +30745,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "projectsafechildhood.gov", true },
   { "projectsecretidentity.com", true },
   { "projectsecretidentity.org", true },
+  { "projectunity.io", true },
   { "projectxyz.eu", true },
   { "projektarbeit-projektplanung.de", true },
   { "projektzentrisch.de", true },
   { "projest.ch", true },
+  { "projet-fly.ch", true },
   { "prolan.pw", true },
   { "prolearningcentre.com", true },
   { "prolinos.de", true },
@@ -30503,7 +30778,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pronto-intervento.net", true },
   { "prontointerventoimmediato.it", true },
   { "prontossl.com", true },
-  { "proobec.cz", true },
   { "proofwiki.org", true },
   { "proos.nl", true },
   { "proovn.com", true },
@@ -30516,6 +30790,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "propertygroup.pl", true },
   { "propertyinside.id", true },
   { "propertyone.mk", true },
+  { "propertysales-almeria.com", true },
   { "propipesystem.com", true },
   { "proposalonline.com", true },
   { "propr.no", true },
@@ -30533,7 +30808,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "prostoporno.vip", true },
   { "prostye-recepty.com", true },
   { "prosurveillancegear.com", true },
-  { "prot.ch", false },
+  { "prot.ch", true },
   { "protech.ge", true },
   { "protectedreport.com", true },
   { "protectem.de", true },
@@ -30542,6 +30817,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "protege.moi", true },
   { "protegetudescanso.com", true },
   { "protein-riegel-test.de", true },
+  { "proteinnuts.sk", false },
   { "protempore.fr", true },
   { "proteogenix-products.com", true },
   { "proteogenix.science", true },
@@ -30572,6 +30848,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "prowise.com", true },
   { "prowise.me", true },
   { "proximityradio.fr", true },
+  { "proxybay.bet", true },
   { "proxybay.bz", true },
   { "proxybay.co", true },
   { "proxybay.eu.org", true },
@@ -30637,7 +30914,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "psw-consulting.de", true },
   { "psw-group.de", true },
   { "psw.net", true },
-  { "psxtr.com", true },
   { "psyao.ch", true },
   { "psychedelia.com", true },
   { "psychedelics.org", true },
@@ -30648,6 +30924,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "psycho.space", true },
   { "psychoactive.com", true },
   { "psychoco.net", false },
+  { "psychotechnique.be", true },
+  { "psychotechnique.ch", true },
+  { "psychotechniquetest.fr", true },
   { "psychotherapie-kp.de", true },
   { "psycolleges.com", true },
   { "psydix.org", true },
@@ -30676,7 +30955,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "puac.de", true },
   { "pubclub.com", true },
   { "pubean.com", true },
-  { "pubi.me", true },
+  { "pubi.me", false },
   { "publanda.nl", true },
   { "public-g.de", true },
   { "public-projects.com", true },
@@ -30699,16 +30978,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "puestosdeferia.mx", true },
   { "puggan.se", true },
   { "pugovka72.ru", true },
-  { "puhka.me", true },
   { "puissancemac.ch", true },
   { "pukfalkenberg.dk", true },
   { "pulizieuffici.milano.it", true },
   { "pulpproject.org", true },
+  { "pulsarsecurity.com", true },
   { "pulser.stream", true },
   { "pulsnitzer-lebkuchen-shop.de", true },
+  { "pulsnitzer-lebkuchen.de", true },
   { "pulsnitzer-lebkuchen.shop", true },
   { "pulsnitzer-pfefferkuchen-shop.de", true },
   { "pulsnitzer-pfefferkuchen.shop", true },
+  { "pumpandcash.com", true },
   { "pumperszene.com", true },
   { "punchlinetheatre.co.uk", true },
   { "punchunique.com", true },
@@ -30730,7 +31011,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "purefkh.xyz", true },
   { "purefreefrom.co.uk", true },
   { "pureitsolutionsllp.com", true },
-  { "purelunch.co.uk", true },
   { "pureluxemedical.com", true },
   { "purenvi.ca", true },
   { "purevapeofficial.com", true },
@@ -30759,7 +31039,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pusatinkubatorbayi.com", true },
   { "pushers.com.mx", true },
   { "pushoflove.com", true },
-  { "pushphp.com", true },
   { "pushrax.com", true },
   { "pusichatka.ddns.net", true },
   { "pussr.com", true },
@@ -30780,6 +31059,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "puzzle-welt.ch", true },
   { "puzzlepoint.ch", true },
   { "pv-paderborn-now.de", true },
+  { "pvamg.org", true },
   { "pvcvoordeel.nl", false },
   { "pvda.nl", true },
   { "pvmotorco.com", true },
@@ -30793,6 +31073,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pwnedpass.tk", true },
   { "pwnies.dk", true },
   { "pwolk.com", true },
+  { "pxgamer.xyz", true },
   { "pxl-mailtracker.com", true },
   { "pxl.cl", true },
   { "pxx.io", true },
@@ -30836,6 +31117,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "qambarraza.com", true },
   { "qani.me", true },
   { "qaq.sh", true },
+  { "qarea.com", true },
   { "qaz.cloud", true },
   { "qbeing.info", true },
   { "qbiju.com.br", true },
@@ -30878,11 +31160,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "qis.fr", true },
   { "qitarabutrans.com", true },
   { "qiu521119.host", true },
-  { "qiuri.org", true },
+  { "qiukong.com", true },
+  { "qiuri.org", false },
   { "qivonline.pt", true },
   { "qiwi.be", true },
   { "qixi.biz", true },
   { "qkmortgage.com", true },
+  { "qlcvea.com", true },
   { "qldconservation.org.au", true },
   { "qldformulaford.org", true },
   { "qledtech.com", false },
@@ -30895,6 +31179,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "qonto.eu", true },
   { "qoor.io", true },
   { "qotw.net", true },
+  { "qpcna.org", true },
   { "qponverzum.hu", true },
   { "qq-navi.com", true },
   { "qq52o.me", true },
@@ -30919,6 +31204,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "qtvr.com", true },
   { "qtxh.net", true },
   { "quackerswaterproofing.com", true },
+  { "quadra.srl", true },
   { "quaggan.co", true },
   { "quai10.org", false },
   { "qualite-ecole-et-formation.ch", true },
@@ -30957,8 +31243,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "queens.lgbt", true },
   { "queensrdapartments.com.au", true },
   { "queer.party", true },
-  { "queercinema.ch", true },
   { "queercoders.com", false },
+  { "queextensiones.com", true },
   { "quehacerencusco.com", true },
   { "quelle.at", true },
   { "quelle.ch", true },
@@ -30974,18 +31260,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "quermail.com", true },
   { "query-massage.com", true },
   { "question.com", true },
-  { "questoj.cn", true },
   { "questsocial.it", true },
   { "quevisiongrafica.com", true },
   { "quic.stream", true },
   { "quickboysvrouwen2.nl", true },
   { "quickinfosystem.com", true },
+  { "quickrelations.de", true },
   { "quieroserbombero.org", true },
   { "quiet-waters.org", true },
   { "quietapple.org", true },
+  { "quietboy.net", true },
   { "quikchange.net", true },
   { "quikpay.com.au", true },
-  { "quilmo.com", true },
   { "quimatic.com.br", true },
   { "quinnlabs.com", true },
   { "quinoa24.com", true },
@@ -31029,7 +31315,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "r-ay.cn", true },
   { "r-rwebdesign.com", true },
   { "r-t-b.fr", true },
-  { "r0t.co", true },
   { "r1a.eu", true },
   { "r1ch.net", true },
   { "r2d2pc.com", true },
@@ -31052,7 +31337,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "raah.co", true },
   { "rabbit.wales", false },
   { "rabbitfinance.com", true },
+  { "rabbitinternet.com", true },
   { "rabica.de", true },
+  { "rabotaescort.com", true },
   { "rabynska.eu", true },
   { "raccoltarifiuti.com", true },
   { "racermaster.xyz", true },
@@ -31065,6 +31352,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rachelreagan.com", true },
   { "rachelsbouncycastles.co.uk", true },
   { "rachida-dati.eu", true },
+  { "rachurch.net", true },
   { "racius.com", true },
   { "rackerlab.com", false },
   { "raclet.co.uk", true },
@@ -31074,6 +31362,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "racunovodstvo-prina.si", true },
   { "radar.sx", true },
   { "radaravia.ru", true },
+  { "radarbanyumas.co.id", true },
   { "radartatska.se", true },
   { "radartek.com", true },
   { "radcube.hu", true },
@@ -31086,6 +31375,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "radio-pulsar.eu", true },
   { "radio-utopie.de", true },
   { "radio1.ie", true },
+  { "radiobox.net", true },
   { "radiocommg.com.br", true },
   { "radiocomsaocarlos.com.br", true },
   { "radiofmimagen.net", true },
@@ -31094,7 +31384,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "radiom.fr", true },
   { "radiomodem.dk", true },
   { "radiomontebianco.it", true },
-  { "radionicabg.com", true },
   { "radiopolarniki.spb.ru", true },
   { "radiormi.com", true },
   { "radiorsvp.com", false },
@@ -31115,13 +31404,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rafleatherdesign.com", true },
   { "rafting-japan.com", true },
   { "ragasto.nl", true },
+  { "rage-overload.ch", true },
+  { "rage.rip", true },
   { "rage4.com", true },
-  { "raghavdua.in", true },
   { "rahulpnath.com", true },
   { "raidensnakesden.co.uk", true },
   { "raidensnakesden.com", true },
   { "raidensnakesden.net", true },
   { "raidstone.net", true },
+  { "raiffeisen-kosovo.com", true },
   { "rail-o-rama.nl", true },
   { "rail24.nl", true },
   { "rail360.nl", true },
@@ -31149,6 +31440,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rainville.me", true },
   { "rainway.io", true },
   { "raipet.no-ip.biz", true },
+  { "raisecorp.com", true },
   { "raiseyourflag.com", true },
   { "raissarobles.com", true },
   { "raito.win", true },
@@ -31180,6 +31472,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ramrecha.com", false },
   { "ramsor-gaming.de", true },
   { "randc.org", true },
+  { "randolf.ca", true },
   { "random-samplings.org", true },
   { "randomadversary.com", true },
   { "randombit.eu", false },
@@ -31199,11 +31492,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ranktopay.com", true },
   { "ranson.com.au", true },
   { "rante.com", true },
-  { "ranyeh.co", true },
   { "ranyeh.com", true },
   { "ranzbak.nl", true },
   { "raoul-kieffer.net", true },
-  { "rapdogg.com", true },
   { "rapenroer.com", true },
   { "rapenroer.nl", true },
   { "raphael.li", true },
@@ -31225,9 +31516,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rascals-castles.co.uk", true },
   { "rascalscastles.co.uk", true },
   { "rascalscastlesdoncaster.co.uk", true },
-  { "rasebo.ro", true },
   { "raspii.tech", true },
-  { "raspitec.ddns.net", true },
   { "rasty.cz", true },
   { "ratd.net", true },
   { "ratebridge.com", true },
@@ -31243,14 +31532,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rault.io", true },
   { "rauros.net", true },
   { "rautelow.de", true },
+  { "ravada-vdi.com", true },
+  { "ravanalk.com", true },
   { "ravchat.com", true },
   { "raven.dog", true },
   { "ravenger.net", true },
   { "ravensbuch.de", true },
-  { "ravenx.me", true },
   { "ravhaaglanden.org", true },
   { "ravindran.me", true },
-  { "raviparekh.co.uk", true },
   { "ravis.org", true },
   { "ravkr.duckdns.org", true },
   { "rawdutch.nl", true },
@@ -31276,6 +31565,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rbensch.com", true },
   { "rbflote.lv", true },
   { "rbltracker.com", true },
+  { "rbmland.com", true },
   { "rbnet.xyz", true },
   { "rbran.com", true },
   { "rbx-talk.xyz", true },
@@ -31300,11 +31590,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rct.uk", true },
   { "rctalk.com", true },
   { "rdfproject.it", true },
+  { "rdh.asia", true },
   { "rdjb2b.com", true },
   { "rdl.at", false },
   { "rdmc.fr", true },
   { "rdmrotterdam.nl", true },
   { "rdmtaxservice.com", true },
+  { "rdns.cc", true },
   { "rdv-cni.fr", true },
   { "rdv-prefecture.com", true },
   { "rdwh.tech", true },
@@ -31315,11 +31607,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "reachrss.com", true },
   { "reaconverter.com", true },
   { "react-db.com", true },
+  { "reactions.studio", true },
   { "reactivarte.es", true },
   { "reactive-press.com", true },
   { "reactpwa.com", true },
   { "read.sc", true },
   { "reades.co.uk", true },
+  { "reades.uk", true },
   { "readheadcopywriting.com", true },
   { "readingandmath.org", true },
   { "readingrats.de", true },
@@ -31328,6 +31622,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "readouble.com", false },
   { "reads.wang", true },
   { "readybetwin.com", true },
+  { "readyrowan.com", true },
+  { "readyrowan.org", true },
   { "readysell.net", true },
   { "readytobattle.net", true },
   { "readytongue.com", true },
@@ -31353,6 +31649,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "realloc.me", true },
   { "really-simple-plugins.com", true },
   { "really-simple-ssl.com", true },
+  { "really.ai", true },
   { "reallytrusted.com", true },
   { "realme.govt.nz", true },
   { "realmofespionage.xyz", true },
@@ -31371,6 +31668,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "reancos.report", true },
   { "reanimated.eu", true },
   { "reath.me", true },
+  { "reath.xyz", true },
   { "reaven.nl", true },
   { "rebane2001.com", true },
   { "rebeagle.com", true },
@@ -31381,12 +31679,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rebirthia.me", true },
   { "reboxetine.com", true },
   { "reboxonline.com", true },
-  { "rebtoor.com", true },
   { "recalls.gov", true },
   { "recantoshop.com", true },
   { "recantoshop.com.br", true },
   { "recapp.ch", true },
   { "recaptcha-demo.appspot.com", true },
+  { "recard.vn", true },
   { "receiliart.com", true },
   { "receptionpoint.com", true },
   { "recepty.eu", true },
@@ -31418,10 +31716,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "recuerdafilms.com", true },
   { "recuperodatiraidfastec.it", true },
   { "recurly.com", true },
+  { "recurrentmeningitis.org", true },
   { "recursosdeautoayuda.com", true },
   { "recyclingpromotions.us", true },
   { "red-t-shirt.ru", true },
-  { "red-trigger.net", true },
   { "red2fred2.com", true },
   { "redable.hosting", true },
   { "redable.nl", true },
@@ -31454,7 +31752,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rede-reim.de", true },
   { "rede-t.com", true },
   { "redelectrical.co.uk", true },
-  { "redespaulista.com", true },
   { "redessantaluzia.com.br", true },
   { "redflare.com.au", true },
   { "redfox-infosec.de", true },
@@ -31463,7 +31760,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "redgoose.ca", true },
   { "redhandedsecurity.com.au", true },
   { "redicals.com", true },
-  { "redigest.it", true },
   { "redir.me", true },
   { "redirect.fedoraproject.org", true },
   { "redirect.stg.fedoraproject.org", true },
@@ -31472,7 +31768,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rediverge.com", true },
   { "redivis.com", true },
   { "redleslie.com", true },
-  { "redletter.link", true },
   { "redlinelap.com", true },
   { "redlink.de", true },
   { "redmind.se", true },
@@ -31482,6 +31777,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rednsx.org", true },
   { "redpact.com", true },
   { "redprice.by", true },
+  { "redscan.com", true },
+  { "redshell.pw", true },
   { "redshield.co", true },
   { "redshiftlabs.com.au", true },
   { "redshoeswalking.net", true },
@@ -31491,6 +31788,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "redteam-pentesting.de", true },
   { "redwaterhost.com", true },
   { "redweek.com", true },
+  { "redwhey.com", true },
   { "redwoodpaddle.es", true },
   { "redwoodpaddle.pt", true },
   { "redzonedaily.com", true },
@@ -31500,6 +31798,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "reedyforkfarm.com", true },
   { "reegle.com", true },
   { "reening.net", true },
+  { "reensshop.com", true },
   { "rees-carter.net", true },
   { "reesmichael1.com", true },
   { "reevaappliances.co.uk", true },
@@ -31532,6 +31831,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "reganclassics.com", true },
   { "reganparty.com", true },
   { "regar42.fr", false },
+  { "regasportshop.it", true },
   { "regeneo.cz", true },
   { "regenerapoint.it", true },
   { "regenerescence.com", true },
@@ -31563,12 +31863,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "regraph.de", true },
   { "regresionavidaspasadas.com", true },
   { "regularflolloping.com", true },
+  { "regularizaeudora.com.br", true },
   { "regulations.gov", true },
   { "reha-honpo.jp", true },
   { "rehabili-shigoto.com", true },
   { "rehabilitation.network", true },
   { "rehabmail.com", true },
   { "rehabphilippines.com", true },
+  { "rehabreviews.com", true },
   { "rehabthailand.com", true },
   { "rehabthailand.org", true },
   { "rei.ki", true },
@@ -31597,7 +31899,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "reinouthoornweg.nl", true },
   { "reinventetoi.com", false },
   { "reisekosten-gorilla.com", true },
-  { "reisenbauer.ee", true },
   { "reiseversicherung-werner-hahn.de", true },
   { "reishunger.de", true },
   { "reisslittle.com", true },
@@ -31632,7 +31933,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "remax.at", true },
   { "remedi.tokyo", true },
   { "remedionaturales.com", true },
-  { "remedioscaserosparalacistitis.com", true },
+  { "remedioparaherpes.com", true },
+  { "remedios-caserospara.com", true },
   { "remejeanne.com", true },
   { "rememberthemilk.com", false },
   { "remi-saurel.com", true },
@@ -31644,6 +31946,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "remitatm.com", false },
   { "remonti.info", true },
   { "remote.so", true },
+  { "remoteham.com", true },
   { "remoteutilities.com", true },
   { "removalcellulite.com", true },
   { "removedrepo.com", true },
@@ -31663,10 +31966,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "renee.today", true },
   { "reneleu.ch", true },
   { "renem.net", false },
-  { "renemayrhofer.com", true },
+  { "renemayrhofer.com", false },
   { "reneschmidt.de", true },
   { "renewablefreedom.org", true },
   { "renewablemaine.org", true },
+  { "renewed.technology", true },
   { "renewgsa.com", true },
   { "renewmedispa.com", true },
   { "renewpfc.com", true },
@@ -31679,25 +31983,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "renrenche.com", false },
   { "rens.nu", true },
   { "rensa-datorn.se", true },
-  { "renscreations.com", true },
   { "rent-a-c.io", true },
   { "rent-a-coder.de", true },
   { "rentacaramerica.com", true },
-  { "rentasweb.gob.ar", true },
+  { "rentandgo.it", true },
   { "rentayventadecarpas.com", true },
   { "renthelper.us", true },
   { "rentinsingapore.com.sg", true },
   { "rentourhomeinprovence.com", true },
   { "renuo.ch", true },
   { "renxinge.cn", false },
-  { "reo.gov", true },
-  { "reorz.com", true },
   { "reox.at", false },
   { "repaik.com", true },
   { "repair.by", true },
   { "repaper.org", true },
   { "repaxan.com", true },
   { "repkord.com", true },
+  { "replace.ninja", true },
   { "replicaswiss.nl", true },
   { "repology.org", true },
   { "report-uri.com", true },
@@ -31718,7 +32020,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "repugnant-conclusion.com", true },
   { "repugnantconclusion.com", true },
   { "reputationweaver.com", true },
-  { "reqrut.net", true },
   { "requestr.co.uk", true },
   { "res-kc.com", true },
   { "resama.eu", true },
@@ -31768,8 +32069,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "restaurantguru.com", true },
   { "restaurantmaan.nl", true },
   { "restauranttester.at", true },
-  { "rester-a-domicile.ch", true },
-  { "rester-autonome-chez-soi.ch", true },
   { "restoran-radovce.me", true },
   { "restorethegulf.gov", true },
   { "restoruns.com", true },
@@ -31780,6 +32079,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "resursedigitale.ro", true },
   { "retefarmaciecostadamalfi.it", true },
   { "retetenoi.net", true },
+  { "reticket.me", true },
   { "reticon.de", true },
   { "retmig.dk", true },
   { "reto.ch", true },
@@ -31798,9 +32098,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "retrofitlab.com", true },
   { "retroity.net", true },
   { "retrojar.top", true },
+  { "retroride.cz", true },
   { "retroroundup.com", true },
   { "retrotracks.net", true },
   { "retrovideospiele.com", true },
+  { "returnonerror.com", true },
   { "returnpath.com", true },
   { "reucon.com", true },
   { "reulitz.de", true },
@@ -31846,7 +32148,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rezosup.org", true },
   { "rezultant.ru", true },
   { "rftoon.com", true },
-  { "rfxanalyst.com", true },
   { "rga.sh", true },
   { "rgavmf.ru", true },
   { "rgbinnovation.com", true },
@@ -31865,7 +32166,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rhinelander.ca", true },
   { "rhinobase.net", true },
   { "rhinoceroses.org", true },
-  { "rhnet.at", true },
   { "rhodenmanorcattery.co.uk", true },
   { "rhodri.io", true },
   { "rhowell.io", true },
@@ -31876,6 +32176,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "riajenaka.com", true },
   { "riaki.net", true },
   { "rial.space", true },
+  { "riaucybersolution.net", false },
   { "ribs.com", true },
   { "ricardo.nu", true },
   { "ricardobalk.nl", true },
@@ -31903,8 +32204,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "richardson.pictures", true },
   { "richardson.software", true },
   { "richardson.systems", true },
+  { "richardson.tw", true },
   { "richardstonerealestate.com", true },
   { "richardwarrender.com", true },
+  { "richeyweb.com", true },
   { "richie.fi", true },
   { "ricketyspace.net", true },
   { "ricki-z.com", true },
@@ -31924,6 +32227,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rideways.com", true },
   { "rideyourdamn.bike", true },
   { "ridgelandchurch.org", true },
+  { "ridhaan.co", true },
   { "ridingboutique.de", true },
   { "ridwan.co", false },
   { "riederle.com", true },
@@ -31939,7 +32243,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "righettod.eu", true },
   { "righini.ch", true },
   { "rightbrain.training", true },
-  { "rightcapital.com", true },
   { "rightmovecanada.com", true },
   { "rightnetworks.com", true },
   { "rightstuff.link", true },
@@ -31956,7 +32259,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rileyevans.co.uk", true },
   { "rimax.vn", true },
   { "rimcountrymuseum.org", true },
-  { "rimediogiusto.com", true },
   { "rimeto.io", true },
   { "rimo.site", true },
   { "rimorrecherche.nl", true },
@@ -31975,6 +32277,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ripmixmake.org", true },
   { "riqy86.nl", true },
   { "ris-bad-wurzach.de", true },
+  { "ris.fi", true },
   { "risada.nl", true },
   { "risaphuketproperty.com", true },
   { "riscascape.net", true },
@@ -31991,6 +32294,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ristoviitanen.fi", true },
   { "ristrutturazioneappartamento.roma.it", true },
   { "rit.space", false },
+  { "ritirocalcinacci.viterbo.it", true },
   { "rittau.biz", true },
   { "rittau.org", true },
   { "ritzlux.com.tw", true },
@@ -32010,6 +32314,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rivoflor.it", true },
   { "rivus.net", true },
   { "rivy.org", true },
+  { "riwick.com", false },
   { "rix.ninja", true },
   { "rixter.com", true },
   { "rixzz.ovh", true },
@@ -32032,6 +32337,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rmcbs.de", true },
   { "rmeuropean.com", true },
   { "rmf.io", true },
+  { "rmi.com.ar", true },
   { "rmm-i.com", true },
   { "rmmanfredi.com", true },
   { "rmpsolution.de", true },
@@ -32059,10 +32365,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "robertattfield.com", true },
   { "robertayamashita.com", true },
   { "robertayamashita.com.br", true },
-  { "robertg.me", true },
-  { "robertglastra.com", true },
+  { "robertbln.com", true },
   { "roberthurlbut.com", true },
   { "robertkrueger.de", true },
+  { "robertlluberes.com", true },
   { "robertlysik.com", true },
   { "robertnemec.com", true },
   { "robertoentringer.com", true },
@@ -32104,7 +32410,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "robpol86.com", true },
   { "robspc.repair", true },
   { "robspeed.rocks", true },
-  { "robtatemusic.com", true },
   { "robtex.com", true },
   { "robu.in", true },
   { "robud.info", true },
@@ -32118,7 +32423,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rockenfuerlachenhelfen.de", true },
   { "rocket-wars.de", true },
   { "rocketevents.com.au", true },
-  { "rocketgnomes.com", true },
   { "rocketr.net", true },
   { "rocketsandtutus.com", true },
   { "rockfax.com", true },
@@ -32145,6 +32449,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rodomonte.org", true },
   { "rodrigocarvalho.blog.br", true },
   { "rody-design.com", true },
+  { "rodykossen.com", true },
   { "rodzina-kupiec.eu.org", true },
   { "roeckx.be", true },
   { "roeitijd.nl", false },
@@ -32169,7 +32474,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "roguefortgame.com", true },
   { "roguenation.space", true },
   { "roguenetworks.me", true },
-  { "roguesignal.net", true },
   { "roguetechhub.org", true },
   { "rohedaten.de", true },
   { "rohitagr.com", true },
@@ -32221,6 +32525,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rondouin.fr", true },
   { "rondreis-amerika.be", true },
   { "rondreis-schotland.nl", true },
+  { "ronem.com.au", true },
   { "roninf.ch", true },
   { "roninitconsulting.com", true },
   { "ronniegane.kiwi", true },
@@ -32239,11 +32544,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "room2d.com", true },
   { "room3b.eu", true },
   { "roombase.nl", true },
+  { "roomguide.info", true },
   { "roomhub.jp", true },
+  { "roomsatevents.eu", true },
   { "rooneytours.nl", true },
   { "roopakv.com", true },
   { "roosabels.nl", false },
-  { "roosterpgplus.nl", true },
+  { "roosteroriginals.com", false },
   { "root-space.eu", true },
   { "root.bg", true },
   { "root.cz", true },
@@ -32279,7 +32586,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rosemariefloydballet.com", true },
   { "rosenheimsingles.de", true },
   { "rosenkeller.org", true },
-  { "roseofyork.com", true },
   { "roseofyorkbooking.com", true },
   { "roseon.net", true },
   { "roseparkhouse.com", true },
@@ -32290,12 +32596,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rosnertexte.at", true },
   { "rosset.me", true },
   { "rosset.net", true },
-  { "rossfrancis.co.uk", true },
   { "rossmacphee.com", true },
   { "rostclub.ro", true },
   { "rostov-avia.ru", true },
   { "rostros.eu", true },
   { "rot47.net", true },
+  { "rotapalor.com", true },
   { "rotek.at", true },
   { "roten.email", true },
   { "rothe.io", true },
@@ -32325,64 +32631,33 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "routetracker.co", true },
   { "rove3d.com", true },
   { "rowancasting.ie", true },
+  { "rowancounty911.com", true },
+  { "rowancounty911.org", true },
+  { "rowancountyairport.com", true },
   { "rowancountync.gov", true },
   { "rowankaag.nl", true },
+  { "rowanpubliclibrary.com", true },
+  { "rowansheriff.com", true },
+  { "rowansheriff.org", true },
+  { "rowantransit.com", true },
+  { "rowantransit.org", true },
   { "rowlog.com", true },
   { "rows.io", true },
   { "roxiesbouncycastlehire.co.uk", true },
   { "roxtri.cz", true },
   { "royal-rangers.de", true },
-  { "royal806.com", true },
-  { "royal810.com", true },
-  { "royal811.com", true },
   { "royal812.com", true },
   { "royal813.com", true },
-  { "royal816.com", true },
-  { "royal817.com", true },
   { "royal818.com", true },
-  { "royal830.com", true },
-  { "royal833.com", true },
   { "royal850.com", true },
-  { "royal851.com", true },
-  { "royal852.com", true },
   { "royal853.com", true },
-  { "royal855.com", true },
-  { "royal856.com", true },
-  { "royal857.com", true },
-  { "royal859.com", true },
-  { "royal86.com", true },
-  { "royal861.com", true },
   { "royal862.com", true },
   { "royal863.com", true },
-  { "royal865.com", true },
   { "royal867.com", true },
   { "royal868.com", true },
-  { "royal869.com", true },
   { "royal871.com", true },
-  { "royal872.com", true },
-  { "royal873.com", true },
-  { "royal875.com", true },
-  { "royal877.com", true },
-  { "royal879.com", true },
   { "royal88.com", true },
-  { "royal88.tech", true },
-  { "royal881.com", true },
-  { "royal882.com", true },
-  { "royal883.com", true },
-  { "royal885.com", true },
-  { "royal886.com", true },
-  { "royal887.com", true },
-  { "royal888888.com", true },
-  { "royal889.com", true },
-  { "royal890.com", true },
-  { "royal891.com", true },
-  { "royal892.com", true },
-  { "royal893.com", true },
-  { "royal894.com", true },
-  { "royal895.com", true },
-  { "royal896.com", true },
   { "royal898.com", true },
-  { "royal899.com", true },
   { "royalacademy.org.uk", true },
   { "royalasianescorts.co.uk", true },
   { "royalbeautyclinic.ir", true },
@@ -32396,15 +32671,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "royalpub.net", false },
   { "royalrangers.fi", true },
   { "royalty-market.com", true },
-  { "royalyule.com", true },
   { "royceandsteph.com", true },
   { "roycewilliams.net", true },
   { "roygerritse.nl", true },
   { "rozalynne-dawn.ga", true },
+  { "rozar.eu", true },
   { "rozhodce.cz", true },
+  { "rpadonline.com", true },
   { "rpadovani.com", true },
   { "rpauto.ru", true },
   { "rpgcampaign.website", true },
+  { "rpgchan.cf", true },
   { "rpgmaker.es", true },
   { "rpherbig.com", true },
   { "rphl.net", true },
@@ -32417,7 +32694,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rraesthetics.com", true },
   { "rrdesignsuisse.com", true },
   { "rrg-partner.ch", true },
-  { "rro.rs", true },
   { "rrudnik.com", true },
   { "rrwolfe.com", true },
   { "rs-maschinenverleih.de", true },
@@ -32441,7 +32717,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rtate.ca", true },
   { "rtate.se", true },
   { "rtcx.net", true },
-  { "rtd.uk.com", true },
   { "rte.eu", true },
   { "rte.radio", true },
   { "rte2fm.ie", true },
@@ -32482,8 +32757,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ruby-auf-schienen.de", true },
   { "rubyist.today", true },
   { "rubymartin.com.au", true },
-  { "rubyquincunx.com", true },
-  { "rubyquincunx.org", true },
   { "rubytune.com", true },
   { "rucksack-rauf-und-weg.de", true },
   { "ruckzuck-privatpatient.de", true },
@@ -32529,9 +32802,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rumplesinflatables.co.uk", true },
   { "rumtaste.com", true },
   { "rumtaste.de", true },
+  { "run-forrest.run", false },
   { "run-it-direct.co.uk", true },
   { "runagain.ch", true },
   { "runebet.com", true },
+  { "runefake.com", true },
   { "runklesecurity.com", true },
   { "runnergrapher.com", true },
   { "runreport.fr", true },
@@ -32559,6 +32834,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "russia.dating", true },
   { "russiaeconomy.org", true },
   { "russianorthodoxchurch.co.uk", true },
+  { "russpuss.ru", true },
   { "russt.me", true },
   { "rust.mn", true },
   { "rustable.com", true },
@@ -32569,6 +32845,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ruthmontenegro.com", false },
   { "rutiger.com", true },
   { "rutika.ru", true },
+  { "rutten.me", true },
   { "ruudkoot.nl", true },
   { "ruwhof.net", true },
   { "ruya.com", true },
@@ -32582,19 +32859,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rvsbevestigingen.nl", true },
   { "rw.search.yahoo.com", false },
   { "rwky.net", true },
+  { "rws-cc.com", true },
   { "rws-vertriebsportal.de", true },
   { "rwx.ovh", true },
   { "rx-contact.com", false },
   { "rxbn.de", true },
   { "rxbusiness.com", true },
   { "rxcheck.com", true },
-  { "rxgroup.io", true },
   { "rxight.com", true },
   { "ryan-design.com", true },
   { "ryan-gehring.com", true },
   { "ryan-goldstein.com", true },
   { "ryanbritton.com", true },
-  { "ryancarter.co.uk", true },
   { "ryanhowell.io", false },
   { "ryankearney.com", false },
   { "ryanmcdonough.co.uk", false },
@@ -32603,12 +32879,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rychlikoderi.cz", true },
   { "rydermais.tk", true },
   { "rynekpierwotny.pl", true },
+  { "rynkebo.dk", true },
   { "ryois.me", true },
   { "rys.pw", true },
   { "ryssl.com", true },
   { "ryu22e.org", true },
   { "ryuu.es", true },
-  { "ryyule.com", true },
   { "ryzhov.me", true },
   { "rzentarzewski.net", true },
   { "s-a.xyz", true },
@@ -32621,13 +32897,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "s-pegasus.com", true },
   { "s-s-paint.com", true },
   { "s007.co", true },
+  { "s0laris.co.uk", true },
   { "s10y.eu", true },
   { "s13d.fr", true },
   { "s16e.no", true },
   { "s2member.com", true },
   { "s2p.moe", true },
+  { "s2t.net", true },
   { "s3cur3.it", true },
-  { "s3gfault.com", true },
   { "s3robertomarini.it", true },
   { "s404.de", true },
   { "s44.eu", true },
@@ -32635,6 +32912,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "s4media.org", true },
   { "s4q.me", true },
   { "s4tips.com", true },
+  { "s4ur0n.com", true },
   { "s5118.com", true },
   { "s64.cz", true },
   { "s8a.us", true },
@@ -32644,12 +32922,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sa.net", true },
   { "saabpartsdistribution.com", true },
   { "saamhorigheidsfonds.nl", false },
+  { "saas.de", true },
   { "saastopankki.fi", true },
   { "saba-piserver.info", true },
   { "sabahattin-gucukoglu.com", true },
   { "sabe.cz", true },
   { "sabine-forschbach.de", true },
   { "sabineforschbach.de", true },
+  { "sablyrics.com", true },
   { "sabrinajoias.com.br", true },
   { "sacaentradas.com", true },
   { "saccani.net", true },
@@ -32657,6 +32937,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "saclier.at", true },
   { "sacprincesse.com", true },
   { "sacred-knights.net", true },
+  { "sacredheart-cliftonheights.net", true },
   { "sacrome.com", true },
   { "sadbox.es", true },
   { "sadbox.org", true },
@@ -32666,7 +32947,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sadhana.cz", true },
   { "sadhawkict.org", true },
   { "sadiejewellery.co.uk", true },
-  { "sadmansh.com", true },
   { "sadou.kyoto.jp", true },
   { "saechsischer-christstollen.shop", true },
   { "saengsook.com", true },
@@ -32688,6 +32968,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "safeguardcommerce.com", true },
   { "safeguardhosting.ca", true },
   { "safeinfra.nl", true },
+  { "safeitup.se", true },
   { "safejourney.education", true },
   { "safematix.com", true },
   { "safeme.ga", true },
@@ -32732,12 +33013,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sailormoonlibrary.org", true },
   { "sailwiz.com", true },
   { "saimoe.moe", true },
+  { "saimoe.org", true },
   { "sainetworks.net", true },
   { "saint-bernard-gouesch.fr", true },
   { "saint-cyril.com", true },
   { "saintaardvarkthecarpeted.com", true },
   { "saintanne.net", true },
   { "saintanthonyscorner.com", true },
+  { "sainteugenechurch.net", true },
+  { "sainteugeneschurch.com", true },
+  { "saintfrancescabrini.net", true },
+  { "saintfrancisdesales.net", true },
   { "sainth.de", true },
   { "sainthedwig-saintmary.org", true },
   { "sainthelena-centersquare.net", true },
@@ -32748,12 +33034,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "saintjosephschurch.net", true },
   { "saintmarkchurch.net", true },
   { "saintmaryna.com", true },
+  { "saintmaryscathedral-trenton.org", true },
   { "saintpatrick-norristown.net", true },
   { "saintpeterchurch.net", true },
   { "saintphilipneri.org", true },
   { "saintpius.net", true },
   { "saintpolycarp.org", true },
   { "saintsrobotics.com", true },
+  { "saintw.com", true },
   { "saipariwar.com", true },
   { "saiputra.com", true },
   { "saitrance.com", true },
@@ -32797,9 +33085,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sallydowns.name", true },
   { "salmododia.net", true },
   { "salmonella.co.uk", true },
+  { "salmonrecovery.gov", true },
   { "salmonvision.com.tw", true },
   { "salmos91.com", true },
   { "salmotierra-salvatierra.com", true },
+  { "salon-hinata.biz", true },
   { "salon-minipli.de", true },
   { "salon.io", false },
   { "salon1.ee", true },
@@ -32822,9 +33112,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "salva.re", true },
   { "salvagedfurnitureparlour.com", true },
   { "sam-football.fr", true },
-  { "samanacafe.com", true },
   { "samanthasgeckos.com", true },
-  { "samanthasicecream.com", true },
   { "samappleton.com", true },
   { "samara-avia.ru", true },
   { "samaritainsmeyrin.ch", true },
@@ -32844,7 +33132,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "samgrayson.me", true },
   { "samhuri.net", true },
   { "samifar.in", true },
-  { "samip.fi", true },
   { "samitechnic.com", true },
   { "samizdat.cz", true },
   { "samkelleher.com", true },
@@ -32852,10 +33139,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "samlaw.co.nz", true },
   { "samlivogarv.dk", true },
   { "sammamish--locksmith.com", true },
+  { "sammyjohnson.com", true },
   { "sammyservers.com", true },
   { "sammyservers.net", true },
-  { "sammyslimos.com", true },
-  { "samnya.cn", true },
+  { "samnya.cn", false },
+  { "samplefashion.nl", true },
+  { "samri.pt", true },
   { "samrobertson.co.uk", true },
   { "samshouseofspaghetti.net", true },
   { "samsungmobile.it", true },
@@ -32908,7 +33197,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sandtears.com", true },
   { "sandtonescorts.com", true },
   { "sandtonplumber24-7.co.za", true },
-  { "sandtonvipcompanions.com", true },
   { "sandyrobsonhypnotherapy.co.uk", true },
   { "sanemind.de", true },
   { "sanemind.eu", true },
@@ -32923,6 +33211,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sanitairwinkel.com", true },
   { "sanitairwinkel.nl", true },
   { "sanitrak.cz", true },
+  { "sanjotech.space", true },
   { "sannesfotklinikk.no", true },
   { "sanpham-balea.org", true },
   { "sanskritiyoga.com", true },
@@ -32955,6 +33244,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sapphirepearl.com.sg", true },
   { "sapprendre.ch", true },
   { "saprima.de", true },
+  { "sarabara.com", true },
   { "sarahbeckettharpist.com", true },
   { "sarahboydrealty.com", true },
   { "sarahcorliss.com", true },
@@ -33001,6 +33291,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "saterdalen.net", true },
   { "satimagingcorp.com", true },
   { "satinn.pl", true },
+  { "satisperfectacollections.com", true },
   { "satmd.de", true },
   { "satoshinumbers.com", true },
   { "sattamatkachart.in", true },
@@ -33017,6 +33308,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sauerbrey.eu", true },
   { "sauerland-schnittgruen.de", true },
   { "saulchristie.com", true },
+  { "saultdefencelaw.ca", true },
   { "saumon-de-france.com", true },
   { "saumon-france.com", true },
   { "saumondefrance.fr", true },
@@ -33037,6 +33329,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "saveya.com", true },
   { "savic.com", false },
   { "saviezvousque.net", true },
+  { "savilleassessment.com", true },
   { "savingrecipe.com", true },
   { "savingsoftheyear.com", true },
   { "savingsomegreen.com", true },
@@ -33067,6 +33360,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sbanken.no", true },
   { "sber.us", true },
   { "sberbank.ch", true },
+  { "sberna-fotofast.cz", true },
   { "sbf888.com", true },
   { "sbiewald.de", true },
   { "sbir.gov", true },
@@ -33086,8 +33380,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sbytes.info", true },
   { "sc-artworks.co.uk", true },
   { "sc5.jp", true },
-  { "scaarus.com", true },
   { "scaffalature.roma.it", true },
+  { "scaffoldhirefourways.co.za", true },
+  { "scaffoldhirerandburg.co.za", true },
   { "scalacollege.nl", true },
   { "scalaire.com", true },
   { "scalaire.fr", true },
@@ -33103,6 +33398,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "scanleasing.net", true },
   { "scanpay.dk", true },
   { "scarafaggio.it", true },
+  { "scarvespalace.com", true },
   { "scatsbouncingcastles.ie", true },
   { "scbdh.org", true },
   { "scbreed.com", true },
@@ -33116,8 +33412,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "scepticism.com", true },
   { "schadevergoedingen.eu", true },
   { "schaefer-reifen.de", true },
+  { "schaffensdrang.at", true },
   { "schamlosharmlos.de", true },
-  { "schaper-sport.com", true },
   { "schatzibaers.de", true },
   { "schawe.me", true },
   { "schbebtv.fr", true },
@@ -33160,6 +33456,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "schmid.tv", true },
   { "schmidthomes.com", true },
   { "schmidtplasticsurgery.com", true },
+  { "schmitt-etienne.fr", true },
   { "schmitt-max.com", true },
   { "schnapke.name", true },
   { "schneeketten-ratgeber.de", true },
@@ -33167,6 +33464,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "schneidr.de", true },
   { "schneids.me", true },
   { "schnellno.de", true },
+  { "schnellsuche.de", true },
   { "schnouki.net", true },
   { "schnuckenhof-wesseloh.de", true },
   { "schnyder-werbung.ch", true },
@@ -33187,8 +33485,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "scholarshipplatform.com", true },
   { "scholarshipsplatform.com", true },
   { "scholarstyle.com", true },
+  { "scholieren.com", true },
   { "scholierenvervoerzeeland.nl", true },
-  { "schollbox.de", false },
   { "scholledev.com", true },
   { "scholz-kallies.de", true },
   { "schont.org", true },
@@ -33247,6 +33545,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "schwabenhaus-ka.de", true },
   { "schwalliers.com", true },
   { "schwanke.in", true },
+  { "schwano-dent.at", true },
   { "schwarz-gelbe-fuechse.de", true },
   { "schwarzegar.de", true },
   { "schwarzer.it", true },
@@ -33290,9 +33589,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "scooterservis.com", true },
   { "scootfleet.com", true },
   { "scorerealtygroup.com", true },
-  { "scorobudem.ru", true },
-  { "scorocode.ru", true },
   { "scorp13.com", true },
+  { "scorpowines.com", true },
   { "scottah.com", true },
   { "scottgalvin.com", true },
   { "scottgruber.me", true },
@@ -33310,7 +33608,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "scouttrails.com", true },
   { "scp-trens.notaires.fr", true },
   { "scp500.com", true },
-  { "scpartyentertainment.co.uk", true },
   { "scpslgame.com", true },
   { "scra.gov", true },
   { "scrabble-solver.com", true },
@@ -33318,6 +33615,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "scramget.com", true },
   { "scramsoft.com", true },
   { "scrap.tf", true },
+  { "scrapdealers.eu", true },
   { "scratchandscuffs.co.uk", true },
   { "scratchandscuffs.com", true },
   { "scratchandscuffs.uk", true },
@@ -33340,6 +33638,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "scriptgates.ru", true },
   { "scriptum.gr", true },
   { "scrisulfacebine.ro", true },
+  { "scrivito.com", true },
   { "scrod.me", true },
   { "scroll.in", true },
   { "scrtch.fr", true },
@@ -33358,8 +33657,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "scul.net", true },
   { "sculpture.support", true },
   { "scuolaguidalame.ch", true },
-  { "scuters.club", true },
-  { "scw.com", true },
   { "sd.af", true },
   { "sdayman.com", true },
   { "sdcardrecovery.de", true },
@@ -33390,6 +33687,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sealbaker.com", true },
   { "sealoffantasy.de", true },
   { "sealtitebasement.com", true },
+  { "seamester.com", true },
   { "seamless.no", true },
   { "seamoo.se", true },
   { "sean-wright.com", true },
@@ -33420,17 +33718,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "seareytraining.com", true },
   { "searsucker.com", true },
   { "searx.ru", true },
+  { "searx.xyz", true },
   { "seasidestudios.co.uk", true },
   { "season.moe", true },
+  { "seasons-vintage.com", true },
   { "seasons.nu", false },
   { "seatbeltpledge.com", true },
-  { "seatshare.co.uk", true },
   { "seattle-life.net", true },
   { "seattlefabrication.com", true },
   { "seattlemesh.net", true },
-  { "seattleprivacy.org", true },
   { "seattlewalkinbathtubs.com", true },
   { "seb-mgl.de", true },
+  { "seb-net.com", true },
   { "sebald.com", true },
   { "sebald.org", true },
   { "sebascelis.com", true },
@@ -33447,6 +33746,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sebasveeke.nl", true },
   { "sebepoznani.eu", true },
   { "sebi.org", true },
+  { "sebjacobs.com", true },
   { "seby.io", true },
   { "sec-mails.de", true },
   { "sec-research.com", true },
@@ -33506,11 +33806,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "secureim.de", true },
   { "securejabber.me", true },
   { "securelect-inspection.com", true },
+  { "securemailbox.com", true },
+  { "securemessage.nl", true },
   { "secureobscure.com", true },
   { "secureonline.co", false },
   { "securethe.news", true },
   { "securetheorem.com", true },
-  { "securetronic.ch", true },
   { "securetrustbank.com", true },
   { "securi-tay.co.uk", true },
   { "securify.nl", true },
@@ -33558,6 +33859,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sedmicka.sk", true },
   { "sedomicilier.fr", true },
   { "sedussa.ro", true },
+  { "see.asso.fr", true },
   { "see.wtf", true },
   { "seeclop.ch", true },
   { "seedandleisure.co.uk", true },
@@ -33566,9 +33868,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "seednode.co", true },
   { "seedsofangelica.net", true },
   { "seekers.ch", true },
+  { "seekfirstthekingdom.ca", true },
   { "seeks.ru", true },
   { "seemeagain.com", true },
-  { "seesuite.com", true },
+  { "seesuite.com", false },
   { "seewhatididhere.com", true },
   { "seeworkdone.com", true },
   { "seezeitlodge-bostalsee.de", true },
@@ -33581,6 +33884,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "segnidisegni.eu", true },
   { "segulink.com", true },
   { "seguridadconsumidor.gov", true },
+  { "seguridadysaludeneltrabajo.com.co", true },
   { "seguros-de-salud-y-vida.com", true },
   { "segurosbalboa.com.ec", false },
   { "segurosdecarroshialeah.org", true },
@@ -33626,6 +33930,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "selfoutlet.com", true },
   { "selkiemckatrick.com", true },
   { "sellajoch.com", true },
+  { "selldorado.com", true },
   { "selldurango.com", true },
   { "sellguard.pl", true },
   { "sellme.biz", true },
@@ -33633,6 +33938,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sello.com", true },
   { "sellorbuy.uk", true },
   { "sellorbuy.us", true },
+  { "seloc.org", true },
   { "semacode.com", true },
   { "semaf.at", true },
   { "semaflex.it", true },
@@ -33642,7 +33948,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "semenov.su", false },
   { "seminariruum.ee", true },
   { "semiocast.com", true },
-  { "semirben.de", true },
   { "semiread.com", true },
   { "semjonov.de", true },
   { "semox.de", true },
@@ -33678,6 +33983,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "senorcontento.com", true },
   { "sens2lavie.com", true },
   { "sensavi.ua", true },
+  { "sense.hamburg", true },
   { "sensebridge.com", true },
   { "sensebridge.net", true },
   { "sensepixel.com", true },
@@ -33685,9 +33991,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sensoft-int.org", true },
   { "sensound.ml", true },
   { "sentandsecure.com", true },
+  { "sentic.info", true },
   { "sentidosdelatierra.org", true },
+  { "sentiments.io", true },
   { "sentinel.gov", true },
   { "sentinelproject.io", true },
+  { "sentirmebien.org", true },
   { "sentry.io", true },
   { "sentry.nu", true },
   { "senzaparole.de", true },
@@ -33714,7 +34023,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "seon.me", true },
   { "seoprovider.nl", true },
   { "seoquake.com", true },
-  { "seosec.xyz", true },
   { "seosof.com", true },
   { "seostepbysteplab.com", false },
   { "seoul.dating", true },
@@ -33722,7 +34030,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "seovision.se", true },
   { "sepalandseed.com", true },
   { "seppelec.com", true },
-  { "seproco.com", true },
   { "septentrionalist.org", true },
   { "septfinance.ch", true },
   { "septicrepairspecialists.com", true },
@@ -33739,7 +34046,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "serendeputy.com", true },
   { "serf.io", true },
   { "serge-design.ch", true },
-  { "sergeemond.ca", true },
   { "sergefonville.nl", true },
   { "sergeyreznikov.com", true },
   { "sergije-stanic.me", true },
@@ -33772,6 +34078,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "server92.tk", true },
   { "serveradium.com", true },
   { "serveradminz.com", true },
+  { "serverangels.co.uk", true },
   { "serverco.com", true },
   { "serverd.de", true },
   { "serverexpose.com", true },
@@ -33793,6 +34100,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "serviceboss.de", true },
   { "servicemembers.gov", true },
   { "servida.ch", true },
+  { "servidoresweb.online", true },
   { "serviettenhaus.de", true },
   { "servingbaby.com", true },
   { "servious.org", true },
@@ -33805,6 +34113,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "serwusik.pl", true },
   { "seryox.com", true },
   { "sesam-biotech.com", true },
+  { "sesrdcem.cz", true },
+  { "session.bbc.co.uk", true },
+  { "session.bbc.com", true },
   { "sessionslogning.dk", true },
   { "sesslerimmo.ch", true },
   { "sestra.in", true },
@@ -33824,6 +34135,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "setyoursite.nl", true },
   { "seva.fashion", true },
   { "seven-purple.com", true },
+  { "seven-shadows.de", true },
   { "sevencooks.com", true },
   { "sevenhillsapartments.com.au", true },
   { "sevenicealimentos.com.br", true },
@@ -33868,8 +34180,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sgi.org", true },
   { "sgitc.de", true },
   { "sglibellen.de", true },
-  { "sgroup-hitoduma.com", true },
-  { "sgroup-rec.com", true },
+  { "sgrmreproduccionapp.azurewebsites.net", true },
   { "sgs-systems.de", true },
   { "sgs.camera", true },
   { "sgs.systems", true },
@@ -33948,6 +34259,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sharescope.co.uk", false },
   { "shareselecttools.com", true },
   { "sharevari.com", true },
+  { "sharing-kyoto.com", true },
   { "sharisharpe.com", true },
   { "shark.cat", true },
   { "shark5060.net", true },
@@ -33984,7 +34296,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sheilasdrivingschool.com", true },
   { "shek.zone", true },
   { "shelfordsandstaplefordscouts.org.uk", true },
-  { "shellday.cc", true },
   { "shelleystoybox.com", true },
   { "shellfire.de", true },
   { "shellgame.io", true },
@@ -33992,11 +34303,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "shelljuggler.com", false },
   { "shellshock.eu", true },
   { "shellvatore.us", true },
+  { "shemissed.me", true },
   { "shemsconseils.ma", true },
   { "shengbao.org", true },
   { "shenghaiautoparts.com", true },
   { "shenghaiautoparts.net", true },
-  { "shens.ai", true },
   { "shenyuqi.com", false },
   { "sherbers.de", true },
   { "sherrikehoetherapy.com", true },
@@ -34013,7 +34324,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "shieldcomputer.com", true },
   { "shielder.it", true },
   { "shieldfe.com", true },
-  { "shieldofachilles.in", true },
   { "shift-record.com", true },
   { "shift-to.co.jp", true },
   { "shiftdevices.com", true },
@@ -34025,7 +34335,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "shijing.me", true },
   { "shikimori.one", true },
   { "shikimori.org", true },
+  { "shimi.blog", true },
+  { "shimi.guru", true },
   { "shimi.net", true },
+  { "shimmy1996.com", true },
   { "shimo.im", true },
   { "shinghoi.com", true },
   { "shinglereplacementlv.com", true },
@@ -34044,6 +34357,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "shiqi.ca", true },
   { "shiqi.lol", true },
   { "shiqi.one", true },
+  { "shiqi.se", true },
   { "shiqi.tv", true },
   { "shiqisifu.cc", true },
   { "shirakaba-cc.com", true },
@@ -34061,12 +34375,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "shitposts.se", true },
   { "shitproductions.org", true },
   { "shitsta.in", true },
+  { "shivamber.com", true },
   { "shivammaheshwari.com", true },
   { "shivammathur.com", true },
   { "shivatattvayoga.com", true },
   { "shlmail.info", true },
-  { "shmibbles.me", true },
-  { "shmunky.co.uk", true },
   { "shobhanayogsadan.com", true },
   { "shock.ee", true },
   { "shockercityservices.com", true },
@@ -34133,16 +34446,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "showbits.net", true },
   { "showersnet.com", true },
   { "showf.om", true },
+  { "showfom.sb", true },
   { "showmax.com", true },
   { "showmethemoney.ru", true },
   { "showpassword.net", true },
   { "showroom.cam", true },
   { "showroom.co.uk", true },
   { "showroom.uk", true },
-  { "showroom113.ru", true },
   { "showsonar.com", true },
   { "shredriteservices.com", true },
   { "shrike.me", false },
+  { "shrimpcam.pw", true },
   { "shrinidhiclinic.in", true },
   { "shrinkhub.com", true },
   { "shrub.ca", true },
@@ -34169,7 +34483,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "shwrm.ch", true },
   { "shyuka.me", true },
   { "si-benelux.nl", true },
-  { "si.to", true },
   { "si2b.fr", true },
   { "siaggiusta.com", true },
   { "siamdevsqua.re", true },
@@ -34177,6 +34490,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "siamsnus.com", true },
   { "sianbryn.co.uk", true },
   { "sianjhon.com", true },
+  { "siava.ru", true },
   { "siberas.de", true },
   { "siberkulupler.com", true },
   { "sibertakvim.com", true },
@@ -34188,8 +34502,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sicilianbalm.com", true },
   { "siciliapulizie.it", true },
   { "sicken.eu", true },
-  { "sickfile.com", true },
-  { "siconnect.us", true },
+  { "sicurezzalavoro24.com", true },
   { "sicurled.com", false },
   { "sidelka-tver.ru", true },
   { "sidema.be", true },
@@ -34203,11 +34516,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sidnicio.us", true },
   { "sidonge.com", true },
   { "sidongkim.com", true },
-  { "sidpod.ru", true },
-  { "siduga.com", true },
   { "siegemund-frankfurt.de", true },
   { "siel.nl", true },
   { "sielsystems.nl", true },
+  { "siemencaes.tk", true },
   { "sientemendoza.com.ar", true },
   { "sierpinska.co", true },
   { "sierpinska.eu", true },
@@ -34228,8 +34540,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "signage.red", true },
   { "signal.org", true },
   { "signalmaps.co.uk", true },
-  { "signaltransmitter.de", true },
-  { "signdesk.com", true },
   { "significados.com", true },
   { "significados.com.br", true },
   { "significantbanter.com", true },
@@ -34276,7 +34586,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "silverdragonart.com", true },
   { "silverfirsdental.com", true },
   { "silvergoldbull.be", true },
-  { "silvergoldbull.bg", true },
   { "silvergoldbull.bj", true },
   { "silvergoldbull.by", true },
   { "silvergoldbull.ca", true },
@@ -34318,9 +34627,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "silvergoldbull.is", true },
   { "silvergoldbull.it", true },
   { "silvergoldbull.kr", true },
-  { "silvergoldbull.ky", true },
   { "silvergoldbull.li", true },
   { "silvergoldbull.lk", true },
+  { "silvergoldbull.lt", true },
   { "silvergoldbull.lv", true },
   { "silvergoldbull.ma", true },
   { "silvergoldbull.mk", true },
@@ -34355,6 +34664,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "silvobeat.com", true },
   { "sim-karten.net", true },
   { "sim-minaoshi.jp", true },
+  { "sim-usa.mobi", true },
   { "sim4seed.org", true },
   { "simam.de", true },
   { "simark.ca", true },
@@ -34400,7 +34710,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "simphony.cz", true },
   { "simpip.com", true },
   { "simple.com", false },
-  { "simpleclassiclife.com", true },
   { "simplecmsdemo.com", true },
   { "simplecoding.click", true },
   { "simplecontacts.com", true },
@@ -34424,7 +34733,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "simplycloud.de", true },
   { "simplyfixit.co.uk", true },
   { "simplyhelen.de", true },
-  { "simplylifetips.com", true },
+  { "simplylifetips.com", false },
   { "simplylovejesus.com", true },
   { "simplymozzo.se", true },
   { "simplyregister.net", true },
@@ -34439,9 +34748,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sin.swiss", true },
   { "sinaryuda.web.id", true },
   { "sinatrafamily.com", true },
+  { "sincemydivorce.com", true },
   { "sinclairinat0r.com", true },
   { "sinde.ru", true },
-  { "sinefili.com", true },
   { "sinergy.ch", true },
   { "sinfonietta-meridiana.de", true },
   { "sinfulforums.net", true },
@@ -34467,7 +34776,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sinusitis-bronchitis.ch", true },
   { "sioeckes.hu", true },
   { "sion.info", true },
-  { "sipc.org", true },
   { "sipstix.co.za", true },
   { "siratalmustaqim.com", true },
   { "siraweb.org", true },
@@ -34508,9 +34816,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sitesko.de", true },
   { "sitevandaag.nl", true },
   { "sitischu.com", true },
+  { "sitiweb.nl", true },
   { "sivale.mx", true },
   { "sivyerge.com", true },
   { "siw64.com", true },
+  { "six-o-one.com", true },
   { "sixcorners.info", true },
   { "sixcorners.net", true },
   { "sixpackholubice.cz", true },
@@ -34519,6 +34829,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sjaakgilsingfashion.nl", true },
   { "sjbwoodstock.org", true },
   { "sjd.is", true },
+  { "sjdaws.com", true },
   { "sjis.me", true },
   { "sjleisure.co.uk", true },
   { "sjoorm.com", true },
@@ -34528,6 +34839,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "skanvordoff.ru", true },
   { "skanword.info", true },
   { "skatclub-beratzhausen.de", true },
+  { "skateaustria.at", true },
   { "skatesins.ch", true },
   { "skatingchina.com", true },
   { "skatn.de", true },
@@ -34577,6 +34889,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "skks.cz", true },
   { "sklepsamsung.pl", true },
   { "sklepwielobranzowymd.com", true },
+  { "sklotechnik.cz", true },
   { "sknclinics.co.uk", true },
   { "skogsbruket.fi", true },
   { "skogskultur.fi", true },
@@ -34588,7 +34901,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "skommettiamo.it", true },
   { "skontakt.cz", true },
   { "skontorp-enterprise.no", true },
-  { "skoolergraph.azurewebsites.net", true },
   { "skorepova.info", true },
   { "skortekaas.nl", false },
   { "skory.us", true },
@@ -34598,6 +34910,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "skryptersi.pl", true },
   { "sksdrivingschool.com.au", true },
   { "sktan.com", true },
+  { "skulblaka.ch", true },
   { "skuldwyrm.no", true },
   { "skutry-levne.cz", true },
   { "skutry.cz", true },
@@ -34607,11 +34920,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sky-coach.nl", true },
   { "sky-live.fr", true },
   { "skyanchor.com", true },
-  { "skybloom.io", true },
   { "skycmd.net", true },
   { "skyderby.ru", true },
   { "skydragoness.com", true },
   { "skydrive.live.com", false },
+  { "skyeeverest.tk", true },
   { "skyem.co.uk", true },
   { "skyfone.cz", true },
   { "skyger.cz", true },
@@ -34625,11 +34938,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "skynet233.ch", true },
   { "skynethk.com", true },
   { "skynetnetwork.eu.org", true },
+  { "skynetz.tk", true },
   { "skype.com", true },
   { "skyquid.co.uk", true },
   { "skys-entertainment.com", true },
   { "skyscapecanopies.com", true },
   { "skysuite.nl", true },
+  { "skywalkers.cz", true },
   { "skyynet.de", true },
   { "skyzimba.com.br", true },
   { "sl-bildermacher.de", true },
@@ -34670,16 +34985,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "slevomat.cz", true },
   { "slicklines.co.uk", true },
   { "slidebatch.com", true },
-  { "slightfuture.com", true },
   { "slik.ai", true },
   { "slim-slender.com", true },
   { "slimspots.com", true },
   { "slingo-sta.com", true },
   { "slingooriginals.com", true },
+  { "slingoweb.com", true },
   { "slink.hr", true },
   { "slip-gaming.tk", true },
   { "slneighbors.org", true },
-  { "slo-net.net", true },
   { "slo-tech.com", true },
   { "sloancom.com", true },
   { "slonep.net", true },
@@ -34695,9 +35009,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "slowgames.xyz", true },
   { "slpower.com", true },
   { "slrd-isperih.com", true },
+  { "slt24.de", true },
   { "sluciaconstruccion.com", true },
   { "sluimann.de", false },
   { "sluitkampzeist.nl", false },
+  { "slunecnice.cz", true },
   { "slusham.com", true },
   { "slvh.fr", true },
   { "slwilde.ca", true },
@@ -34716,16 +35032,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "smalldogbreeds.net", true },
   { "smalle-voet.de", true },
   { "smallhadroncollider.com", true },
-  { "smallpath.me", true },
   { "smalltalkconsulting.com", true },
   { "smaltimento-rifiuti.org", true },
   { "smaltimento.caserta.it", true },
+  { "smaltimento.milano.it", true },
   { "smaltimento.napoli.it", true },
   { "smaltimento.roma.it", true },
   { "smaltimentoamianto.frosinone.it", true },
   { "smaltimentoamianto.latina.it", true },
   { "smaltimentorifiuti.firenze.it", true },
   { "smaltimentorifiuti.livorno.it", true },
+  { "smaltimentorifiuti.prato.it", true },
   { "smaltimentorifiuti.veneto.it", true },
   { "smares.de", true },
   { "smart-cp.jp", true },
@@ -34734,10 +35051,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "smart-shapes.co.uk", true },
   { "smart-wohnen.net", true },
   { "smart.gov", true },
+  { "smart.vet", true },
   { "smartacademy.ge", true },
   { "smartairkey.com", true },
   { "smartandcom.ch", true },
-  { "smartandhappychild.ro", true },
+  { "smartandhappychild.ro", false },
   { "smartcheck.gov", true },
   { "smartcleaningcenter.nl", true },
   { "smartcpa.ca", true },
@@ -34760,6 +35078,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "smartphonechecker.co.uk", true },
   { "smartphones-baratos.com", true },
   { "smartpolicingplatform.com", true },
+  { "smartpti.net", true },
   { "smartrecruit.ro", true },
   { "smartservices.nl", true },
   { "smartshiftme.com", true },
@@ -34786,6 +35105,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "smiatek.name", true },
   { "smileandpay.com", true },
   { "smiledirectsales.com", true },
+  { "smilenwa.com", true },
   { "smilessoftplay.co.uk", true },
   { "smileytechguy.com", true },
   { "smilingmiao.com", true },
@@ -34800,16 +35120,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "smithchow.com", true },
   { "smithchung.eu", true },
   { "smithfieldbaptist.org", true },
+  { "smitug.pw", true },
   { "smkw.com", false },
   { "smm.im", true },
   { "smmlaba.io", true },
   { "smokeandmirrors.agency", true },
   { "smokefree.gov", true },
+  { "smokefreerowan.org", true },
   { "smokeus.dk", true },
   { "smol.cat", true },
   { "smoo.st", true },
   { "smoothcomp.com", true },
   { "smoothgesturesplus.com", true },
+  { "smoothics.at", true },
+  { "smoothics.com", true },
+  { "smoothics.eu", true },
+  { "smoothics.mobi", true },
+  { "smoothics.net", true },
   { "smoothtalker.com", true },
   { "smorgasblog.ie", true },
   { "smow.com", true },
@@ -34828,8 +35155,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "smsprivacy.org", true },
   { "smspujcka24.eu", true },
   { "smtp.in.th", true },
+  { "smtparish.org", true },
   { "smuncensored.com", true },
-  { "smutba.se", true },
   { "smutek.net", true },
   { "smvcm.com", true },
   { "smx.net.br", true },
@@ -34842,7 +35169,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "snakafya.com", true },
   { "snap.com", true },
   { "snapappointments.com", true },
-  { "snapappts.com", true },
   { "snapchat.com", true },
   { "snapfinance.com", true },
   { "snapserv.ch", true },
@@ -34887,6 +35213,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sno-kingroofing-gutters.com", true },
   { "snoerendevelopment.nl", true },
   { "snohomishsepticservice.com", true },
+  { "snoot.club", true },
   { "snopyta.com", true },
   { "snortfroken.net", true },
   { "snote.io", true },
@@ -34909,7 +35236,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "snowyluma.com", true },
   { "snowyluma.me", true },
   { "snperformance.gr", true },
-  { "snrat.com", true },
+  { "snroth.de", true },
   { "snrub.co", true },
   { "sntravel.co.uk", true },
   { "snuff.porn", true },
@@ -34928,7 +35255,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sobieray.dyndns.org", true },
   { "sobotkama.eu", true },
   { "sobreporcentagem.com", true },
-  { "soc.net", true },
   { "soccorso-stradale.org", true },
   { "sochi-sochno.ru", true },
   { "sociability.dk", true },
@@ -34956,12 +35282,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sociopathy.org", true },
   { "sockeye.io", true },
   { "sockscap64.com", true },
-  { "socoastal.com", true },
   { "sodadigital.com.au", true },
   { "sodafilm.de", true },
   { "sodexam.pro", true },
   { "sodi.nl", true },
-  { "sodiao.cc", true },
   { "sodomojo.com", true },
   { "soe-server.com", true },
   { "sofa-rockers.org", true },
@@ -35041,7 +35365,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "solicafe.at", true },
   { "solidarita-kosovo.net", true },
   { "solidshield.com", true },
-  { "solidtuesday.com", true },
   { "solihullcarnival.co.uk", true },
   { "solihullinflatables.com", true },
   { "solihulllionsclub.org.uk", true },
@@ -35074,7 +35397,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "somanao.com", true },
   { "somcase.com.br", true },
   { "somecrazy.com", true },
-  { "somersetscr.nhs.uk", true },
   { "somersetwellbeing.nhs.uk", true },
   { "somethingsketchy.net", true },
   { "sommefeldt.com", true },
@@ -35105,9 +35427,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sonic.studio", true },
   { "sonicdoe.com", true },
   { "sonixonline.com", true },
-  { "sonoecoracao.com.br", true },
   { "sonyunlock.nu", true },
-  { "soodwatthanaphon.net", true },
   { "soohealthy.nl", true },
   { "soomee.be", true },
   { "soomee1.be", true },
@@ -35143,12 +35463,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sos-falegname.it", true },
   { "sos-idraulico.it", true },
   { "sos-muratore.it", true },
-  { "sosesh.shop", true },
   { "sosoftplay.co.uk", true },
   { "sospromotions.com.au", true },
   { "sostacancun.com", true },
   { "sosteam.jp", true },
   { "sosteric.si", true },
+  { "sot.blue", true },
+  { "sot.red", true },
   { "sotadb.info", true },
   { "sotai.tk", true },
   { "sotar.us", true },
@@ -35186,10 +35507,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sourcecode.tw", true },
   { "sourceway.de", true },
   { "souris.ch", true },
+  { "sous-surveillance.net", false },
   { "southafrican.dating", true },
   { "southambouncycastle.co.uk", true },
   { "southamerican.dating", true },
   { "southbankregister.com.au", true },
+  { "southbendflooring.com", true },
   { "southcountyplumbing.com", true },
   { "southdakotahealthnetwork.com", true },
   { "southeastvalleyurology.com", true },
@@ -35254,6 +35577,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sparklebastard.com", true },
   { "sparkz.no", true },
   { "sparprofi.at", true },
+  { "sparta-en.org", true },
   { "sparta-solutions.de", true },
   { "spartaconsulting.fi", true },
   { "spartacuslife.com", true },
@@ -35267,7 +35591,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "spazturtle.co.uk", true },
   { "spazzacamino.roma.it", true },
   { "spbet99.com", true },
-  { "spd-pulheim-mitte.de", true },
   { "spdepartamentos.com.br", true },
   { "spdf.net", true },
   { "spdillini.com", true },
@@ -35295,6 +35618,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "speedsportofhull.co.uk", true },
   { "speedtailors.com", true },
   { "speedtest-russia.com", true },
+  { "speedwaybusinesspark.com", true },
   { "speeltoneel.nl", true },
   { "speerpunt.info", true },
   { "speets.ca", true },
@@ -35308,11 +35632,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "spenny.tf", true },
   { "sperandii.it", true },
   { "sperec.fr", true },
+  { "spero.solutions", true },
   { "sperrstun.de", true },
   { "spesys-services.fr", true },
   { "spha.info", true },
   { "sphere-realty.com", true },
   { "sphereblur.com", true },
+  { "spherenix.org", true },
   { "sphido.org", true },
   { "spicejungle.com", true },
   { "spicydog.org", true },
@@ -35324,19 +35650,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "spielezar.ch", true },
   { "spielland.ch", true },
   { "spiellawine.de", true },
+  { "spieltexte.de", true },
   { "spiet.nl", true },
   { "spiff.eu", true },
   { "spiga.ch", true },
   { "spikelands.com", true },
+  { "spilled.ink", true },
+  { "spillmaker.no", false },
   { "spilogkoder.dk", true },
   { "spinalien.net", false },
   { "spinalo.se", true },
   { "spindle.com.ph", true },
   { "spindrift.com", true },
   { "spingenie.com", true },
-  { "spinor.im", true },
   { "spins.fedoraproject.org", true },
   { "spinspin.wtf", true },
+  { "spira-group.eu", true },
+  { "spira.kiev.ua", true },
   { "spiralschneiderkaufen.de", true },
   { "spirella-shop.ch", true },
   { "spirit55555.dk", true },
@@ -35402,6 +35732,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sportxt.ru", true },
   { "spot-lumiere-led.com", true },
   { "spotrebitelskecentrum.sk", true },
+  { "spotswoodvet.com", true },
   { "spottedpenguin.co.uk", true },
   { "spotupload.com", true },
   { "sppin.fr", true },
@@ -35417,7 +35748,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "springerundpartner.de", true },
   { "springfieldbricks.com", true },
   { "springhillmaine.com", true },
-  { "springreizen.nl", true },
   { "sprinklermanohio.com", true },
   { "spritmonitor.de", true },
   { "spritsail.io", true },
@@ -35432,6 +35762,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "spsnewengland.org", true },
   { "spt.re", true },
   { "sptk.org", true },
+  { "sptr.blog", true },
   { "spuffin.com", true },
   { "spufpowered.com", true },
   { "spunkt.fr", true },
@@ -35451,7 +35782,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "square-gaming.org", true },
   { "square-src.de", false },
   { "square.com", false },
-  { "squarelab.it", true },
   { "squareup.com", false },
   { "squawk.cc", true },
   { "squeakql.online", true },
@@ -35467,7 +35797,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "src-el-main.com", true },
   { "src.fedoraproject.org", true },
   { "srchub.org", true },
-  { "srichan.net", true },
   { "srife.net", true },
   { "srigc.com", true },
   { "srihash.org", true },
@@ -35517,7 +35846,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ssldecoder.org", true },
   { "ssldev.net", true },
   { "sslmate.com", true },
-  { "sslok.com", true },
+  { "sslok.com", false },
   { "sslping.com", true },
   { "sslpoint.com", true },
   { "ssls.cz", true },
@@ -35579,6 +35908,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "staklim-malang.info", true },
   { "stako.jp", true },
   { "staktrace.com", true },
+  { "stal-rulon.ru", true },
+  { "stalder.work", true },
   { "staljedevledder.nl", true },
   { "stalker-shop.com", true },
   { "stalkerteam.pl", true },
@@ -35602,6 +35933,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stanthonymaryclaret.org", true },
   { "staparishgm.org", true },
   { "star-clean.it", true },
+  { "star.watch", true },
   { "starcoachservices.ca", true },
   { "starcomproj.com", true },
   { "stardanceacademy.net", true },
@@ -35631,6 +35963,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "startergen.com", true },
   { "startlab.sk", true },
   { "startle.cloud", true },
+  { "startliste.info", true },
   { "startpage.com", true },
   { "startpage.info", true },
   { "startrek.in", true },
@@ -35681,6 +36014,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stcu.org", false },
   { "std-home-test.com", true },
   { "stderr.cc", true },
+  { "stdev.top", true },
   { "stdrc.cc", false },
   { "steakhaus-zumdorfbrunnen.de", true },
   { "steakovercooked.com", true },
@@ -35695,13 +36029,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "steamtrades.com", true },
   { "steamwhale.com", true },
   { "stebet.net", true },
-  { "steborio.pw", true },
-  { "steckel.cc", true },
   { "stedb.eu", true },
   { "stedbg.net", true },
   { "steef389.eu", true },
   { "steel-roses.de", true },
+  { "steelbeasts.org", true },
   { "steelephys.com.au", true },
+  { "steelmounta.in", true },
   { "steemit.com", true },
   { "steemyy.com", true },
   { "steerty.com", true },
@@ -35732,6 +36066,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stellarium-gornergrat.ch", true },
   { "stellarx.com", true },
   { "stelleninserate.de", true },
+  { "stellenticket.de", true },
   { "stellmacher.name", true },
   { "stemapp.io", true },
   { "stembureauledenindenhaag.nl", true },
@@ -35748,7 +36083,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stephenhaunts.com", true },
   { "stephenhorler.com.au", true },
   { "stephenj.co.uk", true },
-  { "stephenjvoiceovers.com", true },
   { "stephenperreira.com", true },
   { "stephenreescarter.com", true },
   { "stephenreescarter.net", true },
@@ -35777,8 +36111,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sternenbund.info", true },
   { "sternplastic.com", true },
   { "sternsinus.com", true },
+  { "stetson.edu", true },
   { "stetspa.it", true },
   { "steuer-voss.de", true },
+  { "steuerberater-essen-steele.com", true },
   { "steuerkanzlei-edel.de", true },
   { "steuern-recht-wirtschaft.de", true },
   { "steuerseminare-graf.de", true },
@@ -35797,14 +36133,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stevenroddis.com", true },
   { "stevens.se", false },
   { "steventress.com", true },
-  { "steventruesdell.com", true },
   { "stevenwooding.com", true },
   { "stevenz.net", true },
   { "stevenz.science", true },
   { "stevenz.xyz", true },
   { "stevesdrivingschooltyneside.com", true },
   { "stewartswines.com", true },
-  { "stewpolley.com", true },
+  { "stewpolley.com", false },
   { "steyaert.be", false },
   { "stforex.com", false },
   { "stfrancisnaugatuck.org", true },
@@ -35823,7 +36158,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stickandpoketattookit.com", true },
   { "stickeramoi.com", true },
   { "stickergiant.com", true },
-  { "stickertuningfetzt.de", false },
+  { "stickertuningfetzt.de", true },
   { "stickies.io", true },
   { "stickmanventures.com", true },
   { "stickstueb.de", true },
@@ -35836,7 +36171,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stikic.me", true },
   { "stilartmoebel.de", true },
   { "stilecop.com", true },
-  { "stillnessproject.com", true },
   { "stilmobil.se", true },
   { "stiltmedia.com", true },
   { "stimmgabel.lu", true },
@@ -35853,13 +36187,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stitchfiddle.com", true },
   { "stitchinprogress.com", true },
   { "stivesbouncycastlehire.co.uk", true },
+  { "stjameslititz.org", true },
   { "stjohnin.com", true },
   { "stjohnsottsville.org", true },
   { "stjoseph-stcatherine.org", true },
+  { "stjosephri.org", true },
+  { "stjosephsoswego.com", true },
   { "stjosephspringcity.com", true },
   { "stjosephtheworker.net", true },
   { "stjscatholicchurch.org", true },
   { "stjustin.org", true },
+  { "stkevin-stbenedict.org", true },
   { "stln.ml", true },
   { "stlu.de", true },
   { "stlukenh.org", true },
@@ -35870,6 +36208,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stmarkseagirt.com", true },
   { "stmarthachurch.com", true },
   { "stmaryextra.uk", true },
+  { "stmarysnutley.org", true },
+  { "stmaryswestwarwick.org", true },
   { "stmatthewri.org", true },
   { "stmattsparish.com", true },
   { "stmichaellvt.com", true },
@@ -35877,17 +36217,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stmlearning.com", true },
   { "stmsolutions.pl", true },
   { "stneotsbouncycastlehire.co.uk", true },
+  { "stnevis.ru", true },
   { "stockpile.com", true },
   { "stockrow.com", true },
   { "stockstuck.com", true },
   { "stocktout.info", true },
   { "stocktrader.com", true },
+  { "stocp.org", true },
   { "stodieck.com", true },
   { "stoebermehl.at", true },
   { "stoffelnet.de", true },
   { "stogiesandmash.com", true },
   { "stokvistrading.nl", true },
-  { "stolbart.com", true },
   { "stolin.info", true },
   { "stolina.de", false },
   { "stolkpotplanten.nl", true },
@@ -35898,6 +36239,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stoneagehealth.com.au", true },
   { "stonechatjewellers.ie", true },
   { "stonedworms.de", true },
+  { "stoneedgeconcrete.com", true },
   { "stonehammerhead.org", true },
   { "stonehurstcap.com", true },
   { "stonewuu.com", true },
@@ -35912,7 +36254,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "storedsafe.com", true },
   { "storeit.co.uk", true },
   { "storeprice.co.uk", true },
-  { "storeprijs.nl", true },
   { "storillo.com", true },
   { "storm-family.com", true },
   { "stormi.io", true },
@@ -35927,6 +36268,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stouter.nl", true },
   { "stoxford.com", true },
   { "stpatrickbayshore.org", true },
+  { "stpatrickkennettsquare.org", true },
+  { "stpatrickri.org", true },
+  { "stpatricks-pelham.com", true },
   { "stpaulcatholicchurcheastnorriton.net", true },
   { "str8hd.com", true },
   { "straatderzotten.nl", true },
@@ -35935,10 +36279,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "strahlende-augen.info", true },
   { "strajnar.si", true },
   { "straka.name", true },
+  { "strandedinotter.space", true },
+  { "strandom.ru", true },
   { "strandschnuppern.de", true },
   { "strangelane.com", true },
   { "strangemusicinc.com", true },
   { "strangemusicinc.net", true },
+  { "strangeways.ca", true },
+  { "straphael-holyangels.com", true },
   { "strate.io", true },
   { "strategiccapital.com", true },
   { "strategiclivingblog.com", true },
@@ -35969,7 +36317,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stremio.com", true },
   { "strengthroots.com", true },
   { "stretchmyan.us", true },
-  { "stretchpc.com", true },
   { "striata.com", true },
   { "striatadev.com", true },
   { "stricted.net", true },
@@ -35985,6 +36332,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "strobeto.de", true },
   { "strobotti.com", true },
   { "stroccounioncity.org", true },
+  { "stroeder.com", true },
   { "stroeerdigital.de", true },
   { "stroginohelp.ru", true },
   { "strom.family", true },
@@ -36007,6 +36355,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "strutta.me", true },
   { "strydom.me.uk", true },
   { "stsolarenerji.com", true },
+  { "ststanislaus.com", true },
   { "ststanstrans.org", true },
   { "stt.wiki", true },
   { "sttg.com.au", true },
@@ -36026,6 +36375,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "student-eshop.sk", true },
   { "studentfinancecountdown.com", true },
   { "studentforums.biz", true },
+  { "studentklinikk.no", true },
   { "studentloans.gov", true },
   { "studentpop.com", true },
   { "studentrightsadvocate.org", true },
@@ -36038,6 +36388,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "studio-architetto.com", true },
   { "studio-art.pro", true },
   { "studio-fotografico.ru", true },
+  { "studio-happyvalley.com", true },
   { "studio44.fit", true },
   { "studioadevents.com", true },
   { "studioavvocato24.it", true },
@@ -36066,6 +36417,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "studiovaud.com", true },
   { "studipro-formation.fr", true },
   { "studipro-marketing.fr", true },
+  { "studisys.net", true },
   { "studium.cz", true },
   { "studyin.jp", true },
   { "studyspy.ac.nz", true },
@@ -36092,7 +36444,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stuvus.uni-stuttgart.de", true },
   { "stw-group.at", true },
   { "stygium.net", false },
-  { "stylaq.com", true },
   { "stylebajumuslim.com", true },
   { "styleci.io", true },
   { "stylecollective.us", true },
@@ -36109,6 +36460,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "subastasdecarros.net", true },
   { "subculture.live", true },
   { "subdev.org", true },
+  { "subdimension.org", true },
   { "sublimebits.com", true },
   { "sublocale.com", true },
   { "submedia.tv", true },
@@ -36118,10 +36470,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "subrosr.com", true },
   { "subsistence.wiki", true },
   { "substitutealert.com", true },
-  { "subterfuge.io", true },
   { "suburban-landscape.net", true },
   { "suburbaninfinitioftroyparts.com", true },
   { "subversive-tech.com", true },
+  { "subzerotech.co.uk", true },
   { "succ.in", true },
   { "succesprojekter.dk", true },
   { "successdeliv.com", true },
@@ -36137,6 +36489,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sudo.org.au", true },
   { "sudo.ws", true },
   { "sudokian.io", true },
+  { "sudoschool.com", true },
   { "suelyonjones.com", true },
   { "suessdeko.de", true },
   { "suevia-ka.de", true },
@@ -36152,7 +36505,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "suggea.com", true },
   { "suggestim.ch", true },
   { "suisui.stream", true },
-  { "suited21.com", true },
   { "suitesapp.com", true },
   { "sujal.com", true },
   { "sujatadev.in", true },
@@ -36169,7 +36521,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sullenholland.nl", true },
   { "suluvir.com", true },
   { "sumguy.com", true },
-  { "summa-prefis.com", true },
   { "summa.eu", false },
   { "summercampthailand.com", true },
   { "summershomes.com", true },
@@ -36191,7 +36542,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sunjiutuo.com", true },
   { "sunlit.cloud", true },
   { "sunn.ie", true },
+  { "sunny.co.uk", true },
   { "sunnylyx.com", true },
+  { "sunnysidechurchofchrist.org", true },
   { "sunoikisis.org", true },
   { "sunred.info", true },
   { "sunred.org", true },
@@ -36247,7 +36600,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "supertechcrew.com", true },
   { "supertutorial.com.br", true },
   { "supervisionassist.com", true },
-  { "superway.es", true },
   { "supeuro.com", true },
   { "supioka.com", true },
   { "supmil.net", true },
@@ -36267,10 +36619,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "supriville.com.br", true },
   { "sur-v.com", true },
   { "surao.cz", true },
-  { "surasak.io", true },
   { "surasak.net", true },
   { "surasak.org", true },
-  { "surdam.casa", true },
   { "sure-it.de", true },
   { "surefit-oms.com", true },
   { "suretone.co.za", true },
@@ -36282,13 +36632,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "surgicalassociateswny.com", true },
   { "suroil.com", true },
   { "surpreem.com", true },
+  { "surrealcoder.com", true },
   { "surreyheathyc.org.uk", true },
   { "suruifu.com", true },
   { "survature.com", true },
   { "surveillance104.com", true },
   { "surveyhealthcare.com", true },
   { "surveymill.co.uk", true },
-  { "survivalistplanet.com", true },
   { "survivalmonkey.com", true },
   { "susanbpilates.co", true },
   { "susanbpilates.com", true },
@@ -36332,7 +36682,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "svdb.co", false },
   { "svdreamcatcher.com", true },
   { "sveinerik.org", true },
-  { "svendubbeld.nl", true },
   { "sveneckelmann.de", true },
   { "svenjaundchristian.de", true },
   { "svenluijten.com", false },
@@ -36347,6 +36696,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "svm-it.eu", true },
   { "svobodnyblog.cz", true },
   { "svorcikova.cz", true },
+  { "svsb-live.azurewebsites.net", false },
   { "sw-servers.net", true },
   { "sw33tp34.com", true },
   { "swagsocial.net", true },
@@ -36356,6 +36706,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "swapadoodle.com", true },
   { "swaptaxdata.com", true },
   { "swarfarm.com", true },
+  { "swarovski-lov.cz", true },
   { "swat4stats.com", true },
   { "swattransport.ae", true },
   { "sway-cdn.com", true },
@@ -36369,12 +36720,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sweepay.ch", true },
   { "sweet-as.co.uk", true },
   { "sweet-orr.com", true },
+  { "sweet-spatula.com", true },
   { "sweetair.com", true },
   { "sweetbridge.com", true },
   { "sweetgood.de", true },
   { "sweethomesnohomishrenovations.com", true },
   { "sweets-mimatsu.com", true },
-  { "swehack.org", true },
   { "sweharris.org", true },
   { "swerve-media-testbed-03.co.uk", true },
   { "swetrust.com", true },
@@ -36395,14 +36746,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "swiss-cyber-experts.ch", true },
   { "swiss-vanilla.ch", true },
   { "swiss-vanilla.com", true },
-  { "swisscannabis.club", true },
   { "swissdojo.ch", true },
   { "swisselement365.com", true },
   { "swissfreshaircan.ch", true },
   { "swissid.ch", true },
   { "swisslinux.org", true },
   { "swisstechassociation.ch", true },
-  { "swisstechtalks.ch", true },
   { "swissvanilla.ch", true },
   { "swissvanilla.com", true },
   { "switch-trader.com", true },
@@ -36411,6 +36760,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "switcheo.rocks", true },
   { "switzerland-family-office.com", true },
   { "swivells.com", true },
+  { "swkdevserver.tk", true },
+  { "swktestserver.tk", true },
   { "swn-nec.de", true },
   { "swordfeng.xyz", true },
   { "swqa.hu", true },
@@ -36423,6 +36774,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sy-anduril.de", true },
   { "sy24.ru", true },
   { "syajvo.if.ua", true },
+  { "syakonavi.com", true },
   { "syamutodon.xyz", true },
   { "sycamorememphis.org", true },
   { "sychov.pro", true },
@@ -36433,9 +36785,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "syenar.net", true },
   { "syezd.com.au", true },
   { "syha.org.uk", true },
-  { "syhost.at", true },
-  { "syhost.ch", true },
-  { "syhost.de", true },
   { "sykepleien.no", false },
   { "sylaps.com", true },
   { "syleam.in", true },
@@ -36444,8 +36793,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sylvaindurand.fr", true },
   { "sylvaindurand.org", true },
   { "sylvaloir.fr", true },
-  { "sylvan.me", true },
-  { "sylvangarden.net", true },
   { "sylve.ch", true },
   { "sym01.com", true },
   { "symb.ch", true },
@@ -36454,6 +36801,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "symbiose-immobilier.ch", true },
   { "symbiose.com", true },
   { "symbiosecom.ch", true },
+  { "symdevinc.com", true },
   { "symeda.de", true },
   { "symetria.io", true },
   { "symfora-meander.nl", true },
@@ -36474,6 +36822,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "synchrolarity.com", true },
   { "synchronicity.cz", true },
   { "synchronyse.com", true },
+  { "synchtu.be", false },
   { "syncrise.co.jp", true },
   { "syneart.com", true },
   { "synecek11.cz", true },
@@ -36488,7 +36837,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "syntheticgrassliving.com.au", true },
   { "syntheticurinereview.com", true },
   { "synthetik.com", true },
-  { "syoier.com", true },
   { "syplasticsurgery.com", true },
   { "syriatalk.biz", true },
   { "syriatalk.org", true },
@@ -36526,7 +36874,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sysystems.cz", true },
   { "syt3.net", true },
   { "syukatsu-net.jp", true },
-  { "syunpay.cn", true },
   { "syy.im", true },
   { "syzygy-tables.info", true },
   { "sz-ideenlos.de", true },
@@ -36541,6 +36888,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "szentistvanpt.sk", true },
   { "szepsegbennedrejlik.hu", true },
   { "szerelem.love", true },
+  { "szeretekvajpolni.hu", true },
   { "szetowah.org.hk", true },
   { "szunia.com", true },
   { "szybkiebieganie.pl", true },
@@ -36556,7 +36904,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "t12u.com", true },
   { "t23m-navi.jp", false },
   { "t2i.nl", true },
-  { "t3rror.net", true },
   { "t47.io", true },
   { "t4c.link", true },
   { "t4cc0.re", true },
@@ -36567,6 +36914,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ta-sports.net", true },
   { "ta65.com", true },
   { "taabe.net", true },
+  { "taalcursusvolgen.nl", true },
   { "taartbesteld.nl", true },
   { "tabarnak.ga", true },
   { "tabernadovinho.com.br", true },
@@ -36587,11 +36935,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tacklinglife.com", true },
   { "tacklog.com", true },
   { "tacomafia.net", true },
-  { "tacostea.net", true },
   { "tacticalsquare.com", true },
   { "taddiestales.com", true },
   { "tadeo.ca", true },
   { "tadiranbatteries.de", true },
+  { "tadj-mahalat.com", true },
+  { "tadlab.cl", true },
   { "tadluedtke.com", true },
   { "tadtadya.com", true },
   { "tadu.de", true },
@@ -36612,6 +36961,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tails.boum.org", true },
   { "taimane.com", true },
   { "taiphanmem.net", true },
+  { "taishokudaiko.com", true },
   { "taishon.nagoya", true },
   { "taitmacleod.com", true },
   { "taiwan.dating", true },
@@ -36655,6 +37005,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "talkwithyourbaby.org", true },
   { "tallcraft.com", true },
   { "talldude.net", true },
+  { "tallinnsec.ee", true },
+  { "tallinnsex.ee", true },
   { "talltreeskv.com.au", true },
   { "tallyfy.com", true },
   { "talon.rip", true },
@@ -36674,18 +37026,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tamposign.fr", true },
   { "tamriel-rebuilt.org", true },
   { "tanacio.com", true },
+  { "tanak3n.xyz", false },
   { "tancredi.nl", true },
   { "tandem-trade.ru", false },
   { "tandemexhibits.com", true },
   { "tandempartnerships.com", true },
-  { "tandilmap.com.ar", true },
   { "tandk.com.vn", true },
   { "tandzorg.link", true },
   { "tangel.me", true },
   { "tangemann.org", true },
   { "tango-ouest.com", true },
   { "tangoalpha.co.uk", true },
-  { "tanhit.com", true },
   { "taniafitness.co.uk", true },
   { "taniafitness.com", true },
   { "tanie-uslugi-ksiegowe.pl", true },
@@ -36715,6 +37066,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tapsnapp.co", true },
   { "taquilla.com", true },
   { "tar-mag.com", true },
+  { "taranis.re", true },
   { "tarasecurity.co.uk", true },
   { "tarasecurity.com", true },
   { "tarasevich.by", true },
@@ -36726,6 +37078,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tarik.io", true },
   { "tarmexico.com", true },
   { "taron.top", true },
+  { "tarot-cartas.com", true },
   { "tarsan.cz", true },
   { "tartaneagle.org.uk", true },
   { "tartanhamedshop.com.br", true },
@@ -36757,7 +37110,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tattvaayoga.com", true },
   { "tatuantes.com", true },
   { "taunhanh.us", true },
-  { "tauschen.info", true },
+  { "taustyle.ru", true },
   { "tavolaquadrada.com.br", true },
   { "tavsys.net", true },
   { "tax-guard.com", true },
@@ -36795,6 +37148,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tbuchloh.de", true },
   { "tc-st-leonard.ch", true },
   { "tc.nz", true },
+  { "tcade.co", true },
   { "tcb-a.org", true },
   { "tcb-b.org", true },
   { "tccmb.com", true },
@@ -36808,6 +37162,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tchebotarev.com", true },
   { "tchnics.de", true },
   { "tchoukball.ch", true },
+  { "tcit.fr", true },
   { "tcmwellnessclinic.com", true },
   { "tcnapplications.com", true },
   { "tcpweb.net", true },
@@ -36823,6 +37178,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tdsinflatables.co.uk", true },
   { "tdude.co", true },
   { "tea.codes", true },
+  { "tea.in.th", true },
   { "teabagdesign.co.uk", true },
   { "teachbiz.net", true },
   { "teachercreatedmaterials.com", true },
@@ -36838,8 +37194,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "teachwithouttears.com", true },
   { "teahut.net", true },
   { "team-azerty.com", true },
-  { "team-bbd.com", true },
-  { "team-pancake.eu", true },
   { "team.house", true },
   { "team3482.com", true },
   { "teambeam.at", true },
@@ -36861,7 +37215,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "teamspeak-serverlist.xyz", true },
   { "teamtouring.net", true },
   { "teamtrack.uk", true },
-  { "teamtravel.co", true },
   { "teamup.com", true },
   { "teamup.rocks", true },
   { "teamupturn.com", true },
@@ -36891,7 +37244,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "techamigo.in", true },
   { "techarea.fr", true },
   { "techaulogy.com", true },
-  { "techbelife.com", true },
   { "techbrown.com", true },
   { "techcracky.com", true },
   { "techcultivation.de", false },
@@ -36901,6 +37253,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "techdroid.eu", true },
   { "techendeavors.com", true },
   { "techformator.pl", true },
+  { "techforthepeople.org", true },
   { "techglover.com", true },
   { "techhappy.ca", true },
   { "techinet.pl", true },
@@ -36915,11 +37268,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "technicabv.nl", true },
   { "technicalbrothers.cf", true },
   { "technicallyeasy.net", true },
+  { "technicalramblings.com", true },
   { "technicalsystemsprocessing.com", true },
   { "techniclab.net", true },
   { "techniclab.org", true },
   { "techniclab.ru", true },
-  { "technifocal.com", true },
   { "technik-boeckmann.de", true },
   { "technikblase.fm", true },
   { "technikman.de", true },
@@ -36951,7 +37304,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "techviewforum.com", true },
   { "techwayz.com", true },
   { "techwithcromulent.com", true },
-  { "techwords.io", true },
   { "techzero.cn", true },
   { "teckids.org", true },
   { "tecma.com", true },
@@ -36962,6 +37314,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tecnoarea.com.ar", true },
   { "tecnobrasilloja.com.br", true },
   { "tecnodritte.it", true },
+  { "tecnogaming.com", true },
   { "tecnogazzetta.it", true },
   { "tecnologiasurbanas.com", true },
   { "tecon.co.at", true },
@@ -36984,6 +37337,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "teensexgo.com", true },
   { "teeworlds-friends.de", true },
   { "tefek.cz", true },
+  { "teganlaw.ca", true },
+  { "teganlaw.com", true },
   { "tege-elektronik.hu", true },
   { "tehrabbitt.com", false },
   { "tehranperfume.com", true },
@@ -36991,6 +37346,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tejarat98.com", true },
   { "teknemodus.com.au", true },
   { "teknik.io", true },
+  { "tekniksnack.se", true },
   { "tekniskakustik.se", true },
   { "tekno.de", true },
   { "teknoforums.com", true },
@@ -36999,10 +37355,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tekuteku.jp", true },
   { "telamon.eu", true },
   { "telamon.fr", true },
-  { "tele-alarme.ch", true },
+  { "telco.at", true },
   { "tele-online.com", true },
   { "telealarme.ch", true },
-  { "telealarmevalais.ch", true },
   { "telecamera.pro", false },
   { "telecomwestland.nl", true },
   { "teledivi.com", true },
@@ -37015,6 +37370,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "telefoon.nl", true },
   { "telefoonabonnement.nl", true },
   { "telegenisys.com", true },
+  { "telegram.org", true },
   { "telegramdr.com", true },
   { "telehealthventures.com", false },
   { "telekothonbd.com", true },
@@ -37028,6 +37384,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tellcorpassessoria.com.br", true },
   { "telling.xyz", true },
   { "tellingua.com", false },
+  { "tellthemachines.com", true },
   { "tellusaboutus.com", true },
   { "telly.site", true },
   { "tellygames.com", true },
@@ -37061,8 +37418,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tendoryu-aikido.org", false },
   { "tenenz.com", true },
   { "tenisservis.eu", true },
+  { "tenkdigitalt.no", true },
   { "tenkofx.com", true },
-  { "tennisadmin.com", true },
   { "tennismindgame.com", true },
   { "tenno.tools", true },
   { "tenpo-iku.com", true },
@@ -37076,6 +37433,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tenyx.de", true },
   { "tenzer.dk", true },
   { "teoleonie.com", true },
+  { "tepautotuning.com", true },
   { "tepid.org", true },
   { "tepitus.de", true },
   { "teplofom.ru", true },
@@ -37108,6 +37466,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "terralimno.eu", true },
   { "terraluna.space", true },
   { "terranova-nutrition.dk", true },
+  { "terranova.fi", true },
   { "terrapay.com", true },
   { "terrastaffinggroup.com", false },
   { "terraweb.net", true },
@@ -37133,6 +37492,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "testeveonline.com", true },
   { "testgeomed.ro", true },
   { "testomato.com", true },
+  { "testoon.com", true },
   { "testosteronedetective.com", true },
   { "testsuite.org", true },
   { "testsvigilantesdeseguridad.es", true },
@@ -37176,7 +37536,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "teyssedre.ca", true },
   { "tf2b.com", true },
   { "tf2calculator.com", true },
-  { "tf7879.com", true },
   { "tfb.az", true },
   { "tfg-bouncycastles.com", true },
   { "tfk.fr", true },
@@ -37202,7 +37561,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thablubb.de", true },
   { "thaedal.net", true },
   { "thai.dating", true },
-  { "thai.land", false },
+  { "thai.land", true },
   { "thaicyberpoint.com", true },
   { "thaiforest.ch", true },
   { "thaihomecooking.com", true },
@@ -37217,6 +37576,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thalia.nu", true },
   { "thaliagetaway.com.au", true },
   { "thallinger.me", true },
+  { "thambaru.com", true },
   { "thamesfamilydentistry.com", true },
   { "thamtubinhminh.com", true },
   { "thanabh.at", true },
@@ -37226,6 +37586,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thatquiz.org", true },
   { "thatsme.io", true },
   { "thca.ca", true },
+  { "thcpbees.co.uk", true },
   { "the-arabs.com", true },
   { "the-bermanns.com", true },
   { "the-big-bang-theory.com", true },
@@ -37254,11 +37615,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "theaps.net", true },
   { "theastrocoach.com", true },
   { "theatre-schools.com", true },
+  { "theazoorsociety.org", true },
   { "thebakers.com.br", true },
   { "thebakery2go.de", true },
   { "thebannerstore.com", true },
   { "thebarbdemariateam.com", true },
-  { "thebarneystyle.com", true },
   { "thebarrens.nu", true },
   { "thebasebk.org", true },
   { "thebcm.co.uk", true },
@@ -37311,7 +37672,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thecrazytravel.com", true },
   { "thecrescentchildcarecenter.com", true },
   { "thecrew-exchange.com", true },
-  { "thecrochetcottage.net", true },
   { "thecstick.com", true },
   { "thecuppacakery.co.uk", true },
   { "thecuriousdev.com", true },
@@ -37319,6 +37679,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thecustomdroid.com", true },
   { "theda.co.za", true },
   { "thedark1337.com", true },
+  { "thedebug.life", true },
   { "thederminstitute.com", true },
   { "thedhs.com", true },
   { "thediamondcenter.com", true },
@@ -37339,6 +37700,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "theemasphere.com", true },
   { "theender.net", true },
   { "theepiclounge.com", true },
+  { "theeverycompany.com", true },
+  { "theeyeopener.com", true },
   { "thefairieswantmedead.com", true },
   { "thefanimatrix.net", true },
   { "thefashionpolos.com", true },
@@ -37348,7 +37711,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thefilmphotography.com", true },
   { "theflowerbasketonline.com", true },
   { "theflowershopdeddington.com", true },
-  { "theflyingbear.net", true },
   { "thefnafarchive.org", true },
   { "theforkedspoon.com", true },
   { "thefourthmoira.com", true },
@@ -37388,6 +37750,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thehotness.tech", true },
   { "thehouseofgod.org.nz", true },
   { "thehowtohome.com", true },
+  { "thehub.ai", true },
+  { "theideaskitchen.com.au", true },
   { "theidiotboard.com", true },
   { "theig.co", true },
   { "theillustrationstudio.com.au", true },
@@ -37399,6 +37763,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "theinitium.com", true },
   { "theintercept.com", true },
   { "theinternationalgeekconspiracy.eu", true },
+  { "theissue.com.au", true },
   { "theitsage.com", false },
   { "thejacksoninstitute.com.au", true },
   { "thekev.in", true },
@@ -37443,7 +37808,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "themusecollaborative.org", true },
   { "themusicinnoise.net", true },
   { "thenanfang.com", true },
-  { "thenarcissisticlife.com", true },
   { "theneatgadgets.com", true },
   { "thenerdic.com", true },
   { "thenexwork.com", true },
@@ -37480,7 +37844,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thepharm.co.nz", true },
   { "thephonecaseplace.com", true },
   { "thephp.cc", true },
-  { "thepiabo.ovh", true },
   { "thepieslicer.com", true },
   { "thepiratesociety.org", true },
   { "theplaidpoodle.com", true },
@@ -37492,11 +37855,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thepriorybandbsyresham.co.uk", true },
   { "theproductpoet.com", true },
   { "thepromisemusic.com", true },
-  { "thepythianseed.com", true },
   { "theragran.co.id", true },
   { "theralino.de", true },
   { "theramo.re", true },
-  { "therandombits.com", true },
+  { "therandombits.com", false },
   { "therapiemi.ch", true },
   { "therapynotes.com", true },
   { "therapyportal.com", true },
@@ -37565,13 +37927,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thestyleforme.com", true },
   { "thesuppercircle.com", true },
   { "theswissbay.ch", true },
+  { "theteacherscorner.net", true },
   { "thetechnical.me", true },
   { "thetenscrolls.com", true },
   { "thethreepercent.marketing", true },
   { "thetiedyelab.com", true },
   { "thetinylife.com", true },
   { "thetomharling.com", true },
+  { "thetorlock.com", true },
+  { "thetorrentfunk.com", true },
   { "thetotalemaildelivery.com", true },
+  { "thetravelczar.com", true },
   { "thetree.ro", true },
   { "thetrendspotter.net", true },
   { "thetuxkeeper.de", false },
@@ -37584,6 +37950,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thevgg.com", false },
   { "thevisasofoz.com", true },
   { "thevoya.ga", true },
+  { "thevyra.com", true },
   { "thewagesroom.co.uk", true },
   { "thewarrencenter.org", true },
   { "thewaxhouse.academy", true },
@@ -37598,6 +37965,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thewoodkid.com.au", true },
   { "thewoolroom.com.au", true },
   { "theworld.tk", true },
+  { "theworldbattle.com", true },
   { "theworldexchange.com", true },
   { "theworldexchange.net", true },
   { "theworldexchange.org", true },
@@ -37609,14 +37977,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "theyear199x.org", true },
   { "theyearinpictures.co.uk", true },
   { "theyosh.nl", true },
+  { "theyourbittorrent.com", true },
   { "thezero.org", true },
   { "thezillersathenshotel.com", true },
   { "thiagohersan.com", true },
-  { "thibaultwalle.com", true },
   { "thiepcuoidep.com", true },
   { "thiepxinh.net", true },
   { "thierry-daellenbach.com", true },
   { "thierrybasset.ch", true },
+  { "thietbithoathiem.net", true },
   { "thijmenmathijs.nl", true },
   { "thijsalders.nl", false },
   { "thijsbekke.nl", true },
@@ -37639,6 +38008,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thinkquality.nl", true },
   { "thinkrealty.com", true },
   { "thinktux.net", true },
+  { "thirdbearsolutions.com", true },
   { "thirdgenphoto.co.uk", true },
   { "thiry-automobiles.net", true },
   { "this-server-will-be-the-death-of-me.com", true },
@@ -37656,6 +38026,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thisoldearth.com", true },
   { "thisserver.dontexist.net", true },
   { "thistleandleaves.com", true },
+  { "thitruongsi.com", true },
   { "thm.vn", true },
   { "thole.org", true },
   { "thom4s.info", true },
@@ -37667,6 +38038,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thomas-sammut.com", true },
   { "thomas-schmittner.de", true },
   { "thomas-suchon.fr", true },
+  { "thomas.computer", true },
   { "thomas.love", false },
   { "thomasbeckers.be", true },
   { "thomasbreads.com", false },
@@ -37686,6 +38058,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thomasverhelst.be", true },
   { "thomasvochten.com", true },
   { "thomaswoo.com", true },
+  { "thomien.de", true },
   { "thompsonfamily.cloud", true },
   { "thomsonscleaning.co.uk", true },
   { "thomspooren.nl", true },
@@ -37742,12 +38115,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thunraz.com", true },
   { "thusoy.com", true },
   { "thuthuatios.com", true },
+  { "thuviensoft.com", true },
   { "thuybich.com", false },
   { "thw-bernburg.de", true },
   { "thxandbye.de", true },
   { "thycotic.ru", true },
   { "thyngster.com", true },
-  { "thynx.io", true },
   { "thzone.net", true },
   { "ti-pla.net", true },
   { "ti-planet.org", true },
@@ -37759,6 +38132,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tibicinagarricola.com", true },
   { "tibipg.com", true },
   { "tibovanheule.space", true },
+  { "ticfleet.com", true },
+  { "tichieru.pw", true },
   { "ticketassist.nl", true },
   { "ticketdriver.com", true },
   { "ticketluck.com", true },
@@ -37783,6 +38158,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tier-1-entrepreneur.com", true },
   { "tierarztpraxis-bogenhausen.de", true },
   { "tierarztpraxis-weinert.de", true },
+  { "tierraprohibida.net", true },
   { "ties.com", true },
   { "tiew.pl", true },
   { "tifan.net", true },
@@ -37801,6 +38177,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tik.edu.ee", true },
   { "tik.help", true },
   { "tiki-god.co.uk", true },
+  { "tilde.institute", true },
   { "tildes.net", true },
   { "tildesnyder.com", true },
   { "tilesbay.com", true },
@@ -37834,15 +38211,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "time2choose.com", true },
   { "timeauction.hk", true },
   { "timebox.tk", true },
+  { "timebutler.de", true },
   { "timeglass.de", true },
   { "timeless-photostudio.com", true },
   { "timelessskincare.co.uk", true },
+  { "timelockstash.com", true },
   { "timetech.io", true },
   { "timetotrade.com", true },
   { "timewasters.nl", true },
   { "timewk.cn", true },
   { "timfiedler.net", true },
-  { "timhieuthuoc.com", true },
   { "timi-matik.hu", true },
   { "timing.com.br", true },
   { "timjk.de", true },
@@ -37860,6 +38238,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "timtj.ca", true },
   { "timvivian.ca", true },
   { "timweb.ca", true },
+  { "timx.uk", true },
   { "timysewyn.be", true },
   { "tina-zander.de", true },
   { "tina.media", true },
@@ -37909,6 +38288,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tis.ph", true },
   { "tischlerei-klettke.de", true },
   { "tissot-mayenfisch.com", true },
+  { "tisvapo.it", true },
   { "tit-cdn.de", true },
   { "tit-dev.de", true },
   { "tit-dns.de", true },
@@ -37924,7 +38304,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "titouan.co", false },
   { "tittelbach.at", true },
   { "titusetcompagnies.net", true },
-  { "tivido.nl", true },
   { "tiwag.at", true },
   { "tixeconsulting.com", true },
   { "tixify.com", true },
@@ -37939,8 +38318,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tkanemoto.com", true },
   { "tkat.ch", true },
   { "tkgpm.com", true },
+  { "tkirch.de", true },
   { "tkjg.fi", true },
   { "tkn.me", true },
+  { "tkn.tokyo", true },
   { "tkusano.jp", true },
   { "tkw01536.de", false },
   { "tl.gg", true },
@@ -37952,7 +38333,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tlo.xyz", true },
   { "tloxygen.com", true },
   { "tls-proxy.de", true },
-  { "tls.builders", true },
   { "tls.care", true },
   { "tls1914.org", true },
   { "tlsrobot.se", true },
@@ -37960,6 +38340,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tlumaczenie.com", true },
   { "tlyphed.net", true },
   { "tlys.de", true },
+  { "tm80plus.com", true },
   { "tmakiguchi.org", true },
   { "tmas.dk", true },
   { "tmberg.cf", true },
@@ -37989,7 +38370,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tnl.cloud", true },
   { "tntmobi.com", true },
   { "tny.link", true },
-  { "toabsentfamily.com", true },
   { "toad.ga", true },
   { "toast.al", false },
   { "tob-rulez.de", true },
@@ -37997,8 +38377,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tobedo.net", true },
   { "tober-cpag.de", true },
   { "tobi-mayer.de", true },
-  { "tobi-server.goip.de", true },
-  { "tobi-videos.goip.de", true },
   { "tobias-bauer.de", true },
   { "tobias-haenel.de", true },
   { "tobias-kleinmann.de", true },
@@ -38017,6 +38395,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tobiassachs.de", true },
   { "tobiassattler.com", true },
   { "tobiaswiese.com", true },
+  { "tobiaswiese.eu", true },
+  { "tobiaswiese.org", true },
+  { "tobiaswiese.work", true },
   { "tobiemilford.com", true },
   { "tobis-rundfluege.de", true },
   { "tobischo.de", true },
@@ -38024,6 +38405,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tobyalden.com", true },
   { "tobyx.com", true },
   { "tobyx.de", true },
+  { "tobyx.eu", true },
   { "tobyx.net", true },
   { "tobyx.org", true },
   { "tocaro.im", true },
@@ -38046,6 +38428,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "toeightycountries.com", true },
   { "toekomstperspectief.be", true },
   { "toerclub-ing-arnhem.nl", true },
+  { "toerschaatsenknsb.nl", true },
   { "toetsplatform.be", true },
   { "tofe.io", true },
   { "tofliving.nl", true },
@@ -38055,14 +38438,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "toheb.de", false },
   { "tohochofu-sportspark.com", true },
   { "tohokinemakan.tk", true },
-  { "tohokufd.com", true },
+  { "toihoctiengtrung.com", true },
   { "tokaido-kun.jp", true },
   { "tokaido.com", true },
   { "tokainafb.net", true },
   { "tokainakurasi.net", true },
-  { "tokbijouxs.com.br", true },
   { "tokenmarket.net", true },
   { "tokens.net", true },
+  { "tokfun.com", true },
   { "tokic.hr", true },
   { "tokinoha.net", true },
   { "tokio.fi", true },
@@ -38102,7 +38485,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tomatenaufdenaugen.de", true },
   { "tomatis-nantes.com", true },
   { "tomaw.net", true },
-  { "tomaz.eu", true },
   { "tombaker.me", true },
   { "tombroker.org", true },
   { "tombrossman.com", true },
@@ -38167,7 +38549,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tonermonster.de", true },
   { "tonex.de", true },
   { "tonex.nl", true },
-  { "toni-dis.ch", true },
   { "tonifarres.net", true },
   { "tonigallagherinteriors.com", true },
   { "tonkayagran.com", true },
@@ -38232,6 +38613,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "topeyelashenhancerserumreviews.com", true },
   { "topfivepercent.co.uk", true },
   { "topgshop.ru", true },
+  { "tophat.studio", true },
   { "topicdesk.com", true },
   { "topicit.net", true },
   { "topirishcasinos.com", true },
@@ -38239,6 +38621,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "topkek.ml", true },
   { "toplist.cz", true },
   { "toplist.eu", true },
+  { "toplist.sk", true },
   { "topnotepad.com", true },
   { "topodin.com", true },
   { "toponlinecasinosites.co.uk", true },
@@ -38263,6 +38646,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "torfbahn.de", true },
   { "torg-room.ru", true },
   { "torkware.com", true },
+  { "torlock.com", true },
+  { "torlock.host", true },
+  { "torlock.icu", true },
+  { "torlock.pw", true },
+  { "torlock2.com", true },
   { "tormakristof.eu", true },
   { "tormentedradio.com", false },
   { "torn1.se", true },
@@ -38271,11 +38659,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "torontoaccesscontrol.com", true },
   { "torontocorporatelimo.services", true },
   { "torontostarts.com", true },
+  { "toros.co", true },
+  { "toros2.com", true },
   { "torproject.org", false },
   { "torprojects.com", true },
   { "torquato.de", false },
   { "torrent.fedoraproject.org", true },
   { "torrent.is", true },
+  { "torrent.tm", true },
+  { "torrentfunk.host", true },
+  { "torrentfunk.icu", true },
+  { "torrentfunk.pw", true },
+  { "torrentfunk2.com", true },
   { "torrentpier.me", true },
   { "torrentz2.al", true },
   { "torresygutierrez.com", true },
@@ -38287,18 +38682,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "torte.roma.it", true },
   { "tortoises-turtles.com", true },
   { "tortugan.com.br", true },
-  { "tosainu.com.br", true },
   { "tosamja.net", true },
   { "toscer.me", false },
   { "toschool.com.br", true },
   { "toshen.com", true },
   { "toshkov.com", true },
+  { "toskana-appartement.de", false },
   { "tosolini.info", true },
   { "tosostav.cz", true },
   { "tosteberg.se", true },
   { "tostu.de", true },
   { "tot-radio.com", true },
-  { "totaku.ru", true },
+  { "totaku.ru", false },
+  { "totalaccess.com.ua", true },
   { "totalbike.com.br", true },
   { "totalcarcheck.co.uk", true },
   { "totalchecklist.com", true },
@@ -38320,6 +38716,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "touchoflife.in", true },
   { "touchscreentills.com", true },
   { "touchstone.io", true },
+  { "touchsupport.com", true },
   { "touchtable.nl", true },
   { "touchweb.fr", true },
   { "touchwoodtrees.com.au", true },
@@ -38331,7 +38728,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tourgest.net", true },
   { "tourify.me", true },
   { "tourismwithme.com", true },
-  { "tourispo.com", true },
   { "tournamentmgr.com", true },
   { "tournevis.ch", true },
   { "toursthatmatter.com", true },
@@ -38342,6 +38738,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "toushi-return.xyz", true },
   { "toushi-shakkin.com", true },
   { "touslesdrivers.com", true },
+  { "tout-art.ch", true },
+  { "toutart.ch", true },
   { "toutelathailande.fr", true },
   { "toutenmusic.fr", true },
   { "toutmonexam.fr", true },
@@ -38356,7 +38754,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "toutvendre.us", true },
   { "tovare.com", true },
   { "toverland-tickets.nl", true },
-  { "tovp.org", true },
   { "towandalibrary.org", true },
   { "tower.land", true },
   { "townandcountryus.com", true },
@@ -38369,7 +38766,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "toycu.de", true },
   { "toymagazine.com.br", true },
   { "toyota-kinenkan.com", true },
-  { "toysale.by", true },
+  { "toysale.by", false },
   { "toysperiod.com", true },
   { "tp-iryuubun.com", true },
   { "tp-kabushiki.com", true },
@@ -38397,13 +38794,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "traceroute.guru", true },
   { "traceroute.link", true },
   { "traceroute.network", true },
+  { "traces.ml", true },
   { "tracetracker.no", true },
   { "tracfinancialservices.com", true },
   { "tracinsurance.com", true },
+  { "track.plus", true },
   { "trackchair.com", true },
   { "trackdomains.com", true },
   { "trackersimulator.org", true },
   { "trackeye.dk", true },
+  { "tracking.best", true },
   { "trackingstream.com", true },
   { "trackrecordpro.co.uk", true },
   { "tracksa.com.ar", true },
@@ -38432,6 +38832,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "trafarm.ro", true },
   { "trafas.nl", true },
   { "traffic.az", true },
+  { "trafficmanager.com", true },
   { "trafficmanager.ltd", true },
   { "trafficmanager.xxx", true },
   { "trafficmgr.cn", true },
@@ -38482,6 +38883,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "trajano.net", true },
   { "trajectfoto.nl", true },
   { "trajectvideo.nl", true },
+  { "trakkr.tk", true },
+  { "tramclub-basel.ch", true },
   { "tran.pw", true },
   { "trance-heal.com", true },
   { "trance-heal.de", true },
@@ -38490,6 +38893,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tranceheal.de", true },
   { "tranceheal.me", true },
   { "trangcongnghe.com", true },
+  { "trangell.com", true },
   { "tranglenull.xyz", true },
   { "tranhsondau.net", false },
   { "tranquillity.se", true },
@@ -38531,6 +38935,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "transoil.co.uk", true },
   { "transpak-cn.com", true },
   { "transparentcorp.com", true },
+  { "transport.eu", true },
   { "transporta.it", true },
   { "transporterlock.com", true },
   { "transumption.com", true },
@@ -38550,8 +38955,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "travador.com", true },
   { "travaux-toiture-idf.fr", true },
   { "travel-dealz.de", true },
-  { "travel-to-nature.ch", true },
-  { "travel.co.za", true },
   { "travel365.it", true },
   { "travelarmenia.org", true },
   { "traveleets.com", true },
@@ -38575,8 +38978,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "trea98.org", true },
   { "treaslockbox.gov", true },
   { "trebarov.cz", true },
+  { "trebek.club", true },
   { "tree0.xyz", true },
-  { "treebaglia.xyz", true },
   { "treehouseresort.nl", true },
   { "trees.chat", true },
   { "treeschat.com", true },
@@ -38624,13 +39027,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tribly.de", true },
   { "tribut.de", true },
   { "tributh.cf", true },
+  { "tributh.ga", true },
+  { "tributh.gq", true },
+  { "tributh.ml", true },
   { "tributh.net", true },
+  { "tributh.tk", true },
   { "tricefy4.com", true },
   { "triciaree.com", true },
   { "trident-online.de", true },
   { "trietment.com", true },
   { "trigardon-rg.de", true },
   { "trik.es", false },
+  { "trilex.be", true },
   { "trilithsolutions.com", true },
   { "trillian.im", true },
   { "trilliumvacationrentals.ca", true },
@@ -38642,20 +39050,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "trineco.com", true },
   { "trineco.fi", true },
   { "tringavillasyala.com", true },
-  { "trink-und-partyspiele.de", true },
   { "trinnes.net", true },
   { "trio.online", true },
   { "triop.se", true },
   { "trior.net", true },
   { "triplekeys.net", true },
   { "tripolistars.com", true },
-  { "tripout.tech", true },
   { "tripp.xyz", true },
   { "tripseats.com", true },
   { "tripsinc.com", true },
   { "trisect.eu", true },
   { "trish-mcevoy.ru", true },
-  { "triticeaetoolbox.org", true },
   { "trix360.com", true },
   { "trixexpressweb.nl", true },
   { "triz.co.uk", true },
@@ -38670,6 +39075,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "trollope-apollo.com", true },
   { "trommelwirbel.com", true },
   { "tronatic-studio.com", true },
+  { "tronmeo.com", true },
   { "troomcafe.com", true },
   { "troopaid.info", true },
   { "trophee-discount.com", true },
@@ -38695,6 +39101,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "true-itk.de", true },
   { "trueachievements.com", true },
   { "trueassignmenthelp.co.uk", true },
+  { "trueblueessentials.com", true },
   { "trueduality.net", true },
   { "truehempculture.com.au", true },
   { "trueinstincts.ca", true },
@@ -38730,6 +39137,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "truyenfull.vn", true },
   { "trw-reseller.com", true },
   { "try2admin.pw", true },
+  { "try2services.cm", true },
   { "trybabyschoice.com", true },
   { "trybooking.com", true },
   { "tryfabulousskincream.com", true },
@@ -38782,6 +39190,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ttclub.fr", true },
   { "ttdsevaonline.com", true },
   { "ttll.de", true },
+  { "ttrade.ga", true },
   { "ttsoft.pl", true },
   { "ttsweb.org", true },
   { "ttt.tt", true },
@@ -38799,6 +39208,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tubepro.de", true },
   { "tubs4fun.co.uk", true },
   { "tubul.net", true },
+  { "tucepihotelalga.com", true },
   { "tucny.com", true },
   { "tucsonfcu.com", true },
   { "tucsonpcrepair.com", true },
@@ -38816,11 +39226,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tuitle.com", true },
   { "tuja.hu", true },
   { "tulumplayarealestate.com", true },
-  { "tumagiri.net", true },
   { "tumblenfun.com", true },
   { "tumedico.es", true },
   { "tumelum.de", true },
-  { "tumutanzi.com", true },
   { "tunai.id", true },
   { "tunaut.com", true },
   { "tune-web.de", true },
@@ -38843,6 +39251,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "turigum.com", true },
   { "turismodubrovnik.com", true },
   { "turkish.dating", true },
+  { "turkiyen.com", true },
+  { "turkrock.com", true },
   { "turl.pl", true },
   { "turnaroundforum.de", true },
   { "turncircles.com", true },
@@ -38872,7 +39282,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tuversionplus.com", true },
   { "tuwaner.com", true },
   { "tuxcloud.net", true },
-  { "tuxflow.de", false },
   { "tuxgeo.com", false },
   { "tuxie.com", true },
   { "tuxlife.net", true },
@@ -38894,6 +39303,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tverskaya-outlet.ru", true },
   { "tvhshop.be", true },
   { "tvipper.com", true },
+  { "tvlanguedoc.com", true },
   { "tvleaks.se", true },
   { "tvlplus.net", true },
   { "tvseries.info", true },
@@ -38939,8 +39349,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tworaz.net", true },
   { "twtimmy.com", true },
   { "twtremind.com", true },
-  { "twun.io", true },
-  { "twuni.org", true },
   { "txcap.org", true },
   { "txdivorce.org", true },
   { "txi.su", true },
@@ -38951,18 +39359,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tyche.io", true },
   { "tycho.org", true },
   { "tycom.cz", true },
+  { "tyil.nl", true },
   { "tyil.work", true },
   { "tykeplay.com", true },
   { "tyler.rs", true },
   { "tylerdavies.net", true },
   { "tylerfreedman.com", true },
-  { "tylerharcourt.net", true },
+  { "tylerharcourt.ca", true },
+  { "tylerharcourt.com", true },
+  { "tylerharcourt.org", true },
   { "tyleromeara.com", true },
   { "tylerschmidtke.com", true },
   { "typcn.com", true },
   { "typeblog.net", true },
   { "typecodes.com", true },
   { "typeof.pw", true },
+  { "typeonejoe.com", true },
   { "typeria.net", true },
   { "typewolf.com", true },
   { "typewritten.net", true },
@@ -38980,6 +39392,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tyuo-keibi.co.jp", true },
   { "tzermias.gr", true },
   { "tzifas.com", true },
+  { "u-he.com", true },
   { "u-martfoods.com", true },
   { "u-tokyo.club", true },
   { "u.nu", true },
@@ -38999,9 +39412,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "u4mh-dev-portal.azurewebsites.net", true },
   { "u5.re", true },
   { "u5b.de", false },
+  { "u5eu.com", true },
   { "u5r.nl", true },
   { "ua.search.yahoo.com", false },
-  { "uaci.edu.mx", true },
   { "uae-company-service.com", true },
   { "uangteman.com", true },
   { "uasmi.com", true },
@@ -39013,7 +39426,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "uberbkk.com", true },
   { "uberboxen.net", true },
   { "uberestimator.com", true },
-  { "ubertt.org", true },
+  { "ubermail.me", true },
   { "uberwald.de", true },
   { "uberwald.ws", true },
   { "ubezpieczeniepsa.com", true },
@@ -39042,71 +39455,44 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "udomain.net", true },
   { "udp.sh", false },
   { "udruga-point.hr", true },
+  { "udsocial.com", true },
   { "udvoukocek.eu", true },
   { "ueba1085.jp", true },
   { "ueberdosis.io", true },
   { "ueberwachungspaket.at", true },
   { "uedaviolin.com", true },
   { "uefeng.com", true },
-  { "uel-thompson-okanagan.ca", true },
   { "ueni.com", true },
   { "uevan.com", true },
   { "uex.im", true },
   { "ufanisi.mx", true },
   { "ufindme.at", true },
+  { "ufocentre.com", true },
   { "ufplanets.com", true },
   { "ugb-verlag.de", true },
   { "uggedal.com", true },
   { "ugx-mods.com", true },
   { "uhappy1.com", true },
-  { "uhappy11.com", true },
   { "uhappy2.com", true },
-  { "uhappy21.com", true },
   { "uhappy22.com", true },
-  { "uhappy23.com", true },
-  { "uhappy24.com", true },
-  { "uhappy25.com", true },
-  { "uhappy26.com", true },
-  { "uhappy27.com", true },
-  { "uhappy28.com", true },
-  { "uhappy29.com", true },
-  { "uhappy3.com", true },
   { "uhappy30.com", true },
-  { "uhappy31.com", true },
-  { "uhappy33.com", true },
   { "uhappy50.com", true },
-  { "uhappy55.com", true },
-  { "uhappy56.com", true },
   { "uhappy57.com", true },
-  { "uhappy58.com", true },
-  { "uhappy59.com", true },
   { "uhappy6.com", true },
-  { "uhappy60.com", true },
-  { "uhappy61.com", true },
-  { "uhappy62.com", true },
-  { "uhappy66.com", true },
-  { "uhappy67.com", true },
-  { "uhappy71.com", true },
-  { "uhappy73.com", true },
-  { "uhappy74.com", true },
-  { "uhappy75.com", true },
-  { "uhappy76.com", true },
-  { "uhappy77.com", true },
-  { "uhappy78.com", true },
+  { "uhappy69.com", true },
+  { "uhappy70.com", true },
+  { "uhappy72.com", true },
   { "uhappy79.com", true },
-  { "uhappy8.com", true },
+  { "uhappy80.com", true },
+  { "uhappy81.com", true },
   { "uhappy82.com", true },
   { "uhappy83.com", true },
   { "uhappy85.com", true },
-  { "uhappy86.com", true },
   { "uhappy88.com", true },
-  { "uhappy9.com", true },
   { "uhappy90.com", true },
-  { "uhappy99.com", true },
   { "uhc.gg", true },
   { "uhlhosting.ch", true },
   { "uhrenlux.de", true },
-  { "uhssl.com", true },
   { "uhurl.net", true },
   { "ui8.net", true },
   { "uiberlay.cz", true },
@@ -39153,7 +39539,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ultimateanu.com", true },
   { "ultimatemafia.net", true },
   { "ultraseopro.com", true },
-  { "ultrasite.tk", true },
   { "ultratech.software", true },
   { "ultratechlp.com", true },
   { "ultrautoparts.com.au", true },
@@ -39164,11 +39549,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "umenlisam.com", true },
   { "umisonoda.com", true },
   { "umsapi.com", true },
-  { "umwandeln-online.de", true },
   { "un-framed.co.za", true },
   { "un-zero-un.fr", true },
   { "un.fo", true },
-  { "unapolegetic.co", true },
   { "unapp.me", true },
   { "unatco.noip.me", true },
   { "unausa.com.br", true },
@@ -39199,7 +39582,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "uncensoreddns.dk", true },
   { "uncensoreddns.org", true },
   { "undeadbrains.de", true },
-  { "undecidable.de", true },
   { "undeductive.media", true },
   { "undef.in", false },
   { "underbridgeleisure.co.uk", true },
@@ -39220,7 +39602,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "unfettered.net", false },
   { "unga.dk", true },
   { "ungaeuropeer.se", true },
-  { "ungeek.eu", true },
   { "ungeek.fr", true },
   { "ungegamere.dk", true },
   { "unghie.com", true },
@@ -39236,6 +39617,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "unicefkartkidlafirm.pl", true },
   { "unicefkepeslapok.hu", true },
   { "unicefvoscilnice.si", true },
+  { "unicioushop.com", true },
   { "unicolabo.jp", true },
   { "unicorn-systems.net", true },
   { "unicorn.melbourne", true },
@@ -39252,6 +39634,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "uniform-agri.com", true },
   { "unijob.com.br", true },
   { "unikoingold.com", true },
+  { "unikrn.space", true },
   { "unila.edu.br", true },
   { "unimbalr.com", true },
   { "unioils.la", true },
@@ -39280,7 +39663,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "unityconsciousnessbooks.com", true },
   { "univercite.ch", true },
   { "univeril.com", false },
-  { "univerpack.net", true },
   { "universal-happiness.com", true },
   { "universal.at", true },
   { "universalcarremote.com", true },
@@ -39290,10 +39672,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "univitale.fr", true },
   { "unix.se", true },
   { "unixadm.org", true },
-  { "unixapp.ml", true },
   { "unixattic.com", true },
   { "unixforum.org", true },
-  { "unixfox.eu", true },
   { "unixtime.date", true },
   { "unkrn.com", true },
   { "unlax.com", true },
@@ -39342,8 +39722,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "upbad.com", true },
   { "upbeatrobot.com", true },
   { "upbeatrobot.eu", true },
+  { "upcambio.com", true },
   { "upd.jp", true },
-  { "updatehub.io", true },
+  { "upengo.com", true },
   { "upgamerengine.com", true },
   { "upgamerengine.com.br", true },
   { "upgamerengine.net", true },
@@ -39363,6 +39744,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "upplevelse.com", true },
   { "upr.com.ua", true },
   { "uprint.it", true },
+  { "uprospr.com", true },
   { "uprouteyou.com", true },
   { "upsettunnel.com", true },
   { "upsiteseo.com", true },
@@ -39391,7 +39773,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "urbancreators.dk", true },
   { "urbandance.club", true },
   { "urbanesecurity.com", true },
-  { "urbanfi.sh", true },
   { "urbanguerillas.de", true },
   { "urbanhotbed.eu", true },
   { "urbanietz-immobilien.de", true },
@@ -39409,19 +39790,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "urcentral.nl", true },
   { "ureka.org", true },
   { "urep.us", true },
-  { "urgences-valais.ch", true },
   { "urinedrugtesthq.com", true },
+  { "uriport.com", true },
+  { "uriports.com", true },
   { "uripura.de", true },
   { "urist1011.ru", true },
   { "url.fi", true },
   { "url.fm", true },
   { "url.rw", false },
   { "url0.eu", true },
+  { "urlakite.com", true },
   { "urlaub-busreisen.de", true },
   { "urlaub-leitner.at", true },
+  { "urlgot.com", true },
   { "urlscan.io", true },
   { "urltell.com", true },
   { "urltodomain.com", true },
+  { "urnes.org", true },
   { "urown.net", true },
   { "ursa-minor-beta.org", true },
   { "ursae.co", true },
@@ -39451,12 +39836,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "usbevents.co.uk", true },
   { "usbr.gov", true },
   { "uscloud.nl", true },
+  { "uscurrency.gov", true },
   { "usd.de", true },
   { "usdoj.gov", true },
   { "usds.gov", true },
   { "use.be", true },
   { "usebean.com", true },
-  { "usedu.us", true },
+  { "usemusic.com.br", true },
   { "user-re.com", true },
   { "userra.gov", true },
   { "usetypo3.com", true },
@@ -39486,13 +39872,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "usweme.info", true },
   { "uswitch.com", true },
   { "ut-addicted.com", true },
-  { "utahfireinfo.gov", true },
+  { "utahblackplate.com", true },
+  { "utahblackplates.com", true },
+  { "utahcanyons.org", true },
   { "utahlocal.net", true },
   { "utahtravelcenter.com", true },
   { "utazas-nyaralas.info", true },
   { "utazine.com", true },
   { "utcast-mate.com", true },
-  { "utdsgda.com", true },
   { "utepils.de", true },
   { "utgifter.no", true },
   { "utilia.tools", true },
@@ -39513,7 +39900,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "utw.me", true },
   { "utwente.io", true },
   { "utzon.net", true },
-  { "uuid.cf", true },
   { "uuit.nl", true },
   { "uv.uy", true },
   { "uvenuse.cz", true },
@@ -39521,6 +39907,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "uw1008.com", true },
   { "uw2333.com", true },
   { "uwac.co.uk", false },
+  { "uwat.cf", true },
   { "uwelilienthal.de", true },
   { "uwsoftware.be", true },
   { "uwvloereruit.nl", true },
@@ -39529,6 +39916,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "uxtechnologist.com", true },
   { "uy.search.yahoo.com", false },
   { "uz.search.yahoo.com", false },
+  { "uzayliyiz.biz", true },
   { "uzaymedya.com.tr", true },
   { "uziregister.nl", true },
   { "uzpirksana.lv", true },
@@ -39548,6 +39936,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "v4s.ro", true },
   { "va-reitartikel.com", true },
   { "va.gov", true },
+  { "va1der.ca", true },
   { "vacationsbyvip.com", true },
   { "vaccines.gov", true },
   { "vacuumpump.co.id", true },
@@ -39578,6 +39967,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "valenciadevops.me", true },
   { "valentin-dederer.de", true },
   { "valentin-sundermann.de", true },
+  { "valentin.ml", true },
   { "valentinberclaz.com", true },
   { "valentineapparel.com", true },
   { "valentineforpresident.com", true },
@@ -39594,7 +39984,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "valika.ee", true },
   { "valis.sx", true },
   { "valkohattu.fi", true },
-  { "valkor.pro", true },
   { "valkova.net", true },
   { "vallei-veluwe.nl", true },
   { "valleyautofair.com", true },
@@ -39613,11 +40002,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "valskis.lt", true },
   { "valtlai.fi", true },
   { "valtoaho.com", true },
+  { "valtool.uk", true },
   { "valudo.st", true },
   { "valuechain.me", true },
+  { "valuemyhome.co.uk", true },
+  { "valuemyhome.uk", true },
   { "valueng.com", true },
   { "valueofblog.com", true },
   { "valueseed.net", true },
+  { "valuuttamuunnin.com", true },
+  { "vampire142.fr", true },
   { "vampyrium.net", false },
   { "van11y.net", true },
   { "vanagamsanthai.com", true },
@@ -39648,7 +40042,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vanmalland.com", true },
   { "vannaos.com", true },
   { "vannaos.net", true },
-  { "vanohaker.ru", true },
   { "vanouwerkerk.net", true },
   { "vantagepointpreneed.com", true },
   { "vante.me", true },
@@ -39657,15 +40050,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vanvoro.us", false },
   { "vanwunnik.com", true },
   { "vapecrunch.com", true },
-  { "vapehour.com", true },
   { "vapensiero.co.uk", true },
   { "vaperolles.ch", true },
   { "vapesense.co.uk", true },
   { "vapesupplies.com.au", true },
+  { "vapex.pl", true },
   { "vaphone.co", true },
   { "vapingdaily.com", true },
   { "vapor.cloud", false },
   { "vapordepot.jp", true },
+  { "varaeventos.com", true },
   { "varalwamp.com", true },
   { "varcare.jp", true },
   { "varden.info", true },
@@ -39729,6 +40123,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vc.gg", true },
   { "vcam.org", true },
   { "vccmurah.net", true },
+  { "vcelin-na-doliku.cz", true },
   { "vcf.gov", true },
   { "vcientertainment.com", false },
   { "vcmi.download", true },
@@ -39737,6 +40132,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vcsjones.codes", true },
   { "vcsjones.com", true },
   { "vcti.cloud", true },
+  { "vctor.net", true },
   { "vd42.net", true },
   { "vda.li", true },
   { "vdanker.net", true },
@@ -39768,9 +40164,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vegekoszyk.pl", true },
   { "vegepa.com", true },
   { "vegetariantokyo.net", true },
+  { "veggie-einhorn.de", true },
   { "veggie-treff.de", true },
   { "vegguide.org", true },
-  { "vehicletransportservices.co", true },
   { "veii.de", true },
   { "veil-framework.com", true },
   { "veincenterbrintonlake.com", true },
@@ -39787,6 +40183,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vendreacheter.net", true },
   { "vendserve.eu", true },
   { "veneerssandiego.com", true },
+  { "venenum.org", true },
   { "venev.name", true },
   { "venje.pro", true },
   { "ventajasdesventajas.com", true },
@@ -39802,7 +40199,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "venturum.net", true },
   { "ventzke.com", true },
   { "venuedriver.com", true },
-  { "venusbymariatash.com", true },
   { "ver.ma", true },
   { "vera.bg", true },
   { "veramagazine.jp", true },
@@ -39820,7 +40216,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "verfassungsklage.at", true },
   { "verge.capital", true },
   { "vergelijksimonly.nl", true },
-  { "vergessen.cn", true },
   { "verhovs.ky", false },
   { "veri2.com", true },
   { "verifalia.com", true },
@@ -39859,6 +40254,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "versalhost.com", true },
   { "versalhost.nl", true },
   { "versbesteld.nl", true },
+  { "verschurendegroot.nl", true },
   { "verses.space", true },
   { "versicherungen-werner-hahn.de", true },
   { "versicherungskontor.net", true },
@@ -39867,6 +40263,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "verstraetenusedcars.be", true },
   { "vertebrates.com", true },
   { "verteilergetriebe.info", true },
+  { "verticrew.com", true },
   { "vertigo.name", false },
   { "vertner.net", true },
   { "vertrieb-strategie.de", true },
@@ -39875,11 +40272,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "verwayen.com", true },
   { "very-kids.fr", true },
   { "veryapt.com", true },
-  { "veryimportantusers.com", true },
   { "verymelon.de", true },
   { "verymetal.nl", true },
   { "verzekeringencambier.be", true },
   { "verzekeringsacties.nl", true },
+  { "verzick.com", true },
   { "vescudero.net", true },
   { "veslosada.com", true },
   { "vespacascadia.com", true },
@@ -39933,26 +40330,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vicicode.com", true },
   { "vicjuwelen-annelore.be", true },
   { "victora.com", true },
+  { "victorblomberg.se", true },
   { "victorcanera.com", true },
   { "victordiaz.me", true },
-  { "victoreriksson.ch", true },
-  { "victoreriksson.co", true },
-  { "victoreriksson.com", true },
-  { "victoreriksson.eu", true },
-  { "victoreriksson.info", true },
-  { "victoreriksson.me", true },
-  { "victoreriksson.net", true },
-  { "victoreriksson.nu", true },
-  { "victoreriksson.org", true },
-  { "victoreriksson.se", true },
-  { "victoreriksson.us", true },
   { "victorgbustamante.com", true },
   { "victorhawk.com", true },
   { "victoriaartist.ru", true },
   { "victoriastudio.ru", true },
   { "victorjacobs.com", true },
   { "victornet.de", true },
-  { "victornilsson.pw", true },
   { "victoroilpress.com", true },
   { "victorricemill.com", true },
   { "victory.radio", true },
@@ -39966,6 +40352,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vidarity.com", true },
   { "vidbooster.com", true },
   { "vide-greniers.org", false },
+  { "videobrochuresmarketing.com", true },
   { "videogamesartwork.com", true },
   { "videojuegos.com", true },
   { "videokaufmann.at", true },
@@ -39994,6 +40381,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vietnamluxurytravelagency.com", true },
   { "vietnamphotoblog.com", true },
   { "vietnamwomenveterans.org", true },
+  { "vietplan.vn", true },
   { "vieux.pro", true },
   { "viewbook.com", true },
   { "viewey.com", true },
@@ -40022,7 +40410,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vikaviktoria.com", true },
   { "viking-style.ru", true },
   { "vikings.net", true },
-  { "vikodek.com", true },
   { "viktorbarzin.me", true },
   { "viktorprevaric.eu", true },
   { "vila-eden.cz", true },
@@ -40054,6 +40441,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vinahost.vn", true },
   { "vinarstvimodryhrozen.cz", true },
   { "vincentcox.com", false },
+  { "vincentiliano.tk", true },
   { "vincentoshana.com", true },
   { "vincentpancol.com", true },
   { "vincentswordpress.nl", true },
@@ -40062,11 +40450,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vincitraining.com", true },
   { "vinetech.co.nz", true },
   { "vingt.me", true },
-  { "vinigas.com", true },
   { "vinilosdecorativos.net", true },
   { "vinistas.com", true },
   { "vinner.com.au", true },
-  { "vinnie.gq", true },
   { "vinnyandchristina.com", true },
   { "vinnyvidivici.com", true },
   { "vinokurov.tk", true },
@@ -40085,10 +40471,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vinticom.ch", true },
   { "vinyculture.com", true },
   { "vinzite.com", true },
+  { "violauotila.fi", true },
   { "violin4fun.nl", true },
   { "vionicbeach.com", true },
+  { "vionicshoes.co.uk", true },
   { "vionicshoes.com", true },
-  { "vip4553.com", true },
   { "vip8522.com", true },
   { "vipi.es", true },
   { "viptamin.eu", true },
@@ -40101,7 +40488,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "viralsouls.in", true },
   { "viralsv.com", true },
   { "virgopolymer.com", true },
-  { "virial.de", true },
   { "viridis-milites.cz", true },
   { "virtit.fr", true },
   { "virtual.hk", true },
@@ -40129,7 +40515,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vishwashantiyoga.com", true },
   { "visibox.nl", true },
   { "visikom.de", true },
-  { "visioflux-premium.com", true },
   { "visionarymedia.nl", true },
   { "visiondirectionaldrilling.com", true },
   { "visionexpress.com", true },
@@ -40158,8 +40543,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "visualmasters.nl", true },
   { "visudira.com", true },
   { "vitahook.pw", true },
-  { "vitalamin.com", true },
-  { "vitalamin.de", true },
+  { "vitalia.cz", true },
   { "vitalismaatjes.nl", true },
   { "vitalityscience.com", true },
   { "vitalium-therme.de", true },
@@ -40179,10 +40563,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vitra-vcare.co.uk", true },
   { "vitrado.de", true },
   { "vitsoft.by", true },
+  { "viva2000.com", true },
   { "vivaldi-fr.com", true },
   { "vivaldi.club", true },
   { "vivaldi.com", true },
-  { "vivamusic.es", true },
   { "vivanosports.com.br", false },
   { "vivatv.com.tw", true },
   { "vivendi.de", true },
@@ -40235,7 +40619,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vm-co.ch", true },
   { "vm0.eu", true },
   { "vmc.co.id", true },
-  { "vmem.jp", false },
   { "vmgirls.com", true },
   { "vmhydro.ru", false },
   { "vmis.nl", true },
@@ -40247,6 +40630,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vncg.org", true },
   { "vnd.cloud", true },
   { "vnfs-team.com", true },
+  { "vnpay.vn", true },
   { "vnpem.org", true },
   { "vnvisa.center", true },
   { "vnvisa.ru", true },
@@ -40270,12 +40654,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "voidpay.com", true },
   { "voidptr.eu", true },
   { "voidx.top", true },
+  { "voidzehn.com", true },
   { "voipdigit.nl", true },
   { "voipsun.com", true },
   { "vojtechpavelka.cz", true },
   { "vokativy.cz", true },
   { "vokeapp.com", true },
-  { "vokurka.net", true },
   { "volcanconcretos.com", true },
   { "volcano-kazan.ru", true },
   { "volcano-spb.ru", true },
@@ -40322,6 +40706,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vosgym.jp", true },
   { "vosky.fr", true },
   { "vosn.de", true },
+  { "voss-klinik.com", true },
   { "vosselaer.com", true },
   { "vossenack.nrw", true },
   { "vosser.de", true },
@@ -40331,17 +40716,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "votocek.cz", true },
   { "votockova.cz", true },
   { "votoot.com", true },
-  { "votre-site-internet.ch", true },
   { "vouchinsurance.sg", true },
   { "vovladikavkaze.ru", true },
   { "vowsy.club", true },
-  { "vox.vg", true },
   { "voxfilmeonline.net", true },
   { "voxml.com", true },
   { "voxographe.com", false },
   { "voya.ga", true },
   { "voyage-martinique.fr", true },
   { "voyageforum.com", true },
+  { "voyageofyume.com", true },
   { "voyagesaufildespages.be", true },
   { "voyageschine.com", true },
   { "voyagesdetective.fr", true },
@@ -40351,13 +40735,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vpnpro.com", true },
   { "vpnservice.nl", true },
   { "vpntech.net", true },
+  { "vpsao.org", true },
   { "vpsboard.com", true },
   { "vpsdream.dk", true },
   { "vpsou.com", true },
   { "vpsport.ch", true },
+  { "vpsproj.dynu.net", true },
   { "vpsvz.net", true },
   { "vrandopulo.ru", true },
   { "vrcholovka.cz", true },
+  { "vrcprofile.com", true },
   { "vreaulafacultate.ro", true },
   { "vreeman.com", true },
   { "vretmaskin.se", true },
@@ -40367,6 +40754,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vrijgezellenfeestzwolle.com", true },
   { "vrjetpackgame.com", true },
   { "vroedvrouwella.be", true },
+  { "vroyaltours.com", true },
   { "vrsystem.com.br", true },
   { "vrtak-cz.net", true },
   { "vscale.io", true },
@@ -40385,6 +40773,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vsx.ch", true },
   { "vtaxi.se", true },
   { "vtipe-vylez.cz", true },
+  { "vtt-hautsdefrance.fr", true },
   { "vtuber.art", true },
   { "vuakhuyenmai.vn", true },
   { "vubey.yt", true },
@@ -40392,7 +40781,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vuljespaarpot.nl", true },
   { "vullriede-multimedia.de", true },
   { "vulndetect.com", true },
-  { "vulndetect.org", true },
   { "vulnerability.ch", true },
   { "vulners.com", true },
   { "vulns.sexy", true },
@@ -40413,13 +40801,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vvw-8522.com", true },
   { "vvzero.cf", true },
   { "vvzero.com", true },
+  { "vvzero.me", true },
   { "vwbusje.com", true },
   { "vwfsrentacar.co.uk", true },
   { "vwhcare.com", true },
   { "vwittich.de", true },
   { "vwo.com", true },
   { "vwsoft.de", true },
-  { "vww-8522.com", true },
   { "vx.hn", true },
   { "vxstream-sandbox.com", true },
   { "vybeministry.org", true },
@@ -40436,7 +40824,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "w-spotlight.appspot.com", true },
   { "w-w-auto.de", true },
   { "w.wiki", true },
-  { "w1221.com", true },
   { "w1n73r.de", true },
   { "w2n.me", true },
   { "w3ctag.org", true },
@@ -40451,6 +40838,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "w889-line.net", true },
   { "w889889.com", true },
   { "w889889.net", true },
+  { "w88info.com", true },
+  { "w88info.win", true },
+  { "w88xinxi.com", true },
   { "w8less.nl", true },
   { "w95.pw", true },
   { "wa-stromerzeuger.de", false },
@@ -40468,6 +40858,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "waffle.at", false },
   { "wafuton.com", true },
   { "wagyu-bader.de", true },
+  { "wahhoi.net", true },
   { "wahidhasan.com", true },
   { "wahlen-bad-wurzach.de", true },
   { "wahlman.org", true },
@@ -40479,6 +40870,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "waigel.org", true },
   { "waikatowebdesigners.com", true },
   { "wains.be", false },
+  { "wait.jp", true },
   { "waiterwheels.com", true },
   { "waits.io", true },
   { "wajtc.com", true },
@@ -40493,7 +40885,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "waldvogel.family", true },
   { "walent.in", true },
   { "walentin.co", true },
-  { "waligorska.pl", true },
   { "walk.onl", true },
   { "walkera-fans.de", true },
   { "walkhighlandsandislands.com", true },
@@ -40542,10 +40933,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wangbangyu.gq", true },
   { "wangbangyu.ml", true },
   { "wangbangyu.tk", true },
+  { "wangejiba.com", true },
   { "wangqiliang.cn", true },
   { "wangqiliang.com", true },
   { "wangql.net", true },
   { "wangqr.tk", true },
+  { "wangriwu.com", true },
   { "wangtanzhang.com", true },
   { "wangwill.me", true },
   { "wangyubao.cn", true },
@@ -40553,7 +40946,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wangzuan168.cc", true },
   { "wanlieyan.com", true },
   { "wannaridecostarica.com", true },
+  { "wanvi.net", false },
   { "wanybug.cf", true },
+  { "wanybug.com", true },
   { "wanybug.ga", true },
   { "wanybug.gq", true },
   { "wanybug.tk", true },
@@ -40609,7 +41004,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "waterbrook.com.au", true },
   { "waterdogsmokedfish.com", true },
   { "waterdrop.tk", true },
-  { "waterfedpole.com", true },
   { "waterleeftinbeek.nl", true },
   { "watermonitor.gov", true },
   { "wateroutlook.com", true },
@@ -40617,7 +41011,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "waterschaplimburg.nl", true },
   { "waterside-residents.org.uk", true },
   { "waterslide-austria.at", true },
-  { "watertrails.io", true },
   { "waterworkscondos.com", true },
   { "watfordjc.uk", true },
   { "watoo.tech", true },
@@ -40634,7 +41027,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "waxdramatic.com", true },
   { "waycraze.com", true },
   { "wayfair.de", true },
-  { "wayfairertravel.com", true },
+  { "waylandss.com", true },
   { "waynefranklin.com", true },
   { "wayohoo.com", true },
   { "wayohoo.net", true },
@@ -40670,6 +41063,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "we-run-linux.de", true },
   { "we-use-linux.de", true },
   { "weacceptbitcoin.gr", true },
+  { "wealthcentral.com.au", true },
   { "wealthprojector.com", true },
   { "wealthprojector.com.au", true },
   { "wealthreport.com.au", true },
@@ -40688,7 +41082,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "web-apps.tech", true },
   { "web-art.cz", true },
   { "web-design.co.il", true },
-  { "web-dl.cc", true },
   { "web-hotel.gr", true },
   { "web-jive.com", true },
   { "web-kouza.com", true },
@@ -40697,7 +41090,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "web-redacteuren.nl", true },
   { "web-siena.it", true },
   { "web-smart.com", true },
-  { "web-thinker.ru", true },
   { "web-wave.jp", true },
   { "web.bzh", true },
   { "web.cc", false },
@@ -40715,14 +41107,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "webais.ru", true },
   { "webalert.cz", true },
   { "webambacht.nl", true },
-  { "webandmore.de", false },
+  { "webandmore.de", true },
   { "webappky.cz", true },
   { "webartex.ru", true },
   { "webbiz.co.uk", true },
   { "webbson.net", false },
   { "webcamtoy.com", true },
   { "webcasinos.com", true },
-  { "webcatchers.nl", true },
+  { "webcatchers.nl", false },
   { "webcatechism.com", false },
   { "webclimbers.ch", true },
   { "webcollect.org.uk", true },
@@ -40755,12 +41147,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "webfilings-mirror-hrd.appspot.com", true },
   { "webfilings.appspot.com", true },
   { "webfixers.nl", true },
-  { "webfox.com.br", true },
   { "webgap.io", false },
   { "webgarten.ch", true },
   { "webgears.com", true },
   { "webharvest.gov", true },
   { "webhooks.stream", true },
+  { "webhost.guide", true },
   { "webhostingzzp.nl", false },
   { "webhostplan.info", true },
   { "webies.ro", true },
@@ -40795,6 +41187,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "webpostingreviews.com", true },
   { "webproject.rocks", true },
   { "webpubsub.com", true },
+  { "webpulser.com", true },
   { "webqualitat.com.br", true },
   { "webrebels.org", false },
   { "webrentcars.com", true },
@@ -40835,16 +41228,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "webtorrent.io", true },
   { "webtrh.cz", true },
   { "webtropia.com", false },
+  { "webukhost.com", true },
   { "webutils.io", true },
   { "webvisum.de", true },
   { "webwednesday.nl", true },
+  { "webwelearn.com", true },
   { "webwinkelexploitatie.nl", true },
   { "webwinkelwestland.nl", true },
   { "webwit.nl", true },
   { "webworkshop.ltd", true },
   { "webxr.today", true },
   { "webyazilimankara.com", true },
-  { "webz.one", true },
   { "wechatify.com", true },
   { "weck.alsace", true },
   { "wecleanbins.com", true },
@@ -40881,8 +41275,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wefinanceinc.com", true },
   { "wefitboilers.com", true },
   { "weforgood.org.tw", true },
-  { "wegethitched.co.uk", true },
-  { "weggeweest.nl", true },
   { "wegonnagetsued.org", true },
   { "wegotcookies.com", true },
   { "wegrzynek.org", true },
@@ -40931,6 +41323,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wellnessever.com", true },
   { "wellsolveit.com", false },
   { "welovecatsandkittens.com", true },
+  { "welovemaira.com", true },
   { "welshccf.org.uk", true },
   { "welteneroberer.de", true },
   { "weltengilde.de", true },
@@ -40957,6 +41350,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "weplaynaked.dk", true },
   { "wer-kommt-her.de", true },
   { "werally.com", true },
+  { "werbe-markt.de", true },
   { "werbe-sonnenbrillen.de", true },
   { "werbeagentur.de", true },
   { "werbedesign-tauber.de", true },
@@ -40999,6 +41393,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wesleywarnell.com", true },
   { "wesoco.de", true },
   { "wesreportportal.com", true },
+  { "wessner.co", true },
   { "wessner.org", true },
   { "west-contemporary.com", true },
   { "west-trans.com.au", true },
@@ -41040,6 +41435,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wette.de", true },
   { "wetten.eu", true },
   { "wevenues.com", true },
+  { "wevg.org", true },
   { "wew881.com", true },
   { "wew882.com", true },
   { "wewin88.com", true },
@@ -41063,7 +41459,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wf-trial-hrd.appspot.com", true },
   { "wfh.ovh", true },
   { "wfh.se", true },
-  { "wfl.ro", true },
+  { "wforum.nl", true },
   { "wft-portfolio.nl", true },
   { "wg-steubenstrasse.de", true },
   { "wg3k.us", false },
@@ -41151,7 +41547,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "whitelabelcashback.nl", true },
   { "whitelabeltickets.com", false },
   { "whitepharmacy.co.uk", true },
-  { "whiterose.goip.de", true },
   { "whiteshadowimperium.com", true },
   { "whitewebhosting.co.za", true },
   { "whitewebhosting.com", true },
@@ -41176,9 +41571,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "whoiswp.com", true },
   { "wholesalecbd.com", true },
   { "wholesomeharvestbread.com", false },
+  { "whollyskincare.com", true },
   { "whonix.org", true },
   { "whosyourdaddy.ml", true },
   { "whoturgled.com", true },
+  { "whqqq.com", true },
   { "whqtravel.org", false },
   { "whs-music.org", true },
   { "whta.se", true },
@@ -41193,7 +41590,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "whyworldhot.com", true },
   { "whyz1722.tk", true },
   { "wibbe.link", true },
+  { "wiberg.nu", true },
+  { "wicharypawel.com", true },
   { "wichitafoundationpros.com", true },
+  { "wick-machinery.com", true },
+  { "wickelfischfrance.fr", true },
   { "wickrath.net", true },
   { "wideboxmacau.com", false },
   { "widegab.com", true },
@@ -41216,6 +41617,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wieobensounten.de", true },
   { "wifi-hack.com", true },
   { "wifi-names.com", true },
+  { "wifimask.com", true },
   { "wifipineapple.com", true },
   { "wifirst.net", true },
   { "wifree.lv", true },
@@ -41262,7 +41664,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wilcodeboer.me", true },
   { "wild-turtles.com", true },
   { "wildboaratvparts.com", true },
+  { "wildcatdiesel.com.au", true },
   { "wilddogdesign.co.uk", true },
+  { "wildercerron.com", true },
   { "wildewood.ca", true },
   { "wildlifeadaptationstrategy.gov", true },
   { "wildnisfamilie.net", true },
@@ -41290,6 +41694,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "williamscomposer.com", true },
   { "williamsonshore.com", true },
   { "williamsportmortgages.com", true },
+  { "williamsroom.com", true },
   { "williamtm.com", true },
   { "willnorris.com", true },
   { "willow.technology", true },
@@ -41315,11 +41720,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "winbuzzer.com", true },
   { "wincasinowin.click", true },
   { "winch-center.de", true },
-  { "wind.moe", true },
   { "winddan.nz", true },
   { "windelnkaufen24.de", true },
   { "windforme.com", true },
   { "windowcleaningexperts.net", true },
+  { "windows-support.nu", true },
+  { "windows-support.se", true },
   { "windowslatest.com", true },
   { "windowsnerd.com", true },
   { "windowsnoticias.com", true },
@@ -41396,7 +41802,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wittu.fi", true },
   { "witway.nl", false },
   { "wivoc.nl", true },
-  { "wixguide.co", true },
   { "wiz.at", true },
   { "wiz.biz", true },
   { "wiz.farm", true },
@@ -41432,13 +41837,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wmaccess.de", true },
   { "wmfusercontent.org", true },
   { "wmkowa.de", true },
-  { "wmustore.com", true },
   { "wnu.com", true },
   { "wo-ist-elvira.net", true },
   { "wo2forum.nl", true },
   { "woah.how", true },
   { "wobble.ninja", true },
   { "wobblywotnotz.co.uk", true },
+  { "woblex.cz", true },
   { "wodinaz.com", true },
   { "wodka-division.de", true },
   { "woelkchen.me", true },
@@ -41475,7 +41880,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wollwerk.org", true },
   { "wolszon.me", true },
   { "woltlab-demo.com", true },
-  { "womb.city", true },
   { "wombatalla.com.au", true },
   { "wombatnet.com", true },
   { "wombats.net", true },
@@ -41485,7 +41889,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "womensalespros.com", true },
   { "womenshairlossproject.com", true },
   { "womensmedassoc.com", true },
-  { "wonabo.com", true },
   { "wonder.com.mx", false },
   { "wonderbill.com", true },
   { "wonderbits.net", true },
@@ -41496,6 +41899,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wonderlandmovies.de", true },
   { "wondermags.com", true },
   { "wonghome.net", true },
+  { "wooc.org", true },
   { "wood-crafted.co.uk", true },
   { "wood-crafted.uk", true },
   { "woodbury.io", true },
@@ -41541,9 +41945,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "workgrouptech.org", true },
   { "workingclassmedia.com", true },
   { "workinginsync.co.uk", true },
-  { "workingmachine.info", true },
   { "worklizard.com", true },
   { "workmart.mx", true },
+  { "worknrby.com", true },
   { "workoptions.com", true },
   { "workraw.com", true },
   { "workray.com", true },
@@ -41555,7 +41959,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "world-lolo.com", true },
   { "worldcareers.dk", true },
   { "worldcigars.com.br", true },
-  { "worldcrafts.org", true },
   { "worldcubeassociation.org", true },
   { "worldessays.com", true },
   { "worldeventscalendars.com", true },
@@ -41578,8 +41981,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wort-suchen.de", true },
   { "woshiluo.site", true },
   { "wot-tudasbazis.hu", true },
-  { "woti.dedyn.io", true },
   { "wotra-register.com", true },
+  { "wotsunduk.ru", true },
   { "woudenberg.nl", true },
   { "woudenbergsedrukkerij.nl", true },
   { "woufbox.com", true },
@@ -41587,7 +41990,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wouterslop.com", true },
   { "wouterslop.eu", true },
   { "wouterslop.nl", true },
-  { "wow-foederation.de", true },
   { "wow-screenshots.net", true },
   { "wowaffixes.info", true },
   { "wowbouncycastles.co.uk", true },
@@ -41613,7 +42015,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wpcharged.nz", true },
   { "wpdirecto.com", true },
   { "wpenhance.com", true },
-  { "wpexplainer.com", true },
   { "wpexplorer.com", true },
   { "wpformation.com", true },
   { "wpgoblin.com", true },
@@ -41627,6 +42028,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wpno.com", true },
   { "wpoptimalizace.cz", true },
   { "wpostats.com", false },
+  { "wprodevs.com", true },
   { "wpscans.com", true },
   { "wpsec.nl", true },
   { "wpserp.com", true },
@@ -41643,8 +42045,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wpvulndb.com", true },
   { "wq.ro", true },
   { "wr.su", true },
+  { "wrara.org", true },
   { "wrathofgeek.com", true },
   { "wrc-results.com", true },
+  { "wrd48.net", true },
   { "wrdcfiles.ca", true },
   { "wrdx.io", true },
   { "wrenwrites.com", true },
@@ -41674,11 +42078,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wrp-timber-mouldings.co.uk", true },
   { "wrp.gov", true },
   { "wryoutube.com", true },
+  { "ws-meca.com", true },
   { "wsa.poznan.pl", true },
   { "wsadek.ovh", true },
   { "wsb.pl", true },
   { "wscales.com", false },
   { "wscbiolo.id", true },
+  { "wscore.me", true },
   { "wsdcapital.com", true },
   { "wselektro.de", true },
   { "wsgvet.com", true },
@@ -41703,7 +42109,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wucke13.de", true },
   { "wuerfel.wf", true },
   { "wuerfelmail.de", true },
-  { "wufu.org", false },
   { "wug.jp", true },
   { "wug.news", true },
   { "wuifan.com", true },
@@ -41715,23 +42120,25 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wunderlist.com", true },
   { "wundernas.ch", true },
   { "wundi.net", true },
+  { "wunschpreisauto.de", true },
   { "wunschzettel.de", true },
   { "wuppertal-2018.de", false },
   { "wuppertaler-kurrende.com", false },
   { "wuppertaler-kurrende.de", false },
   { "wutianyi.com", true },
-  { "wuwuwu.me", false },
+  { "wuwuwu.me", true },
   { "wuxiaobai.win", true },
   { "wuxiaohen.com", true },
+  { "wuyang.ws", true },
   { "wuyue.photo", true },
   { "wv-n.de", true },
   { "wvg.myds.me", true },
-  { "wvw-8522.com", true },
   { "ww0512.com", true },
   { "ww2onlineshop.com", true },
   { "wweforums.net", true },
   { "wweichen.com.cn", true },
   { "wwgc2011.se", true },
+  { "wwjd.dynu.net", true },
   { "wwv-8722.com", true },
   { "www-33445.com", true },
   { "www-49889.com", true },
@@ -41742,7 +42149,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "www-86499.com", true },
   { "www-8722.com", true },
   { "www-9822.com", true },
-  { "www-pj009.com", true },
   { "www.aclu.org", false },
   { "www.airbnb.com", true },
   { "www.amazon.ca", true },
@@ -41785,7 +42191,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "www.heliosnet.com", true },
   { "www.honeybadger.io", false },
   { "www.hyatt.com", false },
-  { "www.intercom.io", true },
+  { "www.icann.org", false },
   { "www.irccloud.com", false },
   { "www.lastpass.com", false },
   { "www.linode.com", false },
@@ -41882,7 +42288,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xb983.com", true },
   { "xbb.hk", true },
   { "xbb.li", true },
-  { "xbertschy.com", true },
   { "xblau.com", true },
   { "xboxdownloadthat.com", true },
   { "xboxlivegoldshop.nl", true },
@@ -41903,6 +42308,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xdawn.cn", true },
   { "xdeftor.com", true },
   { "xdos.io", true },
+  { "xdtag.com", true },
+  { "xdty.org", true },
   { "xecure.zone", true },
   { "xecureit.com", true },
   { "xeedbeam.me", true },
@@ -41911,6 +42318,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xeiropraktiki.gr", true },
   { "xelesante.jp", true },
   { "xendo.net", true },
+  { "xenolith.eu", true },
   { "xenomedia.nl", true },
   { "xenon.cloud", true },
   { "xenoncloud.net", true },
@@ -41937,6 +42345,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xhily.com", true },
   { "xhmikosr.io", true },
   { "xho.me", true },
+  { "xhotlips.date", true },
   { "xia.de", true },
   { "xiamenshipbuilding.com", true },
   { "xiamuzi.com", true },
@@ -41945,9 +42354,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xiangweiqing.co.uk", true },
   { "xiangwenquan.me", true },
   { "xianjianruishiyouyiyuan.com", true },
-  { "xiaobude.cn", true },
   { "xiaocg.xyz", true },
-  { "xiaofengsky.com", true },
   { "xiaoguo.net", false },
   { "xiaolanglang.net", true },
   { "xiaolong.link", true },
@@ -41969,20 +42376,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xilou.org", true },
   { "ximble.com", true },
   { "ximbo.net", true },
-  { "xinbo270.com", true },
   { "xinbo676.com", true },
   { "xinboyule.com", true },
   { "xinj.com", true },
   { "xinlandm.com", true },
   { "xinnixdeuren-shop.be", true },
-  { "xinplay.net", true },
   { "xinu.xyz", true },
   { "xinuspeed.com", true },
   { "xinuspeedtest.com", true },
   { "xinuurl.com", true },
+  { "xiongx.cn", true },
   { "xjd.vision", true },
   { "xjf6.com", true },
   { "xjjeeps.com", true },
+  { "xjoi.net", true },
   { "xjoin.de", true },
   { "xjpvictor.info", true },
   { "xkblog.xyz", true },
@@ -41993,14 +42400,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xlange.com", true },
   { "xldl.ml", true },
   { "xliang.co", true },
-  { "xlui.me", true },
   { "xluxes.jp", true },
   { "xmedius.ca", true },
   { "xmedius.com", false },
   { "xmedius.eu", true },
   { "xmenrevolution.com", true },
+  { "xmflyrk.com", true },
   { "xmine128.tk", true },
   { "xmlbeam.org", true },
+  { "xmlogin288.com", true },
   { "xmodule.org", true },
   { "xmpp.dk", true },
   { "xmppwocky.net", true },
@@ -42017,8 +42425,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xn--0kq33cz5c8wmwrqqw1d.com", true },
   { "xn--158h.ml", true },
   { "xn--15tx89ctvm.xn--6qq986b3xl", true },
+  { "xn--1yst51avkr.ga", true },
+  { "xn--1yst51avkr.xn--6qq986b3xl", true },
   { "xn--24-6kch4bfqee.xn--p1ai", true },
   { "xn--24-glcia8dc.xn--p1ai", true },
+  { "xn--2sxs9ol7o.com", true },
   { "xn--48jwg508p.net", true },
   { "xn--4dbfsnr.xn--9dbq2a", true },
   { "xn--4kro7fswi.xn--6qq986b3xl", true },
@@ -42027,6 +42438,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xn--5dbkjqb0d.com", true },
   { "xn--5dbkjqb0d.net", true },
   { "xn--6o8h.cf", true },
+  { "xn--6qq52xuogcjfw8pwqp.ga", true },
+  { "xn--6qq62xsogfjfs8p1qp.ga", true },
   { "xn--6x6a.life", true },
   { "xn--79q87uvkclvgd56ahq5a.net", true },
   { "xn--7ca.co", true },
@@ -42041,7 +42454,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xn--90accgba6bldkcbb7a.xn--p1acf", true },
   { "xn--allgu-biker-o8a.de", true },
   { "xn--aviao-dra1a.pt", true },
+  { "xn--b3c4f.xn--o3cw4h", true },
   { "xn--baron-bonzenbru-elb.com", true },
+  { "xn--bckerei-trster-5hb11a.de", true },
   { "xn--ben-bank-8za.dk", true },
   { "xn--benbank-dxa.dk", true },
   { "xn--berwachungspaket-izb.at", true },
@@ -42059,12 +42474,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xn--detrkl13b9sbv53j.com", true },
   { "xn--detrkl13b9sbv53j.org", true },
   { "xn--dmonenjger-q5ag.net", true },
+  { "xn--dmontaa-9za.com", true },
   { "xn--dragni-g1a.de", true },
   { "xn--dtursfest-72a.dk", true },
   { "xn--e1aoahhqgn.xn--p1ai", true },
   { "xn--ecki0cd0bu9a4nsjb.com", true },
-  { "xn--eckle6c0exa0b0modc7054g7h8ajw6f.com", true },
   { "xn--ehqw04eq6e.jp", true },
+  { "xn--elsignificadodesoar-c4b.com", true },
   { "xn--erklderbarenben-slbh.dk", true },
   { "xn--et8h.cf", true },
   { "xn--f9jh4f4b4993b66s.tokyo", true },
@@ -42111,15 +42527,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xn--mgbpkc7fz3awhe.com", true },
   { "xn--mgbuq0c.net", true },
   { "xn--mllers-wxa.info", true },
+  { "xn--mntsamling-0cb.dk", true },
   { "xn--myrepubic-wub.net", true },
   { "xn--myrepublc-x5a.net", true },
   { "xn--n8j7dygrbu0c31a5861bq8qb.com", true },
   { "xn--n8jp5083dnzs.net", true },
   { "xn--n8jtcugp92n4wc738f.net", true },
+  { "xn--nf1a578axkh.xn--fiqs8s", true },
   { "xn--nrrdetval-v2ab.se", true },
   { "xn--o38h.tk", true },
   { "xn--obt757c.com", true },
-  { "xn--oiqt18e8e2a.eu.org", true },
   { "xn--p8j9a0d9c9a.xn--q9jyb4c", true },
   { "xn--pbt947am3ab71g.com", true },
   { "xn--pe-bka.ee", true },
@@ -42127,10 +42544,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xn--q9jb1h5dvcspke3218b9mn4p0c.com", true },
   { "xn--q9ji3c6d.xn--q9jyb4c", true },
   { "xn--qckss0j.tk", true },
-  { "xn--qfun83b.ga", true },
   { "xn--r8jzaf7977b09e.com", true },
   { "xn--rdiger-kuhlmann-zvb.de", true },
   { "xn--reisebro-herrsching-bbc.de", true },
+  { "xn--rlcus7b3d.xn--xkc2dl3a5ee0h", true },
   { "xn--roselire-60a.ch", true },
   { "xn--roselire-60a.com", true },
   { "xn--rt-cja.ie", true },
@@ -42155,10 +42572,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xn--v6q426ishax2a.xyz", true },
   { "xn--woistdermlleimer-rzb.de", true },
   { "xn--wq9h.ml", true },
+  { "xn--xft85up3jca.ga", true },
   { "xn--y-5ga.com", true },
   { "xn--y8j148r.xn--q9jyb4c", true },
   { "xn--y8jarb5hca.jp", true },
   { "xn--yrvp1ac68c.xn--6qq986b3xl", true },
+  { "xn--z1tq4ldt4b.com", true },
   { "xn--zettlmeil-n1a.de", true },
   { "xn--zr9h.cf", true },
   { "xn--zr9h.ga", true },
@@ -42168,7 +42587,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xnaas.info", true },
   { "xnet-x.net", true },
   { "xninja.xyz", true },
-  { "xnode.org", true },
   { "xntrik.wtf", true },
   { "xnu.kr", true },
   { "xo.tc", true },
@@ -42178,18 +42596,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xombitmusic.com", true },
   { "xone.cz", false },
   { "xonn.de", true },
-  { "xoonth.net", true },
   { "xp-ochrona.pl", true },
+  { "xp.nsupdate.info", true },
   { "xp2.de", true },
   { "xpd.se", true },
   { "xperiacode.com", true },
   { "xperidia.com", true },
   { "xpletus.nl", true },
-  { "xplore-dna.net", true },
   { "xpoc.pro", true },
   { "xposedornot.com", true },
-  { "xps2pdf.co.uk", true },
-  { "xps2pdf.info", true },
   { "xqk7.com", true },
   { "xr.cx", true },
   { "xr1s.me", true },
@@ -42247,6 +42662,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xxiz.com", true },
   { "xxxlbox.com", true },
   { "xxxsuper.net", true },
+  { "xy6161.com", true },
+  { "xy6262.com", true },
+  { "xy6363.com", true },
+  { "xy7171.com", true },
+  { "xy7272.com", true },
+  { "xy7373.com", true },
   { "xyenon.bid", true },
   { "xyfun.net", false },
   { "xywing.com", true },
@@ -42284,6 +42705,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yanaduday.com", true },
   { "yanbao.xyz", true },
   { "yandere.moe", true },
+  { "yangcs.net", true },
   { "yangjingwen.cn", true },
   { "yangmaodang.org", true },
   { "yangmi.blog", true },
@@ -42293,6 +42715,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yannick.cloud", true },
   { "yannik-buerkle.de", true },
   { "yannikbloscheck.com", true },
+  { "yannis.codes", true },
   { "yanovich.net", true },
   { "yanqiyu.info", true },
   { "yans.io", true },
@@ -42310,14 +42733,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yaup.tk", true },
   { "yawen.me", true },
   { "yaxim.org", true },
-  { "yazaral.com", true },
   { "ybin.me", true },
   { "ybresson.com", true },
   { "ybsul.com", true },
-  { "ybt520.com", true },
   { "ybti.net", true },
   { "ybzhao.com", true },
   { "ych.art", true },
+  { "ycherbonnel.fr", true },
   { "ychon.com", true },
   { "ychong.com", true },
   { "yclan.net", true },
@@ -42369,7 +42791,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yenpape.com", true },
   { "yep-pro.ch", true },
   { "yephy.com", true },
-  { "yesiammaisey.me", true },
   { "yeskx.com", true },
   { "yeswecan.co.bw", true },
   { "yeswehack.com", true },
@@ -42390,6 +42811,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yhe.me", true },
   { "yhenke.de", true },
   { "yhfou.com", true },
+  { "yhhh.org", true },
   { "yhndnzj.com", true },
   { "yhong.me", true },
   { "yhrd.org", true },
@@ -42397,6 +42819,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yiheng.moe", true },
   { "yii2.cc", true },
   { "yikeyong.com", true },
+  { "yimgo.fr", true },
   { "yinfor.com", true },
   { "yingatech.com", true },
   { "yinglinda.love", true },
@@ -42406,18 +42829,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yiyueread.com", true },
   { "yiz96.com", true },
   { "yjsoft.me", true },
+  { "ykhut.com", true },
   { "yksityisyydensuoja.fi", true },
+  { "ylde.de", true },
   { "ylinternal.com", true },
   { "ymarion.de", true },
   { "ymblaw.com", true },
   { "ymoah.nl", true },
   { "ymtsonline.org", true },
   { "ynnovasport.be", true },
-  { "ynxfh.cn", true },
   { "yoa.st", true },
   { "yoast.com", true },
   { "yobai-grouprec.jp", true },
-  { "yobai28.com", true },
   { "yobbelwobbel.de", false },
   { "yobify.com", true },
   { "yoga-alliance-teacher-training.com", true },
@@ -42429,6 +42852,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yogabhawnamission.com", true },
   { "yogacentric.co.uk", true },
   { "yogahealsinc.org", true },
+  { "yogamea.school", true },
   { "yogananda-roma.org", true },
   { "yogaschoolrishikesh.com", true },
   { "yoibyoin.info", true },
@@ -42446,6 +42870,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yongbin.org", true },
   { "yoonas.com", true },
   { "yooooex.com", true },
+  { "yoplate.com", true },
   { "yoppoy.com", true },
   { "yopuedo.co", true },
   { "yoramvandevelde.net", true },
@@ -42453,6 +42878,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yorcool.nl", true },
   { "yorkshiredalesinflatables.co.uk", true },
   { "yorkshireinflatables.co.uk", true },
+  { "yorname.ml", false },
   { "yosbeda.com", true },
   { "yosemo.de", true },
   { "yoshibaworks.com", true },
@@ -42468,9 +42894,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "youareme.ca", true },
   { "youc.ir", true },
   { "youcanfuckoff.xyz", true },
+  { "youcanmakeit.at", true },
   { "youcruit.com", true },
   { "youdungoofd.com", true },
-  { "youftp.tk", true },
   { "yougee.ml", true },
   { "youhacked.me", true },
   { "youhavewords.com", true },
@@ -42480,7 +42906,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "youked.com", true },
   { "youkok2.com", true },
   { "youlovehers.com", true },
-  { "youmiracle.com", true },
   { "youms.de", true },
   { "young-sheldon.com", true },
   { "youngauthentic.cf", true },
@@ -42492,10 +42917,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "youpark.no", true },
   { "youpickfarms.org", true },
   { "your-erotic-stories.com", true },
+  { "your-idc.tk", true },
   { "your-out.com", true },
   { "your-waterserver.com", true },
   { "youracnepro.com", true },
   { "youran.me", true },
+  { "yourbittorrent.com", true },
+  { "yourbittorrent.host", true },
+  { "yourbittorrent.icu", true },
+  { "yourbittorrent.pw", true },
+  { "yourbittorrent2.com", true },
   { "yourbonus.click", true },
   { "yourciso.com", true },
   { "yourcomputer.expert", true },
@@ -42510,6 +42941,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yourskin.nl", true },
   { "yourstake.org", true },
   { "yourticketbooking.com", true },
+  { "yourtrainer.com", true },
   { "yousei.ne.jp", true },
   { "yout.com", true },
   { "youth.gov", true },
@@ -42525,6 +42957,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ypart.eu", true },
   { "ypid.de", true },
   { "yplanapp.com", true },
+  { "ypse.com.br", true },
   { "yqjf68.com", true },
   { "yr166166.com", true },
   { "yrjanheikki.com", true },
@@ -42544,7 +42977,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yuan.ga", true },
   { "yuanben.io", true },
   { "yuanjiazhao.com", true },
-  { "yuanjiazhao.tk", true },
   { "yubi.co", true },
   { "yubicloud.io", true },
   { "yubico.ae", true },
@@ -42601,6 +43033,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yubiking.com", true },
   { "yue.la", true },
   { "yuexiangzs.com", true },
+  { "yugasun.com", true },
   { "yuisyo.ml", true },
   { "yukari.cafe", true },
   { "yukari.cloud", true },
@@ -42616,6 +43049,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yunzhu.li", true },
   { "yuricarlenzoli.it", true },
   { "yurikirin.me", true },
+  { "yurimoens.be", true },
   { "yurisviridov.com", true },
   { "yusa.me", true },
   { "yushi.moe", true },
@@ -42638,8 +43072,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yvonnehaeusser.de", true },
   { "yvonnethomet.ch", true },
   { "yvonnewilhelmi.com", true },
-  { "yxs.me", true },
-  { "yxt521.com", true },
   { "yya.me", true },
   { "yyc.city", true },
   { "yyyy.xyz", true },
@@ -42677,6 +43109,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zaclys.com", false },
   { "zafirus.name", true },
   { "zaghyr.org", true },
+  { "zagluszaczgps.pl", true },
   { "zahe.me", true },
   { "zahnaerzte-bohne.de", true },
   { "zahnarzt-duempten.de", true },
@@ -42687,6 +43120,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zajazd.biz", true },
   { "zakariya.blog", true },
   { "zakcutner.uk", true },
+  { "zakelijketaalcursus.nl", true },
+  { "zakelijkgoedengelsleren.nl", true },
   { "zakladam.cz", true },
   { "zakmccrac.de", true },
   { "zakojifarm.jp", true },
@@ -42725,6 +43160,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zbanks.cn", true },
   { "zbrane-doplnky.cz", true },
   { "zbut.bg", true },
+  { "zby.io", true },
   { "zbyga.cz", true },
   { "zbyte.it", true },
   { "zcarot.com", true },
@@ -42743,7 +43179,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zdrojak.cz", true },
   { "zdymak.by", true },
   { "ze3kr.com", true },
-  { "zeal-and.jp", true },
   { "zeal-interior.com", true },
   { "zealworks.jp", true },
   { "zebbra.ro", true },
@@ -42752,7 +43187,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zeds-official.com", true },
   { "zeebrieshoekvanholland.nl", true },
   { "zeel.com", true },
-  { "zeelynk.com", true },
   { "zeestraten.nl", true },
   { "zeetoppers.nl", true },
   { "zeeuw.nl", true },
@@ -42778,14 +43212,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zenithmedia.ca", true },
   { "zenk-security.com", true },
   { "zenlogic.com", true },
-  { "zenmate.com.tr", true },
+  { "zenluxuryliving.com", true },
   { "zennzimie.be", true },
   { "zennzimie.com", true },
   { "zenofa.co.id", true },
-  { "zenram.com", true },
   { "zentask.io", true },
   { "zenti.cloud", true },
   { "zenvideocloud.com", true },
+  { "zenvite.com", true },
+  { "zenycosta.com", true },
   { "zephyrbk.com", true },
   { "zephyrbookkeeping.com", true },
   { "zephyretcoraline.com", true },
@@ -42803,7 +43238,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zerossl.com", true },
   { "zerosync.com", true },
   { "zerotoone.de", true },
-  { "zertif.info", true },
+  { "zerowastesavvy.com", true },
   { "zertitude.com", true },
   { "zeryn.net", true },
   { "zespia.tw", false },
@@ -42826,7 +43261,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zhangge.net", true },
   { "zhanghao.me", true },
   { "zhangheda.cf", true },
+  { "zhangshuqiao.org", true },
   { "zhangsidan.com", true },
+  { "zhangwendao.com", true },
   { "zhangyuhao.com", true },
   { "zhangzifan.com", false },
   { "zhaoeq.com", true },
@@ -42834,6 +43271,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zhaopage.com", true },
   { "zhaoxixiangban.cc", true },
   { "zhcexo.com", true },
+  { "zhdd.pl", true },
   { "zhen-chen.com", true },
   { "zhengjie.com", true },
   { "zhenic.ir", true },
@@ -42844,6 +43282,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zhl123.com", true },
   { "zhome.info", true },
   { "zhongzicili.ws", true },
+  { "zhost.io", true },
+  { "zhouba.cz", true },
   { "zhoushuo.me", false },
   { "zhoutiancai.cn", true },
   { "zhovner.com", true },
@@ -42851,7 +43291,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zhuihoude.com", true },
   { "zhuji.com", true },
   { "zi.is", true },
-  { "ziegler-family.com", true },
   { "ziegler-heizung-frankfurt.de", true },
   { "zielonakarta.com", true },
   { "ziemlich-zackig.de", true },
@@ -42884,14 +43323,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zionsvillelocksmiths.com", true },
   { "zip.ch", true },
   { "zipkey.de", true },
-  { "ziptie.com", true },
   { "zircode.com", true },
   { "zirka24.net", true },
   { "ziroh.be", true },
+  { "zirrka.de", true },
   { "zirtek.ie", true },
   { "zirtual.com", true },
   { "zitseng.com", true },
   { "zittingskalender.be", true },
+  { "zivagold.com", true },
   { "zivava.ge", true },
   { "zivmergers.com", true },
   { "zivver.be", true },
@@ -42904,7 +43344,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zivyruzenec.cz", true },
   { "zixiao.wang", true },
   { "zizcollections.com", true },
-  { "zjuqsc.com", true },
+  { "zjateaucafe.be", true },
   { "zjv.me", true },
   { "zk.com.co", true },
   { "zk.gd", true },
@@ -42950,6 +43390,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zollihood.ch", true },
   { "zom.bi", true },
   { "zomerschoen.nl", true },
+  { "zomiac.pp.ua", true },
   { "zonadigital.co", true },
   { "zone-produkte.de", false },
   { "zone39.com", true },
@@ -42966,10 +43407,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zook.systems", true },
   { "zoola.io", true },
   { "zoolaboo.de", true },
+  { "zoological-gardens.eu", true },
   { "zoom.earth", true },
   { "zoomcar.pro", true },
   { "zoomek.com", true },
-  { "zoomseoservices.com", false },
   { "zooom.azurewebsites.net", true },
   { "zooom2.azurewebsites.net", true },
   { "zoop.ml", true },
@@ -42995,9 +43436,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zqwqz.com", true },
   { "zr.is", true },
   { "zravypapir.cz", true },
+  { "zrhdwz.cn", true },
+  { "zrkr.de", true },
   { "zrniecka-pre-sny.sk", true },
   { "zrnieckapresny.sk", true },
-  { "zrt.io", true },
+  { "zrt.io", false },
   { "zry-blog.top", true },
   { "zs-ohradni.cz", true },
   { "zs-reporyje.cz", true },
@@ -43006,10 +43449,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zskomenskeho.cz", true },
   { "zskomenskeho.eu", true },
   { "zsoltsandor.me", true },
+  { "zsq.im", true },
   { "zsrbcs.com", true },
   { "zten.org", true },
   { "ztjuh.tk", true },
   { "zubel.it", false },
+  { "zubr.net", true },
   { "zubro.net", true },
   { "zuefle.net", true },
   { "zug-anwalt.de", true },
diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO
deleted file mode 100644
index a004fa449..000000000
--- a/security/nss/TAG-INFO
+++ /dev/null
@@ -1 +0,0 @@
-NSS_3_38_RTM
diff --git a/security/nss/automation/abi-check/expected-report-libnss3.so.txt b/security/nss/automation/abi-check/expected-report-libnss3.so.txt
index e69de29bb..fa6e67412 100644
--- a/security/nss/automation/abi-check/expected-report-libnss3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libnss3.so.txt
@@ -0,0 +1,18 @@
+
+1 function with some indirect sub-type change:
+
+  [C]'function SECStatus CERT_AddOCSPAcceptableResponses(CERTOCSPRequest*, SECOidTag, ...)' at ocsp.c:2203:1 has some indirect sub-type changes:
+    parameter 2 of type 'typedef SECOidTag' has sub-type changes:
+      underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+        type size hasn't changed
+        4 enumerator insertions:
+          '__anonymous_enum__::SEC_OID_X509_ANY_EXT_KEY_USAGE' value '357'
+          '__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_IKE' value '358'
+          '__anonymous_enum__::SEC_OID_IPSEC_IKE_END' value '359'
+          '__anonymous_enum__::SEC_OID_IPSEC_IKE_INTERMEDIATE' value '360'
+
+        1 enumerator change:
+          '__anonymous_enum__::SEC_OID_TOTAL' from value '357' to '361' at secoidt.h:34:1
+
+
+
diff --git a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
index efc7d6d67..971365c68 100644
--- a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
@@ -1,4 +1,18 @@
 
-1 Added function:
+1 function with some indirect sub-type change:
+
+  [C]'function SECStatus NSS_GetAlgorithmPolicy(SECOidTag, PRUint32*)' at secoid.c:2217:1 has some indirect sub-type changes:
+    parameter 1 of type 'typedef SECOidTag' has sub-type changes:
+      underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+        type size hasn't changed
+        4 enumerator insertions:
+          '__anonymous_enum__::SEC_OID_X509_ANY_EXT_KEY_USAGE' value '357'
+          '__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_IKE' value '358'
+          '__anonymous_enum__::SEC_OID_IPSEC_IKE_END' value '359'
+          '__anonymous_enum__::SEC_OID_IPSEC_IKE_INTERMEDIATE' value '360'
+
+        1 enumerator change:
+          '__anonymous_enum__::SEC_OID_TOTAL' from value '357' to '361' at secoidt.h:34:1
+
+
 
-  'function SECStatus SECITEM_MakeItem(PLArenaPool*, SECItem*, unsigned char*, unsigned int)'    {SECITEM_MakeItem@@NSSUTIL_3.38}
diff --git a/security/nss/automation/abi-check/expected-report-libsmime3.so.txt b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt
index e69de29bb..f4870feec 100644
--- a/security/nss/automation/abi-check/expected-report-libsmime3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt
@@ -0,0 +1,48 @@
+
+1 function with some indirect sub-type change:
+
+  [C]'function PK11SymKey* NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo*)' at cmscinfo.c:363:1 has some indirect sub-type changes:
+    parameter 1 of type 'NSSCMSContentInfo*' has sub-type changes:
+      in pointed to type 'typedef NSSCMSContentInfo' at cmst.h:54:1:
+        underlying type 'struct NSSCMSContentInfoStr' at cmst.h:126:1 changed:
+          type size hasn't changed
+          1 data member changes (2 filtered):
+           type of 'NSSCMSContent NSSCMSContentInfoStr::content' changed:
+             underlying type 'union NSSCMSContentUnion' at cmst.h:113:1 changed:
+               type size hasn't changed
+               1 data member changes (3 filtered):
+                type of 'NSSCMSEncryptedData* NSSCMSContentUnion::encryptedData' changed:
+                  in pointed to type 'typedef NSSCMSEncryptedData' at cmst.h:65:1:
+                    underlying type 'struct NSSCMSEncryptedDataStr' at cmst.h:463:1 changed:
+                      type size hasn't changed
+                      1 data member changes (1 filtered):
+                       type of 'NSSCMSAttribute** NSSCMSEncryptedDataStr::unprotectedAttr' changed:
+                         in pointed to type 'NSSCMSAttribute*':
+                           in pointed to type 'typedef NSSCMSAttribute' at cmst.h:69:1:
+                             underlying type 'struct NSSCMSAttributeStr' at cmst.h:482:1 changed:
+                               type size hasn't changed
+                               1 data member change:
+                                type of 'SECOidData* NSSCMSAttributeStr::typeTag' changed:
+                                  in pointed to type 'typedef SECOidData' at secoidt.h:16:1:
+                                    underlying type 'struct SECOidDataStr' at secoidt.h:513:1 changed:
+                                      type size hasn't changed
+                                      1 data member change:
+                                       type of 'SECOidTag SECOidDataStr::offset' changed:
+                                         underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+                                           type size hasn't changed
+                                           4 enumerator insertions:
+                                             '__anonymous_enum__::SEC_OID_X509_ANY_EXT_KEY_USAGE' value '357'
+                                             '__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_IKE' value '358'
+                                             '__anonymous_enum__::SEC_OID_IPSEC_IKE_END' value '359'
+                                             '__anonymous_enum__::SEC_OID_IPSEC_IKE_INTERMEDIATE' value '360'
+
+                                           1 enumerator change:
+                                             '__anonymous_enum__::SEC_OID_TOTAL' from value '357' to '361' at secoidt.h:34:1
+
+
+
+
+
+
+
+
diff --git a/security/nss/automation/abi-check/previous-nss-release b/security/nss/automation/abi-check/previous-nss-release
index c52061e7e..13a0361e3 100644
--- a/security/nss/automation/abi-check/previous-nss-release
+++ b/security/nss/automation/abi-check/previous-nss-release
@@ -1 +1 @@
-NSS_3_37_BRANCH
+NSS_3_40_BRANCH
diff --git a/security/nss/automation/clang-format/Dockerfile b/security/nss/automation/clang-format/Dockerfile
index 163c9b8fa..e74dac09f 100644
--- a/security/nss/automation/clang-format/Dockerfile
+++ b/security/nss/automation/clang-format/Dockerfile
@@ -1,26 +1,35 @@
-FROM ubuntu:16.04
-MAINTAINER Franziskus Kiefer <franziskuskiefer@gmail.com>
+# Minimal image with clang-format 3.9.
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
 
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    clang-format-3.9 \
+    locales \
+    mercurial \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
 
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
+RUN update-alternatives --install /usr/bin/clang-format \
+    clang-format $(which clang-format-3.9) 10
 
-# Change user.
-USER worker
-
-# Env variables.
-ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
-ENV LOGNAME worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
 ENV HOSTNAME taskcluster-worker
 ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
+ENV LC_ALL $LANG
 ENV HOST localhost
 ENV DOMSUF localdomain
 
-# Entrypoint.
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+USER $USER
+
+# Entrypoint - which only works if /home/worker/nss is mounted.
 ENTRYPOINT ["/home/worker/nss/automation/clang-format/run_clang_format.sh"]
diff --git a/security/nss/automation/clang-format/setup.sh b/security/nss/automation/clang-format/setup.sh
deleted file mode 100644
index beac9e905..000000000
--- a/security/nss/automation/clang-format/setup.sh
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y update && apt-get -y upgrade
-
-# Install packages.
-apt_packages=()
-apt_packages+=('ca-certificates')
-apt_packages+=('curl')
-apt_packages+=('xz-utils')
-apt_packages+=('mercurial')
-apt_packages+=('git')
-apt_packages+=('locales')
-apt-get install -y --no-install-recommends ${apt_packages[@]}
-
-# Download clang.
-curl -L https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz -o clang.tar.xz
-curl -L https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig -o clang.tar.xz.sig
-# Verify the signature.
-gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
-gpg --verify clang.tar.xz.sig
-# Install into /usr/local/.
-tar xJvf *.tar.xz -C /usr/local --strip-components=1
-
-# Cleanup.
-function cleanup() {
-  rm -f clang.tar.xz clang.tar.xz.sig
-}
-trap cleanup ERR EXIT
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-
-# We're done. Remove this script.
-rm $0
diff --git a/security/nss/automation/release/nspr-version.txt b/security/nss/automation/release/nspr-version.txt
index 701680d2c..102def16d 100644
--- a/security/nss/automation/release/nspr-version.txt
+++ b/security/nss/automation/release/nspr-version.txt
@@ -1,4 +1,4 @@
-4.19
+4.20
 
 # The first line of this file must contain the human readable NSPR
 # version number, which is the minimum required version of NSPR
diff --git a/security/nss/automation/taskcluster/docker-aarch64/Dockerfile b/security/nss/automation/taskcluster/docker-aarch64/Dockerfile
index 2d7ade357..aca173cd0 100644
--- a/security/nss/automation/taskcluster/docker-aarch64/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-aarch64/Dockerfile
@@ -20,7 +20,6 @@ ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
 ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
 ENV LANG en_US.UTF-8
 ENV LC_ALL en_US.UTF-8
 ENV HOST localhost
diff --git a/security/nss/automation/taskcluster/docker-arm/Dockerfile b/security/nss/automation/taskcluster/docker-arm/Dockerfile
index 9a7e50201..5b8cfca20 100644
--- a/security/nss/automation/taskcluster/docker-arm/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-arm/Dockerfile
@@ -17,7 +17,6 @@ ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
 ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
 ENV LANG en_US.UTF-8
 ENV LC_ALL en_US.UTF-8
 ENV HOST localhost
diff --git a/security/nss/automation/taskcluster/docker-builds/Dockerfile b/security/nss/automation/taskcluster/docker-builds/Dockerfile
new file mode 100644
index 000000000..9f0bb2034
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-builds/Dockerfile
@@ -0,0 +1,75 @@
+# Dockerfile for building extra builds.  This includes more tools than the
+# default image, so it's a fair bit bigger.  Only use this for builds where
+# the smaller docker image is missing something.  These builds will run on
+# the leaner configuration.
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
+
+RUN dpkg --add-architecture i386
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
+    clang-4.0 \
+    clang \
+    cmake \
+    curl \
+    g++-4.8-multilib \
+    g++-5-multilib \
+    g++-6-multilib \
+    g++-multilib \
+    git \
+    gyp \
+    libelf-dev \
+    libdw-dev \
+    libssl-dev \
+    libssl-dev:i386 \
+    libxml2-utils \
+    lib32z1-dev \
+    linux-libc-dev:i386 \
+    llvm-dev \
+    locales \
+    mercurial \
+    ninja-build \
+    pkg-config \
+    valgrind \
+    zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+# Latest version of abigail-tools
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends automake libtool libxml2-dev \
+ && git clone git://sourceware.org/git/libabigail.git /tmp/libabigail \
+ && cd /tmp/libabigail \
+ && autoreconf -fi \
+ && ./configure --prefix=/usr --disable-static --disable-apidoc --disable-manual \
+ && make && make install \
+ && rm -rf /tmp/libabigail \
+ && apt-get remove -y automake libtool libxml2-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+ENV SHELL /bin/bash
+ENV USER worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
+ENV LANG en_US.UTF-8
+ENV LC_ALL $LANG
+ENV HOST localhost
+ENV DOMSUF localdomain
+
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
+
+# Set a default command for debugging.
+CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-clang-3.9/bin/checkout.sh b/security/nss/automation/taskcluster/docker-builds/bin/checkout.sh
index 9167f6bda..9167f6bda 100644
--- a/security/nss/automation/taskcluster/docker-clang-3.9/bin/checkout.sh
+++ b/security/nss/automation/taskcluster/docker-builds/bin/checkout.sh
diff --git a/security/nss/automation/taskcluster/docker-clang-3.9/Dockerfile b/security/nss/automation/taskcluster/docker-clang-3.9/Dockerfile
deleted file mode 100644
index 473ce64ba..000000000
--- a/security/nss/automation/taskcluster/docker-clang-3.9/Dockerfile
+++ /dev/null
@@ -1,30 +0,0 @@
-FROM ubuntu:16.04
-MAINTAINER Tim Taubert <ttaubert@mozilla.com>
-
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
-
-# Add build and test scripts.
-ADD bin /home/worker/bin
-RUN chmod +x /home/worker/bin/*
-
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
-
-# Change user.
-USER worker
-
-# Env variables.
-ENV HOME /home/worker
-ENV SHELL /bin/bash
-ENV USER worker
-ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
-ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
-ENV HOST localhost
-ENV DOMSUF localdomain
-
-# Set a default command for debugging.
-CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-clang-3.9/setup.sh b/security/nss/automation/taskcluster/docker-clang-3.9/setup.sh
deleted file mode 100644
index 3076667a6..000000000
--- a/security/nss/automation/taskcluster/docker-clang-3.9/setup.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y update && apt-get -y upgrade
-
-# Need this to add keys for PPAs below.
-apt-get install -y --no-install-recommends apt-utils
-
-apt_packages=()
-apt_packages+=('ca-certificates')
-apt_packages+=('curl')
-apt_packages+=('locales')
-apt_packages+=('xz-utils')
-
-# Latest Mercurial.
-apt_packages+=('mercurial')
-apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
-echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
-
-# Install packages.
-apt-get -y update
-apt-get install -y --no-install-recommends ${apt_packages[@]}
-
-# Download clang.
-curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
-curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
-# Verify the signature.
-gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
-gpg --verify *.tar.xz.sig
-# Install into /usr/local/.
-tar xJvf *.tar.xz -C /usr/local --strip-components=1
-# Cleanup.
-rm *.tar.xz*
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-rm $0
diff --git a/security/nss/automation/taskcluster/docker-clang-format/Dockerfile b/security/nss/automation/taskcluster/docker-clang-format/Dockerfile
new file mode 100644
index 000000000..c9f8b8b0e
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-clang-format/Dockerfile
@@ -0,0 +1,38 @@
+# Minimal image with clang-format 3.9.
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    clang-format-3.9 \
+    locales \
+    mercurial \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+RUN update-alternatives --install /usr/bin/clang-format \
+    clang-format $(which clang-format-3.9) 10
+
+ENV SHELL /bin/bash
+ENV USER worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
+ENV LANG en_US.UTF-8
+ENV LC_ALL $LANG
+ENV HOST localhost
+ENV DOMSUF localdomain
+
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
+
+# Set a default command for debugging.
+CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-clang-format/bin/checkout.sh b/security/nss/automation/taskcluster/docker-clang-format/bin/checkout.sh
new file mode 100644
index 000000000..9167f6bda
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-clang-format/bin/checkout.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+if [ $(id -u) = 0 ]; then
+    # Drop privileges by re-running this script.
+    exec su worker $0
+fi
+
+# Default values for testing.
+REVISION=${NSS_HEAD_REVISION:-default}
+REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
+
+# Clone NSS.
+for i in 0 2 5; do
+    sleep $i
+    hg clone -r $REVISION $REPOSITORY nss && exit 0
+    rm -rf nss
+done
+exit 1
diff --git a/security/nss/automation/taskcluster/docker-decision/Dockerfile b/security/nss/automation/taskcluster/docker-decision/Dockerfile
index 473ce64ba..e0a31641e 100644
--- a/security/nss/automation/taskcluster/docker-decision/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-decision/Dockerfile
@@ -1,30 +1,37 @@
-FROM ubuntu:16.04
-MAINTAINER Tim Taubert <ttaubert@mozilla.com>
+# Minimal image for running the decision task.
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
 
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    locales \
+    mercurial \
+    nodejs \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
 
-# Add build and test scripts.
-ADD bin /home/worker/bin
-RUN chmod +x /home/worker/bin/*
-
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
-
-# Change user.
-USER worker
-
-# Env variables.
-ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
-ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
 ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
+ENV LC_ALL $LANG
 ENV HOST localhost
 ENV DOMSUF localdomain
 
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
+
 # Set a default command for debugging.
 CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-decision/setup.sh b/security/nss/automation/taskcluster/docker-decision/setup.sh
deleted file mode 100644
index 51938529c..000000000
--- a/security/nss/automation/taskcluster/docker-decision/setup.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y update && apt-get -y upgrade
-
-# Need those to install newer packages below.
-apt-get install -y --no-install-recommends apt-utils curl ca-certificates locales
-
-# Latest Mercurial.
-apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
-echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
-
-# Install packages.
-apt-get -y update && apt-get install -y --no-install-recommends mercurial
-
-# Latest Node.JS.
-curl -sL https://deb.nodesource.com/setup_6.x | bash -
-apt-get install -y --no-install-recommends nodejs
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-rm $0
diff --git a/security/nss/automation/taskcluster/docker-fuzz/Dockerfile b/security/nss/automation/taskcluster/docker-fuzz/Dockerfile
index 254f166c8..24f939946 100644
--- a/security/nss/automation/taskcluster/docker-fuzz/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-fuzz/Dockerfile
@@ -1,33 +1,59 @@
-FROM ubuntu:16.04
-MAINTAINER Tim Taubert <ttaubert@mozilla.com>
+# Dockerfile for running fuzzing tests.
+#
+# Note that when running this, you need to add `--cap-add SYS_PTRACE` to the
+# docker invocation or ASAN won't work.
+# On taskcluster use `features: ["allowPtrace"]`.
+# See https://github.com/google/sanitizers/issues/764#issuecomment-276700920
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
 
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
+RUN dpkg --add-architecture i386
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
+    clang \
+    clang-tools \
+    curl \
+    g++-multilib \
+    git \
+    gyp \
+    libssl-dev \
+    libssl-dev:i386 \
+    libxml2-utils \
+    lib32z1-dev \
+    linux-libc-dev:i386 \
+    llvm-dev \
+    locales \
+    mercurial \
+    ninja-build \
+    pkg-config \
+    valgrind \
+    zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
 
-# Add build and test scripts.
-ADD bin /home/worker/bin
-RUN chmod +x /home/worker/bin/*
-
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
-
-# Change user.
-USER worker
-
-# Env variables.
-ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
-ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
 ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
+ENV LC_ALL $LANG
 ENV HOST localhost
 ENV DOMSUF localdomain
 
-# LLVM 4.0
-ENV PATH "${PATH}:/home/worker/third_party/llvm-build/Release+Asserts/bin/"
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+# Change user.
+USER $USER
 
 # Set a default command for debugging.
 CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-fuzz/setup.sh b/security/nss/automation/taskcluster/docker-fuzz/setup.sh
deleted file mode 100644
index fcb72346e..000000000
--- a/security/nss/automation/taskcluster/docker-fuzz/setup.sh
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y update && apt-get -y upgrade
-
-# Need this to add keys for PPAs below.
-apt-get install -y --no-install-recommends apt-utils
-
-apt_packages=()
-apt_packages+=('build-essential')
-apt_packages+=('ca-certificates')
-apt_packages+=('curl')
-apt_packages+=('git')
-apt_packages+=('gyp')
-apt_packages+=('libssl-dev')
-apt_packages+=('libxml2-utils')
-apt_packages+=('locales')
-apt_packages+=('ninja-build')
-apt_packages+=('pkg-config')
-apt_packages+=('zlib1g-dev')
-
-# 32-bit builds
-apt_packages+=('gcc-multilib')
-apt_packages+=('g++-multilib')
-
-# Latest Mercurial.
-apt_packages+=('mercurial')
-apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
-echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
-
-# Install packages.
-apt-get -y update
-apt-get install -y --no-install-recommends ${apt_packages[@]}
-
-# 32-bit builds
-dpkg --add-architecture i386
-apt-get -y update
-apt-get install -y --no-install-recommends libssl-dev:i386
-
-# Install LLVM/clang-4.0.
-mkdir clang-tmp
-git clone -n --depth 1 https://chromium.googlesource.com/chromium/src/tools/clang clang-tmp/clang
-git -C clang-tmp/clang checkout HEAD scripts/update.py
-clang-tmp/clang/scripts/update.py
-rm -fr clang-tmp
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-rm $0
diff --git a/security/nss/automation/taskcluster/docker-fuzz32/Dockerfile b/security/nss/automation/taskcluster/docker-fuzz32/Dockerfile
new file mode 100644
index 000000000..f5fd3cfd5
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-fuzz32/Dockerfile
@@ -0,0 +1,73 @@
+# Dockerfile for running fuzzing tests on linux32.
+#
+# This is a temporary workaround for bugs in clang that make it incompatible
+# with Ubuntu 18.04 (see bug 1488148). This image can be removed once a new
+# release of LLVM includes the necessary fixes.
+
+FROM ubuntu:16.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
+
+RUN dpkg --add-architecture i386
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
+    curl \
+    g++-multilib \
+    git \
+    gyp \
+    libssl-dev \
+    libssl-dev:i386 \
+    libxml2-utils \
+    lib32z1-dev \
+    linux-libc-dev:i386 \
+    locales \
+    mercurial \
+    ninja-build \
+    pkg-config \
+    software-properties-common \
+    valgrind \
+    zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+# Install clang and tools from the LLVM PPA.
+RUN curl -sf https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - \
+ && apt-add-repository "deb http://apt.llvm.org/xenial/ llvm-toolchain-xenial-6.0 main" \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends \
+    clang-6.0 \
+    clang-tools-6.0 \
+    llvm-6.0-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+# Alias all the clang commands.
+RUN for i in $(dpkg -L clang-6.0 clang-tools-6.0 | grep '^/usr/bin/' | xargs -i basename {} -6.0); do \
+      update-alternatives --install "/usr/bin/$i" "$i" "/usr/bin/${i}-6.0" 10; \
+    done
+
+ENV SHELL /bin/bash
+ENV USER worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
+ENV LANG en_US.UTF-8
+ENV LC_ALL $LANG
+ENV HOST localhost
+ENV DOMSUF localdomain
+
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+# Change user.
+USER $USER
+
+# Set a default command for debugging.
+CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-fuzz32/bin/checkout.sh b/security/nss/automation/taskcluster/docker-fuzz32/bin/checkout.sh
new file mode 100644
index 000000000..9167f6bda
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-fuzz32/bin/checkout.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+if [ $(id -u) = 0 ]; then
+    # Drop privileges by re-running this script.
+    exec su worker $0
+fi
+
+# Default values for testing.
+REVISION=${NSS_HEAD_REVISION:-default}
+REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
+
+# Clone NSS.
+for i in 0 2 5; do
+    sleep $i
+    hg clone -r $REVISION $REPOSITORY nss && exit 0
+    rm -rf nss
+done
+exit 1
diff --git a/security/nss/automation/taskcluster/docker-gcc-4.4/Dockerfile b/security/nss/automation/taskcluster/docker-gcc-4.4/Dockerfile
index 3330c007f..69538322a 100644
--- a/security/nss/automation/taskcluster/docker-gcc-4.4/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-gcc-4.4/Dockerfile
@@ -1,30 +1,39 @@
 FROM ubuntu:14.04
-MAINTAINER Tim Taubert <ttaubert@mozilla.com>
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
 
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
+RUN dpkg --add-architecture i386
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    g++-4.4 \
+    gcc-4.4 \
+    locales \
+    make \
+    mercurial \
+    zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
 
-# Add build and test scripts.
-ADD bin /home/worker/bin
-RUN chmod +x /home/worker/bin/*
-
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
-
-# Change user.
-USER worker
-
-# Env variables.
-ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
-ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
 ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
+ENV LC_ALL $LANG
 ENV HOST localhost
 ENV DOMSUF localdomain
 
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
+
 # Set a default command for debugging.
 CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-gcc-4.4/setup.sh b/security/nss/automation/taskcluster/docker-gcc-4.4/setup.sh
deleted file mode 100644
index f6325d966..000000000
--- a/security/nss/automation/taskcluster/docker-gcc-4.4/setup.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y update && apt-get -y upgrade
-
-apt_packages=()
-apt_packages+=('ca-certificates')
-apt_packages+=('g++-4.4')
-apt_packages+=('gcc-4.4')
-apt_packages+=('locales')
-apt_packages+=('make')
-apt_packages+=('mercurial')
-apt_packages+=('zlib1g-dev')
-
-# Install packages.
-apt-get -y update
-apt-get install -y --no-install-recommends ${apt_packages[@]}
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-rm $0
diff --git a/security/nss/automation/taskcluster/docker-interop/Dockerfile b/security/nss/automation/taskcluster/docker-interop/Dockerfile
new file mode 100644
index 000000000..fb4e15d93
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-interop/Dockerfile
@@ -0,0 +1,56 @@
+# Dockerfile for running interop tests.
+# This includes Rust, golang, and nodejs.
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
+
+RUN dpkg --add-architecture i386
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
+    clang \
+    cmake \
+    curl \
+    g++-multilib \
+    git \
+    golang \
+    gyp \
+    libxml2-utils \
+    lib32z1-dev \
+    linux-libc-dev:i386 \
+    llvm-dev \
+    locales \
+    mercurial \
+    ninja-build \
+    npm \
+    pkg-config \
+    zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+ENV SHELL /bin/bash
+ENV USER worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
+ENV LANG en_US.UTF-8
+ENV LC_ALL $LANG
+ENV HOST localhost
+ENV DOMSUF localdomain
+
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
+
+# Install Rust stable as $USER.
+RUN curl https://sh.rustup.rs -sSf | sh -s -- -y
+
+# Set a default command for debugging.
+CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-interop/bin/checkout.sh b/security/nss/automation/taskcluster/docker-interop/bin/checkout.sh
new file mode 100644
index 000000000..9167f6bda
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-interop/bin/checkout.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+if [ $(id -u) = 0 ]; then
+    # Drop privileges by re-running this script.
+    exec su worker $0
+fi
+
+# Default values for testing.
+REVISION=${NSS_HEAD_REVISION:-default}
+REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
+
+# Clone NSS.
+for i in 0 2 5; do
+    sleep $i
+    hg clone -r $REVISION $REPOSITORY nss && exit 0
+    rm -rf nss
+done
+exit 1
diff --git a/security/nss/automation/taskcluster/docker/Dockerfile b/security/nss/automation/taskcluster/docker/Dockerfile
index b3c2516ba..6df17c5e1 100644
--- a/security/nss/automation/taskcluster/docker/Dockerfile
+++ b/security/nss/automation/taskcluster/docker/Dockerfile
@@ -1,30 +1,49 @@
-FROM ubuntu:16.04
-MAINTAINER Tim Taubert <ttaubert@mozilla.com>
+# Lean image for running the bulk of the NSS CI tests on taskcluster.
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
 
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
+RUN dpkg --add-architecture i386
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
+    clang \
+    curl \
+    g++-multilib \
+    git \
+    gyp \
+    libxml2-utils \
+    lib32z1-dev \
+    linux-libc-dev:i386 \
+    llvm-dev \
+    locales \
+    mercurial \
+    ninja-build \
+    pkg-config \
+    zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
 
-# Add build and test scripts.
-ADD bin /home/worker/bin
-RUN chmod +x /home/worker/bin/*
-
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
-
-# Env variables.
-ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
-ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
 ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
+ENV LC_ALL $LANG
 ENV HOST localhost
 ENV DOMSUF localdomain
 
-# Rust + Go
-ENV PATH "${PATH}:/home/worker/.cargo/bin/:/usr/lib/go-1.6/bin"
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
 
 # Set a default command for debugging.
 CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker/setup.sh b/security/nss/automation/taskcluster/docker/setup.sh
deleted file mode 100644
index 7b90b2e69..000000000
--- a/security/nss/automation/taskcluster/docker/setup.sh
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y update && apt-get -y upgrade
-
-# Need this to add keys for PPAs below.
-apt-get install -y --no-install-recommends apt-utils
-
-apt_packages=()
-apt_packages+=('build-essential')
-apt_packages+=('ca-certificates')
-apt_packages+=('clang-5.0')
-apt_packages+=('curl')
-apt_packages+=('npm')
-apt_packages+=('git')
-apt_packages+=('golang-1.6')
-apt_packages+=('libxml2-utils')
-apt_packages+=('locales')
-apt_packages+=('ninja-build')
-apt_packages+=('pkg-config')
-apt_packages+=('zlib1g-dev')
-
-# 32-bit builds
-apt_packages+=('lib32z1-dev')
-apt_packages+=('gcc-multilib')
-apt_packages+=('g++-multilib')
-
-# ct-verif and sanitizers
-apt_packages+=('valgrind')
-
-# Latest Mercurial.
-apt_packages+=('mercurial')
-apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
-echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
-
-# gcc 4.8 and 6
-apt_packages+=('g++-6')
-apt_packages+=('g++-4.8')
-apt_packages+=('g++-6-multilib')
-apt_packages+=('g++-4.8-multilib')
-apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 60C317803A41BA51845E371A1E9377A2BA9EF27F
-echo "deb http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu xenial main" > /etc/apt/sources.list.d/toolchain.list
-
-# Install packages.
-apt-get -y update
-apt-get install -y --no-install-recommends ${apt_packages[@]}
-
-# Latest version of abigail-tools
-apt-get install -y libxml2-dev autoconf libelf-dev libdw-dev libtool
-git clone git://sourceware.org/git/libabigail.git
-cd ./libabigail
-autoreconf -fi
-./configure --prefix=/usr --disable-static --disable-apidoc --disable-manual
-make
-make install
-cd ..
-apt-get remove -y libxml2-dev autoconf libtool
-rm -rf libabigail
-
-# Install latest Rust (stable).
-su worker -c "curl https://sh.rustup.rs -sSf | sh -s -- -y"
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-rm $0
diff --git a/security/nss/automation/taskcluster/graph/src/extend.js b/security/nss/automation/taskcluster/graph/src/extend.js
index 5305325c5..1302602bc 100644
--- a/security/nss/automation/taskcluster/graph/src/extend.js
+++ b/security/nss/automation/taskcluster/graph/src/extend.js
@@ -10,9 +10,19 @@ const LINUX_IMAGE = {
   path: "automation/taskcluster/docker"
 };
 
-const LINUX_CLANG39_IMAGE = {
-  name: "linux-clang-3.9",
-  path: "automation/taskcluster/docker-clang-3.9"
+const LINUX_BUILDS_IMAGE = {
+  name: "linux-builds",
+  path: "automation/taskcluster/docker-builds"
+};
+
+const LINUX_INTEROP_IMAGE = {
+  name: "linux-interop",
+  path: "automation/taskcluster/docker-interop"
+};
+
+const CLANG_FORMAT_IMAGE = {
+  name: "clang-format",
+  path: "automation/taskcluster/docker-clang-format"
 };
 
 const LINUX_GCC44_IMAGE = {
@@ -25,6 +35,12 @@ const FUZZ_IMAGE = {
   path: "automation/taskcluster/docker-fuzz"
 };
 
+// Bug 1488148 - temporary image for fuzzing 32-bit builds.
+const FUZZ_IMAGE_32 = {
+  name: "fuzz32",
+  path: "automation/taskcluster/docker-fuzz32"
+};
+
 const HACL_GEN_IMAGE = {
   name: "hacl",
   path: "automation/taskcluster/docker-hacl"
@@ -59,7 +75,7 @@ queue.filter(task => {
     }
   }
 
-  if (task.tests == "bogo" || task.tests == "interop") {
+  if (task.tests == "bogo" || task.tests == "interop" || task.tests == "tlsfuzzer") {
     // No windows
     if (task.platform == "windows2012-64" ||
         task.platform == "windows2012-32") {
@@ -89,7 +105,9 @@ queue.filter(task => {
 
   if (task.group == "Test") {
     // Don't run test builds on old make platforms, and not for fips gyp.
-    if (task.collection == "make" || task.collection == "fips") {
+    // Disable on aarch64, see bug 1488331.
+    if (task.collection == "make" || task.collection == "fips"
+        || task.platform == "aarch64") {
       return false;
     }
   }
@@ -134,13 +152,13 @@ export default async function main() {
   await scheduleLinux("Linux 32 (opt)", {
     platform: "linux32",
     image: LINUX_IMAGE
-  }, "-m32 --opt");
+  }, "-t ia32 --opt");
 
   await scheduleLinux("Linux 32 (debug)", {
     platform: "linux32",
     collection: "debug",
     image: LINUX_IMAGE
-  }, "-m32");
+  }, "-t ia32");
 
   await scheduleLinux("Linux 64 (opt)", {
     platform: "linux64",
@@ -193,8 +211,8 @@ export default async function main() {
       UBSAN_OPTIONS: "print_stacktrace=1",
       NSS_DISABLE_ARENA_FREE_LIST: "1",
       NSS_DISABLE_UNLOAD: "1",
-      CC: "clang-5.0",
-      CCC: "clang++-5.0",
+      CC: "clang",
+      CCC: "clang++",
     },
     platform: "linux64",
     collection: "asan",
@@ -230,12 +248,12 @@ export default async function main() {
 
   await scheduleWindows("Windows 2012 32 (opt)", {
     platform: "windows2012-32",
-  }, "build_gyp.sh --opt -m32");
+  }, "build_gyp.sh --opt -t ia32");
 
   await scheduleWindows("Windows 2012 32 (debug)", {
     platform: "windows2012-32",
     collection: "debug"
-  }, "build_gyp.sh -m32");
+  }, "build_gyp.sh -t ia32");
 
   await scheduleFuzzing();
   await scheduleFuzzing32();
@@ -251,29 +269,29 @@ export default async function main() {
   };
 
   await scheduleLinux("Linux AArch64 (debug)",
-    merge({
+    merge(aarch64_base, {
       command: [
         "/bin/bash",
         "-c",
         "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh"
       ],
       collection: "debug",
-    }, aarch64_base)
+    })
   );
 
   await scheduleLinux("Linux AArch64 (opt)",
-    merge({
+    merge(aarch64_base, {
       command: [
         "/bin/bash",
         "-c",
         "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh --opt"
       ],
       collection: "opt",
-    }, aarch64_base)
+    })
   );
 
   await scheduleLinux("Linux AArch64 (debug, make)",
-    merge({
+    merge(aarch64_base, {
       env: {USE_64: "1"},
       command: [
          "/bin/bash",
@@ -281,7 +299,7 @@ export default async function main() {
          "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       ],
       collection: "make",
-    }, aarch64_base)
+    })
   );
 
   await scheduleMac("Mac (opt)", {collection: "opt"}, "--opt");
@@ -303,7 +321,7 @@ async function scheduleMac(name, base, args = "") {
   });
 
   // Build base definition.
-  let build_base = merge({
+  let build_base = merge(mac_base, {
     command: [
       MAC_CHECKOUT_CMD,
       ["bash", "-c",
@@ -320,7 +338,7 @@ async function scheduleMac(name, base, args = "") {
     }],
     kind: "build",
     symbol: "B"
-  }, mac_base);
+  });
 
   // The task that builds NSPR+NSS.
   let task_build = queue.scheduleTask(merge(build_base, {name}));
@@ -351,14 +369,18 @@ async function scheduleMac(name, base, args = "") {
 
 /*****************************************************************************/
 
-async function scheduleLinux(name, base, args = "") {
-  // Build base definition.
-  let build_base = merge({
+async function scheduleLinux(name, overrides, args = "") {
+  // Construct a base definition.  This takes |overrides| second because
+  // callers expect to be able to overwrite the |command| key.
+  let base = merge({
     command: [
       "/bin/bash",
       "-c",
       "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh " + args
     ],
+  }, overrides);
+  // The base for building.
+  let build_base = merge(base, {
     artifacts: {
       public: {
         expires: 24 * 7,
@@ -367,8 +389,8 @@ async function scheduleLinux(name, base, args = "") {
       }
     },
     kind: "build",
-    symbol: "B"
-  }, base);
+    symbol: "B",
+  });
 
   // The task that builds NSPR+NSS.
   let task_build = queue.scheduleTask(merge(build_base, {name}));
@@ -434,14 +456,17 @@ async function scheduleLinux(name, base, args = "") {
   }));
 
   // Extra builds.
-  let extra_base = merge({group: "Builds"}, build_base);
+  let extra_base = merge(build_base, {
+    group: "Builds",
+    image: LINUX_BUILDS_IMAGE,
+  });
   queue.scheduleTask(merge(extra_base, {
-    name: `${name} w/ clang-5.0`,
+    name: `${name} w/ clang-4`,
     env: {
-      CC: "clang-5.0",
-      CCC: "clang++-5.0",
+      CC: "clang-4.0",
+      CCC: "clang++-4.0",
     },
-    symbol: "clang-5.0"
+    symbol: "clang-4"
   }));
 
   queue.scheduleTask(merge(extra_base, {
@@ -474,16 +499,26 @@ async function scheduleLinux(name, base, args = "") {
   }));
 
   queue.scheduleTask(merge(extra_base, {
-    name: `${name} w/ gcc-6.1`,
+    name: `${name} w/ gcc-5`,
+    env: {
+      CC: "gcc-5",
+      CCC: "g++-5"
+    },
+    symbol: "gcc-5"
+  }));
+
+  queue.scheduleTask(merge(extra_base, {
+    name: `${name} w/ gcc-6`,
     env: {
       CC: "gcc-6",
       CCC: "g++-6"
     },
-    symbol: "gcc-6.1"
+    symbol: "gcc-6"
   }));
 
   queue.scheduleTask(merge(extra_base, {
     name: `${name} w/ modular builds`,
+    image: LINUX_IMAGE,
     env: {NSS_BUILD_MODULAR: "1"},
     command: [
       "/bin/bash",
@@ -493,7 +528,7 @@ async function scheduleLinux(name, base, args = "") {
     symbol: "modular"
   }));
 
-  await scheduleTestBuilds(merge(base, {group: "Test"}), args);
+  await scheduleTestBuilds(name + " Test", merge(base, {group: "Test"}), args);
 
   return queue.submit();
 }
@@ -534,7 +569,7 @@ async function scheduleFuzzing() {
   };
 
   // Build base definition.
-  let build_base = merge({
+  let build_base = merge(base, {
     command: [
       "/bin/bash",
       "-c",
@@ -550,7 +585,7 @@ async function scheduleFuzzing() {
     },
     kind: "build",
     symbol: "B"
-  }, base);
+  });
 
   // The task that builds NSPR+NSS.
   let task_build = queue.scheduleTask(merge(build_base, {
@@ -635,16 +670,16 @@ async function scheduleFuzzing32() {
     features: ["allowPtrace"],
     platform: "linux32",
     collection: "fuzz",
-    image: FUZZ_IMAGE
+    image: FUZZ_IMAGE_32
   };
 
   // Build base definition.
-  let build_base = merge({
+  let build_base = merge(base, {
     command: [
       "/bin/bash",
       "-c",
       "bin/checkout.sh && " +
-      "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz -m32"
+      "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz -t ia32"
     ],
     artifacts: {
       public: {
@@ -655,7 +690,7 @@ async function scheduleFuzzing32() {
     },
     kind: "build",
     symbol: "B"
-  }, base);
+  });
 
   // The task that builds NSPR+NSS.
   let task_build = queue.scheduleTask(merge(build_base, {
@@ -671,7 +706,7 @@ async function scheduleFuzzing32() {
       "/bin/bash",
       "-c",
       "bin/checkout.sh && " +
-      "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz=tls -m32"
+      "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz=tls -t ia32"
     ],
   }));
 
@@ -728,9 +763,9 @@ async function scheduleFuzzing32() {
 
 /*****************************************************************************/
 
-async function scheduleTestBuilds(base, args = "") {
+async function scheduleTestBuilds(name, base, args = "") {
   // Build base definition.
-  let build = merge({
+  let build = merge(base, {
     command: [
       "/bin/bash",
       "-c",
@@ -746,8 +781,15 @@ async function scheduleTestBuilds(base, args = "") {
     },
     kind: "build",
     symbol: "B",
-    name: "Linux 64 (debug, test)"
-  }, base);
+    name: `${name} build`,
+  });
+
+  // On linux we have a specialized build image for building.
+  if (build.platform === "linux32" || build.platform === "linux64") {
+    build = merge(build, {
+      image: LINUX_BUILDS_IMAGE,
+    });
+  }
 
   // The task that builds NSPR+NSS.
   let task_build = queue.scheduleTask(build);
@@ -755,7 +797,7 @@ async function scheduleTestBuilds(base, args = "") {
   // Schedule tests.
   queue.scheduleTask(merge(base, {
     parent: task_build,
-    name: "mpi",
+    name: `${name} mpi tests`,
     command: [
       "/bin/bash",
       "-c",
@@ -773,7 +815,7 @@ async function scheduleTestBuilds(base, args = "") {
       "-c",
       "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
     ],
-    name: "Gtests",
+    name: `${name} gtests`,
     symbol: "Gtest",
     tests: "gtests",
     cycle: "standard",
@@ -790,12 +832,12 @@ async function scheduleWindows(name, base, build_script) {
   base = merge(base, {
     workerType: "nss-win2012r2",
     env: {
-      PATH: "c:\\mozilla-build\\python;c:\\mozilla-build\\msys\\local\\bin;" +
-            "c:\\mozilla-build\\7zip;c:\\mozilla-build\\info-zip;" +
-            "c:\\mozilla-build\\python\\Scripts;c:\\mozilla-build\\yasm;" +
-            "c:\\mozilla-build\\msys\\bin;c:\\Windows\\system32;" +
-            "c:\\mozilla-build\\upx391w;c:\\mozilla-build\\moztools-x64\\bin;" +
-            "c:\\mozilla-build\\wget",
+      PATH: "c:\\mozilla-build\\bin;c:\\mozilla-build\\python;" +
+	    "c:\\mozilla-build\\msys\\local\\bin;c:\\mozilla-build\\7zip;" +
+	    "c:\\mozilla-build\\info-zip;c:\\mozilla-build\\python\\Scripts;" +
+	    "c:\\mozilla-build\\yasm;c:\\mozilla-build\\msys\\bin;" +
+	    "c:\\Windows\\system32;c:\\mozilla-build\\upx391w;" +
+	    "c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget",
       DOMSUF: "localdomain",
       HOST: "localhost",
     }
@@ -881,7 +923,7 @@ async function scheduleWindows(name, base, build_script) {
 /*****************************************************************************/
 
 function scheduleTests(task_build, task_cert, test_base) {
-  test_base = merge({kind: "test"}, test_base);
+  test_base = merge(test_base, {kind: "test"});
 
   // Schedule tests that do NOT need certificates.
   let no_cert_base = merge(test_base, {parent: task_build});
@@ -889,10 +931,21 @@ function scheduleTests(task_build, task_cert, test_base) {
     name: "Gtests", symbol: "Gtest", tests: "ssl_gtests gtests", cycle: "standard"
   }));
   queue.scheduleTask(merge(no_cert_base, {
-    name: "Bogo tests", symbol: "Bogo", tests: "bogo", cycle: "standard"
+    name: "Bogo tests",
+    symbol: "Bogo",
+    tests: "bogo",
+    cycle: "standard",
+    image: LINUX_INTEROP_IMAGE,
   }));
   queue.scheduleTask(merge(no_cert_base, {
-    name: "Interop tests", symbol: "Interop", tests: "interop", cycle: "standard"
+    name: "Interop tests",
+    symbol: "Interop",
+    tests: "interop",
+    cycle: "standard",
+    image: LINUX_INTEROP_IMAGE,
+  }));
+  queue.scheduleTask(merge(no_cert_base, {
+    name: "tlsfuzzer tests", symbol: "tlsfuzzer", tests: "tlsfuzzer", cycle: "standard"
   }));
   queue.scheduleTask(merge(no_cert_base, {
     name: "Chains tests", symbol: "Chains", tests: "chains"
@@ -928,6 +981,9 @@ function scheduleTests(task_build, task_cert, test_base) {
   queue.scheduleTask(merge(no_cert_base, {
     name: "SDR tests", symbol: "SDR", tests: "sdr"
   }));
+  queue.scheduleTask(merge(no_cert_base, {
+    name: "Policy tests", symbol: "Policy", tests: "policy"
+  }));
 
   // Schedule tests that need certificates.
   let cert_base = merge(test_base, {parent: task_cert});
@@ -971,11 +1027,11 @@ async function scheduleTools() {
     kind: "test"
   };
 
-  //ABI check task
+  // ABI check task
   queue.scheduleTask(merge(base, {
     symbol: "abi",
     name: "abi",
-    image: LINUX_IMAGE,
+    image: LINUX_BUILDS_IMAGE,
     command: [
       "/bin/bash",
       "-c",
@@ -984,9 +1040,9 @@ async function scheduleTools() {
   }));
 
   queue.scheduleTask(merge(base, {
-    symbol: "clang-format-3.9",
-    name: "clang-format-3.9",
-    image: LINUX_CLANG39_IMAGE,
+    symbol: "clang-format",
+    name: "clang-format",
+    image: CLANG_FORMAT_IMAGE,
     command: [
       "/bin/bash",
       "-c",
@@ -1049,7 +1105,7 @@ async function scheduleTools() {
     command: [
       "/bin/bash",
       "-c",
-      "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh --disable-tests --emit-llvm -m32"
+      "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh --disable-tests --emit-llvm -t ia32"
     ]
   }));
 
diff --git a/security/nss/automation/taskcluster/graph/src/try_syntax.js b/security/nss/automation/taskcluster/graph/src/try_syntax.js
index 214793bd5..f1772a658 100644
--- a/security/nss/automation/taskcluster/graph/src/try_syntax.js
+++ b/security/nss/automation/taskcluster/graph/src/try_syntax.js
@@ -37,7 +37,7 @@ function parseOptions(opts) {
   let aliases = {"gtests": "gtest"};
   let allUnitTests = ["bogo", "crmf", "chains", "cipher", "db", "ec", "fips",
                       "gtest", "interop", "lowhash", "merge", "sdr", "smime", "tools",
-                      "ssl", "mpi", "scert", "spki"];
+                      "ssl", "mpi", "scert", "spki", "policy", "tlsfuzzer"];
   let unittests = intersect(opts.unittests.split(/\s*,\s*/).map(t => {
     return aliases[t] || t;
   }), allUnitTests);
diff --git a/security/nss/automation/taskcluster/scripts/build_image.sh b/security/nss/automation/taskcluster/scripts/build_image.sh
index b422214e7..b8715dbe9 100644
--- a/security/nss/automation/taskcluster/scripts/build_image.sh
+++ b/security/nss/automation/taskcluster/scripts/build_image.sh
@@ -13,12 +13,12 @@ raise_error() {
 test -n "$PROJECT" || raise_error "Project must be provided."
 test -n "$HASH" || raise_error "Context Hash must be provided."
 
-CONTEXT_PATH=/home/worker/nss/$CONTEXT_PATH
+CONTEXT_PATH="/home/worker/nss/$CONTEXT_PATH"
 
-test -d $CONTEXT_PATH || raise_error "Context Path $CONTEXT_PATH does not exist."
+test -d "$CONTEXT_PATH" || raise_error "Context Path $CONTEXT_PATH does not exist."
 test -f "$CONTEXT_PATH/Dockerfile" || raise_error "Dockerfile must be present in $CONTEXT_PATH."
 
-docker build -t $PROJECT:$HASH $CONTEXT_PATH
+docker build -t "$PROJECT:$HASH" "$CONTEXT_PATH"
 
 mkdir /artifacts
-docker save $PROJECT:$HASH > /artifacts/image.tar
+docker save "$PROJECT:$HASH" > /artifacts/image.tar
diff --git a/security/nss/automation/taskcluster/scripts/tools.sh b/security/nss/automation/taskcluster/scripts/tools.sh
index 534cb32ce..63a6ee8de 100644
--- a/security/nss/automation/taskcluster/scripts/tools.sh
+++ b/security/nss/automation/taskcluster/scripts/tools.sh
@@ -2,12 +2,11 @@
 
 set -v -e -x
 
+# Assert that we're not running as root.
 if [[ $(id -u) -eq 0 ]]; then
-    # Stupid Docker. It works without sometimes... But not always.
-    echo "127.0.0.1 localhost.localdomain" >> /etc/hosts
-
-    # Drop privileges by re-running this script.
-    # Note: this mangles arguments, better to avoid running scripts as root.
+    # This exec is still needed until aarch64 images are updated (Bug 1488325).
+    # Remove when images are updated.  Until then, assert that things are good.
+    [[ $(uname -m) == aarch64 ]]
     exec su worker -c "$0 $*"
 fi
 
diff --git a/security/nss/automation/taskcluster/windows/build.sh b/security/nss/automation/taskcluster/windows/build.sh
index 46136153d..eebb41535 100644
--- a/security/nss/automation/taskcluster/windows/build.sh
+++ b/security/nss/automation/taskcluster/windows/build.sh
@@ -2,12 +2,12 @@
 
 set -v -e -x
 
-# Set up the toolchain.
-if [ "$USE_64" = 1 ]; then
-  source $(dirname $0)/setup64.sh
+if [[ "$USE_64" == 1 ]]; then
+    m=x64
 else
-  source $(dirname $0)/setup32.sh
+    m=x86
 fi
+source "$(dirname "$0")/setup.sh"
 
 # Clone NSPR.
 hg_clone https://hg.mozilla.org/projects/nspr nspr default
diff --git a/security/nss/automation/taskcluster/windows/build_gyp.sh b/security/nss/automation/taskcluster/windows/build_gyp.sh
index cc829ca99..c0f38f948 100644
--- a/security/nss/automation/taskcluster/windows/build_gyp.sh
+++ b/security/nss/automation/taskcluster/windows/build_gyp.sh
@@ -2,33 +2,37 @@
 
 set -v -e -x
 
-# Set up the toolchain.
-if [[ "$@" == *"-m32"* ]]; then
-  source $(dirname $0)/setup32.sh
-else
-  source $(dirname $0)/setup64.sh
-fi
+# Parse for the -t option.
+m=x64
+for i in "$@"; do
+    case "$i" in
+        -t|--target) m= ;;
+        --target=*) m="${i#*=}" ;;
+        *) [[ -z "$m" ]] && m="$i" ;;
+    esac
+done
+[[ "$m" == "ia32" ]] && m=x86
+source "$(dirname "$0")/setup.sh"
 
 # Install GYP.
-cd gyp
+pushd gyp
 python -m virtualenv test-env
 test-env/Scripts/python setup.py install
 test-env/Scripts/python -m pip install --upgrade pip
 test-env/Scripts/pip install --upgrade setuptools
-cd ..
-
-export GYP_MSVS_OVERRIDE_PATH="${VSPATH}"
-export GYP_MSVS_VERSION="2015"
-export GYP="${PWD}/gyp/test-env/Scripts/gyp"
-
 # Fool GYP.
 touch "${VSPATH}/VC/vcvarsall.bat"
+export GYP_MSVS_OVERRIDE_PATH="${VSPATH}"
+export GYP_MSVS_VERSION=2015
+popd
+
+export PATH="${PATH}:${PWD}/ninja/bin:${PWD}/gyp/test-env/Scripts"
 
 # Clone NSPR.
 hg_clone https://hg.mozilla.org/projects/nspr nspr default
 
 # Build with gyp.
-GYP=${GYP} ./nss/build.sh -g -v "$@"
+./nss/build.sh -g -v "$@"
 
 # Package.
 7z a public/build/dist.7z dist
diff --git a/security/nss/automation/taskcluster/windows/setup.sh b/security/nss/automation/taskcluster/windows/setup.sh
index 36a040ba1..93c0cdbd5 100644
--- a/security/nss/automation/taskcluster/windows/setup.sh
+++ b/security/nss/automation/taskcluster/windows/setup.sh
@@ -2,13 +2,6 @@
 
 set -v -e -x
 
-export VSPATH="$(pwd)/vs2017_15.4.2"
-export NINJA_PATH="$(pwd)/ninja/bin"
-
-export WINDOWSSDKDIR="${VSPATH}/SDK"
-export VS90COMNTOOLS="${VSPATH}/VC"
-export INCLUDE="${VSPATH}/VC/include:${VSPATH}/SDK/Include/10.0.15063.0/ucrt:${VSPATH}/SDK/Include/10.0.15063.0/shared:${VSPATH}/SDK/Include/10.0.15063.0/um"
-
 # Usage: hg_clone repo dir [revision=@]
 hg_clone() {
     repo=$1
@@ -22,5 +15,42 @@ hg_clone() {
     exit 1
 }
 
-hg_clone https://hg.mozilla.org/build/tools tools default
-tools/scripts/tooltool/tooltool_wrapper.sh $(dirname $0)/releng.manifest https://tooltool.mozilla-releng.net/ non-existant-file.sh /c/mozilla-build/python/python.exe /c/builds/tooltool.py --authentication-file /c/builds/relengapi.tok -c /c/builds/tooltool_cache
+hg_clone https://hg.mozilla.org/build/tools tools b8d7c263dfc3
+tools/scripts/tooltool/tooltool_wrapper.sh \
+    $(dirname $0)/releng.manifest https://tooltool.mozilla-releng.net/ \
+    non-existant-file.sh /c/mozilla-build/python/python.exe \
+    /c/builds/tooltool.py --authentication-file /c/builds/relengapi.tok \
+    -c /c/builds/tooltool_cache
+
+# This needs $m to be set.
+[[ -n "$m" ]]
+
+# Setup MSVC paths.
+export VSPATH="${PWD}/vs2017_15.4.2"
+UCRTVersion="10.0.15063.0"
+
+export WINDOWSSDKDIR="${VSPATH}/SDK"
+export VS90COMNTOOLS="${VSPATH}/VC"
+export WIN32_REDIST_DIR="${VSPATH}/VC/redist/${m}/Microsoft.VC141.CRT"
+export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/${m}"
+
+if [ "$m" == "x86" ]; then
+    PATH="${PATH}:${VSPATH}/VC/bin/Hostx64/x86"
+    PATH="${PATH}:${VSPATH}/VC/bin/Hostx64/x64"
+fi
+PATH="${PATH}:${VSPATH}/VC/bin/Host${m}/${m}"
+PATH="${PATH}:${WIN32_REDIST_DIR}"
+PATH="${PATH}:${WIN_UCRT_REDIST_DIR}"
+PATH="${PATH}:${VSPATH}/SDK/bin/${UCRTVersion}/x64"
+export PATH
+
+LIB="${LIB}:${VSPATH}/VC/lib/${m}"
+LIB="${LIB}:${VSPATH}/SDK/lib/${UCRTVersion}/ucrt/${m}"
+LIB="${LIB}:${VSPATH}/SDK/lib/${UCRTVersion}/um/${m}"
+export LIB
+
+INCLUDE="${INCLUDE}:${VSPATH}/VC/include"
+INCLUDE="${INCLUDE}:${VSPATH}/SDK/Include/${UCRTVersion}/ucrt"
+INCLUDE="${INCLUDE}:${VSPATH}/SDK/Include/${UCRTVersion}/shared"
+INCLUDE="${INCLUDE}:${VSPATH}/SDK/Include/${UCRTVersion}/um"
+export INCLUDE
diff --git a/security/nss/automation/taskcluster/windows/setup32.sh b/security/nss/automation/taskcluster/windows/setup32.sh
deleted file mode 100644
index 19bed284d..000000000
--- a/security/nss/automation/taskcluster/windows/setup32.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-source $(dirname $0)/setup.sh
-
-export WIN32_REDIST_DIR="${VSPATH}/VC/redist/x86/Microsoft.VC141.CRT"
-export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/x86"
-export PATH="${NINJA_PATH}:${VSPATH}/VC/bin/Hostx64/x86:${VSPATH}/VC/bin/Hostx64/x64:${VSPATH}/VC/Hostx86/x86:${VSPATH}/SDK/bin/10.0.15063.0/x64:${VSPATH}/VC/redist/x86/Microsoft.VC141.CRT:${VSPATH}/SDK/Redist/ucrt/DLLs/x86:${PATH}"
-export LIB="${VSPATH}/VC/lib/x86:${VSPATH}/SDK/lib/10.0.15063.0/ucrt/x86:${VSPATH}/SDK/lib/10.0.15063.0/um/x86"
diff --git a/security/nss/automation/taskcluster/windows/setup64.sh b/security/nss/automation/taskcluster/windows/setup64.sh
deleted file mode 100644
index d16cb0ec9..000000000
--- a/security/nss/automation/taskcluster/windows/setup64.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-source $(dirname $0)/setup.sh
-
-export WIN32_REDIST_DIR="${VSPATH}/VC/redist/x64/Microsoft.VC141.CRT"
-export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/x64"
-export PATH="${NINJA_PATH}:${VSPATH}/VC/bin/Hostx64/x64:${VSPATH}/VC/bin/Hostx86/x86:${VSPATH}/SDK/bin/10.0.15063.0/x64:${VSPATH}/VC/redist/x64/Microsoft.VC141.CRT:${VSPATH}/SDK/Redist/ucrt/DLLs/x64:${PATH}"
-export LIB="${VSPATH}/VC/lib/x64:${VSPATH}/SDK/lib/10.0.15063.0/ucrt/x64:${VSPATH}/SDK/lib/10.0.15063.0/um/x64"
diff --git a/security/nss/build.sh b/security/nss/build.sh
index 338e14beb..4c6d513cd 100755
--- a/security/nss/build.sh
+++ b/security/nss/build.sh
@@ -50,75 +50,86 @@ fuzz=0
 fuzz_tls=0
 fuzz_oss=0
 no_local_nspr=0
-armhf=0
 
 gyp_params=(--depth="$cwd" --generator-output=".")
-nspr_params=()
 ninja_params=()
 
-# try to guess sensible defaults
-arch=$(python "$cwd"/coreconf/detect_host_arch.py)
-if [ "$arch" = "x64" -o "$arch" = "aarch64" ]; then
-    build_64=1
-elif [ "$arch" = "arm" ]; then
-    armhf=1
+# Assume that the target architecture is the same as the host by default.
+host_arch=$(python "$cwd"/coreconf/detect_host_arch.py)
+target_arch=$host_arch
+
+# Assume that MSVC is wanted if this is running on windows.
+platform=$(uname -s)
+if [ "${platform%-*}" = "MINGW32_NT" -o "${platform%-*}" = "MINGW64_NT" ]; then
+    msvc=1
 fi
 
-# parse command line arguments
+# Parse command line arguments.
 while [ $# -gt 0 ]; do
-    case $1 in
+    case "$1" in
         -c) clean=1 ;;
         -cc) clean_only=1 ;;
-        --gyp|-g) rebuild_gyp=1 ;;
-        --nspr) nspr_clean; rebuild_nspr=1 ;;
-        -j) ninja_params+=(-j "$2"); shift ;;
         -v) ninja_params+=(-v); verbose=1 ;;
-        --test) gyp_params+=(-Dtest_build=1) ;;
-        --clang) export CC=clang; export CCC=clang++; export CXX=clang++ ;;
-        --gcc) export CC=gcc; export CCC=g++; export CXX=g++ ;;
-        --fuzz) fuzz=1 ;;
-        --fuzz=oss) fuzz=1; fuzz_oss=1 ;;
-        --fuzz=tls) fuzz=1; fuzz_tls=1 ;;
+        -j) ninja_params+=(-j "$2"); shift ;;
+        --gyp|-g) rebuild_gyp=1 ;;
+        --opt|-o) opt_build=1 ;;
+        -m32|--m32) target_arch=ia32; echo 'Warning: use -t instead of -m32' 1>&2 ;;
+        -t|--target) target_arch="$2"; shift ;;
+        --target=*) target_arch="${1#*=}" ;;
+        --clang) export CC=clang; export CCC=clang++; export CXX=clang++; msvc=0 ;;
+        --gcc) export CC=gcc; export CCC=g++; export CXX=g++; msvc=0 ;;
+        --msvc) msvc=1 ;;
         --scan-build) enable_scanbuild  ;;
         --scan-build=?*) enable_scanbuild "${1#*=}" ;;
-        --opt|-o) opt_build=1 ;;
-        -m32|--m32) build_64=0 ;;
+        --disable-tests) gyp_params+=(-Ddisable_tests=1) ;;
+        --pprof) gyp_params+=(-Duse_pprof=1) ;;
         --asan) enable_sanitizer asan ;;
         --msan) enable_sanitizer msan ;;
         --ubsan) enable_ubsan ;;
         --ubsan=?*) enable_ubsan "${1#*=}" ;;
+        --fuzz) fuzz=1 ;;
+        --fuzz=oss) fuzz=1; fuzz_oss=1 ;;
+        --fuzz=tls) fuzz=1; fuzz_tls=1 ;;
         --sancov) enable_sancov ;;
         --sancov=?*) enable_sancov "${1#*=}" ;;
-        --pprof) gyp_params+=(-Duse_pprof=1) ;;
-        --ct-verif) gyp_params+=(-Dct_verif=1) ;;
         --emit-llvm) gyp_params+=(-Demit_llvm=1 -Dsign_libs=0) ;;
-        --disable-tests) gyp_params+=(-Ddisable_tests=1) ;;
         --no-zdefs) gyp_params+=(-Dno_zdefs=1) ;;
-        --system-sqlite) gyp_params+=(-Duse_system_sqlite=1) ;;
+        --test) gyp_params+=(-Dtest_build=1) ;;
+        --ct-verif) gyp_params+=(-Dct_verif=1) ;;
+        --nspr) nspr_clean; rebuild_nspr=1 ;;
         --with-nspr=?*) set_nspr_path "${1#*=}"; no_local_nspr=1 ;;
         --system-nspr) set_nspr_path "/usr/include/nspr/:"; no_local_nspr=1 ;;
-        --enable-libpkix) gyp_params+=(-Ddisable_libpkix=0) ;;
+        --system-sqlite) gyp_params+=(-Duse_system_sqlite=1) ;;
         --enable-fips) gyp_params+=(-Ddisable_fips=0) ;;
+        --enable-libpkix) gyp_params+=(-Ddisable_libpkix=0) ;;
+        --mozpkix-only) gyp_params+=(-Dmozpkix_only=1 -Ddisable_tests=1 -Dsign_libs=0) ;;
         *) show_help; exit 2 ;;
     esac
     shift
 done
 
+# Set the target architecture and build type.
+gyp_params+=(-Dtarget_arch="$target_arch")
 if [ "$opt_build" = 1 ]; then
     target=Release
 else
     target=Debug
 fi
-if [ "$build_64" = 1 ]; then
-    nspr_params+=(--enable-64bit)
-elif [ ! "$armhf" = 1 ]; then
-    gyp_params+=(-Dtarget_arch=ia32)
-fi
+
+# Do special setup.
 if [ "$fuzz" = 1 ]; then
     source "$cwd"/coreconf/fuzz.sh
 fi
+nspr_set_flags $sanitizer_flags
+if [ ! -z "$sanitizer_flags" ]; then
+    gyp_params+=(-Dsanitizer_flags="$sanitizer_flags")
+fi
 
-# set paths
+if [ "$msvc" = 1 ]; then
+    source "$cwd"/coreconf/msvc.sh
+fi
+
+# Setup build paths.
 target_dir="$cwd"/out/$target
 mkdir -p "$target_dir"
 dist_dir="$cwd"/../dist
@@ -149,6 +160,7 @@ check_config()
     echo CC="$CC" >"$newconf"
     echo CCC="$CCC" >>"$newconf"
     echo CXX="$CXX" >>"$newconf"
+    echo target_arch="$target_arch" >>"$newconf"
     for i in "$@"; do echo $i; done | sort >>"$newconf"
 
     # Note: The following diff fails if $oldconf isn't there as well, which
@@ -159,6 +171,7 @@ check_config()
 gyp_config="$cwd"/out/gyp_config
 nspr_config="$cwd"/out/$target/nspr_config
 
+# Now check what needs to be rebuilt.
 # If we don't have a build directory make sure that we rebuild.
 if [ ! -d "$target_dir" ]; then
     rebuild_nspr=1
@@ -167,33 +180,28 @@ elif [ ! -d "$dist_dir"/$target ]; then
     rebuild_nspr=1
 fi
 
-# Update NSPR ${C,CXX,LD}FLAGS.
-nspr_set_flags $sanitizer_flags
-
-if check_config "$nspr_config" "${nspr_params[@]}" \
+if check_config "$nspr_config" \
                  nspr_cflags="$nspr_cflags" \
                  nspr_cxxflags="$nspr_cxxflags" \
                  nspr_ldflags="$nspr_ldflags"; then
     rebuild_nspr=1
 fi
 
-# Forward sanitizer flags.
-if [ ! -z "$sanitizer_flags" ]; then
-    gyp_params+=(-Dsanitizer_flags="$sanitizer_flags")
-fi
-
 if check_config "$gyp_config" "${gyp_params[@]}"; then
     rebuild_gyp=1
 fi
 
-# save the chosen target
+# Save the chosen target.
 mkdir -p "$dist_dir"
 echo $target > "$dist_dir"/latest
 
+# Build.
+# NSPR.
 if [[ "$rebuild_nspr" = 1 && "$no_local_nspr" = 0 ]]; then
-    nspr_build "${nspr_params[@]}"
+    nspr_build
     mv -f "$nspr_config".new "$nspr_config"
 fi
+# gyp.
 if [ "$rebuild_gyp" = 1 ]; then
     if ! hash ${GYP} 2> /dev/null; then
         echo "Please install gyp" 1>&2
@@ -211,11 +219,11 @@ if [ "$rebuild_gyp" = 1 ]; then
     mv -f "$gyp_config".new "$gyp_config"
 fi
 
-# Run ninja.
-if hash ninja 2>/dev/null; then
-    ninja=ninja
-elif hash ninja-build 2>/dev/null; then
+# ninja.
+if hash ninja-build 2>/dev/null; then
     ninja=ninja-build
+elif hash ninja 2>/dev/null; then
+    ninja=ninja
 else
     echo "Please install ninja" 1>&2
     exit 1
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c
index dbb93c922..df02e4439 100644
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -741,6 +741,9 @@ ValidateCert(CERTCertDBHandle *handle, char *name, char *date,
         case 'V':
             usage = certificateUsageSSLServer;
             break;
+        case 'I':
+            usage = certificateUsageIPsec;
+            break;
         case 'S':
             usage = certificateUsageEmailSigner;
             break;
@@ -856,41 +859,59 @@ SECItemToHex(const SECItem *item, char *dst)
 }
 
 static const char *const keyTypeName[] = {
-    "null", "rsa", "dsa", "fortezza", "dh", "kea", "ec", "rsaPss"
+    "null", "rsa", "dsa", "fortezza", "dh", "kea", "ec", "rsaPss", "rsaOaep"
 };
 
 #define MAX_CKA_ID_BIN_LEN 20
 #define MAX_CKA_ID_STR_LEN 40
 
-/* print key number, key ID (in hex or ASCII), key label (nickname) */
-static SECStatus
-PrintKey(PRFileDesc *out, const char *nickName, int count,
-         SECKEYPrivateKey *key, void *pwarg)
+/* output human readable key ID in buffer, which should have at least
+ * MAX_CKA_ID_STR_LEN + 3 octets (quotations and a null terminator) */
+static void
+formatPrivateKeyID(SECKEYPrivateKey *privkey, char *buffer)
 {
     SECItem *ckaID;
-    char ckaIDbuf[MAX_CKA_ID_STR_LEN + 4];
 
-    pwarg = NULL;
-    ckaID = PK11_GetLowLevelKeyIDForPrivateKey(key);
+    ckaID = PK11_GetLowLevelKeyIDForPrivateKey(privkey);
     if (!ckaID) {
-        strcpy(ckaIDbuf, "(no CKA_ID)");
+        strcpy(buffer, "(no CKA_ID)");
     } else if (ItemIsPrintableASCII(ckaID)) {
         int len = PR_MIN(MAX_CKA_ID_STR_LEN, ckaID->len);
-        ckaIDbuf[0] = '"';
-        memcpy(ckaIDbuf + 1, ckaID->data, len);
-        ckaIDbuf[1 + len] = '"';
-        ckaIDbuf[2 + len] = '\0';
+        buffer[0] = '"';
+        memcpy(buffer + 1, ckaID->data, len);
+        buffer[1 + len] = '"';
+        buffer[2 + len] = '\0';
     } else {
         /* print ckaid in hex */
         SECItem idItem = *ckaID;
         if (idItem.len > MAX_CKA_ID_BIN_LEN)
             idItem.len = MAX_CKA_ID_BIN_LEN;
-        SECItemToHex(&idItem, ckaIDbuf);
+        SECItemToHex(&idItem, buffer);
     }
+    SECITEM_ZfreeItem(ckaID, PR_TRUE);
+}
+
+/* print key number, key ID (in hex or ASCII), key label (nickname) */
+static SECStatus
+PrintKey(PRFileDesc *out, const char *nickName, int count,
+         SECKEYPrivateKey *key, void *pwarg)
+{
+    char ckaIDbuf[MAX_CKA_ID_STR_LEN + 4];
+    CERTCertificate *cert;
+    KeyType keyType;
+
+    pwarg = NULL;
 
+    formatPrivateKeyID(key, ckaIDbuf);
+    cert = PK11_GetCertFromPrivateKey(key);
+    if (cert) {
+        keyType = CERT_GetCertKeyType(&cert->subjectPublicKeyInfo);
+        CERT_DestroyCertificate(cert);
+    } else {
+        keyType = key->keyType;
+    }
     PR_fprintf(out, "<%2d> %-8.8s %-42.42s %s\n", count,
-               keyTypeName[key->keyType], ckaIDbuf, nickName);
-    SECITEM_ZfreeItem(ckaID, PR_TRUE);
+               keyTypeName[keyType], ckaIDbuf, nickName);
 
     return SECSuccess;
 }
@@ -1002,7 +1023,7 @@ ListKeys(PK11SlotInfo *slot, const char *nickName, int index,
 }
 
 static SECStatus
-DeleteKey(char *nickname, secuPWData *pwdata)
+DeleteCertAndKey(char *nickname, secuPWData *pwdata)
 {
     SECStatus rv;
     CERTCertificate *cert;
@@ -1031,6 +1052,61 @@ DeleteKey(char *nickname, secuPWData *pwdata)
     return rv;
 }
 
+static SECKEYPrivateKey *
+findPrivateKeyByID(PK11SlotInfo *slot, const char *ckaID, secuPWData *pwarg)
+{
+    PORTCheapArenaPool arena;
+    SECItem ckaIDItem = { 0 };
+    SECKEYPrivateKey *privkey = NULL;
+    SECStatus rv;
+
+    if (PK11_NeedLogin(slot)) {
+        rv = PK11_Authenticate(slot, PR_TRUE, pwarg);
+        if (rv != SECSuccess) {
+            SECU_PrintError(progName, "could not authenticate to token %s.",
+                            PK11_GetTokenName(slot));
+            return NULL;
+        }
+    }
+
+    if (0 == PL_strncasecmp("0x", ckaID, 2)) {
+        ckaID += 2; /* skip leading "0x" */
+    }
+    PORT_InitCheapArena(&arena, DER_DEFAULT_CHUNKSIZE);
+    if (SECU_HexString2SECItem(&arena.arena, &ckaIDItem, ckaID)) {
+        privkey = PK11_FindKeyByKeyID(slot, &ckaIDItem, pwarg);
+    }
+    PORT_DestroyCheapArena(&arena);
+    return privkey;
+}
+
+static SECStatus
+DeleteKey(SECKEYPrivateKey *privkey, secuPWData *pwarg)
+{
+    SECStatus rv;
+    PK11SlotInfo *slot;
+
+    slot = PK11_GetSlotFromPrivateKey(privkey);
+    if (PK11_NeedLogin(slot)) {
+        rv = PK11_Authenticate(slot, PR_TRUE, pwarg);
+        if (rv != SECSuccess) {
+            SECU_PrintError(progName, "could not authenticate to token %s.",
+                            PK11_GetTokenName(slot));
+            return SECFailure;
+        }
+    }
+
+    rv = PK11_DeleteTokenPrivateKey(privkey, PR_TRUE);
+    if (rv != SECSuccess) {
+        char ckaIDbuf[MAX_CKA_ID_STR_LEN + 4];
+        formatPrivateKeyID(privkey, ckaIDbuf);
+        SECU_PrintError("problem deleting private key \"%s\"\n", ckaIDbuf);
+    }
+
+    PK11_FreeSlot(slot);
+    return rv;
+}
+
 /*
  *  L i s t M o d u l e s
  *
@@ -1100,7 +1176,9 @@ PrintSyntax()
         "\t\t [-d certdir] [-P dbprefix]\n", progName);
     FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
         progName);
-    FPS "\t%s -F -n nickname [-d certdir] [-P dbprefix]\n",
+    FPS "\t%s -F -n cert-name [-d certdir] [-P dbprefix]\n",
+        progName);
+    FPS "\t%s -F -k key-id [-d certdir] [-P dbprefix]\n",
         progName);
     FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n"
         "\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
@@ -1390,6 +1468,8 @@ luF(enum usage_level ul, const char *command)
         return;
     FPS "%-20s The nickname of the key to delete\n",
         "   -n cert-name");
+    FPS "%-20s The key id of the key to delete, obtained using -K\n",
+        "   -k key-id");
     FPS "%-20s Cert database directory (default is ~/.netscape)\n",
         "   -d certdir");
     FPS "%-20s Cert & Key database prefix\n",
@@ -1629,6 +1709,7 @@ luV(enum usage_level ul, const char *command)
     FPS "%-20s Specify certificate usage:\n", "   -u certusage");
     FPS "%-25s C \t SSL Client\n", "");
     FPS "%-25s V \t SSL Server\n", "");
+    FPS "%-25s I \t IPsec\n", "");
     FPS "%-25s L \t SSL CA\n", "");
     FPS "%-25s A \t Any CA\n", "");
     FPS "%-25s Y \t Verify CA\n", "");
@@ -2944,10 +3025,9 @@ certutil_main(int argc, char **argv, PRBool initialize)
         readOnly = !certutil.options[opt_RW].activated;
     }
 
-    /*  -A, -D, -F, -M, -S, -V, and all require -n  */
+    /*  -A, -D, -M, -S, -V, and all require -n  */
     if ((certutil.commands[cmd_AddCert].activated ||
          certutil.commands[cmd_DeleteCert].activated ||
-         certutil.commands[cmd_DeleteKey].activated ||
          certutil.commands[cmd_DumpChain].activated ||
          certutil.commands[cmd_ModifyCertTrust].activated ||
          certutil.commands[cmd_CreateAndAddCert].activated ||
@@ -3034,6 +3114,16 @@ certutil_main(int argc, char **argv, PRBool initialize)
         return 255;
     }
 
+    /* Delete needs a nickname or a key ID */
+    if (certutil.commands[cmd_DeleteKey].activated &&
+        !(certutil.options[opt_Nickname].activated || keysource)) {
+        PR_fprintf(PR_STDERR,
+                   "%s -%c: specify a nickname (-n) or\n"
+                   "   a key ID (-k).\n",
+                   commandToRun, progName);
+        return 255;
+    }
+
     /* Upgrade/Merge needs a source database and a upgrade id. */
     if (certutil.commands[cmd_UpgradeMerge].activated &&
         !(certutil.options[opt_SourceDir].activated &&
@@ -3396,7 +3486,19 @@ certutil_main(int argc, char **argv, PRBool initialize)
     }
     /*  Delete key (-F)  */
     if (certutil.commands[cmd_DeleteKey].activated) {
-        rv = DeleteKey(name, &pwdata);
+        if (certutil.options[opt_Nickname].activated) {
+            rv = DeleteCertAndKey(name, &pwdata);
+        } else {
+            privkey = findPrivateKeyByID(slot, keysource, &pwdata);
+            if (!privkey) {
+                SECU_PrintError(progName, "%s is not a key-id", keysource);
+                rv = SECFailure;
+            } else {
+                rv = DeleteKey(privkey, &pwdata);
+                /* already destroyed by PK11_DeleteTokenPrivateKey */
+                privkey = NULL;
+            }
+        }
         goto shutdown;
     }
     /*  Modify trust attribute for cert (-M)  */
@@ -3468,30 +3570,8 @@ certutil_main(int argc, char **argv, PRBool initialize)
             if (keycert) {
                 privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata);
             } else {
-                PLArenaPool *arena = NULL;
-                SECItem keyidItem = { 0 };
-                char *keysourcePtr = keysource;
                 /* Interpret keysource as CKA_ID */
-                if (PK11_NeedLogin(slot)) {
-                    rv = PK11_Authenticate(slot, PR_TRUE, &pwdata);
-                    if (rv != SECSuccess) {
-                        SECU_PrintError(progName, "could not authenticate to token %s.",
-                                        PK11_GetTokenName(slot));
-                        return SECFailure;
-                    }
-                }
-                if (0 == PL_strncasecmp("0x", keysource, 2)) {
-                    keysourcePtr = keysource + 2; // skip leading "0x"
-                }
-                arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-                if (!arena) {
-                    SECU_PrintError(progName, "unable to allocate arena");
-                    return SECFailure;
-                }
-                if (SECU_HexString2SECItem(arena, &keyidItem, keysourcePtr)) {
-                    privkey = PK11_FindKeyByKeyID(slot, &keyidItem, &pwdata);
-                }
-                PORT_FreeArena(arena, PR_FALSE);
+                privkey = findPrivateKeyByID(slot, keysource, &pwdata);
             }
 
             if (!privkey) {
diff --git a/security/nss/cmd/crlutil/crlutil.c b/security/nss/cmd/crlutil/crlutil.c
index c5527fc93..be2e47a6c 100644
--- a/security/nss/cmd/crlutil/crlutil.c
+++ b/security/nss/cmd/crlutil/crlutil.c
@@ -232,10 +232,6 @@ ImportCRL(CERTCertDBHandle *certHandle, char *url, int type,
     SECItem crlDER;
     PK11SlotInfo *slot = NULL;
     int rv;
-#if defined(DEBUG_jp96085)
-    PRIntervalTime starttime, endtime, elapsed;
-    PRUint32 mins, secs, msecs;
-#endif
 
     crlDER.data = NULL;
 
@@ -256,19 +252,9 @@ ImportCRL(CERTCertDBHandle *certHandle, char *url, int type,
             goto loser;
     }
 
-#if defined(DEBUG_jp96085)
-    starttime = PR_IntervalNow();
-#endif
     crl = PK11_ImportCRL(slot, &crlDER, url, type,
                          NULL, importOptions, NULL, decodeOptions);
-#if defined(DEBUG_jp96085)
-    endtime = PR_IntervalNow();
-    elapsed = endtime - starttime;
-    mins = PR_IntervalToSeconds(elapsed) / 60;
-    secs = PR_IntervalToSeconds(elapsed) % 60;
-    msecs = PR_IntervalToMilliseconds(elapsed) % 1000;
-    printf("Elapsed : %2d:%2d.%3d\n", mins, secs, msecs);
-#endif
+
     if (!crl) {
         const char *errString;
 
diff --git a/security/nss/cmd/crmf-cgi/crmfcgi.c b/security/nss/cmd/crmf-cgi/crmfcgi.c
index 07b81f233..9f6174383 100644
--- a/security/nss/cmd/crmf-cgi/crmfcgi.c
+++ b/security/nss/cmd/crmf-cgi/crmfcgi.c
@@ -4,7 +4,7 @@
 
 #include "seccomon.h"
 #include "nss.h"
-#include "key.h"
+#include "keyhi.h"
 #include "cert.h"
 #include "pk11func.h"
 #include "secmod.h"
diff --git a/security/nss/cmd/crmftest/testcrmf.c b/security/nss/cmd/crmftest/testcrmf.c
index 1c1359b1b..3fe5725bf 100644
--- a/security/nss/cmd/crmftest/testcrmf.c
+++ b/security/nss/cmd/crmftest/testcrmf.c
@@ -66,7 +66,7 @@
 #include "crmf.h"
 #include "secerr.h"
 #include "pk11func.h"
-#include "key.h"
+#include "keyhi.h"
 #include "cmmf.h"
 #include "plgetopt.h"
 #include "secutil.h"
diff --git a/security/nss/cmd/dbck/dbrecover.c b/security/nss/cmd/dbck/dbrecover.c
index 74d21d85e..5b7e0549d 100644
--- a/security/nss/cmd/dbck/dbrecover.c
+++ b/security/nss/cmd/dbck/dbrecover.c
@@ -288,7 +288,8 @@ addCertToDB(certDBEntryCert *certEntry, dbRestoreInfo *info,
 
     /*  If user chooses so, ignore expired certificates.  */
     allowOverride = (PRBool)((oldCert->keyUsage == certUsageSSLServer) ||
-                             (oldCert->keyUsage == certUsageSSLServerWithStepUp));
+                             (oldCert->keyUsage == certUsageSSLServerWithStepUp) ||
+                             (oldCert->keyUsage == certUsageIPsec));
     validity = CERT_CheckCertValidTimes(oldCert, PR_Now(), allowOverride);
     /*  If cert expired and user wants to delete it, ignore it. */
     if ((validity != secCertTimeValid) &&
diff --git a/security/nss/cmd/fipstest/fipstest.c b/security/nss/cmd/fipstest/fipstest.c
index 061f3dde0..5d00b3070 100644
--- a/security/nss/cmd/fipstest/fipstest.c
+++ b/security/nss/cmd/fipstest/fipstest.c
@@ -2335,6 +2335,34 @@ sha_get_hashType(int hashbits)
     return hashType;
 }
 
+HASH_HashType
+hash_string_to_hashType(const char *src)
+{
+    HASH_HashType shaAlg = HASH_AlgNULL;
+    if (strncmp(src, "SHA-1", 5) == 0) {
+        shaAlg = HASH_AlgSHA1;
+    } else if (strncmp(src, "SHA-224", 7) == 0) {
+        shaAlg = HASH_AlgSHA224;
+    } else if (strncmp(src, "SHA-256", 7) == 0) {
+        shaAlg = HASH_AlgSHA256;
+    } else if (strncmp(src, "SHA-384", 7) == 0) {
+        shaAlg = HASH_AlgSHA384;
+    } else if (strncmp(src, "SHA-512", 7) == 0) {
+        shaAlg = HASH_AlgSHA512;
+    } else if (strncmp(src, "SHA1", 4) == 0) {
+        shaAlg = HASH_AlgSHA1;
+    } else if (strncmp(src, "SHA224", 6) == 0) {
+        shaAlg = HASH_AlgSHA224;
+    } else if (strncmp(src, "SHA256", 6) == 0) {
+        shaAlg = HASH_AlgSHA256;
+    } else if (strncmp(src, "SHA384", 6) == 0) {
+        shaAlg = HASH_AlgSHA384;
+    } else if (strncmp(src, "SHA512", 6) == 0) {
+        shaAlg = HASH_AlgSHA512;
+    }
+    return shaAlg;
+}
+
 /*
  * Perform the ECDSA Key Pair Generation Test.
  *
@@ -2628,17 +2656,8 @@ ecdsa_siggen_test(char *reqfn)
             *dst = '\0';
             src++; /* skip the comma */
             /* set the SHA Algorithm */
-            if (strncmp(src, "SHA-1", 5) == 0) {
-                shaAlg = HASH_AlgSHA1;
-            } else if (strncmp(src, "SHA-224", 7) == 0) {
-                shaAlg = HASH_AlgSHA224;
-            } else if (strncmp(src, "SHA-256", 7) == 0) {
-                shaAlg = HASH_AlgSHA256;
-            } else if (strncmp(src, "SHA-384", 7) == 0) {
-                shaAlg = HASH_AlgSHA384;
-            } else if (strncmp(src, "SHA-512", 7) == 0) {
-                shaAlg = HASH_AlgSHA512;
-            } else {
+            shaAlg = hash_string_to_hashType(src);
+            if (shaAlg == HASH_AlgNULL) {
                 fprintf(ecdsaresp, "ERROR: Unable to find SHAAlg type");
                 goto loser;
             }
@@ -2798,17 +2817,8 @@ ecdsa_sigver_test(char *reqfn)
             *dst = '\0';
             src++; /* skip the comma */
             /* set the SHA Algorithm */
-            if (strncmp(src, "SHA-1", 5) == 0) {
-                shaAlg = HASH_AlgSHA1;
-            } else if (strncmp(src, "SHA-224", 7) == 0) {
-                shaAlg = HASH_AlgSHA224;
-            } else if (strncmp(src, "SHA-256", 7) == 0) {
-                shaAlg = HASH_AlgSHA256;
-            } else if (strncmp(src, "SHA-384", 7) == 0) {
-                shaAlg = HASH_AlgSHA384;
-            } else if (strncmp(src, "SHA-512", 7) == 0) {
-                shaAlg = HASH_AlgSHA512;
-            } else {
+            shaAlg = hash_string_to_hashType(src);
+            if (shaAlg == HASH_AlgNULL) {
                 fprintf(ecdsaresp, "ERROR: Unable to find SHAAlg type");
                 goto loser;
             }
@@ -2956,6 +2966,932 @@ loser:
     fclose(ecdsareq);
 }
 
+/*
+ * Perform the ECDH Functional Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+#define MAX_ECC_PARAMS 256
+void
+ecdh_functional(char *reqfn, PRBool response)
+{
+    char buf[256];  /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "Qx = <144 hex digits>\n".
+                         */
+    FILE *ecdhreq;  /* input stream from the REQUEST file */
+    FILE *ecdhresp; /* output stream to the RESPONSE file */
+    char curve[16]; /* "nistxddd" */
+    unsigned char hashBuf[HASH_LENGTH_MAX];
+    ECParams *ecparams[MAX_ECC_PARAMS] = { NULL };
+    ECPrivateKey *ecpriv = NULL;
+    ECParams *current_ecparams = NULL;
+    SECItem pubkey;
+    SECItem ZZ;
+    unsigned int i;
+    unsigned int len = 0;
+    unsigned int uit_len = 0;
+    int current_curve = -1;
+    HASH_HashType hash = HASH_AlgNULL; /* type of SHA Alg */
+
+    ecdhreq = fopen(reqfn, "r");
+    ecdhresp = stdout;
+    strcpy(curve, "nist");
+    pubkey.data = NULL;
+    while (fgets(buf, sizeof buf, ecdhreq) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n' || buf[0] == '\r') {
+            fputs(buf, ecdhresp);
+            continue;
+        }
+        if (buf[0] == '[') {
+            /* [Ex] */
+            if (buf[1] == 'E' && buf[3] == ']') {
+                current_curve = buf[2] - 'A';
+                fputs(buf, ecdhresp);
+                continue;
+            }
+            /* [Curve selected: x-nnn */
+            if (strncmp(buf, "[Curve ", 7) == 0) {
+                const char *src;
+                char *dst;
+                SECItem *encodedparams;
+
+                if ((current_curve < 0) || (current_curve > MAX_ECC_PARAMS)) {
+                    fprintf(stderr, "No curve type defined\n");
+                    goto loser;
+                }
+
+                src = &buf[1];
+                /* skip passed the colon */
+                while (*src && *src != ':')
+                    src++;
+                if (*src != ':') {
+                    fprintf(stderr,
+                            "No colon in curve selected statement\n%s", buf);
+                    goto loser;
+                }
+                src++;
+                /* skip to the first non-space */
+                while (*src && *src == ' ')
+                    src++;
+                dst = &curve[4];
+                *dst++ = tolower(*src);
+                src += 2; /* skip the hyphen */
+                *dst++ = *src++;
+                *dst++ = *src++;
+                *dst++ = *src++;
+                *dst = '\0';
+                if (ecparams[current_curve] != NULL) {
+                    PORT_FreeArena(ecparams[current_curve]->arena, PR_FALSE);
+                    ecparams[current_curve] = NULL;
+                }
+                encodedparams = getECParams(curve);
+                if (encodedparams == NULL) {
+                    fprintf(stderr, "Unknown curve %s.", curve);
+                    goto loser;
+                }
+                if (EC_DecodeParams(encodedparams, &ecparams[current_curve]) != SECSuccess) {
+                    fprintf(stderr, "Curve %s not supported.\n", curve);
+                    goto loser;
+                }
+                SECITEM_FreeItem(encodedparams, PR_TRUE);
+                fputs(buf, ecdhresp);
+                continue;
+            }
+            /* [Ex - SHAxxx] */
+            if (buf[1] == 'E' && buf[3] == ' ') {
+                const char *src;
+                current_curve = buf[2] - 'A';
+                if ((current_curve < 0) || (current_curve > 256)) {
+                    fprintf(stderr, "bad curve type defined (%c)\n", buf[2]);
+                    goto loser;
+                }
+                current_ecparams = ecparams[current_curve];
+                if (current_ecparams == NULL) {
+                    fprintf(stderr, "no curve defined for type %c defined\n",
+                            buf[2]);
+                    goto loser;
+                }
+                /* skip passed the colon */
+                src = &buf[1];
+                while (*src && *src != '-')
+                    src++;
+                if (*src != '-') {
+                    fprintf(stderr,
+                            "No data in curve selected statement\n%s", buf);
+                    goto loser;
+                }
+                src++;
+                /* skip to the first non-space */
+                while (*src && *src == ' ')
+                    src++;
+                hash = hash_string_to_hashType(src);
+                if (hash == HASH_AlgNULL) {
+                    fprintf(ecdhresp, "ERROR: Unable to find SHAAlg type");
+                    goto loser;
+                }
+                fputs(buf, ecdhresp);
+                continue;
+            }
+            fputs(buf, ecdhresp);
+            continue;
+        }
+        /* COUNT = ... */
+        if (strncmp(buf, "COUNT", 5) == 0) {
+            fputs(buf, ecdhresp);
+            if (current_ecparams == NULL) {
+                fprintf(stderr, "no curve defined for type %c defined\n",
+                        buf[2]);
+                goto loser;
+            }
+            len = (current_ecparams->fieldID.size + 7) >> 3;
+            if (pubkey.data != NULL) {
+                PORT_Free(pubkey.data);
+                pubkey.data = NULL;
+            }
+            SECITEM_AllocItem(NULL, &pubkey, EC_GetPointSize(current_ecparams));
+            if (pubkey.data == NULL) {
+                goto loser;
+            }
+            pubkey.data[0] = EC_POINT_FORM_UNCOMPRESSED;
+            continue;
+        }
+        /* QeCAVSx = ... */
+        if (strncmp(buf, "QeCAVSx", 7) == 0) {
+            fputs(buf, ecdhresp);
+            i = 7;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(&pubkey.data[1], len, &buf[i]);
+            continue;
+        }
+        /* QeCAVSy = ... */
+        if (strncmp(buf, "QeCAVSy", 7) == 0) {
+            fputs(buf, ecdhresp);
+            i = 7;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(&pubkey.data[1 + len], len, &buf[i]);
+            if (current_ecparams == NULL) {
+                fprintf(stderr, "no curve defined\n");
+                goto loser;
+            }
+            /* validate CAVS public key */
+            if (EC_ValidatePublicKey(current_ecparams, &pubkey) != SECSuccess) {
+                fprintf(stderr, "BAD key detected\n");
+                goto loser;
+            }
+
+            /* generate ECC key pair */
+            if (EC_NewKey(current_ecparams, &ecpriv) != SECSuccess) {
+                fprintf(stderr, "Failed to generate new key\n");
+                goto loser;
+            }
+            /* validate UIT generated public key */
+            if (EC_ValidatePublicKey(current_ecparams, &ecpriv->publicValue) !=
+                SECSuccess) {
+                fprintf(stderr, "generate key did not validate\n");
+                goto loser;
+            }
+            /* output UIT public key */
+            uit_len = ecpriv->publicValue.len;
+            if (uit_len % 2 == 0) {
+                fprintf(stderr, "generate key had invalid public value len\n");
+                goto loser;
+            }
+            uit_len = (uit_len - 1) / 2;
+            if (ecpriv->publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
+                fprintf(stderr, "generate key was compressed\n");
+                goto loser;
+            }
+            fputs("QeIUTx = ", ecdhresp);
+            to_hex_str(buf, &ecpriv->publicValue.data[1], uit_len);
+            fputs(buf, ecdhresp);
+            fputc('\n', ecdhresp);
+            fputs("QeIUTy = ", ecdhresp);
+            to_hex_str(buf, &ecpriv->publicValue.data[1 + uit_len], uit_len);
+            fputs(buf, ecdhresp);
+            fputc('\n', ecdhresp);
+            /* ECDH */
+            if (ECDH_Derive(&pubkey, current_ecparams, &ecpriv->privateValue,
+                            PR_FALSE, &ZZ) != SECSuccess) {
+                fprintf(stderr, "Derive failed\n");
+                goto loser;
+            }
+            /* output hash of ZZ */
+            if (fips_hashBuf(hash, hashBuf, ZZ.data, ZZ.len) != SECSuccess) {
+                fprintf(stderr, "hash of derived key failed\n");
+                goto loser;
+            }
+            SECITEM_FreeItem(&ZZ, PR_FALSE);
+            fputs("HashZZ = ", ecdhresp);
+            to_hex_str(buf, hashBuf, fips_hashLen(hash));
+            fputs(buf, ecdhresp);
+            fputc('\n', ecdhresp);
+            fputc('\n', ecdhresp);
+            PORT_FreeArena(ecpriv->ecParams.arena, PR_TRUE);
+            ecpriv = NULL;
+            continue;
+        }
+    }
+loser:
+    if (ecpriv != NULL) {
+        PORT_FreeArena(ecpriv->ecParams.arena, PR_TRUE);
+    }
+    for (i = 0; i < MAX_ECC_PARAMS; i++) {
+        if (ecparams[i] != NULL) {
+            PORT_FreeArena(ecparams[i]->arena, PR_FALSE);
+            ecparams[i] = NULL;
+        }
+    }
+    if (pubkey.data != NULL) {
+        PORT_Free(pubkey.data);
+    }
+    fclose(ecdhreq);
+}
+
+#define MATCH_OPENSSL 1
+/*
+ * Perform the ECDH Validity Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+ecdh_verify(char *reqfn, PRBool response)
+{
+    char buf[256];  /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "Qx = <144 hex digits>\n".
+                         */
+    FILE *ecdhreq;  /* input stream from the REQUEST file */
+    FILE *ecdhresp; /* output stream to the RESPONSE file */
+    char curve[16]; /* "nistxddd" */
+    unsigned char hashBuf[HASH_LENGTH_MAX];
+    unsigned char cavsHashBuf[HASH_LENGTH_MAX];
+    unsigned char private_data[MAX_ECKEY_LEN];
+    ECParams *ecparams[MAX_ECC_PARAMS] = { NULL };
+    ECParams *current_ecparams = NULL;
+    SECItem pubkey;
+    SECItem ZZ;
+    SECItem private_value;
+    unsigned int i;
+    unsigned int len = 0;
+    int current_curve = -1;
+    HASH_HashType hash = HASH_AlgNULL; /* type of SHA Alg */
+
+    ecdhreq = fopen(reqfn, "r");
+    ecdhresp = stdout;
+    strcpy(curve, "nist");
+    pubkey.data = NULL;
+    while (fgets(buf, sizeof buf, ecdhreq) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n' || buf[0] == '\r') {
+            fputs(buf, ecdhresp);
+            continue;
+        }
+        if (buf[0] == '[') {
+            /* [Ex] */
+            if (buf[1] == 'E' && buf[3] == ']') {
+                current_curve = buf[2] - 'A';
+                fputs(buf, ecdhresp);
+                continue;
+            }
+            /* [Curve selected: x-nnn */
+            if (strncmp(buf, "[Curve ", 7) == 0) {
+                const char *src;
+                char *dst;
+                SECItem *encodedparams;
+
+                if ((current_curve < 0) || (current_curve > MAX_ECC_PARAMS)) {
+                    fprintf(stderr, "No curve type defined\n");
+                    goto loser;
+                }
+
+                src = &buf[1];
+                /* skip passed the colon */
+                while (*src && *src != ':')
+                    src++;
+                if (*src != ':') {
+                    fprintf(stderr,
+                            "No colon in curve selected statement\n%s", buf);
+                    goto loser;
+                }
+                src++;
+                /* skip to the first non-space */
+                while (*src && *src == ' ')
+                    src++;
+                dst = &curve[4];
+                *dst++ = tolower(*src);
+                src += 2; /* skip the hyphen */
+                *dst++ = *src++;
+                *dst++ = *src++;
+                *dst++ = *src++;
+                *dst = '\0';
+                if (ecparams[current_curve] != NULL) {
+                    PORT_FreeArena(ecparams[current_curve]->arena, PR_FALSE);
+                    ecparams[current_curve] = NULL;
+                }
+                encodedparams = getECParams(curve);
+                if (encodedparams == NULL) {
+                    fprintf(stderr, "Unknown curve %s.\n", curve);
+                    goto loser;
+                }
+                if (EC_DecodeParams(encodedparams, &ecparams[current_curve]) != SECSuccess) {
+                    fprintf(stderr, "Curve %s not supported.\n", curve);
+                    goto loser;
+                }
+                SECITEM_FreeItem(encodedparams, PR_TRUE);
+                fputs(buf, ecdhresp);
+                continue;
+            }
+            /* [Ex - SHAxxx] */
+            if (buf[1] == 'E' && buf[3] == ' ') {
+                const char *src;
+                current_curve = buf[2] - 'A';
+                if ((current_curve < 0) || (current_curve > 256)) {
+                    fprintf(stderr, "bad curve type defined (%c)\n", buf[2]);
+                    goto loser;
+                }
+                current_ecparams = ecparams[current_curve];
+                if (current_ecparams == NULL) {
+                    fprintf(stderr, "no curve defined for type %c defined\n",
+                            buf[2]);
+                    goto loser;
+                }
+                /* skip passed the colon */
+                src = &buf[1];
+                while (*src && *src != '-')
+                    src++;
+                if (*src != '-') {
+                    fprintf(stderr,
+                            "No data in curve selected statement\n%s", buf);
+                    goto loser;
+                }
+                src++;
+                /* skip to the first non-space */
+                while (*src && *src == ' ')
+                    src++;
+                hash = hash_string_to_hashType(src);
+                if (hash == HASH_AlgNULL) {
+                    fprintf(ecdhresp, "ERROR: Unable to find SHAAlg type");
+                    goto loser;
+                }
+                fputs(buf, ecdhresp);
+                continue;
+            }
+            fputs(buf, ecdhresp);
+            continue;
+        }
+        /* COUNT = ... */
+        if (strncmp(buf, "COUNT", 5) == 0) {
+            fputs(buf, ecdhresp);
+            if (current_ecparams == NULL) {
+                fprintf(stderr, "no curve defined for type %c defined\n",
+                        buf[2]);
+                goto loser;
+            }
+            len = (current_ecparams->fieldID.size + 7) >> 3;
+            if (pubkey.data != NULL) {
+                PORT_Free(pubkey.data);
+                pubkey.data = NULL;
+            }
+            SECITEM_AllocItem(NULL, &pubkey, EC_GetPointSize(current_ecparams));
+            if (pubkey.data == NULL) {
+                goto loser;
+            }
+            pubkey.data[0] = EC_POINT_FORM_UNCOMPRESSED;
+            continue;
+        }
+        /* QeCAVSx = ... */
+        if (strncmp(buf, "QeCAVSx", 7) == 0) {
+            fputs(buf, ecdhresp);
+            i = 7;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(&pubkey.data[1], len, &buf[i]);
+            continue;
+        }
+        /* QeCAVSy = ... */
+        if (strncmp(buf, "QeCAVSy", 7) == 0) {
+            fputs(buf, ecdhresp);
+            i = 7;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(&pubkey.data[1 + len], len, &buf[i]);
+            continue;
+        }
+        if (strncmp(buf, "deIUT", 5) == 0) {
+            fputs(buf, ecdhresp);
+            i = 5;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(private_data, len, &buf[i]);
+            private_value.data = private_data;
+            private_value.len = len;
+            continue;
+        }
+        if (strncmp(buf, "QeIUTx", 6) == 0) {
+            fputs(buf, ecdhresp);
+            continue;
+        }
+        if (strncmp(buf, "QeIUTy", 6) == 0) {
+            fputs(buf, ecdhresp);
+            continue;
+        }
+        if (strncmp(buf, "CAVSHashZZ", 10) == 0) {
+            fputs(buf, ecdhresp);
+            i = 10;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(cavsHashBuf, fips_hashLen(hash), &buf[i]);
+            if (current_ecparams == NULL) {
+                fprintf(stderr, "no curve defined for type defined\n");
+                goto loser;
+            }
+            /* validate CAVS public key */
+            if (EC_ValidatePublicKey(current_ecparams, &pubkey) != SECSuccess) {
+#ifdef MATCH_OPENSSL
+                fprintf(ecdhresp, "Result = F\n");
+#else
+                fprintf(ecdhresp, "Result = F # key didn't validate\n");
+#endif
+                continue;
+            }
+
+            /* ECDH */
+            if (ECDH_Derive(&pubkey, current_ecparams, &private_value,
+                            PR_FALSE, &ZZ) != SECSuccess) {
+                fprintf(stderr, "Derive failed\n");
+                goto loser;
+            }
+/* output  ZZ */
+#ifndef MATCH_OPENSSL
+            fputs("Z = ", ecdhresp);
+            to_hex_str(buf, ZZ.data, ZZ.len);
+            fputs(buf, ecdhresp);
+            fputc('\n', ecdhresp);
+#endif
+
+            if (fips_hashBuf(hash, hashBuf, ZZ.data, ZZ.len) != SECSuccess) {
+                fprintf(stderr, "hash of derived key failed\n");
+                goto loser;
+            }
+            SECITEM_FreeItem(&ZZ, PR_FALSE);
+#ifndef MATCH_NIST
+            fputs("IUTHashZZ = ", ecdhresp);
+            to_hex_str(buf, hashBuf, fips_hashLen(hash));
+            fputs(buf, ecdhresp);
+            fputc('\n', ecdhresp);
+#endif
+            if (memcmp(hashBuf, cavsHashBuf, fips_hashLen(hash)) != 0) {
+#ifdef MATCH_OPENSSL
+                fprintf(ecdhresp, "Result = F\n");
+#else
+                fprintf(ecdhresp, "Result = F # hash doesn't match\n");
+#endif
+            } else {
+                fprintf(ecdhresp, "Result = P\n");
+            }
+#ifndef MATCH_OPENSSL
+            fputc('\n', ecdhresp);
+#endif
+            continue;
+        }
+    }
+loser:
+    for (i = 0; i < MAX_ECC_PARAMS; i++) {
+        if (ecparams[i] != NULL) {
+            PORT_FreeArena(ecparams[i]->arena, PR_FALSE);
+            ecparams[i] = NULL;
+        }
+    }
+    if (pubkey.data != NULL) {
+        PORT_Free(pubkey.data);
+    }
+    fclose(ecdhreq);
+}
+
+/*
+ * Perform the DH Functional Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+#define MAX_ECC_PARAMS 256
+void
+dh_functional(char *reqfn, PRBool response)
+{
+    char buf[1024]; /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "YephCAVS = <512 hex digits>\n".
+                         */
+    FILE *dhreq;    /* input stream from the REQUEST file */
+    FILE *dhresp;   /* output stream to the RESPONSE file */
+    unsigned char hashBuf[HASH_LENGTH_MAX];
+    DSAPrivateKey *dsapriv = NULL;
+    PQGParams pqg = { 0 };
+    unsigned char pubkeydata[DSA_MAX_P_BITS / 8];
+    SECItem pubkey;
+    SECItem ZZ;
+    unsigned int i, j;
+    unsigned int pgySize;
+    HASH_HashType hash = HASH_AlgNULL; /* type of SHA Alg */
+
+    dhreq = fopen(reqfn, "r");
+    dhresp = stdout;
+    while (fgets(buf, sizeof buf, dhreq) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n' || buf[0] == '\r') {
+            fputs(buf, dhresp);
+            continue;
+        }
+        if (buf[0] == '[') {
+            /* [Fx - SHAxxx] */
+            if (buf[1] == 'F' && buf[3] == ' ') {
+                const char *src;
+                /* skip passed the colon */
+                src = &buf[1];
+                while (*src && *src != '-')
+                    src++;
+                if (*src != '-') {
+                    fprintf(stderr, "No hash specified\n%s", buf);
+                    goto loser;
+                }
+                src++;
+                /* skip to the first non-space */
+                while (*src && *src == ' ')
+                    src++;
+                hash = hash_string_to_hashType(src);
+                if (hash == HASH_AlgNULL) {
+                    fprintf(dhresp, "ERROR: Unable to find SHAAlg type");
+                    goto loser;
+                }
+                /* clear the PQG parameters */
+                if (pqg.prime.data) { /* P */
+                    SECITEM_ZfreeItem(&pqg.prime, PR_FALSE);
+                }
+                if (pqg.subPrime.data) { /* Q */
+                    SECITEM_ZfreeItem(&pqg.subPrime, PR_FALSE);
+                }
+                if (pqg.base.data) { /* G */
+                    SECITEM_ZfreeItem(&pqg.base, PR_FALSE);
+                }
+                pgySize = DSA_MAX_P_BITS / 8; /* change if more key sizes are supported in CAVS */
+                SECITEM_AllocItem(NULL, &pqg.prime, pgySize);
+                SECITEM_AllocItem(NULL, &pqg.base, pgySize);
+                pqg.prime.len = pqg.base.len = pgySize;
+
+                /* set q to the max allows */
+                SECITEM_AllocItem(NULL, &pqg.subPrime, DSA_MAX_Q_BITS / 8);
+                pqg.subPrime.len = DSA_MAX_Q_BITS / 8;
+                fputs(buf, dhresp);
+                continue;
+            }
+            fputs(buf, dhresp);
+            continue;
+        }
+        if (buf[0] == 'P') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < pqg.prime.len; i += 2, j++) {
+                if (!isxdigit(buf[i])) {
+                    pqg.prime.len = j;
+                    break;
+                }
+                hex_to_byteval(&buf[i], &pqg.prime.data[j]);
+            }
+
+            fputs(buf, dhresp);
+            continue;
+        }
+
+        /* Q = ... */
+        if (buf[0] == 'Q') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < pqg.subPrime.len; i += 2, j++) {
+                if (!isxdigit(buf[i])) {
+                    pqg.subPrime.len = j;
+                    break;
+                }
+                hex_to_byteval(&buf[i], &pqg.subPrime.data[j]);
+            }
+
+            fputs(buf, dhresp);
+            continue;
+        }
+
+        /* G = ... */
+        if (buf[0] == 'G') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < pqg.base.len; i += 2, j++) {
+                if (!isxdigit(buf[i])) {
+                    pqg.base.len = j;
+                    break;
+                }
+                hex_to_byteval(&buf[i], &pqg.base.data[j]);
+            }
+
+            fputs(buf, dhresp);
+            continue;
+        }
+
+        /* COUNT = ... */
+        if (strncmp(buf, "COUNT", 5) == 0) {
+            fputs(buf, dhresp);
+            continue;
+        }
+
+        /* YephemCAVS = ... */
+        if (strncmp(buf, "YephemCAVS", 10) == 0) {
+            fputs(buf, dhresp);
+            i = 10;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(pubkeydata, pqg.prime.len, &buf[i]);
+            pubkey.data = pubkeydata;
+            pubkey.len = pqg.prime.len;
+
+            /* generate FCC key pair, nist uses pqg rather then pg,
+             * so use DSA to generate the key */
+            if (DSA_NewKey(&pqg, &dsapriv) != SECSuccess) {
+                fprintf(stderr, "Failed to generate new key\n");
+                goto loser;
+            }
+            fputs("XephemIUT = ", dhresp);
+            to_hex_str(buf, dsapriv->privateValue.data, dsapriv->privateValue.len);
+            fputs(buf, dhresp);
+            fputc('\n', dhresp);
+            fputs("YephemIUT = ", dhresp);
+            to_hex_str(buf, dsapriv->publicValue.data, dsapriv->publicValue.len);
+            fputs(buf, dhresp);
+            fputc('\n', dhresp);
+            /* DH */
+            if (DH_Derive(&pubkey, &pqg.prime, &dsapriv->privateValue,
+                          &ZZ, pqg.prime.len) != SECSuccess) {
+                fprintf(stderr, "Derive failed\n");
+                goto loser;
+            }
+            /* output hash of ZZ */
+            if (fips_hashBuf(hash, hashBuf, ZZ.data, ZZ.len) != SECSuccess) {
+                fprintf(stderr, "hash of derived key failed\n");
+                goto loser;
+            }
+            SECITEM_FreeItem(&ZZ, PR_FALSE);
+            fputs("HashZZ = ", dhresp);
+            to_hex_str(buf, hashBuf, fips_hashLen(hash));
+            fputs(buf, dhresp);
+            fputc('\n', dhresp);
+            fputc('\n', dhresp);
+            PORT_FreeArena(dsapriv->params.arena, PR_TRUE);
+            dsapriv = NULL;
+            continue;
+        }
+    }
+loser:
+    if (dsapriv != NULL) {
+        PORT_FreeArena(dsapriv->params.arena, PR_TRUE);
+    }
+    fclose(dhreq);
+}
+
+#define MATCH_OPENSSL 1
+/*
+ * Perform the DH Validity Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+dh_verify(char *reqfn, PRBool response)
+{
+    char buf[1024]; /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "YephCAVS = <512 hex digits>\n".
+                         */
+    FILE *dhreq;    /* input stream from the REQUEST file */
+    FILE *dhresp;   /* output stream to the RESPONSE file */
+    unsigned char hashBuf[HASH_LENGTH_MAX];
+    unsigned char cavsHashBuf[HASH_LENGTH_MAX];
+    PQGParams pqg = { 0 };
+    unsigned char pubkeydata[DSA_MAX_P_BITS / 8];
+    unsigned char privkeydata[DSA_MAX_P_BITS / 8];
+    SECItem pubkey;
+    SECItem privkey;
+    SECItem ZZ;
+    unsigned int i, j;
+    unsigned int pgySize;
+    HASH_HashType hash = HASH_AlgNULL; /* type of SHA Alg */
+
+    dhreq = fopen(reqfn, "r");
+    dhresp = stdout;
+    while (fgets(buf, sizeof buf, dhreq) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n' || buf[0] == '\r') {
+            fputs(buf, dhresp);
+            continue;
+        }
+        if (buf[0] == '[') {
+            /* [Fx - SHAxxx] */
+            if (buf[1] == 'F' && buf[3] == ' ') {
+                const char *src;
+                /* skip passed the colon */
+                src = &buf[1];
+                while (*src && *src != '-')
+                    src++;
+                if (*src != '-') {
+                    fprintf(stderr, "No hash specified\n%s", buf);
+                    goto loser;
+                }
+                src++;
+                /* skip to the first non-space */
+                while (*src && *src == ' ')
+                    src++;
+                hash = hash_string_to_hashType(src);
+                if (hash == HASH_AlgNULL) {
+                    fprintf(dhresp, "ERROR: Unable to find SHAAlg type");
+                    goto loser;
+                }
+                /* clear the PQG parameters */
+                if (pqg.prime.data) { /* P */
+                    SECITEM_ZfreeItem(&pqg.prime, PR_FALSE);
+                }
+                if (pqg.subPrime.data) { /* Q */
+                    SECITEM_ZfreeItem(&pqg.subPrime, PR_FALSE);
+                }
+                if (pqg.base.data) { /* G */
+                    SECITEM_ZfreeItem(&pqg.base, PR_FALSE);
+                }
+                pgySize = DSA_MAX_P_BITS / 8; /* change if more key sizes are supported in CAVS */
+                SECITEM_AllocItem(NULL, &pqg.prime, pgySize);
+                SECITEM_AllocItem(NULL, &pqg.base, pgySize);
+                pqg.prime.len = pqg.base.len = pgySize;
+
+                /* set q to the max allows */
+                SECITEM_AllocItem(NULL, &pqg.subPrime, DSA_MAX_Q_BITS / 8);
+                pqg.subPrime.len = DSA_MAX_Q_BITS / 8;
+                fputs(buf, dhresp);
+                continue;
+            }
+            fputs(buf, dhresp);
+            continue;
+        }
+        if (buf[0] == 'P') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < pqg.prime.len; i += 2, j++) {
+                if (!isxdigit(buf[i])) {
+                    pqg.prime.len = j;
+                    break;
+                }
+                hex_to_byteval(&buf[i], &pqg.prime.data[j]);
+            }
+
+            fputs(buf, dhresp);
+            continue;
+        }
+
+        /* Q = ... */
+        if (buf[0] == 'Q') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < pqg.subPrime.len; i += 2, j++) {
+                if (!isxdigit(buf[i])) {
+                    pqg.subPrime.len = j;
+                    break;
+                }
+                hex_to_byteval(&buf[i], &pqg.subPrime.data[j]);
+            }
+
+            fputs(buf, dhresp);
+            continue;
+        }
+
+        /* G = ... */
+        if (buf[0] == 'G') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < pqg.base.len; i += 2, j++) {
+                if (!isxdigit(buf[i])) {
+                    pqg.base.len = j;
+                    break;
+                }
+                hex_to_byteval(&buf[i], &pqg.base.data[j]);
+            }
+
+            fputs(buf, dhresp);
+            continue;
+        }
+
+        /* COUNT = ... */
+        if (strncmp(buf, "COUNT", 5) == 0) {
+            fputs(buf, dhresp);
+            continue;
+        }
+
+        /* YephemCAVS = ... */
+        if (strncmp(buf, "YephemCAVS", 10) == 0) {
+            fputs(buf, dhresp);
+            i = 10;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(pubkeydata, pqg.prime.len, &buf[i]);
+            pubkey.data = pubkeydata;
+            pubkey.len = pqg.prime.len;
+            continue;
+        }
+        /* XephemUIT = ... */
+        if (strncmp(buf, "XephemIUT", 9) == 0) {
+            fputs(buf, dhresp);
+            i = 9;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(privkeydata, pqg.subPrime.len, &buf[i]);
+            privkey.data = privkeydata;
+            privkey.len = pqg.subPrime.len;
+            continue;
+        }
+        /* YephemUIT = ... */
+        if (strncmp(buf, "YephemIUT", 9) == 0) {
+            fputs(buf, dhresp);
+            continue;
+        }
+        /* CAVSHashZZ = ... */
+        if (strncmp(buf, "CAVSHashZZ", 10) == 0) {
+            fputs(buf, dhresp);
+            i = 10;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(cavsHashBuf, fips_hashLen(hash), &buf[i]);
+            /* do the DH operation*/
+            if (DH_Derive(&pubkey, &pqg.prime, &privkey,
+                          &ZZ, pqg.prime.len) != SECSuccess) {
+                fprintf(stderr, "Derive failed\n");
+                goto loser;
+            }
+/* output  ZZ */
+#ifndef MATCH_OPENSSL
+            fputs("Z = ", dhresp);
+            to_hex_str(buf, ZZ.data, ZZ.len);
+            fputs(buf, dhresp);
+            fputc('\n', dhresp);
+#endif
+            if (fips_hashBuf(hash, hashBuf, ZZ.data, ZZ.len) != SECSuccess) {
+                fprintf(stderr, "hash of derived key failed\n");
+                goto loser;
+            }
+            SECITEM_FreeItem(&ZZ, PR_FALSE);
+#ifndef MATCH_NIST_
+            fputs("IUTHashZZ = ", dhresp);
+            to_hex_str(buf, hashBuf, fips_hashLen(hash));
+            fputs(buf, dhresp);
+            fputc('\n', dhresp);
+#endif
+            if (memcmp(hashBuf, cavsHashBuf, fips_hashLen(hash)) != 0) {
+                fprintf(dhresp, "Result = F\n");
+            } else {
+                fprintf(dhresp, "Result = P\n");
+            }
+#ifndef MATCH_OPENSSL
+            fputc('\n', dhresp);
+#endif
+            continue;
+        }
+    }
+loser:
+    fclose(dhreq);
+}
+
 PRBool
 isblankline(char *b)
 {
@@ -5342,17 +6278,8 @@ rsa_siggen_test(char *reqfn)
                 i++;
             }
             /* set the SHA Algorithm */
-            if (strncmp(&buf[i], "SHA1", 4) == 0) {
-                shaAlg = HASH_AlgSHA1;
-            } else if (strncmp(&buf[i], "SHA224", 6) == 0) {
-                shaAlg = HASH_AlgSHA224;
-            } else if (strncmp(&buf[i], "SHA256", 6) == 0) {
-                shaAlg = HASH_AlgSHA256;
-            } else if (strncmp(&buf[i], "SHA384", 6) == 0) {
-                shaAlg = HASH_AlgSHA384;
-            } else if (strncmp(&buf[i], "SHA512", 6) == 0) {
-                shaAlg = HASH_AlgSHA512;
-            } else {
+            shaAlg = hash_string_to_hashType(&buf[i]);
+            if (shaAlg == HASH_AlgNULL) {
                 fprintf(rsaresp, "ERROR: Unable to find SHAAlg type");
                 goto loser;
             }
@@ -5537,17 +6464,8 @@ rsa_sigver_test(char *reqfn)
                 i++;
             }
             /* set the SHA Algorithm */
-            if (strncmp(&buf[i], "SHA1", 4) == 0) {
-                shaAlg = HASH_AlgSHA1;
-            } else if (strncmp(&buf[i], "SHA224", 6) == 0) {
-                shaAlg = HASH_AlgSHA224;
-            } else if (strncmp(&buf[i], "SHA256", 6) == 0) {
-                shaAlg = HASH_AlgSHA256;
-            } else if (strncmp(&buf[i], "SHA384", 6) == 0) {
-                shaAlg = HASH_AlgSHA384;
-            } else if (strncmp(&buf[i], "SHA512", 6) == 0) {
-                shaAlg = HASH_AlgSHA512;
-            } else {
+            shaAlg = hash_string_to_hashType(&buf[i]);
+            if (shaAlg == HASH_AlgNULL) {
                 fprintf(rsaresp, "ERROR: Unable to find SHAAlg type");
                 goto loser;
             }
@@ -6108,6 +7026,34 @@ main(int argc, char **argv)
             ecdsa_sigver_test(argv[3]);
         }
         /*************/
+        /*   ECDH   */
+        /*************/
+    } else if (strcmp(argv[1], "ecdh") == 0) {
+        /* argv[2]={init|resp}-{func|verify} argv[3]=<test name>.req */
+        if (strcmp(argv[2], "init-func") == 0) {
+            ecdh_functional(argv[3], 0);
+        } else if (strcmp(argv[2], "resp-func") == 0) {
+            ecdh_functional(argv[3], 1);
+        } else if (strcmp(argv[2], "init-verify") == 0) {
+            ecdh_verify(argv[3], 0);
+        } else if (strcmp(argv[2], "resp-verify") == 0) {
+            ecdh_verify(argv[3], 1);
+        }
+        /*************/
+        /*   DH   */
+        /*************/
+    } else if (strcmp(argv[1], "dh") == 0) {
+        /* argv[2]={init|resp}-{func|verify} argv[3]=<test name>.req */
+        if (strcmp(argv[2], "init-func") == 0) {
+            dh_functional(argv[3], 0);
+        } else if (strcmp(argv[2], "resp-func") == 0) {
+            dh_functional(argv[3], 1);
+        } else if (strcmp(argv[2], "init-verify") == 0) {
+            dh_verify(argv[3], 0);
+        } else if (strcmp(argv[2], "resp-verify") == 0) {
+            dh_verify(argv[3], 1);
+        }
+        /*************/
         /*   RNG     */
         /*************/
     } else if (strcmp(argv[1], "rng") == 0) {
diff --git a/security/nss/cmd/fipstest/kas.sh b/security/nss/cmd/fipstest/kas.sh
new file mode 100644
index 000000000..9aa5387a8
--- /dev/null
+++ b/security/nss/cmd/fipstest/kas.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+# 
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# A Bourne shell script for running the NIST DSA Validation System
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/KAS
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
+
+#
+if [ ${COMMAND} = "verify" ]; then
+#
+# need verify for KAS tests
+
+# verify generated keys
+#    name=KeyPair
+#    echo ">>>>>  $name"
+#    fipstest dsa keyver ${RSPDIR}/$name.rsp | grep ^Result.=.F
+# verify generated pqg values
+#    name=PQGGen
+#    echo ">>>>>  $name"
+#    fipstest dsa pqgver ${RSPDIR}/$name.rsp | grep ^Result.=.F
+# verify PQGVer with known answer
+#    sh ./validate1.sh ${TESTDIR} PQGVer.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
+# verify signatures
+#    name=SigGen
+#    echo ">>>>>  $name"
+#    fipstest dsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F
+# verify SigVer with known answer
+#    sh ./validate1.sh ${TESTDIR} SigVer.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);;'
+    exit 0
+fi
+
+request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdh init-func ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdh resp-func ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdh init-verify ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdh resp-verify ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASFunctionTest_FFCEphem_NOKC_ZZOnly_init.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dh init-func ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASFunctionTest_FFCEphem_NOKC_ZZOnly_resp.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dh resp-func ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASValidityTest_FFCEphem_NOKC_ZZOnly_init.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dh init-verify ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dh resp-verify ${REQDIR}/$request > ${RSPDIR}/$response
+
diff --git a/security/nss/cmd/fipstest/runtest.sh b/security/nss/cmd/fipstest/runtest.sh
index 5f8e66a08..fcb16348b 100644
--- a/security/nss/cmd/fipstest/runtest.sh
+++ b/security/nss/cmd/fipstest/runtest.sh
@@ -6,7 +6,7 @@
 #
 TESTDIR=${1-.}
 COMMAND=${2-run}
-TESTS="aes aesgcm dsa ecdsa hmac tls rng rsa sha tdea"
+TESTS="aes aesgcm dsa ecdsa hmac kas tls rng rsa sha tdea"
 for i in $TESTS
 do
     echo "********************Running $i tests"
diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c
index 6be2df432..97c7f750a 100644
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -3799,7 +3799,7 @@ SECU_ParseSSLVersionRangeString(const char *input,
     return SECSuccess;
 }
 
-SSLNamedGroup
+static SSLNamedGroup
 groupNameToNamedGroup(char *name)
 {
     if (PL_strlen(name) == 4) {
@@ -3837,6 +3837,23 @@ groupNameToNamedGroup(char *name)
     return ssl_grp_none;
 }
 
+static SECStatus
+countItems(const char *arg, unsigned int *numItems)
+{
+    char *str = PORT_Strdup(arg);
+    if (!str) {
+        return SECFailure;
+    }
+    char *p = strtok(str, ",");
+    while (p) {
+        ++(*numItems);
+        p = strtok(NULL, ",");
+    }
+    PORT_Free(str);
+    str = NULL;
+    return SECSuccess;
+}
+
 SECStatus
 parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
                unsigned int *enabledGroupsCount)
@@ -3847,21 +3864,12 @@ parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
     unsigned int numValues = 0;
     unsigned int count = 0;
 
-    /* Count the number of groups. */
-    str = PORT_Strdup(arg);
-    if (!str) {
+    if (countItems(arg, &numValues) != SECSuccess) {
         return SECFailure;
     }
-    p = strtok(str, ",");
-    while (p) {
-        ++numValues;
-        p = strtok(NULL, ",");
-    }
-    PORT_Free(str);
-    str = NULL;
     groups = PORT_ZNewArray(SSLNamedGroup, numValues);
     if (!groups) {
-        goto done;
+        return SECFailure;
     }
 
     /* Get group names. */
@@ -3881,9 +3889,7 @@ parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
     }
 
 done:
-    if (str) {
-        PORT_Free(str);
-    }
+    PORT_Free(str);
     if (!count) {
         PORT_Free(groups);
         return SECFailure;
@@ -3893,3 +3899,83 @@ done:
     *enabledGroups = groups;
     return SECSuccess;
 }
+
+SSLSignatureScheme
+schemeNameToScheme(const char *name)
+{
+#define compareScheme(x)                                \
+    do {                                                \
+        if (!PORT_Strncmp(name, #x, PORT_Strlen(#x))) { \
+            return ssl_sig_##x;                         \
+        }                                               \
+    } while (0)
+
+    compareScheme(rsa_pkcs1_sha1);
+    compareScheme(rsa_pkcs1_sha256);
+    compareScheme(rsa_pkcs1_sha384);
+    compareScheme(rsa_pkcs1_sha512);
+    compareScheme(ecdsa_sha1);
+    compareScheme(ecdsa_secp256r1_sha256);
+    compareScheme(ecdsa_secp384r1_sha384);
+    compareScheme(ecdsa_secp521r1_sha512);
+    compareScheme(rsa_pss_rsae_sha256);
+    compareScheme(rsa_pss_rsae_sha384);
+    compareScheme(rsa_pss_rsae_sha512);
+    compareScheme(ed25519);
+    compareScheme(ed448);
+    compareScheme(rsa_pss_pss_sha256);
+    compareScheme(rsa_pss_pss_sha384);
+    compareScheme(rsa_pss_pss_sha512);
+    compareScheme(dsa_sha1);
+    compareScheme(dsa_sha256);
+    compareScheme(dsa_sha384);
+    compareScheme(dsa_sha512);
+
+#undef compareScheme
+
+    return ssl_sig_none;
+}
+
+SECStatus
+parseSigSchemeList(const char *arg, const SSLSignatureScheme **enabledSigSchemes,
+                   unsigned int *enabledSigSchemeCount)
+{
+    SSLSignatureScheme *schemes;
+    unsigned int numValues = 0;
+    unsigned int count = 0;
+
+    if (countItems(arg, &numValues) != SECSuccess) {
+        return SECFailure;
+    }
+    schemes = PORT_ZNewArray(SSLSignatureScheme, numValues);
+    if (!schemes) {
+        return SECFailure;
+    }
+
+    /* Get group names. */
+    char *str = PORT_Strdup(arg);
+    if (!str) {
+        goto done;
+    }
+    char *p = strtok(str, ",");
+    while (p) {
+        SSLSignatureScheme scheme = schemeNameToScheme(p);
+        if (scheme == ssl_sig_none) {
+            count = 0;
+            goto done;
+        }
+        schemes[count++] = scheme;
+        p = strtok(NULL, ",");
+    }
+
+done:
+    PORT_Free(str);
+    if (!count) {
+        PORT_Free(schemes);
+        return SECFailure;
+    }
+
+    *enabledSigSchemeCount = count;
+    *enabledSigSchemes = schemes;
+    return SECSuccess;
+}
diff --git a/security/nss/cmd/lib/secutil.h b/security/nss/cmd/lib/secutil.h
index fe07aca60..90d763909 100644
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
@@ -9,7 +9,7 @@
 #include "secport.h"
 #include "prerror.h"
 #include "base64.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secpkcs7.h"
 #include "secasn1.h"
 #include "secder.h"
@@ -406,7 +406,9 @@ SECU_ParseSSLVersionRangeString(const char *input,
 
 SECStatus parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
                          unsigned int *enabledGroupsCount);
-SSLNamedGroup groupNameToNamedGroup(char *name);
+SECStatus parseSigSchemeList(const char *arg,
+                             const SSLSignatureScheme **enabledSigSchemes,
+                             unsigned int *enabledSigSchemeCount);
 
 /*
  *
diff --git a/security/nss/cmd/manifest.mn b/security/nss/cmd/manifest.mn
index 567c6bb9d..be53d3c4e 100644
--- a/security/nss/cmd/manifest.mn
+++ b/security/nss/cmd/manifest.mn
@@ -47,6 +47,7 @@ NSS_SRCDIRS = \
  listsuites \
  makepqg  \
  multinit \
+ nss-policy-check \
  ocspclnt  \
  ocspresp \
  oidcalc  \
diff --git a/security/nss/cmd/modutil/error.h b/security/nss/cmd/modutil/error.h
index d9f06592f..33ed7bde7 100644
--- a/security/nss/cmd/modutil/error.h
+++ b/security/nss/cmd/modutil/error.h
@@ -131,6 +131,7 @@ typedef enum {
     UNDEFAULT_SUCCESS_MSG,
     BROWSER_RUNNING_MSG,
     ABORTING_MSG,
+    P11_KIT_ENABLED_MSG,
 
     LAST_MSG /* must be last */
 } Message;
diff --git a/security/nss/cmd/modutil/modutil.c b/security/nss/cmd/modutil/modutil.c
index c1b44be53..f04ad3d92 100644
--- a/security/nss/cmd/modutil/modutil.c
+++ b/security/nss/cmd/modutil/modutil.c
@@ -138,7 +138,11 @@ char* msgStrings[] = {
     "\ncorruption of your security databases. If the browser is currently running,"
     "\nyou should exit browser before continuing this operation. Type "
     "\n'q <enter>' to abort, or <enter> to continue: ",
-    "\nAborting...\n"
+    "\nAborting...\n",
+    "\nWARNING: Manually adding a module while p11-kit is enabled could cause"
+    "\nduplicate module registration in your security database. It is suggested "
+    "\nto configure the module through p11-kit configuration file instead.\n"
+    "\nType 'q <enter>' to abort, or <enter> to continue: "
 };
 
 /* Increment i if doing so would have i still be less than j.  If you
@@ -856,6 +860,28 @@ main(int argc, char* argv[])
         goto loser;
     }
 
+    /* Warn if we are adding a module while p11-kit is enabled in the
+     * database. */
+    if ((command == ADD_COMMAND || command == RAW_ADD_COMMAND) &&
+        IsP11KitEnabled()) {
+        char* response;
+
+        PR_fprintf(PR_STDOUT, msgStrings[P11_KIT_ENABLED_MSG]);
+        if (!PR_fgets(stdinbuf, STDINBUF_SIZE, PR_STDIN)) {
+            PR_fprintf(PR_STDERR, errStrings[STDIN_READ_ERR]);
+            errcode = STDIN_READ_ERR;
+            goto loser;
+        }
+        if ((response = strtok(stdinbuf, " \r\n\t"))) {
+            if (!PL_strcasecmp(response, "q")) {
+                PR_fprintf(PR_STDOUT, msgStrings[ABORTING_MSG]);
+                errcode = SUCCESS;
+                goto loser;
+            }
+        }
+        PR_fprintf(PR_STDOUT, "\n");
+    }
+
     /* Execute the command */
     switch (command) {
         case ADD_COMMAND:
diff --git a/security/nss/cmd/modutil/modutil.h b/security/nss/cmd/modutil/modutil.h
index 04aa908c8..1981fec7b 100644
--- a/security/nss/cmd/modutil/modutil.h
+++ b/security/nss/cmd/modutil/modutil.h
@@ -36,6 +36,7 @@ Error RawAddModule(char *dbmodulespec, char *modulespec);
 Error RawListModule(char *modulespec);
 Error SetDefaultModule(char *moduleName, char *slotName, char *mechanisms);
 Error UnsetDefaultModule(char *moduleName, char *slotName, char *mechanisms);
+PRBool IsP11KitEnabled(void);
 void out_of_memory(void);
 
 #endif /*MODUTIL_H*/
diff --git a/security/nss/cmd/modutil/pk11.c b/security/nss/cmd/modutil/pk11.c
index 1efc1895c..6d17a3365 100644
--- a/security/nss/cmd/modutil/pk11.c
+++ b/security/nss/cmd/modutil/pk11.c
@@ -259,6 +259,55 @@ getStringFromFlags(unsigned long flags, const MaskString array[], int elements)
     return buf;
 }
 
+static PRBool
+IsP11KitProxyModule(SECMODModule *module)
+{
+    CK_INFO modinfo;
+    static const char p11KitManufacturerID[33] =
+        "PKCS#11 Kit                     ";
+    static const char p11KitLibraryDescription[33] =
+        "PKCS#11 Kit Proxy Module        ";
+
+    if (PK11_GetModInfo(module, &modinfo) == SECSuccess &&
+        PORT_Memcmp(modinfo.manufacturerID,
+                    p11KitManufacturerID,
+                    sizeof(modinfo.manufacturerID)) == 0 &&
+        PORT_Memcmp(modinfo.libraryDescription,
+                    p11KitLibraryDescription,
+                    sizeof(modinfo.libraryDescription)) == 0) {
+        return PR_TRUE;
+    }
+
+    return PR_FALSE;
+}
+
+PRBool
+IsP11KitEnabled(void)
+{
+    SECMODListLock *lock;
+    SECMODModuleList *mlp;
+    PRBool found = PR_FALSE;
+
+    lock = SECMOD_GetDefaultModuleListLock();
+    if (!lock) {
+        PR_fprintf(PR_STDERR, errStrings[NO_LIST_LOCK_ERR]);
+        return found;
+    }
+
+    SECMOD_GetReadLock(lock);
+
+    mlp = SECMOD_GetDefaultModuleList();
+    for (; mlp != NULL; mlp = mlp->next) {
+        if (IsP11KitProxyModule(mlp->module)) {
+            found = PR_TRUE;
+            break;
+        }
+    }
+
+    SECMOD_ReleaseReadLock(lock);
+    return found;
+}
+
 /**********************************************************************
  *
  * A d d M o d u l e
diff --git a/security/nss/cmd/nss-policy-check/Makefile b/security/nss/cmd/nss-policy-check/Makefile
new file mode 100644
index 000000000..6e1d4ecdf
--- /dev/null
+++ b/security/nss/cmd/nss-policy-check/Makefile
@@ -0,0 +1,47 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/nss-policy-check/manifest.mn b/security/nss/cmd/nss-policy-check/manifest.mn
new file mode 100644
index 000000000..8fb9abf00
--- /dev/null
+++ b/security/nss/cmd/nss-policy-check/manifest.mn
@@ -0,0 +1,15 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+CORE_DEPTH = ../..
+
+MODULE = nss
+
+CSRCS = nss-policy-check.c
+
+REQUIRES = seccmd
+
+PROGRAM = nss-policy-check
+
diff --git a/security/nss/cmd/nss-policy-check/nss-policy-check.c b/security/nss/cmd/nss-policy-check/nss-policy-check.c
new file mode 100644
index 000000000..b83003874
--- /dev/null
+++ b/security/nss/cmd/nss-policy-check/nss-policy-check.c
@@ -0,0 +1,206 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* This program can be used to check the validity of a NSS crypto policy
+ * configuration file, specified using a config= line.
+ *
+ * Exit codes:
+ *  failure: 2
+ *  warning: 1
+ *  success: 0
+ */
+
+#include <limits.h>
+#include <errno.h>
+#include <stdio.h>
+#include "utilparst.h"
+#include "nss.h"
+#include "secport.h"
+#include "secutil.h"
+#include "secmod.h"
+#include "ssl.h"
+#include "prenv.h"
+
+const char *sWarn = "WARN";
+const char *sInfo = "INFO";
+
+void
+get_tls_info(SSLProtocolVariant protocolVariant, const char *display)
+{
+    SSLVersionRange vrange_supported, vrange_enabled;
+    unsigned num_enabled = 0;
+    PRBool failed = PR_FALSE;
+
+    /* We assume SSL v2 is inactive, and therefore SSL_VersionRangeGetDefault
+     * gives complete information. */
+    if ((SSL_VersionRangeGetSupported(protocolVariant, &vrange_supported) != SECSuccess) ||
+        (SSL_VersionRangeGetDefault(protocolVariant, &vrange_enabled) != SECSuccess) ||
+        !vrange_enabled.min ||
+        !vrange_enabled.max ||
+        vrange_enabled.max < vrange_supported.min ||
+        vrange_enabled.min > vrange_supported.max) {
+        failed = PR_TRUE;
+    } else {
+        if (vrange_enabled.min < vrange_supported.min) {
+            vrange_enabled.min = vrange_supported.min;
+        }
+        if (vrange_enabled.max > vrange_supported.max) {
+            vrange_enabled.max = vrange_supported.max;
+        }
+        if (vrange_enabled.min > vrange_enabled.max) {
+            failed = PR_TRUE;
+        }
+    }
+    if (failed) {
+        num_enabled = 0;
+    } else {
+        num_enabled = vrange_enabled.max - vrange_enabled.min + 1;
+    }
+    fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-%s-VERSIONS: %u\n",
+            num_enabled ? sInfo : sWarn, display, num_enabled);
+    if (!num_enabled) {
+        PR_SetEnv("NSS_POLICY_WARN=1");
+    }
+}
+
+#ifndef PATH_MAX
+#define PATH_MAX 1024
+#endif
+
+int
+main(int argc, char **argv)
+{
+    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+    int i;
+    SECStatus rv;
+    SECMODModule *module = NULL;
+    char path[PATH_MAX];
+    const char *filename;
+    char moduleSpec[1024 + PATH_MAX];
+    unsigned num_enabled = 0;
+    int result = 0;
+    int fullPathLen;
+
+    if (argc != 2) {
+        fprintf(stderr, "Syntax: nss-policy-check <path-to-policy-file>\n");
+        result = 2;
+        goto loser_no_shutdown;
+    }
+
+    fullPathLen = strlen(argv[1]);
+
+    if (!fullPathLen || PR_Access(argv[1], PR_ACCESS_READ_OK) != PR_SUCCESS) {
+        fprintf(stderr, "Error: cannot read file %s\n", argv[1]);
+        result = 2;
+        goto loser_no_shutdown;
+    }
+
+    if (fullPathLen >= PATH_MAX) {
+        fprintf(stderr, "Error: filename parameter is too long\n");
+        result = 2;
+        goto loser_no_shutdown;
+    }
+
+    path[0] = 0;
+    filename = argv[1] + fullPathLen - 1;
+    while ((filename > argv[1]) && (*filename != NSSUTIL_PATH_SEPARATOR[0])) {
+        filename--;
+    }
+
+    if (filename == argv[1]) {
+        PORT_Strcpy(path, ".");
+    } else {
+        filename++; /* Go past the path separator. */
+        PORT_Strncat(path, argv[1], (filename - argv[1]));
+    }
+
+    PR_SetEnv("NSS_IGNORE_SYSTEM_POLICY=1");
+    rv = NSS_NoDB_Init(NULL);
+    if (rv != SECSuccess) {
+        fprintf(stderr, "NSS_Init failed: %s\n", PORT_ErrorToString(PR_GetError()));
+        result = 2;
+        goto loser_no_shutdown;
+    }
+
+    PR_SetEnv("NSS_POLICY_LOADED=0");
+    PR_SetEnv("NSS_POLICY_FAIL=0");
+    PR_SetEnv("NSS_POLICY_WARN=0");
+
+    sprintf(moduleSpec,
+            "name=\"Policy File\" "
+            "parameters=\"configdir='sql:%s' "
+            "secmod='%s' "
+            "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
+            "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical,printPolicyFeedback\"",
+            path, filename);
+
+    module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE);
+    if (!module || !module->loaded || atoi(PR_GetEnvSecure("NSS_POLICY_LOADED")) != 1) {
+        fprintf(stderr, "Error: failed to load policy file\n");
+        result = 2;
+        goto loser;
+    }
+
+    rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
+    if (rv != SECSuccess) {
+        fprintf(stderr, "enable SSL_SECURITY failed: %s\n", PORT_ErrorToString(PR_GetError()));
+        result = 2;
+        goto loser;
+    }
+
+    for (i = 0; i < SSL_NumImplementedCiphers; i++) {
+        PRUint16 suite = cipherSuites[i];
+        PRBool enabled;
+        SSLCipherSuiteInfo info;
+
+        rv = SSL_CipherPrefGetDefault(suite, &enabled);
+        if (rv != SECSuccess) {
+            fprintf(stderr,
+                    "SSL_CipherPrefGetDefault didn't like value 0x%04x (i = %d): %s\n",
+                    suite, i, PORT_ErrorToString(PR_GetError()));
+            continue;
+        }
+        rv = SSL_GetCipherSuiteInfo(suite, &info, (int)(sizeof info));
+        if (rv != SECSuccess) {
+            fprintf(stderr,
+                    "SSL_GetCipherSuiteInfo didn't like value 0x%04x (i = %d): %s\n",
+                    suite, i, PORT_ErrorToString(PR_GetError()));
+            continue;
+        }
+        if (enabled) {
+            ++num_enabled;
+            fprintf(stderr, "NSS-POLICY-INFO: ciphersuite %s is enabled\n", info.cipherSuiteName);
+        }
+    }
+    fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-CIPHERSUITES: %u\n", num_enabled ? sInfo : sWarn, num_enabled);
+    if (!num_enabled) {
+        PR_SetEnv("NSS_POLICY_WARN=1");
+    }
+
+    get_tls_info(ssl_variant_stream, "TLS");
+    get_tls_info(ssl_variant_datagram, "DTLS");
+
+    if (atoi(PR_GetEnvSecure("NSS_POLICY_FAIL")) != 0) {
+        result = 2;
+    } else if (atoi(PR_GetEnvSecure("NSS_POLICY_WARN")) != 0) {
+        result = 1;
+    }
+
+loser:
+    if (module) {
+        SECMOD_DestroyModule(module);
+    }
+    rv = NSS_Shutdown();
+    if (rv != SECSuccess) {
+        fprintf(stderr, "NSS_Shutdown failed: %s\n", PORT_ErrorToString(PR_GetError()));
+        result = 2;
+    }
+loser_no_shutdown:
+    if (result == 2) {
+        fprintf(stderr, "NSS-POLICY-FAIL\n");
+    } else if (result == 1) {
+        fprintf(stderr, "NSS-POLICY-WARN\n");
+    }
+    return result;
+}
diff --git a/security/nss/cmd/nss-policy-check/nss-policy-check.gyp b/security/nss/cmd/nss-policy-check/nss-policy-check.gyp
new file mode 100644
index 000000000..877a5bc06
--- /dev/null
+++ b/security/nss/cmd/nss-policy-check/nss-policy-check.gyp
@@ -0,0 +1,24 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../coreconf/config.gypi',
+    '../../cmd/platlibs.gypi'
+  ],
+  'targets': [
+    {
+      'target_name': 'nss-policy-check',
+      'type': 'executable',
+      'sources': [
+        'nss-policy-check.c'
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports'
+      ]
+    }
+  ],
+  'variables': {
+    'module': 'nss'
+  }
+}
+\ No newline at end of file
diff --git a/security/nss/cmd/ocspclnt/ocspclnt.c b/security/nss/cmd/ocspclnt/ocspclnt.c
index 0927f8ef6..359dbc217 100644
--- a/security/nss/cmd/ocspclnt/ocspclnt.c
+++ b/security/nss/cmd/ocspclnt/ocspclnt.c
@@ -134,6 +134,8 @@ long_usage(char *progname)
     PR_fprintf(pr_stderr,
                "%-17s s   SSL Server\n", "");
     PR_fprintf(pr_stderr,
+               "%-17s I   IPsec\n", "");
+    PR_fprintf(pr_stderr,
                "%-17s e   Email Recipient\n", "");
     PR_fprintf(pr_stderr,
                "%-17s E   Email Signer\n", "");
@@ -908,6 +910,9 @@ cert_usage_from_char(const char *cert_usage_str, SECCertUsage *cert_usage)
         case 's':
             *cert_usage = certUsageSSLServer;
             break;
+        case 'I':
+            *cert_usage = certUsageIPsec;
+            break;
         case 'e':
             *cert_usage = certUsageEmailRecipient;
             break;
diff --git a/security/nss/cmd/p7verify/p7verify.c b/security/nss/cmd/p7verify/p7verify.c
index ba38e1158..5cbb4dcae 100644
--- a/security/nss/cmd/p7verify/p7verify.c
+++ b/security/nss/cmd/p7verify/p7verify.c
@@ -117,6 +117,7 @@ Usage(char *progName)
     fprintf(stderr, "%-25s  9 - certUsageProtectedObjectSigner\n", " ");
     fprintf(stderr, "%-25s 10 - certUsageStatusResponder\n", " ");
     fprintf(stderr, "%-25s 11 - certUsageAnyCA\n", " ");
+    fprintf(stderr, "%-25s 12 - certUsageIPsec\n", " ");
 
     exit(-1);
 }
diff --git a/security/nss/cmd/rsaperf/rsaperf.c b/security/nss/cmd/rsaperf/rsaperf.c
index 7762a465b..292b40b0f 100644
--- a/security/nss/cmd/rsaperf/rsaperf.c
+++ b/security/nss/cmd/rsaperf/rsaperf.c
@@ -21,8 +21,8 @@
 #define DEFAULT_THREADS 1
 #define DEFAULT_EXPONENT 0x10001
 
-extern NSSLOWKEYPrivateKey *getDefaultRSAPrivateKey(void);
-extern NSSLOWKEYPublicKey *getDefaultRSAPublicKey(void);
+extern NSSLOWKEYPrivateKey *getDefaultRSAPrivateKey(int);
+extern NSSLOWKEYPublicKey *getDefaultRSAPublicKey(int);
 
 secuPWData pwData = { PW_NONE, NULL };
 
@@ -580,9 +580,9 @@ main(int argc, char **argv)
             /* use a hardcoded key */
             printf("Using hardcoded %ld bits key.\n", keybits);
             if (doPub) {
-                pubKey = getDefaultRSAPublicKey();
+                pubKey = getDefaultRSAPublicKey(keybits);
             } else {
-                privKey = getDefaultRSAPrivateKey();
+                privKey = getDefaultRSAPrivateKey(keybits);
             }
         }
 
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index c372ec9b8..1784c9ee3 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -165,9 +165,8 @@ PrintUsageHeader(const char *progName)
             "         [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
             "         [-V [min-version]:[max-version]] [-a sni_name]\n"
             "         [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n"
-            "         [-C SSLCacheEntries] [-S dsa_nickname] -Q [-I groups]"
-            " [-e ec_nickname]"
-            "\n"
+            "         [-C SSLCacheEntries] [-S dsa_nickname] [-Q]\n"
+            "         [-I groups] [-J signatureschemes] [-e ec_nickname]\n"
             "         -U [0|1] -H [0|1|2] -W [0|1]\n"
             "\n",
             progName);
@@ -179,7 +178,7 @@ PrintParameterUsage()
     fputs(
         "-V [min]:[max] restricts the set of enabled SSL/TLS protocol versions.\n"
         "   All versions are enabled by default.\n"
-        "   Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
+        "   Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2 tls1.3\n"
         "   Example: \"-V ssl3:\" enables SSL 3 and newer.\n"
         "-D means disable Nagle delays in TCP\n"
         "-R means disable detection of rollback from TLS to SSL3\n"
@@ -195,7 +194,6 @@ PrintParameterUsage()
         "-s means disable SSL socket locking for performance\n"
         "-u means enable Session Ticket extension for TLS.\n"
         "-v means verbose output\n"
-        "-z means enable compression.\n"
         "-L seconds means log statistics every 'seconds' seconds (default=30).\n"
         "-M maxProcs tells how many processes to run in a multi-process server\n"
         "-N means do NOT use the server session cache.  Incompatible with -M.\n"
@@ -228,6 +226,13 @@ PrintParameterUsage()
         "-I comma separated list of enabled groups for TLS key exchange.\n"
         "   The following values are valid:\n"
         "   P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n"
+        "-J comma separated list of enabled signature schemes in preference order.\n"
+        "   The following values are valid:\n"
+        "     rsa_pkcs1_sha1, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,\n"
+        "     ecdsa_sha1, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,\n"
+        "     ecdsa_secp521r1_sha512,\n"
+        "     rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,\n"
+        "     rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,\n"
         "-Z enable 0-RTT (for TLS 1.3; also use -u)\n",
         stderr);
 }
@@ -795,13 +800,14 @@ PRBool NoReuse = PR_FALSE;
 PRBool hasSidCache = PR_FALSE;
 PRBool disableLocking = PR_FALSE;
 PRBool enableSessionTickets = PR_FALSE;
-PRBool enableCompression = PR_FALSE;
 PRBool failedToNegotiateName = PR_FALSE;
 PRBool enableExtendedMasterSecret = PR_FALSE;
 PRBool zeroRTT = PR_FALSE;
 PRBool enableALPN = PR_FALSE;
 SSLNamedGroup *enabledGroups = NULL;
 unsigned int enabledGroupsCount = 0;
+const SSLSignatureScheme *enabledSigSchemes = NULL;
+unsigned int enabledSigSchemeCount = 0;
 
 static char *virtServerNameArray[MAX_VIRT_SERVER_NAME_ARRAY_INDEX];
 static int virtServerNameIndex = 1;
@@ -1857,13 +1863,6 @@ server_main(
         }
     }
 
-    if (enableCompression) {
-        rv = SSL_OptionSet(model_sock, SSL_ENABLE_DEFLATE, PR_TRUE);
-        if (rv != SECSuccess) {
-            errExit("error enabling compression ");
-        }
-    }
-
     if (virtServerNameIndex > 1) {
         rv = SSL_SNISocketConfigHook(model_sock, mySSLSNISocketConfig,
                                      (void *)&virtServerNameArray);
@@ -1970,6 +1969,13 @@ server_main(
         }
     }
 
+    if (enabledSigSchemes) {
+        rv = SSL_SignatureSchemePrefSet(model_sock, enabledSigSchemes, enabledSigSchemeCount);
+        if (rv < 0) {
+            errExit("SSL_SignatureSchemePrefSet failed");
+        }
+    }
+
     /* This cipher is not on by default. The Acceptance test
      * would like it to be. Turn this cipher on.
      */
@@ -2214,9 +2220,10 @@ main(int argc, char **argv)
     /* please keep this list of options in ASCII collating sequence.
     ** numbers, then capital letters, then lower case, alphabetical.
     ** XXX: 'B', 'E', 'q', and 'x' were used in the past but removed
-    **      in 3.28, please leave some time before resuing those. */
+    **      in 3.28, please leave some time before resuing those.
+    **      'z' was removed in 3.39. */
     optstate = PL_CreateOptState(argc, argv,
-                                 "2:A:C:DGH:I:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:yz");
+                                 "2:A:C:DGH:I:J:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:y");
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
         ++optionsFound;
         switch (optstate->option) {
@@ -2429,10 +2436,6 @@ main(int argc, char **argv)
                 debugCache = PR_TRUE;
                 break;
 
-            case 'z':
-                enableCompression = PR_TRUE;
-                break;
-
             case 'Z':
                 zeroRTT = PR_TRUE;
                 break;
@@ -2451,6 +2454,16 @@ main(int argc, char **argv)
                 }
                 break;
 
+            case 'J':
+                rv = parseSigSchemeList(optstate->value, &enabledSigSchemes, &enabledSigSchemeCount);
+                if (rv != SECSuccess) {
+                    PL_DestroyOptState(optstate);
+                    fprintf(stderr, "Bad signature scheme specified.\n");
+                    fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
+                    exit(5);
+                }
+                break;
+
             default:
             case '?':
                 fprintf(stderr, "Unrecognized or bad option specified.\n");
diff --git a/security/nss/cmd/smimetools/cmsutil.c b/security/nss/cmd/smimetools/cmsutil.c
index 7106521c1..9106d9955 100644
--- a/security/nss/cmd/smimetools/cmsutil.c
+++ b/security/nss/cmd/smimetools/cmsutil.c
@@ -115,6 +115,7 @@ Usage(void)
     fprintf(stderr, "%-25s  9 - certUsageProtectedObjectSigner\n", " ");
     fprintf(stderr, "%-25s 10 - certUsageStatusResponder\n", " ");
     fprintf(stderr, "%-25s 11 - certUsageAnyCA\n", " ");
+    fprintf(stderr, "%-25s 12 - certUsageIPsec\n", " ");
 
     exit(-1);
 }
diff --git a/security/nss/cmd/tests/nonspr10.c b/security/nss/cmd/tests/nonspr10.c
index 295484a1c..fc700407a 100644
--- a/security/nss/cmd/tests/nonspr10.c
+++ b/security/nss/cmd/tests/nonspr10.c
@@ -26,9 +26,7 @@
 #include "cryptoht.h"
 #include "ecl-exp.h"
 #include "hasht.h"
-#include "key.h"
 #include "keyhi.h"
-#include "keyt.h"
 #include "keythi.h"
 #include "nss.h"
 #include "nssb64.h"
diff --git a/security/nss/cmd/tstclnt/Makefile b/security/nss/cmd/tstclnt/Makefile
index a27a3ce97..aae7b445c 100644
--- a/security/nss/cmd/tstclnt/Makefile
+++ b/security/nss/cmd/tstclnt/Makefile
@@ -1,5 +1,5 @@
 #! gmake
-# 
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c
index 6f5a43146..520eeff64 100644
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -28,6 +28,7 @@
 #include "prio.h"
 #include "prnetdb.h"
 #include "nss.h"
+#include "nssb64.h"
 #include "ocsp.h"
 #include "ssl.h"
 #include "sslproto.h"
@@ -106,6 +107,45 @@ secuPWData pwdata = { PW_NONE, 0 };
 
 SSLNamedGroup *enabledGroups = NULL;
 unsigned int enabledGroupsCount = 0;
+const SSLSignatureScheme *enabledSigSchemes = NULL;
+unsigned int enabledSigSchemeCount = 0;
+
+const char *
+signatureSchemeName(SSLSignatureScheme scheme)
+{
+    switch (scheme) {
+#define strcase(x)    \
+    case ssl_sig_##x: \
+        return #x
+        strcase(none);
+        strcase(rsa_pkcs1_sha1);
+        strcase(rsa_pkcs1_sha256);
+        strcase(rsa_pkcs1_sha384);
+        strcase(rsa_pkcs1_sha512);
+        strcase(ecdsa_sha1);
+        strcase(ecdsa_secp256r1_sha256);
+        strcase(ecdsa_secp384r1_sha384);
+        strcase(ecdsa_secp521r1_sha512);
+        strcase(rsa_pss_rsae_sha256);
+        strcase(rsa_pss_rsae_sha384);
+        strcase(rsa_pss_rsae_sha512);
+        strcase(ed25519);
+        strcase(ed448);
+        strcase(rsa_pss_pss_sha256);
+        strcase(rsa_pss_pss_sha384);
+        strcase(rsa_pss_pss_sha512);
+        strcase(dsa_sha1);
+        strcase(dsa_sha256);
+        strcase(dsa_sha384);
+        strcase(dsa_sha512);
+#undef strcase
+        case ssl_sig_rsa_pkcs1_sha1md5:
+            return "RSA PKCS#1 SHA1+MD5";
+        default:
+            break;
+    }
+    return "Unknown Scheme";
+}
 
 void
 printSecurityInfo(PRFileDesc *fd)
@@ -132,11 +172,13 @@ printSecurityInfo(PRFileDesc *fd)
                     suite.macBits, suite.macAlgorithmName);
             FPRINTF(stderr,
                     "tstclnt: Server Auth: %d-bit %s, Key Exchange: %d-bit %s\n"
-                    "         Compression: %s, Extended Master Secret: %s\n",
+                    "         Compression: %s, Extended Master Secret: %s\n"
+                    "         Signature Scheme: %s\n",
                     channel.authKeyBits, suite.authAlgorithmName,
                     channel.keaKeyBits, suite.keaTypeName,
                     channel.compressionMethodName,
-                    channel.extendedMasterSecretUsed ? "Yes" : "No");
+                    channel.extendedMasterSecretUsed ? "Yes" : "No",
+                    signatureSchemeName(channel.signatureScheme));
         }
     }
     cert = SSL_RevealCert(fd);
@@ -178,11 +220,13 @@ PrintUsageHeader()
 {
     fprintf(stderr,
             "Usage:  %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
-            "[-D | -d certdir] [-C] [-b | -R root-module] \n"
-            "[-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z]\n"
-            "[-V [min-version]:[max-version]] [-K] [-T] [-U]\n"
-            "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]] [-I groups]\n"
-            "[-A requestfile] [-L totalconnections] [-P {client,server}] [-Q]\n"
+            "  [-D | -d certdir] [-C] [-b | -R root-module] \n"
+            "  [-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z]\n"
+            "  [-V [min-version]:[max-version]] [-K] [-T] [-U]\n"
+            "  [-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n"
+            "  [-I groups] [-J signatureschemes]\n"
+            "  [-A requestfile] [-L totalconnections] [-P {client,server}]\n"
+            "  [-N encryptedSniKeys] [-Q]\n"
             "\n",
             progName);
 }
@@ -225,7 +269,6 @@ PrintParameterUsage()
     fprintf(stderr, "%-20s Timeout for server ping (default: no timeout).\n", "-t seconds");
     fprintf(stderr, "%-20s Renegotiate N times (resuming session if N>1).\n", "-r N");
     fprintf(stderr, "%-20s Enable the session ticket extension.\n", "-u");
-    fprintf(stderr, "%-20s Enable compression.\n", "-z");
     fprintf(stderr, "%-20s Enable false start.\n", "-g");
     fprintf(stderr, "%-20s Enable the cert_status extension (OCSP stapling).\n", "-T");
     fprintf(stderr, "%-20s Enable the signed_certificate_timestamp extension.\n", "-U");
@@ -255,9 +298,19 @@ PrintParameterUsage()
                     "%-20s The following values are valid:\n"
                     "%-20s P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n",
             "-I", "", "");
+    fprintf(stderr, "%-20s Comma separated list of signature schemes in preference order.\n"
+                    "%-20s The following values are valid:\n"
+                    "%-20s rsa_pkcs1_sha1, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,\n"
+                    "%-20s ecdsa_sha1, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,\n"
+                    "%-20s ecdsa_secp521r1_sha512,\n"
+                    "%-20s rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,\n"
+                    "%-20s rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,\n"
+                    "%-20s dsa_sha1, dsa_sha256, dsa_sha384, dsa_sha512\n",
+            "-J", "", "", "", "", "", "", "");
     fprintf(stderr, "%-20s Enable alternative TLS 1.3 handshake\n", "-X alt-server-hello");
     fprintf(stderr, "%-20s Use DTLS\n", "-P {client, server}");
     fprintf(stderr, "%-20s Exit after handshake\n", "-Q");
+    fprintf(stderr, "%-20s Encrypted SNI Keys\n", "-N");
 }
 
 static void
@@ -906,7 +959,6 @@ int multiplier = 0;
 SSLVersionRange enabledVersions;
 int disableLocking = 0;
 int enableSessionTickets = 0;
-int enableCompression = 0;
 int enableFalseStart = 0;
 int enableCertStatus = 0;
 int enableSignedCertTimestamps = 0;
@@ -936,6 +988,7 @@ PRBool stopAfterHandshake = PR_FALSE;
 PRBool requestToExit = PR_FALSE;
 char *versionString = NULL;
 PRBool handshakeComplete = PR_FALSE;
+char *encryptedSNIKeys = NULL;
 
 static int
 writeBytesToServer(PRFileDesc *s, const PRUint8 *buf, int nb)
@@ -1283,14 +1336,6 @@ run()
         goto done;
     }
 
-    /* enable compression. */
-    rv = SSL_OptionSet(s, SSL_ENABLE_DEFLATE, enableCompression);
-    if (rv != SECSuccess) {
-        SECU_PrintError(progName, "error enabling compression");
-        error = 1;
-        goto done;
-    }
-
     /* enable false start. */
     rv = SSL_OptionSet(s, SSL_ENABLE_FALSE_START, enableFalseStart);
     if (rv != SECSuccess) {
@@ -1374,6 +1419,35 @@ run()
         }
     }
 
+    if (enabledSigSchemes) {
+        rv = SSL_SignatureSchemePrefSet(s, enabledSigSchemes, enabledSigSchemeCount);
+        if (rv < 0) {
+            SECU_PrintError(progName, "SSL_SignatureSchemePrefSet failed");
+            error = 1;
+            goto done;
+        }
+    }
+
+    if (encryptedSNIKeys) {
+        SECItem esniKeysBin = { siBuffer, NULL, 0 };
+
+        if (!NSSBase64_DecodeBuffer(NULL, &esniKeysBin, encryptedSNIKeys,
+                                    strlen(encryptedSNIKeys))) {
+            SECU_PrintError(progName, "ESNIKeys record is invalid base64");
+            error = 1;
+            goto done;
+        }
+
+        rv = SSL_EnableESNI(s, esniKeysBin.data, esniKeysBin.len,
+                            "dummy.invalid");
+        SECITEM_FreeItem(&esniKeysBin, PR_FALSE);
+        if (rv < 0) {
+            SECU_PrintError(progName, "SSL_EnableESNI failed");
+            error = 1;
+            goto done;
+        }
+    }
+
     serverCertAuth.dbHandle = CERT_GetDefaultCertDB();
 
     SSL_AuthCertificateHook(s, ownAuthCertificate, &serverCertAuth);
@@ -1628,10 +1702,12 @@ main(int argc, char **argv)
         }
     }
 
-    /* XXX: 'B' was used in the past but removed in 3.28,
-     *      please leave some time before resuing it. */
+    /* Note: 'B' was used in the past but removed in 3.28
+     *       'z' was removed in 3.39
+     * Please leave some time before reusing these.
+     */
     optstate = PL_CreateOptState(argc, argv,
-                                 "46A:CDFGHI:KL:M:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:z");
+                                 "46A:CDFGHI:J:KL:M:N:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:");
     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
         switch (optstate->option) {
             case '?':
@@ -1708,6 +1784,10 @@ main(int argc, char **argv)
                 };
                 break;
 
+            case 'N':
+                encryptedSNIKeys = PORT_Strdup(optstate->value);
+                break;
+
             case 'P':
                 useDTLS = PR_TRUE;
                 if (!strcmp(optstate->value, "server")) {
@@ -1850,10 +1930,6 @@ main(int argc, char **argv)
                 pwdata.data = PORT_Strdup(optstate->value);
                 break;
 
-            case 'z':
-                enableCompression = 1;
-                break;
-
             case 'I':
                 rv = parseGroupList(optstate->value, &enabledGroups, &enabledGroupsCount);
                 if (rv != SECSuccess) {
@@ -1862,6 +1938,15 @@ main(int argc, char **argv)
                     Usage();
                 }
                 break;
+
+            case 'J':
+                rv = parseSigSchemeList(optstate->value, &enabledSigSchemes, &enabledSigSchemeCount);
+                if (rv != SECSuccess) {
+                    PL_DestroyOptState(optstate);
+                    fprintf(stderr, "Bad signature scheme specified.\n");
+                    Usage();
+                }
+                break;
         }
     }
     PL_DestroyOptState(optstate);
@@ -2051,6 +2136,7 @@ done:
     PORT_Free(pwdata.data);
     PORT_Free(host);
     PORT_Free(zeroRttData);
+    PORT_Free(encryptedSNIKeys);
 
     if (enabledGroups) {
         PORT_Free(enabledGroups);
diff --git a/security/nss/cmd/vfychain/vfychain.c b/security/nss/cmd/vfychain/vfychain.c
index d42274c12..c01cdd08e 100644
--- a/security/nss/cmd/vfychain/vfychain.c
+++ b/security/nss/cmd/vfychain/vfychain.c
@@ -64,7 +64,8 @@ Usage(const char *progName)
             "\t-t\t\t Following cert is explicitly trusted (overrides db trust).\n"
             "\t-u usage \t 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,\n"
             "\t\t\t 4=Email signer, 5=Email recipient, 6=Object signer,\n"
-            "\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA\n"
+            "\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA,\n"
+            "\t\t\t 12=IPsec\n"
             "\t-T\t\t Trust both explicit trust anchors (-t) and the database.\n"
             "\t\t\t (Default is to only trust certificates marked -t, if there are any,\n"
             "\t\t\t or to trust the database if there are certificates marked -t.)\n"
diff --git a/security/nss/cmd/vfyserv/vfyserv.h b/security/nss/cmd/vfyserv/vfyserv.h
index 00afc8049..5bcc51a50 100644
--- a/security/nss/cmd/vfyserv/vfyserv.h
+++ b/security/nss/cmd/vfyserv/vfyserv.h
@@ -24,7 +24,7 @@
 #include "certt.h"
 #include "nss.h"
 #include "secder.h"
-#include "key.h"
+#include "keyhi.h"
 #include "sslproto.h"
 
 /* Custom header files */
diff --git a/security/nss/coreconf/config.gypi b/security/nss/coreconf/config.gypi
index 58137872c..ba1b0c8c5 100644
--- a/security/nss/coreconf/config.gypi
+++ b/security/nss/coreconf/config.gypi
@@ -108,8 +108,12 @@
     'emit_llvm%': 0,
     'nss_public_dist_dir%': '<(nss_dist_dir)/public',
     'nss_private_dist_dir%': '<(nss_dist_dir)/private',
+    # This is only needed when building with --mozpkix-only and might not work
+    # on all machines.
+    'nss_include_dir%': '/usr/include/nss',
     'only_dev_random%': 1,
     'disable_fips%': 1,
+    'mozpkix_only%': 0,
   },
   'target_defaults': {
     # Settings specific to targets should go here.
@@ -126,6 +130,11 @@
       '<(nss_dist_dir)/private/<(module)',
     ],
     'conditions': [
+      [ 'mozpkix_only==1 and OS=="linux"', {
+        'include_dirs': [
+          '<(nss_include_dir)',
+        ],
+      }],
       [ 'disable_fips==1', {
         'defines': [
           'NSS_FIPS_DISABLED',
diff --git a/security/nss/coreconf/config.mk b/security/nss/coreconf/config.mk
index b62f6cef4..60a08411e 100644
--- a/security/nss/coreconf/config.mk
+++ b/security/nss/coreconf/config.mk
@@ -185,6 +185,10 @@ ifdef NSS_SEED_ONLY_DEV_URANDOM
 DEFINES += -DSEED_ONLY_DEV_URANDOM
 endif
 
+ifdef NSS_PKCS1_AllowMissingParameters
+DEFINES += -DNSS_PKCS1_AllowMissingParameters
+endif
+
 # Avoid building object leak test code for optimized library
 ifndef BUILD_OPT
 ifdef PKIX_OBJECT_LEAK_TEST
diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep
index 590d1bfae..5182f7555 100644
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -10,4 +10,3 @@
  */
 
 #error "Do not include this header file."
-
diff --git a/security/nss/coreconf/fuzz.sh b/security/nss/coreconf/fuzz.sh
index 67cb7f594..c7b8844b6 100644
--- a/security/nss/coreconf/fuzz.sh
+++ b/security/nss/coreconf/fuzz.sh
@@ -5,8 +5,7 @@ set +e
 
 # Default to clang if CC is not set.
 if [ -z "$CC" ]; then
-    command -v clang &> /dev/null 2>&1
-    if [ $? != 0 ]; then
+    if ! command -v clang &> /dev/null 2>&1; then
         echo "Fuzzing requires clang!"
         exit 1
     fi
@@ -24,8 +23,8 @@ if [ "$fuzz_oss" = 1 ]; then
   gyp_params+=(-Dno_zdefs=1 -Dfuzz_oss=1)
 else
   enable_sanitizer asan
-  # Ubsan doesn't build on 32-bit at the moment. Disable it.
-  if [ "$build_64" = 1 ]; then
+  # Ubsan only builds on x64 for the moment.
+  if [ "$target_arch" = "x64" ]; then
     enable_ubsan
   fi
   enable_sancov
diff --git a/security/nss/coreconf/msvc.sh b/security/nss/coreconf/msvc.sh
new file mode 100644
index 000000000..a592279c9
--- /dev/null
+++ b/security/nss/coreconf/msvc.sh
@@ -0,0 +1,106 @@
+#!/bin/bash
+# This configures the environment for running MSVC.  It uses vswhere, the
+# registry, and a little knowledge of how MSVC is laid out.
+
+if ! hash vswhere 2>/dev/null; then
+    echo "Can't find vswhere on the path, aborting" 1>&2
+    exit 1
+fi
+
+if ! hash reg 2>/dev/null; then
+    echo "Can't find reg on the path, aborting" 1>&2
+    exit 1
+fi
+
+# Turn a unix-y path into a windows one.
+fixpath() {
+    if hash cygpath 2>/dev/null; then
+        cygpath --unix "$1"
+    else # haxx
+        echo "$1" | sed -e 's,\\,/,g;s,^\(.\):,/\L\1,;s,/$,,'
+    fi
+}
+
+# Query the registry.  This takes $1 and tags that on the end of several
+# different paths, looking for a value called $2 at that location.
+# e.g.,
+#   regquery Microsoft\Microsoft SDKs\Windows\v10.0 ProductVersion
+# looks for a REG_SZ value called ProductVersion at
+#   HKLM\SOFTWARE\Wow6432Node\Microsoft\Microsoft SDKs\Windows\v10.0
+#   HKLU\SOFTWARE\Wow6432Node\Microsoft\Microsoft SDKs\Windows\v10.0
+#   etc...
+regquery() {
+    search=("HKLM\\SOFTWARE\\Wow6432Node" \
+            "HKCU\\SOFTWARE\\Wow6432Node" \
+            "HKLM\\SOFTWARE" \
+            "HKCU\\SOFTWARE")
+    for i in "${search[@]}"; do
+        r=$(reg query "${i}\\${1}" -v "$2" | sed -e 's/ *'"$2"' *REG_SZ *//;t;d')
+        if [ -n "$r" ]; then
+            echo "$r"
+            return 0
+        fi
+    done
+    return 1
+}
+
+VSCOMPONENT=Microsoft.VisualStudio.Component.VC.Tools.x86.x64
+vsinstall=$(vswhere -latest -requires "$VSCOMPONENT" -property installationPath)
+
+# Attempt to setup paths if vswhere returns something and VSPATH isn't set.
+# Otherwise, assume that the env is setup.
+if [[ -n "$vsinstall" && -z "$VSPATH" ]]; then
+
+    case "$target_arch" in
+        ia32) m=x86 ;;
+        x64) m="$target_arch" ;;
+        *)
+            echo "No support for target '$target_arch' with MSVC." 1>&2
+            exit 1
+    esac
+
+    export VSPATH=$(fixpath "$vsinstall")
+    export WINDOWSSDKDIR="${VSPATH}/SDK"
+    export VCINSTALLDIR="${VSPATH}/VC"
+
+    CRTREG="Microsoft\\Microsoft SDKs\\Windows\\v10.0"
+    UniversalCRTSdkDir=$(regquery "$CRTREG" InstallationFolder)
+    UniversalCRTSdkDir=$(fixpath "$UniversalCRTSdkDir")
+    UCRTVersion=$(regquery "$CRTREG" ProductVersion)
+    UCRTVersion=$(cd "${UniversalCRTSdkDir}/include"; ls -d "${UCRTVersion}"* | tail -1)
+
+    VCVER=$(cat "${VCINSTALLDIR}/Auxiliary/Build/Microsoft.VCToolsVersion.default.txt")
+    REDISTVER=$(cat "${VCINSTALLDIR}/Auxiliary/Build/Microsoft.VCRedistVersion.default.txt")
+    export WIN32_REDIST_DIR="${VCINSTALLDIR}/Redist/MSVC/${REDISTVER}/${m}/Microsoft.VC141.CRT"
+    export WIN_UCRT_REDIST_DIR="${UniversalCRTSdkDir}/Redist/ucrt/DLLs/${m}"
+
+    if [ "$m" == "x86" ]; then
+        PATH="${PATH}:${VCINSTALLDIR}/Tools/MSVC/${VCVER}/bin/Hostx64/x64"
+        PATH="${PATH}:${VCINSTALLDIR}/Tools/MSVC/${VCVER}/bin/Hostx64/x86"
+    fi
+    PATH="${PATH}:${VCINSTALLDIR}/Tools/MSVC/${VCVER}/bin/Host${m}/${m}"
+    PATH="${PATH}:${UniversalCRTSdkDir}/bin/${UCRTVersion}/${m}"
+    PATH="${PATH}:${WIN32_REDIST_DIR}"
+    export PATH
+
+    INCLUDE="${VCINSTALLDIR}/Tools/MSVC/${VCVER}/ATLMFC/include"
+    INCLUDE="${INCLUDE}:${VCINSTALLDIR}/Tools/MSVC/${VCVER}/include"
+    INCLUDE="${INCLUDE}:${UniversalCRTSdkDir}/include/${UCRTVersion}/ucrt"
+    INCLUDE="${INCLUDE}:${UniversalCRTSdkDir}/include/${UCRTVersion}/shared"
+    INCLUDE="${INCLUDE}:${UniversalCRTSdkDir}/include/${UCRTVersion}/um"
+    INCLUDE="${INCLUDE}:${UniversalCRTSdkDir}/include/${UCRTVersion}/winrt"
+    INCLUDE="${INCLUDE}:${UniversalCRTSdkDir}/include/${UCRTVersion}/cppwinrt"
+    export INCLUDE
+
+    LIB="${VCINSTALLDIR}/lib/${m}"
+    LIB="${VCINSTALLDIR}/Tools/MSVC/${VCVER}/lib/${m}"
+    LIB="${LIB}:${UniversalCRTSdkDir}/lib/${UCRTVersion}/ucrt/${m}"
+    LIB="${LIB}:${UniversalCRTSdkDir}/lib/${UCRTVersion}/um/${m}"
+    export LIB
+
+    export GYP_MSVS_OVERRIDE_PATH="${VSPATH}"
+    export GYP_MSVS_VERSION=$(vswhere -latest -requires "$VSCOMPONENT" -property catalog_productLineVersion)
+else
+    echo Assuming env setup is already done.
+    echo VSPATH=$VSPATH
+fi
diff --git a/security/nss/coreconf/nspr.sh b/security/nss/coreconf/nspr.sh
index d11cd48ed..325a188c3 100644
--- a/security/nss/coreconf/nspr.sh
+++ b/security/nss/coreconf/nspr.sh
@@ -32,6 +32,9 @@ nspr_build()
     if [ "$opt_build" = 1 ]; then
         extra_params+=(--disable-debug --enable-optimize)
     fi
+    if [ "$target_arch" = "x64" ]; then
+        extra_params+=(--enable-64bit)
+    fi
 
     echo "NSPR [1/3] configure ..."
     pushd "$nspr_dir" >/dev/null
diff --git a/security/nss/cpputil/databuffer.h b/security/nss/cpputil/databuffer.h
index 5ec035098..e981a7c22 100644
--- a/security/nss/cpputil/databuffer.h
+++ b/security/nss/cpputil/databuffer.h
@@ -34,7 +34,7 @@ class DataBuffer {
 
   void Allocate(size_t l) {
     delete[] data_;
-    data_ = new uint8_t[l ? l : 1];  // Don't depend on new [0].
+    data_ = new uint8_t[l ? l : 1]();  // Don't depend on new [0].
     len_ = l;
   }
 
diff --git a/security/nss/cpputil/dummy_io.h b/security/nss/cpputil/dummy_io.h
index 797ac6113..e10ee1eee 100644
--- a/security/nss/cpputil/dummy_io.h
+++ b/security/nss/cpputil/dummy_io.h
@@ -8,7 +8,7 @@
 #include "prerror.h"
 #include "prio.h"
 
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 class DummyIOLayerMethods {
  public:
diff --git a/security/nss/cpputil/scoped_ptrs.h b/security/nss/cpputil/nss_scoped_ptrs.h
index 6ffef4dd3..03979f2c5 100644
--- a/security/nss/cpputil/scoped_ptrs.h
+++ b/security/nss/cpputil/nss_scoped_ptrs.h
@@ -4,8 +4,8 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#ifndef scoped_ptrs_h__
-#define scoped_ptrs_h__
+#ifndef nss_scoped_ptrs_h__
+#define nss_scoped_ptrs_h__
 
 #include <memory>
 #include "cert.h"
@@ -13,7 +13,6 @@
 #include "p12.h"
 #include "pk11pub.h"
 #include "pkcs11uri.h"
-#include "sslexp.h"
 
 struct ScopedDelete {
   void operator()(CERTCertificate* cert) { CERT_DestroyCertificate(cert); }
@@ -29,6 +28,9 @@ struct ScopedDelete {
   void operator()(PK11SymKey* key) { PK11_FreeSymKey(key); }
   void operator()(PRFileDesc* fd) { PR_Close(fd); }
   void operator()(SECAlgorithmID* id) { SECOID_DestroyAlgorithmID(id, true); }
+  void operator()(SECKEYEncryptedPrivateKeyInfo* e) {
+    SECKEY_DestroyEncryptedPrivateKeyInfo(e, true);
+  }
   void operator()(SECItem* item) { SECITEM_FreeItem(item, true); }
   void operator()(SECKEYPublicKey* key) { SECKEY_DestroyPublicKey(key); }
   void operator()(SECKEYPrivateKey* key) { SECKEY_DestroyPrivateKey(key); }
@@ -39,9 +41,6 @@ struct ScopedDelete {
   void operator()(PLArenaPool* arena) { PORT_FreeArena(arena, PR_FALSE); }
   void operator()(PK11Context* context) { PK11_DestroyContext(context, true); }
   void operator()(PK11GenericObject* obj) { PK11_DestroyGenericObject(obj); }
-  void operator()(SSLResumptionTokenInfo* token) {
-    SSL_DestroyResumptionTokenInfo(token);
-  }
   void operator()(SEC_PKCS12DecoderContext* dcx) {
     SEC_PKCS12DecoderFinish(dcx);
   }
@@ -69,6 +68,7 @@ SCOPED(PK11SlotInfo);
 SCOPED(PK11SymKey);
 SCOPED(PRFileDesc);
 SCOPED(SECAlgorithmID);
+SCOPED(SECKEYEncryptedPrivateKeyInfo);
 SCOPED(SECItem);
 SCOPED(SECKEYPublicKey);
 SCOPED(SECKEYPrivateKey);
@@ -77,10 +77,9 @@ SCOPED(PK11URI);
 SCOPED(PLArenaPool);
 SCOPED(PK11Context);
 SCOPED(PK11GenericObject);
-SCOPED(SSLResumptionTokenInfo);
 SCOPED(SEC_PKCS12DecoderContext);
 SCOPED(CERTDistNames);
 
 #undef SCOPED
 
-#endif  // scoped_ptrs_h__
+#endif  // nss_scoped_ptrs_h__
diff --git a/security/nss/cpputil/scoped_ptrs_ssl.h b/security/nss/cpputil/scoped_ptrs_ssl.h
new file mode 100644
index 000000000..7eeae8f8f
--- /dev/null
+++ b/security/nss/cpputil/scoped_ptrs_ssl.h
@@ -0,0 +1,35 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef scoped_ptrs_ssl_h__
+#define scoped_ptrs_ssl_h__
+
+#include <memory>
+#include "sslexp.h"
+
+struct ScopedDeleteSSL {
+  void operator()(SSLResumptionTokenInfo* token) {
+    SSL_DestroyResumptionTokenInfo(token);
+  }
+};
+
+template <class T>
+struct ScopedMaybeDeleteSSL {
+  void operator()(T* ptr) {
+    if (ptr) {
+      ScopedDeleteSSL del;
+      del(ptr);
+    }
+  }
+};
+
+#define SCOPED(x) typedef std::unique_ptr<x, ScopedMaybeDeleteSSL<x> > Scoped##x
+
+SCOPED(SSLResumptionTokenInfo);
+
+#undef SCOPED
+
+#endif  // scoped_ptrs_ssl_h__
diff --git a/security/nss/cpputil/tls_parser.h b/security/nss/cpputil/tls_parser.h
index 56f562e07..cd9e28fc3 100644
--- a/security/nss/cpputil/tls_parser.h
+++ b/security/nss/cpputil/tls_parser.h
@@ -20,13 +20,6 @@
 
 namespace nss_test {
 
-const uint8_t kTlsChangeCipherSpecType = 20;
-const uint8_t kTlsAlertType = 21;
-const uint8_t kTlsHandshakeType = 22;
-const uint8_t kTlsApplicationDataType = 23;
-const uint8_t kTlsAltHandshakeType = 24;
-const uint8_t kTlsAckType = 25;
-
 const uint8_t kTlsHandshakeClientHello = 1;
 const uint8_t kTlsHandshakeServerHello = 2;
 const uint8_t kTlsHandshakeNewSessionTicket = 4;
@@ -48,6 +41,8 @@ const uint8_t kTlsAlertBadRecordMac = 20;
 const uint8_t kTlsAlertRecordOverflow = 22;
 const uint8_t kTlsAlertHandshakeFailure = 40;
 const uint8_t kTlsAlertBadCertificate = 42;
+const uint8_t kTlsAlertCertificateRevoked = 44;
+const uint8_t kTlsAlertCertificateExpired = 45;
 const uint8_t kTlsAlertIllegalParameter = 47;
 const uint8_t kTlsAlertDecodeError = 50;
 const uint8_t kTlsAlertDecryptError = 51;
@@ -60,7 +55,7 @@ const uint8_t kTlsAlertUnrecognizedName = 112;
 const uint8_t kTlsAlertNoApplicationProtocol = 120;
 
 const uint8_t kTlsFakeChangeCipherSpec[] = {
-    kTlsChangeCipherSpecType,  // Type
+    ssl_ct_change_cipher_spec,  // Type
     0xfe,
     0xff,  // Version
     0x00,
diff --git a/security/nss/doc/certutil.xml b/security/nss/doc/certutil.xml
index 4622c75e4..5c3b3501a 100644
--- a/security/nss/doc/certutil.xml
+++ b/security/nss/doc/certutil.xml
@@ -84,7 +84,7 @@
 
       <varlistentry>
         <term>-F</term>
-        <listitem><para>Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the 
+        <listitem><para>Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument or the -k argument. Specify the database from which to delete the key with the
 <option>-d</option> argument.
 </para>
 <para>
@@ -258,7 +258,8 @@ Add one or multiple extensions that certutil cannot encode yet, by loading their
 
       <varlistentry>
         <term>-h tokenname</term>
-        <listitem><para>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</para></listitem>
+        <listitem><para>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</para>
+	<para>The name can also be a PKCS #11 URI. For example, the NSS internal certificate store can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB". For details about the format, see RFC 7512.</para></listitem>
       </varlistentry>
 
      <varlistentry>
@@ -292,7 +293,8 @@ Add one or multiple extensions that certutil cannot encode yet, by loading their
 
       <varlistentry>
         <term>-n nickname</term>
-        <listitem><para>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</para></listitem>
+        <listitem><para>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</para>
+	<para>The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -1017,9 +1019,11 @@ certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and
 
     slot: NSS User Private Key and Certificate Services                  
    token: NSS Certificate DB
+     uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 
     slot: NSS Internal Cryptographic Services                            
-   token: NSS Generic Crypto Services</programlisting>
+   token: NSS Generic Crypto Services
+     uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203</programlisting>
 
 	<para><command>Adding Certificates to the Database</command></para>
 	<para>
diff --git a/security/nss/doc/html/certutil.html b/security/nss/doc/html/certutil.html
index 902d1309a..bacb2a5f5 100644
--- a/security/nss/doc/html/certutil.html
+++ b/security/nss/doc/html/certutil.html
@@ -1,8 +1,8 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm140440587239488"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
-    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">--rename </span></dt><dd><p>Change the database nickname of a certificate.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the 
-<code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname. 
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm46274732654912"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">--rename </span></dt><dd><p>Change the database nickname of a certificate.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument or the -k argument. Specify the database from which to delete the key with the
+<code class="option">-d</code> argument.
 </p><p>
-When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname. </p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database.
+Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair.</p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database.
 Use the -h tokenname argument to specify the certificate database on a particular hardware or software token.</p></dd><dt><span class="term">-M </span></dt><dd><p>Modify a certificate's trust attributes using the values of the -t argument.</p></dd><dt><span class="term">-N</span></dt><dd><p>Create new certificate and key databases.</p></dd><dt><span class="term">-O </span></dt><dd><p>Print the certificate chain.</p></dd><dt><span class="term">-R</span></dt><dd><p>Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument.
 
 Use the -a argument to specify ASCII output.</p></dd><dt><span class="term">-S </span></dt><dd><p>Create an individual certificate and add it to a certificate database.</p></dd><dt><span class="term">-T </span></dt><dd><p>Reset the key database or token.</p></dd><dt><span class="term">-U </span></dt><dd><p>List all available modules or print a single named module.</p></dd><dt><span class="term">-V </span></dt><dd><p>Check the validity of a certificate and its attributes.</p></dd><dt><span class="term">-W </span></dt><dd><p>Change the password to a key database.</p></dd><dt><span class="term">--merge</span></dt><dd><p>Merge two databases into one.</p></dd><dt><span class="term">--upgrade-merge</span></dt><dd><p>Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (<code class="filename">cert8.db</code> and <code class="filename">key3.db</code>) into the newer SQLite databases (<code class="filename">cert9.db</code> and <code class="filename">key4.db</code>).</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Arguments modify a command option and are usually lower case, numbers, or symbols.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-a</span></dt><dd><p>Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113. 
@@ -14,13 +14,13 @@ If this option is not used, the validity check defaults to the current system ti
 Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files.
            </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>OID (example): 1.2.3.4</p></li><li class="listitem"><p>critical-flag: critical or not-critical</p></li><li class="listitem"><p>filename: full path to a file containing an encoded extension</p></li></ul></div></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate 
  or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent 
- unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 2048 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key.</p><p>
+ unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 2048 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</p><p>The name can also be a PKCS #11 URI. For example, the NSS internal certificate store can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB". For details about the format, see RFC 7512.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key.</p><p>
            The valid key type options are rsa, dsa, ec, or all. The default 
            value is rsa. Specifying the type of key can avoid mistakes caused by
            duplicate nicknames. Giving a key type generates a new key pair; 
            giving the ID of an existing key reuses that key pair (which is 
            required to renew certificates).
-          </p></dd><dt><span class="term">-l </span></dt><dd><p>Display detailed information when validating a certificate with the -V option.</p></dd><dt><span class="term">-m serial-number</span></dt><dd><p>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers </p></dd><dt><span class="term">-n nickname</span></dt><dd><p>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-o output-file</span></dt><dd><p>Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.</p></dd><dt><span class="term">-P dbPrefix</span></dt><dd><p>Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.</p></dd><dt><span class="term">-p phone</span></dt><dd><p>Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-q pqgfile or curve-name</span></dt><dd><p>Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, <span class="command"><strong>certutil</strong></span> generates its own PQG value. PQG files are created with a separate DSA utility.</p><p>Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.</p><p>
+          </p></dd><dt><span class="term">-l </span></dt><dd><p>Display detailed information when validating a certificate with the -V option.</p></dd><dt><span class="term">-m serial-number</span></dt><dd><p>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers </p></dd><dt><span class="term">-n nickname</span></dt><dd><p>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</p><p>The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.</p></dd><dt><span class="term">-o output-file</span></dt><dd><p>Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.</p></dd><dt><span class="term">-P dbPrefix</span></dt><dd><p>Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.</p></dd><dt><span class="term">-p phone</span></dt><dd><p>Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-q pqgfile or curve-name</span></dt><dd><p>Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, <span class="command"><strong>certutil</strong></span> generates its own PQG value. PQG files are created with a separate DSA utility.</p><p>Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.</p><p>
            If a token is available that supports more curves, the foolowing curves are supported as well:
            sect163k1, nistk163, sect163r1, sect163r2,
            nistb163,  sect193r1, sect193r2, sect233k1, nistk233,
@@ -277,9 +277,11 @@ certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and
 
     slot: NSS User Private Key and Certificate Services                  
    token: NSS Certificate DB
+     uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 
     slot: NSS Internal Cryptographic Services                            
-   token: NSS Generic Crypto Services</pre><p><span class="command"><strong>Adding Certificates to the Database</strong></span></p><p>
+   token: NSS Generic Crypto Services
+     uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203</pre><p><span class="command"><strong>Adding Certificates to the Database</strong></span></p><p>
 		Existing certificates or certificate requests can be added manually to the certificate database, even if they were generated elsewhere. This uses the <code class="option">-A</code> command option.
 	</p><pre class="programlisting">certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-file]</pre><p>
 		For example:
diff --git a/security/nss/doc/html/modutil.html b/security/nss/doc/html/modutil.html
index 5c53b0a62..b1adbf212 100644
--- a/security/nss/doc/html/modutil.html
+++ b/security/nss/doc/html/modutil.html
@@ -1,4 +1,4 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>MODUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="MODUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">MODUTIL</th></tr></table><hr></div><div class="refentry"><a name="modutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>modutil — Manage PKCS #11 module information within the security module database.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">modutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm233245929376"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>MODUTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="MODUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">MODUTIL</th></tr></table><hr></div><div class="refentry"><a name="modutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>modutil — Manage PKCS #11 module information within the security module database.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">modutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm45295675968160"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
     </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Security Module Database Tool, <span class="command"><strong>modutil</strong></span>, is a command-line utility for managing PKCS #11 module information both within <code class="filename">secmod.db</code> files and within hardware tokens. <span class="command"><strong>modutil</strong></span> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</p><p>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><p>
 		Running <span class="command"><strong>modutil</strong></span> always requires one (and only one) option to specify the type of module operation. Each option may take arguments, anywhere from none to multiple arguments.
 	</p><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-add modulename</span></dt><dd><p>Add the named PKCS #11 module to the database. Use this option with the <code class="option">-libfile</code>, <code class="option">-ciphers</code>, and <code class="option">-mechanisms</code> arguments.</p></dd><dt><span class="term">-changepw tokenname</span></dt><dd><p>Change the password on the named token. If the token has not been initialized, this option initializes the password. Use this option with the <code class="option">-pwfile</code> and <code class="option">-newpwfile</code> arguments. A <span class="emphasis"><em>password</em></span> is equivalent to a personal identification number (PIN).</p></dd><dt><span class="term">-chkfips</span></dt><dd><p>Verify whether the module is in the given FIPS mode. <span class="command"><strong>true</strong></span> means to verify that the module is in FIPS mode, while <span class="command"><strong>false</strong></span> means to verify that the module is not in FIPS mode.</p></dd><dt><span class="term">-create</span></dt><dd><p>Create new certificate, key, and module databases. Use the <code class="option">-dbdir</code> directory argument to specify a directory. If any of these databases already exist in a specified directory, <span class="command"><strong>modutil</strong></span> returns an error message.</p></dd><dt><span class="term">-default modulename</span></dt><dd><p>Specify the security mechanisms for which the named module will be a default provider. The security mechanisms are specified with the <code class="option">-mechanisms</code> argument.</p></dd><dt><span class="term">-delete modulename</span></dt><dd><p>Delete the named module. The default NSS PKCS #11 module cannot be deleted.</p></dd><dt><span class="term">-disable modulename</span></dt><dd><p>Disable all slots on the named module. Use the <code class="option">-slot</code> argument to disable a specific slot.</p><p>The internal NSS PKCS #11 module cannot be disabled.</p></dd><dt><span class="term">-enable modulename</span></dt><dd><p>Enable all slots on the named module. Use the <code class="option">-slot</code> argument to enable a specific slot.</p></dd><dt><span class="term">-fips [true | false]</span></dt><dd><p>Enable (true) or disable (false) FIPS 140-2 compliance for the default NSS module.</p></dd><dt><span class="term">-force</span></dt><dd><p>Disable <span class="command"><strong>modutil</strong></span>'s interactive prompts so it can be run from a script. Use this option only after manually testing each planned operation to check for warnings and to ensure that bypassing the prompts will cause no security lapses or loss of database integrity.</p></dd><dt><span class="term">-jar JAR-file</span></dt><dd><p>Add a new PKCS #11 module to the database using the named JAR file. Use this command with the <code class="option">-installdir</code> and <code class="option">-tempdir</code> arguments. The JAR file uses the NSS PKCS #11 JAR format to identify all the files to be installed, the module's name, the mechanism flags, and the cipher flags, as well as any files to be installed on the target machine, including the PKCS #11 module library file and other files such as documentation. This is covered in the JAR installation file section in the man page, which details the special script needed to perform an installation through a server or with <span class="command"><strong>modutil</strong></span>. </p></dd><dt><span class="term">-list [modulename]</span></dt><dd><p>Display basic information about the contents of the <code class="filename">secmod.db</code> file. Specifying a <span class="emphasis"><em>modulename</em></span> displays detailed information about a particular module and its slots and tokens.</p></dd><dt><span class="term">-rawadd</span></dt><dd><p>Add the module spec string to the <code class="filename">secmod.db</code> database.</p></dd><dt><span class="term">-rawlist</span></dt><dd><p>Display the module specs for a specified module or for all loadable modules.</p></dd><dt><span class="term">-undefault modulename</span></dt><dd><p>Specify the security mechanisms for which the named module will not be a default provider. The security mechanisms are specified with the <code class="option">-mechanisms</code> argument.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">MODULE</span></dt><dd><p>Give the security module to access.</p></dd><dt><span class="term">MODULESPEC</span></dt><dd><p>Give the security module spec to load into the security database.</p></dd><dt><span class="term">-ciphers cipher-enable-list</span></dt><dd><p>Enable specific ciphers in a module that is being added to the database. The <span class="emphasis"><em>cipher-enable-list</em></span> is a colon-delimited list of cipher names. Enclose this list in quotation marks if it contains spaces.</p></dd><dt><span class="term">-dbdir [sql:]directory</span></dt><dd><p>Specify the database directory in which to access or create security module database files.</p><p><span class="command"><strong>modutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">--dbprefix prefix</span></dt><dd><p>Specify the prefix used on the database files, such as <code class="filename">my_</code> for <code class="filename">my_cert8.db</code>. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-installdir root-installation-directory</span></dt><dd><p>Specify the root installation directory relative to which files will be installed by the <code class="option">-jar</code> option. This directory should be one below which it is appropriate to store dynamic library files, such as a server's root directory.</p></dd><dt><span class="term">-libfile library-file</span></dt><dd><p>Specify a path to a library file containing the implementation of the PKCS #11 interface module that is being added to the database.</p></dd><dt><span class="term">-mechanisms mechanism-list</span></dt><dd><p>Specify the security mechanisms for which a particular module will be flagged as a default provider. The <span class="emphasis"><em>mechanism-list</em></span> is a colon-delimited list of mechanism names. Enclose this list in quotation marks if it contains spaces.</p><p>The module becomes a default provider for the listed mechanisms when those mechanisms are enabled. If more than one module claims to be a particular mechanism's default provider, that mechanism's default provider is undefined.</p><p><span class="command"><strong>modutil</strong></span> supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES, DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for random number generation), and FRIENDLY (meaning certificates are publicly readable).</p></dd><dt><span class="term">-newpwfile new-password-file</span></dt><dd><p>Specify a text file containing a token's new or replacement password so that a password can be entered automatically with the <code class="option">-changepw</code> option.</p></dd><dt><span class="term">-nocertdb</span></dt><dd><p>Do not open the certificate or key databases. This has several effects:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>With the <code class="option">-create</code> command, only a module security file is created; certificate and key databases are not created.</p></li><li class="listitem"><p>With the <code class="option">-jar</code> command, signatures on the JAR file are not checked.</p></li><li class="listitem"><p>With the <code class="option">-changepw</code> command, the password on the NSS internal module cannot be set or changed, since this password is stored in the key database.</p></li></ul></div></dd><dt><span class="term">-pwfile old-password-file</span></dt><dd><p>Specify a text file containing a token's existing password so that a password can be entered automatically when the <code class="option">-changepw</code> option is used to change passwords.</p></dd><dt><span class="term">-secmod secmodname</span></dt><dd><p>Give the name of the security module database (like <code class="filename">secmod.db</code>) to load.</p></dd><dt><span class="term">-slot slotname</span></dt><dd><p>Specify a particular slot to be enabled or disabled with the <code class="option">-enable</code> or <code class="option">-disable</code> options.</p></dd><dt><span class="term">-string CONFIG_STRING</span></dt><dd><p>Pass a configuration string for the module being added to the database.</p></dd><dt><span class="term">-tempdir temporary-directory</span></dt><dd><p>Give a directory location where temporary files are created during the installation by the <code class="option">-jar</code> option. If no temporary directory is specified, the current directory is used.</p></dd></dl></div></div><div class="refsection"><a name="usage-and-examples"></a><h2>Usage and Examples</h2><p><span class="command"><strong>Creating Database Files</strong></span></p><p>Before any operations can be performed, there must be a set of security databases available. <span class="command"><strong>modutil</strong></span> can be used to create these files. The only required argument is the database that where the databases will be located.</p><pre class="programlisting">modutil -create -dbdir [sql:]directory</pre><p><span class="command"><strong>Adding a Cryptographic Module</strong></span></p><p>Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms. This can be done by supplying all of the information through <span class="command"><strong>modutil</strong></span> directly or by running a JAR file and install script. For the most basic case, simply upload the library:</p><pre class="programlisting">modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list] </pre><p>For example:
@@ -63,9 +63,11 @@ Listing of PKCS #11 Modules
 
          slot: NSS Internal Cryptographic Services                            
         token: NSS Generic Crypto Services
+	  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 
          slot: NSS User Private Key and Certificate Services                  
         token: NSS Certificate DB
+	  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 -----------------------------------------------------------</pre><p>Passing a specific module name with the <code class="option">-list</code> returns details information about the module itself, like supported cipher mechanisms, version numbers, serial numbers, and other information about the module and the token it is loaded on. For example:</p><pre class="programlisting"> modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/home/my/sharednssdb
 
 -----------------------------------------------------------
diff --git a/security/nss/doc/html/pk12util.html b/security/nss/doc/html/pk12util.html
index 94dbf51e9..d773136c4 100644
--- a/security/nss/doc/html/pk12util.html
+++ b/security/nss/doc/html/pk12util.html
@@ -1,5 +1,5 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PK12UTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="PK12UTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PK12UTIL</th></tr></table><hr></div><div class="refentry"><a name="pk12util"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pk12util</code>  [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p></div></div><div class="refsection"><a name="idm139975398059856"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
-    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The PKCS #12 utility, <span class="command"><strong>pk12util</strong></span>, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-i p12file</span></dt><dd><p>Import keys and certificates from a PKCS #12 file into a security database.</p></dd><dt><span class="term">-l p12file</span></dt><dd><p>List the keys and certificates in PKCS #12 file.</p></dd><dt><span class="term">-o p12file</span></dt><dd><p>Export keys and certificates from the security database to a PKCS #12 file.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-c keyCipher</span></dt><dd><p>Specify the key encryption algorithm.</p></dd><dt><span class="term">-C certCipher</span></dt><dd><p>Specify the certiticate encryption algorithm.</p></dd><dt><span class="term">-d [sql:]directory</span></dt><dd><p>Specify the database directory into which to import to or export from certificates and keys.</p><p><span class="command"><strong>pk12util</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of the token to import into or export from.</p></dd><dt><span class="term">-k slotPasswordFile</span></dt><dd><p>Specify the text file containing the slot's password.</p></dd><dt><span class="term">-K slotPassword</span></dt><dd><p>Specify the slot's password.</p></dd><dt><span class="term">-m | --key-len  keyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the private key.</p></dd><dt><span class="term">-n | --cert-key-len  certKeyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</p></dd><dt><span class="term">-n certname</span></dt><dd><p>Specify the nickname of the cert and private key to export.</p></dd><dt><span class="term">-P prefix</span></dt><dd><p>Specify the prefix used on the certificate and key databases. This option is provided as a special case. 
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PK12UTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="PK12UTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PK12UTIL</th></tr></table><hr></div><div class="refentry"><a name="pk12util"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pk12util</code>  [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p></div></div><div class="refsection"><a name="idm45659476549872"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The PKCS #12 utility, <span class="command"><strong>pk12util</strong></span>, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-i p12file</span></dt><dd><p>Import keys and certificates from a PKCS #12 file into a security database.</p></dd><dt><span class="term">-l p12file</span></dt><dd><p>List the keys and certificates in PKCS #12 file.</p></dd><dt><span class="term">-o p12file</span></dt><dd><p>Export keys and certificates from the security database to a PKCS #12 file.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-c keyCipher</span></dt><dd><p>Specify the key encryption algorithm.</p></dd><dt><span class="term">-C certCipher</span></dt><dd><p>Specify the certiticate encryption algorithm.</p></dd><dt><span class="term">-d [sql:]directory</span></dt><dd><p>Specify the database directory into which to import to or export from certificates and keys.</p><p><span class="command"><strong>pk12util</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of the token to import into or export from.</p></dd><dt><span class="term">-k slotPasswordFile</span></dt><dd><p>Specify the text file containing the slot's password.</p></dd><dt><span class="term">-K slotPassword</span></dt><dd><p>Specify the slot's password.</p></dd><dt><span class="term">-m | --key-len  keyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the private key.</p></dd><dt><span class="term">-n | --cert-key-len  certKeyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</p></dd><dt><span class="term">-n certname</span></dt><dd><p>Specify the nickname of the cert and private key to export.</p><p>The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.</p></dd><dt><span class="term">-P prefix</span></dt><dd><p>Specify the prefix used on the certificate and key databases. This option is provided as a special case. 
           Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-r</span></dt><dd><p>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</p></dd><dt><span class="term">-v </span></dt><dd><p>Enable debug logging when importing.</p></dd><dt><span class="term">-w p12filePasswordFile</span></dt><dd><p>Specify the text file containing the pkcs #12 file password.</p></dd><dt><span class="term">-W p12filePassword</span></dt><dd><p>Specify the pkcs #12 file password.</p></dd></dl></div></div><div class="refsection"><a name="return-codes"></a><h2>Return Codes</h2><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> 0 - No error</p></li><li class="listitem"><p> 1 - User Cancelled</p></li><li class="listitem"><p> 2 - Usage error</p></li><li class="listitem"><p> 6 - NLS init error</p></li><li class="listitem"><p> 8 - Certificate DB open error</p></li><li class="listitem"><p> 9 - Key DB open error</p></li><li class="listitem"><p> 10 - File initialization error</p></li><li class="listitem"><p> 11 - Unicode conversion error</p></li><li class="listitem"><p> 12 - Temporary file creation error</p></li><li class="listitem"><p> 13 - PKCS11 get slot error</p></li><li class="listitem"><p> 14 - PKCS12 decoder start error</p></li><li class="listitem"><p> 15 - error read from import file</p></li><li class="listitem"><p> 16 - pkcs12 decode error</p></li><li class="listitem"><p> 17 - pkcs12 decoder verify error</p></li><li class="listitem"><p> 18 - pkcs12 decoder validate bags error</p></li><li class="listitem"><p> 19 - pkcs12 decoder import bags error</p></li><li class="listitem"><p> 20 - key db conversion version 3 to version 2 error</p></li><li class="listitem"><p> 21 - cert db conversion version 7 to version 5 error</p></li><li class="listitem"><p> 22 - cert and key dbs patch error</p></li><li class="listitem"><p> 23 - get default cert db error</p></li><li class="listitem"><p> 24 - find cert by nickname error</p></li><li class="listitem"><p> 25 - create export context error</p></li><li class="listitem"><p> 26 - PKCS12 add password itegrity error</p></li><li class="listitem"><p> 27 - cert and key Safes creation error</p></li><li class="listitem"><p> 28 - PKCS12 add cert and key error</p></li><li class="listitem"><p> 29 - PKCS12 encode error</p></li></ul></div></div><div class="refsection"><a name="examples"></a><h2>Examples</h2><p><span class="command"><strong>Importing Keys and Certificates</strong></span></p><p>The most basic usage of <span class="command"><strong>pk12util</strong></span> for importing a certificate or key is the PKCS #12 input file (<code class="option">-i</code>) and some way to specify the security database being accessed (either <code class="option">-d</code> for a directory or <code class="option">-h</code> for a token).
     </p><p>
     pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
diff --git a/security/nss/doc/modutil.xml b/security/nss/doc/modutil.xml
index 142aa69da..b757a8731 100644
--- a/security/nss/doc/modutil.xml
+++ b/security/nss/doc/modutil.xml
@@ -322,9 +322,11 @@ Listing of PKCS #11 Modules
 
          slot: NSS Internal Cryptographic Services                            
         token: NSS Generic Crypto Services
+	  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 
          slot: NSS User Private Key and Certificate Services                  
         token: NSS Certificate DB
+	  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 -----------------------------------------------------------</programlisting>
 	<para>Passing a specific module name with the <option>-list</option> returns details information about the module itself, like supported cipher mechanisms, version numbers, serial numbers, and other information about the module and the token it is loaded on. For example:</para>
 <programlisting> modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/home/my/sharednssdb
diff --git a/security/nss/doc/nroff/certutil.1 b/security/nss/doc/nroff/certutil.1
index 80a02fc27..b6a2e90b2 100644
--- a/security/nss/doc/nroff/certutil.1
+++ b/security/nss/doc/nroff/certutil.1
@@ -2,12 +2,12 @@
 .\"     Title: CERTUTIL
 .\"    Author: [see the "Authors" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 27 October 2017
+.\"      Date:  5 October 2017
 .\"    Manual: NSS Security Tools
 .\"    Source: nss-tools
 .\"  Language: English
 .\"
-.TH "CERTUTIL" "1" "27 October 2017" "nss-tools" "NSS Security Tools"
+.TH "CERTUTIL" "1" "5 October 2017" "nss-tools" "NSS Security Tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -92,15 +92,11 @@ Add an email certificate to the certificate database\&.
 .PP
 \-F
 .RS 4
-Delete a private key from a key database\&. Specify the key to delete with the \-n argument\&. Specify the database from which to delete the key with the
+Delete a private key and the associated certificate from a database\&. Specify the key to delete with the \-n argument or the \-k argument\&. Specify the database from which to delete the key with the
 \fB\-d\fR
-argument\&. Use the
-\fB\-k\fR
-argument to specify explicitly whether to delete a DSA, RSA, or ECC key\&. If you don\*(Aqt use the
-\fB\-k\fR
-argument, the option looks for an RSA key matching the specified nickname\&.
+argument\&.
 .sp
-When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using \-D\&. Some smart cards do not let you remove a public key you have generated\&. In such a case, only the private key is deleted from the key pair\&. You can display the public key with the command certutil \-K \-h tokenname\&.
+Some smart cards do not let you remove a public key you have generated\&. In such a case, only the private key is deleted from the key pair\&.
 .RE
 .PP
 \-G
@@ -321,6 +317,8 @@ Set a key size to use when generating new public and private key pairs\&. The mi
 \-h tokenname
 .RS 4
 Specify the name of a token to use or act on\&. If not specified the default token is the internal database slot\&.
+.sp
+The name can also be a PKCS #11 URI\&. For example, the NSS internal certificate store can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB"\&. For details about the format, see RFC 7512\&.
 .RE
 .PP
 \-i input_file
@@ -348,6 +346,8 @@ Assign a unique serial number to a certificate being created\&. This operation s
 \-n nickname
 .RS 4
 Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate\&. Bracket the nickname string with quotation marks if it contains spaces\&.
+.sp
+The nickname can also be a PKCS #11 URI\&. For example, if you have a certificate named "my\-server\-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my\-server\-cert"\&. For details about the format, see RFC 7512\&.
 .RE
 .PP
 \-o output\-file
@@ -1579,9 +1579,11 @@ $ certutil \-U \-d sql:/home/my/sharednssdb
 
     slot: NSS User Private Key and Certificate Services                  
    token: NSS Certificate DB
+     uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 
     slot: NSS Internal Cryptographic Services                            
    token: NSS Generic Crypto Services
+     uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 .fi
 .if n \{\
 .RE
diff --git a/security/nss/doc/nroff/modutil.1 b/security/nss/doc/nroff/modutil.1
index 1ce9ab2ce..a2d7fe48b 100644
--- a/security/nss/doc/nroff/modutil.1
+++ b/security/nss/doc/nroff/modutil.1
@@ -1,13 +1,13 @@
 '\" t
 .\"     Title: MODUTIL
 .\"    Author: [see the "Authors" section]
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date:  5 June 2014
+.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
+.\"      Date:  5 October 2017
 .\"    Manual: NSS Security Tools
 .\"    Source: nss-tools
 .\"  Language: English
 .\"
-.TH "MODUTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
+.TH "MODUTIL" "1" "5 October 2017" "nss-tools" "NSS Security Tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -515,9 +515,11 @@ Listing of PKCS #11 Modules
 
          slot: NSS Internal Cryptographic Services                            
         token: NSS Generic Crypto Services
+	  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 
          slot: NSS User Private Key and Certificate Services                  
         token: NSS Certificate DB
+	  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
 .fi
 .if n \{\
diff --git a/security/nss/doc/nroff/pk12util.1 b/security/nss/doc/nroff/pk12util.1
index e0a8da833..eae5d3616 100644
--- a/security/nss/doc/nroff/pk12util.1
+++ b/security/nss/doc/nroff/pk12util.1
@@ -2,12 +2,12 @@
 .\"     Title: PK12UTIL
 .\"    Author: [see the "Authors" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 27 October 2017
+.\"      Date:  5 October 2017
 .\"    Manual: NSS Security Tools
 .\"    Source: nss-tools
 .\"  Language: English
 .\"
-.TH "PK12UTIL" "1" "27 October 2017" "nss-tools" "NSS Security Tools"
+.TH "PK12UTIL" "1" "5 October 2017" "nss-tools" "NSS Security Tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -113,6 +113,8 @@ Specify the desired length of the symmetric key to be used to encrypt the certif
 \-n certname
 .RS 4
 Specify the nickname of the cert and private key to export\&.
+.sp
+The nickname can also be a PKCS #11 URI\&. For example, if you have a certificate named "my\-server\-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my\-server\-cert"\&. For details about the format, see RFC 7512\&.
 .RE
 .PP
 \-P prefix
diff --git a/security/nss/doc/pk12util.xml b/security/nss/doc/pk12util.xml
index c26794965..3f8eecf1b 100644
--- a/security/nss/doc/pk12util.xml
+++ b/security/nss/doc/pk12util.xml
@@ -114,7 +114,8 @@
 
       <varlistentry>
         <term>-n certname</term>
-        <listitem><para>Specify the nickname of the cert and private key to export.</para></listitem>
+        <listitem><para>Specify the nickname of the cert and private key to export.</para>
+	<para>The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.</para></listitem>
       </varlistentry>
 
       <varlistentry>
diff --git a/security/nss/exports.gyp b/security/nss/exports.gyp
index 907b5ac88..5cb44157f 100644
--- a/security/nss/exports.gyp
+++ b/security/nss/exports.gyp
@@ -5,9 +5,82 @@
   'includes': [
     'coreconf/config.gypi'
   ],
+  'conditions': [
+    [ 'mozpkix_only==0', {
+      'targets': [
+        {
+          'target_name': 'nss_exports',
+          'type': 'none',
+          'direct_dependent_settings': {
+            'include_dirs': [
+              '<(nss_public_dist_dir)/nss',
+            ]
+          },
+          'dependencies': [
+            'cmd/lib/exports.gyp:cmd_lib_exports',
+            'lib/base/exports.gyp:lib_base_exports',
+            'lib/certdb/exports.gyp:lib_certdb_exports',
+            'lib/certhigh/exports.gyp:lib_certhigh_exports',
+            'lib/ckfw/builtins/exports.gyp:lib_ckfw_builtins_exports',
+            'lib/ckfw/exports.gyp:lib_ckfw_exports',
+            'lib/crmf/exports.gyp:lib_crmf_exports',
+            'lib/cryptohi/exports.gyp:lib_cryptohi_exports',
+            'lib/dev/exports.gyp:lib_dev_exports',
+            'lib/freebl/exports.gyp:lib_freebl_exports',
+            'lib/jar/exports.gyp:lib_jar_exports',
+            'lib/nss/exports.gyp:lib_nss_exports',
+            'lib/pk11wrap/exports.gyp:lib_pk11wrap_exports',
+            'lib/pkcs12/exports.gyp:lib_pkcs12_exports',
+            'lib/pkcs7/exports.gyp:lib_pkcs7_exports',
+            'lib/pki/exports.gyp:lib_pki_exports',
+            'lib/smime/exports.gyp:lib_smime_exports',
+            'lib/softoken/exports.gyp:lib_softoken_exports',
+            'lib/sqlite/exports.gyp:lib_sqlite_exports',
+            'lib/ssl/exports.gyp:lib_ssl_exports',
+            'lib/util/exports.gyp:lib_util_exports',
+            'lib/zlib/exports.gyp:lib_zlib_exports',
+          ],
+          'conditions': [
+            [ 'disable_libpkix==0', {
+              'dependencies': [
+                'lib/libpkix/include/exports.gyp:lib_libpkix_include_exports',
+                'lib/libpkix/pkix/certsel/exports.gyp:lib_libpkix_pkix_certsel_exports',
+                'lib/libpkix/pkix/checker/exports.gyp:lib_libpkix_pkix_checker_exports',
+                'lib/libpkix/pkix/crlsel/exports.gyp:lib_libpkix_pkix_crlsel_exports',
+                'lib/libpkix/pkix/params/exports.gyp:lib_libpkix_pkix_params_exports',
+                'lib/libpkix/pkix/results/exports.gyp:lib_libpkix_pkix_results_exports',
+                'lib/libpkix/pkix/store/exports.gyp:lib_libpkix_pkix_store_exports',
+                'lib/libpkix/pkix/top/exports.gyp:lib_libpkix_pkix_top_exports',
+                'lib/libpkix/pkix/util/exports.gyp:lib_libpkix_pkix_util_exports',
+                'lib/libpkix/pkix_pl_nss/module/exports.gyp:lib_libpkix_pkix_pl_nss_module_exports',
+                'lib/libpkix/pkix_pl_nss/pki/exports.gyp:lib_libpkix_pkix_pl_nss_pki_exports',
+                'lib/libpkix/pkix_pl_nss/system/exports.gyp:lib_libpkix_pkix_pl_nss_system_exports',
+              ],
+            }],
+          ],
+        },
+        {
+          'target_name': 'dbm_exports',
+          'type': 'none',
+          'conditions': [
+            ['disable_dbm==0', {
+              'direct_dependent_settings': {
+                'include_dirs': [
+                  '<(nss_public_dist_dir)/dbm'
+                ]
+              },
+              'dependencies': [
+                'lib/dbm/include/exports.gyp:lib_dbm_include_exports'
+              ],
+            }],
+          ],
+        }
+      ],
+    }],
+  ],
   'targets': [
     {
-      'target_name': 'nss_exports',
+      'target_name': 'nss_mozpkix_exports',
       'type': 'none',
       'direct_dependent_settings': {
         'include_dirs': [
@@ -15,63 +88,9 @@
         ]
       },
       'dependencies': [
-        'cmd/lib/exports.gyp:cmd_lib_exports',
-        'lib/base/exports.gyp:lib_base_exports',
-        'lib/certdb/exports.gyp:lib_certdb_exports',
-        'lib/certhigh/exports.gyp:lib_certhigh_exports',
-        'lib/ckfw/builtins/exports.gyp:lib_ckfw_builtins_exports',
-        'lib/ckfw/exports.gyp:lib_ckfw_exports',
-        'lib/crmf/exports.gyp:lib_crmf_exports',
-        'lib/cryptohi/exports.gyp:lib_cryptohi_exports',
-        'lib/dev/exports.gyp:lib_dev_exports',
-        'lib/freebl/exports.gyp:lib_freebl_exports',
-        'lib/jar/exports.gyp:lib_jar_exports',
-        'lib/nss/exports.gyp:lib_nss_exports',
-        'lib/pk11wrap/exports.gyp:lib_pk11wrap_exports',
-        'lib/pkcs12/exports.gyp:lib_pkcs12_exports',
-        'lib/pkcs7/exports.gyp:lib_pkcs7_exports',
-        'lib/pki/exports.gyp:lib_pki_exports',
-        'lib/smime/exports.gyp:lib_smime_exports',
-        'lib/softoken/exports.gyp:lib_softoken_exports',
-        'lib/sqlite/exports.gyp:lib_sqlite_exports',
-        'lib/ssl/exports.gyp:lib_ssl_exports',
-        'lib/util/exports.gyp:lib_util_exports',
-        'lib/zlib/exports.gyp:lib_zlib_exports'
-      ],
-      'conditions': [
-        [ 'disable_libpkix==0', {
-          'dependencies': [
-            'lib/libpkix/include/exports.gyp:lib_libpkix_include_exports',
-            'lib/libpkix/pkix/certsel/exports.gyp:lib_libpkix_pkix_certsel_exports',
-            'lib/libpkix/pkix/checker/exports.gyp:lib_libpkix_pkix_checker_exports',
-            'lib/libpkix/pkix/crlsel/exports.gyp:lib_libpkix_pkix_crlsel_exports',
-            'lib/libpkix/pkix/params/exports.gyp:lib_libpkix_pkix_params_exports',
-            'lib/libpkix/pkix/results/exports.gyp:lib_libpkix_pkix_results_exports',
-            'lib/libpkix/pkix/store/exports.gyp:lib_libpkix_pkix_store_exports',
-            'lib/libpkix/pkix/top/exports.gyp:lib_libpkix_pkix_top_exports',
-            'lib/libpkix/pkix/util/exports.gyp:lib_libpkix_pkix_util_exports',
-            'lib/libpkix/pkix_pl_nss/module/exports.gyp:lib_libpkix_pkix_pl_nss_module_exports',
-            'lib/libpkix/pkix_pl_nss/pki/exports.gyp:lib_libpkix_pkix_pl_nss_pki_exports',
-            'lib/libpkix/pkix_pl_nss/system/exports.gyp:lib_libpkix_pkix_pl_nss_system_exports',
-          ],
-        }],
+        'lib/mozpkix/exports.gyp:lib_mozpkix_exports',
+        'lib/mozpkix/exports.gyp:lib_mozpkix_test_exports',
       ],
     },
-    {
-      'target_name': 'dbm_exports',
-      'type': 'none',
-      'conditions': [
-        ['disable_dbm==0', {
-          'direct_dependent_settings': {
-            'include_dirs': [
-              '<(nss_public_dist_dir)/dbm'
-            ]
-          },
-          'dependencies': [
-            'lib/dbm/include/exports.gyp:lib_dbm_include_exports'
-          ],
-        }],
-      ],
-    }
-  ]
+  ],
 }
diff --git a/security/nss/fuzz/config/git-copy.sh b/security/nss/fuzz/config/git-copy.sh
index a9e817e2a..fac8cbecf 100644
--- a/security/nss/fuzz/config/git-copy.sh
+++ b/security/nss/fuzz/config/git-copy.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-set -e
+set -ex
 
 if [ $# -lt 3 ]; then
   echo "Usage: $0 <repo> <branch> <directory>" 1>&2
@@ -28,7 +28,7 @@ fi
 
 rm -rf "$DIR"
 git init -q "$DIR"
-git -C "$DIR" fetch -q --depth=1 "$REPO" "$COMMIT":git-copy-tmp
-git -C "$DIR" reset --hard git-copy-tmp
+git -C "$DIR" fetch -q --depth=1 "$REPO" "$COMMIT"
+git -C "$DIR" reset -q --hard FETCH_HEAD
 git -C "$DIR" rev-parse --verify HEAD > "$DIR"/.git-copy
 rm -rf "$DIR"/.git
diff --git a/security/nss/fuzz/tls_server_certs.cc b/security/nss/fuzz/tls_server_certs.cc
index 705b6aab3..20732a5e0 100644
--- a/security/nss/fuzz/tls_server_certs.cc
+++ b/security/nss/fuzz/tls_server_certs.cc
@@ -8,7 +8,7 @@
 #include "ssl.h"
 
 #include "cpputil.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_server_certs.h"
 
 const uint8_t kP256ServerCert[] = {
diff --git a/security/nss/gtests/certdb_gtest/alg1485_unittest.cc b/security/nss/gtests/certdb_gtest/alg1485_unittest.cc
index ef6733092..8daa6660f 100644
--- a/security/nss/gtests/certdb_gtest/alg1485_unittest.cc
+++ b/security/nss/gtests/certdb_gtest/alg1485_unittest.cc
@@ -9,7 +9,7 @@
 #include "gtest/gtest.h"
 
 #include "nss.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "prprf.h"
 
 namespace nss_test {
diff --git a/security/nss/gtests/cryptohi_gtest/cryptohi_unittest.cc b/security/nss/gtests/cryptohi_gtest/cryptohi_unittest.cc
index ab553ee01..d690a4fec 100644
--- a/security/nss/gtests/cryptohi_gtest/cryptohi_unittest.cc
+++ b/security/nss/gtests/cryptohi_gtest/cryptohi_unittest.cc
@@ -8,7 +8,7 @@
 
 #include "gtest/gtest.h"
 
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "cryptohi.h"
 #include "secitem.h"
 #include "secerr.h"
diff --git a/security/nss/gtests/der_gtest/der_private_key_import_unittest.cc b/security/nss/gtests/der_gtest/der_private_key_import_unittest.cc
index 836cc7876..88c283317 100644
--- a/security/nss/gtests/der_gtest/der_private_key_import_unittest.cc
+++ b/security/nss/gtests/der_gtest/der_private_key_import_unittest.cc
@@ -11,7 +11,7 @@
 #include "secutil.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
diff --git a/security/nss/gtests/der_gtest/p12_import_unittest.cc b/security/nss/gtests/der_gtest/p12_import_unittest.cc
index 6ffcda348..31020231a 100644
--- a/security/nss/gtests/der_gtest/p12_import_unittest.cc
+++ b/security/nss/gtests/der_gtest/p12_import_unittest.cc
@@ -8,7 +8,7 @@
 #include "p12.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
diff --git a/security/nss/gtests/freebl_gtest/ecl_unittest.cc b/security/nss/gtests/freebl_gtest/ecl_unittest.cc
index fbad0246f..36074be82 100644
--- a/security/nss/gtests/freebl_gtest/ecl_unittest.cc
+++ b/security/nss/gtests/freebl_gtest/ecl_unittest.cc
@@ -7,7 +7,7 @@
 #include <stdint.h>
 
 #include "blapi.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "secerr.h"
 
 namespace nss_test {
diff --git a/security/nss/gtests/freebl_gtest/mpi_unittest.cc b/security/nss/gtests/freebl_gtest/mpi_unittest.cc
index 4fed1a40e..2ccb8c351 100644
--- a/security/nss/gtests/freebl_gtest/mpi_unittest.cc
+++ b/security/nss/gtests/freebl_gtest/mpi_unittest.cc
@@ -15,7 +15,7 @@
 #include "mpi.h"
 namespace nss_test {
 
-void gettime(struct timespec *tp) {
+void gettime(struct timespec* tp) {
 #ifdef __MACH__
   clock_serv_t cclock;
   mach_timespec_t mts;
@@ -69,6 +69,39 @@ class MPITest : public ::testing::Test {
     mp_clear(&b);
     mp_clear(&c);
   }
+
+  void dump(const std::string& prefix, const uint8_t* buf, size_t len) {
+    auto flags = std::cerr.flags();
+    std::cerr << prefix << ": [" << std::dec << len << "] ";
+    for (size_t i = 0; i < len; ++i) {
+      std::cerr << std::hex << std::setw(2) << std::setfill('0')
+                << static_cast<int>(buf[i]);
+    }
+    std::cerr << std::endl << std::resetiosflags(flags);
+  }
+
+  void TestToFixedOctets(const std::vector<uint8_t>& ref, size_t len) {
+    mp_int a;
+    ASSERT_EQ(MP_OKAY, mp_init(&a));
+    ASSERT_EQ(MP_OKAY, mp_read_unsigned_octets(&a, ref.data(), ref.size()));
+    uint8_t buf[len];
+    ASSERT_EQ(MP_OKAY, mp_to_fixlen_octets(&a, buf, len));
+    size_t compare;
+    if (len > ref.size()) {
+      for (size_t i = 0; i < len - ref.size(); ++i) {
+        ASSERT_EQ(0U, buf[i]) << "index " << i << " should be zero";
+      }
+      compare = ref.size();
+    } else {
+      compare = len;
+    }
+    dump("value", ref.data(), ref.size());
+    dump("output", buf, len);
+    ASSERT_EQ(0, memcmp(buf + len - compare, ref.data() + ref.size() - compare,
+                        compare))
+        << "comparing " << compare << " octets";
+    mp_clear(&a);
+  }
 };
 
 TEST_F(MPITest, MpiCmp01Test) { TestCmp("0", "1", -1); }
@@ -113,6 +146,47 @@ TEST_F(MPITest, MpiCmpUnalignedTest) {
 }
 #endif
 
+TEST_F(MPITest, MpiFixlenOctetsZero) {
+  std::vector<uint8_t> zero = {0};
+  TestToFixedOctets(zero, 1);
+  TestToFixedOctets(zero, 2);
+  TestToFixedOctets(zero, sizeof(mp_digit));
+  TestToFixedOctets(zero, sizeof(mp_digit) + 1);
+}
+
+TEST_F(MPITest, MpiFixlenOctetsVarlen) {
+  std::vector<uint8_t> packed;
+  for (size_t i = 0; i < sizeof(mp_digit) * 2; ++i) {
+    packed.push_back(0xa4);  // Any non-zero value will do.
+    TestToFixedOctets(packed, packed.size());
+    TestToFixedOctets(packed, packed.size() + 1);
+    TestToFixedOctets(packed, packed.size() + sizeof(mp_digit));
+  }
+}
+
+TEST_F(MPITest, MpiFixlenOctetsTooSmall) {
+  uint8_t buf[sizeof(mp_digit) * 3];
+  std::vector<uint8_t> ref;
+  for (size_t i = 0; i < sizeof(mp_digit) * 2; i++) {
+    ref.push_back(3);  // Any non-zero value will do.
+    dump("ref", ref.data(), ref.size());
+
+    mp_int a;
+    ASSERT_EQ(MP_OKAY, mp_init(&a));
+    ASSERT_EQ(MP_OKAY, mp_read_unsigned_octets(&a, ref.data(), ref.size()));
+#ifdef DEBUG
+    // ARGCHK maps to assert() in a debug build.
+    EXPECT_DEATH(mp_to_fixlen_octets(&a, buf, ref.size() - 1), "");
+#else
+    EXPECT_EQ(MP_BADARG, mp_to_fixlen_octets(&a, buf, ref.size() - 1));
+#endif
+    ASSERT_EQ(MP_OKAY, mp_to_fixlen_octets(&a, buf, ref.size()));
+    ASSERT_EQ(0, memcmp(buf, ref.data(), ref.size()));
+
+    mp_clear(&a);
+  }
+}
+
 // This test is slow. Disable it by default so we can run these tests on CI.
 class DISABLED_MPITest : public ::testing::Test {};
 
@@ -127,17 +201,17 @@ TEST_F(DISABLED_MPITest, MpiCmpConstTest) {
 
   mp_read_radix(
       &a,
-      const_cast<char *>(
+      const_cast<char*>(
           "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551"),
       16);
   mp_read_radix(
       &b,
-      const_cast<char *>(
+      const_cast<char*>(
           "FF0FFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551"),
       16);
   mp_read_radix(
       &c,
-      const_cast<char *>(
+      const_cast<char*>(
           "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632550"),
       16);
 
diff --git a/security/nss/gtests/freebl_gtest/rsa_unittest.cc b/security/nss/gtests/freebl_gtest/rsa_unittest.cc
index 5c667a1d1..a1453168f 100644
--- a/security/nss/gtests/freebl_gtest/rsa_unittest.cc
+++ b/security/nss/gtests/freebl_gtest/rsa_unittest.cc
@@ -21,7 +21,7 @@ struct ScopedDelete {
 typedef std::unique_ptr<RSAPrivateKey, ScopedDelete<RSAPrivateKey>>
     ScopedRSAPrivateKey;
 
-class RSANewKeyTest : public ::testing::Test {
+class RSATest : public ::testing::Test {
  protected:
   RSAPrivateKey* CreateKeyWithExponent(int keySizeInBits,
                                        unsigned char publicExponent) {
@@ -34,24 +34,24 @@ class RSANewKeyTest : public ::testing::Test {
   }
 };
 
-TEST_F(RSANewKeyTest, expOneTest) {
+TEST_F(RSATest, expOneTest) {
   ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x01));
   ASSERT_TRUE(key == nullptr);
 }
-TEST_F(RSANewKeyTest, expTwoTest) {
+TEST_F(RSATest, expTwoTest) {
   ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x02));
   ASSERT_TRUE(key == nullptr);
 }
-TEST_F(RSANewKeyTest, expFourTest) {
+TEST_F(RSATest, expFourTest) {
   ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x04));
   ASSERT_TRUE(key == nullptr);
 }
-TEST_F(RSANewKeyTest, WrongKeysizeTest) {
+TEST_F(RSATest, WrongKeysizeTest) {
   ScopedRSAPrivateKey key(CreateKeyWithExponent(2047, 0x03));
   ASSERT_TRUE(key == nullptr);
 }
 
-TEST_F(RSANewKeyTest, expThreeTest) {
+TEST_F(RSATest, expThreeTest) {
   ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x03));
 #ifdef NSS_FIPS_DISABLED
   ASSERT_TRUE(key != nullptr);
@@ -59,3 +59,39 @@ TEST_F(RSANewKeyTest, expThreeTest) {
   ASSERT_TRUE(key == nullptr);
 #endif
 }
+
+TEST_F(RSATest, DecryptBlockTestErrors) {
+  unsigned char pubExp[3] = {0x01, 0x00, 0x01};
+  SECItem exp = {siBuffer, pubExp, 3};
+  ScopedRSAPrivateKey key(RSA_NewKey(2048, &exp));
+  ASSERT_TRUE(key);
+  uint8_t out[10] = {0};
+  uint8_t in_small[100] = {0};
+  unsigned int outputLen = 0;
+  unsigned int maxOutputLen = sizeof(out);
+
+  // This should fail because input the same size as the modulus (256).
+  SECStatus rv = RSA_DecryptBlock(key.get(), out, &outputLen, maxOutputLen,
+                                  in_small, sizeof(in_small));
+  EXPECT_EQ(SECFailure, rv);
+
+  uint8_t in[256] = {0};
+  // This should fail because the padding checks will fail.
+  rv = RSA_DecryptBlock(key.get(), out, &outputLen, maxOutputLen, in,
+                        sizeof(in));
+  EXPECT_EQ(SECFailure, rv);
+  // outputLen should be maxOutputLen.
+  EXPECT_EQ(maxOutputLen, outputLen);
+
+  // This should fail because the padding checks will fail.
+  uint8_t out_long[260] = {0};
+  maxOutputLen = sizeof(out_long);
+  rv = RSA_DecryptBlock(key.get(), out_long, &outputLen, maxOutputLen, in,
+                        sizeof(in));
+  EXPECT_EQ(SECFailure, rv);
+  // outputLen should <= 256-11=245.
+  EXPECT_LE(outputLen, 245u);
+  // Everything over 256 must be 0 in the output.
+  uint8_t out_long_test[4] = {0};
+  EXPECT_EQ(0, memcmp(out_long_test, &out_long[256], 4));
+}
diff --git a/security/nss/gtests/google_test/VERSION b/security/nss/gtests/google_test/VERSION
new file mode 100644
index 000000000..bcb751e25
--- /dev/null
+++ b/security/nss/gtests/google_test/VERSION
@@ -0,0 +1,2 @@
+release-1.8.1
+2fe3bd994b3189899d93f1d5a881e725e046fdc2
diff --git a/security/nss/gtests/google_test/gtest/CMakeLists.txt b/security/nss/gtests/google_test/gtest/CMakeLists.txt
index bd78cfe67..9ee79408c 100644
--- a/security/nss/gtests/google_test/gtest/CMakeLists.txt
+++ b/security/nss/gtests/google_test/gtest/CMakeLists.txt
@@ -5,10 +5,6 @@
 # ctest.  You can select which tests to run using 'ctest -R regex'.
 # For more options, run 'ctest --help'.
 
-# BUILD_SHARED_LIBS is a standard CMake variable, but we declare it here to
-# make it prominent in the GUI.
-option(BUILD_SHARED_LIBS "Build shared libraries (DLLs)." OFF)
-
 # When other libraries are using a shared version of runtime libraries,
 # Google Test also has to use one.
 option(
@@ -22,6 +18,11 @@ option(gtest_build_samples "Build gtest's sample programs." OFF)
 
 option(gtest_disable_pthreads "Disable uses of pthreads in gtest." OFF)
 
+option(
+  gtest_hide_internal_symbols
+  "Build gtest with internal symbols hidden in shared libraries."
+  OFF)
+
 # Defines pre_project_set_up_hermetic_build() and set_up_hermetic_build().
 include(cmake/hermetic_build.cmake OPTIONAL)
 
@@ -39,25 +40,75 @@ endif()
 # as ${gtest_SOURCE_DIR} and to the root binary directory as
 # ${gtest_BINARY_DIR}.
 # Language "C" is required for find_package(Threads).
-project(gtest CXX C)
-cmake_minimum_required(VERSION 2.6.2)
+if (CMAKE_VERSION VERSION_LESS 3.0)
+  project(gtest CXX C)
+else()
+  cmake_policy(SET CMP0048 NEW)
+  project(gtest VERSION ${GOOGLETEST_VERSION} LANGUAGES CXX C)
+endif()
+cmake_minimum_required(VERSION 2.6.4)
+
+if (POLICY CMP0063) # Visibility
+  cmake_policy(SET CMP0063 NEW)
+endif (POLICY CMP0063)
 
 if (COMMAND set_up_hermetic_build)
   set_up_hermetic_build()
 endif()
 
+# These commands only run if this is the main project
+if(CMAKE_PROJECT_NAME STREQUAL "gtest" OR CMAKE_PROJECT_NAME STREQUAL "googletest-distribution")
+
+  # BUILD_SHARED_LIBS is a standard CMake variable, but we declare it here to
+  # make it prominent in the GUI.
+  option(BUILD_SHARED_LIBS "Build shared libraries (DLLs)." OFF)
+
+else()
+
+  mark_as_advanced(
+    gtest_force_shared_crt
+    gtest_build_tests
+    gtest_build_samples
+    gtest_disable_pthreads
+    gtest_hide_internal_symbols)
+
+endif()
+
+
+if (gtest_hide_internal_symbols)
+  set(CMAKE_CXX_VISIBILITY_PRESET hidden)
+  set(CMAKE_VISIBILITY_INLINES_HIDDEN 1)
+endif()
+
 # Define helper functions and macros used by Google Test.
 include(cmake/internal_utils.cmake)
 
 config_compiler_and_linker()  # Defined in internal_utils.cmake.
 
-# Where Google Test's .h files can be found.
-include_directories(
-  ${gtest_SOURCE_DIR}/include
-  ${gtest_SOURCE_DIR})
+# Create the CMake package file descriptors.
+if (INSTALL_GTEST)
+  include(CMakePackageConfigHelpers)
+  set(cmake_package_name GTest)
+  set(targets_export_name ${cmake_package_name}Targets CACHE INTERNAL "")
+  set(generated_dir "${CMAKE_CURRENT_BINARY_DIR}/generated" CACHE INTERNAL "")
+  set(cmake_files_install_dir "${CMAKE_INSTALL_LIBDIR}/cmake/${cmake_package_name}")
+  set(version_file "${generated_dir}/${cmake_package_name}ConfigVersion.cmake")
+  write_basic_package_version_file(${version_file} COMPATIBILITY AnyNewerVersion)
+  install(EXPORT ${targets_export_name}
+    NAMESPACE ${cmake_package_name}::
+    DESTINATION ${cmake_files_install_dir})
+  set(config_file "${generated_dir}/${cmake_package_name}Config.cmake")
+  configure_package_config_file("${gtest_SOURCE_DIR}/cmake/Config.cmake.in"
+    "${config_file}" INSTALL_DESTINATION ${cmake_files_install_dir})
+  install(FILES ${version_file} ${config_file}
+    DESTINATION ${cmake_files_install_dir})
+endif()
 
-# Where Google Test's libraries can be found.
-link_directories(${gtest_BINARY_DIR}/src)
+# Where Google Test's .h files can be found.
+set(gtest_build_include_dirs
+  "${gtest_SOURCE_DIR}/include"
+  "${gtest_SOURCE_DIR}")
+include_directories(${gtest_build_include_dirs})
 
 # Summary of tuple support for Microsoft Visual Studio:
 # Compiler    version(MS)  version(cmake)  Support
@@ -65,6 +116,8 @@ link_directories(${gtest_BINARY_DIR}/src)
 # <= VS 2010  <= 10        <= 1600         Use Google Tests's own tuple.
 # VS 2012     11           1700            std::tr1::tuple + _VARIADIC_MAX=10
 # VS 2013     12           1800            std::tr1::tuple
+# VS 2015     14           1900            std::tuple
+# VS 2017     15           >= 1910         std::tuple
 if (MSVC AND MSVC_VERSION EQUAL 1700)
   add_definitions(/D _VARIADIC_MAX=10)
 endif()
@@ -79,7 +132,23 @@ endif()
 # aggressive about warnings.
 cxx_library(gtest "${cxx_strict}" src/gtest-all.cc)
 cxx_library(gtest_main "${cxx_strict}" src/gtest_main.cc)
-target_link_libraries(gtest_main gtest)
+# If the CMake version supports it, attach header directory information
+# to the targets for when we are part of a parent build (ie being pulled
+# in via add_subdirectory() rather than being a standalone build).
+if (DEFINED CMAKE_VERSION AND NOT "${CMAKE_VERSION}" VERSION_LESS "2.8.11")
+  target_include_directories(gtest SYSTEM INTERFACE
+    "$<BUILD_INTERFACE:${gtest_build_include_dirs}>"
+    "$<INSTALL_INTERFACE:$<INSTALL_PREFIX>/${CMAKE_INSTALL_INCLUDEDIR}>")
+  target_include_directories(gtest_main SYSTEM INTERFACE
+    "$<BUILD_INTERFACE:${gtest_build_include_dirs}>"
+    "$<INSTALL_INTERFACE:$<INSTALL_PREFIX>/${CMAKE_INSTALL_INCLUDEDIR}>")
+endif()
+target_link_libraries(gtest_main PUBLIC gtest)
+
+########################################################################
+#
+# Install rules
+install_project(gtest gtest_main)
 
 ########################################################################
 #
@@ -121,28 +190,28 @@ if (gtest_build_tests)
   ############################################################
   # C++ tests built with standard compiler flags.
 
-  cxx_test(gtest-death-test_test gtest_main)
+  cxx_test(googletest-death-test-test gtest_main)
   cxx_test(gtest_environment_test gtest)
-  cxx_test(gtest-filepath_test gtest_main)
-  cxx_test(gtest-linked_ptr_test gtest_main)
-  cxx_test(gtest-listener_test gtest_main)
+  cxx_test(googletest-filepath-test gtest_main)
+  cxx_test(googletest-linked-ptr-test gtest_main)
+  cxx_test(googletest-listener-test gtest_main)
   cxx_test(gtest_main_unittest gtest_main)
-  cxx_test(gtest-message_test gtest_main)
+  cxx_test(googletest-message-test gtest_main)
   cxx_test(gtest_no_test_unittest gtest)
-  cxx_test(gtest-options_test gtest_main)
-  cxx_test(gtest-param-test_test gtest
-    test/gtest-param-test2_test.cc)
-  cxx_test(gtest-port_test gtest_main)
+  cxx_test(googletest-options-test gtest_main)
+  cxx_test(googletest-param-test-test gtest
+    test/googletest-param-test2-test.cc)
+  cxx_test(googletest-port-test gtest_main)
   cxx_test(gtest_pred_impl_unittest gtest_main)
   cxx_test(gtest_premature_exit_test gtest
     test/gtest_premature_exit_test.cc)
-  cxx_test(gtest-printers_test gtest_main)
+  cxx_test(googletest-printers-test gtest_main)
   cxx_test(gtest_prod_test gtest_main
     test/production.cc)
   cxx_test(gtest_repeat_test gtest)
   cxx_test(gtest_sole_header_test gtest_main)
   cxx_test(gtest_stress_test gtest)
-  cxx_test(gtest-test-part_test gtest_main)
+  cxx_test(googletest-test-part-test gtest_main)
   cxx_test(gtest_throw_on_failure_ex_test gtest)
   cxx_test(gtest-typed-test_test gtest_main
     test/gtest-typed-test2_test.cc)
@@ -164,10 +233,10 @@ if (gtest_build_tests)
 
   cxx_test_with_flags(gtest-death-test_ex_nocatch_test
     "${cxx_exception} -DGTEST_ENABLE_CATCH_EXCEPTIONS_=0"
-    gtest test/gtest-death-test_ex_test.cc)
+    gtest test/googletest-death-test_ex_test.cc)
   cxx_test_with_flags(gtest-death-test_ex_catch_test
     "${cxx_exception} -DGTEST_ENABLE_CATCH_EXCEPTIONS_=1"
-    gtest test/gtest-death-test_ex_test.cc)
+    gtest test/googletest-death-test_ex_test.cc)
 
   cxx_test_with_flags(gtest_no_rtti_unittest "${cxx_no_rtti}"
     gtest_main_no_rtti test/gtest_unittest.cc)
@@ -188,73 +257,75 @@ if (gtest_build_tests)
     cxx_library(gtest_main_use_own_tuple "${cxx_use_own_tuple}"
       src/gtest-all.cc src/gtest_main.cc)
 
-    cxx_test_with_flags(gtest-tuple_test "${cxx_use_own_tuple}"
-      gtest_main_use_own_tuple test/gtest-tuple_test.cc)
+    cxx_test_with_flags(googletest-tuple-test "${cxx_use_own_tuple}"
+      gtest_main_use_own_tuple test/googletest-tuple-test.cc)
 
     cxx_test_with_flags(gtest_use_own_tuple_test "${cxx_use_own_tuple}"
       gtest_main_use_own_tuple
-      test/gtest-param-test_test.cc test/gtest-param-test2_test.cc)
+      test/googletest-param-test-test.cc test/googletest-param-test2-test.cc)
   endif()
 
   ############################################################
   # Python tests.
 
-  cxx_executable(gtest_break_on_failure_unittest_ test gtest)
-  py_test(gtest_break_on_failure_unittest)
+  cxx_executable(googletest-break-on-failure-unittest_ test gtest)
+  py_test(googletest-break-on-failure-unittest)
 
   # Visual Studio .NET 2003 does not support STL with exceptions disabled.
   if (NOT MSVC OR MSVC_VERSION GREATER 1310)  # 1310 is Visual Studio .NET 2003
     cxx_executable_with_flags(
-      gtest_catch_exceptions_no_ex_test_
+      googletest-catch-exceptions-no-ex-test_
       "${cxx_no_exception}"
       gtest_main_no_exception
-      test/gtest_catch_exceptions_test_.cc)
+      test/googletest-catch-exceptions-test_.cc)
   endif()
 
   cxx_executable_with_flags(
-    gtest_catch_exceptions_ex_test_
+    googletest-catch-exceptions-ex-test_
     "${cxx_exception}"
     gtest_main
-    test/gtest_catch_exceptions_test_.cc)
-  py_test(gtest_catch_exceptions_test)
+    test/googletest-catch-exceptions-test_.cc)
+  py_test(googletest-catch-exceptions-test)
 
-  cxx_executable(gtest_color_test_ test gtest)
-  py_test(gtest_color_test)
+  cxx_executable(googletest-color-test_ test gtest)
+  py_test(googletest-color-test)
 
-  cxx_executable(gtest_env_var_test_ test gtest)
-  py_test(gtest_env_var_test)
+  cxx_executable(googletest-env-var-test_ test gtest)
+  py_test(googletest-env-var-test)
 
-  cxx_executable(gtest_filter_unittest_ test gtest)
-  py_test(gtest_filter_unittest)
+  cxx_executable(googletest-filter-unittest_ test gtest)
+  py_test(googletest-filter-unittest)
 
   cxx_executable(gtest_help_test_ test gtest_main)
   py_test(gtest_help_test)
 
-  cxx_executable(gtest_list_tests_unittest_ test gtest)
-  py_test(gtest_list_tests_unittest)
+  cxx_executable(googletest-list-tests-unittest_ test gtest)
+  py_test(googletest-list-tests-unittest)
 
-  cxx_executable(gtest_output_test_ test gtest)
-  py_test(gtest_output_test)
+  cxx_executable(googletest-output-test_ test gtest)
+  py_test(googletest-output-test --no_stacktrace_support)
 
-  cxx_executable(gtest_shuffle_test_ test gtest)
-  py_test(gtest_shuffle_test)
+  cxx_executable(googletest-shuffle-test_ test gtest)
+  py_test(googletest-shuffle-test)
 
   # MSVC 7.1 does not support STL with exceptions disabled.
   if (NOT MSVC OR MSVC_VERSION GREATER 1310)
-    cxx_executable(gtest_throw_on_failure_test_ test gtest_no_exception)
-    set_target_properties(gtest_throw_on_failure_test_
+    cxx_executable(googletest-throw-on-failure-test_ test gtest_no_exception)
+    set_target_properties(googletest-throw-on-failure-test_
       PROPERTIES
       COMPILE_FLAGS "${cxx_no_exception}")
-    py_test(gtest_throw_on_failure_test)
+    py_test(googletest-throw-on-failure-test)
   endif()
 
-  cxx_executable(gtest_uninitialized_test_ test gtest)
-  py_test(gtest_uninitialized_test)
+  cxx_executable(googletest-uninitialized-test_ test gtest)
+  py_test(googletest-uninitialized-test)
 
   cxx_executable(gtest_xml_outfile1_test_ test gtest_main)
   cxx_executable(gtest_xml_outfile2_test_ test gtest_main)
   py_test(gtest_xml_outfiles_test)
+  py_test(googletest-json-outfiles-test)
 
   cxx_executable(gtest_xml_output_unittest_ test gtest)
-  py_test(gtest_xml_output_unittest)
+  py_test(gtest_xml_output_unittest --no_stacktrace_support)
+  py_test(googletest-json-output-unittest --no_stacktrace_support)
 endif()
diff --git a/security/nss/gtests/google_test/gtest/Makefile.am b/security/nss/gtests/google_test/gtest/Makefile.am
index 9c96b4257..b44c8416b 100644
--- a/security/nss/gtests/google_test/gtest/Makefile.am
+++ b/security/nss/gtests/google_test/gtest/Makefile.am
@@ -34,6 +34,7 @@ EXTRA_DIST += $(GTEST_SRC)
 # Sample files that we don't compile.
 EXTRA_DIST += \
   samples/prime_tables.h \
+  samples/sample1_unittest.cc \
   samples/sample2_unittest.cc \
   samples/sample3_unittest.cc \
   samples/sample4_unittest.cc \
@@ -52,40 +53,40 @@ EXTRA_DIST += \
   test/gtest-listener_test.cc \
   test/gtest-message_test.cc \
   test/gtest-options_test.cc \
-  test/gtest-param-test2_test.cc \
-  test/gtest-param-test2_test.cc \
-  test/gtest-param-test_test.cc \
-  test/gtest-param-test_test.cc \
+  test/googletest-param-test2-test.cc \
+  test/googletest-param-test2-test.cc \
+  test/googletest-param-test-test.cc \
+  test/googletest-param-test-test.cc \
   test/gtest-param-test_test.h \
   test/gtest-port_test.cc \
   test/gtest_premature_exit_test.cc \
   test/gtest-printers_test.cc \
   test/gtest-test-part_test.cc \
-  test/gtest-tuple_test.cc \
+  test/googletest-tuple-test.cc \
   test/gtest-typed-test2_test.cc \
   test/gtest-typed-test_test.cc \
   test/gtest-typed-test_test.h \
   test/gtest-unittest-api_test.cc \
-  test/gtest_break_on_failure_unittest_.cc \
-  test/gtest_catch_exceptions_test_.cc \
-  test/gtest_color_test_.cc \
-  test/gtest_env_var_test_.cc \
+  test/googletest-break-on-failure-unittest_.cc \
+  test/googletest-catch-exceptions-test_.cc \
+  test/googletest-color-test_.cc \
+  test/googletest-env-var-test_.cc \
   test/gtest_environment_test.cc \
-  test/gtest_filter_unittest_.cc \
+  test/googletest-filter-unittest_.cc \
   test/gtest_help_test_.cc \
-  test/gtest_list_tests_unittest_.cc \
+  test/googletest-list-tests-unittest_.cc \
   test/gtest_main_unittest.cc \
   test/gtest_no_test_unittest.cc \
-  test/gtest_output_test_.cc \
+  test/googletest-output-test_.cc \
   test/gtest_pred_impl_unittest.cc \
   test/gtest_prod_test.cc \
   test/gtest_repeat_test.cc \
-  test/gtest_shuffle_test_.cc \
+  test/googletest-shuffle-test_.cc \
   test/gtest_sole_header_test.cc \
   test/gtest_stress_test.cc \
   test/gtest_throw_on_failure_ex_test.cc \
-  test/gtest_throw_on_failure_test_.cc \
-  test/gtest_uninitialized_test_.cc \
+  test/googletest-throw-on-failure-test_.cc \
+  test/googletest-uninitialized-test_.cc \
   test/gtest_unittest.cc \
   test/gtest_unittest.cc \
   test/gtest_xml_outfile1_test_.cc \
@@ -96,19 +97,19 @@ EXTRA_DIST += \
 
 # Python tests that we don't run.
 EXTRA_DIST += \
-  test/gtest_break_on_failure_unittest.py \
-  test/gtest_catch_exceptions_test.py \
-  test/gtest_color_test.py \
-  test/gtest_env_var_test.py \
-  test/gtest_filter_unittest.py \
+  test/googletest-break-on-failure-unittest.py \
+  test/googletest-catch-exceptions-test.py \
+  test/googletest-color-test.py \
+  test/googletest-env-var-test.py \
+  test/googletest-filter-unittest.py \
   test/gtest_help_test.py \
-  test/gtest_list_tests_unittest.py \
-  test/gtest_output_test.py \
-  test/gtest_output_test_golden_lin.txt \
-  test/gtest_shuffle_test.py \
+  test/googletest-list-tests-unittest.py \
+  test/googletest-output-test.py \
+  test/googletest-output-test_golden_lin.txt \
+  test/googletest-shuffle-test.py \
   test/gtest_test_utils.py \
-  test/gtest_throw_on_failure_test.py \
-  test/gtest_uninitialized_test.py \
+  test/googletest-throw-on-failure-test.py \
+  test/googletest-uninitialized-test.py \
   test/gtest_xml_outfiles_test.py \
   test/gtest_xml_output_unittest.py \
   test/gtest_xml_test_utils.py
@@ -120,16 +121,16 @@ EXTRA_DIST += \
 
 # MSVC project files
 EXTRA_DIST += \
-  msvc/gtest-md.sln \
-  msvc/gtest-md.vcproj \
-  msvc/gtest.sln \
-  msvc/gtest.vcproj \
-  msvc/gtest_main-md.vcproj \
-  msvc/gtest_main.vcproj \
-  msvc/gtest_prod_test-md.vcproj \
-  msvc/gtest_prod_test.vcproj \
-  msvc/gtest_unittest-md.vcproj \
-  msvc/gtest_unittest.vcproj
+  msvc/2010/gtest-md.sln \
+  msvc/2010/gtest-md.vcxproj \
+  msvc/2010/gtest.sln \
+  msvc/2010/gtest.vcxproj \
+  msvc/2010/gtest_main-md.vcxproj \
+  msvc/2010/gtest_main.vcxproj \
+  msvc/2010/gtest_prod_test-md.vcxproj \
+  msvc/2010/gtest_prod_test.vcxproj \
+  msvc/2010/gtest_unittest-md.vcxproj \
+  msvc/2010/gtest_unittest.vcxproj
 
 # xcode project files
 EXTRA_DIST += \
@@ -205,47 +206,79 @@ pkginclude_internal_HEADERS = \
   include/gtest/internal/gtest-param-util-generated.h \
   include/gtest/internal/gtest-param-util.h \
   include/gtest/internal/gtest-port.h \
+  include/gtest/internal/gtest-port-arch.h \
   include/gtest/internal/gtest-string.h \
   include/gtest/internal/gtest-tuple.h \
-  include/gtest/internal/gtest-type-util.h
+  include/gtest/internal/gtest-type-util.h \
+  include/gtest/internal/custom/gtest.h \
+  include/gtest/internal/custom/gtest-port.h \
+  include/gtest/internal/custom/gtest-printers.h
 
 lib_libgtest_main_la_SOURCES = src/gtest_main.cc
 lib_libgtest_main_la_LIBADD = lib/libgtest.la
 
-# Bulid rules for samples and tests. Automake's naming for some of
+# Build rules for samples and tests. Automake's naming for some of
 # these variables isn't terribly obvious, so this is a brief
 # reference:
 #
 # TESTS -- Programs run automatically by "make check"
 # check_PROGRAMS -- Programs built by "make check" but not necessarily run
 
-noinst_LTLIBRARIES = samples/libsamples.la
-
-samples_libsamples_la_SOURCES = \
-  samples/sample1.cc \
-  samples/sample1.h \
-  samples/sample2.cc \
-  samples/sample2.h \
-  samples/sample3-inl.h \
-  samples/sample4.cc \
-  samples/sample4.h
-
 TESTS=
 TESTS_ENVIRONMENT = GTEST_SOURCE_DIR="$(srcdir)/test" \
                     GTEST_BUILD_DIR="$(top_builddir)/test"
 check_PROGRAMS=
 
 # A simple sample on using gtest.
-TESTS += samples/sample1_unittest
-check_PROGRAMS += samples/sample1_unittest
-samples_sample1_unittest_SOURCES = samples/sample1_unittest.cc
+TESTS += samples/sample1_unittest \
+    samples/sample2_unittest \
+    samples/sample3_unittest \
+    samples/sample4_unittest \
+    samples/sample5_unittest \
+    samples/sample6_unittest \
+    samples/sample7_unittest \
+    samples/sample8_unittest \
+    samples/sample9_unittest \
+    samples/sample10_unittest
+check_PROGRAMS += samples/sample1_unittest \
+    samples/sample2_unittest \
+    samples/sample3_unittest \
+    samples/sample4_unittest \
+    samples/sample5_unittest \
+    samples/sample6_unittest \
+    samples/sample7_unittest \
+    samples/sample8_unittest \
+    samples/sample9_unittest \
+    samples/sample10_unittest
+
+samples_sample1_unittest_SOURCES = samples/sample1_unittest.cc samples/sample1.cc
 samples_sample1_unittest_LDADD = lib/libgtest_main.la \
-                                 lib/libgtest.la \
-                                 samples/libsamples.la
-
-# Another sample.  It also verifies that libgtest works.
-TESTS += samples/sample10_unittest
-check_PROGRAMS += samples/sample10_unittest
+                                 lib/libgtest.la
+samples_sample2_unittest_SOURCES = samples/sample2_unittest.cc samples/sample2.cc
+samples_sample2_unittest_LDADD = lib/libgtest_main.la \
+                                 lib/libgtest.la
+samples_sample3_unittest_SOURCES = samples/sample3_unittest.cc
+samples_sample3_unittest_LDADD = lib/libgtest_main.la \
+                                 lib/libgtest.la
+samples_sample4_unittest_SOURCES = samples/sample4_unittest.cc samples/sample4.cc
+samples_sample4_unittest_LDADD = lib/libgtest_main.la \
+                                 lib/libgtest.la
+samples_sample5_unittest_SOURCES = samples/sample5_unittest.cc samples/sample1.cc
+samples_sample5_unittest_LDADD = lib/libgtest_main.la \
+                                 lib/libgtest.la
+samples_sample6_unittest_SOURCES = samples/sample6_unittest.cc
+samples_sample6_unittest_LDADD = lib/libgtest_main.la \
+                                 lib/libgtest.la
+samples_sample7_unittest_SOURCES = samples/sample7_unittest.cc
+samples_sample7_unittest_LDADD = lib/libgtest_main.la \
+                                 lib/libgtest.la
+samples_sample8_unittest_SOURCES = samples/sample8_unittest.cc
+samples_sample8_unittest_LDADD = lib/libgtest_main.la \
+                                 lib/libgtest.la
+
+# Also verify that libgtest works by itself.
+samples_sample9_unittest_SOURCES = samples/sample9_unittest.cc
+samples_sample9_unittest_LDADD = lib/libgtest.la
 samples_sample10_unittest_SOURCES = samples/sample10_unittest.cc
 samples_sample10_unittest_LDADD = lib/libgtest.la
 
diff --git a/security/nss/gtests/google_test/gtest/README b/security/nss/gtests/google_test/gtest/README
deleted file mode 100644
index 404bf3b83..000000000
--- a/security/nss/gtests/google_test/gtest/README
+++ /dev/null
@@ -1,435 +0,0 @@
-Google C++ Testing Framework
-============================
-
-http://code.google.com/p/googletest/
-
-Overview
---------
-
-Google's framework for writing C++ tests on a variety of platforms
-(Linux, Mac OS X, Windows, Windows CE, Symbian, etc).  Based on the
-xUnit architecture.  Supports automatic test discovery, a rich set of
-assertions, user-defined assertions, death tests, fatal and non-fatal
-failures, various options for running the tests, and XML test report
-generation.
-
-Please see the project page above for more information as well as the
-mailing list for questions, discussions, and development.  There is
-also an IRC channel on OFTC (irc.oftc.net) #gtest available.  Please
-join us!
-
-Requirements for End Users
---------------------------
-
-Google Test is designed to have fairly minimal requirements to build
-and use with your projects, but there are some.  Currently, we support
-Linux, Windows, Mac OS X, and Cygwin.  We will also make our best
-effort to support other platforms (e.g. Solaris, AIX, and z/OS).
-However, since core members of the Google Test project have no access
-to these platforms, Google Test may have outstanding issues there.  If
-you notice any problems on your platform, please notify
-googletestframework@googlegroups.com.  Patches for fixing them are
-even more welcome!
-
-### Linux Requirements ###
-
-These are the base requirements to build and use Google Test from a source
-package (as described below):
-  * GNU-compatible Make or gmake
-  * POSIX-standard shell
-  * POSIX(-2) Regular Expressions (regex.h)
-  * A C++98-standard-compliant compiler
-
-### Windows Requirements ###
-
-  * Microsoft Visual C++ 7.1 or newer
-
-### Cygwin Requirements ###
-
-  * Cygwin 1.5.25-14 or newer
-
-### Mac OS X Requirements ###
-
-  * Mac OS X 10.4 Tiger or newer
-  * Developer Tools Installed
-
-Also, you'll need CMake 2.6.4 or higher if you want to build the
-samples using the provided CMake script, regardless of the platform.
-
-Requirements for Contributors
------------------------------
-
-We welcome patches.  If you plan to contribute a patch, you need to
-build Google Test and its own tests from an SVN checkout (described
-below), which has further requirements:
-
-  * Python version 2.3 or newer (for running some of the tests and
-    re-generating certain source files from templates)
-  * CMake 2.6.4 or newer
-
-Getting the Source
-------------------
-
-There are two primary ways of getting Google Test's source code: you
-can download a stable source release in your preferred archive format,
-or directly check out the source from our Subversion (SVN) repository.
-The SVN checkout requires a few extra steps and some extra software
-packages on your system, but lets you track the latest development and
-make patches much more easily, so we highly encourage it.
-
-### Source Package ###
-
-Google Test is released in versioned source packages which can be
-downloaded from the download page [1].  Several different archive
-formats are provided, but the only difference is the tools used to
-manipulate them, and the size of the resulting file.  Download
-whichever you are most comfortable with.
-
-  [1] http://code.google.com/p/googletest/downloads/list
-
-Once the package is downloaded, expand it using whichever tools you
-prefer for that type.  This will result in a new directory with the
-name "gtest-X.Y.Z" which contains all of the source code.  Here are
-some examples on Linux:
-
-  tar -xvzf gtest-X.Y.Z.tar.gz
-  tar -xvjf gtest-X.Y.Z.tar.bz2
-  unzip gtest-X.Y.Z.zip
-
-### SVN Checkout ###
-
-To check out the main branch (also known as the "trunk") of Google
-Test, run the following Subversion command:
-
-  svn checkout http://googletest.googlecode.com/svn/trunk/ gtest-svn
-
-Setting up the Build
---------------------
-
-To build Google Test and your tests that use it, you need to tell your
-build system where to find its headers and source files.  The exact
-way to do it depends on which build system you use, and is usually
-straightforward.
-
-### Generic Build Instructions ###
-
-Suppose you put Google Test in directory ${GTEST_DIR}.  To build it,
-create a library build target (or a project as called by Visual Studio
-and Xcode) to compile
-
-  ${GTEST_DIR}/src/gtest-all.cc
-
-with ${GTEST_DIR}/include in the system header search path and ${GTEST_DIR}
-in the normal header search path.  Assuming a Linux-like system and gcc,
-something like the following will do:
-
-  g++ -isystem ${GTEST_DIR}/include -I${GTEST_DIR} \
-      -pthread -c ${GTEST_DIR}/src/gtest-all.cc
-  ar -rv libgtest.a gtest-all.o
-
-(We need -pthread as Google Test uses threads.)
-
-Next, you should compile your test source file with
-${GTEST_DIR}/include in the system header search path, and link it
-with gtest and any other necessary libraries:
-
-  g++ -isystem ${GTEST_DIR}/include -pthread path/to/your_test.cc libgtest.a \
-      -o your_test
-
-As an example, the make/ directory contains a Makefile that you can
-use to build Google Test on systems where GNU make is available
-(e.g. Linux, Mac OS X, and Cygwin).  It doesn't try to build Google
-Test's own tests.  Instead, it just builds the Google Test library and
-a sample test.  You can use it as a starting point for your own build
-script.
-
-If the default settings are correct for your environment, the
-following commands should succeed:
-
-  cd ${GTEST_DIR}/make
-  make
-  ./sample1_unittest
-
-If you see errors, try to tweak the contents of make/Makefile to make
-them go away.  There are instructions in make/Makefile on how to do
-it.
-
-### Using CMake ###
-
-Google Test comes with a CMake build script (CMakeLists.txt) that can
-be used on a wide range of platforms ("C" stands for cross-platform.).
-If you don't have CMake installed already, you can download it for
-free from http://www.cmake.org/.
-
-CMake works by generating native makefiles or build projects that can
-be used in the compiler environment of your choice.  The typical
-workflow starts with:
-
-  mkdir mybuild       # Create a directory to hold the build output.
-  cd mybuild
-  cmake ${GTEST_DIR}  # Generate native build scripts.
-
-If you want to build Google Test's samples, you should replace the
-last command with
-
-  cmake -Dgtest_build_samples=ON ${GTEST_DIR}
-
-If you are on a *nix system, you should now see a Makefile in the
-current directory.  Just type 'make' to build gtest.
-
-If you use Windows and have Visual Studio installed, a gtest.sln file
-and several .vcproj files will be created.  You can then build them
-using Visual Studio.
-
-On Mac OS X with Xcode installed, a .xcodeproj file will be generated.
-
-### Legacy Build Scripts ###
-
-Before settling on CMake, we have been providing hand-maintained build
-projects/scripts for Visual Studio, Xcode, and Autotools.  While we
-continue to provide them for convenience, they are not actively
-maintained any more.  We highly recommend that you follow the
-instructions in the previous two sections to integrate Google Test
-with your existing build system.
-
-If you still need to use the legacy build scripts, here's how:
-
-The msvc\ folder contains two solutions with Visual C++ projects.
-Open the gtest.sln or gtest-md.sln file using Visual Studio, and you
-are ready to build Google Test the same way you build any Visual
-Studio project.  Files that have names ending with -md use DLL
-versions of Microsoft runtime libraries (the /MD or the /MDd compiler
-option).  Files without that suffix use static versions of the runtime
-libraries (the /MT or the /MTd option).  Please note that one must use
-the same option to compile both gtest and the test code.  If you use
-Visual Studio 2005 or above, we recommend the -md version as /MD is
-the default for new projects in these versions of Visual Studio.
-
-On Mac OS X, open the gtest.xcodeproj in the xcode/ folder using
-Xcode.  Build the "gtest" target.  The universal binary framework will
-end up in your selected build directory (selected in the Xcode
-"Preferences..." -> "Building" pane and defaults to xcode/build).
-Alternatively, at the command line, enter:
-
-  xcodebuild
-
-This will build the "Release" configuration of gtest.framework in your
-default build location.  See the "xcodebuild" man page for more
-information about building different configurations and building in
-different locations.
-
-If you wish to use the Google Test Xcode project with Xcode 4.x and
-above, you need to either:
- * update the SDK configuration options in xcode/Config/General.xconfig.
-   Comment options SDKROOT, MACOS_DEPLOYMENT_TARGET, and GCC_VERSION. If
-   you choose this route you lose the ability to target earlier versions
-   of MacOS X.
- * Install an SDK for an earlier version. This doesn't appear to be
-   supported by Apple, but has been reported to work
-   (http://stackoverflow.com/questions/5378518).
-
-Tweaking Google Test
---------------------
-
-Google Test can be used in diverse environments.  The default
-configuration may not work (or may not work well) out of the box in
-some environments.  However, you can easily tweak Google Test by
-defining control macros on the compiler command line.  Generally,
-these macros are named like GTEST_XYZ and you define them to either 1
-or 0 to enable or disable a certain feature.
-
-We list the most frequently used macros below.  For a complete list,
-see file include/gtest/internal/gtest-port.h.
-
-### Choosing a TR1 Tuple Library ###
-
-Some Google Test features require the C++ Technical Report 1 (TR1)
-tuple library, which is not yet available with all compilers.  The
-good news is that Google Test implements a subset of TR1 tuple that's
-enough for its own need, and will automatically use this when the
-compiler doesn't provide TR1 tuple.
-
-Usually you don't need to care about which tuple library Google Test
-uses.  However, if your project already uses TR1 tuple, you need to
-tell Google Test to use the same TR1 tuple library the rest of your
-project uses, or the two tuple implementations will clash.  To do
-that, add
-
-  -DGTEST_USE_OWN_TR1_TUPLE=0
-
-to the compiler flags while compiling Google Test and your tests.  If
-you want to force Google Test to use its own tuple library, just add
-
-  -DGTEST_USE_OWN_TR1_TUPLE=1
-
-to the compiler flags instead.
-
-If you don't want Google Test to use tuple at all, add
-
-  -DGTEST_HAS_TR1_TUPLE=0
-
-and all features using tuple will be disabled.
-
-### Multi-threaded Tests ###
-
-Google Test is thread-safe where the pthread library is available.
-After #include "gtest/gtest.h", you can check the GTEST_IS_THREADSAFE
-macro to see whether this is the case (yes if the macro is #defined to
-1, no if it's undefined.).
-
-If Google Test doesn't correctly detect whether pthread is available
-in your environment, you can force it with
-
-  -DGTEST_HAS_PTHREAD=1
-
-or
-
-  -DGTEST_HAS_PTHREAD=0
-
-When Google Test uses pthread, you may need to add flags to your
-compiler and/or linker to select the pthread library, or you'll get
-link errors.  If you use the CMake script or the deprecated Autotools
-script, this is taken care of for you.  If you use your own build
-script, you'll need to read your compiler and linker's manual to
-figure out what flags to add.
-
-### As a Shared Library (DLL) ###
-
-Google Test is compact, so most users can build and link it as a
-static library for the simplicity.  You can choose to use Google Test
-as a shared library (known as a DLL on Windows) if you prefer.
-
-To compile *gtest* as a shared library, add
-
-  -DGTEST_CREATE_SHARED_LIBRARY=1
-
-to the compiler flags.  You'll also need to tell the linker to produce
-a shared library instead - consult your linker's manual for how to do
-it.
-
-To compile your *tests* that use the gtest shared library, add
-
-  -DGTEST_LINKED_AS_SHARED_LIBRARY=1
-
-to the compiler flags.
-
-Note: while the above steps aren't technically necessary today when
-using some compilers (e.g. GCC), they may become necessary in the
-future, if we decide to improve the speed of loading the library (see
-http://gcc.gnu.org/wiki/Visibility for details).  Therefore you are
-recommended to always add the above flags when using Google Test as a
-shared library.  Otherwise a future release of Google Test may break
-your build script.
-
-### Avoiding Macro Name Clashes ###
-
-In C++, macros don't obey namespaces.  Therefore two libraries that
-both define a macro of the same name will clash if you #include both
-definitions.  In case a Google Test macro clashes with another
-library, you can force Google Test to rename its macro to avoid the
-conflict.
-
-Specifically, if both Google Test and some other code define macro
-FOO, you can add
-
-  -DGTEST_DONT_DEFINE_FOO=1
-
-to the compiler flags to tell Google Test to change the macro's name
-from FOO to GTEST_FOO.  Currently FOO can be FAIL, SUCCEED, or TEST.
-For example, with -DGTEST_DONT_DEFINE_TEST=1, you'll need to write
-
-  GTEST_TEST(SomeTest, DoesThis) { ... }
-
-instead of
-
-  TEST(SomeTest, DoesThis) { ... }
-
-in order to define a test.
-
-Upgrating from an Earlier Version
----------------------------------
-
-We strive to keep Google Test releases backward compatible.
-Sometimes, though, we have to make some breaking changes for the
-users' long-term benefits.  This section describes what you'll need to
-do if you are upgrading from an earlier version of Google Test.
-
-### Upgrading from 1.3.0 or Earlier ###
-
-You may need to explicitly enable or disable Google Test's own TR1
-tuple library.  See the instructions in section "Choosing a TR1 Tuple
-Library".
-
-### Upgrading from 1.4.0 or Earlier ###
-
-The Autotools build script (configure + make) is no longer officially
-supportted.  You are encouraged to migrate to your own build system or
-use CMake.  If you still need to use Autotools, you can find
-instructions in the README file from Google Test 1.4.0.
-
-On platforms where the pthread library is available, Google Test uses
-it in order to be thread-safe.  See the "Multi-threaded Tests" section
-for what this means to your build script.
-
-If you use Microsoft Visual C++ 7.1 with exceptions disabled, Google
-Test will no longer compile.  This should affect very few people, as a
-large portion of STL (including <string>) doesn't compile in this mode
-anyway.  We decided to stop supporting it in order to greatly simplify
-Google Test's implementation.
-
-Developing Google Test
-----------------------
-
-This section discusses how to make your own changes to Google Test.
-
-### Testing Google Test Itself ###
-
-To make sure your changes work as intended and don't break existing
-functionality, you'll want to compile and run Google Test's own tests.
-For that you can use CMake:
-
-  mkdir mybuild
-  cd mybuild
-  cmake -Dgtest_build_tests=ON ${GTEST_DIR}
-
-Make sure you have Python installed, as some of Google Test's tests
-are written in Python.  If the cmake command complains about not being
-able to find Python ("Could NOT find PythonInterp (missing:
-PYTHON_EXECUTABLE)"), try telling it explicitly where your Python
-executable can be found:
-
-  cmake -DPYTHON_EXECUTABLE=path/to/python -Dgtest_build_tests=ON ${GTEST_DIR}
-
-Next, you can build Google Test and all of its own tests.  On *nix,
-this is usually done by 'make'.  To run the tests, do
-
-  make test
-
-All tests should pass.
-
-### Regenerating Source Files ###
-
-Some of Google Test's source files are generated from templates (not
-in the C++ sense) using a script.  A template file is named FOO.pump,
-where FOO is the name of the file it will generate.  For example, the
-file include/gtest/internal/gtest-type-util.h.pump is used to generate
-gtest-type-util.h in the same directory.
-
-Normally you don't need to worry about regenerating the source files,
-unless you need to modify them.  In that case, you should modify the
-corresponding .pump files instead and run the pump.py Python script to
-regenerate them.  You can find pump.py in the scripts/ directory.
-Read the Pump manual [2] for how to use it.
-
-  [2] http://code.google.com/p/googletest/wiki/PumpManual
-
-### Contributing a Patch ###
-
-We welcome patches.  Please read the Google Test developer's guide [3]
-for how you can contribute.  In particular, make sure you have signed
-the Contributor License Agreement, or we won't be able to accept the
-patch.
-
-  [3] http://code.google.com/p/googletest/wiki/GoogleTestDevGuide
-
-Happy testing!
diff --git a/security/nss/gtests/google_test/gtest/README.md b/security/nss/gtests/google_test/gtest/README.md
new file mode 100644
index 000000000..e30fe8047
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/README.md
@@ -0,0 +1,341 @@
+### Generic Build Instructions
+
+#### Setup
+
+To build Google Test and your tests that use it, you need to tell your build
+system where to find its headers and source files. The exact way to do it
+depends on which build system you use, and is usually straightforward.
+
+#### Build
+
+Suppose you put Google Test in directory `${GTEST_DIR}`. To build it, create a
+library build target (or a project as called by Visual Studio and Xcode) to
+compile
+
+    ${GTEST_DIR}/src/gtest-all.cc
+
+with `${GTEST_DIR}/include` in the system header search path and `${GTEST_DIR}`
+in the normal header search path. Assuming a Linux-like system and gcc,
+something like the following will do:
+
+    g++ -isystem ${GTEST_DIR}/include -I${GTEST_DIR} \
+        -pthread -c ${GTEST_DIR}/src/gtest-all.cc
+    ar -rv libgtest.a gtest-all.o
+
+(We need `-pthread` as Google Test uses threads.)
+
+Next, you should compile your test source file with `${GTEST_DIR}/include` in
+the system header search path, and link it with gtest and any other necessary
+libraries:
+
+    g++ -isystem ${GTEST_DIR}/include -pthread path/to/your_test.cc libgtest.a \
+        -o your_test
+
+As an example, the make/ directory contains a Makefile that you can use to build
+Google Test on systems where GNU make is available (e.g. Linux, Mac OS X, and
+Cygwin). It doesn't try to build Google Test's own tests. Instead, it just
+builds the Google Test library and a sample test. You can use it as a starting
+point for your own build script.
+
+If the default settings are correct for your environment, the following commands
+should succeed:
+
+    cd ${GTEST_DIR}/make
+    make
+    ./sample1_unittest
+
+If you see errors, try to tweak the contents of `make/Makefile` to make them go
+away. There are instructions in `make/Makefile` on how to do it.
+
+### Using CMake
+
+Google Test comes with a CMake build script (
+[CMakeLists.txt](https://github.com/google/googletest/blob/master/CMakeLists.txt))
+that can be used on a wide range of platforms ("C" stands for cross-platform.).
+If you don't have CMake installed already, you can download it for free from
+<http://www.cmake.org/>.
+
+CMake works by generating native makefiles or build projects that can be used in
+the compiler environment of your choice. You can either build Google Test as a
+standalone project or it can be incorporated into an existing CMake build for
+another project.
+
+#### Standalone CMake Project
+
+When building Google Test as a standalone project, the typical workflow starts
+with:
+
+    mkdir mybuild       # Create a directory to hold the build output.
+    cd mybuild
+    cmake ${GTEST_DIR}  # Generate native build scripts.
+
+If you want to build Google Test's samples, you should replace the last command
+with
+
+    cmake -Dgtest_build_samples=ON ${GTEST_DIR}
+
+If you are on a \*nix system, you should now see a Makefile in the current
+directory. Just type 'make' to build gtest.
+
+If you use Windows and have Visual Studio installed, a `gtest.sln` file and
+several `.vcproj` files will be created. You can then build them using Visual
+Studio.
+
+On Mac OS X with Xcode installed, a `.xcodeproj` file will be generated.
+
+#### Incorporating Into An Existing CMake Project
+
+If you want to use gtest in a project which already uses CMake, then a more
+robust and flexible approach is to build gtest as part of that project directly.
+This is done by making the GoogleTest source code available to the main build
+and adding it using CMake's `add_subdirectory()` command. This has the
+significant advantage that the same compiler and linker settings are used
+between gtest and the rest of your project, so issues associated with using
+incompatible libraries (eg debug/release), etc. are avoided. This is
+particularly useful on Windows. Making GoogleTest's source code available to the
+main build can be done a few different ways:
+
+*   Download the GoogleTest source code manually and place it at a known
+    location. This is the least flexible approach and can make it more difficult
+    to use with continuous integration systems, etc.
+*   Embed the GoogleTest source code as a direct copy in the main project's
+    source tree. This is often the simplest approach, but is also the hardest to
+    keep up to date. Some organizations may not permit this method.
+*   Add GoogleTest as a git submodule or equivalent. This may not always be
+    possible or appropriate. Git submodules, for example, have their own set of
+    advantages and drawbacks.
+*   Use CMake to download GoogleTest as part of the build's configure step. This
+    is just a little more complex, but doesn't have the limitations of the other
+    methods.
+
+The last of the above methods is implemented with a small piece of CMake code in
+a separate file (e.g. `CMakeLists.txt.in`) which is copied to the build area and
+then invoked as a sub-build _during the CMake stage_. That directory is then
+pulled into the main build with `add_subdirectory()`. For example:
+
+New file `CMakeLists.txt.in`:
+
+    cmake_minimum_required(VERSION 2.8.2)
+
+    project(googletest-download NONE)
+
+    include(ExternalProject)
+    ExternalProject_Add(googletest
+      GIT_REPOSITORY    https://github.com/google/googletest.git
+      GIT_TAG           master
+      SOURCE_DIR        "${CMAKE_BINARY_DIR}/googletest-src"
+      BINARY_DIR        "${CMAKE_BINARY_DIR}/googletest-build"
+      CONFIGURE_COMMAND ""
+      BUILD_COMMAND     ""
+      INSTALL_COMMAND   ""
+      TEST_COMMAND      ""
+    )
+
+Existing build's `CMakeLists.txt`:
+
+    # Download and unpack googletest at configure time
+    configure_file(CMakeLists.txt.in googletest-download/CMakeLists.txt)
+    execute_process(COMMAND ${CMAKE_COMMAND} -G "${CMAKE_GENERATOR}" .
+      RESULT_VARIABLE result
+      WORKING_DIRECTORY ${CMAKE_BINARY_DIR}/googletest-download )
+    if(result)
+      message(FATAL_ERROR "CMake step for googletest failed: ${result}")
+    endif()
+    execute_process(COMMAND ${CMAKE_COMMAND} --build .
+      RESULT_VARIABLE result
+      WORKING_DIRECTORY ${CMAKE_BINARY_DIR}/googletest-download )
+    if(result)
+      message(FATAL_ERROR "Build step for googletest failed: ${result}")
+    endif()
+
+    # Prevent overriding the parent project's compiler/linker
+    # settings on Windows
+    set(gtest_force_shared_crt ON CACHE BOOL "" FORCE)
+
+    # Add googletest directly to our build. This defines
+    # the gtest and gtest_main targets.
+    add_subdirectory(${CMAKE_BINARY_DIR}/googletest-src
+                     ${CMAKE_BINARY_DIR}/googletest-build
+                     EXCLUDE_FROM_ALL)
+
+    # The gtest/gtest_main targets carry header search path
+    # dependencies automatically when using CMake 2.8.11 or
+    # later. Otherwise we have to add them here ourselves.
+    if (CMAKE_VERSION VERSION_LESS 2.8.11)
+      include_directories("${gtest_SOURCE_DIR}/include")
+    endif()
+
+    # Now simply link against gtest or gtest_main as needed. Eg
+    add_executable(example example.cpp)
+    target_link_libraries(example gtest_main)
+    add_test(NAME example_test COMMAND example)
+
+Note that this approach requires CMake 2.8.2 or later due to its use of the
+`ExternalProject_Add()` command. The above technique is discussed in more detail
+in [this separate article](http://crascit.com/2015/07/25/cmake-gtest/) which
+also contains a link to a fully generalized implementation of the technique.
+
+##### Visual Studio Dynamic vs Static Runtimes
+
+By default, new Visual Studio projects link the C runtimes dynamically but
+Google Test links them statically. This will generate an error that looks
+something like the following: gtest.lib(gtest-all.obj) : error LNK2038: mismatch
+detected for 'RuntimeLibrary': value 'MTd_StaticDebug' doesn't match value
+'MDd_DynamicDebug' in main.obj
+
+Google Test already has a CMake option for this: `gtest_force_shared_crt`
+
+Enabling this option will make gtest link the runtimes dynamically too, and
+match the project in which it is included.
+
+### Legacy Build Scripts
+
+Before settling on CMake, we have been providing hand-maintained build
+projects/scripts for Visual Studio, Xcode, and Autotools. While we continue to
+provide them for convenience, they are not actively maintained any more. We
+highly recommend that you follow the instructions in the above sections to
+integrate Google Test with your existing build system.
+
+If you still need to use the legacy build scripts, here's how:
+
+The msvc\ folder contains two solutions with Visual C++ projects. Open the
+`gtest.sln` or `gtest-md.sln` file using Visual Studio, and you are ready to
+build Google Test the same way you build any Visual Studio project. Files that
+have names ending with -md use DLL versions of Microsoft runtime libraries (the
+/MD or the /MDd compiler option). Files without that suffix use static versions
+of the runtime libraries (the /MT or the /MTd option). Please note that one must
+use the same option to compile both gtest and the test code. If you use Visual
+Studio 2005 or above, we recommend the -md version as /MD is the default for new
+projects in these versions of Visual Studio.
+
+On Mac OS X, open the `gtest.xcodeproj` in the `xcode/` folder using Xcode.
+Build the "gtest" target. The universal binary framework will end up in your
+selected build directory (selected in the Xcode "Preferences..." -> "Building"
+pane and defaults to xcode/build). Alternatively, at the command line, enter:
+
+    xcodebuild
+
+This will build the "Release" configuration of gtest.framework in your default
+build location. See the "xcodebuild" man page for more information about
+building different configurations and building in different locations.
+
+If you wish to use the Google Test Xcode project with Xcode 4.x and above, you
+need to either:
+
+*   update the SDK configuration options in xcode/Config/General.xconfig.
+    Comment options `SDKROOT`, `MACOS_DEPLOYMENT_TARGET`, and `GCC_VERSION`. If
+    you choose this route you lose the ability to target earlier versions of
+    MacOS X.
+*   Install an SDK for an earlier version. This doesn't appear to be supported
+    by Apple, but has been reported to work
+    (http://stackoverflow.com/questions/5378518).
+
+### Tweaking Google Test
+
+Google Test can be used in diverse environments. The default configuration may
+not work (or may not work well) out of the box in some environments. However,
+you can easily tweak Google Test by defining control macros on the compiler
+command line. Generally, these macros are named like `GTEST_XYZ` and you define
+them to either 1 or 0 to enable or disable a certain feature.
+
+We list the most frequently used macros below. For a complete list, see file
+[include/gtest/internal/gtest-port.h](https://github.com/google/googletest/blob/master/include/gtest/internal/gtest-port.h).
+
+### Choosing a TR1 Tuple Library
+
+Some Google Test features require the C++ Technical Report 1 (TR1) tuple
+library, which is not yet available with all compilers. The good news is that
+Google Test implements a subset of TR1 tuple that's enough for its own need, and
+will automatically use this when the compiler doesn't provide TR1 tuple.
+
+Usually you don't need to care about which tuple library Google Test uses.
+However, if your project already uses TR1 tuple, you need to tell Google Test to
+use the same TR1 tuple library the rest of your project uses, or the two tuple
+implementations will clash. To do that, add
+
+    -DGTEST_USE_OWN_TR1_TUPLE=0
+
+to the compiler flags while compiling Google Test and your tests. If you want to
+force Google Test to use its own tuple library, just add
+
+    -DGTEST_USE_OWN_TR1_TUPLE=1
+
+to the compiler flags instead.
+
+If you don't want Google Test to use tuple at all, add
+
+    -DGTEST_HAS_TR1_TUPLE=0
+
+and all features using tuple will be disabled.
+
+### Multi-threaded Tests
+
+Google Test is thread-safe where the pthread library is available. After
+`#include "gtest/gtest.h"`, you can check the `GTEST_IS_THREADSAFE` macro to see
+whether this is the case (yes if the macro is `#defined` to 1, no if it's
+undefined.).
+
+If Google Test doesn't correctly detect whether pthread is available in your
+environment, you can force it with
+
+    -DGTEST_HAS_PTHREAD=1
+
+or
+
+    -DGTEST_HAS_PTHREAD=0
+
+When Google Test uses pthread, you may need to add flags to your compiler and/or
+linker to select the pthread library, or you'll get link errors. If you use the
+CMake script or the deprecated Autotools script, this is taken care of for you.
+If you use your own build script, you'll need to read your compiler and linker's
+manual to figure out what flags to add.
+
+### As a Shared Library (DLL)
+
+Google Test is compact, so most users can build and link it as a static library
+for the simplicity. You can choose to use Google Test as a shared library (known
+as a DLL on Windows) if you prefer.
+
+To compile *gtest* as a shared library, add
+
+    -DGTEST_CREATE_SHARED_LIBRARY=1
+
+to the compiler flags. You'll also need to tell the linker to produce a shared
+library instead - consult your linker's manual for how to do it.
+
+To compile your *tests* that use the gtest shared library, add
+
+    -DGTEST_LINKED_AS_SHARED_LIBRARY=1
+
+to the compiler flags.
+
+Note: while the above steps aren't technically necessary today when using some
+compilers (e.g. GCC), they may become necessary in the future, if we decide to
+improve the speed of loading the library (see
+<http://gcc.gnu.org/wiki/Visibility> for details). Therefore you are recommended
+to always add the above flags when using Google Test as a shared library.
+Otherwise a future release of Google Test may break your build script.
+
+### Avoiding Macro Name Clashes
+
+In C++, macros don't obey namespaces. Therefore two libraries that both define a
+macro of the same name will clash if you `#include` both definitions. In case a
+Google Test macro clashes with another library, you can force Google Test to
+rename its macro to avoid the conflict.
+
+Specifically, if both Google Test and some other code define macro FOO, you can
+add
+
+    -DGTEST_DONT_DEFINE_FOO=1
+
+to the compiler flags to tell Google Test to change the macro's name from `FOO`
+to `GTEST_FOO`. Currently `FOO` can be `FAIL`, `SUCCEED`, or `TEST`. For
+example, with `-DGTEST_DONT_DEFINE_TEST=1`, you'll need to write
+
+    GTEST_TEST(SomeTest, DoesThis) { ... }
+
+instead of
+
+    TEST(SomeTest, DoesThis) { ... }
+
+in order to define a test.
diff --git a/security/nss/gtests/google_test/gtest/build-aux/.keep b/security/nss/gtests/google_test/gtest/build-aux/.keep
deleted file mode 100644
index e69de29bb..000000000
--- a/security/nss/gtests/google_test/gtest/build-aux/.keep
+++ /dev/null
diff --git a/security/nss/gtests/google_test/gtest/cmake/Config.cmake.in b/security/nss/gtests/google_test/gtest/cmake/Config.cmake.in
new file mode 100644
index 000000000..12be4498b
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/cmake/Config.cmake.in
@@ -0,0 +1,9 @@
+@PACKAGE_INIT@
+include(CMakeFindDependencyMacro)
+if (@GTEST_HAS_PTHREAD@)
+  set(THREADS_PREFER_PTHREAD_FLAG @THREADS_PREFER_PTHREAD_FLAG@)
+  find_dependency(Threads)
+endif()
+
+include("${CMAKE_CURRENT_LIST_DIR}/@targets_export_name@.cmake")
+check_required_components("@project_name@")
diff --git a/security/nss/gtests/google_test/gtest/cmake/gtest.pc.in b/security/nss/gtests/google_test/gtest/cmake/gtest.pc.in
new file mode 100644
index 000000000..e7967ad56
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/cmake/gtest.pc.in
@@ -0,0 +1,9 @@
+libdir=@CMAKE_INSTALL_FULL_LIBDIR@
+includedir=@CMAKE_INSTALL_FULL_INCLUDEDIR@
+
+Name: gtest
+Description: GoogleTest (without main() function)
+Version: @PROJECT_VERSION@
+URL: https://github.com/google/googletest
+Libs: -L${libdir} -lgtest @CMAKE_THREAD_LIBS_INIT@
+Cflags: -I${includedir} @GTEST_HAS_PTHREAD_MACRO@ @CMAKE_THREAD_LIBS_INIT@
diff --git a/security/nss/gtests/google_test/gtest/cmake/gtest_main.pc.in b/security/nss/gtests/google_test/gtest/cmake/gtest_main.pc.in
new file mode 100644
index 000000000..fe25d9c73
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/cmake/gtest_main.pc.in
@@ -0,0 +1,10 @@
+libdir=@CMAKE_INSTALL_FULL_LIBDIR@
+includedir=@CMAKE_INSTALL_FULL_INCLUDEDIR@
+
+Name: gtest_main
+Description: GoogleTest (with main() function)
+Version: @PROJECT_VERSION@
+URL: https://github.com/google/googletest
+Requires: gtest
+Libs: -L${libdir} -lgtest_main @CMAKE_THREAD_LIBS_INIT@
+Cflags: -I${includedir} @GTEST_HAS_PTHREAD_MACRO@ @CMAKE_THREAD_LIBS_INIT@
diff --git a/security/nss/gtests/google_test/gtest/cmake/internal_utils.cmake b/security/nss/gtests/google_test/gtest/cmake/internal_utils.cmake
index 93e6dbb7c..8c1f9ba99 100644
--- a/security/nss/gtests/google_test/gtest/cmake/internal_utils.cmake
+++ b/security/nss/gtests/google_test/gtest/cmake/internal_utils.cmake
@@ -20,7 +20,7 @@ macro(fix_default_compiler_settings_)
   if (MSVC)
     # For MSVC, CMake sets certain flags to defaults we want to override.
     # This replacement code is taken from sample in the CMake Wiki at
-    # http://www.cmake.org/Wiki/CMake_FAQ#Dynamic_Replace.
+    # https://gitlab.kitware.com/cmake/community/wikis/FAQ#dynamic-replace.
     foreach (flag_var
              CMAKE_CXX_FLAGS CMAKE_CXX_FLAGS_DEBUG CMAKE_CXX_FLAGS_RELEASE
              CMAKE_CXX_FLAGS_MINSIZEREL CMAKE_CXX_FLAGS_RELWITHDEBINFO)
@@ -38,6 +38,11 @@ macro(fix_default_compiler_settings_)
       # We prefer more strict warning checking for building Google Test.
       # Replaces /W3 with /W4 in defaults.
       string(REPLACE "/W3" "/W4" ${flag_var} "${${flag_var}}")
+
+      # Prevent D9025 warning for targets that have exception handling
+      # turned off (/EHs-c- flag). Where required, exceptions are explicitly
+      # re-enabled using the cxx_exception_flags variable.
+      string(REPLACE "/EHsc" "" ${flag_var} "${${flag_var}}")
     endforeach()
   endif()
 endmacro()
@@ -46,9 +51,16 @@ endmacro()
 # Google Mock.  You can tweak these definitions to suit your need.  A
 # variable's value is empty before it's explicitly assigned to.
 macro(config_compiler_and_linker)
-  if (NOT gtest_disable_pthreads)
+  # Note: pthreads on MinGW is not supported, even if available
+  # instead, we use windows threading primitives
+  unset(GTEST_HAS_PTHREAD)
+  if (NOT gtest_disable_pthreads AND NOT MINGW)
     # Defines CMAKE_USE_PTHREADS_INIT and CMAKE_THREAD_LIBS_INIT.
+    set(THREADS_PREFER_PTHREAD_FLAG ON)
     find_package(Threads)
+    if (CMAKE_USE_PTHREADS_INIT)
+      set(GTEST_HAS_PTHREAD ON)
+    endif()
   endif()
 
   fix_default_compiler_settings_()
@@ -84,10 +96,13 @@ macro(config_compiler_and_linker)
     set(cxx_base_flags "${cxx_base_flags} -D_UNICODE -DUNICODE -DWIN32 -D_WIN32")
     set(cxx_base_flags "${cxx_base_flags} -DSTRICT -DWIN32_LEAN_AND_MEAN")
     set(cxx_exception_flags "-EHsc -D_HAS_EXCEPTIONS=1")
-    set(cxx_no_exception_flags "-D_HAS_EXCEPTIONS=0")
+    set(cxx_no_exception_flags "-EHs-c- -D_HAS_EXCEPTIONS=0")
     set(cxx_no_rtti_flags "-GR-")
   elseif (CMAKE_COMPILER_IS_GNUCXX)
-    set(cxx_base_flags "-Wall -Wshadow")
+    set(cxx_base_flags "-Wall -Wshadow -Werror")
+    if(NOT CMAKE_CXX_COMPILER_VERSION VERSION_LESS 7.0.0)
+      set(cxx_base_flags "${cxx_base_flags} -Wno-error=dangling-else")
+    endif()
     set(cxx_exception_flags "-fexceptions")
     set(cxx_no_exception_flags "-fno-exceptions")
     # Until version 4.3.2, GCC doesn't define a macro to indicate
@@ -119,14 +134,16 @@ macro(config_compiler_and_linker)
     set(cxx_no_rtti_flags "")
   endif()
 
-  if (CMAKE_USE_PTHREADS_INIT)  # The pthreads library is available and allowed.
-    set(cxx_base_flags "${cxx_base_flags} -DGTEST_HAS_PTHREAD=1")
+  # The pthreads library is available and allowed?
+  if (DEFINED GTEST_HAS_PTHREAD)
+    set(GTEST_HAS_PTHREAD_MACRO "-DGTEST_HAS_PTHREAD=1")
   else()
-    set(cxx_base_flags "${cxx_base_flags} -DGTEST_HAS_PTHREAD=0")
+    set(GTEST_HAS_PTHREAD_MACRO "-DGTEST_HAS_PTHREAD=0")
   endif()
+  set(cxx_base_flags "${cxx_base_flags} ${GTEST_HAS_PTHREAD_MACRO}")
 
   # For building gtest's own tests and samples.
-  set(cxx_exception "${CMAKE_CXX_FLAGS} ${cxx_base_flags} ${cxx_exception_flags}")
+  set(cxx_exception "${cxx_base_flags} ${cxx_exception_flags}")
   set(cxx_no_exception
     "${CMAKE_CXX_FLAGS} ${cxx_base_flags} ${cxx_no_exception_flags}")
   set(cxx_default "${cxx_exception}")
@@ -146,13 +163,26 @@ function(cxx_library_with_type name type cxx_flags)
   set_target_properties(${name}
     PROPERTIES
     COMPILE_FLAGS "${cxx_flags}")
+  # Generate debug library name with a postfix.
+  set_target_properties(${name}
+    PROPERTIES
+    DEBUG_POSTFIX "d")
   if (BUILD_SHARED_LIBS OR type STREQUAL "SHARED")
     set_target_properties(${name}
       PROPERTIES
       COMPILE_DEFINITIONS "GTEST_CREATE_SHARED_LIBRARY=1")
+    if (NOT "${CMAKE_VERSION}" VERSION_LESS "2.8.11")
+      target_compile_definitions(${name} INTERFACE
+        $<INSTALL_INTERFACE:GTEST_LINKED_AS_SHARED_LIBRARY=1>)
+    endif()
   endif()
-  if (CMAKE_USE_PTHREADS_INIT)
-    target_link_libraries(${name} ${CMAKE_THREAD_LIBS_INIT})
+  if (DEFINED GTEST_HAS_PTHREAD)
+    if ("${CMAKE_VERSION}" VERSION_LESS "3.1.0")
+      set(threads_spec ${CMAKE_THREAD_LIBS_INIT})
+    else()
+      set(threads_spec Threads::Threads)
+    endif()
+    target_link_libraries(${name} PUBLIC ${threads_spec})
   endif()
 endfunction()
 
@@ -174,6 +204,10 @@ endfunction()
 # is built from the given source files with the given compiler flags.
 function(cxx_executable_with_flags name cxx_flags libs)
   add_executable(${name} ${ARGN})
+  if (MSVC AND (NOT (MSVC_VERSION LESS 1700)))  # 1700 is Visual Studio 2012.
+    # BigObj required for tests.
+    set(cxx_flags "${cxx_flags} -bigobj")
+  endif()
   if (cxx_flags)
     set_target_properties(${name}
       PROPERTIES
@@ -210,7 +244,7 @@ find_package(PythonInterp)
 # from the given source files with the given compiler flags.
 function(cxx_test_with_flags name cxx_flags libs)
   cxx_executable_with_flags(${name} "${cxx_flags}" "${libs}" ${ARGN})
-  add_test(${name} ${name})
+  add_test(NAME ${name} COMMAND ${name})
 endfunction()
 
 # cxx_test(name libs srcs...)
@@ -228,15 +262,57 @@ endfunction()
 # creates a Python test with the given name whose main module is in
 # test/name.py.  It does nothing if Python is not installed.
 function(py_test name)
-  # We are not supporting Python tests on Linux yet as they consider
-  # all Linux environments to be google3 and try to use google3 features.
   if (PYTHONINTERP_FOUND)
-    # ${CMAKE_BINARY_DIR} is known at configuration time, so we can
-    # directly bind it from cmake. ${CTEST_CONFIGURATION_TYPE} is known
-    # only at ctest runtime (by calling ctest -c <Configuration>), so
-    # we have to escape $ to delay variable substitution here.
-    add_test(${name}
-      ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/test/${name}.py
-          --build_dir=${CMAKE_CURRENT_BINARY_DIR}/\${CTEST_CONFIGURATION_TYPE})
+    if (${CMAKE_MAJOR_VERSION}.${CMAKE_MINOR_VERSION} GREATER 3.1)
+      if (CMAKE_CONFIGURATION_TYPES)
+	# Multi-configuration build generators as for Visual Studio save
+	# output in a subdirectory of CMAKE_CURRENT_BINARY_DIR (Debug,
+	# Release etc.), so we have to provide it here.
+        add_test(
+          NAME ${name}
+          COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/test/${name}.py
+              --build_dir=${CMAKE_CURRENT_BINARY_DIR}/$<CONFIG> ${ARGN})
+      else (CMAKE_CONFIGURATION_TYPES)
+	# Single-configuration build generators like Makefile generators
+	# don't have subdirs below CMAKE_CURRENT_BINARY_DIR.
+        add_test(
+          NAME ${name}
+          COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/test/${name}.py
+              --build_dir=${CMAKE_CURRENT_BINARY_DIR} ${ARGN})
+      endif (CMAKE_CONFIGURATION_TYPES)
+    else (${CMAKE_MAJOR_VERSION}.${CMAKE_MINOR_VERSION} GREATER 3.1)
+      # ${CMAKE_CURRENT_BINARY_DIR} is known at configuration time, so we can
+      # directly bind it from cmake. ${CTEST_CONFIGURATION_TYPE} is known
+      # only at ctest runtime (by calling ctest -c <Configuration>), so
+      # we have to escape $ to delay variable substitution here.
+      add_test(
+        ${name}
+        ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/test/${name}.py
+          --build_dir=${CMAKE_CURRENT_BINARY_DIR}/\${CTEST_CONFIGURATION_TYPE} ${ARGN})
+    endif (${CMAKE_MAJOR_VERSION}.${CMAKE_MINOR_VERSION} GREATER 3.1)
+  endif(PYTHONINTERP_FOUND)
+endfunction()
+
+# install_project(targets...)
+#
+# Installs the specified targets and configures the associated pkgconfig files.
+function(install_project)
+  if(INSTALL_GTEST)
+    install(DIRECTORY "${PROJECT_SOURCE_DIR}/include/"
+      DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}")
+    # Install the project targets.
+    install(TARGETS ${ARGN}
+      EXPORT ${targets_export_name}
+      RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}"
+      ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}"
+      LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}")
+    # Configure and install pkgconfig files.
+    foreach(t ${ARGN})
+      set(configured_pc "${generated_dir}/${t}.pc")
+      configure_file("${PROJECT_SOURCE_DIR}/cmake/${t}.pc.in"
+        "${configured_pc}" @ONLY)
+      install(FILES "${configured_pc}"
+        DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig")
+    endforeach()
   endif()
 endfunction()
diff --git a/security/nss/gtests/google_test/gtest/configure.ac b/security/nss/gtests/google_test/gtest/configure.ac
index cc592e158..254c8c4b3 100644
--- a/security/nss/gtests/google_test/gtest/configure.ac
+++ b/security/nss/gtests/google_test/gtest/configure.ac
@@ -5,7 +5,7 @@ m4_include(m4/acx_pthread.m4)
 # "[1.0.1]"). It also asumes that there won't be any closing parenthesis
 # between "AC_INIT(" and the closing ")" including comments and strings.
 AC_INIT([Google C++ Testing Framework],
-        [1.7.0],
+        [1.8.0],
         [googletestframework@googlegroups.com],
         [gtest])
 
diff --git a/security/nss/gtests/google_test/gtest/docs/Pkgconfig.md b/security/nss/gtests/google_test/gtest/docs/Pkgconfig.md
new file mode 100644
index 000000000..97612894d
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/docs/Pkgconfig.md
@@ -0,0 +1,146 @@
+## Using GoogleTest from various build systems ##
+
+GoogleTest comes with pkg-config files that can be used to determine all
+necessary flags for compiling and linking to GoogleTest (and GoogleMock).
+Pkg-config is a standardised plain-text format containing
+
+  * the includedir (-I) path
+  * necessary macro (-D) definitions
+  * further required flags (-pthread)
+  * the library (-L) path
+  * the library (-l) to link to
+
+All current build systems support pkg-config in one way or another. For
+all examples here we assume you want to compile the sample
+`samples/sample3_unittest.cc`.
+
+
+### CMake ###
+
+Using `pkg-config` in CMake is fairly easy:
+
+```
+cmake_minimum_required(VERSION 3.0)
+
+cmake_policy(SET CMP0048 NEW)
+project(my_gtest_pkgconfig VERSION 0.0.1 LANGUAGES CXX)
+
+find_package(PkgConfig)
+pkg_search_module(GTEST REQUIRED gtest_main)
+
+add_executable(testapp samples/sample3_unittest.cc)
+target_link_libraries(testapp ${GTEST_LDFLAGS})
+target_compile_options(testapp PUBLIC ${GTEST_CFLAGS})
+
+include(CTest)
+add_test(first_and_only_test testapp)
+```
+
+It is generally recommended that you use `target_compile_options` + `_CFLAGS`
+over `target_include_directories` + `_INCLUDE_DIRS` as the former includes not
+just -I flags (GoogleTest might require a macro indicating to internal headers
+that all libraries have been compiled with threading enabled. In addition,
+GoogleTest might also require `-pthread` in the compiling step, and as such
+splitting the pkg-config `Cflags` variable into include dirs and macros for
+`target_compile_definitions()` might still miss this). The same recommendation
+goes for using `_LDFLAGS` over the more commonplace `_LIBRARIES`, which
+happens to discard `-L` flags and `-pthread`.
+
+
+### Autotools ###
+
+Finding GoogleTest in Autoconf and using it from Automake is also fairly easy:
+
+In your `configure.ac`:
+
+```
+AC_PREREQ([2.69])
+AC_INIT([my_gtest_pkgconfig], [0.0.1])
+AC_CONFIG_SRCDIR([samples/sample3_unittest.cc])
+AC_PROG_CXX
+
+PKG_CHECK_MODULES([GTEST], [gtest_main])
+
+AM_INIT_AUTOMAKE([foreign subdir-objects])
+AC_CONFIG_FILES([Makefile])
+AC_OUTPUT
+```
+
+and in your `Makefile.am`:
+
+```
+check_PROGRAMS = testapp
+TESTS = $(check_PROGRAMS)
+
+testapp_SOURCES = samples/sample3_unittest.cc
+testapp_CXXFLAGS = $(GTEST_CFLAGS)
+testapp_LDADD = $(GTEST_LIBS)
+```
+
+
+### Meson ###
+
+Meson natively uses pkgconfig to query dependencies:
+
+```
+project('my_gtest_pkgconfig', 'cpp', version : '0.0.1')
+
+gtest_dep = dependency('gtest_main')
+
+testapp = executable(
+  'testapp',
+  files(['samples/sample3_unittest.cc']),
+  dependencies : gtest_dep,
+  install : false)
+
+test('first_and_only_test', testapp)
+```
+
+
+### Plain Makefiles ###
+
+Since `pkg-config` is a small Unix command-line utility, it can be used
+in handwritten `Makefile`s too:
+
+```
+GTEST_CFLAGS = `pkg-config --cflags gtest_main`
+GTEST_LIBS = `pkg-config --libs gtest_main`
+
+.PHONY: tests all
+
+tests: all
+	./testapp
+
+all: testapp
+
+testapp: testapp.o
+	$(CXX) $(CXXFLAGS) $(LDFLAGS) $< -o $@ $(GTEST_LIBS)
+
+testapp.o: samples/sample3_unittest.cc
+	$(CXX) $(CPPFLAGS) $(CXXFLAGS) $< -c -o $@ $(GTEST_CFLAGS)
+```
+
+
+### Help! pkg-config can't find GoogleTest! ###
+
+Let's say you have a `CMakeLists.txt` along the lines of the one in this
+tutorial and you try to run `cmake`. It is very possible that you get a
+failure along the lines of:
+
+```
+-- Checking for one of the modules 'gtest_main'
+CMake Error at /usr/share/cmake/Modules/FindPkgConfig.cmake:640 (message):
+  None of the required 'gtest_main' found
+```
+
+These failures are common if you installed GoogleTest yourself and have not
+sourced it from a distro or other package manager. If so, you need to tell
+pkg-config where it can find the `.pc` files containing the information.
+Say you installed GoogleTest to `/usr/local`, then it might be that the
+`.pc` files are installed under `/usr/local/lib64/pkgconfig`. If you set
+
+```
+export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig
+```
+
+pkg-config will also try to look in `PKG_CONFIG_PATH` to find `gtest_main.pc`.
diff --git a/security/nss/gtests/google_test/gtest/docs/PumpManual.md b/security/nss/gtests/google_test/gtest/docs/PumpManual.md
new file mode 100644
index 000000000..827bb24b0
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/docs/PumpManual.md
@@ -0,0 +1,177 @@
+
+
+<b>P</b>ump is <b>U</b>seful for <b>M</b>eta <b>P</b>rogramming.
+
+# The Problem #
+
+Template and macro libraries often need to define many classes,
+functions, or macros that vary only (or almost only) in the number of
+arguments they take. It's a lot of repetitive, mechanical, and
+error-prone work.
+
+Variadic templates and variadic macros can alleviate the problem.
+However, while both are being considered by the C++ committee, neither
+is in the standard yet or widely supported by compilers.  Thus they
+are often not a good choice, especially when your code needs to be
+portable. And their capabilities are still limited.
+
+As a result, authors of such libraries often have to write scripts to
+generate their implementation. However, our experience is that it's
+tedious to write such scripts, which tend to reflect the structure of
+the generated code poorly and are often hard to read and edit. For
+example, a small change needed in the generated code may require some
+non-intuitive, non-trivial changes in the script. This is especially
+painful when experimenting with the code.
+
+# Our Solution #
+
+Pump (for Pump is Useful for Meta Programming, Pretty Useful for Meta
+Programming, or Practical Utility for Meta Programming, whichever you
+prefer) is a simple meta-programming tool for C++. The idea is that a
+programmer writes a `foo.pump` file which contains C++ code plus meta
+code that manipulates the C++ code. The meta code can handle
+iterations over a range, nested iterations, local meta variable
+definitions, simple arithmetic, and conditional expressions. You can
+view it as a small Domain-Specific Language. The meta language is
+designed to be non-intrusive (s.t. it won't confuse Emacs' C++ mode,
+for example) and concise, making Pump code intuitive and easy to
+maintain.
+
+## Highlights ##
+
+  * The implementation is in a single Python script and thus ultra portable: no build or installation is needed and it works cross platforms.
+  * Pump tries to be smart with respect to [Google's style guide](https://github.com/google/styleguide): it breaks long lines (easy to have when they are generated) at acceptable places to fit within 80 columns and indent the continuation lines correctly.
+  * The format is human-readable and more concise than XML.
+  * The format works relatively well with Emacs' C++ mode.
+
+## Examples ##
+
+The following Pump code (where meta keywords start with `$`, `[[` and `]]` are meta brackets, and `$$` starts a meta comment that ends with the line):
+
+```
+$var n = 3     $$ Defines a meta variable n.
+$range i 0..n  $$ Declares the range of meta iterator i (inclusive).
+$for i [[
+               $$ Meta loop.
+// Foo$i does blah for $i-ary predicates.
+$range j 1..i
+template <size_t N $for j [[, typename A$j]]>
+class Foo$i {
+$if i == 0 [[
+  blah a;
+]] $elif i <= 2 [[
+  blah b;
+]] $else [[
+  blah c;
+]]
+};
+
+]]
+```
+
+will be translated by the Pump compiler to:
+
+```
+// Foo0 does blah for 0-ary predicates.
+template <size_t N>
+class Foo0 {
+  blah a;
+};
+
+// Foo1 does blah for 1-ary predicates.
+template <size_t N, typename A1>
+class Foo1 {
+  blah b;
+};
+
+// Foo2 does blah for 2-ary predicates.
+template <size_t N, typename A1, typename A2>
+class Foo2 {
+  blah b;
+};
+
+// Foo3 does blah for 3-ary predicates.
+template <size_t N, typename A1, typename A2, typename A3>
+class Foo3 {
+  blah c;
+};
+```
+
+In another example,
+
+```
+$range i 1..n
+Func($for i + [[a$i]]);
+$$ The text between i and [[ is the separator between iterations.
+```
+
+will generate one of the following lines (without the comments), depending on the value of `n`:
+
+```
+Func();              // If n is 0.
+Func(a1);            // If n is 1.
+Func(a1 + a2);       // If n is 2.
+Func(a1 + a2 + a3);  // If n is 3.
+// And so on...
+```
+
+## Constructs ##
+
+We support the following meta programming constructs:
+
+| `$var id = exp` | Defines a named constant value. `$id` is valid util the end of the current meta lexical block. |
+|:----------------|:-----------------------------------------------------------------------------------------------|
+| `$range id exp..exp` | Sets the range of an iteration variable, which can be reused in multiple loops later.          |
+| `$for id sep [[ code ]]` | Iteration. The range of `id` must have been defined earlier. `$id` is valid in `code`.         |
+| `$($)`          | Generates a single `$` character.                                                              |
+| `$id`           | Value of the named constant or iteration variable.                                             |
+| `$(exp)`        | Value of the expression.                                                                       |
+| `$if exp [[ code ]] else_branch` | Conditional.                                                                                   |
+| `[[ code ]]`    | Meta lexical block.                                                                            |
+| `cpp_code`      | Raw C++ code.                                                                                  |
+| `$$ comment`    | Meta comment.                                                                                  |
+
+**Note:** To give the user some freedom in formatting the Pump source
+code, Pump ignores a new-line character if it's right after `$for foo`
+or next to `[[` or `]]`. Without this rule you'll often be forced to write
+very long lines to get the desired output. Therefore sometimes you may
+need to insert an extra new-line in such places for a new-line to show
+up in your output.
+
+## Grammar ##
+
+```
+code ::= atomic_code*
+atomic_code ::= $var id = exp
+    | $var id = [[ code ]]
+    | $range id exp..exp
+    | $for id sep [[ code ]]
+    | $($)
+    | $id
+    | $(exp)
+    | $if exp [[ code ]] else_branch
+    | [[ code ]]
+    | cpp_code
+sep ::= cpp_code | empty_string
+else_branch ::= $else [[ code ]]
+    | $elif exp [[ code ]] else_branch
+    | empty_string
+exp ::= simple_expression_in_Python_syntax
+```
+
+## Code ##
+
+You can find the source code of Pump in [scripts/pump.py](../scripts/pump.py). It is still
+very unpolished and lacks automated tests, although it has been
+successfully used many times. If you find a chance to use it in your
+project, please let us know what you think!  We also welcome help on
+improving Pump.
+
+## Real Examples ##
+
+You can find real-world applications of Pump in [Google Test](https://github.com/google/googletest/tree/master/googletest) and [Google Mock](https://github.com/google/googletest/tree/master/googlemock). The source file `foo.h.pump` generates `foo.h`.
+
+## Tips ##
+
+  * If a meta variable is followed by a letter or digit, you can separate them using `[[]]`, which inserts an empty string. For example `Foo$j[[]]Helper` generate `Foo1Helper` when `j` is 1.
+  * To avoid extra-long Pump source lines, you can break a line anywhere you want by inserting `[[]]` followed by a new line. Since any new-line character next to `[[` or `]]` is ignored, the generated code won't contain this new line.
diff --git a/security/nss/gtests/google_test/gtest/docs/XcodeGuide.md b/security/nss/gtests/google_test/gtest/docs/XcodeGuide.md
new file mode 100644
index 000000000..1c60a33da
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/docs/XcodeGuide.md
@@ -0,0 +1,93 @@
+
+
+This guide will explain how to use the Google Testing Framework in your Xcode projects on Mac OS X. This tutorial begins by quickly explaining what to do for experienced users. After the quick start, the guide goes provides additional explanation about each step.
+
+# Quick Start #
+
+Here is the quick guide for using Google Test in your Xcode project.
+
+  1. Download the source from the [website](https://github.com/google/googletest) using this command: `svn checkout http://googletest.googlecode.com/svn/trunk/ googletest-read-only`.
+  1. Open up the `gtest.xcodeproj` in the `googletest-read-only/xcode/` directory and build the gtest.framework.
+  1. Create a new "Shell Tool" target in your Xcode project called something like "UnitTests".
+  1. Add the gtest.framework to your project and add it to the "Link Binary with Libraries" build phase of "UnitTests".
+  1. Add your unit test source code to the "Compile Sources" build phase of "UnitTests".
+  1. Edit the "UnitTests" executable and add an environment variable named "DYLD\_FRAMEWORK\_PATH" with a value equal to the path to the framework containing the gtest.framework relative to the compiled executable.
+  1. Build and Go.
+
+The following sections further explain each of the steps listed above in depth, describing in more detail how to complete it including some variations.
+
+# Get the Source #
+
+Currently, the gtest.framework discussed here isn't available in a tagged release of Google Test, it is only available in the trunk. As explained at the Google Test [site](https://github.com/google/googletest), you can get the code from anonymous SVN with this command:
+
+```
+svn checkout http://googletest.googlecode.com/svn/trunk/ googletest-read-only
+```
+
+Alternatively, if you are working with Subversion in your own code base, you can add Google Test as an external dependency to your own Subversion repository. By following this approach, everyone that checks out your svn repository will also receive a copy of Google Test (a specific version, if you wish) without having to check it out explicitly. This makes the set up of your project simpler and reduces the copied code in the repository.
+
+To use `svn:externals`, decide where you would like to have the external source reside. You might choose to put the external source inside the trunk, because you want it to be part of the branch when you make a release. However, keeping it outside the trunk in a version-tagged directory called something like `third-party/googletest/1.0.1`, is another option. Once the location is established, use `svn propedit svn:externals _directory_` to set the svn:externals property on a directory in your repository. This directory won't contain the code, but be its versioned parent directory.
+
+The command `svn propedit` will bring up your Subversion editor, making editing the long, (potentially multi-line) property simpler. This same method can be used to check out a tagged branch, by using the appropriate URL (e.g. `https://github.com/google/googletest/releases/tag/release-1.0.1`). Additionally, the svn:externals property allows the specification of a particular revision of the trunk with the `-r_##_` option (e.g. `externals/src/googletest -r60 http://googletest.googlecode.com/svn/trunk`).
+
+Here is an example of using the svn:externals properties on a trunk (read via `svn propget`) of a project. This value checks out a copy of Google Test into the `trunk/externals/src/googletest/` directory.
+
+```
+[Computer:svn] user$ svn propget svn:externals trunk
+externals/src/googletest http://googletest.googlecode.com/svn/trunk
+```
+
+# Add the Framework to Your Project #
+
+The next step is to build and add the gtest.framework to your own project. This guide describes two common ways below.
+
+  * **Option 1** --- The simplest way to add Google Test to your own project, is to open gtest.xcodeproj (found in the xcode/ directory of the Google Test trunk) and build the framework manually. Then, add the built framework into your project using the "Add->Existing Framework..." from the context menu or "Project->Add..." from the main menu. The gtest.framework is relocatable and contains the headers and object code that you'll need to make tests. This method requires rebuilding every time you upgrade Google Test in your project.
+  * **Option 2** --- If you are going to be living off the trunk of Google Test, incorporating its latest features into your unit tests (or are a Google Test developer yourself). You'll want to rebuild the framework every time the source updates. to do this, you'll need to add the gtest.xcodeproj file, not the framework itself, to your own Xcode project. Then, from the build products that are revealed by the project's disclosure triangle, you can find the gtest.framework, which can be added to your targets (discussed below).
+
+# Make a Test Target #
+
+To start writing tests, make a new "Shell Tool" target. This target template is available under BSD, Cocoa, or Carbon. Add your unit test source code to the "Compile Sources" build phase of the target.
+
+Next, you'll want to add gtest.framework in two different ways, depending upon which option you chose above.
+
+  * **Option 1** --- During compilation, Xcode will need to know that you are linking against the gtest.framework. Add the gtest.framework to the "Link Binary with Libraries" build phase of your test target. This will include the Google Test headers in your header search path, and will tell the linker where to find the library.
+  * **Option 2** --- If your working out of the trunk, you'll also want to add gtest.framework to your "Link Binary with Libraries" build phase of your test target. In addition, you'll  want to add the gtest.framework as a dependency to your unit test target. This way, Xcode will make sure that gtest.framework is up to date, every time your build your target. Finally, if you don't share build directories with Google Test, you'll have to copy the gtest.framework into your own build products directory using a "Run Script" build phase.
+
+# Set Up the Executable Run Environment #
+
+Since the unit test executable is a shell tool, it doesn't have a bundle with a `Contents/Frameworks` directory, in which to place gtest.framework. Instead, the dynamic linker must be told at runtime to search for the framework in another location. This can be accomplished by setting the "DYLD\_FRAMEWORK\_PATH" environment variable in the "Edit Active Executable ..." Arguments tab, under "Variables to be set in the environment:". The path for this value is the path (relative or absolute) of the directory containing the gtest.framework.
+
+If you haven't set up the DYLD\_FRAMEWORK\_PATH, correctly, you might get a message like this:
+
+```
+[Session started at 2008-08-15 06:23:57 -0600.]
+  dyld: Library not loaded: @loader_path/../Frameworks/gtest.framework/Versions/A/gtest
+    Referenced from: /Users/username/Documents/Sandbox/gtestSample/build/Debug/WidgetFrameworkTest
+    Reason: image not found
+```
+
+To correct this problem, go to to the directory containing the executable named in "Referenced from:" value in the error message above. Then, with the terminal in this location, find the relative path to the directory containing the gtest.framework. That is the value you'll need to set as the DYLD\_FRAMEWORK\_PATH.
+
+# Build and Go #
+
+Now, when you click "Build and Go", the test will be executed. Dumping out something like this:
+
+```
+[Session started at 2008-08-06 06:36:13 -0600.]
+[==========] Running 2 tests from 1 test case.
+[----------] Global test environment set-up.
+[----------] 2 tests from WidgetInitializerTest
+[ RUN      ] WidgetInitializerTest.TestConstructor
+[       OK ] WidgetInitializerTest.TestConstructor
+[ RUN      ] WidgetInitializerTest.TestConversion
+[       OK ] WidgetInitializerTest.TestConversion
+[----------] Global test environment tear-down
+[==========] 2 tests from 1 test case ran.
+[  PASSED  ] 2 tests.
+
+The Debugger has exited with status 0.  
+```
+
+# Summary #
+
+Unit testing is a valuable way to ensure your data model stays valid even during rapid development or refactoring. The Google Testing Framework is a great unit testing framework for C and C++ which integrates well with an Xcode development environment.
diff --git a/security/nss/gtests/google_test/gtest/docs/advanced.md b/security/nss/gtests/google_test/gtest/docs/advanced.md
new file mode 100644
index 000000000..8065d1962
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/docs/advanced.md
@@ -0,0 +1,2520 @@
+# Advanced googletest Topics
+
+
+## Introduction
+
+Now that you have read the [googletest Primer](primer.md) and learned how to write
+tests using googletest, it's time to learn some new tricks. This document will
+show you more assertions as well as how to construct complex failure messages,
+propagate fatal failures, reuse and speed up your test fixtures, and use various
+flags with your tests.
+
+## More Assertions
+
+This section covers some less frequently used, but still significant,
+assertions.
+
+### Explicit Success and Failure
+
+These three assertions do not actually test a value or expression. Instead, they
+generate a success or failure directly. Like the macros that actually perform a
+test, you may stream a custom failure message into them.
+
+```c++
+SUCCEED();
+```
+
+Generates a success. This does **NOT** make the overall test succeed. A test is
+considered successful only if none of its assertions fail during its execution.
+
+NOTE: `SUCCEED()` is purely documentary and currently doesn't generate any
+user-visible output. However, we may add `SUCCEED()` messages to googletest's
+output in the future.
+
+```c++
+FAIL();
+ADD_FAILURE();
+ADD_FAILURE_AT("file_path", line_number);
+```
+
+`FAIL()` generates a fatal failure, while `ADD_FAILURE()` and `ADD_FAILURE_AT()`
+generate a nonfatal failure. These are useful when control flow, rather than a
+Boolean expression, determines the test's success or failure. For example, you
+might want to write something like:
+
+```c++
+switch(expression) {
+  case 1:
+     ... some checks ...
+  case 2:
+     ... some other checks ...
+  default:
+     FAIL() << "We shouldn't get here.";
+}
+```
+
+NOTE: you can only use `FAIL()` in functions that return `void`. See the
+[Assertion Placement section](#assertion-placement) for more information.
+
+**Availability**: Linux, Windows, Mac.
+
+### Exception Assertions
+
+These are for verifying that a piece of code throws (or does not throw) an
+exception of the given type:
+
+Fatal assertion                            | Nonfatal assertion                         | Verifies
+------------------------------------------ | ------------------------------------------ | --------
+`ASSERT_THROW(statement, exception_type);` | `EXPECT_THROW(statement, exception_type);` | `statement` throws an exception of the given type
+`ASSERT_ANY_THROW(statement);`             | `EXPECT_ANY_THROW(statement);`             | `statement` throws an exception of any type
+`ASSERT_NO_THROW(statement);`              | `EXPECT_NO_THROW(statement);`              | `statement` doesn't throw any exception
+
+Examples:
+
+```c++
+ASSERT_THROW(Foo(5), bar_exception);
+
+EXPECT_NO_THROW({
+  int n = 5;
+  Bar(&n);
+});
+```
+
+**Availability**: Linux, Windows, Mac; requires exceptions to be enabled in the
+build environment (note that `google3` **disables** exceptions).
+
+### Predicate Assertions for Better Error Messages
+
+Even though googletest has a rich set of assertions, they can never be complete,
+as it's impossible (nor a good idea) to anticipate all scenarios a user might
+run into. Therefore, sometimes a user has to use `EXPECT_TRUE()` to check a
+complex expression, for lack of a better macro. This has the problem of not
+showing you the values of the parts of the expression, making it hard to
+understand what went wrong. As a workaround, some users choose to construct the
+failure message by themselves, streaming it into `EXPECT_TRUE()`. However, this
+is awkward especially when the expression has side-effects or is expensive to
+evaluate.
+
+googletest gives you three different options to solve this problem:
+
+#### Using an Existing Boolean Function
+
+If you already have a function or functor that returns `bool` (or a type that
+can be implicitly converted to `bool`), you can use it in a *predicate
+assertion* to get the function arguments printed for free:
+
+| Fatal assertion                    | Nonfatal assertion                 | Verifies                    |
+| ---------------------------------- | ---------------------------------- | --------------------------- |
+| `ASSERT_PRED1(pred1, val1);`       | `EXPECT_PRED1(pred1, val1);`       | `pred1(val1)` is true       |
+| `ASSERT_PRED2(pred2, val1, val2);` | `EXPECT_PRED2(pred2, val1, val2);` | `pred2(val1, val2)` is true |
+| `...`                              | `...`                              | ...                         |
+
+In the above, `predn` is an `n`-ary predicate function or functor, where `val1`,
+`val2`, ..., and `valn` are its arguments. The assertion succeeds if the
+predicate returns `true` when applied to the given arguments, and fails
+otherwise. When the assertion fails, it prints the value of each argument. In
+either case, the arguments are evaluated exactly once.
+
+Here's an example. Given
+
+```c++
+// Returns true if m and n have no common divisors except 1.
+bool MutuallyPrime(int m, int n) { ... }
+
+const int a = 3;
+const int b = 4;
+const int c = 10;
+```
+
+the assertion
+
+```c++
+  EXPECT_PRED2(MutuallyPrime, a, b);
+```
+
+will succeed, while the assertion
+
+```c++
+  EXPECT_PRED2(MutuallyPrime, b, c);
+```
+
+will fail with the message
+
+```none
+MutuallyPrime(b, c) is false, where
+b is 4
+c is 10
+```
+
+> NOTE:
+>
+> 1.  If you see a compiler error "no matching function to call" when using
+>     `ASSERT_PRED*` or `EXPECT_PRED*`, please see
+>     [this](faq.md#OverloadedPredicate) for how to resolve it.
+> 1.  Currently we only provide predicate assertions of arity <= 5. If you need
+>     a higher-arity assertion, let [us](https://github.com/google/googletest/issues) know.
+
+**Availability**: Linux, Windows, Mac.
+
+#### Using a Function That Returns an AssertionResult
+
+While `EXPECT_PRED*()` and friends are handy for a quick job, the syntax is not
+satisfactory: you have to use different macros for different arities, and it
+feels more like Lisp than C++. The `::testing::AssertionResult` class solves
+this problem.
+
+An `AssertionResult` object represents the result of an assertion (whether it's
+a success or a failure, and an associated message). You can create an
+`AssertionResult` using one of these factory functions:
+
+```c++
+namespace testing {
+
+// Returns an AssertionResult object to indicate that an assertion has
+// succeeded.
+AssertionResult AssertionSuccess();
+
+// Returns an AssertionResult object to indicate that an assertion has
+// failed.
+AssertionResult AssertionFailure();
+
+}
+```
+
+You can then use the `<<` operator to stream messages to the `AssertionResult`
+object.
+
+To provide more readable messages in Boolean assertions (e.g. `EXPECT_TRUE()`),
+write a predicate function that returns `AssertionResult` instead of `bool`. For
+example, if you define `IsEven()` as:
+
+```c++
+::testing::AssertionResult IsEven(int n) {
+  if ((n % 2) == 0)
+     return ::testing::AssertionSuccess();
+  else
+     return ::testing::AssertionFailure() << n << " is odd";
+}
+```
+
+instead of:
+
+```c++
+bool IsEven(int n) {
+  return (n % 2) == 0;
+}
+```
+
+the failed assertion `EXPECT_TRUE(IsEven(Fib(4)))` will print:
+
+```none
+Value of: IsEven(Fib(4))
+  Actual: false (3 is odd)
+Expected: true
+```
+
+instead of a more opaque
+
+```none
+Value of: IsEven(Fib(4))
+  Actual: false
+Expected: true
+```
+
+If you want informative messages in `EXPECT_FALSE` and `ASSERT_FALSE` as well
+(one third of Boolean assertions in the Google code base are negative ones), and
+are fine with making the predicate slower in the success case, you can supply a
+success message:
+
+```c++
+::testing::AssertionResult IsEven(int n) {
+  if ((n % 2) == 0)
+     return ::testing::AssertionSuccess() << n << " is even";
+  else
+     return ::testing::AssertionFailure() << n << " is odd";
+}
+```
+
+Then the statement `EXPECT_FALSE(IsEven(Fib(6)))` will print
+
+```none
+  Value of: IsEven(Fib(6))
+     Actual: true (8 is even)
+  Expected: false
+```
+
+**Availability**: Linux, Windows, Mac.
+
+#### Using a Predicate-Formatter
+
+If you find the default message generated by `(ASSERT|EXPECT)_PRED*` and
+`(ASSERT|EXPECT)_(TRUE|FALSE)` unsatisfactory, or some arguments to your
+predicate do not support streaming to `ostream`, you can instead use the
+following *predicate-formatter assertions* to *fully* customize how the message
+is formatted:
+
+Fatal assertion                                  | Nonfatal assertion                               | Verifies
+------------------------------------------------ | ------------------------------------------------ | --------
+`ASSERT_PRED_FORMAT1(pred_format1, val1);`       | `EXPECT_PRED_FORMAT1(pred_format1, val1);`       | `pred_format1(val1)` is successful
+`ASSERT_PRED_FORMAT2(pred_format2, val1, val2);` | `EXPECT_PRED_FORMAT2(pred_format2, val1, val2);` | `pred_format2(val1, val2)` is successful
+`...`                                            | `...`                                            | ...
+
+The difference between this and the previous group of macros is that instead of
+a predicate, `(ASSERT|EXPECT)_PRED_FORMAT*` take a *predicate-formatter*
+(`pred_formatn`), which is a function or functor with the signature:
+
+```c++
+::testing::AssertionResult PredicateFormattern(const char* expr1,
+                                               const char* expr2,
+                                               ...
+                                               const char* exprn,
+                                               T1 val1,
+                                               T2 val2,
+                                               ...
+                                               Tn valn);
+```
+
+where `val1`, `val2`, ..., and `valn` are the values of the predicate arguments,
+and `expr1`, `expr2`, ..., and `exprn` are the corresponding expressions as they
+appear in the source code. The types `T1`, `T2`, ..., and `Tn` can be either
+value types or reference types. For example, if an argument has type `Foo`, you
+can declare it as either `Foo` or `const Foo&`, whichever is appropriate.
+
+As an example, let's improve the failure message in `MutuallyPrime()`, which was
+used with `EXPECT_PRED2()`:
+
+```c++
+// Returns the smallest prime common divisor of m and n,
+// or 1 when m and n are mutually prime.
+int SmallestPrimeCommonDivisor(int m, int n) { ... }
+
+// A predicate-formatter for asserting that two integers are mutually prime.
+::testing::AssertionResult AssertMutuallyPrime(const char* m_expr,
+                                               const char* n_expr,
+                                               int m,
+                                               int n) {
+  if (MutuallyPrime(m, n)) return ::testing::AssertionSuccess();
+
+  return ::testing::AssertionFailure() << m_expr << " and " << n_expr
+      << " (" << m << " and " << n << ") are not mutually prime, "
+      << "as they have a common divisor " << SmallestPrimeCommonDivisor(m, n);
+}
+```
+
+With this predicate-formatter, we can use
+
+```c++
+  EXPECT_PRED_FORMAT2(AssertMutuallyPrime, b, c);
+```
+
+to generate the message
+
+```none
+b and c (4 and 10) are not mutually prime, as they have a common divisor 2.
+```
+
+As you may have realized, many of the built-in assertions we introduced earlier
+are special cases of `(EXPECT|ASSERT)_PRED_FORMAT*`. In fact, most of them are
+indeed defined using `(EXPECT|ASSERT)_PRED_FORMAT*`.
+
+**Availability**: Linux, Windows, Mac.
+
+### Floating-Point Comparison
+
+Comparing floating-point numbers is tricky. Due to round-off errors, it is very
+unlikely that two floating-points will match exactly. Therefore, `ASSERT_EQ` 's
+naive comparison usually doesn't work. And since floating-points can have a wide
+value range, no single fixed error bound works. It's better to compare by a
+fixed relative error bound, except for values close to 0 due to the loss of
+precision there.
+
+In general, for floating-point comparison to make sense, the user needs to
+carefully choose the error bound. If they don't want or care to, comparing in
+terms of Units in the Last Place (ULPs) is a good default, and googletest
+provides assertions to do this. Full details about ULPs are quite long; if you
+want to learn more, see
+[here](https://randomascii.wordpress.com/2012/02/25/comparing-floating-point-numbers-2012-edition/).
+
+#### Floating-Point Macros
+
+| Fatal assertion                 | Nonfatal assertion             | Verifies                                 |
+| ------------------------------- | ------------------------------ | ---------------------------------------- |
+| `ASSERT_FLOAT_EQ(val1, val2);`  | `EXPECT_FLOAT_EQ(val1,val2);`  | the two `float` values are almost equal  |
+| `ASSERT_DOUBLE_EQ(val1, val2);` | `EXPECT_DOUBLE_EQ(val1, val2);`| the two `double` values are almost equal |
+
+By "almost equal" we mean the values are within 4 ULP's from each other.
+
+NOTE: `CHECK_DOUBLE_EQ()` in `base/logging.h` uses a fixed absolute error bound,
+so its result may differ from that of the googletest macros. That macro is
+unsafe and has been deprecated. Please don't use it any more.
+
+The following assertions allow you to choose the acceptable error bound:
+
+| Fatal assertion                       | Nonfatal assertion                    | Verifies                  |
+| ------------------------------------- | ------------------------------------- | ------------------------- |
+| `ASSERT_NEAR(val1, val2, abs_error);` | `EXPECT_NEAR(val1, val2, abs_error);` | the difference between `val1` and `val2` doesn't exceed the given absolute error |
+
+**Availability**: Linux, Windows, Mac.
+
+#### Floating-Point Predicate-Format Functions
+
+Some floating-point operations are useful, but not that often used. In order to
+avoid an explosion of new macros, we provide them as predicate-format functions
+that can be used in predicate assertion macros (e.g. `EXPECT_PRED_FORMAT2`,
+etc).
+
+```c++
+EXPECT_PRED_FORMAT2(::testing::FloatLE, val1, val2);
+EXPECT_PRED_FORMAT2(::testing::DoubleLE, val1, val2);
+```
+
+Verifies that `val1` is less than, or almost equal to, `val2`. You can replace
+`EXPECT_PRED_FORMAT2` in the above table with `ASSERT_PRED_FORMAT2`.
+
+**Availability**: Linux, Windows, Mac.
+
+### Asserting Using gMock Matchers
+
+Google-developed C++ mocking framework [gMock](../../googlemock) comes with a
+library of matchers for validating arguments passed to mock objects. A gMock
+*matcher* is basically a predicate that knows how to describe itself. It can be
+used in these assertion macros:
+
+| Fatal assertion                | Nonfatal assertion             | Verifies              |
+| ------------------------------ | ------------------------------ | --------------------- |
+| `ASSERT_THAT(value, matcher);` | `EXPECT_THAT(value, matcher);` | value matches matcher |
+
+For example, `StartsWith(prefix)` is a matcher that matches a string starting
+with `prefix`, and you can write:
+
+```c++
+using ::testing::StartsWith;
+...
+    // Verifies that Foo() returns a string starting with "Hello".
+    EXPECT_THAT(Foo(), StartsWith("Hello"));
+```
+
+Read this [recipe](../../googlemock/docs/CookBook.md#using-matchers-in-google-test-assertions) in
+the gMock Cookbook for more details.
+
+gMock has a rich set of matchers. You can do many things googletest cannot do
+alone with them. For a list of matchers gMock provides, read
+[this](../../googlemock/docs/CookBook.md#using-matchers). Especially useful among them are
+some [protocol buffer matchers](https://github.com/google/nucleus/blob/master/nucleus/testing/protocol-buffer-matchers.h). It's easy to write
+your [own matchers](../../googlemock/docs/CookBook.md#writing-new-matchers-quickly) too.
+
+For example, you can use gMock's
+[EqualsProto](https://github.com/google/nucleus/blob/master/nucleus/testing/protocol-buffer-matchers.h)
+to compare protos in your tests:
+
+```c++
+#include "testing/base/public/gmock.h"
+using ::testing::EqualsProto;
+...
+    EXPECT_THAT(actual_proto, EqualsProto("foo: 123 bar: 'xyz'"));
+    EXPECT_THAT(*actual_proto_ptr, EqualsProto(expected_proto));
+```
+
+gMock is bundled with googletest, so you don't need to add any build dependency
+in order to take advantage of this. Just include `"testing/base/public/gmock.h"`
+and you're ready to go.
+
+**Availability**: Linux, Windows, and Mac.
+
+### More String Assertions
+
+(Please read the [previous](#AssertThat) section first if you haven't.)
+
+You can use the gMock [string matchers](../../googlemock/docs/CheatSheet.md#string-matchers)
+with `EXPECT_THAT()` or `ASSERT_THAT()` to do more string comparison tricks
+(sub-string, prefix, suffix, regular expression, and etc). For example,
+
+```c++
+using ::testing::HasSubstr;
+using ::testing::MatchesRegex;
+...
+  ASSERT_THAT(foo_string, HasSubstr("needle"));
+  EXPECT_THAT(bar_string, MatchesRegex("\\w*\\d+"));
+```
+
+**Availability**: Linux, Windows, Mac.
+
+If the string contains a well-formed HTML or XML document, you can check whether
+its DOM tree matches an [XPath
+expression](http://www.w3.org/TR/xpath/#contents):
+
+```c++
+// Currently still in //template/prototemplate/testing:xpath_matcher
+#include "template/prototemplate/testing/xpath_matcher.h"
+using prototemplate::testing::MatchesXPath;
+EXPECT_THAT(html_string, MatchesXPath("//a[text()='click here']"));
+```
+
+**Availability**: Linux.
+
+### Windows HRESULT assertions
+
+These assertions test for `HRESULT` success or failure.
+
+Fatal assertion                        | Nonfatal assertion                     | Verifies
+-------------------------------------- | -------------------------------------- | --------
+`ASSERT_HRESULT_SUCCEEDED(expression)` | `EXPECT_HRESULT_SUCCEEDED(expression)` | `expression` is a success `HRESULT`
+`ASSERT_HRESULT_FAILED(expression)`    | `EXPECT_HRESULT_FAILED(expression)`    | `expression` is a failure `HRESULT`
+
+The generated output contains the human-readable error message associated with
+the `HRESULT` code returned by `expression`.
+
+You might use them like this:
+
+```c++
+CComPtr<IShellDispatch2> shell;
+ASSERT_HRESULT_SUCCEEDED(shell.CoCreateInstance(L"Shell.Application"));
+CComVariant empty;
+ASSERT_HRESULT_SUCCEEDED(shell->ShellExecute(CComBSTR(url), empty, empty, empty, empty));
+```
+
+**Availability**: Windows.
+
+### Type Assertions
+
+You can call the function
+
+```c++
+::testing::StaticAssertTypeEq<T1, T2>();
+```
+
+to assert that types `T1` and `T2` are the same. The function does nothing if
+the assertion is satisfied. If the types are different, the function call will
+fail to compile, and the compiler error message will likely (depending on the
+compiler) show you the actual values of `T1` and `T2`. This is mainly useful
+inside template code.
+
+**Caveat**: When used inside a member function of a class template or a function
+template, `StaticAssertTypeEq<T1, T2>()` is effective only if the function is
+instantiated. For example, given:
+
+```c++
+template <typename T> class Foo {
+ public:
+  void Bar() { ::testing::StaticAssertTypeEq<int, T>(); }
+};
+```
+
+the code:
+
+```c++
+void Test1() { Foo<bool> foo; }
+```
+
+will not generate a compiler error, as `Foo<bool>::Bar()` is never actually
+instantiated. Instead, you need:
+
+```c++
+void Test2() { Foo<bool> foo; foo.Bar(); }
+```
+
+to cause a compiler error.
+
+**Availability**: Linux, Windows, Mac.
+
+### Assertion Placement
+
+You can use assertions in any C++ function. In particular, it doesn't have to be
+a method of the test fixture class. The one constraint is that assertions that
+generate a fatal failure (`FAIL*` and `ASSERT_*`) can only be used in
+void-returning functions. This is a consequence of Google's not using
+exceptions. By placing it in a non-void function you'll get a confusing compile
+error like `"error: void value not ignored as it ought to be"` or `"cannot
+initialize return object of type 'bool' with an rvalue of type 'void'"` or
+`"error: no viable conversion from 'void' to 'string'"`.
+
+If you need to use fatal assertions in a function that returns non-void, one
+option is to make the function return the value in an out parameter instead. For
+example, you can rewrite `T2 Foo(T1 x)` to `void Foo(T1 x, T2* result)`. You
+need to make sure that `*result` contains some sensible value even when the
+function returns prematurely. As the function now returns `void`, you can use
+any assertion inside of it.
+
+If changing the function's type is not an option, you should just use assertions
+that generate non-fatal failures, such as `ADD_FAILURE*` and `EXPECT_*`.
+
+NOTE: Constructors and destructors are not considered void-returning functions,
+according to the C++ language specification, and so you may not use fatal
+assertions in them. You'll get a compilation error if you try. A simple
+workaround is to transfer the entire body of the constructor or destructor to a
+private void-returning method. However, you should be aware that a fatal
+assertion failure in a constructor does not terminate the current test, as your
+intuition might suggest; it merely returns from the constructor early, possibly
+leaving your object in a partially-constructed state. Likewise, a fatal
+assertion failure in a destructor may leave your object in a
+partially-destructed state. Use assertions carefully in these situations!
+
+## Teaching googletest How to Print Your Values
+
+When a test assertion such as `EXPECT_EQ` fails, googletest prints the argument
+values to help you debug. It does this using a user-extensible value printer.
+
+This printer knows how to print built-in C++ types, native arrays, STL
+containers, and any type that supports the `<<` operator. For other types, it
+prints the raw bytes in the value and hopes that you the user can figure it out.
+
+As mentioned earlier, the printer is *extensible*. That means you can teach it
+to do a better job at printing your particular type than to dump the bytes. To
+do that, define `<<` for your type:
+
+```c++
+// Streams are allowed only for logging.  Don't include this for
+// any other purpose.
+#include <ostream>
+
+namespace foo {
+
+class Bar {  // We want googletest to be able to print instances of this.
+...
+  // Create a free inline friend function.
+  friend std::ostream& operator<<(std::ostream& os, const Bar& bar) {
+    return os << bar.DebugString();  // whatever needed to print bar to os
+  }
+};
+
+// If you can't declare the function in the class it's important that the
+// << operator is defined in the SAME namespace that defines Bar.  C++'s look-up
+// rules rely on that.
+std::ostream& operator<<(std::ostream& os, const Bar& bar) {
+  return os << bar.DebugString();  // whatever needed to print bar to os
+}
+
+}  // namespace foo
+```
+
+Sometimes, this might not be an option: your team may consider it bad style to
+have a `<<` operator for `Bar`, or `Bar` may already have a `<<` operator that
+doesn't do what you want (and you cannot change it). If so, you can instead
+define a `PrintTo()` function like this:
+
+```c++
+// Streams are allowed only for logging.  Don't include this for
+// any other purpose.
+#include <ostream>
+
+namespace foo {
+
+class Bar {
+  ...
+  friend void PrintTo(const Bar& bar, std::ostream* os) {
+    *os << bar.DebugString();  // whatever needed to print bar to os
+  }
+};
+
+// If you can't declare the function in the class it's important that PrintTo()
+// is defined in the SAME namespace that defines Bar.  C++'s look-up rules rely
+// on that.
+void PrintTo(const Bar& bar, std::ostream* os) {
+  *os << bar.DebugString();  // whatever needed to print bar to os
+}
+
+}  // namespace foo
+```
+
+If you have defined both `<<` and `PrintTo()`, the latter will be used when
+googletest is concerned. This allows you to customize how the value appears in
+googletest's output without affecting code that relies on the behavior of its
+`<<` operator.
+
+If you want to print a value `x` using googletest's value printer yourself, just
+call `::testing::PrintToString(x)`, which returns an `std::string`:
+
+```c++
+vector<pair<Bar, int> > bar_ints = GetBarIntVector();
+
+EXPECT_TRUE(IsCorrectBarIntVector(bar_ints))
+    << "bar_ints = " << ::testing::PrintToString(bar_ints);
+```
+
+## Death Tests
+
+In many applications, there are assertions that can cause application failure if
+a condition is not met. These sanity checks, which ensure that the program is in
+a known good state, are there to fail at the earliest possible time after some
+program state is corrupted. If the assertion checks the wrong condition, then
+the program may proceed in an erroneous state, which could lead to memory
+corruption, security holes, or worse. Hence it is vitally important to test that
+such assertion statements work as expected.
+
+Since these precondition checks cause the processes to die, we call such tests
+_death tests_. More generally, any test that checks that a program terminates
+(except by throwing an exception) in an expected fashion is also a death test.
+
+
+Note that if a piece of code throws an exception, we don't consider it "death"
+for the purpose of death tests, as the caller of the code could catch the
+exception and avoid the crash. If you want to verify exceptions thrown by your
+code, see [Exception Assertions](#exception-assertions).
+
+If you want to test `EXPECT_*()/ASSERT_*()` failures in your test code, see
+Catching Failures
+
+### How to Write a Death Test
+
+googletest has the following macros to support death tests:
+
+Fatal assertion                                | Nonfatal assertion                             | Verifies
+---------------------------------------------- | ---------------------------------------------- | --------
+`ASSERT_DEATH(statement, regex);`              | `EXPECT_DEATH(statement, regex);`              | `statement` crashes with the given error
+`ASSERT_DEATH_IF_SUPPORTED(statement, regex);` | `EXPECT_DEATH_IF_SUPPORTED(statement, regex);` | if death tests are supported, verifies that `statement` crashes with the given error; otherwise verifies nothing
+`ASSERT_EXIT(statement, predicate, regex);`    | `EXPECT_EXIT(statement, predicate, regex);`    | `statement` exits with the given error, and its exit code matches `predicate`
+
+where `statement` is a statement that is expected to cause the process to die,
+`predicate` is a function or function object that evaluates an integer exit
+status, and `regex` is a (Perl) regular expression that the stderr output of
+`statement` is expected to match. Note that `statement` can be *any valid
+statement* (including *compound statement*) and doesn't have to be an
+expression.
+
+
+As usual, the `ASSERT` variants abort the current test function, while the
+`EXPECT` variants do not.
+
+> NOTE: We use the word "crash" here to mean that the process terminates with a
+> *non-zero* exit status code. There are two possibilities: either the process
+> has called `exit()` or `_exit()` with a non-zero value, or it may be killed by
+> a signal.
+>
+> This means that if `*statement*` terminates the process with a 0 exit code, it
+> is *not* considered a crash by `EXPECT_DEATH`. Use `EXPECT_EXIT` instead if
+> this is the case, or if you want to restrict the exit code more precisely.
+
+A predicate here must accept an `int` and return a `bool`. The death test
+succeeds only if the predicate returns `true`. googletest defines a few
+predicates that handle the most common cases:
+
+```c++
+::testing::ExitedWithCode(exit_code)
+```
+
+This expression is `true` if the program exited normally with the given exit
+code.
+
+```c++
+::testing::KilledBySignal(signal_number)  // Not available on Windows.
+```
+
+This expression is `true` if the program was killed by the given signal.
+
+The `*_DEATH` macros are convenient wrappers for `*_EXIT` that use a predicate
+that verifies the process' exit code is non-zero.
+
+Note that a death test only cares about three things:
+
+1.  does `statement` abort or exit the process?
+2.  (in the case of `ASSERT_EXIT` and `EXPECT_EXIT`) does the exit status
+    satisfy `predicate`? Or (in the case of `ASSERT_DEATH` and `EXPECT_DEATH`)
+    is the exit status non-zero? And
+3.  does the stderr output match `regex`?
+
+In particular, if `statement` generates an `ASSERT_*` or `EXPECT_*` failure, it
+will **not** cause the death test to fail, as googletest assertions don't abort
+the process.
+
+To write a death test, simply use one of the above macros inside your test
+function. For example,
+
+```c++
+TEST(MyDeathTest, Foo) {
+  // This death test uses a compound statement.
+  ASSERT_DEATH({
+    int n = 5;
+    Foo(&n);
+  }, "Error on line .* of Foo()");
+}
+
+TEST(MyDeathTest, NormalExit) {
+  EXPECT_EXIT(NormalExit(), ::testing::ExitedWithCode(0), "Success");
+}
+
+TEST(MyDeathTest, KillMyself) {
+  EXPECT_EXIT(KillMyself(), ::testing::KilledBySignal(SIGKILL),
+              "Sending myself unblockable signal");
+}
+```
+
+verifies that:
+
+*   calling `Foo(5)` causes the process to die with the given error message,
+*   calling `NormalExit()` causes the process to print `"Success"` to stderr and
+    exit with exit code 0, and
+*   calling `KillMyself()` kills the process with signal `SIGKILL`.
+
+The test function body may contain other assertions and statements as well, if
+necessary.
+
+### Death Test Naming
+
+IMPORTANT: We strongly recommend you to follow the convention of naming your
+**test case** (not test) `*DeathTest` when it contains a death test, as
+demonstrated in the above example. The [Death Tests And
+Threads](#death-tests-and-threads) section below explains why.
+
+If a test fixture class is shared by normal tests and death tests, you can use
+`using` or `typedef` to introduce an alias for the fixture class and avoid
+duplicating its code:
+
+```c++
+class FooTest : public ::testing::Test { ... };
+
+using FooDeathTest = FooTest;
+
+TEST_F(FooTest, DoesThis) {
+  // normal test
+}
+
+TEST_F(FooDeathTest, DoesThat) {
+  // death test
+}
+```
+
+**Availability**: Linux, Windows (requires MSVC 8.0 or above), Cygwin, and Mac
+
+### Regular Expression Syntax
+
+
+On POSIX systems (e.g. Linux, Cygwin, and Mac), googletest uses the
+[POSIX extended regular expression](http://www.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap09.html#tag_09_04)
+syntax. To learn about this syntax, you may want to read this
+[Wikipedia entry](http://en.wikipedia.org/wiki/Regular_expression#POSIX_Extended_Regular_Expressions).
+
+On Windows, googletest uses its own simple regular expression implementation. It
+lacks many features. For example, we don't support union (`"x|y"`), grouping
+(`"(xy)"`), brackets (`"[xy]"`), and repetition count (`"x{5,7}"`), among
+others. Below is what we do support (`A` denotes a literal character, period
+(`.`), or a single `\\ ` escape sequence; `x` and `y` denote regular
+expressions.):
+
+Expression | Meaning
+---------- | --------------------------------------------------------------
+`c`        | matches any literal character `c`
+`\\d`      | matches any decimal digit
+`\\D`      | matches any character that's not a decimal digit
+`\\f`      | matches `\f`
+`\\n`      | matches `\n`
+`\\r`      | matches `\r`
+`\\s`      | matches any ASCII whitespace, including `\n`
+`\\S`      | matches any character that's not a whitespace
+`\\t`      | matches `\t`
+`\\v`      | matches `\v`
+`\\w`      | matches any letter, `_`, or decimal digit
+`\\W`      | matches any character that `\\w` doesn't match
+`\\c`      | matches any literal character `c`, which must be a punctuation
+`.`        | matches any single character except `\n`
+`A?`       | matches 0 or 1 occurrences of `A`
+`A*`       | matches 0 or many occurrences of `A`
+`A+`       | matches 1 or many occurrences of `A`
+`^`        | matches the beginning of a string (not that of each line)
+`$`        | matches the end of a string (not that of each line)
+`xy`       | matches `x` followed by `y`
+
+To help you determine which capability is available on your system, googletest
+defines macros to govern which regular expression it is using. The macros are:
+<!--absl:google3-begin(google3-only)-->`GTEST_USES_PCRE=1`, or
+<!--absl:google3-end--> `GTEST_USES_SIMPLE_RE=1` or `GTEST_USES_POSIX_RE=1`. If
+you want your death tests to work in all cases, you can either `#if` on these
+macros or use the more limited syntax only.
+
+### How It Works
+
+Under the hood, `ASSERT_EXIT()` spawns a new process and executes the death test
+statement in that process. The details of how precisely that happens depend on
+the platform and the variable ::testing::GTEST_FLAG(death_test_style) (which is
+initialized from the command-line flag `--gtest_death_test_style`).
+
+*   On POSIX systems, `fork()` (or `clone()` on Linux) is used to spawn the
+    child, after which:
+    *   If the variable's value is `"fast"`, the death test statement is
+        immediately executed.
+    *   If the variable's value is `"threadsafe"`, the child process re-executes
+        the unit test binary just as it was originally invoked, but with some
+        extra flags to cause just the single death test under consideration to
+        be run.
+*   On Windows, the child is spawned using the `CreateProcess()` API, and
+    re-executes the binary to cause just the single death test under
+    consideration to be run - much like the `threadsafe` mode on POSIX.
+
+Other values for the variable are illegal and will cause the death test to fail.
+Currently, the flag's default value is
+"fast". However, we reserve
+the right to change it in the future. Therefore, your tests should not depend on
+this. In either case, the parent process waits for the child process to
+complete, and checks that
+
+1.  the child's exit status satisfies the predicate, and
+2.  the child's stderr matches the regular expression.
+
+If the death test statement runs to completion without dying, the child process
+will nonetheless terminate, and the assertion fails.
+
+### Death Tests And Threads
+
+The reason for the two death test styles has to do with thread safety. Due to
+well-known problems with forking in the presence of threads, death tests should
+be run in a single-threaded context. Sometimes, however, it isn't feasible to
+arrange that kind of environment. For example, statically-initialized modules
+may start threads before main is ever reached. Once threads have been created,
+it may be difficult or impossible to clean them up.
+
+googletest has three features intended to raise awareness of threading issues.
+
+1.  A warning is emitted if multiple threads are running when a death test is
+    encountered.
+2.  Test cases with a name ending in "DeathTest" are run before all other tests.
+3.  It uses `clone()` instead of `fork()` to spawn the child process on Linux
+    (`clone()` is not available on Cygwin and Mac), as `fork()` is more likely
+    to cause the child to hang when the parent process has multiple threads.
+
+It's perfectly fine to create threads inside a death test statement; they are
+executed in a separate process and cannot affect the parent.
+
+### Death Test Styles
+
+
+The "threadsafe" death test style was introduced in order to help mitigate the
+risks of testing in a possibly multithreaded environment. It trades increased
+test execution time (potentially dramatically so) for improved thread safety.
+
+The automated testing framework does not set the style flag. You can choose a
+particular style of death tests by setting the flag programmatically:
+
+```c++
+testing::FLAGS_gtest_death_test_style="threadsafe"
+```
+
+You can do this in `main()` to set the style for all death tests in the binary,
+or in individual tests. Recall that flags are saved before running each test and
+restored afterwards, so you need not do that yourself. For example:
+
+```c++
+int main(int argc, char** argv) {
+  InitGoogle(argv[0], &argc, &argv, true);
+  ::testing::FLAGS_gtest_death_test_style = "fast";
+  return RUN_ALL_TESTS();
+}
+
+TEST(MyDeathTest, TestOne) {
+  ::testing::FLAGS_gtest_death_test_style = "threadsafe";
+  // This test is run in the "threadsafe" style:
+  ASSERT_DEATH(ThisShouldDie(), "");
+}
+
+TEST(MyDeathTest, TestTwo) {
+  // This test is run in the "fast" style:
+  ASSERT_DEATH(ThisShouldDie(), "");
+}
+```
+
+
+### Caveats
+
+The `statement` argument of `ASSERT_EXIT()` can be any valid C++ statement. If
+it leaves the current function via a `return` statement or by throwing an
+exception, the death test is considered to have failed. Some googletest macros
+may return from the current function (e.g. `ASSERT_TRUE()`), so be sure to avoid
+them in `statement`.
+
+Since `statement` runs in the child process, any in-memory side effect (e.g.
+modifying a variable, releasing memory, etc) it causes will *not* be observable
+in the parent process. In particular, if you release memory in a death test,
+your program will fail the heap check as the parent process will never see the
+memory reclaimed. To solve this problem, you can
+
+1.  try not to free memory in a death test;
+2.  free the memory again in the parent process; or
+3.  do not use the heap checker in your program.
+
+Due to an implementation detail, you cannot place multiple death test assertions
+on the same line; otherwise, compilation will fail with an unobvious error
+message.
+
+Despite the improved thread safety afforded by the "threadsafe" style of death
+test, thread problems such as deadlock are still possible in the presence of
+handlers registered with `pthread_atfork(3)`.
+
+
+## Using Assertions in Sub-routines
+
+### Adding Traces to Assertions
+
+If a test sub-routine is called from several places, when an assertion inside it
+fails, it can be hard to tell which invocation of the sub-routine the failure is
+from. 
+You can alleviate this problem using extra logging or custom failure messages,
+but that usually clutters up your tests. A better solution is to use the
+`SCOPED_TRACE` macro or the `ScopedTrace` utility:
+
+```c++
+SCOPED_TRACE(message);
+ScopedTrace trace("file_path", line_number, message);
+```
+
+where `message` can be anything streamable to `std::ostream`. `SCOPED_TRACE`
+macro will cause the current file name, line number, and the given message to be
+added in every failure message. `ScopedTrace` accepts explicit file name and
+line number in arguments, which is useful for writing test helpers. The effect
+will be undone when the control leaves the current lexical scope.
+
+For example,
+
+```c++
+10: void Sub1(int n) {
+11:   EXPECT_EQ(1, Bar(n));
+12:   EXPECT_EQ(2, Bar(n + 1));
+13: }
+14:
+15: TEST(FooTest, Bar) {
+16:   {
+17:     SCOPED_TRACE("A");  // This trace point will be included in
+18:                         // every failure in this scope.
+19:     Sub1(1);
+20:   }
+21:   // Now it won't.
+22:   Sub1(9);
+23: }
+```
+
+could result in messages like these:
+
+```none
+path/to/foo_test.cc:11: Failure
+Value of: Bar(n)
+Expected: 1
+  Actual: 2
+   Trace:
+path/to/foo_test.cc:17: A
+
+path/to/foo_test.cc:12: Failure
+Value of: Bar(n + 1)
+Expected: 2
+  Actual: 3
+```
+
+Without the trace, it would've been difficult to know which invocation of
+`Sub1()` the two failures come from respectively. (You could add
+
+an extra message to each assertion in `Sub1()` to indicate the value of `n`, but
+that's tedious.)
+
+Some tips on using `SCOPED_TRACE`:
+
+1.  With a suitable message, it's often enough to use `SCOPED_TRACE` at the
+    beginning of a sub-routine, instead of at each call site.
+2.  When calling sub-routines inside a loop, make the loop iterator part of the
+    message in `SCOPED_TRACE` such that you can know which iteration the failure
+    is from.
+3.  Sometimes the line number of the trace point is enough for identifying the
+    particular invocation of a sub-routine. In this case, you don't have to
+    choose a unique message for `SCOPED_TRACE`. You can simply use `""`.
+4.  You can use `SCOPED_TRACE` in an inner scope when there is one in the outer
+    scope. In this case, all active trace points will be included in the failure
+    messages, in reverse order they are encountered.
+5.  The trace dump is clickable in Emacs - hit `return` on a line number and
+    you'll be taken to that line in the source file!
+
+**Availability**: Linux, Windows, Mac.
+
+### Propagating Fatal Failures
+
+A common pitfall when using `ASSERT_*` and `FAIL*` is not understanding that
+when they fail they only abort the _current function_, not the entire test. For
+example, the following test will segfault:
+
+```c++
+void Subroutine() {
+  // Generates a fatal failure and aborts the current function.
+  ASSERT_EQ(1, 2);
+
+  // The following won't be executed.
+  ...
+}
+
+TEST(FooTest, Bar) {
+  Subroutine();  // The intended behavior is for the fatal failure
+                 // in Subroutine() to abort the entire test.
+
+  // The actual behavior: the function goes on after Subroutine() returns.
+  int* p = NULL;
+  *p = 3;  // Segfault!
+}
+```
+
+To alleviate this, googletest provides three different solutions. You could use
+either exceptions, the `(ASSERT|EXPECT)_NO_FATAL_FAILURE` assertions or the
+`HasFatalFailure()` function. They are described in the following two
+subsections.
+
+#### Asserting on Subroutines with an exception
+
+The following code can turn ASSERT-failure into an exception:
+
+```c++
+class ThrowListener : public testing::EmptyTestEventListener {
+  void OnTestPartResult(const testing::TestPartResult& result) override {
+    if (result.type() == testing::TestPartResult::kFatalFailure) {
+      throw testing::AssertionException(result);
+    }
+  }
+};
+int main(int argc, char** argv) {
+  ...
+  testing::UnitTest::GetInstance()->listeners().Append(new ThrowListener);
+  return RUN_ALL_TESTS();
+}
+```
+
+This listener should be added after other listeners if you have any, otherwise
+they won't see failed `OnTestPartResult`.
+
+#### Asserting on Subroutines
+
+As shown above, if your test calls a subroutine that has an `ASSERT_*` failure
+in it, the test will continue after the subroutine returns. This may not be what
+you want.
+
+Often people want fatal failures to propagate like exceptions. For that
+googletest offers the following macros:
+
+Fatal assertion                       | Nonfatal assertion                    | Verifies
+------------------------------------- | ------------------------------------- | --------
+`ASSERT_NO_FATAL_FAILURE(statement);` | `EXPECT_NO_FATAL_FAILURE(statement);` | `statement` doesn't generate any new fatal failures in the current thread.
+
+Only failures in the thread that executes the assertion are checked to determine
+the result of this type of assertions. If `statement` creates new threads,
+failures in these threads are ignored.
+
+Examples:
+
+```c++
+ASSERT_NO_FATAL_FAILURE(Foo());
+
+int i;
+EXPECT_NO_FATAL_FAILURE({
+  i = Bar();
+});
+```
+
+**Availability**: Linux, Windows, Mac. Assertions from multiple threads are
+currently not supported on Windows.
+
+#### Checking for Failures in the Current Test
+
+`HasFatalFailure()` in the `::testing::Test` class returns `true` if an
+assertion in the current test has suffered a fatal failure. This allows
+functions to catch fatal failures in a sub-routine and return early.
+
+```c++
+class Test {
+ public:
+  ...
+  static bool HasFatalFailure();
+};
+```
+
+The typical usage, which basically simulates the behavior of a thrown exception,
+is:
+
+```c++
+TEST(FooTest, Bar) {
+  Subroutine();
+  // Aborts if Subroutine() had a fatal failure.
+  if (HasFatalFailure()) return;
+
+  // The following won't be executed.
+  ...
+}
+```
+
+If `HasFatalFailure()` is used outside of `TEST()` , `TEST_F()` , or a test
+fixture, you must add the `::testing::Test::` prefix, as in:
+
+```c++
+if (::testing::Test::HasFatalFailure()) return;
+```
+
+Similarly, `HasNonfatalFailure()` returns `true` if the current test has at
+least one non-fatal failure, and `HasFailure()` returns `true` if the current
+test has at least one failure of either kind.
+
+**Availability**: Linux, Windows, Mac.
+
+## Logging Additional Information
+
+In your test code, you can call `RecordProperty("key", value)` to log additional
+information, where `value` can be either a string or an `int`. The *last* value
+recorded for a key will be emitted to the [XML output](#generating-an-xml-report) if you
+specify one. For example, the test
+
+```c++
+TEST_F(WidgetUsageTest, MinAndMaxWidgets) {
+  RecordProperty("MaximumWidgets", ComputeMaxUsage());
+  RecordProperty("MinimumWidgets", ComputeMinUsage());
+}
+```
+
+will output XML like this:
+
+```xml
+  ...
+    <testcase name="MinAndMaxWidgets" status="run" time="0.006" classname="WidgetUsageTest" MaximumWidgets="12" MinimumWidgets="9" />
+  ...
+```
+
+> NOTE:
+>
+> *   `RecordProperty()` is a static member of the `Test` class. Therefore it
+>     needs to be prefixed with `::testing::Test::` if used outside of the
+>     `TEST` body and the test fixture class.
+> *   `*key*` must be a valid XML attribute name, and cannot conflict with the
+>     ones already used by googletest (`name`, `status`, `time`, `classname`,
+>     `type_param`, and `value_param`).
+> *   Calling `RecordProperty()` outside of the lifespan of a test is allowed.
+>     If it's called outside of a test but between a test case's
+>     `SetUpTestCase()` and `TearDownTestCase()` methods, it will be attributed
+>     to the XML element for the test case. If it's called outside of all test
+>     cases (e.g. in a test environment), it will be attributed to the top-level
+>     XML element.
+
+**Availability**: Linux, Windows, Mac.
+
+## Sharing Resources Between Tests in the Same Test Case
+
+googletest creates a new test fixture object for each test in order to make
+tests independent and easier to debug. However, sometimes tests use resources
+that are expensive to set up, making the one-copy-per-test model prohibitively
+expensive.
+
+If the tests don't change the resource, there's no harm in their sharing a
+single resource copy. So, in addition to per-test set-up/tear-down, googletest
+also supports per-test-case set-up/tear-down. To use it:
+
+1.  In your test fixture class (say `FooTest` ), declare as `static` some member
+    variables to hold the shared resources.
+1.  Outside your test fixture class (typically just below it), define those
+    member variables, optionally giving them initial values.
+1.  In the same test fixture class, define a `static void SetUpTestCase()`
+    function (remember not to spell it as **`SetupTestCase`** with a small `u`!)
+    to set up the shared resources and a `static void TearDownTestCase()`
+    function to tear them down.
+
+That's it! googletest automatically calls `SetUpTestCase()` before running the
+*first test* in the `FooTest` test case (i.e. before creating the first
+`FooTest` object), and calls `TearDownTestCase()` after running the *last test*
+in it (i.e. after deleting the last `FooTest` object). In between, the tests can
+use the shared resources.
+
+Remember that the test order is undefined, so your code can't depend on a test
+preceding or following another. Also, the tests must either not modify the state
+of any shared resource, or, if they do modify the state, they must restore the
+state to its original value before passing control to the next test.
+
+Here's an example of per-test-case set-up and tear-down:
+
+```c++
+class FooTest : public ::testing::Test {
+ protected:
+  // Per-test-case set-up.
+  // Called before the first test in this test case.
+  // Can be omitted if not needed.
+  static void SetUpTestCase() {
+    shared_resource_ = new ...;
+  }
+
+  // Per-test-case tear-down.
+  // Called after the last test in this test case.
+  // Can be omitted if not needed.
+  static void TearDownTestCase() {
+    delete shared_resource_;
+    shared_resource_ = NULL;
+  }
+
+  // You can define per-test set-up logic as usual.
+  virtual void SetUp() { ... }
+
+  // You can define per-test tear-down logic as usual.
+  virtual void TearDown() { ... }
+
+  // Some expensive resource shared by all tests.
+  static T* shared_resource_;
+};
+
+T* FooTest::shared_resource_ = NULL;
+
+TEST_F(FooTest, Test1) {
+  ... you can refer to shared_resource_ here ...
+}
+
+TEST_F(FooTest, Test2) {
+  ... you can refer to shared_resource_ here ...
+}
+```
+
+NOTE: Though the above code declares `SetUpTestCase()` protected, it may
+sometimes be necessary to declare it public, such as when using it with
+`TEST_P`.
+
+**Availability**: Linux, Windows, Mac.
+
+## Global Set-Up and Tear-Down
+
+Just as you can do set-up and tear-down at the test level and the test case
+level, you can also do it at the test program level. Here's how.
+
+First, you subclass the `::testing::Environment` class to define a test
+environment, which knows how to set-up and tear-down:
+
+```c++
+class Environment {
+ public:
+  virtual ~Environment() {}
+
+  // Override this to define how to set up the environment.
+  virtual void SetUp() {}
+
+  // Override this to define how to tear down the environment.
+  virtual void TearDown() {}
+};
+```
+
+Then, you register an instance of your environment class with googletest by
+calling the `::testing::AddGlobalTestEnvironment()` function:
+
+```c++
+Environment* AddGlobalTestEnvironment(Environment* env);
+```
+
+Now, when `RUN_ALL_TESTS()` is called, it first calls the `SetUp()` method of
+the environment object, then runs the tests if there was no fatal failures, and
+finally calls `TearDown()` of the environment object.
+
+It's OK to register multiple environment objects. In this case, their `SetUp()`
+will be called in the order they are registered, and their `TearDown()` will be
+called in the reverse order.
+
+Note that googletest takes ownership of the registered environment objects.
+Therefore **do not delete them** by yourself.
+
+You should call `AddGlobalTestEnvironment()` before `RUN_ALL_TESTS()` is called,
+probably in `main()`. If you use `gtest_main`, you need to call this before
+`main()` starts for it to take effect. One way to do this is to define a global
+variable like this:
+
+```c++
+::testing::Environment* const foo_env =
+    ::testing::AddGlobalTestEnvironment(new FooEnvironment);
+```
+
+However, we strongly recommend you to write your own `main()` and call
+`AddGlobalTestEnvironment()` there, as relying on initialization of global
+variables makes the code harder to read and may cause problems when you register
+multiple environments from different translation units and the environments have
+dependencies among them (remember that the compiler doesn't guarantee the order
+in which global variables from different translation units are initialized).
+
+## Value-Parameterized Tests
+
+*Value-parameterized tests* allow you to test your code with different
+parameters without writing multiple copies of the same test. This is useful in a
+number of situations, for example:
+
+*   You have a piece of code whose behavior is affected by one or more
+    command-line flags. You want to make sure your code performs correctly for
+    various values of those flags.
+*   You want to test different implementations of an OO interface.
+*   You want to test your code over various inputs (a.k.a. data-driven testing).
+    This feature is easy to abuse, so please exercise your good sense when doing
+    it!
+
+### How to Write Value-Parameterized Tests
+
+To write value-parameterized tests, first you should define a fixture class. It
+must be derived from both `::testing::Test` and
+`::testing::WithParamInterface<T>` (the latter is a pure interface), where `T`
+is the type of your parameter values. For convenience, you can just derive the
+fixture class from `::testing::TestWithParam<T>`, which itself is derived from
+both `::testing::Test` and `::testing::WithParamInterface<T>`. `T` can be any
+copyable type. If it's a raw pointer, you are responsible for managing the
+lifespan of the pointed values.
+
+NOTE: If your test fixture defines `SetUpTestCase()` or `TearDownTestCase()`
+they must be declared **public** rather than **protected** in order to use
+`TEST_P`.
+
+```c++
+class FooTest :
+    public ::testing::TestWithParam<const char*> {
+  // You can implement all the usual fixture class members here.
+  // To access the test parameter, call GetParam() from class
+  // TestWithParam<T>.
+};
+
+// Or, when you want to add parameters to a pre-existing fixture class:
+class BaseTest : public ::testing::Test {
+  ...
+};
+class BarTest : public BaseTest,
+                public ::testing::WithParamInterface<const char*> {
+  ...
+};
+```
+
+Then, use the `TEST_P` macro to define as many test patterns using this fixture
+as you want. The `_P` suffix is for "parameterized" or "pattern", whichever you
+prefer to think.
+
+```c++
+TEST_P(FooTest, DoesBlah) {
+  // Inside a test, access the test parameter with the GetParam() method
+  // of the TestWithParam<T> class:
+  EXPECT_TRUE(foo.Blah(GetParam()));
+  ...
+}
+
+TEST_P(FooTest, HasBlahBlah) {
+  ...
+}
+```
+
+Finally, you can use `INSTANTIATE_TEST_CASE_P` to instantiate the test case with
+any set of parameters you want. googletest defines a number of functions for
+generating test parameters. They return what we call (surprise!) *parameter
+generators*. Here is a summary of them, which are all in the `testing`
+namespace:
+
+| Parameter Generator          | Behavior                                    |
+| ---------------------------- | ------------------------------------------- |
+| `Range(begin, end [, step])` | Yields values `{begin, begin+step, begin+step+step, ...}`. The values do not include `end`. `step` defaults to 1.      |
+| `Values(v1, v2, ..., vN)`    | Yields values `{v1, v2, ..., vN}`.          |
+| `ValuesIn(container)` and `ValuesIn(begin,end)`   | Yields values from a C-style array, an STL-style container, or an iterator range  `[begin, end)`. |
+| `Bool()`                     | Yields sequence `{false, true}`.            |
+| `Combine(g1, g2, ..., gN)`   | Yields all combinations (Cartesian product) as std\:\:tuples of the values generated by the `N` generators.            |
+
+For more details, see the comments at the definitions of these functions.
+
+The following statement will instantiate tests from the `FooTest` test case each
+with parameter values `"meeny"`, `"miny"`, and `"moe"`.
+
+```c++
+INSTANTIATE_TEST_CASE_P(InstantiationName,
+                        FooTest,
+                        ::testing::Values("meeny", "miny", "moe"));
+```
+
+NOTE: The code above must be placed at global or namespace scope, not at
+function scope.
+
+NOTE: Don't forget this step! If you do your test will silently pass, but none
+of its cases will ever run!
+
+To distinguish different instances of the pattern (yes, you can instantiate it
+more than once), the first argument to `INSTANTIATE_TEST_CASE_P` is a prefix
+that will be added to the actual test case name. Remember to pick unique
+prefixes for different instantiations. The tests from the instantiation above
+will have these names:
+
+*   `InstantiationName/FooTest.DoesBlah/0` for `"meeny"`
+*   `InstantiationName/FooTest.DoesBlah/1` for `"miny"`
+*   `InstantiationName/FooTest.DoesBlah/2` for `"moe"`
+*   `InstantiationName/FooTest.HasBlahBlah/0` for `"meeny"`
+*   `InstantiationName/FooTest.HasBlahBlah/1` for `"miny"`
+*   `InstantiationName/FooTest.HasBlahBlah/2` for `"moe"`
+
+You can use these names in [`--gtest_filter`](#running-a-subset-of-the-tests).
+
+This statement will instantiate all tests from `FooTest` again, each with
+parameter values `"cat"` and `"dog"`:
+
+```c++
+const char* pets[] = {"cat", "dog"};
+INSTANTIATE_TEST_CASE_P(AnotherInstantiationName, FooTest,
+                        ::testing::ValuesIn(pets));
+```
+
+The tests from the instantiation above will have these names:
+
+*   `AnotherInstantiationName/FooTest.DoesBlah/0` for `"cat"`
+*   `AnotherInstantiationName/FooTest.DoesBlah/1` for `"dog"`
+*   `AnotherInstantiationName/FooTest.HasBlahBlah/0` for `"cat"`
+*   `AnotherInstantiationName/FooTest.HasBlahBlah/1` for `"dog"`
+
+Please note that `INSTANTIATE_TEST_CASE_P` will instantiate *all* tests in the
+given test case, whether their definitions come before or *after* the
+`INSTANTIATE_TEST_CASE_P` statement.
+
+You can see sample7_unittest.cc and sample8_unittest.cc for more examples.
+
+**Availability**: Linux, Windows (requires MSVC 8.0 or above), Mac
+
+### Creating Value-Parameterized Abstract Tests
+
+In the above, we define and instantiate `FooTest` in the *same* source file.
+Sometimes you may want to define value-parameterized tests in a library and let
+other people instantiate them later. This pattern is known as *abstract tests*.
+As an example of its application, when you are designing an interface you can
+write a standard suite of abstract tests (perhaps using a factory function as
+the test parameter) that all implementations of the interface are expected to
+pass. When someone implements the interface, they can instantiate your suite to
+get all the interface-conformance tests for free.
+
+To define abstract tests, you should organize your code like this:
+
+1.  Put the definition of the parameterized test fixture class (e.g. `FooTest`)
+    in a header file, say `foo_param_test.h`. Think of this as *declaring* your
+    abstract tests.
+1.  Put the `TEST_P` definitions in `foo_param_test.cc`, which includes
+    `foo_param_test.h`. Think of this as *implementing* your abstract tests.
+
+Once they are defined, you can instantiate them by including `foo_param_test.h`,
+invoking `INSTANTIATE_TEST_CASE_P()`, and depending on the library target that
+contains `foo_param_test.cc`. You can instantiate the same abstract test case
+multiple times, possibly in different source files.
+
+### Specifying Names for Value-Parameterized Test Parameters
+
+The optional last argument to `INSTANTIATE_TEST_CASE_P()` allows the user to
+specify a function or functor that generates custom test name suffixes based on
+the test parameters. The function should accept one argument of type
+`testing::TestParamInfo<class ParamType>`, and return `std::string`.
+
+`testing::PrintToStringParamName` is a builtin test suffix generator that
+returns the value of `testing::PrintToString(GetParam())`. It does not work for
+`std::string` or C strings.
+
+NOTE: test names must be non-empty, unique, and may only contain ASCII
+alphanumeric characters. In particular, they [should not contain
+underscores](https://g3doc.corp.google.com/third_party/googletest/googletest/g3doc/faq.md#no-underscores).
+
+```c++
+class MyTestCase : public testing::TestWithParam<int> {};
+
+TEST_P(MyTestCase, MyTest)
+{
+  std::cout << "Example Test Param: " << GetParam() << std::endl;
+}
+
+INSTANTIATE_TEST_CASE_P(MyGroup, MyTestCase, testing::Range(0, 10),
+                        testing::PrintToStringParamName());
+```
+
+## Typed Tests</id>
+
+Suppose you have multiple implementations of the same interface and want to make
+sure that all of them satisfy some common requirements. Or, you may have defined
+several types that are supposed to conform to the same "concept" and you want to
+verify it. In both cases, you want the same test logic repeated for different
+types.
+
+While you can write one `TEST` or `TEST_F` for each type you want to test (and
+you may even factor the test logic into a function template that you invoke from
+the `TEST`), it's tedious and doesn't scale: if you want `m` tests over `n`
+types, you'll end up writing `m*n` `TEST`s.
+
+*Typed tests* allow you to repeat the same test logic over a list of types. You
+only need to write the test logic once, although you must know the type list
+when writing typed tests. Here's how you do it:
+
+First, define a fixture class template. It should be parameterized by a type.
+Remember to derive it from `::testing::Test`:
+
+```c++
+template <typename T>
+class FooTest : public ::testing::Test {
+ public:
+  ...
+  typedef std::list<T> List;
+  static T shared_;
+  T value_;
+};
+```
+
+Next, associate a list of types with the test case, which will be repeated for
+each type in the list:
+
+```c++
+using MyTypes = ::testing::Types<char, int, unsigned int>;
+TYPED_TEST_CASE(FooTest, MyTypes);
+```
+
+The type alias (`using` or `typedef`) is necessary for the `TYPED_TEST_CASE`
+macro to parse correctly. Otherwise the compiler will think that each comma in
+the type list introduces a new macro argument.
+
+Then, use `TYPED_TEST()` instead of `TEST_F()` to define a typed test for this
+test case. You can repeat this as many times as you want:
+
+```c++
+TYPED_TEST(FooTest, DoesBlah) {
+  // Inside a test, refer to the special name TypeParam to get the type
+  // parameter.  Since we are inside a derived class template, C++ requires
+  // us to visit the members of FooTest via 'this'.
+  TypeParam n = this->value_;
+
+  // To visit static members of the fixture, add the 'TestFixture::'
+  // prefix.
+  n += TestFixture::shared_;
+
+  // To refer to typedefs in the fixture, add the 'typename TestFixture::'
+  // prefix.  The 'typename' is required to satisfy the compiler.
+  typename TestFixture::List values;
+
+  values.push_back(n);
+  ...
+}
+
+TYPED_TEST(FooTest, HasPropertyA) { ... }
+```
+
+You can see sample6_unittest.cc
+
+**Availability**: Linux, Windows (requires MSVC 8.0 or above), Mac
+
+## Type-Parameterized Tests
+
+*Type-parameterized tests* are like typed tests, except that they don't require
+you to know the list of types ahead of time. Instead, you can define the test
+logic first and instantiate it with different type lists later. You can even
+instantiate it more than once in the same program.
+
+If you are designing an interface or concept, you can define a suite of
+type-parameterized tests to verify properties that any valid implementation of
+the interface/concept should have. Then, the author of each implementation can
+just instantiate the test suite with their type to verify that it conforms to
+the requirements, without having to write similar tests repeatedly. Here's an
+example:
+
+First, define a fixture class template, as we did with typed tests:
+
+```c++
+template <typename T>
+class FooTest : public ::testing::Test {
+  ...
+};
+```
+
+Next, declare that you will define a type-parameterized test case:
+
+```c++
+TYPED_TEST_CASE_P(FooTest);
+```
+
+Then, use `TYPED_TEST_P()` to define a type-parameterized test. You can repeat
+this as many times as you want:
+
+```c++
+TYPED_TEST_P(FooTest, DoesBlah) {
+  // Inside a test, refer to TypeParam to get the type parameter.
+  TypeParam n = 0;
+  ...
+}
+
+TYPED_TEST_P(FooTest, HasPropertyA) { ... }
+```
+
+Now the tricky part: you need to register all test patterns using the
+`REGISTER_TYPED_TEST_CASE_P` macro before you can instantiate them. The first
+argument of the macro is the test case name; the rest are the names of the tests
+in this test case:
+
+```c++
+REGISTER_TYPED_TEST_CASE_P(FooTest,
+                           DoesBlah, HasPropertyA);
+```
+
+Finally, you are free to instantiate the pattern with the types you want. If you
+put the above code in a header file, you can `#include` it in multiple C++
+source files and instantiate it multiple times.
+
+```c++
+typedef ::testing::Types<char, int, unsigned int> MyTypes;
+INSTANTIATE_TYPED_TEST_CASE_P(My, FooTest, MyTypes);
+```
+
+To distinguish different instances of the pattern, the first argument to the
+`INSTANTIATE_TYPED_TEST_CASE_P` macro is a prefix that will be added to the
+actual test case name. Remember to pick unique prefixes for different instances.
+
+In the special case where the type list contains only one type, you can write
+that type directly without `::testing::Types<...>`, like this:
+
+```c++
+INSTANTIATE_TYPED_TEST_CASE_P(My, FooTest, int);
+```
+
+You can see `sample6_unittest.cc` for a complete example.
+
+**Availability**: Linux, Windows (requires MSVC 8.0 or above), Mac
+
+## Testing Private Code
+
+If you change your software's internal implementation, your tests should not
+break as long as the change is not observable by users. Therefore, **per the
+black-box testing principle, most of the time you should test your code through
+its public interfaces.**
+
+**If you still find yourself needing to test internal implementation code,
+consider if there's a better design.** The desire to test internal
+implementation is often a sign that the class is doing too much. Consider
+extracting an implementation class, and testing it. Then use that implementation
+class in the original class.
+
+If you absolutely have to test non-public interface code though, you can. There
+are two cases to consider:
+
+*   Static functions ( *not* the same as static member functions!) or unnamed
+    namespaces, and
+*   Private or protected class members
+
+To test them, we use the following special techniques:
+
+*   Both static functions and definitions/declarations in an unnamed namespace
+    are only visible within the same translation unit. To test them, you can
+    `#include` the entire `.cc` file being tested in your `*_test.cc` file.
+    (including `.cc` files is not a good way to reuse code - you should not do
+    this in production code!)
+
+    However, a better approach is to move the private code into the
+    `foo::internal` namespace, where `foo` is the namespace your project
+    normally uses, and put the private declarations in a `*-internal.h` file.
+    Your production `.cc` files and your tests are allowed to include this
+    internal header, but your clients are not. This way, you can fully test your
+    internal implementation without leaking it to your clients.
+
+*   Private class members are only accessible from within the class or by
+    friends. To access a class' private members, you can declare your test
+    fixture as a friend to the class and define accessors in your fixture. Tests
+    using the fixture can then access the private members of your production
+    class via the accessors in the fixture. Note that even though your fixture
+    is a friend to your production class, your tests are not automatically
+    friends to it, as they are technically defined in sub-classes of the
+    fixture.
+
+    Another way to test private members is to refactor them into an
+    implementation class, which is then declared in a `*-internal.h` file. Your
+    clients aren't allowed to include this header but your tests can. Such is
+    called the
+    [Pimpl](https://www.gamedev.net/articles/programming/general-and-gameplay-programming/the-c-pimpl-r1794/)
+    (Private Implementation) idiom.
+
+    Or, you can declare an individual test as a friend of your class by adding
+    this line in the class body:
+
+    ```c++
+        FRIEND_TEST(TestCaseName, TestName);
+    ```
+
+    For example,
+
+    ```c++
+    // foo.h
+
+    #include "gtest/gtest_prod.h"
+
+    class Foo {
+      ...
+    private:
+      FRIEND_TEST(FooTest, BarReturnsZeroOnNull);
+
+      int Bar(void* x);
+    };
+
+    // foo_test.cc
+    ...
+    TEST(FooTest, BarReturnsZeroOnNull) {
+      Foo foo;
+      EXPECT_EQ(0, foo.Bar(NULL));  // Uses Foo's private member Bar().
+    }
+    ```
+
+    Pay special attention when your class is defined in a namespace, as you
+    should define your test fixtures and tests in the same namespace if you want
+    them to be friends of your class. For example, if the code to be tested
+    looks like:
+
+    ```c++
+    namespace my_namespace {
+
+    class Foo {
+      friend class FooTest;
+      FRIEND_TEST(FooTest, Bar);
+      FRIEND_TEST(FooTest, Baz);
+      ... definition of the class Foo ...
+    };
+
+    }  // namespace my_namespace
+    ```
+
+    Your test code should be something like:
+
+    ```c++
+    namespace my_namespace {
+
+    class FooTest : public ::testing::Test {
+     protected:
+      ...
+    };
+
+    TEST_F(FooTest, Bar) { ... }
+    TEST_F(FooTest, Baz) { ... }
+
+    }  // namespace my_namespace
+    ```
+
+
+## "Catching" Failures
+
+If you are building a testing utility on top of googletest, you'll want to test
+your utility. What framework would you use to test it? googletest, of course.
+
+The challenge is to verify that your testing utility reports failures correctly.
+In frameworks that report a failure by throwing an exception, you could catch
+the exception and assert on it. But googletest doesn't use exceptions, so how do
+we test that a piece of code generates an expected failure?
+
+gunit-spi.h contains some constructs to do this. After #including this header,
+you can use
+
+```c++
+  EXPECT_FATAL_FAILURE(statement, substring);
+```
+
+to assert that `statement` generates a fatal (e.g. `ASSERT_*`) failure in the
+current thread whose message contains the given `substring`, or use
+
+```c++
+  EXPECT_NONFATAL_FAILURE(statement, substring);
+```
+
+if you are expecting a non-fatal (e.g. `EXPECT_*`) failure.
+
+Only failures in the current thread are checked to determine the result of this
+type of expectations. If `statement` creates new threads, failures in these
+threads are also ignored. If you want to catch failures in other threads as
+well, use one of the following macros instead:
+
+```c++
+  EXPECT_FATAL_FAILURE_ON_ALL_THREADS(statement, substring);
+  EXPECT_NONFATAL_FAILURE_ON_ALL_THREADS(statement, substring);
+```
+
+NOTE: Assertions from multiple threads are currently not supported on Windows.
+
+For technical reasons, there are some caveats:
+
+1.  You cannot stream a failure message to either macro.
+
+1.  `statement` in `EXPECT_FATAL_FAILURE{_ON_ALL_THREADS}()` cannot reference
+    local non-static variables or non-static members of `this` object.
+
+1.  `statement` in `EXPECT_FATAL_FAILURE{_ON_ALL_THREADS}()()` cannot return a
+    value.
+
+
+## Getting the Current Test's Name
+
+Sometimes a function may need to know the name of the currently running test.
+For example, you may be using the `SetUp()` method of your test fixture to set
+the golden file name based on which test is running. The `::testing::TestInfo`
+class has this information:
+
+```c++
+namespace testing {
+
+class TestInfo {
+ public:
+  // Returns the test case name and the test name, respectively.
+  //
+  // Do NOT delete or free the return value - it's managed by the
+  // TestInfo class.
+  const char* test_case_name() const;
+  const char* name() const;
+};
+
+}
+```
+
+To obtain a `TestInfo` object for the currently running test, call
+`current_test_info()` on the `UnitTest` singleton object:
+
+```c++
+  // Gets information about the currently running test.
+  // Do NOT delete the returned object - it's managed by the UnitTest class.
+  const ::testing::TestInfo* const test_info =
+    ::testing::UnitTest::GetInstance()->current_test_info();
+
+
+
+  printf("We are in test %s of test case %s.\n",
+         test_info->name(),
+         test_info->test_case_name());
+```
+
+`current_test_info()` returns a null pointer if no test is running. In
+particular, you cannot find the test case name in `TestCaseSetUp()`,
+`TestCaseTearDown()` (where you know the test case name implicitly), or
+functions called from them.
+
+**Availability**: Linux, Windows, Mac.
+
+## Extending googletest by Handling Test Events
+
+googletest provides an **event listener API** to let you receive notifications
+about the progress of a test program and test failures. The events you can
+listen to include the start and end of the test program, a test case, or a test
+method, among others. You may use this API to augment or replace the standard
+console output, replace the XML output, or provide a completely different form
+of output, such as a GUI or a database. You can also use test events as
+checkpoints to implement a resource leak checker, for example.
+
+**Availability**: Linux, Windows, Mac.
+
+### Defining Event Listeners
+
+To define a event listener, you subclass either testing::TestEventListener or
+testing::EmptyTestEventListener The former is an (abstract) interface, where
+*each pure virtual method can be overridden to handle a test event* (For
+example, when a test starts, the `OnTestStart()` method will be called.). The
+latter provides an empty implementation of all methods in the interface, such
+that a subclass only needs to override the methods it cares about.
+
+When an event is fired, its context is passed to the handler function as an
+argument. The following argument types are used:
+
+*   UnitTest reflects the state of the entire test program,
+*   TestCase has information about a test case, which can contain one or more
+    tests,
+*   TestInfo contains the state of a test, and
+*   TestPartResult represents the result of a test assertion.
+
+An event handler function can examine the argument it receives to find out
+interesting information about the event and the test program's state.
+
+Here's an example:
+
+```c++
+  class MinimalistPrinter : public ::testing::EmptyTestEventListener {
+    // Called before a test starts.
+    virtual void OnTestStart(const ::testing::TestInfo& test_info) {
+      printf("*** Test %s.%s starting.\n",
+             test_info.test_case_name(), test_info.name());
+    }
+
+    // Called after a failed assertion or a SUCCESS().
+    virtual void OnTestPartResult(const ::testing::TestPartResult& test_part_result) {
+      printf("%s in %s:%d\n%s\n",
+             test_part_result.failed() ? "*** Failure" : "Success",
+             test_part_result.file_name(),
+             test_part_result.line_number(),
+             test_part_result.summary());
+    }
+
+    // Called after a test ends.
+    virtual void OnTestEnd(const ::testing::TestInfo& test_info) {
+      printf("*** Test %s.%s ending.\n",
+             test_info.test_case_name(), test_info.name());
+    }
+  };
+```
+
+### Using Event Listeners
+
+To use the event listener you have defined, add an instance of it to the
+googletest event listener list (represented by class TestEventListeners - note
+the "s" at the end of the name) in your `main()` function, before calling
+`RUN_ALL_TESTS()`:
+
+```c++
+int main(int argc, char** argv) {
+  ::testing::InitGoogleTest(&argc, argv);
+  // Gets hold of the event listener list.
+  ::testing::TestEventListeners& listeners =
+        ::testing::UnitTest::GetInstance()->listeners();
+  // Adds a listener to the end.  googletest takes the ownership.
+  listeners.Append(new MinimalistPrinter);
+  return RUN_ALL_TESTS();
+}
+```
+
+There's only one problem: the default test result printer is still in effect, so
+its output will mingle with the output from your minimalist printer. To suppress
+the default printer, just release it from the event listener list and delete it.
+You can do so by adding one line:
+
+```c++
+  ...
+  delete listeners.Release(listeners.default_result_printer());
+  listeners.Append(new MinimalistPrinter);
+  return RUN_ALL_TESTS();
+```
+
+Now, sit back and enjoy a completely different output from your tests. For more
+details, you can read this sample9_unittest.cc
+
+You may append more than one listener to the list. When an `On*Start()` or
+`OnTestPartResult()` event is fired, the listeners will receive it in the order
+they appear in the list (since new listeners are added to the end of the list,
+the default text printer and the default XML generator will receive the event
+first). An `On*End()` event will be received by the listeners in the *reverse*
+order. This allows output by listeners added later to be framed by output from
+listeners added earlier.
+
+### Generating Failures in Listeners
+
+You may use failure-raising macros (`EXPECT_*()`, `ASSERT_*()`, `FAIL()`, etc)
+when processing an event. There are some restrictions:
+
+1.  You cannot generate any failure in `OnTestPartResult()` (otherwise it will
+    cause `OnTestPartResult()` to be called recursively).
+1.  A listener that handles `OnTestPartResult()` is not allowed to generate any
+    failure.
+
+When you add listeners to the listener list, you should put listeners that
+handle `OnTestPartResult()` *before* listeners that can generate failures. This
+ensures that failures generated by the latter are attributed to the right test
+by the former.
+
+We have a sample of failure-raising listener sample10_unittest.cc
+
+## Running Test Programs: Advanced Options
+
+googletest test programs are ordinary executables. Once built, you can run them
+directly and affect their behavior via the following environment variables
+and/or command line flags. For the flags to work, your programs must call
+`::testing::InitGoogleTest()` before calling `RUN_ALL_TESTS()`.
+
+To see a list of supported flags and their usage, please run your test program
+with the `--help` flag. You can also use `-h`, `-?`, or `/?` for short.
+
+If an option is specified both by an environment variable and by a flag, the
+latter takes precedence.
+
+### Selecting Tests
+
+#### Listing Test Names
+
+Sometimes it is necessary to list the available tests in a program before
+running them so that a filter may be applied if needed. Including the flag
+`--gtest_list_tests` overrides all other flags and lists tests in the following
+format:
+
+```none
+TestCase1.
+  TestName1
+  TestName2
+TestCase2.
+  TestName
+```
+
+None of the tests listed are actually run if the flag is provided. There is no
+corresponding environment variable for this flag.
+
+**Availability**: Linux, Windows, Mac.
+
+#### Running a Subset of the Tests
+
+By default, a googletest program runs all tests the user has defined. Sometimes,
+you want to run only a subset of the tests (e.g. for debugging or quickly
+verifying a change). If you set the `GTEST_FILTER` environment variable or the
+`--gtest_filter` flag to a filter string, googletest will only run the tests
+whose full names (in the form of `TestCaseName.TestName`) match the filter.
+
+The format of a filter is a '`:`'-separated list of wildcard patterns (called
+the *positive patterns*) optionally followed by a '`-`' and another
+'`:`'-separated pattern list (called the *negative patterns*). A test matches
+the filter if and only if it matches any of the positive patterns but does not
+match any of the negative patterns.
+
+A pattern may contain `'*'` (matches any string) or `'?'` (matches any single
+character). For convenience, the filter
+
+`'*-NegativePatterns'` can be also written as `'-NegativePatterns'`.
+
+For example:
+
+*   `./foo_test` Has no flag, and thus runs all its tests.
+*   `./foo_test --gtest_filter=*` Also runs everything, due to the single
+    match-everything `*` value.
+*   `./foo_test --gtest_filter=FooTest.*` Runs everything in test case `FooTest`
+    .
+*   `./foo_test --gtest_filter=*Null*:*Constructor*` Runs any test whose full
+    name contains either `"Null"` or `"Constructor"` .
+*   `./foo_test --gtest_filter=-*DeathTest.*` Runs all non-death tests.
+*   `./foo_test --gtest_filter=FooTest.*-FooTest.Bar` Runs everything in test
+    case `FooTest` except `FooTest.Bar`.
+*   `./foo_test --gtest_filter=FooTest.*:BarTest.*-FooTest.Bar:BarTest.Foo` Runs
+    everything in test case `FooTest` except `FooTest.Bar` and everything in
+    test case `BarTest` except `BarTest.Foo`.
+    
+#### Temporarily Disabling Tests
+
+If you have a broken test that you cannot fix right away, you can add the
+`DISABLED_` prefix to its name. This will exclude it from execution. This is
+better than commenting out the code or using `#if 0`, as disabled tests are
+still compiled (and thus won't rot).
+
+If you need to disable all tests in a test case, you can either add `DISABLED_`
+to the front of the name of each test, or alternatively add it to the front of
+the test case name.
+
+For example, the following tests won't be run by googletest, even though they
+will still be compiled:
+
+```c++
+// Tests that Foo does Abc.
+TEST(FooTest, DISABLED_DoesAbc) { ... }
+
+class DISABLED_BarTest : public ::testing::Test { ... };
+
+// Tests that Bar does Xyz.
+TEST_F(DISABLED_BarTest, DoesXyz) { ... }
+```
+
+NOTE: This feature should only be used for temporary pain-relief. You still have
+to fix the disabled tests at a later date. As a reminder, googletest will print
+a banner warning you if a test program contains any disabled tests.
+
+TIP: You can easily count the number of disabled tests you have using `gsearch`
+and/or `grep`. This number can be used as a metric for improving your test
+quality.
+
+**Availability**: Linux, Windows, Mac.
+
+#### Temporarily Enabling Disabled Tests
+
+To include disabled tests in test execution, just invoke the test program with
+the `--gtest_also_run_disabled_tests` flag or set the
+`GTEST_ALSO_RUN_DISABLED_TESTS` environment variable to a value other than `0`.
+You can combine this with the `--gtest_filter` flag to further select which
+disabled tests to run.
+
+**Availability**: Linux, Windows, Mac.
+
+### Repeating the Tests
+
+Once in a while you'll run into a test whose result is hit-or-miss. Perhaps it
+will fail only 1% of the time, making it rather hard to reproduce the bug under
+a debugger. This can be a major source of frustration.
+
+The `--gtest_repeat` flag allows you to repeat all (or selected) test methods in
+a program many times. Hopefully, a flaky test will eventually fail and give you
+a chance to debug. Here's how to use it:
+
+```none
+$ foo_test --gtest_repeat=1000
+Repeat foo_test 1000 times and don't stop at failures.
+
+$ foo_test --gtest_repeat=-1
+A negative count means repeating forever.
+
+$ foo_test --gtest_repeat=1000 --gtest_break_on_failure
+Repeat foo_test 1000 times, stopping at the first failure.  This
+is especially useful when running under a debugger: when the test
+fails, it will drop into the debugger and you can then inspect
+variables and stacks.
+
+$ foo_test --gtest_repeat=1000 --gtest_filter=FooBar.*
+Repeat the tests whose name matches the filter 1000 times.
+```
+
+If your test program contains [global set-up/tear-down](#global-set-up-and-tear-down) code, it
+will be repeated in each iteration as well, as the flakiness may be in it. You
+can also specify the repeat count by setting the `GTEST_REPEAT` environment
+variable.
+
+**Availability**: Linux, Windows, Mac.
+
+### Shuffling the Tests
+
+You can specify the `--gtest_shuffle` flag (or set the `GTEST_SHUFFLE`
+environment variable to `1`) to run the tests in a program in a random order.
+This helps to reveal bad dependencies between tests.
+
+By default, googletest uses a random seed calculated from the current time.
+Therefore you'll get a different order every time. The console output includes
+the random seed value, such that you can reproduce an order-related test failure
+later. To specify the random seed explicitly, use the `--gtest_random_seed=SEED`
+flag (or set the `GTEST_RANDOM_SEED` environment variable), where `SEED` is an
+integer in the range [0, 99999]. The seed value 0 is special: it tells
+googletest to do the default behavior of calculating the seed from the current
+time.
+
+If you combine this with `--gtest_repeat=N`, googletest will pick a different
+random seed and re-shuffle the tests in each iteration.
+
+**Availability**: Linux, Windows, Mac.
+
+### Controlling Test Output
+
+#### Colored Terminal Output
+
+googletest can use colors in its terminal output to make it easier to spot the
+important information:
+
+...<br/>
+<span style="color:green">[----------]<span style="color:black"> 1 test from FooTest<br/>
+<span style="color:green">[ RUN      ]<span style="color:black"> FooTest.DoesAbc<br/>
+<span style="color:green">[       OK ]<span style="color:black"> FooTest.DoesAbc<br/>
+<span style="color:green">[----------]<span style="color:black"> 2 tests from BarTest<br/>
+<span style="color:green">[ RUN      ]<span style="color:black"> BarTest.HasXyzProperty<br/>
+<span style="color:green">[       OK ]<span style="color:black"> BarTest.HasXyzProperty<br/>
+<span style="color:green">[ RUN      ]<span style="color:black"> BarTest.ReturnsTrueOnSuccess<br/>
+... some error messages ...<br/>
+<span   style="color:red">[  FAILED  ] <span style="color:black">BarTest.ReturnsTrueOnSuccess<br/>
+...<br/>
+<span style="color:green">[==========]<span style="color:black"> 30 tests from 14 test cases ran.<br/>
+<span style="color:green">[  PASSED  ]<span style="color:black"> 28 tests.<br/>
+<span style="color:red">[  FAILED  ]<span style="color:black"> 2 tests, listed below:<br/>
+<span style="color:red">[  FAILED  ]<span style="color:black"> BarTest.ReturnsTrueOnSuccess<br/>
+<span style="color:red">[  FAILED  ]<span style="color:black"> AnotherTest.DoesXyz<br/>
+  2 FAILED TESTS
+
+You can set the `GTEST_COLOR` environment variable or the `--gtest_color`
+command line flag to `yes`, `no`, or `auto` (the default) to enable colors,
+disable colors, or let googletest decide. When the value is `auto`, googletest
+will use colors if and only if the output goes to a terminal and (on non-Windows
+platforms) the `TERM` environment variable is set to `xterm` or `xterm-color`.
+
+ **Availability**: Linux, Windows, Mac.
+
+#### Suppressing the Elapsed Time
+
+By default, googletest prints the time it takes to run each test. To disable
+that, run the test program with the `--gtest_print_time=0` command line flag, or
+set the GTEST_PRINT_TIME environment variable to `0`.
+
+**Availability**: Linux, Windows, Mac.
+
+#### Suppressing UTF-8 Text Output
+
+In case of assertion failures, googletest prints expected and actual values of
+type `string` both as hex-encoded strings as well as in readable UTF-8 text if
+they contain valid non-ASCII UTF-8 characters. If you want to suppress the UTF-8
+text because, for example, you don't have an UTF-8 compatible output medium, run
+the test program with `--gtest_print_utf8=0` or set the `GTEST_PRINT_UTF8`
+environment variable to `0`.
+
+**Availability**: Linux, Windows, Mac.
+
+
+#### Generating an XML Report
+
+googletest can emit a detailed XML report to a file in addition to its normal
+textual output. The report contains the duration of each test, and thus can help
+you identify slow tests. The report is also used by the http://unittest
+dashboard to show per-test-method error messages.
+
+To generate the XML report, set the `GTEST_OUTPUT` environment variable or the
+`--gtest_output` flag to the string `"xml:path_to_output_file"`, which will
+create the file at the given location. You can also just use the string `"xml"`,
+in which case the output can be found in the `test_detail.xml` file in the
+current directory.
+
+If you specify a directory (for example, `"xml:output/directory/"` on Linux or
+`"xml:output\directory\"` on Windows), googletest will create the XML file in
+that directory, named after the test executable (e.g. `foo_test.xml` for test
+program `foo_test` or `foo_test.exe`). If the file already exists (perhaps left
+over from a previous run), googletest will pick a different name (e.g.
+`foo_test_1.xml`) to avoid overwriting it.
+
+
+The report is based on the `junitreport` Ant task. Since that format was
+originally intended for Java, a little interpretation is required to make it
+apply to googletest tests, as shown here:
+
+```xml
+<testsuites name="AllTests" ...>
+  <testsuite name="test_case_name" ...>
+    <testcase    name="test_name" ...>
+      <failure message="..."/>
+      <failure message="..."/>
+      <failure message="..."/>
+    </testcase>
+  </testsuite>
+</testsuites>
+```
+
+*   The root `<testsuites>` element corresponds to the entire test program.
+*   `<testsuite>` elements correspond to googletest test cases.
+*   `<testcase>` elements correspond to googletest test functions.
+
+For instance, the following program
+
+```c++
+TEST(MathTest, Addition) { ... }
+TEST(MathTest, Subtraction) { ... }
+TEST(LogicTest, NonContradiction) { ... }
+```
+
+could generate this report:
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<testsuites tests="3" failures="1" errors="0" time="0.035" timestamp="2011-10-31T18:52:42" name="AllTests">
+  <testsuite name="MathTest" tests="2" failures="1" errors="0" time="0.015">
+    <testcase name="Addition" status="run" time="0.007" classname="">
+      <failure message="Value of: add(1, 1)&#x0A;  Actual: 3&#x0A;Expected: 2" type="">...</failure>
+      <failure message="Value of: add(1, -1)&#x0A;  Actual: 1&#x0A;Expected: 0" type="">...</failure>
+    </testcase>
+    <testcase name="Subtraction" status="run" time="0.005" classname="">
+    </testcase>
+  </testsuite>
+  <testsuite name="LogicTest" tests="1" failures="0" errors="0" time="0.005">
+    <testcase name="NonContradiction" status="run" time="0.005" classname="">
+    </testcase>
+  </testsuite>
+</testsuites>
+```
+
+Things to note:
+
+*   The `tests` attribute of a `<testsuites>` or `<testsuite>` element tells how
+    many test functions the googletest program or test case contains, while the
+    `failures` attribute tells how many of them failed.
+
+*   The `time` attribute expresses the duration of the test, test case, or
+    entire test program in seconds.
+
+*   The `timestamp` attribute records the local date and time of the test
+    execution.
+
+*   Each `<failure>` element corresponds to a single failed googletest
+    assertion.
+
+**Availability**: Linux, Windows, Mac.
+
+#### Generating an JSON Report
+
+googletest can also emit a JSON report as an alternative format to XML. To
+generate the JSON report, set the `GTEST_OUTPUT` environment variable or the
+`--gtest_output` flag to the string `"json:path_to_output_file"`, which will
+create the file at the given location. You can also just use the string
+`"json"`, in which case the output can be found in the `test_detail.json` file
+in the current directory.
+
+The report format conforms to the following JSON Schema:
+
+```json
+{
+  "$schema": "http://json-schema.org/schema#",
+  "type": "object",
+  "definitions": {
+    "TestCase": {
+      "type": "object",
+      "properties": {
+        "name": { "type": "string" },
+        "tests": { "type": "integer" },
+        "failures": { "type": "integer" },
+        "disabled": { "type": "integer" },
+        "time": { "type": "string" },
+        "testsuite": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/TestInfo"
+          }
+        }
+      }
+    },
+    "TestInfo": {
+      "type": "object",
+      "properties": {
+        "name": { "type": "string" },
+        "status": {
+          "type": "string",
+          "enum": ["RUN", "NOTRUN"]
+        },
+        "time": { "type": "string" },
+        "classname": { "type": "string" },
+        "failures": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/Failure"
+          }
+        }
+      }
+    },
+    "Failure": {
+      "type": "object",
+      "properties": {
+        "failures": { "type": "string" },
+        "type": { "type": "string" }
+      }
+    }
+  },
+  "properties": {
+    "tests": { "type": "integer" },
+    "failures": { "type": "integer" },
+    "disabled": { "type": "integer" },
+    "errors": { "type": "integer" },
+    "timestamp": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "time": { "type": "string" },
+    "name": { "type": "string" },
+    "testsuites": {
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/TestCase"
+      }
+    }
+  }
+}
+```
+
+The report uses the format that conforms to the following Proto3 using the [JSON
+encoding](https://developers.google.com/protocol-buffers/docs/proto3#json):
+
+```proto
+syntax = "proto3";
+
+package googletest;
+
+import "google/protobuf/timestamp.proto";
+import "google/protobuf/duration.proto";
+
+message UnitTest {
+  int32 tests = 1;
+  int32 failures = 2;
+  int32 disabled = 3;
+  int32 errors = 4;
+  google.protobuf.Timestamp timestamp = 5;
+  google.protobuf.Duration time = 6;
+  string name = 7;
+  repeated TestCase testsuites = 8;
+}
+
+message TestCase {
+  string name = 1;
+  int32 tests = 2;
+  int32 failures = 3;
+  int32 disabled = 4;
+  int32 errors = 5;
+  google.protobuf.Duration time = 6;
+  repeated TestInfo testsuite = 7;
+}
+
+message TestInfo {
+  string name = 1;
+  enum Status {
+    RUN = 0;
+    NOTRUN = 1;
+  }
+  Status status = 2;
+  google.protobuf.Duration time = 3;
+  string classname = 4;
+  message Failure {
+    string failures = 1;
+    string type = 2;
+  }
+  repeated Failure failures = 5;
+}
+```
+
+For instance, the following program
+
+```c++
+TEST(MathTest, Addition) { ... }
+TEST(MathTest, Subtraction) { ... }
+TEST(LogicTest, NonContradiction) { ... }
+```
+
+could generate this report:
+
+```json
+{
+  "tests": 3,
+  "failures": 1,
+  "errors": 0,
+  "time": "0.035s",
+  "timestamp": "2011-10-31T18:52:42Z"
+  "name": "AllTests",
+  "testsuites": [
+    {
+      "name": "MathTest",
+      "tests": 2,
+      "failures": 1,
+      "errors": 0,
+      "time": "0.015s",
+      "testsuite": [
+        {
+          "name": "Addition",
+          "status": "RUN",
+          "time": "0.007s",
+          "classname": "",
+          "failures": [
+            {
+              "message": "Value of: add(1, 1)\x0A  Actual: 3\x0AExpected: 2",
+              "type": ""
+            },
+            {
+              "message": "Value of: add(1, -1)\x0A  Actual: 1\x0AExpected: 0",
+              "type": ""
+            }
+          ]
+        },
+        {
+          "name": "Subtraction",
+          "status": "RUN",
+          "time": "0.005s",
+          "classname": ""
+        }
+      ]
+    }
+    {
+      "name": "LogicTest",
+      "tests": 1,
+      "failures": 0,
+      "errors": 0,
+      "time": "0.005s",
+      "testsuite": [
+        {
+          "name": "NonContradiction",
+          "status": "RUN",
+          "time": "0.005s",
+          "classname": ""
+        }
+      ]
+    }
+  ]
+}
+```
+
+IMPORTANT: The exact format of the JSON document is subject to change.
+
+**Availability**: Linux, Windows, Mac.
+
+### Controlling How Failures Are Reported
+
+#### Turning Assertion Failures into Break-Points
+
+When running test programs under a debugger, it's very convenient if the
+debugger can catch an assertion failure and automatically drop into interactive
+mode. googletest's *break-on-failure* mode supports this behavior.
+
+To enable it, set the `GTEST_BREAK_ON_FAILURE` environment variable to a value
+other than `0` . Alternatively, you can use the `--gtest_break_on_failure`
+command line flag.
+
+**Availability**: Linux, Windows, Mac.
+
+#### Disabling Catching Test-Thrown Exceptions
+
+googletest can be used either with or without exceptions enabled. If a test
+throws a C++ exception or (on Windows) a structured exception (SEH), by default
+googletest catches it, reports it as a test failure, and continues with the next
+test method. This maximizes the coverage of a test run. Also, on Windows an
+uncaught exception will cause a pop-up window, so catching the exceptions allows
+you to run the tests automatically.
+
+When debugging the test failures, however, you may instead want the exceptions
+to be handled by the debugger, such that you can examine the call stack when an
+exception is thrown. To achieve that, set the `GTEST_CATCH_EXCEPTIONS`
+environment variable to `0`, or use the `--gtest_catch_exceptions=0` flag when
+running the tests.
+
+**Availability**: Linux, Windows, Mac.
+
diff --git a/security/nss/gtests/google_test/gtest/docs/faq.md b/security/nss/gtests/google_test/gtest/docs/faq.md
new file mode 100644
index 000000000..7d42ff7db
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/docs/faq.md
@@ -0,0 +1,770 @@
+# Googletest FAQ
+
+
+## Why should test case names and test names not contain underscore?
+
+Underscore (`_`) is special, as C++ reserves the following to be used by the
+compiler and the standard library:
+
+1.  any identifier that starts with an `_` followed by an upper-case letter, and
+1.  any identifier that contains two consecutive underscores (i.e. `__`)
+    *anywhere* in its name.
+
+User code is *prohibited* from using such identifiers.
+
+Now let's look at what this means for `TEST` and `TEST_F`.
+
+Currently `TEST(TestCaseName, TestName)` generates a class named
+`TestCaseName_TestName_Test`. What happens if `TestCaseName` or `TestName`
+contains `_`?
+
+1.  If `TestCaseName` starts with an `_` followed by an upper-case letter (say,
+    `_Foo`), we end up with `_Foo_TestName_Test`, which is reserved and thus
+    invalid.
+1.  If `TestCaseName` ends with an `_` (say, `Foo_`), we get
+    `Foo__TestName_Test`, which is invalid.
+1.  If `TestName` starts with an `_` (say, `_Bar`), we get
+    `TestCaseName__Bar_Test`, which is invalid.
+1.  If `TestName` ends with an `_` (say, `Bar_`), we get
+    `TestCaseName_Bar__Test`, which is invalid.
+
+So clearly `TestCaseName` and `TestName` cannot start or end with `_` (Actually,
+`TestCaseName` can start with `_` -- as long as the `_` isn't followed by an
+upper-case letter. But that's getting complicated. So for simplicity we just say
+that it cannot start with `_`.).
+
+It may seem fine for `TestCaseName` and `TestName` to contain `_` in the middle.
+However, consider this:
+
+```c++
+TEST(Time, Flies_Like_An_Arrow) { ... }
+TEST(Time_Flies, Like_An_Arrow) { ... }
+```
+
+Now, the two `TEST`s will both generate the same class
+(`Time_Flies_Like_An_Arrow_Test`). That's not good.
+
+So for simplicity, we just ask the users to avoid `_` in `TestCaseName` and
+`TestName`. The rule is more constraining than necessary, but it's simple and
+easy to remember. It also gives googletest some wiggle room in case its
+implementation needs to change in the future.
+
+If you violate the rule, there may not be immediate consequences, but your test
+may (just may) break with a new compiler (or a new version of the compiler you
+are using) or with a new version of googletest. Therefore it's best to follow
+the rule.
+
+## Why does googletest support `EXPECT_EQ(NULL, ptr)` and `ASSERT_EQ(NULL, ptr)` but not `EXPECT_NE(NULL, ptr)` and `ASSERT_NE(NULL, ptr)`?
+
+First of all you can use `EXPECT_NE(nullptr, ptr)` and `ASSERT_NE(nullptr,
+ptr)`. This is the preferred syntax in the style guide because nullptr does not
+have the type problems that NULL does. Which is why NULL does not work.
+
+Due to some peculiarity of C++, it requires some non-trivial template meta
+programming tricks to support using `NULL` as an argument of the `EXPECT_XX()`
+and `ASSERT_XX()` macros. Therefore we only do it where it's most needed
+(otherwise we make the implementation of googletest harder to maintain and more
+error-prone than necessary).
+
+The `EXPECT_EQ()` macro takes the *expected* value as its first argument and the
+*actual* value as the second. It's reasonable that someone wants to write
+`EXPECT_EQ(NULL, some_expression)`, and this indeed was requested several times.
+Therefore we implemented it.
+
+The need for `EXPECT_NE(NULL, ptr)` isn't nearly as strong. When the assertion
+fails, you already know that `ptr` must be `NULL`, so it doesn't add any
+information to print `ptr` in this case. That means `EXPECT_TRUE(ptr != NULL)`
+works just as well.
+
+If we were to support `EXPECT_NE(NULL, ptr)`, for consistency we'll have to
+support `EXPECT_NE(ptr, NULL)` as well, as unlike `EXPECT_EQ`, we don't have a
+convention on the order of the two arguments for `EXPECT_NE`. This means using
+the template meta programming tricks twice in the implementation, making it even
+harder to understand and maintain. We believe the benefit doesn't justify the
+cost.
+
+Finally, with the growth of the gMock matcher library, we are encouraging people
+to use the unified `EXPECT_THAT(value, matcher)` syntax more often in tests. One
+significant advantage of the matcher approach is that matchers can be easily
+combined to form new matchers, while the `EXPECT_NE`, etc, macros cannot be
+easily combined. Therefore we want to invest more in the matchers than in the
+`EXPECT_XX()` macros.
+
+## I need to test that different implementations of an interface satisfy some common requirements. Should I use typed tests or value-parameterized tests?
+
+For testing various implementations of the same interface, either typed tests or
+value-parameterized tests can get it done. It's really up to you the user to
+decide which is more convenient for you, depending on your particular case. Some
+rough guidelines:
+
+*   Typed tests can be easier to write if instances of the different
+    implementations can be created the same way, modulo the type. For example,
+    if all these implementations have a public default constructor (such that
+    you can write `new TypeParam`), or if their factory functions have the same
+    form (e.g. `CreateInstance<TypeParam>()`).
+*   Value-parameterized tests can be easier to write if you need different code
+    patterns to create different implementations' instances, e.g. `new Foo` vs
+    `new Bar(5)`. To accommodate for the differences, you can write factory
+    function wrappers and pass these function pointers to the tests as their
+    parameters.
+*   When a typed test fails, the output includes the name of the type, which can
+    help you quickly identify which implementation is wrong. Value-parameterized
+    tests cannot do this, so there you'll have to look at the iteration number
+    to know which implementation the failure is from, which is less direct.
+*   If you make a mistake writing a typed test, the compiler errors can be
+    harder to digest, as the code is templatized.
+*   When using typed tests, you need to make sure you are testing against the
+    interface type, not the concrete types (in other words, you want to make
+    sure `implicit_cast<MyInterface*>(my_concrete_impl)` works, not just that
+    `my_concrete_impl` works). It's less likely to make mistakes in this area
+    when using value-parameterized tests.
+
+I hope I didn't confuse you more. :-) If you don't mind, I'd suggest you to give
+both approaches a try. Practice is a much better way to grasp the subtle
+differences between the two tools. Once you have some concrete experience, you
+can much more easily decide which one to use the next time.
+
+## My death tests became very slow - what happened?
+
+In August 2008 we had to switch the default death test style from `fast` to
+`threadsafe`, as the former is no longer safe now that threaded logging is the
+default. This caused many death tests to slow down. Unfortunately this change
+was necessary.
+
+Please read [Fixing Failing Death Tests](death_test_styles.md) for what you can
+do.
+
+## I got some run-time errors about invalid proto descriptors when using `ProtocolMessageEquals`. Help!
+
+**Note:** `ProtocolMessageEquals` and `ProtocolMessageEquiv` are *deprecated*
+now. Please use `EqualsProto`, etc instead.
+
+`ProtocolMessageEquals` and `ProtocolMessageEquiv` were redefined recently and
+are now less tolerant on invalid protocol buffer definitions. In particular, if
+you have a `foo.proto` that doesn't fully qualify the type of a protocol message
+it references (e.g. `message<Bar>` where it should be `message<blah.Bar>`), you
+will now get run-time errors like:
+
+```
+... descriptor.cc:...] Invalid proto descriptor for file "path/to/foo.proto":
+... descriptor.cc:...]  blah.MyMessage.my_field: ".Bar" is not defined.
+```
+
+If you see this, your `.proto` file is broken and needs to be fixed by making
+the types fully qualified. The new definition of `ProtocolMessageEquals` and
+`ProtocolMessageEquiv` just happen to reveal your bug.
+
+## My death test modifies some state, but the change seems lost after the death test finishes. Why?
+
+Death tests (`EXPECT_DEATH`, etc) are executed in a sub-process s.t. the
+expected crash won't kill the test program (i.e. the parent process). As a
+result, any in-memory side effects they incur are observable in their respective
+sub-processes, but not in the parent process. You can think of them as running
+in a parallel universe, more or less.
+
+In particular, if you use [gMock](../../googlemock) and the death test statement
+invokes some mock methods, the parent process will think the calls have never
+occurred. Therefore, you may want to move your `EXPECT_CALL` statements inside
+the `EXPECT_DEATH` macro.
+
+## EXPECT_EQ(htonl(blah), blah_blah) generates weird compiler errors in opt mode. Is this a googletest bug?
+
+Actually, the bug is in `htonl()`.
+
+According to `'man htonl'`, `htonl()` is a *function*, which means it's valid to
+use `htonl` as a function pointer. However, in opt mode `htonl()` is defined as
+a *macro*, which breaks this usage.
+
+Worse, the macro definition of `htonl()` uses a `gcc` extension and is *not*
+standard C++. That hacky implementation has some ad hoc limitations. In
+particular, it prevents you from writing `Foo<sizeof(htonl(x))>()`, where `Foo`
+is a template that has an integral argument.
+
+The implementation of `EXPECT_EQ(a, b)` uses `sizeof(... a ...)` inside a
+template argument, and thus doesn't compile in opt mode when `a` contains a call
+to `htonl()`. It is difficult to make `EXPECT_EQ` bypass the `htonl()` bug, as
+the solution must work with different compilers on various platforms.
+
+`htonl()` has some other problems as described in `//util/endian/endian.h`,
+which defines `ghtonl()` to replace it. `ghtonl()` does the same thing `htonl()`
+does, only without its problems. We suggest you to use `ghtonl()` instead of
+`htonl()`, both in your tests and production code.
+
+`//util/endian/endian.h` also defines `ghtons()`, which solves similar problems
+in `htons()`.
+
+Don't forget to add `//util/endian` to the list of dependencies in the `BUILD`
+file wherever `ghtonl()` and `ghtons()` are used. The library consists of a
+single header file and will not bloat your binary.
+
+## The compiler complains about "undefined references" to some static const member variables, but I did define them in the class body. What's wrong?
+
+If your class has a static data member:
+
+```c++
+// foo.h
+class Foo {
+  ...
+  static const int kBar = 100;
+};
+```
+
+You also need to define it *outside* of the class body in `foo.cc`:
+
+```c++
+const int Foo::kBar;  // No initializer here.
+```
+
+Otherwise your code is **invalid C++**, and may break in unexpected ways. In
+particular, using it in googletest comparison assertions (`EXPECT_EQ`, etc) will
+generate an "undefined reference" linker error. The fact that "it used to work"
+doesn't mean it's valid. It just means that you were lucky. :-)
+
+## Can I derive a test fixture from another?
+
+Yes.
+
+Each test fixture has a corresponding and same named test case. This means only
+one test case can use a particular fixture. Sometimes, however, multiple test
+cases may want to use the same or slightly different fixtures. For example, you
+may want to make sure that all of a GUI library's test cases don't leak
+important system resources like fonts and brushes.
+
+In googletest, you share a fixture among test cases by putting the shared logic
+in a base test fixture, then deriving from that base a separate fixture for each
+test case that wants to use this common logic. You then use `TEST_F()` to write
+tests using each derived fixture.
+
+Typically, your code looks like this:
+
+```c++
+// Defines a base test fixture.
+class BaseTest : public ::testing::Test {
+ protected:
+  ...
+};
+
+// Derives a fixture FooTest from BaseTest.
+class FooTest : public BaseTest {
+ protected:
+  void SetUp() override {
+    BaseTest::SetUp();  // Sets up the base fixture first.
+    ... additional set-up work ...
+  }
+
+  void TearDown() override {
+    ... clean-up work for FooTest ...
+    BaseTest::TearDown();  // Remember to tear down the base fixture
+                           // after cleaning up FooTest!
+  }
+
+  ... functions and variables for FooTest ...
+};
+
+// Tests that use the fixture FooTest.
+TEST_F(FooTest, Bar) { ... }
+TEST_F(FooTest, Baz) { ... }
+
+... additional fixtures derived from BaseTest ...
+```
+
+If necessary, you can continue to derive test fixtures from a derived fixture.
+googletest has no limit on how deep the hierarchy can be.
+
+For a complete example using derived test fixtures, see [googletest
+sample](https://github.com/google/googletest/blob/master/googletest/samples/sample5_unittest.cc)
+
+## My compiler complains "void value not ignored as it ought to be." What does this mean?
+
+You're probably using an `ASSERT_*()` in a function that doesn't return `void`.
+`ASSERT_*()` can only be used in `void` functions, due to exceptions being
+disabled by our build system. Please see more details
+[here](advanced.md#assertion-placement).
+
+## My death test hangs (or seg-faults). How do I fix it?
+
+In googletest, death tests are run in a child process and the way they work is
+delicate. To write death tests you really need to understand how they work.
+Please make sure you have read [this](advanced.md#how-it-works).
+
+In particular, death tests don't like having multiple threads in the parent
+process. So the first thing you can try is to eliminate creating threads outside
+of `EXPECT_DEATH()`. For example, you may want to use [mocks](../../googlemock)
+or fake objects instead of real ones in your tests.
+
+Sometimes this is impossible as some library you must use may be creating
+threads before `main()` is even reached. In this case, you can try to minimize
+the chance of conflicts by either moving as many activities as possible inside
+`EXPECT_DEATH()` (in the extreme case, you want to move everything inside), or
+leaving as few things as possible in it. Also, you can try to set the death test
+style to `"threadsafe"`, which is safer but slower, and see if it helps.
+
+If you go with thread-safe death tests, remember that they rerun the test
+program from the beginning in the child process. Therefore make sure your
+program can run side-by-side with itself and is deterministic.
+
+In the end, this boils down to good concurrent programming. You have to make
+sure that there is no race conditions or dead locks in your program. No silver
+bullet - sorry!
+
+## Should I use the constructor/destructor of the test fixture or SetUp()/TearDown()?
+
+The first thing to remember is that googletest does **not** reuse the same test
+fixture object across multiple tests. For each `TEST_F`, googletest will create
+a **fresh** test fixture object, immediately call `SetUp()`, run the test body,
+call `TearDown()`, and then delete the test fixture object.
+
+When you need to write per-test set-up and tear-down logic, you have the choice
+between using the test fixture constructor/destructor or `SetUp()/TearDown()`.
+The former is usually preferred, as it has the following benefits:
+
+*   By initializing a member variable in the constructor, we have the option to
+    make it `const`, which helps prevent accidental changes to its value and
+    makes the tests more obviously correct.
+*   In case we need to subclass the test fixture class, the subclass'
+    constructor is guaranteed to call the base class' constructor *first*, and
+    the subclass' destructor is guaranteed to call the base class' destructor
+    *afterward*. With `SetUp()/TearDown()`, a subclass may make the mistake of
+    forgetting to call the base class' `SetUp()/TearDown()` or call them at the
+    wrong time.
+
+You may still want to use `SetUp()/TearDown()` in the following rare cases:
+
+*   In the body of a constructor (or destructor), it's not possible to use the
+    `ASSERT_xx` macros. Therefore, if the set-up operation could cause a fatal
+    test failure that should prevent the test from running, it's necessary to
+    use a `CHECK` macro or to use `SetUp()` instead of a constructor.
+*   If the tear-down operation could throw an exception, you must use
+    `TearDown()` as opposed to the destructor, as throwing in a destructor leads
+    to undefined behavior and usually will kill your program right away. Note
+    that many standard libraries (like STL) may throw when exceptions are
+    enabled in the compiler. Therefore you should prefer `TearDown()` if you
+    want to write portable tests that work with or without exceptions.
+*   The googletest team is considering making the assertion macros throw on
+    platforms where exceptions are enabled (e.g. Windows, Mac OS, and Linux
+    client-side), which will eliminate the need for the user to propagate
+    failures from a subroutine to its caller. Therefore, you shouldn't use
+    googletest assertions in a destructor if your code could run on such a
+    platform.
+*   In a constructor or destructor, you cannot make a virtual function call on
+    this object. (You can call a method declared as virtual, but it will be
+    statically bound.) Therefore, if you need to call a method that will be
+    overridden in a derived class, you have to use `SetUp()/TearDown()`.
+
+
+## The compiler complains "no matching function to call" when I use ASSERT_PRED*. How do I fix it?
+
+If the predicate function you use in `ASSERT_PRED*` or `EXPECT_PRED*` is
+overloaded or a template, the compiler will have trouble figuring out which
+overloaded version it should use. `ASSERT_PRED_FORMAT*` and
+`EXPECT_PRED_FORMAT*` don't have this problem.
+
+If you see this error, you might want to switch to
+`(ASSERT|EXPECT)_PRED_FORMAT*`, which will also give you a better failure
+message. If, however, that is not an option, you can resolve the problem by
+explicitly telling the compiler which version to pick.
+
+For example, suppose you have
+
+```c++
+bool IsPositive(int n) {
+  return n > 0;
+}
+
+bool IsPositive(double x) {
+  return x > 0;
+}
+```
+
+you will get a compiler error if you write
+
+```c++
+EXPECT_PRED1(IsPositive, 5);
+```
+
+However, this will work:
+
+```c++
+EXPECT_PRED1(static_cast<bool (*)(int)>(IsPositive), 5);
+```
+
+(The stuff inside the angled brackets for the `static_cast` operator is the type
+of the function pointer for the `int`-version of `IsPositive()`.)
+
+As another example, when you have a template function
+
+```c++
+template <typename T>
+bool IsNegative(T x) {
+  return x < 0;
+}
+```
+
+you can use it in a predicate assertion like this:
+
+```c++
+ASSERT_PRED1(IsNegative<int>, -5);
+```
+
+Things are more interesting if your template has more than one parameters. The
+following won't compile:
+
+```c++
+ASSERT_PRED2(GreaterThan<int, int>, 5, 0);
+```
+
+as the C++ pre-processor thinks you are giving `ASSERT_PRED2` 4 arguments, which
+is one more than expected. The workaround is to wrap the predicate function in
+parentheses:
+
+```c++
+ASSERT_PRED2((GreaterThan<int, int>), 5, 0);
+```
+
+
+## My compiler complains about "ignoring return value" when I call RUN_ALL_TESTS(). Why?
+
+Some people had been ignoring the return value of `RUN_ALL_TESTS()`. That is,
+instead of
+
+```c++
+  return RUN_ALL_TESTS();
+```
+
+they write
+
+```c++
+  RUN_ALL_TESTS();
+```
+
+This is **wrong and dangerous**. The testing services needs to see the return
+value of `RUN_ALL_TESTS()` in order to determine if a test has passed. If your
+`main()` function ignores it, your test will be considered successful even if it
+has a googletest assertion failure. Very bad.
+
+We have decided to fix this (thanks to Michael Chastain for the idea). Now, your
+code will no longer be able to ignore `RUN_ALL_TESTS()` when compiled with
+`gcc`. If you do so, you'll get a compiler error.
+
+If you see the compiler complaining about you ignoring the return value of
+`RUN_ALL_TESTS()`, the fix is simple: just make sure its value is used as the
+return value of `main()`.
+
+But how could we introduce a change that breaks existing tests? Well, in this
+case, the code was already broken in the first place, so we didn't break it. :-)
+
+## My compiler complains that a constructor (or destructor) cannot return a value. What's going on?
+
+Due to a peculiarity of C++, in order to support the syntax for streaming
+messages to an `ASSERT_*`, e.g.
+
+```c++
+  ASSERT_EQ(1, Foo()) << "blah blah" << foo;
+```
+
+we had to give up using `ASSERT*` and `FAIL*` (but not `EXPECT*` and
+`ADD_FAILURE*`) in constructors and destructors. The workaround is to move the
+content of your constructor/destructor to a private void member function, or
+switch to `EXPECT_*()` if that works. This
+[section](advanced.md#assertion-placement) in the user's guide explains it.
+
+## My SetUp() function is not called. Why?
+
+C++ is case-sensitive. Did you spell it as `Setup()`?
+
+Similarly, sometimes people spell `SetUpTestCase()` as `SetupTestCase()` and
+wonder why it's never called.
+
+## How do I jump to the line of a failure in Emacs directly?
+
+googletest's failure message format is understood by Emacs and many other IDEs,
+like acme and XCode. If a googletest message is in a compilation buffer in
+Emacs, then it's clickable.
+
+
+## I have several test cases which share the same test fixture logic, do I have to define a new test fixture class for each of them? This seems pretty tedious.
+
+You don't have to. Instead of
+
+```c++
+class FooTest : public BaseTest {};
+
+TEST_F(FooTest, Abc) { ... }
+TEST_F(FooTest, Def) { ... }
+
+class BarTest : public BaseTest {};
+
+TEST_F(BarTest, Abc) { ... }
+TEST_F(BarTest, Def) { ... }
+```
+
+you can simply `typedef` the test fixtures:
+
+```c++
+typedef BaseTest FooTest;
+
+TEST_F(FooTest, Abc) { ... }
+TEST_F(FooTest, Def) { ... }
+
+typedef BaseTest BarTest;
+
+TEST_F(BarTest, Abc) { ... }
+TEST_F(BarTest, Def) { ... }
+```
+
+## googletest output is buried in a whole bunch of LOG messages. What do I do?
+
+The googletest output is meant to be a concise and human-friendly report. If
+your test generates textual output itself, it will mix with the googletest
+output, making it hard to read. However, there is an easy solution to this
+problem.
+
+Since `LOG` messages go to stderr, we decided to let googletest output go to
+stdout. This way, you can easily separate the two using redirection. For
+example:
+
+```shell
+$ ./my_test > gtest_output.txt
+```
+
+
+## Why should I prefer test fixtures over global variables?
+
+There are several good reasons:
+
+1.  It's likely your test needs to change the states of its global variables.
+    This makes it difficult to keep side effects from escaping one test and
+    contaminating others, making debugging difficult. By using fixtures, each
+    test has a fresh set of variables that's different (but with the same
+    names). Thus, tests are kept independent of each other.
+1.  Global variables pollute the global namespace.
+1.  Test fixtures can be reused via subclassing, which cannot be done easily
+    with global variables. This is useful if many test cases have something in
+    common.
+
+
+    ## What can the statement argument in ASSERT_DEATH() be?
+
+`ASSERT_DEATH(*statement*, *regex*)` (or any death assertion macro) can be used
+wherever `*statement*` is valid. So basically `*statement*` can be any C++
+statement that makes sense in the current context. In particular, it can
+reference global and/or local variables, and can be:
+
+*   a simple function call (often the case),
+*   a complex expression, or
+*   a compound statement.
+
+Some examples are shown here:
+
+```c++
+// A death test can be a simple function call.
+TEST(MyDeathTest, FunctionCall) {
+  ASSERT_DEATH(Xyz(5), "Xyz failed");
+}
+
+// Or a complex expression that references variables and functions.
+TEST(MyDeathTest, ComplexExpression) {
+  const bool c = Condition();
+  ASSERT_DEATH((c ? Func1(0) : object2.Method("test")),
+               "(Func1|Method) failed");
+}
+
+// Death assertions can be used any where in a function.  In
+// particular, they can be inside a loop.
+TEST(MyDeathTest, InsideLoop) {
+  // Verifies that Foo(0), Foo(1), ..., and Foo(4) all die.
+  for (int i = 0; i < 5; i++) {
+    EXPECT_DEATH_M(Foo(i), "Foo has \\d+ errors",
+                   ::testing::Message() << "where i is " << i);
+  }
+}
+
+// A death assertion can contain a compound statement.
+TEST(MyDeathTest, CompoundStatement) {
+  // Verifies that at lease one of Bar(0), Bar(1), ..., and
+  // Bar(4) dies.
+  ASSERT_DEATH({
+    for (int i = 0; i < 5; i++) {
+      Bar(i);
+    }
+  },
+  "Bar has \\d+ errors");
+}
+```
+
+gtest-death-test_test.cc contains more examples if you are interested.
+
+## I have a fixture class `FooTest`, but `TEST_F(FooTest, Bar)` gives me error ``"no matching function for call to `FooTest::FooTest()'"``. Why?
+
+Googletest needs to be able to create objects of your test fixture class, so it
+must have a default constructor. Normally the compiler will define one for you.
+However, there are cases where you have to define your own:
+
+*   If you explicitly declare a non-default constructor for class `FooTest`
+    (`DISALLOW_EVIL_CONSTRUCTORS()` does this), then you need to define a
+    default constructor, even if it would be empty.
+*   If `FooTest` has a const non-static data member, then you have to define the
+    default constructor *and* initialize the const member in the initializer
+    list of the constructor. (Early versions of `gcc` doesn't force you to
+    initialize the const member. It's a bug that has been fixed in `gcc 4`.)
+
+## Why does ASSERT_DEATH complain about previous threads that were already joined?
+
+With the Linux pthread library, there is no turning back once you cross the line
+from single thread to multiple threads. The first time you create a thread, a
+manager thread is created in addition, so you get 3, not 2, threads. Later when
+the thread you create joins the main thread, the thread count decrements by 1,
+but the manager thread will never be killed, so you still have 2 threads, which
+means you cannot safely run a death test.
+
+The new NPTL thread library doesn't suffer from this problem, as it doesn't
+create a manager thread. However, if you don't control which machine your test
+runs on, you shouldn't depend on this.
+
+## Why does googletest require the entire test case, instead of individual tests, to be named *DeathTest when it uses ASSERT_DEATH?
+
+googletest does not interleave tests from different test cases. That is, it runs
+all tests in one test case first, and then runs all tests in the next test case,
+and so on. googletest does this because it needs to set up a test case before
+the first test in it is run, and tear it down afterwords. Splitting up the test
+case would require multiple set-up and tear-down processes, which is inefficient
+and makes the semantics unclean.
+
+If we were to determine the order of tests based on test name instead of test
+case name, then we would have a problem with the following situation:
+
+```c++
+TEST_F(FooTest, AbcDeathTest) { ... }
+TEST_F(FooTest, Uvw) { ... }
+
+TEST_F(BarTest, DefDeathTest) { ... }
+TEST_F(BarTest, Xyz) { ... }
+```
+
+Since `FooTest.AbcDeathTest` needs to run before `BarTest.Xyz`, and we don't
+interleave tests from different test cases, we need to run all tests in the
+`FooTest` case before running any test in the `BarTest` case. This contradicts
+with the requirement to run `BarTest.DefDeathTest` before `FooTest.Uvw`.
+
+## But I don't like calling my entire test case \*DeathTest when it contains both death tests and non-death tests. What do I do?
+
+You don't have to, but if you like, you may split up the test case into
+`FooTest` and `FooDeathTest`, where the names make it clear that they are
+related:
+
+```c++
+class FooTest : public ::testing::Test { ... };
+
+TEST_F(FooTest, Abc) { ... }
+TEST_F(FooTest, Def) { ... }
+
+using FooDeathTest = FooTest;
+
+TEST_F(FooDeathTest, Uvw) { ... EXPECT_DEATH(...) ... }
+TEST_F(FooDeathTest, Xyz) { ... ASSERT_DEATH(...) ... }
+```
+
+## googletest prints the LOG messages in a death test's child process only when the test fails. How can I see the LOG messages when the death test succeeds?
+
+Printing the LOG messages generated by the statement inside `EXPECT_DEATH()`
+makes it harder to search for real problems in the parent's log. Therefore,
+googletest only prints them when the death test has failed.
+
+If you really need to see such LOG messages, a workaround is to temporarily
+break the death test (e.g. by changing the regex pattern it is expected to
+match). Admittedly, this is a hack. We'll consider a more permanent solution
+after the fork-and-exec-style death tests are implemented.
+
+## The compiler complains about "no match for 'operator<<'" when I use an assertion. What gives?
+
+If you use a user-defined type `FooType` in an assertion, you must make sure
+there is an `std::ostream& operator<<(std::ostream&, const FooType&)` function
+defined such that we can print a value of `FooType`.
+
+In addition, if `FooType` is declared in a name space, the `<<` operator also
+needs to be defined in the *same* name space. See go/totw/49 for details.
+
+## How do I suppress the memory leak messages on Windows?
+
+Since the statically initialized googletest singleton requires allocations on
+the heap, the Visual C++ memory leak detector will report memory leaks at the
+end of the program run. The easiest way to avoid this is to use the
+`_CrtMemCheckpoint` and `_CrtMemDumpAllObjectsSince` calls to not report any
+statically initialized heap objects. See MSDN for more details and additional
+heap check/debug routines.
+
+
+## How can my code detect if it is running in a test?
+
+If you write code that sniffs whether it's running in a test and does different
+things accordingly, you are leaking test-only logic into production code and
+there is no easy way to ensure that the test-only code paths aren't run by
+mistake in production. Such cleverness also leads to
+[Heisenbugs](https://en.wikipedia.org/wiki/Heisenbug). Therefore we strongly
+advise against the practice, and googletest doesn't provide a way to do it.
+
+In general, the recommended way to cause the code to behave differently under
+test is [Dependency Injection](https://en.wikipedia.org/wiki/Dependency_injection). You can inject
+different functionality from the test and from the production code. Since your
+production code doesn't link in the for-test logic at all (the
+[`testonly`](https://docs.bazel.build/versions/master/be/common-definitions.html#common.testonly)
+attribute for BUILD targets helps to ensure that), there is no danger in
+accidentally running it.
+
+However, if you *really*, *really*, *really* have no choice, and if you follow
+the rule of ending your test program names with `_test`, you can use the
+*horrible* hack of sniffing your executable name (`argv[0]` in `main()`) to know
+whether the code is under test.
+
+
+## How do I temporarily disable a test?
+
+If you have a broken test that you cannot fix right away, you can add the
+DISABLED_ prefix to its name. This will exclude it from execution. This is
+better than commenting out the code or using #if 0, as disabled tests are still
+compiled (and thus won't rot).
+
+To include disabled tests in test execution, just invoke the test program with
+the --gtest_also_run_disabled_tests flag.
+
+## Is it OK if I have two separate `TEST(Foo, Bar)` test methods defined in different namespaces?
+
+Yes.
+
+The rule is **all test methods in the same test case must use the same fixture
+class.** This means that the following is **allowed** because both tests use the
+same fixture class (`::testing::Test`).
+
+```c++
+namespace foo {
+TEST(CoolTest, DoSomething) {
+  SUCCEED();
+}
+}  // namespace foo
+
+namespace bar {
+TEST(CoolTest, DoSomething) {
+  SUCCEED();
+}
+}  // namespace bar
+```
+
+However, the following code is **not allowed** and will produce a runtime error
+from googletest because the test methods are using different test fixture
+classes with the same test case name.
+
+```c++
+namespace foo {
+class CoolTest : public ::testing::Test {};  // Fixture foo::CoolTest
+TEST_F(CoolTest, DoSomething) {
+  SUCCEED();
+}
+}  // namespace foo
+
+namespace bar {
+class CoolTest : public ::testing::Test {};  // Fixture: bar::CoolTest
+TEST_F(CoolTest, DoSomething) {
+  SUCCEED();
+}
+}  // namespace bar
+```
diff --git a/security/nss/gtests/google_test/gtest/docs/primer.md b/security/nss/gtests/google_test/gtest/docs/primer.md
new file mode 100644
index 000000000..7a8ea8d71
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/docs/primer.md
@@ -0,0 +1,569 @@
+# Googletest Primer
+
+
+## Introduction: Why googletest?
+
+*googletest* helps you write better C++ tests.
+
+googletest is a testing framework developed by the Testing
+Technology team with Google's specific
+requirements and constraints in mind. No matter whether you work on Linux,
+Windows, or a Mac, if you write C++ code, googletest can help you. And it
+supports *any* kind of tests, not just unit tests.
+
+So what makes a good test, and how does googletest fit in? We believe:
+
+1.  Tests should be *independent* and *repeatable*. It's a pain to debug a test
+    that succeeds or fails as a result of other tests. googletest isolates the
+    tests by running each of them on a different object. When a test fails,
+    googletest allows you to run it in isolation for quick debugging.
+1.  Tests should be well *organized* and reflect the structure of the tested
+    code. googletest groups related tests into test cases that can share data
+    and subroutines. This common pattern is easy to recognize and makes tests
+    easy to maintain. Such consistency is especially helpful when people switch
+    projects and start to work on a new code base.
+1.  Tests should be *portable* and *reusable*. Google has a lot of code that is
+    platform-neutral, its tests should also be platform-neutral. googletest
+    works on different OSes, with different compilers (gcc, icc, and MSVC), with
+    or without exceptions, so googletest tests can easily work with a variety of
+    configurations.
+1.  When tests fail, they should provide as much *information* about the problem
+    as possible. googletest doesn't stop at the first test failure. Instead, it
+    only stops the current test and continues with the next. You can also set up
+    tests that report non-fatal failures after which the current test continues.
+    Thus, you can detect and fix multiple bugs in a single run-edit-compile
+    cycle.
+1.  The testing framework should liberate test writers from housekeeping chores
+    and let them focus on the test *content*. googletest automatically keeps
+    track of all tests defined, and doesn't require the user to enumerate them
+    in order to run them.
+1.  Tests should be *fast*. With googletest, you can reuse shared resources
+    across tests and pay for the set-up/tear-down only once, without making
+    tests depend on each other.
+
+Since googletest is based on the popular xUnit architecture, you'll feel right
+at home if you've used JUnit or PyUnit before. If not, it will take you about 10
+minutes to learn the basics and get started. So let's go!
+
+## Beware of the nomenclature
+
+_Note:_ There might be some confusion of idea due to different
+definitions of the terms _Test_, _Test Case_ and _Test Suite_, so beware
+of misunderstanding these.
+
+Historically, googletest started to use the term _Test Case_ for grouping
+related tests, whereas current publications including the International Software
+Testing Qualifications Board ([ISTQB](http://www.istqb.org/)) and various
+textbooks on Software Quality use the term _[Test
+Suite](http://glossary.istqb.org/search/test%20suite)_ for this.
+
+The related term _Test_, as it is used in the googletest, is corresponding to
+the term _[Test Case](http://glossary.istqb.org/search/test%20case)_ of ISTQB
+and others.
+
+The term _Test_ is commonly of broad enough sense, including ISTQB's
+definition of _Test Case_, so it's not much of a problem here. But the
+term _Test Case_ as used in Google Test is of contradictory sense and thus confusing.
+
+Unfortunately replacing the term _Test Case_ by _Test Suite_ throughout the
+googletest is not easy without breaking dependent projects, as `TestCase` is
+part of the public API at various places.
+
+So for the time being, please be aware of the different definitions of
+the terms:
+
+Meaning                                                                              | googletest Term                                                                                            | [ISTQB](http://www.istqb.org/) Term
+:----------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------- | :----------------------------------
+Exercise a particular program path with specific input values and verify the results | [TEST()](#simple-tests)                                                                                    | [Test Case](http://glossary.istqb.org/search/test%20case)
+A set of several tests related to one component                                      | [TestCase](#basic-concepts) | [TestSuite](http://glossary.istqb.org/search/test%20suite)
+
+## Basic Concepts
+
+When using googletest, you start by writing *assertions*, which are statements
+that check whether a condition is true. An assertion's result can be *success*,
+*nonfatal failure*, or *fatal failure*. If a fatal failure occurs, it aborts the
+current function; otherwise the program continues normally.
+
+*Tests* use assertions to verify the tested code's behavior. If a test crashes
+or has a failed assertion, then it *fails*; otherwise it *succeeds*.
+
+A *test case* contains one or many tests. You should group your tests into test
+cases that reflect the structure of the tested code. When multiple tests in a
+test case need to share common objects and subroutines, you can put them into a
+*test fixture* class.
+
+A *test program* can contain multiple test cases.
+
+We'll now explain how to write a test program, starting at the individual
+assertion level and building up to tests and test cases.
+
+## Assertions
+
+googletest assertions are macros that resemble function calls. You test a class
+or function by making assertions about its behavior. When an assertion fails,
+googletest prints the assertion's source file and line number location, along
+with a failure message. You may also supply a custom failure message which will
+be appended to googletest's message.
+
+The assertions come in pairs that test the same thing but have different effects
+on the current function. `ASSERT_*` versions generate fatal failures when they
+fail, and **abort the current function**. `EXPECT_*` versions generate nonfatal
+failures, which don't abort the current function. Usually `EXPECT_*` are
+preferred, as they allow more than one failure to be reported in a test.
+However, you should use `ASSERT_*` if it doesn't make sense to continue when the
+assertion in question fails.
+
+Since a failed `ASSERT_*` returns from the current function immediately,
+possibly skipping clean-up code that comes after it, it may cause a space leak.
+Depending on the nature of the leak, it may or may not be worth fixing - so keep
+this in mind if you get a heap checker error in addition to assertion errors.
+
+To provide a custom failure message, simply stream it into the macro using the
+`<<` operator, or a sequence of such operators. An example:
+
+```c++
+ASSERT_EQ(x.size(), y.size()) << "Vectors x and y are of unequal length";
+
+for (int i = 0; i < x.size(); ++i) {
+  EXPECT_EQ(x[i], y[i]) << "Vectors x and y differ at index " << i;
+}
+```
+
+Anything that can be streamed to an `ostream` can be streamed to an assertion
+macro--in particular, C strings and `string` objects. If a wide string
+(`wchar_t*`, `TCHAR*` in `UNICODE` mode on Windows, or `std::wstring`) is
+streamed to an assertion, it will be translated to UTF-8 when printed.
+
+### Basic Assertions
+
+These assertions do basic true/false condition testing.
+
+Fatal assertion            | Nonfatal assertion         | Verifies
+-------------------------- | -------------------------- | --------------------
+`ASSERT_TRUE(condition);`  | `EXPECT_TRUE(condition);`  | `condition` is true
+`ASSERT_FALSE(condition);` | `EXPECT_FALSE(condition);` | `condition` is false
+
+Remember, when they fail, `ASSERT_*` yields a fatal failure and returns from the
+current function, while `EXPECT_*` yields a nonfatal failure, allowing the
+function to continue running. In either case, an assertion failure means its
+containing test fails.
+
+**Availability**: Linux, Windows, Mac.
+
+### Binary Comparison
+
+This section describes assertions that compare two values.
+
+Fatal assertion          | Nonfatal assertion       | Verifies
+------------------------ | ------------------------ | --------------
+`ASSERT_EQ(val1, val2);` | `EXPECT_EQ(val1, val2);` | `val1 == val2`
+`ASSERT_NE(val1, val2);` | `EXPECT_NE(val1, val2);` | `val1 != val2`
+`ASSERT_LT(val1, val2);` | `EXPECT_LT(val1, val2);` | `val1 < val2`
+`ASSERT_LE(val1, val2);` | `EXPECT_LE(val1, val2);` | `val1 <= val2`
+`ASSERT_GT(val1, val2);` | `EXPECT_GT(val1, val2);` | `val1 > val2`
+`ASSERT_GE(val1, val2);` | `EXPECT_GE(val1, val2);` | `val1 >= val2`
+
+Value arguments must be comparable by the assertion's comparison operator or
+you'll get a compiler error. We used to require the arguments to support the
+`<<` operator for streaming to an `ostream`, but it's no longer necessary. If
+`<<` is supported, it will be called to print the arguments when the assertion
+fails; otherwise googletest will attempt to print them in the best way it can.
+For more details and how to customize the printing of the arguments, see
+gMock [recipe](../../googlemock/docs/CookBook.md#teaching-google-mock-how-to-print-your-values).).
+
+These assertions can work with a user-defined type, but only if you define the
+corresponding comparison operator (e.g. `==`, `<`, etc). Since this is
+discouraged by the Google [C++ Style
+Guide](https://google.github.io/styleguide/cppguide.html#Operator_Overloading),
+you may need to use `ASSERT_TRUE()` or `EXPECT_TRUE()` to assert the equality of
+two objects of a user-defined type.
+
+However, when possible, `ASSERT_EQ(actual, expected)` is preferred to
+`ASSERT_TRUE(actual == expected)`, since it tells you `actual` and `expected`'s
+values on failure.
+
+Arguments are always evaluated exactly once. Therefore, it's OK for the
+arguments to have side effects. However, as with any ordinary C/C++ function,
+the arguments' evaluation order is undefined (i.e. the compiler is free to
+choose any order) and your code should not depend on any particular argument
+evaluation order.
+
+`ASSERT_EQ()` does pointer equality on pointers. If used on two C strings, it
+tests if they are in the same memory location, not if they have the same value.
+Therefore, if you want to compare C strings (e.g. `const char*`) by value, use
+`ASSERT_STREQ()`, which will be described later on. In particular, to assert
+that a C string is `NULL`, use `ASSERT_STREQ(c_string, NULL)`. Consider use
+`ASSERT_EQ(c_string, nullptr)` if c++11 is supported. To compare two `string`
+objects, you should use `ASSERT_EQ`.
+
+When doing pointer comparisons use `*_EQ(ptr, nullptr)` and `*_NE(ptr, nullptr)`
+instead of `*_EQ(ptr, NULL)` and `*_NE(ptr, NULL)`. This is because `nullptr` is
+typed while `NULL` is not. See [FAQ](faq.md#why-does-google-test-support-expect_eqnull-ptr-and-assert_eqnull-ptr-but-not-expect_nenull-ptr-and-assert_nenull-ptr)
+for more details.
+
+If you're working with floating point numbers, you may want to use the floating
+point variations of some of these macros in order to avoid problems caused by
+rounding. See [Advanced googletest Topics](advanced.md) for details.
+
+Macros in this section work with both narrow and wide string objects (`string`
+and `wstring`).
+
+**Availability**: Linux, Windows, Mac.
+
+**Historical note**: Before February 2016 `*_EQ` had a convention of calling it
+as `ASSERT_EQ(expected, actual)`, so lots of existing code uses this order. Now
+`*_EQ` treats both parameters in the same way.
+
+### String Comparison
+
+The assertions in this group compare two **C strings**. If you want to compare
+two `string` objects, use `EXPECT_EQ`, `EXPECT_NE`, and etc instead.
+
+| Fatal assertion                 | Nonfatal assertion              | Verifies                                                 |
+| ------------------------------- | ------------------------------- | -------------------------------------------------------- |
+| `ASSERT_STREQ(str1, str2);`     | `EXPECT_STREQ(str1, str2);`     | the two C strings have the same content                  |
+| `ASSERT_STRNE(str1, str2);`     | `EXPECT_STRNE(str1, str2);`     | the two C strings have different contents                |
+| `ASSERT_STRCASEEQ(str1, str2);` | `EXPECT_STRCASEEQ(str1, str2);` | the two C strings have the same content, ignoring case   |
+| `ASSERT_STRCASENE(str1, str2);` | `EXPECT_STRCASENE(str1, str2);` | the two C strings have different contents, ignoring case |
+
+Note that "CASE" in an assertion name means that case is ignored. A `NULL`
+pointer and an empty string are considered *different*.
+
+`*STREQ*` and `*STRNE*` also accept wide C strings (`wchar_t*`). If a comparison
+of two wide strings fails, their values will be printed as UTF-8 narrow strings.
+
+**Availability**: Linux, Windows, Mac.
+
+**See also**: For more string comparison tricks (substring, prefix, suffix, and
+regular expression matching, for example), see
+[this](https://github.com/google/googletest/blob/master/googletest/docs/advanced.md)
+in the Advanced googletest Guide.
+
+## Simple Tests
+
+To create a test:
+
+1.  Use the `TEST()` macro to define and name a test function, These are
+    ordinary C++ functions that don't return a value.
+1.  In this function, along with any valid C++ statements you want to include,
+    use the various googletest assertions to check values.
+1.  The test's result is determined by the assertions; if any assertion in the
+    test fails (either fatally or non-fatally), or if the test crashes, the
+    entire test fails. Otherwise, it succeeds.
+
+```c++
+TEST(TestCaseName, TestName) {
+  ... test body ...
+}
+```
+
+`TEST()` arguments go from general to specific. The *first* argument is the name
+of the test case, and the *second* argument is the test's name within the test
+case. Both names must be valid C++ identifiers, and they should not contain
+underscore (`_`). A test's *full name* consists of its containing test case and
+its individual name. Tests from different test cases can have the same
+individual name.
+
+For example, let's take a simple integer function:
+
+```c++
+int Factorial(int n);  // Returns the factorial of n
+```
+
+A test case for this function might look like:
+
+```c++
+// Tests factorial of 0.
+TEST(FactorialTest, HandlesZeroInput) {
+  EXPECT_EQ(Factorial(0), 1);
+}
+
+// Tests factorial of positive numbers.
+TEST(FactorialTest, HandlesPositiveInput) {
+  EXPECT_EQ(Factorial(1), 1);
+  EXPECT_EQ(Factorial(2), 2);
+  EXPECT_EQ(Factorial(3), 6);
+  EXPECT_EQ(Factorial(8), 40320);
+}
+```
+
+googletest groups the test results by test cases, so logically-related tests
+should be in the same test case; in other words, the first argument to their
+`TEST()` should be the same. In the above example, we have two tests,
+`HandlesZeroInput` and `HandlesPositiveInput`, that belong to the same test case
+`FactorialTest`.
+
+When naming your test cases and tests, you should follow the same convention as
+for [naming functions and
+classes](https://google.github.io/styleguide/cppguide.html#Function_Names).
+
+**Availability**: Linux, Windows, Mac.
+
+## Test Fixtures: Using the Same Data Configuration for Multiple Tests
+
+If you find yourself writing two or more tests that operate on similar data, you
+can use a *test fixture*. It allows you to reuse the same configuration of
+objects for several different tests.
+
+To create a fixture:
+
+1.  Derive a class from `::testing::Test` . Start its body with `protected:` as
+    we'll want to access fixture members from sub-classes.
+1.  Inside the class, declare any objects you plan to use.
+1.  If necessary, write a default constructor or `SetUp()` function to prepare
+    the objects for each test. A common mistake is to spell `SetUp()` as
+    **`Setup()`** with a small `u` - Use `override` in C++11 to make sure you
+    spelled it correctly
+1.  If necessary, write a destructor or `TearDown()` function to release any
+    resources you allocated in `SetUp()` . To learn when you should use the
+    constructor/destructor and when you should use `SetUp()/TearDown()`, read
+    this [FAQ](faq.md#should-i-use-the-constructordestructor-of-the-test-fixture-or-setupteardown) entry.
+1.  If needed, define subroutines for your tests to share.
+
+When using a fixture, use `TEST_F()` instead of `TEST()` as it allows you to
+access objects and subroutines in the test fixture:
+
+```c++
+TEST_F(TestCaseName, TestName) {
+  ... test body ...
+}
+```
+
+Like `TEST()`, the first argument is the test case name, but for `TEST_F()` this
+must be the name of the test fixture class. You've probably guessed: `_F` is for
+fixture.
+
+Unfortunately, the C++ macro system does not allow us to create a single macro
+that can handle both types of tests. Using the wrong macro causes a compiler
+error.
+
+Also, you must first define a test fixture class before using it in a
+`TEST_F()`, or you'll get the compiler error "`virtual outside class
+declaration`".
+
+For each test defined with `TEST_F()` , googletest will create a *fresh* test
+fixture at runtime, immediately initialize it via `SetUp()` , run the test,
+clean up by calling `TearDown()` , and then delete the test fixture. Note that
+different tests in the same test case have different test fixture objects, and
+googletest always deletes a test fixture before it creates the next one.
+googletest does **not** reuse the same test fixture for multiple tests. Any
+changes one test makes to the fixture do not affect other tests.
+
+As an example, let's write tests for a FIFO queue class named `Queue`, which has
+the following interface:
+
+```c++
+template <typename E>  // E is the element type.
+class Queue {
+ public:
+  Queue();
+  void Enqueue(const E& element);
+  E* Dequeue();  // Returns NULL if the queue is empty.
+  size_t size() const;
+  ...
+};
+```
+
+First, define a fixture class. By convention, you should give it the name
+`FooTest` where `Foo` is the class being tested.
+
+```c++
+class QueueTest : public ::testing::Test {
+ protected:
+  void SetUp() override {
+     q1_.Enqueue(1);
+     q2_.Enqueue(2);
+     q2_.Enqueue(3);
+  }
+
+  // void TearDown() override {}
+
+  Queue<int> q0_;
+  Queue<int> q1_;
+  Queue<int> q2_;
+};
+```
+
+In this case, `TearDown()` is not needed since we don't have to clean up after
+each test, other than what's already done by the destructor.
+
+Now we'll write tests using `TEST_F()` and this fixture.
+
+```c++
+TEST_F(QueueTest, IsEmptyInitially) {
+  EXPECT_EQ(q0_.size(), 0);
+}
+
+TEST_F(QueueTest, DequeueWorks) {
+  int* n = q0_.Dequeue();
+  EXPECT_EQ(n, nullptr);
+
+  n = q1_.Dequeue();
+  ASSERT_NE(n, nullptr);
+  EXPECT_EQ(*n, 1);
+  EXPECT_EQ(q1_.size(), 0);
+  delete n;
+
+  n = q2_.Dequeue();
+  ASSERT_NE(n, nullptr);
+  EXPECT_EQ(*n, 2);
+  EXPECT_EQ(q2_.size(), 1);
+  delete n;
+}
+```
+
+The above uses both `ASSERT_*` and `EXPECT_*` assertions. The rule of thumb is
+to use `EXPECT_*` when you want the test to continue to reveal more errors after
+the assertion failure, and use `ASSERT_*` when continuing after failure doesn't
+make sense. For example, the second assertion in the `Dequeue` test is
+=ASSERT_NE(nullptr, n)=, as we need to dereference the pointer `n` later, which
+would lead to a segfault when `n` is `NULL`.
+
+When these tests run, the following happens:
+
+1.  googletest constructs a `QueueTest` object (let's call it `t1` ).
+1.  `t1.SetUp()` initializes `t1` .
+1.  The first test ( `IsEmptyInitially` ) runs on `t1` .
+1.  `t1.TearDown()` cleans up after the test finishes.
+1.  `t1` is destructed.
+1.  The above steps are repeated on another `QueueTest` object, this time
+    running the `DequeueWorks` test.
+
+**Availability**: Linux, Windows, Mac.
+
+
+## Invoking the Tests
+
+`TEST()` and `TEST_F()` implicitly register their tests with googletest. So,
+unlike with many other C++ testing frameworks, you don't have to re-list all
+your defined tests in order to run them.
+
+After defining your tests, you can run them with `RUN_ALL_TESTS()` , which
+returns `0` if all the tests are successful, or `1` otherwise. Note that
+`RUN_ALL_TESTS()` runs *all tests* in your link unit -- they can be from
+different test cases, or even different source files.
+
+When invoked, the `RUN_ALL_TESTS()` macro:
+
+1. Saves the state of all googletest flags
+
+*   Creates a test fixture object for the first test.
+
+*   Initializes it via `SetUp()`.
+
+*   Runs the test on the fixture object.
+
+*   Cleans up the fixture via `TearDown()`.
+
+*   Deletes the fixture.
+
+* Restores the state of all googletest flags
+
+*   Repeats the above steps for the next test, until all tests have run.
+
+If a fatal failure happens the subsequent steps will be skipped.
+
+> IMPORTANT: You must **not** ignore the return value of `RUN_ALL_TESTS()`, or
+> you will get a compiler error. The rationale for this design is that the
+> automated testing service determines whether a test has passed based on its
+> exit code, not on its stdout/stderr output; thus your `main()` function must
+> return the value of `RUN_ALL_TESTS()`.
+>
+> Also, you should call `RUN_ALL_TESTS()` only **once**. Calling it more than
+> once conflicts with some advanced googletest features (e.g. thread-safe [death
+> tests](advanced#death-tests)) and thus is not supported.
+
+**Availability**: Linux, Windows, Mac.
+
+## Writing the main() Function
+
+In `google3`, the simplest approach is to use the default main() function
+provided by linking in `"//testing/base/public:gtest_main"`. If that doesn't
+cover what you need, you should write your own main() function, which should
+return the value of `RUN_ALL_TESTS()`. Link to `"//testing/base/public:gunit"`.
+You can start from this boilerplate:
+
+```c++
+#include "this/package/foo.h"
+#include "gtest/gtest.h"
+
+namespace {
+
+// The fixture for testing class Foo.
+class FooTest : public ::testing::Test {
+ protected:
+  // You can remove any or all of the following functions if its body
+  // is empty.
+
+  FooTest() {
+     // You can do set-up work for each test here.
+  }
+
+  ~FooTest() override {
+     // You can do clean-up work that doesn't throw exceptions here.
+  }
+
+  // If the constructor and destructor are not enough for setting up
+  // and cleaning up each test, you can define the following methods:
+
+  void SetUp() override {
+     // Code here will be called immediately after the constructor (right
+     // before each test).
+  }
+
+  void TearDown() override {
+     // Code here will be called immediately after each test (right
+     // before the destructor).
+  }
+
+  // Objects declared here can be used by all tests in the test case for Foo.
+};
+
+// Tests that the Foo::Bar() method does Abc.
+TEST_F(FooTest, MethodBarDoesAbc) {
+  const std::string input_filepath = "this/package/testdata/myinputfile.dat";
+  const std::string output_filepath = "this/package/testdata/myoutputfile.dat";
+  Foo f;
+  EXPECT_EQ(f.Bar(input_filepath, output_filepath), 0);
+}
+
+// Tests that Foo does Xyz.
+TEST_F(FooTest, DoesXyz) {
+  // Exercises the Xyz feature of Foo.
+}
+
+}  // namespace
+
+int main(int argc, char **argv) {
+  ::testing::InitGoogleTest(&argc, argv);
+  return RUN_ALL_TESTS();
+}
+```
+
+
+The `::testing::InitGoogleTest()` function parses the command line for
+googletest flags, and removes all recognized flags. This allows the user to
+control a test program's behavior via various flags, which we'll cover in
+[AdvancedGuide](advanced.md). You **must** call this function before calling
+`RUN_ALL_TESTS()`, or the flags won't be properly initialized.
+
+On Windows, `InitGoogleTest()` also works with wide strings, so it can be used
+in programs compiled in `UNICODE` mode as well.
+
+But maybe you think that writing all those main() functions is too much work? We
+agree with you completely and that's why Google Test provides a basic
+implementation of main(). If it fits your needs, then just link your test with
+gtest\_main library and you are good to go.
+
+NOTE: `ParseGUnitFlags()` is deprecated in favor of `InitGoogleTest()`.
+
+
+## Known Limitations
+
+*   Google Test is designed to be thread-safe. The implementation is thread-safe
+    on systems where the `pthreads` library is available. It is currently
+    _unsafe_ to use Google Test assertions from two threads concurrently on
+    other systems (e.g. Windows). In most tests this is not an issue as usually
+    the assertions are done in the main thread. If you want to help, you can
+    volunteer to implement the necessary synchronization primitives in
+    `gtest-port.h` for your platform.
diff --git a/security/nss/gtests/google_test/gtest/docs/samples.md b/security/nss/gtests/google_test/gtest/docs/samples.md
new file mode 100644
index 000000000..18dcca381
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/docs/samples.md
@@ -0,0 +1,22 @@
+# Googletest Samples {#samples}
+
+If you're like us, you'd like to look at [googletest
+samples.](https://github.com/google/googletest/tree/master/googletest/samples)
+The sample directory has a number of well-commented samples showing how to use a
+variety of googletest features.
+
+*   Sample #1 shows the basic steps of using googletest to test C++ functions.
+*   Sample #2 shows a more complex unit test for a class with multiple member
+    functions.
+*   Sample #3 uses a test fixture.
+*   Sample #4 teaches you how to use googletest and `googletest.h` together to
+    get the best of both libraries.
+*   Sample #5 puts shared testing logic in a base test fixture, and reuses it in
+    derived fixtures.
+*   Sample #6 demonstrates type-parameterized tests.
+*   Sample #7 teaches the basics of value-parameterized tests.
+*   Sample #8 shows using `Combine()` in value-parameterized tests.
+*   Sample #9 shows use of the listener API to modify Google Test's console
+    output and the use of its reflection API to inspect test results.
+*   Sample #10 shows use of the listener API to implement a primitive memory
+    leak checker.
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest-death-test.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest-death-test.h
index 957a69c6a..20c54d869 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest-death-test.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest-death-test.h
@@ -26,14 +26,14 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: wan@google.com (Zhanyong Wan)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 //
 // This header file defines the public API for death tests.  It is
 // #included by gtest.h so a user doesn't need to include this
 // directly.
+// GOOGLETEST_CM0001 DO NOT DELETE
 
 #ifndef GTEST_INCLUDE_GTEST_GTEST_DEATH_TEST_H_
 #define GTEST_INCLUDE_GTEST_GTEST_DEATH_TEST_H_
@@ -99,10 +99,11 @@ GTEST_API_ bool InDeathTestChild();
 //
 // On the regular expressions used in death tests:
 //
+//   GOOGLETEST_CM0005 DO NOT DELETE
 //   On POSIX-compliant systems (*nix), we use the <regex.h> library,
 //   which uses the POSIX extended regex syntax.
 //
-//   On other platforms (e.g. Windows), we only support a simple regex
+//   On other platforms (e.g. Windows or Mac), we only support a simple regex
 //   syntax implemented as part of Google Test.  This limited
 //   implementation should be enough most of the time when writing
 //   death tests; though it lacks many features you can find in PCRE
@@ -160,7 +161,7 @@ GTEST_API_ bool InDeathTestChild();
 //   is rarely a problem as people usually don't put the test binary
 //   directory in PATH.
 //
-// TODO(wan@google.com): make thread-safe death tests search the PATH.
+// FIXME: make thread-safe death tests search the PATH.
 
 // Asserts that a given statement causes the program to exit, with an
 // integer exit status that satisfies predicate, and emitting error output
@@ -198,9 +199,10 @@ class GTEST_API_ ExitedWithCode {
   const int exit_code_;
 };
 
-# if !GTEST_OS_WINDOWS
+# if !GTEST_OS_WINDOWS && !GTEST_OS_FUCHSIA
 // Tests that an exit code describes an exit due to termination by a
 // given signal.
+// GOOGLETEST_CM0006 DO NOT DELETE
 class GTEST_API_ KilledBySignal {
  public:
   explicit KilledBySignal(int signum);
@@ -272,6 +274,54 @@ class GTEST_API_ KilledBySignal {
 # endif  // NDEBUG for EXPECT_DEBUG_DEATH
 #endif  // GTEST_HAS_DEATH_TEST
 
+// This macro is used for implementing macros such as
+// EXPECT_DEATH_IF_SUPPORTED and ASSERT_DEATH_IF_SUPPORTED on systems where
+// death tests are not supported. Those macros must compile on such systems
+// iff EXPECT_DEATH and ASSERT_DEATH compile with the same parameters on
+// systems that support death tests. This allows one to write such a macro
+// on a system that does not support death tests and be sure that it will
+// compile on a death-test supporting system. It is exposed publicly so that
+// systems that have death-tests with stricter requirements than
+// GTEST_HAS_DEATH_TEST can write their own equivalent of
+// EXPECT_DEATH_IF_SUPPORTED and ASSERT_DEATH_IF_SUPPORTED.
+//
+// Parameters:
+//   statement -  A statement that a macro such as EXPECT_DEATH would test
+//                for program termination. This macro has to make sure this
+//                statement is compiled but not executed, to ensure that
+//                EXPECT_DEATH_IF_SUPPORTED compiles with a certain
+//                parameter iff EXPECT_DEATH compiles with it.
+//   regex     -  A regex that a macro such as EXPECT_DEATH would use to test
+//                the output of statement.  This parameter has to be
+//                compiled but not evaluated by this macro, to ensure that
+//                this macro only accepts expressions that a macro such as
+//                EXPECT_DEATH would accept.
+//   terminator - Must be an empty statement for EXPECT_DEATH_IF_SUPPORTED
+//                and a return statement for ASSERT_DEATH_IF_SUPPORTED.
+//                This ensures that ASSERT_DEATH_IF_SUPPORTED will not
+//                compile inside functions where ASSERT_DEATH doesn't
+//                compile.
+//
+//  The branch that has an always false condition is used to ensure that
+//  statement and regex are compiled (and thus syntactically correct) but
+//  never executed. The unreachable code macro protects the terminator
+//  statement from generating an 'unreachable code' warning in case
+//  statement unconditionally returns or throws. The Message constructor at
+//  the end allows the syntax of streaming additional messages into the
+//  macro, for compilational compatibility with EXPECT_DEATH/ASSERT_DEATH.
+# define GTEST_UNSUPPORTED_DEATH_TEST(statement, regex, terminator) \
+    GTEST_AMBIGUOUS_ELSE_BLOCKER_ \
+    if (::testing::internal::AlwaysTrue()) { \
+      GTEST_LOG_(WARNING) \
+          << "Death tests are not supported on this platform.\n" \
+          << "Statement '" #statement "' cannot be verified."; \
+    } else if (::testing::internal::AlwaysFalse()) { \
+      ::testing::internal::RE::PartialMatch(".*", (regex)); \
+      GTEST_SUPPRESS_UNREACHABLE_CODE_WARNING_BELOW_(statement); \
+      terminator; \
+    } else \
+      ::testing::Message()
+
 // EXPECT_DEATH_IF_SUPPORTED(statement, regex) and
 // ASSERT_DEATH_IF_SUPPORTED(statement, regex) expand to real death tests if
 // death tests are supported; otherwise they just issue a warning.  This is
@@ -284,9 +334,9 @@ class GTEST_API_ KilledBySignal {
     ASSERT_DEATH(statement, regex)
 #else
 # define EXPECT_DEATH_IF_SUPPORTED(statement, regex) \
-    GTEST_UNSUPPORTED_DEATH_TEST_(statement, regex, )
+    GTEST_UNSUPPORTED_DEATH_TEST(statement, regex, )
 # define ASSERT_DEATH_IF_SUPPORTED(statement, regex) \
-    GTEST_UNSUPPORTED_DEATH_TEST_(statement, regex, return)
+    GTEST_UNSUPPORTED_DEATH_TEST(statement, regex, return)
 #endif
 
 }  // namespace testing
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest-message.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest-message.h
index fe879bca7..5ca041614 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest-message.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest-message.h
@@ -26,10 +26,9 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: wan@google.com (Zhanyong Wan)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 //
 // This header file defines the Message class.
 //
@@ -43,6 +42,8 @@
 // to CHANGE WITHOUT NOTICE.  Therefore DO NOT DEPEND ON IT in a user
 // program!
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_GTEST_MESSAGE_H_
 #define GTEST_INCLUDE_GTEST_GTEST_MESSAGE_H_
 
@@ -50,6 +51,9 @@
 
 #include "gtest/internal/gtest-port.h"
 
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4251 \
+/* class A needs to have dll-interface to be used by clients of class B */)
+
 // Ensures that there is at least one operator<< in the global namespace.
 // See Message& operator<<(...) below for why.
 void operator<<(const testing::internal::Secret&, int);
@@ -196,7 +200,6 @@ class GTEST_API_ Message {
   std::string GetString() const;
 
  private:
-
 #if GTEST_OS_SYMBIAN
   // These are needed as the Nokia Symbian Compiler cannot decide between
   // const T& and const T* in a function template. The Nokia compiler _can_
@@ -247,4 +250,6 @@ std::string StreamableToString(const T& streamable) {
 }  // namespace internal
 }  // namespace testing
 
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4251
+
 #endif  // GTEST_INCLUDE_GTEST_GTEST_MESSAGE_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest-param-test.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest-param-test.h
index d6702c8f1..3e95e4390 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest-param-test.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest-param-test.h
@@ -31,13 +31,12 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: vladl@google.com (Vlad Losev)
-//
 // Macros and functions for implementing parameterized tests
-// in Google C++ Testing Framework (Google Test)
+// in Google C++ Testing and Mocking Framework (Google Test)
 //
 // This file is generated by a SCRIPT.  DO NOT EDIT BY HAND!
 //
+// GOOGLETEST_CM0001 DO NOT DELETE
 #ifndef GTEST_INCLUDE_GTEST_GTEST_PARAM_TEST_H_
 #define GTEST_INCLUDE_GTEST_GTEST_PARAM_TEST_H_
 
@@ -79,7 +78,7 @@ TEST_P(FooTest, HasBlahBlah) {
 // Finally, you can use INSTANTIATE_TEST_CASE_P to instantiate the test
 // case with any set of parameters you want. Google Test defines a number
 // of functions for generating test parameters. They return what we call
-// (surprise!) parameter generators. Here is a  summary of them, which
+// (surprise!) parameter generators. Here is a summary of them, which
 // are all in the testing namespace:
 //
 //
@@ -185,15 +184,10 @@ TEST_P(DerivedTest, DoesBlah) {
 # include <utility>
 #endif
 
-// scripts/fuse_gtest.py depends on gtest's own header being #included
-// *unconditionally*.  Therefore these #includes cannot be moved
-// inside #if GTEST_HAS_PARAM_TEST.
 #include "gtest/internal/gtest-internal.h"
 #include "gtest/internal/gtest-param-util.h"
 #include "gtest/internal/gtest-param-util-generated.h"
 
-#if GTEST_HAS_PARAM_TEST
-
 namespace testing {
 
 // Functions producing parameter generators.
@@ -273,7 +267,7 @@ internal::ParamGenerator<T> Range(T start, T end) {
 // each with C-string values of "foo", "bar", and "baz":
 //
 // const char* strings[] = {"foo", "bar", "baz"};
-// INSTANTIATE_TEST_CASE_P(StringSequence, SrtingTest, ValuesIn(strings));
+// INSTANTIATE_TEST_CASE_P(StringSequence, StringTest, ValuesIn(strings));
 //
 // This instantiates tests from test case StlStringTest
 // each with STL strings with values "a" and "b":
@@ -1375,8 +1369,6 @@ internal::CartesianProductHolder10<Generator1, Generator2, Generator3,
 }
 # endif  // GTEST_HAS_COMBINE
 
-
-
 # define TEST_P(test_case_name, test_name) \
   class GTEST_TEST_CLASS_NAME_(test_case_name, test_name) \
       : public test_case_name { \
@@ -1387,14 +1379,17 @@ internal::CartesianProductHolder10<Generator1, Generator2, Generator3,
     static int AddToRegistry() { \
       ::testing::UnitTest::GetInstance()->parameterized_test_registry(). \
           GetTestCasePatternHolder<test_case_name>(\
-              #test_case_name, __FILE__, __LINE__)->AddTestPattern(\
-                  #test_case_name, \
-                  #test_name, \
-                  new ::testing::internal::TestMetaFactory< \
-                      GTEST_TEST_CLASS_NAME_(test_case_name, test_name)>()); \
+              #test_case_name, \
+              ::testing::internal::CodeLocation(\
+                  __FILE__, __LINE__))->AddTestPattern(\
+                      GTEST_STRINGIFY_(test_case_name), \
+                      GTEST_STRINGIFY_(test_name), \
+                      new ::testing::internal::TestMetaFactory< \
+                          GTEST_TEST_CLASS_NAME_(\
+                              test_case_name, test_name)>()); \
       return 0; \
     } \
-    static int gtest_registering_dummy_; \
+    static int gtest_registering_dummy_ GTEST_ATTRIBUTE_UNUSED_; \
     GTEST_DISALLOW_COPY_AND_ASSIGN_(\
         GTEST_TEST_CLASS_NAME_(test_case_name, test_name)); \
   }; \
@@ -1403,19 +1398,37 @@ internal::CartesianProductHolder10<Generator1, Generator2, Generator3,
       GTEST_TEST_CLASS_NAME_(test_case_name, test_name)::AddToRegistry(); \
   void GTEST_TEST_CLASS_NAME_(test_case_name, test_name)::TestBody()
 
-# define INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \
-  ::testing::internal::ParamGenerator<test_case_name::ParamType> \
+// The optional last argument to INSTANTIATE_TEST_CASE_P allows the user
+// to specify a function or functor that generates custom test name suffixes
+// based on the test parameters. The function should accept one argument of
+// type testing::TestParamInfo<class ParamType>, and return std::string.
+//
+// testing::PrintToStringParamName is a builtin test suffix generator that
+// returns the value of testing::PrintToString(GetParam()).
+//
+// Note: test names must be non-empty, unique, and may only contain ASCII
+// alphanumeric characters or underscore. Because PrintToString adds quotes
+// to std::string and C strings, it won't work for these types.
+
+# define INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator, ...) \
+  static ::testing::internal::ParamGenerator<test_case_name::ParamType> \
       gtest_##prefix##test_case_name##_EvalGenerator_() { return generator; } \
-  int gtest_##prefix##test_case_name##_dummy_ = \
+  static ::std::string gtest_##prefix##test_case_name##_EvalGenerateName_( \
+      const ::testing::TestParamInfo<test_case_name::ParamType>& info) { \
+    return ::testing::internal::GetParamNameGen<test_case_name::ParamType> \
+        (__VA_ARGS__)(info); \
+  } \
+  static int gtest_##prefix##test_case_name##_dummy_ GTEST_ATTRIBUTE_UNUSED_ = \
       ::testing::UnitTest::GetInstance()->parameterized_test_registry(). \
           GetTestCasePatternHolder<test_case_name>(\
-              #test_case_name, __FILE__, __LINE__)->AddTestCaseInstantiation(\
-                  #prefix, \
-                  &gtest_##prefix##test_case_name##_EvalGenerator_, \
-                  __FILE__, __LINE__)
+              #test_case_name, \
+              ::testing::internal::CodeLocation(\
+                  __FILE__, __LINE__))->AddTestCaseInstantiation(\
+                      #prefix, \
+                      &gtest_##prefix##test_case_name##_EvalGenerator_, \
+                      &gtest_##prefix##test_case_name##_EvalGenerateName_, \
+                      __FILE__, __LINE__)
 
 }  // namespace testing
 
-#endif  // GTEST_HAS_PARAM_TEST
-
 #endif  // GTEST_INCLUDE_GTEST_GTEST_PARAM_TEST_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest-param-test.h.pump b/security/nss/gtests/google_test/gtest/include/gtest/gtest-param-test.h.pump
index 2dc9303b5..274f2b3b5 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest-param-test.h.pump
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest-param-test.h.pump
@@ -30,13 +30,12 @@ $var maxtuple = 10  $$ Maximum number of Combine arguments we want to support.
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: vladl@google.com (Vlad Losev)
-//
 // Macros and functions for implementing parameterized tests
-// in Google C++ Testing Framework (Google Test)
+// in Google C++ Testing and Mocking Framework (Google Test)
 //
 // This file is generated by a SCRIPT.  DO NOT EDIT BY HAND!
 //
+// GOOGLETEST_CM0001 DO NOT DELETE
 #ifndef GTEST_INCLUDE_GTEST_GTEST_PARAM_TEST_H_
 #define GTEST_INCLUDE_GTEST_GTEST_PARAM_TEST_H_
 
@@ -78,7 +77,7 @@ TEST_P(FooTest, HasBlahBlah) {
 // Finally, you can use INSTANTIATE_TEST_CASE_P to instantiate the test
 // case with any set of parameters you want. Google Test defines a number
 // of functions for generating test parameters. They return what we call
-// (surprise!) parameter generators. Here is a  summary of them, which
+// (surprise!) parameter generators. Here is a summary of them, which
 // are all in the testing namespace:
 //
 //
@@ -184,15 +183,10 @@ TEST_P(DerivedTest, DoesBlah) {
 # include <utility>
 #endif
 
-// scripts/fuse_gtest.py depends on gtest's own header being #included
-// *unconditionally*.  Therefore these #includes cannot be moved
-// inside #if GTEST_HAS_PARAM_TEST.
 #include "gtest/internal/gtest-internal.h"
 #include "gtest/internal/gtest-param-util.h"
 #include "gtest/internal/gtest-param-util-generated.h"
 
-#if GTEST_HAS_PARAM_TEST
-
 namespace testing {
 
 // Functions producing parameter generators.
@@ -272,7 +266,7 @@ internal::ParamGenerator<T> Range(T start, T end) {
 // each with C-string values of "foo", "bar", and "baz":
 //
 // const char* strings[] = {"foo", "bar", "baz"};
-// INSTANTIATE_TEST_CASE_P(StringSequence, SrtingTest, ValuesIn(strings));
+// INSTANTIATE_TEST_CASE_P(StringSequence, StringTest, ValuesIn(strings));
 //
 // This instantiates tests from test case StlStringTest
 // each with STL strings with values "a" and "b":
@@ -441,8 +435,6 @@ internal::CartesianProductHolder$i<$for j, [[Generator$j]]> Combine(
 ]]
 # endif  // GTEST_HAS_COMBINE
 
-
-
 # define TEST_P(test_case_name, test_name) \
   class GTEST_TEST_CLASS_NAME_(test_case_name, test_name) \
       : public test_case_name { \
@@ -453,14 +445,17 @@ internal::CartesianProductHolder$i<$for j, [[Generator$j]]> Combine(
     static int AddToRegistry() { \
       ::testing::UnitTest::GetInstance()->parameterized_test_registry(). \
           GetTestCasePatternHolder<test_case_name>(\
-              #test_case_name, __FILE__, __LINE__)->AddTestPattern(\
-                  #test_case_name, \
-                  #test_name, \
-                  new ::testing::internal::TestMetaFactory< \
-                      GTEST_TEST_CLASS_NAME_(test_case_name, test_name)>()); \
+              #test_case_name, \
+              ::testing::internal::CodeLocation(\
+                  __FILE__, __LINE__))->AddTestPattern(\
+                      GTEST_STRINGIFY_(test_case_name), \
+                      GTEST_STRINGIFY_(test_name), \
+                      new ::testing::internal::TestMetaFactory< \
+                          GTEST_TEST_CLASS_NAME_(\
+                              test_case_name, test_name)>()); \
       return 0; \
     } \
-    static int gtest_registering_dummy_; \
+    static int gtest_registering_dummy_ GTEST_ATTRIBUTE_UNUSED_; \
     GTEST_DISALLOW_COPY_AND_ASSIGN_(\
         GTEST_TEST_CLASS_NAME_(test_case_name, test_name)); \
   }; \
@@ -469,19 +464,37 @@ internal::CartesianProductHolder$i<$for j, [[Generator$j]]> Combine(
       GTEST_TEST_CLASS_NAME_(test_case_name, test_name)::AddToRegistry(); \
   void GTEST_TEST_CLASS_NAME_(test_case_name, test_name)::TestBody()
 
-# define INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \
-  ::testing::internal::ParamGenerator<test_case_name::ParamType> \
+// The optional last argument to INSTANTIATE_TEST_CASE_P allows the user
+// to specify a function or functor that generates custom test name suffixes
+// based on the test parameters. The function should accept one argument of
+// type testing::TestParamInfo<class ParamType>, and return std::string.
+//
+// testing::PrintToStringParamName is a builtin test suffix generator that
+// returns the value of testing::PrintToString(GetParam()).
+//
+// Note: test names must be non-empty, unique, and may only contain ASCII
+// alphanumeric characters or underscore. Because PrintToString adds quotes
+// to std::string and C strings, it won't work for these types.
+
+# define INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator, ...) \
+  static ::testing::internal::ParamGenerator<test_case_name::ParamType> \
       gtest_##prefix##test_case_name##_EvalGenerator_() { return generator; } \
-  int gtest_##prefix##test_case_name##_dummy_ = \
+  static ::std::string gtest_##prefix##test_case_name##_EvalGenerateName_( \
+      const ::testing::TestParamInfo<test_case_name::ParamType>& info) { \
+    return ::testing::internal::GetParamNameGen<test_case_name::ParamType> \
+        (__VA_ARGS__)(info); \
+  } \
+  static int gtest_##prefix##test_case_name##_dummy_ GTEST_ATTRIBUTE_UNUSED_ = \
       ::testing::UnitTest::GetInstance()->parameterized_test_registry(). \
           GetTestCasePatternHolder<test_case_name>(\
-              #test_case_name, __FILE__, __LINE__)->AddTestCaseInstantiation(\
-                  #prefix, \
-                  &gtest_##prefix##test_case_name##_EvalGenerator_, \
-                  __FILE__, __LINE__)
+              #test_case_name, \
+              ::testing::internal::CodeLocation(\
+                  __FILE__, __LINE__))->AddTestCaseInstantiation(\
+                      #prefix, \
+                      &gtest_##prefix##test_case_name##_EvalGenerator_, \
+                      &gtest_##prefix##test_case_name##_EvalGenerateName_, \
+                      __FILE__, __LINE__)
 
 }  // namespace testing
 
-#endif  // GTEST_HAS_PARAM_TEST
-
 #endif  // GTEST_INCLUDE_GTEST_GTEST_PARAM_TEST_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest-printers.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest-printers.h
index 18ee7bc64..51865f84e 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest-printers.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest-printers.h
@@ -26,10 +26,9 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
-// Google Test - The Google C++ Testing Framework
+
+// Google Test - The Google C++ Testing and Mocking Framework
 //
 // This file implements a universal value printer that can print a
 // value of any type T:
@@ -46,6 +45,10 @@
 //   2. operator<<(ostream&, const T&) defined in either foo or the
 //      global namespace.
 //
+// However if T is an STL-style container then it is printed element-wise
+// unless foo::PrintTo(const T&, ostream*) is defined. Note that
+// operator<<() is ignored for container types.
+//
 // If none of the above is defined, it will print the debug string of
 // the value if it is a protocol buffer, or print the raw bytes in the
 // value otherwise.
@@ -92,6 +95,8 @@
 // being defined as many user-defined container types don't have
 // value_type.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_GTEST_PRINTERS_H_
 #define GTEST_INCLUDE_GTEST_GTEST_PRINTERS_H_
 
@@ -107,6 +112,12 @@
 # include <tuple>
 #endif
 
+#if GTEST_HAS_ABSL
+#include "absl/strings/string_view.h"
+#include "absl/types/optional.h"
+#include "absl/types/variant.h"
+#endif  // GTEST_HAS_ABSL
+
 namespace testing {
 
 // Definitions in the 'internal' and 'internal2' name spaces are
@@ -125,7 +136,11 @@ enum TypeKind {
   kProtobuf,              // a protobuf type
   kConvertibleToInteger,  // a type implicitly convertible to BiggestInt
                           // (e.g. a named or unnamed enum type)
-  kOtherType              // anything else
+#if GTEST_HAS_ABSL
+  kConvertibleToStringView,  // a type implicitly convertible to
+                             // absl::string_view
+#endif
+  kOtherType  // anything else
 };
 
 // TypeWithoutFormatter<T, kTypeKind>::PrintValue(value, os) is called
@@ -137,7 +152,8 @@ class TypeWithoutFormatter {
  public:
   // This default version is called when kTypeKind is kOtherType.
   static void PrintValue(const T& value, ::std::ostream* os) {
-    PrintBytesInObjectTo(reinterpret_cast<const unsigned char*>(&value),
+    PrintBytesInObjectTo(static_cast<const unsigned char*>(
+                             reinterpret_cast<const void*>(&value)),
                          sizeof(value), os);
   }
 };
@@ -151,10 +167,10 @@ template <typename T>
 class TypeWithoutFormatter<T, kProtobuf> {
  public:
   static void PrintValue(const T& value, ::std::ostream* os) {
-    const ::testing::internal::string short_str = value.ShortDebugString();
-    const ::testing::internal::string pretty_str =
-        short_str.length() <= kProtobufOneLinerMaxLength ?
-        short_str : ("\n" + value.DebugString());
+    std::string pretty_str = value.ShortDebugString();
+    if (pretty_str.length() > kProtobufOneLinerMaxLength) {
+      pretty_str = "\n" + value.DebugString();
+    }
     *os << ("<" + pretty_str + ">");
   }
 };
@@ -175,6 +191,19 @@ class TypeWithoutFormatter<T, kConvertibleToInteger> {
   }
 };
 
+#if GTEST_HAS_ABSL
+template <typename T>
+class TypeWithoutFormatter<T, kConvertibleToStringView> {
+ public:
+  // Since T has neither operator<< nor PrintTo() but can be implicitly
+  // converted to absl::string_view, we print it as a absl::string_view.
+  //
+  // Note: the implementation is further below, as it depends on
+  // internal::PrintTo symbol which is defined later in the file.
+  static void PrintValue(const T& value, ::std::ostream* os);
+};
+#endif
+
 // Prints the given value to the given ostream.  If the value is a
 // protocol message, its debug string is printed; if it's an enum or
 // of a type implicitly convertible to BiggestInt, it's printed as an
@@ -202,10 +231,19 @@ class TypeWithoutFormatter<T, kConvertibleToInteger> {
 template <typename Char, typename CharTraits, typename T>
 ::std::basic_ostream<Char, CharTraits>& operator<<(
     ::std::basic_ostream<Char, CharTraits>& os, const T& x) {
-  TypeWithoutFormatter<T,
-      (internal::IsAProtocolMessage<T>::value ? kProtobuf :
-       internal::ImplicitlyConvertible<const T&, internal::BiggestInt>::value ?
-       kConvertibleToInteger : kOtherType)>::PrintValue(x, &os);
+  TypeWithoutFormatter<T, (internal::IsAProtocolMessage<T>::value
+                               ? kProtobuf
+                               : internal::ImplicitlyConvertible<
+                                     const T&, internal::BiggestInt>::value
+                                     ? kConvertibleToInteger
+                                     :
+#if GTEST_HAS_ABSL
+                                     internal::ImplicitlyConvertible<
+                                         const T&, absl::string_view>::value
+                                         ? kConvertibleToStringView
+                                         :
+#endif
+                                         kOtherType)>::PrintValue(x, &os);
   return os;
 }
 
@@ -254,6 +292,103 @@ void DefaultPrintNonContainerTo(const T& value, ::std::ostream* os) {
 namespace testing {
 namespace internal {
 
+// FormatForComparison<ToPrint, OtherOperand>::Format(value) formats a
+// value of type ToPrint that is an operand of a comparison assertion
+// (e.g. ASSERT_EQ).  OtherOperand is the type of the other operand in
+// the comparison, and is used to help determine the best way to
+// format the value.  In particular, when the value is a C string
+// (char pointer) and the other operand is an STL string object, we
+// want to format the C string as a string, since we know it is
+// compared by value with the string object.  If the value is a char
+// pointer but the other operand is not an STL string object, we don't
+// know whether the pointer is supposed to point to a NUL-terminated
+// string, and thus want to print it as a pointer to be safe.
+//
+// INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
+
+// The default case.
+template <typename ToPrint, typename OtherOperand>
+class FormatForComparison {
+ public:
+  static ::std::string Format(const ToPrint& value) {
+    return ::testing::PrintToString(value);
+  }
+};
+
+// Array.
+template <typename ToPrint, size_t N, typename OtherOperand>
+class FormatForComparison<ToPrint[N], OtherOperand> {
+ public:
+  static ::std::string Format(const ToPrint* value) {
+    return FormatForComparison<const ToPrint*, OtherOperand>::Format(value);
+  }
+};
+
+// By default, print C string as pointers to be safe, as we don't know
+// whether they actually point to a NUL-terminated string.
+
+#define GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(CharType)                \
+  template <typename OtherOperand>                                      \
+  class FormatForComparison<CharType*, OtherOperand> {                  \
+   public:                                                              \
+    static ::std::string Format(CharType* value) {                      \
+      return ::testing::PrintToString(static_cast<const void*>(value)); \
+    }                                                                   \
+  }
+
+GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(char);
+GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(const char);
+GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(wchar_t);
+GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(const wchar_t);
+
+#undef GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_
+
+// If a C string is compared with an STL string object, we know it's meant
+// to point to a NUL-terminated string, and thus can print it as a string.
+
+#define GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(CharType, OtherStringType) \
+  template <>                                                           \
+  class FormatForComparison<CharType*, OtherStringType> {               \
+   public:                                                              \
+    static ::std::string Format(CharType* value) {                      \
+      return ::testing::PrintToString(value);                           \
+    }                                                                   \
+  }
+
+GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(char, ::std::string);
+GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(const char, ::std::string);
+
+#if GTEST_HAS_GLOBAL_STRING
+GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(char, ::string);
+GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(const char, ::string);
+#endif
+
+#if GTEST_HAS_GLOBAL_WSTRING
+GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(wchar_t, ::wstring);
+GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(const wchar_t, ::wstring);
+#endif
+
+#if GTEST_HAS_STD_WSTRING
+GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(wchar_t, ::std::wstring);
+GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(const wchar_t, ::std::wstring);
+#endif
+
+#undef GTEST_IMPL_FORMAT_C_STRING_AS_STRING_
+
+// Formats a comparison assertion (e.g. ASSERT_EQ, EXPECT_LT, and etc)
+// operand to be used in a failure message.  The type (but not value)
+// of the other operand may affect the format.  This allows us to
+// print a char* as a raw pointer when it is compared against another
+// char* or void*, and print it as a C string when it is compared
+// against an std::string object, for example.
+//
+// INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
+template <typename T1, typename T2>
+std::string FormatForComparisonFailureMessage(
+    const T1& value, const T2& /* other_operand */) {
+  return FormatForComparison<T1, T2>::Format(value);
+}
+
 // UniversalPrinter<T>::Print(value, ostream_ptr) prints the given
 // value to the given ostream.  The caller must ensure that
 // 'ostream_ptr' is not NULL, or the behavior is undefined.
@@ -267,11 +402,18 @@ class UniversalPrinter;
 template <typename T>
 void UniversalPrint(const T& value, ::std::ostream* os);
 
+enum DefaultPrinterType {
+  kPrintContainer,
+  kPrintPointer,
+  kPrintFunctionPointer,
+  kPrintOther,
+};
+template <DefaultPrinterType type> struct WrapPrinterType {};
+
 // Used to print an STL-style container when the user doesn't define
 // a PrintTo() for it.
 template <typename C>
-void DefaultPrintTo(IsContainer /* dummy */,
-                    false_type /* is not a pointer */,
+void DefaultPrintTo(WrapPrinterType<kPrintContainer> /* dummy */,
                     const C& container, ::std::ostream* os) {
   const size_t kMaxCount = 32;  // The maximum number of elements to print.
   *os << '{';
@@ -304,40 +446,34 @@ void DefaultPrintTo(IsContainer /* dummy */,
 // implementation-defined.  Therefore they will be printed as raw
 // bytes.)
 template <typename T>
-void DefaultPrintTo(IsNotContainer /* dummy */,
-                    true_type /* is a pointer */,
+void DefaultPrintTo(WrapPrinterType<kPrintPointer> /* dummy */,
                     T* p, ::std::ostream* os) {
   if (p == NULL) {
     *os << "NULL";
   } else {
-    // C++ doesn't allow casting from a function pointer to any object
-    // pointer.
-    //
-    // IsTrue() silences warnings: "Condition is always true",
-    // "unreachable code".
-    if (IsTrue(ImplicitlyConvertible<T*, const void*>::value)) {
-      // T is not a function type.  We just call << to print p,
-      // relying on ADL to pick up user-defined << for their pointer
-      // types, if any.
-      *os << p;
-    } else {
-      // T is a function type, so '*os << p' doesn't do what we want
-      // (it just prints p as bool).  We want to print p as a const
-      // void*.  However, we cannot cast it to const void* directly,
-      // even using reinterpret_cast, as earlier versions of gcc
-      // (e.g. 3.4.5) cannot compile the cast when p is a function
-      // pointer.  Casting to UInt64 first solves the problem.
-      *os << reinterpret_cast<const void*>(
-          reinterpret_cast<internal::UInt64>(p));
-    }
+    // T is not a function type.  We just call << to print p,
+    // relying on ADL to pick up user-defined << for their pointer
+    // types, if any.
+    *os << p;
+  }
+}
+template <typename T>
+void DefaultPrintTo(WrapPrinterType<kPrintFunctionPointer> /* dummy */,
+                    T* p, ::std::ostream* os) {
+  if (p == NULL) {
+    *os << "NULL";
+  } else {
+    // T is a function type, so '*os << p' doesn't do what we want
+    // (it just prints p as bool).  We want to print p as a const
+    // void*.
+    *os << reinterpret_cast<const void*>(p);
   }
 }
 
 // Used to print a non-container, non-pointer value when the user
 // doesn't define PrintTo() for it.
 template <typename T>
-void DefaultPrintTo(IsNotContainer /* dummy */,
-                    false_type /* is not a pointer */,
+void DefaultPrintTo(WrapPrinterType<kPrintOther> /* dummy */,
                     const T& value, ::std::ostream* os) {
   ::testing_internal::DefaultPrintNonContainerTo(value, os);
 }
@@ -355,11 +491,8 @@ void DefaultPrintTo(IsNotContainer /* dummy */,
 // wants).
 template <typename T>
 void PrintTo(const T& value, ::std::ostream* os) {
-  // DefaultPrintTo() is overloaded.  The type of its first two
-  // arguments determine which version will be picked.  If T is an
-  // STL-style container, the version for container will be called; if
-  // T is a pointer, the pointer version will be called; otherwise the
-  // generic version will be called.
+  // DefaultPrintTo() is overloaded.  The type of its first argument
+  // determines which version will be picked.
   //
   // Note that we check for container types here, prior to we check
   // for protocol message types in our operator<<.  The rationale is:
@@ -371,13 +504,27 @@ void PrintTo(const T& value, ::std::ostream* os) {
   // elements; therefore we check for container types here to ensure
   // that our format is used.
   //
-  // The second argument of DefaultPrintTo() is needed to bypass a bug
-  // in Symbian's C++ compiler that prevents it from picking the right
-  // overload between:
-  //
-  //   PrintTo(const T& x, ...);
-  //   PrintTo(T* x, ...);
-  DefaultPrintTo(IsContainerTest<T>(0), is_pointer<T>(), value, os);
+  // Note that MSVC and clang-cl do allow an implicit conversion from
+  // pointer-to-function to pointer-to-object, but clang-cl warns on it.
+  // So don't use ImplicitlyConvertible if it can be helped since it will
+  // cause this warning, and use a separate overload of DefaultPrintTo for
+  // function pointers so that the `*os << p` in the object pointer overload
+  // doesn't cause that warning either.
+  DefaultPrintTo(
+      WrapPrinterType <
+                  (sizeof(IsContainerTest<T>(0)) == sizeof(IsContainer)) &&
+              !IsRecursiveContainer<T>::value
+          ? kPrintContainer
+          : !is_pointer<T>::value
+                ? kPrintOther
+#if GTEST_LANG_CXX11
+                : std::is_function<typename std::remove_pointer<T>::type>::value
+#else
+                : !internal::ImplicitlyConvertible<T, const void*>::value
+#endif
+                      ? kPrintFunctionPointer
+                      : kPrintPointer > (),
+      value, os);
 }
 
 // The following list of PrintTo() overloads tells
@@ -484,6 +631,17 @@ inline void PrintTo(const ::std::wstring& s, ::std::ostream* os) {
 }
 #endif  // GTEST_HAS_STD_WSTRING
 
+#if GTEST_HAS_ABSL
+// Overload for absl::string_view.
+inline void PrintTo(absl::string_view sp, ::std::ostream* os) {
+  PrintTo(::std::string(sp), os);
+}
+#endif  // GTEST_HAS_ABSL
+
+#if GTEST_LANG_CXX11
+inline void PrintTo(std::nullptr_t, ::std::ostream* os) { *os << "(nullptr)"; }
+#endif  // GTEST_LANG_CXX11
+
 #if GTEST_HAS_TR1_TUPLE || GTEST_HAS_STD_TUPLE_
 // Helper function for printing a tuple.  T must be instantiated with
 // a tuple type.
@@ -613,6 +771,48 @@ class UniversalPrinter {
   GTEST_DISABLE_MSC_WARNINGS_POP_()
 };
 
+#if GTEST_HAS_ABSL
+
+// Printer for absl::optional
+
+template <typename T>
+class UniversalPrinter<::absl::optional<T>> {
+ public:
+  static void Print(const ::absl::optional<T>& value, ::std::ostream* os) {
+    *os << '(';
+    if (!value) {
+      *os << "nullopt";
+    } else {
+      UniversalPrint(*value, os);
+    }
+    *os << ')';
+  }
+};
+
+// Printer for absl::variant
+
+template <typename... T>
+class UniversalPrinter<::absl::variant<T...>> {
+ public:
+  static void Print(const ::absl::variant<T...>& value, ::std::ostream* os) {
+    *os << '(';
+    absl::visit(Visitor{os}, value);
+    *os << ')';
+  }
+
+ private:
+  struct Visitor {
+    template <typename U>
+    void operator()(const U& u) const {
+      *os << "'" << GetTypeName<U>() << "' with value ";
+      UniversalPrint(u, os);
+    }
+    ::std::ostream* os;
+  };
+};
+
+#endif  // GTEST_HAS_ABSL
+
 // UniversalPrintArray(begin, len, os) prints an array of 'len'
 // elements, starting at address 'begin'.
 template <typename T>
@@ -626,7 +826,7 @@ void UniversalPrintArray(const T* begin, size_t len, ::std::ostream* os) {
     // If the array has more than kThreshold elements, we'll have to
     // omit some details by printing only the first and the last
     // kChunkSize elements.
-    // TODO(wan@google.com): let the user control the threshold using a flag.
+    // FIXME: let the user control the threshold using a flag.
     if (len <= kThreshold) {
       PrintRawArrayTo(begin, len, os);
     } else {
@@ -708,7 +908,7 @@ class UniversalTersePrinter<const char*> {
     if (str == NULL) {
       *os << "NULL";
     } else {
-      UniversalPrint(string(str), os);
+      UniversalPrint(std::string(str), os);
     }
   }
 };
@@ -759,7 +959,7 @@ void UniversalPrint(const T& value, ::std::ostream* os) {
   UniversalPrinter<T1>::Print(value, os);
 }
 
-typedef ::std::vector<string> Strings;
+typedef ::std::vector< ::std::string> Strings;
 
 // TuplePolicy<TupleT> must provide:
 // - tuple_size
@@ -778,12 +978,13 @@ struct TuplePolicy {
   static const size_t tuple_size = ::std::tr1::tuple_size<Tuple>::value;
 
   template <size_t I>
-  struct tuple_element : ::std::tr1::tuple_element<I, Tuple> {};
+  struct tuple_element : ::std::tr1::tuple_element<static_cast<int>(I), Tuple> {
+  };
 
   template <size_t I>
-  static typename AddReference<
-      const typename ::std::tr1::tuple_element<I, Tuple>::type>::type get(
-      const Tuple& tuple) {
+  static typename AddReference<const typename ::std::tr1::tuple_element<
+      static_cast<int>(I), Tuple>::type>::type
+  get(const Tuple& tuple) {
     return ::std::tr1::get<I>(tuple);
   }
 };
@@ -879,6 +1080,16 @@ Strings UniversalTersePrintTupleFieldsToStrings(const Tuple& value) {
 
 }  // namespace internal
 
+#if GTEST_HAS_ABSL
+namespace internal2 {
+template <typename T>
+void TypeWithoutFormatter<T, kConvertibleToStringView>::PrintValue(
+    const T& value, ::std::ostream* os) {
+  internal::PrintTo(absl::string_view(value), os);
+}
+}  // namespace internal2
+#endif
+
 template <typename T>
 ::std::string PrintToString(const T& value) {
   ::std::stringstream ss;
@@ -888,4 +1099,9 @@ template <typename T>
 
 }  // namespace testing
 
+// Include any custom printer added by the local installation.
+// We must include this header at the end to make sure it can use the
+// declarations from this file.
+#include "gtest/internal/custom/gtest-printers.h"
+
 #endif  // GTEST_INCLUDE_GTEST_GTEST_PRINTERS_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest-spi.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest-spi.h
index f63fa9a1b..1e8983938 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest-spi.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest-spi.h
@@ -26,17 +26,21 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 //
 // Utilities for testing Google Test itself and code that uses Google Test
 // (e.g. frameworks built on top of Google Test).
 
+// GOOGLETEST_CM0004 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_GTEST_SPI_H_
 #define GTEST_INCLUDE_GTEST_GTEST_SPI_H_
 
 #include "gtest/gtest.h"
 
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4251 \
+/* class A needs to have dll-interface to be used by clients of class B */)
+
 namespace testing {
 
 // This helper class can be used to mock out Google Test failure reporting
@@ -97,13 +101,12 @@ class GTEST_API_ SingleFailureChecker {
  public:
   // The constructor remembers the arguments.
   SingleFailureChecker(const TestPartResultArray* results,
-                       TestPartResult::Type type,
-                       const string& substr);
+                       TestPartResult::Type type, const std::string& substr);
   ~SingleFailureChecker();
  private:
   const TestPartResultArray* const results_;
   const TestPartResult::Type type_;
-  const string substr_;
+  const std::string substr_;
 
   GTEST_DISALLOW_COPY_AND_ASSIGN_(SingleFailureChecker);
 };
@@ -112,6 +115,8 @@ class GTEST_API_ SingleFailureChecker {
 
 }  // namespace testing
 
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4251
+
 // A set of macros for testing Google Test assertions or code that's expected
 // to generate Google Test fatal failures.  It verifies that the given
 // statement will cause exactly one fatal Google Test failure with 'substr'
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest-test-part.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest-test-part.h
index 77eb84483..1c7b89e08 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest-test-part.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest-test-part.h
@@ -27,8 +27,7 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Author: mheule@google.com (Markus Heule)
-//
+// GOOGLETEST_CM0001 DO NOT DELETE
 
 #ifndef GTEST_INCLUDE_GTEST_GTEST_TEST_PART_H_
 #define GTEST_INCLUDE_GTEST_GTEST_TEST_PART_H_
@@ -38,6 +37,9 @@
 #include "gtest/internal/gtest-internal.h"
 #include "gtest/internal/gtest-string.h"
 
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4251 \
+/* class A needs to have dll-interface to be used by clients of class B */)
+
 namespace testing {
 
 // A copyable object representing the result of a test part (i.e. an
@@ -143,7 +145,7 @@ class GTEST_API_ TestPartResultArray {
 };
 
 // This interface knows how to report a test part result.
-class TestPartResultReporterInterface {
+class GTEST_API_ TestPartResultReporterInterface {
  public:
   virtual ~TestPartResultReporterInterface() {}
 
@@ -176,4 +178,6 @@ class GTEST_API_ HasNewFatalFailureHelper
 
 }  // namespace testing
 
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4251
+
 #endif  // GTEST_INCLUDE_GTEST_GTEST_TEST_PART_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest-typed-test.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest-typed-test.h
index fe1e83b27..74bce46bd 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest-typed-test.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest-typed-test.h
@@ -26,8 +26,9 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
+
+// GOOGLETEST_CM0001 DO NOT DELETE
 
 #ifndef GTEST_INCLUDE_GTEST_GTEST_TYPED_TEST_H_
 #define GTEST_INCLUDE_GTEST_GTEST_TYPED_TEST_H_
@@ -82,6 +83,24 @@ TYPED_TEST(FooTest, DoesBlah) {
 
 TYPED_TEST(FooTest, HasPropertyA) { ... }
 
+// TYPED_TEST_CASE takes an optional third argument which allows to specify a
+// class that generates custom test name suffixes based on the type. This should
+// be a class which has a static template function GetName(int index) returning
+// a string for each type. The provided integer index equals the index of the
+// type in the provided type list. In many cases the index can be ignored.
+//
+// For example:
+//   class MyTypeNames {
+//    public:
+//     template <typename T>
+//     static std::string GetName(int) {
+//       if (std::is_same<T, char>()) return "char";
+//       if (std::is_same<T, int>()) return "int";
+//       if (std::is_same<T, unsigned int>()) return "unsignedInt";
+//     }
+//   };
+//   TYPED_TEST_CASE(FooTest, MyTypes, MyTypeNames);
+
 #endif  // 0
 
 // Type-parameterized tests are abstract test patterns parameterized
@@ -143,6 +162,11 @@ INSTANTIATE_TYPED_TEST_CASE_P(My, FooTest, MyTypes);
 // If the type list contains only one type, you can write that type
 // directly without Types<...>:
 //   INSTANTIATE_TYPED_TEST_CASE_P(My, FooTest, int);
+//
+// Similar to the optional argument of TYPED_TEST_CASE above,
+// INSTANTIATE_TEST_CASE_P takes an optional fourth argument which allows to
+// generate custom names.
+//   INSTANTIATE_TYPED_TEST_CASE_P(My, FooTest, MyTypes, MyTypeNames);
 
 #endif  // 0
 
@@ -159,31 +183,46 @@ INSTANTIATE_TYPED_TEST_CASE_P(My, FooTest, MyTypes);
 // given test case.
 # define GTEST_TYPE_PARAMS_(TestCaseName) gtest_type_params_##TestCaseName##_
 
+// Expands to the name of the typedef for the NameGenerator, responsible for
+// creating the suffixes of the name.
+#define GTEST_NAME_GENERATOR_(TestCaseName) \
+  gtest_type_params_##TestCaseName##_NameGenerator
+
 // The 'Types' template argument below must have spaces around it
 // since some compilers may choke on '>>' when passing a template
 // instance (e.g. Types<int>)
-# define TYPED_TEST_CASE(CaseName, Types) \
-  typedef ::testing::internal::TypeList< Types >::type \
-      GTEST_TYPE_PARAMS_(CaseName)
-
-# define TYPED_TEST(CaseName, TestName) \
-  template <typename gtest_TypeParam_> \
-  class GTEST_TEST_CLASS_NAME_(CaseName, TestName) \
-      : public CaseName<gtest_TypeParam_> { \
-   private: \
-    typedef CaseName<gtest_TypeParam_> TestFixture; \
-    typedef gtest_TypeParam_ TypeParam; \
-    virtual void TestBody(); \
-  }; \
-  bool gtest_##CaseName##_##TestName##_registered_ GTEST_ATTRIBUTE_UNUSED_ = \
-      ::testing::internal::TypeParameterizedTest< \
-          CaseName, \
-          ::testing::internal::TemplateSel< \
-              GTEST_TEST_CLASS_NAME_(CaseName, TestName)>, \
-          GTEST_TYPE_PARAMS_(CaseName)>::Register(\
-              "", #CaseName, #TestName, 0); \
-  template <typename gtest_TypeParam_> \
-  void GTEST_TEST_CLASS_NAME_(CaseName, TestName)<gtest_TypeParam_>::TestBody()
+# define TYPED_TEST_CASE(CaseName, Types, ...)                             \
+  typedef ::testing::internal::TypeList< Types >::type GTEST_TYPE_PARAMS_( \
+      CaseName);                                                           \
+  typedef ::testing::internal::NameGeneratorSelector<__VA_ARGS__>::type    \
+      GTEST_NAME_GENERATOR_(CaseName)
+
+# define TYPED_TEST(CaseName, TestName)                                       \
+  template <typename gtest_TypeParam_>                                        \
+  class GTEST_TEST_CLASS_NAME_(CaseName, TestName)                            \
+      : public CaseName<gtest_TypeParam_> {                                   \
+   private:                                                                   \
+    typedef CaseName<gtest_TypeParam_> TestFixture;                           \
+    typedef gtest_TypeParam_ TypeParam;                                       \
+    virtual void TestBody();                                                  \
+  };                                                                          \
+  static bool gtest_##CaseName##_##TestName##_registered_                     \
+        GTEST_ATTRIBUTE_UNUSED_ =                                             \
+      ::testing::internal::TypeParameterizedTest<                             \
+          CaseName,                                                           \
+          ::testing::internal::TemplateSel<GTEST_TEST_CLASS_NAME_(CaseName,   \
+                                                                  TestName)>, \
+          GTEST_TYPE_PARAMS_(                                                 \
+              CaseName)>::Register("",                                        \
+                                   ::testing::internal::CodeLocation(         \
+                                       __FILE__, __LINE__),                   \
+                                   #CaseName, #TestName, 0,                   \
+                                   ::testing::internal::GenerateNames<        \
+                                       GTEST_NAME_GENERATOR_(CaseName),       \
+                                       GTEST_TYPE_PARAMS_(CaseName)>());      \
+  template <typename gtest_TypeParam_>                                        \
+  void GTEST_TEST_CLASS_NAME_(CaseName,                                       \
+                              TestName)<gtest_TypeParam_>::TestBody()
 
 #endif  // GTEST_HAS_TYPED_TEST
 
@@ -240,19 +279,27 @@ INSTANTIATE_TYPED_TEST_CASE_P(My, FooTest, MyTypes);
   namespace GTEST_CASE_NAMESPACE_(CaseName) { \
   typedef ::testing::internal::Templates<__VA_ARGS__>::type gtest_AllTests_; \
   } \
-  static const char* const GTEST_REGISTERED_TEST_NAMES_(CaseName) = \
-      GTEST_TYPED_TEST_CASE_P_STATE_(CaseName).VerifyRegisteredTestNames(\
-          __FILE__, __LINE__, #__VA_ARGS__)
+  static const char* const GTEST_REGISTERED_TEST_NAMES_(CaseName) \
+      GTEST_ATTRIBUTE_UNUSED_ = \
+          GTEST_TYPED_TEST_CASE_P_STATE_(CaseName).VerifyRegisteredTestNames( \
+              __FILE__, __LINE__, #__VA_ARGS__)
 
 // The 'Types' template argument below must have spaces around it
 // since some compilers may choke on '>>' when passing a template
 // instance (e.g. Types<int>)
-# define INSTANTIATE_TYPED_TEST_CASE_P(Prefix, CaseName, Types) \
-  bool gtest_##Prefix##_##CaseName GTEST_ATTRIBUTE_UNUSED_ = \
-      ::testing::internal::TypeParameterizedTestCase<CaseName, \
-          GTEST_CASE_NAMESPACE_(CaseName)::gtest_AllTests_, \
-          ::testing::internal::TypeList< Types >::type>::Register(\
-              #Prefix, #CaseName, GTEST_REGISTERED_TEST_NAMES_(CaseName))
+# define INSTANTIATE_TYPED_TEST_CASE_P(Prefix, CaseName, Types, ...)      \
+  static bool gtest_##Prefix##_##CaseName GTEST_ATTRIBUTE_UNUSED_ =       \
+      ::testing::internal::TypeParameterizedTestCase<                     \
+          CaseName, GTEST_CASE_NAMESPACE_(CaseName)::gtest_AllTests_,     \
+          ::testing::internal::TypeList< Types >::type>::                 \
+          Register(#Prefix,                                               \
+                   ::testing::internal::CodeLocation(__FILE__, __LINE__), \
+                   &GTEST_TYPED_TEST_CASE_P_STATE_(CaseName), #CaseName,  \
+                   GTEST_REGISTERED_TEST_NAMES_(CaseName),                \
+                   ::testing::internal::GenerateNames<                    \
+                       ::testing::internal::NameGeneratorSelector<        \
+                           __VA_ARGS__>::type,                            \
+                       ::testing::internal::TypeList< Types >::type>())
 
 #endif  // GTEST_HAS_TYPED_TEST_P
 
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest.h
index 38ca3e976..5df4b0a3a 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest.h
@@ -26,10 +26,9 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: wan@google.com (Zhanyong Wan)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 //
 // This header file defines the public API for Google Test.  It should be
 // included by any test program that uses Google Test.
@@ -48,6 +47,8 @@
 // registration from Barthelemy Dagenais' (barthelemy@prologique.com)
 // easyUnit framework.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_GTEST_H_
 #define GTEST_INCLUDE_GTEST_GTEST_H_
 
@@ -65,6 +66,9 @@
 #include "gtest/gtest-test-part.h"
 #include "gtest/gtest-typed-test.h"
 
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4251 \
+/* class A needs to have dll-interface to be used by clients of class B */)
+
 // Depending on the platform, different string classes are available.
 // On Linux, in addition to ::std::string, Google also makes use of
 // class ::string, which has the same interface as ::std::string, but
@@ -82,6 +86,15 @@
 
 namespace testing {
 
+// Silence C4100 (unreferenced formal parameter) and 4805
+// unsafe mix of type 'const int' and type 'const bool'
+#ifdef _MSC_VER
+# pragma warning(push)
+# pragma warning(disable:4805)
+# pragma warning(disable:4100)
+#endif
+
+
 // Declares the flags.
 
 // This flag temporary enables the disabled tests.
@@ -103,6 +116,10 @@ GTEST_DECLARE_string_(color);
 // the tests to run. If the filter is not given all tests are executed.
 GTEST_DECLARE_string_(filter);
 
+// This flag controls whether Google Test installs a signal handler that dumps
+// debugging information when fatal signals are raised.
+GTEST_DECLARE_bool_(install_failure_signal_handler);
+
 // This flag causes the Google Test to list tests. None of the tests listed
 // are actually run if the flag is provided.
 GTEST_DECLARE_bool_(list_tests);
@@ -115,6 +132,9 @@ GTEST_DECLARE_string_(output);
 // test.
 GTEST_DECLARE_bool_(print_time);
 
+// This flags control whether Google Test prints UTF8 characters as text.
+GTEST_DECLARE_bool_(print_utf8);
+
 // This flag specifies the random number seed.
 GTEST_DECLARE_int32_(random_seed);
 
@@ -135,7 +155,7 @@ GTEST_DECLARE_int32_(stack_trace_depth);
 
 // When this flag is specified, a failed assertion will throw an
 // exception if exceptions are enabled, or exit the program with a
-// non-zero code otherwise.
+// non-zero code otherwise. For use with an external test framework.
 GTEST_DECLARE_bool_(throw_on_failure);
 
 // When this flag is set with a "host:port" string, on supported
@@ -143,6 +163,10 @@ GTEST_DECLARE_bool_(throw_on_failure);
 // the specified host machine.
 GTEST_DECLARE_string_(stream_result_to);
 
+#if GTEST_USE_OWN_FLAGFILE_FLAG_
+GTEST_DECLARE_string_(flagfile);
+#endif  // GTEST_USE_OWN_FLAGFILE_FLAG_
+
 // The upper limit for valid stack trace depths.
 const int kMaxStackTraceDepth = 100;
 
@@ -160,6 +184,7 @@ class TestEventListenersAccessor;
 class TestEventRepeater;
 class UnitTestRecordPropertyTestHelper;
 class WindowsDeathTest;
+class FuchsiaDeathTest;
 class UnitTestImpl* GetUnitTestImpl();
 void ReportFailureInUnknownLocation(TestPartResult::Type result_type,
                                     const std::string& message);
@@ -259,7 +284,9 @@ class GTEST_API_ AssertionResult {
   // Used in EXPECT_TRUE/FALSE(assertion_result).
   AssertionResult(const AssertionResult& other);
 
+#if defined(_MSC_VER) && _MSC_VER < 1910
   GTEST_DISABLE_MSC_WARNINGS_PUSH_(4800 /* forcing value to bool */)
+#endif
 
   // Used in the EXPECT_TRUE/FALSE(bool_expression).
   //
@@ -276,7 +303,9 @@ class GTEST_API_ AssertionResult {
           /*enabler*/ = NULL)
       : success_(success) {}
 
+#if defined(_MSC_VER) && _MSC_VER < 1910
   GTEST_DISABLE_MSC_WARNINGS_POP_()
+#endif
 
   // Assignment operator.
   AssertionResult& operator=(AssertionResult other) {
@@ -297,7 +326,7 @@ class GTEST_API_ AssertionResult {
   const char* message() const {
     return message_.get() != NULL ?  message_->c_str() : "";
   }
-  // TODO(vladl@google.com): Remove this after making sure no clients use it.
+  // FIXME: Remove this after making sure no clients use it.
   // Deprecated; please use message() instead.
   const char* failure_message() const { return message(); }
 
@@ -345,6 +374,15 @@ GTEST_API_ AssertionResult AssertionFailure();
 // Deprecated; use AssertionFailure() << msg.
 GTEST_API_ AssertionResult AssertionFailure(const Message& msg);
 
+}  // namespace testing
+
+// Includes the auto-generated header that implements a family of generic
+// predicate assertion macros. This include comes late because it relies on
+// APIs declared above.
+#include "gtest/gtest_pred_impl.h"
+
+namespace testing {
+
 // The abstract class that all tests inherit from.
 //
 // In Google Test, a unit test program contains one or many TestCases, and
@@ -355,12 +393,12 @@ GTEST_API_ AssertionResult AssertionFailure(const Message& msg);
 // this for you.
 //
 // The only time you derive from Test is when defining a test fixture
-// to be used a TEST_F.  For example:
+// to be used in a TEST_F.  For example:
 //
 //   class FooTest : public testing::Test {
 //    protected:
-//     virtual void SetUp() { ... }
-//     virtual void TearDown() { ... }
+//     void SetUp() override { ... }
+//     void TearDown() override { ... }
 //     ...
 //   };
 //
@@ -452,8 +490,7 @@ class GTEST_API_ Test {
   // internal method to avoid clashing with names used in user TESTs.
   void DeleteSelf_() { delete this; }
 
-  // Uses a GTestFlagSaver to save and restore all Google Test flags.
-  const internal::GTestFlagSaver* const gtest_flag_saver_;
+  const internal::scoped_ptr< GTEST_FLAG_SAVER_ > gtest_flag_saver_;
 
   // Often a user misspells SetUp() as Setup() and spends a long time
   // wondering why it is never called by Google Test.  The declaration of
@@ -551,9 +588,8 @@ class GTEST_API_ TestResult {
   // Returns the elapsed time, in milliseconds.
   TimeInMillis elapsed_time() const { return elapsed_time_; }
 
-  // Returns the i-th test part result among all the results. i can range
-  // from 0 to test_property_count() - 1. If i is not in that range, aborts
-  // the program.
+  // Returns the i-th test part result among all the results. i can range from 0
+  // to total_part_count() - 1. If i is not in that range, aborts the program.
   const TestPartResult& GetTestPartResult(int i) const;
 
   // Returns the i-th test property. i can range from 0 to
@@ -570,6 +606,7 @@ class GTEST_API_ TestResult {
   friend class internal::TestResultAccessor;
   friend class internal::UnitTestImpl;
   friend class internal::WindowsDeathTest;
+  friend class internal::FuchsiaDeathTest;
 
   // Gets the vector of TestPartResults.
   const std::vector<TestPartResult>& test_part_results() const {
@@ -595,7 +632,7 @@ class GTEST_API_ TestResult {
 
   // Adds a failure if the key is a reserved attribute of Google Test
   // testcase tags.  Returns true if the property is valid.
-  // TODO(russr): Validate attribute names are legal and human readable.
+  // FIXME: Validate attribute names are legal and human readable.
   static bool ValidateTestProperty(const std::string& xml_element,
                                    const TestProperty& test_property);
 
@@ -670,6 +707,15 @@ class GTEST_API_ TestInfo {
     return NULL;
   }
 
+  // Returns the file name where this test is defined.
+  const char* file() const { return location_.file.c_str(); }
+
+  // Returns the line where this test is defined.
+  int line() const { return location_.line; }
+
+  // Return true if this test should not be run because it's in another shard.
+  bool is_in_another_shard() const { return is_in_another_shard_; }
+
   // Returns true if this test should run, that is if the test is not
   // disabled (or it is disabled but the also_run_disabled_tests flag has
   // been specified) and its full name matches the user-specified filter.
@@ -690,10 +736,9 @@ class GTEST_API_ TestInfo {
 
   // Returns true iff this test will appear in the XML report.
   bool is_reportable() const {
-    // For now, the XML report includes all tests matching the filter.
-    // In the future, we may trim tests that are excluded because of
-    // sharding.
-    return matches_filter_;
+    // The XML report includes tests matching the filter, excluding those
+    // run in other shards.
+    return matches_filter_ && !is_in_another_shard_;
   }
 
   // Returns the result of the test.
@@ -712,6 +757,7 @@ class GTEST_API_ TestInfo {
       const char* name,
       const char* type_param,
       const char* value_param,
+      internal::CodeLocation code_location,
       internal::TypeId fixture_class_id,
       Test::SetUpTestCaseFunc set_up_tc,
       Test::TearDownTestCaseFunc tear_down_tc,
@@ -723,6 +769,7 @@ class GTEST_API_ TestInfo {
            const std::string& name,
            const char* a_type_param,   // NULL if not a type-parameterized test
            const char* a_value_param,  // NULL if not a value-parameterized test
+           internal::CodeLocation a_code_location,
            internal::TypeId fixture_class_id,
            internal::TestFactoryBase* factory);
 
@@ -749,11 +796,13 @@ class GTEST_API_ TestInfo {
   // Text representation of the value parameter, or NULL if this is not a
   // value-parameterized test.
   const internal::scoped_ptr<const ::std::string> value_param_;
+  internal::CodeLocation location_;
   const internal::TypeId fixture_class_id_;   // ID of the test fixture class
   bool should_run_;                 // True iff this test should run
   bool is_disabled_;                // True iff this test is disabled
   bool matches_filter_;             // True if this test matches the
                                     // user-specified filter.
+  bool is_in_another_shard_;        // Will be run in another shard.
   internal::TestFactoryBase* const factory_;  // The factory that creates
                                               // the test object
 
@@ -978,6 +1027,18 @@ class Environment {
   virtual Setup_should_be_spelled_SetUp* Setup() { return NULL; }
 };
 
+#if GTEST_HAS_EXCEPTIONS
+
+// Exception which can be thrown from TestEventListener::OnTestPartResult.
+class GTEST_API_ AssertionException
+    : public internal::GoogleTestFailureException {
+ public:
+  explicit AssertionException(const TestPartResult& result)
+      : GoogleTestFailureException(result) {}
+};
+
+#endif  // GTEST_HAS_EXCEPTIONS
+
 // The interface for tracing execution of tests. The methods are organized in
 // the order the corresponding events are fired.
 class TestEventListener {
@@ -1006,6 +1067,8 @@ class TestEventListener {
   virtual void OnTestStart(const TestInfo& test_info) = 0;
 
   // Fired after a failed assertion or a SUCCEED() invocation.
+  // If you want to throw an exception from this function to skip to the next
+  // TEST, it must be AssertionException defined above, or inherited from it.
   virtual void OnTestPartResult(const TestPartResult& test_part_result) = 0;
 
   // Fired after the test ends.
@@ -1172,14 +1235,12 @@ class GTEST_API_ UnitTest {
   // Returns the random seed used at the start of the current test run.
   int random_seed() const;
 
-#if GTEST_HAS_PARAM_TEST
   // Returns the ParameterizedTestCaseRegistry object used to keep track of
   // value-parameterized tests and instantiate and register them.
   //
   // INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
   internal::ParameterizedTestCaseRegistry& parameterized_test_registry()
       GTEST_LOCK_EXCLUDED_(mutex_);
-#endif  // GTEST_HAS_PARAM_TEST
 
   // Gets the number of successful test cases.
   int successful_test_case_count() const;
@@ -1279,11 +1340,11 @@ class GTEST_API_ UnitTest {
   internal::UnitTestImpl* impl() { return impl_; }
   const internal::UnitTestImpl* impl() const { return impl_; }
 
-  // These classes and funcions are friends as they need to access private
+  // These classes and functions are friends as they need to access private
   // members of UnitTest.
+  friend class ScopedTrace;
   friend class Test;
   friend class internal::AssertHelper;
-  friend class internal::ScopedTrace;
   friend class internal::StreamingListenerTest;
   friend class internal::UnitTestRecordPropertyTestHelper;
   friend Environment* AddGlobalTestEnvironment(Environment* env);
@@ -1360,129 +1421,40 @@ GTEST_API_ void InitGoogleTest(int* argc, wchar_t** argv);
 
 namespace internal {
 
-// FormatForComparison<ToPrint, OtherOperand>::Format(value) formats a
-// value of type ToPrint that is an operand of a comparison assertion
-// (e.g. ASSERT_EQ).  OtherOperand is the type of the other operand in
-// the comparison, and is used to help determine the best way to
-// format the value.  In particular, when the value is a C string
-// (char pointer) and the other operand is an STL string object, we
-// want to format the C string as a string, since we know it is
-// compared by value with the string object.  If the value is a char
-// pointer but the other operand is not an STL string object, we don't
-// know whether the pointer is supposed to point to a NUL-terminated
-// string, and thus want to print it as a pointer to be safe.
-//
-// INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
-
-// The default case.
-template <typename ToPrint, typename OtherOperand>
-class FormatForComparison {
- public:
-  static ::std::string Format(const ToPrint& value) {
-    return ::testing::PrintToString(value);
-  }
-};
-
-// Array.
-template <typename ToPrint, size_t N, typename OtherOperand>
-class FormatForComparison<ToPrint[N], OtherOperand> {
- public:
-  static ::std::string Format(const ToPrint* value) {
-    return FormatForComparison<const ToPrint*, OtherOperand>::Format(value);
-  }
-};
-
-// By default, print C string as pointers to be safe, as we don't know
-// whether they actually point to a NUL-terminated string.
-
-#define GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(CharType)                \
-  template <typename OtherOperand>                                      \
-  class FormatForComparison<CharType*, OtherOperand> {                  \
-   public:                                                              \
-    static ::std::string Format(CharType* value) {                      \
-      return ::testing::PrintToString(static_cast<const void*>(value)); \
-    }                                                                   \
-  }
-
-GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(char);
-GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(const char);
-GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(wchar_t);
-GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(const wchar_t);
-
-#undef GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_
-
-// If a C string is compared with an STL string object, we know it's meant
-// to point to a NUL-terminated string, and thus can print it as a string.
-
-#define GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(CharType, OtherStringType) \
-  template <>                                                           \
-  class FormatForComparison<CharType*, OtherStringType> {               \
-   public:                                                              \
-    static ::std::string Format(CharType* value) {                      \
-      return ::testing::PrintToString(value);                           \
-    }                                                                   \
-  }
-
-GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(char, ::std::string);
-GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(const char, ::std::string);
-
-#if GTEST_HAS_GLOBAL_STRING
-GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(char, ::string);
-GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(const char, ::string);
-#endif
-
-#if GTEST_HAS_GLOBAL_WSTRING
-GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(wchar_t, ::wstring);
-GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(const wchar_t, ::wstring);
-#endif
-
-#if GTEST_HAS_STD_WSTRING
-GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(wchar_t, ::std::wstring);
-GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(const wchar_t, ::std::wstring);
-#endif
-
-#undef GTEST_IMPL_FORMAT_C_STRING_AS_STRING_
-
-// Formats a comparison assertion (e.g. ASSERT_EQ, EXPECT_LT, and etc)
-// operand to be used in a failure message.  The type (but not value)
-// of the other operand may affect the format.  This allows us to
-// print a char* as a raw pointer when it is compared against another
-// char* or void*, and print it as a C string when it is compared
-// against an std::string object, for example.
-//
-// INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
+// Separate the error generating code from the code path to reduce the stack
+// frame size of CmpHelperEQ. This helps reduce the overhead of some sanitizers
+// when calling EXPECT_* in a tight loop.
 template <typename T1, typename T2>
-std::string FormatForComparisonFailureMessage(
-    const T1& value, const T2& /* other_operand */) {
-  return FormatForComparison<T1, T2>::Format(value);
+AssertionResult CmpHelperEQFailure(const char* lhs_expression,
+                                   const char* rhs_expression,
+                                   const T1& lhs, const T2& rhs) {
+  return EqFailure(lhs_expression,
+                   rhs_expression,
+                   FormatForComparisonFailureMessage(lhs, rhs),
+                   FormatForComparisonFailureMessage(rhs, lhs),
+                   false);
 }
 
 // The helper function for {ASSERT|EXPECT}_EQ.
 template <typename T1, typename T2>
-AssertionResult CmpHelperEQ(const char* expected_expression,
-                            const char* actual_expression,
-                            const T1& expected,
-                            const T2& actual) {
-GTEST_DISABLE_MSC_WARNINGS_PUSH_(4389 /* signed/unsigned mismatch */)
-  if (expected == actual) {
+AssertionResult CmpHelperEQ(const char* lhs_expression,
+                            const char* rhs_expression,
+                            const T1& lhs,
+                            const T2& rhs) {
+  if (lhs == rhs) {
     return AssertionSuccess();
   }
-GTEST_DISABLE_MSC_WARNINGS_POP_()
 
-  return EqFailure(expected_expression,
-                   actual_expression,
-                   FormatForComparisonFailureMessage(expected, actual),
-                   FormatForComparisonFailureMessage(actual, expected),
-                   false);
+  return CmpHelperEQFailure(lhs_expression, rhs_expression, lhs, rhs);
 }
 
 // With this overloaded version, we allow anonymous enums to be used
 // in {ASSERT|EXPECT}_EQ when compiled with gcc 4, as anonymous enums
 // can be implicitly cast to BiggestInt.
-GTEST_API_ AssertionResult CmpHelperEQ(const char* expected_expression,
-                                       const char* actual_expression,
-                                       BiggestInt expected,
-                                       BiggestInt actual);
+GTEST_API_ AssertionResult CmpHelperEQ(const char* lhs_expression,
+                                       const char* rhs_expression,
+                                       BiggestInt lhs,
+                                       BiggestInt rhs);
 
 // The helper class for {ASSERT|EXPECT}_EQ.  The template argument
 // lhs_is_null_literal is true iff the first argument to ASSERT_EQ()
@@ -1493,12 +1465,11 @@ class EqHelper {
  public:
   // This templatized version is for the general case.
   template <typename T1, typename T2>
-  static AssertionResult Compare(const char* expected_expression,
-                                 const char* actual_expression,
-                                 const T1& expected,
-                                 const T2& actual) {
-    return CmpHelperEQ(expected_expression, actual_expression, expected,
-                       actual);
+  static AssertionResult Compare(const char* lhs_expression,
+                                 const char* rhs_expression,
+                                 const T1& lhs,
+                                 const T2& rhs) {
+    return CmpHelperEQ(lhs_expression, rhs_expression, lhs, rhs);
   }
 
   // With this overloaded version, we allow anonymous enums to be used
@@ -1507,12 +1478,11 @@ class EqHelper {
   //
   // Even though its body looks the same as the above version, we
   // cannot merge the two, as it will make anonymous enums unhappy.
-  static AssertionResult Compare(const char* expected_expression,
-                                 const char* actual_expression,
-                                 BiggestInt expected,
-                                 BiggestInt actual) {
-    return CmpHelperEQ(expected_expression, actual_expression, expected,
-                       actual);
+  static AssertionResult Compare(const char* lhs_expression,
+                                 const char* rhs_expression,
+                                 BiggestInt lhs,
+                                 BiggestInt rhs) {
+    return CmpHelperEQ(lhs_expression, rhs_expression, lhs, rhs);
   }
 };
 
@@ -1527,40 +1497,52 @@ class EqHelper<true> {
   // EXPECT_EQ(false, a_bool).
   template <typename T1, typename T2>
   static AssertionResult Compare(
-      const char* expected_expression,
-      const char* actual_expression,
-      const T1& expected,
-      const T2& actual,
+      const char* lhs_expression,
+      const char* rhs_expression,
+      const T1& lhs,
+      const T2& rhs,
       // The following line prevents this overload from being considered if T2
       // is not a pointer type.  We need this because ASSERT_EQ(NULL, my_ptr)
       // expands to Compare("", "", NULL, my_ptr), which requires a conversion
       // to match the Secret* in the other overload, which would otherwise make
       // this template match better.
       typename EnableIf<!is_pointer<T2>::value>::type* = 0) {
-    return CmpHelperEQ(expected_expression, actual_expression, expected,
-                       actual);
+    return CmpHelperEQ(lhs_expression, rhs_expression, lhs, rhs);
   }
 
   // This version will be picked when the second argument to ASSERT_EQ() is a
   // pointer, e.g. ASSERT_EQ(NULL, a_pointer).
   template <typename T>
   static AssertionResult Compare(
-      const char* expected_expression,
-      const char* actual_expression,
+      const char* lhs_expression,
+      const char* rhs_expression,
       // We used to have a second template parameter instead of Secret*.  That
       // template parameter would deduce to 'long', making this a better match
       // than the first overload even without the first overload's EnableIf.
       // Unfortunately, gcc with -Wconversion-null warns when "passing NULL to
       // non-pointer argument" (even a deduced integral argument), so the old
       // implementation caused warnings in user code.
-      Secret* /* expected (NULL) */,
-      T* actual) {
-    // We already know that 'expected' is a null pointer.
-    return CmpHelperEQ(expected_expression, actual_expression,
-                       static_cast<T*>(NULL), actual);
+      Secret* /* lhs (NULL) */,
+      T* rhs) {
+    // We already know that 'lhs' is a null pointer.
+    return CmpHelperEQ(lhs_expression, rhs_expression,
+                       static_cast<T*>(NULL), rhs);
   }
 };
 
+// Separate the error generating code from the code path to reduce the stack
+// frame size of CmpHelperOP. This helps reduce the overhead of some sanitizers
+// when calling EXPECT_OP in a tight loop.
+template <typename T1, typename T2>
+AssertionResult CmpHelperOpFailure(const char* expr1, const char* expr2,
+                                   const T1& val1, const T2& val2,
+                                   const char* op) {
+  return AssertionFailure()
+         << "Expected: (" << expr1 << ") " << op << " (" << expr2
+         << "), actual: " << FormatForComparisonFailureMessage(val1, val2)
+         << " vs " << FormatForComparisonFailureMessage(val2, val1);
+}
+
 // A macro for implementing the helper functions needed to implement
 // ASSERT_?? and EXPECT_??.  It is here just to avoid copy-and-paste
 // of similar code.
@@ -1571,6 +1553,7 @@ class EqHelper<true> {
 // with gcc 4.
 //
 // INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
+
 #define GTEST_IMPL_CMP_HELPER_(op_name, op)\
 template <typename T1, typename T2>\
 AssertionResult CmpHelper##op_name(const char* expr1, const char* expr2, \
@@ -1578,10 +1561,7 @@ AssertionResult CmpHelper##op_name(const char* expr1, const char* expr2, \
   if (val1 op val2) {\
     return AssertionSuccess();\
   } else {\
-    return AssertionFailure() \
-        << "Expected: (" << expr1 << ") " #op " (" << expr2\
-        << "), actual: " << FormatForComparisonFailureMessage(val1, val2)\
-        << " vs " << FormatForComparisonFailureMessage(val2, val1);\
+    return CmpHelperOpFailure(expr1, expr2, val1, val2, #op);\
   }\
 }\
 GTEST_API_ AssertionResult CmpHelper##op_name(\
@@ -1605,18 +1585,18 @@ GTEST_IMPL_CMP_HELPER_(GT, >);
 // The helper function for {ASSERT|EXPECT}_STREQ.
 //
 // INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
-GTEST_API_ AssertionResult CmpHelperSTREQ(const char* expected_expression,
-                                          const char* actual_expression,
-                                          const char* expected,
-                                          const char* actual);
+GTEST_API_ AssertionResult CmpHelperSTREQ(const char* s1_expression,
+                                          const char* s2_expression,
+                                          const char* s1,
+                                          const char* s2);
 
 // The helper function for {ASSERT|EXPECT}_STRCASEEQ.
 //
 // INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
-GTEST_API_ AssertionResult CmpHelperSTRCASEEQ(const char* expected_expression,
-                                              const char* actual_expression,
-                                              const char* expected,
-                                              const char* actual);
+GTEST_API_ AssertionResult CmpHelperSTRCASEEQ(const char* s1_expression,
+                                              const char* s2_expression,
+                                              const char* s1,
+                                              const char* s2);
 
 // The helper function for {ASSERT|EXPECT}_STRNE.
 //
@@ -1638,10 +1618,10 @@ GTEST_API_ AssertionResult CmpHelperSTRCASENE(const char* s1_expression,
 // Helper function for *_STREQ on wide strings.
 //
 // INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
-GTEST_API_ AssertionResult CmpHelperSTREQ(const char* expected_expression,
-                                          const char* actual_expression,
-                                          const wchar_t* expected,
-                                          const wchar_t* actual);
+GTEST_API_ AssertionResult CmpHelperSTREQ(const char* s1_expression,
+                                          const char* s2_expression,
+                                          const wchar_t* s1,
+                                          const wchar_t* s2);
 
 // Helper function for *_STRNE on wide strings.
 //
@@ -1699,28 +1679,28 @@ namespace internal {
 //
 // INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
 template <typename RawType>
-AssertionResult CmpHelperFloatingPointEQ(const char* expected_expression,
-                                         const char* actual_expression,
-                                         RawType expected,
-                                         RawType actual) {
-  const FloatingPoint<RawType> lhs(expected), rhs(actual);
+AssertionResult CmpHelperFloatingPointEQ(const char* lhs_expression,
+                                         const char* rhs_expression,
+                                         RawType lhs_value,
+                                         RawType rhs_value) {
+  const FloatingPoint<RawType> lhs(lhs_value), rhs(rhs_value);
 
   if (lhs.AlmostEquals(rhs)) {
     return AssertionSuccess();
   }
 
-  ::std::stringstream expected_ss;
-  expected_ss << std::setprecision(std::numeric_limits<RawType>::digits10 + 2)
-              << expected;
+  ::std::stringstream lhs_ss;
+  lhs_ss << std::setprecision(std::numeric_limits<RawType>::digits10 + 2)
+         << lhs_value;
 
-  ::std::stringstream actual_ss;
-  actual_ss << std::setprecision(std::numeric_limits<RawType>::digits10 + 2)
-            << actual;
+  ::std::stringstream rhs_ss;
+  rhs_ss << std::setprecision(std::numeric_limits<RawType>::digits10 + 2)
+         << rhs_value;
 
-  return EqFailure(expected_expression,
-                   actual_expression,
-                   StringStreamToString(&expected_ss),
-                   StringStreamToString(&actual_ss),
+  return EqFailure(lhs_expression,
+                   rhs_expression,
+                   StringStreamToString(&lhs_ss),
+                   StringStreamToString(&rhs_ss),
                    false);
 }
 
@@ -1777,7 +1757,6 @@ class GTEST_API_ AssertHelper {
 
 }  // namespace internal
 
-#if GTEST_HAS_PARAM_TEST
 // The pure interface class that all value-parameterized tests inherit from.
 // A value-parameterized class must inherit from both ::testing::Test and
 // ::testing::WithParamInterface. In most cases that just means inheriting
@@ -1854,8 +1833,6 @@ template <typename T>
 class TestWithParam : public Test, public WithParamInterface<T> {
 };
 
-#endif  // GTEST_HAS_PARAM_TEST
-
 // Macros for indicating success/failure in test code.
 
 // ADD_FAILURE unconditionally adds a failure to the current test.
@@ -1940,18 +1917,14 @@ class TestWithParam : public Test, public WithParamInterface<T> {
   GTEST_TEST_BOOLEAN_(!(condition), #condition, true, false, \
                       GTEST_FATAL_FAILURE_)
 
-// Includes the auto-generated header that implements a family of
-// generic predicate assertion macros.
-#include "gtest/gtest_pred_impl.h"
-
 // Macros for testing equalities and inequalities.
 //
-//    * {ASSERT|EXPECT}_EQ(expected, actual): Tests that expected == actual
-//    * {ASSERT|EXPECT}_NE(v1, v2):           Tests that v1 != v2
-//    * {ASSERT|EXPECT}_LT(v1, v2):           Tests that v1 < v2
-//    * {ASSERT|EXPECT}_LE(v1, v2):           Tests that v1 <= v2
-//    * {ASSERT|EXPECT}_GT(v1, v2):           Tests that v1 > v2
-//    * {ASSERT|EXPECT}_GE(v1, v2):           Tests that v1 >= v2
+//    * {ASSERT|EXPECT}_EQ(v1, v2): Tests that v1 == v2
+//    * {ASSERT|EXPECT}_NE(v1, v2): Tests that v1 != v2
+//    * {ASSERT|EXPECT}_LT(v1, v2): Tests that v1 < v2
+//    * {ASSERT|EXPECT}_LE(v1, v2): Tests that v1 <= v2
+//    * {ASSERT|EXPECT}_GT(v1, v2): Tests that v1 > v2
+//    * {ASSERT|EXPECT}_GE(v1, v2): Tests that v1 >= v2
 //
 // When they are not, Google Test prints both the tested expressions and
 // their actual values.  The values must be compatible built-in types,
@@ -1973,8 +1946,8 @@ class TestWithParam : public Test, public WithParamInterface<T> {
 //   are related, not how their content is related.  To compare two C
 //   strings by content, use {ASSERT|EXPECT}_STR*().
 //
-//   3. {ASSERT|EXPECT}_EQ(expected, actual) is preferred to
-//   {ASSERT|EXPECT}_TRUE(expected == actual), as the former tells you
+//   3. {ASSERT|EXPECT}_EQ(v1, v2) is preferred to
+//   {ASSERT|EXPECT}_TRUE(v1 == v2), as the former tells you
 //   what the actual value is when it fails, and similarly for the
 //   other comparisons.
 //
@@ -1985,17 +1958,17 @@ class TestWithParam : public Test, public WithParamInterface<T> {
 //
 // Examples:
 //
-//   EXPECT_NE(5, Foo());
-//   EXPECT_EQ(NULL, a_pointer);
+//   EXPECT_NE(Foo(), 5);
+//   EXPECT_EQ(a_pointer, NULL);
 //   ASSERT_LT(i, array_size);
 //   ASSERT_GT(records.size(), 0) << "There is no record left.";
 
-#define EXPECT_EQ(expected, actual) \
+#define EXPECT_EQ(val1, val2) \
   EXPECT_PRED_FORMAT2(::testing::internal:: \
-                      EqHelper<GTEST_IS_NULL_LITERAL_(expected)>::Compare, \
-                      expected, actual)
-#define EXPECT_NE(expected, actual) \
-  EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperNE, expected, actual)
+                      EqHelper<GTEST_IS_NULL_LITERAL_(val1)>::Compare, \
+                      val1, val2)
+#define EXPECT_NE(val1, val2) \
+  EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperNE, val1, val2)
 #define EXPECT_LE(val1, val2) \
   EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperLE, val1, val2)
 #define EXPECT_LT(val1, val2) \
@@ -2005,10 +1978,10 @@ class TestWithParam : public Test, public WithParamInterface<T> {
 #define EXPECT_GT(val1, val2) \
   EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperGT, val1, val2)
 
-#define GTEST_ASSERT_EQ(expected, actual) \
+#define GTEST_ASSERT_EQ(val1, val2) \
   ASSERT_PRED_FORMAT2(::testing::internal:: \
-                      EqHelper<GTEST_IS_NULL_LITERAL_(expected)>::Compare, \
-                      expected, actual)
+                      EqHelper<GTEST_IS_NULL_LITERAL_(val1)>::Compare, \
+                      val1, val2)
 #define GTEST_ASSERT_NE(val1, val2) \
   ASSERT_PRED_FORMAT2(::testing::internal::CmpHelperNE, val1, val2)
 #define GTEST_ASSERT_LE(val1, val2) \
@@ -2063,29 +2036,29 @@ class TestWithParam : public Test, public WithParamInterface<T> {
 //
 // These macros evaluate their arguments exactly once.
 
-#define EXPECT_STREQ(expected, actual) \
-  EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperSTREQ, expected, actual)
+#define EXPECT_STREQ(s1, s2) \
+  EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperSTREQ, s1, s2)
 #define EXPECT_STRNE(s1, s2) \
   EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperSTRNE, s1, s2)
-#define EXPECT_STRCASEEQ(expected, actual) \
-  EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperSTRCASEEQ, expected, actual)
+#define EXPECT_STRCASEEQ(s1, s2) \
+  EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperSTRCASEEQ, s1, s2)
 #define EXPECT_STRCASENE(s1, s2)\
   EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperSTRCASENE, s1, s2)
 
-#define ASSERT_STREQ(expected, actual) \
-  ASSERT_PRED_FORMAT2(::testing::internal::CmpHelperSTREQ, expected, actual)
+#define ASSERT_STREQ(s1, s2) \
+  ASSERT_PRED_FORMAT2(::testing::internal::CmpHelperSTREQ, s1, s2)
 #define ASSERT_STRNE(s1, s2) \
   ASSERT_PRED_FORMAT2(::testing::internal::CmpHelperSTRNE, s1, s2)
-#define ASSERT_STRCASEEQ(expected, actual) \
-  ASSERT_PRED_FORMAT2(::testing::internal::CmpHelperSTRCASEEQ, expected, actual)
+#define ASSERT_STRCASEEQ(s1, s2) \
+  ASSERT_PRED_FORMAT2(::testing::internal::CmpHelperSTRCASEEQ, s1, s2)
 #define ASSERT_STRCASENE(s1, s2)\
   ASSERT_PRED_FORMAT2(::testing::internal::CmpHelperSTRCASENE, s1, s2)
 
 // Macros for comparing floating-point numbers.
 //
-//    * {ASSERT|EXPECT}_FLOAT_EQ(expected, actual):
+//    * {ASSERT|EXPECT}_FLOAT_EQ(val1, val2):
 //         Tests that two float values are almost equal.
-//    * {ASSERT|EXPECT}_DOUBLE_EQ(expected, actual):
+//    * {ASSERT|EXPECT}_DOUBLE_EQ(val1, val2):
 //         Tests that two double values are almost equal.
 //    * {ASSERT|EXPECT}_NEAR(v1, v2, abs_error):
 //         Tests that v1 and v2 are within the given distance to each other.
@@ -2095,21 +2068,21 @@ class TestWithParam : public Test, public WithParamInterface<T> {
 // FloatingPoint template class in gtest-internal.h if you are
 // interested in the implementation details.
 
-#define EXPECT_FLOAT_EQ(expected, actual)\
+#define EXPECT_FLOAT_EQ(val1, val2)\
   EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperFloatingPointEQ<float>, \
-                      expected, actual)
+                      val1, val2)
 
-#define EXPECT_DOUBLE_EQ(expected, actual)\
+#define EXPECT_DOUBLE_EQ(val1, val2)\
   EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperFloatingPointEQ<double>, \
-                      expected, actual)
+                      val1, val2)
 
-#define ASSERT_FLOAT_EQ(expected, actual)\
+#define ASSERT_FLOAT_EQ(val1, val2)\
   ASSERT_PRED_FORMAT2(::testing::internal::CmpHelperFloatingPointEQ<float>, \
-                      expected, actual)
+                      val1, val2)
 
-#define ASSERT_DOUBLE_EQ(expected, actual)\
+#define ASSERT_DOUBLE_EQ(val1, val2)\
   ASSERT_PRED_FORMAT2(::testing::internal::CmpHelperFloatingPointEQ<double>, \
-                      expected, actual)
+                      val1, val2)
 
 #define EXPECT_NEAR(val1, val2, abs_error)\
   EXPECT_PRED_FORMAT3(::testing::internal::DoubleNearPredFormat, \
@@ -2172,6 +2145,57 @@ GTEST_API_ AssertionResult DoubleLE(const char* expr1, const char* expr2,
 #define EXPECT_NO_FATAL_FAILURE(statement) \
     GTEST_TEST_NO_FATAL_FAILURE_(statement, GTEST_NONFATAL_FAILURE_)
 
+// Causes a trace (including the given source file path and line number,
+// and the given message) to be included in every test failure message generated
+// by code in the scope of the lifetime of an instance of this class. The effect
+// is undone with the destruction of the instance.
+//
+// The message argument can be anything streamable to std::ostream.
+//
+// Example:
+//   testing::ScopedTrace trace("file.cc", 123, "message");
+//
+class GTEST_API_ ScopedTrace {
+ public:
+  // The c'tor pushes the given source file location and message onto
+  // a trace stack maintained by Google Test.
+
+  // Template version. Uses Message() to convert the values into strings.
+  // Slow, but flexible.
+  template <typename T>
+  ScopedTrace(const char* file, int line, const T& message) {
+    PushTrace(file, line, (Message() << message).GetString());
+  }
+
+  // Optimize for some known types.
+  ScopedTrace(const char* file, int line, const char* message) {
+    PushTrace(file, line, message ? message : "(null)");
+  }
+
+#if GTEST_HAS_GLOBAL_STRING
+  ScopedTrace(const char* file, int line, const ::string& message) {
+    PushTrace(file, line, message);
+  }
+#endif
+
+  ScopedTrace(const char* file, int line, const std::string& message) {
+    PushTrace(file, line, message);
+  }
+
+  // The d'tor pops the info pushed by the c'tor.
+  //
+  // Note that the d'tor is not virtual in order to be efficient.
+  // Don't inherit from ScopedTrace!
+  ~ScopedTrace();
+
+ private:
+  void PushTrace(const char* file, int line, std::string message);
+
+  GTEST_DISALLOW_COPY_AND_ASSIGN_(ScopedTrace);
+} GTEST_ATTRIBUTE_UNUSED_;  // A ScopedTrace object does its job in its
+                            // c'tor and d'tor.  Therefore it doesn't
+                            // need to be used otherwise.
+
 // Causes a trace (including the source file path, the current line
 // number, and the given message) to be included in every test failure
 // message generated by code in the current scope.  The effect is
@@ -2183,9 +2207,14 @@ GTEST_API_ AssertionResult DoubleLE(const char* expr1, const char* expr2,
 // of the dummy variable name, thus allowing multiple SCOPED_TRACE()s
 // to appear in the same block - as long as they are on different
 // lines.
+//
+// Assuming that each thread maintains its own stack of traces.
+// Therefore, a SCOPED_TRACE() would (correctly) only affect the
+// assertions in its own thread.
 #define SCOPED_TRACE(message) \
-  ::testing::internal::ScopedTrace GTEST_CONCAT_TOKEN_(gtest_trace_, __LINE__)(\
-    __FILE__, __LINE__, ::testing::Message() << (message))
+  ::testing::ScopedTrace GTEST_CONCAT_TOKEN_(gtest_trace_, __LINE__)(\
+    __FILE__, __LINE__, (message))
+
 
 // Compile-time assertion for type equality.
 // StaticAssertTypeEq<type1, type2>() compiles iff type1 and type2 are
@@ -2265,7 +2294,7 @@ bool StaticAssertTypeEq() {
 // name of the test within the test case.
 //
 // A test fixture class must be declared earlier.  The user should put
-// his test code between braces after using this macro.  Example:
+// the test code between braces after using this macro.  Example:
 //
 //   class FooTest : public testing::Test {
 //    protected:
@@ -2280,14 +2309,22 @@ bool StaticAssertTypeEq() {
 //   }
 //
 //   TEST_F(FooTest, ReturnsElementCountCorrectly) {
-//     EXPECT_EQ(0, a_.size());
-//     EXPECT_EQ(1, b_.size());
+//     EXPECT_EQ(a_.size(), 0);
+//     EXPECT_EQ(b_.size(), 1);
 //   }
 
 #define TEST_F(test_fixture, test_name)\
   GTEST_TEST_(test_fixture, test_name, test_fixture, \
               ::testing::internal::GetTypeId<test_fixture>())
 
+// Returns a path to temporary directory.
+// Tries to determine an appropriate directory for the platform.
+GTEST_API_ std::string TempDir();
+
+#ifdef _MSC_VER
+#  pragma warning(pop)
+#endif
+
 }  // namespace testing
 
 // Use this function in main() to run all tests.  It returns 0 if all
@@ -2304,4 +2341,6 @@ inline int RUN_ALL_TESTS() {
   return ::testing::UnitTest::GetInstance()->Run();
 }
 
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4251
+
 #endif  // GTEST_INCLUDE_GTEST_GTEST_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest_pred_impl.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest_pred_impl.h
index 30ae712f5..0c1105cb8 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest_pred_impl.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest_pred_impl.h
@@ -27,18 +27,19 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-// This file is AUTOMATICALLY GENERATED on 10/31/2011 by command
+// This file is AUTOMATICALLY GENERATED on 01/02/2018 by command
 // 'gen_gtest_pred_impl.py 5'.  DO NOT EDIT BY HAND!
 //
 // Implements a family of generic predicate assertion macros.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_GTEST_PRED_IMPL_H_
 #define GTEST_INCLUDE_GTEST_GTEST_PRED_IMPL_H_
 
-// Makes sure this header is not included before gtest.h.
-#ifndef GTEST_INCLUDE_GTEST_GTEST_H_
-# error Do not include gtest_pred_impl.h directly.  Include gtest.h instead.
-#endif  // GTEST_INCLUDE_GTEST_GTEST_H_
+#include "gtest/gtest.h"
+
+namespace testing {
 
 // This header implements a family of generic predicate assertion
 // macros:
@@ -66,8 +67,6 @@
 // We also define the EXPECT_* variations.
 //
 // For now we only support predicates whose arity is at most 5.
-// Please email googletestframework@googlegroups.com if you need
-// support for higher arities.
 
 // GTEST_ASSERT_ is the basic statement to which all of the assertions
 // in this file reduce.  Don't use this in your code.
@@ -355,4 +354,6 @@ AssertionResult AssertPred5Helper(const char* pred_text,
 
 
 
+}  // namespace testing
+
 #endif  // GTEST_INCLUDE_GTEST_GTEST_PRED_IMPL_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest_prod.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest_prod.h
index da80ddc6c..e651671eb 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest_prod.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest_prod.h
@@ -26,10 +26,10 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: wan@google.com (Zhanyong Wan)
-//
-// Google C++ Testing Framework definitions useful in production code.
+// Google C++ Testing and Mocking Framework definitions useful in production code.
+// GOOGLETEST_CM0003 DO NOT DELETE
 
 #ifndef GTEST_INCLUDE_GTEST_GTEST_PROD_H_
 #define GTEST_INCLUDE_GTEST_GTEST_PROD_H_
@@ -40,17 +40,20 @@
 //
 // class MyClass {
 //  private:
-//   void MyMethod();
-//   FRIEND_TEST(MyClassTest, MyMethod);
+//   void PrivateMethod();
+//   FRIEND_TEST(MyClassTest, PrivateMethodWorks);
 // };
 //
 // class MyClassTest : public testing::Test {
 //   // ...
 // };
 //
-// TEST_F(MyClassTest, MyMethod) {
-//   // Can call MyClass::MyMethod() here.
+// TEST_F(MyClassTest, PrivateMethodWorks) {
+//   // Can call MyClass::PrivateMethod() here.
 // }
+//
+// Note: The test class must be in the same namespace as the class being tested.
+// For example, putting MyClassTest in an anonymous namespace will not work.
 
 #define FRIEND_TEST(test_case_name, test_name)\
 friend class test_case_name##_##test_name##_Test
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/README.md b/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/README.md
new file mode 100644
index 000000000..ff391fb4e
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/README.md
@@ -0,0 +1,56 @@
+# Customization Points
+
+The custom directory is an injection point for custom user configurations.
+
+## Header `gtest.h`
+
+### The following macros can be defined:
+
+*   `GTEST_OS_STACK_TRACE_GETTER_` - The name of an implementation of
+    `OsStackTraceGetterInterface`.
+*   `GTEST_CUSTOM_TEMPDIR_FUNCTION_` - An override for `testing::TempDir()`. See
+    `testing::TempDir` for semantics and signature.
+
+## Header `gtest-port.h`
+
+The following macros can be defined:
+
+### Flag related macros:
+
+*   `GTEST_FLAG(flag_name)`
+*   `GTEST_USE_OWN_FLAGFILE_FLAG_` - Define to 0 when the system provides its
+    own flagfile flag parsing.
+*   `GTEST_DECLARE_bool_(name)`
+*   `GTEST_DECLARE_int32_(name)`
+*   `GTEST_DECLARE_string_(name)`
+*   `GTEST_DEFINE_bool_(name, default_val, doc)`
+*   `GTEST_DEFINE_int32_(name, default_val, doc)`
+*   `GTEST_DEFINE_string_(name, default_val, doc)`
+
+### Logging:
+
+*   `GTEST_LOG_(severity)`
+*   `GTEST_CHECK_(condition)`
+*   Functions `LogToStderr()` and `FlushInfoLog()` have to be provided too.
+
+### Threading:
+
+*   `GTEST_HAS_NOTIFICATION_` - Enabled if Notification is already provided.
+*   `GTEST_HAS_MUTEX_AND_THREAD_LOCAL_` - Enabled if `Mutex` and `ThreadLocal`
+    are already provided. Must also provide `GTEST_DECLARE_STATIC_MUTEX_(mutex)`
+    and `GTEST_DEFINE_STATIC_MUTEX_(mutex)`
+*   `GTEST_EXCLUSIVE_LOCK_REQUIRED_(locks)`
+*   `GTEST_LOCK_EXCLUDED_(locks)`
+
+### Underlying library support features
+
+*   `GTEST_HAS_CXXABI_H_`
+
+### Exporting API symbols:
+
+*   `GTEST_API_` - Specifier for exported symbols.
+
+## Header `gtest-printers.h`
+
+*   See documentation at `gtest/gtest-printers.h` for details on how to define a
+    custom printer.
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/gtest-port.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/gtest-port.h
new file mode 100644
index 000000000..cd85d956d
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/gtest-port.h
@@ -0,0 +1,37 @@
+// Copyright 2015, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+// Injection point for custom user configurations. See README for details
+//
+// ** Custom implementation starts here **
+
+#ifndef GTEST_INCLUDE_GTEST_INTERNAL_CUSTOM_GTEST_PORT_H_
+#define GTEST_INCLUDE_GTEST_INTERNAL_CUSTOM_GTEST_PORT_H_
+
+#endif  // GTEST_INCLUDE_GTEST_INTERNAL_CUSTOM_GTEST_PORT_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/gtest-printers.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/gtest-printers.h
new file mode 100644
index 000000000..eb4467abc
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/gtest-printers.h
@@ -0,0 +1,42 @@
+// Copyright 2015, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+// This file provides an injection point for custom printers in a local
+// installation of gTest.
+// It will be included from gtest-printers.h and the overrides in this file
+// will be visible to everyone.
+//
+// Injection point for custom user configurations. See README for details
+//
+// ** Custom implementation starts here **
+
+#ifndef GTEST_INCLUDE_GTEST_INTERNAL_CUSTOM_GTEST_PRINTERS_H_
+#define GTEST_INCLUDE_GTEST_INTERNAL_CUSTOM_GTEST_PRINTERS_H_
+
+#endif  // GTEST_INCLUDE_GTEST_INTERNAL_CUSTOM_GTEST_PRINTERS_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/gtest.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/gtest.h
new file mode 100644
index 000000000..4c8e07be2
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/gtest.h
@@ -0,0 +1,37 @@
+// Copyright 2015, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+// Injection point for custom user configurations. See README for details
+//
+// ** Custom implementation starts here **
+
+#ifndef GTEST_INCLUDE_GTEST_INTERNAL_CUSTOM_GTEST_H_
+#define GTEST_INCLUDE_GTEST_INTERNAL_CUSTOM_GTEST_H_
+
+#endif  // GTEST_INCLUDE_GTEST_INTERNAL_CUSTOM_GTEST_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-death-test-internal.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-death-test-internal.h
index 2b3a78f5b..0a9b42c8a 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-death-test-internal.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-death-test-internal.h
@@ -27,12 +27,11 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: wan@google.com (Zhanyong Wan), eefacm@gmail.com (Sean Mcafee)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 //
 // This header file defines internal utilities needed for implementing
 // death tests.  They are subject to change without notice.
+// GOOGLETEST_CM0001 DO NOT DELETE
 
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_DEATH_TEST_INTERNAL_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_DEATH_TEST_INTERNAL_H_
@@ -53,6 +52,9 @@ const char kInternalRunDeathTestFlag[] = "internal_run_death_test";
 
 #if GTEST_HAS_DEATH_TEST
 
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4251 \
+/* class A needs to have dll-interface to be used by clients of class B */)
+
 // DeathTest is a class that hides much of the complexity of the
 // GTEST_DEATH_TEST_ macro.  It is abstract; its static Create method
 // returns a concrete class that depends on the prevailing death test
@@ -136,6 +138,8 @@ class GTEST_API_ DeathTest {
   GTEST_DISALLOW_COPY_AND_ASSIGN_(DeathTest);
 };
 
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4251
+
 // Factory interface for death tests.  May be mocked out for testing.
 class DeathTestFactory {
  public:
@@ -218,14 +222,18 @@ GTEST_API_ bool ExitedUnsuccessfully(int exit_status);
 // can be streamed.
 
 // This macro is for implementing ASSERT/EXPECT_DEBUG_DEATH when compiled in
-// NDEBUG mode. In this case we need the statements to be executed, the regex is
-// ignored, and the macro must accept a streamed message even though the message
-// is never printed.
-# define GTEST_EXECUTE_STATEMENT_(statement, regex) \
-  GTEST_AMBIGUOUS_ELSE_BLOCKER_ \
-  if (::testing::internal::AlwaysTrue()) { \
-     GTEST_SUPPRESS_UNREACHABLE_CODE_WARNING_BELOW_(statement); \
-  } else \
+// NDEBUG mode. In this case we need the statements to be executed and the macro
+// must accept a streamed message even though the message is never printed.
+// The regex object is not evaluated, but it is used to prevent "unused"
+// warnings and to avoid an expression that doesn't compile in debug mode.
+#define GTEST_EXECUTE_STATEMENT_(statement, regex)             \
+  GTEST_AMBIGUOUS_ELSE_BLOCKER_                                \
+  if (::testing::internal::AlwaysTrue()) {                     \
+    GTEST_SUPPRESS_UNREACHABLE_CODE_WARNING_BELOW_(statement); \
+  } else if (!::testing::internal::AlwaysTrue()) {             \
+    const ::testing::internal::RE& gtest_regex = (regex);      \
+    static_cast<void>(gtest_regex);                            \
+  } else                                                       \
     ::testing::Message()
 
 // A class representing the parsed contents of the
@@ -264,53 +272,6 @@ class InternalRunDeathTestFlag {
 // the flag is specified; otherwise returns NULL.
 InternalRunDeathTestFlag* ParseInternalRunDeathTestFlag();
 
-#else  // GTEST_HAS_DEATH_TEST
-
-// This macro is used for implementing macros such as
-// EXPECT_DEATH_IF_SUPPORTED and ASSERT_DEATH_IF_SUPPORTED on systems where
-// death tests are not supported. Those macros must compile on such systems
-// iff EXPECT_DEATH and ASSERT_DEATH compile with the same parameters on
-// systems that support death tests. This allows one to write such a macro
-// on a system that does not support death tests and be sure that it will
-// compile on a death-test supporting system.
-//
-// Parameters:
-//   statement -  A statement that a macro such as EXPECT_DEATH would test
-//                for program termination. This macro has to make sure this
-//                statement is compiled but not executed, to ensure that
-//                EXPECT_DEATH_IF_SUPPORTED compiles with a certain
-//                parameter iff EXPECT_DEATH compiles with it.
-//   regex     -  A regex that a macro such as EXPECT_DEATH would use to test
-//                the output of statement.  This parameter has to be
-//                compiled but not evaluated by this macro, to ensure that
-//                this macro only accepts expressions that a macro such as
-//                EXPECT_DEATH would accept.
-//   terminator - Must be an empty statement for EXPECT_DEATH_IF_SUPPORTED
-//                and a return statement for ASSERT_DEATH_IF_SUPPORTED.
-//                This ensures that ASSERT_DEATH_IF_SUPPORTED will not
-//                compile inside functions where ASSERT_DEATH doesn't
-//                compile.
-//
-//  The branch that has an always false condition is used to ensure that
-//  statement and regex are compiled (and thus syntactically correct) but
-//  never executed. The unreachable code macro protects the terminator
-//  statement from generating an 'unreachable code' warning in case
-//  statement unconditionally returns or throws. The Message constructor at
-//  the end allows the syntax of streaming additional messages into the
-//  macro, for compilational compatibility with EXPECT_DEATH/ASSERT_DEATH.
-# define GTEST_UNSUPPORTED_DEATH_TEST_(statement, regex, terminator) \
-    GTEST_AMBIGUOUS_ELSE_BLOCKER_ \
-    if (::testing::internal::AlwaysTrue()) { \
-      GTEST_LOG_(WARNING) \
-          << "Death tests are not supported on this platform.\n" \
-          << "Statement '" #statement "' cannot be verified."; \
-    } else if (::testing::internal::AlwaysFalse()) { \
-      ::testing::internal::RE::PartialMatch(".*", (regex)); \
-      GTEST_SUPPRESS_UNREACHABLE_CODE_WARNING_BELOW_(statement); \
-      terminator; \
-    } else \
-      ::testing::Message()
-
 #endif  // GTEST_HAS_DEATH_TEST
 
 }  // namespace internal
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-filepath.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-filepath.h
index 7a13b4b0d..ae38d95bf 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-filepath.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-filepath.h
@@ -27,21 +27,24 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Author: keith.ray@gmail.com (Keith Ray)
-//
 // Google Test filepath utilities
 //
 // This header file declares classes and functions used internally by
 // Google Test.  They are subject to change without notice.
 //
-// This file is #included in <gtest/internal/gtest-internal.h>.
+// This file is #included in gtest/internal/gtest-internal.h.
 // Do not include this header file separately!
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_FILEPATH_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_FILEPATH_H_
 
 #include "gtest/internal/gtest-string.h"
 
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4251 \
+/* class A needs to have dll-interface to be used by clients of class B */)
+
 namespace testing {
 namespace internal {
 
@@ -203,4 +206,6 @@ class GTEST_API_ FilePath {
 }  // namespace internal
 }  // namespace testing
 
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4251
+
 #endif  // GTEST_INCLUDE_GTEST_INTERNAL_GTEST_FILEPATH_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-internal.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-internal.h
index 21a0f567b..b762f61fc 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-internal.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-internal.h
@@ -27,13 +27,13 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: wan@google.com (Zhanyong Wan), eefacm@gmail.com (Sean Mcafee)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 //
 // This header file declares functions and macros used internally by
 // Google Test.  They are subject to change without notice.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_INTERNAL_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_INTERNAL_H_
 
@@ -55,13 +55,14 @@
 #include <string.h>
 #include <iomanip>
 #include <limits>
+#include <map>
 #include <set>
 #include <string>
 #include <vector>
 
 #include "gtest/gtest-message.h"
-#include "gtest/internal/gtest-string.h"
 #include "gtest/internal/gtest-filepath.h"
+#include "gtest/internal/gtest-string.h"
 #include "gtest/internal/gtest-type-util.h"
 
 // Due to C++ preprocessor weirdness, we need double indirection to
@@ -75,6 +76,9 @@
 #define GTEST_CONCAT_TOKEN_(foo, bar) GTEST_CONCAT_TOKEN_IMPL_(foo, bar)
 #define GTEST_CONCAT_TOKEN_IMPL_(foo, bar) foo ## bar
 
+// Stringifies its argument.
+#define GTEST_STRINGIFY_(name) #name
+
 class ProtocolMessage;
 namespace proto2 { class Message; }
 
@@ -95,13 +99,9 @@ template <typename T>
 namespace internal {
 
 struct TraceInfo;                      // Information about a trace point.
-class ScopedTrace;                     // Implements scoped trace.
 class TestInfoImpl;                    // Opaque implementation of TestInfo
 class UnitTestImpl;                    // Opaque implementation of UnitTest
 
-// How many times InitGoogleTest() has been called.
-GTEST_API_ extern int g_init_gtest_count;
-
 // The text used in failure messages to indicate the start of the
 // stack trace.
 GTEST_API_ extern const char kStackTraceMarker[];
@@ -141,6 +141,9 @@ GTEST_API_ std::string AppendUserMessage(
 
 #if GTEST_HAS_EXCEPTIONS
 
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4275 \
+/* an exported class was derived from a class that was not exported */)
+
 // This exception is thrown by (and only by) a failed Google Test
 // assertion when GTEST_FLAG(throw_on_failure) is true (if exceptions
 // are enabled).  We derive it from std::runtime_error, which is for
@@ -152,32 +155,15 @@ class GTEST_API_ GoogleTestFailureException : public ::std::runtime_error {
   explicit GoogleTestFailureException(const TestPartResult& failure);
 };
 
-#endif  // GTEST_HAS_EXCEPTIONS
-
-// A helper class for creating scoped traces in user programs.
-class GTEST_API_ ScopedTrace {
- public:
-  // The c'tor pushes the given source file location and message onto
-  // a trace stack maintained by Google Test.
-  ScopedTrace(const char* file, int line, const Message& message);
-
-  // The d'tor pops the info pushed by the c'tor.
-  //
-  // Note that the d'tor is not virtual in order to be efficient.
-  // Don't inherit from ScopedTrace!
-  ~ScopedTrace();
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4275
 
- private:
-  GTEST_DISALLOW_COPY_AND_ASSIGN_(ScopedTrace);
-} GTEST_ATTRIBUTE_UNUSED_;  // A ScopedTrace object does its job in its
-                            // c'tor and d'tor.  Therefore it doesn't
-                            // need to be used otherwise.
+#endif  // GTEST_HAS_EXCEPTIONS
 
 namespace edit_distance {
 // Returns the optimal edits to go from 'left' to 'right'.
 // All edits cost the same, with replace having lower priority than
 // add/remove.
-// Simple implementation of the Wagner–Fischer algorithm.
+// Simple implementation of the Wagner-Fischer algorithm.
 // See http://en.wikipedia.org/wiki/Wagner-Fischer_algorithm
 enum EditType { kMatch, kAdd, kRemove, kReplace };
 GTEST_API_ std::vector<EditType> CalculateOptimalEdits(
@@ -503,6 +489,14 @@ GTEST_API_ AssertionResult IsHRESULTFailure(const char* expr,
 typedef void (*SetUpTestCaseFunc)();
 typedef void (*TearDownTestCaseFunc)();
 
+struct CodeLocation {
+  CodeLocation(const std::string& a_file, int a_line)
+      : file(a_file), line(a_line) {}
+
+  std::string file;
+  int line;
+};
+
 // Creates a new TestInfo object and registers it with Google Test;
 // returns the created object.
 //
@@ -514,6 +508,7 @@ typedef void (*TearDownTestCaseFunc)();
 //                     this is not a typed or a type-parameterized test.
 //   value_param       text representation of the test's value parameter,
 //                     or NULL if this is not a type-parameterized test.
+//   code_location:    code location where the test is defined
 //   fixture_class_id: ID of the test fixture class
 //   set_up_tc:        pointer to the function that sets up the test case
 //   tear_down_tc:     pointer to the function that tears down the test case
@@ -525,6 +520,7 @@ GTEST_API_ TestInfo* MakeAndRegisterTestInfo(
     const char* name,
     const char* type_param,
     const char* value_param,
+    CodeLocation code_location,
     TypeId fixture_class_id,
     SetUpTestCaseFunc set_up_tc,
     TearDownTestCaseFunc tear_down_tc,
@@ -537,6 +533,9 @@ GTEST_API_ bool SkipPrefix(const char* prefix, const char** pstr);
 
 #if GTEST_HAS_TYPED_TEST || GTEST_HAS_TYPED_TEST_P
 
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4251 \
+/* class A needs to have dll-interface to be used by clients of class B */)
+
 // State of the definition of a type-parameterized test case.
 class GTEST_API_ TypedTestCasePState {
  public:
@@ -554,10 +553,21 @@ class GTEST_API_ TypedTestCasePState {
       fflush(stderr);
       posix::Abort();
     }
-    defined_test_names_.insert(test_name);
+    registered_tests_.insert(
+        ::std::make_pair(test_name, CodeLocation(file, line)));
     return true;
   }
 
+  bool TestExists(const std::string& test_name) const {
+    return registered_tests_.count(test_name) > 0;
+  }
+
+  const CodeLocation& GetCodeLocation(const std::string& test_name) const {
+    RegisteredTestsMap::const_iterator it = registered_tests_.find(test_name);
+    GTEST_CHECK_(it != registered_tests_.end());
+    return it->second;
+  }
+
   // Verifies that registered_tests match the test names in
   // defined_test_names_; returns registered_tests if successful, or
   // aborts the program otherwise.
@@ -565,10 +575,14 @@ class GTEST_API_ TypedTestCasePState {
       const char* file, int line, const char* registered_tests);
 
  private:
+  typedef ::std::map<std::string, CodeLocation> RegisteredTestsMap;
+
   bool registered_;
-  ::std::set<const char*> defined_test_names_;
+  RegisteredTestsMap registered_tests_;
 };
 
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4251
+
 // Skips to the first non-space char after the first comma in 'str';
 // returns NULL if no comma is found in 'str'.
 inline const char* SkipComma(const char* str) {
@@ -587,6 +601,42 @@ inline std::string GetPrefixUntilComma(const char* str) {
   return comma == NULL ? str : std::string(str, comma);
 }
 
+// Splits a given string on a given delimiter, populating a given
+// vector with the fields.
+void SplitString(const ::std::string& str, char delimiter,
+                 ::std::vector< ::std::string>* dest);
+
+// The default argument to the template below for the case when the user does
+// not provide a name generator.
+struct DefaultNameGenerator {
+  template <typename T>
+  static std::string GetName(int i) {
+    return StreamableToString(i);
+  }
+};
+
+template <typename Provided = DefaultNameGenerator>
+struct NameGeneratorSelector {
+  typedef Provided type;
+};
+
+template <typename NameGenerator>
+void GenerateNamesRecursively(Types0, std::vector<std::string>*, int) {}
+
+template <typename NameGenerator, typename Types>
+void GenerateNamesRecursively(Types, std::vector<std::string>* result, int i) {
+  result->push_back(NameGenerator::template GetName<typename Types::Head>(i));
+  GenerateNamesRecursively<NameGenerator>(typename Types::Tail(), result,
+                                          i + 1);
+}
+
+template <typename NameGenerator, typename Types>
+std::vector<std::string> GenerateNames() {
+  std::vector<std::string> result;
+  GenerateNamesRecursively<NameGenerator>(Types(), &result, 0);
+  return result;
+}
+
 // TypeParameterizedTest<Fixture, TestSel, Types>::Register()
 // registers a list of type-parameterized tests with Google Test.  The
 // return value is insignificant - we just need to return something
@@ -601,8 +651,10 @@ class TypeParameterizedTest {
   // specified in INSTANTIATE_TYPED_TEST_CASE_P(Prefix, TestCase,
   // Types).  Valid values for 'index' are [0, N - 1] where N is the
   // length of Types.
-  static bool Register(const char* prefix, const char* case_name,
-                       const char* test_names, int index) {
+  static bool Register(const char* prefix, const CodeLocation& code_location,
+                       const char* case_name, const char* test_names, int index,
+                       const std::vector<std::string>& type_names =
+                           GenerateNames<DefaultNameGenerator, Types>()) {
     typedef typename Types::Head Type;
     typedef Fixture<Type> FixtureClass;
     typedef typename GTEST_BIND_(TestSel, Type) TestClass;
@@ -610,19 +662,23 @@ class TypeParameterizedTest {
     // First, registers the first type-parameterized test in the type
     // list.
     MakeAndRegisterTestInfo(
-        (std::string(prefix) + (prefix[0] == '\0' ? "" : "/") + case_name + "/"
-         + StreamableToString(index)).c_str(),
-        GetPrefixUntilComma(test_names).c_str(),
+        (std::string(prefix) + (prefix[0] == '\0' ? "" : "/") + case_name +
+         "/" + type_names[index])
+            .c_str(),
+        StripTrailingSpaces(GetPrefixUntilComma(test_names)).c_str(),
         GetTypeName<Type>().c_str(),
         NULL,  // No value parameter.
-        GetTypeId<FixtureClass>(),
-        TestClass::SetUpTestCase,
-        TestClass::TearDownTestCase,
-        new TestFactoryImpl<TestClass>);
+        code_location, GetTypeId<FixtureClass>(), TestClass::SetUpTestCase,
+        TestClass::TearDownTestCase, new TestFactoryImpl<TestClass>);
 
     // Next, recurses (at compile time) with the tail of the type list.
-    return TypeParameterizedTest<Fixture, TestSel, typename Types::Tail>
-        ::Register(prefix, case_name, test_names, index + 1);
+    return TypeParameterizedTest<Fixture, TestSel,
+                                 typename Types::Tail>::Register(prefix,
+                                                                 code_location,
+                                                                 case_name,
+                                                                 test_names,
+                                                                 index + 1,
+                                                                 type_names);
   }
 };
 
@@ -630,8 +686,11 @@ class TypeParameterizedTest {
 template <GTEST_TEMPLATE_ Fixture, class TestSel>
 class TypeParameterizedTest<Fixture, TestSel, Types0> {
  public:
-  static bool Register(const char* /*prefix*/, const char* /*case_name*/,
-                       const char* /*test_names*/, int /*index*/) {
+  static bool Register(const char* /*prefix*/, const CodeLocation&,
+                       const char* /*case_name*/, const char* /*test_names*/,
+                       int /*index*/,
+                       const std::vector<std::string>& =
+                           std::vector<std::string>() /*type_names*/) {
     return true;
   }
 };
@@ -643,17 +702,35 @@ class TypeParameterizedTest<Fixture, TestSel, Types0> {
 template <GTEST_TEMPLATE_ Fixture, typename Tests, typename Types>
 class TypeParameterizedTestCase {
  public:
-  static bool Register(const char* prefix, const char* case_name,
-                       const char* test_names) {
+  static bool Register(const char* prefix, CodeLocation code_location,
+                       const TypedTestCasePState* state, const char* case_name,
+                       const char* test_names,
+                       const std::vector<std::string>& type_names =
+                           GenerateNames<DefaultNameGenerator, Types>()) {
+    std::string test_name = StripTrailingSpaces(
+        GetPrefixUntilComma(test_names));
+    if (!state->TestExists(test_name)) {
+      fprintf(stderr, "Failed to get code location for test %s.%s at %s.",
+              case_name, test_name.c_str(),
+              FormatFileLocation(code_location.file.c_str(),
+                                 code_location.line).c_str());
+      fflush(stderr);
+      posix::Abort();
+    }
+    const CodeLocation& test_location = state->GetCodeLocation(test_name);
+
     typedef typename Tests::Head Head;
 
     // First, register the first test in 'Test' for each type in 'Types'.
     TypeParameterizedTest<Fixture, Head, Types>::Register(
-        prefix, case_name, test_names, 0);
+        prefix, test_location, case_name, test_names, 0, type_names);
 
     // Next, recurses (at compile time) with the tail of the test list.
-    return TypeParameterizedTestCase<Fixture, typename Tests::Tail, Types>
-        ::Register(prefix, case_name, SkipComma(test_names));
+    return TypeParameterizedTestCase<Fixture, typename Tests::Tail,
+                                     Types>::Register(prefix, code_location,
+                                                      state, case_name,
+                                                      SkipComma(test_names),
+                                                      type_names);
   }
 };
 
@@ -661,8 +738,11 @@ class TypeParameterizedTestCase {
 template <GTEST_TEMPLATE_ Fixture, typename Types>
 class TypeParameterizedTestCase<Fixture, Templates0, Types> {
  public:
-  static bool Register(const char* /*prefix*/, const char* /*case_name*/,
-                       const char* /*test_names*/) {
+  static bool Register(const char* /*prefix*/, const CodeLocation&,
+                       const TypedTestCasePState* /*state*/,
+                       const char* /*case_name*/, const char* /*test_names*/,
+                       const std::vector<std::string>& =
+                           std::vector<std::string>() /*type_names*/) {
     return true;
   }
 };
@@ -779,31 +859,6 @@ struct RemoveConst<T[N]> {
 #define GTEST_REMOVE_REFERENCE_AND_CONST_(T) \
     GTEST_REMOVE_CONST_(GTEST_REMOVE_REFERENCE_(T))
 
-// Adds reference to a type if it is not a reference type,
-// otherwise leaves it unchanged.  This is the same as
-// tr1::add_reference, which is not widely available yet.
-template <typename T>
-struct AddReference { typedef T& type; };  // NOLINT
-template <typename T>
-struct AddReference<T&> { typedef T& type; };  // NOLINT
-
-// A handy wrapper around AddReference that works when the argument T
-// depends on template parameters.
-#define GTEST_ADD_REFERENCE_(T) \
-    typename ::testing::internal::AddReference<T>::type
-
-// Adds a reference to const on top of T as necessary.  For example,
-// it transforms
-//
-//   char         ==> const char&
-//   const char   ==> const char&
-//   char&        ==> const char&
-//   const char&  ==> const char&
-//
-// The argument T must depend on some template parameters.
-#define GTEST_REFERENCE_TO_CONST_(T) \
-    GTEST_ADD_REFERENCE_(const GTEST_REMOVE_REFERENCE_(T))
-
 // ImplicitlyConvertible<From, To>::value is a compile-time bool
 // constant that's true iff type From can be implicitly converted to
 // type To.
@@ -873,8 +928,11 @@ struct IsAProtocolMessage
 // a container class by checking the type of IsContainerTest<C>(0).
 // The value of the expression is insignificant.
 //
-// Note that we look for both C::iterator and C::const_iterator.  The
-// reason is that C++ injects the name of a class as a member of the
+// In C++11 mode we check the existence of a const_iterator and that an
+// iterator is properly implemented for the container.
+//
+// For pre-C++11 that we look for both C::iterator and C::const_iterator.
+// The reason is that C++ injects the name of a class as a member of the
 // class itself (e.g. you can refer to class iterator as either
 // 'iterator' or 'iterator::iterator').  If we look for C::iterator
 // only, for example, we would mistakenly think that a class named
@@ -884,17 +942,96 @@ struct IsAProtocolMessage
 // IsContainerTest(typename C::const_iterator*) and
 // IsContainerTest(...) doesn't work with Visual Age C++ and Sun C++.
 typedef int IsContainer;
+#if GTEST_LANG_CXX11
+template <class C,
+          class Iterator = decltype(::std::declval<const C&>().begin()),
+          class = decltype(::std::declval<const C&>().end()),
+          class = decltype(++::std::declval<Iterator&>()),
+          class = decltype(*::std::declval<Iterator>()),
+          class = typename C::const_iterator>
+IsContainer IsContainerTest(int /* dummy */) {
+  return 0;
+}
+#else
 template <class C>
 IsContainer IsContainerTest(int /* dummy */,
                             typename C::iterator* /* it */ = NULL,
                             typename C::const_iterator* /* const_it */ = NULL) {
   return 0;
 }
+#endif  // GTEST_LANG_CXX11
 
 typedef char IsNotContainer;
 template <class C>
 IsNotContainer IsContainerTest(long /* dummy */) { return '\0'; }
 
+// Trait to detect whether a type T is a hash table.
+// The heuristic used is that the type contains an inner type `hasher` and does
+// not contain an inner type `reverse_iterator`.
+// If the container is iterable in reverse, then order might actually matter.
+template <typename T>
+struct IsHashTable {
+ private:
+  template <typename U>
+  static char test(typename U::hasher*, typename U::reverse_iterator*);
+  template <typename U>
+  static int test(typename U::hasher*, ...);
+  template <typename U>
+  static char test(...);
+
+ public:
+  static const bool value = sizeof(test<T>(0, 0)) == sizeof(int);
+};
+
+template <typename T>
+const bool IsHashTable<T>::value;
+
+template<typename T>
+struct VoidT {
+    typedef void value_type;
+};
+
+template <typename T, typename = void>
+struct HasValueType : false_type {};
+template <typename T>
+struct HasValueType<T, VoidT<typename T::value_type> > : true_type {
+};
+
+template <typename C,
+          bool = sizeof(IsContainerTest<C>(0)) == sizeof(IsContainer),
+          bool = HasValueType<C>::value>
+struct IsRecursiveContainerImpl;
+
+template <typename C, bool HV>
+struct IsRecursiveContainerImpl<C, false, HV> : public false_type {};
+
+// Since the IsRecursiveContainerImpl depends on the IsContainerTest we need to
+// obey the same inconsistencies as the IsContainerTest, namely check if
+// something is a container is relying on only const_iterator in C++11 and
+// is relying on both const_iterator and iterator otherwise
+template <typename C>
+struct IsRecursiveContainerImpl<C, true, false> : public false_type {};
+
+template <typename C>
+struct IsRecursiveContainerImpl<C, true, true> {
+  #if GTEST_LANG_CXX11
+  typedef typename IteratorTraits<typename C::const_iterator>::value_type
+      value_type;
+#else
+  typedef typename IteratorTraits<typename C::iterator>::value_type value_type;
+#endif
+  typedef is_same<value_type, C> type;
+};
+
+// IsRecursiveContainer<Type> is a unary compile-time predicate that
+// evaluates whether C is a recursive container type. A recursive container
+// type is a container type whose value_type is equal to the container type
+// itself. An example for a recursive container type is
+// boost::filesystem::path, whose iterator has a value_type that is equal to
+// boost::filesystem::path.
+template <typename C>
+struct IsRecursiveContainer : public IsRecursiveContainerImpl<C>::type {};
+
 // EnableIf<condition>::type is void when 'Cond' is true, and
 // undefined when 'Cond' is false.  To use SFINAE to make a function
 // overload only apply when a particular expression is true, add
@@ -1026,7 +1163,7 @@ class NativeArray {
  private:
   enum {
     kCheckTypeIsNotConstOrAReference = StaticAssertTypeEqHelper<
-        Element, GTEST_REMOVE_REFERENCE_AND_CONST_(Element)>::value,
+        Element, GTEST_REMOVE_REFERENCE_AND_CONST_(Element)>::value
   };
 
   // Initializes this object with a copy of the input.
@@ -1071,7 +1208,7 @@ class NativeArray {
 #define GTEST_SUCCESS_(message) \
   GTEST_MESSAGE_(message, ::testing::TestPartResult::kSuccess)
 
-// Suppresses MSVC warnings 4072 (unreachable code) for the code following
+// Suppress MSVC warning 4702 (unreachable code) for the code following
 // statement if it returns or throws (or doesn't return or throw in some
 // situations).
 #define GTEST_SUPPRESS_UNREACHABLE_CODE_WARNING_BELOW_(statement) \
@@ -1182,6 +1319,7 @@ class GTEST_TEST_CLASS_NAME_(test_case_name, test_name) : public parent_class {\
   ::test_info_ =\
     ::testing::internal::MakeAndRegisterTestInfo(\
         #test_case_name, #test_name, NULL, NULL, \
+        ::testing::internal::CodeLocation(__FILE__, __LINE__), \
         (parent_id), \
         parent_class::SetUpTestCase, \
         parent_class::TearDownTestCase, \
@@ -1190,4 +1328,3 @@ class GTEST_TEST_CLASS_NAME_(test_case_name, test_name) : public parent_class {\
 void GTEST_TEST_CLASS_NAME_(test_case_name, test_name)::TestBody()
 
 #endif  // GTEST_INCLUDE_GTEST_INTERNAL_GTEST_INTERNAL_H_
-
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-linked_ptr.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-linked_ptr.h
index b1362cd00..082b87289 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-linked_ptr.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-linked_ptr.h
@@ -27,8 +27,6 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: Dan Egnor (egnor@google.com)
-//
 // A "smart" pointer type with reference tracking.  Every pointer to a
 // particular object is kept on a circular linked list.  When the last pointer
 // to an object is destroyed or reassigned, the object is deleted.
@@ -62,9 +60,11 @@
 //       raw pointer (e.g. via get()) concurrently, and
 //     - it's safe to write to two linked_ptrs that point to the same
 //       shared object concurrently.
-// TODO(wan@google.com): rename this to safe_linked_ptr to avoid
+// FIXME: rename this to safe_linked_ptr to avoid
 // confusion with normal linked_ptr.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_LINKED_PTR_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_LINKED_PTR_H_
 
@@ -110,7 +110,12 @@ class linked_ptr_internal {
     MutexLock lock(&g_linked_ptr_mutex);
 
     linked_ptr_internal const* p = ptr;
-    while (p->next_ != ptr) p = p->next_;
+    while (p->next_ != ptr) {
+      assert(p->next_ != this &&
+             "Trying to join() a linked ring we are already in. "
+             "Is GMock thread safety enabled?");
+      p = p->next_;
+    }
     p->next_ = this;
     next_ = ptr;
   }
@@ -123,7 +128,12 @@ class linked_ptr_internal {
 
     if (next_ == this) return true;
     linked_ptr_internal const* p = next_;
-    while (p->next_ != this) p = p->next_;
+    while (p->next_ != this) {
+      assert(p->next_ != next_ &&
+             "Trying to depart() a linked ring we are not in. "
+             "Is GMock thread safety enabled?");
+      p = p->next_;
+    }
     p->next_ = next_;
     return false;
   }
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util-generated.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util-generated.h
index 6dbaf4b7a..4fac8c027 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util-generated.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util-generated.h
@@ -30,8 +30,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 
 // Type and function utilities for implementing parameterized tests.
 // This file is generated by a SCRIPT.  DO NOT EDIT BY HAND!
@@ -43,17 +42,14 @@
 // by the maximum arity of the implementation of tuple which is
 // currently set at 10.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PARAM_UTIL_GENERATED_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PARAM_UTIL_GENERATED_H_
 
-// scripts/fuse_gtest.py depends on gtest's own header being #included
-// *unconditionally*.  Therefore these #includes cannot be moved
-// inside #if GTEST_HAS_PARAM_TEST.
 #include "gtest/internal/gtest-param-util.h"
 #include "gtest/internal/gtest-port.h"
 
-#if GTEST_HAS_PARAM_TEST
-
 namespace testing {
 
 // Forward declarations of ValuesIn(), which is implemented in
@@ -79,7 +75,12 @@ class ValueArray1 {
   explicit ValueArray1(T1 v1) : v1_(v1) {}
 
   template <typename T>
-  operator ParamGenerator<T>() const { return ValuesIn(&v1_, &v1_ + 1); }
+  operator ParamGenerator<T>() const {
+    const T array[] = {static_cast<T>(v1_)};
+    return ValuesIn(array);
+  }
+
+  ValueArray1(const ValueArray1& other) : v1_(other.v1_) {}
 
  private:
   // No implementation - assignment is unsupported.
@@ -99,6 +100,8 @@ class ValueArray2 {
     return ValuesIn(array);
   }
 
+  ValueArray2(const ValueArray2& other) : v1_(other.v1_), v2_(other.v2_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray2& other);
@@ -119,6 +122,9 @@ class ValueArray3 {
     return ValuesIn(array);
   }
 
+  ValueArray3(const ValueArray3& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray3& other);
@@ -141,6 +147,9 @@ class ValueArray4 {
     return ValuesIn(array);
   }
 
+  ValueArray4(const ValueArray4& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray4& other);
@@ -164,6 +173,9 @@ class ValueArray5 {
     return ValuesIn(array);
   }
 
+  ValueArray5(const ValueArray5& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray5& other);
@@ -190,6 +202,9 @@ class ValueArray6 {
     return ValuesIn(array);
   }
 
+  ValueArray6(const ValueArray6& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray6& other);
@@ -217,6 +232,10 @@ class ValueArray7 {
     return ValuesIn(array);
   }
 
+  ValueArray7(const ValueArray7& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray7& other);
@@ -246,6 +265,10 @@ class ValueArray8 {
     return ValuesIn(array);
   }
 
+  ValueArray8(const ValueArray8& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray8& other);
@@ -277,6 +300,10 @@ class ValueArray9 {
     return ValuesIn(array);
   }
 
+  ValueArray9(const ValueArray9& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray9& other);
@@ -309,6 +336,10 @@ class ValueArray10 {
     return ValuesIn(array);
   }
 
+  ValueArray10(const ValueArray10& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray10& other);
@@ -343,6 +374,11 @@ class ValueArray11 {
     return ValuesIn(array);
   }
 
+  ValueArray11(const ValueArray11& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray11& other);
@@ -379,6 +415,11 @@ class ValueArray12 {
     return ValuesIn(array);
   }
 
+  ValueArray12(const ValueArray12& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray12& other);
@@ -417,6 +458,11 @@ class ValueArray13 {
     return ValuesIn(array);
   }
 
+  ValueArray13(const ValueArray13& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray13& other);
@@ -456,6 +502,11 @@ class ValueArray14 {
     return ValuesIn(array);
   }
 
+  ValueArray14(const ValueArray14& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray14& other);
@@ -497,6 +548,12 @@ class ValueArray15 {
     return ValuesIn(array);
   }
 
+  ValueArray15(const ValueArray15& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray15& other);
@@ -541,6 +598,12 @@ class ValueArray16 {
     return ValuesIn(array);
   }
 
+  ValueArray16(const ValueArray16& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray16& other);
@@ -586,6 +649,12 @@ class ValueArray17 {
     return ValuesIn(array);
   }
 
+  ValueArray17(const ValueArray17& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray17& other);
@@ -633,6 +702,12 @@ class ValueArray18 {
     return ValuesIn(array);
   }
 
+  ValueArray18(const ValueArray18& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray18& other);
@@ -681,6 +756,13 @@ class ValueArray19 {
     return ValuesIn(array);
   }
 
+  ValueArray19(const ValueArray19& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray19& other);
@@ -731,6 +813,13 @@ class ValueArray20 {
     return ValuesIn(array);
   }
 
+  ValueArray20(const ValueArray20& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray20& other);
@@ -784,6 +873,13 @@ class ValueArray21 {
     return ValuesIn(array);
   }
 
+  ValueArray21(const ValueArray21& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray21& other);
@@ -838,6 +934,13 @@ class ValueArray22 {
     return ValuesIn(array);
   }
 
+  ValueArray22(const ValueArray22& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray22& other);
@@ -894,6 +997,14 @@ class ValueArray23 {
     return ValuesIn(array);
   }
 
+  ValueArray23(const ValueArray23& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray23& other);
@@ -952,6 +1063,14 @@ class ValueArray24 {
     return ValuesIn(array);
   }
 
+  ValueArray24(const ValueArray24& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray24& other);
@@ -1011,6 +1130,14 @@ class ValueArray25 {
     return ValuesIn(array);
   }
 
+  ValueArray25(const ValueArray25& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray25& other);
@@ -1072,6 +1199,14 @@ class ValueArray26 {
     return ValuesIn(array);
   }
 
+  ValueArray26(const ValueArray26& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray26& other);
@@ -1136,6 +1271,15 @@ class ValueArray27 {
     return ValuesIn(array);
   }
 
+  ValueArray27(const ValueArray27& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray27& other);
@@ -1201,6 +1345,15 @@ class ValueArray28 {
     return ValuesIn(array);
   }
 
+  ValueArray28(const ValueArray28& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray28& other);
@@ -1267,6 +1420,15 @@ class ValueArray29 {
     return ValuesIn(array);
   }
 
+  ValueArray29(const ValueArray29& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray29& other);
@@ -1336,6 +1498,15 @@ class ValueArray30 {
     return ValuesIn(array);
   }
 
+  ValueArray30(const ValueArray30& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray30& other);
@@ -1407,6 +1578,16 @@ class ValueArray31 {
     return ValuesIn(array);
   }
 
+  ValueArray31(const ValueArray31& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray31& other);
@@ -1479,6 +1660,16 @@ class ValueArray32 {
     return ValuesIn(array);
   }
 
+  ValueArray32(const ValueArray32& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray32& other);
@@ -1554,6 +1745,16 @@ class ValueArray33 {
     return ValuesIn(array);
   }
 
+  ValueArray33(const ValueArray33& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray33& other);
@@ -1630,6 +1831,16 @@ class ValueArray34 {
     return ValuesIn(array);
   }
 
+  ValueArray34(const ValueArray34& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray34& other);
@@ -1707,6 +1918,17 @@ class ValueArray35 {
     return ValuesIn(array);
   }
 
+  ValueArray35(const ValueArray35& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray35& other);
@@ -1787,6 +2009,17 @@ class ValueArray36 {
     return ValuesIn(array);
   }
 
+  ValueArray36(const ValueArray36& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray36& other);
@@ -1869,6 +2102,17 @@ class ValueArray37 {
     return ValuesIn(array);
   }
 
+  ValueArray37(const ValueArray37& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray37& other);
@@ -1952,6 +2196,17 @@ class ValueArray38 {
     return ValuesIn(array);
   }
 
+  ValueArray38(const ValueArray38& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray38& other);
@@ -2037,6 +2292,18 @@ class ValueArray39 {
     return ValuesIn(array);
   }
 
+  ValueArray39(const ValueArray39& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray39& other);
@@ -2124,6 +2391,18 @@ class ValueArray40 {
     return ValuesIn(array);
   }
 
+  ValueArray40(const ValueArray40& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray40& other);
@@ -2213,6 +2492,18 @@ class ValueArray41 {
     return ValuesIn(array);
   }
 
+  ValueArray41(const ValueArray41& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray41& other);
@@ -2304,6 +2595,18 @@ class ValueArray42 {
     return ValuesIn(array);
   }
 
+  ValueArray42(const ValueArray42& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_), v42_(other.v42_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray42& other);
@@ -2396,6 +2699,19 @@ class ValueArray43 {
     return ValuesIn(array);
   }
 
+  ValueArray43(const ValueArray43& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_), v42_(other.v42_),
+      v43_(other.v43_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray43& other);
@@ -2490,6 +2806,19 @@ class ValueArray44 {
     return ValuesIn(array);
   }
 
+  ValueArray44(const ValueArray44& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_), v42_(other.v42_),
+      v43_(other.v43_), v44_(other.v44_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray44& other);
@@ -2586,6 +2915,19 @@ class ValueArray45 {
     return ValuesIn(array);
   }
 
+  ValueArray45(const ValueArray45& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_), v42_(other.v42_),
+      v43_(other.v43_), v44_(other.v44_), v45_(other.v45_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray45& other);
@@ -2684,6 +3026,19 @@ class ValueArray46 {
     return ValuesIn(array);
   }
 
+  ValueArray46(const ValueArray46& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_), v42_(other.v42_),
+      v43_(other.v43_), v44_(other.v44_), v45_(other.v45_), v46_(other.v46_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray46& other);
@@ -2784,6 +3139,20 @@ class ValueArray47 {
     return ValuesIn(array);
   }
 
+  ValueArray47(const ValueArray47& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_), v42_(other.v42_),
+      v43_(other.v43_), v44_(other.v44_), v45_(other.v45_), v46_(other.v46_),
+      v47_(other.v47_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray47& other);
@@ -2886,6 +3255,20 @@ class ValueArray48 {
     return ValuesIn(array);
   }
 
+  ValueArray48(const ValueArray48& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_), v42_(other.v42_),
+      v43_(other.v43_), v44_(other.v44_), v45_(other.v45_), v46_(other.v46_),
+      v47_(other.v47_), v48_(other.v48_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray48& other);
@@ -2989,6 +3372,20 @@ class ValueArray49 {
     return ValuesIn(array);
   }
 
+  ValueArray49(const ValueArray49& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_), v42_(other.v42_),
+      v43_(other.v43_), v44_(other.v44_), v45_(other.v45_), v46_(other.v46_),
+      v47_(other.v47_), v48_(other.v48_), v49_(other.v49_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray49& other);
@@ -3093,6 +3490,20 @@ class ValueArray50 {
     return ValuesIn(array);
   }
 
+  ValueArray50(const ValueArray50& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_), v42_(other.v42_),
+      v43_(other.v43_), v44_(other.v44_), v45_(other.v45_), v46_(other.v46_),
+      v47_(other.v47_), v48_(other.v48_), v49_(other.v49_), v50_(other.v50_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray50& other);
@@ -3205,7 +3616,7 @@ class CartesianProductGenerator2
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -3237,7 +3648,7 @@ class CartesianProductGenerator2
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType(*current1_, *current2_);
+        current_value_.reset(new ParamType(*current1_, *current2_));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -3259,7 +3670,7 @@ class CartesianProductGenerator2
     const typename ParamGenerator<T2>::iterator begin2_;
     const typename ParamGenerator<T2>::iterator end2_;
     typename ParamGenerator<T2>::iterator current2_;
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator2::Iterator
 
   // No implementation - assignment is unsupported.
@@ -3328,7 +3739,7 @@ class CartesianProductGenerator3
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -3364,7 +3775,7 @@ class CartesianProductGenerator3
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType(*current1_, *current2_, *current3_);
+        current_value_.reset(new ParamType(*current1_, *current2_, *current3_));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -3390,7 +3801,7 @@ class CartesianProductGenerator3
     const typename ParamGenerator<T3>::iterator begin3_;
     const typename ParamGenerator<T3>::iterator end3_;
     typename ParamGenerator<T3>::iterator current3_;
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator3::Iterator
 
   // No implementation - assignment is unsupported.
@@ -3469,7 +3880,7 @@ class CartesianProductGenerator4
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -3509,8 +3920,8 @@ class CartesianProductGenerator4
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType(*current1_, *current2_, *current3_,
-            *current4_);
+        current_value_.reset(new ParamType(*current1_, *current2_, *current3_,
+            *current4_));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -3540,7 +3951,7 @@ class CartesianProductGenerator4
     const typename ParamGenerator<T4>::iterator begin4_;
     const typename ParamGenerator<T4>::iterator end4_;
     typename ParamGenerator<T4>::iterator current4_;
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator4::Iterator
 
   // No implementation - assignment is unsupported.
@@ -3627,7 +4038,7 @@ class CartesianProductGenerator5
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -3671,8 +4082,8 @@ class CartesianProductGenerator5
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType(*current1_, *current2_, *current3_,
-            *current4_, *current5_);
+        current_value_.reset(new ParamType(*current1_, *current2_, *current3_,
+            *current4_, *current5_));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -3706,7 +4117,7 @@ class CartesianProductGenerator5
     const typename ParamGenerator<T5>::iterator begin5_;
     const typename ParamGenerator<T5>::iterator end5_;
     typename ParamGenerator<T5>::iterator current5_;
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator5::Iterator
 
   // No implementation - assignment is unsupported.
@@ -3804,7 +4215,7 @@ class CartesianProductGenerator6
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -3852,8 +4263,8 @@ class CartesianProductGenerator6
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType(*current1_, *current2_, *current3_,
-            *current4_, *current5_, *current6_);
+        current_value_.reset(new ParamType(*current1_, *current2_, *current3_,
+            *current4_, *current5_, *current6_));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -3891,7 +4302,7 @@ class CartesianProductGenerator6
     const typename ParamGenerator<T6>::iterator begin6_;
     const typename ParamGenerator<T6>::iterator end6_;
     typename ParamGenerator<T6>::iterator current6_;
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator6::Iterator
 
   // No implementation - assignment is unsupported.
@@ -3998,7 +4409,7 @@ class CartesianProductGenerator7
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -4050,8 +4461,8 @@ class CartesianProductGenerator7
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType(*current1_, *current2_, *current3_,
-            *current4_, *current5_, *current6_, *current7_);
+        current_value_.reset(new ParamType(*current1_, *current2_, *current3_,
+            *current4_, *current5_, *current6_, *current7_));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -4093,7 +4504,7 @@ class CartesianProductGenerator7
     const typename ParamGenerator<T7>::iterator begin7_;
     const typename ParamGenerator<T7>::iterator end7_;
     typename ParamGenerator<T7>::iterator current7_;
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator7::Iterator
 
   // No implementation - assignment is unsupported.
@@ -4211,7 +4622,7 @@ class CartesianProductGenerator8
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -4267,8 +4678,8 @@ class CartesianProductGenerator8
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType(*current1_, *current2_, *current3_,
-            *current4_, *current5_, *current6_, *current7_, *current8_);
+        current_value_.reset(new ParamType(*current1_, *current2_, *current3_,
+            *current4_, *current5_, *current6_, *current7_, *current8_));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -4314,7 +4725,7 @@ class CartesianProductGenerator8
     const typename ParamGenerator<T8>::iterator begin8_;
     const typename ParamGenerator<T8>::iterator end8_;
     typename ParamGenerator<T8>::iterator current8_;
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator8::Iterator
 
   // No implementation - assignment is unsupported.
@@ -4440,7 +4851,7 @@ class CartesianProductGenerator9
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -4500,9 +4911,9 @@ class CartesianProductGenerator9
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType(*current1_, *current2_, *current3_,
+        current_value_.reset(new ParamType(*current1_, *current2_, *current3_,
             *current4_, *current5_, *current6_, *current7_, *current8_,
-            *current9_);
+            *current9_));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -4552,7 +4963,7 @@ class CartesianProductGenerator9
     const typename ParamGenerator<T9>::iterator begin9_;
     const typename ParamGenerator<T9>::iterator end9_;
     typename ParamGenerator<T9>::iterator current9_;
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator9::Iterator
 
   // No implementation - assignment is unsupported.
@@ -4687,7 +5098,7 @@ class CartesianProductGenerator10
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -4751,9 +5162,9 @@ class CartesianProductGenerator10
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType(*current1_, *current2_, *current3_,
+        current_value_.reset(new ParamType(*current1_, *current2_, *current3_,
             *current4_, *current5_, *current6_, *current7_, *current8_,
-            *current9_, *current10_);
+            *current9_, *current10_));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -4807,7 +5218,7 @@ class CartesianProductGenerator10
     const typename ParamGenerator<T10>::iterator begin10_;
     const typename ParamGenerator<T10>::iterator end10_;
     typename ParamGenerator<T10>::iterator current10_;
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator10::Iterator
 
   // No implementation - assignment is unsupported.
@@ -5138,6 +5549,4 @@ CartesianProductHolder10(const Generator1& g1, const Generator2& g2,
 }  // namespace internal
 }  // namespace testing
 
-#endif  //  GTEST_HAS_PARAM_TEST
-
 #endif  // GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PARAM_UTIL_GENERATED_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util-generated.h.pump b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util-generated.h.pump
index 801a2fc7d..30dffe43c 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util-generated.h.pump
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util-generated.h.pump
@@ -29,8 +29,7 @@ $var maxtuple = 10  $$ Maximum number of Combine arguments we want to support.
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 
 // Type and function utilities for implementing parameterized tests.
 // This file is generated by a SCRIPT.  DO NOT EDIT BY HAND!
@@ -42,17 +41,14 @@ $var maxtuple = 10  $$ Maximum number of Combine arguments we want to support.
 // by the maximum arity of the implementation of tuple which is
 // currently set at $maxtuple.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PARAM_UTIL_GENERATED_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PARAM_UTIL_GENERATED_H_
 
-// scripts/fuse_gtest.py depends on gtest's own header being #included
-// *unconditionally*.  Therefore these #includes cannot be moved
-// inside #if GTEST_HAS_PARAM_TEST.
 #include "gtest/internal/gtest-param-util.h"
 #include "gtest/internal/gtest-port.h"
 
-#if GTEST_HAS_PARAM_TEST
-
 namespace testing {
 
 // Forward declarations of ValuesIn(), which is implemented in
@@ -72,29 +68,14 @@ internal::ParamGenerator<typename Container::value_type> ValuesIn(
 namespace internal {
 
 // Used in the Values() function to provide polymorphic capabilities.
-template <typename T1>
-class ValueArray1 {
- public:
-  explicit ValueArray1(T1 v1) : v1_(v1) {}
-
-  template <typename T>
-  operator ParamGenerator<T>() const { return ValuesIn(&v1_, &v1_ + 1); }
-
- private:
-  // No implementation - assignment is unsupported.
-  void operator=(const ValueArray1& other);
-
-  const T1 v1_;
-};
-
-$range i 2..n
+$range i 1..n
 $for i [[
 $range j 1..i
 
 template <$for j, [[typename T$j]]>
 class ValueArray$i {
  public:
-  ValueArray$i($for j, [[T$j v$j]]) : $for j, [[v$(j)_(v$j)]] {}
+  $if i==1 [[explicit ]]ValueArray$i($for j, [[T$j v$j]]) : $for j, [[v$(j)_(v$j)]] {}
 
   template <typename T>
   operator ParamGenerator<T>() const {
@@ -102,6 +83,8 @@ class ValueArray$i {
     return ValuesIn(array);
   }
 
+  ValueArray$i(const ValueArray$i& other) : $for j, [[v$(j)_(other.v$(j)_)]] {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray$i& other);
@@ -180,7 +163,7 @@ $for k [[
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -212,7 +195,7 @@ $for k [[
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType($for j, [[*current$(j)_]]);
+        current_value_.reset(new ParamType($for j, [[*current$(j)_]]));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -237,7 +220,7 @@ $for j [[
     typename ParamGenerator<T$j>::iterator current$(j)_;
 ]]
 
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator$i::Iterator
 
   // No implementation - assignment is unsupported.
@@ -296,6 +279,4 @@ $for j [[
 }  // namespace internal
 }  // namespace testing
 
-#endif  //  GTEST_HAS_PARAM_TEST
-
 #endif  // GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PARAM_UTIL_GENERATED_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util.h
index d5e1028b0..d64f620c4 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util.h
@@ -26,29 +26,49 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 
 // Type and function utilities for implementing parameterized tests.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PARAM_UTIL_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PARAM_UTIL_H_
 
+#include <ctype.h>
+
 #include <iterator>
+#include <set>
 #include <utility>
 #include <vector>
 
-// scripts/fuse_gtest.py depends on gtest's own header being #included
-// *unconditionally*.  Therefore these #includes cannot be moved
-// inside #if GTEST_HAS_PARAM_TEST.
 #include "gtest/internal/gtest-internal.h"
 #include "gtest/internal/gtest-linked_ptr.h"
 #include "gtest/internal/gtest-port.h"
 #include "gtest/gtest-printers.h"
 
-#if GTEST_HAS_PARAM_TEST
-
 namespace testing {
+
+// Input to a parameterized test name generator, describing a test parameter.
+// Consists of the parameter value and the integer parameter index.
+template <class ParamType>
+struct TestParamInfo {
+  TestParamInfo(const ParamType& a_param, size_t an_index) :
+    param(a_param),
+    index(an_index) {}
+  ParamType param;
+  size_t index;
+};
+
+// A builtin parameterized test name generator which returns the result of
+// testing::PrintToString.
+struct PrintToStringParamName {
+  template <class ParamType>
+  std::string operator()(const TestParamInfo<ParamType>& info) const {
+    return PrintToString(info.param);
+  }
+};
+
 namespace internal {
 
 // INTERNAL IMPLEMENTATION - DO NOT USE IN USER CODE.
@@ -58,7 +78,7 @@ namespace internal {
 // TEST_P macro is used to define two tests with the same name
 // but in different namespaces.
 GTEST_API_ void ReportInvalidTestCaseType(const char* test_case_name,
-                                          const char* file, int line);
+                                          CodeLocation code_location);
 
 template <typename> class ParamGeneratorInterface;
 template <typename> class ParamGenerator;
@@ -206,7 +226,7 @@ class RangeGenerator : public ParamGeneratorInterface<T> {
       return base_;
     }
     virtual void Advance() {
-      value_ = value_ + step_;
+      value_ = static_cast<T>(value_ + step_);
       index_++;
     }
     virtual ParamIteratorInterface<T>* Clone() const {
@@ -243,7 +263,7 @@ class RangeGenerator : public ParamGeneratorInterface<T> {
                                const T& end,
                                const IncrementT& step) {
     int end_index = 0;
-    for (T i = begin; i < end; i = i + step)
+    for (T i = begin; i < end; i = static_cast<T>(i + step))
       end_index++;
     return end_index;
   }
@@ -347,6 +367,37 @@ class ValuesInIteratorRangeGenerator : public ParamGeneratorInterface<T> {
 
 // INTERNAL IMPLEMENTATION - DO NOT USE IN USER CODE.
 //
+// Default parameterized test name generator, returns a string containing the
+// integer test parameter index.
+template <class ParamType>
+std::string DefaultParamName(const TestParamInfo<ParamType>& info) {
+  Message name_stream;
+  name_stream << info.index;
+  return name_stream.GetString();
+}
+
+// INTERNAL IMPLEMENTATION - DO NOT USE IN USER CODE.
+//
+// Parameterized test name overload helpers, which help the
+// INSTANTIATE_TEST_CASE_P macro choose between the default parameterized
+// test name generator and user param name generator.
+template <class ParamType, class ParamNameGenFunctor>
+ParamNameGenFunctor GetParamNameGen(ParamNameGenFunctor func) {
+  return func;
+}
+
+template <class ParamType>
+struct ParamNameGenFunc {
+  typedef std::string Type(const TestParamInfo<ParamType>&);
+};
+
+template <class ParamType>
+typename ParamNameGenFunc<ParamType>::Type *GetParamNameGen() {
+  return DefaultParamName;
+}
+
+// INTERNAL IMPLEMENTATION - DO NOT USE IN USER CODE.
+//
 // Stores a parameter value and later creates tests parameterized with that
 // value.
 template <class TestClass>
@@ -417,7 +468,7 @@ class ParameterizedTestCaseInfoBase {
   virtual ~ParameterizedTestCaseInfoBase() {}
 
   // Base part of test case name for display purposes.
-  virtual const string& GetTestCaseName() const = 0;
+  virtual const std::string& GetTestCaseName() const = 0;
   // Test case id to verify identity.
   virtual TypeId GetTestCaseTypeId() const = 0;
   // UnitTest class invokes this method to register tests in this
@@ -449,12 +500,14 @@ class ParameterizedTestCaseInfo : public ParameterizedTestCaseInfoBase {
   typedef typename TestCase::ParamType ParamType;
   // A function that returns an instance of appropriate generator type.
   typedef ParamGenerator<ParamType>(GeneratorCreationFunc)();
+  typedef typename ParamNameGenFunc<ParamType>::Type ParamNameGeneratorFunc;
 
-  explicit ParameterizedTestCaseInfo(const char* name)
-      : test_case_name_(name) {}
+  explicit ParameterizedTestCaseInfo(
+      const char* name, CodeLocation code_location)
+      : test_case_name_(name), code_location_(code_location) {}
 
   // Test case base name for display purposes.
-  virtual const string& GetTestCaseName() const { return test_case_name_; }
+  virtual const std::string& GetTestCaseName() const { return test_case_name_; }
   // Test case id to verify identity.
   virtual TypeId GetTestCaseTypeId() const { return GetTypeId<TestCase>(); }
   // TEST_P macro uses AddTestPattern() to record information
@@ -472,11 +525,12 @@ class ParameterizedTestCaseInfo : public ParameterizedTestCaseInfoBase {
   }
   // INSTANTIATE_TEST_CASE_P macro uses AddGenerator() to record information
   // about a generator.
-  int AddTestCaseInstantiation(const string& instantiation_name,
+  int AddTestCaseInstantiation(const std::string& instantiation_name,
                                GeneratorCreationFunc* func,
-                               const char* /* file */,
-                               int /* line */) {
-    instantiations_.push_back(::std::make_pair(instantiation_name, func));
+                               ParamNameGeneratorFunc* name_func,
+                               const char* file, int line) {
+    instantiations_.push_back(
+        InstantiationInfo(instantiation_name, func, name_func, file, line));
     return 0;  // Return value used only to run this method in namespace scope.
   }
   // UnitTest class invokes this method to register tests in this test case
@@ -491,25 +545,45 @@ class ParameterizedTestCaseInfo : public ParameterizedTestCaseInfoBase {
       for (typename InstantiationContainer::iterator gen_it =
                instantiations_.begin(); gen_it != instantiations_.end();
                ++gen_it) {
-        const string& instantiation_name = gen_it->first;
-        ParamGenerator<ParamType> generator((*gen_it->second)());
+        const std::string& instantiation_name = gen_it->name;
+        ParamGenerator<ParamType> generator((*gen_it->generator)());
+        ParamNameGeneratorFunc* name_func = gen_it->name_func;
+        const char* file = gen_it->file;
+        int line = gen_it->line;
 
-        string test_case_name;
+        std::string test_case_name;
         if ( !instantiation_name.empty() )
           test_case_name = instantiation_name + "/";
         test_case_name += test_info->test_case_base_name;
 
-        int i = 0;
+        size_t i = 0;
+        std::set<std::string> test_param_names;
         for (typename ParamGenerator<ParamType>::iterator param_it =
                  generator.begin();
              param_it != generator.end(); ++param_it, ++i) {
           Message test_name_stream;
-          test_name_stream << test_info->test_base_name << "/" << i;
+
+          std::string param_name = name_func(
+              TestParamInfo<ParamType>(*param_it, i));
+
+          GTEST_CHECK_(IsValidParamName(param_name))
+              << "Parameterized test name '" << param_name
+              << "' is invalid, in " << file
+              << " line " << line << std::endl;
+
+          GTEST_CHECK_(test_param_names.count(param_name) == 0)
+              << "Duplicate parameterized test name '" << param_name
+              << "', in " << file << " line " << line << std::endl;
+
+          test_param_names.insert(param_name);
+
+          test_name_stream << test_info->test_base_name << "/" << param_name;
           MakeAndRegisterTestInfo(
               test_case_name.c_str(),
               test_name_stream.GetString().c_str(),
               NULL,  // No type parameter.
               PrintToString(*param_it).c_str(),
+              code_location_,
               GetTestCaseTypeId(),
               TestCase::SetUpTestCase,
               TestCase::TearDownTestCase,
@@ -530,17 +604,50 @@ class ParameterizedTestCaseInfo : public ParameterizedTestCaseInfoBase {
         test_base_name(a_test_base_name),
         test_meta_factory(a_test_meta_factory) {}
 
-    const string test_case_base_name;
-    const string test_base_name;
+    const std::string test_case_base_name;
+    const std::string test_base_name;
     const scoped_ptr<TestMetaFactoryBase<ParamType> > test_meta_factory;
   };
   typedef ::std::vector<linked_ptr<TestInfo> > TestInfoContainer;
-  // Keeps pairs of <Instantiation name, Sequence generator creation function>
-  // received from INSTANTIATE_TEST_CASE_P macros.
-  typedef ::std::vector<std::pair<string, GeneratorCreationFunc*> >
-      InstantiationContainer;
+  // Records data received from INSTANTIATE_TEST_CASE_P macros:
+  //  <Instantiation name, Sequence generator creation function,
+  //     Name generator function, Source file, Source line>
+  struct InstantiationInfo {
+      InstantiationInfo(const std::string &name_in,
+                        GeneratorCreationFunc* generator_in,
+                        ParamNameGeneratorFunc* name_func_in,
+                        const char* file_in,
+                        int line_in)
+          : name(name_in),
+            generator(generator_in),
+            name_func(name_func_in),
+            file(file_in),
+            line(line_in) {}
+
+      std::string name;
+      GeneratorCreationFunc* generator;
+      ParamNameGeneratorFunc* name_func;
+      const char* file;
+      int line;
+  };
+  typedef ::std::vector<InstantiationInfo> InstantiationContainer;
 
-  const string test_case_name_;
+  static bool IsValidParamName(const std::string& name) {
+    // Check for empty string
+    if (name.empty())
+      return false;
+
+    // Check for invalid characters
+    for (std::string::size_type index = 0; index < name.size(); ++index) {
+      if (!isalnum(name[index]) && name[index] != '_')
+        return false;
+    }
+
+    return true;
+  }
+
+  const std::string test_case_name_;
+  CodeLocation code_location_;
   TestInfoContainer tests_;
   InstantiationContainer instantiations_;
 
@@ -568,8 +675,7 @@ class ParameterizedTestCaseRegistry {
   template <class TestCase>
   ParameterizedTestCaseInfo<TestCase>* GetTestCasePatternHolder(
       const char* test_case_name,
-      const char* file,
-      int line) {
+      CodeLocation code_location) {
     ParameterizedTestCaseInfo<TestCase>* typed_test_info = NULL;
     for (TestCaseInfoContainer::iterator it = test_case_infos_.begin();
          it != test_case_infos_.end(); ++it) {
@@ -578,7 +684,7 @@ class ParameterizedTestCaseRegistry {
           // Complain about incorrect usage of Google Test facilities
           // and terminate the program since we cannot guaranty correct
           // test case setup and tear-down in this case.
-          ReportInvalidTestCaseType(test_case_name,  file, line);
+          ReportInvalidTestCaseType(test_case_name, code_location);
           posix::Abort();
         } else {
           // At this point we are sure that the object we found is of the same
@@ -591,7 +697,8 @@ class ParameterizedTestCaseRegistry {
       }
     }
     if (typed_test_info == NULL) {
-      typed_test_info = new ParameterizedTestCaseInfo<TestCase>(test_case_name);
+      typed_test_info = new ParameterizedTestCaseInfo<TestCase>(
+          test_case_name, code_location);
       test_case_infos_.push_back(typed_test_info);
     }
     return typed_test_info;
@@ -614,6 +721,4 @@ class ParameterizedTestCaseRegistry {
 }  // namespace internal
 }  // namespace testing
 
-#endif  //  GTEST_HAS_PARAM_TEST
-
 #endif  // GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PARAM_UTIL_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-port-arch.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-port-arch.h
new file mode 100644
index 000000000..f83700e06
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-port-arch.h
@@ -0,0 +1,100 @@
+// Copyright 2015, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+// The Google C++ Testing and Mocking Framework (Google Test)
+//
+// This header file defines the GTEST_OS_* macro.
+// It is separate from gtest-port.h so that custom/gtest-port.h can include it.
+
+#ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PORT_ARCH_H_
+#define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PORT_ARCH_H_
+
+// Determines the platform on which Google Test is compiled.
+#ifdef __CYGWIN__
+# define GTEST_OS_CYGWIN 1
+#elif defined __SYMBIAN32__
+# define GTEST_OS_SYMBIAN 1
+#elif defined _WIN32
+# define GTEST_OS_WINDOWS 1
+# ifdef _WIN32_WCE
+#  define GTEST_OS_WINDOWS_MOBILE 1
+# elif defined(__MINGW__) || defined(__MINGW32__)
+#  define GTEST_OS_WINDOWS_MINGW 1
+# elif defined(WINAPI_FAMILY)
+#  include <winapifamily.h>
+#  if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
+#   define GTEST_OS_WINDOWS_DESKTOP 1
+#  elif WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_PHONE_APP)
+#   define GTEST_OS_WINDOWS_PHONE 1
+#  elif WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP)
+#   define GTEST_OS_WINDOWS_RT 1
+#  elif WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_TV_TITLE)
+#   define GTEST_OS_WINDOWS_PHONE 1
+#   define GTEST_OS_WINDOWS_TV_TITLE 1
+#  else
+    // WINAPI_FAMILY defined but no known partition matched.
+    // Default to desktop.
+#   define GTEST_OS_WINDOWS_DESKTOP 1
+#  endif
+# else
+#  define GTEST_OS_WINDOWS_DESKTOP 1
+# endif  // _WIN32_WCE
+#elif defined __APPLE__
+# define GTEST_OS_MAC 1
+# if TARGET_OS_IPHONE
+#  define GTEST_OS_IOS 1
+# endif
+#elif defined __FreeBSD__
+# define GTEST_OS_FREEBSD 1
+#elif defined __Fuchsia__
+# define GTEST_OS_FUCHSIA 1
+#elif defined __linux__
+# define GTEST_OS_LINUX 1
+# if defined __ANDROID__
+#  define GTEST_OS_LINUX_ANDROID 1
+# endif
+#elif defined __MVS__
+# define GTEST_OS_ZOS 1
+#elif defined(__sun) && defined(__SVR4)
+# define GTEST_OS_SOLARIS 1
+#elif defined(_AIX)
+# define GTEST_OS_AIX 1
+#elif defined(__hpux)
+# define GTEST_OS_HPUX 1
+#elif defined __native_client__
+# define GTEST_OS_NACL 1
+#elif defined __NetBSD__
+# define GTEST_OS_NETBSD 1
+#elif defined __OpenBSD__
+# define GTEST_OS_OPENBSD 1
+#elif defined __QNX__
+# define GTEST_OS_QNX 1
+#endif  // __CYGWIN__
+
+#endif  // GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PORT_ARCH_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-port.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-port.h
index f376dfa00..786497d85 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-port.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-port.h
@@ -27,8 +27,6 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: wan@google.com (Zhanyong Wan)
-//
 // Low-level types and utilities for porting Google Test to various
 // platforms.  All macros ending with _ and symbols defined in an
 // internal namespace are subject to change without notice.  Code
@@ -40,6 +38,8 @@
 // files are expected to #include this.  Therefore, it cannot #include
 // any other Google Test header.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PORT_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PORT_H_
 
@@ -73,11 +73,9 @@
 //   GTEST_HAS_EXCEPTIONS     - Define it to 1/0 to indicate that exceptions
 //                              are enabled.
 //   GTEST_HAS_GLOBAL_STRING  - Define it to 1/0 to indicate that ::string
-//                              is/isn't available (some systems define
-//                              ::string, which is different to std::string).
-//   GTEST_HAS_GLOBAL_WSTRING - Define it to 1/0 to indicate that ::string
-//                              is/isn't available (some systems define
-//                              ::wstring, which is different to std::wstring).
+//                              is/isn't available
+//   GTEST_HAS_GLOBAL_WSTRING - Define it to 1/0 to indicate that ::wstring
+//                              is/isn't available
 //   GTEST_HAS_POSIX_RE       - Define it to 1/0 to indicate that POSIX regular
 //                              expressions are/aren't available.
 //   GTEST_HAS_PTHREAD        - Define it to 1/0 to indicate that <pthread.h>
@@ -109,6 +107,12 @@
 //   GTEST_CREATE_SHARED_LIBRARY
 //                            - Define to 1 when compiling Google Test itself
 //                              as a shared library.
+//   GTEST_DEFAULT_DEATH_TEST_STYLE
+//                            - The default value of --gtest_death_test_style.
+//                              The legacy default has been "fast" in the open
+//                              source version since 2008. The recommended value
+//                              is "threadsafe", and can be set in
+//                              custom/gtest-port.h.
 
 // Platform-indicating macros
 // --------------------------
@@ -121,13 +125,15 @@
 //
 //   GTEST_OS_AIX      - IBM AIX
 //   GTEST_OS_CYGWIN   - Cygwin
+//   GTEST_OS_FREEBSD  - FreeBSD
+//   GTEST_OS_FUCHSIA  - Fuchsia
 //   GTEST_OS_HPUX     - HP-UX
 //   GTEST_OS_LINUX    - Linux
 //     GTEST_OS_LINUX_ANDROID - Google Android
 //   GTEST_OS_MAC      - Mac OS X
 //     GTEST_OS_IOS    - iOS
-//       GTEST_OS_IOS_SIMULATOR - iOS simulator
 //   GTEST_OS_NACL     - Google Native Client (NaCl)
+//   GTEST_OS_NETBSD   - NetBSD
 //   GTEST_OS_OPENBSD  - OpenBSD
 //   GTEST_OS_QNX      - QNX
 //   GTEST_OS_SOLARIS  - Sun Solaris
@@ -169,15 +175,15 @@
 //   GTEST_HAS_COMBINE      - the Combine() function (for value-parameterized
 //                            tests)
 //   GTEST_HAS_DEATH_TEST   - death tests
-//   GTEST_HAS_PARAM_TEST   - value-parameterized tests
 //   GTEST_HAS_TYPED_TEST   - typed tests
 //   GTEST_HAS_TYPED_TEST_P - type-parameterized tests
 //   GTEST_IS_THREADSAFE    - Google Test is thread-safe.
+//   GOOGLETEST_CM0007 DO NOT DELETE
 //   GTEST_USES_POSIX_RE    - enhanced POSIX regex is used. Do not confuse with
 //                            GTEST_HAS_POSIX_RE (see above) which users can
 //                            define themselves.
 //   GTEST_USES_SIMPLE_RE   - our own simple regex is used;
-//                            the above two are mutually exclusive.
+//                            the above RE\b(s) are mutually exclusive.
 //   GTEST_CAN_COMPARE_NULL - accepts untyped NULL in EXPECT_EQ().
 
 // Misc public macros
@@ -206,7 +212,8 @@
 //
 // C++11 feature wrappers:
 //
-//   GTEST_MOVE_          - portability wrapper for std::move.
+//   testing::internal::forward - portability wrapper for std::forward.
+//   testing::internal::move  - portability wrapper for std::move.
 //
 // Synchronization:
 //   Mutex, MutexLock, ThreadLocal, GetThreadCount()
@@ -222,10 +229,10 @@
 //
 // Regular expressions:
 //   RE             - a simple regular expression class using the POSIX
-//                    Extended Regular Expression syntax on UNIX-like
-//                    platforms, or a reduced regular exception syntax on
-//                    other platforms, including Windows.
-//
+//                    Extended Regular Expression syntax on UNIX-like platforms
+//                    GOOGLETEST_CM0008 DO NOT DELETE
+//                    or a reduced regular exception syntax on other
+//                    platforms, including Windows.
 // Logging:
 //   GTEST_LOG_()   - logs messages at the specified severity level.
 //   LogToStderr()  - directs all log messages to stderr.
@@ -271,18 +278,30 @@
 # include <TargetConditionals.h>
 #endif
 
+// Brings in the definition of HAS_GLOBAL_STRING.  This must be done
+// BEFORE we test HAS_GLOBAL_STRING.
+#include <string>  // NOLINT
 #include <algorithm>  // NOLINT
 #include <iostream>  // NOLINT
 #include <sstream>  // NOLINT
-#include <string>  // NOLINT
 #include <utility>
+#include <vector>  // NOLINT
 
-#define GTEST_DEV_EMAIL_ "googletestframework@@googlegroups.com"
-#define GTEST_FLAG_PREFIX_ "gtest_"
-#define GTEST_FLAG_PREFIX_DASH_ "gtest-"
-#define GTEST_FLAG_PREFIX_UPPER_ "GTEST_"
-#define GTEST_NAME_ "Google Test"
-#define GTEST_PROJECT_URL_ "http://code.google.com/p/googletest/"
+#include "gtest/internal/gtest-port-arch.h"
+#include "gtest/internal/custom/gtest-port.h"
+
+#if !defined(GTEST_DEV_EMAIL_)
+# define GTEST_DEV_EMAIL_ "googletestframework@@googlegroups.com"
+# define GTEST_FLAG_PREFIX_ "gtest_"
+# define GTEST_FLAG_PREFIX_DASH_ "gtest-"
+# define GTEST_FLAG_PREFIX_UPPER_ "GTEST_"
+# define GTEST_NAME_ "Google Test"
+# define GTEST_PROJECT_URL_ "https://github.com/google/googletest/"
+#endif  // !defined(GTEST_DEV_EMAIL_)
+
+#if !defined(GTEST_INIT_GOOGLE_TEST_NAME_)
+# define GTEST_INIT_GOOGLE_TEST_NAME_ "testing::InitGoogleTest"
+#endif  // !defined(GTEST_INIT_GOOGLE_TEST_NAME_)
 
 // Determines the version of gcc that is used to compile this.
 #ifdef __GNUC__
@@ -291,68 +310,12 @@
     (__GNUC__*10000 + __GNUC_MINOR__*100 + __GNUC_PATCHLEVEL__)
 #endif  // __GNUC__
 
-// Determines the platform on which Google Test is compiled.
-#ifdef __CYGWIN__
-# define GTEST_OS_CYGWIN 1
-#elif defined __SYMBIAN32__
-# define GTEST_OS_SYMBIAN 1
-#elif defined _WIN32
-# define GTEST_OS_WINDOWS 1
-# ifdef _WIN32_WCE
-#  define GTEST_OS_WINDOWS_MOBILE 1
-# elif defined(__MINGW__) || defined(__MINGW32__)
-#  define GTEST_OS_WINDOWS_MINGW 1
-# elif defined(WINAPI_FAMILY)
-#  include <winapifamily.h>
-#  if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
-#   define GTEST_OS_WINDOWS_DESKTOP 1
-#  elif WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_PHONE_APP)
-#   define GTEST_OS_WINDOWS_PHONE 1
-#  elif WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP)
-#   define GTEST_OS_WINDOWS_RT 1
-#  else
-    // WINAPI_FAMILY defined but no known partition matched.
-    // Default to desktop.
-#   define GTEST_OS_WINDOWS_DESKTOP 1
-#  endif
-# else
-#  define GTEST_OS_WINDOWS_DESKTOP 1
-# endif  // _WIN32_WCE
-#elif defined __APPLE__
-# define GTEST_OS_MAC 1
-# if TARGET_OS_IPHONE
-#  define GTEST_OS_IOS 1
-#  if TARGET_IPHONE_SIMULATOR
-#   define GTEST_OS_IOS_SIMULATOR 1
-#  endif
-# endif
-#elif defined __linux__
-# define GTEST_OS_LINUX 1
-# if defined __ANDROID__
-#  define GTEST_OS_LINUX_ANDROID 1
-# endif
-#elif defined __MVS__
-# define GTEST_OS_ZOS 1
-#elif defined(__sun) && defined(__SVR4)
-# define GTEST_OS_SOLARIS 1
-#elif defined(_AIX)
-# define GTEST_OS_AIX 1
-#elif defined(__hpux)
-# define GTEST_OS_HPUX 1
-#elif defined __native_client__
-# define GTEST_OS_NACL 1
-#elif defined __OpenBSD__
-# define GTEST_OS_OPENBSD 1
-#elif defined __QNX__
-# define GTEST_OS_QNX 1
-#endif  // __CYGWIN__
-
 // Macros for disabling Microsoft Visual C++ warnings.
 //
 //   GTEST_DISABLE_MSC_WARNINGS_PUSH_(4800 4385)
 //   /* code that triggers warnings C4800 and C4385 */
 //   GTEST_DISABLE_MSC_WARNINGS_POP_()
-#if _MSC_VER >= 1500
+#if _MSC_VER >= 1400
 # define GTEST_DISABLE_MSC_WARNINGS_PUSH_(warnings) \
     __pragma(warning(push))                        \
     __pragma(warning(disable: warnings))
@@ -364,12 +327,28 @@
 # define GTEST_DISABLE_MSC_WARNINGS_POP_()
 #endif
 
+// Clang on Windows does not understand MSVC's pragma warning.
+// We need clang-specific way to disable function deprecation warning.
+#ifdef __clang__
+# define GTEST_DISABLE_MSC_DEPRECATED_PUSH_()                         \
+    _Pragma("clang diagnostic push")                                  \
+    _Pragma("clang diagnostic ignored \"-Wdeprecated-declarations\"") \
+    _Pragma("clang diagnostic ignored \"-Wdeprecated-implementations\"")
+#define GTEST_DISABLE_MSC_DEPRECATED_POP_() \
+    _Pragma("clang diagnostic pop")
+#else
+# define GTEST_DISABLE_MSC_DEPRECATED_PUSH_() \
+    GTEST_DISABLE_MSC_WARNINGS_PUSH_(4996)
+# define GTEST_DISABLE_MSC_DEPRECATED_POP_() \
+    GTEST_DISABLE_MSC_WARNINGS_POP_()
+#endif
+
 #ifndef GTEST_LANG_CXX11
 // gcc and clang define __GXX_EXPERIMENTAL_CXX0X__ when
 // -std={c,gnu}++{0x,11} is passed.  The C++11 standard specifies a
 // value for __cplusplus, and recent versions of clang, gcc, and
 // probably other compilers set that too in C++11 mode.
-# if __GXX_EXPERIMENTAL_CXX0X__ || __cplusplus >= 201103L
+# if __GXX_EXPERIMENTAL_CXX0X__ || __cplusplus >= 201103L || _MSC_VER >= 1900
 // Compiling in at least C++11 mode.
 #  define GTEST_LANG_CXX11 1
 # else
@@ -377,12 +356,40 @@
 # endif
 #endif
 
-// C++11 specifies that <initializer_list> provides std::initializer_list. Use
-// that if gtest is used in C++11 mode and libstdc++ isn't very old (binaries
-// targeting OS X 10.6 can build with clang but need to use gcc4.2's
-// libstdc++).
-#if GTEST_LANG_CXX11 && (!defined(__GLIBCXX__) || __GLIBCXX__ > 20110325)
+// Distinct from C++11 language support, some environments don't provide
+// proper C++11 library support. Notably, it's possible to build in
+// C++11 mode when targeting Mac OS X 10.6, which has an old libstdc++
+// with no C++11 support.
+//
+// libstdc++ has sufficient C++11 support as of GCC 4.6.0, __GLIBCXX__
+// 20110325, but maintenance releases in the 4.4 and 4.5 series followed
+// this date, so check for those versions by their date stamps.
+// https://gcc.gnu.org/onlinedocs/libstdc++/manual/abi.html#abi.versioning
+#if GTEST_LANG_CXX11 && \
+    (!defined(__GLIBCXX__) || ( \
+        __GLIBCXX__ >= 20110325ul &&  /* GCC >= 4.6.0 */ \
+        /* Blacklist of patch releases of older branches: */ \
+        __GLIBCXX__ != 20110416ul &&  /* GCC 4.4.6 */ \
+        __GLIBCXX__ != 20120313ul &&  /* GCC 4.4.7 */ \
+        __GLIBCXX__ != 20110428ul &&  /* GCC 4.5.3 */ \
+        __GLIBCXX__ != 20120702ul))   /* GCC 4.5.4 */
+# define GTEST_STDLIB_CXX11 1
+#endif
+
+// Only use C++11 library features if the library provides them.
+#if GTEST_STDLIB_CXX11
+# define GTEST_HAS_STD_BEGIN_AND_END_ 1
+# define GTEST_HAS_STD_FORWARD_LIST_ 1
+# if !defined(_MSC_VER) || (_MSC_FULL_VER >= 190023824)
+// works only with VS2015U2 and better
+#   define GTEST_HAS_STD_FUNCTION_ 1
+# endif
 # define GTEST_HAS_STD_INITIALIZER_LIST_ 1
+# define GTEST_HAS_STD_MOVE_ 1
+# define GTEST_HAS_STD_UNIQUE_PTR_ 1
+# define GTEST_HAS_STD_SHARED_PTR_ 1
+# define GTEST_HAS_UNORDERED_MAP_ 1
+# define GTEST_HAS_UNORDERED_SET_ 1
 #endif
 
 // C++11 specifies that <tuple> provides std::tuple.
@@ -390,7 +397,8 @@
 #if GTEST_LANG_CXX11
 # define GTEST_HAS_STD_TUPLE_ 1
 # if defined(__clang__)
-// Inspired by http://clang.llvm.org/docs/LanguageExtensions.html#__has_include
+// Inspired by
+// https://clang.llvm.org/docs/LanguageExtensions.html#include-file-checking-macros
 #  if defined(__has_include) && !__has_include(<tuple>)
 #   undef GTEST_HAS_STD_TUPLE_
 #  endif
@@ -402,7 +410,7 @@
 # elif defined(__GLIBCXX__)
 // Inspired by boost/config/stdlib/libstdcpp3.hpp,
 // http://gcc.gnu.org/gcc-4.2/changes.html and
-// http://gcc.gnu.org/onlinedocs/libstdc++/manual/bk01pt01ch01.html#manual.intro.status.standard.200x
+// https://web.archive.org/web/20140227044429/gcc.gnu.org/onlinedocs/libstdc++/manual/bk01pt01ch01.html#manual.intro.status.standard.200x
 #  if __GNUC__ < 4 || (__GNUC__ == 4 && __GNUC_MINOR__ < 2)
 #   undef GTEST_HAS_STD_TUPLE_
 #  endif
@@ -418,10 +426,16 @@
 #  include <io.h>
 # endif
 // In order to avoid having to include <windows.h>, use forward declaration
-// assuming CRITICAL_SECTION is a typedef of _RTL_CRITICAL_SECTION.
+#if GTEST_OS_WINDOWS_MINGW && !defined(__MINGW64_VERSION_MAJOR)
+// MinGW defined _CRITICAL_SECTION and _RTL_CRITICAL_SECTION as two
+// separate (equivalent) structs, instead of using typedef
+typedef struct _CRITICAL_SECTION GTEST_CRITICAL_SECTION;
+#else
+// Assume CRITICAL_SECTION is a typedef of _RTL_CRITICAL_SECTION.
 // This assumption is verified by
 // WindowsTypesTest.CRITICAL_SECTIONIs_RTL_CRITICAL_SECTION.
-struct _RTL_CRITICAL_SECTION;
+typedef struct _RTL_CRITICAL_SECTION GTEST_CRITICAL_SECTION;
+#endif
 #else
 // This assumes that non-Windows OSes provide unistd.h. For OSes where this
 // is not the case, we need to include headers that provide the functions
@@ -445,7 +459,10 @@ struct _RTL_CRITICAL_SECTION;
 # endif
 #endif
 
-#if GTEST_HAS_POSIX_RE
+#if GTEST_USES_PCRE
+// The appropriate headers have already been included.
+
+#elif GTEST_HAS_POSIX_RE
 
 // On some platforms, <regex.h> needs someone to define size_t, and
 // won't compile otherwise.  We can #include it here as we already
@@ -467,19 +484,31 @@ struct _RTL_CRITICAL_SECTION;
 // simple regex implementation instead.
 # define GTEST_USES_SIMPLE_RE 1
 
-#endif  // GTEST_HAS_POSIX_RE
+#endif  // GTEST_USES_PCRE
 
 #ifndef GTEST_HAS_EXCEPTIONS
 // The user didn't tell us whether exceptions are enabled, so we need
 // to figure it out.
-# if defined(_MSC_VER) || defined(__BORLANDC__)
-// MSVC's and C++Builder's implementations of the STL use the _HAS_EXCEPTIONS
+# if defined(_MSC_VER) && defined(_CPPUNWIND)
+// MSVC defines _CPPUNWIND to 1 iff exceptions are enabled.
+#  define GTEST_HAS_EXCEPTIONS 1
+# elif defined(__BORLANDC__)
+// C++Builder's implementation of the STL uses the _HAS_EXCEPTIONS
 // macro to enable exceptions, so we'll do the same.
 // Assumes that exceptions are enabled by default.
 #  ifndef _HAS_EXCEPTIONS
 #   define _HAS_EXCEPTIONS 1
 #  endif  // _HAS_EXCEPTIONS
 #  define GTEST_HAS_EXCEPTIONS _HAS_EXCEPTIONS
+# elif defined(__clang__)
+// clang defines __EXCEPTIONS iff exceptions are enabled before clang 220714,
+// but iff cleanups are enabled after that. In Obj-C++ files, there can be
+// cleanups for ObjC exceptions which also need cleanups, even if C++ exceptions
+// are disabled. clang has __has_feature(cxx_exceptions) which checks for C++
+// exceptions starting at clang r206352, but which checked for cleanups prior to
+// that. To reliably check for C++ exception availability with clang, check for
+// __EXCEPTIONS && __has_feature(cxx_exceptions).
+#  define GTEST_HAS_EXCEPTIONS (__EXCEPTIONS && __has_feature(cxx_exceptions))
 # elif defined(__GNUC__) && __EXCEPTIONS
 // gcc defines __EXCEPTIONS to 1 iff exceptions are enabled.
 #  define GTEST_HAS_EXCEPTIONS 1
@@ -508,21 +537,17 @@ struct _RTL_CRITICAL_SECTION;
 # define GTEST_HAS_STD_STRING 1
 #elif !GTEST_HAS_STD_STRING
 // The user told us that ::std::string isn't available.
-# error "Google Test cannot be used where ::std::string isn't available."
+# error "::std::string isn't available."
 #endif  // !defined(GTEST_HAS_STD_STRING)
 
 #ifndef GTEST_HAS_GLOBAL_STRING
-// The user didn't tell us whether ::string is available, so we need
-// to figure it out.
-
 # define GTEST_HAS_GLOBAL_STRING 0
-
 #endif  // GTEST_HAS_GLOBAL_STRING
 
 #ifndef GTEST_HAS_STD_WSTRING
 // The user didn't tell us whether ::std::wstring is available, so we need
 // to figure it out.
-// TODO(wan@google.com): uses autoconf to detect whether ::std::wstring
+// FIXME: uses autoconf to detect whether ::std::wstring
 //   is available.
 
 // Cygwin 1.7 and below doesn't support ::std::wstring.
@@ -605,13 +630,14 @@ struct _RTL_CRITICAL_SECTION;
 
 // Determines whether Google Test can use the pthreads library.
 #ifndef GTEST_HAS_PTHREAD
-// The user didn't tell us explicitly, so we assume pthreads support is
-// available on Linux and Mac.
+// The user didn't tell us explicitly, so we make reasonable assumptions about
+// which platforms have pthreads support.
 //
 // To disable threading support in Google Test, add -DGTEST_HAS_PTHREAD=0
 // to your compiler flags.
-# define GTEST_HAS_PTHREAD (GTEST_OS_LINUX || GTEST_OS_MAC || GTEST_OS_HPUX \
-    || GTEST_OS_QNX)
+#define GTEST_HAS_PTHREAD                                             \
+  (GTEST_OS_LINUX || GTEST_OS_MAC || GTEST_OS_HPUX || GTEST_OS_QNX || \
+   GTEST_OS_FREEBSD || GTEST_OS_NACL || GTEST_OS_NETBSD || GTEST_OS_FUCHSIA)
 #endif  // GTEST_HAS_PTHREAD
 
 #if GTEST_HAS_PTHREAD
@@ -623,6 +649,15 @@ struct _RTL_CRITICAL_SECTION;
 # include <time.h>  // NOLINT
 #endif
 
+// Determines if hash_map/hash_set are available.
+// Only used for testing against those containers.
+#if !defined(GTEST_HAS_HASH_MAP_)
+# if defined(_MSC_VER) && (_MSC_VER < 1900)
+#  define GTEST_HAS_HASH_MAP_ 1  // Indicates that hash_map is available.
+#  define GTEST_HAS_HASH_SET_ 1  // Indicates that hash_set is available.
+# endif  // _MSC_VER
+#endif  // !defined(GTEST_HAS_HASH_MAP_)
+
 // Determines whether Google Test can use tr1/tuple.  You can define
 // this macro to 0 to prevent Google Test from using tuple (any
 // feature depending on tuple with be disabled in this mode).
@@ -630,6 +665,14 @@ struct _RTL_CRITICAL_SECTION;
 # if GTEST_OS_LINUX_ANDROID && defined(_STLPORT_MAJOR)
 // STLport, provided with the Android NDK, has neither <tr1/tuple> or <tuple>.
 #  define GTEST_HAS_TR1_TUPLE 0
+# elif defined(_MSC_VER) && (_MSC_VER >= 1910)
+// Prevent `warning C4996: 'std::tr1': warning STL4002:
+// The non-Standard std::tr1 namespace and TR1-only machinery
+// are deprecated and will be REMOVED.`
+#  define GTEST_HAS_TR1_TUPLE 0
+# elif GTEST_LANG_CXX11 && defined(_LIBCPP_VERSION)
+// libc++ doesn't support TR1.
+#  define GTEST_HAS_TR1_TUPLE 0
 # else
 // The user didn't tell us not to do it, so we assume it's OK.
 #  define GTEST_HAS_TR1_TUPLE 1
@@ -639,6 +682,10 @@ struct _RTL_CRITICAL_SECTION;
 // Determines whether Google Test's own tr1 tuple implementation
 // should be used.
 #ifndef GTEST_USE_OWN_TR1_TUPLE
+// We use our own tuple implementation on Symbian.
+# if GTEST_OS_SYMBIAN
+#  define GTEST_USE_OWN_TR1_TUPLE 1
+# else
 // The user didn't tell us, so we need to figure it out.
 
 // We use our own TR1 tuple if we aren't sure the user has an
@@ -652,7 +699,8 @@ struct _RTL_CRITICAL_SECTION;
 // support TR1 tuple.  libc++ only provides std::tuple, in C++11 mode,
 // and it can be used with some compilers that define __GNUC__.
 # if (defined(__GNUC__) && !defined(__CUDACC__) && (GTEST_GCC_VER_ >= 40000) \
-      && !GTEST_OS_QNX && !defined(_LIBCPP_VERSION)) || _MSC_VER >= 1600
+      && !GTEST_OS_QNX && !defined(_LIBCPP_VERSION)) \
+      || (_MSC_VER >= 1600 && _MSC_VER < 1900)
 #  define GTEST_ENV_HAS_TR1_TUPLE_ 1
 # endif
 
@@ -668,12 +716,11 @@ struct _RTL_CRITICAL_SECTION;
 # else
 #  define GTEST_USE_OWN_TR1_TUPLE 1
 # endif
-
+# endif  // GTEST_OS_SYMBIAN
 #endif  // GTEST_USE_OWN_TR1_TUPLE
 
-// To avoid conditional compilation everywhere, we make it
-// gtest-port.h's responsibility to #include the header implementing
-// tuple.
+// To avoid conditional compilation we make it gtest-port.h's responsibility
+// to #include the header implementing tuple.
 #if GTEST_HAS_STD_TUPLE_
 # include <tuple>  // IWYU pragma: export
 # define GTEST_TUPLE_NAMESPACE_ ::std
@@ -688,22 +735,6 @@ struct _RTL_CRITICAL_SECTION;
 
 # if GTEST_USE_OWN_TR1_TUPLE
 #  include "gtest/internal/gtest-tuple.h"  // IWYU pragma: export  // NOLINT
-# elif GTEST_ENV_HAS_STD_TUPLE_
-#  include <tuple>
-// C++11 puts its tuple into the ::std namespace rather than
-// ::std::tr1.  gtest expects tuple to live in ::std::tr1, so put it there.
-// This causes undefined behavior, but supported compilers react in
-// the way we intend.
-namespace std {
-namespace tr1 {
-using ::std::get;
-using ::std::make_tuple;
-using ::std::tuple;
-using ::std::tuple_element;
-using ::std::tuple_size;
-}
-}
-
 # elif GTEST_OS_SYMBIAN
 
 // On Symbian, BOOST_HAS_TR1_TUPLE causes Boost's TR1 tuple library to
@@ -728,20 +759,22 @@ using ::std::tuple_size;
 // Until version 4.3.2, gcc has a bug that causes <tr1/functional>,
 // which is #included by <tr1/tuple>, to not compile when RTTI is
 // disabled.  _TR1_FUNCTIONAL is the header guard for
-// <tr1/functional>.  Hence the following #define is a hack to prevent
+// <tr1/functional>.  Hence the following #define is used to prevent
 // <tr1/functional> from being included.
 #   define _TR1_FUNCTIONAL 1
 #   include <tr1/tuple>
 #   undef _TR1_FUNCTIONAL  // Allows the user to #include
-                        // <tr1/functional> if he chooses to.
+                        // <tr1/functional> if they choose to.
 #  else
 #   include <tr1/tuple>  // NOLINT
 #  endif  // !GTEST_HAS_RTTI && GTEST_GCC_VER_ < 40302
 
-# else
-// If the compiler is not GCC 4.0+, we assume the user is using a
-// spec-conforming TR1 implementation.
+// VS 2010 now has tr1 support.
+# elif _MSC_VER >= 1600
 #  include <tuple>  // IWYU pragma: export  // NOLINT
+
+# else  // GTEST_USE_OWN_TR1_TUPLE
+#  include <tr1/tuple>  // IWYU pragma: export  // NOLINT
 # endif  // GTEST_USE_OWN_TR1_TUPLE
 
 #endif  // GTEST_HAS_TR1_TUPLE
@@ -755,8 +788,12 @@ using ::std::tuple_size;
 
 # if GTEST_OS_LINUX && !defined(__ia64__)
 #  if GTEST_OS_LINUX_ANDROID
-// On Android, clone() is only available on ARM starting with Gingerbread.
-#    if defined(__arm__) && __ANDROID_API__ >= 9
+// On Android, clone() became available at different API levels for each 32-bit
+// architecture.
+#    if defined(__LP64__) || \
+        (defined(__arm__) && __ANDROID_API__ >= 9) || \
+        (defined(__mips__) && __ANDROID_API__ >= 12) || \
+        (defined(__i386__) && __ANDROID_API__ >= 17)
 #     define GTEST_HAS_CLONE 1
 #    else
 #     define GTEST_HAS_CLONE 0
@@ -787,20 +824,15 @@ using ::std::tuple_size;
 // Google Test does not support death tests for VC 7.1 and earlier as
 // abort() in a VC 7.1 application compiled as GUI in debug config
 // pops up a dialog window that cannot be suppressed programmatically.
-#if (GTEST_OS_LINUX || GTEST_OS_CYGWIN || GTEST_OS_SOLARIS || \
-     (GTEST_OS_MAC && !GTEST_OS_IOS) || GTEST_OS_IOS_SIMULATOR || \
-     (GTEST_OS_WINDOWS_DESKTOP && _MSC_VER >= 1400) || \
+#if (GTEST_OS_LINUX || GTEST_OS_CYGWIN || GTEST_OS_SOLARIS ||   \
+     (GTEST_OS_MAC && !GTEST_OS_IOS) ||                         \
+     (GTEST_OS_WINDOWS_DESKTOP && _MSC_VER >= 1400) ||          \
      GTEST_OS_WINDOWS_MINGW || GTEST_OS_AIX || GTEST_OS_HPUX || \
-     GTEST_OS_OPENBSD || GTEST_OS_QNX)
+     GTEST_OS_OPENBSD || GTEST_OS_QNX || GTEST_OS_FREEBSD || \
+     GTEST_OS_NETBSD || GTEST_OS_FUCHSIA)
 # define GTEST_HAS_DEATH_TEST 1
-# include <vector>  // NOLINT
 #endif
 
-// We don't support MSVC 7.1 with exceptions disabled now.  Therefore
-// all the compilers we care about are adequate for supporting
-// value-parameterized tests.
-#define GTEST_HAS_PARAM_TEST 1
-
 // Determines whether to support type-driven tests.
 
 // Typed tests need <typeinfo> and variadic macros, which GCC, VC++ 8.0,
@@ -815,7 +847,7 @@ using ::std::tuple_size;
 // value-parameterized tests are enabled.  The implementation doesn't
 // work on Sun Studio since it doesn't understand templated conversion
 // operators.
-#if GTEST_HAS_PARAM_TEST && GTEST_HAS_TR1_TUPLE && !defined(__SUNPRO_CC)
+#if (GTEST_HAS_TR1_TUPLE || GTEST_HAS_STD_TUPLE_) && !defined(__SUNPRO_CC)
 # define GTEST_HAS_COMBINE 1
 #endif
 
@@ -857,19 +889,48 @@ using ::std::tuple_size;
 // compiler the variable/parameter does not have to be used.
 #if defined(__GNUC__) && !defined(COMPILER_ICC)
 # define GTEST_ATTRIBUTE_UNUSED_ __attribute__ ((unused))
-#else
+#elif defined(__clang__)
+# if __has_attribute(unused)
+#  define GTEST_ATTRIBUTE_UNUSED_ __attribute__ ((unused))
+# endif
+#endif
+#ifndef GTEST_ATTRIBUTE_UNUSED_
 # define GTEST_ATTRIBUTE_UNUSED_
 #endif
 
+#if GTEST_LANG_CXX11
+# define GTEST_CXX11_EQUALS_DELETE_ = delete
+#else  // GTEST_LANG_CXX11
+# define GTEST_CXX11_EQUALS_DELETE_
+#endif  // GTEST_LANG_CXX11
+
+// Use this annotation before a function that takes a printf format string.
+#if (defined(__GNUC__) || defined(__clang__)) && !defined(COMPILER_ICC)
+# if defined(__MINGW_PRINTF_FORMAT)
+// MinGW has two different printf implementations. Ensure the format macro
+// matches the selected implementation. See
+// https://sourceforge.net/p/mingw-w64/wiki2/gnu%20printf/.
+#  define GTEST_ATTRIBUTE_PRINTF_(string_index, first_to_check) \
+       __attribute__((__format__(__MINGW_PRINTF_FORMAT, string_index, \
+                                 first_to_check)))
+# else
+#  define GTEST_ATTRIBUTE_PRINTF_(string_index, first_to_check) \
+       __attribute__((__format__(__printf__, string_index, first_to_check)))
+# endif
+#else
+# define GTEST_ATTRIBUTE_PRINTF_(string_index, first_to_check)
+#endif
+
+
 // A macro to disallow operator=
 // This should be used in the private: declarations for a class.
-#define GTEST_DISALLOW_ASSIGN_(type)\
-  void operator=(type const &)
+#define GTEST_DISALLOW_ASSIGN_(type) \
+  void operator=(type const &) GTEST_CXX11_EQUALS_DELETE_
 
 // A macro to disallow copy constructor and operator=
 // This should be used in the private: declarations for a class.
-#define GTEST_DISALLOW_COPY_AND_ASSIGN_(type)\
-  type(type const &);\
+#define GTEST_DISALLOW_COPY_AND_ASSIGN_(type) \
+  type(type const &) GTEST_CXX11_EQUALS_DELETE_; \
   GTEST_DISALLOW_ASSIGN_(type)
 
 // Tell the compiler to warn about unused return values for functions declared
@@ -883,12 +944,6 @@ using ::std::tuple_size;
 # define GTEST_MUST_USE_RESULT_
 #endif  // __GNUC__ && (GTEST_GCC_VER_ >= 30400) && !COMPILER_ICC
 
-#if GTEST_LANG_CXX11
-# define GTEST_MOVE_(x) ::std::move(x)  // NOLINT
-#else
-# define GTEST_MOVE_(x) x
-#endif
-
 // MS C++ compiler emits warning when a conditional expression is compile time
 // constant. In some contexts this warning is false positive and needs to be
 // suppressed. Use the following two macros in such cases:
@@ -917,25 +972,36 @@ using ::std::tuple_size;
 # endif
 
 #define GTEST_IS_THREADSAFE \
-    (0 \
+    (GTEST_HAS_MUTEX_AND_THREAD_LOCAL_ \
      || (GTEST_OS_WINDOWS && !GTEST_OS_WINDOWS_PHONE && !GTEST_OS_WINDOWS_RT) \
      || GTEST_HAS_PTHREAD)
 
 #endif  // GTEST_HAS_SEH
 
-#ifdef _MSC_VER
+// GTEST_API_ qualifies all symbols that must be exported. The definitions below
+// are guarded by #ifndef to give embedders a chance to define GTEST_API_ in
+// gtest/internal/custom/gtest-port.h
+#ifndef GTEST_API_
 
+#ifdef _MSC_VER
 # if GTEST_LINKED_AS_SHARED_LIBRARY
 #  define GTEST_API_ __declspec(dllimport)
 # elif GTEST_CREATE_SHARED_LIBRARY
 #  define GTEST_API_ __declspec(dllexport)
 # endif
-
+#elif __GNUC__ >= 4 || defined(__clang__)
+# define GTEST_API_ __attribute__((visibility ("default")))
 #endif  // _MSC_VER
 
+#endif  // GTEST_API_
+
 #ifndef GTEST_API_
 # define GTEST_API_
-#endif
+#endif  // GTEST_API_
+
+#ifndef GTEST_DEFAULT_DEATH_TEST_STYLE
+# define GTEST_DEFAULT_DEATH_TEST_STYLE  "fast"
+#endif  // GTEST_DEFAULT_DEATH_TEST_STYLE
 
 #ifdef __GNUC__
 // Ask the compiler to never inline a given function.
@@ -945,10 +1011,12 @@ using ::std::tuple_size;
 #endif
 
 // _LIBCPP_VERSION is defined by the libc++ library from the LLVM project.
-#if defined(__GLIBCXX__) || defined(_LIBCPP_VERSION)
-# define GTEST_HAS_CXXABI_H_ 1
-#else
-# define GTEST_HAS_CXXABI_H_ 0
+#if !defined(GTEST_HAS_CXXABI_H_)
+# if defined(__GLIBCXX__) || (defined(_LIBCPP_VERSION) && !defined(_MSC_VER))
+#  define GTEST_HAS_CXXABI_H_ 1
+# else
+#  define GTEST_HAS_CXXABI_H_ 0
+# endif
 #endif
 
 // A function level attribute to disable checking for use of uninitialized
@@ -1025,16 +1093,22 @@ class Secret;
 // the expression is false, most compilers will issue a warning/error
 // containing the name of the variable.
 
+#if GTEST_LANG_CXX11
+# define GTEST_COMPILE_ASSERT_(expr, msg) static_assert(expr, #msg)
+#else  // !GTEST_LANG_CXX11
 template <bool>
-struct CompileAssert {
+  struct CompileAssert {
 };
 
-#define GTEST_COMPILE_ASSERT_(expr, msg) \
+# define GTEST_COMPILE_ASSERT_(expr, msg) \
   typedef ::testing::internal::CompileAssert<(static_cast<bool>(expr))> \
       msg[static_cast<bool>(expr) ? 1 : -1] GTEST_ATTRIBUTE_UNUSED_
+#endif  // !GTEST_LANG_CXX11
 
 // Implementation details of GTEST_COMPILE_ASSERT_:
 //
+// (In C++11, we simply use static_assert instead of the following)
+//
 // - GTEST_COMPILE_ASSERT_ works by defining an array type that has -1
 //   elements (and thus is invalid) when the expression is false.
 //
@@ -1085,6 +1159,16 @@ struct StaticAssertTypeEqHelper<T, T> {
   enum { value = true };
 };
 
+// Same as std::is_same<>.
+template <typename T, typename U>
+struct IsSame {
+  enum { value = false };
+};
+template <typename T>
+struct IsSame<T, T> {
+  enum { value = true };
+};
+
 // Evaluates to the number of elements in 'array'.
 #define GTEST_ARRAY_SIZE_(array) (sizeof(array) / sizeof(array[0]))
 
@@ -1148,6 +1232,10 @@ class scoped_ptr {
 
 // Defines RE.
 
+#if GTEST_USES_PCRE
+// if used, PCRE is injected by custom/gtest-port.h
+#elif GTEST_USES_POSIX_RE || GTEST_USES_SIMPLE_RE
+
 // A simple C++ wrapper for <regex.h>.  It uses the POSIX Extended
 // Regular Expression syntax.
 class GTEST_API_ RE {
@@ -1159,11 +1247,11 @@ class GTEST_API_ RE {
   // Constructs an RE from a string.
   RE(const ::std::string& regex) { Init(regex.c_str()); }  // NOLINT
 
-#if GTEST_HAS_GLOBAL_STRING
+# if GTEST_HAS_GLOBAL_STRING
 
   RE(const ::string& regex) { Init(regex.c_str()); }  // NOLINT
 
-#endif  // GTEST_HAS_GLOBAL_STRING
+# endif  // GTEST_HAS_GLOBAL_STRING
 
   RE(const char* regex) { Init(regex); }  // NOLINT
   ~RE();
@@ -1176,7 +1264,7 @@ class GTEST_API_ RE {
   // PartialMatch(str, re) returns true iff regular expression re
   // matches a substring of str (including str itself).
   //
-  // TODO(wan@google.com): make FullMatch() and PartialMatch() work
+  // FIXME: make FullMatch() and PartialMatch() work
   // when str contains NUL characters.
   static bool FullMatch(const ::std::string& str, const RE& re) {
     return FullMatch(str.c_str(), re);
@@ -1185,7 +1273,7 @@ class GTEST_API_ RE {
     return PartialMatch(str.c_str(), re);
   }
 
-#if GTEST_HAS_GLOBAL_STRING
+# if GTEST_HAS_GLOBAL_STRING
 
   static bool FullMatch(const ::string& str, const RE& re) {
     return FullMatch(str.c_str(), re);
@@ -1194,7 +1282,7 @@ class GTEST_API_ RE {
     return PartialMatch(str.c_str(), re);
   }
 
-#endif  // GTEST_HAS_GLOBAL_STRING
+# endif  // GTEST_HAS_GLOBAL_STRING
 
   static bool FullMatch(const char* str, const RE& re);
   static bool PartialMatch(const char* str, const RE& re);
@@ -1203,25 +1291,27 @@ class GTEST_API_ RE {
   void Init(const char* regex);
 
   // We use a const char* instead of an std::string, as Google Test used to be
-  // used where std::string is not available.  TODO(wan@google.com): change to
+  // used where std::string is not available.  FIXME: change to
   // std::string.
   const char* pattern_;
   bool is_valid_;
 
-#if GTEST_USES_POSIX_RE
+# if GTEST_USES_POSIX_RE
 
   regex_t full_regex_;     // For FullMatch().
   regex_t partial_regex_;  // For PartialMatch().
 
-#else  // GTEST_USES_SIMPLE_RE
+# else  // GTEST_USES_SIMPLE_RE
 
   const char* full_pattern_;  // For FullMatch();
 
-#endif
+# endif
 
   GTEST_DISALLOW_ASSIGN_(RE);
 };
 
+#endif  // GTEST_USES_PCRE
+
 // Formats a source file path and a line number as they would appear
 // in an error message from the compiler used to compile this code.
 GTEST_API_ ::std::string FormatFileLocation(const char* file, int line);
@@ -1263,13 +1353,18 @@ class GTEST_API_ GTestLog {
   GTEST_DISALLOW_COPY_AND_ASSIGN_(GTestLog);
 };
 
-#define GTEST_LOG_(severity) \
+#if !defined(GTEST_LOG_)
+
+# define GTEST_LOG_(severity) \
     ::testing::internal::GTestLog(::testing::internal::GTEST_##severity, \
                                   __FILE__, __LINE__).GetStream()
 
 inline void LogToStderr() {}
 inline void FlushInfoLog() { fflush(NULL); }
 
+#endif  // !defined(GTEST_LOG_)
+
+#if !defined(GTEST_CHECK_)
 // INTERNAL IMPLEMENTATION - DO NOT USE.
 //
 // GTEST_CHECK_ is an all-mode assert. It aborts the program if the condition
@@ -1284,12 +1379,13 @@ inline void FlushInfoLog() { fflush(NULL); }
 //    condition itself, plus additional message streamed into it, if any,
 //    and then it aborts the program. It aborts the program irrespective of
 //    whether it is built in the debug mode or not.
-#define GTEST_CHECK_(condition) \
+# define GTEST_CHECK_(condition) \
     GTEST_AMBIGUOUS_ELSE_BLOCKER_ \
     if (::testing::internal::IsTrue(condition)) \
       ; \
     else \
       GTEST_LOG_(FATAL) << "Condition " #condition " failed. "
+#endif  // !defined(GTEST_CHECK_)
 
 // An all-mode assert to verify that the given POSIX-style function
 // call returns 0 (indicating success).  Known limitation: this
@@ -1301,6 +1397,61 @@ inline void FlushInfoLog() { fflush(NULL); }
     GTEST_LOG_(FATAL) << #posix_call << "failed with error " \
                       << gtest_error
 
+// Adds reference to a type if it is not a reference type,
+// otherwise leaves it unchanged.  This is the same as
+// tr1::add_reference, which is not widely available yet.
+template <typename T>
+struct AddReference { typedef T& type; };  // NOLINT
+template <typename T>
+struct AddReference<T&> { typedef T& type; };  // NOLINT
+
+// A handy wrapper around AddReference that works when the argument T
+// depends on template parameters.
+#define GTEST_ADD_REFERENCE_(T) \
+    typename ::testing::internal::AddReference<T>::type
+
+// Transforms "T" into "const T&" according to standard reference collapsing
+// rules (this is only needed as a backport for C++98 compilers that do not
+// support reference collapsing). Specifically, it transforms:
+//
+//   char         ==> const char&
+//   const char   ==> const char&
+//   char&        ==> char&
+//   const char&  ==> const char&
+//
+// Note that the non-const reference will not have "const" added. This is
+// standard, and necessary so that "T" can always bind to "const T&".
+template <typename T>
+struct ConstRef { typedef const T& type; };
+template <typename T>
+struct ConstRef<T&> { typedef T& type; };
+
+// The argument T must depend on some template parameters.
+#define GTEST_REFERENCE_TO_CONST_(T) \
+  typename ::testing::internal::ConstRef<T>::type
+
+#if GTEST_HAS_STD_MOVE_
+using std::forward;
+using std::move;
+
+template <typename T>
+struct RvalueRef {
+  typedef T&& type;
+};
+#else  // GTEST_HAS_STD_MOVE_
+template <typename T>
+const T& move(const T& t) {
+  return t;
+}
+template <typename T>
+GTEST_ADD_REFERENCE_(T) forward(GTEST_ADD_REFERENCE_(T) t) { return t; }
+
+template <typename T>
+struct RvalueRef {
+  typedef const T& type;
+};
+#endif  // GTEST_HAS_STD_MOVE_
+
 // INTERNAL IMPLEMENTATION - DO NOT USE IN USER CODE.
 //
 // Use ImplicitCast_ as a safe version of static_cast for upcasting in
@@ -1374,6 +1525,11 @@ template <class Derived, class Base>
 Derived* CheckedDowncastToActualType(Base* base) {
 #if GTEST_HAS_RTTI
   GTEST_CHECK_(typeid(*base) == typeid(Derived));
+#endif
+
+#if GTEST_HAS_DOWNCAST_
+  return ::down_cast<Derived*>(base);
+#elif GTEST_HAS_RTTI
   return dynamic_cast<Derived*>(base);  // NOLINT
 #else
   return static_cast<Derived*>(base);  // Poor man's downcast.
@@ -1394,16 +1550,25 @@ GTEST_API_ void CaptureStderr();
 GTEST_API_ std::string GetCapturedStderr();
 
 #endif  // GTEST_HAS_STREAM_REDIRECTION
+// Returns the size (in bytes) of a file.
+GTEST_API_ size_t GetFileSize(FILE* file);
 
+// Reads the entire content of a file as a string.
+GTEST_API_ std::string ReadEntireFile(FILE* file);
 
-#if GTEST_HAS_DEATH_TEST
+// All command line arguments.
+GTEST_API_ std::vector<std::string> GetArgvs();
 
-const ::std::vector<testing::internal::string>& GetInjectableArgvs();
-void SetInjectableArgvs(const ::std::vector<testing::internal::string>*
-                             new_argvs);
+#if GTEST_HAS_DEATH_TEST
 
-// A copy of all command line arguments.  Set by InitGoogleTest().
-extern ::std::vector<testing::internal::string> g_argvs;
+std::vector<std::string> GetInjectableArgvs();
+// Deprecated: pass the args vector by value instead.
+void SetInjectableArgvs(const std::vector<std::string>* new_argvs);
+void SetInjectableArgvs(const std::vector<std::string>& new_argvs);
+#if GTEST_HAS_GLOBAL_STRING
+void SetInjectableArgvs(const std::vector< ::string>& new_argvs);
+#endif  // GTEST_HAS_GLOBAL_STRING
+void ClearInjectableArgvs();
 
 #endif  // GTEST_HAS_DEATH_TEST
 
@@ -1422,7 +1587,10 @@ inline void SleepMilliseconds(int n) {
 }
 # endif  // GTEST_HAS_PTHREAD
 
-# if 0  // OS detection
+# if GTEST_HAS_NOTIFICATION_
+// Notification has already been imported into the namespace.
+// Nothing to do here.
+
 # elif GTEST_HAS_PTHREAD
 // Allows a controller thread to pause execution of newly created
 // threads until notified.  Instances of this class must be created
@@ -1516,7 +1684,7 @@ class GTEST_API_ Notification {
 
   GTEST_DISALLOW_COPY_AND_ASSIGN_(Notification);
 };
-# endif  // OS detection
+# endif  // GTEST_HAS_NOTIFICATION_
 
 // On MinGW, we can have both GTEST_OS_WINDOWS and GTEST_HAS_PTHREAD
 // defined, but we don't want to use MinGW's pthreads implementation, which
@@ -1599,9 +1767,13 @@ class ThreadWithParam : public ThreadWithParamBase {
 
   GTEST_DISALLOW_COPY_AND_ASSIGN_(ThreadWithParam);
 };
-# endif  // GTEST_HAS_PTHREAD && !GTEST_OS_WINDOWS_MINGW
+# endif  // !GTEST_OS_WINDOWS && GTEST_HAS_PTHREAD ||
+         // GTEST_HAS_MUTEX_AND_THREAD_LOCAL_
+
+# if GTEST_HAS_MUTEX_AND_THREAD_LOCAL_
+// Mutex and ThreadLocal have already been imported into the namespace.
+// Nothing to do here.
 
-# if 0  // OS detection
 # elif GTEST_OS_WINDOWS && !GTEST_OS_WINDOWS_PHONE && !GTEST_OS_WINDOWS_RT
 
 // Mutex implements mutex on Windows platforms.  It is used in conjunction
@@ -1646,7 +1818,7 @@ class GTEST_API_ Mutex {
   // Initializes owner_thread_id_ and critical_section_ in static mutexes.
   void ThreadSafeLazyInit();
 
-  // Per http://blogs.msdn.com/b/oldnewthing/archive/2004/02/23/78395.aspx,
+  // Per https://blogs.msdn.microsoft.com/oldnewthing/20040223-00/?p=40503,
   // we assume that 0 is an invalid value for thread IDs.
   unsigned int owner_thread_id_;
 
@@ -1654,7 +1826,7 @@ class GTEST_API_ Mutex {
   // by the linker.
   MutexType type_;
   long critical_section_init_phase_;  // NOLINT
-  _RTL_CRITICAL_SECTION* critical_section_;
+  GTEST_CRITICAL_SECTION* critical_section_;
 
   GTEST_DISALLOW_COPY_AND_ASSIGN_(Mutex);
 };
@@ -1806,8 +1978,9 @@ class ThreadWithParam : public ThreadWithParamBase {
 template <typename T>
 class ThreadLocal : public ThreadLocalBase {
  public:
-  ThreadLocal() : default_() {}
-  explicit ThreadLocal(const T& value) : default_(value) {}
+  ThreadLocal() : default_factory_(new DefaultValueHolderFactory()) {}
+  explicit ThreadLocal(const T& value)
+      : default_factory_(new InstanceValueHolderFactory(value)) {}
 
   ~ThreadLocal() { ThreadLocalRegistry::OnThreadLocalDestroyed(this); }
 
@@ -1821,6 +1994,7 @@ class ThreadLocal : public ThreadLocalBase {
   // knowing the type of T.
   class ValueHolder : public ThreadLocalValueHolderBase {
    public:
+    ValueHolder() : value_() {}
     explicit ValueHolder(const T& value) : value_(value) {}
 
     T* pointer() { return &value_; }
@@ -1837,10 +2011,42 @@ class ThreadLocal : public ThreadLocalBase {
   }
 
   virtual ThreadLocalValueHolderBase* NewValueForCurrentThread() const {
-    return new ValueHolder(default_);
+    return default_factory_->MakeNewHolder();
   }
 
-  const T default_;  // The default value for each thread.
+  class ValueHolderFactory {
+   public:
+    ValueHolderFactory() {}
+    virtual ~ValueHolderFactory() {}
+    virtual ValueHolder* MakeNewHolder() const = 0;
+
+   private:
+    GTEST_DISALLOW_COPY_AND_ASSIGN_(ValueHolderFactory);
+  };
+
+  class DefaultValueHolderFactory : public ValueHolderFactory {
+   public:
+    DefaultValueHolderFactory() {}
+    virtual ValueHolder* MakeNewHolder() const { return new ValueHolder(); }
+
+   private:
+    GTEST_DISALLOW_COPY_AND_ASSIGN_(DefaultValueHolderFactory);
+  };
+
+  class InstanceValueHolderFactory : public ValueHolderFactory {
+   public:
+    explicit InstanceValueHolderFactory(const T& value) : value_(value) {}
+    virtual ValueHolder* MakeNewHolder() const {
+      return new ValueHolder(value_);
+    }
+
+   private:
+    const T value_;  // The value for each thread.
+
+    GTEST_DISALLOW_COPY_AND_ASSIGN_(InstanceValueHolderFactory);
+  };
+
+  scoped_ptr<ValueHolderFactory> default_factory_;
 
   GTEST_DISALLOW_COPY_AND_ASSIGN_(ThreadLocal);
 };
@@ -1901,8 +2107,8 @@ class MutexBase {
 // particular, the owner_ field (a pthread_t) is not explicitly initialized.
 // This allows initialization to work whether pthread_t is a scalar or struct.
 // The flag -Wmissing-field-initializers must not be specified for this to work.
-#  define GTEST_DEFINE_STATIC_MUTEX_(mutex) \
-     ::testing::internal::MutexBase mutex = { PTHREAD_MUTEX_INITIALIZER, false }
+#define GTEST_DEFINE_STATIC_MUTEX_(mutex) \
+  ::testing::internal::MutexBase mutex = {PTHREAD_MUTEX_INITIALIZER, false, 0}
 
 // The Mutex class can only be used for mutexes created at runtime. It
 // shares its API with MutexBase otherwise.
@@ -1959,12 +2165,13 @@ extern "C" inline void DeleteThreadLocalValue(void* value_holder) {
 
 // Implements thread-local storage on pthreads-based systems.
 template <typename T>
-class ThreadLocal {
+class GTEST_API_ ThreadLocal {
  public:
-  ThreadLocal() : key_(CreateKey()),
-                  default_() {}
-  explicit ThreadLocal(const T& value) : key_(CreateKey()),
-                                         default_(value) {}
+  ThreadLocal()
+      : key_(CreateKey()), default_factory_(new DefaultValueHolderFactory()) {}
+  explicit ThreadLocal(const T& value)
+      : key_(CreateKey()),
+        default_factory_(new InstanceValueHolderFactory(value)) {}
 
   ~ThreadLocal() {
     // Destroys the managed object for the current thread, if any.
@@ -1984,6 +2191,7 @@ class ThreadLocal {
   // Holds a value of type T.
   class ValueHolder : public ThreadLocalValueHolderBase {
    public:
+    ValueHolder() : value_() {}
     explicit ValueHolder(const T& value) : value_(value) {}
 
     T* pointer() { return &value_; }
@@ -2009,20 +2217,52 @@ class ThreadLocal {
       return CheckedDowncastToActualType<ValueHolder>(holder)->pointer();
     }
 
-    ValueHolder* const new_holder = new ValueHolder(default_);
+    ValueHolder* const new_holder = default_factory_->MakeNewHolder();
     ThreadLocalValueHolderBase* const holder_base = new_holder;
     GTEST_CHECK_POSIX_SUCCESS_(pthread_setspecific(key_, holder_base));
     return new_holder->pointer();
   }
 
+  class ValueHolderFactory {
+   public:
+    ValueHolderFactory() {}
+    virtual ~ValueHolderFactory() {}
+    virtual ValueHolder* MakeNewHolder() const = 0;
+
+   private:
+    GTEST_DISALLOW_COPY_AND_ASSIGN_(ValueHolderFactory);
+  };
+
+  class DefaultValueHolderFactory : public ValueHolderFactory {
+   public:
+    DefaultValueHolderFactory() {}
+    virtual ValueHolder* MakeNewHolder() const { return new ValueHolder(); }
+
+   private:
+    GTEST_DISALLOW_COPY_AND_ASSIGN_(DefaultValueHolderFactory);
+  };
+
+  class InstanceValueHolderFactory : public ValueHolderFactory {
+   public:
+    explicit InstanceValueHolderFactory(const T& value) : value_(value) {}
+    virtual ValueHolder* MakeNewHolder() const {
+      return new ValueHolder(value_);
+    }
+
+   private:
+    const T value_;  // The value for each thread.
+
+    GTEST_DISALLOW_COPY_AND_ASSIGN_(InstanceValueHolderFactory);
+  };
+
   // A key pthreads uses for looking up per-thread values.
   const pthread_key_t key_;
-  const T default_;  // The default value for each thread.
+  scoped_ptr<ValueHolderFactory> default_factory_;
 
   GTEST_DISALLOW_COPY_AND_ASSIGN_(ThreadLocal);
 };
 
-# endif  // OS detection
+# endif  // GTEST_HAS_MUTEX_AND_THREAD_LOCAL_
 
 #else  // GTEST_IS_THREADSAFE
 
@@ -2057,7 +2297,7 @@ class GTestMutexLock {
 typedef GTestMutexLock MutexLock;
 
 template <typename T>
-class ThreadLocal {
+class GTEST_API_ ThreadLocal {
  public:
   ThreadLocal() : value_() {}
   explicit ThreadLocal(const T& value) : value_(value) {}
@@ -2076,12 +2316,13 @@ class ThreadLocal {
 GTEST_API_ size_t GetThreadCount();
 
 // Passing non-POD classes through ellipsis (...) crashes the ARM
-// compiler and generates a warning in Sun Studio.  The Nokia Symbian
+// compiler and generates a warning in Sun Studio before 12u4. The Nokia Symbian
 // and the IBM XL C/C++ compiler try to instantiate a copy constructor
 // for objects passed through ellipsis (...), failing for uncopyable
 // objects.  We define this to ensure that only POD is passed through
 // ellipsis on these systems.
-#if defined(__SYMBIAN32__) || defined(__IBMCPP__) || defined(__SUNPRO_CC)
+#if defined(__SYMBIAN32__) || defined(__IBMCPP__) || \
+     (defined(__SUNPRO_CC) && __SUNPRO_CC < 0x5130)
 // We lose support for NULL detection where the compiler doesn't like
 // passing non-POD classes through ellipsis (...).
 # define GTEST_ELLIPSIS_NEEDS_POD_ 1
@@ -2107,6 +2348,13 @@ template <bool bool_value> const bool bool_constant<bool_value>::value;
 typedef bool_constant<false> false_type;
 typedef bool_constant<true> true_type;
 
+template <typename T, typename U>
+struct is_same : public false_type {};
+
+template <typename T>
+struct is_same<T, T> : public true_type {};
+
+
 template <typename T>
 struct is_pointer : public false_type {};
 
@@ -2118,6 +2366,7 @@ struct IteratorTraits {
   typedef typename Iterator::value_type value_type;
 };
 
+
 template <typename T>
 struct IteratorTraits<T*> {
   typedef T value_type;
@@ -2179,6 +2428,13 @@ inline char ToUpper(char ch) {
   return static_cast<char>(toupper(static_cast<unsigned char>(ch)));
 }
 
+inline std::string StripTrailingSpaces(std::string str) {
+  std::string::iterator it = str.end();
+  while (it != str.begin() && IsSpace(*--it))
+    it = str.erase(it);
+  return str;
+}
+
 // The testing::internal::posix namespace holds wrappers for common
 // POSIX functions.  These wrappers hide the differences between
 // Windows/MSVC and POSIX systems.  Since some compilers define these
@@ -2242,7 +2498,7 @@ inline bool IsDir(const StatStruct& st) { return S_ISDIR(st.st_mode); }
 
 // Functions deprecated by MSVC 8.0.
 
-GTEST_DISABLE_MSC_WARNINGS_PUSH_(4996 /* deprecated function */)
+GTEST_DISABLE_MSC_DEPRECATED_PUSH_()
 
 inline const char* StrNCpy(char* dest, const char* src, size_t n) {
   return strncpy(dest, src, n);
@@ -2276,8 +2532,9 @@ inline int Close(int fd) { return close(fd); }
 inline const char* StrError(int errnum) { return strerror(errnum); }
 #endif
 inline const char* GetEnv(const char* name) {
-#if GTEST_OS_WINDOWS_MOBILE || GTEST_OS_WINDOWS_PHONE | GTEST_OS_WINDOWS_RT
+#if GTEST_OS_WINDOWS_MOBILE || GTEST_OS_WINDOWS_PHONE || GTEST_OS_WINDOWS_RT
   // We are on Windows CE, which has no environment variables.
+  static_cast<void>(name);  // To prevent 'unused argument' warning.
   return NULL;
 #elif defined(__BORLANDC__) || defined(__SunOS_5_8) || defined(__SunOS_5_9)
   // Environment variables which we programmatically clear will be set to the
@@ -2289,7 +2546,7 @@ inline const char* GetEnv(const char* name) {
 #endif
 }
 
-GTEST_DISABLE_MSC_WARNINGS_POP_()
+GTEST_DISABLE_MSC_DEPRECATED_POP_()
 
 #if GTEST_OS_WINDOWS_MOBILE
 // Windows CE has no C library. The abort() function is used in
@@ -2390,31 +2647,44 @@ typedef TypeWithSize<8>::Int TimeInMillis;  // Represents time in milliseconds.
 // Utilities for command line flags and environment variables.
 
 // Macro for referencing flags.
-#define GTEST_FLAG(name) FLAGS_gtest_##name
+#if !defined(GTEST_FLAG)
+# define GTEST_FLAG(name) FLAGS_gtest_##name
+#endif  // !defined(GTEST_FLAG)
+
+#if !defined(GTEST_USE_OWN_FLAGFILE_FLAG_)
+# define GTEST_USE_OWN_FLAGFILE_FLAG_ 1
+#endif  // !defined(GTEST_USE_OWN_FLAGFILE_FLAG_)
+
+#if !defined(GTEST_DECLARE_bool_)
+# define GTEST_FLAG_SAVER_ ::testing::internal::GTestFlagSaver
 
 // Macros for declaring flags.
-#define GTEST_DECLARE_bool_(name) GTEST_API_ extern bool GTEST_FLAG(name)
-#define GTEST_DECLARE_int32_(name) \
+# define GTEST_DECLARE_bool_(name) GTEST_API_ extern bool GTEST_FLAG(name)
+# define GTEST_DECLARE_int32_(name) \
     GTEST_API_ extern ::testing::internal::Int32 GTEST_FLAG(name)
-#define GTEST_DECLARE_string_(name) \
+# define GTEST_DECLARE_string_(name) \
     GTEST_API_ extern ::std::string GTEST_FLAG(name)
 
 // Macros for defining flags.
-#define GTEST_DEFINE_bool_(name, default_val, doc) \
+# define GTEST_DEFINE_bool_(name, default_val, doc) \
     GTEST_API_ bool GTEST_FLAG(name) = (default_val)
-#define GTEST_DEFINE_int32_(name, default_val, doc) \
+# define GTEST_DEFINE_int32_(name, default_val, doc) \
     GTEST_API_ ::testing::internal::Int32 GTEST_FLAG(name) = (default_val)
-#define GTEST_DEFINE_string_(name, default_val, doc) \
+# define GTEST_DEFINE_string_(name, default_val, doc) \
     GTEST_API_ ::std::string GTEST_FLAG(name) = (default_val)
 
+#endif  // !defined(GTEST_DECLARE_bool_)
+
 // Thread annotations
-#define GTEST_EXCLUSIVE_LOCK_REQUIRED_(locks)
-#define GTEST_LOCK_EXCLUDED_(locks)
+#if !defined(GTEST_EXCLUSIVE_LOCK_REQUIRED_)
+# define GTEST_EXCLUSIVE_LOCK_REQUIRED_(locks)
+# define GTEST_LOCK_EXCLUDED_(locks)
+#endif  // !defined(GTEST_EXCLUSIVE_LOCK_REQUIRED_)
 
 // Parses 'str' for a 32-bit signed integer.  If successful, writes the result
 // to *value and returns true; otherwise leaves *value unchanged and returns
 // false.
-// TODO(chandlerc): Find a better way to refactor flag and environment parsing
+// FIXME: Find a better way to refactor flag and environment parsing
 // out of both gtest-port.cc and gtest.cc to avoid exporting this utility
 // function.
 bool ParseInt32(const Message& src_text, const char* str, Int32* value);
@@ -2423,10 +2693,10 @@ bool ParseInt32(const Message& src_text, const char* str, Int32* value);
 // corresponding to the given Google Test flag.
 bool BoolFromGTestEnv(const char* flag, bool default_val);
 GTEST_API_ Int32 Int32FromGTestEnv(const char* flag, Int32 default_val);
+std::string OutputFlagAlsoCheckEnvVar();
 const char* StringFromGTestEnv(const char* flag, const char* default_val);
 
 }  // namespace internal
 }  // namespace testing
 
 #endif  // GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PORT_H_
-
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-string.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-string.h
index 97f1a7fdd..4c9b6262c 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-string.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-string.h
@@ -27,17 +27,17 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: wan@google.com (Zhanyong Wan), eefacm@gmail.com (Sean Mcafee)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 //
 // This header file declares the String class and functions used internally by
 // Google Test.  They are subject to change without notice. They should not used
 // by code external to Google Test.
 //
-// This header file is #included by <gtest/internal/gtest-internal.h>.
+// This header file is #included by gtest-internal.h.
 // It should not be #included by other files.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_STRING_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_STRING_H_
 
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-tuple.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-tuple.h
index e9b405340..78a3a6a01 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-tuple.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-tuple.h
@@ -30,11 +30,12 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Implements a subset of TR1 tuple needed by Google Test and Google Mock.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_TUPLE_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_TUPLE_H_
 
@@ -42,7 +43,7 @@
 
 // The compiler used in Symbian has a bug that prevents us from declaring the
 // tuple template as a friend (it complains that tuple is redefined).  This
-// hack bypasses the bug by declaring the members that should otherwise be
+// bypasses the bug by declaring the members that should otherwise be
 // private as public.
 // Sun Studio versions < 12 also have the above bug.
 #if defined(__SYMBIAN32__) || (defined(__SUNPRO_CC) && __SUNPRO_CC < 0x590)
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-tuple.h.pump b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-tuple.h.pump
index 429ddfeec..bb626e049 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-tuple.h.pump
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-tuple.h.pump
@@ -29,11 +29,12 @@ $$ This meta comment fixes auto-indentation in Emacs. }}
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Implements a subset of TR1 tuple needed by Google Test and Google Mock.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_TUPLE_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_TUPLE_H_
 
@@ -41,7 +42,7 @@ $$ This meta comment fixes auto-indentation in Emacs. }}
 
 // The compiler used in Symbian has a bug that prevents us from declaring the
 // tuple template as a friend (it complains that tuple is redefined).  This
-// hack bypasses the bug by declaring the members that should otherwise be
+// bypasses the bug by declaring the members that should otherwise be
 // private as public.
 // Sun Studio versions < 12 also have the above bug.
 #if defined(__SYMBIAN32__) || (defined(__SUNPRO_CC) && __SUNPRO_CC < 0x590)
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-type-util.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-type-util.h
index e46f7cfcb..28e411245 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-type-util.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-type-util.h
@@ -30,8 +30,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Type utilities needed for implementing typed and type-parameterized
 // tests.  This file is generated by a SCRIPT.  DO NOT EDIT BY HAND!
@@ -41,6 +40,8 @@
 // Please contact googletestframework@googlegroups.com if you need
 // more.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_TYPE_UTIL_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_TYPE_UTIL_H_
 
@@ -57,6 +58,22 @@
 namespace testing {
 namespace internal {
 
+// Canonicalizes a given name with respect to the Standard C++ Library.
+// This handles removing the inline namespace within `std` that is
+// used by various standard libraries (e.g., `std::__1`).  Names outside
+// of namespace std are returned unmodified.
+inline std::string CanonicalizeForStdLibVersioning(std::string s) {
+  static const char prefix[] = "std::__";
+  if (s.compare(0, strlen(prefix), prefix) == 0) {
+    std::string::size_type end = s.find("::", strlen(prefix));
+    if (end != s.npos) {
+      // Erase everything between the initial `std` and the second `::`.
+      s.erase(strlen("std"), end - strlen("std"));
+    }
+  }
+  return s;
+}
+
 // GetTypeName<T>() returns a human-readable name of type T.
 // NB: This function is also used in Google Mock, so don't move it inside of
 // the typed-test-only section below.
@@ -75,7 +92,7 @@ std::string GetTypeName() {
   char* const readable_name = __cxa_demangle(name, 0, 0, &status);
   const std::string name_str(status == 0 ? readable_name : name);
   free(readable_name);
-  return name_str;
+  return CanonicalizeForStdLibVersioning(name_str);
 #  else
   return name;
 #  endif  // GTEST_HAS_CXXABI_H_ || __HP_aCC
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-type-util.h.pump b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-type-util.h.pump
index 251fdf025..0001a5d39 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-type-util.h.pump
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-type-util.h.pump
@@ -28,8 +28,7 @@ $var n = 50  $$ Maximum length of type lists we want to support.
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Type utilities needed for implementing typed and type-parameterized
 // tests.  This file is generated by a SCRIPT.  DO NOT EDIT BY HAND!
@@ -39,6 +38,8 @@ $var n = 50  $$ Maximum length of type lists we want to support.
 // Please contact googletestframework@googlegroups.com if you need
 // more.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_TYPE_UTIL_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_TYPE_UTIL_H_
 
@@ -55,6 +56,22 @@ $var n = 50  $$ Maximum length of type lists we want to support.
 namespace testing {
 namespace internal {
 
+// Canonicalizes a given name with respect to the Standard C++ Library.
+// This handles removing the inline namespace within `std` that is
+// used by various standard libraries (e.g., `std::__1`).  Names outside
+// of namespace std are returned unmodified.
+inline std::string CanonicalizeForStdLibVersioning(std::string s) {
+  static const char prefix[] = "std::__";
+  if (s.compare(0, strlen(prefix), prefix) == 0) {
+    std::string::size_type end = s.find("::", strlen(prefix));
+    if (end != s.npos) {
+      // Erase everything between the initial `std` and the second `::`.
+      s.erase(strlen("std"), end - strlen("std"));
+    }
+  }
+  return s;
+}
+
 // GetTypeName<T>() returns a human-readable name of type T.
 // NB: This function is also used in Google Mock, so don't move it inside of
 // the typed-test-only section below.
@@ -73,7 +90,7 @@ std::string GetTypeName() {
   char* const readable_name = __cxa_demangle(name, 0, 0, &status);
   const std::string name_str(status == 0 ? readable_name : name);
   free(readable_name);
-  return name_str;
+  return CanonicalizeForStdLibVersioning(name_str);
 #  else
   return name;
 #  endif  // GTEST_HAS_CXXABI_H_ || __HP_aCC
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest-md.sln b/security/nss/gtests/google_test/gtest/msvc/2010/gtest-md.sln
new file mode 100644
index 000000000..e36b33b62
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest-md.sln
@@ -0,0 +1,55 @@
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual C++ Express 2010
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest-md", "gtest-md.vcxproj", "{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_main-md", "gtest_main-md.vcxproj", "{3AF54C8A-10BF-4332-9147-F68ED9862033}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_prod_test-md", "gtest_prod_test-md.vcxproj", "{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_unittest-md", "gtest_unittest-md.vcxproj", "{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Debug|Win32.ActiveCfg = Debug|Win32
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Debug|Win32.Build.0 = Debug|Win32
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Debug|x64.ActiveCfg = Debug|x64
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Debug|x64.Build.0 = Debug|x64
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Release|Win32.ActiveCfg = Release|Win32
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Release|Win32.Build.0 = Release|Win32
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Release|x64.ActiveCfg = Release|x64
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Release|x64.Build.0 = Release|x64
+		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Debug|Win32.ActiveCfg = Debug|Win32
+		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Debug|Win32.Build.0 = Debug|Win32
+		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Debug|x64.ActiveCfg = Debug|x64
+		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Debug|x64.Build.0 = Debug|x64
+		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Release|Win32.ActiveCfg = Release|Win32
+		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Release|Win32.Build.0 = Release|Win32
+		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Release|x64.ActiveCfg = Release|x64
+		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Release|x64.Build.0 = Release|x64
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Debug|Win32.ActiveCfg = Debug|Win32
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Debug|Win32.Build.0 = Debug|Win32
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Debug|x64.ActiveCfg = Debug|x64
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Debug|x64.Build.0 = Debug|x64
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Release|Win32.ActiveCfg = Release|Win32
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Release|Win32.Build.0 = Release|Win32
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Release|x64.ActiveCfg = Release|x64
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Release|x64.Build.0 = Release|x64
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Debug|Win32.ActiveCfg = Debug|Win32
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Debug|Win32.Build.0 = Debug|Win32
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Debug|x64.ActiveCfg = Debug|x64
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Debug|x64.Build.0 = Debug|x64
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Release|Win32.ActiveCfg = Release|Win32
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Release|Win32.Build.0 = Release|Win32
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Release|x64.ActiveCfg = Release|x64
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest-md.vcxproj b/security/nss/gtests/google_test/gtest/msvc/2010/gtest-md.vcxproj
new file mode 100644
index 000000000..16a6ff12f
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest-md.vcxproj
@@ -0,0 +1,149 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.40219.1</_ProjectFileVersion>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(OutDir)$(ProjectName)\</IntDir>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(OutDir)$(ProjectName)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)$(ProjectName)\</IntDir>
+    <TargetName>gtestd</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)$(ProjectName)\</IntDir>
+    <TargetName>gtest</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <TargetName>gtestd</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <TargetName>gtest</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\src\gtest-all.cc">
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
+\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest-md.vcxproj.filters b/security/nss/gtests/google_test/gtest/msvc/2010/gtest-md.vcxproj.filters
new file mode 100644
index 000000000..69edeff23
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest-md.vcxproj.filters
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\src\gtest-all.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
+\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest.sln b/security/nss/gtests/google_test/gtest/msvc/2010/gtest.sln
new file mode 100644
index 000000000..cacd5c0ce
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest.sln
@@ -0,0 +1,55 @@
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual C++ Express 2010
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest", "gtest.vcxproj", "{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_main", "gtest_main.vcxproj", "{3AF54C8A-10BF-4332-9147-F68ED9862032}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_unittest", "gtest_unittest.vcxproj", "{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_prod_test", "gtest_prod_test.vcxproj", "{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Debug|Win32.ActiveCfg = Debug|Win32
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Debug|Win32.Build.0 = Debug|Win32
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Debug|x64.ActiveCfg = Debug|x64
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Debug|x64.Build.0 = Debug|x64
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Release|Win32.ActiveCfg = Release|Win32
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Release|Win32.Build.0 = Release|Win32
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Release|x64.ActiveCfg = Release|x64
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Release|x64.Build.0 = Release|x64
+		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Debug|Win32.ActiveCfg = Debug|Win32
+		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Debug|Win32.Build.0 = Debug|Win32
+		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Debug|x64.ActiveCfg = Debug|x64
+		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Debug|x64.Build.0 = Debug|x64
+		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Release|Win32.ActiveCfg = Release|Win32
+		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Release|Win32.Build.0 = Release|Win32
+		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Release|x64.ActiveCfg = Release|x64
+		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Release|x64.Build.0 = Release|x64
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Debug|Win32.ActiveCfg = Debug|Win32
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Debug|Win32.Build.0 = Debug|Win32
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Debug|x64.ActiveCfg = Debug|x64
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Debug|x64.Build.0 = Debug|x64
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Release|Win32.ActiveCfg = Release|Win32
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Release|Win32.Build.0 = Release|Win32
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Release|x64.ActiveCfg = Release|x64
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Release|x64.Build.0 = Release|x64
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Debug|Win32.ActiveCfg = Debug|Win32
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Debug|Win32.Build.0 = Debug|Win32
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Debug|x64.ActiveCfg = Debug|x64
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Debug|x64.Build.0 = Debug|x64
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Release|Win32.ActiveCfg = Release|Win32
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Release|Win32.Build.0 = Release|Win32
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Release|x64.ActiveCfg = Release|x64
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest.vcxproj b/security/nss/gtests/google_test/gtest/msvc/2010/gtest.vcxproj
new file mode 100644
index 000000000..a46f5c7af
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest.vcxproj
@@ -0,0 +1,149 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.40219.1</_ProjectFileVersion>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(OutDir)temp\$(ProjectName)\</IntDir>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(OutDir)temp\$(ProjectName)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)temp\$(ProjectName)\</IntDir>
+    <TargetName>gtestd</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)temp\$(ProjectName)\</IntDir>
+    <TargetName>gtest</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <TargetName>gtestd</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <TargetName>gtest</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\src\gtest-all.cc">
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
+\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest.vcxproj.filters b/security/nss/gtests/google_test/gtest/msvc/2010/gtest.vcxproj.filters
new file mode 100644
index 000000000..69edeff23
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest.vcxproj.filters
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\src\gtest-all.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
+\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main-md.vcxproj b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main-md.vcxproj
new file mode 100644
index 000000000..3d773895b
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main-md.vcxproj
@@ -0,0 +1,154 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{3AF54C8A-10BF-4332-9147-F68ED9862033}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.40219.1</_ProjectFileVersion>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(OutDir)$(ProjectName)\</IntDir>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(OutDir)$(ProjectName)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)$(ProjectName)\</IntDir>
+    <TargetName>gtest_maind</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)$(ProjectName)\</IntDir>
+    <TargetName>gtest_main</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <TargetName>gtest_maind</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <TargetName>gtest_main</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\src\gtest_main.cc">
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="gtest-md.vcxproj">
+      <Project>{c8f6c172-56f2-4e76-b5fa-c3b423b31be8}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
+\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main-md.vcxproj.filters b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main-md.vcxproj.filters
new file mode 100644
index 000000000..726c773cc
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main-md.vcxproj.filters
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\src\gtest_main.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
+\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main.vcxproj b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main.vcxproj
new file mode 100644
index 000000000..8fb25897c
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main.vcxproj
@@ -0,0 +1,162 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{3AF54C8A-10BF-4332-9147-F68ED9862032}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.40219.1</_ProjectFileVersion>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(OutDir)temp\$(ProjectName)\</IntDir>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(OutDir)temp\$(ProjectName)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)temp\$(ProjectName)\</IntDir>
+    <TargetName>gtest_maind</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)temp\$(ProjectName)\</IntDir>
+    <TargetName>gtest_main</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <TargetName>gtest_maind</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <TargetName>gtest_main</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib>
+      <OutputFile>$(OutDir)$(ProjectName)d.lib</OutputFile>
+    </Lib>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib>
+      <OutputFile>$(OutDir)$(ProjectName)d.lib</OutputFile>
+    </Lib>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib>
+      <OutputFile>$(OutDir)$(ProjectName).lib</OutputFile>
+    </Lib>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib>
+      <OutputFile>$(OutDir)$(ProjectName).lib</OutputFile>
+    </Lib>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\src\gtest_main.cc">
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="gtest.vcxproj">
+      <Project>{c8f6c172-56f2-4e76-b5fa-c3b423b31be7}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
+\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main.vcxproj.filters b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main.vcxproj.filters
new file mode 100644
index 000000000..726c773cc
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main.vcxproj.filters
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\src\gtest_main.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
+\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test-md.vcxproj b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test-md.vcxproj
new file mode 100644
index 000000000..830e5dce4
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test-md.vcxproj
@@ -0,0 +1,199 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.40219.1</_ProjectFileVersion>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(OutDir)$(ProjectName)\</IntDir>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</LinkIncremental>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(OutDir)$(ProjectName)\</IntDir>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)$(ProjectName)\</IntDir>
+    <TargetName>gtest_prod_test</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)$(ProjectName)\</IntDir>
+    <TargetName>gtest_prod_test</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <TargetName>gtest_prod_test</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <TargetName>gtest_prod_test</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ProgramDatabaseFile>$(OutDir)gtest_prod_test.pdb</ProgramDatabaseFile>
+      <SubSystem>Console</SubSystem>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ProgramDatabaseFile>$(OutDir)gtest_prod_test.pdb</ProgramDatabaseFile>
+      <SubSystem>Console</SubSystem>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\test\gtest_prod_test.cc">
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="..\..\test\production.cc">
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\test\production.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="gtest_main-md.vcxproj">
+      <Project>{3af54c8a-10bf-4332-9147-f68ed9862033}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
+\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test-md.vcxproj.filters b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test-md.vcxproj.filters
new file mode 100644
index 000000000..ac367310a
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test-md.vcxproj.filters
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\test\gtest_prod_test.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\test\production.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\test\production.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
+\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test.vcxproj b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test.vcxproj
new file mode 100644
index 000000000..d42e13511
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test.vcxproj
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.40219.1</_ProjectFileVersion>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(OutDir)temp\$(ProjectName)\</IntDir>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</LinkIncremental>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(OutDir)temp\$(ProjectName)\</IntDir>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)temp\$(ProjectName)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)temp\$(ProjectName)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ProgramDatabaseFile>$(OutDir)gtest_prod_test.pdb</ProgramDatabaseFile>
+      <SubSystem>Console</SubSystem>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ProgramDatabaseFile>$(OutDir)gtest_prod_test.pdb</ProgramDatabaseFile>
+      <SubSystem>Console</SubSystem>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\test\gtest_prod_test.cc">
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="..\..\test\production.cc">
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\test\production.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="gtest_main.vcxproj">
+      <Project>{3af54c8a-10bf-4332-9147-f68ed9862032}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
+\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test.vcxproj.filters b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test.vcxproj.filters
new file mode 100644
index 000000000..ac367310a
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test.vcxproj.filters
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\test\gtest_prod_test.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\test\production.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\test\production.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
+\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest-md.vcxproj b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest-md.vcxproj
new file mode 100644
index 000000000..93b0dc4e1
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest-md.vcxproj
@@ -0,0 +1,188 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.40219.1</_ProjectFileVersion>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(OutDir)$(ProjectName)\</IntDir>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</LinkIncremental>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(OutDir)$(ProjectName)\</IntDir>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)$(ProjectName)\</IntDir>
+    <TargetName>gtest_unittest</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)$(ProjectName)\</IntDir>
+    <TargetName>gtest_unittest</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <TargetName>gtest_unittest</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <TargetName>gtest_unittest</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ProgramDatabaseFile>$(OutDir)gtest_unittest.pdb</ProgramDatabaseFile>
+      <SubSystem>Console</SubSystem>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ProgramDatabaseFile>$(OutDir)gtest_unittest.pdb</ProgramDatabaseFile>
+      <SubSystem>Console</SubSystem>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\test\gtest_unittest.cc">
+      <Optimization Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">MinSpace</Optimization>
+      <Optimization Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">MinSpace</Optimization>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <BasicRuntimeChecks Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Default</BasicRuntimeChecks>
+      <BasicRuntimeChecks Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Default</BasicRuntimeChecks>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <DebugInformationFormat Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">ProgramDatabase</DebugInformationFormat>
+      <DebugInformationFormat Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="gtest_main-md.vcxproj">
+      <Project>{3af54c8a-10bf-4332-9147-f68ed9862033}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
+\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest-md.vcxproj.filters b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest-md.vcxproj.filters
new file mode 100644
index 000000000..047dae513
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest-md.vcxproj.filters
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\test\gtest_unittest.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
+\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest.vcxproj b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest.vcxproj
new file mode 100644
index 000000000..ec6abde7d
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest.vcxproj
@@ -0,0 +1,180 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.40219.1</_ProjectFileVersion>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(OutDir)temp\$(ProjectName)\</IntDir>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</LinkIncremental>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(OutDir)temp\$(ProjectName)\</IntDir>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)temp\$(ProjectName)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)temp\$(ProjectName)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ProgramDatabaseFile>$(OutDir)gtest_unittest.pdb</ProgramDatabaseFile>
+      <SubSystem>Console</SubSystem>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ProgramDatabaseFile>$(OutDir)gtest_unittest.pdb</ProgramDatabaseFile>
+      <SubSystem>Console</SubSystem>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\test\gtest_unittest.cc">
+      <Optimization Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">MinSpace</Optimization>
+      <Optimization Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">MinSpace</Optimization>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <BasicRuntimeChecks Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Default</BasicRuntimeChecks>
+      <BasicRuntimeChecks Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Default</BasicRuntimeChecks>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <DebugInformationFormat Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">ProgramDatabase</DebugInformationFormat>
+      <DebugInformationFormat Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="gtest_main.vcxproj">
+      <Project>{3af54c8a-10bf-4332-9147-f68ed9862032}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
+\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest.vcxproj.filters b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest.vcxproj.filters
new file mode 100644
index 000000000..047dae513
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest.vcxproj.filters
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\test\gtest_unittest.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
+\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest-md.sln b/security/nss/gtests/google_test/gtest/msvc/gtest-md.sln
deleted file mode 100644
index f7908da11..000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest-md.sln
+++ /dev/null
@@ -1,45 +0,0 @@
-Microsoft Visual Studio Solution File, Format Version 8.00
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest-md", "gtest-md.vcproj", "{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}"
-	ProjectSection(ProjectDependencies) = postProject
-	EndProjectSection
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_main-md", "gtest_main-md.vcproj", "{3AF54C8A-10BF-4332-9147-F68ED9862033}"
-	ProjectSection(ProjectDependencies) = postProject
-	EndProjectSection
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_prod_test-md", "gtest_prod_test-md.vcproj", "{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}"
-	ProjectSection(ProjectDependencies) = postProject
-	EndProjectSection
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_unittest-md", "gtest_unittest-md.vcproj", "{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}"
-	ProjectSection(ProjectDependencies) = postProject
-	EndProjectSection
-EndProject
-Global
-	GlobalSection(SolutionConfiguration) = preSolution
-		Debug = Debug
-		Release = Release
-	EndGlobalSection
-	GlobalSection(ProjectConfiguration) = postSolution
-		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Debug.ActiveCfg = Debug|Win32
-		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Debug.Build.0 = Debug|Win32
-		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Release.ActiveCfg = Release|Win32
-		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Release.Build.0 = Release|Win32
-		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Debug.ActiveCfg = Debug|Win32
-		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Debug.Build.0 = Debug|Win32
-		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Release.ActiveCfg = Release|Win32
-		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Release.Build.0 = Release|Win32
-		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Debug.ActiveCfg = Debug|Win32
-		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Debug.Build.0 = Debug|Win32
-		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Release.ActiveCfg = Release|Win32
-		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Release.Build.0 = Release|Win32
-		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Debug.ActiveCfg = Debug|Win32
-		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Debug.Build.0 = Debug|Win32
-		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Release.ActiveCfg = Release|Win32
-		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Release.Build.0 = Release|Win32
-	EndGlobalSection
-	GlobalSection(ExtensibilityGlobals) = postSolution
-	EndGlobalSection
-	GlobalSection(ExtensibilityAddIns) = postSolution
-	EndGlobalSection
-EndGlobal
diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest-md.vcproj b/security/nss/gtests/google_test/gtest/msvc/gtest-md.vcproj
deleted file mode 100644
index 1c35c3a5e..000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest-md.vcproj
+++ /dev/null
@@ -1,126 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>
-<VisualStudioProject
-	ProjectType="Visual C++"
-	Version="7.10"
-	Name="gtest-md"
-	ProjectGUID="{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}"
-	Keyword="Win32Proj">
-	<Platforms>
-		<Platform
-			Name="Win32"/>
-	</Platforms>
-	<Configurations>
-		<Configuration
-			Name="Debug|Win32"
-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"
-			IntermediateDirectory="$(OutDir)/$(ProjectName)"
-			ConfigurationType="4"
-			CharacterSet="2"
-			ReferencesPath="">
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_LIB"
-				MinimalRebuild="TRUE"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				Detect64BitPortabilityProblems="FALSE"
-				DebugInformationFormat="4"/>
-			<Tool
-				Name="VCCustomBuildTool"/>
-			<Tool
-				Name="VCLibrarianTool"
-				OutputFile="$(OutDir)/gtestd.lib"/>
-			<Tool
-				Name="VCMIDLTool"/>
-			<Tool
-				Name="VCPostBuildEventTool"/>
-			<Tool
-				Name="VCPreBuildEventTool"/>
-			<Tool
-				Name="VCPreLinkEventTool"/>
-			<Tool
-				Name="VCResourceCompilerTool"/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"/>
-			<Tool
-				Name="VCManagedWrapperGeneratorTool"/>
-			<Tool
-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
-		</Configuration>
-		<Configuration
-			Name="Release|Win32"
-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"
-			IntermediateDirectory="$(OutDir)/$(ProjectName)"
-			ConfigurationType="4"
-			CharacterSet="2"
-			ReferencesPath="&quot;..\include&quot;;&quot;..&quot;">
-			<Tool
-				Name="VCCLCompilerTool"
-				PreprocessorDefinitions="WIN32;NDEBUG;_LIB"
-				RuntimeLibrary="2"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				Detect64BitPortabilityProblems="FALSE"
-				DebugInformationFormat="3"/>
-			<Tool
-				Name="VCCustomBuildTool"/>
-			<Tool
-				Name="VCLibrarianTool"
-				OutputFile="$(OutDir)/gtest.lib"/>
-			<Tool
-				Name="VCMIDLTool"/>
-			<Tool
-				Name="VCPostBuildEventTool"/>
-			<Tool
-				Name="VCPreBuildEventTool"/>
-			<Tool
-				Name="VCPreLinkEventTool"/>
-			<Tool
-				Name="VCResourceCompilerTool"/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"/>
-			<Tool
-				Name="VCManagedWrapperGeneratorTool"/>
-			<Tool
-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
-		</Configuration>
-	</Configurations>
-	<References>
-	</References>
-	<Files>
-		<Filter
-			Name="Source Files"
-			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"
-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">
-			<File
-				RelativePath="..\src\gtest-all.cc">
-				<FileConfiguration
-					Name="Debug|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"/>
-				</FileConfiguration>
-				<FileConfiguration
-					Name="Release|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"/>
-				</FileConfiguration>
-			</File>
-		</Filter>
-		<Filter
-			Name="Header Files"
-			Filter="h;hpp;hxx;hm;inl;inc;xsd"
-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">
-		</Filter>
-	</Files>
-	<Globals>
-	</Globals>
-</VisualStudioProject>
diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest.sln b/security/nss/gtests/google_test/gtest/msvc/gtest.sln
deleted file mode 100644
index ef4b057ff..000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest.sln
+++ /dev/null
@@ -1,45 +0,0 @@
-Microsoft Visual Studio Solution File, Format Version 8.00
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest", "gtest.vcproj", "{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}"
-	ProjectSection(ProjectDependencies) = postProject
-	EndProjectSection
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_main", "gtest_main.vcproj", "{3AF54C8A-10BF-4332-9147-F68ED9862032}"
-	ProjectSection(ProjectDependencies) = postProject
-	EndProjectSection
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_unittest", "gtest_unittest.vcproj", "{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}"
-	ProjectSection(ProjectDependencies) = postProject
-	EndProjectSection
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_prod_test", "gtest_prod_test.vcproj", "{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}"
-	ProjectSection(ProjectDependencies) = postProject
-	EndProjectSection
-EndProject
-Global
-	GlobalSection(SolutionConfiguration) = preSolution
-		Debug = Debug
-		Release = Release
-	EndGlobalSection
-	GlobalSection(ProjectConfiguration) = postSolution
-		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Debug.ActiveCfg = Debug|Win32
-		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Debug.Build.0 = Debug|Win32
-		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Release.ActiveCfg = Release|Win32
-		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Release.Build.0 = Release|Win32
-		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Debug.ActiveCfg = Debug|Win32
-		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Debug.Build.0 = Debug|Win32
-		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Release.ActiveCfg = Release|Win32
-		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Release.Build.0 = Release|Win32
-		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Debug.ActiveCfg = Debug|Win32
-		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Debug.Build.0 = Debug|Win32
-		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Release.ActiveCfg = Release|Win32
-		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Release.Build.0 = Release|Win32
-		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Debug.ActiveCfg = Debug|Win32
-		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Debug.Build.0 = Debug|Win32
-		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Release.ActiveCfg = Release|Win32
-		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Release.Build.0 = Release|Win32
-	EndGlobalSection
-	GlobalSection(ExtensibilityGlobals) = postSolution
-	EndGlobalSection
-	GlobalSection(ExtensibilityAddIns) = postSolution
-	EndGlobalSection
-EndGlobal
diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest.vcproj b/security/nss/gtests/google_test/gtest/msvc/gtest.vcproj
deleted file mode 100644
index a8373ce9a..000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest.vcproj
+++ /dev/null
@@ -1,126 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>
-<VisualStudioProject
-	ProjectType="Visual C++"
-	Version="7.10"
-	Name="gtest"
-	ProjectGUID="{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}"
-	Keyword="Win32Proj">
-	<Platforms>
-		<Platform
-			Name="Win32"/>
-	</Platforms>
-	<Configurations>
-		<Configuration
-			Name="Debug|Win32"
-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"
-			IntermediateDirectory="$(OutDir)/$(ProjectName)"
-			ConfigurationType="4"
-			CharacterSet="2"
-			ReferencesPath="">
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_LIB"
-				MinimalRebuild="TRUE"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="5"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				Detect64BitPortabilityProblems="FALSE"
-				DebugInformationFormat="4"/>
-			<Tool
-				Name="VCCustomBuildTool"/>
-			<Tool
-				Name="VCLibrarianTool"
-				OutputFile="$(OutDir)/gtestd.lib"/>
-			<Tool
-				Name="VCMIDLTool"/>
-			<Tool
-				Name="VCPostBuildEventTool"/>
-			<Tool
-				Name="VCPreBuildEventTool"/>
-			<Tool
-				Name="VCPreLinkEventTool"/>
-			<Tool
-				Name="VCResourceCompilerTool"/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"/>
-			<Tool
-				Name="VCManagedWrapperGeneratorTool"/>
-			<Tool
-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
-		</Configuration>
-		<Configuration
-			Name="Release|Win32"
-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"
-			IntermediateDirectory="$(OutDir)/$(ProjectName)"
-			ConfigurationType="4"
-			CharacterSet="2"
-			ReferencesPath="&quot;..\include&quot;;&quot;..&quot;">
-			<Tool
-				Name="VCCLCompilerTool"
-				PreprocessorDefinitions="WIN32;NDEBUG;_LIB"
-				RuntimeLibrary="4"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				Detect64BitPortabilityProblems="FALSE"
-				DebugInformationFormat="3"/>
-			<Tool
-				Name="VCCustomBuildTool"/>
-			<Tool
-				Name="VCLibrarianTool"
-				OutputFile="$(OutDir)/gtest.lib"/>
-			<Tool
-				Name="VCMIDLTool"/>
-			<Tool
-				Name="VCPostBuildEventTool"/>
-			<Tool
-				Name="VCPreBuildEventTool"/>
-			<Tool
-				Name="VCPreLinkEventTool"/>
-			<Tool
-				Name="VCResourceCompilerTool"/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"/>
-			<Tool
-				Name="VCManagedWrapperGeneratorTool"/>
-			<Tool
-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
-		</Configuration>
-	</Configurations>
-	<References>
-	</References>
-	<Files>
-		<Filter
-			Name="Source Files"
-			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"
-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">
-			<File
-				RelativePath="..\src\gtest-all.cc">
-				<FileConfiguration
-					Name="Debug|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"/>
-				</FileConfiguration>
-				<FileConfiguration
-					Name="Release|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"/>
-				</FileConfiguration>
-			</File>
-		</Filter>
-		<Filter
-			Name="Header Files"
-			Filter="h;hpp;hxx;hm;inl;inc;xsd"
-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">
-		</Filter>
-	</Files>
-	<Globals>
-	</Globals>
-</VisualStudioProject>
diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest_main-md.vcproj b/security/nss/gtests/google_test/gtest/msvc/gtest_main-md.vcproj
deleted file mode 100644
index b5379fe61..000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest_main-md.vcproj
+++ /dev/null
@@ -1,129 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>
-<VisualStudioProject
-	ProjectType="Visual C++"
-	Version="7.10"
-	Name="gtest_main-md"
-	ProjectGUID="{3AF54C8A-10BF-4332-9147-F68ED9862033}"
-	Keyword="Win32Proj">
-	<Platforms>
-		<Platform
-			Name="Win32"/>
-	</Platforms>
-	<Configurations>
-		<Configuration
-			Name="Debug|Win32"
-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"
-			IntermediateDirectory="$(OutDir)/$(ProjectName)"
-			ConfigurationType="4"
-			CharacterSet="2"
-			ReferencesPath="">
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_LIB"
-				MinimalRebuild="TRUE"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				Detect64BitPortabilityProblems="FALSE"
-				DebugInformationFormat="4"/>
-			<Tool
-				Name="VCCustomBuildTool"/>
-			<Tool
-				Name="VCLibrarianTool"
-				OutputFile="$(OutDir)/$(ProjectName)d.lib"/>
-			<Tool
-				Name="VCMIDLTool"/>
-			<Tool
-				Name="VCPostBuildEventTool"/>
-			<Tool
-				Name="VCPreBuildEventTool"/>
-			<Tool
-				Name="VCPreLinkEventTool"/>
-			<Tool
-				Name="VCResourceCompilerTool"/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"/>
-			<Tool
-				Name="VCManagedWrapperGeneratorTool"/>
-			<Tool
-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
-		</Configuration>
-		<Configuration
-			Name="Release|Win32"
-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"
-			IntermediateDirectory="$(OutDir)/$(ProjectName)"
-			ConfigurationType="4"
-			CharacterSet="2"
-			ReferencesPath="&quot;..\include&quot;;&quot;..&quot;">
-			<Tool
-				Name="VCCLCompilerTool"
-				PreprocessorDefinitions="WIN32;NDEBUG;_LIB"
-				RuntimeLibrary="2"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				Detect64BitPortabilityProblems="FALSE"
-				DebugInformationFormat="3"/>
-			<Tool
-				Name="VCCustomBuildTool"/>
-			<Tool
-				Name="VCLibrarianTool"
-				OutputFile="$(OutDir)/$(ProjectName).lib"/>
-			<Tool
-				Name="VCMIDLTool"/>
-			<Tool
-				Name="VCPostBuildEventTool"/>
-			<Tool
-				Name="VCPreBuildEventTool"/>
-			<Tool
-				Name="VCPreLinkEventTool"/>
-			<Tool
-				Name="VCResourceCompilerTool"/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"/>
-			<Tool
-				Name="VCManagedWrapperGeneratorTool"/>
-			<Tool
-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
-		</Configuration>
-	</Configurations>
-	<References>
-		<ProjectReference
-			ReferencedProjectIdentifier="{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}"
-			Name="gtest-md"/>
-	</References>
-	<Files>
-		<Filter
-			Name="Source Files"
-			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"
-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">
-			<File
-				RelativePath="..\src\gtest_main.cc">
-				<FileConfiguration
-					Name="Debug|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"/>
-				</FileConfiguration>
-				<FileConfiguration
-					Name="Release|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"/>
-				</FileConfiguration>
-			</File>
-		</Filter>
-		<Filter
-			Name="Header Files"
-			Filter="h;hpp;hxx;hm;inl;inc;xsd"
-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">
-		</Filter>
-	</Files>
-	<Globals>
-	</Globals>
-</VisualStudioProject>
diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest_main.vcproj b/security/nss/gtests/google_test/gtest/msvc/gtest_main.vcproj
deleted file mode 100644
index e8b763c56..000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest_main.vcproj
+++ /dev/null
@@ -1,129 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>
-<VisualStudioProject
-	ProjectType="Visual C++"
-	Version="7.10"
-	Name="gtest_main"
-	ProjectGUID="{3AF54C8A-10BF-4332-9147-F68ED9862032}"
-	Keyword="Win32Proj">
-	<Platforms>
-		<Platform
-			Name="Win32"/>
-	</Platforms>
-	<Configurations>
-		<Configuration
-			Name="Debug|Win32"
-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"
-			IntermediateDirectory="$(OutDir)/$(ProjectName)"
-			ConfigurationType="4"
-			CharacterSet="2"
-			ReferencesPath="">
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_LIB"
-				MinimalRebuild="TRUE"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="5"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				Detect64BitPortabilityProblems="FALSE"
-				DebugInformationFormat="4"/>
-			<Tool
-				Name="VCCustomBuildTool"/>
-			<Tool
-				Name="VCLibrarianTool"
-				OutputFile="$(OutDir)/$(ProjectName)d.lib"/>
-			<Tool
-				Name="VCMIDLTool"/>
-			<Tool
-				Name="VCPostBuildEventTool"/>
-			<Tool
-				Name="VCPreBuildEventTool"/>
-			<Tool
-				Name="VCPreLinkEventTool"/>
-			<Tool
-				Name="VCResourceCompilerTool"/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"/>
-			<Tool
-				Name="VCManagedWrapperGeneratorTool"/>
-			<Tool
-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
-		</Configuration>
-		<Configuration
-			Name="Release|Win32"
-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"
-			IntermediateDirectory="$(OutDir)/$(ProjectName)"
-			ConfigurationType="4"
-			CharacterSet="2"
-			ReferencesPath="&quot;..\include&quot;;&quot;..&quot;">
-			<Tool
-				Name="VCCLCompilerTool"
-				PreprocessorDefinitions="WIN32;NDEBUG;_LIB"
-				RuntimeLibrary="4"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				Detect64BitPortabilityProblems="FALSE"
-				DebugInformationFormat="3"/>
-			<Tool
-				Name="VCCustomBuildTool"/>
-			<Tool
-				Name="VCLibrarianTool"
-				OutputFile="$(OutDir)/$(ProjectName).lib"/>
-			<Tool
-				Name="VCMIDLTool"/>
-			<Tool
-				Name="VCPostBuildEventTool"/>
-			<Tool
-				Name="VCPreBuildEventTool"/>
-			<Tool
-				Name="VCPreLinkEventTool"/>
-			<Tool
-				Name="VCResourceCompilerTool"/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"/>
-			<Tool
-				Name="VCManagedWrapperGeneratorTool"/>
-			<Tool
-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
-		</Configuration>
-	</Configurations>
-	<References>
-		<ProjectReference
-			ReferencedProjectIdentifier="{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}"
-			Name="gtest"/>
-	</References>
-	<Files>
-		<Filter
-			Name="Source Files"
-			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"
-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">
-			<File
-				RelativePath="..\src\gtest_main.cc">
-				<FileConfiguration
-					Name="Debug|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"/>
-				</FileConfiguration>
-				<FileConfiguration
-					Name="Release|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"/>
-				</FileConfiguration>
-			</File>
-		</Filter>
-		<Filter
-			Name="Header Files"
-			Filter="h;hpp;hxx;hm;inl;inc;xsd"
-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">
-		</Filter>
-	</Files>
-	<Globals>
-	</Globals>
-</VisualStudioProject>
diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest_prod_test-md.vcproj b/security/nss/gtests/google_test/gtest/msvc/gtest_prod_test-md.vcproj
deleted file mode 100644
index 05b05d9ed..000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest_prod_test-md.vcproj
+++ /dev/null
@@ -1,164 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>
-<VisualStudioProject
-	ProjectType="Visual C++"
-	Version="7.10"
-	Name="gtest_prod_test-md"
-	ProjectGUID="{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}"
-	Keyword="Win32Proj">
-	<Platforms>
-		<Platform
-			Name="Win32"/>
-	</Platforms>
-	<Configurations>
-		<Configuration
-			Name="Debug|Win32"
-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"
-			IntermediateDirectory="$(OutDir)/$(ProjectName)"
-			ConfigurationType="1"
-			CharacterSet="2">
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"
-				MinimalRebuild="TRUE"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="3"
-				WarningLevel="3"
-				Detect64BitPortabilityProblems="FALSE"
-				DebugInformationFormat="4"/>
-			<Tool
-				Name="VCCustomBuildTool"/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="$(OutDir)/gtest_prod_test.exe"
-				LinkIncremental="2"
-				GenerateDebugInformation="TRUE"
-				ProgramDatabaseFile="$(OutDir)/gtest_prod_test.pdb"
-				SubSystem="1"
-				TargetMachine="1"/>
-			<Tool
-				Name="VCMIDLTool"/>
-			<Tool
-				Name="VCPostBuildEventTool"/>
-			<Tool
-				Name="VCPreBuildEventTool"/>
-			<Tool
-				Name="VCPreLinkEventTool"/>
-			<Tool
-				Name="VCResourceCompilerTool"/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"/>
-			<Tool
-				Name="VCWebDeploymentTool"/>
-			<Tool
-				Name="VCManagedWrapperGeneratorTool"/>
-			<Tool
-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
-		</Configuration>
-		<Configuration
-			Name="Release|Win32"
-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"
-			IntermediateDirectory="$(OutDir)/$(ProjectName)"
-			ConfigurationType="1"
-			CharacterSet="2">
-			<Tool
-				Name="VCCLCompilerTool"
-				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE"
-				RuntimeLibrary="2"
-				UsePrecompiledHeader="3"
-				WarningLevel="3"
-				Detect64BitPortabilityProblems="FALSE"
-				DebugInformationFormat="3"/>
-			<Tool
-				Name="VCCustomBuildTool"/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="$(OutDir)/gtest_prod_test.exe"
-				LinkIncremental="1"
-				GenerateDebugInformation="TRUE"
-				SubSystem="1"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				TargetMachine="1"/>
-			<Tool
-				Name="VCMIDLTool"/>
-			<Tool
-				Name="VCPostBuildEventTool"/>
-			<Tool
-				Name="VCPreBuildEventTool"/>
-			<Tool
-				Name="VCPreLinkEventTool"/>
-			<Tool
-				Name="VCResourceCompilerTool"/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"/>
-			<Tool
-				Name="VCWebDeploymentTool"/>
-			<Tool
-				Name="VCManagedWrapperGeneratorTool"/>
-			<Tool
-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
-		</Configuration>
-	</Configurations>
-	<References>
-		<ProjectReference
-			ReferencedProjectIdentifier="{3AF54C8A-10BF-4332-9147-F68ED9862033}"
-			Name="gtest_main-md"/>
-	</References>
-	<Files>
-		<Filter
-			Name="Source Files"
-			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"
-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">
-			<File
-				RelativePath="..\test\gtest_prod_test.cc">
-				<FileConfiguration
-					Name="Debug|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"
-						UsePrecompiledHeader="0"/>
-				</FileConfiguration>
-				<FileConfiguration
-					Name="Release|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"
-						UsePrecompiledHeader="0"/>
-				</FileConfiguration>
-			</File>
-			<File
-				RelativePath="..\test\production.cc">
-				<FileConfiguration
-					Name="Debug|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"
-						UsePrecompiledHeader="0"/>
-				</FileConfiguration>
-				<FileConfiguration
-					Name="Release|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"
-						UsePrecompiledHeader="0"/>
-				</FileConfiguration>
-			</File>
-		</Filter>
-		<Filter
-			Name="Header Files"
-			Filter="h;hpp;hxx;hm;inl;inc;xsd"
-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">
-			<File
-				RelativePath="..\test\production.h">
-			</File>
-		</Filter>
-	</Files>
-	<Globals>
-	</Globals>
-</VisualStudioProject>
diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest_prod_test.vcproj b/security/nss/gtests/google_test/gtest/msvc/gtest_prod_test.vcproj
deleted file mode 100644
index 6d7a2f021..000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest_prod_test.vcproj
+++ /dev/null
@@ -1,164 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>
-<VisualStudioProject
-	ProjectType="Visual C++"
-	Version="7.10"
-	Name="gtest_prod_test"
-	ProjectGUID="{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}"
-	Keyword="Win32Proj">
-	<Platforms>
-		<Platform
-			Name="Win32"/>
-	</Platforms>
-	<Configurations>
-		<Configuration
-			Name="Debug|Win32"
-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"
-			IntermediateDirectory="$(OutDir)/$(ProjectName)"
-			ConfigurationType="1"
-			CharacterSet="2">
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"
-				MinimalRebuild="TRUE"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="5"
-				UsePrecompiledHeader="3"
-				WarningLevel="3"
-				Detect64BitPortabilityProblems="FALSE"
-				DebugInformationFormat="4"/>
-			<Tool
-				Name="VCCustomBuildTool"/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="$(OutDir)/gtest_prod_test.exe"
-				LinkIncremental="2"
-				GenerateDebugInformation="TRUE"
-				ProgramDatabaseFile="$(OutDir)/gtest_prod_test.pdb"
-				SubSystem="1"
-				TargetMachine="1"/>
-			<Tool
-				Name="VCMIDLTool"/>
-			<Tool
-				Name="VCPostBuildEventTool"/>
-			<Tool
-				Name="VCPreBuildEventTool"/>
-			<Tool
-				Name="VCPreLinkEventTool"/>
-			<Tool
-				Name="VCResourceCompilerTool"/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"/>
-			<Tool
-				Name="VCWebDeploymentTool"/>
-			<Tool
-				Name="VCManagedWrapperGeneratorTool"/>
-			<Tool
-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
-		</Configuration>
-		<Configuration
-			Name="Release|Win32"
-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"
-			IntermediateDirectory="$(OutDir)/$(ProjectName)"
-			ConfigurationType="1"
-			CharacterSet="2">
-			<Tool
-				Name="VCCLCompilerTool"
-				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE"
-				RuntimeLibrary="4"
-				UsePrecompiledHeader="3"
-				WarningLevel="3"
-				Detect64BitPortabilityProblems="FALSE"
-				DebugInformationFormat="3"/>
-			<Tool
-				Name="VCCustomBuildTool"/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="$(OutDir)/gtest_prod_test.exe"
-				LinkIncremental="1"
-				GenerateDebugInformation="TRUE"
-				SubSystem="1"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				TargetMachine="1"/>
-			<Tool
-				Name="VCMIDLTool"/>
-			<Tool
-				Name="VCPostBuildEventTool"/>
-			<Tool
-				Name="VCPreBuildEventTool"/>
-			<Tool
-				Name="VCPreLinkEventTool"/>
-			<Tool
-				Name="VCResourceCompilerTool"/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"/>
-			<Tool
-				Name="VCWebDeploymentTool"/>
-			<Tool
-				Name="VCManagedWrapperGeneratorTool"/>
-			<Tool
-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
-		</Configuration>
-	</Configurations>
-	<References>
-		<ProjectReference
-			ReferencedProjectIdentifier="{3AF54C8A-10BF-4332-9147-F68ED9862032}"
-			Name="gtest_main"/>
-	</References>
-	<Files>
-		<Filter
-			Name="Source Files"
-			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"
-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">
-			<File
-				RelativePath="..\test\gtest_prod_test.cc">
-				<FileConfiguration
-					Name="Debug|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"
-						UsePrecompiledHeader="0"/>
-				</FileConfiguration>
-				<FileConfiguration
-					Name="Release|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"
-						UsePrecompiledHeader="0"/>
-				</FileConfiguration>
-			</File>
-			<File
-				RelativePath="..\test\production.cc">
-				<FileConfiguration
-					Name="Debug|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"
-						UsePrecompiledHeader="0"/>
-				</FileConfiguration>
-				<FileConfiguration
-					Name="Release|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"
-						UsePrecompiledHeader="0"/>
-				</FileConfiguration>
-			</File>
-		</Filter>
-		<Filter
-			Name="Header Files"
-			Filter="h;hpp;hxx;hm;inl;inc;xsd"
-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">
-			<File
-				RelativePath="..\test\production.h">
-			</File>
-		</Filter>
-	</Files>
-	<Globals>
-	</Globals>
-</VisualStudioProject>
diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest_unittest-md.vcproj b/security/nss/gtests/google_test/gtest/msvc/gtest_unittest-md.vcproj
deleted file mode 100644
index 38a5e5663..000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest_unittest-md.vcproj
+++ /dev/null
@@ -1,147 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>
-<VisualStudioProject
-	ProjectType="Visual C++"
-	Version="7.10"
-	Name="gtest_unittest-md"
-	ProjectGUID="{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}"
-	Keyword="Win32Proj">
-	<Platforms>
-		<Platform
-			Name="Win32"/>
-	</Platforms>
-	<Configurations>
-		<Configuration
-			Name="Debug|Win32"
-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"
-			IntermediateDirectory="$(OutDir)/$(ProjectName)"
-			ConfigurationType="1"
-			CharacterSet="2">
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"
-				MinimalRebuild="TRUE"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="3"
-				WarningLevel="3"
-				Detect64BitPortabilityProblems="FALSE"
-				DebugInformationFormat="4"/>
-			<Tool
-				Name="VCCustomBuildTool"/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="$(OutDir)/gtest_unittest.exe"
-				LinkIncremental="2"
-				GenerateDebugInformation="TRUE"
-				ProgramDatabaseFile="$(OutDir)/gtest_unittest.pdb"
-				SubSystem="1"
-				TargetMachine="1"/>
-			<Tool
-				Name="VCMIDLTool"/>
-			<Tool
-				Name="VCPostBuildEventTool"/>
-			<Tool
-				Name="VCPreBuildEventTool"/>
-			<Tool
-				Name="VCPreLinkEventTool"/>
-			<Tool
-				Name="VCResourceCompilerTool"/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"/>
-			<Tool
-				Name="VCWebDeploymentTool"/>
-			<Tool
-				Name="VCManagedWrapperGeneratorTool"/>
-			<Tool
-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
-		</Configuration>
-		<Configuration
-			Name="Release|Win32"
-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"
-			IntermediateDirectory="$(OutDir)/$(ProjectName)"
-			ConfigurationType="1"
-			CharacterSet="2">
-			<Tool
-				Name="VCCLCompilerTool"
-				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE"
-				RuntimeLibrary="2"
-				UsePrecompiledHeader="3"
-				WarningLevel="3"
-				Detect64BitPortabilityProblems="FALSE"
-				DebugInformationFormat="3"/>
-			<Tool
-				Name="VCCustomBuildTool"/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="$(OutDir)/gtest_unittest.exe"
-				LinkIncremental="1"
-				GenerateDebugInformation="TRUE"
-				SubSystem="1"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				TargetMachine="1"/>
-			<Tool
-				Name="VCMIDLTool"/>
-			<Tool
-				Name="VCPostBuildEventTool"/>
-			<Tool
-				Name="VCPreBuildEventTool"/>
-			<Tool
-				Name="VCPreLinkEventTool"/>
-			<Tool
-				Name="VCResourceCompilerTool"/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"/>
-			<Tool
-				Name="VCWebDeploymentTool"/>
-			<Tool
-				Name="VCManagedWrapperGeneratorTool"/>
-			<Tool
-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
-		</Configuration>
-	</Configurations>
-	<References>
-		<ProjectReference
-			ReferencedProjectIdentifier="{3AF54C8A-10BF-4332-9147-F68ED9862033}"
-			Name="gtest_main-md"/>
-	</References>
-	<Files>
-		<Filter
-			Name="Source Files"
-			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"
-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">
-			<File
-				RelativePath="..\test\gtest_unittest.cc">
-				<FileConfiguration
-					Name="Debug|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						Optimization="1"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"
-						BasicRuntimeChecks="0"
-						UsePrecompiledHeader="0"
-						DebugInformationFormat="3"/>
-				</FileConfiguration>
-				<FileConfiguration
-					Name="Release|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"
-						UsePrecompiledHeader="0"/>
-				</FileConfiguration>
-			</File>
-		</Filter>
-		<Filter
-			Name="Header Files"
-			Filter="h;hpp;hxx;hm;inl;inc;xsd"
-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">
-		</Filter>
-	</Files>
-	<Globals>
-	</Globals>
-</VisualStudioProject>
diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest_unittest.vcproj b/security/nss/gtests/google_test/gtest/msvc/gtest_unittest.vcproj
deleted file mode 100644
index cb1f52b1f..000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest_unittest.vcproj
+++ /dev/null
@@ -1,147 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>
-<VisualStudioProject
-	ProjectType="Visual C++"
-	Version="7.10"
-	Name="gtest_unittest"
-	ProjectGUID="{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}"
-	Keyword="Win32Proj">
-	<Platforms>
-		<Platform
-			Name="Win32"/>
-	</Platforms>
-	<Configurations>
-		<Configuration
-			Name="Debug|Win32"
-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"
-			IntermediateDirectory="$(OutDir)/$(ProjectName)"
-			ConfigurationType="1"
-			CharacterSet="2">
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"
-				MinimalRebuild="TRUE"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="5"
-				UsePrecompiledHeader="3"
-				WarningLevel="3"
-				Detect64BitPortabilityProblems="FALSE"
-				DebugInformationFormat="4"/>
-			<Tool
-				Name="VCCustomBuildTool"/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="$(OutDir)/gtest_unittest.exe"
-				LinkIncremental="2"
-				GenerateDebugInformation="TRUE"
-				ProgramDatabaseFile="$(OutDir)/gtest_unittest.pdb"
-				SubSystem="1"
-				TargetMachine="1"/>
-			<Tool
-				Name="VCMIDLTool"/>
-			<Tool
-				Name="VCPostBuildEventTool"/>
-			<Tool
-				Name="VCPreBuildEventTool"/>
-			<Tool
-				Name="VCPreLinkEventTool"/>
-			<Tool
-				Name="VCResourceCompilerTool"/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"/>
-			<Tool
-				Name="VCWebDeploymentTool"/>
-			<Tool
-				Name="VCManagedWrapperGeneratorTool"/>
-			<Tool
-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
-		</Configuration>
-		<Configuration
-			Name="Release|Win32"
-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"
-			IntermediateDirectory="$(OutDir)/$(ProjectName)"
-			ConfigurationType="1"
-			CharacterSet="2">
-			<Tool
-				Name="VCCLCompilerTool"
-				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE"
-				RuntimeLibrary="4"
-				UsePrecompiledHeader="3"
-				WarningLevel="3"
-				Detect64BitPortabilityProblems="FALSE"
-				DebugInformationFormat="3"/>
-			<Tool
-				Name="VCCustomBuildTool"/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="$(OutDir)/gtest_unittest.exe"
-				LinkIncremental="1"
-				GenerateDebugInformation="TRUE"
-				SubSystem="1"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				TargetMachine="1"/>
-			<Tool
-				Name="VCMIDLTool"/>
-			<Tool
-				Name="VCPostBuildEventTool"/>
-			<Tool
-				Name="VCPreBuildEventTool"/>
-			<Tool
-				Name="VCPreLinkEventTool"/>
-			<Tool
-				Name="VCResourceCompilerTool"/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"/>
-			<Tool
-				Name="VCWebDeploymentTool"/>
-			<Tool
-				Name="VCManagedWrapperGeneratorTool"/>
-			<Tool
-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
-		</Configuration>
-	</Configurations>
-	<References>
-		<ProjectReference
-			ReferencedProjectIdentifier="{3AF54C8A-10BF-4332-9147-F68ED9862032}"
-			Name="gtest_main"/>
-	</References>
-	<Files>
-		<Filter
-			Name="Source Files"
-			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"
-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">
-			<File
-				RelativePath="..\test\gtest_unittest.cc">
-				<FileConfiguration
-					Name="Debug|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						Optimization="1"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"
-						BasicRuntimeChecks="0"
-						UsePrecompiledHeader="0"
-						DebugInformationFormat="3"/>
-				</FileConfiguration>
-				<FileConfiguration
-					Name="Release|Win32">
-					<Tool
-						Name="VCCLCompilerTool"
-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"
-						UsePrecompiledHeader="0"/>
-				</FileConfiguration>
-			</File>
-		</Filter>
-		<Filter
-			Name="Header Files"
-			Filter="h;hpp;hxx;hm;inl;inc;xsd"
-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">
-		</Filter>
-	</Files>
-	<Globals>
-	</Globals>
-</VisualStudioProject>
diff --git a/security/nss/gtests/google_test/gtest/samples/prime_tables.h b/security/nss/gtests/google_test/gtest/samples/prime_tables.h
index 92ce16a01..523c50b9a 100644
--- a/security/nss/gtests/google_test/gtest/samples/prime_tables.h
+++ b/security/nss/gtests/google_test/gtest/samples/prime_tables.h
@@ -26,9 +26,8 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
-// Author: vladl@google.com (Vlad Losev)
+
+
 
 // This provides interface PrimeTable that determines whether a number is a
 // prime and determines a next prime number. This interface is used
@@ -103,11 +102,15 @@ class PreCalculatedPrimeTable : public PrimeTable {
     ::std::fill(is_prime_, is_prime_ + is_prime_size_, true);
     is_prime_[0] = is_prime_[1] = false;
 
-    for (int i = 2; i <= max; i++) {
+    // Checks every candidate for prime number (we know that 2 is the only even
+    // prime).
+    for (int i = 2; i*i <= max; i += i%2+1) {
       if (!is_prime_[i]) continue;
 
       // Marks all multiples of i (except i itself) as non-prime.
-      for (int j = 2*i; j <= max; j += i) {
+      // We are starting here from i-th multiplier, because all smaller
+      // complex numbers were already marked.
+      for (int j = i*i; j <= max; j += i) {
         is_prime_[j] = false;
       }
     }
diff --git a/security/nss/gtests/google_test/gtest/samples/sample1.cc b/security/nss/gtests/google_test/gtest/samples/sample1.cc
index f171e2609..13cec1d0f 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample1.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample1.cc
@@ -28,8 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
 #include "sample1.h"
 
@@ -55,7 +53,7 @@ bool IsPrime(int n) {
 
   // Try to divide n by every odd number i, starting from 3
   for (int i = 3; ; i += 2) {
-    // We only have to try i up to the squre root of n
+    // We only have to try i up to the square root of n
     if (i > n/i) break;
 
     // Now, we have i <= n/i < n.
diff --git a/security/nss/gtests/google_test/gtest/samples/sample1.h b/security/nss/gtests/google_test/gtest/samples/sample1.h
index 3dfeb98c4..2c3e9f05f 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample1.h
+++ b/security/nss/gtests/google_test/gtest/samples/sample1.h
@@ -28,8 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
 #ifndef GTEST_SAMPLES_SAMPLE1_H_
 #define GTEST_SAMPLES_SAMPLE1_H_
diff --git a/security/nss/gtests/google_test/gtest/samples/sample10_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample10_unittest.cc
index 0051cd5dc..7ce9550f8 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample10_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample10_unittest.cc
@@ -25,8 +25,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 
 // This sample shows how to use Google Test listener API to implement
 // a primitive leak checker.
@@ -35,18 +34,15 @@
 #include <stdlib.h>
 
 #include "gtest/gtest.h"
-
 using ::testing::EmptyTestEventListener;
 using ::testing::InitGoogleTest;
 using ::testing::Test;
-using ::testing::TestCase;
 using ::testing::TestEventListeners;
 using ::testing::TestInfo;
 using ::testing::TestPartResult;
 using ::testing::UnitTest;
 
 namespace {
-
 // We will track memory used by this class.
 class Water {
  public:
@@ -106,7 +102,6 @@ TEST(ListenersTest, LeaksWater) {
   Water* water = new Water;
   EXPECT_TRUE(water != NULL);
 }
-
 }  // namespace
 
 int main(int argc, char **argv) {
diff --git a/security/nss/gtests/google_test/gtest/samples/sample1_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample1_unittest.cc
index aefc4f1d8..cb08b61a5 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample1_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample1_unittest.cc
@@ -28,9 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
-
 
 // This sample shows how to write a simple unit test for a function,
 // using Google C++ testing framework.
@@ -46,7 +43,7 @@
 #include <limits.h>
 #include "sample1.h"
 #include "gtest/gtest.h"
-
+namespace {
 
 // Step 2. Use the TEST macro to define your tests.
 //
@@ -139,6 +136,7 @@ TEST(IsPrimeTest, Positive) {
   EXPECT_FALSE(IsPrime(6));
   EXPECT_TRUE(IsPrime(23));
 }
+}  // namespace
 
 // Step 3. Call RUN_ALL_TESTS() in main().
 //
diff --git a/security/nss/gtests/google_test/gtest/samples/sample2.cc b/security/nss/gtests/google_test/gtest/samples/sample2.cc
index 5f763b9bd..f3b722fca 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample2.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample2.cc
@@ -28,8 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
 #include "sample2.h"
 
diff --git a/security/nss/gtests/google_test/gtest/samples/sample2.h b/security/nss/gtests/google_test/gtest/samples/sample2.h
index cb485c70f..58f360f45 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample2.h
+++ b/security/nss/gtests/google_test/gtest/samples/sample2.h
@@ -28,8 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
 #ifndef GTEST_SAMPLES_SAMPLE2_H_
 #define GTEST_SAMPLES_SAMPLE2_H_
diff --git a/security/nss/gtests/google_test/gtest/samples/sample2_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample2_unittest.cc
index 4fa19b71c..084882619 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample2_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample2_unittest.cc
@@ -28,9 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
-
 
 // This sample shows how to write a more complex unit test for a class
 // that has multiple member functions.
@@ -42,7 +39,7 @@
 
 #include "sample2.h"
 #include "gtest/gtest.h"
-
+namespace {
 // In this example, we test the MyString class (a simple string).
 
 // Tests the default c'tor.
@@ -107,3 +104,4 @@ TEST(MyString, Set) {
   s.Set(NULL);
   EXPECT_STREQ(NULL, s.c_string());
 }
+}  // namespace
diff --git a/security/nss/gtests/google_test/gtest/samples/sample3-inl.h b/security/nss/gtests/google_test/gtest/samples/sample3-inl.h
index 7e3084d63..1a29ce929 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample3-inl.h
+++ b/security/nss/gtests/google_test/gtest/samples/sample3-inl.h
@@ -28,8 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
 #ifndef GTEST_SAMPLES_SAMPLE3_INL_H_
 #define GTEST_SAMPLES_SAMPLE3_INL_H_
diff --git a/security/nss/gtests/google_test/gtest/samples/sample3_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample3_unittest.cc
index bf3877d01..e093c2588 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample3_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample3_unittest.cc
@@ -28,9 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
-
 
 // In this example, we use a more advanced feature of Google Test called
 // test fixture.
@@ -65,14 +62,14 @@
 
 #include "sample3-inl.h"
 #include "gtest/gtest.h"
-
+namespace {
 // To use a test fixture, derive a class from testing::Test.
-class QueueTest : public testing::Test {
+class QueueTestSmpl3 : public testing::Test {
  protected:  // You should make the members protected s.t. they can be
              // accessed from sub-classes.
 
   // virtual void SetUp() will be called before each test is run.  You
-  // should define it if you need to initialize the varaibles.
+  // should define it if you need to initialize the variables.
   // Otherwise, this can be skipped.
   virtual void SetUp() {
     q1_.Enqueue(1);
@@ -120,13 +117,13 @@ class QueueTest : public testing::Test {
 // instead of TEST.
 
 // Tests the default c'tor.
-TEST_F(QueueTest, DefaultConstructor) {
+TEST_F(QueueTestSmpl3, DefaultConstructor) {
   // You can access data in the test fixture here.
   EXPECT_EQ(0u, q0_.Size());
 }
 
 // Tests Dequeue().
-TEST_F(QueueTest, Dequeue) {
+TEST_F(QueueTestSmpl3, Dequeue) {
   int * n = q0_.Dequeue();
   EXPECT_TRUE(n == NULL);
 
@@ -144,8 +141,9 @@ TEST_F(QueueTest, Dequeue) {
 }
 
 // Tests the Queue::Map() function.
-TEST_F(QueueTest, Map) {
+TEST_F(QueueTestSmpl3, Map) {
   MapTester(&q0_);
   MapTester(&q1_);
   MapTester(&q2_);
 }
+}  // namespace
diff --git a/security/nss/gtests/google_test/gtest/samples/sample4.cc b/security/nss/gtests/google_test/gtest/samples/sample4.cc
index ae44bda6f..b0ee6093b 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample4.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample4.cc
@@ -28,8 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
 #include <stdio.h>
 
@@ -40,6 +38,16 @@ int Counter::Increment() {
   return counter_++;
 }
 
+// Returns the current counter value, and decrements it.
+// counter can not be less than 0, return 0 in this case
+int Counter::Decrement() {
+  if (counter_ == 0) {
+    return counter_;
+  } else  {
+    return counter_--;
+  }
+}
+
 // Prints the current counter value to STDOUT.
 void Counter::Print() const {
   printf("%d", counter_);
diff --git a/security/nss/gtests/google_test/gtest/samples/sample4.h b/security/nss/gtests/google_test/gtest/samples/sample4.h
index cd60f0dd2..e256f4064 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample4.h
+++ b/security/nss/gtests/google_test/gtest/samples/sample4.h
@@ -28,9 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
-
 #ifndef GTEST_SAMPLES_SAMPLE4_H_
 #define GTEST_SAMPLES_SAMPLE4_H_
 
@@ -46,6 +43,9 @@ class Counter {
   // Returns the current counter value, and increments it.
   int Increment();
 
+  // Returns the current counter value, and decrements it.
+  int Decrement();
+
   // Prints the current counter value to STDOUT.
   void Print() const;
 };
diff --git a/security/nss/gtests/google_test/gtest/samples/sample4_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample4_unittest.cc
index fa5afc7d5..d5144c0d0 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample4_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample4_unittest.cc
@@ -26,20 +26,28 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
-#include "gtest/gtest.h"
+
 #include "sample4.h"
+#include "gtest/gtest.h"
 
+namespace {
 // Tests the Increment() method.
+
 TEST(Counter, Increment) {
   Counter c;
 
+  // Test that counter 0 returns 0
+  EXPECT_EQ(0, c.Decrement());
+
   // EXPECT_EQ() evaluates its arguments exactly once, so they
   // can have side effects.
 
   EXPECT_EQ(0, c.Increment());
   EXPECT_EQ(1, c.Increment());
   EXPECT_EQ(2, c.Increment());
+
+  EXPECT_EQ(3, c.Decrement());
 }
+
+}  // namespace
diff --git a/security/nss/gtests/google_test/gtest/samples/sample5_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample5_unittest.cc
index 43d8e5777..d8a8788c6 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample5_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample5_unittest.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // This sample teaches how to reuse a test fixture in multiple test
 // cases by deriving sub-fixtures from it.
@@ -46,10 +45,10 @@
 
 #include <limits.h>
 #include <time.h>
-#include "sample3-inl.h"
 #include "gtest/gtest.h"
 #include "sample1.h"
-
+#include "sample3-inl.h"
+namespace {
 // In this sample, we want to ensure that every test finishes within
 // ~5 seconds.  If a test takes longer to run, we consider it a
 // failure.
@@ -191,7 +190,7 @@ TEST_F(QueueTest, Dequeue) {
   EXPECT_EQ(1u, q2_.Size());
   delete n;
 }
-
+}  // namespace
 // If necessary, you can derive further test fixtures from a derived
 // fixture itself.  For example, you can derive another fixture from
 // QueueTest.  Google Test imposes no limit on how deep the hierarchy
diff --git a/security/nss/gtests/google_test/gtest/samples/sample6_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample6_unittest.cc
index 8f2036a51..ddf2f1c13 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample6_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample6_unittest.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // This sample shows how to test common properties of multiple
 // implementations of the same interface (aka interface tests).
@@ -36,7 +35,7 @@
 #include "prime_tables.h"
 
 #include "gtest/gtest.h"
-
+namespace {
 // First, we define some factory functions for creating instances of
 // the implementations.  You may be able to skip this step if all your
 // implementations can be constructed the same way.
@@ -222,3 +221,4 @@ INSTANTIATE_TYPED_TEST_CASE_P(OnTheFlyAndPreCalculated,    // Instance name
                               PrimeTableImplementations);  // Type list
 
 #endif  // GTEST_HAS_TYPED_TEST_P
+}  // namespace
diff --git a/security/nss/gtests/google_test/gtest/samples/sample7_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample7_unittest.cc
index 1b651a21d..c1ae8bded 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample7_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample7_unittest.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 
 // This sample shows how to test common properties of multiple
 // implementations of an interface (aka interface tests) using
@@ -39,8 +38,7 @@
 #include "prime_tables.h"
 
 #include "gtest/gtest.h"
-
-#if GTEST_HAS_PARAM_TEST
+namespace {
 
 using ::testing::TestWithParam;
 using ::testing::Values;
@@ -65,9 +63,9 @@ PrimeTable* CreatePreCalculatedPrimeTable() {
 // can refer to the test parameter by GetParam().  In this case, the test
 // parameter is a factory function which we call in fixture's SetUp() to
 // create and store an instance of PrimeTable.
-class PrimeTableTest : public TestWithParam<CreatePrimeTableFunc*> {
+class PrimeTableTestSmpl7 : public TestWithParam<CreatePrimeTableFunc*> {
  public:
-  virtual ~PrimeTableTest() { delete table_; }
+  virtual ~PrimeTableTestSmpl7() { delete table_; }
   virtual void SetUp() { table_ = (*GetParam())(); }
   virtual void TearDown() {
     delete table_;
@@ -78,7 +76,7 @@ class PrimeTableTest : public TestWithParam<CreatePrimeTableFunc*> {
   PrimeTable* table_;
 };
 
-TEST_P(PrimeTableTest, ReturnsFalseForNonPrimes) {
+TEST_P(PrimeTableTestSmpl7, ReturnsFalseForNonPrimes) {
   EXPECT_FALSE(table_->IsPrime(-5));
   EXPECT_FALSE(table_->IsPrime(0));
   EXPECT_FALSE(table_->IsPrime(1));
@@ -87,7 +85,7 @@ TEST_P(PrimeTableTest, ReturnsFalseForNonPrimes) {
   EXPECT_FALSE(table_->IsPrime(100));
 }
 
-TEST_P(PrimeTableTest, ReturnsTrueForPrimes) {
+TEST_P(PrimeTableTestSmpl7, ReturnsTrueForPrimes) {
   EXPECT_TRUE(table_->IsPrime(2));
   EXPECT_TRUE(table_->IsPrime(3));
   EXPECT_TRUE(table_->IsPrime(5));
@@ -96,7 +94,7 @@ TEST_P(PrimeTableTest, ReturnsTrueForPrimes) {
   EXPECT_TRUE(table_->IsPrime(131));
 }
 
-TEST_P(PrimeTableTest, CanGetNextPrime) {
+TEST_P(PrimeTableTestSmpl7, CanGetNextPrime) {
   EXPECT_EQ(2, table_->GetNextPrime(0));
   EXPECT_EQ(3, table_->GetNextPrime(2));
   EXPECT_EQ(5, table_->GetNextPrime(3));
@@ -112,19 +110,8 @@ TEST_P(PrimeTableTest, CanGetNextPrime) {
 //
 // Here, we instantiate our tests with a list of two PrimeTable object
 // factory functions:
-INSTANTIATE_TEST_CASE_P(
-    OnTheFlyAndPreCalculated,
-    PrimeTableTest,
-    Values(&CreateOnTheFlyPrimeTable, &CreatePreCalculatedPrimeTable<1000>));
-
-#else
-
-// Google Test may not support value-parameterized tests with some
-// compilers. If we use conditional compilation to compile out all
-// code referring to the gtest_main library, MSVC linker will not link
-// that library at all and consequently complain about missing entry
-// point defined in that library (fatal error LNK1561: entry point
-// must be defined). This dummy test keeps gtest_main linked in.
-TEST(DummyTest, ValueParameterizedTestsAreNotSupportedOnThisPlatform) {}
+INSTANTIATE_TEST_CASE_P(OnTheFlyAndPreCalculated, PrimeTableTestSmpl7,
+                        Values(&CreateOnTheFlyPrimeTable,
+                               &CreatePreCalculatedPrimeTable<1000>));
 
-#endif  // GTEST_HAS_PARAM_TEST
+}  // namespace
diff --git a/security/nss/gtests/google_test/gtest/samples/sample8_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample8_unittest.cc
index 727433406..ce75cf030 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample8_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample8_unittest.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 
 // This sample shows how to test code relying on some global flag variables.
 // Combine() helps with generating all possible combinations of such flags,
@@ -37,7 +36,7 @@
 #include "prime_tables.h"
 
 #include "gtest/gtest.h"
-
+namespace {
 #if GTEST_HAS_COMBINE
 
 // Suppose we want to introduce a new, improved implementation of PrimeTable
@@ -171,3 +170,4 @@ INSTANTIATE_TEST_CASE_P(MeaningfulTestParameters,
 TEST(DummyTest, CombineIsNotSupportedOnThisPlatform) {}
 
 #endif  // GTEST_HAS_COMBINE
+}  // namespace
diff --git a/security/nss/gtests/google_test/gtest/samples/sample9_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample9_unittest.cc
index b2e2079bf..53f9af5ba 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample9_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample9_unittest.cc
@@ -25,8 +25,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 
 // This sample shows how to use Google Test listener API to implement
 // an alternative console output and how to use the UnitTest reflection API
@@ -44,9 +43,7 @@ using ::testing::TestEventListeners;
 using ::testing::TestInfo;
 using ::testing::TestPartResult;
 using ::testing::UnitTest;
-
 namespace {
-
 // Provides alternative output mode which produces minimal amount of
 // information about tests.
 class TersePrinter : public EmptyTestEventListener {
@@ -102,7 +99,6 @@ TEST(CustomOutputTest, Fails) {
   EXPECT_EQ(1, 2)
       << "This test fails in order to demonstrate alternative failure messages";
 }
-
 }  // namespace
 
 int main(int argc, char **argv) {
diff --git a/security/nss/gtests/google_test/gtest/scripts/fuse_gtest_files.py b/security/nss/gtests/google_test/gtest/scripts/fuse_gtest_files.py
index 57ef72f0e..d0dd464fe 100755
--- a/security/nss/gtests/google_test/gtest/scripts/fuse_gtest_files.py
+++ b/security/nss/gtests/google_test/gtest/scripts/fuse_gtest_files.py
@@ -52,7 +52,7 @@ EXAMPLES
 This tool is experimental.  In particular, it assumes that there is no
 conditional inclusion of Google Test headers.  Please report any
 problems to googletestframework@googlegroups.com.  You can read
-http://code.google.com/p/googletest/wiki/GoogleTestAdvancedGuide for
+https://github.com/google/googletest/blob/master/googletest/docs/advanced.md for
 more information.
 """
 
@@ -60,7 +60,10 @@ __author__ = 'wan@google.com (Zhanyong Wan)'
 
 import os
 import re
-import sets
+try:
+  from sets import Set as set  # For Python 2.3 compatibility
+except ImportError:
+  pass
 import sys
 
 # We assume that this file is in the scripts/ directory in the Google
@@ -90,10 +93,10 @@ def VerifyFileExists(directory, relative_path):
   """
 
   if not os.path.isfile(os.path.join(directory, relative_path)):
-    print 'ERROR: Cannot find %s in directory %s.' % (relative_path,
-                                                      directory)
-    print ('Please either specify a valid project root directory '
-           'or omit it on the command line.')
+    print('ERROR: Cannot find %s in directory %s.' % (relative_path,
+                                                      directory))
+    print('Please either specify a valid project root directory '
+          'or omit it on the command line.')
     sys.exit(1)
 
 
@@ -119,11 +122,11 @@ def VerifyOutputFile(output_dir, relative_path):
     # TODO(wan@google.com): The following user-interaction doesn't
     # work with automated processes.  We should provide a way for the
     # Makefile to force overwriting the files.
-    print ('%s already exists in directory %s - overwrite it? (y/N) ' %
-           (relative_path, output_dir))
+    print('%s already exists in directory %s - overwrite it? (y/N) ' %
+          (relative_path, output_dir))
     answer = sys.stdin.readline().strip()
     if answer not in ['y', 'Y']:
-      print 'ABORTED.'
+      print('ABORTED.')
       sys.exit(1)
 
   # Makes sure the directory holding the output file exists; creates
@@ -146,8 +149,8 @@ def ValidateOutputDir(output_dir):
 def FuseGTestH(gtest_root, output_dir):
   """Scans folder gtest_root to generate gtest/gtest.h in output_dir."""
 
-  output_file = file(os.path.join(output_dir, GTEST_H_OUTPUT), 'w')
-  processed_files = sets.Set()  # Holds all gtest headers we've processed.
+  output_file = open(os.path.join(output_dir, GTEST_H_OUTPUT), 'w')
+  processed_files = set()  # Holds all gtest headers we've processed.
 
   def ProcessFile(gtest_header_path):
     """Processes the given gtest header file."""
@@ -159,7 +162,7 @@ def FuseGTestH(gtest_root, output_dir):
     processed_files.add(gtest_header_path)
 
     # Reads each line in the given gtest header.
-    for line in file(os.path.join(gtest_root, gtest_header_path), 'r'):
+    for line in open(os.path.join(gtest_root, gtest_header_path), 'r'):
       m = INCLUDE_GTEST_FILE_REGEX.match(line)
       if m:
         # It's '#include "gtest/..."' - let's process it recursively.
@@ -175,7 +178,7 @@ def FuseGTestH(gtest_root, output_dir):
 def FuseGTestAllCcToFile(gtest_root, output_file):
   """Scans folder gtest_root to generate gtest/gtest-all.cc in output_file."""
 
-  processed_files = sets.Set()
+  processed_files = set()
 
   def ProcessFile(gtest_source_file):
     """Processes the given gtest source file."""
@@ -187,7 +190,7 @@ def FuseGTestAllCcToFile(gtest_root, output_file):
     processed_files.add(gtest_source_file)
 
     # Reads each line in the given gtest source file.
-    for line in file(os.path.join(gtest_root, gtest_source_file), 'r'):
+    for line in open(os.path.join(gtest_root, gtest_source_file), 'r'):
       m = INCLUDE_GTEST_FILE_REGEX.match(line)
       if m:
         if 'include/' + m.group(1) == GTEST_SPI_H_SEED:
@@ -218,7 +221,7 @@ def FuseGTestAllCcToFile(gtest_root, output_file):
 def FuseGTestAllCc(gtest_root, output_dir):
   """Scans folder gtest_root to generate gtest/gtest-all.cc in output_dir."""
 
-  output_file = file(os.path.join(output_dir, GTEST_ALL_CC_OUTPUT), 'w')
+  output_file = open(os.path.join(output_dir, GTEST_ALL_CC_OUTPUT), 'w')
   FuseGTestAllCcToFile(gtest_root, output_file)
   output_file.close()
 
@@ -242,7 +245,7 @@ def main():
     # fuse_gtest_files.py GTEST_ROOT_DIR OUTPUT_DIR
     FuseGTest(sys.argv[1], sys.argv[2])
   else:
-    print __doc__
+    print(__doc__)
     sys.exit(1)
 
 
diff --git a/security/nss/gtests/google_test/gtest/scripts/gen_gtest_pred_impl.py b/security/nss/gtests/google_test/gtest/scripts/gen_gtest_pred_impl.py
index 3e7ab042e..b43efdf41 100755
--- a/security/nss/gtests/google_test/gtest/scripts/gen_gtest_pred_impl.py
+++ b/security/nss/gtests/google_test/gtest/scripts/gen_gtest_pred_impl.py
@@ -115,10 +115,9 @@ def HeaderPreamble(n):
 #ifndef GTEST_INCLUDE_GTEST_GTEST_PRED_IMPL_H_
 #define GTEST_INCLUDE_GTEST_GTEST_PRED_IMPL_H_
 
-// Makes sure this header is not included before gtest.h.
-#ifndef GTEST_INCLUDE_GTEST_GTEST_H_
-# error Do not include gtest_pred_impl.h directly.  Include gtest.h instead.
-#endif  // GTEST_INCLUDE_GTEST_GTEST_H_
+#include "gtest/gtest.h"
+
+namespace testing {
 
 // This header implements a family of generic predicate assertion
 // macros:
@@ -295,16 +294,17 @@ def HeaderPostamble():
 
   return """
 
+}  // namespace testing
+
 #endif  // GTEST_INCLUDE_GTEST_GTEST_PRED_IMPL_H_
 """
 
 
 def GenerateFile(path, content):
-  """Given a file path and a content string, overwrites it with the
-  given content."""
-
+  """Given a file path and a content string
+     overwrites it with the given content.
+  """
   print 'Updating file %s . . .' % path
-
   f = file(path, 'w+')
   print >>f, content,
   f.close()
@@ -314,8 +314,8 @@ def GenerateFile(path, content):
 
 def GenerateHeader(n):
   """Given the maximum arity n, updates the header file that implements
-  the predicate assertions."""
-
+  the predicate assertions.
+  """
   GenerateFile(HEADER,
                HeaderPreamble(n)
                + ''.join([ImplementationForArity(i) for i in OneTo(n)])
diff --git a/security/nss/gtests/google_test/gtest/scripts/upload.py b/security/nss/gtests/google_test/gtest/scripts/upload.py
index 6e6f9a147..c852e4c91 100755
--- a/security/nss/gtests/google_test/gtest/scripts/upload.py
+++ b/security/nss/gtests/google_test/gtest/scripts/upload.py
@@ -242,7 +242,7 @@ class AbstractRpcServer(object):
     The authentication process works as follows:
      1) We get a username and password from the user
      2) We use ClientLogin to obtain an AUTH token for the user
-        (see http://code.google.com/apis/accounts/AuthForInstalledApps.html).
+        (see https://developers.google.com/identity/protocols/AuthForInstalledApps).
      3) We pass the auth token to /_ah/login on the server to obtain an
         authentication cookie. If login was successful, it tries to redirect
         us to the URL we provided.
@@ -506,7 +506,7 @@ def EncodeMultipartFormData(fields, files):
     (content_type, body) ready for httplib.HTTP instance.
 
   Source:
-    http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/146306
+    https://web.archive.org/web/20160116052001/code.activestate.com/recipes/146306
   """
   BOUNDARY = '-M-A-G-I-C---B-O-U-N-D-A-R-Y-'
   CRLF = '\r\n'
@@ -732,7 +732,7 @@ class SubversionVCS(VersionControlSystem):
     else:
       self.rev_start = self.rev_end = None
     # Cache output from "svn list -r REVNO dirname".
-    # Keys: dirname, Values: 2-tuple (ouput for start rev and end rev).
+    # Keys: dirname, Values: 2-tuple (output for start rev and end rev).
     self.svnls_cache = {}
     # SVN base URL is required to fetch files deleted in an older revision.
     # Result is cached to not guess it over and over again in GetBaseFile().
@@ -807,7 +807,7 @@ class SubversionVCS(VersionControlSystem):
     # svn cat translates keywords but svn diff doesn't. As a result of this
     # behavior patching.PatchChunks() fails with a chunk mismatch error.
     # This part was originally written by the Review Board development team
-    # who had the same problem (http://reviews.review-board.org/r/276/).
+    # who had the same problem (https://reviews.reviewboard.org/r/276/).
     # Mapping of keywords to known aliases
     svn_keywords = {
       # Standard keywords
@@ -860,7 +860,7 @@ class SubversionVCS(VersionControlSystem):
       status_lines = status.splitlines()
       # If file is in a cl, the output will begin with
       # "\n--- Changelist 'cl_name':\n".  See
-      # http://svn.collab.net/repos/svn/trunk/notes/changelist-design.txt
+      # https://web.archive.org/web/20090918234815/svn.collab.net/repos/svn/trunk/notes/changelist-design.txt
       if (len(status_lines) == 3 and
           not status_lines[0] and
           status_lines[1].startswith("--- Changelist")):
diff --git a/security/nss/gtests/google_test/gtest/src/gtest-all.cc b/security/nss/gtests/google_test/gtest/src/gtest-all.cc
index 0a9cee522..b217a1800 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest-all.cc
+++ b/security/nss/gtests/google_test/gtest/src/gtest-all.cc
@@ -26,10 +26,9 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: mheule@google.com (Markus Heule)
-//
-// Google C++ Testing Framework (Google Test)
+// Google C++ Testing and Mocking Framework (Google Test)
 //
 // Sometimes it's desirable to build Google Test by compiling a single file.
 // This file serves this purpose.
diff --git a/security/nss/gtests/google_test/gtest/src/gtest-death-test.cc b/security/nss/gtests/google_test/gtest/src/gtest-death-test.cc
index a0a8c7baf..090835516 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest-death-test.cc
+++ b/security/nss/gtests/google_test/gtest/src/gtest-death-test.cc
@@ -26,13 +26,13 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan), vladl@google.com (Vlad Losev)
+
 //
 // This file implements death tests.
 
 #include "gtest/gtest-death-test.h"
 #include "gtest/internal/gtest-port.h"
+#include "gtest/internal/custom/gtest.h"
 
 #if GTEST_HAS_DEATH_TEST
 
@@ -61,26 +61,30 @@
 #  include <spawn.h>
 # endif  // GTEST_OS_QNX
 
+# if GTEST_OS_FUCHSIA
+#  include <lib/fdio/io.h>
+#  include <lib/fdio/spawn.h>
+#  include <zircon/processargs.h>
+#  include <zircon/syscalls.h>
+#  include <zircon/syscalls/port.h>
+# endif  // GTEST_OS_FUCHSIA
+
 #endif  // GTEST_HAS_DEATH_TEST
 
 #include "gtest/gtest-message.h"
 #include "gtest/internal/gtest-string.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick exists to
-// prevent the accidental inclusion of gtest-internal-inl.h in the
-// user's code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 namespace testing {
 
 // Constants.
 
 // The default death test style.
-static const char kDefaultDeathTestStyle[] = "fast";
+//
+// This is defined in internal/gtest-port.h as "fast", but can be overridden by
+// a definition in internal/custom/gtest-port.h. The recommended value, which is
+// used internally at Google, is "threadsafe".
+static const char kDefaultDeathTestStyle[] = GTEST_DEFAULT_DEATH_TEST_STYLE;
 
 GTEST_DEFINE_string_(
     death_test_style,
@@ -120,7 +124,9 @@ namespace internal {
 
 // Valid only for fast death tests. Indicates the code is running in the
 // child process of a fast style death test.
+# if !GTEST_OS_WINDOWS && !GTEST_OS_FUCHSIA
 static bool g_in_fast_death_test_child = false;
+# endif
 
 // Returns a Boolean value indicating whether the caller is currently
 // executing in the context of the death test child process.  Tools such as
@@ -128,10 +134,10 @@ static bool g_in_fast_death_test_child = false;
 // tests.  IMPORTANT: This is an internal utility.  Using it may break the
 // implementation of death tests.  User code MUST NOT use it.
 bool InDeathTestChild() {
-# if GTEST_OS_WINDOWS
+# if GTEST_OS_WINDOWS || GTEST_OS_FUCHSIA
 
-  // On Windows, death tests are thread-safe regardless of the value of the
-  // death_test_style flag.
+  // On Windows and Fuchsia, death tests are thread-safe regardless of the value
+  // of the death_test_style flag.
   return !GTEST_FLAG(internal_run_death_test).empty();
 
 # else
@@ -151,7 +157,7 @@ ExitedWithCode::ExitedWithCode(int exit_code) : exit_code_(exit_code) {
 
 // ExitedWithCode function-call operator.
 bool ExitedWithCode::operator()(int exit_status) const {
-# if GTEST_OS_WINDOWS
+# if GTEST_OS_WINDOWS || GTEST_OS_FUCHSIA
 
   return exit_status == exit_code_;
 
@@ -159,19 +165,27 @@ bool ExitedWithCode::operator()(int exit_status) const {
 
   return WIFEXITED(exit_status) && WEXITSTATUS(exit_status) == exit_code_;
 
-# endif  // GTEST_OS_WINDOWS
+# endif  // GTEST_OS_WINDOWS || GTEST_OS_FUCHSIA
 }
 
-# if !GTEST_OS_WINDOWS
+# if !GTEST_OS_WINDOWS && !GTEST_OS_FUCHSIA
 // KilledBySignal constructor.
 KilledBySignal::KilledBySignal(int signum) : signum_(signum) {
 }
 
 // KilledBySignal function-call operator.
 bool KilledBySignal::operator()(int exit_status) const {
+#  if defined(GTEST_KILLED_BY_SIGNAL_OVERRIDE_)
+  {
+    bool result;
+    if (GTEST_KILLED_BY_SIGNAL_OVERRIDE_(signum_, exit_status, &result)) {
+      return result;
+    }
+  }
+#  endif  // defined(GTEST_KILLED_BY_SIGNAL_OVERRIDE_)
   return WIFSIGNALED(exit_status) && WTERMSIG(exit_status) == signum_;
 }
-# endif  // !GTEST_OS_WINDOWS
+# endif  // !GTEST_OS_WINDOWS && !GTEST_OS_FUCHSIA
 
 namespace internal {
 
@@ -182,7 +196,7 @@ namespace internal {
 static std::string ExitSummary(int exit_code) {
   Message m;
 
-# if GTEST_OS_WINDOWS
+# if GTEST_OS_WINDOWS || GTEST_OS_FUCHSIA
 
   m << "Exited with exit status " << exit_code;
 
@@ -198,7 +212,7 @@ static std::string ExitSummary(int exit_code) {
     m << " (core dumped)";
   }
 #  endif
-# endif  // GTEST_OS_WINDOWS
+# endif  // GTEST_OS_WINDOWS || GTEST_OS_FUCHSIA
 
   return m.GetString();
 }
@@ -209,7 +223,7 @@ bool ExitedUnsuccessfully(int exit_status) {
   return !ExitedWithCode(0)(exit_status);
 }
 
-# if !GTEST_OS_WINDOWS
+# if !GTEST_OS_WINDOWS && !GTEST_OS_FUCHSIA
 // Generates a textual failure message when a death test finds more than
 // one thread running, or cannot determine the number of threads, prior
 // to executing the given statement.  It is the responsibility of the
@@ -218,13 +232,19 @@ static std::string DeathTestThreadWarning(size_t thread_count) {
   Message msg;
   msg << "Death tests use fork(), which is unsafe particularly"
       << " in a threaded context. For this test, " << GTEST_NAME_ << " ";
-  if (thread_count == 0)
+  if (thread_count == 0) {
     msg << "couldn't detect the number of threads.";
-  else
+  } else {
     msg << "detected " << thread_count << " threads.";
+  }
+  msg << " See "
+         "https://github.com/google/googletest/blob/master/googletest/docs/"
+         "advanced.md#death-tests-and-threads"
+      << " for more explanation and suggested solutions, especially if"
+      << " this is the last message you see before your test times out.";
   return msg.GetString();
 }
-# endif  // !GTEST_OS_WINDOWS
+# endif  // !GTEST_OS_WINDOWS && !GTEST_OS_FUCHSIA
 
 // Flag characters for reporting a death test that did not die.
 static const char kDeathTestLived = 'L';
@@ -232,6 +252,13 @@ static const char kDeathTestReturned = 'R';
 static const char kDeathTestThrew = 'T';
 static const char kDeathTestInternalError = 'I';
 
+#if GTEST_OS_FUCHSIA
+
+// File descriptor used for the pipe in the child process.
+static const int kFuchsiaReadPipeFd = 3;
+
+#endif
+
 // An enumeration describing all of the possible ways that a death test can
 // conclude.  DIED means that the process died while executing the test
 // code; LIVED means that process lived beyond the end of the test code;
@@ -239,7 +266,7 @@ static const char kDeathTestInternalError = 'I';
 // statement, which is not allowed; THREW means that the test statement
 // returned control by throwing an exception.  IN_PROGRESS means the test
 // has not yet concluded.
-// TODO(vladl@google.com): Unify names and possibly values for
+// FIXME: Unify names and possibly values for
 // AbortReason, DeathTestOutcome, and flag characters above.
 enum DeathTestOutcome { IN_PROGRESS, DIED, LIVED, RETURNED, THREW };
 
@@ -248,7 +275,7 @@ enum DeathTestOutcome { IN_PROGRESS, DIED, LIVED, RETURNED, THREW };
 // message is propagated back to the parent process.  Otherwise, the
 // message is simply printed to stderr.  In either case, the program
 // then exits with status 1.
-void DeathTestAbort(const std::string& message) {
+static void DeathTestAbort(const std::string& message) {
   // On a POSIX system, this function may be called from a threadsafe-style
   // death test child process, which operates on a very small stack.  Use
   // the heap for any additional non-minuscule memory requirements.
@@ -552,7 +579,12 @@ bool DeathTestImpl::Passed(bool status_ok) {
       break;
     case DIED:
       if (status_ok) {
+# if GTEST_USES_PCRE
+        // PCRE regexes support embedded NULs.
+        const bool matched = RE::PartialMatch(error_message, *regex());
+# else
         const bool matched = RE::PartialMatch(error_message.c_str(), *regex());
+# endif  // GTEST_USES_PCRE
         if (matched) {
           success = true;
         } else {
@@ -768,7 +800,200 @@ DeathTest::TestRole WindowsDeathTest::AssumeRole() {
   set_spawned(true);
   return OVERSEE_TEST;
 }
-# else  // We are not on Windows.
+
+# elif GTEST_OS_FUCHSIA
+
+class FuchsiaDeathTest : public DeathTestImpl {
+ public:
+  FuchsiaDeathTest(const char* a_statement,
+                   const RE* a_regex,
+                   const char* file,
+                   int line)
+      : DeathTestImpl(a_statement, a_regex), file_(file), line_(line) {}
+  virtual ~FuchsiaDeathTest() {
+    zx_status_t status = zx_handle_close(child_process_);
+    GTEST_DEATH_TEST_CHECK_(status == ZX_OK);
+    status = zx_handle_close(port_);
+    GTEST_DEATH_TEST_CHECK_(status == ZX_OK);
+  }
+
+  // All of these virtual functions are inherited from DeathTest.
+  virtual int Wait();
+  virtual TestRole AssumeRole();
+
+ private:
+  // The name of the file in which the death test is located.
+  const char* const file_;
+  // The line number on which the death test is located.
+  const int line_;
+
+  zx_handle_t child_process_ = ZX_HANDLE_INVALID;
+  zx_handle_t port_ = ZX_HANDLE_INVALID;
+};
+
+// Utility class for accumulating command-line arguments.
+class Arguments {
+ public:
+  Arguments() {
+    args_.push_back(NULL);
+  }
+
+  ~Arguments() {
+    for (std::vector<char*>::iterator i = args_.begin(); i != args_.end();
+         ++i) {
+      free(*i);
+    }
+  }
+  void AddArgument(const char* argument) {
+    args_.insert(args_.end() - 1, posix::StrDup(argument));
+  }
+
+  template <typename Str>
+  void AddArguments(const ::std::vector<Str>& arguments) {
+    for (typename ::std::vector<Str>::const_iterator i = arguments.begin();
+         i != arguments.end();
+         ++i) {
+      args_.insert(args_.end() - 1, posix::StrDup(i->c_str()));
+    }
+  }
+  char* const* Argv() {
+    return &args_[0];
+  }
+
+  int size() {
+    return args_.size() - 1;
+  }
+
+ private:
+  std::vector<char*> args_;
+};
+
+// Waits for the child in a death test to exit, returning its exit
+// status, or 0 if no child process exists.  As a side effect, sets the
+// outcome data member.
+int FuchsiaDeathTest::Wait() {
+  if (!spawned())
+    return 0;
+
+  // Register to wait for the child process to terminate.
+  zx_status_t status_zx;
+  status_zx = zx_object_wait_async(child_process_,
+                                   port_,
+                                   0 /* key */,
+                                   ZX_PROCESS_TERMINATED,
+                                   ZX_WAIT_ASYNC_ONCE);
+  GTEST_DEATH_TEST_CHECK_(status_zx == ZX_OK);
+
+  // Wait for it to terminate, or an exception to be received.
+  zx_port_packet_t packet;
+  status_zx = zx_port_wait(port_, ZX_TIME_INFINITE, &packet);
+  GTEST_DEATH_TEST_CHECK_(status_zx == ZX_OK);
+
+  if (ZX_PKT_IS_EXCEPTION(packet.type)) {
+    // Process encountered an exception. Kill it directly rather than letting
+    // other handlers process the event.
+    status_zx = zx_task_kill(child_process_);
+    GTEST_DEATH_TEST_CHECK_(status_zx == ZX_OK);
+
+    // Now wait for |child_process_| to terminate.
+    zx_signals_t signals = 0;
+    status_zx = zx_object_wait_one(
+        child_process_, ZX_PROCESS_TERMINATED, ZX_TIME_INFINITE, &signals);
+    GTEST_DEATH_TEST_CHECK_(status_zx == ZX_OK);
+    GTEST_DEATH_TEST_CHECK_(signals & ZX_PROCESS_TERMINATED);
+  } else {
+    // Process terminated.
+    GTEST_DEATH_TEST_CHECK_(ZX_PKT_IS_SIGNAL_ONE(packet.type));
+    GTEST_DEATH_TEST_CHECK_(packet.signal.observed & ZX_PROCESS_TERMINATED);
+  }
+
+  ReadAndInterpretStatusByte();
+
+  zx_info_process_t buffer;
+  status_zx = zx_object_get_info(
+      child_process_,
+      ZX_INFO_PROCESS,
+      &buffer,
+      sizeof(buffer),
+      nullptr,
+      nullptr);
+  GTEST_DEATH_TEST_CHECK_(status_zx == ZX_OK);
+
+  GTEST_DEATH_TEST_CHECK_(buffer.exited);
+  set_status(buffer.return_code);
+  return status();
+}
+
+// The AssumeRole process for a Fuchsia death test.  It creates a child
+// process with the same executable as the current process to run the
+// death test.  The child process is given the --gtest_filter and
+// --gtest_internal_run_death_test flags such that it knows to run the
+// current death test only.
+DeathTest::TestRole FuchsiaDeathTest::AssumeRole() {
+  const UnitTestImpl* const impl = GetUnitTestImpl();
+  const InternalRunDeathTestFlag* const flag =
+      impl->internal_run_death_test_flag();
+  const TestInfo* const info = impl->current_test_info();
+  const int death_test_index = info->result()->death_test_count();
+
+  if (flag != NULL) {
+    // ParseInternalRunDeathTestFlag() has performed all the necessary
+    // processing.
+    set_write_fd(kFuchsiaReadPipeFd);
+    return EXECUTE_TEST;
+  }
+
+  CaptureStderr();
+  // Flush the log buffers since the log streams are shared with the child.
+  FlushInfoLog();
+
+  // Build the child process command line.
+  const std::string filter_flag =
+      std::string("--") + GTEST_FLAG_PREFIX_ + kFilterFlag + "="
+      + info->test_case_name() + "." + info->name();
+  const std::string internal_flag =
+      std::string("--") + GTEST_FLAG_PREFIX_ + kInternalRunDeathTestFlag + "="
+      + file_ + "|"
+      + StreamableToString(line_) + "|"
+      + StreamableToString(death_test_index);
+  Arguments args;
+  args.AddArguments(GetInjectableArgvs());
+  args.AddArgument(filter_flag.c_str());
+  args.AddArgument(internal_flag.c_str());
+
+  // Build the pipe for communication with the child.
+  zx_status_t status;
+  zx_handle_t child_pipe_handle;
+  uint32_t type;
+  status = fdio_pipe_half(&child_pipe_handle, &type);
+  GTEST_DEATH_TEST_CHECK_(status >= 0);
+  set_read_fd(status);
+
+  // Set the pipe handle for the child.
+  fdio_spawn_action_t add_handle_action = {};
+  add_handle_action.action = FDIO_SPAWN_ACTION_ADD_HANDLE;
+  add_handle_action.h.id = PA_HND(type, kFuchsiaReadPipeFd);
+  add_handle_action.h.handle = child_pipe_handle;
+
+  // Spawn the child process.
+  status = fdio_spawn_etc(ZX_HANDLE_INVALID, FDIO_SPAWN_CLONE_ALL,
+                          args.Argv()[0], args.Argv(), nullptr, 1,
+                          &add_handle_action, &child_process_, nullptr);
+  GTEST_DEATH_TEST_CHECK_(status == ZX_OK);
+
+  // Create an exception port and attach it to the |child_process_|, to allow
+  // us to suppress the system default exception handler from firing.
+  status = zx_port_create(0, &port_);
+  GTEST_DEATH_TEST_CHECK_(status == ZX_OK);
+  status = zx_task_bind_exception_port(
+      child_process_, port_, 0 /* key */, 0 /*options */);
+  GTEST_DEATH_TEST_CHECK_(status == ZX_OK);
+
+  set_spawned(true);
+  return OVERSEE_TEST;
+}
+
+#else  // We are neither on Windows, nor on Fuchsia.
 
 // ForkingDeathTest provides implementations for most of the abstract
 // methods of the DeathTest interface.  Only the AssumeRole method is
@@ -872,9 +1097,13 @@ class ExecDeathTest : public ForkingDeathTest {
       ForkingDeathTest(a_statement, a_regex), file_(file), line_(line) { }
   virtual TestRole AssumeRole();
  private:
-  static ::std::vector<testing::internal::string>
-  GetArgvsForDeathTestChildProcess() {
-    ::std::vector<testing::internal::string> args = GetInjectableArgvs();
+  static ::std::vector<std::string> GetArgvsForDeathTestChildProcess() {
+    ::std::vector<std::string> args = GetInjectableArgvs();
+#  if defined(GTEST_EXTRA_DEATH_TEST_COMMAND_LINE_ARGS_)
+    ::std::vector<std::string> extra_args =
+        GTEST_EXTRA_DEATH_TEST_COMMAND_LINE_ARGS_();
+    args.insert(args.end(), extra_args.begin(), extra_args.end());
+#  endif  // defined(GTEST_EXTRA_DEATH_TEST_COMMAND_LINE_ARGS_)
     return args;
   }
   // The name of the file in which the death test is located.
@@ -970,6 +1199,7 @@ static int ExecDeathTestChildMain(void* child_arg) {
 }
 #  endif  // !GTEST_OS_QNX
 
+#  if GTEST_HAS_CLONE
 // Two utility routines that together determine the direction the stack
 // grows.
 // This could be accomplished more elegantly by a single recursive
@@ -979,20 +1209,22 @@ static int ExecDeathTestChildMain(void* child_arg) {
 // GTEST_NO_INLINE_ is required to prevent GCC 4.6 from inlining
 // StackLowerThanAddress into StackGrowsDown, which then doesn't give
 // correct answer.
-void StackLowerThanAddress(const void* ptr, bool* result) GTEST_NO_INLINE_;
-void StackLowerThanAddress(const void* ptr, bool* result) {
+static void StackLowerThanAddress(const void* ptr,
+                                  bool* result) GTEST_NO_INLINE_;
+static void StackLowerThanAddress(const void* ptr, bool* result) {
   int dummy;
   *result = (&dummy < ptr);
 }
 
 // Make sure AddressSanitizer does not tamper with the stack here.
 GTEST_ATTRIBUTE_NO_SANITIZE_ADDRESS_
-bool StackGrowsDown() {
+static bool StackGrowsDown() {
   int dummy;
   bool result;
   StackLowerThanAddress(&dummy, &result);
   return result;
 }
+#  endif  // GTEST_HAS_CLONE
 
 // Spawns a child process with the same executable as the current process in
 // a thread-safe manner and instructs it to run the death test.  The
@@ -1184,6 +1416,13 @@ bool DefaultDeathTestFactory::Create(const char* statement, const RE* regex,
     *test = new WindowsDeathTest(statement, regex, file, line);
   }
 
+# elif GTEST_OS_FUCHSIA
+
+  if (GTEST_FLAG(death_test_style) == "threadsafe" ||
+      GTEST_FLAG(death_test_style) == "fast") {
+    *test = new FuchsiaDeathTest(statement, regex, file, line);
+  }
+
 # else
 
   if (GTEST_FLAG(death_test_style) == "threadsafe") {
@@ -1204,31 +1443,11 @@ bool DefaultDeathTestFactory::Create(const char* statement, const RE* regex,
   return true;
 }
 
-// Splits a given string on a given delimiter, populating a given
-// vector with the fields.  GTEST_HAS_DEATH_TEST implies that we have
-// ::std::string, so we can use it here.
-static void SplitString(const ::std::string& str, char delimiter,
-                        ::std::vector< ::std::string>* dest) {
-  ::std::vector< ::std::string> parsed;
-  ::std::string::size_type pos = 0;
-  while (::testing::internal::AlwaysTrue()) {
-    const ::std::string::size_type colon = str.find(delimiter, pos);
-    if (colon == ::std::string::npos) {
-      parsed.push_back(str.substr(pos));
-      break;
-    } else {
-      parsed.push_back(str.substr(pos, colon - pos));
-      pos = colon + 1;
-    }
-  }
-  dest->swap(parsed);
-}
-
 # if GTEST_OS_WINDOWS
 // Recreates the pipe and event handles from the provided parameters,
 // signals the event, and returns a file descriptor wrapped around the pipe
 // handle. This function is called in the child process only.
-int GetStatusFileDescriptor(unsigned int parent_process_id,
+static int GetStatusFileDescriptor(unsigned int parent_process_id,
                             size_t write_handle_as_size_t,
                             size_t event_handle_as_size_t) {
   AutoHandle parent_process_handle(::OpenProcess(PROCESS_DUP_HANDLE,
@@ -1239,7 +1458,7 @@ int GetStatusFileDescriptor(unsigned int parent_process_id,
                    StreamableToString(parent_process_id));
   }
 
-  // TODO(vladl@google.com): Replace the following check with a
+  // FIXME: Replace the following check with a
   // compile-time assertion when available.
   GTEST_CHECK_(sizeof(HANDLE) <= sizeof(size_t));
 
@@ -1247,7 +1466,7 @@ int GetStatusFileDescriptor(unsigned int parent_process_id,
       reinterpret_cast<HANDLE>(write_handle_as_size_t);
   HANDLE dup_write_handle;
 
-  // The newly initialized handle is accessible only in in the parent
+  // The newly initialized handle is accessible only in the parent
   // process. To obtain one accessible within the child, we need to use
   // DuplicateHandle.
   if (!::DuplicateHandle(parent_process_handle.Get(), write_handle,
@@ -1324,6 +1543,16 @@ InternalRunDeathTestFlag* ParseInternalRunDeathTestFlag() {
   write_fd = GetStatusFileDescriptor(parent_process_id,
                                      write_handle_as_size_t,
                                      event_handle_as_size_t);
+
+# elif GTEST_OS_FUCHSIA
+
+  if (fields.size() != 3
+      || !ParseNaturalNumber(fields[1], &line)
+      || !ParseNaturalNumber(fields[2], &index)) {
+    DeathTestAbort("Bad --gtest_internal_run_death_test flag: "
+        + GTEST_FLAG(internal_run_death_test));
+  }
+
 # else
 
   if (fields.size() != 4
diff --git a/security/nss/gtests/google_test/gtest/src/gtest-filepath.cc b/security/nss/gtests/google_test/gtest/src/gtest-filepath.cc
index 0292dc119..a7e65c082 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest-filepath.cc
+++ b/security/nss/gtests/google_test/gtest/src/gtest-filepath.cc
@@ -26,14 +26,12 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Authors: keith.ray@gmail.com (Keith Ray)
 
-#include "gtest/gtest-message.h"
 #include "gtest/internal/gtest-filepath.h"
-#include "gtest/internal/gtest-port.h"
 
 #include <stdlib.h>
+#include "gtest/internal/gtest-port.h"
+#include "gtest/gtest-message.h"
 
 #if GTEST_OS_WINDOWS_MOBILE
 # include <windows.h>
@@ -48,6 +46,8 @@
 # include <climits>  // Some Linux distributions define PATH_MAX here.
 #endif  // GTEST_OS_WINDOWS_MOBILE
 
+#include "gtest/internal/gtest-string.h"
+
 #if GTEST_OS_WINDOWS
 # define GTEST_PATH_MAX_ _MAX_PATH
 #elif defined(PATH_MAX)
@@ -58,8 +58,6 @@
 # define GTEST_PATH_MAX_ _POSIX_PATH_MAX
 #endif  // GTEST_OS_WINDOWS
 
-#include "gtest/internal/gtest-string.h"
-
 namespace testing {
 namespace internal {
 
@@ -130,7 +128,7 @@ FilePath FilePath::RemoveExtension(const char* extension) const {
   return *this;
 }
 
-// Returns a pointer to the last occurence of a valid path separator in
+// Returns a pointer to the last occurrence of a valid path separator in
 // the FilePath. On Windows, for example, both '/' and '\' are valid path
 // separators. Returns NULL if no path separator was found.
 const char* FilePath::FindLastPathSeparator() const {
@@ -252,7 +250,7 @@ bool FilePath::DirectoryExists() const {
 // root directory per disk drive.)
 bool FilePath::IsRootDirectory() const {
 #if GTEST_OS_WINDOWS
-  // TODO(wan@google.com): on Windows a network share like
+  // FIXME: on Windows a network share like
   // \\server\share can be a root directory, although it cannot be the
   // current directory.  Handle this properly.
   return pathname_.length() == 3 && IsAbsolutePath();
@@ -352,7 +350,7 @@ FilePath FilePath::RemoveTrailingPathSeparator() const {
 // Removes any redundant separators that might be in the pathname.
 // For example, "bar///foo" becomes "bar/foo". Does not eliminate other
 // redundancies that might be in a pathname involving "." or "..".
-// TODO(wan@google.com): handle Windows network shares (e.g. \\server\share).
+// FIXME: handle Windows network shares (e.g. \\server\share).
 void FilePath::Normalize() {
   if (pathname_.c_str() == NULL) {
     pathname_ = "";
diff --git a/security/nss/gtests/google_test/gtest/src/gtest-internal-inl.h b/security/nss/gtests/google_test/gtest/src/gtest-internal-inl.h
index 0ac7a109b..479004149 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest-internal-inl.h
+++ b/security/nss/gtests/google_test/gtest/src/gtest-internal-inl.h
@@ -27,24 +27,13 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-// Utility functions and classes used by the Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
-//
+// Utility functions and classes used by the Google C++ testing framework.//
 // This file contains purely Google Test's internal implementation.  Please
 // DO NOT #INCLUDE IT IN A USER PROGRAM.
 
 #ifndef GTEST_SRC_GTEST_INTERNAL_INL_H_
 #define GTEST_SRC_GTEST_INTERNAL_INL_H_
 
-// GTEST_IMPLEMENTATION_ is defined to 1 iff the current translation unit is
-// part of Google Test's implementation; otherwise it's undefined.
-#if !GTEST_IMPLEMENTATION_
-// If this file is included from the user's code, just say no.
-# error "gtest-internal-inl.h is part of Google Test's internal implementation."
-# error "It must not be included except by Google Test itself."
-#endif  // GTEST_IMPLEMENTATION_
-
 #ifndef _WIN32_WCE
 # include <errno.h>
 #endif  // !_WIN32_WCE
@@ -67,9 +56,12 @@
 # include <windows.h>  // NOLINT
 #endif  // GTEST_OS_WINDOWS
 
-#include "gtest/gtest.h"  // NOLINT
+#include "gtest/gtest.h"
 #include "gtest/gtest-spi.h"
 
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4251 \
+/* class A needs to have dll-interface to be used by clients of class B */)
+
 namespace testing {
 
 // Declares the flags.
@@ -94,12 +86,14 @@ const char kFilterFlag[] = "filter";
 const char kListTestsFlag[] = "list_tests";
 const char kOutputFlag[] = "output";
 const char kPrintTimeFlag[] = "print_time";
+const char kPrintUTF8Flag[] = "print_utf8";
 const char kRandomSeedFlag[] = "random_seed";
 const char kRepeatFlag[] = "repeat";
 const char kShuffleFlag[] = "shuffle";
 const char kStackTraceDepthFlag[] = "stack_trace_depth";
 const char kStreamResultToFlag[] = "stream_result_to";
 const char kThrowOnFailureFlag[] = "throw_on_failure";
+const char kFlagfileFlag[] = "flagfile";
 
 // A valid random seed must be in [1, kMaxRandomSeed].
 const int kMaxRandomSeed = 99999;
@@ -173,6 +167,7 @@ class GTestFlagSaver {
     list_tests_ = GTEST_FLAG(list_tests);
     output_ = GTEST_FLAG(output);
     print_time_ = GTEST_FLAG(print_time);
+    print_utf8_ = GTEST_FLAG(print_utf8);
     random_seed_ = GTEST_FLAG(random_seed);
     repeat_ = GTEST_FLAG(repeat);
     shuffle_ = GTEST_FLAG(shuffle);
@@ -194,6 +189,7 @@ class GTestFlagSaver {
     GTEST_FLAG(list_tests) = list_tests_;
     GTEST_FLAG(output) = output_;
     GTEST_FLAG(print_time) = print_time_;
+    GTEST_FLAG(print_utf8) = print_utf8_;
     GTEST_FLAG(random_seed) = random_seed_;
     GTEST_FLAG(repeat) = repeat_;
     GTEST_FLAG(shuffle) = shuffle_;
@@ -215,6 +211,7 @@ class GTestFlagSaver {
   bool list_tests_;
   std::string output_;
   bool print_time_;
+  bool print_utf8_;
   internal::Int32 random_seed_;
   internal::Int32 repeat_;
   bool shuffle_;
@@ -425,13 +422,17 @@ class OsStackTraceGetterInterface {
   //                in the trace.
   //   skip_count - the number of top frames to be skipped; doesn't count
   //                against max_depth.
-  virtual string CurrentStackTrace(int max_depth, int skip_count) = 0;
+  virtual std::string CurrentStackTrace(int max_depth, int skip_count) = 0;
 
   // UponLeavingGTest() should be called immediately before Google Test calls
   // user code. It saves some information about the current stack that
   // CurrentStackTrace() will use to find and hide Google Test stack frames.
   virtual void UponLeavingGTest() = 0;
 
+  // This string is inserted in place of stack frames that are part of
+  // Google Test's implementation.
+  static const char* const kElidedFramesMarker;
+
  private:
   GTEST_DISALLOW_COPY_AND_ASSIGN_(OsStackTraceGetterInterface);
 };
@@ -439,25 +440,21 @@ class OsStackTraceGetterInterface {
 // A working implementation of the OsStackTraceGetterInterface interface.
 class OsStackTraceGetter : public OsStackTraceGetterInterface {
  public:
-  OsStackTraceGetter() : caller_frame_(NULL) {}
+  OsStackTraceGetter() {}
 
-  virtual string CurrentStackTrace(int max_depth, int skip_count)
-      GTEST_LOCK_EXCLUDED_(mutex_);
-
-  virtual void UponLeavingGTest() GTEST_LOCK_EXCLUDED_(mutex_);
-
-  // This string is inserted in place of stack frames that are part of
-  // Google Test's implementation.
-  static const char* const kElidedFramesMarker;
+  virtual std::string CurrentStackTrace(int max_depth, int skip_count);
+  virtual void UponLeavingGTest();
 
  private:
-  Mutex mutex_;  // protects all internal state
+#if GTEST_HAS_ABSL
+  Mutex mutex_;  // Protects all internal state.
 
   // We save the stack frame below the frame that calls user code.
   // We do this because the address of the frame immediately below
   // the user code changes between the call to UponLeavingGTest()
-  // and any calls to CurrentStackTrace() from within the user code.
-  void* caller_frame_;
+  // and any calls to the stack trace code from within the user code.
+  void* caller_frame_ = nullptr;
+#endif  // GTEST_HAS_ABSL
 
   GTEST_DISALLOW_COPY_AND_ASSIGN_(OsStackTraceGetter);
 };
@@ -673,13 +670,11 @@ class GTEST_API_ UnitTestImpl {
                 tear_down_tc)->AddTestInfo(test_info);
   }
 
-#if GTEST_HAS_PARAM_TEST
   // Returns ParameterizedTestCaseRegistry object used to keep track of
   // value-parameterized tests and instantiate and register them.
   internal::ParameterizedTestCaseRegistry& parameterized_test_registry() {
     return parameterized_test_registry_;
   }
-#endif  // GTEST_HAS_PARAM_TEST
 
   // Sets the TestCase object for the test that's currently running.
   void set_current_test_case(TestCase* a_current_test_case) {
@@ -854,14 +849,12 @@ class GTEST_API_ UnitTestImpl {
   // shuffled order.
   std::vector<int> test_case_indices_;
 
-#if GTEST_HAS_PARAM_TEST
   // ParameterizedTestRegistry object used to register value-parameterized
   // tests.
   internal::ParameterizedTestCaseRegistry parameterized_test_registry_;
 
   // Indicates whether RegisterParameterizedTests() has been called already.
   bool parameterized_tests_registered_;
-#endif  // GTEST_HAS_PARAM_TEST
 
   // Index of the last death test case registered.  Initially -1.
   int last_death_test_case_;
@@ -1001,7 +994,7 @@ bool ParseNaturalNumber(const ::std::string& str, Integer* number) {
 
   const bool parse_success = *end == '\0' && errno == 0;
 
-  // TODO(vladl@google.com): Convert this to compile time assertion when it is
+  // FIXME: Convert this to compile time assertion when it is
   // available.
   GTEST_CHECK_(sizeof(Integer) <= sizeof(parsed));
 
@@ -1049,21 +1042,19 @@ class StreamingListener : public EmptyTestEventListener {
     virtual ~AbstractSocketWriter() {}
 
     // Sends a string to the socket.
-    virtual void Send(const string& message) = 0;
+    virtual void Send(const std::string& message) = 0;
 
     // Closes the socket.
     virtual void CloseConnection() {}
 
     // Sends a string and a newline to the socket.
-    void SendLn(const string& message) {
-      Send(message + "\n");
-    }
+    void SendLn(const std::string& message) { Send(message + "\n"); }
   };
 
   // Concrete class for actually writing strings to a socket.
   class SocketWriter : public AbstractSocketWriter {
    public:
-    SocketWriter(const string& host, const string& port)
+    SocketWriter(const std::string& host, const std::string& port)
         : sockfd_(-1), host_name_(host), port_num_(port) {
       MakeConnection();
     }
@@ -1074,7 +1065,7 @@ class StreamingListener : public EmptyTestEventListener {
     }
 
     // Sends a string to the socket.
-    virtual void Send(const string& message) {
+    virtual void Send(const std::string& message) {
       GTEST_CHECK_(sockfd_ != -1)
           << "Send() can be called only when there is a connection.";
 
@@ -1100,17 +1091,19 @@ class StreamingListener : public EmptyTestEventListener {
     }
 
     int sockfd_;  // socket file descriptor
-    const string host_name_;
-    const string port_num_;
+    const std::string host_name_;
+    const std::string port_num_;
 
     GTEST_DISALLOW_COPY_AND_ASSIGN_(SocketWriter);
   };  // class SocketWriter
 
   // Escapes '=', '&', '%', and '\n' characters in str as "%xx".
-  static string UrlEncode(const char* str);
+  static std::string UrlEncode(const char* str);
 
-  StreamingListener(const string& host, const string& port)
-      : socket_writer_(new SocketWriter(host, port)) { Start(); }
+  StreamingListener(const std::string& host, const std::string& port)
+      : socket_writer_(new SocketWriter(host, port)) {
+    Start();
+  }
 
   explicit StreamingListener(AbstractSocketWriter* socket_writer)
       : socket_writer_(socket_writer) { Start(); }
@@ -1171,13 +1164,13 @@ class StreamingListener : public EmptyTestEventListener {
 
  private:
   // Sends the given message and a newline to the socket.
-  void SendLn(const string& message) { socket_writer_->SendLn(message); }
+  void SendLn(const std::string& message) { socket_writer_->SendLn(message); }
 
   // Called at the start of streaming to notify the receiver what
   // protocol we are using.
   void Start() { SendLn("gtest_streaming_protocol_version=1.0"); }
 
-  string FormatBool(bool value) { return value ? "1" : "0"; }
+  std::string FormatBool(bool value) { return value ? "1" : "0"; }
 
   const scoped_ptr<AbstractSocketWriter> socket_writer_;
 
@@ -1189,4 +1182,6 @@ class StreamingListener : public EmptyTestEventListener {
 }  // namespace internal
 }  // namespace testing
 
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4251
+
 #endif  // GTEST_SRC_GTEST_INTERNAL_INL_H_
diff --git a/security/nss/gtests/google_test/gtest/src/gtest-port.cc b/security/nss/gtests/google_test/gtest/src/gtest-port.cc
index b032745b4..fecb5d11c 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest-port.cc
+++ b/security/nss/gtests/google_test/gtest/src/gtest-port.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 #include "gtest/internal/gtest-port.h"
 
@@ -35,6 +34,7 @@
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
+#include <fstream>
 
 #if GTEST_OS_WINDOWS
 # include <windows.h>
@@ -57,19 +57,21 @@
 # include <sys/procfs.h>
 #endif  // GTEST_OS_QNX
 
+#if GTEST_OS_AIX
+# include <procinfo.h>
+# include <sys/types.h>
+#endif  // GTEST_OS_AIX
+
+#if GTEST_OS_FUCHSIA
+# include <zircon/process.h>
+# include <zircon/syscalls.h>
+#endif  // GTEST_OS_FUCHSIA
+
 #include "gtest/gtest-spi.h"
 #include "gtest/gtest-message.h"
 #include "gtest/internal/gtest-internal.h"
 #include "gtest/internal/gtest-string.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick exists to
-// prevent the accidental inclusion of gtest-internal-inl.h in the
-// user's code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 namespace testing {
 namespace internal {
@@ -83,10 +85,31 @@ const int kStdOutFileno = STDOUT_FILENO;
 const int kStdErrFileno = STDERR_FILENO;
 #endif  // _MSC_VER
 
-#if GTEST_OS_MAC
+#if GTEST_OS_LINUX
+
+namespace {
+template <typename T>
+T ReadProcFileField(const std::string& filename, int field) {
+  std::string dummy;
+  std::ifstream file(filename.c_str());
+  while (field-- > 0) {
+    file >> dummy;
+  }
+  T output = 0;
+  file >> output;
+  return output;
+}
+}  // namespace
+
+// Returns the number of active threads, or 0 when there is an error.
+size_t GetThreadCount() {
+  const std::string filename =
+      (Message() << "/proc/" << getpid() << "/stat").GetString();
+  return ReadProcFileField<int>(filename, 19);
+}
+
+#elif GTEST_OS_MAC
 
-// Returns the number of threads running in the process, or 0 to indicate that
-// we cannot detect it.
 size_t GetThreadCount() {
   const task_t task = mach_task_self();
   mach_msg_type_number_t thread_count;
@@ -124,6 +147,38 @@ size_t GetThreadCount() {
   }
 }
 
+#elif GTEST_OS_AIX
+
+size_t GetThreadCount() {
+  struct procentry64 entry;
+  pid_t pid = getpid();
+  int status = getprocs64(&entry, sizeof(entry), NULL, 0, &pid, 1);
+  if (status == 1) {
+    return entry.pi_thcount;
+  } else {
+    return 0;
+  }
+}
+
+#elif GTEST_OS_FUCHSIA
+
+size_t GetThreadCount() {
+  int dummy_buffer;
+  size_t avail;
+  zx_status_t status = zx_object_get_info(
+      zx_process_self(),
+      ZX_INFO_PROCESS_THREADS,
+      &dummy_buffer,
+      0,
+      nullptr,
+      &avail);
+  if (status == ZX_OK) {
+    return avail;
+  } else {
+    return 0;
+  }
+}
+
 #else
 
 size_t GetThreadCount() {
@@ -132,7 +187,7 @@ size_t GetThreadCount() {
   return 0;
 }
 
-#endif  // GTEST_OS_MAC
+#endif  // GTEST_OS_LINUX
 
 #if GTEST_IS_THREADSAFE && GTEST_OS_WINDOWS
 
@@ -196,8 +251,8 @@ void Notification::WaitForNotification() {
 }
 
 Mutex::Mutex()
-    : type_(kDynamic),
-      owner_thread_id_(0),
+    : owner_thread_id_(0),
+      type_(kDynamic),
       critical_section_init_phase_(0),
       critical_section_(new CRITICAL_SECTION) {
   ::InitializeCriticalSection(critical_section_);
@@ -206,9 +261,9 @@ Mutex::Mutex()
 Mutex::~Mutex() {
   // Static mutexes are leaked intentionally. It is not thread-safe to try
   // to clean them up.
-  // TODO(yukawa): Switch to Slim Reader/Writer (SRW) Locks, which requires
+  // FIXME: Switch to Slim Reader/Writer (SRW) Locks, which requires
   // nothing to clean it up but is available only on Vista and later.
-  // http://msdn.microsoft.com/en-us/library/windows/desktop/aa904937.aspx
+  // https://docs.microsoft.com/en-us/windows/desktop/Sync/slim-reader-writer--srw--locks
   if (type_ == kDynamic) {
     ::DeleteCriticalSection(critical_section_);
     delete critical_section_;
@@ -239,6 +294,43 @@ void Mutex::AssertHeld() {
       << "The current thread is not holding the mutex @" << this;
 }
 
+namespace {
+
+// Use the RAII idiom to flag mem allocs that are intentionally never
+// deallocated. The motivation is to silence the false positive mem leaks
+// that are reported by the debug version of MS's CRT which can only detect
+// if an alloc is missing a matching deallocation.
+// Example:
+//    MemoryIsNotDeallocated memory_is_not_deallocated;
+//    critical_section_ = new CRITICAL_SECTION;
+//
+class MemoryIsNotDeallocated
+{
+ public:
+  MemoryIsNotDeallocated() : old_crtdbg_flag_(0) {
+#ifdef _MSC_VER
+    old_crtdbg_flag_ = _CrtSetDbgFlag(_CRTDBG_REPORT_FLAG);
+    // Set heap allocation block type to _IGNORE_BLOCK so that MS debug CRT
+    // doesn't report mem leak if there's no matching deallocation.
+    _CrtSetDbgFlag(old_crtdbg_flag_ & ~_CRTDBG_ALLOC_MEM_DF);
+#endif  //  _MSC_VER
+  }
+
+  ~MemoryIsNotDeallocated() {
+#ifdef _MSC_VER
+    // Restore the original _CRTDBG_ALLOC_MEM_DF flag
+    _CrtSetDbgFlag(old_crtdbg_flag_);
+#endif  //  _MSC_VER
+  }
+
+ private:
+  int old_crtdbg_flag_;
+
+  GTEST_DISALLOW_COPY_AND_ASSIGN_(MemoryIsNotDeallocated);
+};
+
+}  // namespace
+
 // Initializes owner_thread_id_ and critical_section_ in static mutexes.
 void Mutex::ThreadSafeLazyInit() {
   // Dynamic mutexes are initialized in the constructor.
@@ -249,7 +341,11 @@ void Mutex::ThreadSafeLazyInit() {
         // If critical_section_init_phase_ was 0 before the exchange, we
         // are the first to test it and need to perform the initialization.
         owner_thread_id_ = 0;
-        critical_section_ = new CRITICAL_SECTION;
+        {
+          // Use RAII to flag that following mem alloc is never deallocated.
+          MemoryIsNotDeallocated memory_is_not_deallocated;
+          critical_section_ = new CRITICAL_SECTION;
+        }
         ::InitializeCriticalSection(critical_section_);
         // Updates the critical_section_init_phase_ to 2 to signal
         // initialization complete.
@@ -288,7 +384,7 @@ class ThreadWithParamSupport : public ThreadWithParamBase {
                              Notification* thread_can_start) {
     ThreadMainParam* param = new ThreadMainParam(runnable, thread_can_start);
     DWORD thread_id;
-    // TODO(yukawa): Consider to use _beginthreadex instead.
+    // FIXME: Consider to use _beginthreadex instead.
     HANDLE thread_handle = ::CreateThread(
         NULL,    // Default security.
         0,       // Default stack size.
@@ -456,7 +552,7 @@ class ThreadLocalRegistryImpl {
                                  FALSE,
                                  thread_id);
     GTEST_CHECK_(thread != NULL);
-    // We need to to pass a valid thread ID pointer into CreateThread for it
+    // We need to pass a valid thread ID pointer into CreateThread for it
     // to work correctly under Win98.
     DWORD watcher_thread_id;
     HANDLE watcher_thread = ::CreateThread(
@@ -491,7 +587,8 @@ class ThreadLocalRegistryImpl {
   // Returns map of thread local instances.
   static ThreadIdToThreadLocals* GetThreadLocalsMapLocked() {
     mutex_.AssertHeld();
-    static ThreadIdToThreadLocals* map = new ThreadIdToThreadLocals;
+    MemoryIsNotDeallocated memory_is_not_deallocated;
+    static ThreadIdToThreadLocals* map = new ThreadIdToThreadLocals();
     return map;
   }
 
@@ -631,7 +728,7 @@ bool AtomMatchesChar(bool escaped, char pattern_char, char ch) {
 }
 
 // Helper function used by ValidateRegex() to format error messages.
-std::string FormatRegexSyntaxError(const char* regex, int index) {
+static std::string FormatRegexSyntaxError(const char* regex, int index) {
   return (Message() << "Syntax error at index " << index
           << " in simple regular expression \"" << regex << "\": ").GetString();
 }
@@ -640,7 +737,7 @@ std::string FormatRegexSyntaxError(const char* regex, int index) {
 // otherwise returns true.
 bool ValidateRegex(const char* regex) {
   if (regex == NULL) {
-    // TODO(wan@google.com): fix the source file location in the
+    // FIXME: fix the source file location in the
     // assertion failures to match where the regex is used in user
     // code.
     ADD_FAILURE() << "NULL is not a valid simple regular expression.";
@@ -865,7 +962,6 @@ GTEST_API_ ::std::string FormatCompilerIndependentFileLocation(
     return file_name + ":" + StreamableToString(line);
 }
 
-
 GTestLog::GTestLog(GTestLogSeverity severity, const char* file, int line)
     : severity_(severity) {
   const char* const marker =
@@ -884,9 +980,10 @@ GTestLog::~GTestLog() {
     posix::Abort();
   }
 }
+
 // Disable Microsoft deprecation warnings for POSIX functions called from
 // this class (creat, dup, dup2, and close)
-GTEST_DISABLE_MSC_WARNINGS_PUSH_(4996)
+GTEST_DISABLE_MSC_DEPRECATED_PUSH_()
 
 #if GTEST_HAS_STREAM_REDIRECTION
 
@@ -962,12 +1059,6 @@ class CapturedStream {
   }
 
  private:
-  // Reads the entire content of a file as an std::string.
-  static std::string ReadEntireFile(FILE* file);
-
-  // Returns the size (in bytes) of a file.
-  static size_t GetFileSize(FILE* file);
-
   const int fd_;  // A stream to capture.
   int uncaptured_fd_;
   // Name of the temporary file holding the stderr output.
@@ -976,42 +1067,14 @@ class CapturedStream {
   GTEST_DISALLOW_COPY_AND_ASSIGN_(CapturedStream);
 };
 
-// Returns the size (in bytes) of a file.
-size_t CapturedStream::GetFileSize(FILE* file) {
-  fseek(file, 0, SEEK_END);
-  return static_cast<size_t>(ftell(file));
-}
-
-// Reads the entire content of a file as a string.
-std::string CapturedStream::ReadEntireFile(FILE* file) {
-  const size_t file_size = GetFileSize(file);
-  char* const buffer = new char[file_size];
-
-  size_t bytes_last_read = 0;  // # of bytes read in the last fread()
-  size_t bytes_read = 0;       // # of bytes read so far
-
-  fseek(file, 0, SEEK_SET);
-
-  // Keeps reading the file until we cannot read further or the
-  // pre-determined file size is reached.
-  do {
-    bytes_last_read = fread(buffer+bytes_read, 1, file_size-bytes_read, file);
-    bytes_read += bytes_last_read;
-  } while (bytes_last_read > 0 && bytes_read < file_size);
-
-  const std::string content(buffer, bytes_read);
-  delete[] buffer;
-
-  return content;
-}
-
-GTEST_DISABLE_MSC_WARNINGS_POP_()
+GTEST_DISABLE_MSC_DEPRECATED_POP_()
 
 static CapturedStream* g_captured_stderr = NULL;
 static CapturedStream* g_captured_stdout = NULL;
 
 // Starts capturing an output stream (stdout/stderr).
-void CaptureStream(int fd, const char* stream_name, CapturedStream** stream) {
+static void CaptureStream(int fd, const char* stream_name,
+                          CapturedStream** stream) {
   if (*stream != NULL) {
     GTEST_LOG_(FATAL) << "Only one " << stream_name
                       << " capturer can exist at a time.";
@@ -1020,7 +1083,7 @@ void CaptureStream(int fd, const char* stream_name, CapturedStream** stream) {
 }
 
 // Stops capturing the output stream and returns the captured string.
-std::string GetCapturedStream(CapturedStream** captured_stream) {
+static std::string GetCapturedStream(CapturedStream** captured_stream) {
   const std::string content = (*captured_stream)->GetCapturedString();
 
   delete *captured_stream;
@@ -1051,25 +1114,67 @@ std::string GetCapturedStderr() {
 
 #endif  // GTEST_HAS_STREAM_REDIRECTION
 
-#if GTEST_HAS_DEATH_TEST
 
-// A copy of all command line arguments.  Set by InitGoogleTest().
-::std::vector<testing::internal::string> g_argvs;
 
-static const ::std::vector<testing::internal::string>* g_injected_test_argvs =
-                                        NULL;  // Owned.
 
-void SetInjectableArgvs(const ::std::vector<testing::internal::string>* argvs) {
-  if (g_injected_test_argvs != argvs)
-    delete g_injected_test_argvs;
-  g_injected_test_argvs = argvs;
+
+size_t GetFileSize(FILE* file) {
+  fseek(file, 0, SEEK_END);
+  return static_cast<size_t>(ftell(file));
 }
 
-const ::std::vector<testing::internal::string>& GetInjectableArgvs() {
+std::string ReadEntireFile(FILE* file) {
+  const size_t file_size = GetFileSize(file);
+  char* const buffer = new char[file_size];
+
+  size_t bytes_last_read = 0;  // # of bytes read in the last fread()
+  size_t bytes_read = 0;       // # of bytes read so far
+
+  fseek(file, 0, SEEK_SET);
+
+  // Keeps reading the file until we cannot read further or the
+  // pre-determined file size is reached.
+  do {
+    bytes_last_read = fread(buffer+bytes_read, 1, file_size-bytes_read, file);
+    bytes_read += bytes_last_read;
+  } while (bytes_last_read > 0 && bytes_read < file_size);
+
+  const std::string content(buffer, bytes_read);
+  delete[] buffer;
+
+  return content;
+}
+
+#if GTEST_HAS_DEATH_TEST
+static const std::vector<std::string>* g_injected_test_argvs = NULL;  // Owned.
+
+std::vector<std::string> GetInjectableArgvs() {
   if (g_injected_test_argvs != NULL) {
     return *g_injected_test_argvs;
   }
-  return g_argvs;
+  return GetArgvs();
+}
+
+void SetInjectableArgvs(const std::vector<std::string>* new_argvs) {
+  if (g_injected_test_argvs != new_argvs) delete g_injected_test_argvs;
+  g_injected_test_argvs = new_argvs;
+}
+
+void SetInjectableArgvs(const std::vector<std::string>& new_argvs) {
+  SetInjectableArgvs(
+      new std::vector<std::string>(new_argvs.begin(), new_argvs.end()));
+}
+
+#if GTEST_HAS_GLOBAL_STRING
+void SetInjectableArgvs(const std::vector< ::string>& new_argvs) {
+  SetInjectableArgvs(
+      new std::vector<std::string>(new_argvs.begin(), new_argvs.end()));
+}
+#endif  // GTEST_HAS_GLOBAL_STRING
+
+void ClearInjectableArgvs() {
+  delete g_injected_test_argvs;
+  g_injected_test_argvs = NULL;
 }
 #endif  // GTEST_HAS_DEATH_TEST
 
@@ -1143,16 +1248,23 @@ bool ParseInt32(const Message& src_text, const char* str, Int32* value) {
 //
 // The value is considered true iff it's not "0".
 bool BoolFromGTestEnv(const char* flag, bool default_value) {
+#if defined(GTEST_GET_BOOL_FROM_ENV_)
+  return GTEST_GET_BOOL_FROM_ENV_(flag, default_value);
+#else
   const std::string env_var = FlagToEnvVar(flag);
   const char* const string_value = posix::GetEnv(env_var.c_str());
   return string_value == NULL ?
       default_value : strcmp(string_value, "0") != 0;
+#endif  // defined(GTEST_GET_BOOL_FROM_ENV_)
 }
 
 // Reads and returns a 32-bit integer stored in the environment
 // variable corresponding to the given flag; if it isn't set or
 // doesn't represent a valid 32-bit integer, returns default_value.
 Int32 Int32FromGTestEnv(const char* flag, Int32 default_value) {
+#if defined(GTEST_GET_INT32_FROM_ENV_)
+  return GTEST_GET_INT32_FROM_ENV_(flag, default_value);
+#else
   const std::string env_var = FlagToEnvVar(flag);
   const char* const string_value = posix::GetEnv(env_var.c_str());
   if (string_value == NULL) {
@@ -1170,14 +1282,36 @@ Int32 Int32FromGTestEnv(const char* flag, Int32 default_value) {
   }
 
   return result;
+#endif  // defined(GTEST_GET_INT32_FROM_ENV_)
+}
+
+// As a special case for the 'output' flag, if GTEST_OUTPUT is not
+// set, we look for XML_OUTPUT_FILE, which is set by the Bazel build
+// system.  The value of XML_OUTPUT_FILE is a filename without the
+// "xml:" prefix of GTEST_OUTPUT.
+// Note that this is meant to be called at the call site so it does
+// not check that the flag is 'output'
+// In essence this checks an env variable called XML_OUTPUT_FILE
+// and if it is set we prepend "xml:" to its value, if it not set we return ""
+std::string OutputFlagAlsoCheckEnvVar(){
+  std::string default_value_for_output_flag = "";
+  const char* xml_output_file_env = posix::GetEnv("XML_OUTPUT_FILE");
+  if (NULL != xml_output_file_env) {
+    default_value_for_output_flag = std::string("xml:") + xml_output_file_env;
+  }
+  return default_value_for_output_flag;
 }
 
 // Reads and returns the string environment variable corresponding to
 // the given flag; if it's not set, returns default_value.
 const char* StringFromGTestEnv(const char* flag, const char* default_value) {
+#if defined(GTEST_GET_STRING_FROM_ENV_)
+  return GTEST_GET_STRING_FROM_ENV_(flag, default_value);
+#else
   const std::string env_var = FlagToEnvVar(flag);
   const char* const value = posix::GetEnv(env_var.c_str());
   return value == NULL ? default_value : value;
+#endif  // defined(GTEST_GET_STRING_FROM_ENV_)
 }
 
 }  // namespace internal
diff --git a/security/nss/gtests/google_test/gtest/src/gtest-printers.cc b/security/nss/gtests/google_test/gtest/src/gtest-printers.cc
index a2df412f8..de4d245e9 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest-printers.cc
+++ b/security/nss/gtests/google_test/gtest/src/gtest-printers.cc
@@ -26,10 +26,9 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
-// Google Test - The Google C++ Testing Framework
+
+// Google Test - The Google C++ Testing and Mocking Framework
 //
 // This file implements a universal value printer that can print a
 // value of any type T:
@@ -43,12 +42,13 @@
 // defines Foo.
 
 #include "gtest/gtest-printers.h"
-#include <ctype.h>
 #include <stdio.h>
+#include <cctype>
 #include <cwchar>
 #include <ostream>  // NOLINT
 #include <string>
 #include "gtest/internal/gtest-port.h"
+#include "src/gtest-internal-inl.h"
 
 namespace testing {
 
@@ -89,7 +89,7 @@ void PrintBytesInObjectToImpl(const unsigned char* obj_bytes, size_t count,
   // If the object size is bigger than kThreshold, we'll have to omit
   // some details by printing only the first and the last kChunkSize
   // bytes.
-  // TODO(wan): let the user control the threshold using a flag.
+  // FIXME: let the user control the threshold using a flag.
   if (count < kThreshold) {
     PrintByteSegmentInObjectTo(obj_bytes, 0, count, os);
   } else {
@@ -123,7 +123,7 @@ namespace internal {
 // Depending on the value of a char (or wchar_t), we print it in one
 // of three formats:
 //   - as is if it's a printable ASCII (e.g. 'a', '2', ' '),
-//   - as a hexidecimal escape sequence (e.g. '\x7F'), or
+//   - as a hexadecimal escape sequence (e.g. '\x7F'), or
 //   - as a special escape sequence (e.g. '\r', '\n').
 enum CharFormat {
   kAsIs,
@@ -180,7 +180,10 @@ static CharFormat PrintAsCharLiteralTo(Char c, ostream* os) {
         *os << static_cast<char>(c);
         return kAsIs;
       } else {
-        *os << "\\x" + String::FormatHexInt(static_cast<UnsignedChar>(c));
+        ostream::fmtflags flags = os->flags();
+        *os << "\\x" << std::hex << std::uppercase
+            << static_cast<int>(static_cast<UnsignedChar>(c));
+        os->flags(flags);
         return kHexEscape;
       }
   }
@@ -227,7 +230,7 @@ void PrintCharAndCodeTo(Char c, ostream* os) {
     return;
   *os << " (" << static_cast<int>(c);
 
-  // For more convenience, we print c's code again in hexidecimal,
+  // For more convenience, we print c's code again in hexadecimal,
   // unless c was already printed in the form '\x##' or the code is in
   // [1, 9].
   if (format == kHexEscape || (1 <= c && c <= 9)) {
@@ -259,11 +262,12 @@ template <typename CharType>
 GTEST_ATTRIBUTE_NO_SANITIZE_MEMORY_
 GTEST_ATTRIBUTE_NO_SANITIZE_ADDRESS_
 GTEST_ATTRIBUTE_NO_SANITIZE_THREAD_
-static void PrintCharsAsStringTo(
+static CharFormat PrintCharsAsStringTo(
     const CharType* begin, size_t len, ostream* os) {
   const char* const kQuoteBegin = sizeof(CharType) == 1 ? "\"" : "L\"";
   *os << kQuoteBegin;
   bool is_previous_hex = false;
+  CharFormat print_format = kAsIs;
   for (size_t index = 0; index < len; ++index) {
     const CharType cur = begin[index];
     if (is_previous_hex && IsXDigit(cur)) {
@@ -273,8 +277,13 @@ static void PrintCharsAsStringTo(
       *os << "\" " << kQuoteBegin;
     }
     is_previous_hex = PrintAsStringLiteralTo(cur, os) == kHexEscape;
+    // Remember if any characters required hex escaping.
+    if (is_previous_hex) {
+      print_format = kHexEscape;
+    }
   }
   *os << "\"";
+  return print_format;
 }
 
 // Prints a (const) char/wchar_t array of 'len' elements, starting at address
@@ -344,15 +353,90 @@ void PrintTo(const wchar_t* s, ostream* os) {
 }
 #endif  // wchar_t is native
 
+namespace {
+
+bool ContainsUnprintableControlCodes(const char* str, size_t length) {
+  const unsigned char *s = reinterpret_cast<const unsigned char *>(str);
+
+  for (size_t i = 0; i < length; i++) {
+    unsigned char ch = *s++;
+    if (std::iscntrl(ch)) {
+        switch (ch) {
+        case '\t':
+        case '\n':
+        case '\r':
+          break;
+        default:
+          return true;
+        }
+      }
+  }
+  return false;
+}
+
+bool IsUTF8TrailByte(unsigned char t) { return 0x80 <= t && t<= 0xbf; }
+
+bool IsValidUTF8(const char* str, size_t length) {
+  const unsigned char *s = reinterpret_cast<const unsigned char *>(str);
+
+  for (size_t i = 0; i < length;) {
+    unsigned char lead = s[i++];
+
+    if (lead <= 0x7f) {
+      continue;  // single-byte character (ASCII) 0..7F
+    }
+    if (lead < 0xc2) {
+      return false;  // trail byte or non-shortest form
+    } else if (lead <= 0xdf && (i + 1) <= length && IsUTF8TrailByte(s[i])) {
+      ++i;  // 2-byte character
+    } else if (0xe0 <= lead && lead <= 0xef && (i + 2) <= length &&
+               IsUTF8TrailByte(s[i]) &&
+               IsUTF8TrailByte(s[i + 1]) &&
+               // check for non-shortest form and surrogate
+               (lead != 0xe0 || s[i] >= 0xa0) &&
+               (lead != 0xed || s[i] < 0xa0)) {
+      i += 2;  // 3-byte character
+    } else if (0xf0 <= lead && lead <= 0xf4 && (i + 3) <= length &&
+               IsUTF8TrailByte(s[i]) &&
+               IsUTF8TrailByte(s[i + 1]) &&
+               IsUTF8TrailByte(s[i + 2]) &&
+               // check for non-shortest form
+               (lead != 0xf0 || s[i] >= 0x90) &&
+               (lead != 0xf4 || s[i] < 0x90)) {
+      i += 3;  // 4-byte character
+    } else {
+      return false;
+    }
+  }
+  return true;
+}
+
+void ConditionalPrintAsText(const char* str, size_t length, ostream* os) {
+  if (!ContainsUnprintableControlCodes(str, length) &&
+      IsValidUTF8(str, length)) {
+    *os << "\n    As Text: \"" << str << "\"";
+  }
+}
+
+}  // anonymous namespace
+
 // Prints a ::string object.
 #if GTEST_HAS_GLOBAL_STRING
 void PrintStringTo(const ::string& s, ostream* os) {
-  PrintCharsAsStringTo(s.data(), s.size(), os);
+  if (PrintCharsAsStringTo(s.data(), s.size(), os) == kHexEscape) {
+    if (GTEST_FLAG(print_utf8)) {
+      ConditionalPrintAsText(s.data(), s.size(), os);
+    }
+  }
 }
 #endif  // GTEST_HAS_GLOBAL_STRING
 
 void PrintStringTo(const ::std::string& s, ostream* os) {
-  PrintCharsAsStringTo(s.data(), s.size(), os);
+  if (PrintCharsAsStringTo(s.data(), s.size(), os) == kHexEscape) {
+    if (GTEST_FLAG(print_utf8)) {
+      ConditionalPrintAsText(s.data(), s.size(), os);
+    }
+  }
 }
 
 // Prints a ::wstring object.
diff --git a/security/nss/gtests/google_test/gtest/src/gtest-test-part.cc b/security/nss/gtests/google_test/gtest/src/gtest-test-part.cc
index fb0e35425..c88860d92 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest-test-part.cc
+++ b/security/nss/gtests/google_test/gtest/src/gtest-test-part.cc
@@ -26,21 +26,12 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: mheule@google.com (Markus Heule)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 
 #include "gtest/gtest-test-part.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick exists to
-// prevent the accidental inclusion of gtest-internal-inl.h in the
-// user's code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 namespace testing {
 
diff --git a/security/nss/gtests/google_test/gtest/src/gtest-typed-test.cc b/security/nss/gtests/google_test/gtest/src/gtest-typed-test.cc
index f0079f407..1dc2ad38b 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest-typed-test.cc
+++ b/security/nss/gtests/google_test/gtest/src/gtest-typed-test.cc
@@ -26,10 +26,10 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 #include "gtest/gtest-typed-test.h"
+
 #include "gtest/gtest.h"
 
 namespace testing {
@@ -45,33 +45,41 @@ static const char* SkipSpaces(const char* str) {
   return str;
 }
 
+static std::vector<std::string> SplitIntoTestNames(const char* src) {
+  std::vector<std::string> name_vec;
+  src = SkipSpaces(src);
+  for (; src != NULL; src = SkipComma(src)) {
+    name_vec.push_back(StripTrailingSpaces(GetPrefixUntilComma(src)));
+  }
+  return name_vec;
+}
+
 // Verifies that registered_tests match the test names in
-// defined_test_names_; returns registered_tests if successful, or
+// registered_tests_; returns registered_tests if successful, or
 // aborts the program otherwise.
 const char* TypedTestCasePState::VerifyRegisteredTestNames(
     const char* file, int line, const char* registered_tests) {
-  typedef ::std::set<const char*>::const_iterator DefinedTestIter;
+  typedef RegisteredTestsMap::const_iterator RegisteredTestIter;
   registered_ = true;
 
-  // Skip initial whitespace in registered_tests since some
-  // preprocessors prefix stringizied literals with whitespace.
-  registered_tests = SkipSpaces(registered_tests);
+  std::vector<std::string> name_vec = SplitIntoTestNames(registered_tests);
 
   Message errors;
-  ::std::set<std::string> tests;
-  for (const char* names = registered_tests; names != NULL;
-       names = SkipComma(names)) {
-    const std::string name = GetPrefixUntilComma(names);
+
+  std::set<std::string> tests;
+  for (std::vector<std::string>::const_iterator name_it = name_vec.begin();
+       name_it != name_vec.end(); ++name_it) {
+    const std::string& name = *name_it;
     if (tests.count(name) != 0) {
       errors << "Test " << name << " is listed more than once.\n";
       continue;
     }
 
     bool found = false;
-    for (DefinedTestIter it = defined_test_names_.begin();
-         it != defined_test_names_.end();
+    for (RegisteredTestIter it = registered_tests_.begin();
+         it != registered_tests_.end();
          ++it) {
-      if (name == *it) {
+      if (name == it->first) {
         found = true;
         break;
       }
@@ -85,11 +93,11 @@ const char* TypedTestCasePState::VerifyRegisteredTestNames(
     }
   }
 
-  for (DefinedTestIter it = defined_test_names_.begin();
-       it != defined_test_names_.end();
+  for (RegisteredTestIter it = registered_tests_.begin();
+       it != registered_tests_.end();
        ++it) {
-    if (tests.count(*it) == 0) {
-      errors << "You forgot to list test " << *it << ".\n";
+    if (tests.count(it->first) == 0) {
+      errors << "You forgot to list test " << it->first << ".\n";
     }
   }
 
diff --git a/security/nss/gtests/google_test/gtest/src/gtest.cc b/security/nss/gtests/google_test/gtest/src/gtest.cc
index e4f3df3ea..96b07c68a 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest.cc
+++ b/security/nss/gtests/google_test/gtest/src/gtest.cc
@@ -26,12 +26,12 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: wan@google.com (Zhanyong Wan)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 
 #include "gtest/gtest.h"
+#include "gtest/internal/custom/gtest.h"
 #include "gtest/gtest-spi.h"
 
 #include <ctype.h>
@@ -54,7 +54,7 @@
 
 #if GTEST_OS_LINUX
 
-// TODO(kenton@google.com): Use autoconf to detect availability of
+// FIXME: Use autoconf to detect availability of
 // gettimeofday().
 # define GTEST_HAS_GETTIMEOFDAY_ 1
 
@@ -93,9 +93,9 @@
 
 # if GTEST_OS_WINDOWS_MINGW
 // MinGW has gettimeofday() but not _ftime64().
-// TODO(kenton@google.com): Use autoconf to detect availability of
+// FIXME: Use autoconf to detect availability of
 //   gettimeofday().
-// TODO(kenton@google.com): There are other ways to get the time on
+// FIXME: There are other ways to get the time on
 //   Windows, like GetTickCount() or GetSystemTimeAsFileTime().  MinGW
 //   supports these.  consider using them instead.
 #  define GTEST_HAS_GETTIMEOFDAY_ 1
@@ -110,7 +110,7 @@
 #else
 
 // Assume other platforms have gettimeofday().
-// TODO(kenton@google.com): Use autoconf to detect availability of
+// FIXME: Use autoconf to detect availability of
 //   gettimeofday().
 # define GTEST_HAS_GETTIMEOFDAY_ 1
 
@@ -128,21 +128,29 @@
 #if GTEST_CAN_STREAM_RESULTS_
 # include <arpa/inet.h>  // NOLINT
 # include <netdb.h>  // NOLINT
+# include <sys/socket.h>  // NOLINT
+# include <sys/types.h>  // NOLINT
 #endif
 
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick is to
-// prevent a user from accidentally including gtest-internal-inl.h in
-// his code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 #if GTEST_OS_WINDOWS
 # define vsnprintf _vsnprintf
 #endif  // GTEST_OS_WINDOWS
 
+#if GTEST_OS_MAC
+#ifndef GTEST_OS_IOS
+#include <crt_externs.h>
+#endif
+#endif
+
+#if GTEST_HAS_ABSL
+#include "absl/debugging/failure_signal_handler.h"
+#include "absl/debugging/stacktrace.h"
+#include "absl/debugging/symbolize.h"
+#include "absl/strings/str_cat.h"
+#endif  // GTEST_HAS_ABSL
+
 namespace testing {
 
 using internal::CountIf;
@@ -164,8 +172,10 @@ static const char kDeathTestCaseFilter[] = "*DeathTest:*DeathTest/*";
 // A test filter that matches everything.
 static const char kUniversalFilter[] = "*";
 
-// The default output file for XML output.
-static const char kDefaultOutputFile[] = "test_detail.xml";
+// The default output format.
+static const char kDefaultOutputFormat[] = "xml";
+// The default output file.
+static const char kDefaultOutputFile[] = "test_detail";
 
 // The environment variable name for the test shard index.
 static const char kTestShardIndex[] = "GTEST_SHARD_INDEX";
@@ -184,9 +194,31 @@ const char kStackTraceMarker[] = "\nStack trace:\n";
 // specified on the command line.
 bool g_help_flag = false;
 
+// Utilty function to Open File for Writing
+static FILE* OpenFileForWriting(const std::string& output_file) {
+  FILE* fileout = NULL;
+  FilePath output_file_path(output_file);
+  FilePath output_dir(output_file_path.RemoveFileName());
+
+  if (output_dir.CreateDirectoriesRecursively()) {
+    fileout = posix::FOpen(output_file.c_str(), "w");
+  }
+  if (fileout == NULL) {
+    GTEST_LOG_(FATAL) << "Unable to open file \"" << output_file << "\"";
+  }
+  return fileout;
+}
+
 }  // namespace internal
 
+// Bazel passes in the argument to '--test_filter' via the TESTBRIDGE_TEST_ONLY
+// environment variable.
 static const char* GetDefaultFilter() {
+  const char* const testbridge_test_only =
+      internal::posix::GetEnv("TESTBRIDGE_TEST_ONLY");
+  if (testbridge_test_only != NULL) {
+    return testbridge_test_only;
+  }
   return kUniversalFilter;
 }
 
@@ -223,15 +255,28 @@ GTEST_DEFINE_string_(
     "exclude).  A test is run if it matches one of the positive "
     "patterns and does not match any of the negative patterns.");
 
+GTEST_DEFINE_bool_(
+    install_failure_signal_handler,
+    internal::BoolFromGTestEnv("install_failure_signal_handler", false),
+    "If true and supported on the current platform, " GTEST_NAME_ " should "
+    "install a signal handler that dumps debugging information when fatal "
+    "signals are raised.");
+
 GTEST_DEFINE_bool_(list_tests, false,
                    "List all tests without running them.");
 
+// The net priority order after flag processing is thus:
+//   --gtest_output command line flag
+//   GTEST_OUTPUT environment variable
+//   XML_OUTPUT_FILE environment variable
+//   ''
 GTEST_DEFINE_string_(
     output,
-    internal::StringFromGTestEnv("output", ""),
-    "A format (currently must be \"xml\"), optionally followed "
-    "by a colon and an output file name or directory. A directory "
-    "is indicated by a trailing pathname separator. "
+    internal::StringFromGTestEnv("output",
+      internal::OutputFlagAlsoCheckEnvVar().c_str()),
+    "A format (defaults to \"xml\" but can be specified to be \"json\"), "
+    "optionally followed by a colon and an output file name or directory. "
+    "A directory is indicated by a trailing pathname separator. "
     "Examples: \"xml:filename.xml\", \"xml::directoryname/\". "
     "If a directory is specified, output files will be created "
     "within that directory, with file-names based on the test "
@@ -244,6 +289,12 @@ GTEST_DEFINE_bool_(
     "True iff " GTEST_NAME_
     " should display elapsed time in text output.");
 
+GTEST_DEFINE_bool_(
+    print_utf8,
+    internal::BoolFromGTestEnv("print_utf8", true),
+    "True iff " GTEST_NAME_
+    " prints UTF8 characters as text.");
+
 GTEST_DEFINE_int32_(
     random_seed,
     internal::Int32FromGTestEnv("random_seed", 0),
@@ -285,7 +336,14 @@ GTEST_DEFINE_bool_(
     internal::BoolFromGTestEnv("throw_on_failure", false),
     "When this flag is specified, a failed assertion will throw an exception "
     "if exceptions are enabled or exit the program with a non-zero code "
-    "otherwise.");
+    "otherwise. For use with an external test framework.");
+
+#if GTEST_USE_OWN_FLAGFILE_FLAG_
+GTEST_DEFINE_string_(
+    flagfile,
+    internal::StringFromGTestEnv("flagfile", ""),
+    "This flag specifies the flagfile to read command-line flags from.");
+#endif  // GTEST_USE_OWN_FLAGFILE_FLAG_
 
 namespace internal {
 
@@ -294,7 +352,8 @@ namespace internal {
 // than kMaxRange.
 UInt32 Random::Generate(UInt32 range) {
   // These constants are the same as are used in glibc's rand(3).
-  state_ = (1103515245U*state_ + 12345U) % kMaxRange;
+  // Use wider types than necessary to prevent unsigned overflow diagnostics.
+  state_ = static_cast<UInt32>(1103515245ULL*state_ + 12345U) % kMaxRange;
 
   GTEST_CHECK_(range > 0)
       << "Cannot generate a number in the range [0, 0).";
@@ -311,13 +370,7 @@ UInt32 Random::Generate(UInt32 range) {
 // GTestIsInitialized() returns true iff the user has initialized
 // Google Test.  Useful for catching the user mistake of not initializing
 // Google Test before calling RUN_ALL_TESTS().
-//
-// A user must call testing::InitGoogleTest() to initialize Google
-// Test.  g_init_gtest_count is set to the number of times
-// InitGoogleTest() has been called.  We don't protect this variable
-// under a mutex as it is only accessed in the main thread.
-GTEST_API_ int g_init_gtest_count = 0;
-static bool GTestIsInitialized() { return g_init_gtest_count != 0; }
+static bool GTestIsInitialized() { return GetArgvs().size() > 0; }
 
 // Iterates over a vector of TestCases, keeping a running sum of the
 // results of calling a given int-returning method on each.
@@ -373,8 +426,19 @@ void AssertHelper::operator=(const Message& message) const {
 // Mutex for linked pointers.
 GTEST_API_ GTEST_DEFINE_STATIC_MUTEX_(g_linked_ptr_mutex);
 
-// Application pathname gotten in InitGoogleTest.
-std::string g_executable_path;
+// A copy of all command line arguments.  Set by InitGoogleTest().
+static ::std::vector<std::string> g_argvs;
+
+::std::vector<std::string> GetArgvs() {
+#if defined(GTEST_CUSTOM_GET_ARGVS_)
+  // GTEST_CUSTOM_GET_ARGVS_() may return a container of std::string or
+  // ::string. This code converts it to the appropriate type.
+  const auto& custom = GTEST_CUSTOM_GET_ARGVS_();
+  return ::std::vector<std::string>(custom.begin(), custom.end());
+#else   // defined(GTEST_CUSTOM_GET_ARGVS_)
+  return g_argvs;
+#endif  // defined(GTEST_CUSTOM_GET_ARGVS_)
+}
 
 // Returns the current application's name, removing directory path if that
 // is present.
@@ -382,9 +446,9 @@ FilePath GetCurrentExecutableName() {
   FilePath result;
 
 #if GTEST_OS_WINDOWS
-  result.Set(FilePath(g_executable_path).RemoveExtension("exe"));
+  result.Set(FilePath(GetArgvs()[0]).RemoveExtension("exe"));
 #else
-  result.Set(FilePath(g_executable_path));
+  result.Set(FilePath(GetArgvs()[0]));
 #endif  // GTEST_OS_WINDOWS
 
   return result.RemoveDirectoryName();
@@ -395,8 +459,6 @@ FilePath GetCurrentExecutableName() {
 // Returns the output format, or "" for normal printed output.
 std::string UnitTestOptions::GetOutputFormat() {
   const char* const gtest_output_flag = GTEST_FLAG(output).c_str();
-  if (gtest_output_flag == NULL) return std::string("");
-
   const char* const colon = strchr(gtest_output_flag, ':');
   return (colon == NULL) ?
       std::string(gtest_output_flag) :
@@ -407,19 +469,22 @@ std::string UnitTestOptions::GetOutputFormat() {
 // was explicitly specified.
 std::string UnitTestOptions::GetAbsolutePathToOutputFile() {
   const char* const gtest_output_flag = GTEST_FLAG(output).c_str();
-  if (gtest_output_flag == NULL)
-    return "";
+
+  std::string format = GetOutputFormat();
+  if (format.empty())
+    format = std::string(kDefaultOutputFormat);
 
   const char* const colon = strchr(gtest_output_flag, ':');
   if (colon == NULL)
-    return internal::FilePath::ConcatPaths(
+    return internal::FilePath::MakeFileName(
         internal::FilePath(
             UnitTest::GetInstance()->original_working_dir()),
-        internal::FilePath(kDefaultOutputFile)).string();
+        internal::FilePath(kDefaultOutputFile), 0,
+        format.c_str()).string();
 
   internal::FilePath output_name(colon + 1);
   if (!output_name.IsAbsolutePath())
-    // TODO(wan@google.com): on Windows \some\path is not an absolute
+    // FIXME: on Windows \some\path is not an absolute
     // path (as its meaning depends on the current drive), yet the
     // following logic for turning it into an absolute path is wrong.
     // Fix it.
@@ -610,12 +675,12 @@ extern const TypeId kTestTypeIdInGoogleTest = GetTestTypeId();
 // This predicate-formatter checks that 'results' contains a test part
 // failure of the given type and that the failure message contains the
 // given substring.
-AssertionResult HasOneFailure(const char* /* results_expr */,
-                              const char* /* type_expr */,
-                              const char* /* substr_expr */,
-                              const TestPartResultArray& results,
-                              TestPartResult::Type type,
-                              const string& substr) {
+static AssertionResult HasOneFailure(const char* /* results_expr */,
+                                     const char* /* type_expr */,
+                                     const char* /* substr_expr */,
+                                     const TestPartResultArray& results,
+                                     TestPartResult::Type type,
+                                     const std::string& substr) {
   const std::string expected(type == TestPartResult::kFatalFailure ?
                         "1 fatal failure" :
                         "1 non-fatal failure");
@@ -649,13 +714,10 @@ AssertionResult HasOneFailure(const char* /* results_expr */,
 // The constructor of SingleFailureChecker remembers where to look up
 // test part results, what type of failure we expect, and what
 // substring the failure message should contain.
-SingleFailureChecker:: SingleFailureChecker(
-    const TestPartResultArray* results,
-    TestPartResult::Type type,
-    const string& substr)
-    : results_(results),
-      type_(type),
-      substr_(substr) {}
+SingleFailureChecker::SingleFailureChecker(const TestPartResultArray* results,
+                                           TestPartResult::Type type,
+                                           const std::string& substr)
+    : results_(results), type_(type), substr_(substr) {}
 
 // The destructor of SingleFailureChecker verifies that the given
 // TestPartResultArray contains exactly one failure that has the given
@@ -776,8 +838,12 @@ int UnitTestImpl::test_to_run_count() const {
 // CurrentOsStackTraceExceptTop(1), Foo() will be included in the
 // trace but Bar() and CurrentOsStackTraceExceptTop() won't.
 std::string UnitTestImpl::CurrentOsStackTraceExceptTop(int skip_count) {
-  (void)skip_count;
-  return "";
+  return os_stack_trace_getter()->CurrentStackTrace(
+      static_cast<int>(GTEST_FLAG(stack_trace_depth)),
+      skip_count + 1
+      // Skips the user-specified number of frames plus this function
+      // itself.
+      );  // NOLINT
 }
 
 // Returns the current time in milliseconds.
@@ -792,7 +858,7 @@ TimeInMillis GetTimeInMillis() {
   SYSTEMTIME now_systime;
   FILETIME now_filetime;
   ULARGE_INTEGER now_int64;
-  // TODO(kenton@google.com): Shouldn't this just use
+  // FIXME: Shouldn't this just use
   //   GetSystemTimeAsFileTime()?
   GetSystemTime(&now_systime);
   if (SystemTimeToFileTime(&now_systime, &now_filetime)) {
@@ -808,11 +874,11 @@ TimeInMillis GetTimeInMillis() {
 
   // MSVC 8 deprecates _ftime64(), so we want to suppress warning 4996
   // (deprecated function) there.
-  // TODO(kenton@google.com): Use GetTickCount()?  Or use
+  // FIXME: Use GetTickCount()?  Or use
   //   SystemTimeToFileTime()
-  GTEST_DISABLE_MSC_WARNINGS_PUSH_(4996)
+  GTEST_DISABLE_MSC_DEPRECATED_PUSH_()
   _ftime64(&now);
-  GTEST_DISABLE_MSC_WARNINGS_POP_()
+  GTEST_DISABLE_MSC_DEPRECATED_POP_()
 
   return static_cast<TimeInMillis>(now.time) * 1000 + now.millitm;
 #elif GTEST_HAS_GETTIMEOFDAY_
@@ -897,6 +963,23 @@ static void StreamWideCharsToMessage(const wchar_t* wstr, size_t length,
 
 #endif  // GTEST_HAS_STD_WSTRING || GTEST_HAS_GLOBAL_WSTRING
 
+void SplitString(const ::std::string& str, char delimiter,
+                 ::std::vector< ::std::string>* dest) {
+  ::std::vector< ::std::string> parsed;
+  ::std::string::size_type pos = 0;
+  while (::testing::internal::AlwaysTrue()) {
+    const ::std::string::size_type colon = str.find(delimiter, pos);
+    if (colon == ::std::string::npos) {
+      parsed.push_back(str.substr(pos));
+      break;
+    } else {
+      parsed.push_back(str.substr(pos, colon - pos));
+      pos = colon + 1;
+    }
+  }
+  dest->swap(parsed);
+}
+
 }  // namespace internal
 
 // Constructs an empty Message.
@@ -1132,7 +1215,7 @@ class Hunk {
   // Print a unified diff header for one hunk.
   // The format is
   //   "@@ -<left_start>,<left_length> +<right_start>,<right_length> @@"
-  // where the left/right parts are ommitted if unnecessary.
+  // where the left/right parts are omitted if unnecessary.
   void PrintHeader(std::ostream* ss) const {
     *ss << "@@ ";
     if (removes_) {
@@ -1262,41 +1345,42 @@ std::vector<std::string> SplitEscapedString(const std::string& str) {
 // and their values, as strings.  For example, for ASSERT_EQ(foo, bar)
 // where foo is 5 and bar is 6, we have:
 //
-//   expected_expression: "foo"
-//   actual_expression:   "bar"
-//   expected_value:      "5"
-//   actual_value:        "6"
+//   lhs_expression: "foo"
+//   rhs_expression: "bar"
+//   lhs_value:      "5"
+//   rhs_value:      "6"
 //
 // The ignoring_case parameter is true iff the assertion is a
-// *_STRCASEEQ*.  When it's true, the string " (ignoring case)" will
+// *_STRCASEEQ*.  When it's true, the string "Ignoring case" will
 // be inserted into the message.
-AssertionResult EqFailure(const char* expected_expression,
-                          const char* actual_expression,
-                          const std::string& expected_value,
-                          const std::string& actual_value,
+AssertionResult EqFailure(const char* lhs_expression,
+                          const char* rhs_expression,
+                          const std::string& lhs_value,
+                          const std::string& rhs_value,
                           bool ignoring_case) {
   Message msg;
-  msg << "Value of: " << actual_expression;
-  if (actual_value != actual_expression) {
-    msg << "\n  Actual: " << actual_value;
+  msg << "Expected equality of these values:";
+  msg << "\n  " << lhs_expression;
+  if (lhs_value != lhs_expression) {
+    msg << "\n    Which is: " << lhs_value;
+  }
+  msg << "\n  " << rhs_expression;
+  if (rhs_value != rhs_expression) {
+    msg << "\n    Which is: " << rhs_value;
   }
 
-  msg << "\nExpected: " << expected_expression;
   if (ignoring_case) {
-    msg << " (ignoring case)";
-  }
-  if (expected_value != expected_expression) {
-    msg << "\nWhich is: " << expected_value;
+    msg << "\nIgnoring case";
   }
 
-  if (!expected_value.empty() && !actual_value.empty()) {
-    const std::vector<std::string> expected_lines =
-        SplitEscapedString(expected_value);
-    const std::vector<std::string> actual_lines =
-        SplitEscapedString(actual_value);
-    if (expected_lines.size() > 1 || actual_lines.size() > 1) {
+  if (!lhs_value.empty() && !rhs_value.empty()) {
+    const std::vector<std::string> lhs_lines =
+        SplitEscapedString(lhs_value);
+    const std::vector<std::string> rhs_lines =
+        SplitEscapedString(rhs_value);
+    if (lhs_lines.size() > 1 || rhs_lines.size() > 1) {
       msg << "\nWith diff:\n"
-          << edit_distance::CreateUnifiedDiff(expected_lines, actual_lines);
+          << edit_distance::CreateUnifiedDiff(lhs_lines, rhs_lines);
     }
   }
 
@@ -1329,7 +1413,7 @@ AssertionResult DoubleNearPredFormat(const char* expr1,
   const double diff = fabs(val1 - val2);
   if (diff <= abs_error) return AssertionSuccess();
 
-  // TODO(wan): do not print the value of an expression if it's
+  // FIXME: do not print the value of an expression if it's
   // already a literal.
   return AssertionFailure()
       << "The difference between " << expr1 << " and " << expr2
@@ -1395,18 +1479,18 @@ namespace internal {
 
 // The helper function for {ASSERT|EXPECT}_EQ with int or enum
 // arguments.
-AssertionResult CmpHelperEQ(const char* expected_expression,
-                            const char* actual_expression,
-                            BiggestInt expected,
-                            BiggestInt actual) {
-  if (expected == actual) {
+AssertionResult CmpHelperEQ(const char* lhs_expression,
+                            const char* rhs_expression,
+                            BiggestInt lhs,
+                            BiggestInt rhs) {
+  if (lhs == rhs) {
     return AssertionSuccess();
   }
 
-  return EqFailure(expected_expression,
-                   actual_expression,
-                   FormatForComparisonFailureMessage(expected, actual),
-                   FormatForComparisonFailureMessage(actual, expected),
+  return EqFailure(lhs_expression,
+                   rhs_expression,
+                   FormatForComparisonFailureMessage(lhs, rhs),
+                   FormatForComparisonFailureMessage(rhs, lhs),
                    false);
 }
 
@@ -1445,34 +1529,34 @@ GTEST_IMPL_CMP_HELPER_(GT, > )
 #undef GTEST_IMPL_CMP_HELPER_
 
 // The helper function for {ASSERT|EXPECT}_STREQ.
-AssertionResult CmpHelperSTREQ(const char* expected_expression,
-                               const char* actual_expression,
-                               const char* expected,
-                               const char* actual) {
-  if (String::CStringEquals(expected, actual)) {
+AssertionResult CmpHelperSTREQ(const char* lhs_expression,
+                               const char* rhs_expression,
+                               const char* lhs,
+                               const char* rhs) {
+  if (String::CStringEquals(lhs, rhs)) {
     return AssertionSuccess();
   }
 
-  return EqFailure(expected_expression,
-                   actual_expression,
-                   PrintToString(expected),
-                   PrintToString(actual),
+  return EqFailure(lhs_expression,
+                   rhs_expression,
+                   PrintToString(lhs),
+                   PrintToString(rhs),
                    false);
 }
 
 // The helper function for {ASSERT|EXPECT}_STRCASEEQ.
-AssertionResult CmpHelperSTRCASEEQ(const char* expected_expression,
-                                   const char* actual_expression,
-                                   const char* expected,
-                                   const char* actual) {
-  if (String::CaseInsensitiveCStringEquals(expected, actual)) {
+AssertionResult CmpHelperSTRCASEEQ(const char* lhs_expression,
+                                   const char* rhs_expression,
+                                   const char* lhs,
+                                   const char* rhs) {
+  if (String::CaseInsensitiveCStringEquals(lhs, rhs)) {
     return AssertionSuccess();
   }
 
-  return EqFailure(expected_expression,
-                   actual_expression,
-                   PrintToString(expected),
-                   PrintToString(actual),
+  return EqFailure(lhs_expression,
+                   rhs_expression,
+                   PrintToString(lhs),
+                   PrintToString(rhs),
                    true);
 }
 
@@ -1624,7 +1708,7 @@ namespace {
 AssertionResult HRESULTFailureHelper(const char* expr,
                                      const char* expected,
                                      long hr) {  // NOLINT
-# if GTEST_OS_WINDOWS_MOBILE
+# if GTEST_OS_WINDOWS_MOBILE || GTEST_OS_WINDOWS_TV_TITLE
 
   // Windows CE doesn't support FormatMessage.
   const char error_text[] = "";
@@ -1681,7 +1765,7 @@ AssertionResult IsHRESULTFailure(const char* expr, long hr) {  // NOLINT
 // Utility functions for encoding Unicode text (wide strings) in
 // UTF-8.
 
-// A Unicode code-point can have upto 21 bits, and is encoded in UTF-8
+// A Unicode code-point can have up to 21 bits, and is encoded in UTF-8
 // like this:
 //
 // Code-point length   Encoding
@@ -1745,7 +1829,7 @@ std::string CodePointToUtf8(UInt32 code_point) {
   return str;
 }
 
-// The following two functions only make sense if the the system
+// The following two functions only make sense if the system
 // uses UTF-16 for wide string encoding. All supported systems
 // with 16 bit wchar_t (Windows, Cygwin, Symbian OS) do use UTF-16.
 
@@ -1827,18 +1911,18 @@ bool String::WideCStringEquals(const wchar_t * lhs, const wchar_t * rhs) {
 }
 
 // Helper function for *_STREQ on wide strings.
-AssertionResult CmpHelperSTREQ(const char* expected_expression,
-                               const char* actual_expression,
-                               const wchar_t* expected,
-                               const wchar_t* actual) {
-  if (String::WideCStringEquals(expected, actual)) {
+AssertionResult CmpHelperSTREQ(const char* lhs_expression,
+                               const char* rhs_expression,
+                               const wchar_t* lhs,
+                               const wchar_t* rhs) {
+  if (String::WideCStringEquals(lhs, rhs)) {
     return AssertionSuccess();
   }
 
-  return EqFailure(expected_expression,
-                   actual_expression,
-                   PrintToString(expected),
-                   PrintToString(actual),
+  return EqFailure(lhs_expression,
+                   rhs_expression,
+                   PrintToString(lhs),
+                   PrintToString(rhs),
                    false);
 }
 
@@ -2057,13 +2141,8 @@ static const char* const kReservedTestSuiteAttributes[] = {
 
 // The list of reserved attributes used in the <testcase> element of XML output.
 static const char* const kReservedTestCaseAttributes[] = {
-  "classname",
-  "name",
-  "status",
-  "time",
-  "type_param",
-  "value_param"
-};
+    "classname",  "name",        "status", "time",
+    "type_param", "value_param", "file",   "line"};
 
 template <int kSize>
 std::vector<std::string> ArrayAsVector(const char* const (&array)[kSize]) {
@@ -2099,8 +2178,9 @@ static std::string FormatWordList(const std::vector<std::string>& words) {
   return word_list.GetString();
 }
 
-bool ValidateTestPropertyName(const std::string& property_name,
-                              const std::vector<std::string>& reserved_names) {
+static bool ValidateTestPropertyName(
+    const std::string& property_name,
+    const std::vector<std::string>& reserved_names) {
   if (std::find(reserved_names.begin(), reserved_names.end(), property_name) !=
           reserved_names.end()) {
     ADD_FAILURE() << "Reserved key used in RecordProperty(): " << property_name
@@ -2171,14 +2251,15 @@ int TestResult::test_property_count() const {
 
 // Creates a Test object.
 
-// The c'tor saves the values of all Google Test flags.
+// The c'tor saves the states of all flags.
 Test::Test()
-    : gtest_flag_saver_(new internal::GTestFlagSaver) {
+    : gtest_flag_saver_(new GTEST_FLAG_SAVER_) {
 }
 
-// The d'tor restores the values of all Google Test flags.
+// The d'tor restores the states of all flags.  The actual work is
+// done by the d'tor of the gtest_flag_saver_ field, and thus not
+// visible here.
 Test::~Test() {
-  delete gtest_flag_saver_;
 }
 
 // Sets up the test fixture.
@@ -2396,6 +2477,8 @@ Result HandleExceptionsInMethodIfSupported(
 #if GTEST_HAS_EXCEPTIONS
     try {
       return HandleSehExceptionsInMethodIfSupported(object, method, location);
+    } catch (const AssertionException&) {  // NOLINT
+      // This failure was reported already.
     } catch (const internal::GoogleTestFailureException&) {  // NOLINT
       // This exception type can only be thrown by a failed Google
       // Test assertion with the intention of letting another testing
@@ -2462,12 +2545,14 @@ TestInfo::TestInfo(const std::string& a_test_case_name,
                    const std::string& a_name,
                    const char* a_type_param,
                    const char* a_value_param,
+                   internal::CodeLocation a_code_location,
                    internal::TypeId fixture_class_id,
                    internal::TestFactoryBase* factory)
     : test_case_name_(a_test_case_name),
       name_(a_name),
       type_param_(a_type_param ? new std::string(a_type_param) : NULL),
       value_param_(a_value_param ? new std::string(a_value_param) : NULL),
+      location_(a_code_location),
       fixture_class_id_(fixture_class_id),
       should_run_(false),
       is_disabled_(false),
@@ -2491,6 +2576,7 @@ namespace internal {
 //                     this is not a typed or a type-parameterized test.
 //   value_param:      text representation of the test's value parameter,
 //                     or NULL if this is not a value-parameterized test.
+//   code_location:    code location where the test is defined
 //   fixture_class_id: ID of the test fixture class
 //   set_up_tc:        pointer to the function that sets up the test case
 //   tear_down_tc:     pointer to the function that tears down the test case
@@ -2502,20 +2588,20 @@ TestInfo* MakeAndRegisterTestInfo(
     const char* name,
     const char* type_param,
     const char* value_param,
+    CodeLocation code_location,
     TypeId fixture_class_id,
     SetUpTestCaseFunc set_up_tc,
     TearDownTestCaseFunc tear_down_tc,
     TestFactoryBase* factory) {
   TestInfo* const test_info =
       new TestInfo(test_case_name, name, type_param, value_param,
-                   fixture_class_id, factory);
+                   code_location, fixture_class_id, factory);
   GetUnitTestImpl()->AddTestInfo(set_up_tc, tear_down_tc, test_info);
   return test_info;
 }
 
-#if GTEST_HAS_PARAM_TEST
 void ReportInvalidTestCaseType(const char* test_case_name,
-                               const char* file, int line) {
+                               CodeLocation code_location) {
   Message errors;
   errors
       << "Attempted redefinition of test case " << test_case_name << ".\n"
@@ -2527,11 +2613,10 @@ void ReportInvalidTestCaseType(const char* test_case_name,
       << "probably rename one of the classes to put the tests into different\n"
       << "test cases.";
 
-  fprintf(stderr, "%s %s", FormatFileLocation(file, line).c_str(),
-          errors.GetString().c_str());
+  GTEST_LOG_(ERROR) << FormatFileLocation(code_location.file.c_str(),
+                                          code_location.line)
+                    << " " << errors.GetString();
 }
-#endif  // GTEST_HAS_PARAM_TEST
-
 }  // namespace internal
 
 namespace {
@@ -2569,12 +2654,10 @@ namespace internal {
 // and INSTANTIATE_TEST_CASE_P into regular tests and registers those.
 // This will be done just once during the program runtime.
 void UnitTestImpl::RegisterParameterizedTests() {
-#if GTEST_HAS_PARAM_TEST
   if (!parameterized_tests_registered_) {
     parameterized_test_registry_.RegisterTests();
     parameterized_tests_registered_ = true;
   }
-#endif
 }
 
 }  // namespace internal
@@ -2602,18 +2685,18 @@ void TestInfo::Run() {
       factory_, &internal::TestFactoryBase::CreateTest,
       "the test fixture's constructor");
 
-  // Runs the test only if the test object was created and its
-  // constructor didn't generate a fatal failure.
-  if ((test != NULL) && !Test::HasFatalFailure()) {
+  // Runs the test if the constructor didn't generate a fatal failure.
+  // Note that the object will not be null
+  if (!Test::HasFatalFailure()) {
     // This doesn't throw as all user code that can throw are wrapped into
     // exception handling code.
     test->Run();
   }
 
-  // Deletes the test object.
-  impl->os_stack_trace_getter()->UponLeavingGTest();
-  internal::HandleExceptionsInMethodIfSupported(
-      test, &Test::DeleteSelf_, "the test fixture's destructor");
+    // Deletes the test object.
+    impl->os_stack_trace_getter()->UponLeavingGTest();
+    internal::HandleExceptionsInMethodIfSupported(
+        test, &Test::DeleteSelf_, "the test fixture's destructor");
 
   result_.set_elapsed_time(internal::GetTimeInMillis() - start);
 
@@ -2839,10 +2922,10 @@ enum GTestColor {
 };
 
 #if GTEST_OS_WINDOWS && !GTEST_OS_WINDOWS_MOBILE && \
-    !GTEST_OS_WINDOWS_PHONE && !GTEST_OS_WINDOWS_RT
+    !GTEST_OS_WINDOWS_PHONE && !GTEST_OS_WINDOWS_RT && !GTEST_OS_WINDOWS_MINGW
 
 // Returns the character attribute for the given color.
-WORD GetColorAttribute(GTestColor color) {
+static WORD GetColorAttribute(GTestColor color) {
   switch (color) {
     case COLOR_RED:    return FOREGROUND_RED;
     case COLOR_GREEN:  return FOREGROUND_GREEN;
@@ -2851,11 +2934,42 @@ WORD GetColorAttribute(GTestColor color) {
   }
 }
 
+static int GetBitOffset(WORD color_mask) {
+  if (color_mask == 0) return 0;
+
+  int bitOffset = 0;
+  while ((color_mask & 1) == 0) {
+    color_mask >>= 1;
+    ++bitOffset;
+  }
+  return bitOffset;
+}
+
+static WORD GetNewColor(GTestColor color, WORD old_color_attrs) {
+  // Let's reuse the BG
+  static const WORD background_mask = BACKGROUND_BLUE | BACKGROUND_GREEN |
+                                      BACKGROUND_RED | BACKGROUND_INTENSITY;
+  static const WORD foreground_mask = FOREGROUND_BLUE | FOREGROUND_GREEN |
+                                      FOREGROUND_RED | FOREGROUND_INTENSITY;
+  const WORD existing_bg = old_color_attrs & background_mask;
+
+  WORD new_color =
+      GetColorAttribute(color) | existing_bg | FOREGROUND_INTENSITY;
+  static const int bg_bitOffset = GetBitOffset(background_mask);
+  static const int fg_bitOffset = GetBitOffset(foreground_mask);
+
+  if (((new_color & background_mask) >> bg_bitOffset) ==
+      ((new_color & foreground_mask) >> fg_bitOffset)) {
+    new_color ^= FOREGROUND_INTENSITY;  // invert intensity
+  }
+  return new_color;
+}
+
 #else
 
 // Returns the ANSI color code for the given color.  COLOR_DEFAULT is
 // an invalid input.
-const char* GetAnsiColorCode(GTestColor color) {
+static const char* GetAnsiColorCode(GTestColor color) {
   switch (color) {
     case COLOR_RED:     return "1";
     case COLOR_GREEN:   return "2";
@@ -2871,7 +2985,7 @@ bool ShouldUseColor(bool stdout_is_tty) {
   const char* const gtest_color = GTEST_FLAG(color).c_str();
 
   if (String::CaseInsensitiveCStringEquals(gtest_color, "auto")) {
-#if GTEST_OS_WINDOWS
+#if GTEST_OS_WINDOWS && !GTEST_OS_WINDOWS_MINGW
     // On Windows the TERM variable is usually not set, but the
     // console there does support colors.
     return stdout_is_tty;
@@ -2884,6 +2998,10 @@ bool ShouldUseColor(bool stdout_is_tty) {
         String::CStringEquals(term, "xterm-256color") ||
         String::CStringEquals(term, "screen") ||
         String::CStringEquals(term, "screen-256color") ||
+        String::CStringEquals(term, "tmux") ||
+        String::CStringEquals(term, "tmux-256color") ||
+        String::CStringEquals(term, "rxvt-unicode") ||
+        String::CStringEquals(term, "rxvt-unicode-256color") ||
         String::CStringEquals(term, "linux") ||
         String::CStringEquals(term, "cygwin");
     return stdout_is_tty && term_supports_color;
@@ -2903,13 +3021,13 @@ bool ShouldUseColor(bool stdout_is_tty) {
 // cannot simply emit special characters and have the terminal change colors.
 // This routine must actually emit the characters rather than return a string
 // that would be colored when printed, as can be done on Linux.
-void ColoredPrintf(GTestColor color, const char* fmt, ...) {
+static void ColoredPrintf(GTestColor color, const char* fmt, ...) {
   va_list args;
   va_start(args, fmt);
 
 #if GTEST_OS_WINDOWS_MOBILE || GTEST_OS_SYMBIAN || GTEST_OS_ZOS || \
     GTEST_OS_IOS || GTEST_OS_WINDOWS_PHONE || GTEST_OS_WINDOWS_RT
-  const bool use_color = false;
+  const bool use_color = AlwaysFalse();
 #else
   static const bool in_color_mode =
       ShouldUseColor(posix::IsATTY(posix::FileNo(stdout)) != 0);
@@ -2924,20 +3042,21 @@ void ColoredPrintf(GTestColor color, const char* fmt, ...) {
   }
 
 #if GTEST_OS_WINDOWS && !GTEST_OS_WINDOWS_MOBILE && \
-    !GTEST_OS_WINDOWS_PHONE && !GTEST_OS_WINDOWS_RT
+    !GTEST_OS_WINDOWS_PHONE && !GTEST_OS_WINDOWS_RT && !GTEST_OS_WINDOWS_MINGW
   const HANDLE stdout_handle = GetStdHandle(STD_OUTPUT_HANDLE);
 
   // Gets the current text color.
   CONSOLE_SCREEN_BUFFER_INFO buffer_info;
   GetConsoleScreenBufferInfo(stdout_handle, &buffer_info);
   const WORD old_color_attrs = buffer_info.wAttributes;
+  const WORD new_color = GetNewColor(color, old_color_attrs);
 
   // We need to flush the stream buffers into the console before each
   // SetConsoleTextAttribute call lest it affect the text that is already
   // printed but has not yet reached the console.
   fflush(stdout);
-  SetConsoleTextAttribute(stdout_handle,
-                          GetColorAttribute(color) | FOREGROUND_INTENSITY);
+  SetConsoleTextAttribute(stdout_handle, new_color);
+
   vprintf(fmt, args);
 
   fflush(stdout);
@@ -2951,12 +3070,12 @@ void ColoredPrintf(GTestColor color, const char* fmt, ...) {
   va_end(args);
 }
 
-// Text printed in Google Test's text output and --gunit_list_tests
+// Text printed in Google Test's text output and --gtest_list_tests
 // output to label the type parameter and value parameter for a test.
 static const char kTypeParamLabel[] = "TypeParam";
 static const char kValueParamLabel[] = "GetParam()";
 
-void PrintFullTestCommentIfPresent(const TestInfo& test_info) {
+static void PrintFullTestCommentIfPresent(const TestInfo& test_info) {
   const char* const type_param = test_info.type_param();
   const char* const value_param = test_info.value_param();
 
@@ -3227,7 +3346,7 @@ void TestEventRepeater::Append(TestEventListener *listener) {
   listeners_.push_back(listener);
 }
 
-// TODO(vladl@google.com): Factor the search functionality into Vector::Find.
+// FIXME: Factor the search functionality into Vector::Find.
 TestEventListener* TestEventRepeater::Release(TestEventListener *listener) {
   for (size_t i = 0; i < listeners_.size(); ++i) {
     if (listeners_[i] == listener) {
@@ -3301,6 +3420,11 @@ class XmlUnitTestResultPrinter : public EmptyTestEventListener {
   explicit XmlUnitTestResultPrinter(const char* output_file);
 
   virtual void OnTestIterationEnd(const UnitTest& unit_test, int iteration);
+  void ListTestsMatchingFilter(const std::vector<TestCase*>& test_cases);
+
+  // Prints an XML summary of all unit tests.
+  static void PrintXmlTestsList(std::ostream* stream,
+                                const std::vector<TestCase*>& test_cases);
 
  private:
   // Is c a whitespace character that is normalized to a space character
@@ -3362,6 +3486,11 @@ class XmlUnitTestResultPrinter : public EmptyTestEventListener {
   // to delimit this attribute from prior attributes.
   static std::string TestPropertiesAsXmlAttributes(const TestResult& result);
 
+  // Streams an XML representation of the test properties of a TestResult
+  // object.
+  static void OutputXmlTestProperties(std::ostream* stream,
+                                      const TestResult& result);
+
   // The output file.
   const std::string output_file_;
 
@@ -3371,46 +3500,30 @@ class XmlUnitTestResultPrinter : public EmptyTestEventListener {
 // Creates a new XmlUnitTestResultPrinter.
 XmlUnitTestResultPrinter::XmlUnitTestResultPrinter(const char* output_file)
     : output_file_(output_file) {
-  if (output_file_.c_str() == NULL || output_file_.empty()) {
-    fprintf(stderr, "XML output file may not be null\n");
-    fflush(stderr);
-    exit(EXIT_FAILURE);
+  if (output_file_.empty()) {
+    GTEST_LOG_(FATAL) << "XML output file may not be null";
   }
 }
 
 // Called after the unit test ends.
 void XmlUnitTestResultPrinter::OnTestIterationEnd(const UnitTest& unit_test,
                                                   int /*iteration*/) {
-  FILE* xmlout = NULL;
-  FilePath output_file(output_file_);
-  FilePath output_dir(output_file.RemoveFileName());
-
-  if (output_dir.CreateDirectoriesRecursively()) {
-    xmlout = posix::FOpen(output_file_.c_str(), "w");
-  }
-  if (xmlout == NULL) {
-    // TODO(wan): report the reason of the failure.
-    //
-    // We don't do it for now as:
-    //
-    //   1. There is no urgent need for it.
-    //   2. It's a bit involved to make the errno variable thread-safe on
-    //      all three operating systems (Linux, Windows, and Mac OS).
-    //   3. To interpret the meaning of errno in a thread-safe way,
-    //      we need the strerror_r() function, which is not available on
-    //      Windows.
-    fprintf(stderr,
-            "Unable to open file \"%s\"\n",
-            output_file_.c_str());
-    fflush(stderr);
-    exit(EXIT_FAILURE);
-  }
+  FILE* xmlout = OpenFileForWriting(output_file_);
   std::stringstream stream;
   PrintXmlUnitTest(&stream, unit_test);
   fprintf(xmlout, "%s", StringStreamToString(&stream).c_str());
   fclose(xmlout);
 }
 
+void XmlUnitTestResultPrinter::ListTestsMatchingFilter(
+    const std::vector<TestCase*>& test_cases) {
+  FILE* xmlout = OpenFileForWriting(output_file_);
+  std::stringstream stream;
+  PrintXmlTestsList(&stream, test_cases);
+  fprintf(xmlout, "%s", StringStreamToString(&stream).c_str());
+  fclose(xmlout);
+}
+
 // Returns an XML-escaped copy of the input string str.  If is_attribute
 // is true, the text is meant to appear as an attribute value, and
 // normalizable whitespace is preserved by replacing it with character
@@ -3421,7 +3534,7 @@ void XmlUnitTestResultPrinter::OnTestIterationEnd(const UnitTest& unit_test,
 // module will consist of ordinary English text.
 // If this module is ever modified to produce version 1.1 XML output,
 // most invalid characters can be retained using character references.
-// TODO(wan): It might be nice to have a minimally invasive, human-readable
+// FIXME: It might be nice to have a minimally invasive, human-readable
 // escaping scheme for invalid characters, rather than dropping them.
 std::string XmlUnitTestResultPrinter::EscapeXml(
     const std::string& str, bool is_attribute) {
@@ -3482,6 +3595,7 @@ std::string XmlUnitTestResultPrinter::RemoveInvalidXmlCharacters(
 
 // The following routines generate an XML representation of a UnitTest
 // object.
+// GOOGLETEST_CM0009 DO NOT DELETE
 //
 // This is how Google Test concepts map to the DTD:
 //
@@ -3499,23 +3613,32 @@ std::string XmlUnitTestResultPrinter::RemoveInvalidXmlCharacters(
 // Formats the given time in milliseconds as seconds.
 std::string FormatTimeInMillisAsSeconds(TimeInMillis ms) {
   ::std::stringstream ss;
-  ss << ms/1000.0;
+  ss << (static_cast<double>(ms) * 1e-3);
   return ss.str();
 }
 
+static bool PortableLocaltime(time_t seconds, struct tm* out) {
+#if defined(_MSC_VER)
+  return localtime_s(out, &seconds) == 0;
+#elif defined(__MINGW32__) || defined(__MINGW64__)
+  // MINGW <time.h> provides neither localtime_r nor localtime_s, but uses
+  // Windows' localtime(), which has a thread-local tm buffer.
+  struct tm* tm_ptr = localtime(&seconds);  // NOLINT
+  if (tm_ptr == NULL)
+    return false;
+  *out = *tm_ptr;
+  return true;
+#else
+  return localtime_r(&seconds, out) != NULL;
+#endif
+}
+
 // Converts the given epoch time in milliseconds to a date string in the ISO
 // 8601 format, without the timezone information.
 std::string FormatEpochTimeInMillisAsIso8601(TimeInMillis ms) {
-  time_t seconds = static_cast<time_t>(ms / 1000);
   struct tm time_struct;
-#ifdef _MSC_VER
-  if (localtime_s(&time_struct, &seconds) != 0)
-    return "";  // Invalid ms value
-#else
-  if (localtime_r(&seconds, &time_struct) == NULL)
-    return "";  // Invalid ms value
-#endif
-
+  if (!PortableLocaltime(static_cast<time_t>(ms / 1000), &time_struct))
+    return "";
   // YYYY-MM-DDThh:mm:ss
   return StreamableToString(time_struct.tm_year + 1900) + "-" +
       String::FormatIntWidth2(time_struct.tm_mon + 1) + "-" +
@@ -3562,13 +3685,17 @@ void XmlUnitTestResultPrinter::OutputXmlAttribute(
 }
 
 // Prints an XML representation of a TestInfo object.
-// TODO(wan): There is also value in printing properties with the plain printer.
+// FIXME: There is also value in printing properties with the plain printer.
 void XmlUnitTestResultPrinter::OutputXmlTestInfo(::std::ostream* stream,
                                                  const char* test_case_name,
                                                  const TestInfo& test_info) {
   const TestResult& result = *test_info.result();
   const std::string kTestcase = "testcase";
 
+  if (test_info.is_in_another_shard()) {
+    return;
+  }
+
   *stream << "    <testcase";
   OutputXmlAttribute(stream, kTestcase, "name", test_info.name());
 
@@ -3579,13 +3706,19 @@ void XmlUnitTestResultPrinter::OutputXmlTestInfo(::std::ostream* stream,
   if (test_info.type_param() != NULL) {
     OutputXmlAttribute(stream, kTestcase, "type_param", test_info.type_param());
   }
+  if (GTEST_FLAG(list_tests)) {
+    OutputXmlAttribute(stream, kTestcase, "file", test_info.file());
+    OutputXmlAttribute(stream, kTestcase, "line",
+                       StreamableToString(test_info.line()));
+    *stream << " />\n";
+    return;
+  }
 
   OutputXmlAttribute(stream, kTestcase, "status",
                      test_info.should_run() ? "run" : "notrun");
   OutputXmlAttribute(stream, kTestcase, "time",
                      FormatTimeInMillisAsSeconds(result.elapsed_time()));
   OutputXmlAttribute(stream, kTestcase, "classname", test_case_name);
-  *stream << TestPropertiesAsXmlAttributes(result);
 
   int failures = 0;
   for (int i = 0; i < result.total_part_count(); ++i) {
@@ -3594,22 +3727,28 @@ void XmlUnitTestResultPrinter::OutputXmlTestInfo(::std::ostream* stream,
       if (++failures == 1) {
         *stream << ">\n";
       }
-      const string location = internal::FormatCompilerIndependentFileLocation(
-          part.file_name(), part.line_number());
-      const string summary = location + "\n" + part.summary();
+      const std::string location =
+          internal::FormatCompilerIndependentFileLocation(part.file_name(),
+                                                          part.line_number());
+      const std::string summary = location + "\n" + part.summary();
       *stream << "      <failure message=\""
               << EscapeXmlAttribute(summary.c_str())
               << "\" type=\"\">";
-      const string detail = location + "\n" + part.message();
+      const std::string detail = location + "\n" + part.message();
       OutputXmlCDataSection(stream, RemoveInvalidXmlCharacters(detail).c_str());
       *stream << "</failure>\n";
     }
   }
 
-  if (failures == 0)
+  if (failures == 0 && result.test_property_count() == 0) {
     *stream << " />\n";
-  else
+  } else {
+    if (failures == 0) {
+      *stream << ">\n";
+    }
+    OutputXmlTestProperties(stream, result);
     *stream << "    </testcase>\n";
+  }
 }
 
 // Prints an XML representation of a TestCase object
@@ -3620,17 +3759,18 @@ void XmlUnitTestResultPrinter::PrintXmlTestCase(std::ostream* stream,
   OutputXmlAttribute(stream, kTestsuite, "name", test_case.name());
   OutputXmlAttribute(stream, kTestsuite, "tests",
                      StreamableToString(test_case.reportable_test_count()));
-  OutputXmlAttribute(stream, kTestsuite, "failures",
-                     StreamableToString(test_case.failed_test_count()));
-  OutputXmlAttribute(
-      stream, kTestsuite, "disabled",
-      StreamableToString(test_case.reportable_disabled_test_count()));
-  OutputXmlAttribute(stream, kTestsuite, "errors", "0");
-  OutputXmlAttribute(stream, kTestsuite, "time",
-                     FormatTimeInMillisAsSeconds(test_case.elapsed_time()));
-  *stream << TestPropertiesAsXmlAttributes(test_case.ad_hoc_test_result())
-          << ">\n";
-
+  if (!GTEST_FLAG(list_tests)) {
+    OutputXmlAttribute(stream, kTestsuite, "failures",
+                       StreamableToString(test_case.failed_test_count()));
+    OutputXmlAttribute(
+        stream, kTestsuite, "disabled",
+        StreamableToString(test_case.reportable_disabled_test_count()));
+    OutputXmlAttribute(stream, kTestsuite, "errors", "0");
+    OutputXmlAttribute(stream, kTestsuite, "time",
+                       FormatTimeInMillisAsSeconds(test_case.elapsed_time()));
+    *stream << TestPropertiesAsXmlAttributes(test_case.ad_hoc_test_result());
+  }
+  *stream << ">\n";
   for (int i = 0; i < test_case.total_test_count(); ++i) {
     if (test_case.GetTestInfo(i)->is_reportable())
       OutputXmlTestInfo(stream, test_case.name(), *test_case.GetTestInfo(i));
@@ -3664,7 +3804,6 @@ void XmlUnitTestResultPrinter::PrintXmlUnitTest(std::ostream* stream,
     OutputXmlAttribute(stream, kTestsuites, "random_seed",
                        StreamableToString(unit_test.random_seed()));
   }
-
   *stream << TestPropertiesAsXmlAttributes(unit_test.ad_hoc_test_result());
 
   OutputXmlAttribute(stream, kTestsuites, "name", "AllTests");
@@ -3677,6 +3816,28 @@ void XmlUnitTestResultPrinter::PrintXmlUnitTest(std::ostream* stream,
   *stream << "</" << kTestsuites << ">\n";
 }
 
+void XmlUnitTestResultPrinter::PrintXmlTestsList(
+    std::ostream* stream, const std::vector<TestCase*>& test_cases) {
+  const std::string kTestsuites = "testsuites";
+
+  *stream << "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
+  *stream << "<" << kTestsuites;
+
+  int total_tests = 0;
+  for (size_t i = 0; i < test_cases.size(); ++i) {
+    total_tests += test_cases[i]->total_test_count();
+  }
+  OutputXmlAttribute(stream, kTestsuites, "tests",
+                     StreamableToString(total_tests));
+  OutputXmlAttribute(stream, kTestsuites, "name", "AllTests");
+  *stream << ">\n";
+
+  for (size_t i = 0; i < test_cases.size(); ++i) {
+    PrintXmlTestCase(stream, *test_cases[i]);
+  }
+  *stream << "</" << kTestsuites << ">\n";
+}
+
 // Produces a string representing the test properties in a result as space
 // delimited XML attributes based on the property key="value" pairs.
 std::string XmlUnitTestResultPrinter::TestPropertiesAsXmlAttributes(
@@ -3690,8 +3851,390 @@ std::string XmlUnitTestResultPrinter::TestPropertiesAsXmlAttributes(
   return attributes.GetString();
 }
 
+void XmlUnitTestResultPrinter::OutputXmlTestProperties(
+    std::ostream* stream, const TestResult& result) {
+  const std::string kProperties = "properties";
+  const std::string kProperty = "property";
+
+  if (result.test_property_count() <= 0) {
+    return;
+  }
+
+  *stream << "<" << kProperties << ">\n";
+  for (int i = 0; i < result.test_property_count(); ++i) {
+    const TestProperty& property = result.GetTestProperty(i);
+    *stream << "<" << kProperty;
+    *stream << " name=\"" << EscapeXmlAttribute(property.key()) << "\"";
+    *stream << " value=\"" << EscapeXmlAttribute(property.value()) << "\"";
+    *stream << "/>\n";
+  }
+  *stream << "</" << kProperties << ">\n";
+}
+
 // End XmlUnitTestResultPrinter
 
+// This class generates an JSON output file.
+class JsonUnitTestResultPrinter : public EmptyTestEventListener {
+ public:
+  explicit JsonUnitTestResultPrinter(const char* output_file);
+
+  virtual void OnTestIterationEnd(const UnitTest& unit_test, int iteration);
+
+  // Prints an JSON summary of all unit tests.
+  static void PrintJsonTestList(::std::ostream* stream,
+                                const std::vector<TestCase*>& test_cases);
+
+ private:
+  // Returns an JSON-escaped copy of the input string str.
+  static std::string EscapeJson(const std::string& str);
+
+  //// Verifies that the given attribute belongs to the given element and
+  //// streams the attribute as JSON.
+  static void OutputJsonKey(std::ostream* stream,
+                            const std::string& element_name,
+                            const std::string& name,
+                            const std::string& value,
+                            const std::string& indent,
+                            bool comma = true);
+  static void OutputJsonKey(std::ostream* stream,
+                            const std::string& element_name,
+                            const std::string& name,
+                            int value,
+                            const std::string& indent,
+                            bool comma = true);
+
+  // Streams a JSON representation of a TestInfo object.
+  static void OutputJsonTestInfo(::std::ostream* stream,
+                                 const char* test_case_name,
+                                 const TestInfo& test_info);
+
+  // Prints a JSON representation of a TestCase object
+  static void PrintJsonTestCase(::std::ostream* stream,
+                                const TestCase& test_case);
+
+  // Prints a JSON summary of unit_test to output stream out.
+  static void PrintJsonUnitTest(::std::ostream* stream,
+                                const UnitTest& unit_test);
+
+  // Produces a string representing the test properties in a result as
+  // a JSON dictionary.
+  static std::string TestPropertiesAsJson(const TestResult& result,
+                                          const std::string& indent);
+
+  // The output file.
+  const std::string output_file_;
+
+  GTEST_DISALLOW_COPY_AND_ASSIGN_(JsonUnitTestResultPrinter);
+};
+
+// Creates a new JsonUnitTestResultPrinter.
+JsonUnitTestResultPrinter::JsonUnitTestResultPrinter(const char* output_file)
+    : output_file_(output_file) {
+  if (output_file_.empty()) {
+    GTEST_LOG_(FATAL) << "JSON output file may not be null";
+  }
+}
+
+void JsonUnitTestResultPrinter::OnTestIterationEnd(const UnitTest& unit_test,
+                                                  int /*iteration*/) {
+  FILE* jsonout = OpenFileForWriting(output_file_);
+  std::stringstream stream;
+  PrintJsonUnitTest(&stream, unit_test);
+  fprintf(jsonout, "%s", StringStreamToString(&stream).c_str());
+  fclose(jsonout);
+}
+
+// Returns an JSON-escaped copy of the input string str.
+std::string JsonUnitTestResultPrinter::EscapeJson(const std::string& str) {
+  Message m;
+
+  for (size_t i = 0; i < str.size(); ++i) {
+    const char ch = str[i];
+    switch (ch) {
+      case '\\':
+      case '"':
+      case '/':
+        m << '\\' << ch;
+        break;
+      case '\b':
+        m << "\\b";
+        break;
+      case '\t':
+        m << "\\t";
+        break;
+      case '\n':
+        m << "\\n";
+        break;
+      case '\f':
+        m << "\\f";
+        break;
+      case '\r':
+        m << "\\r";
+        break;
+      default:
+        if (ch < ' ') {
+          m << "\\u00" << String::FormatByte(static_cast<unsigned char>(ch));
+        } else {
+          m << ch;
+        }
+        break;
+    }
+  }
+
+  return m.GetString();
+}
+
+// The following routines generate an JSON representation of a UnitTest
+// object.
+
+// Formats the given time in milliseconds as seconds.
+static std::string FormatTimeInMillisAsDuration(TimeInMillis ms) {
+  ::std::stringstream ss;
+  ss << (static_cast<double>(ms) * 1e-3) << "s";
+  return ss.str();
+}
+
+// Converts the given epoch time in milliseconds to a date string in the
+// RFC3339 format, without the timezone information.
+static std::string FormatEpochTimeInMillisAsRFC3339(TimeInMillis ms) {
+  struct tm time_struct;
+  if (!PortableLocaltime(static_cast<time_t>(ms / 1000), &time_struct))
+    return "";
+  // YYYY-MM-DDThh:mm:ss
+  return StreamableToString(time_struct.tm_year + 1900) + "-" +
+      String::FormatIntWidth2(time_struct.tm_mon + 1) + "-" +
+      String::FormatIntWidth2(time_struct.tm_mday) + "T" +
+      String::FormatIntWidth2(time_struct.tm_hour) + ":" +
+      String::FormatIntWidth2(time_struct.tm_min) + ":" +
+      String::FormatIntWidth2(time_struct.tm_sec) + "Z";
+}
+
+static inline std::string Indent(int width) {
+  return std::string(width, ' ');
+}
+
+void JsonUnitTestResultPrinter::OutputJsonKey(
+    std::ostream* stream,
+    const std::string& element_name,
+    const std::string& name,
+    const std::string& value,
+    const std::string& indent,
+    bool comma) {
+  const std::vector<std::string>& allowed_names =
+      GetReservedAttributesForElement(element_name);
+
+  GTEST_CHECK_(std::find(allowed_names.begin(), allowed_names.end(), name) !=
+                   allowed_names.end())
+      << "Key \"" << name << "\" is not allowed for value \"" << element_name
+      << "\".";
+
+  *stream << indent << "\"" << name << "\": \"" << EscapeJson(value) << "\"";
+  if (comma)
+    *stream << ",\n";
+}
+
+void JsonUnitTestResultPrinter::OutputJsonKey(
+    std::ostream* stream,
+    const std::string& element_name,
+    const std::string& name,
+    int value,
+    const std::string& indent,
+    bool comma) {
+  const std::vector<std::string>& allowed_names =
+      GetReservedAttributesForElement(element_name);
+
+  GTEST_CHECK_(std::find(allowed_names.begin(), allowed_names.end(), name) !=
+                   allowed_names.end())
+      << "Key \"" << name << "\" is not allowed for value \"" << element_name
+      << "\".";
+
+  *stream << indent << "\"" << name << "\": " << StreamableToString(value);
+  if (comma)
+    *stream << ",\n";
+}
+
+// Prints a JSON representation of a TestInfo object.
+void JsonUnitTestResultPrinter::OutputJsonTestInfo(::std::ostream* stream,
+                                                   const char* test_case_name,
+                                                   const TestInfo& test_info) {
+  const TestResult& result = *test_info.result();
+  const std::string kTestcase = "testcase";
+  const std::string kIndent = Indent(10);
+
+  *stream << Indent(8) << "{\n";
+  OutputJsonKey(stream, kTestcase, "name", test_info.name(), kIndent);
+
+  if (test_info.value_param() != NULL) {
+    OutputJsonKey(stream, kTestcase, "value_param",
+                  test_info.value_param(), kIndent);
+  }
+  if (test_info.type_param() != NULL) {
+    OutputJsonKey(stream, kTestcase, "type_param", test_info.type_param(),
+                  kIndent);
+  }
+  if (GTEST_FLAG(list_tests)) {
+    OutputJsonKey(stream, kTestcase, "file", test_info.file(), kIndent);
+    OutputJsonKey(stream, kTestcase, "line", test_info.line(), kIndent, false);
+    *stream << "\n" << Indent(8) << "}";
+    return;
+  }
+
+  OutputJsonKey(stream, kTestcase, "status",
+                test_info.should_run() ? "RUN" : "NOTRUN", kIndent);
+  OutputJsonKey(stream, kTestcase, "time",
+                FormatTimeInMillisAsDuration(result.elapsed_time()), kIndent);
+  OutputJsonKey(stream, kTestcase, "classname", test_case_name, kIndent, false);
+  *stream << TestPropertiesAsJson(result, kIndent);
+
+  int failures = 0;
+  for (int i = 0; i < result.total_part_count(); ++i) {
+    const TestPartResult& part = result.GetTestPartResult(i);
+    if (part.failed()) {
+      *stream << ",\n";
+      if (++failures == 1) {
+        *stream << kIndent << "\"" << "failures" << "\": [\n";
+      }
+      const std::string location =
+          internal::FormatCompilerIndependentFileLocation(part.file_name(),
+                                                          part.line_number());
+      const std::string message = EscapeJson(location + "\n" + part.message());
+      *stream << kIndent << "  {\n"
+              << kIndent << "    \"failure\": \"" << message << "\",\n"
+              << kIndent << "    \"type\": \"\"\n"
+              << kIndent << "  }";
+    }
+  }
+
+  if (failures > 0)
+    *stream << "\n" << kIndent << "]";
+  *stream << "\n" << Indent(8) << "}";
+}
+
+// Prints an JSON representation of a TestCase object
+void JsonUnitTestResultPrinter::PrintJsonTestCase(std::ostream* stream,
+                                                  const TestCase& test_case) {
+  const std::string kTestsuite = "testsuite";
+  const std::string kIndent = Indent(6);
+
+  *stream << Indent(4) << "{\n";
+  OutputJsonKey(stream, kTestsuite, "name", test_case.name(), kIndent);
+  OutputJsonKey(stream, kTestsuite, "tests", test_case.reportable_test_count(),
+                kIndent);
+  if (!GTEST_FLAG(list_tests)) {
+    OutputJsonKey(stream, kTestsuite, "failures", test_case.failed_test_count(),
+                  kIndent);
+    OutputJsonKey(stream, kTestsuite, "disabled",
+                  test_case.reportable_disabled_test_count(), kIndent);
+    OutputJsonKey(stream, kTestsuite, "errors", 0, kIndent);
+    OutputJsonKey(stream, kTestsuite, "time",
+                  FormatTimeInMillisAsDuration(test_case.elapsed_time()),
+                  kIndent, false);
+    *stream << TestPropertiesAsJson(test_case.ad_hoc_test_result(), kIndent)
+            << ",\n";
+  }
+
+  *stream << kIndent << "\"" << kTestsuite << "\": [\n";
+
+  bool comma = false;
+  for (int i = 0; i < test_case.total_test_count(); ++i) {
+    if (test_case.GetTestInfo(i)->is_reportable()) {
+      if (comma) {
+        *stream << ",\n";
+      } else {
+        comma = true;
+      }
+      OutputJsonTestInfo(stream, test_case.name(), *test_case.GetTestInfo(i));
+    }
+  }
+  *stream << "\n" << kIndent << "]\n" << Indent(4) << "}";
+}
+
+// Prints a JSON summary of unit_test to output stream out.
+void JsonUnitTestResultPrinter::PrintJsonUnitTest(std::ostream* stream,
+                                                  const UnitTest& unit_test) {
+  const std::string kTestsuites = "testsuites";
+  const std::string kIndent = Indent(2);
+  *stream << "{\n";
+
+  OutputJsonKey(stream, kTestsuites, "tests", unit_test.reportable_test_count(),
+                kIndent);
+  OutputJsonKey(stream, kTestsuites, "failures", unit_test.failed_test_count(),
+                kIndent);
+  OutputJsonKey(stream, kTestsuites, "disabled",
+                unit_test.reportable_disabled_test_count(), kIndent);
+  OutputJsonKey(stream, kTestsuites, "errors", 0, kIndent);
+  if (GTEST_FLAG(shuffle)) {
+    OutputJsonKey(stream, kTestsuites, "random_seed", unit_test.random_seed(),
+                  kIndent);
+  }
+  OutputJsonKey(stream, kTestsuites, "timestamp",
+                FormatEpochTimeInMillisAsRFC3339(unit_test.start_timestamp()),
+                kIndent);
+  OutputJsonKey(stream, kTestsuites, "time",
+                FormatTimeInMillisAsDuration(unit_test.elapsed_time()), kIndent,
+                false);
+
+  *stream << TestPropertiesAsJson(unit_test.ad_hoc_test_result(), kIndent)
+          << ",\n";
+
+  OutputJsonKey(stream, kTestsuites, "name", "AllTests", kIndent);
+  *stream << kIndent << "\"" << kTestsuites << "\": [\n";
+
+  bool comma = false;
+  for (int i = 0; i < unit_test.total_test_case_count(); ++i) {
+    if (unit_test.GetTestCase(i)->reportable_test_count() > 0) {
+      if (comma) {
+        *stream << ",\n";
+      } else {
+        comma = true;
+      }
+      PrintJsonTestCase(stream, *unit_test.GetTestCase(i));
+    }
+  }
+
+  *stream << "\n" << kIndent << "]\n" << "}\n";
+}
+
+void JsonUnitTestResultPrinter::PrintJsonTestList(
+    std::ostream* stream, const std::vector<TestCase*>& test_cases) {
+  const std::string kTestsuites = "testsuites";
+  const std::string kIndent = Indent(2);
+  *stream << "{\n";
+  int total_tests = 0;
+  for (size_t i = 0; i < test_cases.size(); ++i) {
+    total_tests += test_cases[i]->total_test_count();
+  }
+  OutputJsonKey(stream, kTestsuites, "tests", total_tests, kIndent);
+
+  OutputJsonKey(stream, kTestsuites, "name", "AllTests", kIndent);
+  *stream << kIndent << "\"" << kTestsuites << "\": [\n";
+
+  for (size_t i = 0; i < test_cases.size(); ++i) {
+    if (i != 0) {
+      *stream << ",\n";
+    }
+    PrintJsonTestCase(stream, *test_cases[i]);
+  }
+
+  *stream << "\n"
+          << kIndent << "]\n"
+          << "}\n";
+}
+// Produces a string representing the test properties in a result as
+// a JSON dictionary.
+std::string JsonUnitTestResultPrinter::TestPropertiesAsJson(
+    const TestResult& result, const std::string& indent) {
+  Message attributes;
+  for (int i = 0; i < result.test_property_count(); ++i) {
+    const TestProperty& property = result.GetTestProperty(i);
+    attributes << ",\n" << indent << "\"" << property.key() << "\": "
+               << "\"" << EscapeJson(property.value()) << "\"";
+  }
+  return attributes.GetString();
+}
+
+// End JsonUnitTestResultPrinter
+
 #if GTEST_CAN_STREAM_RESULTS_
 
 // Checks if str contains '=', '&', '%' or '\n' characters. If yes,
@@ -3699,8 +4242,8 @@ std::string XmlUnitTestResultPrinter::TestPropertiesAsXmlAttributes(
 // example, replaces "=" with "%3D".  This algorithm is O(strlen(str))
 // in both time and space -- important as the input str may contain an
 // arbitrarily long test failure message and stack trace.
-string StreamingListener::UrlEncode(const char* str) {
-  string result;
+std::string StreamingListener::UrlEncode(const char* str) {
+  std::string result;
   result.reserve(strlen(str) + 1);
   for (char ch = *str; ch != '\0'; ch = *++str) {
     switch (ch) {
@@ -3762,58 +4305,82 @@ void StreamingListener::SocketWriter::MakeConnection() {
 // End of class Streaming Listener
 #endif  // GTEST_CAN_STREAM_RESULTS__
 
-// Class ScopedTrace
+// class OsStackTraceGetter
 
-// Pushes the given source file location and message onto a per-thread
-// trace stack maintained by Google Test.
-ScopedTrace::ScopedTrace(const char* file, int line, const Message& message)
-    GTEST_LOCK_EXCLUDED_(&UnitTest::mutex_) {
-  TraceInfo trace;
-  trace.file = file;
-  trace.line = line;
-  trace.message = message.GetString();
+const char* const OsStackTraceGetterInterface::kElidedFramesMarker =
+    "... " GTEST_NAME_ " internal frames ...";
 
-  UnitTest::GetInstance()->PushGTestTrace(trace);
-}
+std::string OsStackTraceGetter::CurrentStackTrace(int max_depth, int skip_count)
+    GTEST_LOCK_EXCLUDED_(mutex_) {
+#if GTEST_HAS_ABSL
+  std::string result;
 
-// Pops the info pushed by the c'tor.
-ScopedTrace::~ScopedTrace()
-    GTEST_LOCK_EXCLUDED_(&UnitTest::mutex_) {
-  UnitTest::GetInstance()->PopGTestTrace();
-}
+  if (max_depth <= 0) {
+    return result;
+  }
 
+  max_depth = std::min(max_depth, kMaxStackTraceDepth);
 
-// class OsStackTraceGetter
+  std::vector<void*> raw_stack(max_depth);
+  // Skips the frames requested by the caller, plus this function.
+  const int raw_stack_size =
+      absl::GetStackTrace(&raw_stack[0], max_depth, skip_count + 1);
 
-// Returns the current OS stack trace as an std::string.  Parameters:
-//
-//   max_depth  - the maximum number of stack frames to be included
-//                in the trace.
-//   skip_count - the number of top frames to be skipped; doesn't count
-//                against max_depth.
-//
-string OsStackTraceGetter::CurrentStackTrace(int /* max_depth */,
-                                             int /* skip_count */)
-    GTEST_LOCK_EXCLUDED_(mutex_) {
+  void* caller_frame = nullptr;
+  {
+    MutexLock lock(&mutex_);
+    caller_frame = caller_frame_;
+  }
+
+  for (int i = 0; i < raw_stack_size; ++i) {
+    if (raw_stack[i] == caller_frame &&
+        !GTEST_FLAG(show_internal_stack_frames)) {
+      // Add a marker to the trace and stop adding frames.
+      absl::StrAppend(&result, kElidedFramesMarker, "\n");
+      break;
+    }
+
+    char tmp[1024];
+    const char* symbol = "(unknown)";
+    if (absl::Symbolize(raw_stack[i], tmp, sizeof(tmp))) {
+      symbol = tmp;
+    }
+
+    char line[1024];
+    snprintf(line, sizeof(line), "  %p: %s\n", raw_stack[i], symbol);
+    result += line;
+  }
+
+  return result;
+
+#else  // !GTEST_HAS_ABSL
+  static_cast<void>(max_depth);
+  static_cast<void>(skip_count);
   return "";
+#endif  // GTEST_HAS_ABSL
 }
 
-void OsStackTraceGetter::UponLeavingGTest()
-    GTEST_LOCK_EXCLUDED_(mutex_) {
-}
+void OsStackTraceGetter::UponLeavingGTest() GTEST_LOCK_EXCLUDED_(mutex_) {
+#if GTEST_HAS_ABSL
+  void* caller_frame = nullptr;
+  if (absl::GetStackTrace(&caller_frame, 1, 3) <= 0) {
+    caller_frame = nullptr;
+  }
 
-const char* const
-OsStackTraceGetter::kElidedFramesMarker =
-    "... " GTEST_NAME_ " internal frames ...";
+  MutexLock lock(&mutex_);
+  caller_frame_ = caller_frame;
+#endif  // GTEST_HAS_ABSL
+}
 
 // A helper class that creates the premature-exit file in its
 // constructor and deletes the file in its destructor.
 class ScopedPrematureExitFile {
  public:
   explicit ScopedPrematureExitFile(const char* premature_exit_filepath)
-      : premature_exit_filepath_(premature_exit_filepath) {
+      : premature_exit_filepath_(premature_exit_filepath ?
+                                 premature_exit_filepath : "") {
     // If a path to the premature-exit file is specified...
-    if (premature_exit_filepath != NULL && *premature_exit_filepath != '\0') {
+    if (!premature_exit_filepath_.empty()) {
       // create the file with a single "0" character in it.  I/O
       // errors are ignored as there's nothing better we can do and we
       // don't want to fail the test because of this.
@@ -3824,13 +4391,18 @@ class ScopedPrematureExitFile {
   }
 
   ~ScopedPrematureExitFile() {
-    if (premature_exit_filepath_ != NULL && *premature_exit_filepath_ != '\0') {
-      remove(premature_exit_filepath_);
+    if (!premature_exit_filepath_.empty()) {
+      int retval = remove(premature_exit_filepath_.c_str());
+      if (retval) {
+        GTEST_LOG_(ERROR) << "Failed to remove premature exit filepath \""
+                          << premature_exit_filepath_ << "\" with error "
+                          << retval;
+      }
     }
   }
 
  private:
-  const char* const premature_exit_filepath_;
+  const std::string premature_exit_filepath_;
 
   GTEST_DISALLOW_COPY_AND_ASSIGN_(ScopedPrematureExitFile);
 };
@@ -4100,6 +4672,11 @@ void UnitTest::AddTestPartResult(
       // when a failure happens and both the --gtest_break_on_failure and
       // the --gtest_catch_exceptions flags are specified.
       DebugBreak();
+#elif (!defined(__native_client__)) &&            \
+    ((defined(__clang__) || defined(__GNUC__)) && \
+     (defined(__x86_64__) || defined(__i386__)))
+      // with clang/gcc we can achieve the same effect on x86 by invoking int3
+      asm("int3");
 #else
       // Dereference NULL through a volatile pointer to prevent the compiler
       // from removing. We use this rather than abort() or __builtin_trap() for
@@ -4167,7 +4744,7 @@ int UnitTest::Run() {
   // used for the duration of the program.
   impl()->set_catch_exceptions(GTEST_FLAG(catch_exceptions));
 
-#if GTEST_HAS_SEH
+#if GTEST_OS_WINDOWS
   // Either the user wants Google Test to catch exceptions thrown by the
   // tests or this is executing in the context of death test child
   // process. In either case the user does not want to see pop-up dialogs
@@ -4196,7 +4773,7 @@ int UnitTest::Run() {
     // VC++ doesn't define _set_abort_behavior() prior to the version 8.0.
     // Users of prior VC versions shall suffer the agony and pain of
     // clicking through the countless debug dialogs.
-    // TODO(vladl@google.com): find a way to suppress the abort dialog() in the
+    // FIXME: find a way to suppress the abort dialog() in the
     // debug mode when compiled with VC 7.1 or lower.
     if (!GTEST_FLAG(break_on_failure))
       _set_abort_behavior(
@@ -4204,7 +4781,7 @@ int UnitTest::Run() {
           _WRITE_ABORT_MSG | _CALL_REPORTFAULT);  // pop-up window, core dump.
 # endif
   }
-#endif  // GTEST_HAS_SEH
+#endif  // GTEST_OS_WINDOWS
 
   return internal::HandleExceptionsInMethodIfSupported(
       impl(),
@@ -4237,7 +4814,6 @@ const TestInfo* UnitTest::current_test_info() const
 // Returns the random seed used at the start of the current test run.
 int UnitTest::random_seed() const { return impl_->random_seed(); }
 
-#if GTEST_HAS_PARAM_TEST
 // Returns ParameterizedTestCaseRegistry object used to keep track of
 // value-parameterized tests and instantiate and register them.
 internal::ParameterizedTestCaseRegistry&
@@ -4245,7 +4821,6 @@ internal::ParameterizedTestCaseRegistry&
         GTEST_LOCK_EXCLUDED_(mutex_) {
   return impl_->parameterized_test_registry();
 }
-#endif  // GTEST_HAS_PARAM_TEST
 
 // Creates an empty UnitTest.
 UnitTest::UnitTest() {
@@ -4284,10 +4859,8 @@ UnitTestImpl::UnitTestImpl(UnitTest* parent)
           &default_global_test_part_result_reporter_),
       per_thread_test_part_result_reporter_(
           &default_per_thread_test_part_result_reporter_),
-#if GTEST_HAS_PARAM_TEST
       parameterized_test_registry_(),
       parameterized_tests_registered_(false),
-#endif  // GTEST_HAS_PARAM_TEST
       last_death_test_case_(-1),
       current_test_case_(NULL),
       current_test_info_(NULL),
@@ -4354,10 +4927,12 @@ void UnitTestImpl::ConfigureXmlOutput() {
   if (output_format == "xml") {
     listeners()->SetDefaultXmlGenerator(new XmlUnitTestResultPrinter(
         UnitTestOptions::GetAbsolutePathToOutputFile().c_str()));
+  } else if (output_format == "json") {
+    listeners()->SetDefaultXmlGenerator(new JsonUnitTestResultPrinter(
+        UnitTestOptions::GetAbsolutePathToOutputFile().c_str()));
   } else if (output_format != "") {
-    printf("WARNING: unrecognized output format \"%s\" ignored.\n",
-           output_format.c_str());
-    fflush(stdout);
+    GTEST_LOG_(WARNING) << "WARNING: unrecognized output format \""
+                        << output_format << "\" ignored.";
   }
 }
 
@@ -4372,9 +4947,8 @@ void UnitTestImpl::ConfigureStreamingOutput() {
       listeners()->Append(new StreamingListener(target.substr(0, pos),
                                                 target.substr(pos+1)));
     } else {
-      printf("WARNING: unrecognized streaming target \"%s\" ignored.\n",
-             target.c_str());
-      fflush(stdout);
+      GTEST_LOG_(WARNING) << "unrecognized streaming target \"" << target
+                          << "\" ignored.";
     }
   }
 }
@@ -4390,6 +4964,11 @@ void UnitTestImpl::PostFlagParsingInit() {
   if (!post_flag_parse_init_performed_) {
     post_flag_parse_init_performed_ = true;
 
+#if defined(GTEST_CUSTOM_TEST_EVENT_LISTENER_)
+    // Register to send notifications about key process state changes.
+    listeners()->Append(new GTEST_CUSTOM_TEST_EVENT_LISTENER_());
+#endif  // defined(GTEST_CUSTOM_TEST_EVENT_LISTENER_)
+
 #if GTEST_HAS_DEATH_TEST
     InitDeathTestSubprocessControlInfo();
     SuppressTestEventsIfInSubprocess();
@@ -4408,6 +4987,13 @@ void UnitTestImpl::PostFlagParsingInit() {
     // Configures listeners for streaming test results to the specified server.
     ConfigureStreamingOutput();
 #endif  // GTEST_CAN_STREAM_RESULTS_
+
+#if GTEST_HAS_ABSL
+    if (GTEST_FLAG(install_failure_signal_handler)) {
+      absl::FailureSignalHandlerOptions options;
+      absl::InstallFailureSignalHandler(options);
+    }
+#endif  // GTEST_HAS_ABSL
   }
 }
 
@@ -4451,11 +5037,11 @@ TestCase* UnitTestImpl::GetTestCase(const char* test_case_name,
                                     Test::SetUpTestCaseFunc set_up_tc,
                                     Test::TearDownTestCaseFunc tear_down_tc) {
   // Can we find a TestCase with the given name?
-  const std::vector<TestCase*>::const_iterator test_case =
-      std::find_if(test_cases_.begin(), test_cases_.end(),
+  const std::vector<TestCase*>::const_reverse_iterator test_case =
+      std::find_if(test_cases_.rbegin(), test_cases_.rend(),
                    TestCaseNameIs(test_case_name));
 
-  if (test_case != test_cases_.end())
+  if (test_case != test_cases_.rend())
     return *test_case;
 
   // No.  Let's create one.
@@ -4496,13 +5082,8 @@ static void TearDownEnvironment(Environment* env) { env->TearDown(); }
 // All other functions called from RunAllTests() may safely assume that
 // parameterized tests are ready to be counted and run.
 bool UnitTestImpl::RunAllTests() {
-  // Makes sure InitGoogleTest() was called.
-  if (!GTestIsInitialized()) {
-    printf("%s",
-           "\nThis test program did NOT call ::testing::InitGoogleTest "
-           "before calling RUN_ALL_TESTS().  Please fix it.\n");
-    return false;
-  }
+  // True iff Google Test is initialized before RUN_ALL_TESTS() is called.
+  const bool gtest_is_initialized_before_run_all_tests = GTestIsInitialized();
 
   // Do not run any test if the --help flag was specified.
   if (g_help_flag)
@@ -4523,6 +5104,11 @@ bool UnitTestImpl::RunAllTests() {
 
 #if GTEST_HAS_DEATH_TEST
   in_subprocess_for_death_test = (internal_run_death_test_flag_.get() != NULL);
+# if defined(GTEST_EXTRA_DEATH_TEST_CHILD_SETUP_)
+  if (in_subprocess_for_death_test) {
+    GTEST_EXTRA_DEATH_TEST_CHILD_SETUP_();
+  }
+# endif  // defined(GTEST_EXTRA_DEATH_TEST_CHILD_SETUP_)
 #endif  // GTEST_HAS_DEATH_TEST
 
   const bool should_shard = ShouldShard(kTestTotalShards, kTestShardIndex,
@@ -4625,6 +5211,20 @@ bool UnitTestImpl::RunAllTests() {
 
   repeater->OnTestProgramEnd(*parent_);
 
+  if (!gtest_is_initialized_before_run_all_tests) {
+    ColoredPrintf(
+        COLOR_RED,
+        "\nIMPORTANT NOTICE - DO NOT IGNORE:\n"
+        "This test program did NOT call " GTEST_INIT_GOOGLE_TEST_NAME_
+        "() before calling RUN_ALL_TESTS(). This is INVALID. Soon " GTEST_NAME_
+        " will start to enforce the valid usage. "
+        "Please fix it ASAP, or IT WILL START TO FAIL.\n");  // NOLINT
+#if GTEST_FOR_GOOGLE_
+    ColoredPrintf(COLOR_RED,
+                  "For more details, see http://wiki/Main/ValidGUnitMain.\n");
+#endif  // GTEST_FOR_GOOGLE_
+  }
+
   return !failed;
 }
 
@@ -4726,8 +5326,8 @@ bool ShouldRunTestOnShard(int total_shards, int shard_index, int test_id) {
 // each TestCase and TestInfo object.
 // If shard_tests == true, further filters tests based on sharding
 // variables in the environment - see
-// http://code.google.com/p/googletest/wiki/GoogleTestAdvancedGuide.
-// Returns the number of tests that should run.
+// https://github.com/google/googletest/blob/master/googletest/docs/advanced.md
+// . Returns the number of tests that should run.
 int UnitTestImpl::FilterTests(ReactionToSharding shard_tests) {
   const Int32 total_shards = shard_tests == HONOR_SHARDING_PROTOCOL ?
       Int32FromEnvOrDie(kTestTotalShards, -1) : -1;
@@ -4766,10 +5366,11 @@ int UnitTestImpl::FilterTests(ReactionToSharding shard_tests) {
           (GTEST_FLAG(also_run_disabled_tests) || !is_disabled) &&
           matches_filter;
 
-      const bool is_selected = is_runnable &&
-          (shard_tests == IGNORE_SHARDING_PROTOCOL ||
-           ShouldRunTestOnShard(total_shards, shard_index,
-                                num_runnable_tests));
+      const bool is_in_another_shard =
+          shard_tests != IGNORE_SHARDING_PROTOCOL &&
+          !ShouldRunTestOnShard(total_shards, shard_index, num_runnable_tests);
+      test_info->is_in_another_shard_ = is_in_another_shard;
+      const bool is_selected = is_runnable && !is_in_another_shard;
 
       num_runnable_tests += is_runnable;
       num_selected_tests += is_selected;
@@ -4839,6 +5440,23 @@ void UnitTestImpl::ListTestsMatchingFilter() {
     }
   }
   fflush(stdout);
+  const std::string& output_format = UnitTestOptions::GetOutputFormat();
+  if (output_format == "xml" || output_format == "json") {
+    FILE* fileout = OpenFileForWriting(
+        UnitTestOptions::GetAbsolutePathToOutputFile().c_str());
+    std::stringstream stream;
+    if (output_format == "xml") {
+      XmlUnitTestResultPrinter(
+          UnitTestOptions::GetAbsolutePathToOutputFile().c_str())
+          .PrintXmlTestsList(&stream, test_cases_);
+    } else if (output_format == "json") {
+      JsonUnitTestResultPrinter(
+          UnitTestOptions::GetAbsolutePathToOutputFile().c_str())
+          .PrintJsonTestList(&stream, test_cases_);
+    }
+    fprintf(fileout, "%s", StringStreamToString(&stream).c_str());
+    fclose(fileout);
+  }
 }
 
 // Sets the OS stack trace getter.
@@ -4859,17 +5477,25 @@ void UnitTestImpl::set_os_stack_trace_getter(
 // getter, and returns it.
 OsStackTraceGetterInterface* UnitTestImpl::os_stack_trace_getter() {
   if (os_stack_trace_getter_ == NULL) {
+#ifdef GTEST_OS_STACK_TRACE_GETTER_
+    os_stack_trace_getter_ = new GTEST_OS_STACK_TRACE_GETTER_;
+#else
     os_stack_trace_getter_ = new OsStackTraceGetter;
+#endif  // GTEST_OS_STACK_TRACE_GETTER_
   }
 
   return os_stack_trace_getter_;
 }
 
-// Returns the TestResult for the test that's currently running, or
-// the TestResult for the ad hoc test if no test is running.
+// Returns the most specific TestResult currently running.
 TestResult* UnitTestImpl::current_test_result() {
-  return current_test_info_ ?
-      &(current_test_info_->result_) : &ad_hoc_test_result_;
+  if (current_test_info_ != NULL) {
+    return &current_test_info_->result_;
+  }
+  if (current_test_case_ != NULL) {
+    return &current_test_case_->ad_hoc_test_result_;
+  }
+  return &ad_hoc_test_result_;
 }
 
 // Shuffles all test cases, and the tests within each test case,
@@ -4950,9 +5576,8 @@ bool SkipPrefix(const char* prefix, const char** pstr) {
 // part can be omitted.
 //
 // Returns the value of the flag, or NULL if the parsing failed.
-const char* ParseFlagValue(const char* str,
-                           const char* flag,
-                           bool def_optional) {
+static const char* ParseFlagValue(const char* str, const char* flag,
+                                  bool def_optional) {
   // str and flag must not be NULL.
   if (str == NULL || flag == NULL) return NULL;
 
@@ -4988,7 +5613,7 @@ const char* ParseFlagValue(const char* str,
 //
 // On success, stores the value of the flag in *value, and returns
 // true.  On failure, returns false without changing *value.
-bool ParseBoolFlag(const char* str, const char* flag, bool* value) {
+static bool ParseBoolFlag(const char* str, const char* flag, bool* value) {
   // Gets the value of the flag as a string.
   const char* const value_str = ParseFlagValue(str, flag, true);
 
@@ -5022,7 +5647,8 @@ bool ParseInt32Flag(const char* str, const char* flag, Int32* value) {
 //
 // On success, stores the value of the flag in *value, and returns
 // true.  On failure, returns false without changing *value.
-bool ParseStringFlag(const char* str, const char* flag, std::string* value) {
+template <typename String>
+static bool ParseStringFlag(const char* str, const char* flag, String* value) {
   // Gets the value of the flag as a string.
   const char* const value_str = ParseFlagValue(str, flag, false);
 
@@ -5058,7 +5684,7 @@ static bool HasGoogleTestFlagPrefix(const char* str) {
 //   @Y    changes the color to yellow.
 //   @D    changes to the default terminal text color.
 //
-// TODO(wan@google.com): Write tests for this once we add stdout
+// FIXME: Write tests for this once we add stdout
 // capturing to Google Test.
 static void PrintColorEncoded(const char* str) {
   GTestColor color = COLOR_DEFAULT;  // The current color.
@@ -5124,24 +5750,25 @@ static const char kColorEncodedHelpMessage[] =
 "      Enable/disable colored output. The default is @Gauto@D.\n"
 "  -@G-" GTEST_FLAG_PREFIX_ "print_time=0@D\n"
 "      Don't print the elapsed time of each test.\n"
-"  @G--" GTEST_FLAG_PREFIX_ "output=xml@Y[@G:@YDIRECTORY_PATH@G"
+"  @G--" GTEST_FLAG_PREFIX_ "output=@Y(@Gjson@Y|@Gxml@Y)[@G:@YDIRECTORY_PATH@G"
     GTEST_PATH_SEP_ "@Y|@G:@YFILE_PATH]@D\n"
-"      Generate an XML report in the given directory or with the given file\n"
-"      name. @YFILE_PATH@D defaults to @Gtest_details.xml@D.\n"
-#if GTEST_CAN_STREAM_RESULTS_
+"      Generate a JSON or XML report in the given directory or with the given\n"
+"      file name. @YFILE_PATH@D defaults to @Gtest_details.xml@D.\n"
+# if GTEST_CAN_STREAM_RESULTS_
 "  @G--" GTEST_FLAG_PREFIX_ "stream_result_to=@YHOST@G:@YPORT@D\n"
 "      Stream test results to the given server.\n"
-#endif  // GTEST_CAN_STREAM_RESULTS_
+# endif  // GTEST_CAN_STREAM_RESULTS_
 "\n"
 "Assertion Behavior:\n"
-#if GTEST_HAS_DEATH_TEST && !GTEST_OS_WINDOWS
+# if GTEST_HAS_DEATH_TEST && !GTEST_OS_WINDOWS
 "  @G--" GTEST_FLAG_PREFIX_ "death_test_style=@Y(@Gfast@Y|@Gthreadsafe@Y)@D\n"
 "      Set the default death test style.\n"
-#endif  // GTEST_HAS_DEATH_TEST && !GTEST_OS_WINDOWS
+# endif  // GTEST_HAS_DEATH_TEST && !GTEST_OS_WINDOWS
 "  @G--" GTEST_FLAG_PREFIX_ "break_on_failure@D\n"
 "      Turn assertion failures into debugger break-points.\n"
 "  @G--" GTEST_FLAG_PREFIX_ "throw_on_failure@D\n"
-"      Turn assertion failures into C++ exceptions.\n"
+"      Turn assertion failures into C++ exceptions for use by an external\n"
+"      test framework.\n"
 "  @G--" GTEST_FLAG_PREFIX_ "catch_exceptions=0@D\n"
 "      Do not report exceptions as test failures. Instead, allow them\n"
 "      to crash the program or throw a pop-up (on Windows).\n"
@@ -5158,6 +5785,56 @@ static const char kColorEncodedHelpMessage[] =
 "(not one in your own code or tests), please report it to\n"
 "@G<" GTEST_DEV_EMAIL_ ">@D.\n";
 
+static bool ParseGoogleTestFlag(const char* const arg) {
+  return ParseBoolFlag(arg, kAlsoRunDisabledTestsFlag,
+                       &GTEST_FLAG(also_run_disabled_tests)) ||
+      ParseBoolFlag(arg, kBreakOnFailureFlag,
+                    &GTEST_FLAG(break_on_failure)) ||
+      ParseBoolFlag(arg, kCatchExceptionsFlag,
+                    &GTEST_FLAG(catch_exceptions)) ||
+      ParseStringFlag(arg, kColorFlag, &GTEST_FLAG(color)) ||
+      ParseStringFlag(arg, kDeathTestStyleFlag,
+                      &GTEST_FLAG(death_test_style)) ||
+      ParseBoolFlag(arg, kDeathTestUseFork,
+                    &GTEST_FLAG(death_test_use_fork)) ||
+      ParseStringFlag(arg, kFilterFlag, &GTEST_FLAG(filter)) ||
+      ParseStringFlag(arg, kInternalRunDeathTestFlag,
+                      &GTEST_FLAG(internal_run_death_test)) ||
+      ParseBoolFlag(arg, kListTestsFlag, &GTEST_FLAG(list_tests)) ||
+      ParseStringFlag(arg, kOutputFlag, &GTEST_FLAG(output)) ||
+      ParseBoolFlag(arg, kPrintTimeFlag, &GTEST_FLAG(print_time)) ||
+      ParseBoolFlag(arg, kPrintUTF8Flag, &GTEST_FLAG(print_utf8)) ||
+      ParseInt32Flag(arg, kRandomSeedFlag, &GTEST_FLAG(random_seed)) ||
+      ParseInt32Flag(arg, kRepeatFlag, &GTEST_FLAG(repeat)) ||
+      ParseBoolFlag(arg, kShuffleFlag, &GTEST_FLAG(shuffle)) ||
+      ParseInt32Flag(arg, kStackTraceDepthFlag,
+                     &GTEST_FLAG(stack_trace_depth)) ||
+      ParseStringFlag(arg, kStreamResultToFlag,
+                      &GTEST_FLAG(stream_result_to)) ||
+      ParseBoolFlag(arg, kThrowOnFailureFlag,
+                    &GTEST_FLAG(throw_on_failure));
+}
+
+#if GTEST_USE_OWN_FLAGFILE_FLAG_
+static void LoadFlagsFromFile(const std::string& path) {
+  FILE* flagfile = posix::FOpen(path.c_str(), "r");
+  if (!flagfile) {
+    GTEST_LOG_(FATAL) << "Unable to open file \"" << GTEST_FLAG(flagfile)
+                      << "\"";
+  }
+  std::string contents(ReadEntireFile(flagfile));
+  posix::FClose(flagfile);
+  std::vector<std::string> lines;
+  SplitString(contents, '\n', &lines);
+  for (size_t i = 0; i < lines.size(); ++i) {
+    if (lines[i].empty())
+      continue;
+    if (!ParseGoogleTestFlag(lines[i].c_str()))
+      g_help_flag = true;
+  }
+}
+#endif  // GTEST_USE_OWN_FLAGFILE_FLAG_
+
 // Parses the command line for Google Test flags, without initializing
 // other parts of Google Test.  The type parameter CharType can be
 // instantiated to either char or wchar_t.
@@ -5171,35 +5848,24 @@ void ParseGoogleTestFlagsOnlyImpl(int* argc, CharType** argv) {
     using internal::ParseInt32Flag;
     using internal::ParseStringFlag;
 
-    // Do we see a Google Test flag?
-    if (ParseBoolFlag(arg, kAlsoRunDisabledTestsFlag,
-                      &GTEST_FLAG(also_run_disabled_tests)) ||
-        ParseBoolFlag(arg, kBreakOnFailureFlag,
-                      &GTEST_FLAG(break_on_failure)) ||
-        ParseBoolFlag(arg, kCatchExceptionsFlag,
-                      &GTEST_FLAG(catch_exceptions)) ||
-        ParseStringFlag(arg, kColorFlag, &GTEST_FLAG(color)) ||
-        ParseStringFlag(arg, kDeathTestStyleFlag,
-                        &GTEST_FLAG(death_test_style)) ||
-        ParseBoolFlag(arg, kDeathTestUseFork,
-                      &GTEST_FLAG(death_test_use_fork)) ||
-        ParseStringFlag(arg, kFilterFlag, &GTEST_FLAG(filter)) ||
-        ParseStringFlag(arg, kInternalRunDeathTestFlag,
-                        &GTEST_FLAG(internal_run_death_test)) ||
-        ParseBoolFlag(arg, kListTestsFlag, &GTEST_FLAG(list_tests)) ||
-        ParseStringFlag(arg, kOutputFlag, &GTEST_FLAG(output)) ||
-        ParseBoolFlag(arg, kPrintTimeFlag, &GTEST_FLAG(print_time)) ||
-        ParseInt32Flag(arg, kRandomSeedFlag, &GTEST_FLAG(random_seed)) ||
-        ParseInt32Flag(arg, kRepeatFlag, &GTEST_FLAG(repeat)) ||
-        ParseBoolFlag(arg, kShuffleFlag, &GTEST_FLAG(shuffle)) ||
-        ParseInt32Flag(arg, kStackTraceDepthFlag,
-                       &GTEST_FLAG(stack_trace_depth)) ||
-        ParseStringFlag(arg, kStreamResultToFlag,
-                        &GTEST_FLAG(stream_result_to)) ||
-        ParseBoolFlag(arg, kThrowOnFailureFlag,
-                      &GTEST_FLAG(throw_on_failure))
-        ) {
-      // Yes.  Shift the remainder of the argv list left by one.  Note
+    bool remove_flag = false;
+    if (ParseGoogleTestFlag(arg)) {
+      remove_flag = true;
+#if GTEST_USE_OWN_FLAGFILE_FLAG_
+    } else if (ParseStringFlag(arg, kFlagfileFlag, &GTEST_FLAG(flagfile))) {
+      LoadFlagsFromFile(GTEST_FLAG(flagfile));
+      remove_flag = true;
+#endif  // GTEST_USE_OWN_FLAGFILE_FLAG_
+    } else if (arg_string == "--help" || arg_string == "-h" ||
+               arg_string == "-?" || arg_string == "/?" ||
+               HasGoogleTestFlagPrefix(arg)) {
+      // Both help flag and unrecognized Google Test flags (excluding
+      // internal ones) trigger help display.
+      g_help_flag = true;
+    }
+
+    if (remove_flag) {
+      // Shift the remainder of the argv list left by one.  Note
       // that argv has (*argc + 1) elements, the last one always being
       // NULL.  The following loop moves the trailing NULL element as
       // well.
@@ -5213,12 +5879,6 @@ void ParseGoogleTestFlagsOnlyImpl(int* argc, CharType** argv) {
       // We also need to decrement the iterator as we just removed
       // an element.
       i--;
-    } else if (arg_string == "--help" || arg_string == "-h" ||
-               arg_string == "-?" || arg_string == "/?" ||
-               HasGoogleTestFlagPrefix(arg)) {
-      // Both help flag and unrecognized Google Test flags (excluding
-      // internal ones) trigger help display.
-      g_help_flag = true;
     }
   }
 
@@ -5234,6 +5894,17 @@ void ParseGoogleTestFlagsOnlyImpl(int* argc, CharType** argv) {
 // other parts of Google Test.
 void ParseGoogleTestFlagsOnly(int* argc, char** argv) {
   ParseGoogleTestFlagsOnlyImpl(argc, argv);
+
+  // Fix the value of *_NSGetArgc() on macOS, but iff
+  // *_NSGetArgv() == argv
+  // Only applicable to char** version of argv
+#if GTEST_OS_MAC
+#ifndef GTEST_OS_IOS
+  if (*_NSGetArgv() == argv) {
+    *_NSGetArgc() = *argc;
+  }
+#endif
+#endif
 }
 void ParseGoogleTestFlagsOnly(int* argc, wchar_t** argv) {
   ParseGoogleTestFlagsOnlyImpl(argc, argv);
@@ -5245,23 +5916,19 @@ void ParseGoogleTestFlagsOnly(int* argc, wchar_t** argv) {
 // wchar_t.
 template <typename CharType>
 void InitGoogleTestImpl(int* argc, CharType** argv) {
-  g_init_gtest_count++;
-
   // We don't want to run the initialization code twice.
-  if (g_init_gtest_count != 1) return;
+  if (GTestIsInitialized()) return;
 
   if (*argc <= 0) return;
 
-  internal::g_executable_path = internal::StreamableToString(argv[0]);
-
-#if GTEST_HAS_DEATH_TEST
-
   g_argvs.clear();
   for (int i = 0; i != *argc; i++) {
     g_argvs.push_back(StreamableToString(argv[i]));
   }
 
-#endif  // GTEST_HAS_DEATH_TEST
+#if GTEST_HAS_ABSL
+  absl::InitializeSymbolizer(g_argvs[0].c_str());
+#endif  // GTEST_HAS_ABSL
 
   ParseGoogleTestFlagsOnly(argc, argv);
   GetUnitTestImpl()->PostFlagParsingInit();
@@ -5279,13 +5946,62 @@ void InitGoogleTestImpl(int* argc, CharType** argv) {
 //
 // Calling the function for the second time has no user-visible effect.
 void InitGoogleTest(int* argc, char** argv) {
+#if defined(GTEST_CUSTOM_INIT_GOOGLE_TEST_FUNCTION_)
+  GTEST_CUSTOM_INIT_GOOGLE_TEST_FUNCTION_(argc, argv);
+#else  // defined(GTEST_CUSTOM_INIT_GOOGLE_TEST_FUNCTION_)
   internal::InitGoogleTestImpl(argc, argv);
+#endif  // defined(GTEST_CUSTOM_INIT_GOOGLE_TEST_FUNCTION_)
 }
 
 // This overloaded version can be used in Windows programs compiled in
 // UNICODE mode.
 void InitGoogleTest(int* argc, wchar_t** argv) {
+#if defined(GTEST_CUSTOM_INIT_GOOGLE_TEST_FUNCTION_)
+  GTEST_CUSTOM_INIT_GOOGLE_TEST_FUNCTION_(argc, argv);
+#else  // defined(GTEST_CUSTOM_INIT_GOOGLE_TEST_FUNCTION_)
   internal::InitGoogleTestImpl(argc, argv);
+#endif  // defined(GTEST_CUSTOM_INIT_GOOGLE_TEST_FUNCTION_)
+}
+
+std::string TempDir() {
+#if defined(GTEST_CUSTOM_TEMPDIR_FUNCTION_)
+  return GTEST_CUSTOM_TEMPDIR_FUNCTION_();
+#endif
+
+#if GTEST_OS_WINDOWS_MOBILE
+  return "\\temp\\";
+#elif GTEST_OS_WINDOWS
+  const char* temp_dir = internal::posix::GetEnv("TEMP");
+  if (temp_dir == NULL || temp_dir[0] == '\0')
+    return "\\temp\\";
+  else if (temp_dir[strlen(temp_dir) - 1] == '\\')
+    return temp_dir;
+  else
+    return std::string(temp_dir) + "\\";
+#elif GTEST_OS_LINUX_ANDROID
+  return "/sdcard/";
+#else
+  return "/tmp/";
+#endif  // GTEST_OS_WINDOWS_MOBILE
+}
+
+// Class ScopedTrace
+
+// Pushes the given source file location and message onto a per-thread
+// trace stack maintained by Google Test.
+void ScopedTrace::PushTrace(const char* file, int line, std::string message) {
+  internal::TraceInfo trace;
+  trace.file = file;
+  trace.line = line;
+  trace.message.swap(message);
+
+  UnitTest::GetInstance()->PushGTestTrace(trace);
+}
+
+// Pops the info pushed by the c'tor.
+ScopedTrace::~ScopedTrace()
+    GTEST_LOCK_EXCLUDED_(&UnitTest::mutex_) {
+  UnitTest::GetInstance()->PopGTestTrace();
 }
 
 }  // namespace testing
diff --git a/security/nss/gtests/google_test/gtest/src/gtest_main.cc b/security/nss/gtests/google_test/gtest/src/gtest_main.cc
index f30282255..2113f621e 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest_main.cc
+++ b/security/nss/gtests/google_test/gtest/src/gtest_main.cc
@@ -28,11 +28,10 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 #include <stdio.h>
-
 #include "gtest/gtest.h"
 
 GTEST_API_ int main(int argc, char **argv) {
-  printf("Running main() from gtest_main.cc\n");
+  printf("Running main() from %s\n", __FILE__);
   testing::InitGoogleTest(&argc, argv);
   return RUN_ALL_TESTS();
 }
diff --git a/security/nss/gtests/google_test/gtest/test/BUILD.bazel b/security/nss/gtests/google_test/gtest/test/BUILD.bazel
new file mode 100644
index 000000000..a930d65e0
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/BUILD.bazel
@@ -0,0 +1,527 @@
+# Copyright 2017 Google Inc.
+# All Rights Reserved.
+#
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Author: misterg@google.com (Gennadiy Civil)
+#
+# Bazel BUILD for The Google C++ Testing Framework (Google Test)
+
+licenses(["notice"])
+
+config_setting(
+    name = "windows",
+    values = {"cpu": "x64_windows"},
+)
+
+config_setting(
+    name = "windows_msvc",
+    values = {"cpu": "x64_windows_msvc"},
+)
+
+config_setting(
+    name = "has_absl",
+    values = {"define": "absl=1"},
+)
+
+#on windows exclude gtest-tuple.h and googletest-tuple-test.cc
+cc_test(
+    name = "gtest_all_test",
+    size = "small",
+    srcs = glob(
+        include = [
+            "gtest-*.cc",
+            "googletest-*.cc",
+            "*.h",
+            "googletest/include/gtest/**/*.h",
+        ],
+        exclude = [
+            "gtest-unittest-api_test.cc",
+            "googletest-tuple-test.cc",
+            "googletest/src/gtest-all.cc",
+            "gtest_all_test.cc",
+            "gtest-death-test_ex_test.cc",
+            "gtest-listener_test.cc",
+            "gtest-unittest-api_test.cc",
+            "googletest-param-test-test.cc",
+            "googletest-catch-exceptions-test_.cc",
+            "googletest-color-test_.cc",
+            "googletest-env-var-test_.cc",
+            "googletest-filter-unittest_.cc",
+            "googletest-break-on-failure-unittest_.cc",
+             "googletest-listener-test.cc",
+             "googletest-output-test_.cc",
+             "googletest-list-tests-unittest_.cc",
+             "googletest-shuffle-test_.cc",
+             "googletest-uninitialized-test_.cc",
+             "googletest-death-test_ex_test.cc",
+             "googletest-param-test-test",
+             "googletest-throw-on-failure-test_.cc",
+             "googletest-param-test-invalid-name1-test_.cc",
+             "googletest-param-test-invalid-name2-test_.cc",
+
+        ],
+    ) + select({
+        "//:windows": [],
+        "//:windows_msvc": [],
+        "//conditions:default": [
+            "googletest-tuple-test.cc",
+        ],
+    }),
+    copts = select({
+        "//:windows": ["-DGTEST_USE_OWN_TR1_TUPLE=0"],
+        "//:windows_msvc": ["-DGTEST_USE_OWN_TR1_TUPLE=0"],
+        "//conditions:default": ["-DGTEST_USE_OWN_TR1_TUPLE=1"],
+    }),
+    includes = [
+        "googletest",
+        "googletest/include",
+        "googletest/include/internal",
+        "googletest/test",
+    ],
+    linkopts = select({
+        "//:windows": [],
+        "//:windows_msvc": [],
+        "//conditions:default": [
+            "-pthread",
+        ],
+    }),
+    deps = ["//:gtest_main"],
+)
+
+
+# Tests death tests.
+cc_test(
+    name = "googletest-death-test-test",
+    size = "medium",
+    srcs = ["googletest-death-test-test.cc"],
+    deps = ["//:gtest_main"],
+)
+
+cc_test(
+    name = "gtest_test_macro_stack_footprint_test",
+    size = "small",
+    srcs = ["gtest_test_macro_stack_footprint_test.cc"],
+    deps = ["//:gtest"],
+)
+
+#These googletest tests have their own main()
+cc_test(
+    name = "googletest-listener-test",
+    size = "small",
+    srcs = ["googletest-listener-test.cc"],
+    deps = ["//:gtest_main"],
+)
+
+cc_test(
+    name = "gtest-unittest-api_test",
+    size = "small",
+    srcs = [
+        "gtest-unittest-api_test.cc",
+    ],
+    deps = [
+        "//:gtest",
+    ],
+)
+
+cc_test(
+    name = "googletest-param-test-test",
+    size = "small",
+    srcs = [
+        "googletest-param-test-test.cc",
+        "googletest-param-test-test.h",
+        "googletest-param-test2-test.cc",
+    ],
+    deps = ["//:gtest"],
+)
+
+cc_test(
+    name = "gtest_unittest",
+    size = "small",
+    srcs = ["gtest_unittest.cc"],
+    args = ["--heap_check=strict"],
+    shard_count = 2,
+    deps = ["//:gtest_main"],
+)
+
+#  Py tests
+
+py_library(
+    name = "gtest_test_utils",
+    testonly = 1,
+    srcs = ["gtest_test_utils.py"],
+)
+
+cc_binary(
+    name = "gtest_help_test_",
+    testonly = 1,
+    srcs = ["gtest_help_test_.cc"],
+    deps = ["//:gtest_main"],
+)
+
+py_test(
+    name = "gtest_help_test",
+    size = "small",
+    srcs = ["gtest_help_test.py"],
+    data = [":gtest_help_test_"],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "googletest-output-test_",
+    testonly = 1,
+    srcs = ["googletest-output-test_.cc"],
+    deps = ["//:gtest"],
+)
+
+
+py_test(
+    name = "googletest-output-test",
+    size = "small",
+    srcs = ["googletest-output-test.py"],
+    args = select({
+        ":has_absl": [],
+        "//conditions:default": ["--no_stacktrace_support"],
+    }),
+    data = [
+        "googletest-output-test-golden-lin.txt",
+        ":googletest-output-test_",
+    ],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "googletest-color-test_",
+    testonly = 1,
+    srcs = ["googletest-color-test_.cc"],
+    deps = ["//:gtest"],
+)
+
+py_test(
+    name = "googletest-color-test",
+    size = "small",
+    srcs = ["googletest-color-test.py"],
+    data = [":googletest-color-test_"],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "googletest-env-var-test_",
+    testonly = 1,
+    srcs = ["googletest-env-var-test_.cc"],
+    deps = ["//:gtest"],
+)
+
+py_test(
+    name = "googletest-env-var-test",
+    size = "medium",
+    srcs = ["googletest-env-var-test.py"],
+    data = [":googletest-env-var-test_"],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "googletest-filter-unittest_",
+    testonly = 1,
+    srcs = ["googletest-filter-unittest_.cc"],
+    deps = ["//:gtest"],
+)
+
+py_test(
+    name = "googletest-filter-unittest",
+    size = "medium",
+    srcs = ["googletest-filter-unittest.py"],
+    data = [":googletest-filter-unittest_"],
+    deps = [":gtest_test_utils"],
+)
+
+
+cc_binary(
+    name = "googletest-break-on-failure-unittest_",
+    testonly = 1,
+    srcs = ["googletest-break-on-failure-unittest_.cc"],
+    deps = ["//:gtest"],
+)
+
+
+
+py_test(
+    name = "googletest-break-on-failure-unittest",
+    size = "small",
+    srcs = ["googletest-break-on-failure-unittest.py"],
+    data = [":googletest-break-on-failure-unittest_"],
+    deps = [":gtest_test_utils"],
+)
+
+
+cc_test(
+    name = "gtest_assert_by_exception_test",
+    size = "small",
+    srcs = ["gtest_assert_by_exception_test.cc"],
+    deps = ["//:gtest"],
+)
+
+
+
+cc_binary(
+    name = "googletest-throw-on-failure-test_",
+    testonly = 1,
+    srcs = ["googletest-throw-on-failure-test_.cc"],
+    deps = ["//:gtest"],
+)
+
+py_test(
+    name = "googletest-throw-on-failure-test",
+    size = "small",
+    srcs = ["googletest-throw-on-failure-test.py"],
+    data = [":googletest-throw-on-failure-test_"],
+    deps = [":gtest_test_utils"],
+)
+
+
+cc_binary(
+    name = "googletest-list-tests-unittest_",
+    testonly = 1,
+    srcs = ["googletest-list-tests-unittest_.cc"],
+    deps = ["//:gtest"],
+)
+
+py_test(
+    name = "googletest-list-tests-unittest",
+    size = "small",
+    srcs = ["googletest-list-tests-unittest.py"],
+    data = [":googletest-list-tests-unittest_"],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "googletest-shuffle-test_",
+    srcs = ["googletest-shuffle-test_.cc"],
+    deps = ["//:gtest"],
+)
+
+py_test(
+    name = "googletest-shuffle-test",
+    size = "small",
+    srcs = ["googletest-shuffle-test.py"],
+    data = [":googletest-shuffle-test_"],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "googletest-catch-exceptions-no-ex-test_",
+    testonly = 1,
+    srcs = ["googletest-catch-exceptions-test_.cc"],
+    deps = ["//:gtest_main"],
+)
+
+cc_binary(
+    name = "googletest-catch-exceptions-ex-test_",
+    testonly = 1,
+    srcs = ["googletest-catch-exceptions-test_.cc"],
+    copts = ["-fexceptions"],
+    deps = ["//:gtest_main"],
+)
+
+py_test(
+    name = "googletest-catch-exceptions-test",
+    size = "small",
+    srcs = ["googletest-catch-exceptions-test.py"],
+    data = [
+        ":googletest-catch-exceptions-ex-test_",
+        ":googletest-catch-exceptions-no-ex-test_",
+    ],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "gtest_xml_output_unittest_",
+    testonly = 1,
+    srcs = ["gtest_xml_output_unittest_.cc"],
+    deps = ["//:gtest"],
+)
+
+cc_test(
+    name = "gtest_no_test_unittest",
+    size = "small",
+    srcs = ["gtest_no_test_unittest.cc"],
+    deps = ["//:gtest"],
+)
+
+py_test(
+    name = "gtest_xml_output_unittest",
+    size = "small",
+    srcs = [
+        "gtest_xml_output_unittest.py",
+        "gtest_xml_test_utils.py",
+    ],
+    args = select({
+        ":has_absl": [],
+        "//conditions:default": ["--no_stacktrace_support"],
+    }),
+    data = [
+        # We invoke gtest_no_test_unittest to verify the XML output
+        # when the test program contains no test definition.
+        ":gtest_no_test_unittest",
+        ":gtest_xml_output_unittest_",
+    ],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "gtest_xml_outfile1_test_",
+    testonly = 1,
+    srcs = ["gtest_xml_outfile1_test_.cc"],
+    deps = ["//:gtest_main"],
+)
+
+cc_binary(
+    name = "gtest_xml_outfile2_test_",
+    testonly = 1,
+    srcs = ["gtest_xml_outfile2_test_.cc"],
+    deps = ["//:gtest_main"],
+)
+
+py_test(
+    name = "gtest_xml_outfiles_test",
+    size = "small",
+    srcs = [
+        "gtest_xml_outfiles_test.py",
+        "gtest_xml_test_utils.py",
+    ],
+    data = [
+        ":gtest_xml_outfile1_test_",
+        ":gtest_xml_outfile2_test_",
+    ],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "googletest-uninitialized-test_",
+    testonly = 1,
+    srcs = ["googletest-uninitialized-test_.cc"],
+    deps = ["//:gtest"],
+)
+
+py_test(
+    name = "googletest-uninitialized-test",
+    size = "medium",
+    srcs = ["googletest-uninitialized-test.py"],
+    data = ["googletest-uninitialized-test_"],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "gtest_testbridge_test_",
+    testonly = 1,
+    srcs = ["gtest_testbridge_test_.cc"],
+    deps = ["//:gtest_main"],
+)
+
+# Tests that filtering via testbridge works
+py_test(
+    name = "gtest_testbridge_test",
+    size = "small",
+    srcs = ["gtest_testbridge_test.py"],
+    data = [":gtest_testbridge_test_"],
+    deps = [":gtest_test_utils"],
+)
+
+
+py_test(
+    name = "googletest-json-outfiles-test",
+    size = "small",
+    srcs = [
+        "googletest-json-outfiles-test.py",
+        "gtest_json_test_utils.py",
+    ],
+    data = [
+        ":gtest_xml_outfile1_test_",
+        ":gtest_xml_outfile2_test_",
+    ],
+    deps = [":gtest_test_utils"],
+)
+
+py_test(
+    name = "googletest-json-output-unittest",
+    size = "medium",
+    srcs = [
+        "googletest-json-output-unittest.py",
+        "gtest_json_test_utils.py",
+    ],
+    data = [
+        # We invoke gtest_no_test_unittest to verify the JSON output
+        # when the test program contains no test definition.
+        ":gtest_no_test_unittest",
+        ":gtest_xml_output_unittest_",
+    ],
+    args = select({
+        ":has_absl": [],
+        "//conditions:default": ["--no_stacktrace_support"],
+    }),
+    deps = [":gtest_test_utils"],
+)
+# Verifies interaction of death tests and exceptions.
+cc_test(
+    name = "googletest-death-test_ex_catch_test",
+    size = "medium",
+    srcs = ["googletest-death-test_ex_test.cc"],
+    copts = ["-fexceptions"],
+    defines = ["GTEST_ENABLE_CATCH_EXCEPTIONS_=1"],
+    deps = ["//:gtest"],
+)
+
+cc_binary(
+    name = "googletest-param-test-invalid-name1-test_",
+    testonly = 1,
+    srcs = ["googletest-param-test-invalid-name1-test_.cc"],
+    deps = ["//:gtest"],
+)
+
+cc_binary(
+    name = "googletest-param-test-invalid-name2-test_",
+    testonly = 1,
+    srcs = ["googletest-param-test-invalid-name2-test_.cc"],
+    deps = ["//:gtest"],
+)
+
+py_test(
+    name = "googletest-param-test-invalid-name1-test",
+    size = "small",
+    srcs = ["googletest-param-test-invalid-name1-test.py"],
+    data = [":googletest-param-test-invalid-name1-test_"],
+    deps = [":gtest_test_utils"],
+)
+
+py_test(
+    name = "googletest-param-test-invalid-name2-test",
+    size = "small",
+    srcs = ["googletest-param-test-invalid-name2-test.py"],
+    data = [":googletest-param-test-invalid-name2-test_"],
+    deps = [":gtest_test_utils"],
+)
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_break_on_failure_unittest.py b/security/nss/gtests/google_test/gtest/test/googletest-break-on-failure-unittest.py
index 78f3e0f53..a5dfbc693 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_break_on_failure_unittest.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-break-on-failure-unittest.py
@@ -34,16 +34,12 @@
 A user can ask Google Test to seg-fault when an assertion fails, using
 either the GTEST_BREAK_ON_FAILURE environment variable or the
 --gtest_break_on_failure flag.  This script tests such functionality
-by invoking gtest_break_on_failure_unittest_ (a program written with
+by invoking googletest-break-on-failure-unittest_ (a program written with
 Google Test) with different environments and command line flags.
 """
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
-
-import gtest_test_utils
 import os
-import sys
-
+import gtest_test_utils
 
 # Constants.
 
@@ -61,9 +57,9 @@ THROW_ON_FAILURE_ENV_VAR = 'GTEST_THROW_ON_FAILURE'
 # The environment variable for enabling/disabling the catch-exceptions mode.
 CATCH_EXCEPTIONS_ENV_VAR = 'GTEST_CATCH_EXCEPTIONS'
 
-# Path to the gtest_break_on_failure_unittest_ program.
+# Path to the googletest-break-on-failure-unittest_ program.
 EXE_PATH = gtest_test_utils.GetTestExecutablePath(
-    'gtest_break_on_failure_unittest_')
+    'googletest-break-on-failure-unittest_')
 
 
 environ = gtest_test_utils.environ
@@ -97,7 +93,7 @@ class GTestBreakOnFailureUnitTest(gtest_test_utils.TestCase):
   """
 
   def RunAndVerify(self, env_var_value, flag_value, expect_seg_fault):
-    """Runs gtest_break_on_failure_unittest_ and verifies that it does
+    """Runs googletest-break-on-failure-unittest_ and verifies that it does
     (or does not) have a seg-fault.
 
     Args:
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_break_on_failure_unittest_.cc b/security/nss/gtests/google_test/gtest/test/googletest-break-on-failure-unittest_.cc
index dd07478c0..f84957a2d 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_break_on_failure_unittest_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-break-on-failure-unittest_.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Unit test for Google Test's break-on-failure mode.
 //
@@ -80,8 +79,7 @@ int main(int argc, char **argv) {
   SetUnhandledExceptionFilter(ExitWithExceptionCode);
 
 # endif
-#endif
-
+#endif  // GTEST_OS_WINDOWS
   testing::InitGoogleTest(&argc, argv);
 
   return RUN_ALL_TESTS();
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_catch_exceptions_test.py b/security/nss/gtests/google_test/gtest/test/googletest-catch-exceptions-test.py
index e6fc22fd1..5d49c1023 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_catch_exceptions_test.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-catch-exceptions-test.py
@@ -30,15 +30,11 @@
 
 """Tests Google Test's exception catching behavior.
 
-This script invokes gtest_catch_exceptions_test_ and
-gtest_catch_exceptions_ex_test_ (programs written with
+This script invokes googletest-catch-exceptions-test_ and
+googletest-catch-exceptions-ex-test_ (programs written with
 Google Test) and verifies their output.
 """
 
-__author__ = 'vladl@google.com (Vlad Losev)'
-
-import os
-
 import gtest_test_utils
 
 # Constants.
@@ -47,15 +43,15 @@ LIST_TESTS_FLAG = FLAG_PREFIX + 'list_tests'
 NO_CATCH_EXCEPTIONS_FLAG = FLAG_PREFIX + 'catch_exceptions=0'
 FILTER_FLAG = FLAG_PREFIX + 'filter'
 
-# Path to the gtest_catch_exceptions_ex_test_ binary, compiled with
+# Path to the googletest-catch-exceptions-ex-test_ binary, compiled with
 # exceptions enabled.
 EX_EXE_PATH = gtest_test_utils.GetTestExecutablePath(
-    'gtest_catch_exceptions_ex_test_')
+    'googletest-catch-exceptions-ex-test_')
 
-# Path to the gtest_catch_exceptions_test_ binary, compiled with
+# Path to the googletest-catch-exceptions-test_ binary, compiled with
 # exceptions disabled.
 EXE_PATH = gtest_test_utils.GetTestExecutablePath(
-    'gtest_catch_exceptions_no_ex_test_')
+    'googletest-catch-exceptions-no-ex-test_')
 
 environ = gtest_test_utils.environ
 SetEnvVar = gtest_test_utils.SetEnvVar
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_catch_exceptions_test_.cc b/security/nss/gtests/google_test/gtest/test/googletest-catch-exceptions-test_.cc
index d0fc82c99..09dae7003 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_catch_exceptions_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-catch-exceptions-test_.cc
@@ -26,17 +26,17 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 //
 // Tests for Google Test itself. Tests in this file throw C++ or SEH
-// exceptions, and the output is verified by gtest_catch_exceptions_test.py.
-
-#include "gtest/gtest.h"
+// exceptions, and the output is verified by
+// googletest-catch-exceptions-test.py.
 
 #include <stdio.h>  // NOLINT
 #include <stdlib.h>  // For exit().
 
+#include "gtest/gtest.h"
+
 #if GTEST_HAS_SEH
 # include <windows.h>
 #endif
@@ -138,7 +138,7 @@ TEST_F(CxxExceptionInConstructorTest, ThrowsExceptionInConstructor) {
 }
 
 // Exceptions in destructors are not supported in C++11.
-#if !defined(__GXX_EXPERIMENTAL_CXX0X__) &&  __cplusplus < 201103L
+#if !GTEST_LANG_CXX11
 class CxxExceptionInDestructorTest : public Test {
  public:
   static void TearDownTestCase() {
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_color_test.py b/security/nss/gtests/google_test/gtest/test/googletest-color-test.py
index d02a53ed8..f3b7c9990 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_color_test.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-color-test.py
@@ -31,17 +31,14 @@
 
 """Verifies that Google Test correctly determines whether to use colors."""
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
-
 import os
 import gtest_test_utils
 
-
-IS_WINDOWS = os.name = 'nt'
+IS_WINDOWS = os.name == 'nt'
 
 COLOR_ENV_VAR = 'GTEST_COLOR'
 COLOR_FLAG = 'gtest_color'
-COMMAND = gtest_test_utils.GetTestExecutablePath('gtest_color_test_')
+COMMAND = gtest_test_utils.GetTestExecutablePath('googletest-color-test_')
 
 
 def SetEnvVar(env_var, value):
@@ -54,7 +51,7 @@ def SetEnvVar(env_var, value):
 
 
 def UsesColor(term, color_env_var, color_flag):
-  """Runs gtest_color_test_ and returns its exit code."""
+  """Runs googletest-color-test_ and returns its exit code."""
 
   SetEnvVar('TERM', term)
   SetEnvVar(COLOR_ENV_VAR, color_env_var)
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_color_test_.cc b/security/nss/gtests/google_test/gtest/test/googletest-color-test_.cc
index f61ebb89b..220a3a005 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_color_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-color-test_.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // A helper program for testing how Google Test determines whether to use
 // colors in the output.  It prints "YES" and returns 1 if Google Test
@@ -36,15 +35,7 @@
 #include <stdio.h>
 
 #include "gtest/gtest.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick is to
-// prevent a user from accidentally including gtest-internal-inl.h in
-// his code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 using testing::internal::ShouldUseColor;
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-death-test_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-death-test-test.cc
index b25bc2296..c0c3026fb 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-death-test_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-death-test-test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 //
 // Tests for death tests.
 
@@ -56,15 +55,7 @@ using testing::internal::AlwaysTrue;
 # endif  // GTEST_OS_LINUX
 
 # include "gtest/gtest-spi.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick is to
-// prevent a user from accidentally including gtest-internal-inl.h in
-// his code.
-# define GTEST_IMPLEMENTATION_ 1
 # include "src/gtest-internal-inl.h"
-# undef GTEST_IMPLEMENTATION_
 
 namespace posix = ::testing::internal::posix;
 
@@ -208,7 +199,7 @@ int DieInDebugElse12(int* sideeffect) {
   return 12;
 }
 
-# if GTEST_OS_WINDOWS
+# if GTEST_OS_WINDOWS || GTEST_OS_FUCHSIA
 
 // Tests the ExitedWithCode predicate.
 TEST(ExitStatusPredicateTest, ExitedWithCode) {
@@ -280,7 +271,7 @@ TEST(ExitStatusPredicateTest, KilledBySignal) {
   EXPECT_FALSE(pred_kill(status_segv));
 }
 
-# endif  // GTEST_OS_WINDOWS
+# endif  // GTEST_OS_WINDOWS || GTEST_OS_FUCHSIA
 
 // Tests that the death test macros expand to code which may or may not
 // be followed by operator<<, and that in either case the complete text
@@ -313,14 +304,14 @@ void DieWithEmbeddedNul() {
 }
 
 # if GTEST_USES_PCRE
+
 // Tests that EXPECT_DEATH and ASSERT_DEATH work when the error
 // message has a NUL character in it.
 TEST_F(TestForDeathTest, EmbeddedNulInMessage) {
-  // TODO(wan@google.com): <regex.h> doesn't support matching strings
-  // with embedded NUL characters - find a way to workaround it.
   EXPECT_DEATH(DieWithEmbeddedNul(), "my null world");
   ASSERT_DEATH(DieWithEmbeddedNul(), "my null world");
 }
+
 # endif  // GTEST_USES_PCRE
 
 // Tests that death test macros expand to code which interacts well with switch
@@ -505,13 +496,17 @@ TEST_F(TestForDeathTest, AcceptsAnythingConvertibleToRE) {
 
 # if GTEST_HAS_GLOBAL_STRING
 
-  const string regex_str(regex_c_str);
+  const ::string regex_str(regex_c_str);
   EXPECT_DEATH(GlobalFunction(), regex_str);
 
 # endif  // GTEST_HAS_GLOBAL_STRING
 
+# if !GTEST_USES_PCRE
+
   const ::std::string regex_std_str(regex_c_str);
   EXPECT_DEATH(GlobalFunction(), regex_std_str);
+
+# endif  // !GTEST_USES_PCRE
 }
 
 // Tests that a non-void function can be used in a death test.
@@ -621,7 +616,11 @@ TEST_F(TestForDeathTest, ReturnIsFailure) {
 TEST_F(TestForDeathTest, TestExpectDebugDeath) {
   int sideeffect = 0;
 
-  EXPECT_DEBUG_DEATH(DieInDebugElse12(&sideeffect), "death.*DieInDebugElse12")
+  // Put the regex in a local variable to make sure we don't get an "unused"
+  // warning in opt mode.
+  const char* regex = "death.*DieInDebugElse12";
+
+  EXPECT_DEBUG_DEATH(DieInDebugElse12(&sideeffect), regex)
       << "Must accept a streamed message";
 
 # ifdef NDEBUG
@@ -784,11 +783,12 @@ static void TestExitMacros() {
 
   // Of all signals effects on the process exit code, only those of SIGABRT
   // are documented on Windows.
-  // See http://msdn.microsoft.com/en-us/library/dwwzkt4c(VS.71).aspx.
+  // See https://msdn.microsoft.com/en-us/query-bi/m/dwwzkt4c.
   EXPECT_EXIT(raise(SIGABRT), testing::ExitedWithCode(3), "") << "b_ar";
 
-# else
+# elif !GTEST_OS_FUCHSIA
 
+  // Fuchsia has no unix signals.
   EXPECT_EXIT(raise(SIGKILL), testing::KilledBySignal(SIGKILL), "") << "foo";
   ASSERT_EXIT(raise(SIGUSR2), testing::KilledBySignal(SIGUSR2), "") << "bar";
 
@@ -887,9 +887,9 @@ class MockDeathTestFactory : public DeathTestFactory {
   // Accessors.
   int AssumeRoleCalls() const { return assume_role_calls_; }
   int WaitCalls() const { return wait_calls_; }
-  int PassedCalls() const { return passed_args_.size(); }
+  size_t PassedCalls() const { return passed_args_.size(); }
   bool PassedArgument(int n) const { return passed_args_[n]; }
-  int AbortCalls() const { return abort_args_.size(); }
+  size_t AbortCalls() const { return abort_args_.size(); }
   DeathTest::AbortReason AbortArgument(int n) const {
     return abort_args_[n];
   }
@@ -1050,8 +1050,8 @@ TEST_F(MacroLogicDeathTest, NothingHappens) {
   EXPECT_FALSE(flag);
   EXPECT_EQ(0, factory_->AssumeRoleCalls());
   EXPECT_EQ(0, factory_->WaitCalls());
-  EXPECT_EQ(0, factory_->PassedCalls());
-  EXPECT_EQ(0, factory_->AbortCalls());
+  EXPECT_EQ(0U, factory_->PassedCalls());
+  EXPECT_EQ(0U, factory_->AbortCalls());
   EXPECT_FALSE(factory_->TestDeleted());
 }
 
@@ -1065,9 +1065,9 @@ TEST_F(MacroLogicDeathTest, ChildExitsSuccessfully) {
   EXPECT_FALSE(flag);
   EXPECT_EQ(1, factory_->AssumeRoleCalls());
   EXPECT_EQ(1, factory_->WaitCalls());
-  ASSERT_EQ(1, factory_->PassedCalls());
+  ASSERT_EQ(1U, factory_->PassedCalls());
   EXPECT_FALSE(factory_->PassedArgument(0));
-  EXPECT_EQ(0, factory_->AbortCalls());
+  EXPECT_EQ(0U, factory_->AbortCalls());
   EXPECT_TRUE(factory_->TestDeleted());
 }
 
@@ -1080,9 +1080,9 @@ TEST_F(MacroLogicDeathTest, ChildExitsUnsuccessfully) {
   EXPECT_FALSE(flag);
   EXPECT_EQ(1, factory_->AssumeRoleCalls());
   EXPECT_EQ(1, factory_->WaitCalls());
-  ASSERT_EQ(1, factory_->PassedCalls());
+  ASSERT_EQ(1U, factory_->PassedCalls());
   EXPECT_TRUE(factory_->PassedArgument(0));
-  EXPECT_EQ(0, factory_->AbortCalls());
+  EXPECT_EQ(0U, factory_->AbortCalls());
   EXPECT_TRUE(factory_->TestDeleted());
 }
 
@@ -1096,8 +1096,8 @@ TEST_F(MacroLogicDeathTest, ChildPerformsReturn) {
   EXPECT_TRUE(flag);
   EXPECT_EQ(1, factory_->AssumeRoleCalls());
   EXPECT_EQ(0, factory_->WaitCalls());
-  EXPECT_EQ(0, factory_->PassedCalls());
-  EXPECT_EQ(1, factory_->AbortCalls());
+  EXPECT_EQ(0U, factory_->PassedCalls());
+  EXPECT_EQ(1U, factory_->AbortCalls());
   EXPECT_EQ(DeathTest::TEST_ENCOUNTERED_RETURN_STATEMENT,
             factory_->AbortArgument(0));
   EXPECT_TRUE(factory_->TestDeleted());
@@ -1112,13 +1112,13 @@ TEST_F(MacroLogicDeathTest, ChildDoesNotDie) {
   EXPECT_TRUE(flag);
   EXPECT_EQ(1, factory_->AssumeRoleCalls());
   EXPECT_EQ(0, factory_->WaitCalls());
-  EXPECT_EQ(0, factory_->PassedCalls());
+  EXPECT_EQ(0U, factory_->PassedCalls());
   // This time there are two calls to Abort: one since the test didn't
   // die, and another from the ReturnSentinel when it's destroyed.  The
   // sentinel normally isn't destroyed if a test doesn't die, since
   // _exit(2) is called in that case by ForkingDeathTest, but not by
   // our MockDeathTest.
-  ASSERT_EQ(2, factory_->AbortCalls());
+  ASSERT_EQ(2U, factory_->AbortCalls());
   EXPECT_EQ(DeathTest::TEST_DID_NOT_DIE,
             factory_->AbortArgument(0));
   EXPECT_EQ(DeathTest::TEST_ENCOUNTERED_RETURN_STATEMENT,
@@ -1279,7 +1279,7 @@ TEST(ParseNaturalNumberTest, WorksForShorterIntegers) {
 
 # if GTEST_OS_WINDOWS
 TEST(EnvironmentTest, HandleFitsIntoSizeT) {
-  // TODO(vladl@google.com): Remove this test after this condition is verified
+  // FIXME: Remove this test after this condition is verified
   // in a static assertion in gtest-death-test.cc in the function
   // GetStatusFileDescriptor.
   ASSERT_TRUE(sizeof(HANDLE) <= sizeof(size_t));
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-death-test_ex_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-death-test_ex_test.cc
index b50a13d5e..b8b9470fc 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-death-test_ex_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-death-test_ex_test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 //
 // Tests that verify interaction of exceptions and death tests.
 
@@ -69,7 +68,7 @@ TEST(CxxExceptionDeathTest, PrintsMessageForStdExceptions) {
                           "exceptional message");
   // Verifies that the location is mentioned in the failure text.
   EXPECT_NONFATAL_FAILURE(EXPECT_DEATH(throw TestException(), ""),
-                          "gtest-death-test_ex_test.cc");
+                          "googletest-death-test_ex_test.cc");
 }
 # endif  // GTEST_HAS_EXCEPTIONS
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_env_var_test.py b/security/nss/gtests/google_test/gtest/test/googletest-env-var-test.py
index ac24337fa..e1efeee1e 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_env_var_test.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-env-var-test.py
@@ -31,8 +31,6 @@
 
 """Verifies that Google Test correctly parses environment variables."""
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
-
 import os
 import gtest_test_utils
 
@@ -40,7 +38,7 @@ import gtest_test_utils
 IS_WINDOWS = os.name == 'nt'
 IS_LINUX = os.name == 'posix' and os.uname()[0] == 'Linux'
 
-COMMAND = gtest_test_utils.GetTestExecutablePath('gtest_env_var_test_')
+COMMAND = gtest_test_utils.GetTestExecutablePath('googletest-env-var-test_')
 
 environ = os.environ.copy()
 
@@ -62,7 +60,7 @@ def SetEnvVar(env_var, value):
 
 
 def GetFlag(flag):
-  """Runs gtest_env_var_test_ and returns its output."""
+  """Runs googletest-env-var-test_ and returns its output."""
 
   args = [COMMAND]
   if flag is not None:
@@ -81,12 +79,14 @@ def TestFlag(flag, test_val, default_val):
 
 
 class GTestEnvVarTest(gtest_test_utils.TestCase):
+
   def testEnvVarAffectsFlag(self):
     """Tests that environment variable should affect the corresponding flag."""
 
     TestFlag('break_on_failure', '1', '0')
     TestFlag('color', 'yes', 'auto')
     TestFlag('filter', 'FooTest.Bar', '*')
+    SetEnvVar('XML_OUTPUT_FILE', None)  # For 'output' test
     TestFlag('output', 'xml:tmp/foo.xml', '')
     TestFlag('print_time', '0', '1')
     TestFlag('repeat', '999', '1')
@@ -99,5 +99,19 @@ class GTestEnvVarTest(gtest_test_utils.TestCase):
       TestFlag('stack_trace_depth', '0', '100')
 
 
+  def testXmlOutputFile(self):
+    """Tests that $XML_OUTPUT_FILE affects the output flag."""
+
+    SetEnvVar('GTEST_OUTPUT', None)
+    SetEnvVar('XML_OUTPUT_FILE', 'tmp/bar.xml')
+    AssertEq('xml:tmp/bar.xml', GetFlag('output'))
+
+  def testXmlOutputFileOverride(self):
+    """Tests that $XML_OUTPUT_FILE is overridden by $GTEST_OUTPUT."""
+
+    SetEnvVar('GTEST_OUTPUT', 'xml:tmp/foo.xml')
+    SetEnvVar('XML_OUTPUT_FILE', 'tmp/bar.xml')
+    AssertEq('xml:tmp/foo.xml', GetFlag('output'))
+
 if __name__ == '__main__':
   gtest_test_utils.Main()
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_env_var_test_.cc b/security/nss/gtests/google_test/gtest/test/googletest-env-var-test_.cc
index 539afc968..fd2aa82f7 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_env_var_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-env-var-test_.cc
@@ -26,19 +26,15 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // A helper program for testing that Google Test parses the environment
 // variables correctly.
 
-#include "gtest/gtest.h"
-
 #include <iostream>
 
-#define GTEST_IMPLEMENTATION_ 1
+#include "gtest/gtest.h"
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 using ::std::cout;
 
@@ -117,7 +113,7 @@ int main(int argc, char** argv) {
   testing::InitGoogleTest(&argc, argv);
 
   if (argc != 2) {
-    cout << "Usage: gtest_env_var_test_ NAME_OF_FLAG\n";
+    cout << "Usage: googletest-env-var-test_ NAME_OF_FLAG\n";
     return 1;
   }
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-filepath_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-filepath-test.cc
index ae9f55a0c..37f02fb4b 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-filepath_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-filepath-test.cc
@@ -27,28 +27,17 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: keith.ray@gmail.com (Keith Ray)
-//
 // Google Test filepath utilities
 //
 // This file tests classes and functions used internally by
 // Google Test.  They are subject to change without notice.
 //
-// This file is #included from gtest_unittest.cc, to avoid changing
-// build or make-files for some existing Google Test clients. Do not
-// #include this file anywhere else!
+// This file is #included from gtest-internal.h.
+// Do not #include this file anywhere else!
 
 #include "gtest/internal/gtest-filepath.h"
 #include "gtest/gtest.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick is to
-// prevent a user from accidentally including gtest-internal-inl.h in
-// his code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 #if GTEST_OS_WINDOWS_MOBILE
 # include <windows.h>  // NOLINT
@@ -61,7 +50,7 @@ namespace internal {
 namespace {
 
 #if GTEST_OS_WINDOWS_MOBILE
-// TODO(wan@google.com): Move these to the POSIX adapter section in
+// FIXME: Move these to the POSIX adapter section in
 // gtest-port.h.
 
 // Windows CE doesn't have the remove C function.
@@ -514,24 +503,6 @@ class DirectoryCreationTest : public Test {
     posix::RmDir(testdata_path_.c_str());
   }
 
-  std::string TempDir() const {
-#if GTEST_OS_WINDOWS_MOBILE
-    return "\\temp\\";
-#elif GTEST_OS_WINDOWS
-    const char* temp_dir = posix::GetEnv("TEMP");
-    if (temp_dir == NULL || temp_dir[0] == '\0')
-      return "\\temp\\";
-    else if (temp_dir[strlen(temp_dir) - 1] == '\\')
-      return temp_dir;
-    else
-      return std::string(temp_dir) + "\\";
-#elif GTEST_OS_LINUX_ANDROID
-    return "/sdcard/";
-#else
-    return "/tmp/";
-#endif  // GTEST_OS_WINDOWS_MOBILE
-  }
-
   void CreateTextFile(const char* filename) {
     FILE* f = posix::FOpen(filename, "w");
     fprintf(f, "text\n");
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_filter_unittest.py b/security/nss/gtests/google_test/gtest/test/googletest-filter-unittest.py
index 0d1a77005..dc0b5bd9a 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_filter_unittest.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-filter-unittest.py
@@ -33,20 +33,17 @@
 A user can specify which test(s) in a Google Test program to run via either
 the GTEST_FILTER environment variable or the --gtest_filter flag.
 This script tests such functionality by invoking
-gtest_filter_unittest_ (a program written with Google Test) with different
+googletest-filter-unittest_ (a program written with Google Test) with different
 environments and command line flags.
 
 Note that test sharding may also influence which tests are filtered. Therefore,
 we test that here also.
 """
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
-
 import os
 import re
 import sets
 import sys
-
 import gtest_test_utils
 
 # Constants.
@@ -56,10 +53,12 @@ import gtest_test_utils
 # script in a subprocess to print whether the variable is STILL in
 # os.environ.  We then use 'eval' to parse the child's output so that an
 # exception is thrown if the input is anything other than 'True' nor 'False'.
-os.environ['EMPTY_VAR'] = ''
-child = gtest_test_utils.Subprocess(
-    [sys.executable, '-c', 'import os; print \'EMPTY_VAR\' in os.environ'])
-CAN_PASS_EMPTY_ENV = eval(child.output)
+CAN_PASS_EMPTY_ENV = False
+if sys.executable:
+  os.environ['EMPTY_VAR'] = ''
+  child = gtest_test_utils.Subprocess(
+      [sys.executable, '-c', 'import os; print \'EMPTY_VAR\' in os.environ'])
+  CAN_PASS_EMPTY_ENV = eval(child.output)
 
 
 # Check if this platform can unset environment variables in child processes.
@@ -68,11 +67,14 @@ CAN_PASS_EMPTY_ENV = eval(child.output)
 # is NO LONGER in os.environ.
 # We use 'eval' to parse the child's output so that an exception
 # is thrown if the input is neither 'True' nor 'False'.
-os.environ['UNSET_VAR'] = 'X'
-del os.environ['UNSET_VAR']
-child = gtest_test_utils.Subprocess(
-    [sys.executable, '-c', 'import os; print \'UNSET_VAR\' not in os.environ'])
-CAN_UNSET_ENV = eval(child.output)
+CAN_UNSET_ENV = False
+if sys.executable:
+  os.environ['UNSET_VAR'] = 'X'
+  del os.environ['UNSET_VAR']
+  child = gtest_test_utils.Subprocess(
+      [sys.executable, '-c', 'import os; print \'UNSET_VAR\' not in os.environ'
+      ])
+  CAN_UNSET_ENV = eval(child.output)
 
 
 # Checks if we should test with an empty filter. This doesn't
@@ -94,10 +96,10 @@ SHARD_STATUS_FILE_ENV_VAR = 'GTEST_SHARD_STATUS_FILE'
 FILTER_FLAG = 'gtest_filter'
 
 # The command line flag for including disabled tests.
-ALSO_RUN_DISABED_TESTS_FLAG = 'gtest_also_run_disabled_tests'
+ALSO_RUN_DISABLED_TESTS_FLAG = 'gtest_also_run_disabled_tests'
 
-# Command to run the gtest_filter_unittest_ program.
-COMMAND = gtest_test_utils.GetTestExecutablePath('gtest_filter_unittest_')
+# Command to run the googletest-filter-unittest_ program.
+COMMAND = gtest_test_utils.GetTestExecutablePath('googletest-filter-unittest_')
 
 # Regex for determining whether parameterized tests are enabled in the binary.
 PARAM_TEST_REGEX = re.compile(r'/ParamTest')
@@ -116,7 +118,7 @@ LIST_TESTS_FLAG = '--gtest_list_tests'
 SUPPORTS_DEATH_TESTS = 'HasDeathTest' in gtest_test_utils.Subprocess(
     [COMMAND, LIST_TESTS_FLAG]).output
 
-# Full names of all tests in gtest_filter_unittests_.
+# Full names of all tests in googletest-filter-unittests_.
 PARAM_TESTS = [
     'SeqP/ParamTest.TestX/0',
     'SeqP/ParamTest.TestX/1',
@@ -288,9 +290,10 @@ class GTestFilterUnitTest(gtest_test_utils.TestCase):
                                args=None, check_exit_0=False):
     """Checks that binary runs correct tests for the given filter and shard.
 
-    Runs all shards of gtest_filter_unittest_ with the given filter, and
+    Runs all shards of googletest-filter-unittest_ with the given filter, and
     verifies that the right set of tests were run. The union of tests run
     on each shard should be identical to tests_to_run, without duplicates.
+    If check_exit_0, .
 
     Args:
       gtest_filter: A filter to apply to the tests.
@@ -325,7 +328,7 @@ class GTestFilterUnitTest(gtest_test_utils.TestCase):
   def RunAndVerifyAllowingDisabled(self, gtest_filter, tests_to_run):
     """Checks that the binary runs correct set of tests for the given filter.
 
-    Runs gtest_filter_unittest_ with the given filter, and enables
+    Runs googletest-filter-unittest_ with the given filter, and enables
     disabled tests. Verifies that the right set of tests were run.
 
     Args:
@@ -336,7 +339,7 @@ class GTestFilterUnitTest(gtest_test_utils.TestCase):
     tests_to_run = self.AdjustForParameterizedTests(tests_to_run)
 
     # Construct the command line.
-    args = ['--%s' % ALSO_RUN_DISABED_TESTS_FLAG]
+    args = ['--%s' % ALSO_RUN_DISABLED_TESTS_FLAG]
     if gtest_filter is not None:
       args.append('--%s=%s' % (FILTER_FLAG, gtest_filter))
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_filter_unittest_.cc b/security/nss/gtests/google_test/gtest/test/googletest-filter-unittest_.cc
index 77deffc38..d335b6039 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_filter_unittest_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-filter-unittest_.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Unit test for Google Test test filters.
 //
@@ -117,7 +116,6 @@ TEST(DISABLED_FoobarbazTest, TestA) {
   FAIL() << "Expected failure.";
 }
 
-#if GTEST_HAS_PARAM_TEST
 class ParamTest : public testing::TestWithParam<int> {
 };
 
@@ -129,7 +127,6 @@ TEST_P(ParamTest, TestY) {
 
 INSTANTIATE_TEST_CASE_P(SeqP, ParamTest, testing::Values(1, 2));
 INSTANTIATE_TEST_CASE_P(SeqQ, ParamTest, testing::Values(5, 6));
-#endif  // GTEST_HAS_PARAM_TEST
 
 }  // namespace
 
diff --git a/security/nss/gtests/google_test/gtest/test/googletest-json-outfiles-test.py b/security/nss/gtests/google_test/gtest/test/googletest-json-outfiles-test.py
new file mode 100644
index 000000000..c99be48e8
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/googletest-json-outfiles-test.py
@@ -0,0 +1,162 @@
+#!/usr/bin/env python
+# Copyright 2018, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+"""Unit test for the gtest_json_output module."""
+
+import json
+import os
+import gtest_json_test_utils
+import gtest_test_utils
+
+GTEST_OUTPUT_SUBDIR = 'json_outfiles'
+GTEST_OUTPUT_1_TEST = 'gtest_xml_outfile1_test_'
+GTEST_OUTPUT_2_TEST = 'gtest_xml_outfile2_test_'
+
+EXPECTED_1 = {
+    u'tests': 1,
+    u'failures': 0,
+    u'disabled': 0,
+    u'errors': 0,
+    u'time': u'*',
+    u'timestamp': u'*',
+    u'name': u'AllTests',
+    u'testsuites': [{
+        u'name': u'PropertyOne',
+        u'tests': 1,
+        u'failures': 0,
+        u'disabled': 0,
+        u'errors': 0,
+        u'time': u'*',
+        u'testsuite': [{
+            u'name': u'TestSomeProperties',
+            u'status': u'RUN',
+            u'time': u'*',
+            u'classname': u'PropertyOne',
+            u'SetUpProp': u'1',
+            u'TestSomeProperty': u'1',
+            u'TearDownProp': u'1',
+        }],
+    }],
+}
+
+EXPECTED_2 = {
+    u'tests': 1,
+    u'failures': 0,
+    u'disabled': 0,
+    u'errors': 0,
+    u'time': u'*',
+    u'timestamp': u'*',
+    u'name': u'AllTests',
+    u'testsuites': [{
+        u'name': u'PropertyTwo',
+        u'tests': 1,
+        u'failures': 0,
+        u'disabled': 0,
+        u'errors': 0,
+        u'time': u'*',
+        u'testsuite': [{
+            u'name': u'TestSomeProperties',
+            u'status': u'RUN',
+            u'time': u'*',
+            u'classname': u'PropertyTwo',
+            u'SetUpProp': u'2',
+            u'TestSomeProperty': u'2',
+            u'TearDownProp': u'2',
+        }],
+    }],
+}
+
+
+class GTestJsonOutFilesTest(gtest_test_utils.TestCase):
+  """Unit test for Google Test's JSON output functionality."""
+
+  def setUp(self):
+    # We want the trailing '/' that the last "" provides in os.path.join, for
+    # telling Google Test to create an output directory instead of a single file
+    # for xml output.
+    self.output_dir_ = os.path.join(gtest_test_utils.GetTempDir(),
+                                    GTEST_OUTPUT_SUBDIR, '')
+    self.DeleteFilesAndDir()
+
+  def tearDown(self):
+    self.DeleteFilesAndDir()
+
+  def DeleteFilesAndDir(self):
+    try:
+      os.remove(os.path.join(self.output_dir_, GTEST_OUTPUT_1_TEST + '.json'))
+    except os.error:
+      pass
+    try:
+      os.remove(os.path.join(self.output_dir_, GTEST_OUTPUT_2_TEST + '.json'))
+    except os.error:
+      pass
+    try:
+      os.rmdir(self.output_dir_)
+    except os.error:
+      pass
+
+  def testOutfile1(self):
+    self._TestOutFile(GTEST_OUTPUT_1_TEST, EXPECTED_1)
+
+  def testOutfile2(self):
+    self._TestOutFile(GTEST_OUTPUT_2_TEST, EXPECTED_2)
+
+  def _TestOutFile(self, test_name, expected):
+    gtest_prog_path = gtest_test_utils.GetTestExecutablePath(test_name)
+    command = [gtest_prog_path, '--gtest_output=json:%s' % self.output_dir_]
+    p = gtest_test_utils.Subprocess(command,
+                                    working_dir=gtest_test_utils.GetTempDir())
+    self.assert_(p.exited)
+    self.assertEquals(0, p.exit_code)
+
+    # FIXME: libtool causes the built test binary to be
+    #   named lt-gtest_xml_outfiles_test_ instead of
+    #   gtest_xml_outfiles_test_.  To account for this possibility, we
+    #   allow both names in the following code.  We should remove this
+    #   when libtool replacement tool is ready.
+    output_file_name1 = test_name + '.json'
+    output_file1 = os.path.join(self.output_dir_, output_file_name1)
+    output_file_name2 = 'lt-' + output_file_name1
+    output_file2 = os.path.join(self.output_dir_, output_file_name2)
+    self.assert_(os.path.isfile(output_file1) or os.path.isfile(output_file2),
+                 output_file1)
+
+    if os.path.isfile(output_file1):
+      with open(output_file1) as f:
+        actual = json.load(f)
+    else:
+      with open(output_file2) as f:
+        actual = json.load(f)
+    self.assertEqual(expected, gtest_json_test_utils.normalize(actual))
+
+
+if __name__ == '__main__':
+  os.environ['GTEST_STACK_TRACE_DEPTH'] = '0'
+  gtest_test_utils.Main()
diff --git a/security/nss/gtests/google_test/gtest/test/googletest-json-output-unittest.py b/security/nss/gtests/google_test/gtest/test/googletest-json-output-unittest.py
new file mode 100644
index 000000000..57dcd5fa1
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/googletest-json-output-unittest.py
@@ -0,0 +1,618 @@
+#!/usr/bin/env python
+# Copyright 2018, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+"""Unit test for the gtest_json_output module."""
+
+import datetime
+import errno
+import json
+import os
+import re
+import sys
+
+import gtest_json_test_utils
+import gtest_test_utils
+
+GTEST_FILTER_FLAG = '--gtest_filter'
+GTEST_LIST_TESTS_FLAG = '--gtest_list_tests'
+GTEST_OUTPUT_FLAG = '--gtest_output'
+GTEST_DEFAULT_OUTPUT_FILE = 'test_detail.json'
+GTEST_PROGRAM_NAME = 'gtest_xml_output_unittest_'
+
+# The flag indicating stacktraces are not supported
+NO_STACKTRACE_SUPPORT_FLAG = '--no_stacktrace_support'
+
+SUPPORTS_STACK_TRACES = NO_STACKTRACE_SUPPORT_FLAG not in sys.argv
+
+if SUPPORTS_STACK_TRACES:
+  STACK_TRACE_TEMPLATE = '\nStack trace:\n*'
+else:
+  STACK_TRACE_TEMPLATE = ''
+
+EXPECTED_NON_EMPTY = {
+    u'tests': 23,
+    u'failures': 4,
+    u'disabled': 2,
+    u'errors': 0,
+    u'timestamp': u'*',
+    u'time': u'*',
+    u'ad_hoc_property': u'42',
+    u'name': u'AllTests',
+    u'testsuites': [
+        {
+            u'name': u'SuccessfulTest',
+            u'tests': 1,
+            u'failures': 0,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'Succeeds',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'SuccessfulTest'
+                }
+            ]
+        },
+        {
+            u'name': u'FailedTest',
+            u'tests': 1,
+            u'failures': 1,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'Fails',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'FailedTest',
+                    u'failures': [
+                        {
+                            u'failure':
+                                u'gtest_xml_output_unittest_.cc:*\n'
+                                u'Expected equality of these values:\n'
+                                u'  1\n  2' + STACK_TRACE_TEMPLATE,
+                            u'type': u''
+                        }
+                    ]
+                }
+            ]
+        },
+        {
+            u'name': u'DisabledTest',
+            u'tests': 1,
+            u'failures': 0,
+            u'disabled': 1,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'DISABLED_test_not_run',
+                    u'status': u'NOTRUN',
+                    u'time': u'*',
+                    u'classname': u'DisabledTest'
+                }
+            ]
+        },
+        {
+            u'name': u'MixedResultTest',
+            u'tests': 3,
+            u'failures': 1,
+            u'disabled': 1,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'Succeeds',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'MixedResultTest'
+                },
+                {
+                    u'name': u'Fails',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'MixedResultTest',
+                    u'failures': [
+                        {
+                            u'failure':
+                                u'gtest_xml_output_unittest_.cc:*\n'
+                                u'Expected equality of these values:\n'
+                                u'  1\n  2' + STACK_TRACE_TEMPLATE,
+                            u'type': u''
+                        },
+                        {
+                            u'failure':
+                                u'gtest_xml_output_unittest_.cc:*\n'
+                                u'Expected equality of these values:\n'
+                                u'  2\n  3' + STACK_TRACE_TEMPLATE,
+                            u'type': u''
+                        }
+                    ]
+                },
+                {
+                    u'name': u'DISABLED_test',
+                    u'status': u'NOTRUN',
+                    u'time': u'*',
+                    u'classname': u'MixedResultTest'
+                }
+            ]
+        },
+        {
+            u'name': u'XmlQuotingTest',
+            u'tests': 1,
+            u'failures': 1,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'OutputsCData',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'XmlQuotingTest',
+                    u'failures': [
+                        {
+                            u'failure':
+                                u'gtest_xml_output_unittest_.cc:*\n'
+                                u'Failed\nXML output: <?xml encoding="utf-8">'
+                                u'<top><![CDATA[cdata text]]></top>' +
+                                STACK_TRACE_TEMPLATE,
+                            u'type': u''
+                        }
+                    ]
+                }
+            ]
+        },
+        {
+            u'name': u'InvalidCharactersTest',
+            u'tests': 1,
+            u'failures': 1,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'InvalidCharactersInMessage',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'InvalidCharactersTest',
+                    u'failures': [
+                        {
+                            u'failure':
+                                u'gtest_xml_output_unittest_.cc:*\n'
+                                u'Failed\nInvalid characters in brackets'
+                                u' [\x01\x02]' + STACK_TRACE_TEMPLATE,
+                            u'type': u''
+                        }
+                    ]
+                }
+            ]
+        },
+        {
+            u'name': u'PropertyRecordingTest',
+            u'tests': 4,
+            u'failures': 0,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'SetUpTestCase': u'yes',
+            u'TearDownTestCase': u'aye',
+            u'testsuite': [
+                {
+                    u'name': u'OneProperty',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'PropertyRecordingTest',
+                    u'key_1': u'1'
+                },
+                {
+                    u'name': u'IntValuedProperty',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'PropertyRecordingTest',
+                    u'key_int': u'1'
+                },
+                {
+                    u'name': u'ThreeProperties',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'PropertyRecordingTest',
+                    u'key_1': u'1',
+                    u'key_2': u'2',
+                    u'key_3': u'3'
+                },
+                {
+                    u'name': u'TwoValuesForOneKeyUsesLastValue',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'PropertyRecordingTest',
+                    u'key_1': u'2'
+                }
+            ]
+        },
+        {
+            u'name': u'NoFixtureTest',
+            u'tests': 3,
+            u'failures': 0,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'RecordProperty',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'NoFixtureTest',
+                    u'key': u'1'
+                },
+                {
+                    u'name': u'ExternalUtilityThatCallsRecordIntValuedProperty',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'NoFixtureTest',
+                    u'key_for_utility_int': u'1'
+                },
+                {
+                    u'name':
+                        u'ExternalUtilityThatCallsRecordStringValuedProperty',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'NoFixtureTest',
+                    u'key_for_utility_string': u'1'
+                }
+            ]
+        },
+        {
+            u'name': u'TypedTest/0',
+            u'tests': 1,
+            u'failures': 0,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'HasTypeParamAttribute',
+                    u'type_param': u'int',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'TypedTest/0'
+                }
+            ]
+        },
+        {
+            u'name': u'TypedTest/1',
+            u'tests': 1,
+            u'failures': 0,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'HasTypeParamAttribute',
+                    u'type_param': u'long',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'TypedTest/1'
+                }
+            ]
+        },
+        {
+            u'name': u'Single/TypeParameterizedTestCase/0',
+            u'tests': 1,
+            u'failures': 0,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'HasTypeParamAttribute',
+                    u'type_param': u'int',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'Single/TypeParameterizedTestCase/0'
+                }
+            ]
+        },
+        {
+            u'name': u'Single/TypeParameterizedTestCase/1',
+            u'tests': 1,
+            u'failures': 0,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'HasTypeParamAttribute',
+                    u'type_param': u'long',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'Single/TypeParameterizedTestCase/1'
+                }
+            ]
+        },
+        {
+            u'name': u'Single/ValueParamTest',
+            u'tests': 4,
+            u'failures': 0,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'HasValueParamAttribute/0',
+                    u'value_param': u'33',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'Single/ValueParamTest'
+                },
+                {
+                    u'name': u'HasValueParamAttribute/1',
+                    u'value_param': u'42',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'Single/ValueParamTest'
+                },
+                {
+                    u'name': u'AnotherTestThatHasValueParamAttribute/0',
+                    u'value_param': u'33',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'Single/ValueParamTest'
+                },
+                {
+                    u'name': u'AnotherTestThatHasValueParamAttribute/1',
+                    u'value_param': u'42',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'Single/ValueParamTest'
+                }
+            ]
+        }
+    ]
+}
+
+EXPECTED_FILTERED = {
+    u'tests': 1,
+    u'failures': 0,
+    u'disabled': 0,
+    u'errors': 0,
+    u'time': u'*',
+    u'timestamp': u'*',
+    u'name': u'AllTests',
+    u'ad_hoc_property': u'42',
+    u'testsuites': [{
+        u'name': u'SuccessfulTest',
+        u'tests': 1,
+        u'failures': 0,
+        u'disabled': 0,
+        u'errors': 0,
+        u'time': u'*',
+        u'testsuite': [{
+            u'name': u'Succeeds',
+            u'status': u'RUN',
+            u'time': u'*',
+            u'classname': u'SuccessfulTest',
+        }]
+    }],
+}
+
+EXPECTED_EMPTY = {
+    u'tests': 0,
+    u'failures': 0,
+    u'disabled': 0,
+    u'errors': 0,
+    u'time': u'*',
+    u'timestamp': u'*',
+    u'name': u'AllTests',
+    u'testsuites': [],
+}
+
+GTEST_PROGRAM_PATH = gtest_test_utils.GetTestExecutablePath(GTEST_PROGRAM_NAME)
+
+SUPPORTS_TYPED_TESTS = 'TypedTest' in gtest_test_utils.Subprocess(
+    [GTEST_PROGRAM_PATH, GTEST_LIST_TESTS_FLAG], capture_stderr=False).output
+
+
+class GTestJsonOutputUnitTest(gtest_test_utils.TestCase):
+  """Unit test for Google Test's JSON output functionality.
+  """
+
+  # This test currently breaks on platforms that do not support typed and
+  # type-parameterized tests, so we don't run it under them.
+  if SUPPORTS_TYPED_TESTS:
+
+    def testNonEmptyJsonOutput(self):
+      """Verifies JSON output for a Google Test binary with non-empty output.
+
+      Runs a test program that generates a non-empty JSON output, and
+      tests that the JSON output is expected.
+      """
+      self._TestJsonOutput(GTEST_PROGRAM_NAME, EXPECTED_NON_EMPTY, 1)
+
+  def testEmptyJsonOutput(self):
+    """Verifies JSON output for a Google Test binary without actual tests.
+
+    Runs a test program that generates an empty JSON output, and
+    tests that the JSON output is expected.
+    """
+
+    self._TestJsonOutput('gtest_no_test_unittest', EXPECTED_EMPTY, 0)
+
+  def testTimestampValue(self):
+    """Checks whether the timestamp attribute in the JSON output is valid.
+
+    Runs a test program that generates an empty JSON output, and checks if
+    the timestamp attribute in the testsuites tag is valid.
+    """
+    actual = self._GetJsonOutput('gtest_no_test_unittest', [], 0)
+    date_time_str = actual['timestamp']
+    # datetime.strptime() is only available in Python 2.5+ so we have to
+    # parse the expected datetime manually.
+    match = re.match(r'(\d+)-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)', date_time_str)
+    self.assertTrue(
+        re.match,
+        'JSON datettime string %s has incorrect format' % date_time_str)
+    date_time_from_json = datetime.datetime(
+        year=int(match.group(1)), month=int(match.group(2)),
+        day=int(match.group(3)), hour=int(match.group(4)),
+        minute=int(match.group(5)), second=int(match.group(6)))
+
+    time_delta = abs(datetime.datetime.now() - date_time_from_json)
+    # timestamp value should be near the current local time
+    self.assertTrue(time_delta < datetime.timedelta(seconds=600),
+                    'time_delta is %s' % time_delta)
+
+  def testDefaultOutputFile(self):
+    """Verifies the default output file name.
+
+    Confirms that Google Test produces an JSON output file with the expected
+    default name if no name is explicitly specified.
+    """
+    output_file = os.path.join(gtest_test_utils.GetTempDir(),
+                               GTEST_DEFAULT_OUTPUT_FILE)
+    gtest_prog_path = gtest_test_utils.GetTestExecutablePath(
+        'gtest_no_test_unittest')
+    try:
+      os.remove(output_file)
+    except OSError:
+      e = sys.exc_info()[1]
+      if e.errno != errno.ENOENT:
+        raise
+
+    p = gtest_test_utils.Subprocess(
+        [gtest_prog_path, '%s=json' % GTEST_OUTPUT_FLAG],
+        working_dir=gtest_test_utils.GetTempDir())
+    self.assert_(p.exited)
+    self.assertEquals(0, p.exit_code)
+    self.assert_(os.path.isfile(output_file))
+
+  def testSuppressedJsonOutput(self):
+    """Verifies that no JSON output is generated.
+
+    Tests that no JSON file is generated if the default JSON listener is
+    shut down before RUN_ALL_TESTS is invoked.
+    """
+
+    json_path = os.path.join(gtest_test_utils.GetTempDir(),
+                             GTEST_PROGRAM_NAME + 'out.json')
+    if os.path.isfile(json_path):
+      os.remove(json_path)
+
+    command = [GTEST_PROGRAM_PATH,
+               '%s=json:%s' % (GTEST_OUTPUT_FLAG, json_path),
+               '--shut_down_xml']
+    p = gtest_test_utils.Subprocess(command)
+    if p.terminated_by_signal:
+      # p.signal is available only if p.terminated_by_signal is True.
+      self.assertFalse(
+          p.terminated_by_signal,
+          '%s was killed by signal %d' % (GTEST_PROGRAM_NAME, p.signal))
+    else:
+      self.assert_(p.exited)
+      self.assertEquals(1, p.exit_code,
+                        "'%s' exited with code %s, which doesn't match "
+                        'the expected exit code %s.'
+                        % (command, p.exit_code, 1))
+
+    self.assert_(not os.path.isfile(json_path))
+
+  def testFilteredTestJsonOutput(self):
+    """Verifies JSON output when a filter is applied.
+
+    Runs a test program that executes only some tests and verifies that
+    non-selected tests do not show up in the JSON output.
+    """
+
+    self._TestJsonOutput(GTEST_PROGRAM_NAME, EXPECTED_FILTERED, 0,
+                         extra_args=['%s=SuccessfulTest.*' % GTEST_FILTER_FLAG])
+
+  def _GetJsonOutput(self, gtest_prog_name, extra_args, expected_exit_code):
+    """Returns the JSON output generated by running the program gtest_prog_name.
+
+    Furthermore, the program's exit code must be expected_exit_code.
+
+    Args:
+      gtest_prog_name: Google Test binary name.
+      extra_args: extra arguments to binary invocation.
+      expected_exit_code: program's exit code.
+    """
+    json_path = os.path.join(gtest_test_utils.GetTempDir(),
+                             gtest_prog_name + 'out.json')
+    gtest_prog_path = gtest_test_utils.GetTestExecutablePath(gtest_prog_name)
+
+    command = (
+        [gtest_prog_path, '%s=json:%s' % (GTEST_OUTPUT_FLAG, json_path)] +
+        extra_args
+    )
+    p = gtest_test_utils.Subprocess(command)
+    if p.terminated_by_signal:
+      self.assert_(False,
+                   '%s was killed by signal %d' % (gtest_prog_name, p.signal))
+    else:
+      self.assert_(p.exited)
+      self.assertEquals(expected_exit_code, p.exit_code,
+                        "'%s' exited with code %s, which doesn't match "
+                        'the expected exit code %s.'
+                        % (command, p.exit_code, expected_exit_code))
+    with open(json_path) as f:
+      actual = json.load(f)
+    return actual
+
+  def _TestJsonOutput(self, gtest_prog_name, expected,
+                      expected_exit_code, extra_args=None):
+    """Checks the JSON output generated by the Google Test binary.
+
+    Asserts that the JSON document generated by running the program
+    gtest_prog_name matches expected_json, a string containing another
+    JSON document.  Furthermore, the program's exit code must be
+    expected_exit_code.
+
+    Args:
+      gtest_prog_name: Google Test binary name.
+      expected: expected output.
+      expected_exit_code: program's exit code.
+      extra_args: extra arguments to binary invocation.
+    """
+
+    actual = self._GetJsonOutput(gtest_prog_name, extra_args or [],
+                                 expected_exit_code)
+    self.assertEqual(expected, gtest_json_test_utils.normalize(actual))
+
+
+if __name__ == '__main__':
+  if NO_STACKTRACE_SUPPORT_FLAG in sys.argv:
+    # unittest.main() can't handle unknown flags
+    sys.argv.remove(NO_STACKTRACE_SUPPORT_FLAG)
+
+  os.environ['GTEST_STACK_TRACE_DEPTH'] = '1'
+  gtest_test_utils.Main()
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-linked_ptr_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-linked-ptr-test.cc
index 6fcf5124a..fa00f3429 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-linked_ptr_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-linked-ptr-test.cc
@@ -26,13 +26,10 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Authors: Dan Egnor (egnor@google.com)
-// Ported to Windows: Vadim Berman (vadimb@google.com)
-
-#include "gtest/internal/gtest-linked_ptr.h"
 
 #include <stdlib.h>
+
+#include "gtest/internal/gtest-linked_ptr.h"
 #include "gtest/gtest.h"
 
 namespace {
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_list_tests_unittest.py b/security/nss/gtests/google_test/gtest/test/googletest-list-tests-unittest.py
index 925b09d9c..81423a339 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_list_tests_unittest.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-list-tests-unittest.py
@@ -33,25 +33,22 @@
 
 A user can ask Google Test to list all tests by specifying the
 --gtest_list_tests flag.  This script tests such functionality
-by invoking gtest_list_tests_unittest_ (a program written with
+by invoking googletest-list-tests-unittest_ (a program written with
 Google Test) the command line flags.
 """
 
-__author__ = 'phanna@google.com (Patrick Hanna)'
-
-import gtest_test_utils
 import re
-
+import gtest_test_utils
 
 # Constants.
 
 # The command line flag for enabling/disabling listing all tests.
 LIST_TESTS_FLAG = 'gtest_list_tests'
 
-# Path to the gtest_list_tests_unittest_ program.
-EXE_PATH = gtest_test_utils.GetTestExecutablePath('gtest_list_tests_unittest_')
+# Path to the googletest-list-tests-unittest_ program.
+EXE_PATH = gtest_test_utils.GetTestExecutablePath('googletest-list-tests-unittest_')
 
-# The expected output when running gtest_list_tests_unittest_ with
+# The expected output when running googletest-list-tests-unittest_ with
 # --gtest_list_tests
 EXPECTED_OUTPUT_NO_FILTER_RE = re.compile(r"""FooDeathTest\.
   Test1
@@ -71,7 +68,7 @@ FooTest\.
 TypedTest/0\.  # TypeParam = (VeryLo{245}|class VeryLo{239})\.\.\.
   TestA
   TestB
-TypedTest/1\.  # TypeParam = int\s*\*
+TypedTest/1\.  # TypeParam = int\s*\*( __ptr64)?
   TestA
   TestB
 TypedTest/2\.  # TypeParam = .*MyArray<bool,\s*42>
@@ -80,7 +77,7 @@ TypedTest/2\.  # TypeParam = .*MyArray<bool,\s*42>
 My/TypeParamTest/0\.  # TypeParam = (VeryLo{245}|class VeryLo{239})\.\.\.
   TestA
   TestB
-My/TypeParamTest/1\.  # TypeParam = int\s*\*
+My/TypeParamTest/1\.  # TypeParam = int\s*\*( __ptr64)?
   TestA
   TestB
 My/TypeParamTest/2\.  # TypeParam = .*MyArray<bool,\s*42>
@@ -95,7 +92,7 @@ MyInstantiation/ValueParamTest\.
   TestB/2  # GetParam\(\) = a very\\nlo{241}\.\.\.
 """)
 
-# The expected output when running gtest_list_tests_unittest_ with
+# The expected output when running googletest-list-tests-unittest_ with
 # --gtest_list_tests and --gtest_filter=Foo*.
 EXPECTED_OUTPUT_FILTER_FOO_RE = re.compile(r"""FooDeathTest\.
   Test1
@@ -115,7 +112,7 @@ FooTest\.
 
 
 def Run(args):
-  """Runs gtest_list_tests_unittest_ and returns the list of tests printed."""
+  """Runs googletest-list-tests-unittest_ and returns the list of tests printed."""
 
   return gtest_test_utils.Subprocess([EXE_PATH] + args,
                                      capture_stderr=False).output
@@ -123,11 +120,12 @@ def Run(args):
 
 # The unit test.
 
+
 class GTestListTestsUnitTest(gtest_test_utils.TestCase):
   """Tests using the --gtest_list_tests flag to list all tests."""
 
   def RunAndVerify(self, flag_value, expected_output_re, other_flag):
-    """Runs gtest_list_tests_unittest_ and verifies that it prints
+    """Runs googletest-list-tests-unittest_ and verifies that it prints
     the correct tests.
 
     Args:
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_list_tests_unittest_.cc b/security/nss/gtests/google_test/gtest/test/googletest-list-tests-unittest_.cc
index 907c176ba..f473c7d1a 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_list_tests_unittest_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-list-tests-unittest_.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: phanna@google.com (Patrick Hanna)
+
 
 // Unit test for Google Test's --gtest_list_tests flag.
 //
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-listener_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-listener-test.cc
index 99662cff3..835559715 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-listener_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-listener-test.cc
@@ -25,17 +25,17 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: vladl@google.com (Vlad Losev)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 //
 // This file verifies Google Test event listeners receive events at the
 // right times.
 
-#include "gtest/gtest.h"
 #include <vector>
 
+#include "gtest/gtest.h"
+
 using ::testing::AddGlobalTestEnvironment;
 using ::testing::Environment;
 using ::testing::InitGoogleTest;
@@ -176,16 +176,16 @@ using ::testing::internal::EventRecordingListener;
 
 void VerifyResults(const std::vector<std::string>& data,
                    const char* const* expected_data,
-                   int expected_data_size) {
-  const int actual_size = data.size();
+                   size_t expected_data_size) {
+  const size_t actual_size = data.size();
   // If the following assertion fails, a new entry will be appended to
   // data.  Hence we save data.size() first.
   EXPECT_EQ(expected_data_size, actual_size);
 
   // Compares the common prefix.
-  const int shorter_size = expected_data_size <= actual_size ?
+  const size_t shorter_size = expected_data_size <= actual_size ?
       expected_data_size : actual_size;
-  int i = 0;
+  size_t i = 0;
   for (; i < shorter_size; ++i) {
     ASSERT_STREQ(expected_data[i], data[i].c_str())
         << "at position " << i;
@@ -193,7 +193,8 @@ void VerifyResults(const std::vector<std::string>& data,
 
   // Prints extra elements in the actual data.
   for (; i < actual_size; ++i) {
-    printf("  Actual event #%d: %s\n", i, data[i].c_str());
+    printf("  Actual event #%lu: %s\n",
+        static_cast<unsigned long>(i), data[i].c_str());
   }
 }
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-message_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-message-test.cc
index 175238ef4..c6445853e 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-message_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-message-test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 //
 // Tests for the Message class.
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-options_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-options-test.cc
index 5586dc3b1..edd4eba3b 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-options_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-options-test.cc
@@ -27,8 +27,6 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: keith.ray@gmail.com (Keith Ray)
-//
 // Google Test UnitTestOptions tests
 //
 // This file tests classes and functions used internally by
@@ -46,14 +44,7 @@
 # include <direct.h>
 #endif  // GTEST_OS_WINDOWS_MOBILE
 
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick is to
-// prevent a user from accidentally including gtest-internal-inl.h in
-// his code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 namespace testing {
 namespace internal {
@@ -107,15 +98,16 @@ TEST(OutputFileHelpersTest, GetCurrentExecutableName) {
   const std::string exe_str = GetCurrentExecutableName().string();
 #if GTEST_OS_WINDOWS
   const bool success =
-      _strcmpi("gtest-options_test", exe_str.c_str()) == 0 ||
+      _strcmpi("googletest-options-test", exe_str.c_str()) == 0 ||
       _strcmpi("gtest-options-ex_test", exe_str.c_str()) == 0 ||
       _strcmpi("gtest_all_test", exe_str.c_str()) == 0 ||
       _strcmpi("gtest_dll_test", exe_str.c_str()) == 0;
+#elif GTEST_OS_FUCHSIA
+  const bool success = exe_str == "app";
 #else
-  // TODO(wan@google.com): remove the hard-coded "lt-" prefix when
-  //   Chandler Carruth's libtool replacement is ready.
+  // FIXME: remove the hard-coded "lt-" prefix when libtool replacement is ready
   const bool success =
-      exe_str == "gtest-options_test" ||
+      exe_str == "googletest-options-test" ||
       exe_str == "gtest_all_test" ||
       exe_str == "lt-gtest_all_test" ||
       exe_str == "gtest_dll_test";
@@ -124,6 +116,8 @@ TEST(OutputFileHelpersTest, GetCurrentExecutableName) {
     FAIL() << "GetCurrentExecutableName() returns " << exe_str;
 }
 
+#if !GTEST_OS_FUCHSIA
+
 class XmlOutputChangeDirTest : public Test {
  protected:
   virtual void SetUp() {
@@ -210,6 +204,8 @@ TEST_F(XmlOutputChangeDirTest, PreserveOriginalWorkingDirWithAbsolutePath) {
 #endif
 }
 
+#endif  // !GTEST_OS_FUCHSIA
+
 }  // namespace
 }  // namespace internal
 }  // namespace testing
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_output_test_golden_lin.txt b/security/nss/gtests/google_test/gtest/test/googletest-output-test-golden-lin.txt
index da541700e..86da845b7 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_output_test_golden_lin.txt
+++ b/security/nss/gtests/google_test/gtest/test/googletest-output-test-golden-lin.txt
@@ -1,13 +1,18 @@
 The non-test part of the code is expected to have 2 failures.
 
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Value of: false
   Actual: false
 Expected: true
-gtest_output_test_.cc:#: Failure
-Value of: 3
-Expected: 2
-[0;32m[==========] [mRunning 64 tests from 28 test cases.
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  2
+  3
+Stack trace: (omitted)
+
+[0;32m[==========] [mRunning 76 tests from 34 test cases.
 [0;32m[----------] [mGlobal test environment set-up.
 FooEnvironment::SetUp() called.
 BarEnvironment::SetUp() called.
@@ -33,237 +38,351 @@ BarEnvironment::SetUp() called.
 [0;32m[       OK ] [mPassingTest.PassingTest2
 [0;32m[----------] [m2 tests from NonfatalFailureTest
 [0;32m[ RUN      ] [mNonfatalFailureTest.EscapesStringOperands
-gtest_output_test_.cc:#: Failure
-Value of: actual
-  Actual: "actual \"string\""
-Expected: kGoldenString
-Which is: "\"Line"
-gtest_output_test_.cc:#: Failure
-Value of: actual
-  Actual: "actual \"string\""
-Expected: golden
-Which is: "\"Line"
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  kGoldenString
+    Which is: "\"Line"
+  actual
+    Which is: "actual \"string\""
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  golden
+    Which is: "\"Line"
+  actual
+    Which is: "actual \"string\""
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mNonfatalFailureTest.EscapesStringOperands
 [0;32m[ RUN      ] [mNonfatalFailureTest.DiffForLongStrings
-gtest_output_test_.cc:#: Failure
-Value of: "Line 2"
-Expected: golden_str
-Which is: "\"Line\0 1\"\nLine 2"
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  golden_str
+    Which is: "\"Line\0 1\"\nLine 2"
+  "Line 2"
 With diff:
 @@ -1,2 @@
 -\"Line\0 1\"
  Line 2
 
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mNonfatalFailureTest.DiffForLongStrings
 [0;32m[----------] [m3 tests from FatalFailureTest
 [0;32m[ RUN      ] [mFatalFailureTest.FatalFailureInSubroutine
 (expecting a failure that x should be 1)
-gtest_output_test_.cc:#: Failure
-Value of: x
-  Actual: 2
-Expected: 1
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1
+  x
+    Which is: 2
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mFatalFailureTest.FatalFailureInSubroutine
 [0;32m[ RUN      ] [mFatalFailureTest.FatalFailureInNestedSubroutine
 (expecting a failure that x should be 1)
-gtest_output_test_.cc:#: Failure
-Value of: x
-  Actual: 2
-Expected: 1
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1
+  x
+    Which is: 2
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mFatalFailureTest.FatalFailureInNestedSubroutine
 [0;32m[ RUN      ] [mFatalFailureTest.NonfatalFailureInSubroutine
 (expecting a failure on false)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Value of: false
   Actual: false
 Expected: true
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mFatalFailureTest.NonfatalFailureInSubroutine
 [0;32m[----------] [m1 test from LoggingTest
 [0;32m[ RUN      ] [mLoggingTest.InterleavingLoggingAndAssertions
 (expecting 2 failures on (3) >= (a[i]))
 i == 0
 i == 1
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Expected: (3) >= (a[i]), actual: 3 vs 9
+Stack trace: (omitted)
+
 i == 2
 i == 3
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Expected: (3) >= (a[i]), actual: 3 vs 6
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mLoggingTest.InterleavingLoggingAndAssertions
-[0;32m[----------] [m6 tests from SCOPED_TRACETest
+[0;32m[----------] [m7 tests from SCOPED_TRACETest
+[0;32m[ RUN      ] [mSCOPED_TRACETest.AcceptedValues
+googletest-output-test_.cc:#: Failure
+Failed
+Just checking that all these values work fine.
+Google Test trace:
+googletest-output-test_.cc:#: (null)
+googletest-output-test_.cc:#: 1337
+googletest-output-test_.cc:#: std::string
+googletest-output-test_.cc:#: literal string
+Stack trace: (omitted)
+
+[0;31m[  FAILED  ] [mSCOPED_TRACETest.AcceptedValues
 [0;32m[ RUN      ] [mSCOPED_TRACETest.ObeysScopes
 (expected to fail)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 This failure is expected, and shouldn't have a trace.
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 This failure is expected, and should have a trace.
 Google Test trace:
-gtest_output_test_.cc:#: Expected trace
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Expected trace
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 This failure is expected, and shouldn't have a trace.
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mSCOPED_TRACETest.ObeysScopes
 [0;32m[ RUN      ] [mSCOPED_TRACETest.WorksInLoop
 (expected to fail)
-gtest_output_test_.cc:#: Failure
-Value of: n
-  Actual: 1
-Expected: 2
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  2
+  n
+    Which is: 1
 Google Test trace:
-gtest_output_test_.cc:#: i = 1
-gtest_output_test_.cc:#: Failure
-Value of: n
-  Actual: 2
-Expected: 1
+googletest-output-test_.cc:#: i = 1
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1
+  n
+    Which is: 2
 Google Test trace:
-gtest_output_test_.cc:#: i = 2
+googletest-output-test_.cc:#: i = 2
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mSCOPED_TRACETest.WorksInLoop
 [0;32m[ RUN      ] [mSCOPED_TRACETest.WorksInSubroutine
 (expected to fail)
-gtest_output_test_.cc:#: Failure
-Value of: n
-  Actual: 1
-Expected: 2
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  2
+  n
+    Which is: 1
 Google Test trace:
-gtest_output_test_.cc:#: n = 1
-gtest_output_test_.cc:#: Failure
-Value of: n
-  Actual: 2
-Expected: 1
+googletest-output-test_.cc:#: n = 1
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1
+  n
+    Which is: 2
 Google Test trace:
-gtest_output_test_.cc:#: n = 2
+googletest-output-test_.cc:#: n = 2
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mSCOPED_TRACETest.WorksInSubroutine
 [0;32m[ RUN      ] [mSCOPED_TRACETest.CanBeNested
 (expected to fail)
-gtest_output_test_.cc:#: Failure
-Value of: n
-  Actual: 2
-Expected: 1
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1
+  n
+    Which is: 2
 Google Test trace:
-gtest_output_test_.cc:#: n = 2
-gtest_output_test_.cc:#: 
+googletest-output-test_.cc:#: n = 2
+googletest-output-test_.cc:#: 
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mSCOPED_TRACETest.CanBeNested
 [0;32m[ RUN      ] [mSCOPED_TRACETest.CanBeRepeated
 (expected to fail)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 This failure is expected, and should contain trace point A.
 Google Test trace:
-gtest_output_test_.cc:#: A
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: A
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 This failure is expected, and should contain trace point A and B.
 Google Test trace:
-gtest_output_test_.cc:#: B
-gtest_output_test_.cc:#: A
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: B
+googletest-output-test_.cc:#: A
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 This failure is expected, and should contain trace point A, B, and C.
 Google Test trace:
-gtest_output_test_.cc:#: C
-gtest_output_test_.cc:#: B
-gtest_output_test_.cc:#: A
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: C
+googletest-output-test_.cc:#: B
+googletest-output-test_.cc:#: A
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 This failure is expected, and should contain trace point A, B, and D.
 Google Test trace:
-gtest_output_test_.cc:#: D
-gtest_output_test_.cc:#: B
-gtest_output_test_.cc:#: A
+googletest-output-test_.cc:#: D
+googletest-output-test_.cc:#: B
+googletest-output-test_.cc:#: A
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mSCOPED_TRACETest.CanBeRepeated
 [0;32m[ RUN      ] [mSCOPED_TRACETest.WorksConcurrently
 (expecting 6 failures)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #1 (in thread B, only trace B alive).
 Google Test trace:
-gtest_output_test_.cc:#: Trace B
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Trace B
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #2 (in thread A, trace A & B both alive).
 Google Test trace:
-gtest_output_test_.cc:#: Trace A
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Trace A
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #3 (in thread B, trace A & B both alive).
 Google Test trace:
-gtest_output_test_.cc:#: Trace B
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Trace B
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #4 (in thread B, only trace A alive).
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #5 (in thread A, only trace A alive).
 Google Test trace:
-gtest_output_test_.cc:#: Trace A
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Trace A
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #6 (in thread A, no trace alive).
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mSCOPED_TRACETest.WorksConcurrently
+[0;32m[----------] [m1 test from ScopedTraceTest
+[0;32m[ RUN      ] [mScopedTraceTest.WithExplicitFileAndLine
+googletest-output-test_.cc:#: Failure
+Failed
+Check that the trace is attached to a particular location.
+Google Test trace:
+explicit_file.cc:123: expected trace message
+Stack trace: (omitted)
+
+[0;31m[  FAILED  ] [mScopedTraceTest.WithExplicitFileAndLine
 [0;32m[----------] [m1 test from NonFatalFailureInFixtureConstructorTest
 [0;32m[ RUN      ] [mNonFatalFailureInFixtureConstructorTest.FailureInConstructor
 (expecting 5 failures)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #1, in the test fixture c'tor.
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #2, in SetUp().
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #3, in the test body.
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #4, in TearDown.
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #5, in the test fixture d'tor.
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mNonFatalFailureInFixtureConstructorTest.FailureInConstructor
 [0;32m[----------] [m1 test from FatalFailureInFixtureConstructorTest
 [0;32m[ RUN      ] [mFatalFailureInFixtureConstructorTest.FailureInConstructor
 (expecting 2 failures)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #1, in the test fixture c'tor.
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #2, in the test fixture d'tor.
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mFatalFailureInFixtureConstructorTest.FailureInConstructor
 [0;32m[----------] [m1 test from NonFatalFailureInSetUpTest
 [0;32m[ RUN      ] [mNonFatalFailureInSetUpTest.FailureInSetUp
 (expecting 4 failures)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #1, in SetUp().
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #2, in the test function.
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #3, in TearDown().
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #4, in the test fixture d'tor.
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mNonFatalFailureInSetUpTest.FailureInSetUp
 [0;32m[----------] [m1 test from FatalFailureInSetUpTest
 [0;32m[ RUN      ] [mFatalFailureInSetUpTest.FailureInSetUp
 (expecting 3 failures)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #1, in SetUp().
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #2, in TearDown().
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #3, in the test fixture d'tor.
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mFatalFailureInSetUpTest.FailureInSetUp
 [0;32m[----------] [m1 test from AddFailureAtTest
 [0;32m[ RUN      ] [mAddFailureAtTest.MessageContainsSpecifiedFileAndLineNumber
 foo.cc:42: Failure
 Failed
 Expected failure in foo.cc
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mAddFailureAtTest.MessageContainsSpecifiedFileAndLineNumber
 [0;32m[----------] [m4 tests from MixedUpTestCaseTest
 [0;32m[ RUN      ] [mMixedUpTestCaseTest.FirstTestFromNamespaceFoo
@@ -280,6 +399,8 @@ using two different test fixture classes.  This can happen if
 the two classes are from different namespaces or translation
 units and have the same name.  You should probably rename one
 of the classes to put the tests into different test cases.
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mMixedUpTestCaseTest.ThisShouldFail
 [0;32m[ RUN      ] [mMixedUpTestCaseTest.ThisShouldFailToo
 gtest.cc:#: Failure
@@ -291,6 +412,8 @@ using two different test fixture classes.  This can happen if
 the two classes are from different namespaces or translation
 units and have the same name.  You should probably rename one
 of the classes to put the tests into different test cases.
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mMixedUpTestCaseTest.ThisShouldFailToo
 [0;32m[----------] [m2 tests from MixedUpTestCaseWithSameTestNameTest
 [0;32m[ RUN      ] [mMixedUpTestCaseWithSameTestNameTest.TheSecondTestWithThisNameShouldFail
@@ -305,6 +428,8 @@ using two different test fixture classes.  This can happen if
 the two classes are from different namespaces or translation
 units and have the same name.  You should probably rename one
 of the classes to put the tests into different test cases.
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mMixedUpTestCaseWithSameTestNameTest.TheSecondTestWithThisNameShouldFail
 [0;32m[----------] [m2 tests from TEST_F_before_TEST_in_same_test_case
 [0;32m[ RUN      ] [mTEST_F_before_TEST_in_same_test_case.DefinedUsingTEST_F
@@ -319,6 +444,8 @@ test DefinedUsingTEST_F is defined using TEST_F but
 test DefinedUsingTESTAndShouldFail is defined using TEST.  You probably
 want to change the TEST to TEST_F or move it to another test
 case.
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mTEST_F_before_TEST_in_same_test_case.DefinedUsingTESTAndShouldFail
 [0;32m[----------] [m2 tests from TEST_before_TEST_F_in_same_test_case
 [0;32m[ RUN      ] [mTEST_before_TEST_F_in_same_test_case.DefinedUsingTEST
@@ -333,6 +460,8 @@ test DefinedUsingTEST_FAndShouldFail is defined using TEST_F but
 test DefinedUsingTEST is defined using TEST.  You probably
 want to change the TEST to TEST_F or move it to another test
 case.
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mTEST_before_TEST_F_in_same_test_case.DefinedUsingTEST_FAndShouldFail
 [0;32m[----------] [m8 tests from ExpectNonfatalFailureTest
 [0;32m[ RUN      ] [mExpectNonfatalFailureTest.CanReferenceGlobalVariables
@@ -346,19 +475,27 @@ case.
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual: 0 failures
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mExpectNonfatalFailureTest.FailsWhenThereIsNoNonfatalFailure
 [0;32m[ RUN      ] [mExpectNonfatalFailureTest.FailsWhenThereAreTwoNonfatalFailures
 (expecting a failure)
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual: 2 failures
-gtest_output_test_.cc:#: Non-fatal failure:
+googletest-output-test_.cc:#: Non-fatal failure:
 Failed
 Expected non-fatal failure 1.
+Stack trace: (omitted)
+
 
-gtest_output_test_.cc:#: Non-fatal failure:
+googletest-output-test_.cc:#: Non-fatal failure:
 Failed
 Expected non-fatal failure 2.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 [0;31m[  FAILED  ] [mExpectNonfatalFailureTest.FailsWhenThereAreTwoNonfatalFailures
 [0;32m[ RUN      ] [mExpectNonfatalFailureTest.FailsWhenThereIsOneFatalFailure
@@ -366,9 +503,13 @@ Expected non-fatal failure 2.
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual:
-gtest_output_test_.cc:#: Fatal failure:
+googletest-output-test_.cc:#: Fatal failure:
 Failed
 Expected fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 [0;31m[  FAILED  ] [mExpectNonfatalFailureTest.FailsWhenThereIsOneFatalFailure
 [0;32m[ RUN      ] [mExpectNonfatalFailureTest.FailsWhenStatementReturns
@@ -376,12 +517,16 @@ Expected fatal failure.
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual: 0 failures
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mExpectNonfatalFailureTest.FailsWhenStatementReturns
 [0;32m[ RUN      ] [mExpectNonfatalFailureTest.FailsWhenStatementThrows
 (expecting a failure)
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual: 0 failures
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mExpectNonfatalFailureTest.FailsWhenStatementThrows
 [0;32m[----------] [m8 tests from ExpectFatalFailureTest
 [0;32m[ RUN      ] [mExpectFatalFailureTest.CanReferenceGlobalVariables
@@ -395,19 +540,27 @@ Expected: 1 non-fatal failure
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual: 0 failures
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mExpectFatalFailureTest.FailsWhenThereIsNoFatalFailure
 [0;32m[ RUN      ] [mExpectFatalFailureTest.FailsWhenThereAreTwoFatalFailures
 (expecting a failure)
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual: 2 failures
-gtest_output_test_.cc:#: Fatal failure:
+googletest-output-test_.cc:#: Fatal failure:
 Failed
 Expected fatal failure.
+Stack trace: (omitted)
 
-gtest_output_test_.cc:#: Fatal failure:
+
+googletest-output-test_.cc:#: Fatal failure:
 Failed
 Expected fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 [0;31m[  FAILED  ] [mExpectFatalFailureTest.FailsWhenThereAreTwoFatalFailures
 [0;32m[ RUN      ] [mExpectFatalFailureTest.FailsWhenThereIsOneNonfatalFailure
@@ -415,9 +568,13 @@ Expected fatal failure.
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual:
-gtest_output_test_.cc:#: Non-fatal failure:
+googletest-output-test_.cc:#: Non-fatal failure:
 Failed
 Expected non-fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 [0;31m[  FAILED  ] [mExpectFatalFailureTest.FailsWhenThereIsOneNonfatalFailure
 [0;32m[ RUN      ] [mExpectFatalFailureTest.FailsWhenStatementReturns
@@ -425,69 +582,140 @@ Expected non-fatal failure.
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual: 0 failures
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mExpectFatalFailureTest.FailsWhenStatementReturns
 [0;32m[ RUN      ] [mExpectFatalFailureTest.FailsWhenStatementThrows
 (expecting a failure)
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual: 0 failures
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mExpectFatalFailureTest.FailsWhenStatementThrows
 [0;32m[----------] [m2 tests from TypedTest/0, where TypeParam = int
 [0;32m[ RUN      ] [mTypedTest/0.Success
 [0;32m[       OK ] [mTypedTest/0.Success
 [0;32m[ RUN      ] [mTypedTest/0.Failure
-gtest_output_test_.cc:#: Failure
-Value of: TypeParam()
-  Actual: 0
-Expected: 1
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1
+  TypeParam()
+    Which is: 0
 Expected failure
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mTypedTest/0.Failure, where TypeParam = int
+[0;32m[----------] [m2 tests from TypedTestWithNames/char0, where TypeParam = char
+[0;32m[ RUN      ] [mTypedTestWithNames/char0.Success
+[0;32m[       OK ] [mTypedTestWithNames/char0.Success
+[0;32m[ RUN      ] [mTypedTestWithNames/char0.Failure
+googletest-output-test_.cc:#: Failure
+Failed
+Stack trace: (omitted)
+
+[0;31m[  FAILED  ] [mTypedTestWithNames/char0.Failure, where TypeParam = char
+[0;32m[----------] [m2 tests from TypedTestWithNames/int1, where TypeParam = int
+[0;32m[ RUN      ] [mTypedTestWithNames/int1.Success
+[0;32m[       OK ] [mTypedTestWithNames/int1.Success
+[0;32m[ RUN      ] [mTypedTestWithNames/int1.Failure
+googletest-output-test_.cc:#: Failure
+Failed
+Stack trace: (omitted)
+
+[0;31m[  FAILED  ] [mTypedTestWithNames/int1.Failure, where TypeParam = int
 [0;32m[----------] [m2 tests from Unsigned/TypedTestP/0, where TypeParam = unsigned char
 [0;32m[ RUN      ] [mUnsigned/TypedTestP/0.Success
 [0;32m[       OK ] [mUnsigned/TypedTestP/0.Success
 [0;32m[ RUN      ] [mUnsigned/TypedTestP/0.Failure
-gtest_output_test_.cc:#: Failure
-Value of: TypeParam()
-  Actual: '\0'
-Expected: 1U
-Which is: 1
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1U
+    Which is: 1
+  TypeParam()
+    Which is: '\0'
 Expected failure
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mUnsigned/TypedTestP/0.Failure, where TypeParam = unsigned char
 [0;32m[----------] [m2 tests from Unsigned/TypedTestP/1, where TypeParam = unsigned int
 [0;32m[ RUN      ] [mUnsigned/TypedTestP/1.Success
 [0;32m[       OK ] [mUnsigned/TypedTestP/1.Success
 [0;32m[ RUN      ] [mUnsigned/TypedTestP/1.Failure
-gtest_output_test_.cc:#: Failure
-Value of: TypeParam()
-  Actual: 0
-Expected: 1U
-Which is: 1
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1U
+    Which is: 1
+  TypeParam()
+    Which is: 0
 Expected failure
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mUnsigned/TypedTestP/1.Failure, where TypeParam = unsigned int
+[0;32m[----------] [m2 tests from UnsignedCustomName/TypedTestP/unsignedChar0, where TypeParam = unsigned char
+[0;32m[ RUN      ] [mUnsignedCustomName/TypedTestP/unsignedChar0.Success
+[0;32m[       OK ] [mUnsignedCustomName/TypedTestP/unsignedChar0.Success
+[0;32m[ RUN      ] [mUnsignedCustomName/TypedTestP/unsignedChar0.Failure
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1U
+    Which is: 1
+  TypeParam()
+    Which is: '\0'
+Expected failure
+Stack trace: (omitted)
+
+[0;31m[  FAILED  ] [mUnsignedCustomName/TypedTestP/unsignedChar0.Failure, where TypeParam = unsigned char
+[0;32m[----------] [m2 tests from UnsignedCustomName/TypedTestP/unsignedInt1, where TypeParam = unsigned int
+[0;32m[ RUN      ] [mUnsignedCustomName/TypedTestP/unsignedInt1.Success
+[0;32m[       OK ] [mUnsignedCustomName/TypedTestP/unsignedInt1.Success
+[0;32m[ RUN      ] [mUnsignedCustomName/TypedTestP/unsignedInt1.Failure
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1U
+    Which is: 1
+  TypeParam()
+    Which is: 0
+Expected failure
+Stack trace: (omitted)
+
+[0;31m[  FAILED  ] [mUnsignedCustomName/TypedTestP/unsignedInt1.Failure, where TypeParam = unsigned int
 [0;32m[----------] [m4 tests from ExpectFailureTest
 [0;32m[ RUN      ] [mExpectFailureTest.ExpectFatalFailure
 (expecting 1 failure)
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual:
-gtest_output_test_.cc:#: Success:
+googletest-output-test_.cc:#: Success:
 Succeeded
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 (expecting 1 failure)
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual:
-gtest_output_test_.cc:#: Non-fatal failure:
+googletest-output-test_.cc:#: Non-fatal failure:
 Failed
 Expected non-fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 (expecting 1 failure)
 gtest.cc:#: Failure
 Expected: 1 fatal failure containing "Some other fatal failure expected."
   Actual:
-gtest_output_test_.cc:#: Fatal failure:
+googletest-output-test_.cc:#: Fatal failure:
 Failed
 Expected fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 [0;31m[  FAILED  ] [mExpectFailureTest.ExpectFatalFailure
 [0;32m[ RUN      ] [mExpectFailureTest.ExpectNonFatalFailure
@@ -495,24 +723,36 @@ Expected fatal failure.
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual:
-gtest_output_test_.cc:#: Success:
+googletest-output-test_.cc:#: Success:
 Succeeded
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 (expecting 1 failure)
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual:
-gtest_output_test_.cc:#: Fatal failure:
+googletest-output-test_.cc:#: Fatal failure:
 Failed
 Expected fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 (expecting 1 failure)
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure containing "Some other non-fatal failure."
   Actual:
-gtest_output_test_.cc:#: Non-fatal failure:
+googletest-output-test_.cc:#: Non-fatal failure:
 Failed
 Expected non-fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 [0;31m[  FAILED  ] [mExpectFailureTest.ExpectNonFatalFailure
 [0;32m[ RUN      ] [mExpectFailureTest.ExpectFatalFailureOnAllThreads
@@ -520,24 +760,36 @@ Expected non-fatal failure.
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual:
-gtest_output_test_.cc:#: Success:
+googletest-output-test_.cc:#: Success:
 Succeeded
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 (expecting 1 failure)
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual:
-gtest_output_test_.cc:#: Non-fatal failure:
+googletest-output-test_.cc:#: Non-fatal failure:
 Failed
 Expected non-fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 (expecting 1 failure)
 gtest.cc:#: Failure
 Expected: 1 fatal failure containing "Some other fatal failure expected."
   Actual:
-gtest_output_test_.cc:#: Fatal failure:
+googletest-output-test_.cc:#: Fatal failure:
 Failed
 Expected fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 [0;31m[  FAILED  ] [mExpectFailureTest.ExpectFatalFailureOnAllThreads
 [0;32m[ RUN      ] [mExpectFailureTest.ExpectNonFatalFailureOnAllThreads
@@ -545,86 +797,132 @@ Expected fatal failure.
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual:
-gtest_output_test_.cc:#: Success:
+googletest-output-test_.cc:#: Success:
 Succeeded
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 (expecting 1 failure)
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual:
-gtest_output_test_.cc:#: Fatal failure:
+googletest-output-test_.cc:#: Fatal failure:
 Failed
 Expected fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 (expecting 1 failure)
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure containing "Some other non-fatal failure."
   Actual:
-gtest_output_test_.cc:#: Non-fatal failure:
+googletest-output-test_.cc:#: Non-fatal failure:
 Failed
 Expected non-fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 [0;31m[  FAILED  ] [mExpectFailureTest.ExpectNonFatalFailureOnAllThreads
 [0;32m[----------] [m2 tests from ExpectFailureWithThreadsTest
 [0;32m[ RUN      ] [mExpectFailureWithThreadsTest.ExpectFatalFailure
 (expecting 2 failures)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected fatal failure.
+Stack trace: (omitted)
+
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual: 0 failures
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mExpectFailureWithThreadsTest.ExpectFatalFailure
 [0;32m[ RUN      ] [mExpectFailureWithThreadsTest.ExpectNonFatalFailure
 (expecting 2 failures)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected non-fatal failure.
+Stack trace: (omitted)
+
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual: 0 failures
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mExpectFailureWithThreadsTest.ExpectNonFatalFailure
 [0;32m[----------] [m1 test from ScopedFakeTestPartResultReporterTest
 [0;32m[ RUN      ] [mScopedFakeTestPartResultReporterTest.InterceptOnlyCurrentThread
 (expecting 2 failures)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected fatal failure.
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected non-fatal failure.
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mScopedFakeTestPartResultReporterTest.InterceptOnlyCurrentThread
 [0;32m[----------] [m1 test from PrintingFailingParams/FailingParamTest
 [0;32m[ RUN      ] [mPrintingFailingParams/FailingParamTest.Fails/0
-gtest_output_test_.cc:#: Failure
-Value of: GetParam()
-  Actual: 2
-Expected: 1
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1
+  GetParam()
+    Which is: 2
+Stack trace: (omitted)
+
 [0;31m[  FAILED  ] [mPrintingFailingParams/FailingParamTest.Fails/0, where GetParam() = 2
+[0;32m[----------] [m2 tests from PrintingStrings/ParamTest
+[0;32m[ RUN      ] [mPrintingStrings/ParamTest.Success/a
+[0;32m[       OK ] [mPrintingStrings/ParamTest.Success/a
+[0;32m[ RUN      ] [mPrintingStrings/ParamTest.Failure/a
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  "b"
+  GetParam()
+    Which is: "a"
+Expected failure
+Stack trace: (omitted)
+
+[0;31m[  FAILED  ] [mPrintingStrings/ParamTest.Failure/a, where GetParam() = "a"
 [0;32m[----------] [mGlobal test environment tear-down
 BarEnvironment::TearDown() called.
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected non-fatal failure.
+Stack trace: (omitted)
+
 FooEnvironment::TearDown() called.
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected fatal failure.
-[0;32m[==========] [m64 tests from 28 test cases ran.
-[0;32m[  PASSED  ] [m21 tests.
-[0;31m[  FAILED  ] [m43 tests, listed below:
+Stack trace: (omitted)
+
+[0;32m[==========] [m76 tests from 34 test cases ran.
+[0;32m[  PASSED  ] [m26 tests.
+[0;31m[  FAILED  ] [m50 tests, listed below:
 [0;31m[  FAILED  ] [mNonfatalFailureTest.EscapesStringOperands
 [0;31m[  FAILED  ] [mNonfatalFailureTest.DiffForLongStrings
 [0;31m[  FAILED  ] [mFatalFailureTest.FatalFailureInSubroutine
 [0;31m[  FAILED  ] [mFatalFailureTest.FatalFailureInNestedSubroutine
 [0;31m[  FAILED  ] [mFatalFailureTest.NonfatalFailureInSubroutine
 [0;31m[  FAILED  ] [mLoggingTest.InterleavingLoggingAndAssertions
+[0;31m[  FAILED  ] [mSCOPED_TRACETest.AcceptedValues
 [0;31m[  FAILED  ] [mSCOPED_TRACETest.ObeysScopes
 [0;31m[  FAILED  ] [mSCOPED_TRACETest.WorksInLoop
 [0;31m[  FAILED  ] [mSCOPED_TRACETest.WorksInSubroutine
 [0;31m[  FAILED  ] [mSCOPED_TRACETest.CanBeNested
 [0;31m[  FAILED  ] [mSCOPED_TRACETest.CanBeRepeated
 [0;31m[  FAILED  ] [mSCOPED_TRACETest.WorksConcurrently
+[0;31m[  FAILED  ] [mScopedTraceTest.WithExplicitFileAndLine
 [0;31m[  FAILED  ] [mNonFatalFailureInFixtureConstructorTest.FailureInConstructor
 [0;31m[  FAILED  ] [mFatalFailureInFixtureConstructorTest.FailureInConstructor
 [0;31m[  FAILED  ] [mNonFatalFailureInSetUpTest.FailureInSetUp
@@ -646,8 +944,12 @@ Expected fatal failure.
 [0;31m[  FAILED  ] [mExpectFatalFailureTest.FailsWhenStatementReturns
 [0;31m[  FAILED  ] [mExpectFatalFailureTest.FailsWhenStatementThrows
 [0;31m[  FAILED  ] [mTypedTest/0.Failure, where TypeParam = int
+[0;31m[  FAILED  ] [mTypedTestWithNames/char0.Failure, where TypeParam = char
+[0;31m[  FAILED  ] [mTypedTestWithNames/int1.Failure, where TypeParam = int
 [0;31m[  FAILED  ] [mUnsigned/TypedTestP/0.Failure, where TypeParam = unsigned char
 [0;31m[  FAILED  ] [mUnsigned/TypedTestP/1.Failure, where TypeParam = unsigned int
+[0;31m[  FAILED  ] [mUnsignedCustomName/TypedTestP/unsignedChar0.Failure, where TypeParam = unsigned char
+[0;31m[  FAILED  ] [mUnsignedCustomName/TypedTestP/unsignedInt1.Failure, where TypeParam = unsigned int
 [0;31m[  FAILED  ] [mExpectFailureTest.ExpectFatalFailure
 [0;31m[  FAILED  ] [mExpectFailureTest.ExpectNonFatalFailure
 [0;31m[  FAILED  ] [mExpectFailureTest.ExpectFatalFailureOnAllThreads
@@ -656,8 +958,9 @@ Expected fatal failure.
 [0;31m[  FAILED  ] [mExpectFailureWithThreadsTest.ExpectNonFatalFailure
 [0;31m[  FAILED  ] [mScopedFakeTestPartResultReporterTest.InterceptOnlyCurrentThread
 [0;31m[  FAILED  ] [mPrintingFailingParams/FailingParamTest.Fails/0, where GetParam() = 2
+[0;31m[  FAILED  ] [mPrintingStrings/ParamTest.Failure/a, where GetParam() = "a"
 
-43 FAILED TESTS
+50 FAILED TESTS
 [0;33m  YOU HAVE 1 DISABLED TEST
 
 [mNote: Google Test filter = FatalFailureTest.*:LoggingTest.*
@@ -666,24 +969,32 @@ Expected fatal failure.
 [----------] 3 tests from FatalFailureTest
 [ RUN      ] FatalFailureTest.FatalFailureInSubroutine
 (expecting a failure that x should be 1)
-gtest_output_test_.cc:#: Failure
-Value of: x
-  Actual: 2
-Expected: 1
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1
+  x
+    Which is: 2
+Stack trace: (omitted)
+
 [  FAILED  ] FatalFailureTest.FatalFailureInSubroutine (? ms)
 [ RUN      ] FatalFailureTest.FatalFailureInNestedSubroutine
 (expecting a failure that x should be 1)
-gtest_output_test_.cc:#: Failure
-Value of: x
-  Actual: 2
-Expected: 1
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1
+  x
+    Which is: 2
+Stack trace: (omitted)
+
 [  FAILED  ] FatalFailureTest.FatalFailureInNestedSubroutine (? ms)
 [ RUN      ] FatalFailureTest.NonfatalFailureInSubroutine
 (expecting a failure on false)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Value of: false
   Actual: false
 Expected: true
+Stack trace: (omitted)
+
 [  FAILED  ] FatalFailureTest.NonfatalFailureInSubroutine (? ms)
 [----------] 3 tests from FatalFailureTest (? ms total)
 
@@ -692,12 +1003,16 @@ Expected: true
 (expecting 2 failures on (3) >= (a[i]))
 i == 0
 i == 1
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Expected: (3) >= (a[i]), actual: 3 vs 9
+Stack trace: (omitted)
+
 i == 2
 i == 3
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Expected: (3) >= (a[i]), actual: 3 vs 6
+Stack trace: (omitted)
+
 [  FAILED  ] LoggingTest.InterleavingLoggingAndAssertions (? ms)
 [----------] 1 test from LoggingTest (? ms total)
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_output_test.py b/security/nss/gtests/google_test/gtest/test/googletest-output-test.py
index fa1a31172..2d69e353a 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_output_test.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-output-test.py
@@ -29,17 +29,16 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-"""Tests the text output of Google C++ Testing Framework.
+"""Tests the text output of Google C++ Testing and Mocking Framework.
 
-SYNOPSIS
-       gtest_output_test.py --build_dir=BUILD/DIR --gengolden
-         # where BUILD/DIR contains the built gtest_output_test_ file.
-       gtest_output_test.py --gengolden
-       gtest_output_test.py
+To update the golden file:
+googletest_output_test.py --build_dir=BUILD/DIR --gengolden
+where BUILD/DIR contains the built googletest-output-test_ file.
+googletest_output_test.py --gengolden
+googletest_output_test.py
 """
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
-
+import difflib
 import os
 import re
 import sys
@@ -50,30 +49,34 @@ import gtest_test_utils
 GENGOLDEN_FLAG = '--gengolden'
 CATCH_EXCEPTIONS_ENV_VAR_NAME = 'GTEST_CATCH_EXCEPTIONS'
 
+# The flag indicating stacktraces are not supported
+NO_STACKTRACE_SUPPORT_FLAG = '--no_stacktrace_support'
+
+IS_LINUX = os.name == 'posix' and os.uname()[0] == 'Linux'
 IS_WINDOWS = os.name == 'nt'
 
-# TODO(vladl@google.com): remove the _lin suffix.
-GOLDEN_NAME = 'gtest_output_test_golden_lin.txt'
+# FIXME: remove the _lin suffix.
+GOLDEN_NAME = 'googletest-output-test-golden-lin.txt'
 
-PROGRAM_PATH = gtest_test_utils.GetTestExecutablePath('gtest_output_test_')
+PROGRAM_PATH = gtest_test_utils.GetTestExecutablePath('googletest-output-test_')
 
 # At least one command we exercise must not have the
-# --gtest_internal_skip_environment_and_ad_hoc_tests flag.
+# 'internal_skip_environment_and_ad_hoc_tests' argument.
 COMMAND_LIST_TESTS = ({}, [PROGRAM_PATH, '--gtest_list_tests'])
 COMMAND_WITH_COLOR = ({}, [PROGRAM_PATH, '--gtest_color=yes'])
 COMMAND_WITH_TIME = ({}, [PROGRAM_PATH,
                           '--gtest_print_time',
-                          '--gtest_internal_skip_environment_and_ad_hoc_tests',
+                          'internal_skip_environment_and_ad_hoc_tests',
                           '--gtest_filter=FatalFailureTest.*:LoggingTest.*'])
 COMMAND_WITH_DISABLED = (
     {}, [PROGRAM_PATH,
          '--gtest_also_run_disabled_tests',
-         '--gtest_internal_skip_environment_and_ad_hoc_tests',
+         'internal_skip_environment_and_ad_hoc_tests',
          '--gtest_filter=*DISABLED_*'])
 COMMAND_WITH_SHARDING = (
     {'GTEST_SHARD_INDEX': '1', 'GTEST_TOTAL_SHARDS': '2'},
     [PROGRAM_PATH,
-     '--gtest_internal_skip_environment_and_ad_hoc_tests',
+     'internal_skip_environment_and_ad_hoc_tests',
      '--gtest_filter=PassingTest.*'])
 
 GOLDEN_PATH = os.path.join(gtest_test_utils.GetSourceDir(), GOLDEN_NAME)
@@ -98,7 +101,8 @@ def RemoveLocations(test_output):
        'FILE_NAME:#: '.
   """
 
-  return re.sub(r'.*[/\\](.+)(\:\d+|\(\d+\))\: ', r'\1:#: ', test_output)
+  return re.sub(r'.*[/\\]((googletest-output-test_|gtest).cc)(\:\d+|\(\d+\))\: ',
+                r'\1:#: ', test_output)
 
 
 def RemoveStackTraceDetails(output):
@@ -188,7 +192,7 @@ def RemoveMatchingTests(test_output, pattern):
 
 
 def NormalizeOutput(output):
-  """Normalizes output (the output of gtest_output_test_.exe)."""
+  """Normalizes output (the output of googletest-output-test_.exe)."""
 
   output = ToUnixLineEnding(output)
   output = RemoveLocations(output)
@@ -248,12 +252,12 @@ test_list = GetShellCommandOutput(COMMAND_LIST_TESTS)
 SUPPORTS_DEATH_TESTS = 'DeathTest' in test_list
 SUPPORTS_TYPED_TESTS = 'TypedTest' in test_list
 SUPPORTS_THREADS = 'ExpectFailureWithThreadsTest' in test_list
-SUPPORTS_STACK_TRACES = False
+SUPPORTS_STACK_TRACES = NO_STACKTRACE_SUPPORT_FLAG not in sys.argv
 
 CAN_GENERATE_GOLDEN_FILE = (SUPPORTS_DEATH_TESTS and
                             SUPPORTS_TYPED_TESTS and
                             SUPPORTS_THREADS and
-                            not IS_WINDOWS)
+                            SUPPORTS_STACK_TRACES)
 
 class GTestOutputTest(gtest_test_utils.TestCase):
   def RemoveUnsupportedTests(self, test_output):
@@ -294,7 +298,11 @@ class GTestOutputTest(gtest_test_utils.TestCase):
     normalized_golden = RemoveTypeInfoDetails(golden)
 
     if CAN_GENERATE_GOLDEN_FILE:
-      self.assertEqual(normalized_golden, normalized_actual)
+      self.assertEqual(normalized_golden, normalized_actual,
+                       '\n'.join(difflib.unified_diff(
+                           normalized_golden.split('\n'),
+                           normalized_actual.split('\n'),
+                           'golden', 'actual')))
     else:
       normalized_actual = NormalizeToCurrentPlatform(
           RemoveTestCounts(normalized_actual))
@@ -305,18 +313,22 @@ class GTestOutputTest(gtest_test_utils.TestCase):
       if os.getenv('DEBUG_GTEST_OUTPUT_TEST'):
         open(os.path.join(
             gtest_test_utils.GetSourceDir(),
-            '_gtest_output_test_normalized_actual.txt'), 'wb').write(
+            '_googletest-output-test_normalized_actual.txt'), 'wb').write(
                 normalized_actual)
         open(os.path.join(
             gtest_test_utils.GetSourceDir(),
-            '_gtest_output_test_normalized_golden.txt'), 'wb').write(
+            '_googletest-output-test_normalized_golden.txt'), 'wb').write(
                 normalized_golden)
 
       self.assertEqual(normalized_golden, normalized_actual)
 
 
 if __name__ == '__main__':
-  if sys.argv[1:] == [GENGOLDEN_FLAG]:
+  if NO_STACKTRACE_SUPPORT_FLAG in sys.argv:
+    # unittest.main() can't handle unknown flags
+    sys.argv.remove(NO_STACKTRACE_SUPPORT_FLAG)
+
+  if GENGOLDEN_FLAG in sys.argv:
     if CAN_GENERATE_GOLDEN_FILE:
       output = GetOutputOfAllCommands()
       golden_file = open(GOLDEN_PATH, 'wb')
@@ -325,9 +337,9 @@ if __name__ == '__main__':
     else:
       message = (
           """Unable to write a golden file when compiled in an environment
-that does not support all the required features (death tests, typed tests,
-and multiple threads).  Please generate the golden file using a binary built
-with those features enabled.""")
+that does not support all the required features (death tests,
+typed tests, stack traces, and multiple threads).
+Please build this test and generate the golden file using Blaze on Linux.""")
 
       sys.stderr.write(message)
       sys.exit(1)
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_output_test_.cc b/security/nss/gtests/google_test/gtest/test/googletest-output-test_.cc
index 5361d8d87..f6525ec97 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_output_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-output-test_.cc
@@ -29,26 +29,20 @@
 //
 // The purpose of this file is to generate Google Test output under
 // various conditions.  The output will then be verified by
-// gtest_output_test.py to ensure that Google Test generates the
+// googletest-output-test.py to ensure that Google Test generates the
 // desired messages.  Therefore, most tests in this file are MEANT TO
 // FAIL.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
 #include "gtest/gtest-spi.h"
 #include "gtest/gtest.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick is to
-// prevent a user from accidentally including gtest-internal-inl.h in
-// his code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 #include <stdlib.h>
 
+#if _MSC_VER
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4127 /* conditional expression is constant */)
+#endif  //  _MSC_VER
+
 #if GTEST_IS_THREADSAFE
 using testing::ScopedFakeTestPartResultReporter;
 using testing::TestPartResultArray;
@@ -58,7 +52,6 @@ using testing::internal::ThreadWithParam;
 #endif
 
 namespace posix = ::testing::internal::posix;
-using testing::internal::scoped_ptr;
 
 // Tests catching fatal failures.
 
@@ -177,6 +170,16 @@ void SubWithTrace(int n) {
   SubWithoutTrace(n);
 }
 
+TEST(SCOPED_TRACETest, AcceptedValues) {
+  SCOPED_TRACE("literal string");
+  SCOPED_TRACE(std::string("std::string"));
+  SCOPED_TRACE(1337);  // streamable type
+  const char* null_value = NULL;
+  SCOPED_TRACE(null_value);
+
+  ADD_FAILURE() << "Just checking that all these values work fine.";
+}
+
 // Tests that SCOPED_TRACE() obeys lexical scopes.
 TEST(SCOPED_TRACETest, ObeysScopes) {
   printf("(expected to fail)\n");
@@ -324,6 +327,13 @@ TEST(SCOPED_TRACETest, WorksConcurrently) {
 }
 #endif  // GTEST_IS_THREADSAFE
 
+// Tests basic functionality of the ScopedTrace utility (most of its features
+// are already tested in SCOPED_TRACETest).
+TEST(ScopedTraceTest, WithExplicitFileAndLine) {
+  testing::ScopedTrace trace("explicit_file.cc", 123, "expected trace message");
+  ADD_FAILURE() << "Check that the trace is attached to a particular location.";
+}
+
 TEST(DisabledTestsWarningTest,
      DISABLED_AlsoRunDisabledTestsFlagSuppressesWarning) {
   // This test body is intentionally empty.  Its sole purpose is for
@@ -515,7 +525,8 @@ class DeathTestAndMultiThreadsTest : public testing::Test {
 
  private:
   SpawnThreadNotifications notifications_;
-  scoped_ptr<ThreadWithParam<SpawnThreadNotifications*> > thread_;
+  testing::internal::scoped_ptr<ThreadWithParam<SpawnThreadNotifications*> >
+      thread_;
 };
 
 #endif  // GTEST_IS_THREADSAFE
@@ -755,6 +766,28 @@ TEST(ExpectFatalFailureTest, FailsWhenStatementThrows) {
 
 #endif  // GTEST_HAS_EXCEPTIONS
 
+// This #ifdef block tests the output of value-parameterized tests.
+
+std::string ParamNameFunc(const testing::TestParamInfo<std::string>& info) {
+  return info.param;
+}
+
+class ParamTest : public testing::TestWithParam<std::string> {
+};
+
+TEST_P(ParamTest, Success) {
+  EXPECT_EQ("a", GetParam());
+}
+
+TEST_P(ParamTest, Failure) {
+  EXPECT_EQ("b", GetParam()) << "Expected failure";
+}
+
+INSTANTIATE_TEST_CASE_P(PrintingStrings,
+                        ParamTest,
+                        testing::Values(std::string("a")),
+                        ParamNameFunc);
+
 // This #ifdef block tests the output of typed tests.
 #if GTEST_HAS_TYPED_TEST
 
@@ -772,6 +805,28 @@ TYPED_TEST(TypedTest, Failure) {
   EXPECT_EQ(1, TypeParam()) << "Expected failure";
 }
 
+typedef testing::Types<char, int> TypesForTestWithNames;
+
+template <typename T>
+class TypedTestWithNames : public testing::Test {};
+
+class TypedTestNames {
+ public:
+  template <typename T>
+  static std::string GetName(int i) {
+    if (testing::internal::IsSame<T, char>::value)
+      return std::string("char") + ::testing::PrintToString(i);
+    if (testing::internal::IsSame<T, int>::value)
+      return std::string("int") + ::testing::PrintToString(i);
+  }
+};
+
+TYPED_TEST_CASE(TypedTestWithNames, TypesForTestWithNames, TypedTestNames);
+
+TYPED_TEST(TypedTestWithNames, Success) {}
+
+TYPED_TEST(TypedTestWithNames, Failure) { FAIL(); }
+
 #endif  // GTEST_HAS_TYPED_TEST
 
 // This #ifdef block tests the output of type-parameterized tests.
@@ -796,6 +851,22 @@ REGISTER_TYPED_TEST_CASE_P(TypedTestP, Success, Failure);
 typedef testing::Types<unsigned char, unsigned int> UnsignedTypes;
 INSTANTIATE_TYPED_TEST_CASE_P(Unsigned, TypedTestP, UnsignedTypes);
 
+class TypedTestPNames {
+ public:
+  template <typename T>
+  static std::string GetName(int i) {
+    if (testing::internal::IsSame<T, unsigned char>::value) {
+      return std::string("unsignedChar") + ::testing::PrintToString(i);
+    }
+    if (testing::internal::IsSame<T, unsigned int>::value) {
+      return std::string("unsignedInt") + ::testing::PrintToString(i);
+    }
+  }
+};
+
+INSTANTIATE_TYPED_TEST_CASE_P(UnsignedCustomName, TypedTestP, UnsignedTypes,
+                              TypedTestPNames);
+
 #endif  // GTEST_HAS_TYPED_TEST_P
 
 #if GTEST_HAS_DEATH_TEST
@@ -990,8 +1061,6 @@ class BarEnvironment : public testing::Environment {
   }
 };
 
-bool GTEST_FLAG(internal_skip_environment_and_ad_hoc_tests) = false;
-
 // The main function.
 //
 // The idea is to use Google Test to run all the tests we have defined (some
@@ -1008,10 +1077,9 @@ int main(int argc, char **argv) {
   // global side effects.  The following line serves as a sanity test
   // for it.
   testing::InitGoogleTest(&argc, argv);
-  if (argc >= 2 &&
-      (std::string(argv[1]) ==
-       "--gtest_internal_skip_environment_and_ad_hoc_tests"))
-    GTEST_FLAG(internal_skip_environment_and_ad_hoc_tests) = true;
+  bool internal_skip_environment_and_ad_hoc_tests =
+      std::count(argv, argv + argc,
+                 std::string("internal_skip_environment_and_ad_hoc_tests")) > 0;
 
 #if GTEST_HAS_DEATH_TEST
   if (testing::internal::GTEST_FLAG(internal_run_death_test) != "") {
@@ -1026,7 +1094,7 @@ int main(int argc, char **argv) {
   }
 #endif  // GTEST_HAS_DEATH_TEST
 
-  if (GTEST_FLAG(internal_skip_environment_and_ad_hoc_tests))
+  if (internal_skip_environment_and_ad_hoc_tests)
     return RUN_ALL_TESTS();
 
   // Registers two global test environments.
@@ -1034,6 +1102,8 @@ int main(int argc, char **argv) {
   // are registered, and torn down in the reverse order.
   testing::AddGlobalTestEnvironment(new FooEnvironment);
   testing::AddGlobalTestEnvironment(new BarEnvironment);
-
+#if _MSC_VER
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4127
+#endif  //  _MSC_VER
   return RunAllTests();
 }
diff --git a/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name1-test.py b/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name1-test.py
new file mode 100644
index 000000000..2a08477a7
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name1-test.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python
+#
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+"""Verifies that Google Test warns the user when not initialized properly."""
+
+import gtest_test_utils
+
+binary_name = 'googletest-param-test-invalid-name1-test_'
+COMMAND = gtest_test_utils.GetTestExecutablePath(binary_name)
+
+
+def Assert(condition):
+  if not condition:
+    raise AssertionError
+
+
+def TestExitCodeAndOutput(command):
+  """Runs the given command and verifies its exit code and output."""
+
+  err = ('Parameterized test name \'"InvalidWithQuotes"\' is invalid')
+
+  p = gtest_test_utils.Subprocess(command)
+  Assert(p.terminated_by_signal)
+
+  # Verify the output message contains appropriate output
+  Assert(err in p.output)
+
+
+class GTestParamTestInvalidName1Test(gtest_test_utils.TestCase):
+
+  def testExitCodeAndOutput(self):
+    TestExitCodeAndOutput(COMMAND)
+
+
+if __name__ == '__main__':
+  gtest_test_utils.Main()
diff --git a/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name1-test_.cc b/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name1-test_.cc
new file mode 100644
index 000000000..5a95155b2
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name1-test_.cc
@@ -0,0 +1,50 @@
+// Copyright 2015, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+#include "gtest/gtest.h"
+
+namespace {
+class DummyTest : public ::testing::TestWithParam<const char *> {};
+
+TEST_P(DummyTest, Dummy) {
+}
+
+INSTANTIATE_TEST_CASE_P(InvalidTestName,
+                        DummyTest,
+                        ::testing::Values("InvalidWithQuotes"),
+                        ::testing::PrintToStringParamName());
+
+}  // namespace
+
+int main(int argc, char *argv[]) {
+  testing::InitGoogleTest(&argc, argv);
+  return RUN_ALL_TESTS();
+}
+
diff --git a/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name2-test.py b/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name2-test.py
new file mode 100644
index 000000000..ab838f463
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name2-test.py
@@ -0,0 +1,62 @@
+#!/usr/bin/env python
+#
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+"""Verifies that Google Test warns the user when not initialized properly."""
+
+import gtest_test_utils
+
+binary_name = 'googletest-param-test-invalid-name2-test_'
+COMMAND = gtest_test_utils.GetTestExecutablePath(binary_name)
+
+
+def Assert(condition):
+  if not condition:
+    raise AssertionError
+
+
+def TestExitCodeAndOutput(command):
+  """Runs the given command and verifies its exit code and output."""
+
+  err = ('Duplicate parameterized test name \'a\'')
+
+  p = gtest_test_utils.Subprocess(command)
+  Assert(p.terminated_by_signal)
+
+  # Check for appropriate output
+  Assert(err in p.output)
+
+
+class GTestParamTestInvalidName2Test(gtest_test_utils.TestCase):
+
+  def testExitCodeAndOutput(self):
+    TestExitCodeAndOutput(COMMAND)
+
+if __name__ == '__main__':
+  gtest_test_utils.Main()
diff --git a/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name2-test_.cc b/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name2-test_.cc
new file mode 100644
index 000000000..ef093490e
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name2-test_.cc
@@ -0,0 +1,55 @@
+// Copyright 2015, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+#include "gtest/gtest.h"
+
+namespace {
+class DummyTest : public ::testing::TestWithParam<const char *> {};
+
+std::string StringParamTestSuffix(
+    const testing::TestParamInfo<const char*>& info) {
+  return std::string(info.param);
+}
+
+TEST_P(DummyTest, Dummy) {
+}
+
+INSTANTIATE_TEST_CASE_P(DuplicateTestNames,
+                        DummyTest,
+                        ::testing::Values("a", "b", "a", "c"),
+                        StringParamTestSuffix);
+}  // namespace
+
+int main(int argc, char *argv[]) {
+  testing::InitGoogleTest(&argc, argv);
+  return RUN_ALL_TESTS();
+}
+
+
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-param-test_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-param-test-test.cc
index cc1dc65fb..f789cab27 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-param-test_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-param-test-test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 //
 // Tests for Google Test itself. This file verifies that the parameter
 // generators objects produce correct parameter sequences and that
@@ -35,8 +34,6 @@
 
 #include "gtest/gtest.h"
 
-#if GTEST_HAS_PARAM_TEST
-
 # include <algorithm>
 # include <iostream>
 # include <list>
@@ -44,12 +41,8 @@
 # include <string>
 # include <vector>
 
-// To include gtest-internal-inl.h.
-# define GTEST_IMPLEMENTATION_ 1
 # include "src/gtest-internal-inl.h"  // for UnitTestOptions
-# undef GTEST_IMPLEMENTATION_
-
-# include "test/gtest-param-test_test.h"
+# include "test/googletest-param-test-test.h"
 
 using ::std::vector;
 using ::std::sort;
@@ -74,7 +67,7 @@ using ::testing::internal::UnitTestOptions;
 
 // Prints a value to a string.
 //
-// TODO(wan@google.com): remove PrintValue() when we move matchers and
+// FIXME: remove PrintValue() when we move matchers and
 // EXPECT_THAT() from Google Mock to Google Test.  At that time, we
 // can write EXPECT_THAT(x, Eq(y)) to compare two tuples x and y, as
 // EXPECT_THAT() and the matchers know how to print tuples.
@@ -141,7 +134,7 @@ void VerifyGenerator(const ParamGenerator<T>& generator,
         << ", expected_values[i] is " << PrintValue(expected_values[i])
         << ", *it is " << PrintValue(*it)
         << ", and 'it' is an iterator created with the copy constructor.\n";
-    it++;
+    ++it;
   }
   EXPECT_TRUE(it == generator.end())
         << "At the presumed end of sequence when accessing via an iterator "
@@ -161,7 +154,7 @@ void VerifyGenerator(const ParamGenerator<T>& generator,
         << ", expected_values[i] is " << PrintValue(expected_values[i])
         << ", *it is " << PrintValue(*it)
         << ", and 'it' is an iterator created with the copy constructor.\n";
-    it++;
+    ++it;
   }
   EXPECT_TRUE(it == generator.end())
         << "At the presumed end of sequence when accessing via an iterator "
@@ -196,7 +189,7 @@ TEST(IteratorTest, ParamIteratorConformsToForwardIteratorConcept) {
                            << "element same as its source points to";
 
   // Verifies that iterator assignment works as expected.
-  it++;
+  ++it;
   EXPECT_FALSE(*it == *it2);
   it2 = it;
   EXPECT_TRUE(*it == *it2) << "Assigned iterators must point to the "
@@ -215,7 +208,7 @@ TEST(IteratorTest, ParamIteratorConformsToForwardIteratorConcept) {
   // Verifies that prefix and postfix operator++() advance an iterator
   // all the same.
   it2 = it;
-  it++;
+  ++it;
   ++it2;
   EXPECT_TRUE(*it == *it2);
 }
@@ -542,6 +535,51 @@ TEST(CombineTest, CombineWithMaxNumberOfParameters) {
   VerifyGenerator(gen, expected_values);
 }
 
+#if GTEST_LANG_CXX11
+
+class NonDefaultConstructAssignString {
+ public:
+  NonDefaultConstructAssignString(const std::string& s) : str_(s) {}
+
+  const std::string& str() const { return str_; }
+
+ private:
+  std::string str_;
+
+  // Not default constructible
+  NonDefaultConstructAssignString();
+  // Not assignable
+  void operator=(const NonDefaultConstructAssignString&);
+};
+
+TEST(CombineTest, NonDefaultConstructAssign) {
+  const ParamGenerator<tuple<int, NonDefaultConstructAssignString> > gen =
+      Combine(Values(0, 1), Values(NonDefaultConstructAssignString("A"),
+                                   NonDefaultConstructAssignString("B")));
+
+  ParamGenerator<tuple<int, NonDefaultConstructAssignString> >::iterator it =
+      gen.begin();
+
+  EXPECT_EQ(0, std::get<0>(*it));
+  EXPECT_EQ("A", std::get<1>(*it).str());
+  ++it;
+
+  EXPECT_EQ(0, std::get<0>(*it));
+  EXPECT_EQ("B", std::get<1>(*it).str());
+  ++it;
+
+  EXPECT_EQ(1, std::get<0>(*it));
+  EXPECT_EQ("A", std::get<1>(*it).str());
+  ++it;
+
+  EXPECT_EQ(1, std::get<0>(*it));
+  EXPECT_EQ("B", std::get<1>(*it).str());
+  ++it;
+
+  EXPECT_TRUE(it == gen.end());
+}
+
+#endif   // GTEST_LANG_CXX11
 # endif  // GTEST_HAS_COMBINE
 
 // Tests that an generator produces correct sequence after being
@@ -809,6 +847,184 @@ TEST_P(NamingTest, TestsReportCorrectNamesAndParameters) {
 
 INSTANTIATE_TEST_CASE_P(ZeroToFiveSequence, NamingTest, Range(0, 5));
 
+// Tests that macros in test names are expanded correctly.
+class MacroNamingTest : public TestWithParam<int> {};
+
+#define PREFIX_WITH_FOO(test_name) Foo##test_name
+#define PREFIX_WITH_MACRO(test_name) Macro##test_name
+
+TEST_P(PREFIX_WITH_MACRO(NamingTest), PREFIX_WITH_FOO(SomeTestName)) {
+  const ::testing::TestInfo* const test_info =
+     ::testing::UnitTest::GetInstance()->current_test_info();
+
+  EXPECT_STREQ("FortyTwo/MacroNamingTest", test_info->test_case_name());
+  EXPECT_STREQ("FooSomeTestName", test_info->name());
+}
+
+INSTANTIATE_TEST_CASE_P(FortyTwo, MacroNamingTest, Values(42));
+
+// Tests the same thing for non-parametrized tests.
+class MacroNamingTestNonParametrized : public ::testing::Test {};
+
+TEST_F(PREFIX_WITH_MACRO(NamingTestNonParametrized),
+       PREFIX_WITH_FOO(SomeTestName)) {
+  const ::testing::TestInfo* const test_info =
+     ::testing::UnitTest::GetInstance()->current_test_info();
+
+  EXPECT_STREQ("MacroNamingTestNonParametrized", test_info->test_case_name());
+  EXPECT_STREQ("FooSomeTestName", test_info->name());
+}
+
+// Tests that user supplied custom parameter names are working correctly.
+// Runs the test with a builtin helper method which uses PrintToString,
+// as well as a custom function and custom functor to ensure all possible
+// uses work correctly.
+class CustomFunctorNamingTest : public TestWithParam<std::string> {};
+TEST_P(CustomFunctorNamingTest, CustomTestNames) {}
+
+struct CustomParamNameFunctor {
+  std::string operator()(const ::testing::TestParamInfo<std::string>& inf) {
+    return inf.param;
+  }
+};
+
+INSTANTIATE_TEST_CASE_P(CustomParamNameFunctor,
+                        CustomFunctorNamingTest,
+                        Values(std::string("FunctorName")),
+                        CustomParamNameFunctor());
+
+INSTANTIATE_TEST_CASE_P(AllAllowedCharacters,
+                        CustomFunctorNamingTest,
+                        Values("abcdefghijklmnopqrstuvwxyz",
+                               "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
+                               "01234567890_"),
+                        CustomParamNameFunctor());
+
+inline std::string CustomParamNameFunction(
+    const ::testing::TestParamInfo<std::string>& inf) {
+  return inf.param;
+}
+
+class CustomFunctionNamingTest : public TestWithParam<std::string> {};
+TEST_P(CustomFunctionNamingTest, CustomTestNames) {}
+
+INSTANTIATE_TEST_CASE_P(CustomParamNameFunction,
+                        CustomFunctionNamingTest,
+                        Values(std::string("FunctionName")),
+                        CustomParamNameFunction);
+
+#if GTEST_LANG_CXX11
+
+// Test custom naming with a lambda
+
+class CustomLambdaNamingTest : public TestWithParam<std::string> {};
+TEST_P(CustomLambdaNamingTest, CustomTestNames) {}
+
+INSTANTIATE_TEST_CASE_P(CustomParamNameLambda, CustomLambdaNamingTest,
+                        Values(std::string("LambdaName")),
+                        [](const ::testing::TestParamInfo<std::string>& inf) {
+                          return inf.param;
+                        });
+
+#endif  // GTEST_LANG_CXX11
+
+TEST(CustomNamingTest, CheckNameRegistry) {
+  ::testing::UnitTest* unit_test = ::testing::UnitTest::GetInstance();
+  std::set<std::string> test_names;
+  for (int case_num = 0;
+       case_num < unit_test->total_test_case_count();
+       ++case_num) {
+    const ::testing::TestCase* test_case = unit_test->GetTestCase(case_num);
+    for (int test_num = 0;
+         test_num < test_case->total_test_count();
+         ++test_num) {
+      const ::testing::TestInfo* test_info = test_case->GetTestInfo(test_num);
+      test_names.insert(std::string(test_info->name()));
+    }
+  }
+  EXPECT_EQ(1u, test_names.count("CustomTestNames/FunctorName"));
+  EXPECT_EQ(1u, test_names.count("CustomTestNames/FunctionName"));
+#if GTEST_LANG_CXX11
+  EXPECT_EQ(1u, test_names.count("CustomTestNames/LambdaName"));
+#endif  // GTEST_LANG_CXX11
+}
+
+// Test a numeric name to ensure PrintToStringParamName works correctly.
+
+class CustomIntegerNamingTest : public TestWithParam<int> {};
+
+TEST_P(CustomIntegerNamingTest, TestsReportCorrectNames) {
+  const ::testing::TestInfo* const test_info =
+     ::testing::UnitTest::GetInstance()->current_test_info();
+  Message test_name_stream;
+  test_name_stream << "TestsReportCorrectNames/" << GetParam();
+  EXPECT_STREQ(test_name_stream.GetString().c_str(), test_info->name());
+}
+
+INSTANTIATE_TEST_CASE_P(PrintToString,
+                        CustomIntegerNamingTest,
+                        Range(0, 5),
+                        ::testing::PrintToStringParamName());
+
+// Test a custom struct with PrintToString.
+
+struct CustomStruct {
+  explicit CustomStruct(int value) : x(value) {}
+  int x;
+};
+
+std::ostream& operator<<(std::ostream& stream, const CustomStruct& val) {
+  stream << val.x;
+  return stream;
+}
+
+class CustomStructNamingTest : public TestWithParam<CustomStruct> {};
+
+TEST_P(CustomStructNamingTest, TestsReportCorrectNames) {
+  const ::testing::TestInfo* const test_info =
+     ::testing::UnitTest::GetInstance()->current_test_info();
+  Message test_name_stream;
+  test_name_stream << "TestsReportCorrectNames/" << GetParam();
+  EXPECT_STREQ(test_name_stream.GetString().c_str(), test_info->name());
+}
+
+INSTANTIATE_TEST_CASE_P(PrintToString,
+                        CustomStructNamingTest,
+                        Values(CustomStruct(0), CustomStruct(1)),
+                        ::testing::PrintToStringParamName());
+
+// Test that using a stateful parameter naming function works as expected.
+
+struct StatefulNamingFunctor {
+  StatefulNamingFunctor() : sum(0) {}
+  std::string operator()(const ::testing::TestParamInfo<int>& info) {
+    int value = info.param + sum;
+    sum += info.param;
+    return ::testing::PrintToString(value);
+  }
+  int sum;
+};
+
+class StatefulNamingTest : public ::testing::TestWithParam<int> {
+ protected:
+  StatefulNamingTest() : sum_(0) {}
+  int sum_;
+};
+
+TEST_P(StatefulNamingTest, TestsReportCorrectNames) {
+  const ::testing::TestInfo* const test_info =
+     ::testing::UnitTest::GetInstance()->current_test_info();
+  sum_ += GetParam();
+  Message test_name_stream;
+  test_name_stream << "TestsReportCorrectNames/" << sum_;
+  EXPECT_STREQ(test_name_stream.GetString().c_str(), test_info->name());
+}
+
+INSTANTIATE_TEST_CASE_P(StatefulNamingFunctor,
+                        StatefulNamingTest,
+                        Range(0, 5),
+                        StatefulNamingFunctor());
+
 // Class that cannot be streamed into an ostream.  It needs to be copyable
 // (and, in case of MSVC, also assignable) in order to be a test parameter
 // type.  Its default copy constructor and assignment operator do exactly
@@ -874,31 +1090,20 @@ TEST_F(ParameterizedDeathTest, GetParamDiesFromTestF) {
 
 INSTANTIATE_TEST_CASE_P(RangeZeroToFive, ParameterizedDerivedTest, Range(0, 5));
 
-#endif  // GTEST_HAS_PARAM_TEST
-
-TEST(CompileTest, CombineIsDefinedOnlyWhenGtestHasParamTestIsDefined) {
-#if GTEST_HAS_COMBINE && !GTEST_HAS_PARAM_TEST
-  FAIL() << "GTEST_HAS_COMBINE is defined while GTEST_HAS_PARAM_TEST is not\n"
-#endif
-}
 
 int main(int argc, char **argv) {
-#if GTEST_HAS_PARAM_TEST
   // Used in TestGenerationTest test case.
   AddGlobalTestEnvironment(TestGenerationTest::Environment::Instance());
   // Used in GeneratorEvaluationTest test case. Tests that the updated value
   // will be picked up for instantiating tests in GeneratorEvaluationTest.
   GeneratorEvaluationTest::set_param_value(1);
-#endif  // GTEST_HAS_PARAM_TEST
 
   ::testing::InitGoogleTest(&argc, argv);
 
-#if GTEST_HAS_PARAM_TEST
   // Used in GeneratorEvaluationTest test case. Tests that value updated
   // here will NOT be used for instantiating tests in
   // GeneratorEvaluationTest.
   GeneratorEvaluationTest::set_param_value(2);
-#endif  // GTEST_HAS_PARAM_TEST
 
   return RUN_ALL_TESTS();
 }
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-param-test_test.h b/security/nss/gtests/google_test/gtest/test/googletest-param-test-test.h
index 26ea122b1..632a61f49 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-param-test_test.h
+++ b/security/nss/gtests/google_test/gtest/test/googletest-param-test-test.h
@@ -27,9 +27,7 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: vladl@google.com (Vlad Losev)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 //
 // This header file provides classes and functions used internally
 // for testing Google Test itself.
@@ -39,8 +37,6 @@
 
 #include "gtest/gtest.h"
 
-#if GTEST_HAS_PARAM_TEST
-
 // Test fixture for testing definition and instantiation of a test
 // in separate translation units.
 class ExternalInstantiationTest : public ::testing::TestWithParam<int> {
@@ -52,6 +48,4 @@ class InstantiationInMultipleTranslaionUnitsTest
     : public ::testing::TestWithParam<int> {
 };
 
-#endif  // GTEST_HAS_PARAM_TEST
-
 #endif  // GTEST_TEST_GTEST_PARAM_TEST_TEST_H_
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-param-test2_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-param-test2-test.cc
index 4a782fe70..25bb945c2 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-param-test2_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-param-test2-test.cc
@@ -26,40 +26,36 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 //
 // Tests for Google Test itself.  This verifies that the basic constructs of
 // Google Test work.
 
 #include "gtest/gtest.h"
-
-#include "test/gtest-param-test_test.h"
-
-#if GTEST_HAS_PARAM_TEST
+#include "test/googletest-param-test-test.h"
 
 using ::testing::Values;
 using ::testing::internal::ParamGenerator;
 
 // Tests that generators defined in a different translation unit
 // are functional. The test using extern_gen is defined
-// in gtest-param-test_test.cc.
+// in googletest-param-test-test.cc.
 ParamGenerator<int> extern_gen = Values(33);
 
 // Tests that a parameterized test case can be defined in one translation unit
-// and instantiated in another. The test is defined in gtest-param-test_test.cc
-// and ExternalInstantiationTest fixture class is defined in
-// gtest-param-test_test.h.
+// and instantiated in another. The test is defined in
+// googletest-param-test-test.cc and ExternalInstantiationTest fixture class is
+// defined in gtest-param-test_test.h.
 INSTANTIATE_TEST_CASE_P(MultiplesOf33,
                         ExternalInstantiationTest,
                         Values(33, 66));
 
 // Tests that a parameterized test case can be instantiated
 // in multiple translation units. Another instantiation is defined
-// in gtest-param-test_test.cc and InstantiationInMultipleTranslaionUnitsTest
-// fixture is defined in gtest-param-test_test.h
+// in googletest-param-test-test.cc and
+// InstantiationInMultipleTranslaionUnitsTest fixture is defined in
+// gtest-param-test_test.h
 INSTANTIATE_TEST_CASE_P(Sequence2,
                         InstantiationInMultipleTranslaionUnitsTest,
                         Values(42*3, 42*4, 42*5));
 
-#endif  // GTEST_HAS_PARAM_TEST
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-port_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-port-test.cc
index 370c952b2..399316f95 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-port_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-port-test.cc
@@ -27,14 +27,11 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: vladl@google.com (Vlad Losev), wan@google.com (Zhanyong Wan)
-//
 // This file tests the internal cross-platform support utilities.
+#include <stdio.h>
 
 #include "gtest/internal/gtest-port.h"
 
-#include <stdio.h>
-
 #if GTEST_OS_MAC
 # include <time.h>
 #endif  // GTEST_OS_MAC
@@ -45,15 +42,7 @@
 
 #include "gtest/gtest.h"
 #include "gtest/gtest-spi.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick is to
-// prevent a user from accidentally including gtest-internal-inl.h in
-// his code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 using std::make_pair;
 using std::pair;
@@ -75,8 +64,8 @@ TEST(IsXDigitTest, WorksForNarrowAscii) {
 }
 
 TEST(IsXDigitTest, ReturnsFalseForNarrowNonAscii) {
-  EXPECT_FALSE(IsXDigit(static_cast<char>(0x80)));
-  EXPECT_FALSE(IsXDigit(static_cast<char>('0' | 0x80)));
+  EXPECT_FALSE(IsXDigit(static_cast<char>('\x80')));
+  EXPECT_FALSE(IsXDigit(static_cast<char>('0' | '\x80')));
 }
 
 TEST(IsXDigitTest, WorksForWideAscii) {
@@ -235,7 +224,7 @@ TEST(ScopedPtrTest, DefinesElementType) {
   StaticAssertTypeEq<int, ::testing::internal::scoped_ptr<int>::element_type>();
 }
 
-// TODO(vladl@google.com): Implement THE REST of scoped_ptr tests.
+// FIXME: Implement THE REST of scoped_ptr tests.
 
 TEST(GtestCheckSyntaxTest, BehavesLikeASingleStatement) {
   if (AlwaysFalse())
@@ -304,68 +293,61 @@ TEST(FormatCompilerIndependentFileLocationTest, FormatsUknownFileAndLine) {
   EXPECT_EQ("unknown file", FormatCompilerIndependentFileLocation(NULL, -1));
 }
 
-#if GTEST_OS_MAC || GTEST_OS_QNX
+#if GTEST_OS_LINUX || GTEST_OS_MAC || GTEST_OS_QNX || GTEST_OS_FUCHSIA
 void* ThreadFunc(void* data) {
-  pthread_mutex_t* mutex = static_cast<pthread_mutex_t*>(data);
-  pthread_mutex_lock(mutex);
-  pthread_mutex_unlock(mutex);
+  internal::Mutex* mutex = static_cast<internal::Mutex*>(data);
+  mutex->Lock();
+  mutex->Unlock();
   return NULL;
 }
 
 TEST(GetThreadCountTest, ReturnsCorrectValue) {
-  EXPECT_EQ(1U, GetThreadCount());
-  pthread_mutex_t mutex;
-  pthread_attr_t  attr;
+  const size_t starting_count = GetThreadCount();
   pthread_t       thread_id;
 
-  // TODO(vladl@google.com): turn mutex into internal::Mutex for automatic
-  // destruction.
-  pthread_mutex_init(&mutex, NULL);
-  pthread_mutex_lock(&mutex);
-  ASSERT_EQ(0, pthread_attr_init(&attr));
-  ASSERT_EQ(0, pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE));
-
-  const int status = pthread_create(&thread_id, &attr, &ThreadFunc, &mutex);
-  ASSERT_EQ(0, pthread_attr_destroy(&attr));
-  ASSERT_EQ(0, status);
-  EXPECT_EQ(2U, GetThreadCount());
-  pthread_mutex_unlock(&mutex);
+  internal::Mutex mutex;
+  {
+    internal::MutexLock lock(&mutex);
+    pthread_attr_t  attr;
+    ASSERT_EQ(0, pthread_attr_init(&attr));
+    ASSERT_EQ(0, pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE));
+
+    const int status = pthread_create(&thread_id, &attr, &ThreadFunc, &mutex);
+    ASSERT_EQ(0, pthread_attr_destroy(&attr));
+    ASSERT_EQ(0, status);
+    EXPECT_EQ(starting_count + 1, GetThreadCount());
+  }
 
   void* dummy;
   ASSERT_EQ(0, pthread_join(thread_id, &dummy));
 
-# if GTEST_OS_MAC
-
-  // MacOS X may not immediately report the updated thread count after
+  // The OS may not immediately report the updated thread count after
   // joining a thread, causing flakiness in this test. To counter that, we
   // wait for up to .5 seconds for the OS to report the correct value.
   for (int i = 0; i < 5; ++i) {
-    if (GetThreadCount() == 1)
+    if (GetThreadCount() == starting_count)
       break;
 
     SleepMilliseconds(100);
   }
 
-# endif  // GTEST_OS_MAC
-
-  EXPECT_EQ(1U, GetThreadCount());
-  pthread_mutex_destroy(&mutex);
+  EXPECT_EQ(starting_count, GetThreadCount());
 }
 #else
 TEST(GetThreadCountTest, ReturnsZeroWhenUnableToCountThreads) {
   EXPECT_EQ(0U, GetThreadCount());
 }
-#endif  // GTEST_OS_MAC || GTEST_OS_QNX
+#endif  // GTEST_OS_LINUX || GTEST_OS_MAC || GTEST_OS_QNX || GTEST_OS_FUCHSIA
 
 TEST(GtestCheckDeathTest, DiesWithCorrectOutputOnFailure) {
   const bool a_false_condition = false;
   const char regex[] =
 #ifdef _MSC_VER
-     "gtest-port_test\\.cc\\(\\d+\\):"
+     "googletest-port-test\\.cc\\(\\d+\\):"
 #elif GTEST_USES_POSIX_RE
-     "gtest-port_test\\.cc:[0-9]+"
+     "googletest-port-test\\.cc:[0-9]+"
 #else
-     "gtest-port_test\\.cc:\\d+"
+     "googletest-port-test\\.cc:\\d+"
 #endif  // _MSC_VER
      ".*a_false_condition.*Extra info.*";
 
@@ -389,15 +371,17 @@ TEST(GtestCheckDeathTest, LivesSilentlyOnSuccess) {
 // the platform. The test will produce compiler errors in case of failure.
 // For simplicity, we only cover the most important platforms here.
 TEST(RegexEngineSelectionTest, SelectsCorrectRegexEngine) {
-#if GTEST_HAS_POSIX_RE
+#if !GTEST_USES_PCRE
+# if GTEST_HAS_POSIX_RE
 
   EXPECT_TRUE(GTEST_USES_POSIX_RE);
 
-#else
+# else
 
   EXPECT_TRUE(GTEST_USES_SIMPLE_RE);
 
-#endif
+# endif
+#endif  // !GTEST_USES_PCRE
 }
 
 #if GTEST_USES_POSIX_RE
@@ -1214,16 +1198,16 @@ class DestructorTracker {
       : index_(GetNewIndex()) {}
   ~DestructorTracker() {
     // We never access DestructorCall::List() concurrently, so we don't need
-    // to protect this acccess with a mutex.
+    // to protect this access with a mutex.
     DestructorCall::List()[index_]->ReportDestroyed();
   }
 
  private:
-  static int GetNewIndex() {
+  static size_t GetNewIndex() {
     DestructorCall::List().push_back(new DestructorCall);
     return DestructorCall::List().size() - 1;
   }
-  const int index_;
+  const size_t index_;
 
   GTEST_DISALLOW_ASSIGN_(DestructorTracker);
 };
@@ -1240,25 +1224,18 @@ TEST(ThreadLocalTest, DestroysManagedObjectForOwnThreadWhenDying) {
   DestructorCall::ResetList();
 
   {
-    // The next line default constructs a DestructorTracker object as
-    // the default value of objects managed by thread_local_tracker.
     ThreadLocal<DestructorTracker> thread_local_tracker;
-    ASSERT_EQ(1U, DestructorCall::List().size());
-    ASSERT_FALSE(DestructorCall::List()[0]->CheckDestroyed());
+    ASSERT_EQ(0U, DestructorCall::List().size());
 
     // This creates another DestructorTracker object for the main thread.
     thread_local_tracker.get();
-    ASSERT_EQ(2U, DestructorCall::List().size());
+    ASSERT_EQ(1U, DestructorCall::List().size());
     ASSERT_FALSE(DestructorCall::List()[0]->CheckDestroyed());
-    ASSERT_FALSE(DestructorCall::List()[1]->CheckDestroyed());
   }
 
-  // Now thread_local_tracker has died.  It should have destroyed both the
-  // default value shared by all threads and the value for the main
-  // thread.
-  ASSERT_EQ(2U, DestructorCall::List().size());
+  // Now thread_local_tracker has died.
+  ASSERT_EQ(1U, DestructorCall::List().size());
   EXPECT_TRUE(DestructorCall::List()[0]->CheckDestroyed());
-  EXPECT_TRUE(DestructorCall::List()[1]->CheckDestroyed());
 
   DestructorCall::ResetList();
 }
@@ -1269,29 +1246,22 @@ TEST(ThreadLocalTest, DestroysManagedObjectAtThreadExit) {
   DestructorCall::ResetList();
 
   {
-    // The next line default constructs a DestructorTracker object as
-    // the default value of objects managed by thread_local_tracker.
     ThreadLocal<DestructorTracker> thread_local_tracker;
-    ASSERT_EQ(1U, DestructorCall::List().size());
-    ASSERT_FALSE(DestructorCall::List()[0]->CheckDestroyed());
+    ASSERT_EQ(0U, DestructorCall::List().size());
 
     // This creates another DestructorTracker object in the new thread.
     ThreadWithParam<ThreadParam> thread(
         &CallThreadLocalGet, &thread_local_tracker, NULL);
     thread.Join();
 
-    // The thread has exited, and we should have another DestroyedTracker
+    // The thread has exited, and we should have a DestroyedTracker
     // instance created for it. But it may not have been destroyed yet.
-    // The instance for the main thread should still persist.
-    ASSERT_EQ(2U, DestructorCall::List().size());
-    ASSERT_FALSE(DestructorCall::List()[0]->CheckDestroyed());
+    ASSERT_EQ(1U, DestructorCall::List().size());
   }
 
-  // The thread has exited and thread_local_tracker has died.  The default
-  // value should have been destroyed too.
-  ASSERT_EQ(2U, DestructorCall::List().size());
+  // The thread has exited and thread_local_tracker has died.
+  ASSERT_EQ(1U, DestructorCall::List().size());
   EXPECT_TRUE(DestructorCall::List()[0]->CheckDestroyed());
-  EXPECT_TRUE(DestructorCall::List()[1]->CheckDestroyed());
 
   DestructorCall::ResetList();
 }
@@ -1314,9 +1284,16 @@ TEST(WindowsTypesTest, HANDLEIsVoidStar) {
   StaticAssertTypeEq<HANDLE, void*>();
 }
 
+#if GTEST_OS_WINDOWS_MINGW && !defined(__MINGW64_VERSION_MAJOR)
+TEST(WindowsTypesTest, _CRITICAL_SECTIONIs_CRITICAL_SECTION) {
+  StaticAssertTypeEq<CRITICAL_SECTION, _CRITICAL_SECTION>();
+}
+#else
 TEST(WindowsTypesTest, CRITICAL_SECTIONIs_RTL_CRITICAL_SECTION) {
   StaticAssertTypeEq<CRITICAL_SECTION, _RTL_CRITICAL_SECTION>();
 }
+#endif
+
 #endif  // GTEST_OS_WINDOWS
 
 }  // namespace internal
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-printers_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-printers-test.cc
index 7b07fd105..ea8369d27 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-printers_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-printers-test.cc
@@ -26,15 +26,12 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
-// Google Test - The Google C++ Testing Framework
+
+// Google Test - The Google C++ Testing and Mocking Framework
 //
 // This file tests the universal value printer.
 
-#include "gtest/gtest-printers.h"
-
 #include <ctype.h>
 #include <limits.h>
 #include <string.h>
@@ -48,15 +45,20 @@
 #include <utility>
 #include <vector>
 
+#include "gtest/gtest-printers.h"
 #include "gtest/gtest.h"
 
-// hash_map and hash_set are available under Visual C++.
-#if _MSC_VER
-# define GTEST_HAS_HASH_MAP_ 1  // Indicates that hash_map is available.
-# include <hash_map>            // NOLINT
-# define GTEST_HAS_HASH_SET_ 1  // Indicates that hash_set is available.
-# include <hash_set>            // NOLINT
-#endif  // GTEST_OS_WINDOWS
+#if GTEST_HAS_UNORDERED_MAP_
+# include <unordered_map>  // NOLINT
+#endif  // GTEST_HAS_UNORDERED_MAP_
+
+#if GTEST_HAS_UNORDERED_SET_
+# include <unordered_set>  // NOLINT
+#endif  // GTEST_HAS_UNORDERED_SET_
+
+#if GTEST_HAS_STD_FORWARD_LIST_
+# include <forward_list> // NOLINT
+#endif  // GTEST_HAS_STD_FORWARD_LIST_
 
 // Some user-defined types for testing the universal value printer.
 
@@ -183,6 +185,25 @@ inline ::std::ostream& operator<<(::std::ostream& os,
   return os << "StreamableTemplateInFoo: " << x.value();
 }
 
+// A user-defined streamable but recursivly-defined container type in
+// a user namespace, it mimics therefore std::filesystem::path or
+// boost::filesystem::path.
+class PathLike {
+ public:
+  struct iterator {
+    typedef PathLike value_type;
+  };
+
+  PathLike() {}
+
+  iterator begin() const { return iterator(); }
+  iterator end() const { return iterator(); }
+
+  friend ::std::ostream& operator<<(::std::ostream& os, const PathLike&) {
+    return os << "Streamable-PathLike";
+  }
+};
+
 }  // namespace foo
 
 namespace testing {
@@ -207,28 +228,14 @@ using ::testing::internal::Strings;
 using ::testing::internal::UniversalPrint;
 using ::testing::internal::UniversalPrinter;
 using ::testing::internal::UniversalTersePrint;
+#if GTEST_HAS_TR1_TUPLE || GTEST_HAS_STD_TUPLE_
 using ::testing::internal::UniversalTersePrintTupleFieldsToStrings;
-using ::testing::internal::string;
-
-// The hash_* classes are not part of the C++ standard.  STLport
-// defines them in namespace std.  MSVC defines them in ::stdext.  GCC
-// defines them in ::.
-#ifdef _STLP_HASH_MAP  // We got <hash_map> from STLport.
-using ::std::hash_map;
-using ::std::hash_set;
-using ::std::hash_multimap;
-using ::std::hash_multiset;
-#elif _MSC_VER
-using ::stdext::hash_map;
-using ::stdext::hash_set;
-using ::stdext::hash_multimap;
-using ::stdext::hash_multiset;
 #endif
 
 // Prints a value to a string using the universal value printer.  This
 // is a helper for testing UniversalPrinter<T>::Print() for various types.
 template <typename T>
-string Print(const T& value) {
+std::string Print(const T& value) {
   ::std::stringstream ss;
   UniversalPrinter<T>::Print(value, &ss);
   return ss.str();
@@ -238,7 +245,7 @@ string Print(const T& value) {
 // value printer.  This is a helper for testing
 // UniversalPrinter<T&>::Print() for various types.
 template <typename T>
-string PrintByRef(const T& value) {
+std::string PrintByRef(const T& value) {
   ::std::stringstream ss;
   UniversalPrinter<T&>::Print(value, &ss);
   return ss.str();
@@ -375,7 +382,7 @@ TEST(PrintBuiltInTypeTest, FloatingPoints) {
 // Since ::std::stringstream::operator<<(const void *) formats the pointer
 // output differently with different compilers, we have to create the expected
 // output first and use it as our expectation.
-static string PrintPointer(const void *p) {
+static std::string PrintPointer(const void* p) {
   ::std::stringstream expected_result_stream;
   expected_result_stream << p;
   return expected_result_stream.str();
@@ -563,7 +570,7 @@ struct Foo {
 TEST(PrintPointerTest, MemberVariablePointer) {
   EXPECT_TRUE(HasPrefix(Print(&Foo::value),
                         Print(sizeof(&Foo::value)) + "-byte object "));
-  int (Foo::*p) = NULL;  // NOLINT
+  int Foo::*p = NULL;  // NOLINT
   EXPECT_TRUE(HasPrefix(Print(p),
                         Print(sizeof(p)) + "-byte object "));
 }
@@ -588,7 +595,7 @@ TEST(PrintPointerTest, MemberFunctionPointer) {
 // The difference between this and Print() is that it ensures that the
 // argument is a reference to an array.
 template <typename T, size_t N>
-string PrintArrayHelper(T (&a)[N]) {
+std::string PrintArrayHelper(T (&a)[N]) {
   return Print(a);
 }
 
@@ -641,7 +648,7 @@ TEST(PrintArrayTest, WConstCharArrayWithTerminatingNul) {
 
 // Array of objects.
 TEST(PrintArrayTest, ObjectArray) {
-  string a[3] = { "Hi", "Hello", "Ni hao" };
+  std::string a[3] = {"Hi", "Hello", "Ni hao"};
   EXPECT_EQ("{ \"Hi\", \"Hello\", \"Ni hao\" }", PrintArrayHelper(a));
 }
 
@@ -778,22 +785,22 @@ TEST(PrintTypeWithGenericStreamingTest, TypeImplicitlyConvertible) {
   EXPECT_EQ("AllowsGenericStreamingAndImplicitConversionTemplate", Print(a));
 }
 
-#if GTEST_HAS_STRING_PIECE_
+#if GTEST_HAS_ABSL
 
-// Tests printing StringPiece.
+// Tests printing ::absl::string_view.
 
-TEST(PrintStringPieceTest, SimpleStringPiece) {
-  const StringPiece sp = "Hello";
+TEST(PrintStringViewTest, SimpleStringView) {
+  const ::absl::string_view sp = "Hello";
   EXPECT_EQ("\"Hello\"", Print(sp));
 }
 
-TEST(PrintStringPieceTest, UnprintableCharacters) {
+TEST(PrintStringViewTest, UnprintableCharacters) {
   const char str[] = "NUL (\0) and \r\t";
-  const StringPiece sp(str, sizeof(str) - 1);
+  const ::absl::string_view sp(str, sizeof(str) - 1);
   EXPECT_EQ("\"NUL (\\0) and \\r\\t\"", Print(sp));
 }
 
-#endif  // GTEST_HAS_STRING_PIECE_
+#endif  // GTEST_HAS_ABSL
 
 // Tests printing STL containers.
 
@@ -809,44 +816,44 @@ TEST(PrintStlContainerTest, NonEmptyDeque) {
   EXPECT_EQ("{ 1, 3 }", Print(non_empty));
 }
 
-#if GTEST_HAS_HASH_MAP_
+#if GTEST_HAS_UNORDERED_MAP_
 
 TEST(PrintStlContainerTest, OneElementHashMap) {
-  hash_map<int, char> map1;
+  ::std::unordered_map<int, char> map1;
   map1[1] = 'a';
   EXPECT_EQ("{ (1, 'a' (97, 0x61)) }", Print(map1));
 }
 
 TEST(PrintStlContainerTest, HashMultiMap) {
-  hash_multimap<int, bool> map1;
+  ::std::unordered_multimap<int, bool> map1;
   map1.insert(make_pair(5, true));
   map1.insert(make_pair(5, false));
 
   // Elements of hash_multimap can be printed in any order.
-  const string result = Print(map1);
+  const std::string result = Print(map1);
   EXPECT_TRUE(result == "{ (5, true), (5, false) }" ||
               result == "{ (5, false), (5, true) }")
                   << " where Print(map1) returns \"" << result << "\".";
 }
 
-#endif  // GTEST_HAS_HASH_MAP_
+#endif  // GTEST_HAS_UNORDERED_MAP_
 
-#if GTEST_HAS_HASH_SET_
+#if GTEST_HAS_UNORDERED_SET_
 
 TEST(PrintStlContainerTest, HashSet) {
-  hash_set<string> set1;
-  set1.insert("hello");
-  EXPECT_EQ("{ \"hello\" }", Print(set1));
+  ::std::unordered_set<int> set1;
+  set1.insert(1);
+  EXPECT_EQ("{ 1 }", Print(set1));
 }
 
 TEST(PrintStlContainerTest, HashMultiSet) {
   const int kSize = 5;
   int a[kSize] = { 1, 1, 2, 5, 1 };
-  hash_multiset<int> set1(a, a + kSize);
+  ::std::unordered_multiset<int> set1(a, a + kSize);
 
   // Elements of hash_multiset can be printed in any order.
-  const string result = Print(set1);
-  const string expected_pattern = "{ d, d, d, d, d }";  // d means a digit.
+  const std::string result = Print(set1);
+  const std::string expected_pattern = "{ d, d, d, d, d }";  // d means a digit.
 
   // Verifies the result matches the expected pattern; also extracts
   // the numbers in the result.
@@ -868,14 +875,11 @@ TEST(PrintStlContainerTest, HashMultiSet) {
   EXPECT_TRUE(std::equal(a, a + kSize, numbers.begin()));
 }
 
-#endif  // GTEST_HAS_HASH_SET_
+#endif  //  GTEST_HAS_UNORDERED_SET_
 
 TEST(PrintStlContainerTest, List) {
-  const string a[] = {
-    "hello",
-    "world"
-  };
-  const list<string> strings(a, a + 2);
+  const std::string a[] = {"hello", "world"};
+  const list<std::string> strings(a, a + 2);
   EXPECT_EQ("{ \"hello\", \"world\" }", Print(strings));
 }
 
@@ -913,6 +917,15 @@ TEST(PrintStlContainerTest, MultiSet) {
   EXPECT_EQ("{ 1, 1, 1, 2, 5 }", Print(set1));
 }
 
+#if GTEST_HAS_STD_FORWARD_LIST_
+
+TEST(PrintStlContainerTest, SinglyLinkedList) {
+  int a[] = { 9, 2, 8 };
+  const std::forward_list<int> ints(a, a + 3);
+  EXPECT_EQ("{ 9, 2, 8 }", Print(ints));
+}
+#endif  // GTEST_HAS_STD_FORWARD_LIST_
+
 TEST(PrintStlContainerTest, Pair) {
   pair<const bool, int> p(true, 5);
   EXPECT_EQ("(true, 5)", Print(p));
@@ -1020,8 +1033,9 @@ TEST(PrintTr1TupleTest, VariousSizes) {
   // VC++ 2010's implementation of tuple of C++0x is deficient, requiring
   // an explicit type cast of NULL to be used.
   ::std::tr1::tuple<bool, char, short, testing::internal::Int32,  // NOLINT
-      testing::internal::Int64, float, double, const char*, void*, string>
-      t10(false, 'a', 3, 4, 5, 1.5F, -2.5, str,
+                    testing::internal::Int64, float, double, const char*, void*,
+                    std::string>
+      t10(false, 'a', static_cast<short>(3), 4, 5, 1.5F, -2.5, str,  // NOLINT
           ImplicitCast_<void*>(NULL), "10");
   EXPECT_EQ("(false, 'a' (97, 0x61), 3, 4, 5, 1.5, -2.5, " + PrintPointer(str) +
             " pointing to \"8\", NULL, \"10\")",
@@ -1037,7 +1051,7 @@ TEST(PrintTr1TupleTest, NestedTuple) {
 
 #endif  // GTEST_HAS_TR1_TUPLE
 
-#if GTEST_LANG_CXX11
+#if GTEST_HAS_STD_TUPLE_
 // Tests printing ::std::tuples.
 
 // Tuples of various arities.
@@ -1079,8 +1093,9 @@ TEST(PrintStdTupleTest, VariousSizes) {
   // VC++ 2010's implementation of tuple of C++0x is deficient, requiring
   // an explicit type cast of NULL to be used.
   ::std::tuple<bool, char, short, testing::internal::Int32,  // NOLINT
-      testing::internal::Int64, float, double, const char*, void*, string>
-      t10(false, 'a', 3, 4, 5, 1.5F, -2.5, str,
+               testing::internal::Int64, float, double, const char*, void*,
+               std::string>
+      t10(false, 'a', static_cast<short>(3), 4, 5, 1.5F, -2.5, str,  // NOLINT
           ImplicitCast_<void*>(NULL), "10");
   EXPECT_EQ("(false, 'a' (97, 0x61), 3, 4, 5, 1.5, -2.5, " + PrintPointer(str) +
             " pointing to \"8\", NULL, \"10\")",
@@ -1096,6 +1111,12 @@ TEST(PrintStdTupleTest, NestedTuple) {
 
 #endif  // GTEST_LANG_CXX11
 
+#if GTEST_LANG_CXX11
+TEST(PrintNullptrT, Basic) {
+  EXPECT_EQ("(nullptr)", Print(nullptr));
+}
+#endif  // GTEST_LANG_CXX11
+
 // Tests printing user-defined unprintable types.
 
 // Unprintable types in the global namespace.
@@ -1143,6 +1164,15 @@ TEST(PrintStreamableTypeTest, TemplateTypeInUserNamespace) {
             Print(::foo::StreamableTemplateInFoo<int>()));
 }
 
+// Tests printing a user-defined recursive container type that has a <<
+// operator.
+TEST(PrintStreamableTypeTest, PathLikeInUserNamespace) {
+  ::foo::PathLike x;
+  EXPECT_EQ("Streamable-PathLike", Print(x));
+  const ::foo::PathLike cx;
+  EXPECT_EQ("Streamable-PathLike", Print(cx));
+}
+
 // Tests printing user-defined types that have a PrintTo() function.
 TEST(PrintPrintableTypeTest, InUserNamespace) {
   EXPECT_EQ("PrintableViaPrintTo: 0",
@@ -1162,37 +1192,6 @@ TEST(PrintPrintableTypeTest, TemplateInUserNamespace) {
             Print(::foo::PrintableViaPrintToTemplate<int>(5)));
 }
 
-#if GTEST_HAS_PROTOBUF_
-
-// Tests printing a short proto2 message.
-TEST(PrintProto2MessageTest, PrintsShortDebugStringWhenItIsShort) {
-  testing::internal::FooMessage msg;
-  msg.set_int_field(2);
-  msg.set_string_field("hello");
-  EXPECT_PRED2(RE::FullMatch, Print(msg),
-               "<int_field:\\s*2\\s+string_field:\\s*\"hello\">");
-}
-
-// Tests printing a long proto2 message.
-TEST(PrintProto2MessageTest, PrintsDebugStringWhenItIsLong) {
-  testing::internal::FooMessage msg;
-  msg.set_int_field(2);
-  msg.set_string_field("hello");
-  msg.add_names("peter");
-  msg.add_names("paul");
-  msg.add_names("mary");
-  EXPECT_PRED2(RE::FullMatch, Print(msg),
-               "<\n"
-               "int_field:\\s*2\n"
-               "string_field:\\s*\"hello\"\n"
-               "names:\\s*\"peter\"\n"
-               "names:\\s*\"paul\"\n"
-               "names:\\s*\"mary\"\n"
-               ">");
-}
-
-#endif  // GTEST_HAS_PROTOBUF_
-
 // Tests that the universal printer prints both the address and the
 // value of a reference.
 TEST(PrintReferenceTest, PrintsAddressAndValue) {
@@ -1216,13 +1215,13 @@ TEST(PrintReferenceTest, PrintsAddressAndValue) {
 // reference.
 TEST(PrintReferenceTest, HandlesFunctionPointer) {
   void (*fp)(int n) = &MyFunction;
-  const string fp_pointer_string =
+  const std::string fp_pointer_string =
       PrintPointer(reinterpret_cast<const void*>(&fp));
   // We cannot directly cast &MyFunction to const void* because the
   // standard disallows casting between pointers to functions and
   // pointers to objects, and some compilers (e.g. GCC 3.4) enforce
   // this limitation.
-  const string fp_string = PrintPointer(reinterpret_cast<const void*>(
+  const std::string fp_string = PrintPointer(reinterpret_cast<const void*>(
       reinterpret_cast<internal::BiggestInt>(fp)));
   EXPECT_EQ("@" + fp_pointer_string + " " + fp_string,
             PrintByRef(fp));
@@ -1247,7 +1246,7 @@ TEST(PrintReferenceTest, HandlesMemberFunctionPointer) {
 // Tests that the universal printer prints a member variable pointer
 // passed by reference.
 TEST(PrintReferenceTest, HandlesMemberVariablePointer) {
-  int (Foo::*p) = &Foo::value;  // NOLINT
+  int Foo::*p = &Foo::value;  // NOLINT
   EXPECT_TRUE(HasPrefix(
       PrintByRef(p),
       "@" + PrintPointer(&p) + " " + Print(sizeof(p)) + "-byte object "));
@@ -1280,7 +1279,7 @@ TEST(FormatForComparisonFailureMessageTest, FormatsNonCharArrayAsPointer) {
 }
 
 // Tests formatting a char pointer when it's compared with another pointer.
-// In this case we want to print it as a raw pointer, as the comparision is by
+// In this case we want to print it as a raw pointer, as the comparison is by
 // pointer.
 
 // char pointer vs pointer
@@ -1505,6 +1504,78 @@ TEST(PrintToStringTest, WorksForCharArrayWithEmbeddedNul) {
   EXPECT_PRINT_TO_STRING_(mutable_str_with_nul, "\"hello\\0 world\"");
 }
 
+  TEST(PrintToStringTest, ContainsNonLatin) {
+  // Sanity test with valid UTF-8. Prints both in hex and as text.
+  std::string non_ascii_str = ::std::string("오전 4:30");
+  EXPECT_PRINT_TO_STRING_(non_ascii_str,
+                          "\"\\xEC\\x98\\xA4\\xEC\\xA0\\x84 4:30\"\n"
+                          "    As Text: \"오전 4:30\"");
+  non_ascii_str = ::std::string("From ä — ẑ");
+  EXPECT_PRINT_TO_STRING_(non_ascii_str,
+                          "\"From \\xC3\\xA4 \\xE2\\x80\\x94 \\xE1\\xBA\\x91\""
+                          "\n    As Text: \"From ä — ẑ\"");
+}
+
+TEST(IsValidUTF8Test, IllFormedUTF8) {
+  // The following test strings are ill-formed UTF-8 and are printed
+  // as hex only (or ASCII, in case of ASCII bytes) because IsValidUTF8() is
+  // expected to fail, thus output does not contain "As Text:".
+
+  static const char *const kTestdata[][2] = {
+    // 2-byte lead byte followed by a single-byte character.
+    {"\xC3\x74", "\"\\xC3t\""},
+    // Valid 2-byte character followed by an orphan trail byte.
+    {"\xC3\x84\xA4", "\"\\xC3\\x84\\xA4\""},
+    // Lead byte without trail byte.
+    {"abc\xC3", "\"abc\\xC3\""},
+    // 3-byte lead byte, single-byte character, orphan trail byte.
+    {"x\xE2\x70\x94", "\"x\\xE2p\\x94\""},
+    // Truncated 3-byte character.
+    {"\xE2\x80", "\"\\xE2\\x80\""},
+    // Truncated 3-byte character followed by valid 2-byte char.
+    {"\xE2\x80\xC3\x84", "\"\\xE2\\x80\\xC3\\x84\""},
+    // Truncated 3-byte character followed by a single-byte character.
+    {"\xE2\x80\x7A", "\"\\xE2\\x80z\""},
+    // 3-byte lead byte followed by valid 3-byte character.
+    {"\xE2\xE2\x80\x94", "\"\\xE2\\xE2\\x80\\x94\""},
+    // 4-byte lead byte followed by valid 3-byte character.
+    {"\xF0\xE2\x80\x94", "\"\\xF0\\xE2\\x80\\x94\""},
+    // Truncated 4-byte character.
+    {"\xF0\xE2\x80", "\"\\xF0\\xE2\\x80\""},
+     // Invalid UTF-8 byte sequences embedded in other chars.
+    {"abc\xE2\x80\x94\xC3\x74xyc", "\"abc\\xE2\\x80\\x94\\xC3txyc\""},
+    {"abc\xC3\x84\xE2\x80\xC3\x84xyz",
+     "\"abc\\xC3\\x84\\xE2\\x80\\xC3\\x84xyz\""},
+    // Non-shortest UTF-8 byte sequences are also ill-formed.
+    // The classics: xC0, xC1 lead byte.
+    {"\xC0\x80", "\"\\xC0\\x80\""},
+    {"\xC1\x81", "\"\\xC1\\x81\""},
+    // Non-shortest sequences.
+    {"\xE0\x80\x80", "\"\\xE0\\x80\\x80\""},
+    {"\xf0\x80\x80\x80", "\"\\xF0\\x80\\x80\\x80\""},
+    // Last valid code point before surrogate range, should be printed as text,
+    // too.
+    {"\xED\x9F\xBF", "\"\\xED\\x9F\\xBF\"\n    As Text: \"퟿\""},
+    // Start of surrogate lead. Surrogates are not printed as text.
+    {"\xED\xA0\x80", "\"\\xED\\xA0\\x80\""},
+    // Last non-private surrogate lead.
+    {"\xED\xAD\xBF", "\"\\xED\\xAD\\xBF\""},
+    // First private-use surrogate lead.
+    {"\xED\xAE\x80", "\"\\xED\\xAE\\x80\""},
+    // Last private-use surrogate lead.
+    {"\xED\xAF\xBF", "\"\\xED\\xAF\\xBF\""},
+    // Mid-point of surrogate trail.
+    {"\xED\xB3\xBF", "\"\\xED\\xB3\\xBF\""},
+    // First valid code point after surrogate range, should be printed as text,
+    // too.
+    {"\xEE\x80\x80", "\"\\xEE\\x80\\x80\"\n    As Text: \"\""}
+  };
+
+  for (int i = 0; i < int(sizeof(kTestdata)/sizeof(kTestdata[0])); ++i) {
+    EXPECT_PRINT_TO_STRING_(kTestdata[i][0], kTestdata[i][1]);
+  }
+}
+
 #undef EXPECT_PRINT_TO_STRING_
 
 TEST(UniversalTersePrintTest, WorksForNonReference) {
@@ -1554,12 +1625,12 @@ TEST(UniversalPrintTest, WorksForCString) {
   const char* s1 = "abc";
   ::std::stringstream ss1;
   UniversalPrint(s1, &ss1);
-  EXPECT_EQ(PrintPointer(s1) + " pointing to \"abc\"", string(ss1.str()));
+  EXPECT_EQ(PrintPointer(s1) + " pointing to \"abc\"", std::string(ss1.str()));
 
   char* s2 = const_cast<char*>(s1);
   ::std::stringstream ss2;
   UniversalPrint(s2, &ss2);
-  EXPECT_EQ(PrintPointer(s2) + " pointing to \"abc\"", string(ss2.str()));
+  EXPECT_EQ(PrintPointer(s2) + " pointing to \"abc\"", std::string(ss2.str()));
 
   const char* s3 = NULL;
   ::std::stringstream ss3;
@@ -1646,6 +1717,32 @@ TEST(UniversalTersePrintTupleFieldsToStringsTestWithStd, PrintsTersely) {
 
 #endif  // GTEST_HAS_STD_TUPLE_
 
+#if GTEST_HAS_ABSL
+
+TEST(PrintOptionalTest, Basic) {
+  absl::optional<int> value;
+  EXPECT_EQ("(nullopt)", PrintToString(value));
+  value = {7};
+  EXPECT_EQ("(7)", PrintToString(value));
+  EXPECT_EQ("(1.1)", PrintToString(absl::optional<double>{1.1}));
+  EXPECT_EQ("(\"A\")", PrintToString(absl::optional<std::string>{"A"}));
+}
+
+struct NonPrintable {
+  unsigned char contents = 17;
+};
+
+TEST(PrintOneofTest, Basic) {
+  using Type = absl::variant<int, StreamableInGlobal, NonPrintable>;
+  EXPECT_EQ("('int' with value 7)", PrintToString(Type(7)));
+  EXPECT_EQ("('StreamableInGlobal' with value StreamableInGlobal)",
+            PrintToString(Type(StreamableInGlobal{})));
+  EXPECT_EQ(
+      "('testing::gtest_printers_test::NonPrintable' with value 1-byte object "
+      "<11>)",
+      PrintToString(Type(NonPrintable{})));
+}
+#endif  // GTEST_HAS_ABSL
+
 }  // namespace gtest_printers_test
 }  // namespace testing
-
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_shuffle_test.py b/security/nss/gtests/google_test/gtest/test/googletest-shuffle-test.py
index 30d0303d1..573cc5eca 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_shuffle_test.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-shuffle-test.py
@@ -30,13 +30,11 @@
 
 """Verifies that test shuffling works."""
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
-
 import os
 import gtest_test_utils
 
-# Command to run the gtest_shuffle_test_ program.
-COMMAND = gtest_test_utils.GetTestExecutablePath('gtest_shuffle_test_')
+# Command to run the googletest-shuffle-test_ program.
+COMMAND = gtest_test_utils.GetTestExecutablePath('googletest-shuffle-test_')
 
 # The environment variables for test sharding.
 TOTAL_SHARDS_ENV_VAR = 'GTEST_TOTAL_SHARDS'
@@ -89,7 +87,7 @@ def GetTestsForAllIterations(extra_env, args):
 
   Args:
     extra_env: a map from environment variables to their values
-    args: command line flags to pass to gtest_shuffle_test_
+    args: command line flags to pass to googletest-shuffle-test_
 
   Returns:
     A list where the i-th element is the list of tests run in the i-th
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_shuffle_test_.cc b/security/nss/gtests/google_test/gtest/test/googletest-shuffle-test_.cc
index 6fb441bd4..1fe5f6aba 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_shuffle_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-shuffle-test_.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Verifies that test shuffling works.
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-test-part_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-test-part-test.cc
index ca8ba933a..cd2d6f9e8 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-test-part_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-test-part-test.cc
@@ -26,9 +26,6 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: mheule@google.com (Markus Heule)
-//
 
 #include "gtest/gtest-test-part.h"
 
@@ -203,6 +200,6 @@ TEST_F(TestPartResultArrayDeathTest, DiesWhenIndexIsOutOfBound) {
   EXPECT_DEATH_IF_SUPPORTED(results.GetTestPartResult(1), "");
 }
 
-// TODO(mheule@google.com): Add a test for the class HasNewFatalFailureHelper.
+// FIXME: Add a test for the class HasNewFatalFailureHelper.
 
 }  // namespace
diff --git a/security/nss/gtests/google_test/gtest/test/googletest-test2_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-test2_test.cc
new file mode 100644
index 000000000..c2f98dc7d
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/googletest-test2_test.cc
@@ -0,0 +1,61 @@
+// Copyright 2008, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+//
+// Tests for Google Test itself.  This verifies that the basic constructs of
+// Google Test work.
+
+#include "gtest/gtest.h"
+#include "googletest-param-test-test.h"
+
+using ::testing::Values;
+using ::testing::internal::ParamGenerator;
+
+// Tests that generators defined in a different translation unit
+// are functional. The test using extern_gen_2 is defined
+// in googletest-param-test-test.cc.
+ParamGenerator<int> extern_gen_2 = Values(33);
+
+// Tests that a parameterized test case can be defined in one translation unit
+// and instantiated in another. The test is defined in
+// googletest-param-test-test.cc and ExternalInstantiationTest fixture class is
+// defined in gtest-param-test_test.h.
+INSTANTIATE_TEST_CASE_P(MultiplesOf33,
+                        ExternalInstantiationTest,
+                        Values(33, 66));
+
+// Tests that a parameterized test case can be instantiated
+// in multiple translation units. Another instantiation is defined
+// in googletest-param-test-test.cc and
+// InstantiationInMultipleTranslaionUnitsTest fixture is defined in
+// gtest-param-test_test.h
+INSTANTIATE_TEST_CASE_P(Sequence2,
+                        InstantiationInMultipleTranslaionUnitsTest,
+                        Values(42*3, 42*4, 42*5));
+
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_throw_on_failure_test.py b/security/nss/gtests/google_test/gtest/test/googletest-throw-on-failure-test.py
index 5678ffeaf..46cb9f6da 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_throw_on_failure_test.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-throw-on-failure-test.py
@@ -31,12 +31,10 @@
 
 """Tests Google Test's throw-on-failure mode with exceptions disabled.
 
-This script invokes gtest_throw_on_failure_test_ (a program written with
+This script invokes googletest-throw-on-failure-test_ (a program written with
 Google Test) with different environments and command line flags.
 """
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
-
 import os
 import gtest_test_utils
 
@@ -46,10 +44,10 @@ import gtest_test_utils
 # The command line flag for enabling/disabling the throw-on-failure mode.
 THROW_ON_FAILURE = 'gtest_throw_on_failure'
 
-# Path to the gtest_throw_on_failure_test_ program, compiled with
+# Path to the googletest-throw-on-failure-test_ program, compiled with
 # exceptions disabled.
 EXE_PATH = gtest_test_utils.GetTestExecutablePath(
-    'gtest_throw_on_failure_test_')
+    'googletest-throw-on-failure-test_')
 
 
 # Utilities.
@@ -75,13 +73,13 @@ def Run(command):
   return p.exited and p.exit_code == 0
 
 
-# The tests.  TODO(wan@google.com): refactor the class to share common
-# logic with code in gtest_break_on_failure_unittest.py.
+# The tests.  FIXME: refactor the class to share common
+# logic with code in googletest-break-on-failure-unittest.py.
 class ThrowOnFailureTest(gtest_test_utils.TestCase):
   """Tests the throw-on-failure mode."""
 
   def RunAndVerify(self, env_var_value, flag_value, should_fail):
-    """Runs gtest_throw_on_failure_test_ and verifies that it does
+    """Runs googletest-throw-on-failure-test_ and verifies that it does
     (or does not) exit with a non-zero code.
 
     Args:
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_throw_on_failure_test_.cc b/security/nss/gtests/google_test/gtest/test/googletest-throw-on-failure-test_.cc
index 2b88fe3d9..f9a2c6448 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_throw_on_failure_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-throw-on-failure-test_.cc
@@ -26,13 +26,12 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Tests Google Test's throw-on-failure mode with exceptions disabled.
 //
 // This program must be compiled with exceptions disabled.  It will be
-// invoked by gtest_throw_on_failure_test.py, and is expected to exit
+// invoked by googletest-throw-on-failure-test.py, and is expected to exit
 // with non-zero in the throw-on-failure mode or 0 otherwise.
 
 #include "gtest/gtest.h"
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-tuple_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-tuple-test.cc
index bfaa3e0ac..dd82c160f 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-tuple_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-tuple-test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 #include "gtest/internal/gtest-tuple.h"
 #include <utility>
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_uninitialized_test.py b/security/nss/gtests/google_test/gtest/test/googletest-uninitialized-test.py
index 6ae57eeed..5b7d1e74f 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_uninitialized_test.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-uninitialized-test.py
@@ -31,12 +31,9 @@
 
 """Verifies that Google Test warns the user when not initialized properly."""
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
-
 import gtest_test_utils
 
-
-COMMAND = gtest_test_utils.GetTestExecutablePath('gtest_uninitialized_test_')
+COMMAND = gtest_test_utils.GetTestExecutablePath('googletest-uninitialized-test_')
 
 
 def Assert(condition):
@@ -56,8 +53,8 @@ def TestExitCodeAndOutput(command):
 
   # Verifies that 'command' exits with code 1.
   p = gtest_test_utils.Subprocess(command)
-  Assert(p.exited)
-  AssertEq(1, p.exit_code)
+  if p.exited and p.exit_code == 0:
+    Assert('IMPORTANT NOTICE' in p.output);
   Assert('InitGoogleTest' in p.output)
 
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_uninitialized_test_.cc b/security/nss/gtests/google_test/gtest/test/googletest-uninitialized-test_.cc
index 44316987f..b4434d51e 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_uninitialized_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-uninitialized-test_.cc
@@ -26,16 +26,15 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 #include "gtest/gtest.h"
 
 TEST(DummyTest, Dummy) {
   // This test doesn't verify anything.  We just need it to create a
   // realistic stage for testing the behavior of Google Test when
-  // RUN_ALL_TESTS() is called without testing::InitGoogleTest() being
-  // called first.
+  // RUN_ALL_TESTS() is called without
+  // testing::InitGoogleTest() being called first.
 }
 
 int main() {
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-typed-test2_test.cc b/security/nss/gtests/google_test/gtest/test/gtest-typed-test2_test.cc
index c284700b0..ed96421c6 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-typed-test2_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest-typed-test2_test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 #include <vector>
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-typed-test_test.cc b/security/nss/gtests/google_test/gtest/test/gtest-typed-test_test.cc
index c3e66c2db..4e398697d 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-typed-test_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest-typed-test_test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 #include "test/gtest-typed-test_test.h"
 
@@ -36,6 +35,10 @@
 
 #include "gtest/gtest.h"
 
+#if _MSC_VER
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4127 /* conditional expression is constant */)
+#endif  //  _MSC_VER
+
 using testing::Test;
 
 // Used for testing that SetUpTestCase()/TearDownTestCase(), fixture
@@ -166,6 +169,40 @@ TYPED_TEST(NumericTest, DefaultIsZero) {
 
 }  // namespace library1
 
+// Tests that custom names work.
+template <typename T>
+class TypedTestWithNames : public Test {};
+
+class TypedTestNames {
+ public:
+  template <typename T>
+  static std::string GetName(int i) {
+    if (testing::internal::IsSame<T, char>::value) {
+      return std::string("char") + ::testing::PrintToString(i);
+    }
+    if (testing::internal::IsSame<T, int>::value) {
+      return std::string("int") + ::testing::PrintToString(i);
+    }
+  }
+};
+
+TYPED_TEST_CASE(TypedTestWithNames, TwoTypes, TypedTestNames);
+
+TYPED_TEST(TypedTestWithNames, TestCaseName) {
+  if (testing::internal::IsSame<TypeParam, char>::value) {
+    EXPECT_STREQ(::testing::UnitTest::GetInstance()
+                     ->current_test_info()
+                     ->test_case_name(),
+                 "TypedTestWithNames/char0");
+  }
+  if (testing::internal::IsSame<TypeParam, int>::value) {
+    EXPECT_STREQ(::testing::UnitTest::GetInstance()
+                     ->current_test_info()
+                     ->test_case_name(),
+                 "TypedTestWithNames/int1");
+  }
+}
+
 #endif  // GTEST_HAS_TYPED_TEST
 
 // This #ifdef block tests type-parameterized tests.
@@ -266,6 +303,46 @@ REGISTER_TYPED_TEST_CASE_P(DerivedTest,
 typedef Types<short, long> MyTwoTypes;
 INSTANTIATE_TYPED_TEST_CASE_P(My, DerivedTest, MyTwoTypes);
 
+// Tests that custom names work with type parametrized tests. We reuse the
+// TwoTypes from above here.
+template <typename T>
+class TypeParametrizedTestWithNames : public Test {};
+
+TYPED_TEST_CASE_P(TypeParametrizedTestWithNames);
+
+TYPED_TEST_P(TypeParametrizedTestWithNames, TestCaseName) {
+  if (testing::internal::IsSame<TypeParam, char>::value) {
+    EXPECT_STREQ(::testing::UnitTest::GetInstance()
+                     ->current_test_info()
+                     ->test_case_name(),
+                 "CustomName/TypeParametrizedTestWithNames/parChar0");
+  }
+  if (testing::internal::IsSame<TypeParam, int>::value) {
+    EXPECT_STREQ(::testing::UnitTest::GetInstance()
+                     ->current_test_info()
+                     ->test_case_name(),
+                 "CustomName/TypeParametrizedTestWithNames/parInt1");
+  }
+}
+
+REGISTER_TYPED_TEST_CASE_P(TypeParametrizedTestWithNames, TestCaseName);
+
+class TypeParametrizedTestNames {
+ public:
+  template <typename T>
+  static std::string GetName(int i) {
+    if (testing::internal::IsSame<T, char>::value) {
+      return std::string("parChar") + ::testing::PrintToString(i);
+    }
+    if (testing::internal::IsSame<T, int>::value) {
+      return std::string("parInt") + ::testing::PrintToString(i);
+    }
+  }
+};
+
+INSTANTIATE_TYPED_TEST_CASE_P(CustomName, TypeParametrizedTestWithNames,
+                              TwoTypes, TypeParametrizedTestNames);
+
 // Tests that multiple TYPED_TEST_CASE_P's can be defined in the same
 // translation unit.
 
@@ -344,6 +421,25 @@ REGISTER_TYPED_TEST_CASE_P(NumericTest,
 typedef Types<int, double> NumericTypes;
 INSTANTIATE_TYPED_TEST_CASE_P(My, NumericTest, NumericTypes);
 
+static const char* GetTestName() {
+  return testing::UnitTest::GetInstance()->current_test_info()->name();
+}
+// Test the stripping of space from test names
+template <typename T> class TrimmedTest : public Test { };
+TYPED_TEST_CASE_P(TrimmedTest);
+TYPED_TEST_P(TrimmedTest, Test1) { EXPECT_STREQ("Test1", GetTestName()); }
+TYPED_TEST_P(TrimmedTest, Test2) { EXPECT_STREQ("Test2", GetTestName()); }
+TYPED_TEST_P(TrimmedTest, Test3) { EXPECT_STREQ("Test3", GetTestName()); }
+TYPED_TEST_P(TrimmedTest, Test4) { EXPECT_STREQ("Test4", GetTestName()); }
+TYPED_TEST_P(TrimmedTest, Test5) { EXPECT_STREQ("Test5", GetTestName()); }
+REGISTER_TYPED_TEST_CASE_P(
+    TrimmedTest,
+    Test1, Test2,Test3 , Test4 ,Test5 );  // NOLINT
+template <typename T1, typename T2> struct MyPair {};
+// Be sure to try a type with a comma in its name just in case it matters.
+typedef Types<int, double, MyPair<int, int> > TrimTypes;
+INSTANTIATE_TYPED_TEST_CASE_P(My, TrimmedTest, TrimTypes);
+
 }  // namespace library2
 
 #endif  // GTEST_HAS_TYPED_TEST_P
@@ -358,4 +454,8 @@ INSTANTIATE_TYPED_TEST_CASE_P(My, NumericTest, NumericTypes);
 // must be defined). This dummy test keeps gtest_main linked in.
 TEST(DummyTest, TypedTestsAreNotSupportedOnThisPlatform) {}
 
+#if _MSC_VER
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4127
+#endif                             //  _MSC_VER
+
 #endif  // #if !defined(GTEST_HAS_TYPED_TEST) && !defined(GTEST_HAS_TYPED_TEST_P)
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-typed-test_test.h b/security/nss/gtests/google_test/gtest/test/gtest-typed-test_test.h
index 41d75704c..2cce67c82 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-typed-test_test.h
+++ b/security/nss/gtests/google_test/gtest/test/gtest-typed-test_test.h
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 #ifndef GTEST_TEST_GTEST_TYPED_TEST_TEST_H_
 #define GTEST_TEST_GTEST_TYPED_TEST_TEST_H_
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-unittest-api_test.cc b/security/nss/gtests/google_test/gtest/test/gtest-unittest-api_test.cc
index b1f51688a..f3ea03a59 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-unittest-api_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest-unittest-api_test.cc
@@ -25,10 +25,9 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: vladl@google.com (Vlad Losev)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 //
 // This file contains tests verifying correctness of data provided via
 // UnitTest's public methods.
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_all_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_all_test.cc
index 955aa6282..e61e36b1d 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_all_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_all_test.cc
@@ -26,21 +26,20 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: wan@google.com (Zhanyong Wan)
-//
-// Tests for Google C++ Testing Framework (Google Test)
+// Tests for Google C++ Testing and Mocking Framework (Google Test)
 //
 // Sometimes it's desirable to build most of Google Test's own tests
 // by compiling a single file.  This file serves this purpose.
-#include "test/gtest-filepath_test.cc"
-#include "test/gtest-linked_ptr_test.cc"
-#include "test/gtest-message_test.cc"
-#include "test/gtest-options_test.cc"
-#include "test/gtest-port_test.cc"
+#include "test/googletest-filepath-test.cc"
+#include "test/googletest-linked-ptr-test.cc"
+#include "test/googletest-message-test.cc"
+#include "test/googletest-options-test.cc"
+#include "test/googletest-port-test.cc"
 #include "test/gtest_pred_impl_unittest.cc"
 #include "test/gtest_prod_test.cc"
-#include "test/gtest-test-part_test.cc"
+#include "test/googletest-test-part-test.cc"
 #include "test/gtest-typed-test_test.cc"
 #include "test/gtest-typed-test2_test.cc"
 #include "test/gtest_unittest.cc"
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_assert_by_exception_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_assert_by_exception_test.cc
new file mode 100644
index 000000000..0eae8575f
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/gtest_assert_by_exception_test.cc
@@ -0,0 +1,118 @@
+// Copyright 2009, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+// Tests Google Test's assert-by-exception mode with exceptions enabled.
+
+#include "gtest/gtest.h"
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdexcept>
+
+class ThrowListener : public testing::EmptyTestEventListener {
+  void OnTestPartResult(const testing::TestPartResult& result) override {
+    if (result.type() == testing::TestPartResult::kFatalFailure) {
+      throw testing::AssertionException(result);
+    }
+  }
+};
+
+// Prints the given failure message and exits the program with
+// non-zero.  We use this instead of a Google Test assertion to
+// indicate a failure, as the latter is been tested and cannot be
+// relied on.
+void Fail(const char* msg) {
+  printf("FAILURE: %s\n", msg);
+  fflush(stdout);
+  exit(1);
+}
+
+static void AssertFalse() {
+  ASSERT_EQ(2, 3) << "Expected failure";
+}
+
+// Tests that an assertion failure throws a subclass of
+// std::runtime_error.
+TEST(Test, Test) {
+  // A successful assertion shouldn't throw.
+  try {
+    EXPECT_EQ(3, 3);
+  } catch(...) {
+    Fail("A successful assertion wrongfully threw.");
+  }
+
+  // A successful assertion shouldn't throw.
+  try {
+    EXPECT_EQ(3, 4);
+  } catch(...) {
+    Fail("A failed non-fatal assertion wrongfully threw.");
+  }
+
+  // A failed assertion should throw.
+  try {
+    AssertFalse();
+  } catch(const testing::AssertionException& e) {
+    if (strstr(e.what(), "Expected failure") != NULL)
+      throw;
+
+    printf("%s",
+           "A failed assertion did throw an exception of the right type, "
+           "but the message is incorrect.  Instead of containing \"Expected "
+           "failure\", it is:\n");
+    Fail(e.what());
+  } catch(...) {
+    Fail("A failed assertion threw the wrong type of exception.");
+  }
+  Fail("A failed assertion should've thrown but didn't.");
+}
+
+int kTestForContinuingTest = 0;
+
+TEST(Test, Test2) {
+  // FIXME: how to force Test2 to be after Test?
+  kTestForContinuingTest = 1;
+}
+
+int main(int argc, char** argv) {
+  testing::InitGoogleTest(&argc, argv);
+  testing::UnitTest::GetInstance()->listeners().Append(new ThrowListener);
+
+  int result = RUN_ALL_TESTS();
+  if (result == 0) {
+    printf("RUN_ALL_TESTS returned %d\n", result);
+    Fail("Expected failure instead.");
+  }
+
+  if (kTestForContinuingTest == 0) {
+    Fail("Should have continued with other tests, but did not.");
+  }
+  return 0;
+}
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_environment_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_environment_test.cc
index 3cff19e70..bc9524d66 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_environment_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_environment_test.cc
@@ -26,18 +26,14 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 //
 // Tests using global test environments.
 
 #include <stdlib.h>
 #include <stdio.h>
 #include "gtest/gtest.h"
-
-#define GTEST_IMPLEMENTATION_ 1  // Required for the next #include.
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 namespace testing {
 GTEST_DECLARE_string_(filter);
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_help_test.py b/security/nss/gtests/google_test/gtest/test/gtest_help_test.py
index 093c838d9..582d24c2d 100755
--- a/security/nss/gtests/google_test/gtest/test/gtest_help_test.py
+++ b/security/nss/gtests/google_test/gtest/test/gtest_help_test.py
@@ -29,7 +29,7 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-"""Tests the --help flag of Google C++ Testing Framework.
+"""Tests the --help flag of Google C++ Testing and Mocking Framework.
 
 SYNOPSIS
        gtest_help_test.py --build_dir=BUILD/DIR
@@ -37,8 +37,6 @@ SYNOPSIS
        gtest_help_test.py
 """
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
-
 import os
 import re
 import gtest_test_utils
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_help_test_.cc b/security/nss/gtests/google_test/gtest/test/gtest_help_test_.cc
index 31f78c244..750ae6ce9 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_help_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_help_test_.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // This program is meant to be run by gtest_help_test.py.  Do not run
 // it directly.
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_json_test_utils.py b/security/nss/gtests/google_test/gtest/test/gtest_json_test_utils.py
new file mode 100644
index 000000000..62bbfc288
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/gtest_json_test_utils.py
@@ -0,0 +1,60 @@
+# Copyright 2018, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+"""Unit test utilities for gtest_json_output."""
+
+import re
+
+
+def normalize(obj):
+  """Normalize output object.
+
+  Args:
+     obj: Google Test's JSON output object to normalize.
+
+  Returns:
+     Normalized output without any references to transient information that may
+     change from run to run.
+  """
+  def _normalize(key, value):
+    if key == 'time':
+      return re.sub(r'^\d+(\.\d+)?s$', '*', value)
+    elif key == 'timestamp':
+      return re.sub(r'^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ$', '*', value)
+    elif key == 'failure':
+      value = re.sub(r'^.*[/\\](.*:)\d+\n', '\\1*\n', value)
+      return re.sub(r'Stack trace:\n(.|\n)*', 'Stack trace:\n*', value)
+    else:
+      return normalize(value)
+  if isinstance(obj, dict):
+    return {k: _normalize(k, v) for k, v in obj.items()}
+  if isinstance(obj, list):
+    return [normalize(x) for x in obj]
+  else:
+    return obj
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_list_output_unittest.py b/security/nss/gtests/google_test/gtest/test/gtest_list_output_unittest.py
new file mode 100644
index 000000000..3bba7ea2c
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/gtest_list_output_unittest.py
@@ -0,0 +1,141 @@
+#!/usr/bin/env python
+#
+# Copyright 2006, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+"""Unit test for Google Test's --gtest_list_tests flag.
+
+A user can ask Google Test to list all tests by specifying the
+--gtest_list_tests flag. If output is requested, via --gtest_output=xml
+or --gtest_output=json, the tests are listed, with extra information in the
+output file.
+This script tests such functionality by invoking gtest_list_output_unittest_
+ (a program written with Google Test) the command line flags.
+"""
+
+import os
+import re
+import gtest_test_utils
+
+GTEST_LIST_TESTS_FLAG = '--gtest_list_tests'
+GTEST_OUTPUT_FLAG = '--gtest_output'
+
+EXPECTED_XML = """<\?xml version="1.0" encoding="UTF-8"\?>
+<testsuites tests="2" name="AllTests">
+  <testsuite name="FooTest" tests="2">
+    <testcase name="Test1" file=".*gtest_list_output_unittest_.cc" line="43" />
+    <testcase name="Test2" file=".*gtest_list_output_unittest_.cc" line="45" />
+  </testsuite>
+</testsuites>
+"""
+
+EXPECTED_JSON = """{
+  "tests": 2,
+  "name": "AllTests",
+  "testsuites": \[
+    {
+      "name": "FooTest",
+      "tests": 2,
+      "testsuite": \[
+        {
+          "name": "Test1",
+          "file": ".*gtest_list_output_unittest_.cc",
+          "line": 43
+        },
+        {
+          "name": "Test2",
+          "file": ".*gtest_list_output_unittest_.cc",
+          "line": 45
+        }
+      \]
+    }
+  \]
+}
+"""
+
+
+class GTestListTestsOutputUnitTest(gtest_test_utils.TestCase):
+  """Unit test for Google Test's list tests with output to file functionality.
+  """
+
+  def testXml(self):
+    """Verifies XML output for listing tests in a Google Test binary.
+
+    Runs a test program that generates an empty XML output, and
+    tests that the XML output is expected.
+    """
+    self._TestOutput('xml', EXPECTED_XML)
+
+  def testJSON(self):
+    """Verifies XML output for listing tests in a Google Test binary.
+
+    Runs a test program that generates an empty XML output, and
+    tests that the XML output is expected.
+    """
+    self._TestOutput('json', EXPECTED_JSON)
+
+  def _GetOutput(self, out_format):
+    file_path = os.path.join(gtest_test_utils.GetTempDir(),
+                             'test_out.' + out_format)
+    gtest_prog_path = gtest_test_utils.GetTestExecutablePath(
+        'gtest_list_output_unittest_')
+
+    command = ([
+        gtest_prog_path,
+        '%s=%s:%s' % (GTEST_OUTPUT_FLAG, out_format, file_path),
+        '--gtest_list_tests'
+    ])
+    environ_copy = os.environ.copy()
+    p = gtest_test_utils.Subprocess(
+        command, env=environ_copy, working_dir=gtest_test_utils.GetTempDir())
+
+    self.assert_(p.exited)
+    self.assertEquals(0, p.exit_code)
+    with open(file_path) as f:
+      result = f.read()
+    return result
+
+  def _TestOutput(self, test_format, expected_output):
+    actual = self._GetOutput(test_format)
+    actual_lines = actual.splitlines()
+    expected_lines = expected_output.splitlines()
+    line_count = 0
+    for actual_line in actual_lines:
+      expected_line = expected_lines[line_count]
+      expected_line_re = re.compile(expected_line.strip())
+      self.assert_(
+          expected_line_re.match(actual_line.strip()),
+          ('actual output of "%s",\n'
+           'which does not match expected regex of "%s"\n'
+           'on line %d' % (actual, expected_output, line_count)))
+      line_count = line_count + 1
+
+
+if __name__ == '__main__':
+  os.environ['GTEST_STACK_TRACE_DEPTH'] = '1'
+  gtest_test_utils.Main()
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_list_output_unittest_.cc b/security/nss/gtests/google_test/gtest/test/gtest_list_output_unittest_.cc
new file mode 100644
index 000000000..b1c7b4de3
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/gtest_list_output_unittest_.cc
@@ -0,0 +1,51 @@
+// Copyright 2018, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+// Author: david.schuldenfrei@gmail.com (David Schuldenfrei)
+
+// Unit test for Google Test's --gtest_list_tests and --gtest_output flag.
+//
+// A user can ask Google Test to list all tests that will run,
+// and have the output saved in a Json/Xml file.
+// The tests will not be run after listing.
+//
+// This program will be invoked from a Python unit test.
+// Don't run it directly.
+
+#include "gtest/gtest.h"
+
+TEST(FooTest, Test1) {}
+
+TEST(FooTest, Test2) {}
+
+int main(int argc, char **argv) {
+  ::testing::InitGoogleTest(&argc, argv);
+
+  return RUN_ALL_TESTS();
+}
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_main_unittest.cc b/security/nss/gtests/google_test/gtest/test/gtest_main_unittest.cc
index ecd9bb876..eddedeabe 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_main_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_main_unittest.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 #include "gtest/gtest.h"
 
@@ -41,5 +40,5 @@ TEST(GTestMainTest, ShouldSucceed) {
 
 }  // namespace
 
-// We are using the main() function defined in src/gtest_main.cc, so
-// we don't define it here.
+// We are using the main() function defined in gtest_main.cc, so we
+// don't define it here.
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_no_test_unittest.cc b/security/nss/gtests/google_test/gtest/test/gtest_no_test_unittest.cc
index 292599af8..d4f88dbfd 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_no_test_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_no_test_unittest.cc
@@ -29,8 +29,6 @@
 
 // Tests that a Google Test program that has no test defined can run
 // successfully.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
 #include "gtest/gtest.h"
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_pred_impl_unittest.cc b/security/nss/gtests/google_test/gtest/test/gtest_pred_impl_unittest.cc
index a84eff860..b466c150a 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_pred_impl_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_pred_impl_unittest.cc
@@ -27,7 +27,7 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-// This file is AUTOMATICALLY GENERATED on 10/31/2011 by command
+// This file is AUTOMATICALLY GENERATED on 01/02/2018 by command
 // 'gen_gtest_pred_impl.py 5'.  DO NOT EDIT BY HAND!
 
 // Regression test for gtest_pred_impl.h
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_premature_exit_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_premature_exit_test.cc
index c1ed96866..c1e93056d 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_premature_exit_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_premature_exit_test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 //
 // Tests that Google Test manipulates the premature-exit-detection
 // file correctly.
@@ -44,10 +43,6 @@ using ::testing::internal::posix::StatStruct;
 
 namespace {
 
-// Is the TEST_PREMATURE_EXIT_FILE environment variable expected to be
-// set?
-const bool kTestPrematureExitFileEnvVarShouldBeSet = false;
-
 class PrematureExitTest : public Test {
  public:
   // Returns true iff the given file exists.
@@ -97,18 +92,6 @@ TEST_F(PrematureExitDeathTest, FileExistsDuringExecutionOfDeathTest) {
     }, "");
 }
 
-// Tests that TEST_PREMATURE_EXIT_FILE is set where it's expected to
-// be set.
-TEST_F(PrematureExitTest, TestPrematureExitFileEnvVarIsSet) {
-  GTEST_INTENTIONAL_CONST_COND_PUSH_()
-  if (kTestPrematureExitFileEnvVarShouldBeSet) {
-  GTEST_INTENTIONAL_CONST_COND_POP_()
-    const char* const filepath = GetEnv("TEST_PREMATURE_EXIT_FILE");
-    ASSERT_TRUE(filepath != NULL);
-    ASSERT_NE(*filepath, '\0');
-  }
-}
-
 // Tests that the premature-exit file exists during the execution of a
 // normal (non-death) test.
 TEST_F(PrematureExitTest, PrematureExitFileExistsDuringTestExecution) {
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_prod_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_prod_test.cc
index 060abce18..ede81a0d1 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_prod_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_prod_test.cc
@@ -26,13 +26,12 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: wan@google.com (Zhanyong Wan)
-//
-// Unit test for include/gtest/gtest_prod.h.
+// Unit test for gtest_prod.h.
 
+#include "production.h"
 #include "gtest/gtest.h"
-#include "test/production.h"
 
 // Tests that private members can be accessed from a TEST declared as
 // a friend of the class.
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_repeat_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_repeat_test.cc
index 481012adc..1e8f499bb 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_repeat_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_repeat_test.cc
@@ -26,23 +26,14 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Tests the --gtest_repeat=number flag.
 
 #include <stdlib.h>
 #include <iostream>
 #include "gtest/gtest.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick is to
-// prevent a user from accidentally including gtest-internal-inl.h in
-// his code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 namespace testing {
 
@@ -75,7 +66,7 @@ namespace {
 
 
 // Used for verifying that global environment set-up and tear-down are
-// inside the gtest_repeat loop.
+// inside the --gtest_repeat loop.
 
 int g_environment_set_up_count = 0;
 int g_environment_tear_down_count = 0;
@@ -119,7 +110,6 @@ TEST(BarDeathTest, ThreadSafeAndFast) {
   EXPECT_DEATH_IF_SUPPORTED(::testing::internal::posix::Abort(), "");
 }
 
-#if GTEST_HAS_PARAM_TEST
 int g_param_test_count = 0;
 
 const int kNumberOfParamTests = 10;
@@ -127,15 +117,13 @@ const int kNumberOfParamTests = 10;
 class MyParamTest : public testing::TestWithParam<int> {};
 
 TEST_P(MyParamTest, ShouldPass) {
-  // TODO(vladl@google.com): Make parameter value checking robust
-  //                         WRT order of tests.
+  // FIXME: Make parameter value checking robust WRT order of tests.
   GTEST_CHECK_INT_EQ_(g_param_test_count % kNumberOfParamTests, GetParam());
   g_param_test_count++;
 }
 INSTANTIATE_TEST_CASE_P(MyParamSequence,
                         MyParamTest,
                         testing::Range(0, kNumberOfParamTests));
-#endif  // GTEST_HAS_PARAM_TEST
 
 // Resets the count for each test.
 void ResetCounts() {
@@ -144,9 +132,7 @@ void ResetCounts() {
   g_should_fail_count = 0;
   g_should_pass_count = 0;
   g_death_test_count = 0;
-#if GTEST_HAS_PARAM_TEST
   g_param_test_count = 0;
-#endif  // GTEST_HAS_PARAM_TEST
 }
 
 // Checks that the count for each test is expected.
@@ -156,9 +142,7 @@ void CheckCounts(int expected) {
   GTEST_CHECK_INT_EQ_(expected, g_should_fail_count);
   GTEST_CHECK_INT_EQ_(expected, g_should_pass_count);
   GTEST_CHECK_INT_EQ_(expected, g_death_test_count);
-#if GTEST_HAS_PARAM_TEST
   GTEST_CHECK_INT_EQ_(expected * kNumberOfParamTests, g_param_test_count);
-#endif  // GTEST_HAS_PARAM_TEST
 }
 
 // Tests the behavior of Google Test when --gtest_repeat is not specified.
@@ -201,9 +185,7 @@ void TestRepeatWithFilterForSuccessfulTests(int repeat) {
   GTEST_CHECK_INT_EQ_(0, g_should_fail_count);
   GTEST_CHECK_INT_EQ_(repeat, g_should_pass_count);
   GTEST_CHECK_INT_EQ_(repeat, g_death_test_count);
-#if GTEST_HAS_PARAM_TEST
   GTEST_CHECK_INT_EQ_(repeat * kNumberOfParamTests, g_param_test_count);
-#endif  // GTEST_HAS_PARAM_TEST
 }
 
 // Tests using --gtest_repeat when --gtest_filter specifies a set of
@@ -219,15 +201,14 @@ void TestRepeatWithFilterForFailedTests(int repeat) {
   GTEST_CHECK_INT_EQ_(repeat, g_should_fail_count);
   GTEST_CHECK_INT_EQ_(0, g_should_pass_count);
   GTEST_CHECK_INT_EQ_(0, g_death_test_count);
-#if GTEST_HAS_PARAM_TEST
   GTEST_CHECK_INT_EQ_(0, g_param_test_count);
-#endif  // GTEST_HAS_PARAM_TEST
 }
 
 }  // namespace
 
 int main(int argc, char **argv) {
   testing::InitGoogleTest(&argc, argv);
+
   testing::AddGlobalTestEnvironment(new MyEnvironment);
 
   TestRepeatUnspecified();
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_sole_header_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_sole_header_test.cc
index ccd091a28..1d94ac6b3 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_sole_header_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_sole_header_test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: mheule@google.com (Markus Heule)
+
 //
 // This test verifies that it's possible to use Google Test by including
 // the gtest.h header file alone.
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_stress_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_stress_test.cc
index e7daa430d..95ada39c3 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_stress_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_stress_test.cc
@@ -26,23 +26,16 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Tests that SCOPED_TRACE() and various Google Test assertions can be
 // used in a large number of threads concurrently.
 
 #include "gtest/gtest.h"
 
-#include <iostream>
 #include <vector>
 
-// We must define this macro in order to #include
-// gtest-internal-inl.h.  This is how Google Test prevents a user from
-// accidentally depending on its internal implementation.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 #if GTEST_IS_THREADSAFE
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_test_macro_stack_footprint_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_test_macro_stack_footprint_test.cc
new file mode 100644
index 000000000..a48db0501
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/gtest_test_macro_stack_footprint_test.cc
@@ -0,0 +1,89 @@
+// Copyright 2013, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+//
+// Each TEST() expands to some static registration logic.  GCC puts all
+// such static initialization logic for a translation unit in a common,
+// internal function.  Since Google's build system restricts how much
+// stack space a function can use, there's a limit on how many TEST()s
+// one can put in a single C++ test file.  This test ensures that a large
+// number of TEST()s can be defined in the same translation unit.
+
+#include "gtest/gtest.h"
+
+// This macro defines 10 dummy tests.
+#define TEN_TESTS_(test_case_name) \
+  TEST(test_case_name, T0) {} \
+  TEST(test_case_name, T1) {} \
+  TEST(test_case_name, T2) {} \
+  TEST(test_case_name, T3) {} \
+  TEST(test_case_name, T4) {} \
+  TEST(test_case_name, T5) {} \
+  TEST(test_case_name, T6) {} \
+  TEST(test_case_name, T7) {} \
+  TEST(test_case_name, T8) {} \
+  TEST(test_case_name, T9) {}
+
+// This macro defines 100 dummy tests.
+#define HUNDRED_TESTS_(test_case_name_prefix) \
+  TEN_TESTS_(test_case_name_prefix ## 0) \
+  TEN_TESTS_(test_case_name_prefix ## 1) \
+  TEN_TESTS_(test_case_name_prefix ## 2) \
+  TEN_TESTS_(test_case_name_prefix ## 3) \
+  TEN_TESTS_(test_case_name_prefix ## 4) \
+  TEN_TESTS_(test_case_name_prefix ## 5) \
+  TEN_TESTS_(test_case_name_prefix ## 6) \
+  TEN_TESTS_(test_case_name_prefix ## 7) \
+  TEN_TESTS_(test_case_name_prefix ## 8) \
+  TEN_TESTS_(test_case_name_prefix ## 9)
+
+// This macro defines 1000 dummy tests.
+#define THOUSAND_TESTS_(test_case_name_prefix) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 0) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 1) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 2) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 3) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 4) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 5) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 6) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 7) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 8) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 9)
+
+// Ensures that we can define 1000 TEST()s in the same translation
+// unit.
+THOUSAND_TESTS_(T)
+
+int main(int argc, char **argv) {
+  testing::InitGoogleTest(&argc, argv);
+
+  // We don't actually need to run the dummy tests - the purpose is to
+  // ensure that they compile.
+  return 0;
+}
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_test_utils.py b/security/nss/gtests/google_test/gtest/test/gtest_test_utils.py
index 7e3cbcafd..43cba8f4c 100755
--- a/security/nss/gtests/google_test/gtest/test/gtest_test_utils.py
+++ b/security/nss/gtests/google_test/gtest/test/gtest_test_utils.py
@@ -1,5 +1,3 @@
-#!/usr/bin/env python
-#
 # Copyright 2006, Google Inc.
 # All rights reserved.
 #
@@ -29,20 +27,21 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-"""Unit test utilities for Google C++ Testing Framework."""
+"""Unit test utilities for Google C++ Testing and Mocking Framework."""
+# Suppresses the 'Import not at the top of the file' lint complaint.
+# pylint: disable-msg=C6204
+
+import os
+import sys
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
+IS_WINDOWS = os.name == 'nt'
+IS_CYGWIN = os.name == 'posix' and 'CYGWIN' in os.uname()[0]
 
 import atexit
-import os
 import shutil
-import sys
 import tempfile
-import unittest
-_test_module = unittest
+import unittest as _test_module
 
-# Suppresses the 'Import not at the top of the file' lint complaint.
-# pylint: disable-msg=C6204
 try:
   import subprocess
   _SUBPROCESS_MODULE_AVAILABLE = True
@@ -53,9 +52,6 @@ except:
 
 GTEST_OUTPUT_VAR_NAME = 'GTEST_OUTPUT'
 
-IS_WINDOWS = os.name == 'nt'
-IS_CYGWIN = os.name == 'posix' and 'CYGWIN' in os.uname()[0]
-
 # The environment variable for specifying the path to the premature-exit file.
 PREMATURE_EXIT_FILE_ENV_VAR = 'TEST_PREMATURE_EXIT_FILE'
 
@@ -74,7 +70,7 @@ def SetEnvVar(env_var, value):
 # Here we expose a class from a particular module, depending on the
 # environment. The comment suppresses the 'Invalid variable name' lint
 # complaint.
-TestCase = _test_module.TestCase  # pylint: disable-msg=C6409
+TestCase = _test_module.TestCase  # pylint: disable=C6409
 
 # Initially maps a flag to its default value. After
 # _ParseAndStripGTestFlags() is called, maps a flag to its actual value.
@@ -88,7 +84,7 @@ def _ParseAndStripGTestFlags(argv):
 
   # Suppresses the lint complaint about a global variable since we need it
   # here to maintain module-wide state.
-  global _gtest_flags_are_parsed  # pylint: disable-msg=W0603
+  global _gtest_flags_are_parsed  # pylint: disable=W0603
   if _gtest_flags_are_parsed:
     return
 
@@ -145,8 +141,6 @@ atexit.register(_RemoveTempDir)
 
 
 def GetTempDir():
-  """Returns a directory for temporary files."""
-
   global _temp_dir
   if not _temp_dir:
     _temp_dir = tempfile.mkdtemp()
@@ -245,7 +239,7 @@ class Subprocess:
       p = subprocess.Popen(command,
                            stdout=subprocess.PIPE, stderr=stderr,
                            cwd=working_dir, universal_newlines=True, env=env)
-      # communicate returns a tuple with the file obect for the child's
+      # communicate returns a tuple with the file object for the child's
       # output.
       self.output = p.communicate()[0]
       self._return_code = p.returncode
@@ -312,7 +306,7 @@ def Main():
   _ParseAndStripGTestFlags(sys.argv)
   # The tested binaries should not be writing XML output files unless the
   # script explicitly instructs them to.
-  # TODO(vladl@google.com): Move this into Subprocess when we implement
+  # FIXME: Move this into Subprocess when we implement
   # passing environment into it as a parameter.
   if GTEST_OUTPUT_VAR_NAME in os.environ:
     del os.environ[GTEST_OUTPUT_VAR_NAME]
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_testbridge_test.py b/security/nss/gtests/google_test/gtest/test/gtest_testbridge_test.py
new file mode 100644
index 000000000..87ffad73d
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/gtest_testbridge_test.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python
+#
+# Copyright 2018 Google LLC. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+"""Verifies that Google Test uses filter provided via testbridge."""
+
+import os
+
+import gtest_test_utils
+
+binary_name = 'gtest_testbridge_test_'
+COMMAND = gtest_test_utils.GetTestExecutablePath(binary_name)
+TESTBRIDGE_NAME = 'TESTBRIDGE_TEST_ONLY'
+
+
+def Assert(condition):
+  if not condition:
+    raise AssertionError
+
+
+class GTestTestFilterTest(gtest_test_utils.TestCase):
+
+  def testTestExecutionIsFiltered(self):
+    """Tests that the test filter is picked up from the testbridge env var."""
+    subprocess_env = os.environ.copy()
+
+    subprocess_env[TESTBRIDGE_NAME] = '*.TestThatSucceeds'
+    p = gtest_test_utils.Subprocess(COMMAND, env=subprocess_env)
+
+    self.assertEquals(0, p.exit_code)
+
+    Assert('filter = *.TestThatSucceeds' in p.output)
+    Assert('[       OK ] TestFilterTest.TestThatSucceeds' in p.output)
+    Assert('[  PASSED  ] 1 test.' in p.output)
+
+
+if __name__ == '__main__':
+  gtest_test_utils.Main()
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_testbridge_test_.cc b/security/nss/gtests/google_test/gtest/test/gtest_testbridge_test_.cc
new file mode 100644
index 000000000..24617b209
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/gtest_testbridge_test_.cc
@@ -0,0 +1,43 @@
+// Copyright 2018, Google LLC.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+// This program is meant to be run by gtest_test_filter_test.py.  Do not run
+// it directly.
+
+#include "gtest/gtest.h"
+
+// These tests are used to detect if filtering is working. Only
+// 'TestThatSucceeds' should ever run.
+
+TEST(TestFilterTest, TestThatSucceeds) {}
+
+TEST(TestFilterTest, TestThatFails) {
+  ASSERT_TRUE(false) << "This test should never be run.";
+}
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_throw_on_failure_ex_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_throw_on_failure_ex_test.cc
index 8d46c76f1..93f59d49c 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_throw_on_failure_ex_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_throw_on_failure_ex_test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Tests Google Test's throw-on-failure mode with exceptions enabled.
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_unittest.cc b/security/nss/gtests/google_test/gtest/test/gtest_unittest.cc
index 9625fa4e8..f7213fbf3 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_unittest.cc
@@ -26,17 +26,16 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 //
 // Tests for Google Test itself.  This verifies that the basic constructs of
 // Google Test work.
 
 #include "gtest/gtest.h"
 
-// Verifies that the command line flag variables can be accessed
-// in code once <gtest/gtest.h> has been #included.
-// Do not move it after other #includes.
+// Verifies that the command line flag variables can be accessed in
+// code once "gtest.h" has been #included.
+// Do not move it after other gtest #includes.
 TEST(CommandLineFlagsTest, CanBeAccessedInCodeOnceGTestHIsIncluded) {
   bool dummy = testing::GTEST_FLAG(also_run_disabled_tests)
       || testing::GTEST_FLAG(break_on_failure)
@@ -64,17 +63,12 @@ TEST(CommandLineFlagsTest, CanBeAccessedInCodeOnceGTestHIsIncluded) {
 #include <map>
 #include <vector>
 #include <ostream>
+#if GTEST_LANG_CXX11
+#include <unordered_set>
+#endif  // GTEST_LANG_CXX11
 
 #include "gtest/gtest-spi.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick is to
-// prevent a user from accidentally including gtest-internal-inl.h in
-// his code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 namespace testing {
 namespace internal {
@@ -86,18 +80,19 @@ class StreamingListenerTest : public Test {
   class FakeSocketWriter : public StreamingListener::AbstractSocketWriter {
    public:
     // Sends a string to the socket.
-    virtual void Send(const string& message) { output_ += message; }
+    virtual void Send(const std::string& message) { output_ += message; }
 
-    string output_;
+    std::string output_;
   };
 
   StreamingListenerTest()
       : fake_sock_writer_(new FakeSocketWriter),
         streamer_(fake_sock_writer_),
-        test_info_obj_("FooTest", "Bar", NULL, NULL, 0, NULL) {}
+        test_info_obj_("FooTest", "Bar", NULL, NULL,
+                       CodeLocation(__FILE__, __LINE__), 0, NULL) {}
 
  protected:
-  string* output() { return &(fake_sock_writer_->output_); }
+  std::string* output() { return &(fake_sock_writer_->output_); }
 
   FakeSocketWriter* const fake_sock_writer_;
   StreamingListener streamer_;
@@ -265,6 +260,8 @@ using testing::internal::IsContainer;
 using testing::internal::IsContainerTest;
 using testing::internal::IsNotContainer;
 using testing::internal::NativeArray;
+using testing::internal::OsStackTraceGetter;
+using testing::internal::OsStackTraceGetterInterface;
 using testing::internal::ParseInt32Flag;
 using testing::internal::RelationToSourceCopy;
 using testing::internal::RelationToSourceReference;
@@ -281,13 +278,13 @@ using testing::internal::String;
 using testing::internal::TestEventListenersAccessor;
 using testing::internal::TestResultAccessor;
 using testing::internal::UInt32;
+using testing::internal::UnitTestImpl;
 using testing::internal::WideStringToUtf8;
 using testing::internal::edit_distance::CalculateOptimalEdits;
 using testing::internal::edit_distance::CreateUnifiedDiff;
 using testing::internal::edit_distance::EditType;
 using testing::internal::kMaxRandomSeed;
 using testing::internal::kTestTypeIdInGoogleTest;
-using testing::internal::scoped_ptr;
 using testing::kMaxStackTraceDepth;
 
 #if GTEST_HAS_STREAM_REDIRECTION
@@ -382,6 +379,31 @@ TEST(GetTestTypeIdTest, ReturnsTheSameValueInsideOrOutsideOfGoogleTest) {
   EXPECT_EQ(kTestTypeIdInGoogleTest, GetTestTypeId());
 }
 
+// Tests CanonicalizeForStdLibVersioning.
+
+using ::testing::internal::CanonicalizeForStdLibVersioning;
+
+TEST(CanonicalizeForStdLibVersioning, LeavesUnversionedNamesUnchanged) {
+  EXPECT_EQ("std::bind", CanonicalizeForStdLibVersioning("std::bind"));
+  EXPECT_EQ("std::_", CanonicalizeForStdLibVersioning("std::_"));
+  EXPECT_EQ("std::__foo", CanonicalizeForStdLibVersioning("std::__foo"));
+  EXPECT_EQ("gtl::__1::x", CanonicalizeForStdLibVersioning("gtl::__1::x"));
+  EXPECT_EQ("__1::x", CanonicalizeForStdLibVersioning("__1::x"));
+  EXPECT_EQ("::__1::x", CanonicalizeForStdLibVersioning("::__1::x"));
+}
+
+TEST(CanonicalizeForStdLibVersioning, ElidesDoubleUnderNames) {
+  EXPECT_EQ("std::bind", CanonicalizeForStdLibVersioning("std::__1::bind"));
+  EXPECT_EQ("std::_", CanonicalizeForStdLibVersioning("std::__1::_"));
+
+  EXPECT_EQ("std::bind", CanonicalizeForStdLibVersioning("std::__g::bind"));
+  EXPECT_EQ("std::_", CanonicalizeForStdLibVersioning("std::__g::_"));
+
+  EXPECT_EQ("std::bind",
+            CanonicalizeForStdLibVersioning("std::__google::bind"));
+  EXPECT_EQ("std::_", CanonicalizeForStdLibVersioning("std::__google::_"));
+}
+
 // Tests FormatTimeInMillisAsSeconds().
 
 TEST(FormatTimeInMillisAsSecondsTest, FormatsZero) {
@@ -421,10 +443,10 @@ class FormatEpochTimeInMillisAsIso8601Test : public Test {
   virtual void SetUp() {
     saved_tz_ = NULL;
 
-    GTEST_DISABLE_MSC_WARNINGS_PUSH_(4996 /* PR_GetEnvSecure, strdup: deprecated */)
-    if (PR_GetEnvSecure("TZ"))
-      saved_tz_ = strdup(PR_GetEnvSecure("TZ"));
-    GTEST_DISABLE_MSC_WARNINGS_POP_()
+    GTEST_DISABLE_MSC_DEPRECATED_PUSH_(/* getenv, strdup: deprecated */)
+    if (getenv("TZ"))
+      saved_tz_ = strdup(getenv("TZ"));
+    GTEST_DISABLE_MSC_DEPRECATED_POP_()
 
     // Set up the time zone for FormatEpochTimeInMillisAsIso8601 to use.  We
     // cannot use the local time zone because the function's output depends
@@ -442,7 +464,7 @@ class FormatEpochTimeInMillisAsIso8601Test : public Test {
     // tzset() distinguishes between the TZ variable being present and empty
     // and not being present, so we have to consider the case of time_zone
     // being NULL.
-#if _MSC_VER
+#if _MSC_VER || GTEST_OS_WINDOWS_MINGW
     // ...Unless it's MSVC, whose standard library's _putenv doesn't
     // distinguish between an empty and a missing variable.
     const std::string env_var =
@@ -546,7 +568,7 @@ TEST(CodePointToUtf8Test, CanEncode8To11Bits) {
 
   // 101 0111 0110 => 110-10101 10-110110
   // Some compilers (e.g., GCC on MinGW) cannot handle non-ASCII codepoints
-  // in wide strings and wide chars. In order to accomodate them, we have to
+  // in wide strings and wide chars. In order to accommodate them, we have to
   // introduce such character constants as integers.
   EXPECT_EQ("\xD5\xB6",
             CodePointToUtf8(static_cast<wchar_t>(0x576)));
@@ -1362,8 +1384,7 @@ class TestResultTest : public Test {
     // In order to test TestResult, we need to modify its internal
     // state, in particular the TestPartResult vector it holds.
     // test_part_results() returns a const reference to this vector.
-    // We cast it to a non-const object s.t. it can be modified (yes,
-    // this is a hack).
+    // We cast it to a non-const object s.t. it can be modified
     TPRVector* results1 = const_cast<TPRVector*>(
         &TestResultAccessor::test_part_results(*r1));
     TPRVector* results2 = const_cast<TPRVector*>(
@@ -1388,7 +1409,7 @@ class TestResultTest : public Test {
     delete r2;
   }
 
-  // Helper that compares two two TestPartResults.
+  // Helper that compares two TestPartResults.
   static void CompareTestPartResult(const TestPartResult& expected,
                                     const TestPartResult& actual) {
     EXPECT_EQ(expected.type(), actual.type());
@@ -1518,6 +1539,16 @@ TEST(TestResultPropertyTest, GetTestProperty) {
   EXPECT_DEATH_IF_SUPPORTED(test_result.GetTestProperty(-1), "");
 }
 
+// Tests the Test class.
+//
+// It's difficult to test every public method of this class (we are
+// already stretching the limit of Google Test by using it to test itself!).
+// Fortunately, we don't have to do that, as we are already testing
+// the functionalities of the Test class extensively by using Google Test
+// alone.
+//
+// Therefore, this section only contains one test.
+
 // Tests that GTestFlagSaver works on Windows and Mac.
 
 class GTestFlagSaverTest : public Test {
@@ -1661,6 +1692,8 @@ TEST(Int32FromGTestEnvTest, ReturnsDefaultWhenVariableIsNotSet) {
   EXPECT_EQ(10, Int32FromGTestEnv("temp", 10));
 }
 
+# if !defined(GTEST_GET_INT32_FROM_ENV_)
+
 // Tests that Int32FromGTestEnv() returns the default value when the
 // environment variable overflows as an Int32.
 TEST(Int32FromGTestEnvTest, ReturnsDefaultWhenValueOverflows) {
@@ -1685,6 +1718,8 @@ TEST(Int32FromGTestEnvTest, ReturnsDefaultWhenValueIsInvalid) {
   EXPECT_EQ(50, Int32FromGTestEnv("temp", 50));
 }
 
+# endif  // !defined(GTEST_GET_INT32_FROM_ENV_)
+
 // Tests that Int32FromGTestEnv() parses and returns the value of the
 // environment variable when it represents a valid decimal integer in
 // the range of an Int32.
@@ -1773,7 +1808,7 @@ TEST(Int32FromEnvOrDieDeathTest, AbortsOnFailure) {
 }
 
 // Tests that Int32FromEnvOrDie() aborts with an error message
-// if the variable cannot be represnted by an Int32.
+// if the variable cannot be represented by an Int32.
 TEST(Int32FromEnvOrDieDeathTest, AbortsOnInt32Overflow) {
   SetEnv(GTEST_FLAG_PREFIX_UPPER_ "VAR", "1234567891234567891234");
   EXPECT_DEATH_IF_SUPPORTED(
@@ -2055,8 +2090,8 @@ TEST_F(UnitTestRecordPropertyTest,
        AddRecordWithReservedKeysGeneratesCorrectPropertyList) {
   EXPECT_NONFATAL_FAILURE(
       Test::RecordProperty("name", "1"),
-      "'classname', 'name', 'status', 'time', 'type_param', and 'value_param'"
-      " are reserved");
+      "'classname', 'name', 'status', 'time', 'type_param', 'value_param',"
+      " 'file', and 'line' are reserved");
 }
 
 class UnitTestRecordPropertyTestEnvironment : public Environment {
@@ -2416,7 +2451,7 @@ TEST(StringAssertionTest, ASSERT_STREQ) {
   ASSERT_STREQ(p1, p2);
 
   EXPECT_FATAL_FAILURE(ASSERT_STREQ("bad", "good"),
-                       "Expected: \"bad\"");
+                       "  \"bad\"\n  \"good\"");
 }
 
 // Tests ASSERT_STREQ with NULL arguments.
@@ -2452,7 +2487,7 @@ TEST(StringAssertionTest, ASSERT_STRCASEEQ) {
 
   ASSERT_STRCASEEQ("", "");
   EXPECT_FATAL_FAILURE(ASSERT_STRCASEEQ("Hi", "hi2"),
-                       "(ignoring case)");
+                       "Ignoring case");
 }
 
 // Tests ASSERT_STRCASENE.
@@ -3101,13 +3136,13 @@ TEST(DISABLED_TestCase, DISABLED_TestShouldNotRun) {
   FAIL() << "Unexpected failure: Test in disabled test case should not be run.";
 }
 
-// Check that when all tests in a test case are disabled, SetupTestCase() and
+// Check that when all tests in a test case are disabled, SetUpTestCase() and
 // TearDownTestCase() are not called.
 class DisabledTestsTest : public Test {
  protected:
   static void SetUpTestCase() {
     FAIL() << "Unexpected failure: All tests disabled in test case. "
-              "SetupTestCase() should not be called.";
+              "SetUpTestCase() should not be called.";
   }
 
   static void TearDownTestCase() {
@@ -3246,7 +3281,7 @@ TEST_F(SingleEvaluationTest, ASSERT_STR) {
 
   // failed EXPECT_STRCASEEQ
   EXPECT_NONFATAL_FAILURE(EXPECT_STRCASEEQ(p1_++, p2_++),
-                          "ignoring case");
+                          "Ignoring case");
   EXPECT_EQ(s1_ + 2, p1_);
   EXPECT_EQ(s2_ + 2, p2_);
 }
@@ -3354,7 +3389,7 @@ class NoFatalFailureTest : public Test {
 
   void DoAssertNoFatalFailureOnFails() {
     ASSERT_NO_FATAL_FAILURE(Fails());
-    ADD_FAILURE() << "shold not reach here.";
+    ADD_FAILURE() << "should not reach here.";
   }
 
   void DoExpectNoFatalFailureOnFails() {
@@ -3514,35 +3549,39 @@ TEST(AssertionTest, EqFailure) {
       EqFailure("foo", "bar", foo_val, bar_val, false)
       .failure_message());
   EXPECT_STREQ(
-      "Value of: bar\n"
-      "  Actual: 6\n"
-      "Expected: foo\n"
-      "Which is: 5",
+      "Expected equality of these values:\n"
+      "  foo\n"
+      "    Which is: 5\n"
+      "  bar\n"
+      "    Which is: 6",
       msg1.c_str());
 
   const std::string msg2(
       EqFailure("foo", "6", foo_val, bar_val, false)
       .failure_message());
   EXPECT_STREQ(
-      "Value of: 6\n"
-      "Expected: foo\n"
-      "Which is: 5",
+      "Expected equality of these values:\n"
+      "  foo\n"
+      "    Which is: 5\n"
+      "  6",
       msg2.c_str());
 
   const std::string msg3(
       EqFailure("5", "bar", foo_val, bar_val, false)
       .failure_message());
   EXPECT_STREQ(
-      "Value of: bar\n"
-      "  Actual: 6\n"
-      "Expected: 5",
+      "Expected equality of these values:\n"
+      "  5\n"
+      "  bar\n"
+      "    Which is: 6",
       msg3.c_str());
 
   const std::string msg4(
       EqFailure("5", "6", foo_val, bar_val, false).failure_message());
   EXPECT_STREQ(
-      "Value of: 6\n"
-      "Expected: 5",
+      "Expected equality of these values:\n"
+      "  5\n"
+      "  6",
       msg4.c_str());
 
   const std::string msg5(
@@ -3550,10 +3589,12 @@ TEST(AssertionTest, EqFailure) {
                 std::string("\"x\""), std::string("\"y\""),
                 true).failure_message());
   EXPECT_STREQ(
-      "Value of: bar\n"
-      "  Actual: \"y\"\n"
-      "Expected: foo (ignoring case)\n"
-      "Which is: \"x\"",
+      "Expected equality of these values:\n"
+      "  foo\n"
+      "    Which is: \"x\"\n"
+      "  bar\n"
+      "    Which is: \"y\"\n"
+      "Ignoring case",
       msg5.c_str());
 }
 
@@ -3565,11 +3606,12 @@ TEST(AssertionTest, EqFailureWithDiff) {
   const std::string msg1(
       EqFailure("left", "right", left, right, false).failure_message());
   EXPECT_STREQ(
-      "Value of: right\n"
-      "  Actual: 1\\n2\\n3\\n4\\n5\\n6\\n7\\n8\\n9\\n11\\n12\\n13\\n14\n"
-      "Expected: left\n"
-      "Which is: "
+      "Expected equality of these values:\n"
+      "  left\n"
+      "    Which is: "
       "1\\n2XXX\\n3\\n5\\n6\\n7\\n8\\n9\\n10\\n11\\n12XXX\\n13\\n14\\n15\n"
+      "  right\n"
+      "    Which is: 1\\n2\\n3\\n4\\n5\\n6\\n7\\n8\\n9\\n11\\n12\\n13\\n14\n"
       "With diff:\n@@ -1,5 +1,6 @@\n 1\n-2XXX\n+2\n 3\n+4\n 5\n 6\n"
       "@@ -7,8 +8,6 @@\n 8\n 9\n-10\n 11\n-12XXX\n+12\n 13\n 14\n-15\n",
       msg1.c_str());
@@ -3644,7 +3686,7 @@ TEST(AssertionTest, AssertFalseWithAssertionResult) {
 }
 
 #ifdef __BORLANDC__
-// Restores warnings after previous "#pragma option push" supressed them
+// Restores warnings after previous "#pragma option push" suppressed them
 # pragma option pop
 #endif
 
@@ -3664,9 +3706,10 @@ TEST(ExpectTest, ASSERT_EQ_Double) {
 TEST(AssertionTest, ASSERT_EQ) {
   ASSERT_EQ(5, 2 + 3);
   EXPECT_FATAL_FAILURE(ASSERT_EQ(5, 2*3),
-                       "Value of: 2*3\n"
-                       "  Actual: 6\n"
-                       "Expected: 5");
+                       "Expected equality of these values:\n"
+                       "  5\n"
+                       "  2*3\n"
+                       "    Which is: 6");
 }
 
 // Tests ASSERT_EQ(NULL, pointer).
@@ -3674,7 +3717,7 @@ TEST(AssertionTest, ASSERT_EQ) {
 TEST(AssertionTest, ASSERT_EQ_NULL) {
   // A success.
   const char* p = NULL;
-  // Some older GCC versions may issue a spurious waring in this or the next
+  // Some older GCC versions may issue a spurious warning in this or the next
   // assertion statement. This warning should not be suppressed with
   // static_cast since the test verifies the ability to use bare NULL as the
   // expected parameter to the macro.
@@ -3683,7 +3726,7 @@ TEST(AssertionTest, ASSERT_EQ_NULL) {
   // A failure.
   static int n = 0;
   EXPECT_FATAL_FAILURE(ASSERT_EQ(NULL, &n),
-                       "Value of: &n\n");
+                       "  &n\n    Which is:");
 }
 #endif  // GTEST_CAN_COMPARE_NULL
 
@@ -3699,7 +3742,7 @@ TEST(ExpectTest, ASSERT_EQ_0) {
 
   // A failure.
   EXPECT_FATAL_FAILURE(ASSERT_EQ(0, 5.6),
-                       "Expected: 0");
+                       "  0\n  5.6");
 }
 
 // Tests ASSERT_NE.
@@ -3798,7 +3841,7 @@ void TestEq1(int x) {
 // Tests calling a test subroutine that's not part of a fixture.
 TEST(AssertionTest, NonFixtureSubroutine) {
   EXPECT_FATAL_FAILURE(TestEq1(2),
-                       "Value of: x");
+                       "  x\n    Which is: 2");
 }
 
 // An uncopyable class.
@@ -3847,7 +3890,8 @@ TEST(AssertionTest, AssertWorksWithUncopyableObject) {
   EXPECT_FATAL_FAILURE(TestAssertNonPositive(),
     "IsPositiveUncopyable(y) evaluates to false, where\ny evaluates to -1");
   EXPECT_FATAL_FAILURE(TestAssertEqualsUncopyable(),
-    "Value of: y\n  Actual: -1\nExpected: x\nWhich is: 5");
+                       "Expected equality of these values:\n"
+                       "  x\n    Which is: 5\n  y\n    Which is: -1");
 }
 
 // Tests that uncopyable objects can be used in expects.
@@ -3859,7 +3903,8 @@ TEST(AssertionTest, ExpectWorksWithUncopyableObject) {
     "IsPositiveUncopyable(y) evaluates to false, where\ny evaluates to -1");
   EXPECT_EQ(x, x);
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(x, y),
-    "Value of: y\n  Actual: -1\nExpected: x\nWhich is: 5");
+                          "Expected equality of these values:\n"
+                          "  x\n    Which is: 5\n  y\n    Which is: -1");
 }
 
 enum NamedEnum {
@@ -3871,7 +3916,7 @@ TEST(AssertionTest, NamedEnum) {
   EXPECT_EQ(kE1, kE1);
   EXPECT_LT(kE1, kE2);
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(kE1, kE2), "Which is: 0");
-  EXPECT_NONFATAL_FAILURE(EXPECT_EQ(kE1, kE2), "Actual: 1");
+  EXPECT_NONFATAL_FAILURE(EXPECT_EQ(kE1, kE2), "Which is: 1");
 }
 
 // The version of gcc used in XCode 2.2 has a bug and doesn't allow
@@ -3935,13 +3980,13 @@ TEST(AssertionTest, AnonymousEnum) {
 
   // ICE's in C++Builder.
   EXPECT_FATAL_FAILURE(ASSERT_EQ(kCaseA, kCaseB),
-                       "Value of: kCaseB");
+                       "  kCaseB\n    Which is: ");
   EXPECT_FATAL_FAILURE(ASSERT_EQ(kCaseA, kCaseC),
-                       "Actual: 42");
+                       "\n    Which is: 42");
 # endif
 
   EXPECT_FATAL_FAILURE(ASSERT_EQ(kCaseA, kCaseC),
-                       "Which is: -1");
+                       "\n    Which is: -1");
 }
 
 #endif  // !GTEST_OS_MAC && !defined(__SUNPRO_CC)
@@ -4367,7 +4412,7 @@ TEST(ExpectTest, ExpectFalseWithAssertionResult) {
 }
 
 #ifdef __BORLANDC__
-// Restores warnings after previous "#pragma option push" supressed them
+// Restores warnings after previous "#pragma option push" suppressed them
 # pragma option pop
 #endif
 
@@ -4375,9 +4420,10 @@ TEST(ExpectTest, ExpectFalseWithAssertionResult) {
 TEST(ExpectTest, EXPECT_EQ) {
   EXPECT_EQ(5, 2 + 3);
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(5, 2*3),
-                          "Value of: 2*3\n"
-                          "  Actual: 6\n"
-                          "Expected: 5");
+                          "Expected equality of these values:\n"
+                          "  5\n"
+                          "  2*3\n"
+                          "    Which is: 6");
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(5, 2 - 3),
                           "2 - 3");
 }
@@ -4408,7 +4454,7 @@ TEST(ExpectTest, EXPECT_EQ_NULL) {
   // A failure.
   int n = 0;
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(NULL, &n),
-                          "Value of: &n\n");
+                          "  &n\n    Which is:");
 }
 #endif  // GTEST_CAN_COMPARE_NULL
 
@@ -4424,7 +4470,7 @@ TEST(ExpectTest, EXPECT_EQ_0) {
 
   // A failure.
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(0, 5.6),
-                          "Expected: 0");
+                          "  0\n  5.6");
 }
 
 // Tests EXPECT_NE.
@@ -4524,7 +4570,7 @@ TEST(ExpectTest, EXPECT_ANY_THROW) {
 TEST(ExpectTest, ExpectPrecedence) {
   EXPECT_EQ(1 < 2, true);
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(true, true && false),
-                          "Value of: true && false");
+                          "  true && false\n    Which is: false");
 }
 
 
@@ -4641,7 +4687,7 @@ TEST(MacroTest, ADD_FAILURE_AT) {
   // Unfortunately, we cannot verify that the failure message contains
   // the right file path and line number the same way, as
   // EXPECT_NONFATAL_FAILURE() doesn't get to see the file path and
-  // line number.  Instead, we do that in gtest_output_test_.cc.
+  // line number.  Instead, we do that in googletest-output-test_.cc.
 }
 
 // Tests FAIL.
@@ -4671,14 +4717,14 @@ TEST(EqAssertionTest, Bool) {
   EXPECT_FATAL_FAILURE({
       bool false_value = false;
       ASSERT_EQ(false_value, true);
-    }, "Value of: true");
+    }, "  false_value\n    Which is: false\n  true");
 }
 
 // Tests using int values in {EXPECT|ASSERT}_EQ.
 TEST(EqAssertionTest, Int) {
   ASSERT_EQ(32, 32);
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(32, 33),
-                          "33");
+                          "  32\n  33");
 }
 
 // Tests using time_t values in {EXPECT|ASSERT}_EQ.
@@ -4695,9 +4741,9 @@ TEST(EqAssertionTest, Char) {
   ASSERT_EQ('z', 'z');
   const char ch = 'b';
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ('\0', ch),
-                          "ch");
+                          "  ch\n    Which is: 'b'");
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ('a', ch),
-                          "ch");
+                          "  ch\n    Which is: 'b'");
 }
 
 // Tests using wchar_t values in {EXPECT|ASSERT}_EQ.
@@ -4705,10 +4751,11 @@ TEST(EqAssertionTest, WideChar) {
   EXPECT_EQ(L'b', L'b');
 
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(L'\0', L'x'),
-                          "Value of: L'x'\n"
-                          "  Actual: L'x' (120, 0x78)\n"
-                          "Expected: L'\0'\n"
-                          "Which is: L'\0' (0, 0x0)");
+                          "Expected equality of these values:\n"
+                          "  L'\0'\n"
+                          "    Which is: L'\0' (0, 0x0)\n"
+                          "  L'x'\n"
+                          "    Which is: L'x' (120, 0x78)");
 
   static wchar_t wchar;
   wchar = L'b';
@@ -4716,7 +4763,7 @@ TEST(EqAssertionTest, WideChar) {
                           "wchar");
   wchar = 0x8119;
   EXPECT_FATAL_FAILURE(ASSERT_EQ(static_cast<wchar_t>(0x8120), wchar),
-                       "Value of: wchar");
+                       "  wchar\n    Which is: L'");
 }
 
 // Tests using ::std::string values in {EXPECT|ASSERT}_EQ.
@@ -4745,8 +4792,7 @@ TEST(EqAssertionTest, StdString) {
   static ::std::string str3(str1);
   str3.at(2) = '\0';
   EXPECT_FATAL_FAILURE(ASSERT_EQ(str1, str3),
-                       "Value of: str3\n"
-                       "  Actual: \"A \\0 in the middle\"");
+                       "  str3\n    Which is: \"A \\0 in the middle\"");
 }
 
 #if GTEST_HAS_STD_WSTRING
@@ -4866,9 +4912,9 @@ TEST(EqAssertionTest, CharPointer) {
   ASSERT_EQ(p1, p1);
 
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(p0, p2),
-                          "Value of: p2");
+                          "  p2\n    Which is:");
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(p1, p2),
-                          "p2");
+                          "  p2\n    Which is:");
   EXPECT_FATAL_FAILURE(ASSERT_EQ(reinterpret_cast<char*>(0x1234),
                                  reinterpret_cast<char*>(0xABC0)),
                        "ABC0");
@@ -4888,9 +4934,9 @@ TEST(EqAssertionTest, WideCharPointer) {
   EXPECT_EQ(p0, p0);
 
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(p0, p2),
-                          "Value of: p2");
+                          "  p2\n    Which is:");
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(p1, p2),
-                          "p2");
+                          "  p2\n    Which is:");
   void* pv3 = (void*)0x1234;  // NOLINT
   void* pv4 = (void*)0xABC0;  // NOLINT
   const wchar_t* p3 = reinterpret_cast<const wchar_t*>(pv3);
@@ -5319,6 +5365,59 @@ TEST_F(TestInfoTest, result) {
   ASSERT_EQ(0, GetTestResult(test_info)->total_part_count());
 }
 
+#define VERIFY_CODE_LOCATION \
+  const int expected_line = __LINE__ - 1; \
+  const TestInfo* const test_info = GetUnitTestImpl()->current_test_info(); \
+  ASSERT_TRUE(test_info); \
+  EXPECT_STREQ(__FILE__, test_info->file()); \
+  EXPECT_EQ(expected_line, test_info->line())
+
+TEST(CodeLocationForTEST, Verify) {
+  VERIFY_CODE_LOCATION;
+}
+
+class CodeLocationForTESTF : public Test {
+};
+
+TEST_F(CodeLocationForTESTF, Verify) {
+  VERIFY_CODE_LOCATION;
+}
+
+class CodeLocationForTESTP : public TestWithParam<int> {
+};
+
+TEST_P(CodeLocationForTESTP, Verify) {
+  VERIFY_CODE_LOCATION;
+}
+
+INSTANTIATE_TEST_CASE_P(, CodeLocationForTESTP, Values(0));
+
+template <typename T>
+class CodeLocationForTYPEDTEST : public Test {
+};
+
+TYPED_TEST_CASE(CodeLocationForTYPEDTEST, int);
+
+TYPED_TEST(CodeLocationForTYPEDTEST, Verify) {
+  VERIFY_CODE_LOCATION;
+}
+
+template <typename T>
+class CodeLocationForTYPEDTESTP : public Test {
+};
+
+TYPED_TEST_CASE_P(CodeLocationForTYPEDTESTP);
+
+TYPED_TEST_P(CodeLocationForTYPEDTESTP, Verify) {
+  VERIFY_CODE_LOCATION;
+}
+
+REGISTER_TYPED_TEST_CASE_P(CodeLocationForTYPEDTESTP, Verify);
+
+INSTANTIATE_TYPED_TEST_CASE_P(My, CodeLocationForTYPEDTESTP, int);
+
+#undef VERIFY_CODE_LOCATION
+
 // Tests setting up and tearing down a test case.
 
 class SetUpTestCaseTest : public Test {
@@ -5382,7 +5481,8 @@ TEST_F(SetUpTestCaseTest, Test2) {
   EXPECT_STREQ("123", shared_resource_);
 }
 
-// The InitGoogleTestTest test case tests testing::InitGoogleTest().
+
+// The ParseFlagsTest test case tests ParseGoogleTestFlagsOnly.
 
 // The Flags struct stores a copy of all Google Test flags.
 struct Flags {
@@ -5468,8 +5568,8 @@ struct Flags {
     return flags;
   }
 
-  // Creates a Flags struct where the gtest_random_seed flag has
-  // the given value.
+  // Creates a Flags struct where the gtest_random_seed flag has the given
+  // value.
   static Flags RandomSeed(Int32 random_seed) {
     Flags flags;
     flags.random_seed = random_seed;
@@ -5484,8 +5584,8 @@ struct Flags {
     return flags;
   }
 
-  // Creates a Flags struct where the gtest_shuffle flag has
-  // the given value.
+  // Creates a Flags struct where the gtest_shuffle flag has the given
+  // value.
   static Flags Shuffle(bool shuffle) {
     Flags flags;
     flags.shuffle = shuffle;
@@ -5533,8 +5633,8 @@ struct Flags {
   bool throw_on_failure;
 };
 
-// Fixture for testing InitGoogleTest().
-class InitGoogleTestTest : public Test {
+// Fixture for testing ParseGoogleTestFlagsOnly().
+class ParseFlagsTest : public Test {
  protected:
   // Clears the flags before each test.
   virtual void SetUp() {
@@ -5595,16 +5695,16 @@ class InitGoogleTestTest : public Test {
     const bool saved_help_flag = ::testing::internal::g_help_flag;
     ::testing::internal::g_help_flag = false;
 
-#if GTEST_HAS_STREAM_REDIRECTION
+# if GTEST_HAS_STREAM_REDIRECTION
     CaptureStdout();
-#endif
+# endif
 
     // Parses the command line.
     internal::ParseGoogleTestFlagsOnly(&argc1, const_cast<CharType**>(argv1));
 
-#if GTEST_HAS_STREAM_REDIRECTION
+# if GTEST_HAS_STREAM_REDIRECTION
     const std::string captured_stdout = GetCapturedStdout();
-#endif
+# endif
 
     // Verifies the flag values.
     CheckFlags(expected);
@@ -5617,7 +5717,7 @@ class InitGoogleTestTest : public Test {
     // help message for the flags it recognizes.
     EXPECT_EQ(should_print_help, ::testing::internal::g_help_flag);
 
-#if GTEST_HAS_STREAM_REDIRECTION
+# if GTEST_HAS_STREAM_REDIRECTION
     const char* const expected_help_fragment =
         "This program contains tests written using";
     if (should_print_help) {
@@ -5626,7 +5726,7 @@ class InitGoogleTestTest : public Test {
       EXPECT_PRED_FORMAT2(IsNotSubstring,
                           expected_help_fragment, captured_stdout);
     }
-#endif  // GTEST_HAS_STREAM_REDIRECTION
+# endif  // GTEST_HAS_STREAM_REDIRECTION
 
     ::testing::internal::g_help_flag = saved_help_flag;
   }
@@ -5634,14 +5734,14 @@ class InitGoogleTestTest : public Test {
   // This macro wraps TestParsingFlags s.t. the user doesn't need
   // to specify the array sizes.
 
-#define GTEST_TEST_PARSING_FLAGS_(argv1, argv2, expected, should_print_help) \
+# define GTEST_TEST_PARSING_FLAGS_(argv1, argv2, expected, should_print_help) \
   TestParsingFlags(sizeof(argv1)/sizeof(*argv1) - 1, argv1, \
                    sizeof(argv2)/sizeof(*argv2) - 1, argv2, \
                    expected, should_print_help)
 };
 
 // Tests parsing an empty command line.
-TEST_F(InitGoogleTestTest, Empty) {
+TEST_F(ParseFlagsTest, Empty) {
   const char* argv[] = {
     NULL
   };
@@ -5654,7 +5754,7 @@ TEST_F(InitGoogleTestTest, Empty) {
 }
 
 // Tests parsing a command line that has no flag.
-TEST_F(InitGoogleTestTest, NoFlag) {
+TEST_F(ParseFlagsTest, NoFlag) {
   const char* argv[] = {
     "foo.exe",
     NULL
@@ -5669,7 +5769,7 @@ TEST_F(InitGoogleTestTest, NoFlag) {
 }
 
 // Tests parsing a bad --gtest_filter flag.
-TEST_F(InitGoogleTestTest, FilterBad) {
+TEST_F(ParseFlagsTest, FilterBad) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_filter",
@@ -5686,7 +5786,7 @@ TEST_F(InitGoogleTestTest, FilterBad) {
 }
 
 // Tests parsing an empty --gtest_filter flag.
-TEST_F(InitGoogleTestTest, FilterEmpty) {
+TEST_F(ParseFlagsTest, FilterEmpty) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_filter=",
@@ -5702,7 +5802,7 @@ TEST_F(InitGoogleTestTest, FilterEmpty) {
 }
 
 // Tests parsing a non-empty --gtest_filter flag.
-TEST_F(InitGoogleTestTest, FilterNonEmpty) {
+TEST_F(ParseFlagsTest, FilterNonEmpty) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_filter=abc",
@@ -5718,7 +5818,7 @@ TEST_F(InitGoogleTestTest, FilterNonEmpty) {
 }
 
 // Tests parsing --gtest_break_on_failure.
-TEST_F(InitGoogleTestTest, BreakOnFailureWithoutValue) {
+TEST_F(ParseFlagsTest, BreakOnFailureWithoutValue) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_break_on_failure",
@@ -5734,7 +5834,7 @@ TEST_F(InitGoogleTestTest, BreakOnFailureWithoutValue) {
 }
 
 // Tests parsing --gtest_break_on_failure=0.
-TEST_F(InitGoogleTestTest, BreakOnFailureFalse_0) {
+TEST_F(ParseFlagsTest, BreakOnFailureFalse_0) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_break_on_failure=0",
@@ -5750,7 +5850,7 @@ TEST_F(InitGoogleTestTest, BreakOnFailureFalse_0) {
 }
 
 // Tests parsing --gtest_break_on_failure=f.
-TEST_F(InitGoogleTestTest, BreakOnFailureFalse_f) {
+TEST_F(ParseFlagsTest, BreakOnFailureFalse_f) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_break_on_failure=f",
@@ -5766,7 +5866,7 @@ TEST_F(InitGoogleTestTest, BreakOnFailureFalse_f) {
 }
 
 // Tests parsing --gtest_break_on_failure=F.
-TEST_F(InitGoogleTestTest, BreakOnFailureFalse_F) {
+TEST_F(ParseFlagsTest, BreakOnFailureFalse_F) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_break_on_failure=F",
@@ -5783,7 +5883,7 @@ TEST_F(InitGoogleTestTest, BreakOnFailureFalse_F) {
 
 // Tests parsing a --gtest_break_on_failure flag that has a "true"
 // definition.
-TEST_F(InitGoogleTestTest, BreakOnFailureTrue) {
+TEST_F(ParseFlagsTest, BreakOnFailureTrue) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_break_on_failure=1",
@@ -5799,7 +5899,7 @@ TEST_F(InitGoogleTestTest, BreakOnFailureTrue) {
 }
 
 // Tests parsing --gtest_catch_exceptions.
-TEST_F(InitGoogleTestTest, CatchExceptions) {
+TEST_F(ParseFlagsTest, CatchExceptions) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_catch_exceptions",
@@ -5815,7 +5915,7 @@ TEST_F(InitGoogleTestTest, CatchExceptions) {
 }
 
 // Tests parsing --gtest_death_test_use_fork.
-TEST_F(InitGoogleTestTest, DeathTestUseFork) {
+TEST_F(ParseFlagsTest, DeathTestUseFork) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_death_test_use_fork",
@@ -5832,7 +5932,7 @@ TEST_F(InitGoogleTestTest, DeathTestUseFork) {
 
 // Tests having the same flag twice with different values.  The
 // expected behavior is that the one coming last takes precedence.
-TEST_F(InitGoogleTestTest, DuplicatedFlags) {
+TEST_F(ParseFlagsTest, DuplicatedFlags) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_filter=a",
@@ -5849,7 +5949,7 @@ TEST_F(InitGoogleTestTest, DuplicatedFlags) {
 }
 
 // Tests having an unrecognized flag on the command line.
-TEST_F(InitGoogleTestTest, UnrecognizedFlag) {
+TEST_F(ParseFlagsTest, UnrecognizedFlag) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_break_on_failure",
@@ -5871,7 +5971,7 @@ TEST_F(InitGoogleTestTest, UnrecognizedFlag) {
 }
 
 // Tests having a --gtest_list_tests flag
-TEST_F(InitGoogleTestTest, ListTestsFlag) {
+TEST_F(ParseFlagsTest, ListTestsFlag) {
     const char* argv[] = {
       "foo.exe",
       "--gtest_list_tests",
@@ -5887,7 +5987,7 @@ TEST_F(InitGoogleTestTest, ListTestsFlag) {
 }
 
 // Tests having a --gtest_list_tests flag with a "true" value
-TEST_F(InitGoogleTestTest, ListTestsTrue) {
+TEST_F(ParseFlagsTest, ListTestsTrue) {
     const char* argv[] = {
       "foo.exe",
       "--gtest_list_tests=1",
@@ -5903,7 +6003,7 @@ TEST_F(InitGoogleTestTest, ListTestsTrue) {
 }
 
 // Tests having a --gtest_list_tests flag with a "false" value
-TEST_F(InitGoogleTestTest, ListTestsFalse) {
+TEST_F(ParseFlagsTest, ListTestsFalse) {
     const char* argv[] = {
       "foo.exe",
       "--gtest_list_tests=0",
@@ -5919,7 +6019,7 @@ TEST_F(InitGoogleTestTest, ListTestsFalse) {
 }
 
 // Tests parsing --gtest_list_tests=f.
-TEST_F(InitGoogleTestTest, ListTestsFalse_f) {
+TEST_F(ParseFlagsTest, ListTestsFalse_f) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_list_tests=f",
@@ -5935,7 +6035,7 @@ TEST_F(InitGoogleTestTest, ListTestsFalse_f) {
 }
 
 // Tests parsing --gtest_list_tests=F.
-TEST_F(InitGoogleTestTest, ListTestsFalse_F) {
+TEST_F(ParseFlagsTest, ListTestsFalse_F) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_list_tests=F",
@@ -5951,7 +6051,7 @@ TEST_F(InitGoogleTestTest, ListTestsFalse_F) {
 }
 
 // Tests parsing --gtest_output (invalid).
-TEST_F(InitGoogleTestTest, OutputEmpty) {
+TEST_F(ParseFlagsTest, OutputEmpty) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_output",
@@ -5968,7 +6068,7 @@ TEST_F(InitGoogleTestTest, OutputEmpty) {
 }
 
 // Tests parsing --gtest_output=xml
-TEST_F(InitGoogleTestTest, OutputXml) {
+TEST_F(ParseFlagsTest, OutputXml) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_output=xml",
@@ -5984,7 +6084,7 @@ TEST_F(InitGoogleTestTest, OutputXml) {
 }
 
 // Tests parsing --gtest_output=xml:file
-TEST_F(InitGoogleTestTest, OutputXmlFile) {
+TEST_F(ParseFlagsTest, OutputXmlFile) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_output=xml:file",
@@ -6000,7 +6100,7 @@ TEST_F(InitGoogleTestTest, OutputXmlFile) {
 }
 
 // Tests parsing --gtest_output=xml:directory/path/
-TEST_F(InitGoogleTestTest, OutputXmlDirectory) {
+TEST_F(ParseFlagsTest, OutputXmlDirectory) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_output=xml:directory/path/",
@@ -6017,7 +6117,7 @@ TEST_F(InitGoogleTestTest, OutputXmlDirectory) {
 }
 
 // Tests having a --gtest_print_time flag
-TEST_F(InitGoogleTestTest, PrintTimeFlag) {
+TEST_F(ParseFlagsTest, PrintTimeFlag) {
     const char* argv[] = {
       "foo.exe",
       "--gtest_print_time",
@@ -6033,7 +6133,7 @@ TEST_F(InitGoogleTestTest, PrintTimeFlag) {
 }
 
 // Tests having a --gtest_print_time flag with a "true" value
-TEST_F(InitGoogleTestTest, PrintTimeTrue) {
+TEST_F(ParseFlagsTest, PrintTimeTrue) {
     const char* argv[] = {
       "foo.exe",
       "--gtest_print_time=1",
@@ -6049,7 +6149,7 @@ TEST_F(InitGoogleTestTest, PrintTimeTrue) {
 }
 
 // Tests having a --gtest_print_time flag with a "false" value
-TEST_F(InitGoogleTestTest, PrintTimeFalse) {
+TEST_F(ParseFlagsTest, PrintTimeFalse) {
     const char* argv[] = {
       "foo.exe",
       "--gtest_print_time=0",
@@ -6065,7 +6165,7 @@ TEST_F(InitGoogleTestTest, PrintTimeFalse) {
 }
 
 // Tests parsing --gtest_print_time=f.
-TEST_F(InitGoogleTestTest, PrintTimeFalse_f) {
+TEST_F(ParseFlagsTest, PrintTimeFalse_f) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_print_time=f",
@@ -6081,7 +6181,7 @@ TEST_F(InitGoogleTestTest, PrintTimeFalse_f) {
 }
 
 // Tests parsing --gtest_print_time=F.
-TEST_F(InitGoogleTestTest, PrintTimeFalse_F) {
+TEST_F(ParseFlagsTest, PrintTimeFalse_F) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_print_time=F",
@@ -6097,7 +6197,7 @@ TEST_F(InitGoogleTestTest, PrintTimeFalse_F) {
 }
 
 // Tests parsing --gtest_random_seed=number
-TEST_F(InitGoogleTestTest, RandomSeed) {
+TEST_F(ParseFlagsTest, RandomSeed) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_random_seed=1000",
@@ -6113,7 +6213,7 @@ TEST_F(InitGoogleTestTest, RandomSeed) {
 }
 
 // Tests parsing --gtest_repeat=number
-TEST_F(InitGoogleTestTest, Repeat) {
+TEST_F(ParseFlagsTest, Repeat) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_repeat=1000",
@@ -6129,7 +6229,7 @@ TEST_F(InitGoogleTestTest, Repeat) {
 }
 
 // Tests having a --gtest_also_run_disabled_tests flag
-TEST_F(InitGoogleTestTest, AlsoRunDisabledTestsFlag) {
+TEST_F(ParseFlagsTest, AlsoRunDisabledTestsFlag) {
     const char* argv[] = {
       "foo.exe",
       "--gtest_also_run_disabled_tests",
@@ -6146,7 +6246,7 @@ TEST_F(InitGoogleTestTest, AlsoRunDisabledTestsFlag) {
 }
 
 // Tests having a --gtest_also_run_disabled_tests flag with a "true" value
-TEST_F(InitGoogleTestTest, AlsoRunDisabledTestsTrue) {
+TEST_F(ParseFlagsTest, AlsoRunDisabledTestsTrue) {
     const char* argv[] = {
       "foo.exe",
       "--gtest_also_run_disabled_tests=1",
@@ -6163,7 +6263,7 @@ TEST_F(InitGoogleTestTest, AlsoRunDisabledTestsTrue) {
 }
 
 // Tests having a --gtest_also_run_disabled_tests flag with a "false" value
-TEST_F(InitGoogleTestTest, AlsoRunDisabledTestsFalse) {
+TEST_F(ParseFlagsTest, AlsoRunDisabledTestsFalse) {
     const char* argv[] = {
       "foo.exe",
       "--gtest_also_run_disabled_tests=0",
@@ -6180,7 +6280,7 @@ TEST_F(InitGoogleTestTest, AlsoRunDisabledTestsFalse) {
 }
 
 // Tests parsing --gtest_shuffle.
-TEST_F(InitGoogleTestTest, ShuffleWithoutValue) {
+TEST_F(ParseFlagsTest, ShuffleWithoutValue) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_shuffle",
@@ -6196,7 +6296,7 @@ TEST_F(InitGoogleTestTest, ShuffleWithoutValue) {
 }
 
 // Tests parsing --gtest_shuffle=0.
-TEST_F(InitGoogleTestTest, ShuffleFalse_0) {
+TEST_F(ParseFlagsTest, ShuffleFalse_0) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_shuffle=0",
@@ -6211,9 +6311,8 @@ TEST_F(InitGoogleTestTest, ShuffleFalse_0) {
   GTEST_TEST_PARSING_FLAGS_(argv, argv2, Flags::Shuffle(false), false);
 }
 
-// Tests parsing a --gtest_shuffle flag that has a "true"
-// definition.
-TEST_F(InitGoogleTestTest, ShuffleTrue) {
+// Tests parsing a --gtest_shuffle flag that has a "true" definition.
+TEST_F(ParseFlagsTest, ShuffleTrue) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_shuffle=1",
@@ -6229,7 +6328,7 @@ TEST_F(InitGoogleTestTest, ShuffleTrue) {
 }
 
 // Tests parsing --gtest_stack_trace_depth=number.
-TEST_F(InitGoogleTestTest, StackTraceDepth) {
+TEST_F(ParseFlagsTest, StackTraceDepth) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_stack_trace_depth=5",
@@ -6244,7 +6343,7 @@ TEST_F(InitGoogleTestTest, StackTraceDepth) {
   GTEST_TEST_PARSING_FLAGS_(argv, argv2, Flags::StackTraceDepth(5), false);
 }
 
-TEST_F(InitGoogleTestTest, StreamResultTo) {
+TEST_F(ParseFlagsTest, StreamResultTo) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_stream_result_to=localhost:1234",
@@ -6261,7 +6360,7 @@ TEST_F(InitGoogleTestTest, StreamResultTo) {
 }
 
 // Tests parsing --gtest_throw_on_failure.
-TEST_F(InitGoogleTestTest, ThrowOnFailureWithoutValue) {
+TEST_F(ParseFlagsTest, ThrowOnFailureWithoutValue) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_throw_on_failure",
@@ -6277,7 +6376,7 @@ TEST_F(InitGoogleTestTest, ThrowOnFailureWithoutValue) {
 }
 
 // Tests parsing --gtest_throw_on_failure=0.
-TEST_F(InitGoogleTestTest, ThrowOnFailureFalse_0) {
+TEST_F(ParseFlagsTest, ThrowOnFailureFalse_0) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_throw_on_failure=0",
@@ -6294,7 +6393,7 @@ TEST_F(InitGoogleTestTest, ThrowOnFailureFalse_0) {
 
 // Tests parsing a --gtest_throw_on_failure flag that has a "true"
 // definition.
-TEST_F(InitGoogleTestTest, ThrowOnFailureTrue) {
+TEST_F(ParseFlagsTest, ThrowOnFailureTrue) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_throw_on_failure=1",
@@ -6309,9 +6408,9 @@ TEST_F(InitGoogleTestTest, ThrowOnFailureTrue) {
   GTEST_TEST_PARSING_FLAGS_(argv, argv2, Flags::ThrowOnFailure(true), false);
 }
 
-#if GTEST_OS_WINDOWS
+# if GTEST_OS_WINDOWS
 // Tests parsing wide strings.
-TEST_F(InitGoogleTestTest, WideStrings) {
+TEST_F(ParseFlagsTest, WideStrings) {
   const wchar_t* argv[] = {
     L"foo.exe",
     L"--gtest_filter=Foo*",
@@ -6334,7 +6433,108 @@ TEST_F(InitGoogleTestTest, WideStrings) {
 
   GTEST_TEST_PARSING_FLAGS_(argv, argv2, expected_flags, false);
 }
-#endif  // GTEST_OS_WINDOWS
+# endif  // GTEST_OS_WINDOWS
+
+#if GTEST_USE_OWN_FLAGFILE_FLAG_
+class FlagfileTest : public ParseFlagsTest {
+ public:
+  virtual void SetUp() {
+    ParseFlagsTest::SetUp();
+
+    testdata_path_.Set(internal::FilePath(
+        testing::TempDir() + internal::GetCurrentExecutableName().string() +
+        "_flagfile_test"));
+    testing::internal::posix::RmDir(testdata_path_.c_str());
+    EXPECT_TRUE(testdata_path_.CreateFolder());
+  }
+
+  virtual void TearDown() {
+    testing::internal::posix::RmDir(testdata_path_.c_str());
+    ParseFlagsTest::TearDown();
+  }
+
+  internal::FilePath CreateFlagfile(const char* contents) {
+    internal::FilePath file_path(internal::FilePath::GenerateUniqueFileName(
+        testdata_path_, internal::FilePath("unique"), "txt"));
+    FILE* f = testing::internal::posix::FOpen(file_path.c_str(), "w");
+    fprintf(f, "%s", contents);
+    fclose(f);
+    return file_path;
+  }
+
+ private:
+  internal::FilePath testdata_path_;
+};
+
+// Tests an empty flagfile.
+TEST_F(FlagfileTest, Empty) {
+  internal::FilePath flagfile_path(CreateFlagfile(""));
+  std::string flagfile_flag =
+      std::string("--" GTEST_FLAG_PREFIX_ "flagfile=") + flagfile_path.c_str();
+
+  const char* argv[] = {
+    "foo.exe",
+    flagfile_flag.c_str(),
+    NULL
+  };
+
+  const char* argv2[] = {
+    "foo.exe",
+    NULL
+  };
+
+  GTEST_TEST_PARSING_FLAGS_(argv, argv2, Flags(), false);
+}
+
+// Tests passing a non-empty --gtest_filter flag via --gtest_flagfile.
+TEST_F(FlagfileTest, FilterNonEmpty) {
+  internal::FilePath flagfile_path(CreateFlagfile(
+      "--"  GTEST_FLAG_PREFIX_  "filter=abc"));
+  std::string flagfile_flag =
+      std::string("--" GTEST_FLAG_PREFIX_ "flagfile=") + flagfile_path.c_str();
+
+  const char* argv[] = {
+    "foo.exe",
+    flagfile_flag.c_str(),
+    NULL
+  };
+
+  const char* argv2[] = {
+    "foo.exe",
+    NULL
+  };
+
+  GTEST_TEST_PARSING_FLAGS_(argv, argv2, Flags::Filter("abc"), false);
+}
+
+// Tests passing several flags via --gtest_flagfile.
+TEST_F(FlagfileTest, SeveralFlags) {
+  internal::FilePath flagfile_path(CreateFlagfile(
+      "--"  GTEST_FLAG_PREFIX_  "filter=abc\n"
+      "--"  GTEST_FLAG_PREFIX_  "break_on_failure\n"
+      "--"  GTEST_FLAG_PREFIX_  "list_tests"));
+  std::string flagfile_flag =
+      std::string("--" GTEST_FLAG_PREFIX_ "flagfile=") + flagfile_path.c_str();
+
+  const char* argv[] = {
+    "foo.exe",
+    flagfile_flag.c_str(),
+    NULL
+  };
+
+  const char* argv2[] = {
+    "foo.exe",
+    NULL
+  };
+
+  Flags expected_flags;
+  expected_flags.break_on_failure = true;
+  expected_flags.filter = "abc";
+  expected_flags.list_tests = true;
+
+  GTEST_TEST_PARSING_FLAGS_(argv, argv2, expected_flags, false);
+}
+#endif  // GTEST_USE_OWN_FLAGFILE_FLAG_
 
 // Tests current_test_info() in UnitTest.
 class CurrentTestInfoTest : public Test {
@@ -6389,6 +6589,7 @@ TEST_F(CurrentTestInfoTest, WorksForSecondTestInATestCase) {
 
 }  // namespace testing
 
+
 // These two lines test that we can define tests in a namespace that
 // has the name "testing" and is nested in another namespace.
 namespace my_namespace {
@@ -6469,7 +6670,7 @@ TEST(StreamingAssertionsTest, Truth2) {
 }
 
 #ifdef __BORLANDC__
-// Restores warnings after previous "#pragma option push" supressed them
+// Restores warnings after previous "#pragma option push" suppressed them
 # pragma option pop
 #endif
 
@@ -6672,6 +6873,18 @@ TEST(ColoredOutputTest, UsesColorsWhenTermSupportsColors) {
   SetEnv("TERM", "screen-256color");  // TERM supports colors.
   EXPECT_TRUE(ShouldUseColor(true));  // Stdout is a TTY.
 
+  SetEnv("TERM", "tmux");  // TERM supports colors.
+  EXPECT_TRUE(ShouldUseColor(true));  // Stdout is a TTY.
+
+  SetEnv("TERM", "tmux-256color");  // TERM supports colors.
+  EXPECT_TRUE(ShouldUseColor(true));  // Stdout is a TTY.
+
+  SetEnv("TERM", "rxvt-unicode");  // TERM supports colors.
+  EXPECT_TRUE(ShouldUseColor(true));  // Stdout is a TTY.
+
+  SetEnv("TERM", "rxvt-unicode-256color");  // TERM supports colors.
+  EXPECT_TRUE(ShouldUseColor(true));  // Stdout is a TTY.
+
   SetEnv("TERM", "linux");  // TERM supports colors.
   EXPECT_TRUE(ShouldUseColor(true));  // Stdout is a TTY.
 
@@ -6707,14 +6920,6 @@ TEST(StaticAssertTypeEqTest, CompilesForEqualTypes) {
   StaticAssertTypeEq<int*, IntAlias*>();
 }
 
-TEST(GetCurrentOsStackTraceExceptTopTest, ReturnsTheStackTrace) {
-  testing::UnitTest* const unit_test = testing::UnitTest::GetInstance();
-
-  // We don't have a stack walker in Google Test yet.
-  EXPECT_STREQ("", GetCurrentOsStackTraceExceptTop(unit_test, 0).c_str());
-  EXPECT_STREQ("", GetCurrentOsStackTraceExceptTop(unit_test, 1).c_str());
-}
-
 TEST(HasNonfatalFailureTest, ReturnsFalseWhenThereIsNoFailure) {
   EXPECT_FALSE(HasNonfatalFailure());
 }
@@ -7166,7 +7371,7 @@ GTEST_TEST(AlternativeNameTest, Works) {  // GTEST_TEST is the same as TEST.
 
 // Tests for internal utilities necessary for implementation of the universal
 // printing.
-// TODO(vladl@google.com): Find a better home for them.
+// FIXME: Find a better home for them.
 
 class ConversionHelperBase {};
 class ConversionHelperDerived : public ConversionHelperBase {};
@@ -7350,6 +7555,50 @@ TEST(IsContainerTestTest, WorksForContainer) {
             sizeof(IsContainerTest<std::map<int, double> >(0)));
 }
 
+#if GTEST_LANG_CXX11
+struct ConstOnlyContainerWithPointerIterator {
+  using const_iterator = int*;
+  const_iterator begin() const;
+  const_iterator end() const;
+};
+
+struct ConstOnlyContainerWithClassIterator {
+  struct const_iterator {
+    const int& operator*() const;
+    const_iterator& operator++(/* pre-increment */);
+  };
+  const_iterator begin() const;
+  const_iterator end() const;
+};
+
+TEST(IsContainerTestTest, ConstOnlyContainer) {
+  EXPECT_EQ(sizeof(IsContainer),
+            sizeof(IsContainerTest<ConstOnlyContainerWithPointerIterator>(0)));
+  EXPECT_EQ(sizeof(IsContainer),
+            sizeof(IsContainerTest<ConstOnlyContainerWithClassIterator>(0)));
+}
+#endif  // GTEST_LANG_CXX11
+
+// Tests IsHashTable.
+struct AHashTable {
+  typedef void hasher;
+};
+struct NotReallyAHashTable {
+  typedef void hasher;
+  typedef void reverse_iterator;
+};
+TEST(IsHashTable, Basic) {
+  EXPECT_TRUE(testing::internal::IsHashTable<AHashTable>::value);
+  EXPECT_FALSE(testing::internal::IsHashTable<NotReallyAHashTable>::value);
+#if GTEST_LANG_CXX11
+  EXPECT_FALSE(testing::internal::IsHashTable<std::vector<int>>::value);
+  EXPECT_TRUE(testing::internal::IsHashTable<std::unordered_set<int>>::value);
+#endif  // GTEST_LANG_CXX11
+#if GTEST_HAS_HASH_SET_
+  EXPECT_TRUE(testing::internal::IsHashTable<__gnu_cxx::hash_set<int>>::value);
+#endif  // GTEST_HAS_HASH_SET_
+}
+
 // Tests ArrayEq().
 
 TEST(ArrayEqTest, WorksForDegeneratedArrays) {
@@ -7523,3 +7772,24 @@ TEST(SkipPrefixTest, DoesNotSkipWhenPrefixDoesNotMatch) {
   EXPECT_EQ(str, p);
 }
 
+// Tests ad_hoc_test_result().
+
+class AdHocTestResultTest : public testing::Test {
+ protected:
+  static void SetUpTestCase() {
+    FAIL() << "A failure happened inside SetUpTestCase().";
+  }
+};
+
+TEST_F(AdHocTestResultTest, AdHocTestResultForTestCaseShowsFailure) {
+  const testing::TestResult& test_result = testing::UnitTest::GetInstance()
+                                               ->current_test_case()
+                                               ->ad_hoc_test_result();
+  EXPECT_TRUE(test_result.Failed());
+}
+
+TEST_F(AdHocTestResultTest, AdHocTestResultTestForUnitTestDoesNotShowFailure) {
+  const testing::TestResult& test_result =
+      testing::UnitTest::GetInstance()->ad_hoc_test_result();
+  EXPECT_FALSE(test_result.Failed());
+}
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_xml_outfile1_test_.cc b/security/nss/gtests/google_test/gtest/test/gtest_xml_outfile1_test_.cc
index 531ced49d..a38ebac83 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_xml_outfile1_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_xml_outfile1_test_.cc
@@ -27,8 +27,6 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Author: keith.ray@gmail.com (Keith Ray)
-//
 // gtest_xml_outfile1_test_ writes some xml via TestProperty used by
 // gtest_xml_outfiles_test.py
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_xml_outfile2_test_.cc b/security/nss/gtests/google_test/gtest/test/gtest_xml_outfile2_test_.cc
index 7b400b276..afaf15a5d 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_xml_outfile2_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_xml_outfile2_test_.cc
@@ -27,8 +27,6 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Author: keith.ray@gmail.com (Keith Ray)
-//
 // gtest_xml_outfile2_test_ writes some xml via TestProperty used by
 // gtest_xml_outfiles_test.py
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_xml_outfiles_test.py b/security/nss/gtests/google_test/gtest/test/gtest_xml_outfiles_test.py
index 524e437e6..2c031ff8d 100755
--- a/security/nss/gtests/google_test/gtest/test/gtest_xml_outfiles_test.py
+++ b/security/nss/gtests/google_test/gtest/test/gtest_xml_outfiles_test.py
@@ -31,15 +31,11 @@
 
 """Unit test for the gtest_xml_output module."""
 
-__author__ = "keith.ray@gmail.com (Keith Ray)"
-
 import os
 from xml.dom import minidom, Node
-
 import gtest_test_utils
 import gtest_xml_test_utils
 
-
 GTEST_OUTPUT_SUBDIR = "xml_outfiles"
 GTEST_OUTPUT_1_TEST = "gtest_xml_outfile1_test_"
 GTEST_OUTPUT_2_TEST = "gtest_xml_outfile2_test_"
@@ -47,7 +43,13 @@ GTEST_OUTPUT_2_TEST = "gtest_xml_outfile2_test_"
 EXPECTED_XML_1 = """<?xml version="1.0" encoding="UTF-8"?>
 <testsuites tests="1" failures="0" disabled="0" errors="0" time="*" timestamp="*" name="AllTests">
   <testsuite name="PropertyOne" tests="1" failures="0" disabled="0" errors="0" time="*">
-    <testcase name="TestSomeProperties" status="run" time="*" classname="PropertyOne" SetUpProp="1" TestSomeProperty="1" TearDownProp="1" />
+    <testcase name="TestSomeProperties" status="run" time="*" classname="PropertyOne">
+      <properties>
+        <property name="SetUpProp" value="1"/>
+        <property name="TestSomeProperty" value="1"/>
+        <property name="TearDownProp" value="1"/>
+      </properties>
+    </testcase>
   </testsuite>
 </testsuites>
 """
@@ -55,7 +57,13 @@ EXPECTED_XML_1 = """<?xml version="1.0" encoding="UTF-8"?>
 EXPECTED_XML_2 = """<?xml version="1.0" encoding="UTF-8"?>
 <testsuites tests="1" failures="0" disabled="0" errors="0" time="*" timestamp="*" name="AllTests">
   <testsuite name="PropertyTwo" tests="1" failures="0" disabled="0" errors="0" time="*">
-    <testcase name="TestSomeProperties" status="run" time="*" classname="PropertyTwo" SetUpProp="2" TestSomeProperty="2" TearDownProp="2" />
+    <testcase name="TestSomeProperties" status="run" time="*" classname="PropertyTwo">
+      <properties>
+        <property name="SetUpProp" value="2"/>
+        <property name="TestSomeProperty" value="2"/>
+        <property name="TearDownProp" value="2"/>
+      </properties>
+    </testcase>
   </testsuite>
 </testsuites>
 """
@@ -103,11 +111,11 @@ class GTestXMLOutFilesTest(gtest_xml_test_utils.GTestXMLTestCase):
     self.assert_(p.exited)
     self.assertEquals(0, p.exit_code)
 
-    # TODO(wan@google.com): libtool causes the built test binary to be
+    # FIXME: libtool causes the built test binary to be
     #   named lt-gtest_xml_outfiles_test_ instead of
-    #   gtest_xml_outfiles_test_.  To account for this possibillity, we
+    #   gtest_xml_outfiles_test_.  To account for this possibility, we
     #   allow both names in the following code.  We should remove this
-    #   hack when Chandler Carruth's libtool replacement tool is ready.
+    #   when libtool replacement tool is ready.
     output_file_name1 = test_name + ".xml"
     output_file1 = os.path.join(self.output_dir_, output_file_name1)
     output_file_name2 = 'lt-' + output_file_name1
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_xml_output_unittest.py b/security/nss/gtests/google_test/gtest/test/gtest_xml_output_unittest.py
index f605d4ee2..faedd4e6c 100755
--- a/security/nss/gtests/google_test/gtest/test/gtest_xml_output_unittest.py
+++ b/security/nss/gtests/google_test/gtest/test/gtest_xml_output_unittest.py
@@ -31,8 +31,6 @@
 
 """Unit test for the gtest_xml_output module"""
 
-__author__ = 'eefacm@gmail.com (Sean Mcafee)'
-
 import datetime
 import errno
 import os
@@ -43,19 +41,28 @@ from xml.dom import minidom, Node
 import gtest_test_utils
 import gtest_xml_test_utils
 
-
 GTEST_FILTER_FLAG = '--gtest_filter'
 GTEST_LIST_TESTS_FLAG = '--gtest_list_tests'
-GTEST_OUTPUT_FLAG         = "--gtest_output"
-GTEST_DEFAULT_OUTPUT_FILE = "test_detail.xml"
-GTEST_PROGRAM_NAME = "gtest_xml_output_unittest_"
+GTEST_OUTPUT_FLAG = '--gtest_output'
+GTEST_DEFAULT_OUTPUT_FILE = 'test_detail.xml'
+GTEST_PROGRAM_NAME = 'gtest_xml_output_unittest_'
+
+# The flag indicating stacktraces are not supported
+NO_STACKTRACE_SUPPORT_FLAG = '--no_stacktrace_support'
 
-SUPPORTS_STACK_TRACES = False
+# The environment variables for test sharding.
+TOTAL_SHARDS_ENV_VAR = 'GTEST_TOTAL_SHARDS'
+SHARD_INDEX_ENV_VAR = 'GTEST_SHARD_INDEX'
+SHARD_STATUS_FILE_ENV_VAR = 'GTEST_SHARD_STATUS_FILE'
+
+SUPPORTS_STACK_TRACES = NO_STACKTRACE_SUPPORT_FLAG not in sys.argv
 
 if SUPPORTS_STACK_TRACES:
   STACK_TRACE_TEMPLATE = '\nStack trace:\n*'
 else:
   STACK_TRACE_TEMPLATE = ''
+  # unittest.main() can't handle unknown flags
+  sys.argv.remove(NO_STACKTRACE_SUPPORT_FLAG)
 
 EXPECTED_NON_EMPTY_XML = """<?xml version="1.0" encoding="UTF-8"?>
 <testsuites tests="23" failures="4" disabled="2" errors="0" time="*" timestamp="*" name="AllTests" ad_hoc_property="42">
@@ -64,20 +71,23 @@ EXPECTED_NON_EMPTY_XML = """<?xml version="1.0" encoding="UTF-8"?>
   </testsuite>
   <testsuite name="FailedTest" tests="1" failures="1" disabled="0" errors="0" time="*">
     <testcase name="Fails" status="run" time="*" classname="FailedTest">
-      <failure message="gtest_xml_output_unittest_.cc:*&#x0A;Value of: 2&#x0A;Expected: 1" type=""><![CDATA[gtest_xml_output_unittest_.cc:*
-Value of: 2
-Expected: 1%(stack)s]]></failure>
+      <failure message="gtest_xml_output_unittest_.cc:*&#x0A;Expected equality of these values:&#x0A;  1&#x0A;  2" type=""><![CDATA[gtest_xml_output_unittest_.cc:*
+Expected equality of these values:
+  1
+  2%(stack)s]]></failure>
     </testcase>
   </testsuite>
   <testsuite name="MixedResultTest" tests="3" failures="1" disabled="1" errors="0" time="*">
     <testcase name="Succeeds" status="run" time="*" classname="MixedResultTest"/>
     <testcase name="Fails" status="run" time="*" classname="MixedResultTest">
-      <failure message="gtest_xml_output_unittest_.cc:*&#x0A;Value of: 2&#x0A;Expected: 1" type=""><![CDATA[gtest_xml_output_unittest_.cc:*
-Value of: 2
-Expected: 1%(stack)s]]></failure>
-      <failure message="gtest_xml_output_unittest_.cc:*&#x0A;Value of: 3&#x0A;Expected: 2" type=""><![CDATA[gtest_xml_output_unittest_.cc:*
-Value of: 3
-Expected: 2%(stack)s]]></failure>
+      <failure message="gtest_xml_output_unittest_.cc:*&#x0A;Expected equality of these values:&#x0A;  1&#x0A;  2" type=""><![CDATA[gtest_xml_output_unittest_.cc:*
+Expected equality of these values:
+  1
+  2%(stack)s]]></failure>
+      <failure message="gtest_xml_output_unittest_.cc:*&#x0A;Expected equality of these values:&#x0A;  2&#x0A;  3" type=""><![CDATA[gtest_xml_output_unittest_.cc:*
+Expected equality of these values:
+  2
+  3%(stack)s]]></failure>
     </testcase>
     <testcase name="DISABLED_test" status="notrun" time="*" classname="MixedResultTest"/>
   </testsuite>
@@ -99,15 +109,45 @@ Invalid characters in brackets []%(stack)s]]></failure>
     <testcase name="DISABLED_test_not_run" status="notrun" time="*" classname="DisabledTest"/>
   </testsuite>
   <testsuite name="PropertyRecordingTest" tests="4" failures="0" disabled="0" errors="0" time="*" SetUpTestCase="yes" TearDownTestCase="aye">
-    <testcase name="OneProperty" status="run" time="*" classname="PropertyRecordingTest" key_1="1"/>
-    <testcase name="IntValuedProperty" status="run" time="*" classname="PropertyRecordingTest" key_int="1"/>
-    <testcase name="ThreeProperties" status="run" time="*" classname="PropertyRecordingTest" key_1="1" key_2="2" key_3="3"/>
-    <testcase name="TwoValuesForOneKeyUsesLastValue" status="run" time="*" classname="PropertyRecordingTest" key_1="2"/>
+    <testcase name="OneProperty" status="run" time="*" classname="PropertyRecordingTest">
+      <properties>
+        <property name="key_1" value="1"/>
+      </properties>
+    </testcase>
+    <testcase name="IntValuedProperty" status="run" time="*" classname="PropertyRecordingTest">
+      <properties>
+        <property name="key_int" value="1"/>
+      </properties>
+    </testcase>
+    <testcase name="ThreeProperties" status="run" time="*" classname="PropertyRecordingTest">
+      <properties>
+        <property name="key_1" value="1"/>
+        <property name="key_2" value="2"/>
+        <property name="key_3" value="3"/>
+      </properties>
+    </testcase>
+    <testcase name="TwoValuesForOneKeyUsesLastValue" status="run" time="*" classname="PropertyRecordingTest">
+      <properties>
+        <property name="key_1" value="2"/>
+      </properties>
+    </testcase>
   </testsuite>
   <testsuite name="NoFixtureTest" tests="3" failures="0" disabled="0" errors="0" time="*">
-     <testcase name="RecordProperty" status="run" time="*" classname="NoFixtureTest" key="1"/>
-     <testcase name="ExternalUtilityThatCallsRecordIntValuedProperty" status="run" time="*" classname="NoFixtureTest" key_for_utility_int="1"/>
-     <testcase name="ExternalUtilityThatCallsRecordStringValuedProperty" status="run" time="*" classname="NoFixtureTest" key_for_utility_string="1"/>
+     <testcase name="RecordProperty" status="run" time="*" classname="NoFixtureTest">
+       <properties>
+         <property name="key" value="1"/>
+       </properties>
+     </testcase>
+     <testcase name="ExternalUtilityThatCallsRecordIntValuedProperty" status="run" time="*" classname="NoFixtureTest">
+       <properties>
+         <property name="key_for_utility_int" value="1"/>
+       </properties>
+     </testcase>
+     <testcase name="ExternalUtilityThatCallsRecordStringValuedProperty" status="run" time="*" classname="NoFixtureTest">
+       <properties>
+         <property name="key_for_utility_string" value="1"/>
+       </properties>
+     </testcase>
   </testsuite>
   <testsuite name="Single/ValueParamTest" tests="4" failures="0" disabled="0" errors="0" time="*">
     <testcase name="HasValueParamAttribute/0" value_param="33" status="run" time="*" classname="Single/ValueParamTest" />
@@ -138,6 +178,23 @@ EXPECTED_FILTERED_TEST_XML = """<?xml version="1.0" encoding="UTF-8"?>
   </testsuite>
 </testsuites>"""
 
+EXPECTED_SHARDED_TEST_XML = """<?xml version="1.0" encoding="UTF-8"?>
+<testsuites tests="3" failures="0" disabled="0" errors="0" time="*" timestamp="*" name="AllTests" ad_hoc_property="42">
+  <testsuite name="SuccessfulTest" tests="1" failures="0" disabled="0" errors="0" time="*">
+    <testcase name="Succeeds" status="run" time="*" classname="SuccessfulTest"/>
+  </testsuite>
+  <testsuite name="NoFixtureTest" tests="1" failures="0" disabled="0" errors="0" time="*">
+     <testcase name="RecordProperty" status="run" time="*" classname="NoFixtureTest">
+       <properties>
+         <property name="key" value="1"/>
+       </properties>
+     </testcase>
+  </testsuite>
+  <testsuite name="Single/ValueParamTest" tests="1" failures="0" disabled="0" errors="0" time="*">
+    <testcase name="AnotherTestThatHasValueParamAttribute/1" value_param="42" status="run" time="*" classname="Single/ValueParamTest" />
+  </testsuite>
+</testsuites>"""
+
 EXPECTED_EMPTY_XML = """<?xml version="1.0" encoding="UTF-8"?>
 <testsuites tests="0" failures="0" disabled="0" errors="0" time="*"
             timestamp="*" name="AllTests">
@@ -179,7 +236,7 @@ class GTestXMLOutputUnitTest(gtest_xml_test_utils.GTestXMLTestCase):
     Runs a test program that generates an empty XML output, and checks if
     the timestamp attribute in the testsuites tag is valid.
     """
-    actual = self._GetXmlOutput('gtest_no_test_unittest', [], 0)
+    actual = self._GetXmlOutput('gtest_no_test_unittest', [], {}, 0)
     date_time_str = actual.documentElement.getAttributeNode('timestamp').value
     # datetime.strptime() is only available in Python 2.5+ so we have to
     # parse the expected datetime manually.
@@ -236,7 +293,7 @@ class GTestXMLOutputUnitTest(gtest_xml_test_utils.GTestXMLTestCase):
                '--shut_down_xml']
     p = gtest_test_utils.Subprocess(command)
     if p.terminated_by_signal:
-      # p.signal is avalable only if p.terminated_by_signal is True.
+      # p.signal is available only if p.terminated_by_signal is True.
       self.assertFalse(
           p.terminated_by_signal,
           '%s was killed by signal %d' % (GTEST_PROGRAM_NAME, p.signal))
@@ -259,7 +316,22 @@ class GTestXMLOutputUnitTest(gtest_xml_test_utils.GTestXMLTestCase):
     self._TestXmlOutput(GTEST_PROGRAM_NAME, EXPECTED_FILTERED_TEST_XML, 0,
                         extra_args=['%s=SuccessfulTest.*' % GTEST_FILTER_FLAG])
 
-  def _GetXmlOutput(self, gtest_prog_name, extra_args, expected_exit_code):
+  def testShardedTestXmlOutput(self):
+    """Verifies XML output when run using multiple shards.
+
+    Runs a test program that executes only one shard and verifies that tests
+    from other shards do not show up in the XML output.
+    """
+
+    self._TestXmlOutput(
+        GTEST_PROGRAM_NAME,
+        EXPECTED_SHARDED_TEST_XML,
+        0,
+        extra_env={SHARD_INDEX_ENV_VAR: '0',
+                   TOTAL_SHARDS_ENV_VAR: '10'})
+
+  def _GetXmlOutput(self, gtest_prog_name, extra_args, extra_env,
+                    expected_exit_code):
     """
     Returns the xml output generated by running the program gtest_prog_name.
     Furthermore, the program's exit code must be expected_exit_code.
@@ -270,7 +342,11 @@ class GTestXMLOutputUnitTest(gtest_xml_test_utils.GTestXMLTestCase):
 
     command = ([gtest_prog_path, '%s=xml:%s' % (GTEST_OUTPUT_FLAG, xml_path)] +
                extra_args)
-    p = gtest_test_utils.Subprocess(command)
+    environ_copy = os.environ.copy()
+    if extra_env:
+      environ_copy.update(extra_env)
+    p = gtest_test_utils.Subprocess(command, env=environ_copy)
+
     if p.terminated_by_signal:
       self.assert_(False,
                    '%s was killed by signal %d' % (gtest_prog_name, p.signal))
@@ -284,7 +360,7 @@ class GTestXMLOutputUnitTest(gtest_xml_test_utils.GTestXMLTestCase):
     return actual
 
   def _TestXmlOutput(self, gtest_prog_name, expected_xml,
-                     expected_exit_code, extra_args=None):
+                     expected_exit_code, extra_args=None, extra_env=None):
     """
     Asserts that the XML document generated by running the program
     gtest_prog_name matches expected_xml, a string containing another
@@ -293,7 +369,7 @@ class GTestXMLOutputUnitTest(gtest_xml_test_utils.GTestXMLTestCase):
     """
 
     actual = self._GetXmlOutput(gtest_prog_name, extra_args or [],
-                                expected_exit_code)
+                                extra_env or {}, expected_exit_code)
     expected = minidom.parseString(expected_xml)
     self.NormalizeXml(actual.documentElement)
     self.AssertEquivalentNodes(expected.documentElement,
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_xml_output_unittest_.cc b/security/nss/gtests/google_test/gtest/test/gtest_xml_output_unittest_.cc
index 48b8771b5..2ee883800 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_xml_output_unittest_.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_xml_output_unittest_.cc
@@ -27,8 +27,6 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-// Author: eefacm@gmail.com (Sean Mcafee)
-
 // Unit test for Google Test XML output.
 //
 // A user can specify XML output in a Google Test program to run via
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_xml_test_utils.py b/security/nss/gtests/google_test/gtest/test/gtest_xml_test_utils.py
index 3d0c3b2c2..1e0358592 100755
--- a/security/nss/gtests/google_test/gtest/test/gtest_xml_test_utils.py
+++ b/security/nss/gtests/google_test/gtest/test/gtest_xml_test_utils.py
@@ -1,5 +1,3 @@
-#!/usr/bin/env python
-#
 # Copyright 2006, Google Inc.
 # All rights reserved.
 #
@@ -31,15 +29,10 @@
 
 """Unit test utilities for gtest_xml_output"""
 
-__author__ = 'eefacm@gmail.com (Sean Mcafee)'
-
 import re
 from xml.dom import minidom, Node
-
 import gtest_test_utils
 
-
-GTEST_OUTPUT_FLAG         = '--gtest_output'
 GTEST_DEFAULT_OUTPUT_FILE = 'test_detail.xml'
 
 class GTestXMLTestCase(gtest_test_utils.TestCase):
@@ -108,19 +101,22 @@ class GTestXMLTestCase(gtest_test_utils.TestCase):
       self.AssertEquivalentNodes(child, actual_children[child_id])
 
   identifying_attribute = {
-    'testsuites': 'name',
-    'testsuite': 'name',
-    'testcase':  'name',
-    'failure':   'message',
-    }
+      'testsuites': 'name',
+      'testsuite': 'name',
+      'testcase': 'name',
+      'failure': 'message',
+      'property': 'name',
+  }
 
   def _GetChildren(self, element):
     """
     Fetches all of the child nodes of element, a DOM Element object.
     Returns them as the values of a dictionary keyed by the IDs of the
-    children.  For <testsuites>, <testsuite> and <testcase> elements, the ID
-    is the value of their "name" attribute; for <failure> elements, it is
-    the value of the "message" attribute; CDATA sections and non-whitespace
+    children.  For <testsuites>, <testsuite>, <testcase>, and <property>
+    elements, the ID is the value of their "name" attribute; for <failure>
+    elements, it is the value of the "message" attribute; for <properties>
+    elements, it is the value of their parent's "name" attribute plus the
+    literal string "properties"; CDATA sections and non-whitespace
     text nodes are concatenated into a single CDATA section with ID
     "detail".  An exception is raised if any element other than the above
     four is encountered, if two child elements with the same identifying
@@ -130,11 +126,17 @@ class GTestXMLTestCase(gtest_test_utils.TestCase):
     children = {}
     for child in element.childNodes:
       if child.nodeType == Node.ELEMENT_NODE:
-        self.assert_(child.tagName in self.identifying_attribute,
-                     'Encountered unknown element <%s>' % child.tagName)
-        childID = child.getAttribute(self.identifying_attribute[child.tagName])
-        self.assert_(childID not in children)
-        children[childID] = child
+        if child.tagName == 'properties':
+          self.assert_(child.parentNode is not None,
+                       'Encountered <properties> element without a parent')
+          child_id = child.parentNode.getAttribute('name') + '-properties'
+        else:
+          self.assert_(child.tagName in self.identifying_attribute,
+                       'Encountered unknown element <%s>' % child.tagName)
+          child_id = child.getAttribute(
+              self.identifying_attribute[child.tagName])
+        self.assert_(child_id not in children)
+        children[child_id] = child
       elif child.nodeType in [Node.TEXT_NODE, Node.CDATA_SECTION_NODE]:
         if 'detail' not in children:
           if (child.nodeType == Node.CDATA_SECTION_NODE or
@@ -187,8 +189,8 @@ class GTestXMLTestCase(gtest_test_utils.TestCase):
           # Replaces the source line information with a normalized form.
           cdata = re.sub(source_line_pat, '\\1*\n', child.nodeValue)
           # Removes the actual stack trace.
-          child.nodeValue = re.sub(r'\nStack trace:\n(.|\n)*',
-                                   '', cdata)
+          child.nodeValue = re.sub(r'Stack trace:\n(.|\n)*',
+                                   'Stack trace:\n*', cdata)
     for child in element.childNodes:
       if child.nodeType == Node.ELEMENT_NODE:
         self.NormalizeXml(child)
diff --git a/security/nss/gtests/google_test/gtest/test/production.cc b/security/nss/gtests/google_test/gtest/test/production.cc
index 8b8a40b44..0f69f6dbd 100644
--- a/security/nss/gtests/google_test/gtest/test/production.cc
+++ b/security/nss/gtests/google_test/gtest/test/production.cc
@@ -26,10 +26,9 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: wan@google.com (Zhanyong Wan)
-//
-// This is part of the unit test for include/gtest/gtest_prod.h.
+// This is part of the unit test for gtest_prod.h.
 
 #include "production.h"
 
diff --git a/security/nss/gtests/google_test/gtest/test/production.h b/security/nss/gtests/google_test/gtest/test/production.h
index 98fd5e476..542723b70 100644
--- a/security/nss/gtests/google_test/gtest/test/production.h
+++ b/security/nss/gtests/google_test/gtest/test/production.h
@@ -26,10 +26,9 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: wan@google.com (Zhanyong Wan)
-//
-// This is part of the unit test for include/gtest/gtest_prod.h.
+// This is part of the unit test for gtest_prod.h.
 
 #ifndef GTEST_TEST_PRODUCTION_H_
 #define GTEST_TEST_PRODUCTION_H_
diff --git a/security/nss/gtests/google_test/gtest/xcode/Config/DebugProject.xcconfig b/security/nss/gtests/google_test/gtest/xcode/Config/DebugProject.xcconfig
index 3d68157d5..645701e22 100644
--- a/security/nss/gtests/google_test/gtest/xcode/Config/DebugProject.xcconfig
+++ b/security/nss/gtests/google_test/gtest/xcode/Config/DebugProject.xcconfig
@@ -5,7 +5,7 @@
 //  examples. It is set in the "Based On:" dropdown in the "Project" info
 //  dialog.
 //  This file is based on the Xcode Configuration files in:
-//  http://code.google.com/p/google-toolbox-for-mac/
+//  https://github.com/google/google-toolbox-for-mac
 // 
 
 #include "General.xcconfig"
diff --git a/security/nss/gtests/google_test/gtest/xcode/Config/FrameworkTarget.xcconfig b/security/nss/gtests/google_test/gtest/xcode/Config/FrameworkTarget.xcconfig
index 357b1c8fb..77081fbcb 100644
--- a/security/nss/gtests/google_test/gtest/xcode/Config/FrameworkTarget.xcconfig
+++ b/security/nss/gtests/google_test/gtest/xcode/Config/FrameworkTarget.xcconfig
@@ -4,7 +4,7 @@
 //  These are Framework target settings for the gtest framework and examples. It
 //  is set in the "Based On:" dropdown in the "Target" info dialog.
 //  This file is based on the Xcode Configuration files in:
-//  http://code.google.com/p/google-toolbox-for-mac/
+//  https://github.com/google/google-toolbox-for-mac
 // 
 
 // Dynamic libs need to be position independent
diff --git a/security/nss/gtests/google_test/gtest/xcode/Config/General.xcconfig b/security/nss/gtests/google_test/gtest/xcode/Config/General.xcconfig
index f23e32227..1aba486f0 100644
--- a/security/nss/gtests/google_test/gtest/xcode/Config/General.xcconfig
+++ b/security/nss/gtests/google_test/gtest/xcode/Config/General.xcconfig
@@ -4,7 +4,7 @@
 //  These are General configuration settings for the gtest framework and
 //  examples.
 //  This file is based on the Xcode Configuration files in:
-//  http://code.google.com/p/google-toolbox-for-mac/
+//  https://github.com/google/google-toolbox-for-mac
 // 
 
 // Build for PPC and Intel, 32- and 64-bit
diff --git a/security/nss/gtests/google_test/gtest/xcode/Config/ReleaseProject.xcconfig b/security/nss/gtests/google_test/gtest/xcode/Config/ReleaseProject.xcconfig
index 5349f0a04..df9a38f89 100644
--- a/security/nss/gtests/google_test/gtest/xcode/Config/ReleaseProject.xcconfig
+++ b/security/nss/gtests/google_test/gtest/xcode/Config/ReleaseProject.xcconfig
@@ -5,7 +5,7 @@
 //  and examples. It is set in the "Based On:" dropdown in the "Project" info
 //  dialog.
 //  This file is based on the Xcode Configuration files in:
-//  http://code.google.com/p/google-toolbox-for-mac/
+//  https://github.com/google/google-toolbox-for-mac
 // 
 
 #include "General.xcconfig"
diff --git a/security/nss/gtests/google_test/gtest/xcode/Config/StaticLibraryTarget.xcconfig b/security/nss/gtests/google_test/gtest/xcode/Config/StaticLibraryTarget.xcconfig
index 3922fa51d..d2424fe80 100644
--- a/security/nss/gtests/google_test/gtest/xcode/Config/StaticLibraryTarget.xcconfig
+++ b/security/nss/gtests/google_test/gtest/xcode/Config/StaticLibraryTarget.xcconfig
@@ -4,7 +4,7 @@
 //  These are static library target settings for libgtest.a. It
 //  is set in the "Based On:" dropdown in the "Target" info dialog.
 //  This file is based on the Xcode Configuration files in:
-//  http://code.google.com/p/google-toolbox-for-mac/
+//  https://github.com/google/google-toolbox-for-mac
 // 
 
 // Static libs can be included in bundles so make them position independent
diff --git a/security/nss/gtests/google_test/gtest/xcode/Scripts/versiongenerate.py b/security/nss/gtests/google_test/gtest/xcode/Scripts/versiongenerate.py
index 81de8c96a..bdd7541ad 100644
--- a/security/nss/gtests/google_test/gtest/xcode/Scripts/versiongenerate.py
+++ b/security/nss/gtests/google_test/gtest/xcode/Scripts/versiongenerate.py
@@ -29,7 +29,7 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-"""A script to prepare version informtion for use the gtest Info.plist file.
+"""A script to prepare version information for use the gtest Info.plist file.
 
   This script extracts the version information from the configure.ac file and
   uses it to generate a header file containing the same information. The
@@ -42,7 +42,7 @@
     1. The AC_INIT macro will be contained within the first 1024 characters
        of configure.ac
     2. The version string will be 3 integers separated by periods and will be
-       surrounded by squre brackets, "[" and "]" (e.g. [1.0.1]). The first
+       surrounded by square brackets, "[" and "]" (e.g. [1.0.1]). The first
        segment represents the major version, the second represents the minor
        version and the third represents the fix version.
     3. No ")" character exists between the opening "(" and closing ")" of
@@ -68,7 +68,7 @@ config_file.close()
 
 # Extract the version string from the AC_INIT macro
 #   The following init_expression means:
-#     Extract three integers separated by periods and surrounded by squre
+#     Extract three integers separated by periods and surrounded by square
 #     brackets(e.g. "[1.0.1]") between "AC_INIT(" and ")". Do not be greedy
 #     (*? is the non-greedy flag) since that would pull in everything between
 #     the first "(" and the last ")" in the file.
@@ -88,7 +88,7 @@ file_data = """//
 // is executed in a "Run Script" build phase when creating gtest.framework. This
 // header file is not used during compilation of C-source. Rather, it simply
 // defines some version strings for substitution in the Info.plist. Because of
-// this, we are not not restricted to C-syntax nor are we using include guards.
+// this, we are not restricted to C-syntax nor are we using include guards.
 //
 
 #define GTEST_VERSIONINFO_SHORT %s.%s
diff --git a/security/nss/gtests/google_test/gtest/xcode/gtest.xcodeproj/project.pbxproj b/security/nss/gtests/google_test/gtest/xcode/gtest.xcodeproj/project.pbxproj
index 0452a63d0..003bff8cb 100644
--- a/security/nss/gtests/google_test/gtest/xcode/gtest.xcodeproj/project.pbxproj
+++ b/security/nss/gtests/google_test/gtest/xcode/gtest.xcodeproj/project.pbxproj
@@ -46,7 +46,7 @@
 		4048843B0E2F799B00CF7658 /* gtest.h in Headers */ = {isa = PBXBuildFile; fileRef = 404883DE0E2F799B00CF7658 /* gtest.h */; settings = {ATTRIBUTES = (Public, ); }; };
 		4048843C0E2F799B00CF7658 /* gtest_pred_impl.h in Headers */ = {isa = PBXBuildFile; fileRef = 404883DF0E2F799B00CF7658 /* gtest_pred_impl.h */; settings = {ATTRIBUTES = (Public, ); }; };
 		4048843D0E2F799B00CF7658 /* gtest_prod.h in Headers */ = {isa = PBXBuildFile; fileRef = 404883E00E2F799B00CF7658 /* gtest_prod.h */; settings = {ATTRIBUTES = (Public, ); }; };
-		404884500E2F799B00CF7658 /* README in Resources */ = {isa = PBXBuildFile; fileRef = 404883F60E2F799B00CF7658 /* README */; };
+		404884500E2F799B00CF7658 /* README.md in Resources */ = {isa = PBXBuildFile; fileRef = 404883F60E2F799B00CF7658 /* README.md */; };
 		404884A00E2F7BE600CF7658 /* gtest-death-test-internal.h in Copy Headers Internal */ = {isa = PBXBuildFile; fileRef = 404883E20E2F799B00CF7658 /* gtest-death-test-internal.h */; };
 		404884A10E2F7BE600CF7658 /* gtest-filepath.h in Copy Headers Internal */ = {isa = PBXBuildFile; fileRef = 404883E30E2F799B00CF7658 /* gtest-filepath.h */; };
 		404884A20E2F7BE600CF7658 /* gtest-internal.h in Copy Headers Internal */ = {isa = PBXBuildFile; fileRef = 404883E40E2F799B00CF7658 /* gtest-internal.h */; };
@@ -79,6 +79,13 @@
 		4539C9390EC280E200A70F4C /* gtest-param-util-generated.h in Copy Headers Internal */ = {isa = PBXBuildFile; fileRef = 4539C9360EC280E200A70F4C /* gtest-param-util-generated.h */; };
 		4539C93A0EC280E200A70F4C /* gtest-param-util.h in Copy Headers Internal */ = {isa = PBXBuildFile; fileRef = 4539C9370EC280E200A70F4C /* gtest-param-util.h */; };
 		4567C8181264FF71007740BE /* gtest-printers.h in Headers */ = {isa = PBXBuildFile; fileRef = 4567C8171264FF71007740BE /* gtest-printers.h */; settings = {ATTRIBUTES = (Public, ); }; };
+		F67D4F3E1C7F5D8B0017C729 /* gtest-port-arch.h in Headers */ = {isa = PBXBuildFile; fileRef = F67D4F3D1C7F5D8B0017C729 /* gtest-port-arch.h */; };
+		F67D4F3F1C7F5DA70017C729 /* gtest-port-arch.h in Copy Headers Internal */ = {isa = PBXBuildFile; fileRef = F67D4F3D1C7F5D8B0017C729 /* gtest-port-arch.h */; };
+		F67D4F441C7F5DD00017C729 /* gtest-port.h in Headers */ = {isa = PBXBuildFile; fileRef = F67D4F411C7F5DD00017C729 /* gtest-port.h */; };
+		F67D4F451C7F5DD00017C729 /* gtest-printers.h in Headers */ = {isa = PBXBuildFile; fileRef = F67D4F421C7F5DD00017C729 /* gtest-printers.h */; };
+		F67D4F461C7F5DD00017C729 /* gtest.h in Headers */ = {isa = PBXBuildFile; fileRef = F67D4F431C7F5DD00017C729 /* gtest.h */; };
+		F67D4F481C7F5E160017C729 /* gtest-port.h in Copy Headers Internal Custom */ = {isa = PBXBuildFile; fileRef = F67D4F411C7F5DD00017C729 /* gtest-port.h */; };
+		F67D4F491C7F5E260017C729 /* gtest-printers.h in Copy Headers Internal Custom */ = {isa = PBXBuildFile; fileRef = F67D4F421C7F5DD00017C729 /* gtest-printers.h */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXContainerItemProxy section */
@@ -182,6 +189,7 @@
 			dstPath = Headers/internal;
 			dstSubfolderSpec = 6;
 			files = (
+				F67D4F3F1C7F5DA70017C729 /* gtest-port-arch.h in Copy Headers Internal */,
 				404884A00E2F7BE600CF7658 /* gtest-death-test-internal.h in Copy Headers Internal */,
 				404884A10E2F7BE600CF7658 /* gtest-filepath.h in Copy Headers Internal */,
 				404884A20E2F7BE600CF7658 /* gtest-internal.h in Copy Headers Internal */,
@@ -196,6 +204,18 @@
 			name = "Copy Headers Internal";
 			runOnlyForDeploymentPostprocessing = 0;
 		};
+		F67D4F471C7F5DF60017C729 /* Copy Headers Internal Custom */ = {
+			isa = PBXCopyFilesBuildPhase;
+			buildActionMask = 2147483647;
+			dstPath = Headers/internal/custom;
+			dstSubfolderSpec = 6;
+			files = (
+				F67D4F491C7F5E260017C729 /* gtest-printers.h in Copy Headers Internal Custom */,
+				F67D4F481C7F5E160017C729 /* gtest-port.h in Copy Headers Internal Custom */,
+			);
+			name = "Copy Headers Internal Custom";
+			runOnlyForDeploymentPostprocessing = 0;
+		};
 /* End PBXCopyFilesBuildPhase section */
 
 /* Begin PBXFileReference section */
@@ -217,7 +237,7 @@
 		404883E40E2F799B00CF7658 /* gtest-internal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "gtest-internal.h"; sourceTree = "<group>"; };
 		404883E50E2F799B00CF7658 /* gtest-port.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "gtest-port.h"; sourceTree = "<group>"; };
 		404883E60E2F799B00CF7658 /* gtest-string.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "gtest-string.h"; sourceTree = "<group>"; };
-		404883F60E2F799B00CF7658 /* README */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = README; path = ../README; sourceTree = SOURCE_ROOT; };
+		404883F60E2F799B00CF7658 /* README.md */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = README.md; path = ../README.md; sourceTree = SOURCE_ROOT; };
 		4048840D0E2F799B00CF7658 /* gtest_main.cc */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = gtest_main.cc; sourceTree = "<group>"; };
 		404884A90E2F7CD900CF7658 /* CHANGES */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = CHANGES; path = ../CHANGES; sourceTree = SOURCE_ROOT; };
 		404884AA0E2F7CD900CF7658 /* CONTRIBUTORS */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = CONTRIBUTORS; path = ../CONTRIBUTORS; sourceTree = SOURCE_ROOT; };
@@ -244,6 +264,10 @@
 		4539C9360EC280E200A70F4C /* gtest-param-util-generated.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "gtest-param-util-generated.h"; sourceTree = "<group>"; };
 		4539C9370EC280E200A70F4C /* gtest-param-util.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "gtest-param-util.h"; sourceTree = "<group>"; };
 		4567C8171264FF71007740BE /* gtest-printers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "gtest-printers.h"; sourceTree = "<group>"; };
+		F67D4F3D1C7F5D8B0017C729 /* gtest-port-arch.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "gtest-port-arch.h"; sourceTree = "<group>"; };
+		F67D4F411C7F5DD00017C729 /* gtest-port.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "gtest-port.h"; sourceTree = "<group>"; };
+		F67D4F421C7F5DD00017C729 /* gtest-printers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "gtest-printers.h"; sourceTree = "<group>"; };
+		F67D4F431C7F5DD00017C729 /* gtest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = gtest.h; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -318,7 +342,7 @@
 				404884A90E2F7CD900CF7658 /* CHANGES */,
 				404884AA0E2F7CD900CF7658 /* CONTRIBUTORS */,
 				404884AB0E2F7CD900CF7658 /* LICENSE */,
-				404883F60E2F799B00CF7658 /* README */,
+				404883F60E2F799B00CF7658 /* README.md */,
 				404883D90E2F799B00CF7658 /* include */,
 				4089A02F0FFACF84000B29AE /* samples */,
 				404884070E2F799B00CF7658 /* src */,
@@ -375,6 +399,7 @@
 		404883E10E2F799B00CF7658 /* internal */ = {
 			isa = PBXGroup;
 			children = (
+				F67D4F401C7F5DD00017C729 /* custom */,
 				404883E20E2F799B00CF7658 /* gtest-death-test-internal.h */,
 				404883E30E2F799B00CF7658 /* gtest-filepath.h */,
 				404883E40E2F799B00CF7658 /* gtest-internal.h */,
@@ -382,6 +407,7 @@
 				4539C9360EC280E200A70F4C /* gtest-param-util-generated.h */,
 				4539C9370EC280E200A70F4C /* gtest-param-util.h */,
 				404883E50E2F799B00CF7658 /* gtest-port.h */,
+				F67D4F3D1C7F5D8B0017C729 /* gtest-port-arch.h */,
 				404883E60E2F799B00CF7658 /* gtest-string.h */,
 				40899F4D0FFA7271000B29AE /* gtest-tuple.h */,
 				3BF6F29F0E79B5AD000F2EEE /* gtest-type-util.h */,
@@ -430,6 +456,16 @@
 			path = Resources;
 			sourceTree = "<group>";
 		};
+		F67D4F401C7F5DD00017C729 /* custom */ = {
+			isa = PBXGroup;
+			children = (
+				F67D4F411C7F5DD00017C729 /* gtest-port.h */,
+				F67D4F421C7F5DD00017C729 /* gtest-printers.h */,
+				F67D4F431C7F5DD00017C729 /* gtest.h */,
+			);
+			path = custom;
+			sourceTree = "<group>";
+		};
 /* End PBXGroup section */
 
 /* Begin PBXHeadersBuildPhase section */
@@ -437,10 +473,14 @@
 			isa = PBXHeadersBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				F67D4F451C7F5DD00017C729 /* gtest-printers.h in Headers */,
 				404884380E2F799B00CF7658 /* gtest-death-test.h in Headers */,
 				404884390E2F799B00CF7658 /* gtest-message.h in Headers */,
 				4539C9340EC280AE00A70F4C /* gtest-param-test.h in Headers */,
+				F67D4F461C7F5DD00017C729 /* gtest.h in Headers */,
+				F67D4F441C7F5DD00017C729 /* gtest-port.h in Headers */,
 				4567C8181264FF71007740BE /* gtest-printers.h in Headers */,
+				F67D4F3E1C7F5D8B0017C729 /* gtest-port-arch.h in Headers */,
 				3BF6F2A50E79B616000F2EEE /* gtest-typed-test.h in Headers */,
 				4048843A0E2F799B00CF7658 /* gtest-spi.h in Headers */,
 				4048843B0E2F799B00CF7658 /* gtest.h in Headers */,
@@ -560,6 +600,7 @@
 				8D07F2C10486CC7A007CD1D0 /* Sources */,
 				8D07F2BD0486CC7A007CD1D0 /* Headers */,
 				404884A50E2F7C0400CF7658 /* Copy Headers Internal */,
+				F67D4F471C7F5DF60017C729 /* Copy Headers Internal Custom */,
 				8D07F2BF0486CC7A007CD1D0 /* Resources */,
 			);
 			buildRules = (
@@ -617,7 +658,7 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
-				404884500E2F799B00CF7658 /* README in Resources */,
+				404884500E2F799B00CF7658 /* README.md in Resources */,
 				404884AC0E2F7CD900CF7658 /* CHANGES in Resources */,
 				404884AD0E2F7CD900CF7658 /* CONTRIBUTORS in Resources */,
 				404884AE0E2F7CD900CF7658 /* LICENSE in Resources */,
@@ -1026,6 +1067,9 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 40D4CDF10E30E07400294801 /* DebugProject.xcconfig */;
 			buildSettings = {
+				CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x";
+				CLANG_CXX_LIBRARY = "libc++";
+				MACOSX_DEPLOYMENT_TARGET = 10.7;
 			};
 			name = Debug;
 		};
@@ -1033,6 +1077,9 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 40D4CDF40E30E07400294801 /* ReleaseProject.xcconfig */;
 			buildSettings = {
+				CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x";
+				CLANG_CXX_LIBRARY = "libc++";
+				MACOSX_DEPLOYMENT_TARGET = 10.7;
 			};
 			name = Release;
 		};
diff --git a/security/nss/gtests/google_test/update.sh b/security/nss/gtests/google_test/update.sh
new file mode 100644
index 000000000..cab804f69
--- /dev/null
+++ b/security/nss/gtests/google_test/update.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# Use this script to update the copy of google test.
+# This won't commit any changes, so build and test afterwards.
+
+set -e
+
+if [ $# -lt 1 ]; then
+    echo "Usage: $0 <tag/commit>" 1>&2
+    exit 2
+fi
+
+cd "$(dirname "$0")"
+d=$(mktemp -d)
+trap 'rm -rf "$d"' EXIT
+../../fuzz/config/git-copy.sh https://github.com/google/googletest \
+    "$1" "$d"/googletest
+rm -rf gtest
+mv "$d"/googletest/googletest gtest
+echo "$1" > VERSION
+cat "$d"/googletest/.git-copy >> VERSION
diff --git a/security/nss/gtests/mozpkix_gtest/README.txt b/security/nss/gtests/mozpkix_gtest/README.txt
new file mode 100644
index 000000000..5d3484a21
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/README.txt
@@ -0,0 +1,61 @@
+-------------
+Running Tests
+-------------
+
+Because of the rules below, you can run all the unit tests in this directory,
+and only these tests, with:
+
+  mach gtest "pkix*"
+
+You can run just the tests for functions defined in filename pkixfoo.cpp with:
+
+  mach gtest "pkixfoo*"
+
+If you run "mach gtest" then you'll end up running every gtest in Gecko.
+
+
+
+------------
+Naming Files
+------------
+
+Name files containing tests according to one of the following patterns:
+
+  * <filename>_tests.cpp
+  * <filename>_<Function>_tests.cpp
+  * <filename>_<category>_tests.cpp
+
+  <filename> is the name of the file containing the definitions of the
+             function(s) being tested by every test.
+  <Function> is the name of the function that is being tested by every
+             test.
+  <category> describes the group of related functions that are being
+             tested by every test.
+
+
+
+------------------------------------------------
+Always Use a Fixture Class: TEST_F(), not TEST()
+------------------------------------------------
+
+Many tests don't technically need a fixture, and so TEST() could technically
+be used to define the test. However, when you use TEST_F() instead of TEST(),
+the compiler will not allow you to make any typos in the test case name, but
+if you use TEST() then the name of the test case is not checked.
+
+See https://code.google.com/p/googletest/wiki/Primer#Test_Fixtures:_Using_the_Same_Data_Configuration_for_Multiple_Te
+to learn more about test fixtures.
+
+---------------
+Naming Fixtures
+---------------
+
+When all tests in a file use the same fixture, use the base name of the file
+without the "_tests" suffix as the name of the fixture class; e.g. tests in
+"pkixocsp.cpp" should use a fixture "class pkixocsp" by default.
+
+Sometimes tests in a file need separate fixtures. In this case, name the
+fixture class according to the pattern <fixture_base>_<fixture_suffix>, where
+<fixture_base> is the base name of the file without the "_tests" suffix, and
+<fixture_suffix> is a descriptive name for the fixture class, e.g.
+"class pkixocsp_DelegatedResponder".
diff --git a/security/nss/gtests/mozpkix_gtest/mozpkix_gtest.gyp b/security/nss/gtests/mozpkix_gtest/mozpkix_gtest.gyp
new file mode 100644
index 000000000..899b849fc
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/mozpkix_gtest.gyp
@@ -0,0 +1,71 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../coreconf/config.gypi',
+    '../common/gtest.gypi',
+  ],
+  'targets': [
+    {
+      'target_name': 'mozpkix_gtest',
+      'type': 'executable',
+      'sources': [
+        '<(DEPTH)/gtests/common/gtests.cc',
+        'pkixbuild_tests.cpp',
+        'pkixcert_extension_tests.cpp',
+        'pkixcert_signature_algorithm_tests.cpp',
+        'pkixcheck_CheckExtendedKeyUsage_tests.cpp',
+        'pkixcheck_CheckIssuer_tests.cpp',
+        'pkixcheck_CheckKeyUsage_tests.cpp',
+        'pkixcheck_CheckSignatureAlgorithm_tests.cpp',
+        'pkixcheck_CheckValidity_tests.cpp',
+        'pkixcheck_ParseValidity_tests.cpp',
+        'pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp',
+        'pkixder_input_tests.cpp',
+        'pkixder_pki_types_tests.cpp',
+        'pkixder_universal_types_tests.cpp',
+        'pkixgtest.cpp',
+        'pkixnames_tests.cpp',
+        'pkixocsp_CreateEncodedOCSPRequest_tests.cpp',
+        'pkixocsp_VerifyEncodedOCSPResponse.cpp',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        '<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
+        '<(DEPTH)/lib/util/util.gyp:nssutil',
+        '<(DEPTH)/lib/ssl/ssl.gyp:ssl',
+        '<(DEPTH)/lib/nss/nss.gyp:nss_static',
+        '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static',
+        '<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi',
+        '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi',
+        '<(DEPTH)/lib/certdb/certdb.gyp:certdb',
+        '<(DEPTH)/lib/base/base.gyp:nssb',
+        '<(DEPTH)/lib/dev/dev.gyp:nssdev',
+        '<(DEPTH)/lib/pki/pki.gyp:nsspki',
+        '<(DEPTH)/lib/mozpkix/mozpkix.gyp:mozpkix',
+        '<(DEPTH)/lib/mozpkix/mozpkix.gyp:mozpkix-testlib',
+      ],
+      'include_dirs': [
+        '<(DEPTH)/lib/mozpkix/',
+        '<(DEPTH)/lib/mozpkix/lib',
+        '<(DEPTH)/lib/mozpkix/include/',
+        '<(DEPTH)/lib/mozpkix/include/pkix-test/',
+      ],
+      'conditions': [
+        [ 'OS=="win"', {
+          'libraries': [
+            'advapi32.lib',
+          ],
+        }],
+      ],
+      'defines': [
+        'NSS_USE_STATIC_LIBS'
+      ],
+    }
+  ],
+  'variables': {
+    'module': 'nss',
+    'use_static_libs': 1,
+  }
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixbuild_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixbuild_tests.cpp
new file mode 100644
index 000000000..e17321075
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixbuild_tests.cpp
@@ -0,0 +1,894 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#if defined(_MSC_VER) && _MSC_VER < 1900
+// When building with -D_HAS_EXCEPTIONS=0, MSVC's <xtree> header triggers
+// warning C4702: unreachable code.
+// https://connect.microsoft.com/VisualStudio/feedback/details/809962
+#pragma warning(push)
+#pragma warning(disable: 4702)
+#endif
+
+#include <map>
+#include <vector>
+
+#if defined(_MSC_VER) && _MSC_VER < 1900
+#pragma warning(pop)
+#endif
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+static ByteString
+CreateCert(const char* issuerCN, // null means "empty name"
+           const char* subjectCN, // null means "empty name"
+           EndEntityOrCA endEntityOrCA,
+           /*optional modified*/ std::map<ByteString, ByteString>*
+             subjectDERToCertDER = nullptr,
+           /*optional*/ const ByteString* extension = nullptr,
+           /*optional*/ const TestKeyPair* issuerKeyPair = nullptr,
+           /*optional*/ const TestKeyPair* subjectKeyPair = nullptr)
+{
+  static long serialNumberValue = 0;
+  ++serialNumberValue;
+  ByteString serialNumber(CreateEncodedSerialNumber(serialNumberValue));
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+
+  ByteString issuerDER(issuerCN ? CNToDERName(issuerCN) : Name(ByteString()));
+  ByteString subjectDER(subjectCN ? CNToDERName(subjectCN) : Name(ByteString()));
+
+  std::vector<ByteString> extensions;
+  if (endEntityOrCA == EndEntityOrCA::MustBeCA) {
+    ByteString basicConstraints =
+      CreateEncodedBasicConstraints(true, nullptr, Critical::Yes);
+    EXPECT_FALSE(ENCODING_FAILED(basicConstraints));
+    extensions.push_back(basicConstraints);
+  }
+  if (extension) {
+    extensions.push_back(*extension);
+  }
+  extensions.push_back(ByteString()); // marks the end of the list
+
+  ScopedTestKeyPair reusedKey(CloneReusedKeyPair());
+  ByteString certDER(CreateEncodedCertificate(
+                       v3, sha256WithRSAEncryption(), serialNumber, issuerDER,
+                       oneDayBeforeNow, oneDayAfterNow, subjectDER,
+                       subjectKeyPair ? *subjectKeyPair : *reusedKey,
+                       extensions.data(),
+                       issuerKeyPair ? *issuerKeyPair : *reusedKey,
+                       sha256WithRSAEncryption()));
+  EXPECT_FALSE(ENCODING_FAILED(certDER));
+
+  if (subjectDERToCertDER) {
+    (*subjectDERToCertDER)[subjectDER] = certDER;
+  }
+
+  return certDER;
+}
+
+class TestTrustDomain final : public DefaultCryptoTrustDomain
+{
+public:
+  // The "cert chain tail" is a longish chain of certificates that is used by
+  // all of the tests here. We share this chain across all the tests in order
+  // to speed up the tests (generating keypairs for the certs is very slow).
+  bool SetUpCertChainTail()
+  {
+    static char const* const names[] = {
+        "CA1 (Root)", "CA2", "CA3", "CA4", "CA5", "CA6", "CA7"
+    };
+
+    for (size_t i = 0; i < MOZILLA_PKIX_ARRAY_LENGTH(names); ++i) {
+      const char* issuerName = i == 0 ? names[0] : names[i-1];
+      CreateCACert(issuerName, names[i]);
+      if (i == 0) {
+        rootCACertDER = leafCACertDER;
+      }
+    }
+
+    return true;
+  }
+
+  void CreateCACert(const char* issuerName, const char* subjectName)
+  {
+    leafCACertDER = CreateCert(issuerName, subjectName,
+                               EndEntityOrCA::MustBeCA, &subjectDERToCertDER);
+    assert(!ENCODING_FAILED(leafCACertDER));
+  }
+
+  ByteString GetLeafCACertDER() const { return leafCACertDER; }
+
+private:
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input candidateCert,
+                      /*out*/ TrustLevel& trustLevel) override
+  {
+    trustLevel = InputEqualsByteString(candidateCert, rootCACertDER)
+               ? TrustLevel::TrustAnchor
+               : TrustLevel::InheritsTrust;
+    return Success;
+  }
+
+  Result FindIssuer(Input encodedIssuerName, IssuerChecker& checker, Time)
+                    override
+  {
+    ByteString subjectDER(InputToByteString(encodedIssuerName));
+    ByteString certDER(subjectDERToCertDER[subjectDER]);
+    Input derCert;
+    Result rv = derCert.Init(certDER.data(), certDER.length());
+    if (rv != Success) {
+      return rv;
+    }
+    bool keepGoing;
+    rv = checker.Check(derCert, nullptr/*additionalNameConstraints*/,
+                       keepGoing);
+    if (rv != Success) {
+      return rv;
+    }
+    return Success;
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*)
+                         override
+  {
+    return Success;
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
+  {
+    return Success;
+  }
+
+  std::map<ByteString, ByteString> subjectDERToCertDER;
+  ByteString leafCACertDER;
+  ByteString rootCACertDER;
+};
+
+class pkixbuild : public ::testing::Test
+{
+public:
+  static void SetUpTestCase()
+  {
+    if (!trustDomain.SetUpCertChainTail()) {
+      abort();
+    }
+  }
+
+protected:
+
+  static TestTrustDomain trustDomain;
+};
+
+/*static*/ TestTrustDomain pkixbuild::trustDomain;
+
+TEST_F(pkixbuild, MaxAcceptableCertChainLength)
+{
+  {
+    ByteString leafCACert(trustDomain.GetLeafCACertDER());
+    Input certDER;
+    ASSERT_EQ(Success, certDER.Init(leafCACert.data(), leafCACert.length()));
+    ASSERT_EQ(Success,
+              BuildCertChain(trustDomain, certDER, Now(),
+                             EndEntityOrCA::MustBeCA,
+                             KeyUsage::noParticularKeyUsageRequired,
+                             KeyPurposeId::id_kp_serverAuth,
+                             CertPolicyId::anyPolicy,
+                             nullptr/*stapledOCSPResponse*/));
+  }
+
+  {
+    ByteString certDER(CreateCert("CA7", "Direct End-Entity",
+                                  EndEntityOrCA::MustBeEndEntity));
+    ASSERT_FALSE(ENCODING_FAILED(certDER));
+    Input certDERInput;
+    ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+    ASSERT_EQ(Success,
+              BuildCertChain(trustDomain, certDERInput, Now(),
+                             EndEntityOrCA::MustBeEndEntity,
+                             KeyUsage::noParticularKeyUsageRequired,
+                             KeyPurposeId::id_kp_serverAuth,
+                             CertPolicyId::anyPolicy,
+                             nullptr/*stapledOCSPResponse*/));
+  }
+}
+
+TEST_F(pkixbuild, BeyondMaxAcceptableCertChainLength)
+{
+  static char const* const caCertName = "CA Too Far";
+
+  trustDomain.CreateCACert("CA7", caCertName);
+
+  {
+    ByteString certDER(trustDomain.GetLeafCACertDER());
+    Input certDERInput;
+    ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+    ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
+              BuildCertChain(trustDomain, certDERInput, Now(),
+                             EndEntityOrCA::MustBeCA,
+                             KeyUsage::noParticularKeyUsageRequired,
+                             KeyPurposeId::id_kp_serverAuth,
+                             CertPolicyId::anyPolicy,
+                             nullptr/*stapledOCSPResponse*/));
+  }
+
+  {
+    ByteString certDER(CreateCert(caCertName, "End-Entity Too Far",
+                                  EndEntityOrCA::MustBeEndEntity));
+    ASSERT_FALSE(ENCODING_FAILED(certDER));
+    Input certDERInput;
+    ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+    ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
+              BuildCertChain(trustDomain, certDERInput, Now(),
+                             EndEntityOrCA::MustBeEndEntity,
+                             KeyUsage::noParticularKeyUsageRequired,
+                             KeyPurposeId::id_kp_serverAuth,
+                             CertPolicyId::anyPolicy,
+                             nullptr/*stapledOCSPResponse*/));
+  }
+}
+
+// A TrustDomain that checks certificates against a given root certificate.
+// It is initialized with the DER encoding of a root certificate that
+// is treated as a trust anchor and is assumed to have issued all certificates
+// (i.e. FindIssuer always attempts to build the next step in the chain with
+// it).
+class SingleRootTrustDomain : public DefaultCryptoTrustDomain
+{
+public:
+  explicit SingleRootTrustDomain(ByteString aRootDER)
+    : rootDER(aRootDER)
+  {
+  }
+
+  // The CertPolicyId argument is unused because we don't care about EV.
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input candidateCert,
+                      /*out*/ TrustLevel& trustLevel) override
+  {
+    Input rootCert;
+    Result rv = rootCert.Init(rootDER.data(), rootDER.length());
+    if (rv != Success) {
+      return rv;
+    }
+    if (InputsAreEqual(candidateCert, rootCert)) {
+      trustLevel = TrustLevel::TrustAnchor;
+    } else {
+      trustLevel = TrustLevel::InheritsTrust;
+    }
+    return Success;
+  }
+
+  Result FindIssuer(Input, IssuerChecker& checker, Time) override
+  {
+    // keepGoing is an out parameter from IssuerChecker.Check. It would tell us
+    // whether or not to continue attempting other potential issuers. We only
+    // know of one potential issuer, however, so we ignore it.
+    bool keepGoing;
+    Input rootCert;
+    Result rv = rootCert.Init(rootDER.data(), rootDER.length());
+    if (rv != Success) {
+      return rv;
+    }
+    return checker.Check(rootCert, nullptr, keepGoing);
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
+  {
+    return Success;
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*)
+                         override
+  {
+    return Success;
+  }
+
+private:
+  ByteString rootDER;
+};
+
+// A TrustDomain that explicitly fails if CheckRevocation is called.
+class ExpiredCertTrustDomain final : public SingleRootTrustDomain
+{
+public:
+  explicit ExpiredCertTrustDomain(ByteString aRootDER)
+    : SingleRootTrustDomain(aRootDER)
+  {
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*)
+                         override
+  {
+    ADD_FAILURE();
+    return NotReached("CheckRevocation should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+};
+
+TEST_F(pkixbuild, NoRevocationCheckingForExpiredCert)
+{
+  const char* rootCN = "Root CA";
+  ByteString rootDER(CreateCert(rootCN, rootCN, EndEntityOrCA::MustBeCA,
+                                nullptr));
+  EXPECT_FALSE(ENCODING_FAILED(rootDER));
+  ExpiredCertTrustDomain expiredCertTrustDomain(rootDER);
+
+  ByteString serialNumber(CreateEncodedSerialNumber(100));
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+  ByteString issuerDER(CNToDERName(rootCN));
+  ByteString subjectDER(CNToDERName("Expired End-Entity Cert"));
+  ScopedTestKeyPair reusedKey(CloneReusedKeyPair());
+  ByteString certDER(CreateEncodedCertificate(
+                       v3, sha256WithRSAEncryption(),
+                       serialNumber, issuerDER,
+                       twoDaysBeforeNow,
+                       oneDayBeforeNow,
+                       subjectDER, *reusedKey, nullptr, *reusedKey,
+                       sha256WithRSAEncryption()));
+  EXPECT_FALSE(ENCODING_FAILED(certDER));
+
+  Input cert;
+  ASSERT_EQ(Success, cert.Init(certDER.data(), certDER.length()));
+  ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE,
+            BuildCertChain(expiredCertTrustDomain, cert, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::id_kp_serverAuth,
+                           CertPolicyId::anyPolicy,
+                           nullptr));
+}
+
+class DSSTrustDomain final : public EverythingFailsByDefaultTrustDomain
+{
+public:
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&,
+                      Input, /*out*/ TrustLevel& trustLevel) override
+  {
+    trustLevel = TrustLevel::TrustAnchor;
+    return Success;
+  }
+};
+
+class pkixbuild_DSS : public ::testing::Test { };
+
+TEST_F(pkixbuild_DSS, DSSEndEntityKeyNotAccepted)
+{
+  DSSTrustDomain trustDomain;
+
+  ByteString serialNumber(CreateEncodedSerialNumber(1));
+  ASSERT_FALSE(ENCODING_FAILED(serialNumber));
+
+  ByteString subjectDER(CNToDERName("DSS"));
+  ASSERT_FALSE(ENCODING_FAILED(subjectDER));
+  ScopedTestKeyPair subjectKey(GenerateDSSKeyPair());
+  ASSERT_TRUE(subjectKey.get());
+
+  ByteString issuerDER(CNToDERName("RSA"));
+  ASSERT_FALSE(ENCODING_FAILED(issuerDER));
+  ScopedTestKeyPair issuerKey(CloneReusedKeyPair());
+  ASSERT_TRUE(issuerKey.get());
+
+  ByteString cert(CreateEncodedCertificate(v3, sha256WithRSAEncryption(),
+                                           serialNumber, issuerDER,
+                                           oneDayBeforeNow, oneDayAfterNow,
+                                           subjectDER, *subjectKey, nullptr,
+                                           *issuerKey, sha256WithRSAEncryption()));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certDER;
+  ASSERT_EQ(Success, certDER.Init(cert.data(), cert.length()));
+
+  ASSERT_EQ(Result::ERROR_UNSUPPORTED_KEYALG,
+            BuildCertChain(trustDomain, certDER, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::id_kp_serverAuth,
+                           CertPolicyId::anyPolicy,
+                           nullptr/*stapledOCSPResponse*/));
+}
+
+class IssuerNameCheckTrustDomain final : public DefaultCryptoTrustDomain
+{
+public:
+  IssuerNameCheckTrustDomain(const ByteString& aIssuer, bool aExpectedKeepGoing)
+    : issuer(aIssuer)
+    , expectedKeepGoing(aExpectedKeepGoing)
+  {
+  }
+
+  Result GetCertTrust(EndEntityOrCA endEntityOrCA, const CertPolicyId&, Input,
+                      /*out*/ TrustLevel& trustLevel) override
+  {
+    trustLevel = endEntityOrCA == EndEntityOrCA::MustBeCA
+               ? TrustLevel::TrustAnchor
+               : TrustLevel::InheritsTrust;
+    return Success;
+  }
+
+  Result FindIssuer(Input, IssuerChecker& checker, Time) override
+  {
+    Input issuerInput;
+    EXPECT_EQ(Success, issuerInput.Init(issuer.data(), issuer.length()));
+    bool keepGoing;
+    EXPECT_EQ(Success,
+              checker.Check(issuerInput, nullptr /*additionalNameConstraints*/,
+                            keepGoing));
+    EXPECT_EQ(expectedKeepGoing, keepGoing);
+    return Success;
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*)
+                         override
+  {
+    return Success;
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
+  {
+    return Success;
+  }
+
+private:
+  const ByteString issuer;
+  const bool expectedKeepGoing;
+};
+
+struct IssuerNameCheckParams
+{
+  const char* subjectIssuerCN; // null means "empty name"
+  const char* issuerSubjectCN; // null means "empty name"
+  bool matches;
+  Result expectedError;
+};
+
+static const IssuerNameCheckParams ISSUER_NAME_CHECK_PARAMS[] =
+{
+  { "foo", "foo", true, Success },
+  { "foo", "bar", false, Result::ERROR_UNKNOWN_ISSUER },
+  { "f", "foo", false, Result::ERROR_UNKNOWN_ISSUER }, // prefix
+  { "foo", "f", false, Result::ERROR_UNKNOWN_ISSUER }, // prefix
+  { "foo", "Foo", false, Result::ERROR_UNKNOWN_ISSUER }, // case sensitive
+  { "", "", true, Success },
+  { nullptr, nullptr, false, Result::ERROR_EMPTY_ISSUER_NAME }, // empty issuer
+
+  // check that certificate-related errors are deferred and superseded by
+  // ERROR_UNKNOWN_ISSUER when a chain can't be built due to name mismatches
+  { "foo", nullptr, false, Result::ERROR_UNKNOWN_ISSUER },
+  { nullptr, "foo", false, Result::ERROR_UNKNOWN_ISSUER }
+};
+
+class pkixbuild_IssuerNameCheck
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<IssuerNameCheckParams>
+{
+};
+
+TEST_P(pkixbuild_IssuerNameCheck, MatchingName)
+{
+  const IssuerNameCheckParams& params(GetParam());
+
+  ByteString issuerCertDER(CreateCert(params.issuerSubjectCN,
+                                      params.issuerSubjectCN,
+                                      EndEntityOrCA::MustBeCA, nullptr));
+  ASSERT_FALSE(ENCODING_FAILED(issuerCertDER));
+
+  ByteString subjectCertDER(CreateCert(params.subjectIssuerCN, "end-entity",
+                                       EndEntityOrCA::MustBeEndEntity,
+                                       nullptr));
+  ASSERT_FALSE(ENCODING_FAILED(subjectCertDER));
+
+  Input subjectCertDERInput;
+  ASSERT_EQ(Success, subjectCertDERInput.Init(subjectCertDER.data(),
+                                              subjectCertDER.length()));
+
+  IssuerNameCheckTrustDomain trustDomain(issuerCertDER, !params.matches);
+  ASSERT_EQ(params.expectedError,
+            BuildCertChain(trustDomain, subjectCertDERInput, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::id_kp_serverAuth,
+                           CertPolicyId::anyPolicy,
+                           nullptr/*stapledOCSPResponse*/));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixbuild_IssuerNameCheck, pkixbuild_IssuerNameCheck,
+                        testing::ValuesIn(ISSUER_NAME_CHECK_PARAMS));
+
+
+// Records the embedded SCT list extension for later examination.
+class EmbeddedSCTListTestTrustDomain final : public SingleRootTrustDomain
+{
+public:
+  explicit EmbeddedSCTListTestTrustDomain(ByteString aRootDER)
+    : SingleRootTrustDomain(aRootDER)
+  {
+  }
+
+  virtual void NoteAuxiliaryExtension(AuxiliaryExtension extension,
+                                      Input extensionData) override
+  {
+    if (extension == AuxiliaryExtension::EmbeddedSCTList) {
+      signedCertificateTimestamps = InputToByteString(extensionData);
+    } else {
+      ADD_FAILURE();
+    }
+  }
+
+  ByteString signedCertificateTimestamps;
+};
+
+TEST_F(pkixbuild, CertificateTransparencyExtension)
+{
+  // python security/pkix/tools/DottedOIDToCode.py --tlv
+  //   id-embeddedSctList 1.3.6.1.4.1.11129.2.4.2
+  static const uint8_t tlv_id_embeddedSctList[] = {
+    0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x02
+  };
+  static const uint8_t dummySctList[] = {
+    0x01, 0x02, 0x03, 0x04, 0x05
+  };
+
+  ByteString ctExtension = TLV(der::SEQUENCE,
+    BytesToByteString(tlv_id_embeddedSctList) +
+    Boolean(false) +
+    TLV(der::OCTET_STRING,
+      // SignedCertificateTimestampList structure is encoded as an OCTET STRING
+      // within the X.509v3 extension (see RFC 6962 section 3.3).
+      // pkix decodes it internally and returns the actual structure.
+      TLV(der::OCTET_STRING, BytesToByteString(dummySctList))));
+
+  const char* rootCN = "Root CA";
+  ByteString rootDER(CreateCert(rootCN, rootCN, EndEntityOrCA::MustBeCA));
+  ASSERT_FALSE(ENCODING_FAILED(rootDER));
+
+  ByteString certDER(CreateCert(rootCN, "Cert with SCT list",
+                                EndEntityOrCA::MustBeEndEntity,
+                                nullptr, /*subjectDERToCertDER*/
+                                &ctExtension));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length()));
+
+  EmbeddedSCTListTestTrustDomain extTrustDomain(rootDER);
+  ASSERT_EQ(Success,
+            BuildCertChain(extTrustDomain, certInput, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::anyExtendedKeyUsage,
+                           CertPolicyId::anyPolicy,
+                           nullptr /*stapledOCSPResponse*/));
+  ASSERT_EQ(BytesToByteString(dummySctList),
+            extTrustDomain.signedCertificateTimestamps);
+}
+
+// This TrustDomain implements a hierarchy like so:
+//
+// A   B
+// |   |
+// C   D
+//  \ /
+//   E
+//
+// where A is a trust anchor, B is not a trust anchor and has no known issuer, C
+// and D are intermediates with the same subject and subject public key, and E
+// is an end-entity (in practice, the end-entity will be generated by the test
+// functions using this trust domain).
+class MultiplePathTrustDomain: public DefaultCryptoTrustDomain
+{
+public:
+  void SetUpCerts()
+  {
+    ASSERT_FALSE(ENCODING_FAILED(CreateCert("UntrustedRoot", "UntrustedRoot",
+                                            EndEntityOrCA::MustBeCA,
+                                            &subjectDERToCertDER)));
+    // The subject DER -> cert DER mapping would be overwritten for subject
+    // "Intermediate" when we create the second "Intermediate" certificate, so
+    // we keep a copy of this "Intermediate".
+    intermediateSignedByUntrustedRootCertDER =
+      CreateCert("UntrustedRoot", "Intermediate", EndEntityOrCA::MustBeCA);
+    ASSERT_FALSE(ENCODING_FAILED(intermediateSignedByUntrustedRootCertDER));
+    rootCACertDER = CreateCert("TrustedRoot", "TrustedRoot",
+                               EndEntityOrCA::MustBeCA, &subjectDERToCertDER);
+    ASSERT_FALSE(ENCODING_FAILED(rootCACertDER));
+    ASSERT_FALSE(ENCODING_FAILED(CreateCert("TrustedRoot", "Intermediate",
+                                            EndEntityOrCA::MustBeCA,
+                                            &subjectDERToCertDER)));
+  }
+
+private:
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input candidateCert,
+                      /*out*/ TrustLevel& trustLevel) override
+  {
+    trustLevel = InputEqualsByteString(candidateCert, rootCACertDER)
+               ? TrustLevel::TrustAnchor
+               : TrustLevel::InheritsTrust;
+    return Success;
+  }
+
+  Result CheckCert(ByteString& certDER, IssuerChecker& checker, bool& keepGoing)
+  {
+    Input derCert;
+    Result rv = derCert.Init(certDER.data(), certDER.length());
+    if (rv != Success) {
+      return rv;
+    }
+    return checker.Check(derCert, nullptr/*additionalNameConstraints*/,
+                         keepGoing);
+  }
+
+  Result FindIssuer(Input encodedIssuerName, IssuerChecker& checker, Time)
+                    override
+  {
+    ByteString subjectDER(InputToByteString(encodedIssuerName));
+    ByteString certDER(subjectDERToCertDER[subjectDER]);
+    assert(!ENCODING_FAILED(certDER));
+    bool keepGoing;
+    Result rv = CheckCert(certDER, checker, keepGoing);
+    if (rv != Success) {
+      return rv;
+    }
+    // Also try the other intermediate.
+    if (keepGoing) {
+      rv = CheckCert(intermediateSignedByUntrustedRootCertDER, checker,
+                     keepGoing);
+      if (rv != Success) {
+        return rv;
+      }
+    }
+    return Success;
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*,
+                         /*optional*/ const Input*) override
+  {
+    return Success;
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
+  {
+    return Success;
+  }
+
+  std::map<ByteString, ByteString> subjectDERToCertDER;
+  ByteString rootCACertDER;
+  ByteString intermediateSignedByUntrustedRootCertDER;
+};
+
+TEST_F(pkixbuild, BadEmbeddedSCTWithMultiplePaths)
+{
+  MultiplePathTrustDomain localTrustDomain;
+  localTrustDomain.SetUpCerts();
+
+  // python security/pkix/tools/DottedOIDToCode.py --tlv
+  //   id-embeddedSctList 1.3.6.1.4.1.11129.2.4.2
+  static const uint8_t tlv_id_embeddedSctList[] = {
+    0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x02
+  };
+  static const uint8_t dummySctList[] = {
+    0x01, 0x02, 0x03, 0x04, 0x05
+  };
+  ByteString ctExtension = TLV(der::SEQUENCE,
+    BytesToByteString(tlv_id_embeddedSctList) +
+    Boolean(false) +
+    // The contents of the OCTET STRING are supposed to consist of an OCTET
+    // STRING of useful data. We're testing what happens if it isn't, so shove
+    // some bogus (non-OCTET STRING) data in there.
+    TLV(der::OCTET_STRING, BytesToByteString(dummySctList)));
+  ByteString certDER(CreateCert("Intermediate", "Cert with bogus SCT list",
+                                EndEntityOrCA::MustBeEndEntity,
+                                nullptr, /*subjectDERToCertDER*/
+                                &ctExtension));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+  Input certDERInput;
+  ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            BuildCertChain(localTrustDomain, certDERInput, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::id_kp_serverAuth,
+                           CertPolicyId::anyPolicy,
+                           nullptr/*stapledOCSPResponse*/));
+}
+
+// Same as a MultiplePathTrustDomain, but the end-entity is revoked.
+class RevokedEndEntityTrustDomain final : public MultiplePathTrustDomain
+{
+public:
+  Result CheckRevocation(EndEntityOrCA endEntityOrCA, const CertID&, Time,
+                         Duration, /*optional*/ const Input*,
+                         /*optional*/ const Input*) override
+  {
+    if (endEntityOrCA == EndEntityOrCA::MustBeEndEntity) {
+      return Result::ERROR_REVOKED_CERTIFICATE;
+    }
+    return Success;
+  }
+};
+
+TEST_F(pkixbuild, RevokedEndEntityWithMultiplePaths)
+{
+  RevokedEndEntityTrustDomain localTrustDomain;
+  localTrustDomain.SetUpCerts();
+  ByteString certDER(CreateCert("Intermediate", "RevokedEndEntity",
+                                EndEntityOrCA::MustBeEndEntity));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+  Input certDERInput;
+  ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+  ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE,
+            BuildCertChain(localTrustDomain, certDERInput, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::id_kp_serverAuth,
+                           CertPolicyId::anyPolicy,
+                           nullptr/*stapledOCSPResponse*/));
+}
+
+// This represents a collection of different certificates that all have the same
+// subject and issuer distinguished name.
+class SelfIssuedCertificatesTrustDomain final : public DefaultCryptoTrustDomain
+{
+public:
+  void SetUpCerts(size_t totalCerts)
+  {
+    ASSERT_TRUE(totalCerts > 0);
+    // First we generate a trust anchor.
+    ScopedTestKeyPair rootKeyPair(GenerateKeyPair());
+    rootCACertDER = CreateCert("DN", "DN", EndEntityOrCA::MustBeCA, nullptr,
+                               nullptr, rootKeyPair.get(), rootKeyPair.get());
+    ASSERT_FALSE(ENCODING_FAILED(rootCACertDER));
+    certs.push_back(rootCACertDER);
+    ScopedTestKeyPair issuerKeyPair(rootKeyPair.release());
+    size_t subCAsGenerated;
+    // Then we generate 6 sub-CAs (given that we were requested to generate at
+    // least that many).
+    for (subCAsGenerated = 0;
+         subCAsGenerated < totalCerts - 1 && subCAsGenerated < 6;
+         subCAsGenerated++) {
+      // Each certificate has to have a unique SPKI (mozilla::pkix does loop
+      // detection and stops searching if it encounters two certificates in a
+      // path with the same subject and SPKI).
+      ScopedTestKeyPair keyPair(GenerateKeyPair());
+      ByteString cert(CreateCert("DN", "DN", EndEntityOrCA::MustBeCA, nullptr,
+                                 nullptr, issuerKeyPair.get(), keyPair.get()));
+      ASSERT_FALSE(ENCODING_FAILED(cert));
+      certs.push_back(cert);
+      issuerKeyPair.reset(keyPair.release());
+    }
+    // We set firstIssuerKey here because we can't end up with a path that has
+    // more than 7 CAs in it (because mozilla::pkix limits the path length).
+    firstIssuerKey.reset(issuerKeyPair.release());
+    // For any more sub CAs we generate, it doesn't matter what their keys are
+    // as long as they're different.
+    for (; subCAsGenerated < totalCerts - 1; subCAsGenerated++) {
+      ScopedTestKeyPair keyPair(GenerateKeyPair());
+      ByteString cert(CreateCert("DN", "DN", EndEntityOrCA::MustBeCA, nullptr,
+                                 nullptr, keyPair.get(), keyPair.get()));
+      ASSERT_FALSE(ENCODING_FAILED(cert));
+      certs.insert(certs.begin(), cert);
+    }
+  }
+
+  const TestKeyPair* GetFirstIssuerKey()
+  {
+    return firstIssuerKey.get();
+  }
+
+private:
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input candidateCert,
+                      /*out*/ TrustLevel& trustLevel) override
+  {
+    trustLevel = InputEqualsByteString(candidateCert, rootCACertDER)
+               ? TrustLevel::TrustAnchor
+               : TrustLevel::InheritsTrust;
+    return Success;
+  }
+
+  Result FindIssuer(Input, IssuerChecker& checker, Time) override
+  {
+    bool keepGoing;
+    for (auto& cert: certs) {
+      Input certInput;
+      Result rv = certInput.Init(cert.data(), cert.length());
+      if (rv != Success) {
+        return rv;
+      }
+      rv = checker.Check(certInput, nullptr, keepGoing);
+      if (rv != Success || !keepGoing) {
+        return rv;
+      }
+    }
+    return Success;
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*)
+                         override
+  {
+    return Success;
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
+  {
+    return Success;
+  }
+
+  std::vector<ByteString> certs;
+  ByteString rootCACertDER;
+  ScopedTestKeyPair firstIssuerKey;
+};
+
+TEST_F(pkixbuild, AvoidUnboundedPathSearchingFailure)
+{
+  SelfIssuedCertificatesTrustDomain localTrustDomain;
+  // This creates a few hundred million potential paths of length 8 (end entity
+  // + 6 sub-CAs + root). It would be prohibitively expensive to enumerate all
+  // of these, so we give mozilla::pkix a budget that is spent when searching
+  // paths. If the budget is exhausted, it simply returns an unknown issuer
+  // error. In the future it might be nice to return a specific error that would
+  // give the front-end a hint that maybe it shouldn't have so many certificates
+  // that all have the same subject and issuer DN but different SPKIs.
+  localTrustDomain.SetUpCerts(18);
+  ByteString certDER(CreateCert("DN", "DN", EndEntityOrCA::MustBeEndEntity,
+                                nullptr, nullptr,
+                                localTrustDomain.GetFirstIssuerKey()));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+  Input certDERInput;
+  ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+  ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
+            BuildCertChain(localTrustDomain, certDERInput, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::id_kp_serverAuth,
+                           CertPolicyId::anyPolicy,
+                           nullptr/*stapledOCSPResponse*/));
+}
+
+TEST_F(pkixbuild, AvoidUnboundedPathSearchingSuccess)
+{
+  SelfIssuedCertificatesTrustDomain localTrustDomain;
+  // This creates a few hundred thousand possible potential paths of length 8
+  // (end entity + 6 sub-CAs + root). This will nearly exhaust mozilla::pkix's
+  // search budget, so this should succeed.
+  localTrustDomain.SetUpCerts(10);
+  ByteString certDER(CreateCert("DN", "DN", EndEntityOrCA::MustBeEndEntity,
+                                nullptr, nullptr,
+                                localTrustDomain.GetFirstIssuerKey()));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+  Input certDERInput;
+  ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+  ASSERT_EQ(Success,
+            BuildCertChain(localTrustDomain, certDERInput, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::id_kp_serverAuth,
+                           CertPolicyId::anyPolicy,
+                           nullptr/*stapledOCSPResponse*/));
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp
new file mode 100644
index 000000000..762fac146
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp
@@ -0,0 +1,276 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+#include "mozpkix/test/pkixtestutil.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+// Creates a self-signed certificate with the given extension.
+static ByteString
+CreateCertWithExtensions(const char* subjectCN,
+                         const ByteString* extensions)
+{
+  static long serialNumberValue = 0;
+  ++serialNumberValue;
+  ByteString serialNumber(CreateEncodedSerialNumber(serialNumberValue));
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+  ByteString issuerDER(CNToDERName(subjectCN));
+  EXPECT_FALSE(ENCODING_FAILED(issuerDER));
+  ByteString subjectDER(CNToDERName(subjectCN));
+  EXPECT_FALSE(ENCODING_FAILED(subjectDER));
+  ScopedTestKeyPair subjectKey(CloneReusedKeyPair());
+  return CreateEncodedCertificate(v3, sha256WithRSAEncryption(),
+                                  serialNumber, issuerDER,
+                                  oneDayBeforeNow, oneDayAfterNow,
+                                  subjectDER, *subjectKey, extensions,
+                                  *subjectKey,
+                                  sha256WithRSAEncryption());
+}
+
+// Creates a self-signed certificate with the given extension.
+static ByteString
+CreateCertWithOneExtension(const char* subjectStr, const ByteString& extension)
+{
+  const ByteString extensions[] = { extension, ByteString() };
+  return CreateCertWithExtensions(subjectStr, extensions);
+}
+
+class TrustEverythingTrustDomain final : public DefaultCryptoTrustDomain
+{
+private:
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input,
+                      /*out*/ TrustLevel& trustLevel) override
+  {
+    trustLevel = TrustLevel::TrustAnchor;
+    return Success;
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*)
+                         override
+  {
+    return Success;
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
+  {
+    return Success;
+  }
+};
+
+// python DottedOIDToCode.py --tlv unknownExtensionOID 1.3.6.1.4.1.13769.666.666.666.1.500.9.3
+static const uint8_t tlv_unknownExtensionOID[] = {
+  0x06, 0x12, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xeb, 0x49, 0x85, 0x1a, 0x85, 0x1a,
+  0x85, 0x1a, 0x01, 0x83, 0x74, 0x09, 0x03
+};
+
+// python DottedOIDToCode.py --tlv id-pe-authorityInformationAccess 1.3.6.1.5.5.7.1.1
+static const uint8_t tlv_id_pe_authorityInformationAccess[] = {
+  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01
+};
+
+// python DottedOIDToCode.py --tlv wrongExtensionOID 1.3.6.6.1.5.5.7.1.1
+// (there is an extra "6" that shouldn't be in this OID)
+static const uint8_t tlv_wrongExtensionOID[] = {
+  0x06, 0x09, 0x2b, 0x06, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01
+};
+
+// python DottedOIDToCode.py --tlv id-ce-unknown 2.5.29.55
+// (this is a made-up OID for testing "id-ce"-prefixed OIDs that mozilla::pkix
+// doesn't handle)
+static const uint8_t tlv_id_ce_unknown[] = {
+  0x06, 0x03, 0x55, 0x1d, 0x37
+};
+
+// python DottedOIDToCode.py --tlv id-ce-inhibitAnyPolicy 2.5.29.54
+static const uint8_t tlv_id_ce_inhibitAnyPolicy[] = {
+  0x06, 0x03, 0x55, 0x1d, 0x36
+};
+
+// python DottedOIDToCode.py --tlv id-pkix-ocsp-nocheck 1.3.6.1.5.5.7.48.1.5
+static const uint8_t tlv_id_pkix_ocsp_nocheck[] = {
+  0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x05
+};
+
+struct ExtensionTestcase
+{
+  ByteString extension;
+  Result expectedResult;
+};
+
+::std::ostream& operator<<(::std::ostream& os, const ExtensionTestcase&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+static const ExtensionTestcase EXTENSION_TESTCASES[] =
+{
+  // Tests that a non-critical extension not in the id-ce or id-pe arcs (which
+  // is thus unknown to us) verifies successfully even if empty (extensions we
+  // know about aren't normally allowed to be empty).
+  { TLV(der::SEQUENCE,
+        BytesToByteString(tlv_unknownExtensionOID) +
+        TLV(der::OCTET_STRING, ByteString())),
+    Success
+  },
+
+  // Tests that a critical extension not in the id-ce or id-pe arcs (which is
+  // thus unknown to us) is detected and that verification fails with the
+  // appropriate error.
+  { TLV(der::SEQUENCE,
+        BytesToByteString(tlv_unknownExtensionOID) +
+        Boolean(true) +
+        TLV(der::OCTET_STRING, ByteString())),
+    Result::ERROR_UNKNOWN_CRITICAL_EXTENSION
+  },
+
+  // Tests that a id-pe-authorityInformationAccess critical extension
+  // is detected and that verification succeeds.
+  // XXX: According to RFC 5280 an AIA that consists of an empty sequence is
+  // not legal, but we accept it and that is not what we're testing here.
+  { TLV(der::SEQUENCE,
+        BytesToByteString(tlv_id_pe_authorityInformationAccess) +
+        Boolean(true) +
+        TLV(der::OCTET_STRING, TLV(der::SEQUENCE, ByteString()))),
+    Success
+  },
+
+  // Tests that an incorrect OID for id-pe-authorityInformationAccess
+  // (when marked critical) is detected and that verification fails.
+  // (Until bug 1020993 was fixed, this wrong value was used for
+  // id-pe-authorityInformationAccess.)
+  { TLV(der::SEQUENCE,
+        BytesToByteString(tlv_wrongExtensionOID) +
+        Boolean(true) +
+        TLV(der::OCTET_STRING, ByteString())),
+    Result::ERROR_UNKNOWN_CRITICAL_EXTENSION
+  },
+
+  // We know about some id-ce extensions (OID arc 2.5.29), but not all of them.
+  // Tests that an unknown id-ce extension is detected and that verification
+  // fails.
+  { TLV(der::SEQUENCE,
+        BytesToByteString(tlv_id_ce_unknown) +
+        Boolean(true) +
+        TLV(der::OCTET_STRING, ByteString())),
+    Result::ERROR_UNKNOWN_CRITICAL_EXTENSION
+  },
+
+  // Tests that a certificate with a known critical id-ce extension (in this
+  // case, OID 2.5.29.54, which is id-ce-inhibitAnyPolicy), verifies
+  // successfully.
+  { TLV(der::SEQUENCE,
+        BytesToByteString(tlv_id_ce_inhibitAnyPolicy) +
+        Boolean(true) +
+        TLV(der::OCTET_STRING, Integer(0))),
+    Success
+  },
+
+  // Tests that a certificate with the id-pkix-ocsp-nocheck extension (marked
+  // critical) verifies successfully.
+  // RFC 6960:
+  //   ext-ocsp-nocheck EXTENSION ::= { SYNTAX NULL IDENTIFIED
+  //                                    BY id-pkix-ocsp-nocheck }
+  { TLV(der::SEQUENCE,
+        BytesToByteString(tlv_id_pkix_ocsp_nocheck) +
+        Boolean(true) +
+        TLV(der::OCTET_STRING, TLV(der::NULLTag, ByteString()))),
+    Success
+  },
+
+  // Tests that a certificate with another representation of the
+  // id-pkix-ocsp-nocheck extension (marked critical) verifies successfully.
+  // According to http://comments.gmane.org/gmane.ietf.x509/30947,
+  // some code creates certificates where value of the extension is
+  // an empty OCTET STRING.
+  { TLV(der::SEQUENCE,
+        BytesToByteString(tlv_id_pkix_ocsp_nocheck) +
+        Boolean(true) +
+        TLV(der::OCTET_STRING, ByteString())),
+    Success
+  },
+};
+
+class pkixcert_extension
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<ExtensionTestcase>
+{
+protected:
+  static TrustEverythingTrustDomain trustDomain;
+};
+
+/*static*/ TrustEverythingTrustDomain pkixcert_extension::trustDomain;
+
+TEST_P(pkixcert_extension, ExtensionHandledProperly)
+{
+  const ExtensionTestcase& testcase(GetParam());
+  const char* cn = "Cert Extension Test";
+  ByteString cert(CreateCertWithOneExtension(cn, testcase.extension));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+  ASSERT_EQ(testcase.expectedResult,
+            BuildCertChain(trustDomain, certInput, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::anyExtendedKeyUsage,
+                           CertPolicyId::anyPolicy,
+                           nullptr/*stapledOCSPResponse*/));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixcert_extension,
+                        pkixcert_extension,
+                        testing::ValuesIn(EXTENSION_TESTCASES));
+
+// Two subjectAltNames must result in an error.
+TEST_F(pkixcert_extension, DuplicateSubjectAltName)
+{
+  // python DottedOIDToCode.py --tlv id-ce-subjectAltName 2.5.29.17
+  static const uint8_t tlv_id_ce_subjectAltName[] = {
+    0x06, 0x03, 0x55, 0x1d, 0x11
+  };
+
+  ByteString subjectAltName(
+    TLV(der::SEQUENCE,
+        BytesToByteString(tlv_id_ce_subjectAltName) +
+        TLV(der::OCTET_STRING, TLV(der::SEQUENCE, DNSName("example.com")))));
+  static const ByteString extensions[] = { subjectAltName, subjectAltName,
+                                           ByteString() };
+  static const char* certCN = "Cert With Duplicate subjectAltName";
+  ByteString cert(CreateCertWithExtensions(certCN, extensions));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+  ASSERT_EQ(Result::ERROR_EXTENSION_VALUE_INVALID,
+            BuildCertChain(trustDomain, certInput, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::anyExtendedKeyUsage,
+                           CertPolicyId::anyPolicy,
+                           nullptr/*stapledOCSPResponse*/));
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp
new file mode 100644
index 000000000..00ccffb04
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp
@@ -0,0 +1,259 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+static ByteString
+CreateCert(const char* issuerCN,
+           const char* subjectCN,
+           EndEntityOrCA endEntityOrCA,
+           const TestSignatureAlgorithm& signatureAlgorithm,
+           /*out*/ ByteString& subjectDER)
+{
+  static long serialNumberValue = 0;
+  ++serialNumberValue;
+  ByteString serialNumber(CreateEncodedSerialNumber(serialNumberValue));
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+
+  ByteString issuerDER(CNToDERName(issuerCN));
+  EXPECT_FALSE(ENCODING_FAILED(issuerDER));
+  subjectDER = CNToDERName(subjectCN);
+  EXPECT_FALSE(ENCODING_FAILED(subjectDER));
+
+  ByteString extensions[2];
+  if (endEntityOrCA == EndEntityOrCA::MustBeCA) {
+    extensions[0] =
+      CreateEncodedBasicConstraints(true, nullptr, Critical::Yes);
+    EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
+  }
+
+  ScopedTestKeyPair reusedKey(CloneReusedKeyPair());
+  ByteString certDER(CreateEncodedCertificate(v3, signatureAlgorithm,
+                                              serialNumber, issuerDER,
+                                              oneDayBeforeNow, oneDayAfterNow,
+                                              subjectDER, *reusedKey,
+                                              extensions, *reusedKey,
+                                              signatureAlgorithm));
+  EXPECT_FALSE(ENCODING_FAILED(certDER));
+  return certDER;
+}
+
+class AlgorithmTestsTrustDomain final : public DefaultCryptoTrustDomain
+{
+public:
+  AlgorithmTestsTrustDomain(const ByteString& aRootDER,
+                            const ByteString& aRootSubjectDER,
+               /*optional*/ const ByteString& aIntDER,
+               /*optional*/ const ByteString& aIntSubjectDER)
+    : rootDER(aRootDER)
+    , rootSubjectDER(aRootSubjectDER)
+    , intDER(aIntDER)
+    , intSubjectDER(aIntSubjectDER)
+  {
+  }
+
+private:
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input candidateCert,
+                      /*out*/ TrustLevel& trustLevel) override
+  {
+    if (InputEqualsByteString(candidateCert, rootDER)) {
+      trustLevel = TrustLevel::TrustAnchor;
+    } else {
+      trustLevel = TrustLevel::InheritsTrust;
+    }
+    return Success;
+  }
+
+  Result FindIssuer(Input encodedIssuerName, IssuerChecker& checker, Time)
+                    override
+  {
+    ByteString* issuerDER = nullptr;
+    if (InputEqualsByteString(encodedIssuerName, rootSubjectDER)) {
+      issuerDER = &rootDER;
+    } else if (InputEqualsByteString(encodedIssuerName, intSubjectDER)) {
+      issuerDER = &intDER;
+    } else {
+      // FindIssuer just returns success if it can't find a potential issuer.
+      return Success;
+    }
+    Input issuerCert;
+    Result rv = issuerCert.Init(issuerDER->data(), issuerDER->length());
+    if (rv != Success) {
+      return rv;
+    }
+    bool keepGoing;
+    return checker.Check(issuerCert, nullptr, keepGoing);
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         const Input*, const Input*) override
+  {
+    return Success;
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
+  {
+    return Success;
+  }
+
+  ByteString rootDER;
+  ByteString rootSubjectDER;
+  ByteString intDER;
+  ByteString intSubjectDER;
+};
+
+static const TestSignatureAlgorithm NO_INTERMEDIATE
+{
+  TestPublicKeyAlgorithm(ByteString()),
+  TestDigestAlgorithmID::MD2,
+  ByteString(),
+  false
+};
+
+struct ChainValidity final
+{
+  ChainValidity(const TestSignatureAlgorithm& aEndEntitySignatureAlgorithm,
+                const TestSignatureAlgorithm& aOptionalIntSignatureAlgorithm,
+                const TestSignatureAlgorithm& aRootSignatureAlgorithm,
+                bool aIsValid)
+    : endEntitySignatureAlgorithm(aEndEntitySignatureAlgorithm)
+    , optionalIntermediateSignatureAlgorithm(aOptionalIntSignatureAlgorithm)
+    , rootSignatureAlgorithm(aRootSignatureAlgorithm)
+    , isValid(aIsValid)
+  { }
+
+  // In general, a certificate is generated for each of these.  However, if
+  // optionalIntermediateSignatureAlgorithm is NO_INTERMEDIATE, then only 2
+  // certificates are generated.
+  // The certificate generated for the given rootSignatureAlgorithm is the
+  // trust anchor.
+  TestSignatureAlgorithm endEntitySignatureAlgorithm;
+  TestSignatureAlgorithm optionalIntermediateSignatureAlgorithm;
+  TestSignatureAlgorithm rootSignatureAlgorithm;
+  bool isValid;
+};
+
+static const ChainValidity CHAIN_VALIDITY[] =
+{
+  // The trust anchor may have a signature with an unsupported signature
+  // algorithm.
+  ChainValidity(sha256WithRSAEncryption(),
+                NO_INTERMEDIATE,
+                md5WithRSAEncryption(),
+                true),
+  ChainValidity(sha256WithRSAEncryption(),
+                NO_INTERMEDIATE,
+                md2WithRSAEncryption(),
+                true),
+
+  // Certificates that are not trust anchors must not have a signature with an
+  // unsupported signature algorithm.
+  ChainValidity(md5WithRSAEncryption(),
+                NO_INTERMEDIATE,
+                sha256WithRSAEncryption(),
+                false),
+  ChainValidity(md2WithRSAEncryption(),
+                NO_INTERMEDIATE,
+                sha256WithRSAEncryption(),
+                false),
+  ChainValidity(md2WithRSAEncryption(),
+                NO_INTERMEDIATE,
+                md5WithRSAEncryption(),
+                false),
+  ChainValidity(sha256WithRSAEncryption(),
+                md5WithRSAEncryption(),
+                sha256WithRSAEncryption(),
+                false),
+  ChainValidity(sha256WithRSAEncryption(),
+                md2WithRSAEncryption(),
+                sha256WithRSAEncryption(),
+                false),
+  ChainValidity(sha256WithRSAEncryption(),
+                md2WithRSAEncryption(),
+                md5WithRSAEncryption(),
+                false),
+};
+
+class pkixcert_IsValidChainForAlgorithm
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<ChainValidity>
+{
+};
+
+::std::ostream& operator<<(::std::ostream& os,
+                           const pkixcert_IsValidChainForAlgorithm&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+::std::ostream& operator<<(::std::ostream& os, const ChainValidity&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+TEST_P(pkixcert_IsValidChainForAlgorithm, IsValidChainForAlgorithm)
+{
+  const ChainValidity& chainValidity(GetParam());
+  const char* rootCN = "CN=Root";
+  ByteString rootSubjectDER;
+  ByteString rootEncoded(
+    CreateCert(rootCN, rootCN, EndEntityOrCA::MustBeCA,
+               chainValidity.rootSignatureAlgorithm, rootSubjectDER));
+  EXPECT_FALSE(ENCODING_FAILED(rootEncoded));
+  EXPECT_FALSE(ENCODING_FAILED(rootSubjectDER));
+
+  const char* issuerCN = rootCN;
+
+  const char* intermediateCN = "CN=Intermediate";
+  ByteString intermediateSubjectDER;
+  ByteString intermediateEncoded;
+
+  // If the the algorithmIdentifier is empty, then it's NO_INTERMEDIATE.
+  if (!chainValidity.optionalIntermediateSignatureAlgorithm
+                    .algorithmIdentifier.empty()) {
+    intermediateEncoded =
+      CreateCert(rootCN, intermediateCN, EndEntityOrCA::MustBeCA,
+                 chainValidity.optionalIntermediateSignatureAlgorithm,
+                 intermediateSubjectDER);
+    EXPECT_FALSE(ENCODING_FAILED(intermediateEncoded));
+    EXPECT_FALSE(ENCODING_FAILED(intermediateSubjectDER));
+    issuerCN = intermediateCN;
+  }
+
+  AlgorithmTestsTrustDomain trustDomain(rootEncoded, rootSubjectDER,
+                                        intermediateEncoded,
+                                        intermediateSubjectDER);
+
+  const char* endEntityCN = "CN=End Entity";
+  ByteString endEntitySubjectDER;
+  ByteString endEntityEncoded(
+    CreateCert(issuerCN, endEntityCN, EndEntityOrCA::MustBeEndEntity,
+               chainValidity.endEntitySignatureAlgorithm,
+               endEntitySubjectDER));
+  EXPECT_FALSE(ENCODING_FAILED(endEntityEncoded));
+  EXPECT_FALSE(ENCODING_FAILED(endEntitySubjectDER));
+
+  Input endEntity;
+  ASSERT_EQ(Success, endEntity.Init(endEntityEncoded.data(),
+                                    endEntityEncoded.length()));
+  Result expectedResult = chainValidity.isValid
+                        ? Success
+                        : Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED;
+  ASSERT_EQ(expectedResult,
+            BuildCertChain(trustDomain, endEntity, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::id_kp_serverAuth,
+                           CertPolicyId::anyPolicy, nullptr));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixcert_IsValidChainForAlgorithm,
+                        pkixcert_IsValidChainForAlgorithm,
+                        testing::ValuesIn(CHAIN_VALIDITY));
diff --git a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
new file mode 100644
index 000000000..0aef3d5c1
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
@@ -0,0 +1,722 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2016 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+#include "mozpkix/pkixutil.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+namespace mozilla { namespace pkix {
+
+extern Result CheckExtendedKeyUsage(EndEntityOrCA endEntityOrCA,
+                                    const Input* encodedExtendedKeyUsage,
+                                    KeyPurposeId requiredEKU,
+                                    TrustDomain& trustDomain, Time notBefore);
+
+} } // namespace mozilla::pkix
+
+class pkixcheck_CheckExtendedKeyUsage : public ::testing::Test
+{
+protected:
+  DefaultCryptoTrustDomain mTrustDomain;
+};
+
+#define ASSERT_BAD(x) ASSERT_EQ(Result::ERROR_INADEQUATE_CERT_TYPE, x)
+
+// tlv_id_kp_OCSPSigning and tlv_id_kp_serverAuth are defined in pkixtestutil.h
+
+// python DottedOIDToCode.py --tlv id-kp-clientAuth 1.3.6.1.5.5.7.3.2
+static const uint8_t tlv_id_kp_clientAuth[] = {
+  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02
+};
+
+// python DottedOIDToCode.py --tlv id-kp-codeSigning 1.3.6.1.5.5.7.3.3
+static const uint8_t tlv_id_kp_codeSigning[] = {
+  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03
+};
+
+// python DottedOIDToCode.py --tlv id_kp_emailProtection 1.3.6.1.5.5.7.3.4
+static const uint8_t tlv_id_kp_emailProtection[] = {
+  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04
+};
+
+// python DottedOIDToCode.py --tlv id-Netscape-stepUp 2.16.840.1.113730.4.1
+static const uint8_t tlv_id_Netscape_stepUp[] = {
+  0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x04, 0x01
+};
+
+// python DottedOIDToCode.py --tlv unknownOID 1.3.6.1.4.1.13769.666.666.666.1.500.9.3
+static const uint8_t tlv_unknownOID[] = {
+  0x06, 0x12, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xeb, 0x49, 0x85, 0x1a, 0x85, 0x1a,
+  0x85, 0x1a, 0x01, 0x83, 0x74, 0x09, 0x03
+};
+
+// python DottedOIDToCode.py --tlv anyExtendedKeyUsage 2.5.29.37.0
+static const uint8_t tlv_anyExtendedKeyUsage[] = {
+  0x06, 0x04, 0x55, 0x1d, 0x25, 0x00
+};
+
+TEST_F(pkixcheck_CheckExtendedKeyUsage, none)
+{
+  // The input Input is nullptr. This means the cert had no extended key usage
+  // extension. This is always valid except for when the certificate is an
+  // end-entity and the required usage is id-kp-OCSPSigning.
+
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity,
+                                           nullptr,
+                                           KeyPurposeId::anyExtendedKeyUsage,
+                                           mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+                                           KeyPurposeId::anyExtendedKeyUsage,
+                                           mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity,
+                                           nullptr,
+                                           KeyPurposeId::id_kp_serverAuth,
+                                           mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+                                           KeyPurposeId::id_kp_serverAuth,
+                                           mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity,
+                                           nullptr,
+                                           KeyPurposeId::id_kp_clientAuth,
+                                           mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+                                           KeyPurposeId::id_kp_clientAuth,
+                                           mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity,
+                                           nullptr,
+                                           KeyPurposeId::id_kp_codeSigning,
+                                           mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+                                           KeyPurposeId::id_kp_codeSigning,
+                                           mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity,
+                                           nullptr,
+                                           KeyPurposeId::id_kp_emailProtection,
+                                           mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+                                           KeyPurposeId::id_kp_emailProtection,
+                                           mTrustDomain, Now()));
+  ASSERT_BAD(CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+                                   KeyPurposeId::id_kp_OCSPSigning,
+                                   mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+                                           KeyPurposeId::id_kp_OCSPSigning,
+                                           mTrustDomain, Now()));
+}
+
+static const Input empty_null;
+
+TEST_F(pkixcheck_CheckExtendedKeyUsage, empty)
+{
+  // The input Input is empty. The cert has an empty extended key usage
+  // extension, which is syntactically invalid.
+  ASSERT_BAD(CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity, &empty_null,
+                                   KeyPurposeId::id_kp_serverAuth,
+                                   mTrustDomain, Now()));
+  ASSERT_BAD(CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, &empty_null,
+                                   KeyPurposeId::id_kp_serverAuth,
+                                   mTrustDomain, Now()));
+
+  static const uint8_t dummy = 0x00;
+  Input empty_nonnull;
+  ASSERT_EQ(Success, empty_nonnull.Init(&dummy, 0));
+  ASSERT_BAD(CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity, &empty_nonnull,
+                                   KeyPurposeId::id_kp_serverAuth,
+                                   mTrustDomain, Now()));
+  ASSERT_BAD(CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, &empty_nonnull,
+                                   KeyPurposeId::id_kp_serverAuth,
+                                   mTrustDomain, Now()));
+}
+
+struct EKUTestcase
+{
+  ByteString ekuSEQUENCE;
+  KeyPurposeId keyPurposeId;
+  Result expectedResultEndEntity;
+  Result expectedResultCA;
+};
+
+::std::ostream& operator<<(::std::ostream& os, const EKUTestcase&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+class CheckExtendedKeyUsageTest
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<EKUTestcase>
+{
+protected:
+  DefaultCryptoTrustDomain mTrustDomain;
+};
+
+TEST_P(CheckExtendedKeyUsageTest, EKUTestcase)
+{
+  const EKUTestcase& param(GetParam());
+  Input encodedEKU;
+  ASSERT_EQ(Success, encodedEKU.Init(param.ekuSEQUENCE.data(),
+                                     param.ekuSEQUENCE.length()));
+  ASSERT_EQ(param.expectedResultEndEntity,
+            CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity, &encodedEKU,
+                                  param.keyPurposeId,
+                                  mTrustDomain, Now()));
+  ASSERT_EQ(param.expectedResultCA,
+            CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, &encodedEKU,
+                                  param.keyPurposeId,
+                                  mTrustDomain, Now()));
+}
+
+#define SINGLE_EKU_SUCCESS(oidBytes, keyPurposeId) \
+  { TLV(der::SEQUENCE, BytesToByteString(oidBytes)), keyPurposeId, \
+    Success, Success }
+#define SINGLE_EKU_SUCCESS_CA(oidBytes, keyPurposeId) \
+  { TLV(der::SEQUENCE, BytesToByteString(oidBytes)), keyPurposeId, \
+    Result::ERROR_INADEQUATE_CERT_TYPE, Success }
+#define SINGLE_EKU_FAILURE(oidBytes, keyPurposeId) \
+  { TLV(der::SEQUENCE, BytesToByteString(oidBytes)), keyPurposeId, \
+    Result::ERROR_INADEQUATE_CERT_TYPE, Result::ERROR_INADEQUATE_CERT_TYPE }
+#define DOUBLE_EKU_SUCCESS(oidBytes1, oidBytes2, keyPurposeId) \
+  { TLV(der::SEQUENCE, \
+        BytesToByteString(oidBytes1) + BytesToByteString(oidBytes2)), \
+    keyPurposeId, \
+    Success, Success }
+#define DOUBLE_EKU_SUCCESS_CA(oidBytes1, oidBytes2, keyPurposeId) \
+  { TLV(der::SEQUENCE, \
+        BytesToByteString(oidBytes1) + BytesToByteString(oidBytes2)), \
+    keyPurposeId, \
+    Result::ERROR_INADEQUATE_CERT_TYPE, Success }
+#define DOUBLE_EKU_FAILURE(oidBytes1, oidBytes2, keyPurposeId) \
+  { TLV(der::SEQUENCE, \
+        BytesToByteString(oidBytes1) + BytesToByteString(oidBytes2)), \
+    keyPurposeId, \
+    Result::ERROR_INADEQUATE_CERT_TYPE, Result::ERROR_INADEQUATE_CERT_TYPE }
+
+static const EKUTestcase EKU_TESTCASES[] =
+{
+  SINGLE_EKU_SUCCESS(tlv_id_kp_serverAuth, KeyPurposeId::anyExtendedKeyUsage),
+  SINGLE_EKU_SUCCESS(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_serverAuth),
+  SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_clientAuth),
+  SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_codeSigning),
+  SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_emailProtection),
+  SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_OCSPSigning),
+
+  SINGLE_EKU_SUCCESS(tlv_id_kp_clientAuth, KeyPurposeId::anyExtendedKeyUsage),
+  SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_serverAuth),
+  SINGLE_EKU_SUCCESS(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_clientAuth),
+  SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_codeSigning),
+  SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_emailProtection),
+  SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_OCSPSigning),
+
+  SINGLE_EKU_SUCCESS(tlv_id_kp_codeSigning, KeyPurposeId::anyExtendedKeyUsage),
+  SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_serverAuth),
+  SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_clientAuth),
+  SINGLE_EKU_SUCCESS(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_codeSigning),
+  SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_emailProtection),
+  SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+  SINGLE_EKU_SUCCESS(tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
+  SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
+  SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
+  SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
+  SINGLE_EKU_SUCCESS(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
+  SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),
+
+  // For end-entities, if id-kp-OCSPSigning is present, no usage is allowed
+  // except OCSPSigning.
+  SINGLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
+  SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
+  SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
+  SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
+  SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
+  SINGLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+  SINGLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
+  // For compatibility, id-Netscape-stepUp is treated as equivalent to
+  // id-kp-serverAuth for CAs.
+  SINGLE_EKU_SUCCESS_CA(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
+  SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
+  SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
+  SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
+  SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),
+
+  SINGLE_EKU_SUCCESS(tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+  SINGLE_EKU_SUCCESS(tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+};
+
+INSTANTIATE_TEST_CASE_P(pkixcheck_CheckExtendedKeyUsage,
+                        CheckExtendedKeyUsageTest,
+                        ::testing::ValuesIn(EKU_TESTCASES));
+
+struct EKUChainTestcase
+{
+  ByteString ekuExtensionEE;
+  ByteString ekuExtensionCA;
+  KeyPurposeId keyPurposeId;
+  Result expectedResult;
+};
+
+::std::ostream& operator<<(::std::ostream& os, const EKUChainTestcase&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+class CheckExtendedKeyUsageChainTest
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<EKUChainTestcase>
+{
+};
+
+static ByteString
+CreateCert(const char* issuerCN, const char* subjectCN,
+           EndEntityOrCA endEntityOrCA, ByteString encodedEKU)
+{
+  static long serialNumberValue = 0;
+  ++serialNumberValue;
+  ByteString serialNumber(CreateEncodedSerialNumber(serialNumberValue));
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+
+  ByteString issuerDER(CNToDERName(issuerCN));
+  ByteString subjectDER(CNToDERName(subjectCN));
+
+  ByteString extensions[3];
+  extensions[0] =
+    CreateEncodedBasicConstraints(endEntityOrCA == EndEntityOrCA::MustBeCA,
+                                  nullptr, Critical::Yes);
+  EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
+  if (encodedEKU.length() > 0) {
+    extensions[1] = encodedEKU;
+  }
+
+  ScopedTestKeyPair reusedKey(CloneReusedKeyPair());
+  ByteString certDER(CreateEncodedCertificate(
+                       v3, sha256WithRSAEncryption(), serialNumber, issuerDER,
+                       oneDayBeforeNow, oneDayAfterNow, subjectDER,
+                       *reusedKey, extensions, *reusedKey,
+                       sha256WithRSAEncryption()));
+  EXPECT_FALSE(ENCODING_FAILED(certDER));
+
+  return certDER;
+}
+
+class EKUTrustDomain final : public DefaultCryptoTrustDomain
+{
+public:
+  explicit EKUTrustDomain(ByteString issuerCertDER)
+    : mIssuerCertDER(issuerCertDER)
+  {
+  }
+
+private:
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input candidateCert,
+                      TrustLevel& trustLevel) override
+  {
+    trustLevel = InputEqualsByteString(candidateCert, mIssuerCertDER)
+               ? TrustLevel::TrustAnchor
+               : TrustLevel::InheritsTrust;
+    return Success;
+  }
+
+  Result FindIssuer(Input, IssuerChecker& checker, Time) override
+  {
+    Input derCert;
+    Result rv = derCert.Init(mIssuerCertDER.data(), mIssuerCertDER.length());
+    if (rv != Success) {
+      return rv;
+    }
+    bool keepGoing;
+    return checker.Check(derCert, nullptr, keepGoing);
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         const Input*, const Input*) override
+  {
+    return Success;
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
+  {
+    return Success;
+  }
+
+  ByteString mIssuerCertDER;
+};
+
+TEST_P(CheckExtendedKeyUsageChainTest, EKUChainTestcase)
+{
+  const EKUChainTestcase& param(GetParam());
+  ByteString issuerCertDER(CreateCert("CA", "CA", EndEntityOrCA::MustBeCA,
+                                      param.ekuExtensionCA));
+  ByteString subjectCertDER(CreateCert("CA", "EE",
+                                       EndEntityOrCA::MustBeEndEntity,
+                                       param.ekuExtensionEE));
+
+  EKUTrustDomain trustDomain(issuerCertDER);
+
+  Input subjectCertDERInput;
+  ASSERT_EQ(Success, subjectCertDERInput.Init(subjectCertDER.data(),
+                                              subjectCertDER.length()));
+  ASSERT_EQ(param.expectedResult,
+            BuildCertChain(trustDomain, subjectCertDERInput, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           param.keyPurposeId,
+                           CertPolicyId::anyPolicy,
+                           nullptr));
+}
+
+// python DottedOIDToCode.py --tlv id-ce-extKeyUsage 2.5.29.37
+static const uint8_t tlv_id_ce_extKeyUsage[] = {
+  0x06, 0x03, 0x55, 0x1d, 0x25
+};
+
+static inline ByteString
+CreateEKUExtension(ByteString ekuOIDs)
+{
+  return TLV(der::SEQUENCE,
+             BytesToByteString(tlv_id_ce_extKeyUsage) +
+               TLV(der::OCTET_STRING, TLV(der::SEQUENCE, ekuOIDs)));
+}
+
+static const EKUChainTestcase EKU_CHAIN_TESTCASES[] =
+{
+  {
+    // Both end-entity and CA have id-kp-serverAuth => should succeed
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+    KeyPurposeId::id_kp_serverAuth,
+    Success
+  },
+  {
+    // CA has no EKU extension => should succeed
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+    ByteString(),
+    KeyPurposeId::id_kp_serverAuth,
+    Success
+  },
+  {
+    // End-entity has no EKU extension => should succeed
+    ByteString(),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+    KeyPurposeId::id_kp_serverAuth,
+    Success
+  },
+  {
+    // No EKU extensions at all => should succeed
+    ByteString(),
+    ByteString(),
+    KeyPurposeId::id_kp_serverAuth,
+    Success
+  },
+  {
+    // CA has EKU without id-kp-serverAuth => should fail
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
+    KeyPurposeId::id_kp_serverAuth,
+    Result::ERROR_INADEQUATE_CERT_TYPE
+  },
+  {
+    // End-entity has EKU without id-kp-serverAuth => should fail
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+    KeyPurposeId::id_kp_serverAuth,
+    Result::ERROR_INADEQUATE_CERT_TYPE
+  },
+  {
+    // Both end-entity and CA have EKU without id-kp-serverAuth => should fail
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
+    KeyPurposeId::id_kp_serverAuth,
+    Result::ERROR_INADEQUATE_CERT_TYPE
+  },
+  {
+    // End-entity has no EKU, CA doesn't have id-kp-serverAuth => should fail
+    ByteString(),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
+    KeyPurposeId::id_kp_serverAuth,
+    Result::ERROR_INADEQUATE_CERT_TYPE
+  },
+  {
+    // End-entity doesn't have id-kp-serverAuth, CA has no EKU => should fail
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
+    ByteString(),
+    KeyPurposeId::id_kp_serverAuth,
+    Result::ERROR_INADEQUATE_CERT_TYPE
+  },
+  {
+    // CA has id-Netscape-stepUp => should succeed
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+    CreateEKUExtension(BytesToByteString(tlv_id_Netscape_stepUp)),
+    KeyPurposeId::id_kp_serverAuth,
+    Success
+  },
+  {
+    // End-entity has id-Netscape-stepUp => should fail
+    CreateEKUExtension(BytesToByteString(tlv_id_Netscape_stepUp)),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+    KeyPurposeId::id_kp_serverAuth,
+    Result::ERROR_INADEQUATE_CERT_TYPE
+  },
+  {
+    // End-entity and CA have id-kp-serverAuth and id-kp-clientAuth => should
+    // succeed
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
+                       BytesToByteString(tlv_id_kp_clientAuth)),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
+                       BytesToByteString(tlv_id_kp_clientAuth)),
+    KeyPurposeId::id_kp_serverAuth,
+    Success
+  },
+  {
+    // End-entity has id-kp-serverAuth and id-kp-OCSPSigning => should fail
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
+                       BytesToByteString(tlv_id_kp_OCSPSigning)),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
+                       BytesToByteString(tlv_id_kp_clientAuth)),
+    KeyPurposeId::id_kp_serverAuth,
+    Result::ERROR_INADEQUATE_CERT_TYPE
+  },
+  {
+    // CA has id-kp-serverAuth and id-kp-OCSPSigning => should succeed
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
+                       BytesToByteString(tlv_id_kp_clientAuth)),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
+                       BytesToByteString(tlv_id_kp_OCSPSigning)),
+    KeyPurposeId::id_kp_serverAuth,
+    Success
+  },
+};
+
+INSTANTIATE_TEST_CASE_P(pkixcheck_CheckExtendedKeyUsage,
+                        CheckExtendedKeyUsageChainTest,
+                        ::testing::ValuesIn(EKU_CHAIN_TESTCASES));
diff --git a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckIssuer_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckIssuer_tests.cpp
new file mode 100644
index 000000000..bcc2c1198
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckIssuer_tests.cpp
@@ -0,0 +1,63 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2016 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixcheck.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+class pkixcheck_CheckIssuer : public ::testing::Test { };
+
+static const uint8_t EMPTY_NAME_DATA[] = {
+  0x30, 0x00 /* tag, length */
+};
+static const Input EMPTY_NAME(EMPTY_NAME_DATA);
+
+static const uint8_t VALID_NAME_DATA[] = {
+  /* From https://www.example.com/: C=US, O=DigiCert Inc, OU=www.digicert.com,
+   * CN=DigiCert SHA2 High Assurance Server CA */
+  0x30, 0x70, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
+  0x02, 0x55, 0x53, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0A,
+  0x13, 0x0C, 0x44, 0x69, 0x67, 0x69, 0x43, 0x65, 0x72, 0x74, 0x20, 0x49,
+  0x6E, 0x63, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13,
+  0x10, 0x77, 0x77, 0x77, 0x2E, 0x64, 0x69, 0x67, 0x69, 0x63, 0x65, 0x72,
+  0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x2F, 0x30, 0x2D, 0x06, 0x03, 0x55,
+  0x04, 0x03, 0x13, 0x26, 0x44, 0x69, 0x67, 0x69, 0x43, 0x65, 0x72, 0x74,
+  0x20, 0x53, 0x48, 0x41, 0x32, 0x20, 0x48, 0x69, 0x67, 0x68, 0x20, 0x41,
+  0x73, 0x73, 0x75, 0x72, 0x61, 0x6E, 0x63, 0x65, 0x20, 0x53, 0x65, 0x72,
+  0x76, 0x65, 0x72, 0x20, 0x43, 0x41
+};
+static const Input VALID_NAME(VALID_NAME_DATA);
+
+TEST_F(pkixcheck_CheckIssuer, ValidIssuer)
+{
+  ASSERT_EQ(Success, CheckIssuer(VALID_NAME));
+}
+
+TEST_F(pkixcheck_CheckIssuer, EmptyIssuer)
+{
+  ASSERT_EQ(Result::ERROR_EMPTY_ISSUER_NAME, CheckIssuer(EMPTY_NAME));
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp
new file mode 100644
index 000000000..136f8719a
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp
@@ -0,0 +1,284 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+namespace mozilla { namespace pkix {
+
+extern Result CheckKeyUsage(EndEntityOrCA endEntityOrCA,
+                            const Input* encodedKeyUsage,
+                            KeyUsage requiredKeyUsageIfPresent);
+
+} } // namespace mozilla::pkix
+
+class pkixcheck_CheckKeyUsage : public ::testing::Test { };
+
+#define ASSERT_BAD(x) ASSERT_EQ(Result::ERROR_INADEQUATE_KEY_USAGE, x)
+
+// Make it easy to define test data for the common, simplest cases.
+#define NAMED_SIMPLE_KU(name, unusedBits, bits) \
+  const uint8_t name##_bytes[4] = { \
+    0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, unusedBits, bits \
+  }; \
+  const Input name(name##_bytes);
+
+static const Input empty_null;
+
+// Note that keyCertSign is really the only interesting case for CA
+// certificates since we don't support cRLSign.
+
+TEST_F(pkixcheck_CheckKeyUsage, EE_none)
+{
+  // The input Input is nullptr. This means the cert had no keyUsage
+  // extension. This is always valid because no key usage in an end-entity
+  // means that there are no key usage restrictions.
+
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+                                   KeyUsage::noParticularKeyUsageRequired));
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+                                   KeyUsage::digitalSignature));
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+                                   KeyUsage::nonRepudiation));
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+                                   KeyUsage::keyEncipherment));
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+                                   KeyUsage::dataEncipherment));
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+                                   KeyUsage::keyAgreement));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, EE_empty)
+{
+  // The input Input is empty. The cert had an empty keyUsage extension,
+  // which is syntactically invalid.
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &empty_null,
+                           KeyUsage::digitalSignature));
+  static const uint8_t dummy = 0x00;
+  Input empty_nonnull;
+  ASSERT_EQ(Success, empty_nonnull.Init(&dummy, 0));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &empty_nonnull,
+                           KeyUsage::digitalSignature));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, CA_none)
+{
+  // A CA certificate does not have a KU extension.
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+                                   KeyUsage::keyCertSign));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, CA_empty)
+{
+  // A CA certificate has an empty KU extension.
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &empty_null,
+                           KeyUsage::keyCertSign));
+  static const uint8_t dummy = 0x00;
+  Input empty_nonnull;
+  ASSERT_EQ(Success, empty_nonnull.Init(&dummy, 0));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &empty_nonnull,
+                           KeyUsage::keyCertSign));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, maxUnusedBits)
+{
+  NAMED_SIMPLE_KU(encoded, 7, 0x80);
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &encoded,
+                                   KeyUsage::digitalSignature));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, tooManyUnusedBits)
+{
+  static uint8_t oneValueByteData[] = {
+    0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, 8/*unused bits*/, 0x80
+  };
+  static const Input oneValueByte(oneValueByteData);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &oneValueByte,
+                           KeyUsage::digitalSignature));
+
+  static uint8_t twoValueBytesData[] = {
+    0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 8/*unused bits*/, 0x01, 0x00
+  };
+  static const Input twoValueBytes(twoValueBytesData);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoValueBytes,
+                           KeyUsage::digitalSignature));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, NoValueBytes_NoPaddingBits)
+{
+  static const uint8_t DER_BYTES[] = {
+    0x03/*BIT STRING*/, 0x01/*LENGTH=1*/, 0/*unused bits*/
+  };
+  static const Input DER(DER_BYTES);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &DER,
+                           KeyUsage::digitalSignature));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &DER,
+                           KeyUsage::keyCertSign));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, NoValueBytes_7PaddingBits)
+{
+  static const uint8_t DER_BYTES[] = {
+    0x03/*BIT STRING*/, 0x01/*LENGTH=1*/, 7/*unused bits*/
+  };
+  static const Input DER(DER_BYTES);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &DER,
+                           KeyUsage::digitalSignature));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &DER,
+                           KeyUsage::keyCertSign));
+}
+
+void ASSERT_SimpleCase(uint8_t unusedBits, uint8_t bits, KeyUsage usage)
+{
+  // Test that only the right bit is accepted for the usage for both EE and CA
+  // certs.
+  NAMED_SIMPLE_KU(good, unusedBits, bits);
+  ASSERT_EQ(Success,
+            CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &good, usage));
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeCA, &good, usage));
+
+  // We use (~bits >> unusedBits) << unusedBits) instead of using the same
+  // calculation that is in CheckKeyUsage to validate that the calculation in
+  // CheckKeyUsage is correct.
+
+  // Test that none of the other non-padding bits are mistaken for the given
+  // key usage in the single-byte value case.
+  NAMED_SIMPLE_KU(notGood, unusedBits,
+                  static_cast<uint8_t>((~bits >> unusedBits) << unusedBits));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &notGood, usage));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &notGood, usage));
+
+  // Test that none of the other non-padding bits are mistaken for the given
+  // key usage in the two-byte value case.
+  const uint8_t twoByteNotGoodData[] = {
+    0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, unusedBits,
+    static_cast<uint8_t>(~bits),
+    static_cast<uint8_t>((0xFFu >> unusedBits) << unusedBits)
+  };
+  Input twoByteNotGood(twoByteNotGoodData);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoByteNotGood,
+                           usage));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &twoByteNotGood, usage));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, simpleCases)
+{
+  ASSERT_SimpleCase(7, 0x80, KeyUsage::digitalSignature);
+  ASSERT_SimpleCase(6, 0x40, KeyUsage::nonRepudiation);
+  ASSERT_SimpleCase(5, 0x20, KeyUsage::keyEncipherment);
+  ASSERT_SimpleCase(4, 0x10, KeyUsage::dataEncipherment);
+  ASSERT_SimpleCase(3, 0x08, KeyUsage::keyAgreement);
+}
+
+// Only CAs are allowed to assert keyCertSign.
+// End-entity certs may assert it along with other key usages if keyCertSign
+// isn't the required key usage. This is for compatibility.
+TEST_F(pkixcheck_CheckKeyUsage, keyCertSign)
+{
+  NAMED_SIMPLE_KU(good, 2, 0x04);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &good,
+                           KeyUsage::keyCertSign));
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeCA, &good,
+                                   KeyUsage::keyCertSign));
+
+  // Test that none of the other non-padding bits are mistaken for the given
+  // key usage in the one-byte value case.
+  NAMED_SIMPLE_KU(notGood, 2, 0xFB);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &notGood,
+                           KeyUsage::keyCertSign));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &notGood,
+                           KeyUsage::keyCertSign));
+
+  // Test that none of the other non-padding bits are mistaken for the given
+  // key usage in the two-byte value case.
+  static uint8_t twoByteNotGoodData[] = {
+    0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 2/*unused bits*/, 0xFBu, 0xFCu
+  };
+  static const Input twoByteNotGood(twoByteNotGoodData);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoByteNotGood,
+                           KeyUsage::keyCertSign));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &twoByteNotGood,
+                           KeyUsage::keyCertSign));
+
+  // If an end-entity certificate does assert keyCertSign, this is allowed
+  // as long as that isn't the required key usage.
+  NAMED_SIMPLE_KU(digitalSignatureAndKeyCertSign, 2, 0x84);
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity,
+                                   &digitalSignatureAndKeyCertSign,
+                                   KeyUsage::digitalSignature));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity,
+                           &digitalSignatureAndKeyCertSign,
+                           KeyUsage::keyCertSign));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, unusedBitNotZero)
+{
+  // single byte control case
+  static uint8_t controlOneValueByteData[] = {
+    0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, 7/*unused bits*/, 0x80
+  };
+  static const Input controlOneValueByte(controlOneValueByteData);
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity,
+                                   &controlOneValueByte,
+                                   KeyUsage::digitalSignature));
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeCA,
+                                   &controlOneValueByte,
+                                   KeyUsage::digitalSignature));
+
+  // single-byte test case
+  static uint8_t oneValueByteData[] = {
+    0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, 7/*unused bits*/, 0x80 | 0x01
+  };
+  static const Input oneValueByte(oneValueByteData);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &oneValueByte,
+                           KeyUsage::digitalSignature));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &oneValueByte,
+                           KeyUsage::digitalSignature));
+
+  // two-byte control case
+  static uint8_t controlTwoValueBytesData[] = {
+    0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 7/*unused bits*/,
+    0x80 | 0x01, 0x80
+  };
+  static const Input controlTwoValueBytes(controlTwoValueBytesData);
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity,
+                                   &controlTwoValueBytes,
+                                   KeyUsage::digitalSignature));
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeCA,
+                                   &controlTwoValueBytes,
+                                   KeyUsage::digitalSignature));
+
+  // two-byte test case
+  static uint8_t twoValueBytesData[] = {
+    0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 7/*unused bits*/,
+    0x80 | 0x01, 0x80 | 0x01
+  };
+  static const Input twoValueBytes(twoValueBytesData);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoValueBytes,
+                           KeyUsage::digitalSignature));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &twoValueBytes,
+                           KeyUsage::digitalSignature));
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
new file mode 100644
index 000000000..70e6fd410
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
@@ -0,0 +1,367 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2015 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+namespace mozilla { namespace pkix {
+
+extern Result CheckSignatureAlgorithm(
+                TrustDomain& trustDomain, EndEntityOrCA endEntityOrCA,
+                Time notBefore,
+                const der::SignedDataWithSignature& signedData,
+                Input signatureValue);
+
+} } // namespace mozilla::pkix
+
+struct CheckSignatureAlgorithmTestParams
+{
+  ByteString signatureAlgorithmValue;
+  ByteString signatureValue;
+  unsigned int signatureLengthInBytes;
+  Result expectedResult;
+};
+
+::std::ostream& operator<<(::std::ostream& os,
+                           const CheckSignatureAlgorithmTestParams&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+#define BS(s) ByteString(s, MOZILLA_PKIX_ARRAY_LENGTH(s))
+
+// python DottedOIDToCode.py --tlv sha256WithRSAEncryption 1.2.840.113549.1.1.11
+static const uint8_t tlv_sha256WithRSAEncryption[] = {
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b
+};
+
+// Same as tlv_sha256WithRSAEncryption, except one without the "0x0b" and with
+// the DER length decreased accordingly.
+static const uint8_t tlv_sha256WithRSAEncryption_truncated[] = {
+  0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01
+};
+
+// python DottedOIDToCode.py --tlv sha-1WithRSAEncryption 1.2.840.113549.1.1.5
+static const uint8_t tlv_sha_1WithRSAEncryption[] = {
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05
+};
+
+// python DottedOIDToCode.py --tlv sha1WithRSASignature 1.3.14.3.2.29
+static const uint8_t tlv_sha1WithRSASignature[] = {
+  0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1d
+};
+
+// python DottedOIDToCode.py --tlv md5WithRSAEncryption 1.2.840.113549.1.1.4
+static const uint8_t tlv_md5WithRSAEncryption[] = {
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04
+};
+
+static const CheckSignatureAlgorithmTestParams
+  CHECKSIGNATUREALGORITHM_TEST_PARAMS[] =
+{
+  { // Both algorithm IDs are empty
+    ByteString(),
+    ByteString(),
+    2048 / 8,
+    Result::ERROR_BAD_DER,
+  },
+  { // signatureAlgorithm is empty, signature is supported.
+    ByteString(),
+    BS(tlv_sha256WithRSAEncryption),
+    2048 / 8,
+    Result::ERROR_BAD_DER,
+  },
+  { // signatureAlgorithm is supported, signature is empty.
+    BS(tlv_sha256WithRSAEncryption),
+    ByteString(),
+    2048 / 8,
+    Result::ERROR_BAD_DER,
+  },
+  { // Algorithms match, both are supported.
+    BS(tlv_sha256WithRSAEncryption),
+    BS(tlv_sha256WithRSAEncryption),
+    2048 / 8,
+    Success
+  },
+  { // Algorithms do not match because signatureAlgorithm is truncated.
+    BS(tlv_sha256WithRSAEncryption_truncated),
+    BS(tlv_sha256WithRSAEncryption),
+    2048 / 8,
+    Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+  },
+  { // Algorithms do not match because signature is truncated.
+    BS(tlv_sha256WithRSAEncryption),
+    BS(tlv_sha256WithRSAEncryption_truncated),
+    2048 / 8,
+    Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+  },
+  { // Algorithms do not match, both are supported.
+    BS(tlv_sha_1WithRSAEncryption),
+    BS(tlv_sha256WithRSAEncryption),
+    2048 / 8,
+    Result::ERROR_SIGNATURE_ALGORITHM_MISMATCH,
+  },
+  { // Algorithms do not match, both are supported.
+    BS(tlv_sha256WithRSAEncryption),
+    BS(tlv_sha_1WithRSAEncryption),
+    2048 / 8,
+    Result::ERROR_SIGNATURE_ALGORITHM_MISMATCH,
+  },
+  { // Algorithms match, both are unsupported.
+    BS(tlv_md5WithRSAEncryption),
+    BS(tlv_md5WithRSAEncryption),
+    2048 / 8,
+    Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+  },
+  { // signatureAlgorithm is unsupported, signature is supported.
+    BS(tlv_md5WithRSAEncryption),
+    BS(tlv_sha256WithRSAEncryption),
+    2048 / 8,
+    Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+  },
+  { // signatureAlgorithm is supported, signature is unsupported.
+    BS(tlv_sha256WithRSAEncryption),
+    BS(tlv_md5WithRSAEncryption),
+    2048 / 8,
+    Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+  },
+  { // Both have the optional NULL parameter.
+    BS(tlv_sha256WithRSAEncryption) + TLV(der::NULLTag, ByteString()),
+    BS(tlv_sha256WithRSAEncryption) + TLV(der::NULLTag, ByteString()),
+    2048 / 8,
+    Success
+  },
+  { // signatureAlgorithm has the optional NULL parameter, signature doesn't.
+    BS(tlv_sha256WithRSAEncryption) + TLV(der::NULLTag, ByteString()),
+    BS(tlv_sha256WithRSAEncryption),
+    2048 / 8,
+    Success
+  },
+  { // signatureAlgorithm does not have the optional NULL parameter, signature
+    // does.
+    BS(tlv_sha256WithRSAEncryption),
+    BS(tlv_sha256WithRSAEncryption) + TLV(der::NULLTag, ByteString()),
+    2048 / 8,
+    Success
+  },
+  { // The different OIDs for RSA-with-SHA1 we support are semantically
+    // equivalent.
+    BS(tlv_sha1WithRSASignature),
+    BS(tlv_sha_1WithRSAEncryption),
+    2048 / 8,
+    Success,
+  },
+  { // The different OIDs for RSA-with-SHA1 we support are semantically
+    // equivalent (opposite order).
+    BS(tlv_sha_1WithRSAEncryption),
+    BS(tlv_sha1WithRSASignature),
+    2048 / 8,
+    Success,
+  },
+  { // Algorithms match, both are supported, key size is not a multile of 128
+    // bits. This test verifies that we're not wrongly rounding up the
+    // signature size like we did in the original patch for bug 1131767.
+    BS(tlv_sha256WithRSAEncryption),
+    BS(tlv_sha256WithRSAEncryption),
+    (2048 / 8) - 1,
+    Success
+  },
+};
+
+class pkixcheck_CheckSignatureAlgorithm
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<CheckSignatureAlgorithmTestParams>
+{
+};
+
+class pkixcheck_CheckSignatureAlgorithm_TrustDomain final
+  : public EverythingFailsByDefaultTrustDomain
+{
+public:
+  explicit pkixcheck_CheckSignatureAlgorithm_TrustDomain(
+             unsigned int aPublicKeySizeInBits)
+    : publicKeySizeInBits(aPublicKeySizeInBits)
+    , checkedDigestAlgorithm(false)
+    , checkedModulusSizeInBits(false)
+  {
+  }
+
+  Result CheckSignatureDigestAlgorithm(DigestAlgorithm, EndEntityOrCA, Time)
+    override
+  {
+    checkedDigestAlgorithm = true;
+    return Success;
+  }
+
+  Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA endEntityOrCA,
+                                            unsigned int modulusSizeInBits)
+    override
+  {
+    EXPECT_EQ(EndEntityOrCA::MustBeEndEntity, endEntityOrCA);
+    EXPECT_EQ(publicKeySizeInBits, modulusSizeInBits);
+    checkedModulusSizeInBits = true;
+    return Success;
+  }
+
+  const unsigned int publicKeySizeInBits;
+  bool checkedDigestAlgorithm;
+  bool checkedModulusSizeInBits;
+};
+
+TEST_P(pkixcheck_CheckSignatureAlgorithm, CheckSignatureAlgorithm)
+{
+  const Time now(Now());
+  const CheckSignatureAlgorithmTestParams& params(GetParam());
+
+  Input signatureValueInput;
+  ASSERT_EQ(Success,
+            signatureValueInput.Init(params.signatureValue.data(),
+                                     params.signatureValue.length()));
+
+  pkixcheck_CheckSignatureAlgorithm_TrustDomain
+    trustDomain(params.signatureLengthInBytes * 8);
+
+  der::SignedDataWithSignature signedData;
+  ASSERT_EQ(Success,
+            signedData.algorithm.Init(params.signatureAlgorithmValue.data(),
+                                      params.signatureAlgorithmValue.length()));
+
+  ByteString dummySignature(params.signatureLengthInBytes, 0xDE);
+  ASSERT_EQ(Success,
+            signedData.signature.Init(dummySignature.data(),
+                                      dummySignature.length()));
+
+  ASSERT_EQ(params.expectedResult,
+            CheckSignatureAlgorithm(trustDomain, EndEntityOrCA::MustBeEndEntity,
+                                    now, signedData, signatureValueInput));
+  ASSERT_EQ(params.expectedResult == Success,
+            trustDomain.checkedDigestAlgorithm);
+  ASSERT_EQ(params.expectedResult == Success,
+            trustDomain.checkedModulusSizeInBits);
+}
+
+INSTANTIATE_TEST_CASE_P(
+  pkixcheck_CheckSignatureAlgorithm, pkixcheck_CheckSignatureAlgorithm,
+  testing::ValuesIn(CHECKSIGNATUREALGORITHM_TEST_PARAMS));
+
+class pkixcheck_CheckSignatureAlgorithm_BuildCertChain_TrustDomain
+  : public DefaultCryptoTrustDomain
+{
+public:
+  explicit pkixcheck_CheckSignatureAlgorithm_BuildCertChain_TrustDomain(
+             const ByteString& aIssuer)
+    : issuer(aIssuer)
+  {
+  }
+
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&,
+                      Input cert, /*out*/ TrustLevel& trustLevel) override
+  {
+    trustLevel = InputEqualsByteString(cert, issuer)
+               ? TrustLevel::TrustAnchor
+               : TrustLevel::InheritsTrust;
+    return Success;
+  }
+
+  Result FindIssuer(Input, IssuerChecker& checker, Time) override
+  {
+    EXPECT_FALSE(ENCODING_FAILED(issuer));
+
+    Input issuerInput;
+    EXPECT_EQ(Success, issuerInput.Init(issuer.data(), issuer.length()));
+
+    bool keepGoing;
+    EXPECT_EQ(Success, checker.Check(issuerInput, nullptr, keepGoing));
+    EXPECT_FALSE(keepGoing);
+
+    return Success;
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*,
+                         /*optional*/ const Input*) override
+  {
+    return Success;
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
+  {
+    return Success;
+  }
+
+  ByteString issuer;
+};
+
+// Test that CheckSignatureAlgorithm actually gets called at some point when
+// BuildCertChain is called.
+TEST_F(pkixcheck_CheckSignatureAlgorithm, BuildCertChain)
+{
+  ScopedTestKeyPair keyPair(CloneReusedKeyPair());
+  ASSERT_TRUE(keyPair.get());
+
+  ByteString issuerExtensions[2];
+  issuerExtensions[0] = CreateEncodedBasicConstraints(true, nullptr,
+                                                      Critical::No);
+  ASSERT_FALSE(ENCODING_FAILED(issuerExtensions[0]));
+
+  ByteString issuer(CreateEncodedCertificate(3,
+                                             sha256WithRSAEncryption(),
+                                             CreateEncodedSerialNumber(1),
+                                             CNToDERName("issuer"),
+                                             oneDayBeforeNow, oneDayAfterNow,
+                                             CNToDERName("issuer"),
+                                             *keyPair,
+                                             issuerExtensions,
+                                             *keyPair,
+                                             sha256WithRSAEncryption()));
+  ASSERT_FALSE(ENCODING_FAILED(issuer));
+
+  ByteString subject(CreateEncodedCertificate(3,
+                                              sha1WithRSAEncryption(),
+                                              CreateEncodedSerialNumber(2),
+                                              CNToDERName("issuer"),
+                                              oneDayBeforeNow, oneDayAfterNow,
+                                              CNToDERName("subject"),
+                                              *keyPair,
+                                              nullptr,
+                                              *keyPair,
+                                              sha256WithRSAEncryption()));
+  ASSERT_FALSE(ENCODING_FAILED(subject));
+
+  Input subjectInput;
+  ASSERT_EQ(Success, subjectInput.Init(subject.data(), subject.length()));
+  pkixcheck_CheckSignatureAlgorithm_BuildCertChain_TrustDomain
+    trustDomain(issuer);
+  Result rv = BuildCertChain(trustDomain, subjectInput, Now(),
+                             EndEntityOrCA::MustBeEndEntity,
+                             KeyUsage::noParticularKeyUsageRequired,
+                             KeyPurposeId::anyExtendedKeyUsage,
+                             CertPolicyId::anyPolicy,
+                             nullptr);
+  ASSERT_EQ(Result::ERROR_SIGNATURE_ALGORITHM_MISMATCH, rv);
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckValidity_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckValidity_tests.cpp
new file mode 100644
index 000000000..a1a6f998b
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckValidity_tests.cpp
@@ -0,0 +1,128 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixcheck.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+static const Time PAST_TIME(YMDHMS(1998, 12, 31, 12, 23, 56));
+
+#define OLDER_GENERALIZEDTIME \
+  0x18, 15,                               /* tag, length */ \
+  '1', '9', '9', '9', '0', '1', '0', '1', /* 1999-01-01 */ \
+  '0', '0', '0', '0', '0', '0', 'Z'       /* 00:00:00Z */
+
+#define OLDER_UTCTIME \
+  0x17, 13,                               /* tag, length */ \
+  '9', '9', '0', '1', '0', '1',           /* (19)99-01-01 */ \
+  '0', '0', '0', '0', '0', '0', 'Z'       /* 00:00:00Z */
+
+static const Time NOW(YMDHMS(2016, 12, 31, 12, 23, 56));
+
+#define NEWER_GENERALIZEDTIME \
+  0x18, 15,                               /* tag, length */ \
+  '2', '0', '2', '1', '0', '1', '0', '1', /* 2021-01-01 */ \
+  '0', '0', '0', '0', '0', '0', 'Z'       /* 00:00:00Z */
+
+#define NEWER_UTCTIME \
+  0x17, 13,                               /* tag, length */ \
+  '2', '1', '0', '1', '0', '1',           /* 2021-01-01 */ \
+  '0', '0', '0', '0', '0', '0', 'Z'       /* 00:00:00Z */
+
+static const Time FUTURE_TIME(YMDHMS(2025, 12, 31, 12, 23, 56));
+
+class pkixcheck_CheckValidity : public ::testing::Test { };
+
+static const uint8_t OLDER_UTCTIME_NEWER_UTCTIME_DATA[] = {
+  OLDER_UTCTIME,
+  NEWER_UTCTIME,
+};
+static const Input
+OLDER_UTCTIME_NEWER_UTCTIME(OLDER_UTCTIME_NEWER_UTCTIME_DATA);
+
+TEST_F(pkixcheck_CheckValidity, Valid_UTCTIME_UTCTIME)
+{
+  static Time notBefore(Time::uninitialized);
+  static Time notAfter(Time::uninitialized);
+  ASSERT_EQ(Success, ParseValidity(OLDER_UTCTIME_NEWER_UTCTIME, &notBefore, &notAfter));
+  ASSERT_EQ(Success, CheckValidity(NOW, notBefore, notAfter));
+}
+
+TEST_F(pkixcheck_CheckValidity, Valid_GENERALIZEDTIME_GENERALIZEDTIME)
+{
+  static const uint8_t DER[] = {
+    OLDER_GENERALIZEDTIME,
+    NEWER_GENERALIZEDTIME,
+  };
+  static const Input validity(DER);
+  static Time notBefore(Time::uninitialized);
+  static Time notAfter(Time::uninitialized);
+  ASSERT_EQ(Success, ParseValidity(validity, &notBefore, &notAfter));
+  ASSERT_EQ(Success, CheckValidity(NOW, notBefore, notAfter));
+}
+
+TEST_F(pkixcheck_CheckValidity, Valid_GENERALIZEDTIME_UTCTIME)
+{
+  static const uint8_t DER[] = {
+    OLDER_GENERALIZEDTIME,
+    NEWER_UTCTIME,
+  };
+  static const Input validity(DER);
+  static Time notBefore(Time::uninitialized);
+  static Time notAfter(Time::uninitialized);
+  ASSERT_EQ(Success, ParseValidity(validity, &notBefore, &notAfter));
+  ASSERT_EQ(Success, CheckValidity(NOW, notBefore, notAfter));
+}
+
+TEST_F(pkixcheck_CheckValidity, Valid_UTCTIME_GENERALIZEDTIME)
+{
+  static const uint8_t DER[] = {
+    OLDER_UTCTIME,
+    NEWER_GENERALIZEDTIME,
+  };
+  static const Input validity(DER);
+  static Time notBefore(Time::uninitialized);
+  static Time notAfter(Time::uninitialized);
+  ASSERT_EQ(Success, ParseValidity(validity, &notBefore, &notAfter));
+  ASSERT_EQ(Success, CheckValidity(NOW, notBefore, notAfter));
+}
+
+TEST_F(pkixcheck_CheckValidity, InvalidBeforeNotBefore)
+{
+  static Time notBefore(Time::uninitialized);
+  static Time notAfter(Time::uninitialized);
+  ASSERT_EQ(Success, ParseValidity(OLDER_UTCTIME_NEWER_UTCTIME, &notBefore, &notAfter));
+  ASSERT_EQ(Result::ERROR_NOT_YET_VALID_CERTIFICATE, CheckValidity(PAST_TIME, notBefore, notAfter));
+}
+
+TEST_F(pkixcheck_CheckValidity, InvalidAfterNotAfter)
+{
+  static Time notBefore(Time::uninitialized);
+  static Time notAfter(Time::uninitialized);
+  ASSERT_EQ(Success, ParseValidity(OLDER_UTCTIME_NEWER_UTCTIME, &notBefore, &notAfter));
+  ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE, CheckValidity(FUTURE_TIME, notBefore, notAfter));
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixcheck_ParseValidity_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcheck_ParseValidity_tests.cpp
new file mode 100644
index 000000000..7255bb5df
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_ParseValidity_tests.cpp
@@ -0,0 +1,84 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixcheck.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+#define OLDER_UTCTIME \
+  0x17, 13,                               /* tag, length */ \
+  '9', '9', '0', '1', '0', '1',           /* (19)99-01-01 */ \
+  '0', '0', '0', '0', '0', '0', 'Z'       /* 00:00:00Z */
+
+#define NEWER_UTCTIME \
+  0x17, 13,                               /* tag, length */ \
+  '2', '1', '0', '1', '0', '1',           /* 2021-01-01 */ \
+  '0', '0', '0', '0', '0', '0', 'Z'       /* 00:00:00Z */
+
+static const Time FUTURE_TIME(YMDHMS(2025, 12, 31, 12, 23, 56));
+
+class pkixcheck_ParseValidity : public ::testing::Test { };
+
+TEST_F(pkixcheck_ParseValidity, BothEmptyNull)
+{
+  static const uint8_t DER[] = {
+    0x17/*UTCTime*/, 0/*length*/,
+    0x17/*UTCTime*/, 0/*length*/,
+  };
+  static const Input validity(DER);
+  ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, ParseValidity(validity));
+}
+
+TEST_F(pkixcheck_ParseValidity, NotBeforeEmptyNull)
+{
+  static const uint8_t DER[] = {
+    0x17/*UTCTime*/, 0x00/*length*/,
+    NEWER_UTCTIME
+  };
+  static const Input validity(DER);
+  ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, ParseValidity(validity));
+}
+
+TEST_F(pkixcheck_ParseValidity, NotAfterEmptyNull)
+{
+  static const uint8_t DER[] = {
+    NEWER_UTCTIME,
+    0x17/*UTCTime*/, 0x00/*length*/,
+  };
+  static const Input validity(DER);
+  ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, ParseValidity(validity));
+}
+
+TEST_F(pkixcheck_ParseValidity, InvalidNotAfterBeforeNotBefore)
+{
+  static const uint8_t DER[] = {
+    NEWER_UTCTIME,
+    OLDER_UTCTIME,
+  };
+  static const Input validity(DER);
+  ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, ParseValidity(validity));
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp
new file mode 100644
index 000000000..b7809cc60
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp
@@ -0,0 +1,120 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2015 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+namespace mozilla { namespace pkix {
+  extern Result TLSFeaturesSatisfiedInternal(const Input* requiredTLSFeatures,
+                                             const Input* stapledOCSPResponse);
+} } // namespace mozilla::pkix
+
+struct TLSFeaturesTestParams
+{
+  ByteString requiredTLSFeatures;
+  Result expectedResultWithResponse;
+  Result expectedResultWithoutResponse;
+};
+
+::std::ostream& operator<<(::std::ostream& os, const TLSFeaturesTestParams&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+#define BS(s) ByteString(s, MOZILLA_PKIX_ARRAY_LENGTH(s))
+static const uint8_t statusRequest[] = {
+  0x30, 0x03, 0x02, 0x01, 0x05
+};
+
+static const uint8_t unknown[] = {
+  0x30, 0x03, 0x02, 0x01, 0x06
+};
+
+static const uint8_t statusRequestAndUnknown[] = {
+  0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x06
+};
+
+static const uint8_t duplicateStatusRequest[] = {
+  0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x05
+};
+
+static const uint8_t twoByteUnknown[] = {
+  0x30, 0x04, 0x02, 0x02, 0x05, 0x05
+};
+
+static const uint8_t zeroByteInteger[] = {
+  0x30, 0x02, 0x02, 0x00
+};
+
+static const TLSFeaturesTestParams
+  TLSFEATURESSATISFIED_TEST_PARAMS[] =
+{
+  // some tests with checks enforced
+  { ByteString(), Result::ERROR_BAD_DER, Result::ERROR_BAD_DER },
+  { BS(statusRequest), Success, Result::ERROR_REQUIRED_TLS_FEATURE_MISSING },
+  { BS(unknown), Result::ERROR_REQUIRED_TLS_FEATURE_MISSING,
+    Result::ERROR_REQUIRED_TLS_FEATURE_MISSING },
+  { BS(statusRequestAndUnknown), Result::ERROR_REQUIRED_TLS_FEATURE_MISSING,
+    Result::ERROR_REQUIRED_TLS_FEATURE_MISSING },
+  { BS(duplicateStatusRequest), Success,
+    Result::ERROR_REQUIRED_TLS_FEATURE_MISSING },
+  { BS(twoByteUnknown), Result::ERROR_REQUIRED_TLS_FEATURE_MISSING,
+    Result::ERROR_REQUIRED_TLS_FEATURE_MISSING },
+  { BS(zeroByteInteger), Result::ERROR_REQUIRED_TLS_FEATURE_MISSING,
+    Result::ERROR_REQUIRED_TLS_FEATURE_MISSING },
+};
+
+class pkixcheck_TLSFeaturesSatisfiedInternal
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<TLSFeaturesTestParams>
+{
+};
+
+TEST_P(pkixcheck_TLSFeaturesSatisfiedInternal, TLSFeaturesSatisfiedInternal) {
+  const TLSFeaturesTestParams& params(GetParam());
+
+  Input featuresInput;
+  ASSERT_EQ(Success, featuresInput.Init(params.requiredTLSFeatures.data(),
+                                        params.requiredTLSFeatures.length()));
+  Input responseInput;
+  // just create an input with any data in it
+  ByteString stapledOCSPResponse = BS(statusRequest);
+  ASSERT_EQ(Success, responseInput.Init(stapledOCSPResponse.data(),
+                                        stapledOCSPResponse.length()));
+  // first we omit the response
+  ASSERT_EQ(params.expectedResultWithoutResponse,
+            TLSFeaturesSatisfiedInternal(&featuresInput, nullptr));
+  // then we try again with the response
+  ASSERT_EQ(params.expectedResultWithResponse,
+            TLSFeaturesSatisfiedInternal(&featuresInput, &responseInput));
+}
+
+INSTANTIATE_TEST_CASE_P(
+  pkixcheck_TLSFeaturesSatisfiedInternal,
+  pkixcheck_TLSFeaturesSatisfiedInternal,
+  testing::ValuesIn(TLSFEATURESSATISFIED_TEST_PARAMS));
diff --git a/security/nss/gtests/mozpkix_gtest/pkixder_input_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixder_input_tests.cpp
new file mode 100644
index 000000000..cf91fa2c6
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixder_input_tests.cpp
@@ -0,0 +1,920 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <functional>
+#include <vector>
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::der;
+
+namespace {
+
+class pkixder_input_tests : public ::testing::Test { };
+
+static const uint8_t DER_SEQUENCE_EMPTY[] = {
+  0x30,                       // SEQUENCE
+  0x00,                       // length
+};
+
+static const uint8_t DER_SEQUENCE_NOT_EMPTY[] = {
+  0x30,                       // SEQUENCE
+  0x01,                       // length
+  'X',                        // value
+};
+
+static const uint8_t DER_SEQUENCE_NOT_EMPTY_VALUE[] = {
+  'X',                        // value
+};
+
+static const uint8_t DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED[] = {
+  0x30,                       // SEQUENCE
+  0x01,                       // length
+};
+
+const uint8_t DER_SEQUENCE_OF_INT8[] = {
+  0x30,                       // SEQUENCE
+  0x09,                       // length
+  0x02, 0x01, 0x01,           // INTEGER length 1 value 0x01
+  0x02, 0x01, 0x02,           // INTEGER length 1 value 0x02
+  0x02, 0x01, 0x03            // INTEGER length 1 value 0x03
+};
+
+const uint8_t DER_TRUNCATED_SEQUENCE_OF_INT8[] = {
+  0x30,                       // SEQUENCE
+  0x09,                       // length
+  0x02, 0x01, 0x01,           // INTEGER length 1 value 0x01
+  0x02, 0x01, 0x02            // INTEGER length 1 value 0x02
+  // MISSING DATA HERE ON PURPOSE
+};
+
+const uint8_t DER_OVERRUN_SEQUENCE_OF_INT8[] = {
+  0x30,                       // SEQUENCE
+  0x09,                       // length
+  0x02, 0x01, 0x01,           // INTEGER length 1 value 0x01
+  0x02, 0x01, 0x02,           // INTEGER length 1 value 0x02
+  0x02, 0x02, 0xFF, 0x03      // INTEGER length 2 value 0xFF03
+};
+
+const uint8_t DER_INT16[] = {
+  0x02,                       // INTEGER
+  0x02,                       // length
+  0x12, 0x34                  // 0x1234
+};
+
+static const Input EMPTY_INPUT;
+
+TEST_F(pkixder_input_tests, InputInit)
+{
+  Input buf;
+  ASSERT_EQ(Success,
+            buf.Init(DER_SEQUENCE_OF_INT8, sizeof DER_SEQUENCE_OF_INT8));
+}
+
+TEST_F(pkixder_input_tests, InputInitWithNullPointerOrZeroLength)
+{
+  Input buf;
+  ASSERT_EQ(Result::ERROR_BAD_DER, buf.Init(nullptr, 0));
+
+  ASSERT_EQ(Result::ERROR_BAD_DER, buf.Init(nullptr, 100));
+
+  // Though it seems odd to initialize with zero-length and non-null ptr, this
+  // is working as intended. The Reader class was intended to protect against
+  // buffer overflows, and there's no risk with the current behavior. See bug
+  // 1000354.
+  ASSERT_EQ(Success, buf.Init((const uint8_t*) "hello", 0));
+  ASSERT_TRUE(buf.GetLength() == 0);
+}
+
+TEST_F(pkixder_input_tests, InputInitWithLargeData)
+{
+  Input buf;
+  // Data argument length does not matter, it is not touched, just
+  // needs to be non-null
+  ASSERT_EQ(Result::ERROR_BAD_DER, buf.Init((const uint8_t*) "", 0xffff+1));
+
+  ASSERT_EQ(Success, buf.Init((const uint8_t*) "", 0xffff));
+}
+
+TEST_F(pkixder_input_tests, InputInitMultipleTimes)
+{
+  Input buf;
+
+  ASSERT_EQ(Success,
+            buf.Init(DER_SEQUENCE_OF_INT8, sizeof DER_SEQUENCE_OF_INT8));
+
+  ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS,
+            buf.Init(DER_SEQUENCE_OF_INT8, sizeof DER_SEQUENCE_OF_INT8));
+}
+
+TEST_F(pkixder_input_tests, PeekWithinBounds)
+{
+  const uint8_t der[] = { 0x11, 0x11 };
+  Input buf(der);
+  Reader input(buf);
+  ASSERT_TRUE(input.Peek(0x11));
+  ASSERT_FALSE(input.Peek(0x22));
+}
+
+TEST_F(pkixder_input_tests, PeekPastBounds)
+{
+  const uint8_t der[] = { 0x11, 0x22 };
+  Input buf;
+  ASSERT_EQ(Success, buf.Init(der, 1));
+  Reader input(buf);
+
+  uint8_t readByte;
+  ASSERT_EQ(Success, input.Read(readByte));
+  ASSERT_EQ(0x11, readByte);
+  ASSERT_FALSE(input.Peek(0x22));
+}
+
+TEST_F(pkixder_input_tests, ReadByte)
+{
+  const uint8_t der[] = { 0x11, 0x22 };
+  Input buf(der);
+  Reader input(buf);
+
+  uint8_t readByte1;
+  ASSERT_EQ(Success, input.Read(readByte1));
+  ASSERT_EQ(0x11, readByte1);
+
+  uint8_t readByte2;
+  ASSERT_EQ(Success, input.Read(readByte2));
+  ASSERT_EQ(0x22, readByte2);
+}
+
+TEST_F(pkixder_input_tests, ReadBytePastEnd)
+{
+  const uint8_t der[] = { 0x11, 0x22 };
+  Input buf;
+  ASSERT_EQ(Success, buf.Init(der, 1));
+  Reader input(buf);
+
+  uint8_t readByte1 = 0;
+  ASSERT_EQ(Success, input.Read(readByte1));
+  ASSERT_EQ(0x11, readByte1);
+
+  uint8_t readByte2 = 0;
+  ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(readByte2));
+  ASSERT_NE(0x22, readByte2);
+}
+
+TEST_F(pkixder_input_tests, ReadByteWrapAroundPointer)
+{
+  // The original implementation of our buffer read overflow checks was
+  // susceptible to integer overflows which could make the checks ineffective.
+  // This attempts to verify that we've fixed that. Unfortunately, decrementing
+  // a null pointer is undefined behavior according to the C++ language spec.,
+  // but this should catch the problem on at least some compilers, if not all of
+  // them.
+  const uint8_t* der = nullptr;
+  --der;
+  Input buf;
+  ASSERT_EQ(Success, buf.Init(der, 0));
+  Reader input(buf);
+
+  uint8_t b;
+  ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(b));
+}
+
+TEST_F(pkixder_input_tests, ReadWord)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  uint16_t readWord1 = 0;
+  ASSERT_EQ(Success, input.Read(readWord1));
+  ASSERT_EQ(0x1122, readWord1);
+
+  uint16_t readWord2 = 0;
+  ASSERT_EQ(Success, input.Read(readWord2));
+  ASSERT_EQ(0x3344, readWord2);
+}
+
+TEST_F(pkixder_input_tests, ReadWordPastEnd)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf;
+  ASSERT_EQ(Success, buf.Init(der, 2)); // Initialize with too-short length
+  Reader input(buf);
+
+  uint16_t readWord1 = 0;
+  ASSERT_EQ(Success, input.Read(readWord1));
+  ASSERT_EQ(0x1122, readWord1);
+
+  uint16_t readWord2 = 0;
+  ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(readWord2));
+  ASSERT_NE(0x3344, readWord2);
+}
+
+TEST_F(pkixder_input_tests, ReadWordWithInsufficentData)
+{
+  const uint8_t der[] = { 0x11, 0x22 };
+  Input buf;
+  ASSERT_EQ(Success, buf.Init(der, 1));
+  Reader input(buf);
+
+  uint16_t readWord1 = 0;
+  ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(readWord1));
+  ASSERT_NE(0x1122, readWord1);
+}
+
+TEST_F(pkixder_input_tests, ReadWordWrapAroundPointer)
+{
+  // The original implementation of our buffer read overflow checks was
+  // susceptible to integer overflows which could make the checks ineffective.
+  // This attempts to verify that we've fixed that. Unfortunately, decrementing
+  // a null pointer is undefined behavior according to the C++ language spec.,
+  // but this should catch the problem on at least some compilers, if not all of
+  // them.
+  const uint8_t* der = nullptr;
+  --der;
+  Input buf;
+  ASSERT_EQ(Success, buf.Init(der, 0));
+  Reader input(buf);
+  uint16_t b;
+  ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(b));
+}
+
+TEST_F(pkixder_input_tests, Skip)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  ASSERT_EQ(Success, input.Skip(1));
+
+  uint8_t readByte1 = 0;
+  ASSERT_EQ(Success, input.Read(readByte1));
+  ASSERT_EQ(0x22, readByte1);
+
+  ASSERT_EQ(Success, input.Skip(1));
+
+  uint8_t readByte2 = 0;
+  ASSERT_EQ(Success, input.Read(readByte2));
+  ASSERT_EQ(0x44, readByte2);
+}
+
+TEST_F(pkixder_input_tests, Skip_ToEnd)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+  ASSERT_EQ(Success, input.Skip(sizeof der));
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, Skip_PastEnd)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(sizeof der + 1));
+}
+
+TEST_F(pkixder_input_tests, Skip_ToNewInput)
+{
+  const uint8_t der[] = { 0x01, 0x02, 0x03, 0x04 };
+  Input buf(der);
+  Reader input(buf);
+
+  Reader skippedInput;
+  ASSERT_EQ(Success, input.Skip(3, skippedInput));
+
+  uint8_t readByte1 = 0;
+  ASSERT_EQ(Success, input.Read(readByte1));
+  ASSERT_EQ(0x04, readByte1);
+
+  ASSERT_TRUE(input.AtEnd());
+
+  // Reader has no Remaining() or Length() so we simply read the bytes
+  // and then expect to be at the end.
+
+  for (uint8_t i = 1; i <= 3; ++i) {
+    uint8_t readByte = 0;
+    ASSERT_EQ(Success, skippedInput.Read(readByte));
+    ASSERT_EQ(i, readByte);
+  }
+
+  ASSERT_TRUE(skippedInput.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, Skip_ToNewInputPastEnd)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  Reader skippedInput;
+  ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(sizeof der * 2, skippedInput));
+}
+
+TEST_F(pkixder_input_tests, Skip_ToInput)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  const uint8_t expectedItemData[] = { 0x11, 0x22, 0x33 };
+
+  Input item;
+  ASSERT_EQ(Success, input.Skip(sizeof expectedItemData, item));
+
+  Input expected(expectedItemData);
+  ASSERT_TRUE(InputsAreEqual(expected, item));
+}
+
+TEST_F(pkixder_input_tests, Skip_WrapAroundPointer)
+{
+  // The original implementation of our buffer read overflow checks was
+  // susceptible to integer overflows which could make the checks ineffective.
+  // This attempts to verify that we've fixed that. Unfortunately, decrementing
+  // a null pointer is undefined behavior according to the C++ language spec.,
+  // but this should catch the problem on at least some compilers, if not all of
+  // them.
+  const uint8_t* der = nullptr;
+  --der;
+  Input buf;
+  ASSERT_EQ(Success, buf.Init(der, 0));
+  Reader input(buf);
+  ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(1));
+}
+
+TEST_F(pkixder_input_tests, Skip_ToInputPastEnd)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  Input skipped;
+  ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(sizeof der + 1, skipped));
+}
+
+TEST_F(pkixder_input_tests, SkipToEnd_ToInput)
+{
+  static const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  Input skipped;
+  ASSERT_EQ(Success, input.SkipToEnd(skipped));
+}
+
+TEST_F(pkixder_input_tests, SkipToEnd_ToInput_InputAlreadyInited)
+{
+  static const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  static const uint8_t initialValue[] = { 0x01, 0x02, 0x03 };
+  Input x(initialValue);
+  // Fails because skipped was already initialized once, and Inputs are not
+  // allowed to be Init()d multiple times.
+  ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS, input.SkipToEnd(x));
+  ASSERT_TRUE(InputsAreEqual(x, Input(initialValue)));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndSkipValue)
+{
+  Input buf(DER_SEQUENCE_OF_INT8);
+  Reader input(buf);
+
+  ASSERT_EQ(Success, ExpectTagAndSkipValue(input, SEQUENCE));
+  ASSERT_EQ(Success, End(input));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndSkipValueWithTruncatedData)
+{
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
+
+  ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndSkipValue(input, SEQUENCE));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndSkipValueWithOverrunData)
+{
+  Input buf(DER_OVERRUN_SEQUENCE_OF_INT8);
+  Reader input(buf);
+  ASSERT_EQ(Success, ExpectTagAndSkipValue(input, SEQUENCE));
+  ASSERT_EQ(Result::ERROR_BAD_DER, End(input));
+}
+
+TEST_F(pkixder_input_tests, AtEndOnUnInitializedInput)
+{
+  Reader input;
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, AtEndAtBeginning)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+  ASSERT_FALSE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, AtEndAtEnd)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+  ASSERT_EQ(Success, input.Skip(sizeof der));
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, MarkAndGetInput)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  Reader::Mark mark = input.GetMark();
+
+  const uint8_t expectedItemData[] = { 0x11, 0x22, 0x33 };
+
+  ASSERT_EQ(Success, input.Skip(sizeof expectedItemData));
+
+  Input item;
+  ASSERT_EQ(Success, input.GetInput(mark, item));
+  Input expected(expectedItemData);
+  ASSERT_TRUE(InputsAreEqual(expected, item));
+}
+
+// Cannot run this test on debug builds because of the NotReached
+#ifdef NDEBUG
+TEST_F(pkixder_input_tests, MarkAndGetInputDifferentInput)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  Reader another;
+  Reader::Mark mark = another.GetMark();
+
+  ASSERT_EQ(Success, input.Skip(3));
+
+  Input item;
+  ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS, input.GetInput(mark, item));
+}
+#endif
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_AtEnd)
+{
+  Reader input(EMPTY_INPUT);
+  uint8_t tag;
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER, ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_TruncatedAfterTag)
+{
+  static const uint8_t DER[] = { SEQUENCE };
+  Input buf(DER);
+  Reader input(buf);
+  uint8_t tag;
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER, ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_ValidEmpty)
+{
+  Input buf(DER_SEQUENCE_EMPTY);
+  Reader input(buf);
+  uint8_t tag = 0;
+  Input value;
+  ASSERT_EQ(Success, ReadTagAndGetValue(input, tag, value));
+  ASSERT_EQ(SEQUENCE, tag);
+  ASSERT_EQ(0u, value.GetLength());
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_ValidNotEmpty)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  uint8_t tag = 0;
+  Input value;
+  ASSERT_EQ(Success, ReadTagAndGetValue(input, tag, value));
+  ASSERT_EQ(SEQUENCE, tag);
+  Input expected(DER_SEQUENCE_NOT_EMPTY_VALUE);
+  ASSERT_TRUE(InputsAreEqual(expected, value));
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests,
+       ReadTagAndGetValue_Input_InvalidNotEmptyValueTruncated)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
+  Reader input(buf);
+  uint8_t tag;
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER, ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_InvalidWrongLength)
+{
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
+  uint8_t tag;
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_InvalidHighTagNumberForm1)
+{
+  // High tag number form is not allowed (illegal 1 byte tag)
+  //
+  // If the decoder treats 0x1F as a valid low tag number tag, then it will
+  // treat the actual tag (1) as a length, and then it will return Success
+  // with value == { 0x00 } and tag == 0x1f.
+  //
+  // It is illegal to encode tag 1 in the high tag number form because it isn't
+  // the shortest encoding (the low tag number form is).
+  static const uint8_t DER[] = {
+    0x1F, // high tag number form indicator
+    1,    // tag 1 (not legal!)
+    0     // length zero
+  };
+  Input buf(DER);
+  Reader input(buf);
+  uint8_t tag;
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_InvalidHighTagNumberForm2)
+{
+  // High tag number form is not allowed (legal 1 byte tag).
+  //
+  // ReadTagAndGetValue's check to prohibit the high tag number form has no
+  // effect on whether this test passes or fails, because ReadTagAndGetValue
+  // will interpret the second byte (31) as a length, and the input doesn't
+  // have 31 bytes following it. This test is here to guard against the case
+  // where somebody actually implements high tag number form parsing, to remind
+  // that person that they need to add tests here, including in particular
+  // tests for overly-long encodings.
+  static const uint8_t DER[] = {
+    0x1F, // high tag number form indicator
+    31,   // tag 31
+    0     // length zero
+  };
+  Input buf(DER);
+  Reader input(buf);
+  uint8_t tag;
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_InvalidHighTagNumberForm3)
+{
+  // High tag number form is not allowed (2 byte legal tag)
+  //
+  // ReadTagAndGetValue's check to prohibit the high tag number form has no
+  // effect on whether this test passes or fails, because ReadTagAndGetValue
+  // will interpret the second byte as a length, and the input doesn't have
+  // that many bytes following it. This test is here to guard against the case
+  // where somebody actually implements high tag number form parsing, to remind
+  // that person that they need to add tests here, including in particular
+  // tests for overly-long encodings.
+  static const uint8_t DER[] = {
+    0x1F,              // high tag number form indicator
+    0x80 | 0x01, 0x00, // tag 0x100 (256)
+    0                  // length zero
+  };
+  Input buf(DER);
+  Reader input(buf);
+  uint8_t tag;
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Reader_ValidEmpty)
+{
+  Input buf(DER_SEQUENCE_EMPTY);
+  Reader input(buf);
+  Reader value;
+  ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
+  ASSERT_TRUE(value.AtEnd());
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Reader_ValidNotEmpty)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  Reader value;
+  ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
+  ASSERT_TRUE(value.MatchRest(DER_SEQUENCE_NOT_EMPTY_VALUE));
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests,
+       ExpectTagAndGetValue_Reader_InvalidNotEmptyValueTruncated)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
+  Reader input(buf);
+  Reader value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ExpectTagAndGetValue(input, SEQUENCE, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Reader_InvalidWrongLength)
+{
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
+  Reader value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ExpectTagAndGetValue(input, SEQUENCE, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Reader_InvalidWrongTag)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  Reader value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ExpectTagAndGetValue(input, INTEGER, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_ValidEmpty)
+{
+  Input buf(DER_SEQUENCE_EMPTY);
+  Reader input(buf);
+  Input value;
+  ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
+  ASSERT_EQ(0u, value.GetLength());
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_ValidNotEmpty)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  Input value;
+  ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
+  Input expected(DER_SEQUENCE_NOT_EMPTY_VALUE);
+  ASSERT_TRUE(InputsAreEqual(expected, value));
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests,
+       ExpectTagAndGetValue_Input_InvalidNotEmptyValueTruncated)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
+  Reader input(buf);
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ExpectTagAndGetValue(input, SEQUENCE, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_InvalidWrongLength)
+{
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ExpectTagAndGetValue(input, SEQUENCE, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_InvalidWrongTag)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ExpectTagAndGetValue(input, INTEGER, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndEmptyValue_ValidEmpty)
+{
+  Input buf(DER_SEQUENCE_EMPTY);
+  Reader input(buf);
+  ASSERT_EQ(Success, ExpectTagAndEmptyValue(input, SEQUENCE));
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndEmptyValue_InValidNotEmpty)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndEmptyValue(input, SEQUENCE));
+}
+
+TEST_F(pkixder_input_tests,
+       ExpectTagAndEmptyValue_Input_InvalidNotEmptyValueTruncated)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
+  Reader input(buf);
+  ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndEmptyValue(input, SEQUENCE));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndEmptyValue_InvalidWrongLength)
+{
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
+  ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndEmptyValue(input, SEQUENCE));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndEmptyValue_InvalidWrongTag)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndEmptyValue(input, INTEGER));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_ValidEmpty)
+{
+  Input buf(DER_SEQUENCE_EMPTY);
+  Reader input(buf);
+  Input tlv;
+  ASSERT_EQ(Success, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
+  Input expected(DER_SEQUENCE_EMPTY);
+  ASSERT_TRUE(InputsAreEqual(expected, tlv));
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_ValidNotEmpty)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  Input tlv;
+  ASSERT_EQ(Success, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
+  Input expected(DER_SEQUENCE_NOT_EMPTY);
+  ASSERT_TRUE(InputsAreEqual(expected, tlv));
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests,
+       ExpectTagAndGetTLV_Input_InvalidNotEmptyValueTruncated)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
+  Reader input(buf);
+  Input tlv;
+  ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_InvalidWrongLength)
+{
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
+  Input tlv;
+  ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_InvalidWrongTag)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  Input tlv;
+  ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndGetTLV(input, INTEGER, tlv));
+}
+
+TEST_F(pkixder_input_tests, EndAtEnd)
+{
+  Input buf(DER_INT16);
+  Reader input(buf);
+  ASSERT_EQ(Success, input.Skip(4));
+  ASSERT_EQ(Success, End(input));
+}
+
+TEST_F(pkixder_input_tests, EndBeforeEnd)
+{
+  Input buf(DER_INT16);
+  Reader input(buf);
+  ASSERT_EQ(Success, input.Skip(2));
+  ASSERT_EQ(Result::ERROR_BAD_DER, End(input));
+}
+
+TEST_F(pkixder_input_tests, EndAtBeginning)
+{
+  Input buf(DER_INT16);
+  Reader input(buf);
+  ASSERT_EQ(Result::ERROR_BAD_DER, End(input));
+}
+
+// TODO: Need tests for Nested too?
+
+Result NestedOfHelper(Reader& input, std::vector<uint8_t>& readValues)
+{
+  uint8_t value = 0;
+  Result rv = input.Read(value);
+  EXPECT_EQ(Success, rv);
+  if (rv != Success) {
+    return rv;
+  }
+  readValues.push_back(value);
+  return Success;
+}
+
+TEST_F(pkixder_input_tests, NestedOf)
+{
+  Input buf(DER_SEQUENCE_OF_INT8);
+  Reader input(buf);
+
+  std::vector<uint8_t> readValues;
+  ASSERT_EQ(Success,
+            NestedOf(input, SEQUENCE, INTEGER, EmptyAllowed::No,
+                     [&readValues](Reader& r) {
+                       return NestedOfHelper(r, readValues);
+                     }));
+  ASSERT_EQ(3u, readValues.size());
+  ASSERT_EQ(0x01, readValues[0]);
+  ASSERT_EQ(0x02, readValues[1]);
+  ASSERT_EQ(0x03, readValues[2]);
+  ASSERT_EQ(Success, End(input));
+}
+
+TEST_F(pkixder_input_tests, NestedOfWithTruncatedData)
+{
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
+
+  std::vector<uint8_t> readValues;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            NestedOf(input, SEQUENCE, INTEGER, EmptyAllowed::No,
+                     [&readValues](Reader& r) {
+                       return NestedOfHelper(r, readValues);
+                     }));
+  ASSERT_EQ(0u, readValues.size());
+}
+
+TEST_F(pkixder_input_tests, MatchRestAtEnd)
+{
+  static const uint8_t der[1] = { };
+  Input buf;
+  ASSERT_EQ(Success, buf.Init(der, 0));
+  Reader input(buf);
+  ASSERT_TRUE(input.AtEnd());
+  static const uint8_t toMatch[] = { 1 };
+  ASSERT_FALSE(input.MatchRest(toMatch));
+}
+
+TEST_F(pkixder_input_tests, MatchRest1Match)
+{
+  static const uint8_t der[] = { 1 };
+  Input buf(der);
+  Reader input(buf);
+  ASSERT_FALSE(input.AtEnd());
+  ASSERT_TRUE(input.MatchRest(der));
+}
+
+TEST_F(pkixder_input_tests, MatchRest1Mismatch)
+{
+  static const uint8_t der[] = { 1 };
+  Input buf(der);
+  Reader input(buf);
+  static const uint8_t toMatch[] = { 2 };
+  ASSERT_FALSE(input.MatchRest(toMatch));
+  ASSERT_FALSE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, MatchRest2WithTrailingByte)
+{
+  static const uint8_t der[] = { 1, 2, 3 };
+  Input buf(der);
+  Reader input(buf);
+  static const uint8_t toMatch[] = { 1, 2 };
+  ASSERT_FALSE(input.MatchRest(toMatch));
+}
+
+TEST_F(pkixder_input_tests, MatchRest2Mismatch)
+{
+  static const uint8_t der[] = { 1, 2, 3 };
+  Input buf(der);
+  Reader input(buf);
+  static const uint8_t toMatchMismatch[] = { 1, 3 };
+  ASSERT_FALSE(input.MatchRest(toMatchMismatch));
+  ASSERT_TRUE(input.MatchRest(der));
+}
+
+} // namespace
diff --git a/security/nss/gtests/mozpkix_gtest/pkixder_pki_types_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixder_pki_types_tests.cpp
new file mode 100644
index 000000000..989f3d296
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixder_pki_types_tests.cpp
@@ -0,0 +1,480 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <functional>
+#include <vector>
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixtypes.h"
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::der;
+
+class pkixder_pki_types_tests : public ::testing::Test { };
+
+TEST_F(pkixder_pki_types_tests, CertificateSerialNumber)
+{
+  const uint8_t DER_CERT_SERIAL[] = {
+    0x02,                       // INTEGER
+    8,                          // length
+    0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
+  };
+  Input input(DER_CERT_SERIAL);
+  Reader reader(input);
+
+  Input item;
+  ASSERT_EQ(Success, CertificateSerialNumber(reader, item));
+
+  Input expected;
+  ASSERT_EQ(Success,
+            expected.Init(DER_CERT_SERIAL + 2, sizeof DER_CERT_SERIAL - 2));
+  ASSERT_TRUE(InputsAreEqual(expected, item));
+}
+
+TEST_F(pkixder_pki_types_tests, CertificateSerialNumberLongest)
+{
+  const uint8_t DER_CERT_SERIAL_LONGEST[] = {
+    0x02,                       // INTEGER
+    20,                         // length
+    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
+  };
+  Input input(DER_CERT_SERIAL_LONGEST);
+  Reader reader(input);
+
+  Input item;
+  ASSERT_EQ(Success, CertificateSerialNumber(reader, item));
+
+  Input expected;
+  ASSERT_EQ(Success,
+            expected.Init(DER_CERT_SERIAL_LONGEST + 2,
+                          sizeof DER_CERT_SERIAL_LONGEST - 2));
+  ASSERT_TRUE(InputsAreEqual(expected, item));
+}
+
+TEST_F(pkixder_pki_types_tests, CertificateSerialNumberCrazyLong)
+{
+  const uint8_t DER_CERT_SERIAL_CRAZY_LONG[] = {
+    0x02,                       // INTEGER
+    32,                         // length
+    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
+    17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32
+  };
+  Input input(DER_CERT_SERIAL_CRAZY_LONG);
+  Reader reader(input);
+
+  Input item;
+  ASSERT_EQ(Success, CertificateSerialNumber(reader, item));
+}
+
+TEST_F(pkixder_pki_types_tests, CertificateSerialNumberZeroLength)
+{
+  const uint8_t DER_CERT_SERIAL_ZERO_LENGTH[] = {
+    0x02,                       // INTEGER
+    0x00                        // length
+  };
+  Input input(DER_CERT_SERIAL_ZERO_LENGTH);
+  Reader reader(input);
+
+  Input item;
+  ASSERT_EQ(Result::ERROR_INVALID_INTEGER_ENCODING,
+            CertificateSerialNumber(reader, item));
+}
+
+TEST_F(pkixder_pki_types_tests, OptionalVersionV1ExplicitEncodingAllowed)
+{
+  const uint8_t DER_OPTIONAL_VERSION_V1[] = {
+    0xa0, 0x03,                   // context specific 0
+    0x02, 0x01, 0x00              // INTEGER(0)
+  };
+  Input input(DER_OPTIONAL_VERSION_V1);
+  Reader reader(input);
+
+  // XXX(bug 1031093): We shouldn't accept an explicit encoding of v1, but we
+  // do here for compatibility reasons.
+  // Version version;
+  // ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(reader, version));
+  der::Version version = der::Version::v3;
+  ASSERT_EQ(Success, OptionalVersion(reader, version));
+  ASSERT_EQ(der::Version::v1, version);
+}
+
+TEST_F(pkixder_pki_types_tests, OptionalVersionV2)
+{
+  const uint8_t DER_OPTIONAL_VERSION_V2[] = {
+    0xa0, 0x03,                   // context specific 0
+    0x02, 0x01, 0x01              // INTEGER(1)
+  };
+  Input input(DER_OPTIONAL_VERSION_V2);
+  Reader reader(input);
+
+  der::Version version = der::Version::v1;
+  ASSERT_EQ(Success, OptionalVersion(reader, version));
+  ASSERT_EQ(der::Version::v2, version);
+}
+
+TEST_F(pkixder_pki_types_tests, OptionalVersionV3)
+{
+  const uint8_t DER_OPTIONAL_VERSION_V3[] = {
+    0xa0, 0x03,                   // context specific 0
+    0x02, 0x01, 0x02              // INTEGER(2)
+  };
+  Input input(DER_OPTIONAL_VERSION_V3);
+  Reader reader(input);
+
+  der::Version version = der::Version::v1;
+  ASSERT_EQ(Success, OptionalVersion(reader, version));
+  ASSERT_EQ(der::Version::v3, version);
+}
+
+TEST_F(pkixder_pki_types_tests, OptionalVersionUnknown)
+{
+  const uint8_t DER_OPTIONAL_VERSION_INVALID[] = {
+    0xa0, 0x03,                   // context specific 0
+    0x02, 0x01, 0x42              // INTEGER(0x42)
+  };
+  Input input(DER_OPTIONAL_VERSION_INVALID);
+  Reader reader(input);
+
+  der::Version version = der::Version::v1;
+  ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(reader, version));
+}
+
+TEST_F(pkixder_pki_types_tests, OptionalVersionInvalidTooLong)
+{
+  const uint8_t DER_OPTIONAL_VERSION_INVALID_TOO_LONG[] = {
+    0xa0, 0x03,                   // context specific 0
+    0x02, 0x02, 0x12, 0x34        // INTEGER(0x1234)
+  };
+  Input input(DER_OPTIONAL_VERSION_INVALID_TOO_LONG);
+  Reader reader(input);
+
+  der::Version version;
+  ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(reader, version));
+}
+
+TEST_F(pkixder_pki_types_tests, OptionalVersionMissing)
+{
+  const uint8_t DER_OPTIONAL_VERSION_MISSING[] = {
+    0x02, 0x11, 0x22              // INTEGER
+  };
+  Input input(DER_OPTIONAL_VERSION_MISSING);
+  Reader reader(input);
+
+  der::Version version = der::Version::v3;
+  ASSERT_EQ(Success, OptionalVersion(reader, version));
+  ASSERT_EQ(der::Version::v1, version);
+}
+
+static const size_t MAX_ALGORITHM_OID_DER_LENGTH = 13;
+
+struct InvalidAlgorithmIdentifierTestInfo
+{
+  uint8_t der[MAX_ALGORITHM_OID_DER_LENGTH];
+  size_t derLength;
+};
+
+struct ValidDigestAlgorithmIdentifierTestInfo
+{
+  DigestAlgorithm algorithm;
+  uint8_t der[MAX_ALGORITHM_OID_DER_LENGTH];
+  size_t derLength;
+};
+
+class pkixder_DigestAlgorithmIdentifier_Valid
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<ValidDigestAlgorithmIdentifierTestInfo>
+{
+};
+
+static const ValidDigestAlgorithmIdentifierTestInfo
+  VALID_DIGEST_ALGORITHM_TEST_INFO[] =
+{
+  { DigestAlgorithm::sha512,
+    { 0x30, 0x0b, 0x06, 0x09,
+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 },
+    13
+  },
+  { DigestAlgorithm::sha384,
+    { 0x30, 0x0b, 0x06, 0x09,
+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 },
+    13
+  },
+  { DigestAlgorithm::sha256,
+    { 0x30, 0x0b, 0x06, 0x09,
+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 },
+    13
+  },
+  { DigestAlgorithm::sha1,
+    { 0x30, 0x07, 0x06, 0x05,
+      0x2b, 0x0e, 0x03, 0x02, 0x1a },
+    9
+  },
+};
+
+TEST_P(pkixder_DigestAlgorithmIdentifier_Valid, Valid)
+{
+  const ValidDigestAlgorithmIdentifierTestInfo& param(GetParam());
+
+  {
+    Input input;
+    ASSERT_EQ(Success, input.Init(param.der, param.derLength));
+    Reader reader(input);
+    DigestAlgorithm alg;
+    ASSERT_EQ(Success, DigestAlgorithmIdentifier(reader, alg));
+    ASSERT_EQ(param.algorithm, alg);
+    ASSERT_EQ(Success, End(reader));
+  }
+
+  {
+    uint8_t derWithNullParam[MAX_ALGORITHM_OID_DER_LENGTH + 2];
+    memcpy(derWithNullParam, param.der, param.derLength);
+    derWithNullParam[1] += 2; // we're going to expand the value by 2 bytes
+    derWithNullParam[param.derLength] = 0x05; // NULL tag
+    derWithNullParam[param.derLength + 1] = 0x00; // length zero
+
+    Input input;
+    ASSERT_EQ(Success, input.Init(derWithNullParam, param.derLength + 2));
+    Reader reader(input);
+    DigestAlgorithm alg;
+    ASSERT_EQ(Success, DigestAlgorithmIdentifier(reader, alg));
+    ASSERT_EQ(param.algorithm, alg);
+    ASSERT_EQ(Success, End(reader));
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixder_DigestAlgorithmIdentifier_Valid,
+                        pkixder_DigestAlgorithmIdentifier_Valid,
+                        testing::ValuesIn(VALID_DIGEST_ALGORITHM_TEST_INFO));
+
+class pkixder_DigestAlgorithmIdentifier_Invalid
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<InvalidAlgorithmIdentifierTestInfo>
+{
+};
+
+static const InvalidAlgorithmIdentifierTestInfo
+  INVALID_DIGEST_ALGORITHM_TEST_INFO[] =
+{
+  { // MD5
+    { 0x30, 0x0a, 0x06, 0x08,
+      0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05 },
+    12,
+  },
+  { // ecdsa-with-SHA256 (1.2.840.10045.4.3.2) (not a hash algorithm)
+    { 0x30, 0x0a, 0x06, 0x08,
+      0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02 },
+    12,
+  },
+};
+
+TEST_P(pkixder_DigestAlgorithmIdentifier_Invalid, Invalid)
+{
+  const InvalidAlgorithmIdentifierTestInfo& param(GetParam());
+  Input input;
+  ASSERT_EQ(Success, input.Init(param.der, param.derLength));
+  Reader reader(input);
+  DigestAlgorithm alg;
+  ASSERT_EQ(Result::ERROR_INVALID_ALGORITHM,
+            DigestAlgorithmIdentifier(reader, alg));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixder_DigestAlgorithmIdentifier_Invalid,
+                        pkixder_DigestAlgorithmIdentifier_Invalid,
+                        testing::ValuesIn(INVALID_DIGEST_ALGORITHM_TEST_INFO));
+
+struct ValidSignatureAlgorithmIdentifierValueTestInfo
+{
+  PublicKeyAlgorithm publicKeyAlg;
+  DigestAlgorithm digestAlg;
+  uint8_t der[MAX_ALGORITHM_OID_DER_LENGTH];
+  size_t derLength;
+};
+
+static const ValidSignatureAlgorithmIdentifierValueTestInfo
+  VALID_SIGNATURE_ALGORITHM_VALUE_TEST_INFO[] =
+{
+  // ECDSA
+  { PublicKeyAlgorithm::ECDSA,
+    DigestAlgorithm::sha512,
+    { 0x06, 0x08,
+      0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04 },
+    10,
+  },
+  { PublicKeyAlgorithm::ECDSA,
+    DigestAlgorithm::sha384,
+    { 0x06, 0x08,
+      0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03 },
+    10,
+  },
+  { PublicKeyAlgorithm::ECDSA,
+    DigestAlgorithm::sha256,
+    { 0x06, 0x08,
+      0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02 },
+    10,
+  },
+  { PublicKeyAlgorithm::ECDSA,
+    DigestAlgorithm::sha1,
+    { 0x06, 0x07,
+      0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x01 },
+    9,
+  },
+
+  // RSA
+  { PublicKeyAlgorithm::RSA_PKCS1,
+    DigestAlgorithm::sha512,
+    { 0x06, 0x09,
+      0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d },
+    11,
+  },
+  { PublicKeyAlgorithm::RSA_PKCS1,
+    DigestAlgorithm::sha384,
+    { 0x06, 0x09,
+      0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0c },
+    11,
+  },
+  { PublicKeyAlgorithm::RSA_PKCS1,
+    DigestAlgorithm::sha256,
+    { 0x06, 0x09,
+      0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b },
+    11,
+  },
+  { PublicKeyAlgorithm::RSA_PKCS1,
+    DigestAlgorithm::sha1,
+    // IETF Standard OID
+    { 0x06, 0x09,
+      0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05 },
+    11,
+  },
+  { PublicKeyAlgorithm::RSA_PKCS1,
+    DigestAlgorithm::sha1,
+    // Legacy OIW OID (bug 1042479)
+    { 0x06, 0x05,
+      0x2b, 0x0e, 0x03, 0x02, 0x1d },
+    7,
+  },
+};
+
+class pkixder_SignatureAlgorithmIdentifierValue_Valid
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<
+             ValidSignatureAlgorithmIdentifierValueTestInfo>
+{
+};
+
+TEST_P(pkixder_SignatureAlgorithmIdentifierValue_Valid, Valid)
+{
+  const ValidSignatureAlgorithmIdentifierValueTestInfo& param(GetParam());
+
+  {
+    Input input;
+    ASSERT_EQ(Success, input.Init(param.der, param.derLength));
+    Reader reader(input);
+    PublicKeyAlgorithm publicKeyAlg;
+    DigestAlgorithm digestAlg;
+    ASSERT_EQ(Success,
+              SignatureAlgorithmIdentifierValue(reader, publicKeyAlg,
+                                                digestAlg));
+    ASSERT_EQ(param.publicKeyAlg, publicKeyAlg);
+    ASSERT_EQ(param.digestAlg, digestAlg);
+    ASSERT_EQ(Success, End(reader));
+  }
+
+  {
+    uint8_t derWithNullParam[MAX_ALGORITHM_OID_DER_LENGTH + 2];
+    memcpy(derWithNullParam, param.der, param.derLength);
+    derWithNullParam[param.derLength] = 0x05; // NULL tag
+    derWithNullParam[param.derLength + 1] = 0x00; // length zero
+
+    Input input;
+    ASSERT_EQ(Success, input.Init(derWithNullParam, param.derLength + 2));
+    Reader reader(input);
+    PublicKeyAlgorithm publicKeyAlg;
+    DigestAlgorithm digestAlg;
+    ASSERT_EQ(Success,
+              SignatureAlgorithmIdentifierValue(reader, publicKeyAlg,
+                                                digestAlg));
+    ASSERT_EQ(param.publicKeyAlg, publicKeyAlg);
+    ASSERT_EQ(param.digestAlg, digestAlg);
+    ASSERT_EQ(Success, End(reader));
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(
+  pkixder_SignatureAlgorithmIdentifierValue_Valid,
+  pkixder_SignatureAlgorithmIdentifierValue_Valid,
+  testing::ValuesIn(VALID_SIGNATURE_ALGORITHM_VALUE_TEST_INFO));
+
+static const InvalidAlgorithmIdentifierTestInfo
+  INVALID_SIGNATURE_ALGORITHM_VALUE_TEST_INFO[] =
+{
+  // id-dsa-with-sha256 (2.16.840.1.101.3.4.3.2)
+  { { 0x06, 0x09,
+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x02 },
+    11,
+  },
+
+  // id-dsa-with-sha1 (1.2.840.10040.4.3)
+  { { 0x06, 0x07,
+      0x2a, 0x86, 0x48, 0xce, 0x38, 0x04, 0x03 },
+    9,
+  },
+
+  // RSA-with-MD5 (1.2.840.113549.1.1.4)
+  { { 0x06, 0x09,
+      0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04 },
+    11,
+  },
+
+  // id-sha256 (2.16.840.1.101.3.4.2.1). It is invalid because SHA-256 is not
+  // a signature algorithm.
+  { { 0x06, 0x09,
+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 },
+    11,
+  },
+};
+
+class pkixder_SignatureAlgorithmIdentifier_Invalid
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<InvalidAlgorithmIdentifierTestInfo>
+{
+};
+
+TEST_P(pkixder_SignatureAlgorithmIdentifier_Invalid, Invalid)
+{
+  const InvalidAlgorithmIdentifierTestInfo& param(GetParam());
+  Input input;
+  ASSERT_EQ(Success, input.Init(param.der, param.derLength));
+  Reader reader(input);
+  der::PublicKeyAlgorithm publicKeyAlg;
+  DigestAlgorithm digestAlg;
+  ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,
+            SignatureAlgorithmIdentifierValue(reader, publicKeyAlg, digestAlg));
+}
+
+INSTANTIATE_TEST_CASE_P(
+  pkixder_SignatureAlgorithmIdentifier_Invalid,
+  pkixder_SignatureAlgorithmIdentifier_Invalid,
+  testing::ValuesIn(INVALID_SIGNATURE_ALGORITHM_VALUE_TEST_INFO));
diff --git a/security/nss/gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp
new file mode 100644
index 000000000..260c735ec
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp
@@ -0,0 +1,1226 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <limits>
+#include <stdint.h>
+#include <vector>
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::der;
+using namespace mozilla::pkix::test;
+using namespace std;
+
+class pkixder_universal_types_tests : public ::testing::Test { };
+
+TEST_F(pkixder_universal_types_tests, BooleanTrue01)
+{
+  const uint8_t DER_BOOLEAN_TRUE_01[] = {
+    0x01,                       // BOOLEAN
+    0x01,                       // length
+    0x01                        // invalid
+  };
+  Input input(DER_BOOLEAN_TRUE_01);
+  Reader reader(input);
+  bool value = false;
+  ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
+}
+
+TEST_F(pkixder_universal_types_tests, BooleanTrue42)
+{
+  const uint8_t DER_BOOLEAN_TRUE_42[] = {
+    0x01,                       // BOOLEAN
+    0x01,                       // length
+    0x42                        // invalid
+  };
+  Input input(DER_BOOLEAN_TRUE_42);
+  Reader reader(input);
+  bool value = false;
+  ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
+}
+
+static const uint8_t DER_BOOLEAN_TRUE[] = {
+  0x01,                       // BOOLEAN
+  0x01,                       // length
+  0xff                        // true
+};
+
+TEST_F(pkixder_universal_types_tests, BooleanTrueFF)
+{
+  Input input(DER_BOOLEAN_TRUE);
+  Reader reader(input);
+  bool value = false;
+  ASSERT_EQ(Success, Boolean(reader, value));
+  ASSERT_TRUE(value);
+}
+
+TEST_F(pkixder_universal_types_tests, BooleanFalse)
+{
+  const uint8_t DER_BOOLEAN_FALSE[] = {
+    0x01,                       // BOOLEAN
+    0x01,                       // length
+    0x00                        // false
+  };
+  Input input(DER_BOOLEAN_FALSE);
+  Reader reader(input);
+
+  bool value = true;
+  ASSERT_EQ(Success, Boolean(reader, value));
+  ASSERT_FALSE(value);
+}
+
+TEST_F(pkixder_universal_types_tests, BooleanInvalidLength)
+{
+  const uint8_t DER_BOOLEAN_INVALID_LENGTH[] = {
+    0x01,                       // BOOLEAN
+    0x02,                       // length
+    0x42, 0x42                  // invalid
+  };
+  Input input(DER_BOOLEAN_INVALID_LENGTH);
+  Reader reader(input);
+
+  bool value = true;
+  ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
+}
+
+TEST_F(pkixder_universal_types_tests, BooleanInvalidZeroLength)
+{
+  const uint8_t DER_BOOLEAN_INVALID_ZERO_LENGTH[] = {
+    0x01,                       // BOOLEAN
+    0x00                        // length
+  };
+  Input input(DER_BOOLEAN_INVALID_ZERO_LENGTH);
+  Reader reader(input);
+
+  bool value = true;
+  ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
+}
+
+// OptionalBoolean implements decoding of OPTIONAL BOOLEAN DEFAULT FALSE.
+// If the field is present, it must be a valid encoding of a BOOLEAN with
+// value TRUE. If the field is not present, it defaults to FALSE. For
+// compatibility reasons, OptionalBoolean also accepts encodings where the field
+// is present with value FALSE (this is technically not a valid DER encoding).
+TEST_F(pkixder_universal_types_tests, OptionalBooleanValidEncodings)
+{
+  {
+    const uint8_t DER_OPTIONAL_BOOLEAN_PRESENT_TRUE[] = {
+      0x01,                       // BOOLEAN
+      0x01,                       // length
+      0xff                        // true
+    };
+    Input input(DER_OPTIONAL_BOOLEAN_PRESENT_TRUE);
+    Reader reader(input);
+    bool value = false;
+    ASSERT_EQ(Success, OptionalBoolean(reader, value)) <<
+      "Should accept the only valid encoding of a present OPTIONAL BOOLEAN";
+    ASSERT_TRUE(value);
+    ASSERT_TRUE(reader.AtEnd());
+  }
+
+  {
+    // The OPTIONAL BOOLEAN is omitted in this data.
+    const uint8_t DER_INTEGER_05[] = {
+      0x02,                       // INTEGER
+      0x01,                       // length
+      0x05
+    };
+    Input input(DER_INTEGER_05);
+    Reader reader(input);
+    bool value = true;
+    ASSERT_EQ(Success, OptionalBoolean(reader, value)) <<
+      "Should accept a valid encoding of an omitted OPTIONAL BOOLEAN";
+    ASSERT_FALSE(value);
+    ASSERT_FALSE(reader.AtEnd());
+  }
+
+  {
+    Input input;
+    ASSERT_EQ(Success, input.Init(reinterpret_cast<const uint8_t*>(""), 0));
+    Reader reader(input);
+    bool value = true;
+    ASSERT_EQ(Success, OptionalBoolean(reader, value)) <<
+      "Should accept another valid encoding of an omitted OPTIONAL BOOLEAN";
+    ASSERT_FALSE(value);
+    ASSERT_TRUE(reader.AtEnd());
+  }
+}
+
+TEST_F(pkixder_universal_types_tests, OptionalBooleanInvalidEncodings)
+{
+  const uint8_t DER_OPTIONAL_BOOLEAN_PRESENT_FALSE[] = {
+    0x01,                       // BOOLEAN
+    0x01,                       // length
+    0x00                        // false
+  };
+
+  {
+    Input input(DER_OPTIONAL_BOOLEAN_PRESENT_FALSE);
+    Reader reader(input);
+    bool value = true;
+    ASSERT_EQ(Success, OptionalBoolean(reader, value)) <<
+      "Should accept an invalid, default-value encoding of OPTIONAL BOOLEAN";
+    ASSERT_FALSE(value);
+    ASSERT_TRUE(reader.AtEnd());
+  }
+
+  const uint8_t DER_OPTIONAL_BOOLEAN_PRESENT_42[] = {
+    0x01,                       // BOOLEAN
+    0x01,                       // length
+    0x42                        // (invalid value for a BOOLEAN)
+  };
+
+  {
+    Input input(DER_OPTIONAL_BOOLEAN_PRESENT_42);
+    Reader reader(input);
+    bool value;
+    ASSERT_EQ(Result::ERROR_BAD_DER, OptionalBoolean(reader, value)) <<
+      "Should reject an invalid-valued encoding of OPTIONAL BOOLEAN";
+  }
+}
+
+TEST_F(pkixder_universal_types_tests, Enumerated)
+{
+  const uint8_t DER_ENUMERATED[] = {
+    0x0a,                       // ENUMERATED
+    0x01,                       // length
+    0x42                        // value
+  };
+  Input input(DER_ENUMERATED);
+  Reader reader(input);
+
+  uint8_t value = 0;
+  ASSERT_EQ(Success, Enumerated(reader, value));
+  ASSERT_EQ(0x42, value);
+}
+
+TEST_F(pkixder_universal_types_tests, EnumeratedNotShortestPossibleDER)
+{
+  const uint8_t DER_ENUMERATED[] = {
+    0x0a,                       // ENUMERATED
+    0x02,                       // length
+    0x00, 0x01                  // value
+  };
+  Input input(DER_ENUMERATED);
+  Reader reader(input);
+
+  uint8_t value = 0;
+  ASSERT_EQ(Result::ERROR_INVALID_INTEGER_ENCODING, Enumerated(reader, value));
+}
+
+TEST_F(pkixder_universal_types_tests, EnumeratedOutOfAcceptedRange)
+{
+  // Although this is a valid ENUMERATED value according to ASN.1, we
+  // intentionally don't support these large values because there are no
+  // ENUMERATED values in X.509 certs or OCSP this large, and we're trying to
+  // keep the parser simple and fast.
+  const uint8_t DER_ENUMERATED_INVALID_LENGTH[] = {
+    0x0a,                       // ENUMERATED
+    0x02,                       // length
+    0x12, 0x34                  // value
+  };
+  Input input(DER_ENUMERATED_INVALID_LENGTH);
+  Reader reader(input);
+
+  uint8_t value = 0;
+  ASSERT_EQ(Result::ERROR_INVALID_INTEGER_ENCODING, Enumerated(reader, value));
+}
+
+TEST_F(pkixder_universal_types_tests, EnumeratedInvalidZeroLength)
+{
+  const uint8_t DER_ENUMERATED_INVALID_ZERO_LENGTH[] = {
+    0x0a,                       // ENUMERATED
+    0x00                        // length
+  };
+  Input input(DER_ENUMERATED_INVALID_ZERO_LENGTH);
+  Reader reader(input);
+
+  uint8_t value = 0;
+  ASSERT_EQ(Result::ERROR_INVALID_INTEGER_ENCODING, Enumerated(reader, value));
+}
+
+////////////////////////////////////////
+// GeneralizedTime and TimeChoice
+//
+// From RFC 5280 section 4.1.2.5.2
+//
+//   For the purposes of this profile, GeneralizedTime values MUST be
+//   expressed in Greenwich Mean Time (Zulu) and MUST include seconds
+//   (i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds
+//   is zero.  GeneralizedTime values MUST NOT include fractional seconds.
+//
+// And from from RFC 6960 (OCSP) section 4.2.2.1:
+//
+//   Responses can contain four times -- thisUpdate, nextUpdate,
+//   producedAt, and revocationTime.  The semantics of these fields are
+//   defined in Section 2.4.  The format for GeneralizedTime is as
+//   specified in Section 4.1.2.5.2 of [RFC5280].
+//
+// So while we can could accept other ASN1 (ITU-T X.680) encodings for
+// GeneralizedTime we should not accept them, and breaking reading of these
+// other encodings is actually encouraged.
+
+// e.g. TWO_CHARS(53) => '5', '3'
+#define TWO_CHARS(t) \
+  static_cast<uint8_t>('0' + (static_cast<uint8_t>(t) / 10u)), \
+  static_cast<uint8_t>('0' + (static_cast<uint8_t>(t) % 10u))
+
+// Calls TimeChoice on the UTCTime variant of the given generalized time.
+template <uint16_t LENGTH>
+Result
+TimeChoiceForEquivalentUTCTime(const uint8_t (&generalizedTimeDER)[LENGTH],
+                               /*out*/ Time& value)
+{
+  static_assert(LENGTH >= 4,
+                "TimeChoiceForEquivalentUTCTime input too small");
+  uint8_t utcTimeDER[LENGTH - 2];
+  utcTimeDER[0] = 0x17; // tag UTCTime
+  utcTimeDER[1] = LENGTH - 1/*tag*/ - 1/*value*/ - 2/*century*/;
+  // Copy the value except for the first two digits of the year
+  for (size_t i = 2; i < LENGTH - 2; ++i) {
+    utcTimeDER[i] = generalizedTimeDER[i + 2];
+  }
+
+  Input input(utcTimeDER);
+  Reader reader(input);
+  return TimeChoice(reader, value);
+}
+
+template <uint16_t LENGTH>
+void
+ExpectGoodTime(Time expectedValue,
+               const uint8_t (&generalizedTimeDER)[LENGTH])
+{
+  // GeneralizedTime
+  {
+    Input input(generalizedTimeDER);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Success, GeneralizedTime(reader, value));
+    EXPECT_EQ(expectedValue, value);
+  }
+
+  // TimeChoice: GeneralizedTime
+  {
+    Input input(generalizedTimeDER);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Success, TimeChoice(reader, value));
+    EXPECT_EQ(expectedValue, value);
+  }
+
+  // TimeChoice: UTCTime
+  {
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Success,
+              TimeChoiceForEquivalentUTCTime(generalizedTimeDER, value));
+    EXPECT_EQ(expectedValue, value);
+  }
+}
+
+template <uint16_t LENGTH>
+void
+ExpectBadTime(const uint8_t (&generalizedTimeDER)[LENGTH])
+{
+  // GeneralizedTime
+  {
+    Input input(generalizedTimeDER);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, GeneralizedTime(reader, value));
+  }
+
+  // TimeChoice: GeneralizedTime
+  {
+    Input input(generalizedTimeDER);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, TimeChoice(reader, value));
+  }
+
+  // TimeChoice: UTCTime
+  {
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Result::ERROR_INVALID_DER_TIME,
+              TimeChoiceForEquivalentUTCTime(generalizedTimeDER, value));
+  }
+}
+
+// Control value: a valid time
+TEST_F(pkixder_universal_types_tests, ValidControl)
+{
+  const uint8_t GT_DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '1', '9', '9', '1', '0', '5', '0', '6', '1', '6', '4', '5', '4', '0', 'Z'
+  };
+  ExpectGoodTime(YMDHMS(1991, 5, 6, 16, 45, 40), GT_DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeTimeZoneOffset)
+{
+  const uint8_t DER_GENERALIZED_TIME_OFFSET[] = {
+    0x18,                           // Generalized Time
+    19,                             // Length = 19
+    '1', '9', '9', '1', '0', '5', '0', '6', '1', '6', '4', '5', '4', '0', '-',
+    '0', '7', '0', '0'
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_OFFSET);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidZeroLength)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_ZERO_LENGTH[] = {
+    0x18,                           // GeneralizedTime
+    0x00                            // Length = 0
+  };
+
+  Time value(Time::uninitialized);
+
+  // GeneralizedTime
+  Input gtBuf(DER_GENERALIZED_TIME_INVALID_ZERO_LENGTH);
+  Reader gt(gtBuf);
+  ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, GeneralizedTime(gt, value));
+
+  // TimeChoice: GeneralizedTime
+  Input tc_gt_buf(DER_GENERALIZED_TIME_INVALID_ZERO_LENGTH);
+  Reader tc_gt(tc_gt_buf);
+  ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, TimeChoice(tc_gt, value));
+
+  // TimeChoice: UTCTime
+  const uint8_t DER_UTCTIME_INVALID_ZERO_LENGTH[] = {
+    0x17, // UTCTime
+    0x00  // Length = 0
+  };
+  Input tc_utc_buf(DER_UTCTIME_INVALID_ZERO_LENGTH);
+  Reader tc_utc(tc_utc_buf);
+  ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, TimeChoice(tc_utc, value));
+}
+
+// A non zulu time should fail
+TEST_F(pkixder_universal_types_tests, TimeInvalidLocal)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_LOCAL[] = {
+    0x18,                           // Generalized Time
+    14,                             // Length = 14
+    '1', '9', '9', '1', '0', '5', '0', '6', '1', '6', '4', '5', '4', '0'
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_INVALID_LOCAL);
+}
+
+// A time missing seconds and zulu should fail
+TEST_F(pkixder_universal_types_tests, TimeInvalidTruncated)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_TRUNCATED[] = {
+    0x18,                           // Generalized Time
+    12,                             // Length = 12
+    '1', '9', '9', '1', '0', '5', '0', '6', '1', '6', '4', '5'
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_INVALID_TRUNCATED);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeNoSeconds)
+{
+  const uint8_t DER_GENERALIZED_TIME_NO_SECONDS[] = {
+    0x18,                           // Generalized Time
+    13,                             // Length = 13
+    '1', '9', '9', '1', '0', '5', '0', '6', '1', '6', '4', '5', 'Z'
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_NO_SECONDS);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidPrefixedYear)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_PREFIXED_YEAR[] = {
+    0x18,                           // Generalized Time
+    16,                             // Length = 16
+    ' ', '1', '9', '9', '1', '0', '1', '0', '1', '0', '1', '0', '1', '0', '1', 'Z'
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_INVALID_PREFIXED_YEAR);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeTooManyDigits)
+{
+  const uint8_t DER_GENERALIZED_TIME_TOO_MANY_DIGITS[] = {
+    0x18,                           // Generalized Time
+    16,                             // Length = 16
+    '1', '1', '1', '1', '1', '0', '1', '0', '1', '0', '1', '0', '1', '0', '1', 'Z'
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_TOO_MANY_DIGITS);
+}
+
+// In order to ensure we we don't run into any trouble with conversions to and
+// from time_t we only accept times from 1970 onwards.
+TEST_F(pkixder_universal_types_tests, GeneralizedTimeYearValidRange)
+{
+  // Note that by using the last second of the last day of the year, we're also
+  // effectively testing all the accumulated conversions from Gregorian to to
+  // Julian time, including in particular the effects of leap years.
+
+  for (uint16_t i = 1970; i <= 9999; ++i) {
+    const uint8_t DER[] = {
+      0x18,                           // Generalized Time
+      15,                             // Length = 15
+      TWO_CHARS(i / 100), TWO_CHARS(i % 100), // YYYY
+      '1', '2', '3', '1', // 12-31
+      '2', '3', '5', '9', '5', '9', 'Z' // 23:59:59Z
+    };
+
+    Time expectedValue = YMDHMS(i, 12, 31, 23, 59, 59);
+
+    // We have to test GeneralizedTime separately from UTCTime instead of using
+    // ExpectGooDtime because the range of UTCTime is less than the range of
+    // GeneralizedTime.
+
+    // GeneralizedTime
+    {
+      Input input(DER);
+      Reader reader(input);
+      Time value(Time::uninitialized);
+      ASSERT_EQ(Success, GeneralizedTime(reader, value));
+      EXPECT_EQ(expectedValue, value);
+    }
+
+    // TimeChoice: GeneralizedTime
+    {
+      Input input(DER);
+      Reader reader(input);
+      Time value(Time::uninitialized);
+      ASSERT_EQ(Success, TimeChoice(reader, value));
+      EXPECT_EQ(expectedValue, value);
+    }
+
+    // TimeChoice: UTCTime, which is limited to years less than 2049.
+    if (i <= 2049) {
+      Time value(Time::uninitialized);
+      ASSERT_EQ(Success, TimeChoiceForEquivalentUTCTime(DER, value));
+      EXPECT_EQ(expectedValue, value);
+    }
+  }
+}
+
+// In order to ensure we we don't run into any trouble with conversions to and
+// from time_t we only accept times from 1970 onwards.
+TEST_F(pkixder_universal_types_tests, TimeYearInvalid1969)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '1', '9', '6', '9', '1', '2', '3', '1', // !!!1969!!!-12-31
+    '2', '3', '5', '9', '5', '9', 'Z' // 23:59:59Z
+  };
+  ExpectBadTime(DER);
+}
+
+static const uint8_t DAYS_IN_MONTH[] = {
+  0,  // unused
+  31, // January
+  28, // February (leap years tested separately)
+  31, // March
+  30, // April
+  31, // May
+  30, // Jun
+  31, // July
+  31, // August
+  30, // September
+  31, // October
+  30, // November
+  31, // December
+};
+
+TEST_F(pkixder_universal_types_tests, TimeMonthDaysValidRange)
+{
+  for (uint16_t month = 1; month <= 12; ++month) {
+    for (uint8_t day = 1; day <= DAYS_IN_MONTH[month]; ++day) {
+      const uint8_t DER[] = {
+        0x18,                           // Generalized Time
+        15,                             // Length = 15
+        '2', '0', '1', '5', TWO_CHARS(month), TWO_CHARS(day), // (2015-mm-dd)
+        '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+      };
+      ExpectGoodTime(YMDHMS(2015, month, day, 16, 45, 40), DER);
+    }
+  }
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthInvalid0)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '1', '5', '0', '0', '1', '5', // 2015-!!!00!!!-15
+    '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+  };
+  ExpectBadTime(DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthInvalid13)
+{
+  const uint8_t DER_GENERALIZED_TIME_13TH_MONTH[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '1', '9', '9', '1', //YYYY (1991)
+    '1', '3', //MM 13th month of the year
+    '0', '6', '1', '6', '4', '5', '4', '0', 'Z'
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_13TH_MONTH);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeDayInvalid0)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '1', '5', '0', '1', '0', '0', // 2015-01-!!!00!!!
+    '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+  };
+  ExpectBadTime(DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthDayInvalidPastEndOfMonth)
+{
+  for (int16_t month = 1; month <= 12; ++month) {
+    const uint8_t DER[] = {
+      0x18,                           // Generalized Time
+      15,                             // Length = 15
+      '1', '9', '9', '1', // YYYY 1991
+      TWO_CHARS(month), // MM
+      TWO_CHARS(1 + (month == 2 ? 29 : DAYS_IN_MONTH[month])), // !!!DD!!!
+      '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+    };
+    ExpectBadTime(DER);
+  }
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthFebLeapYear2016)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '1', '6', '0', '2', '2', '9', // 2016-02-29
+    '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+  };
+  ExpectGoodTime(YMDHMS(2016, 2, 29, 16, 45, 40), DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthFebLeapYear2000)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '0', '0', '0', '2', '2', '9', // 2000-02-29
+    '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+  };
+  ExpectGoodTime(YMDHMS(2000, 2, 29, 16, 45, 40), DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthFebLeapYear2400)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '4', '0', '0', '0', '2', '2', '9', // 2400-02-29
+    '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+  };
+
+  // We don't use ExpectGoodTime here because UTCTime can't represent 2400.
+
+  Time expectedValue = YMDHMS(2400, 2, 29, 16, 45, 40);
+
+  // GeneralizedTime
+  {
+    Input input(DER);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Success, GeneralizedTime(reader, value));
+    EXPECT_EQ(expectedValue, value);
+  }
+
+  // TimeChoice: GeneralizedTime
+  {
+    Input input(DER);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Success, TimeChoice(reader, value));
+    EXPECT_EQ(expectedValue, value);
+  }
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthFebNotLeapYear2014)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '1', '4', '0', '2', '2', '9', // 2014-02-29
+    '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+  };
+  ExpectBadTime(DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthFebNotLeapYear2100)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '1', '0', '0', '0', '2', '2', '9', // 2100-02-29
+    '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+  };
+
+  // We don't use ExpectBadTime here because UTCTime can't represent 2100.
+
+  // GeneralizedTime
+  {
+    Input input(DER);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, GeneralizedTime(reader, value));
+  }
+
+  // TimeChoice: GeneralizedTime
+  {
+    Input input(DER);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, TimeChoice(reader, value));
+  }
+}
+
+TEST_F(pkixder_universal_types_tests, TimeHoursValidRange)
+{
+  for (uint8_t i = 0; i <= 23; ++i) {
+    const uint8_t DER[] = {
+      0x18,                           // Generalized Time
+      15,                             // Length = 15
+      '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+      TWO_CHARS(i), '5', '9', '0', '1', 'Z' // HHMMSSZ (!!!!ii!!!!:59:01 Zulu)
+    };
+    ExpectGoodTime(YMDHMS(2012, 6, 30, i, 59, 1), DER);
+  }
+}
+
+TEST_F(pkixder_universal_types_tests, TimeHoursInvalid_24_00_00)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+    '2', '4', '0', '0', '0', '0', 'Z' // HHMMSSZ (!!24!!:00:00 Zulu)
+  };
+  ExpectBadTime(DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMinutesValidRange)
+{
+  for (uint8_t i = 0; i <= 59; ++i) {
+    const uint8_t DER[] = {
+      0x18,                           // Generalized Time
+      15,                             // Length = 15
+      '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+      '2', '3', TWO_CHARS(i), '0', '1', 'Z' // HHMMSSZ (23:!!!!ii!!!!:01 Zulu)
+    };
+    ExpectGoodTime(YMDHMS(2012, 6, 30, 23, i, 1), DER);
+  }
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMinutesInvalid60)
+{
+  const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+    '2', '3', '6', '0', '5', '9', 'Z' // HHMMSSZ (23:!!!60!!!:01 Zulu)
+  };
+  ExpectBadTime(DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeSecondsValidRange)
+{
+  for (uint8_t i = 0; i <= 59; ++i) {
+    const uint8_t DER[] = {
+      0x18,                           // Generalized Time
+      15,                             // Length = 15
+      '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+      '2', '3', '5', '9', TWO_CHARS(i), 'Z' // HHMMSSZ (23:59:!!!!ii!!!! Zulu)
+    };
+    ExpectGoodTime(YMDHMS(2012, 6, 30, 23, 59, i), DER);
+  }
+}
+
+// No Leap Seconds (60)
+TEST_F(pkixder_universal_types_tests, TimeSecondsInvalid60)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+    '2', '3', '5', '9', '6', '0', 'Z' // HHMMSSZ (23:59:!!!!60!!!! Zulu)
+  };
+  ExpectBadTime(DER);
+}
+
+// No Leap Seconds (61)
+TEST_F(pkixder_universal_types_tests, TimeSecondsInvalid61)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+    '2', '3', '5', '9', '6', '1', 'Z' // HHMMSSZ (23:59:!!!!61!!!! Zulu)
+  };
+  ExpectBadTime(DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidZulu)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_ZULU[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+    '2', '3', '5', '9', '5', '9', 'z' // HHMMSSZ (23:59:59 !!!z!!!) should be Z
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_INVALID_ZULU);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidExtraData)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_EXTRA_DATA[] = {
+    0x18,                           // Generalized Time
+    16,                             // Length = 16
+    '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+    '2', '3', '5', '9', '5', '9', 'Z', // HHMMSSZ (23:59:59Z)
+    0 // Extra null character
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_INVALID_EXTRA_DATA);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidCenturyChar)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_CENTURY_CHAR[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    'X', '9', '9', '1', '1', '2', '0', '6', // YYYYMMDD (X991-12-06)
+    '1', '6', '4', '5', '4', '0', 'Z' // HHMMSSZ (16:45:40Z)
+  };
+
+  // We can't use ExpectBadTime here, because ExpectBadTime requires
+  // consistent results for GeneralizedTime and UTCTime, but the results
+  // for this input are different.
+
+  // GeneralizedTime
+  {
+    Input input(DER_GENERALIZED_TIME_INVALID_CENTURY_CHAR);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, GeneralizedTime(reader, value));
+  }
+
+  // TimeChoice: GeneralizedTime
+  {
+    Input input(DER_GENERALIZED_TIME_INVALID_CENTURY_CHAR);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, TimeChoice(reader, value));
+  }
+
+  // This test is not applicable to TimeChoice: UTCTime
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidYearChar)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_YEAR_CHAR[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '1', '9', '9', 'I', '0', '1', '0', '6', // YYYYMMDD (199I-12-06)
+    '1', '6', '4', '5', '4', '0', 'Z' // HHMMSSZ (16:45:40Z)
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_INVALID_YEAR_CHAR);
+}
+
+TEST_F(pkixder_universal_types_tests, GeneralizedTimeInvalidMonthChar)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_MONTH_CHAR[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '1', '9', '9', '1', '0', 'I', '0', '6', // YYYYMMDD (1991-0I-06)
+    '1', '6', '4', '5', '4', '0', 'Z' // HHMMSSZ (16:45:40Z)
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_INVALID_MONTH_CHAR);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidDayChar)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_DAY_CHAR[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '1', '9', '9', '1', '0', '1', '0', 'S', // YYYYMMDD (1991-01-0S)
+    '1', '6', '4', '5', '4', '0', 'Z' // HHMMSSZ (16:45:40Z)
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_INVALID_DAY_CHAR);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidFractionalSeconds)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_FRACTIONAL_SECONDS[] = {
+    0x18,                           // Generalized Time
+    17,                             // Length = 17
+    '1', '9', '9', '1', '0', '1', '0', '1', // YYYYMMDD (1991-01-01)
+    '1', '6', '4', '5', '4', '0', '.', '3', 'Z' // HHMMSS.FFF (16:45:40.3Z)
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_INVALID_FRACTIONAL_SECONDS);
+}
+
+struct IntegerTestParams
+{
+  ByteString encoded;
+  struct PositiveIntegerParams
+  {
+    Result expectedResult;
+    Input::size_type significantBytesIfValid;
+  } positiveInteger;
+  struct SmallNonnegativeIntegerParams
+  {
+    Result expectedResult;
+    uint8_t valueIfValid;
+  } smallNonnegativeInteger;
+};
+
+class pkixder_universal_types_tests_Integer
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<IntegerTestParams>
+{
+};
+
+::std::ostream& operator<<(::std::ostream& os, const IntegerTestParams&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+#define INVALID 0xFF
+
+static const IntegerTestParams INTEGER_TEST_PARAMS[] =
+{
+  // Zero is encoded with one value byte of 0x00.
+  { TLV(2, ByteString()),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x00"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Success, 0 } },
+
+  // Positive single-byte values
+  { TLV(2, "\x01"), { Success, 1 }, { Success, 1} },
+  { TLV(2, "\x02"), { Success, 1 }, { Success, 2} },
+  { TLV(2, "\x7e"), { Success, 1 }, { Success, 0x7e} },
+  { TLV(2, "\x7f"), { Success, 1 }, { Success, 0x7f} },
+
+  // Negative single-byte values
+  { TLV(2, "\x80"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x81"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\xFE"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\xFF"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+  // Positive two-byte values not starting with 0x00
+  { TLV(2, "\x7F\x00"),
+    { Success, 2 },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x01\x00"),
+    { Success, 2 },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x01\x02"),
+    { Success, 2 },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+  // Negative two-byte values not starting with 0xFF
+  { TLV(2, "\x80\x00"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x80\x7F"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x80\x80"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x80\xFF"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+  // The leading zero is necessary.
+  { TLV(2, "\x00\x80"),
+    { Success, 1},
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x00\x81"),
+    { Success, 1},
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x00\xFF"),
+    { Success, 1},
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+  // The leading zero is unnecessary.
+  { TLV(2, "\x00\x01"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x00\x7F"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+  // The leading 0xFF is necessary.
+  { TLV(2, "\xFF\x00"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\xFF\x7F"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+  // The leading 0xFF is unnecessary.
+  { TLV(2, "\xFF\x80"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\xFF\xFF"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+  // Truncated values
+  { TLV(2, 1, ByteString(/*missing value*/)),
+    { Result::ERROR_BAD_DER, INVALID },
+    { Result::ERROR_BAD_DER, INVALID } },
+  { TLV(2, 3, "\x11\x22" /*truncated*/),
+    { Result::ERROR_BAD_DER, INVALID },
+    { Result::ERROR_BAD_DER, INVALID } },
+  { TLV(2, 4, "\x11\x22" /*truncated*/),
+    { Result::ERROR_BAD_DER, INVALID },
+    { Result::ERROR_BAD_DER, INVALID } },
+  { TLV(2, 2, "\x00" /*truncated*/),
+    { Result::ERROR_BAD_DER, INVALID },
+    { Result::ERROR_BAD_DER, INVALID } },
+  { TLV(2, 2, "\xFF" /*truncated*/),
+    { Result::ERROR_BAD_DER, INVALID },
+    { Result::ERROR_BAD_DER, INVALID } },
+  { TLV(2, 3, "\x00\x80" /*truncated*/),
+    { Result::ERROR_BAD_DER, INVALID },
+    { Result::ERROR_BAD_DER, INVALID } },
+  { TLV(2, 3, "\xFF\x00" /*truncated*/),
+    { Result::ERROR_BAD_DER, INVALID },
+    { Result::ERROR_BAD_DER, INVALID } },
+
+  // Misc. larger values
+  { TLV(2, 4, "\x11\x22\x33\x44"),
+    { Success, 4 },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2,
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"),
+    { Success, 256 },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+};
+
+TEST_P(pkixder_universal_types_tests_Integer, Integer)
+{
+  const IntegerTestParams& params(GetParam());
+  Input input;
+  ASSERT_EQ(Success, input.Init(params.encoded.data(),
+                                params.encoded.length()));
+  Reader reader(input);
+  Result expectedResult = params.smallNonnegativeInteger.expectedResult;
+  uint8_t value;
+  ASSERT_EQ(expectedResult, der::Integer(reader, value));
+  if (expectedResult == Success) {
+    ASSERT_EQ(params.smallNonnegativeInteger.valueIfValid, value);
+    ASSERT_TRUE(reader.AtEnd());
+  }
+}
+
+TEST_P(pkixder_universal_types_tests_Integer,
+       PositiveInteger_without_significantBytes)
+{
+  const IntegerTestParams& params(GetParam());
+  Input input;
+  ASSERT_EQ(Success, input.Init(params.encoded.data(),
+                                params.encoded.length()));
+  Reader reader(input);
+  Result expectedResult = params.positiveInteger.expectedResult;
+  Input value;
+  ASSERT_EQ(expectedResult, der::PositiveInteger(reader, value));
+  if (expectedResult == Success) {
+    Reader anotherReader(input);
+    Input expectedValue;
+    ASSERT_EQ(Success, ExpectTagAndGetValue(anotherReader,
+                                            der::INTEGER, expectedValue));
+    ASSERT_TRUE(InputsAreEqual(expectedValue, value));
+    ASSERT_TRUE(reader.AtEnd());
+  }
+}
+
+TEST_P(pkixder_universal_types_tests_Integer,
+       PositiveInteger_with_significantBytes)
+{
+  const IntegerTestParams& params(GetParam());
+  Input input;
+  ASSERT_EQ(Success, input.Init(params.encoded.data(),
+                                params.encoded.length()));
+  Reader reader(input);
+  Result expectedResult = params.positiveInteger.expectedResult;
+  Input value;
+  Input::size_type significantBytes = INVALID;
+  ASSERT_EQ(expectedResult, der::PositiveInteger(reader, value,
+                                                 &significantBytes));
+  if (expectedResult == Success) {
+    ASSERT_NE(INVALID, params.positiveInteger.significantBytesIfValid);
+    ASSERT_EQ(params.positiveInteger.significantBytesIfValid,
+              significantBytes);
+
+    Reader anotherReader(input);
+    Input expectedValue;
+    ASSERT_EQ(Success, ExpectTagAndGetValue(anotherReader,
+                                            der::INTEGER, expectedValue));
+    ASSERT_TRUE(InputsAreEqual(expectedValue, value));
+    ASSERT_TRUE(reader.AtEnd());
+  }
+}
+
+#undef INVALID
+
+INSTANTIATE_TEST_CASE_P(pkixder_universal_types_tests_Integer,
+                        pkixder_universal_types_tests_Integer,
+                        testing::ValuesIn(INTEGER_TEST_PARAMS));
+
+TEST_F(pkixder_universal_types_tests, OptionalIntegerSupportedDefault)
+{
+  // The input is a BOOLEAN and not INTEGER for the input so we'll not parse
+  // anything and instead use the default value.
+  Input input(DER_BOOLEAN_TRUE);
+  Reader reader(input);
+
+  long value = 1;
+  ASSERT_EQ(Success, OptionalInteger(reader, -1, value));
+  ASSERT_EQ(-1, value);
+  bool boolValue;
+  ASSERT_EQ(Success, Boolean(reader, boolValue));
+}
+
+TEST_F(pkixder_universal_types_tests, OptionalIntegerUnsupportedDefault)
+{
+  // The same as the previous test, except with an unsupported default value
+  // passed in.
+  Input input(DER_BOOLEAN_TRUE);
+  Reader reader(input);
+
+  long value;
+  ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS, OptionalInteger(reader, 0, value));
+}
+
+TEST_F(pkixder_universal_types_tests, OptionalIntegerSupportedDefaultAtEnd)
+{
+  static const uint8_t dummy = 1;
+  Input input;
+  ASSERT_EQ(Success, input.Init(&dummy, 0));
+  Reader reader(input);
+
+  long value = 1;
+  ASSERT_EQ(Success, OptionalInteger(reader, -1, value));
+  ASSERT_EQ(-1, value);
+}
+
+TEST_F(pkixder_universal_types_tests, OptionalIntegerNonDefaultValue)
+{
+  static const uint8_t DER[] = {
+    0x02, // INTEGER
+    0x01, // length
+    0x00
+  };
+  Input input(DER);
+  Reader reader(input);
+
+  long value = 2;
+  ASSERT_EQ(Success, OptionalInteger(reader, -1, value));
+  ASSERT_EQ(0, value);
+  ASSERT_TRUE(reader.AtEnd());
+}
+
+TEST_F(pkixder_universal_types_tests, Null)
+{
+  const uint8_t DER_NUL[] = {
+    0x05,
+    0x00
+  };
+  Input input(DER_NUL);
+  Reader reader(input);
+
+  ASSERT_EQ(Success, Null(reader));
+}
+
+TEST_F(pkixder_universal_types_tests, NullWithBadLength)
+{
+  const uint8_t DER_NULL_BAD_LENGTH[] = {
+    0x05,
+    0x01,
+    0x00
+  };
+  Input input(DER_NULL_BAD_LENGTH);
+  Reader reader(input);
+
+  ASSERT_EQ(Result::ERROR_BAD_DER, Null(reader));
+}
+
+TEST_F(pkixder_universal_types_tests, OID)
+{
+  const uint8_t DER_VALID_OID[] = {
+    0x06,
+    0x09,
+    0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
+  };
+  Input input(DER_VALID_OID);
+  Reader reader(input);
+
+  const uint8_t expectedOID[] = {
+    0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
+  };
+
+  ASSERT_EQ(Success, OID(reader, expectedOID));
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixgtest.cpp b/security/nss/gtests/mozpkix_gtest/pkixgtest.cpp
new file mode 100644
index 000000000..45932731b
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixgtest.cpp
@@ -0,0 +1,46 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include <ctime>
+
+#include "mozpkix/Time.h"
+
+namespace mozilla { namespace pkix { namespace test {
+
+static const std::time_t ONE_DAY_IN_SECONDS_AS_TIME_T =
+  static_cast<std::time_t>(Time::ONE_DAY_IN_SECONDS);
+
+// This assumes that time/time_t are POSIX-compliant in that time() returns
+// the number of seconds since the Unix epoch.
+static const std::time_t now(time(nullptr));
+const std::time_t oneDayBeforeNow(now - ONE_DAY_IN_SECONDS_AS_TIME_T);
+const std::time_t oneDayAfterNow(now + ONE_DAY_IN_SECONDS_AS_TIME_T);
+const std::time_t twoDaysBeforeNow(now - (2 * ONE_DAY_IN_SECONDS_AS_TIME_T));
+const std::time_t twoDaysAfterNow(now + (2 * ONE_DAY_IN_SECONDS_AS_TIME_T));
+const std::time_t tenDaysBeforeNow(now - (10 * ONE_DAY_IN_SECONDS_AS_TIME_T));
+const std::time_t tenDaysAfterNow(now + (10 * ONE_DAY_IN_SECONDS_AS_TIME_T));
+
+} } } // namespace mozilla::pkix::test
diff --git a/security/nss/gtests/mozpkix_gtest/pkixgtest.h b/security/nss/gtests/mozpkix_gtest/pkixgtest.h
new file mode 100644
index 000000000..bb3491d44
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixgtest.h
@@ -0,0 +1,229 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef mozilla_pkix_pkixgtest_h
+#define mozilla_pkix_pkixgtest_h
+
+#include <ostream>
+
+#if defined(__clang__)
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated"
+#pragma clang diagnostic ignored "-Wmissing-noreturn"
+#pragma clang diagnostic ignored "-Wshift-sign-overflow"
+#pragma clang diagnostic ignored "-Wsign-conversion"
+#pragma clang diagnostic ignored "-Wundef"
+#elif defined(__GNUC__)
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wextra"
+#elif defined(_MSC_VER)
+#pragma warning(push, 3)
+// C4224: Nonstandard extension used: formal parameter 'X' was previously
+//        defined as a type.
+#pragma warning(disable : 4224)
+// C4826: Conversion from 'type1 ' to 'type_2' is sign - extended. This may
+//        cause unexpected runtime behavior.
+#pragma warning(disable : 4826)
+#endif
+
+#include "gtest/gtest.h"
+
+#if defined(__clang__)
+#pragma clang diagnostic pop
+#elif defined(__GNUC__)
+#pragma GCC diagnostic pop
+#elif defined(_MSC_VER)
+#pragma warning(pop)
+#endif
+
+#include "mozpkix/pkix.h"
+#include "mozpkix/test/pkixtestutil.h"
+
+// PrintTo must be in the same namespace as the type we're overloading it for.
+namespace mozilla {
+namespace pkix {
+
+inline void PrintTo(const Result& result, ::std::ostream* os) {
+  const char* stringified = MapResultToName(result);
+  if (stringified) {
+    *os << stringified;
+  } else {
+    *os << "mozilla::pkix::Result(" << static_cast<unsigned int>(result) << ")";
+  }
+}
+}
+}  // namespace mozilla::pkix
+
+namespace mozilla {
+namespace pkix {
+namespace test {
+
+extern const std::time_t oneDayBeforeNow;
+extern const std::time_t oneDayAfterNow;
+extern const std::time_t twoDaysBeforeNow;
+extern const std::time_t twoDaysAfterNow;
+extern const std::time_t tenDaysBeforeNow;
+extern const std::time_t tenDaysAfterNow;
+
+class EverythingFailsByDefaultTrustDomain : public TrustDomain {
+ public:
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input,
+                      /*out*/ TrustLevel&) override {
+    ADD_FAILURE();
+    return NotReached("GetCertTrust should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result FindIssuer(Input, IssuerChecker&, Time) override {
+    ADD_FAILURE();
+    return NotReached("FindIssuer should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*,
+                         /*optional*/ const Input*) override {
+    ADD_FAILURE();
+    return NotReached("CheckRevocation should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override {
+    ADD_FAILURE();
+    return NotReached("IsChainValid should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result DigestBuf(Input, DigestAlgorithm, /*out*/ uint8_t*, size_t) override {
+    ADD_FAILURE();
+    return NotReached("DigestBuf should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result CheckSignatureDigestAlgorithm(DigestAlgorithm, EndEntityOrCA,
+                                       Time) override {
+    ADD_FAILURE();
+    return NotReached("CheckSignatureDigestAlgorithm should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result CheckECDSACurveIsAcceptable(EndEntityOrCA, NamedCurve) override {
+    ADD_FAILURE();
+    return NotReached("CheckECDSACurveIsAcceptable should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result VerifyECDSASignedDigest(const SignedDigest&, Input) override {
+    ADD_FAILURE();
+    return NotReached("VerifyECDSASignedDigest should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA,
+                                            unsigned int) override {
+    ADD_FAILURE();
+    return NotReached("CheckRSAPublicKeyModulusSizeInBits should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result VerifyRSAPKCS1SignedDigest(const SignedDigest&, Input) override {
+    ADD_FAILURE();
+    return NotReached("VerifyRSAPKCS1SignedDigest should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA,
+                                   KeyPurposeId) override {
+    ADD_FAILURE();
+    return NotReached("CheckValidityIsAcceptable should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result NetscapeStepUpMatchesServerAuth(Time, bool&) override {
+    ADD_FAILURE();
+    return NotReached("NetscapeStepUpMatchesServerAuth should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  virtual void NoteAuxiliaryExtension(AuxiliaryExtension, Input) override {
+    ADD_FAILURE();
+  }
+};
+
+class DefaultCryptoTrustDomain : public EverythingFailsByDefaultTrustDomain {
+  Result DigestBuf(Input item, DigestAlgorithm digestAlg,
+                   /*out*/ uint8_t* digestBuf, size_t digestBufLen) override {
+    return TestDigestBuf(item, digestAlg, digestBuf, digestBufLen);
+  }
+
+  Result CheckSignatureDigestAlgorithm(DigestAlgorithm, EndEntityOrCA,
+                                       Time) override {
+    return Success;
+  }
+
+  Result CheckECDSACurveIsAcceptable(EndEntityOrCA, NamedCurve) override {
+    return Success;
+  }
+
+  Result VerifyECDSASignedDigest(const SignedDigest& signedDigest,
+                                 Input subjectPublicKeyInfo) override {
+    return TestVerifyECDSASignedDigest(signedDigest, subjectPublicKeyInfo);
+  }
+
+  Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA,
+                                            unsigned int) override {
+    return Success;
+  }
+
+  Result VerifyRSAPKCS1SignedDigest(const SignedDigest& signedDigest,
+                                    Input subjectPublicKeyInfo) override {
+    return TestVerifyRSAPKCS1SignedDigest(signedDigest, subjectPublicKeyInfo);
+  }
+
+  Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA,
+                                   KeyPurposeId) override {
+    return Success;
+  }
+
+  Result NetscapeStepUpMatchesServerAuth(Time, /*out*/ bool& matches) override {
+    matches = true;
+    return Success;
+  }
+
+  void NoteAuxiliaryExtension(AuxiliaryExtension, Input) override {}
+};
+
+class DefaultNameMatchingPolicy : public NameMatchingPolicy {
+ public:
+  virtual Result FallBackToCommonName(
+      Time,
+      /*out*/ FallBackToSearchWithinSubject& fallBackToCommonName) override {
+    fallBackToCommonName = FallBackToSearchWithinSubject::Yes;
+    return Success;
+  }
+};
+}
+}
+}  // namespace mozilla::pkix::test
+
+#endif  // mozilla_pkix_pkixgtest_h
diff --git a/security/nss/gtests/mozpkix_gtest/pkixnames_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixnames_tests.cpp
new file mode 100644
index 000000000..2169db9db
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixnames_tests.cpp
@@ -0,0 +1,2838 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixcheck.h"
+#include "mozpkix/pkixder.h"
+#include "mozpkix/pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+Result MatchPresentedDNSIDWithReferenceDNSID(Input presentedDNSID,
+                                             Input referenceDNSID,
+                                             /*out*/ bool& matches);
+
+bool IsValidReferenceDNSID(Input hostname);
+bool IsValidPresentedDNSID(Input hostname);
+bool ParseIPv4Address(Input hostname, /*out*/ uint8_t (&out)[4]);
+bool ParseIPv6Address(Input hostname, /*out*/ uint8_t (&out)[16]);
+
+} } // namespace mozilla::pkix
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+struct PresentedMatchesReference
+{
+  ByteString presentedDNSID;
+  ByteString referenceDNSID;
+  Result expectedResult;
+  bool expectedMatches; // only valid when expectedResult == Success
+};
+
+::std::ostream& operator<<(::std::ostream& os, const PresentedMatchesReference&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+#define DNS_ID_MATCH(a, b) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(a), sizeof(a) - 1), \
+    ByteString(reinterpret_cast<const uint8_t*>(b), sizeof(b) - 1), \
+    Success, \
+    true \
+  }
+
+#define DNS_ID_MISMATCH(a, b) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(a), sizeof(a) - 1), \
+    ByteString(reinterpret_cast<const uint8_t*>(b), sizeof(b) - 1), \
+    Success, \
+    false \
+  }
+
+#define DNS_ID_BAD_DER(a, b) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(a), sizeof(a) - 1), \
+    ByteString(reinterpret_cast<const uint8_t*>(b), sizeof(b) - 1), \
+    Result::ERROR_BAD_DER, \
+    false \
+  }
+
+static const PresentedMatchesReference DNSID_MATCH_PARAMS[] =
+{
+  DNS_ID_BAD_DER("", "a"),
+
+  DNS_ID_MATCH("a", "a"),
+  DNS_ID_MISMATCH("b", "a"),
+
+  DNS_ID_MATCH("*.b.a", "c.b.a"),
+  DNS_ID_MISMATCH("*.b.a", "b.a"),
+  DNS_ID_MISMATCH("*.b.a", "b.a."),
+
+  // We allow underscores for compatibility with existing practices.
+  DNS_ID_MATCH("a_b", "a_b"),
+  DNS_ID_MATCH("*.example.com", "uses_underscore.example.com"),
+  DNS_ID_MATCH("*.uses_underscore.example.com", "a.uses_underscore.example.com"),
+
+  // See bug 1139039
+  DNS_ID_MATCH("_.example.com", "_.example.com"),
+  DNS_ID_MATCH("*.example.com", "_.example.com"),
+  DNS_ID_MATCH("_", "_"),
+  DNS_ID_MATCH("___", "___"),
+  DNS_ID_MATCH("example_", "example_"),
+  DNS_ID_MATCH("_example", "_example"),
+  DNS_ID_MATCH("*._._", "x._._"),
+
+  // See bug 1139039
+  // A DNS-ID must not end in an all-numeric label. We don't consider
+  // underscores to be numeric.
+  DNS_ID_MATCH("_1", "_1"),
+  DNS_ID_MATCH("example._1", "example._1"),
+  DNS_ID_MATCH("example.1_", "example.1_"),
+
+  // Wildcard not in leftmost label
+  DNS_ID_MATCH("d.c.b.a", "d.c.b.a"),
+  DNS_ID_BAD_DER("d.*.b.a", "d.c.b.a"),
+  DNS_ID_BAD_DER("d.c*.b.a", "d.c.b.a"),
+  DNS_ID_BAD_DER("d.c*.b.a", "d.cc.b.a"),
+
+  // case sensitivity
+  DNS_ID_MATCH("abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
+  DNS_ID_MATCH("ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz"),
+  DNS_ID_MATCH("aBc", "Abc"),
+
+  // digits
+  DNS_ID_MATCH("a1", "a1"),
+
+  // A trailing dot indicates an absolute name. Absolute presented names are
+  // not allowed, but absolute reference names are allowed.
+  DNS_ID_MATCH("example", "example"),
+  DNS_ID_BAD_DER("example.", "example."),
+  DNS_ID_MATCH("example", "example."),
+  DNS_ID_BAD_DER("example.", "example"),
+  DNS_ID_MATCH("example.com", "example.com"),
+  DNS_ID_BAD_DER("example.com.", "example.com."),
+  DNS_ID_MATCH("example.com", "example.com."),
+  DNS_ID_BAD_DER("example.com.", "example.com"),
+  DNS_ID_BAD_DER("example.com..", "example.com."),
+  DNS_ID_BAD_DER("example.com..", "example.com"),
+  DNS_ID_BAD_DER("example.com...", "example.com."),
+
+  // xn-- IDN prefix
+  DNS_ID_BAD_DER("x*.b.a", "xa.b.a"),
+  DNS_ID_BAD_DER("x*.b.a", "xna.b.a"),
+  DNS_ID_BAD_DER("x*.b.a", "xn-a.b.a"),
+  DNS_ID_BAD_DER("x*.b.a", "xn--a.b.a"),
+  DNS_ID_BAD_DER("xn*.b.a", "xn--a.b.a"),
+  DNS_ID_BAD_DER("xn-*.b.a", "xn--a.b.a"),
+  DNS_ID_BAD_DER("xn--*.b.a", "xn--a.b.a"),
+  DNS_ID_BAD_DER("xn*.b.a", "xn--a.b.a"),
+  DNS_ID_BAD_DER("xn-*.b.a", "xn--a.b.a"),
+  DNS_ID_BAD_DER("xn--*.b.a", "xn--a.b.a"),
+  DNS_ID_BAD_DER("xn---*.b.a", "xn--a.b.a"),
+
+  // "*" cannot expand to nothing.
+  DNS_ID_BAD_DER("c*.b.a", "c.b.a"),
+
+  /////////////////////////////////////////////////////////////////////////////
+  // These are test cases adapted from Chromium's x509_certificate_unittest.cc.
+  // The parameter order is the opposite in Chromium's tests. Also, some tests
+  // were modified to fit into this framework or due to intentional differences
+  // between mozilla::pkix and Chromium.
+
+  DNS_ID_MATCH("foo.com", "foo.com"),
+  DNS_ID_MATCH("f", "f"),
+  DNS_ID_MISMATCH("i", "h"),
+  DNS_ID_MATCH("*.foo.com", "bar.foo.com"),
+  DNS_ID_MATCH("*.test.fr", "www.test.fr"),
+  DNS_ID_MATCH("*.test.FR", "wwW.tESt.fr"),
+  DNS_ID_BAD_DER(".uk", "f.uk"),
+  DNS_ID_BAD_DER("?.bar.foo.com", "w.bar.foo.com"),
+  DNS_ID_BAD_DER("(www|ftp).foo.com", "www.foo.com"), // regex!
+  DNS_ID_BAD_DER("www.foo.com\0", "www.foo.com"),
+  DNS_ID_BAD_DER("www.foo.com\0*.foo.com", "www.foo.com"),
+  DNS_ID_MISMATCH("ww.house.example", "www.house.example"),
+  DNS_ID_MISMATCH("www.test.org", "test.org"),
+  DNS_ID_MISMATCH("*.test.org", "test.org"),
+  DNS_ID_BAD_DER("*.org", "test.org"),
+  DNS_ID_BAD_DER("w*.bar.foo.com", "w.bar.foo.com"),
+  DNS_ID_BAD_DER("ww*ww.bar.foo.com", "www.bar.foo.com"),
+  DNS_ID_BAD_DER("ww*ww.bar.foo.com", "wwww.bar.foo.com"),
+
+  // Different than Chromium, matches NSS.
+  DNS_ID_BAD_DER("w*w.bar.foo.com", "wwww.bar.foo.com"),
+
+  DNS_ID_BAD_DER("w*w.bar.foo.c0m", "wwww.bar.foo.com"),
+
+  // '*' must be the only character in the wildcard label
+  DNS_ID_BAD_DER("wa*.bar.foo.com", "WALLY.bar.foo.com"),
+
+  // We require "*" to be the last character in a wildcard label, but
+  // Chromium does not.
+  DNS_ID_BAD_DER("*Ly.bar.foo.com", "wally.bar.foo.com"),
+
+  // Chromium does URL decoding of the reference ID, but we don't, and we also
+  // require that the reference ID is valid, so we can't test these two.
+  // DNS_ID_MATCH("www.foo.com", "ww%57.foo.com"),
+  // DNS_ID_MATCH("www&.foo.com", "www%26.foo.com"),
+
+  DNS_ID_MISMATCH("*.test.de", "www.test.co.jp"),
+  DNS_ID_BAD_DER("*.jp", "www.test.co.jp"),
+  DNS_ID_MISMATCH("www.test.co.uk", "www.test.co.jp"),
+  DNS_ID_BAD_DER("www.*.co.jp", "www.test.co.jp"),
+  DNS_ID_MATCH("www.bar.foo.com", "www.bar.foo.com"),
+  DNS_ID_MISMATCH("*.foo.com", "www.bar.foo.com"),
+  DNS_ID_BAD_DER("*.*.foo.com", "www.bar.foo.com"),
+  DNS_ID_BAD_DER("*.*.foo.com", "www.bar.foo.com"),
+
+  // Our matcher requires the reference ID to be a valid DNS name, so we cannot
+  // test this case.
+  //DNS_ID_BAD_DER("*.*.bar.foo.com", "*..bar.foo.com"),
+
+  DNS_ID_MATCH("www.bath.org", "www.bath.org"),
+
+  // Our matcher requires the reference ID to be a valid DNS name, so we cannot
+  // test these cases.
+  // DNS_ID_BAD_DER("www.bath.org", ""),
+  // DNS_ID_BAD_DER("www.bath.org", "20.30.40.50"),
+  // DNS_ID_BAD_DER("www.bath.org", "66.77.88.99"),
+
+  // IDN tests
+  DNS_ID_MATCH("xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br"),
+  DNS_ID_MATCH("*.xn--poema-9qae5a.com.br", "www.xn--poema-9qae5a.com.br"),
+  DNS_ID_MISMATCH("*.xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br"),
+  DNS_ID_BAD_DER("xn--poema-*.com.br", "xn--poema-9qae5a.com.br"),
+  DNS_ID_BAD_DER("xn--*-9qae5a.com.br", "xn--poema-9qae5a.com.br"),
+  DNS_ID_BAD_DER("*--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br"),
+
+  // The following are adapted from the examples quoted from
+  //   http://tools.ietf.org/html/rfc6125#section-6.4.3
+  // (e.g., *.example.com would match foo.example.com but
+  // not bar.foo.example.com or example.com).
+  DNS_ID_MATCH("*.example.com", "foo.example.com"),
+  DNS_ID_MISMATCH("*.example.com", "bar.foo.example.com"),
+  DNS_ID_MISMATCH("*.example.com", "example.com"),
+  // (e.g., baz*.example.net and *baz.example.net and b*z.example.net would
+  // be taken to match baz1.example.net and foobaz.example.net and
+  // buzz.example.net, respectively. However, we don't allow any characters
+  // other than '*' in the wildcard label.
+  DNS_ID_BAD_DER("baz*.example.net", "baz1.example.net"),
+
+  // Both of these are different from Chromium, but match NSS, becaues the
+  // wildcard character "*" is not the last character of the label.
+  DNS_ID_BAD_DER("*baz.example.net", "foobaz.example.net"),
+  DNS_ID_BAD_DER("b*z.example.net", "buzz.example.net"),
+
+  // Wildcards should not be valid for public registry controlled domains,
+  // and unknown/unrecognized domains, at least three domain components must
+  // be present. For mozilla::pkix and NSS, there must always be at least two
+  // labels after the wildcard label.
+  DNS_ID_MATCH("*.test.example", "www.test.example"),
+  DNS_ID_MATCH("*.example.co.uk", "test.example.co.uk"),
+  DNS_ID_BAD_DER("*.exmaple", "test.example"),
+
+  // The result is different than Chromium, because Chromium takes into account
+  // the additional knowledge it has that "co.uk" is a TLD. mozilla::pkix does
+  // not know that.
+  DNS_ID_MATCH("*.co.uk", "example.co.uk"),
+
+  DNS_ID_BAD_DER("*.com", "foo.com"),
+  DNS_ID_BAD_DER("*.us", "foo.us"),
+  DNS_ID_BAD_DER("*", "foo"),
+
+  // IDN variants of wildcards and registry controlled domains.
+  DNS_ID_MATCH("*.xn--poema-9qae5a.com.br", "www.xn--poema-9qae5a.com.br"),
+  DNS_ID_MATCH("*.example.xn--mgbaam7a8h", "test.example.xn--mgbaam7a8h"),
+
+  // RFC6126 allows this, and NSS accepts it, but Chromium disallows it.
+  // TODO: File bug against Chromium.
+  DNS_ID_MATCH("*.com.br", "xn--poema-9qae5a.com.br"),
+
+  DNS_ID_BAD_DER("*.xn--mgbaam7a8h", "example.xn--mgbaam7a8h"),
+  // Wildcards should be permissible for 'private' registry-controlled
+  // domains. (In mozilla::pkix, we do not know if it is a private registry-
+  // controlled domain or not.)
+  DNS_ID_MATCH("*.appspot.com", "www.appspot.com"),
+  DNS_ID_MATCH("*.s3.amazonaws.com", "foo.s3.amazonaws.com"),
+
+  // Multiple wildcards are not valid.
+  DNS_ID_BAD_DER("*.*.com", "foo.example.com"),
+  DNS_ID_BAD_DER("*.bar.*.com", "foo.bar.example.com"),
+
+  // Absolute vs relative DNS name tests. Although not explicitly specified
+  // in RFC 6125, absolute reference names (those ending in a .) should
+  // match either absolute or relative presented names. We don't allow
+  // absolute presented names.
+  // TODO: File errata against RFC 6125 about this.
+  DNS_ID_BAD_DER("foo.com.", "foo.com"),
+  DNS_ID_MATCH("foo.com", "foo.com."),
+  DNS_ID_BAD_DER("foo.com.", "foo.com."),
+  DNS_ID_BAD_DER("f.", "f"),
+  DNS_ID_MATCH("f", "f."),
+  DNS_ID_BAD_DER("f.", "f."),
+  DNS_ID_BAD_DER("*.bar.foo.com.", "www-3.bar.foo.com"),
+  DNS_ID_MATCH("*.bar.foo.com", "www-3.bar.foo.com."),
+  DNS_ID_BAD_DER("*.bar.foo.com.", "www-3.bar.foo.com."),
+
+  // We require the reference ID to be a valid DNS name, so we cannot test this
+  // case.
+  // DNS_ID_MISMATCH(".", "."),
+
+  DNS_ID_BAD_DER("*.com.", "example.com"),
+  DNS_ID_BAD_DER("*.com", "example.com."),
+  DNS_ID_BAD_DER("*.com.", "example.com."),
+  DNS_ID_BAD_DER("*.", "foo."),
+  DNS_ID_BAD_DER("*.", "foo"),
+
+  // The result is different than Chromium because we don't know that co.uk is
+  // a TLD.
+  DNS_ID_MATCH("*.co.uk", "foo.co.uk"),
+  DNS_ID_MATCH("*.co.uk", "foo.co.uk."),
+  DNS_ID_BAD_DER("*.co.uk.", "foo.co.uk"),
+  DNS_ID_BAD_DER("*.co.uk.", "foo.co.uk."),
+
+  DNS_ID_MISMATCH("*.example.com", "localhost"),
+  DNS_ID_MISMATCH("*.example.com", "localhost."),
+  // Note that we already have the testcase DNS_ID_BAD_DER("*", "foo") above
+};
+
+struct InputValidity
+{
+  ByteString input;
+  bool isValidReferenceID;
+  bool isValidPresentedID;
+};
+
+::std::ostream& operator<<(::std::ostream& os, const InputValidity&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+// str is null-terminated, which is why we subtract 1. str may contain embedded
+// nulls (including at the end) preceding the null terminator though.
+#define I(str, validReferenceID, validPresentedID) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \
+    validReferenceID, \
+    validPresentedID, \
+  }
+
+static const InputValidity DNSNAMES_VALIDITY[] =
+{
+  I("a", true, true),
+  I("a.b", true, true),
+  I("a.b.c", true, true),
+  I("a.b.c.d", true, true),
+
+  // empty labels
+  I("", false, false),
+  I(".", false, false),
+  I("a", true, true),
+  I(".a", false, false),
+  I(".a.b", false, false),
+  I("..a", false, false),
+  I("a..b", false, false),
+  I("a...b", false, false),
+  I("a..b.c", false, false),
+  I("a.b..c", false, false),
+  I(".a.b.c.", false, false),
+
+  // absolute names (only allowed for reference names)
+  I("a.", true, false),
+  I("a.b.", true, false),
+  I("a.b.c.", true, false),
+
+  // absolute names with empty label at end
+  I("a..", false, false),
+  I("a.b..", false, false),
+  I("a.b.c..", false, false),
+  I("a...", false, false),
+
+  // Punycode
+  I("xn--", false, false),
+  I("xn--.", false, false),
+  I("xn--.a", false, false),
+  I("a.xn--", false, false),
+  I("a.xn--.", false, false),
+  I("a.xn--.b", false, false),
+  I("a.xn--.b", false, false),
+  I("a.xn--\0.b", false, false),
+  I("a.xn--a.b", true, true),
+  I("xn--a", true, true),
+  I("a.xn--a", true, true),
+  I("a.xn--a.a", true, true),
+  I("\xc4\x95.com", false, false), // UTF-8 ĕ
+  I("xn--jea.com", true, true), // punycode ĕ
+  I("xn--\xc4\x95.com", false, false), // UTF-8 ĕ, malformed punycode + UTF-8 mashup
+
+  // Surprising punycode
+  I("xn--google.com", true, true), // 䕮䕵䕶䕱.com
+  I("xn--citibank.com", true, true), // 岍岊岊岅岉岎.com
+  I("xn--cnn.com", true, true), // 䁾.com
+  I("a.xn--cnn", true, true), // a.䁾
+  I("a.xn--cnn.com", true, true), // a.䁾.com
+
+  I("1.2.3.4", false, false), // IPv4 address
+  I("1::2", false, false), // IPV6 address
+
+  // whitespace not allowed anywhere.
+  I(" ", false, false),
+  I(" a", false, false),
+  I("a ", false, false),
+  I("a b", false, false),
+  I("a.b 1", false, false),
+  I("a\t", false, false),
+
+  // Nulls not allowed
+  I("\0", false, false),
+  I("a\0", false, false),
+  I("example.org\0.example.com", false, false), // Hi Moxie!
+  I("\0a", false, false),
+  I("xn--\0", false, false),
+
+  // Allowed character set
+  I("a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z", true, true),
+  I("A.B.C.D.E.F.G.H.I.J.K.L.M.N.O.P.Q.R.S.T.U.V.W.X.Y.Z", true, true),
+  I("0.1.2.3.4.5.6.7.8.9.a", true, true), // "a" needed to avoid numeric last label
+  I("a-b", true, true), // hyphen (a label cannot start or end with a hyphen)
+
+  // Underscores
+  I("a_b", true, true),
+  // See bug 1139039
+  I("_", true, true),
+  I("a_", true, true),
+  I("_a", true, true),
+  I("_1", true, true),
+  I("1_", true, true),
+  I("___", true, true),
+
+  // An invalid character in various positions
+  I("!", false, false),
+  I("!a", false, false),
+  I("a!", false, false),
+  I("a!b", false, false),
+  I("a.!", false, false),
+  I("a.a!", false, false),
+  I("a.!a", false, false),
+  I("a.a!a", false, false),
+  I("a.!a.a", false, false),
+  I("a.a!.a", false, false),
+  I("a.a!a.a", false, false),
+
+  // Various other invalid characters
+  I("a!", false, false),
+  I("a@", false, false),
+  I("a#", false, false),
+  I("a$", false, false),
+  I("a%", false, false),
+  I("a^", false, false),
+  I("a&", false, false),
+  I("a*", false, false),
+  I("a(", false, false),
+  I("a)", false, false),
+
+  // last label can't be fully numeric
+  I("1", false, false),
+  I("a.1", false, false),
+
+  // other labels can be fully numeric
+  I("1.a", true, true),
+  I("1.2.a", true, true),
+  I("1.2.3.a", true, true),
+
+  // last label can be *partly* numeric
+  I("1a", true, true),
+  I("1.1a", true, true),
+  I("1-1", true, true),
+  I("a.1-1", true, true),
+  I("a.1-a", true, true),
+
+  // labels cannot start with a hyphen
+  I("-", false, false),
+  I("-1", false, false),
+
+  // labels cannot end with a hyphen
+  I("1-", false, false),
+  I("1-.a", false, false),
+  I("a-", false, false),
+  I("a-.a", false, false),
+  I("a.1-.a", false, false),
+  I("a.a-.a", false, false),
+
+  // labels can contain a hyphen in the middle
+  I("a-b", true, true),
+  I("1-2", true, true),
+  I("a.a-1", true, true),
+
+  // multiple consecutive hyphens allowed
+  I("a--1", true, true),
+  I("1---a", true, true),
+  I("a-----------------b", true, true),
+
+  // Wildcard specifications are not valid reference names, but are valid
+  // presented names if there are enough labels and if '*' is the only
+  // character in the wildcard label.
+  I("*.a", false, false),
+  I("a*", false, false),
+  I("a*.", false, false),
+  I("a*.a", false, false),
+  I("a*.a.", false, false),
+  I("*.a.b", false, true),
+  I("*.a.b.", false, false),
+  I("a*.b.c", false, false),
+  I("*.a.b.c", false, true),
+  I("a*.b.c.d", false, false),
+
+  // Multiple wildcards are not allowed.
+  I("a**.b.c", false, false),
+  I("a*b*.c.d", false, false),
+  I("a*.b*.c", false, false),
+
+  // Wildcards are only allowed in the first label.
+  I("a.*", false, false),
+  I("a.*.b", false, false),
+  I("a.b.*", false, false),
+  I("a.b*.c", false, false),
+  I("*.b*.c", false, false),
+  I(".*.a.b", false, false),
+  I(".a*.b.c", false, false),
+
+  // Wildcards must be at the *end* of the first label.
+  I("*a.b.c", false, false),
+  I("a*b.c.d", false, false),
+
+  // Wildcards not allowed with IDNA prefix
+  I("x*.a.b", false, false),
+  I("xn*.a.b", false, false),
+  I("xn-*.a.b", false, false),
+  I("xn--*.a.b", false, false),
+  I("xn--w*.a.b", false, false),
+
+  // Redacted labels from RFC6962bis draft 4
+  // https://tools.ietf.org/html/draft-ietf-trans-rfc6962-bis-04#section-3.2.2
+  I("(PRIVATE).foo", false, false),
+
+  // maximum label length is 63 characters
+  I("1234567890" "1234567890" "1234567890"
+    "1234567890" "1234567890" "1234567890" "abc", true, true),
+  I("1234567890" "1234567890" "1234567890"
+    "1234567890" "1234567890" "1234567890" "abcd", false, false),
+
+  // maximum total length is 253 characters
+  I("1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+    "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+    "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+    "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+    "1234567890" "1234567890" "1234567890" "1234567890" "12345678" "a",
+    true, true),
+  I("1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+    "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+    "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+    "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+    "1234567890" "1234567890" "1234567890" "1234567890" "123456789" "a",
+    false, false),
+};
+
+static const InputValidity DNSNAMES_VALIDITY_TURKISH_I[] =
+{
+  // http://en.wikipedia.org/wiki/Dotted_and_dotless_I#In_computing
+  // IDN registration rules disallow "latin capital letter i with dot above,"
+  // but our checks aren't intended to enforce those rules.
+  I("I", true, true), // ASCII capital I
+  I("i", true, true), // ASCII lowercase i
+  I("\xC4\xB0", false, false), // latin capital letter i with dot above
+  I("\xC4\xB1", false, false), // latin small letter dotless i
+  I("xn--i-9bb", true, true), // latin capital letter i with dot above, in punycode
+  I("xn--cfa", true, true), // latin small letter dotless i, in punycode
+  I("xn--\xC4\xB0", false, false), // latin capital letter i with dot above, mashup
+  I("xn--\xC4\xB1", false, false), // latin small letter dotless i, mashup
+};
+
+static const uint8_t LOWERCASE_I_VALUE[1] = { 'i' };
+static const uint8_t UPPERCASE_I_VALUE[1] = { 'I' };
+static const Input LOWERCASE_I(LOWERCASE_I_VALUE);
+static const Input UPPERCASE_I(UPPERCASE_I_VALUE);
+
+template <unsigned int L>
+struct IPAddressParams
+{
+  ByteString input;
+  bool isValid;
+  uint8_t expectedValueIfValid[L];
+};
+
+template <unsigned int L>
+::std::ostream& operator<<(::std::ostream& os, const IPAddressParams<L>&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+#define IPV4_VALID(str, a, b, c, d) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \
+    true, \
+    { a, b, c, d } \
+  }
+
+// The value of expectedValueIfValid must be ignored for invalid IP addresses.
+// The value { 73, 73, 73, 73 } is used because it is unlikely to result in an
+// accidental match, unlike { 0, 0, 0, 0 }, which is a value we actually test.
+#define IPV4_INVALID(str) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \
+    false, \
+    { 73, 73, 73, 73 } \
+  }
+
+static const IPAddressParams<4> IPV4_ADDRESSES[] =
+{
+  IPV4_INVALID(""),
+  IPV4_INVALID("1"),
+  IPV4_INVALID("1.2"),
+  IPV4_INVALID("1.2.3"),
+  IPV4_VALID("1.2.3.4", 1, 2, 3, 4),
+  IPV4_INVALID("1.2.3.4.5"),
+
+  IPV4_INVALID("1.2.3.4a"), // a DNSName!
+  IPV4_INVALID("a.2.3.4"), // not even a DNSName!
+  IPV4_INVALID("1::2"), // IPv6 address
+
+  // Whitespace not allowed
+  IPV4_INVALID(" 1.2.3.4"),
+  IPV4_INVALID("1.2.3.4 "),
+  IPV4_INVALID("1 .2.3.4"),
+  IPV4_INVALID("\n1.2.3.4"),
+  IPV4_INVALID("1.2.3.4\n"),
+
+  // Nulls not allowed
+  IPV4_INVALID("\0"),
+  IPV4_INVALID("\0" "1.2.3.4"),
+  IPV4_INVALID("1.2.3.4\0"),
+  IPV4_INVALID("1.2.3.4\0.5"),
+
+  // Range
+  IPV4_VALID("0.0.0.0", 0, 0, 0, 0),
+  IPV4_VALID("255.255.255.255", 255, 255, 255, 255),
+  IPV4_INVALID("256.0.0.0"),
+  IPV4_INVALID("0.256.0.0"),
+  IPV4_INVALID("0.0.256.0"),
+  IPV4_INVALID("0.0.0.256"),
+  IPV4_INVALID("999.0.0.0"),
+  IPV4_INVALID("9999999999999999999.0.0.0"),
+
+  // All digits allowed
+  IPV4_VALID("0.1.2.3", 0, 1, 2, 3),
+  IPV4_VALID("4.5.6.7", 4, 5, 6, 7),
+  IPV4_VALID("8.9.0.1", 8, 9, 0, 1),
+
+  // Leading zeros not allowed
+  IPV4_INVALID("01.2.3.4"),
+  IPV4_INVALID("001.2.3.4"),
+  IPV4_INVALID("00000000001.2.3.4"),
+  IPV4_INVALID("010.2.3.4"),
+  IPV4_INVALID("1.02.3.4"),
+  IPV4_INVALID("1.2.03.4"),
+  IPV4_INVALID("1.2.3.04"),
+
+  // Empty components
+  IPV4_INVALID(".2.3.4"),
+  IPV4_INVALID("1..3.4"),
+  IPV4_INVALID("1.2..4"),
+  IPV4_INVALID("1.2.3."),
+
+  // Too many components
+  IPV4_INVALID("1.2.3.4.5"),
+  IPV4_INVALID("1.2.3.4.5.6"),
+  IPV4_INVALID("0.1.2.3.4"),
+  IPV4_INVALID("1.2.3.4.0"),
+
+  // Leading/trailing dot
+  IPV4_INVALID(".1.2.3.4"),
+  IPV4_INVALID("1.2.3.4."),
+
+  // Other common forms of IPv4 address
+  // http://en.wikipedia.org/wiki/IPv4#Address_representations
+  IPV4_VALID("192.0.2.235", 192, 0, 2, 235), // dotted decimal (control value)
+  IPV4_INVALID("0xC0.0x00.0x02.0xEB"), // dotted hex
+  IPV4_INVALID("0301.0000.0002.0353"), // dotted octal
+  IPV4_INVALID("0xC00002EB"), // non-dotted hex
+  IPV4_INVALID("3221226219"), // non-dotted decimal
+  IPV4_INVALID("030000001353"), // non-dotted octal
+  IPV4_INVALID("192.0.0002.0xEB"), // mixed
+};
+
+#define IPV6_VALID(str, a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \
+    true, \
+    { a, b, c, d, \
+      e, f, g, h, \
+      i, j, k, l, \
+      m, n, o, p } \
+  }
+
+#define IPV6_INVALID(str) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \
+    false, \
+    { 73, 73, 73, 73, \
+      73, 73, 73, 73, \
+      73, 73, 73, 73, \
+      73, 73, 73, 73 } \
+  }
+
+static const IPAddressParams<16> IPV6_ADDRESSES[] =
+{
+  IPV6_INVALID(""),
+  IPV6_INVALID("1234"),
+  IPV6_INVALID("1234:5678"),
+  IPV6_INVALID("1234:5678:9abc"),
+  IPV6_INVALID("1234:5678:9abc:def0"),
+  IPV6_INVALID("1234:5678:9abc:def0:1234:"),
+  IPV6_INVALID("1234:5678:9abc:def0:1234:5678:"),
+  IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:"),
+  IPV6_VALID("1234:5678:9abc:def0:1234:5678:9abc:def0",
+             0x12, 0x34, 0x56, 0x78,
+             0x9a, 0xbc, 0xde, 0xf0,
+             0x12, 0x34, 0x56, 0x78,
+             0x9a, 0xbc, 0xde, 0xf0),
+  IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:def0:"),
+  IPV6_INVALID(":1234:5678:9abc:def0:1234:5678:9abc:def0"),
+  IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:def0:0000"),
+
+  // Valid contractions
+  IPV6_VALID("::1",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x01),
+  IPV6_VALID("::1234",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x12, 0x34),
+  IPV6_VALID("1234::",
+             0x12, 0x34, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00),
+  IPV6_VALID("1234::5678",
+             0x12, 0x34, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x56, 0x78),
+  IPV6_VALID("1234:5678::abcd",
+             0x12, 0x34, 0x56, 0x78,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0xab, 0xcd),
+  IPV6_VALID("1234:5678:9abc:def0:1234:5678:9abc::",
+             0x12, 0x34, 0x56, 0x78,
+             0x9a, 0xbc, 0xde, 0xf0,
+             0x12, 0x34, 0x56, 0x78,
+             0x9a, 0xbc, 0x00, 0x00),
+
+  // Contraction in full IPv6 addresses not allowed
+  IPV6_INVALID("::1234:5678:9abc:def0:1234:5678:9abc:def0"), // start
+  IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:def0::"), // end
+  IPV6_INVALID("1234:5678::9abc:def0:1234:5678:9abc:def0"), // interior
+
+  // Multiple contractions not allowed
+  IPV6_INVALID("::1::"),
+  IPV6_INVALID("::1::2"),
+  IPV6_INVALID("1::2::"),
+
+  // Colon madness!
+  IPV6_INVALID(":"),
+  IPV6_INVALID("::"),
+  IPV6_INVALID(":::"),
+  IPV6_INVALID("::::"),
+  IPV6_INVALID(":::1"),
+  IPV6_INVALID("::::1"),
+  IPV6_INVALID("1:::2"),
+  IPV6_INVALID("1::::2"),
+  IPV6_INVALID("1:2:::"),
+  IPV6_INVALID("1:2::::"),
+  IPV6_INVALID("::1234:"),
+  IPV6_INVALID(":1234::"),
+
+  IPV6_INVALID("01234::"), // too many digits, even if zero
+  IPV6_INVALID("12345678::"), // too many digits or missing colon
+
+  // uppercase
+  IPV6_VALID("ABCD:EFAB::",
+             0xab, 0xcd, 0xef, 0xab,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00),
+
+  // miXeD CAse
+  IPV6_VALID("aBcd:eFAb::",
+             0xab, 0xcd, 0xef, 0xab,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00),
+
+  // IPv4-style
+  IPV6_VALID("::2.3.4.5",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x02, 0x03, 0x04, 0x05),
+  IPV6_VALID("1234::2.3.4.5",
+             0x12, 0x34, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x02, 0x03, 0x04, 0x05),
+  IPV6_VALID("::abcd:2.3.4.5",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0xab, 0xcd,
+             0x02, 0x03, 0x04, 0x05),
+  IPV6_VALID("1234:5678:9abc:def0:1234:5678:252.253.254.255",
+             0x12, 0x34, 0x56, 0x78,
+             0x9a, 0xbc, 0xde, 0xf0,
+             0x12, 0x34, 0x56, 0x78,
+             252,  253,  254,  255),
+  IPV6_VALID("1234:5678:9abc:def0:1234::252.253.254.255",
+             0x12, 0x34, 0x56, 0x78,
+             0x9a, 0xbc, 0xde, 0xf0,
+             0x12, 0x34, 0x00, 0x00,
+             252,  253,  254,  255),
+  IPV6_INVALID("1234::252.253.254"),
+  IPV6_INVALID("::252.253.254"),
+  IPV6_INVALID("::252.253.254.300"),
+  IPV6_INVALID("1234::252.253.254.255:"),
+  IPV6_INVALID("1234::252.253.254.255:5678"),
+
+  // Contractions that don't contract
+  IPV6_INVALID("::1234:5678:9abc:def0:1234:5678:9abc:def0"),
+  IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:def0::"),
+  IPV6_INVALID("1234:5678:9abc:def0::1234:5678:9abc:def0"),
+  IPV6_INVALID("1234:5678:9abc:def0:1234:5678::252.253.254.255"),
+
+  // With and without leading zeros
+  IPV6_VALID("::123",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x01, 0x23),
+  IPV6_VALID("::0123",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x01, 0x23),
+  IPV6_VALID("::012",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x12),
+  IPV6_VALID("::0012",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x12),
+  IPV6_VALID("::01",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x01),
+  IPV6_VALID("::001",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x01),
+  IPV6_VALID("::0001",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x01),
+  IPV6_VALID("::0",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00),
+  IPV6_VALID("::00",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00),
+  IPV6_VALID("::000",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00),
+  IPV6_VALID("::0000",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00),
+  IPV6_INVALID("::01234"),
+  IPV6_INVALID("::00123"),
+  IPV6_INVALID("::000123"),
+
+  // Trailing zero
+  IPV6_INVALID("::12340"),
+
+  // Whitespace
+  IPV6_INVALID(" 1234:5678:9abc:def0:1234:5678:9abc:def0"),
+  IPV6_INVALID("\t1234:5678:9abc:def0:1234:5678:9abc:def0"),
+  IPV6_INVALID("\t1234:5678:9abc:def0:1234:5678:9abc:def0\n"),
+  IPV6_INVALID("1234 :5678:9abc:def0:1234:5678:9abc:def0"),
+  IPV6_INVALID("1234: 5678:9abc:def0:1234:5678:9abc:def0"),
+  IPV6_INVALID(":: 2.3.4.5"),
+  IPV6_INVALID("1234::252.253.254.255 "),
+  IPV6_INVALID("1234::252.253.254.255\n"),
+  IPV6_INVALID("1234::252.253. 254.255"),
+
+  // Nulls
+  IPV6_INVALID("\0"),
+  IPV6_INVALID("::1\0:2"),
+  IPV6_INVALID("::1\0"),
+  IPV6_INVALID("::1.2.3.4\0"),
+  IPV6_INVALID("::1.2\02.3.4"),
+};
+
+class pkixnames_MatchPresentedDNSIDWithReferenceDNSID
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<PresentedMatchesReference>
+{
+public:
+  DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_MatchPresentedDNSIDWithReferenceDNSID,
+       MatchPresentedDNSIDWithReferenceDNSID)
+{
+  const PresentedMatchesReference& param(GetParam());
+  SCOPED_TRACE(param.presentedDNSID.c_str());
+  SCOPED_TRACE(param.referenceDNSID.c_str());
+  Input presented;
+  ASSERT_EQ(Success, presented.Init(param.presentedDNSID.data(),
+                                    param.presentedDNSID.length()));
+  Input reference;
+  ASSERT_EQ(Success, reference.Init(param.referenceDNSID.data(),
+                                    param.referenceDNSID.length()));
+
+  // sanity check that test makes sense
+  ASSERT_TRUE(IsValidReferenceDNSID(reference));
+
+  bool matches;
+  ASSERT_EQ(param.expectedResult,
+            MatchPresentedDNSIDWithReferenceDNSID(presented, reference,
+                                                  matches));
+  if (param.expectedResult == Success) {
+    ASSERT_EQ(param.expectedMatches, matches);
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_MatchPresentedDNSIDWithReferenceDNSID,
+                        pkixnames_MatchPresentedDNSIDWithReferenceDNSID,
+                        testing::ValuesIn(DNSID_MATCH_PARAMS));
+
+class pkixnames_Turkish_I_Comparison
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<InputValidity>
+{
+public:
+  DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_Turkish_I_Comparison, MatchPresentedDNSIDWithReferenceDNSID)
+{
+  // Make sure we don't have the similar problems that strcasecmp and others
+  // have with the other kinds of "i" and "I" commonly used in Turkish locales.
+
+  const InputValidity& inputValidity(GetParam());
+  SCOPED_TRACE(inputValidity.input.c_str());
+  Input input;
+  ASSERT_EQ(Success, input.Init(inputValidity.input.data(),
+                                inputValidity.input.length()));
+
+  bool isASCII = InputsAreEqual(LOWERCASE_I, input) ||
+                 InputsAreEqual(UPPERCASE_I, input);
+  {
+    bool matches;
+    ASSERT_EQ(inputValidity.isValidPresentedID ? Success
+                                               : Result::ERROR_BAD_DER,
+              MatchPresentedDNSIDWithReferenceDNSID(input, LOWERCASE_I,
+                                                    matches));
+    if (inputValidity.isValidPresentedID) {
+      ASSERT_EQ(isASCII, matches);
+    }
+  }
+  {
+    bool matches;
+    ASSERT_EQ(inputValidity.isValidPresentedID ? Success
+                                               : Result::ERROR_BAD_DER,
+              MatchPresentedDNSIDWithReferenceDNSID(input, UPPERCASE_I,
+                                                    matches));
+    if (inputValidity.isValidPresentedID) {
+      ASSERT_EQ(isASCII, matches);
+    }
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_Turkish_I_Comparison,
+                        pkixnames_Turkish_I_Comparison,
+                        testing::ValuesIn(DNSNAMES_VALIDITY_TURKISH_I));
+
+class pkixnames_IsValidReferenceDNSID
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<InputValidity>
+{
+public:
+  DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_IsValidReferenceDNSID, IsValidReferenceDNSID)
+{
+  const InputValidity& inputValidity(GetParam());
+  SCOPED_TRACE(inputValidity.input.c_str());
+  Input input;
+  ASSERT_EQ(Success, input.Init(inputValidity.input.data(),
+                                inputValidity.input.length()));
+  ASSERT_EQ(inputValidity.isValidReferenceID, IsValidReferenceDNSID(input));
+  ASSERT_EQ(inputValidity.isValidPresentedID, IsValidPresentedDNSID(input));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_IsValidReferenceDNSID,
+                        pkixnames_IsValidReferenceDNSID,
+                        testing::ValuesIn(DNSNAMES_VALIDITY));
+INSTANTIATE_TEST_CASE_P(pkixnames_IsValidReferenceDNSID_Turkish_I,
+                        pkixnames_IsValidReferenceDNSID,
+                        testing::ValuesIn(DNSNAMES_VALIDITY_TURKISH_I));
+
+class pkixnames_ParseIPv4Address
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<IPAddressParams<4>>
+{
+public:
+  DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_ParseIPv4Address, ParseIPv4Address)
+{
+  const IPAddressParams<4>& param(GetParam());
+  SCOPED_TRACE(param.input.c_str());
+  Input input;
+  ASSERT_EQ(Success, input.Init(param.input.data(),
+                                param.input.length()));
+  uint8_t ipAddress[4];
+  ASSERT_EQ(param.isValid, ParseIPv4Address(input, ipAddress));
+  if (param.isValid) {
+    for (size_t i = 0; i < sizeof(ipAddress); ++i) {
+      ASSERT_EQ(param.expectedValueIfValid[i], ipAddress[i]);
+    }
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_ParseIPv4Address,
+                        pkixnames_ParseIPv4Address,
+                        testing::ValuesIn(IPV4_ADDRESSES));
+
+class pkixnames_ParseIPv6Address
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<IPAddressParams<16>>
+{
+public:
+  DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_ParseIPv6Address, ParseIPv6Address)
+{
+  const IPAddressParams<16>& param(GetParam());
+  SCOPED_TRACE(param.input.c_str());
+  Input input;
+  ASSERT_EQ(Success, input.Init(param.input.data(),
+                                param.input.length()));
+  uint8_t ipAddress[16];
+  ASSERT_EQ(param.isValid, ParseIPv6Address(input, ipAddress));
+  if (param.isValid) {
+    for (size_t i = 0; i < sizeof(ipAddress); ++i) {
+      ASSERT_EQ(param.expectedValueIfValid[i], ipAddress[i]);
+    }
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_ParseIPv6Address,
+                        pkixnames_ParseIPv6Address,
+                        testing::ValuesIn(IPV6_ADDRESSES));
+
+// This is an arbitrary string that is used to indicate that no SAN extension
+// should be put into the generated certificate. It needs to be different from
+// "" or any other subjectAltName value that we actually want to test, but its
+// actual value does not matter. Note that this isn't a correctly-encoded SAN
+// extension value!
+static const ByteString
+  NO_SAN(reinterpret_cast<const uint8_t*>("I'm a bad, bad, certificate"));
+
+struct CheckCertHostnameParams
+{
+  ByteString hostname;
+  ByteString subject;
+  ByteString subjectAltName;
+  Result result;
+};
+
+::std::ostream& operator<<(::std::ostream& os, const CheckCertHostnameParams&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+class pkixnames_CheckCertHostname
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<CheckCertHostnameParams>
+{
+public:
+  DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+#define WITH_SAN(r, ps, psan, result) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(r), sizeof(r) - 1), \
+    ps, \
+    psan, \
+    result \
+  }
+
+#define WITHOUT_SAN(r, ps, result) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(r), sizeof(r) - 1), \
+    ps, \
+    NO_SAN, \
+    result \
+  }
+
+static const uint8_t example_com[] = {
+  'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'
+};
+
+// Note that We avoid zero-valued bytes in these IP addresses so that we don't
+// get false negatives from anti-NULL-byte defenses in dNSName decoding.
+static const uint8_t ipv4_addr_bytes[] = {
+  1, 2, 3, 4
+};
+static const uint8_t ipv4_addr_bytes_as_str[] = "\x01\x02\x03\x04";
+static const uint8_t ipv4_addr_str[] = "1.2.3.4";
+static const uint8_t ipv4_addr_bytes_FFFFFFFF[8] = {
+  1, 2, 3, 4, 0xff, 0xff, 0xff, 0xff
+};
+
+static const uint8_t ipv4_compatible_ipv6_addr_bytes[] = {
+  0, 0, 0, 0,
+  0, 0, 0, 0,
+  0, 0, 0, 0,
+  1, 2, 3, 4
+};
+static const uint8_t ipv4_compatible_ipv6_addr_str[] = "::1.2.3.4";
+
+static const uint8_t ipv4_mapped_ipv6_addr_bytes[] = {
+  0, 0, 0, 0,
+  0, 0, 0, 0,
+  0, 0, 0xFF, 0xFF,
+  1, 2, 3, 4
+};
+static const uint8_t ipv4_mapped_ipv6_addr_str[] = "::FFFF:1.2.3.4";
+
+static const uint8_t ipv6_addr_bytes[] = {
+  0x11, 0x22, 0x33, 0x44,
+  0x55, 0x66, 0x77, 0x88,
+  0x99, 0xaa, 0xbb, 0xcc,
+  0xdd, 0xee, 0xff, 0x11
+};
+static const uint8_t ipv6_addr_bytes_as_str[] =
+  "\x11\x22\x33\x44"
+  "\x55\x66\x77\x88"
+  "\x99\xaa\xbb\xcc"
+  "\xdd\xee\xff\x11";
+
+static const uint8_t ipv6_addr_str[] =
+  "1122:3344:5566:7788:99aa:bbcc:ddee:ff11";
+
+static const uint8_t ipv6_other_addr_bytes[] = {
+  0xff, 0xee, 0xdd, 0xcc,
+  0xbb, 0xaa, 0x99, 0x88,
+  0x77, 0x66, 0x55, 0x44,
+  0x33, 0x22, 0x11, 0x00,
+};
+
+static const uint8_t ipv4_other_addr_bytes[] = {
+  5, 6, 7, 8
+};
+static const uint8_t ipv4_other_addr_bytes_FFFFFFFF[] = {
+  5, 6, 7, 8, 0xff, 0xff, 0xff, 0xff
+};
+
+static const uint8_t ipv4_addr_00000000_bytes[] = {
+  0, 0, 0, 0
+};
+static const uint8_t ipv4_addr_FFFFFFFF_bytes[] = {
+  0, 0, 0, 0
+};
+
+static const uint8_t ipv4_constraint_all_zeros_bytes[] = {
+  0, 0, 0, 0, 0, 0, 0, 0
+};
+
+static const uint8_t ipv6_addr_all_zeros_bytes[] = {
+  0, 0, 0, 0, 0, 0, 0, 0,
+  0, 0, 0, 0, 0, 0, 0, 0,
+};
+
+static const uint8_t ipv6_constraint_all_zeros_bytes[] = {
+  0, 0, 0, 0, 0, 0, 0, 0,
+  0, 0, 0, 0, 0, 0, 0, 0,
+  0, 0, 0, 0, 0, 0, 0, 0,
+  0, 0, 0, 0, 0, 0, 0, 0
+};
+
+static const uint8_t ipv4_constraint_CIDR_16_bytes[] = {
+  1, 2, 0, 0, 0xff, 0xff, 0, 0
+};
+static const uint8_t ipv4_constraint_CIDR_17_bytes[] = {
+  1, 2, 0, 0, 0xff, 0xff, 0x80, 0
+};
+
+// The subnet is 1.2.0.0/16 but it is specified as 1.2.3.0/16
+static const uint8_t ipv4_constraint_CIDR_16_bad_addr_bytes[] = {
+  1, 2, 3, 0, 0xff, 0xff, 0, 0
+};
+
+// Masks are supposed to be of the form <ones><zeros>, but this one is of the
+// form <ones><zeros><ones><zeros>.
+static const uint8_t ipv4_constraint_bad_mask_bytes[] = {
+  1, 2, 3, 0, 0xff, 0, 0xff, 0
+};
+
+static const uint8_t ipv6_constraint_CIDR_16_bytes[] = {
+  0x11, 0x22, 0, 0, 0, 0, 0, 0,
+     0,    0, 0, 0, 0, 0, 0, 0,
+  0xff, 0xff, 0, 0, 0, 0, 0, 0,
+     0,    0, 0, 0, 0, 0, 0, 0
+};
+
+// The subnet is 1122::/16 but it is specified as 1122:3344::/16
+static const uint8_t ipv6_constraint_CIDR_16_bad_addr_bytes[] = {
+  0x11, 0x22, 0x33, 0x44, 0, 0, 0, 0,
+     0,    0,    0,    0, 0, 0, 0, 0,
+  0xff, 0xff,    0,    0, 0, 0, 0, 0,
+     0,    0,    0,    0, 0, 0, 0, 0
+};
+
+// Masks are supposed to be of the form <ones><zeros>, but this one is of the
+// form <ones><zeros><ones><zeros>.
+static const uint8_t ipv6_constraint_bad_mask_bytes[] = {
+  0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0, 0,
+     0,    0,    0,    0,    0,    0, 0, 0,
+  0xff, 0xff,    0,    0, 0xff, 0xff, 0, 0,
+     0,    0,    0,    0,    0,    0, 0, 0,
+};
+
+static const uint8_t ipv4_addr_truncated_bytes[] = {
+  1, 2, 3
+};
+static const uint8_t ipv4_addr_overlong_bytes[] = {
+  1, 2, 3, 4, 5
+};
+static const uint8_t ipv4_constraint_truncated_bytes[] = {
+  0, 0, 0, 0,
+  0, 0, 0,
+};
+static const uint8_t ipv4_constraint_overlong_bytes[] = {
+  0, 0, 0, 0,
+  0, 0, 0, 0, 0
+};
+
+static const uint8_t ipv6_addr_truncated_bytes[] = {
+  0x11, 0x22, 0x33, 0x44,
+  0x55, 0x66, 0x77, 0x88,
+  0x99, 0xaa, 0xbb, 0xcc,
+  0xdd, 0xee, 0xff
+};
+static const uint8_t ipv6_addr_overlong_bytes[] = {
+  0x11, 0x22, 0x33, 0x44,
+  0x55, 0x66, 0x77, 0x88,
+  0x99, 0xaa, 0xbb, 0xcc,
+  0xdd, 0xee, 0xff, 0x11, 0x00
+};
+static const uint8_t ipv6_constraint_truncated_bytes[] = {
+  0x11, 0x22, 0, 0, 0, 0, 0, 0,
+     0,    0, 0, 0, 0, 0, 0, 0,
+  0xff, 0xff, 0, 0, 0, 0, 0, 0,
+     0,    0, 0, 0, 0, 0, 0
+};
+static const uint8_t ipv6_constraint_overlong_bytes[] = {
+  0x11, 0x22, 0, 0, 0, 0, 0, 0,
+     0,    0, 0, 0, 0, 0, 0, 0,
+  0xff, 0xff, 0, 0, 0, 0, 0, 0,
+     0,    0, 0, 0, 0, 0, 0, 0, 0
+};
+
+// Note that, for DNSNames, these test cases in CHECK_CERT_HOSTNAME_PARAMS are
+// mostly about testing different scenerios regarding the structure of entries
+// in the subjectAltName and subject of the certificate, than about the how
+// specific presented identifier values are matched against the reference
+// identifier values. This is because we also use the test cases in
+// DNSNAMES_VALIDITY to test CheckCertHostname. Consequently, tests about
+// whether specific presented DNSNames (including wildcards, in particular) are
+// matched against a reference DNSName only need to be added to
+// DNSNAMES_VALIDITY, and not here.
+static const CheckCertHostnameParams CHECK_CERT_HOSTNAME_PARAMS[] =
+{
+  // This is technically illegal. PrintableString is defined in such a way that
+  // '*' is not an allowed character, but there are many real-world certificates
+  // that are encoded this way.
+  WITHOUT_SAN("foo.example.com", RDN(CN("*.example.com", der::PrintableString)),
+              Success),
+  WITHOUT_SAN("foo.example.com", RDN(CN("*.example.com", der::UTF8String)),
+              Success),
+
+  // Many certificates use TeletexString when encoding wildcards in CN-IDs
+  // because PrintableString is defined as not allowing '*' and UTF8String was,
+  // at one point in history, considered too new to depend on for compatibility.
+  // We accept TeletexString-encoded CN-IDs when they don't contain any escape
+  // sequences. The reference I used for the escape codes was
+  // https://tools.ietf.org/html/rfc1468. The escaping mechanism is actually
+  // pretty complex and these tests don't even come close to testing all the
+  // possibilities.
+  WITHOUT_SAN("foo.example.com", RDN(CN("*.example.com", der::TeletexString)),
+              Success),
+  // "ESC ( B" ({0x1B,0x50,0x42}) is the escape code to switch to ASCII, which
+  // is redundant because it already the default.
+  WITHOUT_SAN("foo.example.com",
+              RDN(CN("\x1B(B*.example.com", der::TeletexString)),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  WITHOUT_SAN("foo.example.com",
+              RDN(CN("*.example\x1B(B.com", der::TeletexString)),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  WITHOUT_SAN("foo.example.com",
+              RDN(CN("*.example.com\x1B(B", der::TeletexString)),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  // "ESC $ B" ({0x1B,0x24,0x42}) is the escape code to switch to
+  // JIS X 0208-1983 (a Japanese character set).
+  WITHOUT_SAN("foo.example.com",
+              RDN(CN("\x1B$B*.example.com", der::TeletexString)),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  WITHOUT_SAN("foo.example.com",
+              RDN(CN("*.example.com\x1B$B", der::TeletexString)),
+              Result::ERROR_BAD_CERT_DOMAIN),
+
+  // Match a DNSName SAN entry with a redundant (ignored) matching CN-ID.
+  WITH_SAN("a", RDN(CN("a")), DNSName("a"), Success),
+  // Match a DNSName SAN entry when there is an CN-ID that doesn't match.
+  WITH_SAN("b", RDN(CN("a")), DNSName("b"), Success),
+  // Do not match a CN-ID when there is a valid DNSName SAN Entry.
+  WITH_SAN("a", RDN(CN("a")), DNSName("b"), Result::ERROR_BAD_CERT_DOMAIN),
+  // Do not match a CN-ID when there is a malformed DNSName SAN Entry.
+  WITH_SAN("a", RDN(CN("a")), DNSName("!"), Result::ERROR_BAD_DER),
+  // Do not match a matching CN-ID when there is a valid IPAddress SAN entry.
+  WITH_SAN("a", RDN(CN("a")), IPAddress(ipv4_addr_bytes),
+           Result::ERROR_BAD_CERT_DOMAIN),
+  // Do not match a matching CN-ID when there is a malformed IPAddress SAN entry.
+  WITH_SAN("a", RDN(CN("a")), IPAddress(example_com),
+           Result::ERROR_BAD_CERT_DOMAIN),
+  // Match a DNSName against a matching CN-ID when there is a SAN, but the SAN
+  // does not contain an DNSName or IPAddress entry.
+  WITH_SAN("a", RDN(CN("a")), RFC822Name("foo@example.com"), Success),
+  // Match a matching CN-ID when there is no SAN.
+  WITHOUT_SAN("a", RDN(CN("a")), Success),
+  // Do not match a mismatching CN-ID when there is no SAN.
+  WITHOUT_SAN("a", RDN(CN("b")), Result::ERROR_BAD_CERT_DOMAIN),
+
+  // The first DNSName matches.
+  WITH_SAN("a", RDN(CN("foo")), DNSName("a") + DNSName("b"), Success),
+  // The last DNSName matches.
+  WITH_SAN("b", RDN(CN("foo")), DNSName("a") + DNSName("b"), Success),
+  // The middle DNSName matches.
+  WITH_SAN("b", RDN(CN("foo")),
+           DNSName("a") + DNSName("b") + DNSName("c"), Success),
+  // After an IP address.
+  WITH_SAN("b", RDN(CN("foo")),
+           IPAddress(ipv4_addr_bytes) + DNSName("b"), Success),
+  // Before an IP address.
+  WITH_SAN("a", RDN(CN("foo")),
+           DNSName("a") + IPAddress(ipv4_addr_bytes), Success),
+  // Between an RFC822Name and an IP address.
+  WITH_SAN("b", RDN(CN("foo")),
+           RFC822Name("foo@example.com") + DNSName("b") +
+                                           IPAddress(ipv4_addr_bytes),
+           Success),
+  // Duplicate DNSName.
+  WITH_SAN("a", RDN(CN("foo")), DNSName("a") + DNSName("a"), Success),
+  // After an invalid DNSName.
+  WITH_SAN("b", RDN(CN("foo")), DNSName("!") + DNSName("b"),
+           Result::ERROR_BAD_DER),
+
+  // http://tools.ietf.org/html/rfc5280#section-4.2.1.6: "If the subjectAltName
+  // extension is present, the sequence MUST contain at least one entry."
+  // However, for compatibility reasons, this is not enforced. See bug 1143085.
+  // This case is treated as if the extension is not present (i.e. name
+  // matching falls back to the subject CN).
+  WITH_SAN("a", RDN(CN("a")), ByteString(), Success),
+  WITH_SAN("a", RDN(CN("b")), ByteString(), Result::ERROR_BAD_CERT_DOMAIN),
+
+  // http://tools.ietf.org/html/rfc5280#section-4.1.2.6 says "If subject naming
+  // information is present only in the subjectAltName extension (e.g., a key
+  // bound only to an email address or URI), then the subject name MUST be an
+  // empty sequence and the subjectAltName extension MUST be critical." So, we
+  // have to support an empty subject. We don't enforce that the SAN must be
+  // critical or even that there is a SAN when the subject is empty, though.
+  WITH_SAN("a", ByteString(), DNSName("a"), Success),
+  // Make sure we return ERROR_BAD_CERT_DOMAIN and not ERROR_BAD_DER.
+  WITHOUT_SAN("a", ByteString(), Result::ERROR_BAD_CERT_DOMAIN),
+
+  // Two CNs in the same RDN, both match.
+  WITHOUT_SAN("a", RDN(CN("a") + CN("a")), Success),
+  // Two CNs in the same RDN, both DNSNames, first one matches.
+  WITHOUT_SAN("a", RDN(CN("a") + CN("b")),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  // Two CNs in the same RDN, both DNSNames, last one matches.
+  WITHOUT_SAN("b", RDN(CN("a") + CN("b")), Success),
+  // Two CNs in the same RDN, first one matches, second isn't a DNSName.
+  WITHOUT_SAN("a", RDN(CN("a") + CN("Not a DNSName")),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  // Two CNs in the same RDN, first one not a DNSName, second matches.
+  WITHOUT_SAN("b", RDN(CN("Not a DNSName") + CN("b")), Success),
+
+  // Two CNs in separate RDNs, both match.
+  WITHOUT_SAN("a", RDN(CN("a")) + RDN(CN("a")), Success),
+  // Two CNs in separate RDNs, both DNSNames, first one matches.
+  WITHOUT_SAN("a", RDN(CN("a")) + RDN(CN("b")),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  // Two CNs in separate RDNs, both DNSNames, last one matches.
+  WITHOUT_SAN("b", RDN(CN("a")) + RDN(CN("b")), Success),
+  // Two CNs in separate RDNs, first one matches, second isn't a DNSName.
+  WITHOUT_SAN("a", RDN(CN("a")) + RDN(CN("Not a DNSName")),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  // Two CNs in separate RDNs, first one not a DNSName, second matches.
+  WITHOUT_SAN("b", RDN(CN("Not a DNSName")) + RDN(CN("b")), Success),
+
+  // One CN, one RDN, CN is the first AVA in the RDN, CN matches.
+  WITHOUT_SAN("a", RDN(CN("a") + OU("b")), Success),
+  // One CN, one RDN, CN is the first AVA in the RDN, CN does not match.
+  WITHOUT_SAN("b", RDN(CN("a") + OU("b")),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  // One CN, one RDN, CN is not the first AVA in the RDN, CN matches.
+  WITHOUT_SAN("b", RDN(OU("a") + CN("b")), Success),
+  // One CN, one RDN, CN is not the first AVA in the RDN, CN does not match.
+  WITHOUT_SAN("a", RDN(OU("a") + CN("b")),
+              Result::ERROR_BAD_CERT_DOMAIN),
+
+  // One CN, multiple RDNs, CN is in the first RDN, CN matches.
+  WITHOUT_SAN("a", RDN(CN("a")) + RDN(OU("b")), Success),
+  // One CN, multiple RDNs, CN is in the first RDN, CN does not match.
+  WITHOUT_SAN("b", RDN(CN("a")) + RDN(OU("b")), Result::ERROR_BAD_CERT_DOMAIN),
+  // One CN, multiple RDNs, CN is not in the first RDN, CN matches.
+  WITHOUT_SAN("b", RDN(OU("a")) + RDN(CN("b")), Success),
+  // One CN, multiple RDNs, CN is not in the first RDN, CN does not match.
+  WITHOUT_SAN("a", RDN(OU("a")) + RDN(CN("b")), Result::ERROR_BAD_CERT_DOMAIN),
+
+  // One CN, one RDN, CN is not in the first or last AVA, CN matches.
+  WITHOUT_SAN("b", RDN(OU("a") + CN("b") + OU("c")), Success),
+  // One CN, multiple RDNs, CN is not in the first or last RDN, CN matches.
+  WITHOUT_SAN("b", RDN(OU("a")) + RDN(CN("b")) + RDN(OU("c")), Success),
+
+  // Empty CN does not match.
+  WITHOUT_SAN("example.com", RDN(CN("")), Result::ERROR_BAD_CERT_DOMAIN),
+
+  WITHOUT_SAN("uses_underscore.example.com", RDN(CN("*.example.com")), Success),
+  WITHOUT_SAN("a.uses_underscore.example.com",
+              RDN(CN("*.uses_underscore.example.com")), Success),
+  WITH_SAN("uses_underscore.example.com", RDN(CN("foo")),
+           DNSName("*.example.com"), Success),
+  WITH_SAN("a.uses_underscore.example.com", RDN(CN("foo")),
+           DNSName("*.uses_underscore.example.com"), Success),
+
+  // Do not match a DNSName that is encoded in a malformed IPAddress.
+  WITH_SAN("example.com", RDN(CN("foo")), IPAddress(example_com),
+           Result::ERROR_BAD_CERT_DOMAIN),
+
+  // We skip over the malformed IPAddress and match the DNSName entry because
+  // we've heard reports of real-world certificates that have malformed
+  // IPAddress SANs.
+  WITH_SAN("example.org", RDN(CN("foo")),
+           IPAddress(example_com) + DNSName("example.org"), Success),
+
+  WITH_SAN("example.com", RDN(CN("foo")),
+           DNSName("!") + DNSName("example.com"), Result::ERROR_BAD_DER),
+
+  // Match a matching IPv4 address SAN entry.
+  WITH_SAN(ipv4_addr_str, RDN(CN("foo")), IPAddress(ipv4_addr_bytes),
+           Success),
+  // Match a matching IPv4 addresses in the CN when there is no SAN
+  WITHOUT_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)), Success),
+  // Do not match a matching IPv4 address in the CN when there is a SAN with
+  // a DNSName entry.
+  WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)),
+           DNSName("example.com"), Result::ERROR_BAD_CERT_DOMAIN),
+  // Do not match a matching IPv4 address in the CN when there is a SAN with
+  // a non-matching IPAddress entry.
+  WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)),
+           IPAddress(ipv6_addr_bytes), Result::ERROR_BAD_CERT_DOMAIN),
+  // Match a matching IPv4 address in the CN when there is a SAN with a
+  // non-IPAddress, non-DNSName entry.
+  WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)),
+           RFC822Name("foo@example.com"), Success),
+  // Do not match a matching IPv4 address in the CN when there is a SAN with a
+  // malformed IPAddress entry.
+  WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)),
+           IPAddress(example_com), Result::ERROR_BAD_CERT_DOMAIN),
+  // Do not match a matching IPv4 address in the CN when there is a SAN with a
+  // malformed DNSName entry.
+  WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)),
+           DNSName("!"), Result::ERROR_BAD_CERT_DOMAIN),
+
+  // We don't match IPv6 addresses in the CN, regardless of whether there is
+  // a SAN.
+  WITHOUT_SAN(ipv6_addr_str, RDN(CN(ipv6_addr_str)),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  WITH_SAN(ipv6_addr_str, RDN(CN(ipv6_addr_str)),
+           DNSName("example.com"), Result::ERROR_BAD_CERT_DOMAIN),
+  WITH_SAN(ipv6_addr_str, RDN(CN(ipv6_addr_str)),
+                          IPAddress(ipv6_addr_bytes), Success),
+  WITH_SAN(ipv6_addr_str, RDN(CN("foo")), IPAddress(ipv6_addr_bytes),
+           Success),
+
+  // We don't match the binary encoding of the bytes of IP addresses in the
+  // CN.
+  WITHOUT_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_bytes_as_str)),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  WITHOUT_SAN(ipv6_addr_str, RDN(CN(ipv6_addr_bytes_as_str)),
+              Result::ERROR_BAD_CERT_DOMAIN),
+
+  // We don't match IP addresses with DNSName SANs.
+  WITH_SAN(ipv4_addr_str, RDN(CN("foo")),
+           DNSName(ipv4_addr_bytes_as_str), Result::ERROR_BAD_CERT_DOMAIN),
+  WITH_SAN(ipv4_addr_str, RDN(CN("foo")), DNSName(ipv4_addr_str),
+           Result::ERROR_BAD_CERT_DOMAIN),
+  WITH_SAN(ipv6_addr_str, RDN(CN("foo")),
+           DNSName(ipv6_addr_bytes_as_str), Result::ERROR_BAD_CERT_DOMAIN),
+  WITH_SAN(ipv6_addr_str, RDN(CN("foo")), DNSName(ipv6_addr_str),
+           Result::ERROR_BAD_CERT_DOMAIN),
+
+  // Do not match an IPv4 reference ID against the equivalent IPv4-compatible
+  // IPv6 SAN entry.
+  WITH_SAN(ipv4_addr_str, RDN(CN("foo")),
+           IPAddress(ipv4_compatible_ipv6_addr_bytes),
+           Result::ERROR_BAD_CERT_DOMAIN),
+  // Do not match an IPv4 reference ID against the equivalent IPv4-mapped IPv6
+  // SAN entry.
+  WITH_SAN(ipv4_addr_str, RDN(CN("foo")),
+           IPAddress(ipv4_mapped_ipv6_addr_bytes),
+           Result::ERROR_BAD_CERT_DOMAIN),
+  // Do not match an IPv4-compatible IPv6 reference ID against the equivalent
+  // IPv4 SAN entry.
+  WITH_SAN(ipv4_compatible_ipv6_addr_str, RDN(CN("foo")),
+           IPAddress(ipv4_addr_bytes), Result::ERROR_BAD_CERT_DOMAIN),
+  // Do not match an IPv4 reference ID against the equivalent IPv4-mapped IPv6
+  // SAN entry.
+  WITH_SAN(ipv4_mapped_ipv6_addr_str, RDN(CN("foo")),
+           IPAddress(ipv4_addr_bytes),
+           Result::ERROR_BAD_CERT_DOMAIN),
+
+  // Test that the presence of an otherName entry is handled appropriately.
+  // (The actual value of the otherName entry isn't important - that's not what
+  // we're testing here.)
+  WITH_SAN("example.com", ByteString(),
+           // The tag for otherName is CONTEXT_SPECIFIC | CONSTRUCTED | 0
+           TLV((2 << 6) | (1 << 5) | 0, ByteString()) + DNSName("example.com"),
+           Success),
+  WITH_SAN("example.com", ByteString(),
+           TLV((2 << 6) | (1 << 5) | 0, ByteString()),
+           Result::ERROR_BAD_CERT_DOMAIN),
+};
+
+ByteString
+CreateCert(const ByteString& subject, const ByteString& subjectAltName,
+           EndEntityOrCA endEntityOrCA = EndEntityOrCA::MustBeEndEntity)
+{
+  ByteString serialNumber(CreateEncodedSerialNumber(1));
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+
+  ByteString issuerDER(Name(RDN(CN("issuer"))));
+  EXPECT_FALSE(ENCODING_FAILED(issuerDER));
+
+  ByteString extensions[2];
+  if (subjectAltName != NO_SAN) {
+    extensions[0] = CreateEncodedSubjectAltName(subjectAltName);
+    EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
+  }
+  if (endEntityOrCA == EndEntityOrCA::MustBeCA) {
+    // Currently, these tests assume that if we're creating a CA certificate, it
+    // will not have a subjectAlternativeName extension. If that assumption
+    // changes, this code will have to be updated. Ideally this would be
+    // ASSERT_EQ, but that inserts a 'return;', which doesn't match this
+    // function's return type.
+    EXPECT_EQ(subjectAltName, NO_SAN);
+    extensions[0] = CreateEncodedBasicConstraints(true, nullptr,
+                                                  Critical::Yes);
+    EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
+  }
+
+  ScopedTestKeyPair keyPair(CloneReusedKeyPair());
+  return CreateEncodedCertificate(
+                    v3, sha256WithRSAEncryption(), serialNumber, issuerDER,
+                    oneDayBeforeNow, oneDayAfterNow, Name(subject), *keyPair,
+                    extensions, *keyPair, sha256WithRSAEncryption());
+}
+
+TEST_P(pkixnames_CheckCertHostname, CheckCertHostname)
+{
+  const CheckCertHostnameParams& param(GetParam());
+
+  ByteString cert(CreateCert(param.subject, param.subjectAltName));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+  Input hostnameInput;
+  ASSERT_EQ(Success, hostnameInput.Init(param.hostname.data(),
+                                        param.hostname.length()));
+
+  ASSERT_EQ(param.result, CheckCertHostname(certInput, hostnameInput,
+                                            mNameMatchingPolicy));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckCertHostname,
+                        pkixnames_CheckCertHostname,
+                        testing::ValuesIn(CHECK_CERT_HOSTNAME_PARAMS));
+
+TEST_F(pkixnames_CheckCertHostname, SANWithoutSequence)
+{
+  // A certificate with a truly empty SAN extension (one that doesn't even
+  // contain a SEQUENCE at all) is malformed. If we didn't treat this as
+  // malformed then we'd have to treat it like the CN_EmptySAN cases.
+
+  ByteString serialNumber(CreateEncodedSerialNumber(1));
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+
+  ByteString extensions[2];
+  extensions[0] = CreateEncodedEmptySubjectAltName();
+  ASSERT_FALSE(ENCODING_FAILED(extensions[0]));
+
+  ScopedTestKeyPair keyPair(CloneReusedKeyPair());
+  ByteString certDER(CreateEncodedCertificate(
+                       v3, sha256WithRSAEncryption(), serialNumber,
+                       Name(RDN(CN("issuer"))), oneDayBeforeNow, oneDayAfterNow,
+                       Name(RDN(CN("a"))), *keyPair, extensions,
+                       *keyPair, sha256WithRSAEncryption()));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length()));
+
+  static const uint8_t a[] = { 'a' };
+  ASSERT_EQ(Result::ERROR_EXTENSION_VALUE_INVALID,
+            CheckCertHostname(certInput, Input(a), mNameMatchingPolicy));
+}
+
+class pkixnames_CheckCertHostname_PresentedMatchesReference
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<PresentedMatchesReference>
+{
+public:
+  DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_CheckCertHostname_PresentedMatchesReference, CN_NoSAN)
+{
+  // Since there is no SAN, a valid presented DNS ID in the subject CN field
+  // should result in a match.
+
+  const PresentedMatchesReference& param(GetParam());
+
+  ByteString cert(CreateCert(RDN(CN(param.presentedDNSID)), NO_SAN));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+  Input hostnameInput;
+  ASSERT_EQ(Success, hostnameInput.Init(param.referenceDNSID.data(),
+                                        param.referenceDNSID.length()));
+
+  ASSERT_EQ(param.expectedMatches ? Success : Result::ERROR_BAD_CERT_DOMAIN,
+            CheckCertHostname(certInput, hostnameInput, mNameMatchingPolicy));
+}
+
+TEST_P(pkixnames_CheckCertHostname_PresentedMatchesReference,
+       SubjectAltName_CNNotDNSName)
+{
+  // A DNSName SAN entry should match, regardless of the contents of the
+  // subject CN.
+
+  const PresentedMatchesReference& param(GetParam());
+
+  ByteString cert(CreateCert(RDN(CN("Common Name")),
+                             DNSName(param.presentedDNSID)));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+  Input hostnameInput;
+  ASSERT_EQ(Success, hostnameInput.Init(param.referenceDNSID.data(),
+                                        param.referenceDNSID.length()));
+  Result expectedResult
+    = param.expectedResult != Success ? param.expectedResult
+    : param.expectedMatches ? Success
+    : Result::ERROR_BAD_CERT_DOMAIN;
+  ASSERT_EQ(expectedResult, CheckCertHostname(certInput, hostnameInput,
+                                              mNameMatchingPolicy));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckCertHostname_DNSID_MATCH_PARAMS,
+                        pkixnames_CheckCertHostname_PresentedMatchesReference,
+                        testing::ValuesIn(DNSID_MATCH_PARAMS));
+
+TEST_P(pkixnames_Turkish_I_Comparison, CheckCertHostname_CN_NoSAN)
+{
+  // Make sure we don't have the similar problems that strcasecmp and others
+  // have with the other kinds of "i" and "I" commonly used in Turkish locales,
+  // when we're matching a CN due to lack of subjectAltName.
+
+  const InputValidity& param(GetParam());
+  SCOPED_TRACE(param.input.c_str());
+
+  Input input;
+  ASSERT_EQ(Success, input.Init(param.input.data(), param.input.length()));
+
+  ByteString cert(CreateCert(RDN(CN(param.input)), NO_SAN));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+  Result expectedResult = (InputsAreEqual(LOWERCASE_I, input) ||
+                           InputsAreEqual(UPPERCASE_I, input))
+                        ? Success
+                        : Result::ERROR_BAD_CERT_DOMAIN;
+
+  ASSERT_EQ(expectedResult, CheckCertHostname(certInput, UPPERCASE_I,
+                                              mNameMatchingPolicy));
+  ASSERT_EQ(expectedResult, CheckCertHostname(certInput, LOWERCASE_I,
+                                              mNameMatchingPolicy));
+}
+
+TEST_P(pkixnames_Turkish_I_Comparison, CheckCertHostname_SAN)
+{
+  // Make sure we don't have the similar problems that strcasecmp and others
+  // have with the other kinds of "i" and "I" commonly used in Turkish locales,
+  // when we're matching a dNSName in the SAN.
+
+  const InputValidity& param(GetParam());
+  SCOPED_TRACE(param.input.c_str());
+
+  Input input;
+  ASSERT_EQ(Success, input.Init(param.input.data(), param.input.length()));
+
+  ByteString cert(CreateCert(RDN(CN("Common Name")), DNSName(param.input)));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+  Result expectedResult
+    = (!param.isValidPresentedID) ? Result::ERROR_BAD_DER
+    : (InputsAreEqual(LOWERCASE_I, input) ||
+       InputsAreEqual(UPPERCASE_I, input)) ? Success
+    : Result::ERROR_BAD_CERT_DOMAIN;
+
+  ASSERT_EQ(expectedResult, CheckCertHostname(certInput, UPPERCASE_I,
+                                              mNameMatchingPolicy));
+  ASSERT_EQ(expectedResult, CheckCertHostname(certInput, LOWERCASE_I,
+                                              mNameMatchingPolicy));
+}
+
+class pkixnames_CheckCertHostname_IPV4_Addresses
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<IPAddressParams<4>>
+{
+public:
+  DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_CheckCertHostname_IPV4_Addresses,
+       ValidIPv4AddressInIPAddressSAN)
+{
+  // When the reference hostname is a valid IPv4 address, a correctly-formed
+  // IPv4 Address SAN matches it.
+
+  const IPAddressParams<4>& param(GetParam());
+
+  ByteString cert(CreateCert(RDN(CN("Common Name")),
+                             IPAddress(param.expectedValueIfValid)));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+  Input hostnameInput;
+  ASSERT_EQ(Success, hostnameInput.Init(param.input.data(),
+                                        param.input.length()));
+
+  ASSERT_EQ(param.isValid ? Success : Result::ERROR_BAD_CERT_DOMAIN,
+            CheckCertHostname(certInput, hostnameInput, mNameMatchingPolicy));
+}
+
+TEST_P(pkixnames_CheckCertHostname_IPV4_Addresses,
+       ValidIPv4AddressInCN_NoSAN)
+{
+  // When the reference hostname is a valid IPv4 address, a correctly-formed
+  // IPv4 Address in the CN matches it when there is no SAN.
+
+  const IPAddressParams<4>& param(GetParam());
+
+  SCOPED_TRACE(param.input.c_str());
+
+  ByteString cert(CreateCert(RDN(CN(param.input)), NO_SAN));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+  Input hostnameInput;
+  ASSERT_EQ(Success, hostnameInput.Init(param.input.data(),
+                                        param.input.length()));
+
+  // Some of the invalid IPv4 addresses are valid DNS names!
+  Result expectedResult = (param.isValid || IsValidReferenceDNSID(hostnameInput))
+                        ? Success
+                        : Result::ERROR_BAD_CERT_DOMAIN;
+
+  ASSERT_EQ(expectedResult, CheckCertHostname(certInput, hostnameInput,
+                                              mNameMatchingPolicy));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckCertHostname_IPV4_ADDRESSES,
+                        pkixnames_CheckCertHostname_IPV4_Addresses,
+                        testing::ValuesIn(IPV4_ADDRESSES));
+
+struct NameConstraintParams
+{
+  ByteString subject;
+  ByteString subjectAltName;
+  ByteString subtrees;
+  Result expectedPermittedSubtreesResult;
+  Result expectedExcludedSubtreesResult;
+};
+
+::std::ostream& operator<<(::std::ostream& os, const NameConstraintParams&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+static ByteString
+PermittedSubtrees(const ByteString& generalSubtrees)
+{
+  return TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
+             generalSubtrees);
+}
+
+static ByteString
+ExcludedSubtrees(const ByteString& generalSubtrees)
+{
+  return TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
+             generalSubtrees);
+}
+
+// Does not encode min or max.
+static ByteString
+GeneralSubtree(const ByteString& base)
+{
+  return TLV(der::SEQUENCE, base);
+}
+
+static const NameConstraintParams NAME_CONSTRAINT_PARAMS[] =
+{
+  /////////////////////////////////////////////////////////////////////////////
+  // XXX: Malformed name constraints for supported types of names are ignored
+  // when there are no names of that type to constrain.
+  { ByteString(), NO_SAN,
+    GeneralSubtree(DNSName("!")),
+    Success, Success
+  },
+  { // DirectoryName constraints are an exception, because *every* certificate
+    // has at least one DirectoryName (tbsCertificate.subject).
+    ByteString(), NO_SAN,
+    GeneralSubtree(Name(ByteString(reinterpret_cast<const uint8_t*>("!"), 1))),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { ByteString(), NO_SAN,
+    GeneralSubtree(IPAddress(ipv4_constraint_truncated_bytes)),
+    Success, Success
+  },
+  { ByteString(), NO_SAN,
+    GeneralSubtree(IPAddress(ipv4_constraint_overlong_bytes)),
+    Success, Success
+  },
+  { ByteString(), NO_SAN,
+  GeneralSubtree(IPAddress(ipv6_constraint_truncated_bytes)),
+  Success, Success
+  },
+  { ByteString(), NO_SAN,
+  GeneralSubtree(IPAddress(ipv6_constraint_overlong_bytes)),
+  Success, Success
+  },
+  { ByteString(), NO_SAN,
+    GeneralSubtree(RFC822Name("!")),
+    Success, Success
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
+  // Edge cases of name constraint absolute vs. relative and subdomain matching
+  // that are not clearly explained in RFC 5280. (See the long comment above
+  // MatchPresentedDNSIDWithReferenceDNSID.)
+
+  // Q: Does a presented identifier equal (case insensitive) to the name
+  //    constraint match the constraint? For example, does the presented
+  //    ID "host.example.com" match a "host.example.com" constraint?
+  { ByteString(), DNSName("host.example.com"),
+    GeneralSubtree(DNSName("host.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // This test case is an example from RFC 5280.
+    ByteString(), DNSName("host1.example.com"),
+    GeneralSubtree(DNSName("host.example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { ByteString(), RFC822Name("a@host.example.com"),
+    GeneralSubtree(RFC822Name("host.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // This test case is an example from RFC 5280.
+    ByteString(), RFC822Name("a@host1.example.com"),
+    GeneralSubtree(RFC822Name("host.example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+
+  // Q: When the name constraint does not start with ".", do subdomain
+  //    presented identifiers match it? For example, does the presented
+  //    ID "www.host.example.com" match a "host.example.com" constraint?
+  { // This test case is an example from RFC 5280.
+    ByteString(),  DNSName("www.host.example.com"),
+    GeneralSubtree(DNSName(    "host.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // The subdomain matching rule for host names that do not start with "." is
+    // different for RFC822Names than for DNSNames!
+    ByteString(),  RFC822Name("a@www.host.example.com"),
+    GeneralSubtree(RFC822Name(      "host.example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE,
+    Success
+  },
+
+  // Q: When the name constraint does not start with ".", does a
+  //    non-subdomain prefix match it? For example, does "bigfoo.bar.com"
+  //    match "foo.bar.com"?
+  { ByteString(), DNSName("bigfoo.bar.com"),
+    GeneralSubtree(DNSName(  "foo.bar.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { ByteString(), RFC822Name("a@bigfoo.bar.com"),
+    GeneralSubtree(RFC822Name(    "foo.bar.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+
+  // Q: Is a name constraint that starts with "." valid, and if so, what
+  //    semantics does it have? For example, does a presented ID of
+  //    "www.example.com" match a constraint of ".example.com"? Does a
+  //    presented ID of "example.com" match a constraint of ".example.com"?
+  { ByteString(), DNSName("www.example.com"),
+    GeneralSubtree(DNSName(  ".example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // When there is no Local-part, an RFC822 name constraint's domain may
+    // start with '.', and the semantics are the same as for DNSNames.
+    ByteString(), RFC822Name("a@www.example.com"),
+    GeneralSubtree(RFC822Name(    ".example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // When there is a Local-part, an RFC822 name constraint's domain must not
+    // start with '.'.
+    ByteString(), RFC822Name("a@www.example.com"),
+    GeneralSubtree(RFC822Name(  "a@.example.com")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // Check that we only allow subdomains to match.
+    ByteString(), DNSName(  "example.com"),
+    GeneralSubtree(DNSName(".example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // Check that we only allow subdomains to match.
+    ByteString(), RFC822Name("a@example.com"),
+    GeneralSubtree(RFC822Name(".example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // Check that we don't get confused and consider "b" == "."
+    ByteString(), DNSName("bexample.com"),
+    GeneralSubtree(DNSName(".example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // Check that we don't get confused and consider "b" == "."
+    ByteString(), RFC822Name("a@bexample.com"),
+    GeneralSubtree(RFC822Name( ".example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+
+  // Q: Is there a way to prevent subdomain matches?
+  // (This is tested in a different set of tests because it requires a
+  // combination of permittedSubtrees and excludedSubtrees.)
+
+  // Q: Are name constraints allowed to be specified as absolute names?
+  //    For example, does a presented ID of "example.com" match a name
+  //    constraint of "example.com." and vice versa?
+  //
+  { // The DNSName in the constraint is not valid because constraint DNS IDs
+    // are not allowed to be absolute.
+    ByteString(), DNSName("example.com"),
+    GeneralSubtree(DNSName("example.com.")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+  },
+  { ByteString(), RFC822Name("a@example.com"),
+    GeneralSubtree(RFC822Name( "example.com.")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+  },
+  { // The DNSName in the SAN is not valid because presented DNS IDs are not
+    // allowed to be absolute.
+    ByteString(), DNSName("example.com."),
+    GeneralSubtree(DNSName("example.com")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+  },
+  { ByteString(), RFC822Name("a@example.com."),
+    GeneralSubtree(RFC822Name( "example.com")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+  },
+  { // The presented DNSName is the same length as the constraint, because the
+    // subdomain is only one character long and because the constraint both
+    // begins and ends with ".". But, it doesn't matter because absolute names
+    // are not allowed for DNSName constraints.
+    ByteString(), DNSName("p.example.com"),
+    GeneralSubtree(DNSName(".example.com.")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+  },
+  { // The presented DNSName is the same length as the constraint, because the
+    // subdomain is only one character long and because the constraint both
+    // begins and ends with ".".
+    ByteString(), RFC822Name("a@p.example.com"),
+    GeneralSubtree(RFC822Name(  ".example.com.")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+  },
+  { // Same as previous test case, but using a wildcard presented ID.
+    ByteString(), DNSName("*.example.com"),
+    GeneralSubtree(DNSName(".example.com.")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // Same as previous test case, but using a wildcard presented ID, which is
+    // invalid in an RFC822Name.
+    ByteString(), RFC822Name("a@*.example.com"),
+    GeneralSubtree(RFC822Name(  ".example.com.")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+
+  // Q: Are "" and "." valid DNSName constraints? If so, what do they mean?
+  { ByteString(), DNSName("example.com"),
+    GeneralSubtree(DNSName("")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), RFC822Name("a@example.com"),
+    GeneralSubtree(RFC822Name("")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // The malformed (absolute) presented ID does not match.
+    ByteString(), DNSName("example.com."),
+    GeneralSubtree(DNSName("")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { ByteString(), RFC822Name("a@example.com."),
+    GeneralSubtree(RFC822Name("")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // Invalid syntax in name constraint
+    ByteString(), DNSName("example.com"),
+    GeneralSubtree(DNSName(".")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+  },
+  { // Invalid syntax in name constraint
+    ByteString(), RFC822Name("a@example.com"),
+    GeneralSubtree(RFC822Name(".")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+  },
+  { ByteString(), DNSName("example.com."),
+    GeneralSubtree(DNSName(".")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { ByteString(), RFC822Name("a@example.com."),
+    GeneralSubtree(RFC822Name(".")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
+  // Basic IP Address constraints (non-CN-ID)
+
+  // The Mozilla CA Policy says this means "no IPv4 addresses allowed."
+  { ByteString(), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), IPAddress(ipv4_addr_00000000_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), IPAddress(ipv4_addr_FFFFFFFF_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+
+  // The Mozilla CA Policy says this means "no IPv6 addresses allowed."
+  { ByteString(), IPAddress(ipv6_addr_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), IPAddress(ipv6_addr_all_zeros_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+
+  // RFC 5280 doesn't partition IP address constraints into separate IPv4 and
+  // IPv6 categories, so a IPv4 permittedSubtrees constraint excludes all IPv6
+  // addresses, and vice versa.
+  { ByteString(), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { ByteString(), IPAddress(ipv6_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+
+  // IPv4 Subnets
+  { ByteString(), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_CIDR_16_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_CIDR_17_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), IPAddress(ipv4_other_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_CIDR_16_bytes)),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // XXX(bug 1089430): We don't reject this even though it is weird.
+    ByteString(), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_CIDR_16_bad_addr_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // XXX(bug 1089430): We don't reject this even though it is weird.
+    ByteString(), IPAddress(ipv4_other_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_bad_mask_bytes)),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+
+  // IPv6 Subnets
+  { ByteString(), IPAddress(ipv6_addr_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_CIDR_16_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), IPAddress(ipv6_other_addr_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_CIDR_16_bytes)),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // XXX(bug 1089430): We don't reject this even though it is weird.
+    ByteString(), IPAddress(ipv6_addr_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_CIDR_16_bad_addr_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // XXX(bug 1089430): We don't reject this even though it is weird.
+    ByteString(), IPAddress(ipv6_other_addr_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_bad_mask_bytes)),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+
+  // Malformed presented IP addresses and constraints
+
+  { // The presented IPv4 address is empty
+    ByteString(), IPAddress(),
+    GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv4 address is truncated
+    ByteString(), IPAddress(ipv4_addr_truncated_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv4 address is too long
+    ByteString(), IPAddress(ipv4_addr_overlong_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv4 constraint is empty
+    ByteString(), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(IPAddress()),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv4 constraint is truncated
+    ByteString(), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_truncated_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv4 constraint is too long
+    ByteString(), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_overlong_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv6 address is empty
+    ByteString(), IPAddress(),
+    GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv6 address is truncated
+    ByteString(), IPAddress(ipv6_addr_truncated_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv6 address is too long
+    ByteString(), IPAddress(ipv6_addr_overlong_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv6 constraint is empty
+    ByteString(), IPAddress(ipv6_addr_bytes),
+    GeneralSubtree(IPAddress()),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv6 constraint is truncated
+    ByteString(), IPAddress(ipv6_addr_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_truncated_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv6 constraint is too long
+    ByteString(), IPAddress(ipv6_addr_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_overlong_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
+  // XXX: We don't reject malformed name constraints when there are no names of
+  // that type.
+  { ByteString(), NO_SAN, GeneralSubtree(DNSName("!")),
+    Success, Success
+  },
+  { ByteString(), NO_SAN, GeneralSubtree(IPAddress(ipv4_addr_overlong_bytes)),
+    Success, Success
+  },
+  { ByteString(), NO_SAN, GeneralSubtree(IPAddress(ipv6_addr_overlong_bytes)),
+    Success, Success
+  },
+  { ByteString(), NO_SAN, GeneralSubtree(RFC822Name("\0")),
+    Success, Success
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
+  // Basic CN-ID DNSName constraint tests.
+
+  { // Empty Name is ignored for DNSName constraints.
+    ByteString(), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { // Empty CN is ignored for DNSName constraints because it isn't a
+    // syntactically-valid DNSName.
+    //
+    // NSS gives different results.
+    RDN(CN("")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { // IP Address is ignored for DNSName constraints.
+    //
+    // NSS gives different results.
+    RDN(CN("1.2.3.4")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { // OU has something that looks like a dNSName that matches.
+    RDN(OU("a.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { // OU has something that looks like a dNSName that does not match.
+    RDN(OU("b.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { // NSS gives different results.
+    RDN(CN("Not a DNSName")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { RDN(CN("a.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { RDN(CN("b.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // DNSName CN-ID match is detected when there is a SAN w/o any DNSName or
+    // IPAddress
+    RDN(CN("a.example.com")), RFC822Name("foo@example.com"),
+    GeneralSubtree(DNSName("a.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // DNSName CN-ID mismatch is detected when there is a SAN w/o any DNSName
+    // or IPAddress
+    RDN(CN("a.example.com")), RFC822Name("foo@example.com"),
+    GeneralSubtree(DNSName("b.example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // DNSName CN-ID match not reported when there is a DNSName SAN
+    RDN(CN("a.example.com")), DNSName("b.example.com"),
+    GeneralSubtree(DNSName("a.example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // DNSName CN-ID mismatch not reported when there is a DNSName SAN
+    RDN(CN("a.example.com")), DNSName("b.example.com"),
+    GeneralSubtree(DNSName("b.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE,
+  },
+  { // DNSName CN-ID match not reported when there is an IPAddress SAN
+    RDN(CN("a.example.com")), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { // DNSName CN-ID mismatch not reported when there is an IPAddress SAN
+    RDN(CN("a.example.com")), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(DNSName("b.example.com")),
+    Success, Success
+  },
+
+  { // IPAddress CN-ID match is detected when there is a SAN w/o any DNSName or
+    // IPAddress
+    RDN(CN(ipv4_addr_str)), RFC822Name("foo@example.com"),
+    GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // IPAddress CN-ID mismatch is detected when there is a SAN w/o any DNSName
+    // or IPAddress
+    RDN(CN(ipv4_addr_str)), RFC822Name("foo@example.com"),
+    GeneralSubtree(IPAddress(ipv4_other_addr_bytes_FFFFFFFF)),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // IPAddress CN-ID match not reported when there is a DNSName SAN
+    RDN(CN(ipv4_addr_str)), DNSName("b.example.com"),
+    GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)),
+    Success, Success
+  },
+  { // IPAddress CN-ID mismatch not reported when there is a DNSName SAN
+    RDN(CN(ipv4_addr_str)), DNSName("b.example.com"),
+    GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)),
+    Success, Success
+  },
+  { // IPAddress CN-ID match not reported when there is an IPAddress SAN
+    RDN(CN(ipv4_addr_str)), IPAddress(ipv4_other_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // IPAddress CN-ID mismatch not reported when there is an IPAddress SAN
+    RDN(CN(ipv4_addr_str)), IPAddress(ipv4_other_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_other_addr_bytes_FFFFFFFF)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
+  // Test that constraints are applied to the most specific (last) CN, and only
+  // that CN-ID.
+
+  { // Name constraint only matches a.example.com, but the most specific CN
+    // (i.e. the CN-ID) is b.example.com. (Two CNs in one RDN.)
+    RDN(CN("a.example.com") + CN("b.example.com")), NO_SAN,
+    GeneralSubtree(DNSName("a.example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // Name constraint only matches a.example.com, but the most specific CN
+    // (i.e. the CN-ID) is b.example.com. (Two CNs in separate RDNs.)
+    RDN(CN("a.example.com")) + RDN(CN("b.example.com")), NO_SAN,
+    GeneralSubtree(DNSName("a.example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // Name constraint only permits b.example.com, and the most specific CN
+    // (i.e. the CN-ID) is b.example.com. (Two CNs in one RDN.)
+    RDN(CN("a.example.com") + CN("b.example.com")), NO_SAN,
+    GeneralSubtree(DNSName("b.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // Name constraint only permits b.example.com, and the most specific CN
+    // (i.e. the CN-ID) is b.example.com. (Two CNs in separate RDNs.)
+    RDN(CN("a.example.com")) + RDN(CN("b.example.com")), NO_SAN,
+    GeneralSubtree(DNSName("b.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
+  // Additional RFC822 name constraint tests. There are more tests regarding
+  // the DNSName part of the constraint mixed into the DNSName constraint
+  // tests.
+
+  { ByteString(), RFC822Name("a@example.com"),
+    GeneralSubtree(RFC822Name("a@example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+
+  // Bug 1056773: name constraints that omit Local-part but include '@' are
+  // invalid.
+  { ByteString(), RFC822Name("a@example.com"),
+    GeneralSubtree(RFC822Name("@example.com")),
+    Result::ERROR_BAD_DER,
+    Result::ERROR_BAD_DER
+  },
+  { ByteString(), RFC822Name("@example.com"),
+    GeneralSubtree(RFC822Name("@example.com")),
+    Result::ERROR_BAD_DER,
+    Result::ERROR_BAD_DER
+  },
+  { ByteString(), RFC822Name("example.com"),
+    GeneralSubtree(RFC822Name("@example.com")),
+    Result::ERROR_BAD_DER,
+    Result::ERROR_BAD_DER
+  },
+  { ByteString(), RFC822Name("a@mail.example.com"),
+    GeneralSubtree(RFC822Name("a@*.example.com")),
+    Result::ERROR_BAD_DER,
+    Result::ERROR_BAD_DER
+  },
+  { ByteString(), RFC822Name("a@*.example.com"),
+    GeneralSubtree(RFC822Name(".example.com")),
+    Result::ERROR_BAD_DER,
+    Result::ERROR_BAD_DER
+  },
+  { ByteString(), RFC822Name("@example.com"),
+    GeneralSubtree(RFC822Name(".example.com")),
+    Result::ERROR_BAD_DER,
+    Result::ERROR_BAD_DER
+  },
+  { ByteString(), RFC822Name("@a.example.com"),
+    GeneralSubtree(RFC822Name(".example.com")),
+    Result::ERROR_BAD_DER,
+    Result::ERROR_BAD_DER
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
+  // Test name constraints with underscores.
+  //
+  { ByteString(), DNSName("uses_underscore.example.com"),
+    GeneralSubtree(DNSName("uses_underscore.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), DNSName("uses_underscore.example.com"),
+    GeneralSubtree(DNSName("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), DNSName("a.uses_underscore.example.com"),
+    GeneralSubtree(DNSName("uses_underscore.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), RFC822Name("a@uses_underscore.example.com"),
+    GeneralSubtree(RFC822Name("uses_underscore.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), RFC822Name("uses_underscore@example.com"),
+    GeneralSubtree(RFC822Name("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), RFC822Name("a@a.uses_underscore.example.com"),
+    GeneralSubtree(RFC822Name(".uses_underscore.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
+  // Name constraint tests that relate to having an empty SAN. According to RFC
+  // 5280 this isn't valid, but we allow it for compatibility reasons (see bug
+  // 1143085).
+  { // For DNSNames, we fall back to the subject CN.
+    RDN(CN("a.example.com")), ByteString(),
+    GeneralSubtree(DNSName("a.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // For RFC822Names, we do not fall back to the subject emailAddress.
+    // This new implementation seems to conform better to the standards for
+    // RFC822 name constraints, by only applying the name constraints to
+    // emailAddress names in the certificate subject if there is no
+    // subjectAltName extension in the cert.
+    // In this case, the presence of the (empty) SAN extension means that RFC822
+    // name constraints are not enforced on the emailAddress attributes of the
+    // subject.
+    RDN(emailAddress("a@example.com")), ByteString(),
+    GeneralSubtree(RFC822Name("a@example.com")),
+    Success, Success
+  },
+  { // Compare this to the case where there is no SAN (i.e. the name
+    // constraints are enforced, because the extension is not present at all).
+    RDN(emailAddress("a@example.com")), NO_SAN,
+    GeneralSubtree(RFC822Name("a@example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
+  // DirectoryName name constraint tests
+
+  { // One AVA per RDN
+    RDN(OU("Example Organization")) + RDN(CN("example.com")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization")) +
+                                      RDN(CN("example.com"))))),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // RDNs can have multiple AVAs.
+    RDN(OU("Example Organization") + CN("example.com")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization") +
+                                          CN("example.com"))))),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // The constraint is a prefix of the subject DN.
+    RDN(OU("Example Organization")) + RDN(CN("example.com")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // The name constraint is not a prefix of the subject DN.
+    // Note that for excludedSubtrees, we simply prohibit any non-empty
+    // directoryName constraint to ensure we are not being too lenient.
+    RDN(OU("Other Example Organization")) + RDN(CN("example.com")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization")) +
+                                      RDN(CN("example.com"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // Same as the previous one, but one RDN with multiple AVAs.
+    RDN(OU("Other Example Organization") + CN("example.com")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization") +
+                                          CN("example.com"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // With multiple AVAs per RDN in the subject DN, the constraint is not a
+    // prefix of the subject DN.
+    RDN(OU("Example Organization") + CN("example.com")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // The subject DN RDN has multiple AVAs, but the name constraint has only
+    // one AVA per RDN.
+    RDN(OU("Example Organization") + CN("example.com")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization")) +
+                                      RDN(CN("example.com"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // The name constraint RDN has multiple AVAs, but the subject DN has only
+    // one AVA per RDN.
+    RDN(OU("Example Organization")) + RDN(CN("example.com")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization") +
+                                          CN("example.com"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // In this case, the constraint uses a different encoding from the subject.
+    // We consider them to match because we allow UTF8String and
+    // PrintableString to compare equal when their contents are equal.
+    RDN(OU("Example Organization", der::UTF8String)) + RDN(CN("example.com")),
+    NO_SAN, GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization",
+                                                     der::PrintableString)) +
+                                              RDN(CN("example.com"))))),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // Same as above, but with UTF8String/PrintableString switched.
+    RDN(OU("Example Organization", der::PrintableString)) + RDN(CN("example.com")),
+    NO_SAN, GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization",
+                                                     der::UTF8String)) +
+                                              RDN(CN("example.com"))))),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // If the contents aren't the same, then they shouldn't match.
+    RDN(OU("Other Example Organization", der::UTF8String)) + RDN(CN("example.com")),
+    NO_SAN, GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization",
+                                                     der::PrintableString)) +
+                                              RDN(CN("example.com"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // Only UTF8String and PrintableString are considered equivalent.
+    RDN(OU("Example Organization", der::PrintableString)) + RDN(CN("example.com")),
+    NO_SAN, GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization",
+                                                     der::TeletexString)) +
+                                              RDN(CN("example.com"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  // Some additional tests for completeness:
+  // Ensure that wildcards are handled:
+  { RDN(CN("*.example.com")), NO_SAN, GeneralSubtree(DNSName("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), DNSName("*.example.com"),
+    GeneralSubtree(DNSName("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), DNSName("www.example.com"),
+    GeneralSubtree(DNSName("*.example.com")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  // Handle multiple name constraint entries:
+  { RDN(CN("example.com")), NO_SAN,
+    GeneralSubtree(DNSName("example.org")) +
+      GeneralSubtree(DNSName("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), DNSName("example.com"),
+    GeneralSubtree(DNSName("example.org")) +
+      GeneralSubtree(DNSName("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  // Handle multiple names in subject alternative name extension:
+  { ByteString(), DNSName("example.com") + DNSName("example.org"),
+    GeneralSubtree(DNSName("example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  // Handle a mix of DNSName and DirectoryName:
+  { RDN(OU("Example Organization")), DNSName("example.com"),
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))) +
+      GeneralSubtree(DNSName("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { RDN(OU("Other Example Organization")), DNSName("example.com"),
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))) +
+      GeneralSubtree(DNSName("example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { RDN(OU("Example Organization")), DNSName("example.org"),
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))) +
+      GeneralSubtree(DNSName("example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  // Handle a certificate with no DirectoryName:
+  { ByteString(), DNSName("example.com"),
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+};
+
+class pkixnames_CheckNameConstraints
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<NameConstraintParams>
+{
+public:
+  DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_CheckNameConstraints,
+       NameConstraintsEnforcedForDirectlyIssuedEndEntity)
+{
+  // Test that name constraints are enforced on a certificate directly issued by
+  // a certificate with the given name constraints.
+
+  const NameConstraintParams& param(GetParam());
+
+  ByteString certDER(CreateCert(param.subject, param.subjectAltName));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length()));
+  BackCert cert(certInput, EndEntityOrCA::MustBeEndEntity, nullptr);
+  ASSERT_EQ(Success, cert.Init());
+
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      PermittedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedPermittedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_serverAuth));
+  }
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      ExcludedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedExcludedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_serverAuth));
+  }
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      PermittedSubtrees(param.subtrees) +
+                                      ExcludedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ((param.expectedPermittedSubtreesResult ==
+               param.expectedExcludedSubtreesResult)
+                ? param.expectedExcludedSubtreesResult
+                : Result::ERROR_CERT_NOT_IN_NAME_SPACE,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_serverAuth));
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckNameConstraints,
+                        pkixnames_CheckNameConstraints,
+                        testing::ValuesIn(NAME_CONSTRAINT_PARAMS));
+
+// The |subjectAltName| param is not used for these test cases (hence the use of
+// "NO_SAN").
+static const NameConstraintParams NO_FALLBACK_NAME_CONSTRAINT_PARAMS[] =
+{
+  // The only difference between end-entities being verified for serverAuth and
+  // intermediates or end-entities being verified for other uses is that for
+  // the latter cases, there is no fallback matching of DNSName entries to the
+  // subject common name.
+  { RDN(CN("Not a DNSName")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { RDN(CN("a.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { RDN(CN("b.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  // Sanity-check that name constraints are in fact enforced in these cases.
+  { RDN(CN("Example Name")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(CN("Example Name"))))),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  // (In this implementation, if a DirectoryName is in excludedSubtrees, nothing
+  // is considered to be in the name space.)
+  { RDN(CN("Other Example Name")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(CN("Example Name"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+};
+
+class pkixnames_CheckNameConstraintsOnIntermediate
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<NameConstraintParams>
+{
+};
+
+TEST_P(pkixnames_CheckNameConstraintsOnIntermediate,
+       NameConstraintsEnforcedOnIntermediate)
+{
+  // Test that name constraints are enforced on an intermediate certificate
+  // directly issued by a certificate with the given name constraints.
+
+  const NameConstraintParams& param(GetParam());
+
+  ByteString certDER(CreateCert(param.subject, NO_SAN,
+                                EndEntityOrCA::MustBeCA));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length()));
+  BackCert cert(certInput, EndEntityOrCA::MustBeCA, nullptr);
+  ASSERT_EQ(Success, cert.Init());
+
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      PermittedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedPermittedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_serverAuth));
+  }
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      ExcludedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedExcludedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_serverAuth));
+  }
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      PermittedSubtrees(param.subtrees) +
+                                      ExcludedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedExcludedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_serverAuth));
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckNameConstraintsOnIntermediate,
+                        pkixnames_CheckNameConstraintsOnIntermediate,
+                        testing::ValuesIn(NO_FALLBACK_NAME_CONSTRAINT_PARAMS));
+
+class pkixnames_CheckNameConstraintsForNonServerAuthUsage
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<NameConstraintParams>
+{
+};
+
+TEST_P(pkixnames_CheckNameConstraintsForNonServerAuthUsage,
+       NameConstraintsEnforcedForNonServerAuthUsage)
+{
+  // Test that for key purposes other than serverAuth, fallback to the subject
+  // common name does not occur.
+
+  const NameConstraintParams& param(GetParam());
+
+  ByteString certDER(CreateCert(param.subject, NO_SAN));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length()));
+  BackCert cert(certInput, EndEntityOrCA::MustBeEndEntity, nullptr);
+  ASSERT_EQ(Success, cert.Init());
+
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      PermittedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedPermittedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_clientAuth));
+  }
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      ExcludedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedExcludedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_clientAuth));
+  }
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      PermittedSubtrees(param.subtrees) +
+                                      ExcludedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedExcludedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_clientAuth));
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckNameConstraintsForNonServerAuthUsage,
+                        pkixnames_CheckNameConstraintsForNonServerAuthUsage,
+                        testing::ValuesIn(NO_FALLBACK_NAME_CONSTRAINT_PARAMS));
diff --git a/security/nss/gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
new file mode 100644
index 000000000..ff154e7ec
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
@@ -0,0 +1,146 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+class CreateEncodedOCSPRequestTrustDomain final
+  : public EverythingFailsByDefaultTrustDomain
+{
+private:
+  Result DigestBuf(Input item, DigestAlgorithm digestAlg,
+                   /*out*/ uint8_t *digestBuf, size_t digestBufLen)
+                   override
+  {
+    return TestDigestBuf(item, digestAlg, digestBuf, digestBufLen);
+  }
+
+  Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA, unsigned int)
+                                            override
+  {
+    return Success;
+  }
+};
+
+class pkixocsp_CreateEncodedOCSPRequest : public ::testing::Test
+{
+protected:
+  void MakeIssuerCertIDComponents(const char* issuerASCII,
+                                  /*out*/ ByteString& issuerDER,
+                                  /*out*/ ByteString& issuerSPKI)
+  {
+    issuerDER = CNToDERName(issuerASCII);
+    ASSERT_FALSE(ENCODING_FAILED(issuerDER));
+
+    ScopedTestKeyPair keyPair(GenerateKeyPair());
+    ASSERT_TRUE(keyPair.get());
+    issuerSPKI = keyPair->subjectPublicKeyInfo;
+  }
+
+  CreateEncodedOCSPRequestTrustDomain trustDomain;
+};
+
+// Test that the large length of the child serial number causes
+// CreateEncodedOCSPRequest to fail.
+TEST_F(pkixocsp_CreateEncodedOCSPRequest, ChildCertLongSerialNumberTest)
+{
+  static const uint8_t UNSUPPORTED_LEN = 128; // must be larger than 127
+
+  ByteString serialNumberString;
+  // tag + length + value is 1 + 2 + UNSUPPORTED_LEN
+  // Encoding the length takes two bytes: one byte to indicate that a
+  // second byte follows, and the second byte to indicate the length.
+  serialNumberString.push_back(0x80 + 1);
+  serialNumberString.push_back(UNSUPPORTED_LEN);
+  // value is 0x010000...00
+  serialNumberString.push_back(0x01);
+  for (size_t i = 1; i < UNSUPPORTED_LEN; ++i) {
+    serialNumberString.push_back(0x00);
+  }
+
+  ByteString issuerDER;
+  ByteString issuerSPKI;
+  ASSERT_NO_FATAL_FAILURE(MakeIssuerCertIDComponents("CA", issuerDER,
+                                                     issuerSPKI));
+
+  Input issuer;
+  ASSERT_EQ(Success, issuer.Init(issuerDER.data(), issuerDER.length()));
+
+  Input spki;
+  ASSERT_EQ(Success, spki.Init(issuerSPKI.data(), issuerSPKI.length()));
+
+  Input serialNumber;
+  ASSERT_EQ(Success, serialNumber.Init(serialNumberString.data(),
+                                       serialNumberString.length()));
+
+  uint8_t ocspRequest[OCSP_REQUEST_MAX_LENGTH];
+  size_t ocspRequestLength;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            CreateEncodedOCSPRequest(trustDomain,
+                                     CertID(issuer, spki, serialNumber),
+                                     ocspRequest, ocspRequestLength));
+}
+
+// Test that CreateEncodedOCSPRequest handles the longest serial number that
+// it's required to support (i.e. 20 octets).
+TEST_F(pkixocsp_CreateEncodedOCSPRequest, LongestSupportedSerialNumberTest)
+{
+  static const uint8_t LONGEST_REQUIRED_LEN = 20;
+
+  ByteString serialNumberString;
+  // tag + length + value is 1 + 1 + LONGEST_REQUIRED_LEN
+  serialNumberString.push_back(der::INTEGER);
+  serialNumberString.push_back(LONGEST_REQUIRED_LEN);
+  serialNumberString.push_back(0x01);
+  // value is 0x010000...00
+  for (size_t i = 1; i < LONGEST_REQUIRED_LEN; ++i) {
+    serialNumberString.push_back(0x00);
+  }
+
+  ByteString issuerDER;
+  ByteString issuerSPKI;
+  ASSERT_NO_FATAL_FAILURE(MakeIssuerCertIDComponents("CA", issuerDER,
+                                                     issuerSPKI));
+
+  Input issuer;
+  ASSERT_EQ(Success, issuer.Init(issuerDER.data(), issuerDER.length()));
+
+  Input spki;
+  ASSERT_EQ(Success, spki.Init(issuerSPKI.data(), issuerSPKI.length()));
+
+  Input serialNumber;
+  ASSERT_EQ(Success, serialNumber.Init(serialNumberString.data(),
+                                       serialNumberString.length()));
+
+  uint8_t ocspRequest[OCSP_REQUEST_MAX_LENGTH];
+  size_t ocspRequestLength;
+  ASSERT_EQ(Success,
+            CreateEncodedOCSPRequest(trustDomain,
+                                     CertID(issuer, spki, serialNumber),
+                                     ocspRequest, ocspRequestLength));
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp b/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
new file mode 100644
index 000000000..3fe4e7b5a
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
@@ -0,0 +1,1064 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+const uint16_t END_ENTITY_MAX_LIFETIME_IN_DAYS = 10;
+
+// Note that CheckRevocation is never called for OCSP signing certificates.
+class OCSPTestTrustDomain : public DefaultCryptoTrustDomain
+{
+public:
+  OCSPTestTrustDomain() { }
+
+  Result GetCertTrust(EndEntityOrCA endEntityOrCA, const CertPolicyId&,
+                      Input, /*out*/ TrustLevel& trustLevel)
+                      /*non-final*/ override
+  {
+    EXPECT_EQ(endEntityOrCA, EndEntityOrCA::MustBeEndEntity);
+    trustLevel = TrustLevel::InheritsTrust;
+    return Success;
+  }
+
+  virtual void NoteAuxiliaryExtension(AuxiliaryExtension extension,
+                                      Input extensionData) override
+  {
+    if (extension == AuxiliaryExtension::SCTListFromOCSPResponse) {
+      signedCertificateTimestamps = InputToByteString(extensionData);
+    } else {
+      // We do not currently expect to receive any other extension here.
+      ADD_FAILURE();
+    }
+  }
+
+  ByteString signedCertificateTimestamps;
+};
+
+namespace {
+char const* const rootName = "Test CA 1";
+} // namespace
+
+class pkixocsp_VerifyEncodedResponse : public ::testing::Test
+{
+public:
+  static void SetUpTestCase()
+  {
+    rootKeyPair.reset(GenerateKeyPair());
+    if (!rootKeyPair) {
+      abort();
+    }
+  }
+
+  void SetUp()
+  {
+    rootNameDER = CNToDERName(rootName);
+    if (ENCODING_FAILED(rootNameDER)) {
+      abort();
+    }
+    Input rootNameDERInput;
+    if (rootNameDERInput.Init(rootNameDER.data(), rootNameDER.length())
+          != Success) {
+      abort();
+    }
+
+    serialNumberDER =
+      CreateEncodedSerialNumber(static_cast<long>(++rootIssuedCount));
+    if (ENCODING_FAILED(serialNumberDER)) {
+      abort();
+    }
+    Input serialNumberDERInput;
+    if (serialNumberDERInput.Init(serialNumberDER.data(),
+                                  serialNumberDER.length()) != Success) {
+      abort();
+    }
+
+    Input rootSPKIDER;
+    if (rootSPKIDER.Init(rootKeyPair->subjectPublicKeyInfo.data(),
+                         rootKeyPair->subjectPublicKeyInfo.length())
+          != Success) {
+      abort();
+    }
+    endEntityCertID.reset(new (std::nothrow) CertID(rootNameDERInput, rootSPKIDER,
+                                                    serialNumberDERInput));
+    if (!endEntityCertID) {
+      abort();
+    }
+  }
+
+  static ScopedTestKeyPair rootKeyPair;
+  static uint32_t rootIssuedCount;
+  OCSPTestTrustDomain trustDomain;
+
+  // endEntityCertID references rootKeyPair, rootNameDER, and serialNumberDER.
+  ByteString rootNameDER;
+  ByteString serialNumberDER;
+  // endEntityCertID references rootKeyPair, rootNameDER, and serialNumberDER.
+  ScopedCertID endEntityCertID;
+};
+
+/*static*/ ScopedTestKeyPair pkixocsp_VerifyEncodedResponse::rootKeyPair;
+/*static*/ uint32_t pkixocsp_VerifyEncodedResponse::rootIssuedCount = 0;
+
+///////////////////////////////////////////////////////////////////////////////
+// responseStatus
+
+struct WithoutResponseBytes
+{
+  uint8_t responseStatus;
+  Result expectedError;
+};
+
+static const WithoutResponseBytes WITHOUT_RESPONSEBYTES[] = {
+  { OCSPResponseContext::successful, Result::ERROR_OCSP_MALFORMED_RESPONSE },
+  { OCSPResponseContext::malformedRequest, Result::ERROR_OCSP_MALFORMED_REQUEST },
+  { OCSPResponseContext::internalError, Result::ERROR_OCSP_SERVER_ERROR },
+  { OCSPResponseContext::tryLater, Result::ERROR_OCSP_TRY_SERVER_LATER },
+  { 4/*unused*/, Result::ERROR_OCSP_UNKNOWN_RESPONSE_STATUS },
+  { OCSPResponseContext::sigRequired, Result::ERROR_OCSP_REQUEST_NEEDS_SIG },
+  { OCSPResponseContext::unauthorized, Result::ERROR_OCSP_UNAUTHORIZED_REQUEST },
+  { OCSPResponseContext::unauthorized + 1,
+    Result::ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
+  },
+};
+
+class pkixocsp_VerifyEncodedResponse_WithoutResponseBytes
+  : public pkixocsp_VerifyEncodedResponse
+  , public ::testing::WithParamInterface<WithoutResponseBytes>
+{
+protected:
+  ByteString CreateEncodedOCSPErrorResponse(uint8_t status)
+  {
+    static const Input EMPTY;
+    OCSPResponseContext context(CertID(EMPTY, EMPTY, EMPTY),
+                                oneDayBeforeNow);
+    context.responseStatus = status;
+    context.skipResponseBytes = true;
+    return CreateEncodedOCSPResponse(context);
+  }
+};
+
+TEST_P(pkixocsp_VerifyEncodedResponse_WithoutResponseBytes, CorrectErrorCode)
+{
+  ByteString
+    responseString(CreateEncodedOCSPErrorResponse(GetParam().responseStatus));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(GetParam().expectedError,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixocsp_VerifyEncodedResponse_WithoutResponseBytes,
+                        pkixocsp_VerifyEncodedResponse_WithoutResponseBytes,
+                        testing::ValuesIn(WITHOUT_RESPONSEBYTES));
+
+///////////////////////////////////////////////////////////////////////////////
+// "successful" responses
+
+namespace {
+
+// Alias for nullptr to aid readability in the code below.
+static const char* byKey = nullptr;
+
+} // namespace
+
+class pkixocsp_VerifyEncodedResponse_successful
+  : public pkixocsp_VerifyEncodedResponse
+{
+public:
+  void SetUp()
+  {
+    pkixocsp_VerifyEncodedResponse::SetUp();
+  }
+
+  static void SetUpTestCase()
+  {
+    pkixocsp_VerifyEncodedResponse::SetUpTestCase();
+  }
+
+  ByteString CreateEncodedOCSPSuccessfulResponse(
+                    OCSPResponseContext::CertStatus certStatus,
+                    const CertID& certID,
+       /*optional*/ const char* signerName,
+                    const TestKeyPair& signerKeyPair,
+                    time_t producedAt, time_t thisUpdate,
+       /*optional*/ const time_t* nextUpdate,
+                    const TestSignatureAlgorithm& signatureAlgorithm,
+       /*optional*/ const ByteString* certs = nullptr,
+       /*optional*/ OCSPResponseExtension* singleExtensions = nullptr,
+       /*optional*/ OCSPResponseExtension* responseExtensions = nullptr)
+  {
+    OCSPResponseContext context(certID, producedAt);
+    if (signerName) {
+      context.signerNameDER = CNToDERName(signerName);
+      EXPECT_FALSE(ENCODING_FAILED(context.signerNameDER));
+    }
+    context.signerKeyPair.reset(signerKeyPair.Clone());
+    EXPECT_TRUE(context.signerKeyPair.get());
+    context.responseStatus = OCSPResponseContext::successful;
+    context.producedAt = producedAt;
+    context.signatureAlgorithm = signatureAlgorithm;
+    context.certs = certs;
+    context.singleExtensions = singleExtensions;
+    context.responseExtensions = responseExtensions;
+
+    context.certStatus = static_cast<uint8_t>(certStatus);
+    context.thisUpdate = thisUpdate;
+    context.nextUpdate = nextUpdate ? *nextUpdate : 0;
+    context.includeNextUpdate = nextUpdate != nullptr;
+
+    return CreateEncodedOCSPResponse(context);
+  }
+};
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byKey)
+{
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID, byKey,
+                         *rootKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Success,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
+                                      Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byName)
+{
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID, rootName,
+                         *rootKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Success,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byKey_without_nextUpdate)
+{
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID, byKey,
+                         *rootKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, nullptr,
+                         sha256WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Success,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, revoked)
+{
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::revoked, *endEntityCertID, byKey,
+                         *rootKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, unknown)
+{
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::unknown, *endEntityCertID, byKey,
+                         *rootKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_UNKNOWN_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful,
+       good_unsupportedSignatureAlgorithm)
+{
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID, byKey,
+                         *rootKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         md5WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
+                                      Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+// Added for bug 1079436. The output variable validThrough represents the
+// latest time for which VerifyEncodedOCSPResponse will succeed, which is
+// different from the nextUpdate time in the OCSP response due to the slop we
+// add for time comparisons to deal with clock skew.
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, check_validThrough)
+{
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID, byKey,
+                         *rootKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption()));
+  Time validThrough(Time::uninitialized);
+  {
+    Input response;
+    ASSERT_EQ(Success,
+              response.Init(responseString.data(), responseString.length()));
+    bool expired;
+    ASSERT_EQ(Success,
+              VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
+                                        Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                        response, expired, nullptr,
+                                        &validThrough));
+    ASSERT_FALSE(expired);
+    // The response was created to be valid until one day after now, so the
+    // value we got for validThrough should be after that.
+    Time oneDayAfterNowAsPKIXTime(
+          TimeFromEpochInSeconds(static_cast<uint64_t>(oneDayAfterNow)));
+    ASSERT_TRUE(validThrough > oneDayAfterNowAsPKIXTime);
+  }
+  {
+    Input response;
+    ASSERT_EQ(Success,
+              response.Init(responseString.data(), responseString.length()));
+    bool expired;
+    // Given validThrough from a previous verification, this response should be
+    // valid through that time.
+    ASSERT_EQ(Success,
+              VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
+                                        validThrough, END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                        response, expired));
+    ASSERT_FALSE(expired);
+  }
+  {
+    Time noLongerValid(validThrough);
+    ASSERT_EQ(Success, noLongerValid.AddSeconds(1));
+    Input response;
+    ASSERT_EQ(Success,
+              response.Init(responseString.data(), responseString.length()));
+    bool expired;
+    // The verification time is now after when the response will be considered
+    // valid.
+    ASSERT_EQ(Result::ERROR_OCSP_OLD_RESPONSE,
+              VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
+                                        noLongerValid, END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                        response, expired));
+    ASSERT_TRUE(expired);
+  }
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, ct_extension)
+{
+  // python DottedOIDToCode.py --tlv
+  //   id_ocsp_singleExtensionSctList 1.3.6.1.4.1.11129.2.4.5
+  static const uint8_t tlv_id_ocsp_singleExtensionSctList[] = {
+    0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x05
+  };
+  static const uint8_t dummySctList[] = {
+    0x01, 0x02, 0x03, 0x04, 0x05
+  };
+
+  OCSPResponseExtension ctExtension;
+  ctExtension.id = BytesToByteString(tlv_id_ocsp_singleExtensionSctList);
+  // SignedCertificateTimestampList structure is encoded as an OCTET STRING
+  // within the extension value (see RFC 6962 section 3.3).
+  // pkix decodes it internally and returns the actual structure.
+  ctExtension.value = TLV(der::OCTET_STRING, BytesToByteString(dummySctList));
+
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID, byKey,
+                         *rootKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption(),
+                         /*certs*/ nullptr,
+                         &ctExtension));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+
+  bool expired;
+  ASSERT_EQ(Success,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
+                                      Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+  ASSERT_EQ(BytesToByteString(dummySctList),
+            trustDomain.signedCertificateTimestamps);
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// indirect responses (signed by a delegated OCSP responder cert)
+
+class pkixocsp_VerifyEncodedResponse_DelegatedResponder
+  : public pkixocsp_VerifyEncodedResponse_successful
+{
+protected:
+  // certSubjectName should be unique for each call. This way, we avoid any
+  // issues with NSS caching the certificates internally. For the same reason,
+  // we generate a new keypair on each call. Either one of these should be
+  // sufficient to avoid issues with the NSS cache, but we do both to be
+  // cautious.
+  //
+  // signerName should be byKey to use the byKey ResponderID construction, or
+  // another value (usually equal to certSubjectName) to use the byName
+  // ResponderID construction.
+  //
+  // certSignatureAlgorithm specifies the signature algorithm that the
+  // certificate will be signed with, not the OCSP response.
+  //
+  // If signerEKU is omitted, then the certificate will have the
+  // id-kp-OCSPSigning EKU. If signerEKU is SEC_OID_UNKNOWN then it will not
+  // have any EKU extension. Otherwise, the certificate will have the given
+  // EKU.
+  ByteString CreateEncodedIndirectOCSPSuccessfulResponse(
+               const char* certSubjectName,
+               OCSPResponseContext::CertStatus certStatus,
+               const char* signerName,
+               const TestSignatureAlgorithm& certSignatureAlgorithm,
+               /*optional*/ const Input* signerEKUDER = &OCSPSigningEKUDER,
+               /*optional, out*/ ByteString* signerDEROut = nullptr)
+  {
+    assert(certSubjectName);
+
+    const ByteString extensions[] = {
+      signerEKUDER
+        ? CreateEncodedEKUExtension(*signerEKUDER, Critical::No)
+        : ByteString(),
+      ByteString()
+    };
+    ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
+    ByteString signerDER(CreateEncodedCertificate(
+                           ++rootIssuedCount, certSignatureAlgorithm,
+                           rootName, oneDayBeforeNow, oneDayAfterNow,
+                           certSubjectName, *signerKeyPair,
+                           signerEKUDER ? extensions : nullptr,
+                           *rootKeyPair));
+    EXPECT_FALSE(ENCODING_FAILED(signerDER));
+    if (signerDEROut) {
+      *signerDEROut = signerDER;
+    }
+
+    ByteString signerNameDER;
+    if (signerName) {
+      signerNameDER = CNToDERName(signerName);
+      EXPECT_FALSE(ENCODING_FAILED(signerNameDER));
+    }
+    ByteString certs[] = { signerDER, ByteString() };
+    return CreateEncodedOCSPSuccessfulResponse(certStatus, *endEntityCertID,
+                                               signerName, *signerKeyPair,
+                                               oneDayBeforeNow,
+                                               oneDayBeforeNow,
+                                               &oneDayAfterNow,
+                                               sha256WithRSAEncryption(),
+                                               certs);
+  }
+
+  static ByteString CreateEncodedCertificate(uint32_t serialNumber,
+                                             const TestSignatureAlgorithm& signatureAlg,
+                                             const char* issuer,
+                                             time_t notBefore,
+                                             time_t notAfter,
+                                             const char* subject,
+                                             const TestKeyPair& subjectKeyPair,
+                                /*optional*/ const ByteString* extensions,
+                                             const TestKeyPair& signerKeyPair)
+  {
+    ByteString serialNumberDER(CreateEncodedSerialNumber(
+                                 static_cast<long>(serialNumber)));
+    if (ENCODING_FAILED(serialNumberDER)) {
+      return ByteString();
+    }
+    ByteString issuerDER(CNToDERName(issuer));
+    if (ENCODING_FAILED(issuerDER)) {
+      return ByteString();
+    }
+    ByteString subjectDER(CNToDERName(subject));
+    if (ENCODING_FAILED(subjectDER)) {
+      return ByteString();
+    }
+    return ::mozilla::pkix::test::CreateEncodedCertificate(
+                                    v3, signatureAlg, serialNumberDER,
+                                    issuerDER, notBefore, notAfter,
+                                    subjectDER, subjectKeyPair, extensions,
+                                    signerKeyPair, signatureAlg);
+  }
+
+  static const Input OCSPSigningEKUDER;
+};
+
+/*static*/ const Input pkixocsp_VerifyEncodedResponse_DelegatedResponder::
+  OCSPSigningEKUDER(tlv_id_kp_OCSPSigning);
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_byKey)
+{
+  ByteString responseString(
+               CreateEncodedIndirectOCSPSuccessfulResponse(
+                         "good_indirect_byKey", OCSPResponseContext::good,
+                         byKey, sha256WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Success,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_byName)
+{
+  ByteString responseString(
+               CreateEncodedIndirectOCSPSuccessfulResponse(
+                         "good_indirect_byName", OCSPResponseContext::good,
+                         "good_indirect_byName", sha256WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Success,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
+       good_byKey_missing_signer)
+{
+  ScopedTestKeyPair missingSignerKeyPair(GenerateKeyPair());
+  ASSERT_TRUE(missingSignerKeyPair.get());
+
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID, byKey,
+                         *missingSignerKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, nullptr,
+                         sha256WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
+       good_byName_missing_signer)
+{
+  ScopedTestKeyPair missingSignerKeyPair(GenerateKeyPair());
+  ASSERT_TRUE(missingSignerKeyPair.get());
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID,
+                         "missing", *missingSignerKeyPair,
+                         oneDayBeforeNow, oneDayBeforeNow, nullptr,
+                         sha256WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_expired)
+{
+  static const char* signerName = "good_indirect_expired";
+
+  const ByteString extensions[] = {
+    CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
+    ByteString()
+  };
+
+  ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
+  ByteString signerDER(CreateEncodedCertificate(
+                          ++rootIssuedCount, sha256WithRSAEncryption(),
+                          rootName,
+                          tenDaysBeforeNow,
+                          twoDaysBeforeNow,
+                          signerName, *signerKeyPair, extensions,
+                          *rootKeyPair));
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
+
+  ByteString certs[] = { signerDER, ByteString() };
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID,
+                         signerName, *signerKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption(), certs));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_future)
+{
+  static const char* signerName = "good_indirect_future";
+
+  const ByteString extensions[] = {
+    CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
+    ByteString()
+  };
+
+  ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
+  ByteString signerDER(CreateEncodedCertificate(
+                         ++rootIssuedCount, sha256WithRSAEncryption(),
+                         rootName,
+                         twoDaysAfterNow,
+                         tenDaysAfterNow,
+                         signerName, *signerKeyPair, extensions,
+                         *rootKeyPair));
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
+
+  ByteString certs[] = { signerDER, ByteString() };
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID,
+                         signerName, *signerKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption(), certs));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_no_eku)
+{
+  ByteString responseString(
+               CreateEncodedIndirectOCSPSuccessfulResponse(
+                         "good_indirect_wrong_eku",
+                         OCSPResponseContext::good, byKey,
+                         sha256WithRSAEncryption(), nullptr));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+static const Input serverAuthEKUDER(tlv_id_kp_serverAuth);
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
+       good_indirect_wrong_eku)
+{
+  ByteString responseString(
+               CreateEncodedIndirectOCSPSuccessfulResponse(
+                        "good_indirect_wrong_eku",
+                        OCSPResponseContext::good, byKey,
+                        sha256WithRSAEncryption(), &serverAuthEKUDER));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+// Test that signature of OCSP response signer cert is verified
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_tampered_eku)
+{
+  ByteString tamperedResponse(
+               CreateEncodedIndirectOCSPSuccessfulResponse(
+                         "good_indirect_tampered_eku",
+                         OCSPResponseContext::good, byKey,
+                         sha256WithRSAEncryption(), &serverAuthEKUDER));
+  ASSERT_EQ(Success,
+            TamperOnce(tamperedResponse,
+                       ByteString(tlv_id_kp_serverAuth,
+                                  sizeof(tlv_id_kp_serverAuth)),
+                       ByteString(tlv_id_kp_OCSPSigning,
+                                  sizeof(tlv_id_kp_OCSPSigning))));
+  Input tamperedResponseInput;
+  ASSERT_EQ(Success, tamperedResponseInput.Init(tamperedResponse.data(),
+                                                tamperedResponse.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      tamperedResponseInput, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_unknown_issuer)
+{
+  static const char* subCAName = "good_indirect_unknown_issuer sub-CA";
+  static const char* signerName = "good_indirect_unknown_issuer OCSP signer";
+
+  // unknown issuer
+  ScopedTestKeyPair unknownKeyPair(GenerateKeyPair());
+  ASSERT_TRUE(unknownKeyPair.get());
+
+  // Delegated responder cert signed by unknown issuer
+  const ByteString extensions[] = {
+    CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
+    ByteString()
+  };
+  ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
+  ByteString signerDER(CreateEncodedCertificate(
+                         1, sha256WithRSAEncryption(), subCAName,
+                         oneDayBeforeNow, oneDayAfterNow, signerName,
+                         *signerKeyPair, extensions, *unknownKeyPair));
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
+
+  // OCSP response signed by that delegated responder
+  ByteString certs[] = { signerDER, ByteString() };
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID,
+                         signerName, *signerKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption(), certs));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+// The CA that issued the OCSP responder cert is a sub-CA of the issuer of
+// the certificate that the OCSP response is for. That sub-CA cert is included
+// in the OCSP response before the OCSP responder cert.
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
+       good_indirect_subca_1_first)
+{
+  static const char* subCAName = "good_indirect_subca_1_first sub-CA";
+  static const char* signerName = "good_indirect_subca_1_first OCSP signer";
+  static const long zero = 0;
+
+  // sub-CA of root (root is the direct issuer of endEntity)
+  const ByteString subCAExtensions[] = {
+    CreateEncodedBasicConstraints(true, &zero, Critical::No),
+    ByteString()
+  };
+  ScopedTestKeyPair subCAKeyPair(GenerateKeyPair());
+  ByteString subCADER(CreateEncodedCertificate(
+                        ++rootIssuedCount, sha256WithRSAEncryption(), rootName,
+                        oneDayBeforeNow, oneDayAfterNow, subCAName,
+                        *subCAKeyPair, subCAExtensions, *rootKeyPair));
+  ASSERT_FALSE(ENCODING_FAILED(subCADER));
+
+  // Delegated responder cert signed by that sub-CA
+  const ByteString extensions[] = {
+    CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
+    ByteString(),
+  };
+  ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
+  ByteString signerDER(CreateEncodedCertificate(
+                         1, sha256WithRSAEncryption(), subCAName,
+                         oneDayBeforeNow, oneDayAfterNow, signerName,
+                         *signerKeyPair, extensions, *subCAKeyPair));
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
+
+  // OCSP response signed by the delegated responder issued by the sub-CA
+  // that is trying to impersonate the root.
+  ByteString certs[] = { subCADER, signerDER, ByteString() };
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID,
+                         signerName, *signerKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption(), certs));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+// The CA that issued the OCSP responder cert is a sub-CA of the issuer of
+// the certificate that the OCSP response is for. That sub-CA cert is included
+// in the OCSP response after the OCSP responder cert.
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
+       good_indirect_subca_1_second)
+{
+  static const char* subCAName = "good_indirect_subca_1_second sub-CA";
+  static const char* signerName = "good_indirect_subca_1_second OCSP signer";
+  static const long zero = 0;
+
+  // sub-CA of root (root is the direct issuer of endEntity)
+  const ByteString subCAExtensions[] = {
+    CreateEncodedBasicConstraints(true, &zero, Critical::No),
+    ByteString()
+  };
+  ScopedTestKeyPair subCAKeyPair(GenerateKeyPair());
+  ByteString subCADER(CreateEncodedCertificate(++rootIssuedCount,
+                                               sha256WithRSAEncryption(),
+                                               rootName,
+                                               oneDayBeforeNow, oneDayAfterNow,
+                                               subCAName, *subCAKeyPair,
+                                               subCAExtensions, *rootKeyPair));
+  ASSERT_FALSE(ENCODING_FAILED(subCADER));
+
+  // Delegated responder cert signed by that sub-CA
+  const ByteString extensions[] = {
+    CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
+    ByteString()
+  };
+  ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
+  ByteString signerDER(CreateEncodedCertificate(
+                         1, sha256WithRSAEncryption(), subCAName,
+                         oneDayBeforeNow, oneDayAfterNow, signerName,
+                         *signerKeyPair, extensions, *subCAKeyPair));
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
+
+  // OCSP response signed by the delegated responder issued by the sub-CA
+  // that is trying to impersonate the root.
+  ByteString certs[] = { signerDER, subCADER, ByteString() };
+  ByteString responseString(
+                 CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID,
+                         signerName, *signerKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption(), certs));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
+       good_unsupportedSignatureAlgorithmOnResponder)
+{
+  // Note that the algorithm ID (md5WithRSAEncryption) identifies the signature
+  // algorithm that will be used to sign the certificate that issues the OCSP
+  // responses, not the responses themselves.
+  ByteString responseString(
+               CreateEncodedIndirectOCSPSuccessfulResponse(
+                         "good_indirect_unsupportedSignatureAlgorithm",
+                         OCSPResponseContext::good, byKey,
+                         md5WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+}
+
+class pkixocsp_VerifyEncodedResponse_GetCertTrust
+  : public pkixocsp_VerifyEncodedResponse_DelegatedResponder {
+public:
+  void SetUp()
+  {
+    pkixocsp_VerifyEncodedResponse_DelegatedResponder::SetUp();
+
+    responseString =
+        CreateEncodedIndirectOCSPSuccessfulResponse(
+          "OCSPGetCertTrustTest Signer", OCSPResponseContext::good,
+          byKey, sha256WithRSAEncryption(), &OCSPSigningEKUDER,
+          &signerCertDER);
+    if (ENCODING_FAILED(responseString)) {
+      abort();
+    }
+    if (response.Init(responseString.data(), responseString.length())
+          != Success) {
+      abort();
+    }
+    if (signerCertDER.length() == 0) {
+      abort();
+    }
+  }
+
+  class TrustDomain final : public OCSPTestTrustDomain
+  {
+  public:
+    TrustDomain()
+      : certTrustLevel(TrustLevel::InheritsTrust)
+    {
+    }
+
+    bool SetCertTrust(const ByteString& aCertDER, TrustLevel aCertTrustLevel)
+    {
+      this->certDER = aCertDER;
+      this->certTrustLevel = aCertTrustLevel;
+      return true;
+    }
+  private:
+    Result GetCertTrust(EndEntityOrCA endEntityOrCA, const CertPolicyId&,
+                        Input candidateCert, /*out*/ TrustLevel& trustLevel)
+                        override
+    {
+      EXPECT_EQ(endEntityOrCA, EndEntityOrCA::MustBeEndEntity);
+      EXPECT_FALSE(certDER.empty());
+      Input certDERInput;
+      EXPECT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+      EXPECT_TRUE(InputsAreEqual(certDERInput, candidateCert));
+      trustLevel = certTrustLevel;
+      return Success;
+    }
+
+    ByteString certDER;
+    TrustLevel certTrustLevel;
+  };
+
+// trustDomain deliberately shadows the inherited field so that it isn't used
+// by accident. See bug 1339921.
+// Unfortunately GCC can't parse __has_warning("-Wshadow-field") even if it's
+// the latter part of a conjunction that would evaluate to false, so we have to
+// wrap it in a separate preprocessor conditional rather than using &&.
+#if defined(__clang__)
+  #if __has_warning("-Wshadow-field")
+    #pragma clang diagnostic push
+    #pragma clang diagnostic ignored "-Wshadow-field"
+  #endif
+#endif
+  TrustDomain trustDomain;
+#if defined(__clang__)
+  #if __has_warning("-Wshadow-field")
+    #pragma clang diagnostic pop
+  #endif
+#endif
+  ByteString signerCertDER;
+  ByteString responseString;
+  Input response; // references data in responseString
+};
+
+TEST_F(pkixocsp_VerifyEncodedResponse_GetCertTrust, InheritTrust)
+{
+  ASSERT_TRUE(trustDomain.SetCertTrust(signerCertDER,
+                                       TrustLevel::InheritsTrust));
+  bool expired;
+  ASSERT_EQ(Success,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_GetCertTrust, TrustAnchor)
+{
+  ASSERT_TRUE(trustDomain.SetCertTrust(signerCertDER,
+                                       TrustLevel::TrustAnchor));
+  bool expired;
+  ASSERT_EQ(Success,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_GetCertTrust, ActivelyDistrusted)
+{
+  ASSERT_TRUE(trustDomain.SetCertTrust(signerCertDER,
+                                       TrustLevel::ActivelyDistrusted));
+  Input responseInput;
+  ASSERT_EQ(Success,
+            responseInput.Init(responseString.data(),
+                               responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      responseInput, expired));
+  ASSERT_FALSE(expired);
+}
diff --git a/security/nss/gtests/nss_bogo_shim/config.json b/security/nss/gtests/nss_bogo_shim/config.json
index 6dc155bef..5c7a2e348 100644
--- a/security/nss/gtests/nss_bogo_shim/config.json
+++ b/security/nss/gtests/nss_bogo_shim/config.json
@@ -1,6 +1,9 @@
 {
     "DisabledTests": {
         "### These tests break whenever we rev versions, so just leave them here for easy uncommenting":"",
+        "*TLS13Draft*":"NSS supports RFC 8446 only.",
+        "IgnoreClientVersionOrder":"Uses draft23",
+        "DuplicateCertCompressionExt*":"BoGo expects that an alert is sent if more than one compression algorithm is sent.",
         "ServerBogusVersion":"Check that SH.legacy_version=TLS12 when the server picks TLS 1.3 (Bug 1443761)",
         "DummyPQPadding-Server*":"Boring is testing a dummy PQ padding extension",
         "VerifyPreferences-Enforced":"NSS sends alerts in response to errors in protected handshake messages in the clear",
@@ -12,17 +15,10 @@
         "ServerCipherFilter*":"Add Ed25519 support (Bug 1325335)",
         "GarbageCertificate*":"Send bad_certificate alert when certificate parsing fails (Bug 1441565)",
         "SupportedVersionSelection-TLS12":"Should maybe reject TLS 1.2 in SH.supported_versions (Bug 1438266)",
-        "*TLS13*":"(NSS=19, BoGo=18)",
-        "*HelloRetryRequest*":"(NSS=19, BoGo=18)",
-        "*KeyShare*":"(NSS=19, BoGo=18)",
-        "*EncryptedExtensions*":"(NSS=19, BoGo=18)",
-        "*SecondClientHello*":"(NSS=19, BoGo=18)",
-        "*IgnoreClientVersionOrder*":"(NSS=19, BoGo=18)",
-        "SkipEarlyData*":"(NSS=19, BoGo=18)",
-        "*Binder*":"(NSS=19, BoGo=18)",
         "Resume-Server-BinderWrongLength":"Alert disagreement (Bug 1317633)",
         "Resume-Server-NoPSKBinder":"Alert disagreement (Bug 1317633)",
         "CheckRecordVersion-TLS*":"Bug 1317634",
+        "GarbageInitialRecordVersion-TLS*":"NSS doesn't strictly check the ClientHello record version",
         "GREASE-Server-TLS13":"BoringSSL GREASEs without a flag, but we ignore it",
         "TLS13-ExpectNoSessionTicketOnBadKEMode-Server":"Bug in NSS. Don't send ticket when not permitted by KE modes (Bug 1317635)",
         "*KeyUpdate*":"KeyUpdate Unimplemented",
@@ -48,14 +44,14 @@
         "StrayHelloRequest*":"NSS doesn't disable renegotiation by default",
         "NoSupportedCurves-TLS13":"wanted SSL_ERROR_NO_CYPHER_OVERLAP, got missing extension error",
         "FragmentedClientVersion":"received a malformed Client Hello handshake message",
-        "UnofferedExtension-Client-TLS13":"nss updated/broken",
-        "UnknownExtension-Client-TLS13":"nss updated/broken",
-        "WrongMessageType-TLS13-EncryptedExtensions":"nss updated/broken",
-        "WrongMessageType-TLS13-CertificateRequest":"nss updated/broken",
-        "WrongMessageType-TLS13-ServerCertificateVerify":"nss updated/broken",
-        "WrongMessageType-TLS13-ServerCertificate":"nss updated/broken",
-        "WrongMessageType-TLS13-ServerFinished":"nss updated/broken",
-        "EmptyEncryptedExtensions":"nss updated/broken",
+        "WrongMessageType-TLS13-EncryptedExtensions":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "TrailingMessageData-TLS13-EncryptedExtensions":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "UnofferedExtension-Client-TLS13":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "UnknownExtension-Client-TLS13":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "WrongMessageType-TLS13-CertificateRequest":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "WrongMessageType-TLS13-ServerCertificateVerify":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "WrongMessageType-TLS13-ServerCertificate":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "WrongMessageType-TLS13-ServerFinished":"Boring expects CCS (Bugs 1481209, 1304603)",
         "TrailingMessageData-*": "Bug 1304575",
         "DuplicateKeyShares":"Bug 1304578",
         "Resume-Server-TLS13-TLS13":"Bug 1314351",
@@ -68,7 +64,8 @@
         "RequireAnyClientCertificate-TLS1*":"Bug 1339387",
         "SendExtensionOnClientCertificate-TLS13":"Bug 1339392",
         "ALPNClient-Mismatch-TLS13":"NSS sends alerts in response to errors in protected handshake messages in the clear",
-        "P224-Server":"NSS doesn't support P-224"
+        "P224-Server":"NSS doesn't support P-224",
+        "ClientAuth-SHA1-Fallback*":"Boring wants us to fall back to SHA-1 if supported_signature_algorithms in CR is empty."
     },
     "ErrorMap" : {
         ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:":"SSL_ERROR_NO_CYPHER_OVERLAP",
diff --git a/security/nss/gtests/nss_bogo_shim/manifest.mn b/security/nss/gtests/nss_bogo_shim/manifest.mn
index 2d60ddea3..f8a6b07af 100644
--- a/security/nss/gtests/nss_bogo_shim/manifest.mn
+++ b/security/nss/gtests/nss_bogo_shim/manifest.mn
@@ -12,9 +12,11 @@ CPPSRCS = \
       nss_bogo_shim.cc \
       $(NULL)
 
-REQUIRES = nspr nss libdbm
+INCLUDES += -I$(CORE_DEPTH)/cpputil
+
+REQUIRES = nspr nss libdbm cpputil
 
 PROGRAM = nss_bogo_shim
-#EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX)
+EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX)
 
 USE_STATIC_LIBS = 1
diff --git a/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc b/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc
index 72dbd5771..b2ce6898d 100644
--- a/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc
+++ b/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc
@@ -18,6 +18,7 @@
 #include "ssl3prot.h"
 #include "sslerr.h"
 #include "sslproto.h"
+#include "nss_scoped_ptrs.h"
 
 #include "nsskeys.h"
 
@@ -33,30 +34,9 @@ std::string FormatError(PRErrorCode code) {
 
 class TestAgent {
  public:
-  TestAgent(const Config& cfg)
-      : cfg_(cfg),
-        pr_fd_(nullptr),
-        ssl_fd_(nullptr),
-        cert_(nullptr),
-        key_(nullptr) {}
+  TestAgent(const Config& cfg) : cfg_(cfg) {}
 
-  ~TestAgent() {
-    if (pr_fd_) {
-      PR_Close(pr_fd_);
-    }
-
-    if (ssl_fd_) {
-      PR_Close(ssl_fd_);
-    }
-
-    if (key_) {
-      SECKEY_DestroyPrivateKey(key_);
-    }
-
-    if (cert_) {
-      CERT_DestroyCertificate(cert_);
-    }
-  }
+  ~TestAgent() {}
 
   static std::unique_ptr<TestAgent> Create(const Config& cfg) {
     std::unique_ptr<TestAgent> agent(new TestAgent(cfg));
@@ -81,39 +61,46 @@ class TestAgent {
       return false;
     }
 
-    SECStatus rv = SSL_ResetHandshake(ssl_fd_, cfg_.get<bool>("server"));
+    SECStatus rv = SSL_ResetHandshake(ssl_fd_.get(), cfg_.get<bool>("server"));
     if (rv != SECSuccess) return false;
 
     return true;
   }
 
   bool ConnectTcp() {
+    // Try IPv6 first, then IPv4 in case of failure.
+    if (!OpenConnection("::1") && !OpenConnection("127.0.0.1")) {
+      return false;
+    }
+
+    ssl_fd_ = ScopedPRFileDesc(SSL_ImportFD(NULL, pr_fd_.get()));
+    if (!ssl_fd_) {
+      return false;
+    }
+    pr_fd_.release();
+
+    return true;
+  }
+
+  bool OpenConnection(const char* ip) {
     PRStatus prv;
     PRNetAddr addr;
 
-    // Try IPv6 first.
-    prv = PR_StringToNetAddr("::1", &addr);
+    prv = PR_StringToNetAddr(ip, &addr);
+
     if (prv != PR_SUCCESS) {
-      // If that fails, try IPv4.
-      prv = PR_StringToNetAddr("127.0.0.1", &addr);
-      if (prv != PR_SUCCESS) {
-        return false;
-      }
+      return false;
     }
+
     addr.inet.port = PR_htons(cfg_.get<int>("port"));
 
-    pr_fd_ = PR_OpenTCPSocket(addr.raw.family);
+    pr_fd_ = ScopedPRFileDesc(PR_OpenTCPSocket(addr.raw.family));
     if (!pr_fd_) return false;
 
-    prv = PR_Connect(pr_fd_, &addr, PR_INTERVAL_NO_TIMEOUT);
+    prv = PR_Connect(pr_fd_.get(), &addr, PR_INTERVAL_NO_TIMEOUT);
     if (prv != PR_SUCCESS) {
       return false;
     }
-
-    ssl_fd_ = SSL_ImportFD(NULL, pr_fd_);
-    if (!ssl_fd_) return false;
-    pr_fd_ = nullptr;
-
     return true;
   }
 
@@ -121,21 +108,24 @@ class TestAgent {
     SECStatus rv;
 
     if (cfg_.get<std::string>("key-file") != "") {
-      key_ = ReadPrivateKey(cfg_.get<std::string>("key-file"));
+      key_ = ScopedSECKEYPrivateKey(
+          ReadPrivateKey(cfg_.get<std::string>("key-file")));
       if (!key_) return false;
     }
     if (cfg_.get<std::string>("cert-file") != "") {
-      cert_ = ReadCertificate(cfg_.get<std::string>("cert-file"));
+      cert_ = ScopedCERTCertificate(
+          ReadCertificate(cfg_.get<std::string>("cert-file")));
       if (!cert_) return false;
     }
 
     // Needed because certs are not entirely valid.
-    rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook, this);
+    rv = SSL_AuthCertificateHook(ssl_fd_.get(), AuthCertificateHook, this);
     if (rv != SECSuccess) return false;
 
     if (cfg_.get<bool>("server")) {
       // Server
-      rv = SSL_ConfigServerCert(ssl_fd_, cert_, key_, nullptr, 0);
+      rv = SSL_ConfigServerCert(ssl_fd_.get(), cert_.get(), key_.get(), nullptr,
+                                0);
       if (rv != SECSuccess) {
         std::cerr << "Couldn't configure server cert\n";
         return false;
@@ -143,7 +133,8 @@ class TestAgent {
 
     } else if (key_ && cert_) {
       // Client.
-      rv = SSL_GetClientAuthDataHook(ssl_fd_, GetClientAuthDataHook, this);
+      rv =
+          SSL_GetClientAuthDataHook(ssl_fd_.get(), GetClientAuthDataHook, this);
       if (rv != SECSuccess) return false;
     }
 
@@ -263,36 +254,36 @@ class TestAgent {
 
   bool SetupOptions() {
     SECStatus rv =
-        SSL_OptionSet(ssl_fd_, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE);
+        SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE);
     if (rv != SECSuccess) return false;
 
-    rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
+    rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
     if (rv != SECSuccess) return false;
 
     SSLVersionRange vrange;
     if (!GetVersionRange(&vrange, ssl_variant_stream)) return false;
 
-    rv = SSL_VersionRangeSet(ssl_fd_, &vrange);
+    rv = SSL_VersionRangeSet(ssl_fd_.get(), &vrange);
     if (rv != SECSuccess) return false;
 
     SSLVersionRange verify_vrange;
-    rv = SSL_VersionRangeGet(ssl_fd_, &verify_vrange);
+    rv = SSL_VersionRangeGet(ssl_fd_.get(), &verify_vrange);
     if (rv != SECSuccess) return false;
     if (vrange.min != verify_vrange.min || vrange.max != verify_vrange.max)
       return false;
 
-    rv = SSL_OptionSet(ssl_fd_, SSL_NO_CACHE, false);
+    rv = SSL_OptionSet(ssl_fd_.get(), SSL_NO_CACHE, false);
     if (rv != SECSuccess) return false;
 
     auto alpn = cfg_.get<std::string>("advertise-alpn");
     if (!alpn.empty()) {
       assert(!cfg_.get<bool>("server"));
 
-      rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_ALPN, PR_TRUE);
+      rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_ALPN, PR_TRUE);
       if (rv != SECSuccess) return false;
 
       rv = SSL_SetNextProtoNego(
-          ssl_fd_, reinterpret_cast<const unsigned char*>(alpn.c_str()),
+          ssl_fd_.get(), reinterpret_cast<const unsigned char*>(alpn.c_str()),
           alpn.size());
       if (rv != SECSuccess) return false;
     }
@@ -312,23 +303,23 @@ class TestAgent {
           [](int scheme) { return static_cast<SSLSignatureScheme>(scheme); });
 
       rv = SSL_SignatureSchemePrefSet(
-          ssl_fd_, sig_schemes.data(),
+          ssl_fd_.get(), sig_schemes.data(),
           static_cast<unsigned int>(sig_schemes.size()));
       if (rv != SECSuccess) return false;
     }
 
     if (cfg_.get<bool>("fallback-scsv")) {
-      rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
+      rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
       if (rv != SECSuccess) return false;
     }
 
     if (cfg_.get<bool>("false-start")) {
-      rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_FALSE_START, PR_TRUE);
+      rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_FALSE_START, PR_TRUE);
       if (rv != SECSuccess) return false;
     }
 
     if (cfg_.get<bool>("enable-ocsp-stapling")) {
-      rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
+      rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
       if (rv != SECSuccess) return false;
     }
 
@@ -336,29 +327,63 @@ class TestAgent {
     if (requireClientCert || cfg_.get<bool>("verify-peer")) {
       assert(cfg_.get<bool>("server"));
 
-      rv = SSL_OptionSet(ssl_fd_, SSL_REQUEST_CERTIFICATE, PR_TRUE);
+      rv = SSL_OptionSet(ssl_fd_.get(), SSL_REQUEST_CERTIFICATE, PR_TRUE);
       if (rv != SECSuccess) return false;
 
       rv = SSL_OptionSet(
-          ssl_fd_, SSL_REQUIRE_CERTIFICATE,
+          ssl_fd_.get(), SSL_REQUIRE_CERTIFICATE,
           requireClientCert ? SSL_REQUIRE_ALWAYS : SSL_REQUIRE_NO_ERROR);
       if (rv != SECSuccess) return false;
     }
 
     if (!cfg_.get<bool>("server")) {
       // Needed to make resumption work.
-      rv = SSL_SetURL(ssl_fd_, "server");
+      rv = SSL_SetURL(ssl_fd_.get(), "server");
       if (rv != SECSuccess) return false;
     }
 
-    rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_EXTENDED_MASTER_SECRET, PR_TRUE);
+    rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_EXTENDED_MASTER_SECRET,
+                       PR_TRUE);
     if (rv != SECSuccess) return false;
 
-    if (!EnableNonExportCiphers()) return false;
+    if (!ConfigureCiphers()) return false;
 
     return true;
   }
 
+  bool ConfigureCiphers() {
+    auto cipherList = cfg_.get<std::string>("nss-cipher");
+
+    if (cipherList.empty()) {
+      return EnableNonExportCiphers();
+    }
+
+    for (size_t i = 0; i < SSL_NumImplementedCiphers; ++i) {
+      SSLCipherSuiteInfo csinfo;
+      std::string::size_type n;
+      SECStatus rv = SSL_GetCipherSuiteInfo(SSL_ImplementedCiphers[i], &csinfo,
+                                            sizeof(csinfo));
+      if (rv != SECSuccess) {
+        return false;
+      }
+
+      // Check if cipherList contains the name of the Cipher Suite and
+      // enable/disable accordingly.
+      n = cipherList.find(csinfo.cipherSuiteName, 0);
+      if (std::string::npos == n) {
+        rv = SSL_CipherPrefSet(ssl_fd_.get(), SSL_ImplementedCiphers[i],
+                               PR_FALSE);
+      } else {
+        rv = SSL_CipherPrefSet(ssl_fd_.get(), SSL_ImplementedCiphers[i],
+                               PR_TRUE);
+      }
+      if (rv != SECSuccess) {
+        return false;
+      }
+    }
+    return true;
+  }
+
   bool EnableNonExportCiphers() {
     for (size_t i = 0; i < SSL_NumImplementedCiphers; ++i) {
       SSLCipherSuiteInfo csinfo;
@@ -369,7 +394,7 @@ class TestAgent {
         return false;
       }
 
-      rv = SSL_CipherPrefSet(ssl_fd_, SSL_ImplementedCiphers[i], PR_TRUE);
+      rv = SSL_CipherPrefSet(ssl_fd_.get(), SSL_ImplementedCiphers[i], PR_TRUE);
       if (rv != SECSuccess) {
         return false;
       }
@@ -388,19 +413,19 @@ class TestAgent {
                                          CERTCertificate** cert,
                                          SECKEYPrivateKey** privKey) {
     TestAgent* a = static_cast<TestAgent*>(self);
-    *cert = CERT_DupCertificate(a->cert_);
-    *privKey = SECKEY_CopyPrivateKey(a->key_);
+    *cert = CERT_DupCertificate(a->cert_.get());
+    *privKey = SECKEY_CopyPrivateKey(a->key_.get());
     return SECSuccess;
   }
 
-  SECStatus Handshake() { return SSL_ForceHandshake(ssl_fd_); }
+  SECStatus Handshake() { return SSL_ForceHandshake(ssl_fd_.get()); }
 
   // Implement a trivial echo client/server. Read bytes from the other side,
   // flip all the bits, and send them back.
   SECStatus ReadWrite() {
     for (;;) {
       uint8_t block[512];
-      int32_t rv = PR_Read(ssl_fd_, block, sizeof(block));
+      int32_t rv = PR_Read(ssl_fd_.get(), block, sizeof(block));
       if (rv < 0) {
         std::cerr << "Failure reading\n";
         return SECFailure;
@@ -412,7 +437,7 @@ class TestAgent {
         block[i] ^= 0xff;
       }
 
-      rv = PR_Write(ssl_fd_, block, len);
+      rv = PR_Write(ssl_fd_.get(), block, len);
       if (rv != len) {
         std::cerr << "Write failure\n";
         PORT_SetError(SEC_ERROR_OUTPUT_LEN);
@@ -431,7 +456,7 @@ class TestAgent {
     // reader and writer.
     uint8_t block[600];
     memset(block, ch, sizeof(block));
-    int32_t rv = PR_Write(ssl_fd_, block, sizeof(block));
+    int32_t rv = PR_Write(ssl_fd_.get(), block, sizeof(block));
     if (rv != sizeof(block)) {
       std::cerr << "Write failure\n";
       PORT_SetError(SEC_ERROR_OUTPUT_LEN);
@@ -440,7 +465,7 @@ class TestAgent {
 
     size_t left = sizeof(block);
     while (left) {
-      rv = PR_Read(ssl_fd_, block, left);
+      rv = PR_Read(ssl_fd_.get(), block, left);
       if (rv < 0) {
         std::cerr << "Failure reading\n";
         return SECFailure;
@@ -494,7 +519,7 @@ class TestAgent {
       SSLNextProtoState state;
       char chosen[256];
       unsigned int chosen_len;
-      rv = SSL_GetNextProto(ssl_fd_, &state,
+      rv = SSL_GetNextProto(ssl_fd_.get(), &state,
                             reinterpret_cast<unsigned char*>(chosen),
                             &chosen_len, sizeof(chosen));
       if (rv != SECSuccess) {
@@ -514,7 +539,7 @@ class TestAgent {
     auto sig_alg = cfg_.get<int>("expect-peer-signature-algorithm");
     if (sig_alg) {
       SSLChannelInfo info;
-      rv = SSL_GetChannelInfo(ssl_fd_, &info, sizeof(info));
+      rv = SSL_GetChannelInfo(ssl_fd_.get(), &info, sizeof(info));
       if (rv != SECSuccess) {
         PRErrorCode err = PR_GetError();
         std::cerr << "SSL_GetChannelInfo failed with error=" << FormatError(err)
@@ -534,10 +559,10 @@ class TestAgent {
 
  private:
   const Config& cfg_;
-  PRFileDesc* pr_fd_;
-  PRFileDesc* ssl_fd_;
-  CERTCertificate* cert_;
-  SECKEYPrivateKey* key_;
+  ScopedPRFileDesc pr_fd_;
+  ScopedPRFileDesc ssl_fd_;
+  ScopedCERTCertificate cert_;
+  ScopedSECKEYPrivateKey key_;
 };
 
 std::unique_ptr<const Config> ReadConfig(int argc, char** argv) {
@@ -559,11 +584,14 @@ std::unique_ptr<const Config> ReadConfig(int argc, char** argv) {
   cfg->AddEntry<bool>("write-then-read", false);
   cfg->AddEntry<bool>("require-any-client-certificate", false);
   cfg->AddEntry<bool>("verify-peer", false);
+  cfg->AddEntry<bool>("is-handshaker-supported", false);
+  cfg->AddEntry<std::string>("handshaker-path", "");  // Ignore this
   cfg->AddEntry<std::string>("advertise-alpn", "");
   cfg->AddEntry<std::string>("expect-alpn", "");
   cfg->AddEntry<std::vector<int>>("signing-prefs", std::vector<int>());
   cfg->AddEntry<std::vector<int>>("verify-prefs", std::vector<int>());
   cfg->AddEntry<int>("expect-peer-signature-algorithm", 0);
+  cfg->AddEntry<std::string>("nss-cipher", "");
 
   auto rv = cfg->ParseArgs(argc, argv);
   switch (rv) {
@@ -602,6 +630,11 @@ int main(int argc, char** argv) {
     return GetExitCode(false);
   }
 
+  if (cfg->get<bool>("is-handshaker-supported")) {
+    std::cout << "No\n";
+    return 0;
+  }
+
   if (cfg->get<bool>("server")) {
     if (SSL_ConfigServerSessionIDCache(1024, 0, 0, ".") != SECSuccess) {
       std::cerr << "Couldn't configure session cache\n";
diff --git a/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.gyp b/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.gyp
index b8f71f95f..d08a6bde3 100644
--- a/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.gyp
+++ b/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.gyp
@@ -37,6 +37,7 @@
         '<(DEPTH)/lib/freebl/freebl.gyp:freebl',
         '<(DEPTH)/lib/zlib/zlib.gyp:nss_zlib',
         '<(DEPTH)/lib/libpkix/libpkix.gyp:libpkix',
+        '<(DEPTH)/cpputil/cpputil.gyp:cpputil',
       ],
       'conditions': [
         [ 'disable_dbm==0', {
diff --git a/security/nss/gtests/pk11_gtest/manifest.mn b/security/nss/gtests/pk11_gtest/manifest.mn
index a3dff9d10..ea7b43a2b 100644
--- a/security/nss/gtests/pk11_gtest/manifest.mn
+++ b/security/nss/gtests/pk11_gtest/manifest.mn
@@ -16,6 +16,7 @@ CPPSRCS = \
       pk11_pbkdf2_unittest.cc \
       pk11_prf_unittest.cc \
       pk11_prng_unittest.cc \
+      pk11_rsapkcs1_unittest.cc \
       pk11_rsapss_unittest.cc \
       pk11_der_private_key_import_unittest.cc \
       $(NULL)
diff --git a/security/nss/gtests/pk11_gtest/pk11_aes_gcm_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_aes_gcm_unittest.cc
index a4e8bedba..4072cf2b7 100644
--- a/security/nss/gtests/pk11_gtest/pk11_aes_gcm_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_aes_gcm_unittest.cc
@@ -10,7 +10,7 @@
 #include "secerr.h"
 #include "sechash.h"
 
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include "gcm-vectors.h"
 #include "gtest/gtest.h"
diff --git a/security/nss/gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc
index a0226e6df..4d4250a5e 100644
--- a/security/nss/gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc
@@ -9,7 +9,7 @@
 #include "pk11pub.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
@@ -129,4 +129,4 @@ TEST_F(Pkcs11AESKeyWrapTest, WrapUnwrepTest6) {
   WrapUnwrap(kKEK3, sizeof(kKEK3), kKD6, sizeof(kKD6), kC6);
 }
 
-} /* nss_test */
-\ No newline at end of file
+} /* nss_test */
diff --git a/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
index dac2a41ba..07bc91ee6 100644
--- a/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
@@ -10,7 +10,7 @@
 #include "sechash.h"
 
 #include "cpputil.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include "gtest/gtest.h"
 
diff --git a/security/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc
new file mode 100644
index 000000000..38982fd88
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc
@@ -0,0 +1,80 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#include "gtest/gtest.h"
+
+#include <assert.h>
+#include <limits.h>
+#include <prinit.h>
+#include <nss.h>
+#include <pk11pub.h>
+
+static const size_t kKeyLen = 128 / 8;
+
+namespace nss_test {
+
+//
+// The ciper tests using the bltest command cover a great deal of testing.
+// However, Bug 1489691 revealed a corner case which is covered here.
+// This test will make multiple calls to PK11_CipherOp using the same
+// cipher context with data that is not cipher block aligned.
+//
+
+static SECStatus GetBytes(PK11Context* ctx, uint8_t* bytes, size_t len) {
+  std::vector<uint8_t> in(len, 0);
+
+  int outlen;
+  SECStatus rv = PK11_CipherOp(ctx, bytes, &outlen, len, &in[0], len);
+  if (static_cast<size_t>(outlen) != len) {
+    return SECFailure;
+  }
+  return rv;
+}
+
+TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOps) {
+  PK11SlotInfo* slot;
+  PK11SymKey* key;
+  PK11Context* ctx;
+
+  NSSInitContext* globalctx =
+      NSS_InitContext("", "", "", "", NULL,
+                      NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
+                          NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT);
+
+  const CK_MECHANISM_TYPE cipher = CKM_AES_CTR;
+
+  slot = PK11_GetInternalSlot();
+  ASSERT_TRUE(slot);
+
+  // Use arbitrary bytes for the AES key
+  uint8_t key_bytes[kKeyLen];
+  for (size_t i = 0; i < kKeyLen; i++) {
+    key_bytes[i] = i;
+  }
+
+  SECItem keyItem = {siBuffer, key_bytes, kKeyLen};
+
+  // The IV can be all zeros since we only encrypt once with
+  // each AES key.
+  CK_AES_CTR_PARAMS param = {128, {}};
+  SECItem paramItem = {siBuffer, reinterpret_cast<unsigned char*>(&param),
+                       sizeof(CK_AES_CTR_PARAMS)};
+
+  key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT,
+                          &keyItem, NULL);
+  ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, &paramItem);
+  ASSERT_TRUE(key);
+  ASSERT_TRUE(ctx);
+
+  uint8_t outbuf[128];
+  ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECSuccess);
+  ASSERT_EQ(GetBytes(ctx, outbuf, 17), SECSuccess);
+
+  PK11_FreeSymKey(key);
+  PK11_FreeSlot(slot);
+  PK11_DestroyContext(ctx, PR_TRUE);
+  NSS_ShutdownContext(globalctx);
+}
+
+}  // namespace nss_test
diff --git a/security/nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc
index 40b536207..009c44fce 100644
--- a/security/nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc
@@ -7,7 +7,7 @@
 #include "pk11pub.h"
 
 #include "cpputil.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include "gtest/gtest.h"
 
diff --git a/security/nss/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc
index 836cc7876..88c283317 100644
--- a/security/nss/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc
@@ -11,7 +11,7 @@
 #include "secutil.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
diff --git a/security/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc
index fb0659852..e905f7835 100644
--- a/security/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc
@@ -8,7 +8,7 @@
 #include "sechash.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include "pk11_ecdsa_vectors.h"
 #include "pk11_signature_test.h"
diff --git a/security/nss/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc
index aa92756f2..f4accac02 100644
--- a/security/nss/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc
@@ -8,7 +8,7 @@
 #include "prerror.h"
 #include "nss.h"
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "cpputil.h"
 #include "databuffer.h"
 #include "util.h"
diff --git a/security/nss/gtests/pk11_gtest/pk11_export_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_export_unittest.cc
index e5d5ae8e9..bfd65b952 100644
--- a/security/nss/gtests/pk11_gtest/pk11_export_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_export_unittest.cc
@@ -9,7 +9,7 @@
 #include "pk11pub.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
diff --git a/security/nss/gtests/pk11_gtest/pk11_gtest.gyp b/security/nss/gtests/pk11_gtest/pk11_gtest.gyp
index 076b4d37f..c73139b05 100644
--- a/security/nss/gtests/pk11_gtest/pk11_gtest.gyp
+++ b/security/nss/gtests/pk11_gtest/pk11_gtest.gyp
@@ -14,12 +14,14 @@
         'pk11_aeskeywrap_unittest.cc',
         'pk11_aes_gcm_unittest.cc',
         'pk11_chacha20poly1305_unittest.cc',
+        'pk11_cipherop_unittest.cc',
         'pk11_curve25519_unittest.cc',
         'pk11_ecdsa_unittest.cc',
         'pk11_encrypt_derive_unittest.cc',
         'pk11_pbkdf2_unittest.cc',
         'pk11_prf_unittest.cc',
         'pk11_prng_unittest.cc',
+        'pk11_rsapkcs1_unittest.cc',
         'pk11_rsapss_unittest.cc',
         'pk11_der_private_key_import_unittest.cc',
         '<(DEPTH)/gtests/common/gtests.cc'
diff --git a/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc
index d72f94c2c..fc055f400 100644
--- a/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc
@@ -9,7 +9,7 @@
 #include "pk11pub.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
diff --git a/security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
new file mode 100644
index 000000000..044d4e25e
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
@@ -0,0 +1,109 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <stdint.h>
+#include "cryptohi.h"
+#include "nss.h"
+#include "pk11pub.h"
+
+#include "gtest/gtest.h"
+#include "nss_scoped_ptrs.h"
+#include "cpputil.h"
+
+namespace nss_test {
+
+// Test that the RSASSA-PKCS1-v1_5 implementation enforces the missing NULL
+// parameter.
+TEST(RsaPkcs1Test, RequireNullParameter) {
+  // kSpki is an RSA public key in an X.509 SubjectPublicKeyInfo.
+  const uint8_t kSpki[] = {
+      0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+      0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81,
+      0x89, 0x02, 0x81, 0x81, 0x00, 0xf8, 0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9,
+      0xa8, 0x57, 0xc0, 0xa5, 0xb4, 0x59, 0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb,
+      0x22, 0x52, 0x04, 0x7e, 0xd3, 0x37, 0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0,
+      0xa6, 0x85, 0x15, 0x34, 0x75, 0x71, 0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef,
+      0x5a, 0x4e, 0xd3, 0xde, 0x97, 0x8a, 0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa,
+      0x86, 0x92, 0xbe, 0xb8, 0x50, 0xe4, 0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76,
+      0x13, 0x8f, 0xca, 0x7b, 0xdc, 0xec, 0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25,
+      0xef, 0xa8, 0x8a, 0x83, 0x58, 0x76, 0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79,
+      0x92, 0x63, 0x01, 0x48, 0x1a, 0xd8, 0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49,
+      0x4e, 0xd6, 0x6e, 0x4a, 0x5c, 0xd7, 0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd,
+      0x8f, 0x44, 0xe8, 0xc2, 0xa7, 0x2c, 0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61,
+      0x07, 0x02, 0x03, 0x01, 0x00, 0x01,
+  };
+  // kHash is the SHA-256 hash of {1,2,3,4}.
+  const uint8_t kHash[] = {
+      0x9f, 0x64, 0xa7, 0x47, 0xe1, 0xb9, 0x7f, 0x13, 0x1f, 0xab, 0xb6,
+      0xb4, 0x47, 0x29, 0x6c, 0x9b, 0x6f, 0x02, 0x01, 0xe7, 0x9f, 0xb3,
+      0xc5, 0x35, 0x6e, 0x6c, 0x77, 0xe8, 0x9b, 0x6a, 0x80, 0x6a,
+  };
+  // kSignature is the signature of kHash with RSASSA-PKCS1-v1_5.
+  const uint8_t kSignature[] = {
+      0xa5, 0xf0, 0x8a, 0x47, 0x5d, 0x3c, 0xb3, 0xcc, 0xa9, 0x79, 0xaf, 0x4d,
+      0x8c, 0xae, 0x4c, 0x14, 0xef, 0xc2, 0x0b, 0x34, 0x36, 0xde, 0xf4, 0x3e,
+      0x3d, 0xbb, 0x4a, 0x60, 0x5c, 0xc8, 0x91, 0x28, 0xda, 0xfb, 0x7e, 0x04,
+      0x96, 0x7e, 0x63, 0x13, 0x90, 0xce, 0xb9, 0xb4, 0x62, 0x7a, 0xfd, 0x09,
+      0x3d, 0xc7, 0x67, 0x78, 0x54, 0x04, 0xeb, 0x52, 0x62, 0x6e, 0x24, 0x67,
+      0xb4, 0x40, 0xfc, 0x57, 0x62, 0xc6, 0xf1, 0x67, 0xc1, 0x97, 0x8f, 0x6a,
+      0xa8, 0xae, 0x44, 0x46, 0x5e, 0xab, 0x67, 0x17, 0x53, 0x19, 0x3a, 0xda,
+      0x5a, 0xc8, 0x16, 0x3e, 0x86, 0xd5, 0xc5, 0x71, 0x2f, 0xfc, 0x23, 0x48,
+      0xd9, 0x0b, 0x13, 0xdd, 0x7b, 0x5a, 0x25, 0x79, 0xef, 0xa5, 0x7b, 0x04,
+      0xed, 0x44, 0xf6, 0x18, 0x55, 0xe4, 0x0a, 0xe9, 0x57, 0x79, 0x5d, 0xd7,
+      0x55, 0xa7, 0xab, 0x45, 0x02, 0x97, 0x60, 0x42,
+  };
+  // kSignature is an invalid signature of kHash with RSASSA-PKCS1-v1_5 with the
+  // NULL parameter omitted.
+  const uint8_t kSignatureInvalid[] = {
+      0x71, 0x6c, 0x24, 0x4e, 0xc9, 0x9b, 0x19, 0xc7, 0x49, 0x29, 0xb8, 0xd4,
+      0xfb, 0x26, 0x23, 0xc0, 0x96, 0x18, 0xcd, 0x1e, 0x60, 0xe8, 0x88, 0x94,
+      0x8c, 0x59, 0xfb, 0x58, 0x5c, 0x61, 0x58, 0x7a, 0xae, 0xcc, 0xeb, 0xee,
+      0x1e, 0x85, 0x7d, 0x83, 0xa9, 0xdc, 0x6f, 0x4c, 0x34, 0x5c, 0xcb, 0xd9,
+      0xde, 0x58, 0x76, 0xdf, 0x1f, 0x5e, 0xd4, 0x57, 0x5b, 0xeb, 0xaf, 0x4f,
+      0x7a, 0xa7, 0x6b, 0x21, 0xf1, 0x0a, 0x96, 0x78, 0xc7, 0xa8, 0x02, 0x7a,
+      0xc2, 0x06, 0xd3, 0x18, 0x79, 0x72, 0x6b, 0xfe, 0x2d, 0xec, 0xd8, 0x8e,
+      0x98, 0x86, 0x89, 0xf4, 0x67, 0x14, 0x2b, 0xac, 0x6d, 0xd7, 0x04, 0xd8,
+      0xab, 0x05, 0xe6, 0x51, 0xf6, 0xee, 0x58, 0x63, 0xef, 0x6a, 0x3e, 0x89,
+      0x99, 0x2a, 0x1c, 0x10, 0xc2, 0xd0, 0x41, 0x9e, 0x1e, 0x9a, 0x9a, 0x57,
+      0x32, 0x0f, 0x49, 0xb4, 0x57, 0x37, 0xa4, 0x26,
+  };
+
+  // The test vectors may be verified with:
+  //
+  // openssl rsautl -keyform der -pubin -inkey spki.bin -in sig.bin | der2ascii
+  // openssl rsautl -keyform der -pubin -inkey spki.bin -in sig2.bin | der2ascii
+
+  // Import public key.
+  SECItem spkiItem = {siBuffer, toUcharPtr(kSpki), sizeof(kSpki)};
+  ScopedCERTSubjectPublicKeyInfo certSpki(
+      SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
+  ASSERT_TRUE(certSpki);
+  ScopedSECKEYPublicKey pubKey(SECKEY_ExtractPublicKey(certSpki.get()));
+  ASSERT_TRUE(pubKey);
+
+  SECItem hash = {siBuffer, toUcharPtr(kHash), sizeof(kHash)};
+
+  // kSignature is a valid signature.
+  SECItem sigItem = {siBuffer, toUcharPtr(kSignature), sizeof(kSignature)};
+  SECStatus rv = VFY_VerifyDigestDirect(&hash, pubKey.get(), &sigItem,
+                                        SEC_OID_PKCS1_RSA_ENCRYPTION,
+                                        SEC_OID_SHA256, nullptr);
+  EXPECT_EQ(SECSuccess, rv);
+
+  // kSignatureInvalid is not.
+  sigItem = {siBuffer, toUcharPtr(kSignatureInvalid),
+             sizeof(kSignatureInvalid)};
+  rv = VFY_VerifyDigestDirect(&hash, pubKey.get(), &sigItem,
+                              SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA256,
+                              nullptr);
+#ifdef NSS_PKCS1_AllowMissingParameters
+  EXPECT_EQ(SECSuccess, rv);
+#else
+  EXPECT_EQ(SECFailure, rv);
+#endif
+}
+
+}  // namespace nss_test
diff --git a/security/nss/gtests/pk11_gtest/pk11_rsapss_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_rsapss_unittest.cc
index 6c8c5ab4e..ed0573027 100644
--- a/security/nss/gtests/pk11_gtest/pk11_rsapss_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_rsapss_unittest.cc
@@ -10,7 +10,7 @@
 #include "sechash.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include "pk11_signature_test.h"
 #include "pk11_rsapss_vectors.h"
diff --git a/security/nss/gtests/pk11_gtest/pk11_signature_test.h b/security/nss/gtests/pk11_gtest/pk11_signature_test.h
index 8a12171a0..0526fea55 100644
--- a/security/nss/gtests/pk11_gtest/pk11_signature_test.h
+++ b/security/nss/gtests/pk11_gtest/pk11_signature_test.h
@@ -8,7 +8,7 @@
 #include "sechash.h"
 
 #include "cpputil.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "databuffer.h"
 
 #include "gtest/gtest.h"
diff --git a/security/nss/gtests/softoken_gtest/softoken_gtest.cc b/security/nss/gtests/softoken_gtest/softoken_gtest.cc
index d61e2e75f..5e2a497b8 100644
--- a/security/nss/gtests/softoken_gtest/softoken_gtest.cc
+++ b/security/nss/gtests/softoken_gtest/softoken_gtest.cc
@@ -11,7 +11,7 @@
 #include "pk11pub.h"
 #include "secerr.h"
 
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
diff --git a/security/nss/gtests/ssl_gtest/manifest.mn b/security/nss/gtests/ssl_gtest/manifest.mn
index 8547e56d1..7f4ee7953 100644
--- a/security/nss/gtests/ssl_gtest/manifest.mn
+++ b/security/nss/gtests/ssl_gtest/manifest.mn
@@ -52,6 +52,7 @@ CPPSRCS = \
       tls_hkdf_unittest.cc \
       tls_filter.cc \
       tls_protect.cc \
+      tls_esni_unittest.cc \
       $(NULL)
 
 INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
diff --git a/security/nss/gtests/ssl_gtest/rsa8193.h b/security/nss/gtests/ssl_gtest/rsa8193.h
index 626516389..1ac8503bc 100644
--- a/security/nss/gtests/ssl_gtest/rsa8193.h
+++ b/security/nss/gtests/ssl_gtest/rsa8193.h
@@ -206,4 +206,4 @@ static const uint8_t rsa8193[] = {
     0x13, 0x34, 0x9d, 0x34, 0xb8, 0xef, 0x13, 0x3a, 0x20, 0xf5, 0x74, 0x02,
     0x70, 0x3b, 0x41, 0x60, 0x1f, 0x5e, 0x76, 0x0a, 0xb1, 0x17, 0xd5, 0xcf,
     0x79, 0xef, 0xf7, 0xab, 0xe7, 0xd6, 0x0f, 0xad, 0x85, 0x2c, 0x52, 0x67,
-    0xb5, 0xa0, 0x4a, 0xfd, 0xaf};
-\ No newline at end of file
+    0xb5, 0xa0, 0x4a, 0xfd, 0xaf};
diff --git a/security/nss/gtests/ssl_gtest/selfencrypt_unittest.cc b/security/nss/gtests/ssl_gtest/selfencrypt_unittest.cc
index 4bae9dec9..0c62c4cac 100644
--- a/security/nss/gtests/ssl_gtest/selfencrypt_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/selfencrypt_unittest.cc
@@ -19,7 +19,7 @@ extern "C" {
 
 #include "databuffer.h"
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
diff --git a/security/nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc
index 28fdc6631..07eadfbd1 100644
--- a/security/nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc
@@ -16,7 +16,7 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
diff --git a/security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc
index 6be3b61f8..c3455d130 100644
--- a/security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc
@@ -34,7 +34,7 @@ const static uint8_t kCannedTls13ClientHello[] = {
     0xc2, 0xb3, 0xc6, 0x80, 0x72, 0x86, 0x08, 0x86, 0x8f, 0x52, 0xc5, 0xcb,
     0xbf, 0x2a, 0xb5, 0x59, 0x64, 0xcc, 0x0c, 0x49, 0x95, 0x36, 0xe4, 0xd9,
     0x2f, 0xd4, 0x24, 0x66, 0x71, 0x6f, 0x5d, 0x70, 0xe2, 0xa0, 0xea, 0x26,
-    0x00, 0x2b, 0x00, 0x03, 0x02, 0x7f, kD13, 0x00, 0x0d, 0x00, 0x20, 0x00,
+    0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04, 0x00, 0x0d, 0x00, 0x20, 0x00,
     0x1e, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02, 0x03, 0x08, 0x04, 0x08,
     0x05, 0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x01, 0x04,
     0x02, 0x05, 0x02, 0x06, 0x02, 0x02, 0x02};
@@ -64,8 +64,8 @@ TEST_P(TlsAgentTestClient13, CannedHello) {
   auto sh = MakeCannedTls13ServerHello();
   MakeHandshakeMessage(kTlsHandshakeServerHello, sh.data(), sh.len(),
                        &server_hello);
-  MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
-             server_hello.data(), server_hello.len(), &buffer);
+  MakeRecord(ssl_ct_handshake, SSL_LIBRARY_VERSION_TLS_1_3, server_hello.data(),
+             server_hello.len(), &buffer);
   ProcessMessage(buffer, TlsAgent::STATE_CONNECTING);
 }
 
@@ -79,8 +79,8 @@ TEST_P(TlsAgentTestClient13, EncryptedExtensionsInClear) {
                        &encrypted_extensions, 1);
   server_hello.Append(encrypted_extensions);
   DataBuffer buffer;
-  MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
-             server_hello.data(), server_hello.len(), &buffer);
+  MakeRecord(ssl_ct_handshake, SSL_LIBRARY_VERSION_TLS_1_3, server_hello.data(),
+             server_hello.len(), &buffer);
   EnsureInit();
   ExpectAlert(kTlsAlertUnexpectedMessage);
   ProcessMessage(buffer, TlsAgent::STATE_ERROR,
@@ -97,11 +97,11 @@ TEST_F(TlsAgentStreamTestClient, EncryptedExtensionsInClearTwoPieces) {
                        &encrypted_extensions, 1);
   server_hello.Append(encrypted_extensions);
   DataBuffer buffer;
-  MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
-             server_hello.data(), kFirstFragmentSize, &buffer);
+  MakeRecord(ssl_ct_handshake, SSL_LIBRARY_VERSION_TLS_1_3, server_hello.data(),
+             kFirstFragmentSize, &buffer);
 
   DataBuffer buffer2;
-  MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
+  MakeRecord(ssl_ct_handshake, SSL_LIBRARY_VERSION_TLS_1_3,
              server_hello.data() + kFirstFragmentSize,
              server_hello.len() - kFirstFragmentSize, &buffer2);
 
@@ -129,11 +129,11 @@ TEST_F(TlsAgentDgramTestClient, EncryptedExtensionsInClearTwoPieces) {
                        &encrypted_extensions, 1);
   server_hello_frag2.Append(encrypted_extensions);
   DataBuffer buffer;
-  MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
+  MakeRecord(ssl_ct_handshake, SSL_LIBRARY_VERSION_TLS_1_3,
              server_hello_frag1.data(), server_hello_frag1.len(), &buffer);
 
   DataBuffer buffer2;
-  MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
+  MakeRecord(ssl_ct_handshake, SSL_LIBRARY_VERSION_TLS_1_3,
              server_hello_frag2.data(), server_hello_frag2.len(), &buffer2, 1);
 
   EnsureInit();
@@ -150,7 +150,7 @@ TEST_F(TlsAgentDgramTestClient, AckWithBogusLengthField) {
   // Length doesn't match
   const uint8_t ackBuf[] = {0x00, 0x08, 0x00};
   DataBuffer record;
-  MakeRecord(variant_, kTlsAckType, SSL_LIBRARY_VERSION_TLS_1_2, ackBuf,
+  MakeRecord(variant_, ssl_ct_ack, SSL_LIBRARY_VERSION_TLS_1_2, ackBuf,
              sizeof(ackBuf), &record, 0);
   agent_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_3,
                           SSL_LIBRARY_VERSION_TLS_1_3);
@@ -164,7 +164,7 @@ TEST_F(TlsAgentDgramTestClient, AckWithNonEvenLength) {
   // Length isn't a multiple of 8
   const uint8_t ackBuf[] = {0x00, 0x01, 0x00};
   DataBuffer record;
-  MakeRecord(variant_, kTlsAckType, SSL_LIBRARY_VERSION_TLS_1_2, ackBuf,
+  MakeRecord(variant_, ssl_ct_ack, SSL_LIBRARY_VERSION_TLS_1_2, ackBuf,
              sizeof(ackBuf), &record, 0);
   agent_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_3,
                           SSL_LIBRARY_VERSION_TLS_1_3);
@@ -196,7 +196,7 @@ TEST_F(TlsAgentStreamTestClient, Set0RttOptionThenRead) {
   agent_->StartConnect();
   agent_->Set0RttEnabled(true);
   DataBuffer buffer;
-  MakeRecord(kTlsApplicationDataType, SSL_LIBRARY_VERSION_TLS_1_3,
+  MakeRecord(ssl_ct_application_data, SSL_LIBRARY_VERSION_TLS_1_3,
              reinterpret_cast<const uint8_t *>(k0RttData), strlen(k0RttData),
              &buffer);
   ExpectAlert(kTlsAlertUnexpectedMessage);
@@ -214,10 +214,10 @@ TEST_F(TlsAgentStreamTestServer, Set0RttOptionClientHelloThenRead) {
   agent_->StartConnect();
   agent_->Set0RttEnabled(true);
   DataBuffer buffer;
-  MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
+  MakeRecord(ssl_ct_handshake, SSL_LIBRARY_VERSION_TLS_1_3,
              kCannedTls13ClientHello, sizeof(kCannedTls13ClientHello), &buffer);
   ProcessMessage(buffer, TlsAgent::STATE_CONNECTING);
-  MakeRecord(kTlsApplicationDataType, SSL_LIBRARY_VERSION_TLS_1_3,
+  MakeRecord(ssl_ct_application_data, SSL_LIBRARY_VERSION_TLS_1_3,
              reinterpret_cast<const uint8_t *>(k0RttData), strlen(k0RttData),
              &buffer);
   ExpectAlert(kTlsAlertBadRecordMac);
diff --git a/security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc
index e2a30e6bc..3a52ac20c 100644
--- a/security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc
@@ -15,7 +15,7 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
@@ -37,6 +37,50 @@ TEST_P(TlsConnectGeneric, ServerAuthRsaChain) {
   EXPECT_EQ(2UL, chain_length);
 }
 
+TEST_P(TlsConnectTls12Plus, ServerAuthRsaPss) {
+  static const SSLSignatureScheme kSignatureSchemePss[] = {
+      ssl_sig_rsa_pss_pss_sha256};
+
+  Reset(TlsAgent::kServerRsaPss);
+  client_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  server_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  Connect();
+  CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_pss,
+            ssl_sig_rsa_pss_pss_sha256);
+}
+
+// PSS doesn't work with TLS 1.0 or 1.1 because we can't signal it.
+TEST_P(TlsConnectPre12, ServerAuthRsaPssFails) {
+  static const SSLSignatureScheme kSignatureSchemePss[] = {
+      ssl_sig_rsa_pss_pss_sha256};
+
+  Reset(TlsAgent::kServerRsaPss);
+  client_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  server_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
+  server_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
+  client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
+}
+
+// Check that a PSS certificate with no parameters works.
+TEST_P(TlsConnectTls12Plus, ServerAuthRsaPssNoParameters) {
+  static const SSLSignatureScheme kSignatureSchemePss[] = {
+      ssl_sig_rsa_pss_pss_sha256};
+
+  Reset("rsa_pss_noparam");
+  client_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  server_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  Connect();
+  CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_pss,
+            ssl_sig_rsa_pss_pss_sha256);
+}
+
 TEST_P(TlsConnectGeneric, ServerAuthRsaPssChain) {
   Reset("rsa_pss_chain");
   Connect();
@@ -55,6 +99,76 @@ TEST_P(TlsConnectGeneric, ServerAuthRsaCARsaPssChain) {
   EXPECT_EQ(2UL, chain_length);
 }
 
+TEST_P(TlsConnectGeneric, ServerAuthRejected) {
+  EnsureTlsSetup();
+  client_->SetAuthCertificateCallback(
+      [](TlsAgent*, PRBool, PRBool) -> SECStatus { return SECFailure; });
+  ConnectExpectAlert(client_, kTlsAlertBadCertificate);
+  client_->CheckErrorCode(SSL_ERROR_BAD_CERTIFICATE);
+  server_->CheckErrorCode(SSL_ERROR_BAD_CERT_ALERT);
+  EXPECT_EQ(TlsAgent::STATE_ERROR, client_->state());
+}
+
+struct AuthCompleteArgs : public PollTarget {
+  AuthCompleteArgs(const std::shared_ptr<TlsAgent>& a, PRErrorCode c)
+      : agent(a), code(c) {}
+
+  std::shared_ptr<TlsAgent> agent;
+  PRErrorCode code;
+};
+
+static void CallAuthComplete(PollTarget* target, Event event) {
+  EXPECT_EQ(TIMER_EVENT, event);
+  auto args = reinterpret_cast<AuthCompleteArgs*>(target);
+  std::cerr << args->agent->role_str() << ": call SSL_AuthCertificateComplete "
+            << (args->code ? PR_ErrorToName(args->code) : "no error")
+            << std::endl;
+  EXPECT_EQ(SECSuccess,
+            SSL_AuthCertificateComplete(args->agent->ssl_fd(), args->code));
+  args->agent->Handshake();  // Make the TlsAgent aware of the error.
+  delete args;
+}
+
+// Install an AuthCertificateCallback that blocks when called.  Then
+// SSL_AuthCertificateComplete is called on a very short timer.  This allows any
+// processing that might follow the callback to complete.
+static void SetDeferredAuthCertificateCallback(std::shared_ptr<TlsAgent> agent,
+                                               PRErrorCode code) {
+  auto args = new AuthCompleteArgs(agent, code);
+  agent->SetAuthCertificateCallback(
+      [args](TlsAgent*, PRBool, PRBool) -> SECStatus {
+        // This can't be 0 or we race the message from the client to the server,
+        // and tests assume that we lose that race.
+        std::shared_ptr<Poller::Timer> timer_handle;
+        Poller::Instance()->SetTimer(1U, args, CallAuthComplete, &timer_handle);
+        return SECWouldBlock;
+      });
+}
+
+TEST_P(TlsConnectTls13, ServerAuthRejectAsync) {
+  SetDeferredAuthCertificateCallback(client_, SEC_ERROR_REVOKED_CERTIFICATE);
+  ConnectExpectAlert(client_, kTlsAlertCertificateRevoked);
+  // We only detect the error here when we attempt to handshake, so all the
+  // client learns is that the handshake has already failed.
+  client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILED);
+  server_->CheckErrorCode(SSL_ERROR_REVOKED_CERT_ALERT);
+}
+
+// In TLS 1.2 and earlier, this will result in the client sending its Finished
+// before learning that the server certificate is bad.  That means that the
+// server will believe that the handshake is complete.
+TEST_P(TlsConnectGenericPre13, ServerAuthRejectAsync) {
+  SetDeferredAuthCertificateCallback(client_, SEC_ERROR_EXPIRED_CERTIFICATE);
+  client_->ExpectSendAlert(kTlsAlertCertificateExpired);
+  server_->ExpectReceiveAlert(kTlsAlertCertificateExpired);
+  ConnectExpectFailOneSide(TlsAgent::CLIENT);
+  client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILED);
+
+  // The server might not receive the alert that the client sends, which would
+  // cause the test to fail when it cleans up.  Reset expectations.
+  server_->ExpectReceiveAlert(kTlsAlertCloseNotify, kTlsAlertWarning);
+}
+
 TEST_P(TlsConnectGeneric, ClientAuth) {
   client_->SetupClientAuth();
   server_->RequestClientAuth(true);
@@ -153,6 +267,81 @@ TEST_P(TlsConnectTls12, ClientAuthBigRsaCheckSigAlg) {
                  2048);
 }
 
+// Replaces the signature scheme in a CertificateVerify message.
+class TlsReplaceSignatureSchemeFilter : public TlsHandshakeFilter {
+ public:
+  TlsReplaceSignatureSchemeFilter(const std::shared_ptr<TlsAgent>& a,
+                                  SSLSignatureScheme scheme)
+      : TlsHandshakeFilter(a, {kTlsHandshakeCertificateVerify}),
+        scheme_(scheme) {
+    EnableDecryption();
+  }
+
+ protected:
+  virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
+                                               const DataBuffer& input,
+                                               DataBuffer* output) {
+    *output = input;
+    output->Write(0, scheme_, 2);
+    return CHANGE;
+  }
+
+ private:
+  SSLSignatureScheme scheme_;
+};
+
+// Check if CertificateVerify signed with rsa_pss_rsae_* is properly
+// rejected when the certificate is RSA-PSS.
+//
+// This only works under TLS 1.2, because PSS doesn't work with TLS
+// 1.0 or TLS 1.1 and the TLS 1.3 1-RTT handshake is partially
+// successful at the client side.
+TEST_P(TlsConnectTls12, ClientAuthInconsistentRsaeSignatureScheme) {
+  static const SSLSignatureScheme kSignatureSchemePss[] = {
+      ssl_sig_rsa_pss_pss_sha256, ssl_sig_rsa_pss_rsae_sha256};
+
+  Reset(TlsAgent::kServerRsa, "rsa_pss");
+  client_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  server_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  client_->SetupClientAuth();
+  server_->RequestClientAuth(true);
+
+  EnsureTlsSetup();
+
+  MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(client_,
+                                                 ssl_sig_rsa_pss_rsae_sha256);
+
+  ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
+}
+
+// Check if CertificateVerify signed with rsa_pss_pss_* is properly
+// rejected when the certificate is RSA.
+//
+// This only works under TLS 1.2, because PSS doesn't work with TLS
+// 1.0 or TLS 1.1 and the TLS 1.3 1-RTT handshake is partially
+// successful at the client side.
+TEST_P(TlsConnectTls12, ClientAuthInconsistentPssSignatureScheme) {
+  static const SSLSignatureScheme kSignatureSchemePss[] = {
+      ssl_sig_rsa_pss_rsae_sha256, ssl_sig_rsa_pss_pss_sha256};
+
+  Reset(TlsAgent::kServerRsa, "rsa");
+  client_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  server_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  client_->SetupClientAuth();
+  server_->RequestClientAuth(true);
+
+  EnsureTlsSetup();
+
+  MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(client_,
+                                                 ssl_sig_rsa_pss_pss_sha256);
+
+  ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
+}
+
 class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
  public:
   TlsZeroCertificateRequestSigAlgsFilter(const std::shared_ptr<TlsAgent>& a)
@@ -197,9 +386,9 @@ class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
   }
 };
 
-// Check that we fall back to SHA-1 when the server doesn't provide any
+// Check that we send an alert when the server doesn't provide any
 // supported_signature_algorithms in the CertificateRequest message.
-TEST_P(TlsConnectTls12, ClientAuthNoSigAlgsFallback) {
+TEST_P(TlsConnectTls12, ClientAuthNoSigAlgs) {
   EnsureTlsSetup();
   MakeTlsFilter<TlsZeroCertificateRequestSigAlgsFilter>(server_);
   auto capture_cert_verify = MakeTlsFilter<TlsHandshakeRecorder>(
@@ -207,24 +396,19 @@ TEST_P(TlsConnectTls12, ClientAuthNoSigAlgsFallback) {
   client_->SetupClientAuth();
   server_->RequestClientAuth(true);
 
-  ConnectExpectAlert(server_, kTlsAlertDecryptError);
-
-  // We're expecting a bad signature here because we tampered with a handshake
-  // message (CertReq). Previously, without the SHA-1 fallback, we would've
-  // seen a malformed record alert.
-  server_->CheckErrorCode(SEC_ERROR_BAD_SIGNATURE);
-  client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
+  ConnectExpectAlert(client_, kTlsAlertHandshakeFailure);
 
-  CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pkcs1_sha1, 1024);
+  server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT);
+  client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
 }
 
-static const SSLSignatureScheme SignatureSchemeEcdsaSha384[] = {
+static const SSLSignatureScheme kSignatureSchemeEcdsaSha384[] = {
     ssl_sig_ecdsa_secp384r1_sha384};
-static const SSLSignatureScheme SignatureSchemeEcdsaSha256[] = {
+static const SSLSignatureScheme kSignatureSchemeEcdsaSha256[] = {
     ssl_sig_ecdsa_secp256r1_sha256};
-static const SSLSignatureScheme SignatureSchemeRsaSha384[] = {
+static const SSLSignatureScheme kSignatureSchemeRsaSha384[] = {
     ssl_sig_rsa_pkcs1_sha384};
-static const SSLSignatureScheme SignatureSchemeRsaSha256[] = {
+static const SSLSignatureScheme kSignatureSchemeRsaSha256[] = {
     ssl_sig_rsa_pkcs1_sha256};
 
 static SSLNamedGroup NamedGroupForEcdsa384(uint16_t version) {
@@ -241,10 +425,10 @@ static SSLNamedGroup NamedGroupForEcdsa384(uint16_t version) {
 // for TLS 1.1 and 1.0, where they should be ignored.
 TEST_P(TlsConnectGeneric, SignatureAlgorithmServerAuth) {
   Reset(TlsAgent::kServerEcdsa384);
-  client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
-  server_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
+  client_->SetSignatureSchemes(kSignatureSchemeEcdsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha384));
+  server_->SetSignatureSchemes(kSignatureSchemeEcdsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha384));
   Connect();
   CheckKeys(ssl_kea_ecdh, NamedGroupForEcdsa384(version_), ssl_auth_ecdsa,
             ssl_sig_ecdsa_secp384r1_sha384);
@@ -273,8 +457,8 @@ TEST_P(TlsConnectGeneric, SignatureAlgorithmClientOnly) {
 // Defaults on the client include the provided option.
 TEST_P(TlsConnectGeneric, SignatureAlgorithmServerOnly) {
   Reset(TlsAgent::kServerEcdsa384);
-  server_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
+  server_->SetSignatureSchemes(kSignatureSchemeEcdsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha384));
   Connect();
   CheckKeys(ssl_kea_ecdh, NamedGroupForEcdsa384(version_), ssl_auth_ecdsa,
             ssl_sig_ecdsa_secp384r1_sha384);
@@ -283,16 +467,16 @@ TEST_P(TlsConnectGeneric, SignatureAlgorithmServerOnly) {
 // In TLS 1.2, curve and hash aren't bound together.
 TEST_P(TlsConnectTls12, SignatureSchemeCurveMismatch) {
   Reset(TlsAgent::kServerEcdsa256);
-  client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
+  client_->SetSignatureSchemes(kSignatureSchemeEcdsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha384));
   Connect();
 }
 
 // In TLS 1.3, curve and hash are coupled.
 TEST_P(TlsConnectTls13, SignatureSchemeCurveMismatch) {
   Reset(TlsAgent::kServerEcdsa256);
-  client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
+  client_->SetSignatureSchemes(kSignatureSchemeEcdsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha384));
   ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
   server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
   client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
@@ -301,16 +485,16 @@ TEST_P(TlsConnectTls13, SignatureSchemeCurveMismatch) {
 // Configuring a P-256 cert with only SHA-384 signatures is OK in TLS 1.2.
 TEST_P(TlsConnectTls12, SignatureSchemeBadConfig) {
   Reset(TlsAgent::kServerEcdsa256);  // P-256 cert can't be used.
-  server_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
+  server_->SetSignatureSchemes(kSignatureSchemeEcdsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha384));
   Connect();
 }
 
 // A P-256 certificate in TLS 1.3 needs a SHA-256 signature scheme.
 TEST_P(TlsConnectTls13, SignatureSchemeBadConfig) {
   Reset(TlsAgent::kServerEcdsa256);  // P-256 cert can't be used.
-  server_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
+  server_->SetSignatureSchemes(kSignatureSchemeEcdsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha384));
   ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
   server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
   client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
@@ -319,10 +503,10 @@ TEST_P(TlsConnectTls13, SignatureSchemeBadConfig) {
 // Where there is no overlap on signature schemes, we still connect successfully
 // if we aren't going to use a signature.
 TEST_P(TlsConnectGenericPre13, SignatureAlgorithmNoOverlapStaticRsa) {
-  client_->SetSignatureSchemes(SignatureSchemeRsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeRsaSha384));
-  server_->SetSignatureSchemes(SignatureSchemeRsaSha256,
-                               PR_ARRAY_SIZE(SignatureSchemeRsaSha256));
+  client_->SetSignatureSchemes(kSignatureSchemeRsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeRsaSha384));
+  server_->SetSignatureSchemes(kSignatureSchemeRsaSha256,
+                               PR_ARRAY_SIZE(kSignatureSchemeRsaSha256));
   EnableOnlyStaticRsaCiphers();
   Connect();
   CheckKeys(ssl_kea_rsa, ssl_auth_rsa_decrypt);
@@ -330,10 +514,10 @@ TEST_P(TlsConnectGenericPre13, SignatureAlgorithmNoOverlapStaticRsa) {
 
 TEST_P(TlsConnectTls12Plus, SignatureAlgorithmNoOverlapEcdsa) {
   Reset(TlsAgent::kServerEcdsa256);
-  client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
-  server_->SetSignatureSchemes(SignatureSchemeEcdsaSha256,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha256));
+  client_->SetSignatureSchemes(kSignatureSchemeEcdsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha384));
+  server_->SetSignatureSchemes(kSignatureSchemeEcdsaSha256,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha256));
   ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
   client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
   server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
@@ -342,10 +526,10 @@ TEST_P(TlsConnectTls12Plus, SignatureAlgorithmNoOverlapEcdsa) {
 // Pre 1.2, a mismatch on signature algorithms shouldn't affect anything.
 TEST_P(TlsConnectPre12, SignatureAlgorithmNoOverlapEcdsa) {
   Reset(TlsAgent::kServerEcdsa256);
-  client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
-  server_->SetSignatureSchemes(SignatureSchemeEcdsaSha256,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha256));
+  client_->SetSignatureSchemes(kSignatureSchemeEcdsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha384));
+  server_->SetSignatureSchemes(kSignatureSchemeEcdsaSha256,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha256));
   Connect();
 }
 
@@ -366,29 +550,6 @@ TEST_P(TlsConnectTls12, SignatureAlgorithmDrop) {
   server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
 }
 
-// Replaces the signature scheme in a TLS 1.3 CertificateVerify message.
-class TlsReplaceSignatureSchemeFilter : public TlsHandshakeFilter {
- public:
-  TlsReplaceSignatureSchemeFilter(const std::shared_ptr<TlsAgent>& a,
-                                  SSLSignatureScheme scheme)
-      : TlsHandshakeFilter(a, {kTlsHandshakeCertificateVerify}),
-        scheme_(scheme) {
-    EnableDecryption();
-  }
-
- protected:
-  virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
-                                               const DataBuffer& input,
-                                               DataBuffer* output) {
-    *output = input;
-    output->Write(0, scheme_, 2);
-    return CHANGE;
-  }
-
- private:
-  SSLSignatureScheme scheme_;
-};
-
 TEST_P(TlsConnectTls13, UnsupportedSignatureSchemeAlert) {
   EnsureTlsSetup();
   MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(server_, ssl_sig_none);
@@ -411,8 +572,8 @@ TEST_P(TlsConnectTls13, InconsistentSignatureSchemeAlert) {
 }
 
 TEST_P(TlsConnectTls12Plus, RequestClientAuthWithSha384) {
-  server_->SetSignatureSchemes(SignatureSchemeRsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeRsaSha384));
+  server_->SetSignatureSchemes(kSignatureSchemeRsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeRsaSha384));
   server_->RequestClientAuth(false);
   Connect();
 }
@@ -438,7 +599,7 @@ class BeforeFinished : public TlsRecordFilter {
     switch (state_) {
       case BEFORE_CCS:
         // Awaken when we see the CCS.
-        if (header.content_type() == kTlsChangeCipherSpecType) {
+        if (header.content_type() == ssl_ct_change_cipher_spec) {
           before_ccs_();
 
           // Write the CCS out as a separate write, so that we can make
@@ -455,7 +616,7 @@ class BeforeFinished : public TlsRecordFilter {
         break;
 
       case AFTER_CCS:
-        EXPECT_EQ(kTlsHandshakeType, header.content_type());
+        EXPECT_EQ(ssl_ct_handshake, header.content_type());
         // This could check that data contains a Finished message, but it's
         // encrypted, so that's too much extra work.
 
@@ -552,25 +713,11 @@ TEST_F(TlsConnectDatagram13, AuthCompleteBeforeFinished) {
   Connect();
 }
 
-static void TriggerAuthComplete(PollTarget* target, Event event) {
-  std::cerr << "client: call SSL_AuthCertificateComplete" << std::endl;
-  EXPECT_EQ(TIMER_EVENT, event);
-  TlsAgent* client = static_cast<TlsAgent*>(target);
-  EXPECT_EQ(SECSuccess, SSL_AuthCertificateComplete(client->ssl_fd(), 0));
-}
-
 // This test uses a simple AuthCertificateCallback.  Due to the way that the
 // entire server flight is processed, the call to SSL_AuthCertificateComplete
 // will trigger after the Finished message is processed.
 TEST_F(TlsConnectDatagram13, AuthCompleteAfterFinished) {
-  client_->SetAuthCertificateCallback(
-      [this](TlsAgent*, PRBool, PRBool) -> SECStatus {
-        std::shared_ptr<Poller::Timer> timer_handle;
-        // This is really just to unroll the stack.
-        Poller::Instance()->SetTimer(1U, client_.get(), TriggerAuthComplete,
-                                     &timer_handle);
-        return SECWouldBlock;
-      });
+  SetDeferredAuthCertificateCallback(client_, 0);  // 0 = success.
   Connect();
 }
 
@@ -754,15 +901,15 @@ TEST_F(TlsAgentStreamTestServer, ConfigureCertRsaPkcs1SignAndKEX) {
   PRFileDesc* ssl_fd = agent_->ssl_fd();
   EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_decrypt));
   EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_sign));
-  EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_pss));
+  EXPECT_FALSE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_pss));
 
-  // Configuring for only rsa_sign, rsa_pss, or rsa_decrypt should work.
+  // Configuring for only rsa_sign or rsa_decrypt should work.
   EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsa, false,
                                        &ServerCertDataRsaPkcs1Decrypt));
   EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsa, false,
                                        &ServerCertDataRsaPkcs1Sign));
-  EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsa, false,
-                                       &ServerCertDataRsaPss));
+  EXPECT_FALSE(agent_->ConfigServerCert(TlsAgent::kServerRsa, false,
+                                        &ServerCertDataRsaPss));
 }
 
 // Test RSA cert with usage=[signature].
@@ -772,17 +919,17 @@ TEST_F(TlsAgentStreamTestServer, ConfigureCertRsaPkcs1Sign) {
   PRFileDesc* ssl_fd = agent_->ssl_fd();
   EXPECT_FALSE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_decrypt));
   EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_sign));
-  EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_pss));
+  EXPECT_FALSE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_pss));
 
   // Configuring for only rsa_decrypt should fail.
   EXPECT_FALSE(agent_->ConfigServerCert(TlsAgent::kServerRsaSign, false,
                                         &ServerCertDataRsaPkcs1Decrypt));
 
-  // Configuring for only rsa_sign or rsa_pss should work.
+  // Configuring for only rsa_sign should work.
   EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsaSign, false,
                                        &ServerCertDataRsaPkcs1Sign));
-  EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsaSign, false,
-                                       &ServerCertDataRsaPss));
+  EXPECT_FALSE(agent_->ConfigServerCert(TlsAgent::kServerRsaSign, false,
+                                        &ServerCertDataRsaPss));
 }
 
 // Test RSA cert with usage=[encipherment].
diff --git a/security/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
index ec289bdd6..194cbab47 100644
--- a/security/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
@@ -84,6 +84,18 @@ class TlsCipherSuiteTestBase : public TlsConnectTestBase {
           Reset(TlsAgent::kRsa2048);
           auth_type_ = ssl_auth_rsa_sign;
           break;
+        case ssl_sig_rsa_pss_pss_sha256:
+          Reset(TlsAgent::kServerRsaPss);
+          auth_type_ = ssl_auth_rsa_pss;
+          break;
+        case ssl_sig_rsa_pss_pss_sha384:
+          Reset("rsa_pss384");
+          auth_type_ = ssl_auth_rsa_pss;
+          break;
+        case ssl_sig_rsa_pss_pss_sha512:
+          Reset("rsa_pss512");
+          auth_type_ = ssl_auth_rsa_pss;
+          break;
         case ssl_sig_ecdsa_secp256r1_sha256:
           Reset(TlsAgent::kServerEcdsa256);
           auth_type_ = ssl_auth_ecdsa;
@@ -270,7 +282,7 @@ TEST_P(TlsCipherSuiteTest, ReadLimit) {
   } else {
     epoch = 0;
   }
-  TlsAgentTestBase::MakeRecord(variant_, kTlsApplicationDataType, version_,
+  TlsAgentTestBase::MakeRecord(variant_, ssl_ct_application_data, version_,
                                payload, sizeof(payload), &record,
                                (epoch << 48) | record_limit());
   client_->SendDirect(record);
@@ -310,14 +322,13 @@ static const auto kDummyNamedGroupParams = ::testing::Values(ssl_grp_none);
 static const auto kDummySignatureSchemesParams =
     ::testing::Values(ssl_sig_none);
 
-#ifndef NSS_DISABLE_TLS_1_3
 static SSLSignatureScheme kSignatureSchemesParamsArr[] = {
     ssl_sig_rsa_pkcs1_sha256,       ssl_sig_rsa_pkcs1_sha384,
     ssl_sig_rsa_pkcs1_sha512,       ssl_sig_ecdsa_secp256r1_sha256,
     ssl_sig_ecdsa_secp384r1_sha384, ssl_sig_rsa_pss_rsae_sha256,
     ssl_sig_rsa_pss_rsae_sha384,    ssl_sig_rsa_pss_rsae_sha512,
-};
-#endif
+    ssl_sig_rsa_pss_pss_sha256,     ssl_sig_rsa_pss_pss_sha384,
+    ssl_sig_rsa_pss_pss_sha512};
 
 INSTANTIATE_CIPHER_TEST_P(RC4, Stream, V10ToV12, kDummyNamedGroupParams,
                           kDummySignatureSchemesParams,
@@ -372,6 +383,14 @@ INSTANTIATE_CIPHER_TEST_P(
     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA);
+INSTANTIATE_CIPHER_TEST_P(
+    TLS12SigSchemes, All, V12, ::testing::ValuesIn(kFasterDHEGroups),
+    ::testing::ValuesIn(kSignatureSchemesParamsArr),
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256);
 #ifndef NSS_DISABLE_TLS_1_3
 INSTANTIATE_CIPHER_TEST_P(TLS13, All, V13,
                           ::testing::ValuesIn(kFasterDHEGroups),
diff --git a/security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc
index 5be62e506..68c789a38 100644
--- a/security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc
@@ -132,7 +132,7 @@ TEST_F(TlsConnectStreamTls13, CustomExtensionEmptyWriterServer) {
   // Sending extensions that the client doesn't expect leads to extensions
   // appearing even if the client didn't send one, or in the wrong messages.
   client_->ExpectSendAlert(kTlsAlertUnsupportedExtension);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
 }
 
@@ -350,7 +350,7 @@ TEST_F(TlsConnectStreamTls13, CustomExtensionUnsolicitedServer) {
   auto capture = MakeTlsFilter<TlsExtensionCapture>(server_, extension_code);
 
   client_->ExpectSendAlert(kTlsAlertUnsupportedExtension);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
 
   EXPECT_TRUE(capture->captured());
@@ -401,7 +401,7 @@ TEST_F(TlsConnectStreamTls13, CustomExtensionClientReject) {
   EXPECT_EQ(SECSuccess, rv);
 
   client_->ExpectSendAlert(kTlsAlertHandshakeFailure);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
 }
 
@@ -451,7 +451,7 @@ TEST_F(TlsConnectStreamTls13, CustomExtensionClientRejectAlert) {
   EXPECT_EQ(SECSuccess, rv);
 
   client_->ExpectSendAlert(kCustomAlert);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
 }
 
diff --git a/security/nss/gtests/ssl_gtest/ssl_damage_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_damage_unittest.cc
index b8836d7fc..0723c9bee 100644
--- a/security/nss/gtests/ssl_gtest/ssl_damage_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_damage_unittest.cc
@@ -17,7 +17,7 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
diff --git a/security/nss/gtests/ssl_gtest/ssl_dhe_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_dhe_unittest.cc
index b99461632..f1ccc2864 100644
--- a/security/nss/gtests/ssl_gtest/ssl_dhe_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_dhe_unittest.cc
@@ -13,7 +13,7 @@
 #include "sslproto.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
@@ -643,4 +643,43 @@ TEST_P(TlsConnectGenericPre13, InvalidDERSignatureFfdhe) {
   client_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
 }
 
+// Replace SignatureAndHashAlgorithm of a SKE.
+class DHEServerKEXSigAlgReplacer : public TlsHandshakeFilter {
+ public:
+  DHEServerKEXSigAlgReplacer(const std::shared_ptr<TlsAgent>& server,
+                             SSLSignatureScheme sig_scheme)
+      : TlsHandshakeFilter(server, {kTlsHandshakeServerKeyExchange}),
+        sig_scheme_(sig_scheme) {}
+
+ protected:
+  virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
+                                               const DataBuffer& input,
+                                               DataBuffer* output) {
+    *output = input;
+
+    uint32_t len;
+    uint32_t idx = 0;
+    EXPECT_TRUE(output->Read(idx, 2, &len));
+    idx += 2 + len;
+    EXPECT_TRUE(output->Read(idx, 2, &len));
+    idx += 2 + len;
+    EXPECT_TRUE(output->Read(idx, 2, &len));
+    idx += 2 + len;
+    output->Write(idx, sig_scheme_, 2);
+
+    return CHANGE;
+  }
+
+ private:
+  SSLSignatureScheme sig_scheme_;
+};
+
+TEST_P(TlsConnectTls12, ConnectInconsistentSigAlgDHE) {
+  EnableOnlyDheCiphers();
+
+  MakeTlsFilter<DHEServerKEXSigAlgReplacer>(server_,
+                                            ssl_sig_ecdsa_secp256r1_sha256);
+  ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
+}
+
 }  // namespace nss_test
diff --git a/security/nss/gtests/ssl_gtest/ssl_drop_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_drop_unittest.cc
index e5b52ff06..f25efc77a 100644
--- a/security/nss/gtests/ssl_gtest/ssl_drop_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_drop_unittest.cc
@@ -14,7 +14,7 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
@@ -123,7 +123,7 @@ class TlsDropDatagram13 : public TlsConnectDatagram13,
 
     void Init(const std::shared_ptr<TlsAgent>& agent) {
       records_ = std::make_shared<TlsRecordRecorder>(agent);
-      ack_ = std::make_shared<TlsRecordRecorder>(agent, content_ack);
+      ack_ = std::make_shared<TlsRecordRecorder>(agent, ssl_ct_ack);
       ack_->EnableDecryption();
       drop_ = std::make_shared<SelectiveRecordDropFilter>(agent, 0, false);
       chain_ = std::make_shared<ChainedPacketFilter>(
@@ -670,7 +670,7 @@ TEST_P(TlsDropDatagram13, SendOutOfOrderAppWithHandshakeKey) {
   ASSERT_NE(nullptr, spec.get());
   ASSERT_EQ(2, spec->epoch());
   ASSERT_TRUE(client_->SendEncryptedRecord(spec, 0x0002000000000002,
-                                           kTlsApplicationDataType,
+                                           ssl_ct_application_data,
                                            DataBuffer(buf, sizeof(buf))));
 
   // Now have the server consume the bogus message.
@@ -696,7 +696,7 @@ TEST_P(TlsDropDatagram13, SendOutOfOrderHsNonsenseWithHandshakeKey) {
   ASSERT_NE(nullptr, spec.get());
   ASSERT_EQ(2, spec->epoch());
   ASSERT_TRUE(client_->SendEncryptedRecord(spec, 0x0002000000000002,
-                                           kTlsHandshakeType,
+                                           ssl_ct_handshake,
                                            DataBuffer(buf, sizeof(buf))));
   server_->Handshake();
   EXPECT_EQ(2UL, server_filters_.ack_->count());
@@ -899,7 +899,7 @@ class TlsReplaceFirstRecordWithJunk : public TlsRecordFilter {
     }
     replaced_ = true;
     TlsRecordHeader out_header(header.variant(), header.version(),
-                               kTlsApplicationDataType,
+                               ssl_ct_application_data,
                                header.sequence_number());
 
     static const uint8_t junk[] = {1, 2, 3, 4};
diff --git a/security/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
index 12c6e8516..f1cf1fabc 100644
--- a/security/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
@@ -17,7 +17,7 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
diff --git a/security/nss/gtests/ssl_gtest/ssl_ems_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_ems_unittest.cc
index dad6ca026..39b2d5873 100644
--- a/security/nss/gtests/ssl_gtest/ssl_ems_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_ems_unittest.cc
@@ -10,7 +10,7 @@
 #include "sslproto.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
diff --git a/security/nss/gtests/ssl_gtest/ssl_extension_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_extension_unittest.cc
index 6965e9ca7..5819af746 100644
--- a/security/nss/gtests/ssl_gtest/ssl_extension_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_extension_unittest.cc
@@ -9,6 +9,9 @@
 #include "sslerr.h"
 #include "sslproto.h"
 
+// This is only to get DTLS_1_3_DRAFT_VERSION
+#include "ssl3prot.h"
+
 #include <memory>
 
 #include "tls_connect.h"
@@ -41,28 +44,6 @@ class TlsExtensionTruncator : public TlsExtensionFilter {
   size_t length_;
 };
 
-class TlsExtensionDamager : public TlsExtensionFilter {
- public:
-  TlsExtensionDamager(const std::shared_ptr<TlsAgent>& a, uint16_t extension,
-                      size_t index)
-      : TlsExtensionFilter(a), extension_(extension), index_(index) {}
-  virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
-                                               const DataBuffer& input,
-                                               DataBuffer* output) {
-    if (extension_type != extension_) {
-      return KEEP;
-    }
-
-    *output = input;
-    output->data()[index_] += 73;  // Increment selected for maximum damage
-    return CHANGE;
-  }
-
- private:
-  uint16_t extension_;
-  size_t index_;
-};
-
 class TlsExtensionAppender : public TlsHandshakeFilter {
  public:
   TlsExtensionAppender(const std::shared_ptr<TlsAgent>& a,
@@ -454,6 +435,25 @@ TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsOddLength) {
       client_, ssl_signature_algorithms_xtn, extension));
 }
 
+TEST_F(TlsExtensionTest13Stream, SignatureAlgorithmsPrecedingGarbage) {
+  // 31 unknown signature algorithms followed by sha-256, rsa
+  const uint8_t val[] = {
+      0x00, 0x40, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x04, 0x01};
+  DataBuffer extension(val, sizeof(val));
+  MakeTlsFilter<TlsExtensionReplacer>(client_, ssl_signature_algorithms_xtn,
+                                      extension);
+  client_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  ConnectExpectFail();
+  client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
+  server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
+}
+
 TEST_P(TlsExtensionTestGeneric, NoSupportedGroups) {
   ClientHelloErrorTest(
       std::make_shared<TlsExtensionDropper>(client_, ssl_supported_groups_xtn),
@@ -563,10 +563,10 @@ TEST_F(TlsExtensionTest13Stream, DropServerKeyShare) {
   EnsureTlsSetup();
   MakeTlsFilter<TlsExtensionDropper>(server_, ssl_tls13_key_share_xtn);
   client_->ExpectSendAlert(kTlsAlertMissingExtension);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
   EXPECT_EQ(SSL_ERROR_MISSING_KEY_SHARE, client_->error_code());
-  EXPECT_EQ(SSL_ERROR_BAD_MAC_READ, server_->error_code());
+  EXPECT_EQ(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, server_->error_code());
 }
 
 TEST_F(TlsExtensionTest13Stream, WrongServerKeyShare) {
@@ -583,13 +583,12 @@ TEST_F(TlsExtensionTest13Stream, WrongServerKeyShare) {
   EnsureTlsSetup();
   MakeTlsFilter<TlsExtensionReplacer>(server_, ssl_tls13_key_share_xtn, buf);
   client_->ExpectSendAlert(kTlsAlertIllegalParameter);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
   EXPECT_EQ(SSL_ERROR_RX_MALFORMED_KEY_SHARE, client_->error_code());
-  EXPECT_EQ(SSL_ERROR_BAD_MAC_READ, server_->error_code());
+  EXPECT_EQ(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, server_->error_code());
 }
 
-// TODO(ekr@rtfm.com): This is the wrong error code. See bug 1307269.
 TEST_F(TlsExtensionTest13Stream, UnknownServerKeyShare) {
   const uint16_t wrong_group = 0xffff;
 
@@ -603,11 +602,11 @@ TEST_F(TlsExtensionTest13Stream, UnknownServerKeyShare) {
   DataBuffer buf(key_share, sizeof(key_share));
   EnsureTlsSetup();
   MakeTlsFilter<TlsExtensionReplacer>(server_, ssl_tls13_key_share_xtn, buf);
-  client_->ExpectSendAlert(kTlsAlertMissingExtension);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  client_->ExpectSendAlert(kTlsAlertIllegalParameter);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
-  EXPECT_EQ(SSL_ERROR_MISSING_KEY_SHARE, client_->error_code());
-  EXPECT_EQ(SSL_ERROR_BAD_MAC_READ, server_->error_code());
+  EXPECT_EQ(SSL_ERROR_RX_MALFORMED_KEY_SHARE, client_->error_code());
+  EXPECT_EQ(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, server_->error_code());
 }
 
 TEST_F(TlsExtensionTest13Stream, AddServerSignatureAlgorithmsOnResumption) {
@@ -616,10 +615,10 @@ TEST_F(TlsExtensionTest13Stream, AddServerSignatureAlgorithmsOnResumption) {
   MakeTlsFilter<TlsExtensionInjector>(server_, ssl_signature_algorithms_xtn,
                                       empty);
   client_->ExpectSendAlert(kTlsAlertUnsupportedExtension);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
   EXPECT_EQ(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION, client_->error_code());
-  EXPECT_EQ(SSL_ERROR_BAD_MAC_READ, server_->error_code());
+  EXPECT_EQ(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, server_->error_code());
 }
 
 struct PskIdentity {
@@ -912,23 +911,32 @@ TEST_P(TlsExtensionTest13, RemoveTls13FromVersionListServerV12) {
 // 3. Server supports 1.2 and 1.3, client supports 1.2 and 1.3
 // but advertises 1.2 (because we changed things).
 TEST_P(TlsExtensionTest13, RemoveTls13FromVersionListBothV12) {
+  client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_TRUE);
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                            SSL_LIBRARY_VERSION_TLS_1_3);
   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                            SSL_LIBRARY_VERSION_TLS_1_3);
-#ifndef TLS_1_3_DRAFT_VERSION
-  ExpectAlert(server_, kTlsAlertIllegalParameter);
-#else
-  ExpectAlert(server_, kTlsAlertDecryptError);
+// The downgrade check is disabled in DTLS 1.3, so all that happens when we
+// tamper with the supported versions is that the Finished check fails.
+#ifdef DTLS_1_3_DRAFT_VERSION
+  if (variant_ == ssl_variant_datagram) {
+    ExpectAlert(server_, kTlsAlertDecryptError);
+  } else
 #endif
+  {
+    ExpectAlert(client_, kTlsAlertIllegalParameter);
+  }
   ConnectWithReplacementVersionList(SSL_LIBRARY_VERSION_TLS_1_2);
-#ifndef TLS_1_3_DRAFT_VERSION
-  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
-  server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
-#else
-  client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
-  server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+#ifdef DTLS_1_3_DRAFT_VERSION
+  if (variant_ == ssl_variant_datagram) {
+    client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
+    server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+  } else
 #endif
+  {
+    client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
+    server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
+  }
 }
 
 TEST_P(TlsExtensionTest13, HrrThenRemoveSignatureAlgorithms) {
@@ -1017,7 +1025,7 @@ class TlsBogusExtensionTest13 : public TlsBogusExtensionTest {
     client_->ExpectSendAlert(alert);
     client_->Handshake();
     if (variant_ == ssl_variant_stream) {
-      server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+      server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
     }
     server_->Handshake();
   }
diff --git a/security/nss/gtests/ssl_gtest/ssl_fragment_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_fragment_unittest.cc
index 92947c2c7..375281263 100644
--- a/security/nss/gtests/ssl_gtest/ssl_fragment_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_fragment_unittest.cc
@@ -10,7 +10,7 @@
 #include "sslproto.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
@@ -106,8 +106,8 @@ class RecordFragmenter : public PacketFilter {
         }
 
         // Just rewrite the sequence number (CCS only).
-        if (header.content_type() != kTlsHandshakeType) {
-          EXPECT_EQ(kTlsChangeCipherSpecType, header.content_type());
+        if (header.content_type() != ssl_ct_handshake) {
+          EXPECT_EQ(ssl_ct_change_cipher_spec, header.content_type());
           WriteRecord(header, record);
           continue;
         }
diff --git a/security/nss/gtests/ssl_gtest/ssl_fuzz_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_fuzz_unittest.cc
index f0afc9118..f033b7843 100644
--- a/security/nss/gtests/ssl_gtest/ssl_fuzz_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_fuzz_unittest.cc
@@ -33,7 +33,7 @@ class TlsApplicationDataRecorder : public TlsRecordFilter {
   virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                             const DataBuffer& input,
                                             DataBuffer* output) {
-    if (header.content_type() == kTlsApplicationDataType) {
+    if (header.content_type() == ssl_ct_application_data) {
       buffer_.Append(input);
     }
 
diff --git a/security/nss/gtests/ssl_gtest/ssl_gather_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_gather_unittest.cc
index f47b2f445..745432951 100644
--- a/security/nss/gtests/ssl_gtest/ssl_gather_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_gather_unittest.cc
@@ -15,6 +15,7 @@ class GatherV2ClientHelloTest : public TlsConnectTestBase {
 
   void ConnectExpectMalformedClientHello(const DataBuffer &data) {
     EnsureTlsSetup();
+    server_->SetOption(SSL_ENABLE_V2_COMPATIBLE_HELLO, PR_TRUE);
     server_->ExpectSendAlert(kTlsAlertIllegalParameter);
     client_->SendDirect(data);
     server_->StartConnect();
diff --git a/security/nss/gtests/ssl_gtest/ssl_gtest.gyp b/security/nss/gtests/ssl_gtest/ssl_gtest.gyp
index 17677713d..be1c4ea32 100644
--- a/security/nss/gtests/ssl_gtest/ssl_gtest.gyp
+++ b/security/nss/gtests/ssl_gtest/ssl_gtest.gyp
@@ -51,6 +51,7 @@
         'tls_connect.cc',
         'tls_filter.cc',
         'tls_hkdf_unittest.cc',
+        'tls_esni_unittest.cc',
         'tls_protect.cc'
       ],
       'dependencies': [
diff --git a/security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc
index 77b335e86..27bc03654 100644
--- a/security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc
@@ -9,11 +9,11 @@
 #include "sslerr.h"
 #include "sslproto.h"
 
-// This is internal, just to get TLS_1_3_DRAFT_VERSION.
+// This is internal, just to get DTLS_1_3_DRAFT_VERSION.
 #include "ssl3prot.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
@@ -76,7 +76,7 @@ class CorrectMessageSeqAfterHrrFilter : public TlsRecordFilter {
   PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                     const DataBuffer& record, size_t* offset,
                                     DataBuffer* output) {
-    if (filtered_packets() > 0 || header.content_type() != content_handshake) {
+    if (filtered_packets() > 0 || header.content_type() != ssl_ct_handshake) {
       return KEEP;
     }
 
@@ -718,6 +718,86 @@ TEST_F(TlsConnectStreamTls13, RetryStatelessDamageSecondClientHello) {
   client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
 }
 
+// Stream because SSL_SendSessionTicket only supports that.
+TEST_F(TlsConnectStreamTls13, SecondClientHelloSendSameTicket) {
+  // This simulates the scenario described at:
+  // https://bugzilla.mozilla.org/show_bug.cgi?id=1481271#c7
+  //
+  // Here two connections are interleaved.  Tickets are issued on one
+  // connection.  A HelloRetryRequest is triggered on the second connection,
+  // meaning that there are two ClientHellos.  We need to check that both
+  // ClientHellos have the same ticket, even if a new ticket is issued on the
+  // other connection in the meantime.
+  //
+  // Connection 1: <handshake>
+  // Connection 1: S->C: NST=X
+  // Connection 2: C->S: CH [PSK_ID=X]
+  // Connection 1: S->C: NST=Y
+  // Connection 2: S->C: HRR
+  // Connection 2: C->S: CH [PSK_ID=Y]
+
+  // Connection 1, send a ticket after handshake is complete.
+  ConfigureSessionCache(RESUME_TICKET, RESUME_TICKET);
+
+  Connect();
+
+  // Set this token so that RetryHelloWithToken() will check that this
+  // is the token that it receives in the HelloRetryRequest callback.
+  EXPECT_EQ(SECSuccess,
+            SSL_SendSessionTicket(server_->ssl_fd(), kApplicationToken,
+                                  sizeof(kApplicationToken)));
+  SendReceive(50);
+
+  // Connection 2, trigger HRR.
+  auto client2 =
+      std::make_shared<TlsAgent>(client_->name(), TlsAgent::CLIENT, variant_);
+  auto server2 =
+      std::make_shared<TlsAgent>(server_->name(), TlsAgent::SERVER, variant_);
+
+  client2->SetPeer(server2);
+  server2->SetPeer(client2);
+
+  client_.swap(client2);
+  server_.swap(server2);
+
+  ConfigureSessionCache(RESUME_TICKET, RESUME_TICKET);
+
+  ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+
+  client_->StartConnect();
+  server_->StartConnect();
+
+  size_t cb_called = 0;
+  EXPECT_EQ(SECSuccess,
+            SSL_HelloRetryRequestCallback(server_->ssl_fd(),
+                                          RetryHelloWithToken, &cb_called));
+  client_->Handshake();  // Send ClientHello.
+  server_->Handshake();  // Process ClientHello, send HelloRetryRequest.
+
+  EXPECT_EQ(1U, cb_called) << "callback should be called once here";
+
+  // Connection 1, send another ticket.
+  client_.swap(client2);
+  server_.swap(server2);
+
+  // If the client uses this token, RetryHelloWithToken() will fail the test.
+  const uint8_t kAnotherApplicationToken[] = {0x92, 0x44, 0x01};
+  EXPECT_EQ(SECSuccess,
+            SSL_SendSessionTicket(server_->ssl_fd(), kAnotherApplicationToken,
+                                  sizeof(kAnotherApplicationToken)));
+  SendReceive(60);
+
+  // Connection 2, continue the handshake.
+  // The client should use kApplicationToken, not kAnotherApplicationToken.
+  client_.swap(client2);
+  server_.swap(server2);
+
+  client_->Handshake();
+  server_->Handshake();
+
+  EXPECT_EQ(2U, cb_called) << "callback should be called twice here";
+}
+
 // Read the cipher suite from the HRR and disable it on the identified agent.
 static void DisableSuiteFromHrr(
     std::shared_ptr<TlsAgent>& agent,
@@ -844,10 +924,10 @@ TEST_F(TlsConnectStreamTls13, RetryWithDifferentCipherSuite) {
                                              TLS_CHACHA20_POLY1305_SHA256);
 
   client_->ExpectSendAlert(kTlsAlertIllegalParameter);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
   EXPECT_EQ(SSL_ERROR_RX_MALFORMED_SERVER_HELLO, client_->error_code());
-  EXPECT_EQ(SSL_ERROR_BAD_MAC_READ, server_->error_code());
+  EXPECT_EQ(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, server_->error_code());
 }
 
 // This tests that the second attempt at sending a ClientHello (after receiving
@@ -1007,14 +1087,17 @@ class HelloRetryRequestAgentTest : public TlsAgentTestClient {
     // Now the supported version.
     i = hrr_data.Write(i, ssl_tls13_supported_versions_xtn, 2);
     i = hrr_data.Write(i, 2, 2);
-    i = hrr_data.Write(i, 0x7f00 | TLS_1_3_DRAFT_VERSION, 2);
+    i = hrr_data.Write(i, (variant_ == ssl_variant_datagram)
+                              ? (0x7f00 | DTLS_1_3_DRAFT_VERSION)
+                              : SSL_LIBRARY_VERSION_TLS_1_3,
+                       2);
     if (len) {
       hrr_data.Write(i, body, len);
     }
     DataBuffer hrr;
     MakeHandshakeMessage(kTlsHandshakeServerHello, hrr_data.data(),
                          hrr_data.len(), &hrr, seq_num);
-    MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3, hrr.data(),
+    MakeRecord(ssl_ct_handshake, SSL_LIBRARY_VERSION_TLS_1_3, hrr.data(),
                hrr.len(), hrr_record, seq_num);
   }
 
diff --git a/security/nss/gtests/ssl_gtest/ssl_keyupdate_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_keyupdate_unittest.cc
index d03775c25..d6ac99a58 100644
--- a/security/nss/gtests/ssl_gtest/ssl_keyupdate_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_keyupdate_unittest.cc
@@ -15,7 +15,7 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
diff --git a/security/nss/gtests/ssl_gtest/ssl_loopback_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_loopback_unittest.cc
index 5adbd9dc7..12c2496a6 100644
--- a/security/nss/gtests/ssl_gtest/ssl_loopback_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_loopback_unittest.cc
@@ -18,7 +18,7 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
@@ -65,7 +65,7 @@ class TlsAlertRecorder : public TlsRecordFilter {
     if (level_ != 255) {  // Already captured.
       return KEEP;
     }
-    if (header.content_type() != kTlsAlertType) {
+    if (header.content_type() != ssl_ct_alert) {
       return KEEP;
     }
 
@@ -130,7 +130,7 @@ TEST_P(TlsConnectTls13, CaptureAlertClient) {
   client_->Handshake();
   if (variant_ == ssl_variant_stream) {
     // DTLS just drops the alert it can't decrypt.
-    server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+    server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   }
   server_->Handshake();
   EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
@@ -320,6 +320,53 @@ TEST_F(TlsConnectStreamTls13, DropRecordClient) {
   SendReceive();
 }
 
+// Check that a server can use 0.5 RTT if client authentication isn't enabled.
+TEST_P(TlsConnectTls13, WriteBeforeClientFinished) {
+  EnsureTlsSetup();
+  StartConnect();
+  client_->Handshake();  // ClientHello
+  server_->Handshake();  // ServerHello
+
+  server_->SendData(10);
+  client_->ReadBytes(10);  // Client should emit the Finished as a side-effect.
+  server_->Handshake();    // Server consumes the Finished.
+  CheckConnected();
+}
+
+// We don't allow 0.5 RTT if client authentication is requested.
+TEST_P(TlsConnectTls13, WriteBeforeClientFinishedClientAuth) {
+  client_->SetupClientAuth();
+  server_->RequestClientAuth(false);
+  StartConnect();
+  client_->Handshake();  // ClientHello
+  server_->Handshake();  // ServerHello
+
+  static const uint8_t data[] = {1, 2, 3};
+  EXPECT_GT(0, PR_Write(server_->ssl_fd(), data, sizeof(data)));
+  EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError());
+
+  Handshake();
+  CheckConnected();
+  SendReceive();
+}
+
+// 0.5 RTT should fail with client authentication required.
+TEST_P(TlsConnectTls13, WriteBeforeClientFinishedClientAuthRequired) {
+  client_->SetupClientAuth();
+  server_->RequestClientAuth(true);
+  StartConnect();
+  client_->Handshake();  // ClientHello
+  server_->Handshake();  // ServerHello
+
+  static const uint8_t data[] = {1, 2, 3};
+  EXPECT_GT(0, PR_Write(server_->ssl_fd(), data, sizeof(data)));
+  EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError());
+
+  Handshake();
+  CheckConnected();
+  SendReceive();
+}
+
 // The next two tests takes advantage of the fact that we
 // automatically read the first 1024 bytes, so if
 // we provide 1200 bytes, they overrun the read buffer
@@ -426,13 +473,15 @@ class TlsPreCCSHeaderInjector : public TlsRecordFilter {
   virtual PacketFilter::Action FilterRecord(
       const TlsRecordHeader& record_header, const DataBuffer& input,
       size_t* offset, DataBuffer* output) override {
-    if (record_header.content_type() != kTlsChangeCipherSpecType) return KEEP;
+    if (record_header.content_type() != ssl_ct_change_cipher_spec) {
+      return KEEP;
+    }
 
     std::cerr << "Injecting Finished header before CCS\n";
     const uint8_t hhdr[] = {kTlsHandshakeFinished, 0x00, 0x00, 0x0c};
     DataBuffer hhdr_buf(hhdr, sizeof(hhdr));
     TlsRecordHeader nhdr(record_header.variant(), record_header.version(),
-                         kTlsHandshakeType, 0);
+                         ssl_ct_handshake, 0);
     *offset = nhdr.Write(output, *offset, hhdr_buf);
     *offset = record_header.Write(output, *offset, input);
     return CHANGE;
@@ -477,6 +526,26 @@ TEST_P(TlsConnectTls13, AlertWrongLevel) {
   client_->WaitForErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT, 2000);
 }
 
+TEST_P(TlsConnectTls13, UnknownRecord) {
+  static const uint8_t kUknownRecord[] = {
+      0xff, SSL_LIBRARY_VERSION_TLS_1_2 >> 8,
+      SSL_LIBRARY_VERSION_TLS_1_2 & 0xff, 0, 0};
+
+  Connect();
+  if (variant_ == ssl_variant_stream) {
+    // DTLS just drops the record with an invalid type.
+    server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
+  }
+  client_->SendDirect(DataBuffer(kUknownRecord, sizeof(kUknownRecord)));
+  server_->ExpectReadWriteError();
+  server_->ReadBytes();
+  if (variant_ == ssl_variant_stream) {
+    EXPECT_EQ(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, server_->error_code());
+  } else {
+    EXPECT_EQ(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE, server_->error_code());
+  }
+}
+
 TEST_F(TlsConnectStreamTls13, Tls13FailedWriteSecondFlight) {
   EnsureTlsSetup();
   StartConnect();
@@ -539,6 +608,126 @@ TEST_F(TlsConnectTest, OneNRecordSplitting) {
   EXPECT_EQ(ExpectedCbcLen(20), records->record(2).buffer.len());
 }
 
+// We can't test for randomness easily here, but we can test that we don't
+// produce a zero value, or produce the same value twice.  There are 5 values
+// here: two ClientHello.random, two ServerHello.random, and one zero value.
+// Matrix them and fail if any are the same.
+TEST_P(TlsConnectGeneric, CheckRandoms) {
+  ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
+
+  static const size_t random_len = 32;
+  uint8_t crandom1[random_len], srandom1[random_len];
+  uint8_t z[random_len] = {0};
+
+  auto ch = MakeTlsFilter<TlsHandshakeRecorder>(client_, ssl_hs_client_hello);
+  auto sh = MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_server_hello);
+  Connect();
+  ASSERT_TRUE(ch->buffer().len() > (random_len + 2));
+  ASSERT_TRUE(sh->buffer().len() > (random_len + 2));
+  memcpy(crandom1, ch->buffer().data() + 2, random_len);
+  memcpy(srandom1, sh->buffer().data() + 2, random_len);
+  EXPECT_NE(0, memcmp(crandom1, srandom1, random_len));
+  EXPECT_NE(0, memcmp(crandom1, z, random_len));
+  EXPECT_NE(0, memcmp(srandom1, z, random_len));
+
+  Reset();
+  ch = MakeTlsFilter<TlsHandshakeRecorder>(client_, ssl_hs_client_hello);
+  sh = MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_server_hello);
+  Connect();
+  ASSERT_TRUE(ch->buffer().len() > (random_len + 2));
+  ASSERT_TRUE(sh->buffer().len() > (random_len + 2));
+  const uint8_t* crandom2 = ch->buffer().data() + 2;
+  const uint8_t* srandom2 = sh->buffer().data() + 2;
+
+  EXPECT_NE(0, memcmp(crandom2, srandom2, random_len));
+  EXPECT_NE(0, memcmp(crandom2, z, random_len));
+  EXPECT_NE(0, memcmp(srandom2, z, random_len));
+
+  EXPECT_NE(0, memcmp(crandom1, crandom2, random_len));
+  EXPECT_NE(0, memcmp(crandom1, srandom2, random_len));
+  EXPECT_NE(0, memcmp(srandom1, crandom2, random_len));
+  EXPECT_NE(0, memcmp(srandom1, srandom2, random_len));
+}
+
+void FailOnCloseNotify(const PRFileDesc* fd, void* arg, const SSLAlert* alert) {
+  ADD_FAILURE() << "received alert " << alert->description;
+}
+
+void CheckCloseNotify(const PRFileDesc* fd, void* arg, const SSLAlert* alert) {
+  *reinterpret_cast<bool*>(arg) = true;
+  EXPECT_EQ(close_notify, alert->description);
+  EXPECT_EQ(alert_warning, alert->level);
+}
+
+TEST_P(TlsConnectGeneric, ShutdownOneSide) {
+  Connect();
+
+  // Setup to check alerts.
+  EXPECT_EQ(SECSuccess, SSL_AlertSentCallback(server_->ssl_fd(),
+                                              FailOnCloseNotify, nullptr));
+  EXPECT_EQ(SECSuccess, SSL_AlertReceivedCallback(client_->ssl_fd(),
+                                                  FailOnCloseNotify, nullptr));
+
+  bool client_sent = false;
+  EXPECT_EQ(SECSuccess, SSL_AlertSentCallback(client_->ssl_fd(),
+                                              CheckCloseNotify, &client_sent));
+  bool server_received = false;
+  EXPECT_EQ(SECSuccess,
+            SSL_AlertReceivedCallback(server_->ssl_fd(), CheckCloseNotify,
+                                      &server_received));
+  EXPECT_EQ(PR_SUCCESS, PR_Shutdown(client_->ssl_fd(), PR_SHUTDOWN_SEND));
+
+  // Make sure that the server reads out the close_notify.
+  uint8_t buf[10];
+  EXPECT_EQ(0, PR_Read(server_->ssl_fd(), buf, sizeof(buf)));
+
+  // Reading and writing should still work in the one open direction.
+  EXPECT_TRUE(client_sent);
+  EXPECT_TRUE(server_received);
+  server_->SendData(10, 10);
+  client_->ReadBytes(10);
+
+  // Now close the other side and do the same checks.
+  bool server_sent = false;
+  EXPECT_EQ(SECSuccess, SSL_AlertSentCallback(server_->ssl_fd(),
+                                              CheckCloseNotify, &server_sent));
+  bool client_received = false;
+  EXPECT_EQ(SECSuccess,
+            SSL_AlertReceivedCallback(client_->ssl_fd(), CheckCloseNotify,
+                                      &client_received));
+  EXPECT_EQ(PR_SUCCESS, PR_Shutdown(server_->ssl_fd(), PR_SHUTDOWN_SEND));
+
+  EXPECT_EQ(0, PR_Read(client_->ssl_fd(), buf, sizeof(buf)));
+  EXPECT_TRUE(server_sent);
+  EXPECT_TRUE(client_received);
+}
+
+TEST_P(TlsConnectGeneric, ShutdownOneSideThenCloseTcp) {
+  Connect();
+
+  bool client_sent = false;
+  EXPECT_EQ(SECSuccess, SSL_AlertSentCallback(client_->ssl_fd(),
+                                              CheckCloseNotify, &client_sent));
+  bool server_received = false;
+  EXPECT_EQ(SECSuccess,
+            SSL_AlertReceivedCallback(server_->ssl_fd(), CheckCloseNotify,
+                                      &server_received));
+  EXPECT_EQ(PR_SUCCESS, PR_Shutdown(client_->ssl_fd(), PR_SHUTDOWN_SEND));
+
+  // Make sure that the server reads out the close_notify.
+  uint8_t buf[10];
+  EXPECT_EQ(0, PR_Read(server_->ssl_fd(), buf, sizeof(buf)));
+
+  // Now simulate the underlying connection closing.
+  client_->adapter()->Reset();
+
+  // Now close the other side and see that things don't explode.
+  EXPECT_EQ(PR_SUCCESS, PR_Shutdown(server_->ssl_fd(), PR_SHUTDOWN_SEND));
+
+  EXPECT_GT(0, PR_Read(client_->ssl_fd(), buf, sizeof(buf)));
+  EXPECT_EQ(PR_NOT_CONNECTED_ERROR, PR_GetError());
+}
+
 INSTANTIATE_TEST_CASE_P(
     GenericStream, TlsConnectGeneric,
     ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream,
diff --git a/security/nss/gtests/ssl_gtest/ssl_record_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_record_unittest.cc
index 53b11c61a..f1e85e898 100644
--- a/security/nss/gtests/ssl_gtest/ssl_record_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_record_unittest.cc
@@ -111,7 +111,7 @@ class RecordReplacer : public TlsRecordFilter {
   PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                     const DataBuffer& data,
                                     DataBuffer* changed) override {
-    EXPECT_EQ(kTlsApplicationDataType, header.content_type());
+    EXPECT_EQ(ssl_ct_application_data, header.content_type());
     changed->Allocate(size_);
 
     for (size_t i = 0; i < size_; ++i) {
diff --git a/security/nss/gtests/ssl_gtest/ssl_recordsize_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_recordsize_unittest.cc
index 00651aec5..0a54ae1a8 100644
--- a/security/nss/gtests/ssl_gtest/ssl_recordsize_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_recordsize_unittest.cc
@@ -10,7 +10,7 @@
 #include "sslproto.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
@@ -34,7 +34,7 @@ class TlsRecordMaximum : public TlsRecordFilter {
                                     DataBuffer* output) override {
     std::cerr << "max: " << record << std::endl;
     // Ignore unprotected packets.
-    if (header.content_type() != kTlsApplicationDataType) {
+    if (header.content_type() != ssl_ct_application_data) {
       return KEEP;
     }
 
@@ -187,7 +187,7 @@ class TlsRecordExpander : public TlsRecordFilter {
   virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                             const DataBuffer& data,
                                             DataBuffer* changed) {
-    if (header.content_type() != kTlsApplicationDataType) {
+    if (header.content_type() != ssl_ct_application_data) {
       return KEEP;
     }
     changed->Allocate(data.len() + expansion_);
@@ -252,7 +252,7 @@ class TlsRecordPadder : public TlsRecordFilter {
   PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                     const DataBuffer& record, size_t* offset,
                                     DataBuffer* output) override {
-    if (header.content_type() != kTlsApplicationDataType) {
+    if (header.content_type() != ssl_ct_application_data) {
       return KEEP;
     }
 
@@ -262,7 +262,7 @@ class TlsRecordPadder : public TlsRecordFilter {
       return KEEP;
     }
 
-    if (inner_content_type != kTlsApplicationDataType) {
+    if (inner_content_type != ssl_ct_application_data) {
       return KEEP;
     }
 
diff --git a/security/nss/gtests/ssl_gtest/ssl_resumption_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_resumption_unittest.cc
index 2cc98a327..264bde67f 100644
--- a/security/nss/gtests/ssl_gtest/ssl_resumption_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_resumption_unittest.cc
@@ -18,7 +18,8 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
+#include "scoped_ptrs_ssl.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
@@ -171,21 +172,143 @@ TEST_P(TlsConnectGenericResumption, ConnectResumeClientNoneServerBoth) {
   SendReceive();
 }
 
-TEST_P(TlsConnectGenericPre13, ConnectResumeWithHigherVersion) {
+TEST_P(TlsConnectGenericPre13, ResumeWithHigherVersionTls13) {
+  uint16_t lower_version = version_;
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  Connect();
+  SendReceive();
+  CheckKeys();
+
+  Reset();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  EnsureTlsSetup();
+  auto psk_ext = std::make_shared<TlsExtensionCapture>(
+      client_, ssl_tls13_pre_shared_key_xtn);
+  auto ticket_ext =
+      std::make_shared<TlsExtensionCapture>(client_, ssl_session_ticket_xtn);
+  client_->SetFilter(std::make_shared<ChainedPacketFilter>(
+      ChainedPacketFilterInit({psk_ext, ticket_ext})));
+  SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+  client_->SetVersionRange(lower_version, SSL_LIBRARY_VERSION_TLS_1_3);
+  server_->SetVersionRange(lower_version, SSL_LIBRARY_VERSION_TLS_1_3);
+  ExpectResumption(RESUME_NONE);
+  Connect();
+
+  // The client shouldn't have sent a PSK, though it will send a ticket.
+  EXPECT_FALSE(psk_ext->captured());
+  EXPECT_TRUE(ticket_ext->captured());
+}
+
+class CaptureSessionId : public TlsHandshakeFilter {
+ public:
+  CaptureSessionId(const std::shared_ptr<TlsAgent>& a)
+      : TlsHandshakeFilter(
+            a, {kTlsHandshakeClientHello, kTlsHandshakeServerHello}),
+        sid_() {}
+
+  const DataBuffer& sid() const { return sid_; }
+
+ protected:
+  PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
+                                       const DataBuffer& input,
+                                       DataBuffer* output) override {
+    // The session_id is in the same place in both Hello messages:
+    size_t offset = 2 + 32;  // Version(2) + Random(32)
+    uint32_t len = 0;
+    EXPECT_TRUE(input.Read(offset, 1, &len));
+    offset++;
+    if (input.len() < offset + len) {
+      ADD_FAILURE() << "session_id overflows the Hello message";
+      return KEEP;
+    }
+    sid_.Assign(input.data() + offset, len);
+    return KEEP;
+  }
+
+ private:
+  DataBuffer sid_;
+};
+
+// Attempting to resume from TLS 1.2 when 1.3 is possible should not result in
+// resumption, though it will appear to be TLS 1.3 compatibility mode if the
+// server uses a session ID.
+TEST_P(TlsConnectGenericPre13, ResumeWithHigherVersionTls13SessionId) {
+  uint16_t lower_version = version_;
   ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID);
-  ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_1);
-  SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_1);
+  auto original_sid = MakeTlsFilter<CaptureSessionId>(server_);
+  Connect();
+  CheckKeys();
+  EXPECT_EQ(32U, original_sid->sid().len());
+
+  // The client should now attempt to resume with the session ID from the last
+  // connection.  This looks like compatibility mode, we just want to ensure
+  // that we get TLS 1.3 rather than 1.2 (and no resumption).
+  Reset();
+  auto client_sid = MakeTlsFilter<CaptureSessionId>(client_);
+  auto server_sid = MakeTlsFilter<CaptureSessionId>(server_);
+  ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID);
+  SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+  client_->SetVersionRange(lower_version, SSL_LIBRARY_VERSION_TLS_1_3);
+  server_->SetVersionRange(lower_version, SSL_LIBRARY_VERSION_TLS_1_3);
+  ExpectResumption(RESUME_NONE);
+
+  Connect();
+  SendReceive();
+
+  EXPECT_EQ(client_sid->sid(), original_sid->sid());
+  if (variant_ == ssl_variant_stream) {
+    EXPECT_EQ(client_sid->sid(), server_sid->sid());
+  } else {
+    // DTLS servers don't echo the session ID.
+    EXPECT_EQ(0U, server_sid->sid().len());
+  }
+}
+
+TEST_P(TlsConnectPre12, ResumeWithHigherVersionTls12) {
+  uint16_t lower_version = version_;
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
   Connect();
 
   Reset();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
   EnsureTlsSetup();
-  SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_2);
-  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
-                           SSL_LIBRARY_VERSION_TLS_1_2);
-  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
-                           SSL_LIBRARY_VERSION_TLS_1_2);
+  SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+  client_->SetVersionRange(lower_version, SSL_LIBRARY_VERSION_TLS_1_3);
+  server_->SetVersionRange(lower_version, SSL_LIBRARY_VERSION_TLS_1_3);
+  ExpectResumption(RESUME_NONE);
+  Connect();
+}
+
+TEST_P(TlsConnectGenericPre13, ResumeWithLowerVersionFromTls13) {
+  uint16_t original_version = version_;
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+  Connect();
+  SendReceive();
+  CheckKeys();
+
+  Reset();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  ConfigureVersion(original_version);
   ExpectResumption(RESUME_NONE);
   Connect();
+  SendReceive();
+}
+
+TEST_P(TlsConnectPre12, ResumeWithLowerVersionFromTls12) {
+  uint16_t original_version = version_;
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_2);
+  Connect();
+  SendReceive();
+  CheckKeys();
+
+  Reset();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  ConfigureVersion(original_version);
+  ExpectResumption(RESUME_NONE);
+  Connect();
+  SendReceive();
 }
 
 TEST_P(TlsConnectGeneric, ConnectResumeClientBothTicketServerTicketForget) {
@@ -276,8 +399,13 @@ TEST_P(TlsConnectGeneric, ConnectResumeCorruptTicket) {
   ASSERT_NE(nullptr, hmac_key);
   SSLInt_SetSelfEncryptMacKey(hmac_key);
   ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
-  ConnectExpectAlert(server_, illegal_parameter);
-  server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+  if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
+    ExpectResumption(RESUME_NONE);
+    Connect();
+  } else {
+    ConnectExpectAlert(server_, illegal_parameter);
+    server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+  }
 }
 
 // This callback switches out the "server" cert used on the server with
@@ -394,6 +522,64 @@ TEST_P(TlsConnectTls13, TestTls13ResumeDifferentGroup) {
             ssl_sig_rsa_pss_rsae_sha256);
 }
 
+// Verify that TLS 1.3 server doesn't request certificate in the main
+// handshake, after resumption.
+TEST_P(TlsConnectTls13, TestTls13ResumeNoCertificateRequest) {
+  ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
+  client_->SetupClientAuth();
+  server_->RequestClientAuth(true);
+  Connect();
+  SendReceive();  // Need to read so that we absorb the session ticket.
+  ScopedCERTCertificate cert1(SSL_LocalCertificate(client_->ssl_fd()));
+
+  Reset();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
+  ExpectResumption(RESUME_TICKET);
+  server_->RequestClientAuth(false);
+  auto cr_capture =
+      MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_certificate_request);
+  cr_capture->EnableDecryption();
+  Connect();
+  SendReceive();
+  EXPECT_EQ(0U, cr_capture->buffer().len()) << "expect nothing captured yet";
+
+  // Sanity check whether the client certificate matches the one
+  // decrypted from ticket.
+  ScopedCERTCertificate cert2(SSL_PeerCertificate(server_->ssl_fd()));
+  EXPECT_TRUE(SECITEM_ItemsAreEqual(&cert1->derCert, &cert2->derCert));
+}
+
+// Here we test that 0.5 RTT is available at the server when resuming, even if
+// configured to request a client certificate.  The resumed handshake relies on
+// the authentication from the original handshake, so no certificate is
+// requested this time around.  The server can write before the handshake
+// completes because the PSK binder is sufficient authentication for the client.
+TEST_P(TlsConnectTls13, WriteBeforeHandshakeCompleteOnResumption) {
+  ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
+  client_->SetupClientAuth();
+  server_->RequestClientAuth(true);
+  Connect();
+  SendReceive();  // Absorb the session ticket.
+  ScopedCERTCertificate cert1(SSL_LocalCertificate(client_->ssl_fd()));
+
+  Reset();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
+  ExpectResumption(RESUME_TICKET);
+  server_->RequestClientAuth(false);
+  StartConnect();
+  client_->Handshake();  // ClientHello
+  server_->Handshake();  // ServerHello
+
+  server_->SendData(10);
+  client_->ReadBytes(10);  // Client should emit the Finished as a side-effect.
+  server_->Handshake();    // Server consumes the Finished.
+  CheckConnected();
+
+  // Check whether the client certificate matches the one from the ticket.
+  ScopedCERTCertificate cert2(SSL_PeerCertificate(server_->ssl_fd()));
+  EXPECT_TRUE(SECITEM_ItemsAreEqual(&cert1->derCert, &cert2->derCert));
+}
+
 // We need to enable different cipher suites at different times in the following
 // tests.  Those cipher suites need to be suited to the version.
 static uint16_t ChooseOneCipher(uint16_t version) {
@@ -467,7 +653,7 @@ TEST_P(TlsConnectStream, TestResumptionOverrideCipher) {
 
   if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
     client_->ExpectSendAlert(kTlsAlertIllegalParameter);
-    server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+    server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   } else {
     ExpectAlert(client_, kTlsAlertHandshakeFailure);
   }
@@ -476,7 +662,7 @@ TEST_P(TlsConnectStream, TestResumptionOverrideCipher) {
   if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
     // The reason this test is stream only: the server is unable to decrypt
     // the alert that the client sends, see bug 1304603.
-    server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
+    server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE);
   } else {
     server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT);
   }
@@ -760,6 +946,36 @@ TEST_F(TlsConnectDatagram13, SendSessionTicketDtls) {
   EXPECT_EQ(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION, PORT_GetError());
 }
 
+TEST_F(TlsConnectStreamTls13, ExternalResumptionUseSecondTicket) {
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+
+  struct ResumptionTicketState {
+    std::vector<uint8_t> ticket;
+    size_t invoked = 0;
+  } ticket_state;
+  auto cb = [](PRFileDesc* fd, const PRUint8* ticket, unsigned int ticket_len,
+               void* arg) -> SECStatus {
+    auto state = reinterpret_cast<ResumptionTicketState*>(arg);
+    state->ticket.assign(ticket, ticket + ticket_len);
+    state->invoked++;
+    return SECSuccess;
+  };
+  SSL_SetResumptionTokenCallback(client_->ssl_fd(), cb, &ticket_state);
+
+  Connect();
+  EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), nullptr, 0));
+  SendReceive();
+  EXPECT_EQ(2U, ticket_state.invoked);
+
+  Reset();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  client_->SetResumptionToken(ticket_state.ticket);
+  ExpectResumption(RESUME_TICKET);
+  Connect();
+  SendReceive();
+}
+
 TEST_F(TlsConnectTest, TestTls13ResumptionDowngrade) {
   ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
   ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
@@ -830,10 +1046,10 @@ TEST_F(TlsConnectTest, TestTls13ResumptionForcedDowngrade) {
   // client expects to receive an unencrypted TLS 1.2 Certificate message.
   // The server can't decrypt the alert.
   client_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);  // Server can't read
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);  // Server can't read
   ConnectExpectFail();
   client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA);
-  server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
+  server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE);
 }
 
 TEST_P(TlsConnectGenericResumption, ReConnectTicket) {
@@ -908,6 +1124,36 @@ void CheckGetInfoResult(uint32_t alpnSize, uint32_t earlyDataSize,
   EXPECT_EQ(0, memcmp("a", token->alpnSelection, token->alpnSelectionLen));
 
   ASSERT_EQ(earlyDataSize, token->maxEarlyDataSize);
+
+  ASSERT_LT(ssl_TimeUsec(), token->expirationTime);
+}
+
+// The client should generate a new, randomized session_id
+// when resuming using an external token.
+TEST_P(TlsConnectGenericResumptionToken, CheckSessionId) {
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  auto original_sid = MakeTlsFilter<CaptureSessionId>(client_);
+  Connect();
+  SendReceive();
+
+  Reset();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  ExpectResumption(RESUME_TICKET);
+
+  StartConnect();
+  ASSERT_TRUE(client_->MaybeSetResumptionToken());
+  auto resumed_sid = MakeTlsFilter<CaptureSessionId>(client_);
+
+  Handshake();
+  CheckConnected();
+  SendReceive();
+
+  if (version_ < SSL_LIBRARY_VERSION_TLS_1_3) {
+    EXPECT_NE(resumed_sid->sid(), original_sid->sid());
+    EXPECT_EQ(32U, resumed_sid->sid().len());
+  } else {
+    EXPECT_EQ(0U, resumed_sid->sid().len());
+  }
 }
 
 TEST_P(TlsConnectGenericResumptionToken, ConnectResumeGetInfo) {
@@ -1026,4 +1272,34 @@ TEST_P(TlsConnectGenericResumption, ConnectResumeClientAuth) {
   SendReceive();
 }
 
+TEST_F(TlsConnectStreamTls13, ExternalTokenAfterHrr) {
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  Connect();
+  SendReceive();
+
+  Reset();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  ExpectResumption(RESUME_TICKET);
+
+  static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1,
+                                                    ssl_grp_ec_secp521r1};
+  server_->ConfigNamedGroups(groups);
+
+  StartConnect();
+  ASSERT_TRUE(client_->MaybeSetResumptionToken());
+
+  client_->Handshake();  // Send ClientHello.
+  server_->Handshake();  // Process ClientHello, send HelloRetryRequest.
+
+  auto& token = client_->GetResumptionToken();
+  SECStatus rv =
+      SSL_SetResumptionToken(client_->ssl_fd(), token.data(), token.size());
+  ASSERT_EQ(SECFailure, rv);
+  ASSERT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
+
+  Handshake();
+  CheckConnected();
+  SendReceive();
+}
+
 }  // namespace nss_test
diff --git a/security/nss/gtests/ssl_gtest/ssl_skip_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_skip_unittest.cc
index 9ef19653b..3ed42e86b 100644
--- a/security/nss/gtests/ssl_gtest/ssl_skip_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_skip_unittest.cc
@@ -32,7 +32,7 @@ class TlsHandshakeSkipFilter : public TlsRecordFilter {
   virtual PacketFilter::Action FilterRecord(
       const TlsRecordHeader& record_header, const DataBuffer& input,
       DataBuffer* output) {
-    if (record_header.content_type() != kTlsHandshakeType) {
+    if (record_header.content_type() != ssl_ct_handshake) {
       return KEEP;
     }
 
diff --git a/security/nss/gtests/ssl_gtest/ssl_staticrsa_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_staticrsa_unittest.cc
index ff4091b9a..abddaa5b6 100644
--- a/security/nss/gtests/ssl_gtest/ssl_staticrsa_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_staticrsa_unittest.cc
@@ -17,7 +17,7 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
diff --git a/security/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
index 42f1065f6..ecb63d476 100644
--- a/security/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
@@ -82,7 +82,7 @@ class Tls13CompatTest : public TlsConnectStreamTls13 {
         // Only the second record can be a CCS.
         bool expected_match = expected && (i == 1);
         EXPECT_EQ(expected_match,
-                  kTlsChangeCipherSpecType ==
+                  ssl_ct_change_cipher_spec ==
                       records_->record(i).header.content_type());
       }
     }
@@ -299,15 +299,15 @@ TEST_F(TlsConnectTest, TLS13NonCompatModeSessionID) {
 
   MakeTlsFilter<TlsSessionIDInjectFilter>(server_);
   client_->ExpectSendAlert(kTlsAlertIllegalParameter);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
 
   client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
-  server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
+  server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE);
 }
 
 static const uint8_t kCannedCcs[] = {
-    kTlsChangeCipherSpecType,
+    ssl_ct_change_cipher_spec,
     SSL_LIBRARY_VERSION_TLS_1_2 >> 8,
     SSL_LIBRARY_VERSION_TLS_1_2 & 0xff,
     0,
@@ -362,6 +362,19 @@ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecBeforeClientHello12) {
   client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
 }
 
+TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterFinished13) {
+  EnsureTlsSetup();
+  ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+  Connect();
+  SendReceive(10);
+  // Client sends CCS after the handshake.
+  client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
+  server_->ExpectReadWriteError();
+  server_->ReadBytes();
+  EXPECT_EQ(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, server_->error_code());
+}
+
 TEST_F(TlsConnectDatagram13, CompatModeDtlsClient) {
   EnsureTlsSetup();
   client_->SetOption(SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE);
@@ -370,14 +383,14 @@ TEST_F(TlsConnectDatagram13, CompatModeDtlsClient) {
   Connect();
 
   ASSERT_EQ(2U, client_records->count());  // CH, Fin
-  EXPECT_EQ(kTlsHandshakeType, client_records->record(0).header.content_type());
-  EXPECT_EQ(kTlsApplicationDataType,
+  EXPECT_EQ(ssl_ct_handshake, client_records->record(0).header.content_type());
+  EXPECT_EQ(ssl_ct_application_data,
             client_records->record(1).header.content_type());
 
   ASSERT_EQ(6U, server_records->count());  // SH, EE, CT, CV, Fin, Ack
-  EXPECT_EQ(kTlsHandshakeType, server_records->record(0).header.content_type());
+  EXPECT_EQ(ssl_ct_handshake, server_records->record(0).header.content_type());
   for (size_t i = 1; i < server_records->count(); ++i) {
-    EXPECT_EQ(kTlsApplicationDataType,
+    EXPECT_EQ(ssl_ct_application_data,
               server_records->record(i).header.content_type());
   }
 }
@@ -422,12 +435,12 @@ TEST_F(TlsConnectDatagram13, CompatModeDtlsServer) {
   client_->Handshake();
 
   ASSERT_EQ(1U, client_records->count());
-  EXPECT_EQ(kTlsHandshakeType, client_records->record(0).header.content_type());
+  EXPECT_EQ(ssl_ct_handshake, client_records->record(0).header.content_type());
 
   ASSERT_EQ(5U, server_records->count());  // SH, EE, CT, CV, Fin
-  EXPECT_EQ(kTlsHandshakeType, server_records->record(0).header.content_type());
+  EXPECT_EQ(ssl_ct_handshake, server_records->record(0).header.content_type());
   for (size_t i = 1; i < server_records->count(); ++i) {
-    EXPECT_EQ(kTlsApplicationDataType,
+    EXPECT_EQ(ssl_ct_application_data,
               server_records->record(i).header.content_type());
   }
 
diff --git a/security/nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
index 100595732..cafbcce68 100644
--- a/security/nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
@@ -151,6 +151,7 @@ class SSLv2ClientHelloTestF : public TlsConnectTestBase {
   void SetUp() override {
     TlsConnectTestBase::SetUp();
     filter_ = MakeTlsFilter<SSLv2ClientHelloFilter>(client_, version_);
+    server_->SetOption(SSL_ENABLE_V2_COMPATIBLE_HELLO, PR_TRUE);
   }
 
   void SetExpectedVersion(uint16_t version) {
@@ -197,6 +198,27 @@ TEST_P(SSLv2ClientHelloTest, Connect) {
   Connect();
 }
 
+TEST_P(SSLv2ClientHelloTest, ConnectDisabled) {
+  server_->SetOption(SSL_ENABLE_V2_COMPATIBLE_HELLO, PR_FALSE);
+  SetAvailableCipherSuite(TLS_DHE_RSA_WITH_AES_128_CBC_SHA);
+
+  StartConnect();
+  client_->Handshake();  // Send the modified ClientHello.
+  server_->Handshake();  // Read some.
+  // The problem here is that the v2 ClientHello puts the version where the v3
+  // ClientHello puts a version number.  So the version number (0x0301+) appears
+  // to be a length and server blocks waiting for that much data.
+  EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError());
+
+  // This is usually what happens with v2-compatible: the server hangs.
+  // But to be certain, feed in more data to see if an error comes out.
+  uint8_t zeros[SSL_LIBRARY_VERSION_TLS_1_2] = {0};
+  client_->SendDirect(DataBuffer(zeros, sizeof(zeros)));
+  ExpectAlert(server_, kTlsAlertIllegalParameter);
+  server_->Handshake();
+  client_->Handshake();
+}
+
 // Sending a v2 ClientHello after a no-op v3 record must fail.
 TEST_P(SSLv2ClientHelloTest, ConnectAfterEmptyV3Record) {
   DataBuffer buffer;
@@ -328,6 +350,30 @@ TEST_P(SSLv2ClientHelloTest, RequireSafeRenegotiationWithSCSV) {
   Connect();
 }
 
+TEST_P(SSLv2ClientHelloTest, CheckServerRandom) {
+  ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
+  SetAvailableCipherSuite(TLS_DHE_RSA_WITH_AES_128_CBC_SHA);
+
+  static const size_t random_len = 32;
+  uint8_t srandom1[random_len];
+  uint8_t z[random_len] = {0};
+
+  auto sh = MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_server_hello);
+  Connect();
+  ASSERT_TRUE(sh->buffer().len() > (random_len + 2));
+  memcpy(srandom1, sh->buffer().data() + 2, random_len);
+  EXPECT_NE(0, memcmp(srandom1, z, random_len));
+
+  Reset();
+  sh = MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_server_hello);
+  Connect();
+  ASSERT_TRUE(sh->buffer().len() > (random_len + 2));
+  const uint8_t* srandom2 = sh->buffer().data() + 2;
+
+  EXPECT_NE(0, memcmp(srandom2, z, random_len));
+  EXPECT_NE(0, memcmp(srandom1, srandom2, random_len));
+}
+
 // Connect to the server with TLS 1.1, signalling that this is a fallback from
 // a higher version. As the server doesn't support anything higher than TLS 1.1
 // it must accept the connection.
diff --git a/security/nss/gtests/ssl_gtest/ssl_version_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_version_unittest.cc
index 4e9099561..ffc0893e9 100644
--- a/security/nss/gtests/ssl_gtest/ssl_version_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_version_unittest.cc
@@ -11,7 +11,7 @@
 #include "sslproto.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
@@ -48,7 +48,6 @@ TEST_P(TlsConnectGeneric, ServerNegotiateTls12) {
                            SSL_LIBRARY_VERSION_TLS_1_2);
   Connect();
 }
-#ifndef TLS_1_3_DRAFT_VERSION
 
 // Test the ServerRandom version hack from
 // [draft-ietf-tls-tls13-11 Section 6.3.1.1].
@@ -56,71 +55,116 @@ TEST_P(TlsConnectGeneric, ServerNegotiateTls12) {
 // two validate that we can also detect fallback using the
 // SSL_SetDowngradeCheckVersion() API.
 TEST_F(TlsConnectTest, TestDowngradeDetectionToTls11) {
+  client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_TRUE);
   MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
                                              SSL_LIBRARY_VERSION_TLS_1_1);
-  ConnectExpectFail();
-  ASSERT_EQ(SSL_ERROR_RX_MALFORMED_SERVER_HELLO, client_->error_code());
+  ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
+  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
+  server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
 }
 
-/* Attempt to negotiate the bogus DTLS 1.1 version. */
+// Attempt to negotiate the bogus DTLS 1.1 version.
 TEST_F(DtlsConnectTest, TestDtlsVersion11) {
   MakeTlsFilter<TlsClientHelloVersionSetter>(client_, ((~0x0101) & 0xffff));
-  ConnectExpectFail();
+  ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
   // It's kind of surprising that SSL_ERROR_NO_CYPHER_OVERLAP is
   // what is returned here, but this is deliberate in ssl3_HandleAlert().
-  EXPECT_EQ(SSL_ERROR_NO_CYPHER_OVERLAP, client_->error_code());
-  EXPECT_EQ(SSL_ERROR_UNSUPPORTED_VERSION, server_->error_code());
+  client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
+  server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION);
 }
 
-// Disabled as long as we have draft version.
 TEST_F(TlsConnectTest, TestDowngradeDetectionToTls12) {
-  EnsureTlsSetup();
-  MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
-                                             SSL_LIBRARY_VERSION_TLS_1_2);
+  client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_TRUE);
+  MakeTlsFilter<TlsExtensionDropper>(client_, ssl_tls13_supported_versions_xtn);
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                            SSL_LIBRARY_VERSION_TLS_1_3);
   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                            SSL_LIBRARY_VERSION_TLS_1_3);
-  ConnectExpectFail();
-  ASSERT_EQ(SSL_ERROR_RX_MALFORMED_SERVER_HELLO, client_->error_code());
+  ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
+  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
+  server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
+}
+
+// Disabling downgrade checks will be caught when the Finished MAC check fails.
+TEST_F(TlsConnectTest, TestDisableDowngradeDetection) {
+  client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_FALSE);
+  MakeTlsFilter<TlsExtensionDropper>(client_, ssl_tls13_supported_versions_xtn);
+  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
+                           SSL_LIBRARY_VERSION_TLS_1_3);
+  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
+                           SSL_LIBRARY_VERSION_TLS_1_3);
+  ConnectExpectAlert(server_, kTlsAlertDecryptError);
+  client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
+  server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
 }
 
 // TLS 1.1 clients do not check the random values, so we should
 // instead get a handshake failure alert from the server.
 TEST_F(TlsConnectTest, TestDowngradeDetectionToTls10) {
+  // Setting the option here has no effect.
+  client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_TRUE);
   MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
                                              SSL_LIBRARY_VERSION_TLS_1_0);
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
                            SSL_LIBRARY_VERSION_TLS_1_1);
   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
                            SSL_LIBRARY_VERSION_TLS_1_2);
-  ConnectExpectFail();
-  ASSERT_EQ(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE, server_->error_code());
-  ASSERT_EQ(SSL_ERROR_DECRYPT_ERROR_ALERT, client_->error_code());
+  ConnectExpectAlert(server_, kTlsAlertDecryptError);
+  server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+  client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
 }
 
 TEST_F(TlsConnectTest, TestFallbackFromTls12) {
-  EnsureTlsSetup();
+  client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_TRUE);
   client_->SetDowngradeCheckVersion(SSL_LIBRARY_VERSION_TLS_1_2);
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
                            SSL_LIBRARY_VERSION_TLS_1_1);
   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
                            SSL_LIBRARY_VERSION_TLS_1_2);
-  ConnectExpectFail();
-  ASSERT_EQ(SSL_ERROR_RX_MALFORMED_SERVER_HELLO, client_->error_code());
+  ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
+  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
+  server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
+}
+
+static SECStatus AllowFalseStart(PRFileDesc* fd, void* arg,
+                                 PRBool* can_false_start) {
+  bool* false_start_attempted = reinterpret_cast<bool*>(arg);
+  *false_start_attempted = true;
+  *can_false_start = PR_TRUE;
+  return SECSuccess;
+}
+
+// If we disable the downgrade check, the sentinel is still generated, and we
+// disable false start instead.
+TEST_F(TlsConnectTest, DisableFalseStartOnFallback) {
+  // Don't call client_->EnableFalseStart(), because that sets the client up for
+  // success, and we want false start to fail.
+  client_->SetOption(SSL_ENABLE_FALSE_START, PR_TRUE);
+  bool false_start_attempted = false;
+  EXPECT_EQ(SECSuccess,
+            SSL_SetCanFalseStartCallback(client_->ssl_fd(), AllowFalseStart,
+                                         &false_start_attempted));
+
+  client_->SetDowngradeCheckVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
+                           SSL_LIBRARY_VERSION_TLS_1_2);
+  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
+                           SSL_LIBRARY_VERSION_TLS_1_3);
+  Connect();
+  EXPECT_FALSE(false_start_attempted);
 }
 
 TEST_F(TlsConnectTest, TestFallbackFromTls13) {
-  EnsureTlsSetup();
+  client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_TRUE);
   client_->SetDowngradeCheckVersion(SSL_LIBRARY_VERSION_TLS_1_3);
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                            SSL_LIBRARY_VERSION_TLS_1_2);
   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
                            SSL_LIBRARY_VERSION_TLS_1_3);
-  ConnectExpectFail();
-  ASSERT_EQ(SSL_ERROR_RX_MALFORMED_SERVER_HELLO, client_->error_code());
+  ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
+  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
+  server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
 }
-#endif
 
 TEST_P(TlsConnectGeneric, TestFallbackSCSVVersionMatch) {
   client_->SetOption(SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
@@ -132,6 +176,7 @@ TEST_P(TlsConnectGenericPre13, TestFallbackSCSVVersionMismatch) {
   server_->SetVersionRange(version_, version_ + 1);
   ConnectExpectAlert(server_, kTlsAlertInappropriateFallback);
   client_->CheckErrorCode(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT);
+  server_->CheckErrorCode(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT);
 }
 
 // The TLS v1.3 spec section C.4 states that 'Implementations MUST NOT send or
@@ -158,7 +203,7 @@ TEST_P(TlsConnectGeneric, AlertBeforeServerHello) {
   static const uint8_t kWarningAlert[] = {kTlsAlertWarning,
                                           kTlsAlertUnrecognizedName};
   DataBuffer alert;
-  TlsAgentTestBase::MakeRecord(variant_, kTlsAlertType,
+  TlsAgentTestBase::MakeRecord(variant_, ssl_ct_alert,
                                SSL_LIBRARY_VERSION_TLS_1_0, kWarningAlert,
                                PR_ARRAY_SIZE(kWarningAlert), &alert);
   client_->adapter()->PacketReceived(alert);
diff --git a/security/nss/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
index 09d7801e9..a75dbb7aa 100644
--- a/security/nss/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
@@ -12,7 +12,7 @@
 #include "sslproto.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
diff --git a/security/nss/gtests/ssl_gtest/test_io.cc b/security/nss/gtests/ssl_gtest/test_io.cc
index d76b3526c..6d792c520 100644
--- a/security/nss/gtests/ssl_gtest/test_io.cc
+++ b/security/nss/gtests/ssl_gtest/test_io.cc
@@ -31,6 +31,20 @@ ScopedPRFileDesc DummyPrSocket::CreateFD() {
   return DummyIOLayerMethods::CreateFD(test_fd_identity, this);
 }
 
+void DummyPrSocket::Reset() {
+  auto p = peer_.lock();
+  peer_.reset();
+  if (p) {
+    p->peer_.reset();
+    p->Reset();
+  }
+  while (!input_.empty()) {
+    input_.pop();
+  }
+  filter_ = nullptr;
+  write_error_ = 0;
+}
+
 void DummyPrSocket::PacketReceived(const DataBuffer &packet) {
   input_.push(Packet(packet));
 }
@@ -42,6 +56,12 @@ int32_t DummyPrSocket::Read(PRFileDesc *f, void *data, int32_t len) {
     return -1;
   }
 
+  auto dst = peer_.lock();
+  if (!dst) {
+    PR_SetError(PR_NOT_CONNECTED_ERROR, 0);
+    return -1;
+  }
+
   if (input_.empty()) {
     LOGV("Read --> wouldblock " << len);
     PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
@@ -74,6 +94,12 @@ int32_t DummyPrSocket::Recv(PRFileDesc *f, void *buf, int32_t buflen,
     return Read(f, buf, buflen);
   }
 
+  auto dst = peer_.lock();
+  if (!dst) {
+    PR_SetError(PR_NOT_CONNECTED_ERROR, 0);
+    return -1;
+  }
+
   if (input_.empty()) {
     PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
     return -1;
@@ -101,7 +127,7 @@ int32_t DummyPrSocket::Write(PRFileDesc *f, const void *buf, int32_t length) {
 
   auto dst = peer_.lock();
   if (!dst) {
-    PR_SetError(PR_IO_ERROR, 0);
+    PR_SetError(PR_NOT_CONNECTED_ERROR, 0);
     return -1;
   }
 
diff --git a/security/nss/gtests/ssl_gtest/test_io.h b/security/nss/gtests/ssl_gtest/test_io.h
index 8327373ce..062ae86c8 100644
--- a/security/nss/gtests/ssl_gtest/test_io.h
+++ b/security/nss/gtests/ssl_gtest/test_io.h
@@ -17,7 +17,7 @@
 #include "databuffer.h"
 #include "dummy_io.h"
 #include "prio.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "sslt.h"
 
 namespace nss_test {
diff --git a/security/nss/gtests/ssl_gtest/tls_agent.cc b/security/nss/gtests/ssl_gtest/tls_agent.cc
index 9bed1ce1b..fb66196b5 100644
--- a/security/nss/gtests/ssl_gtest/tls_agent.cc
+++ b/security/nss/gtests/ssl_gtest/tls_agent.cc
@@ -15,6 +15,9 @@
 #include "tls_filter.h"
 #include "tls_parser.h"
 
+// This is an internal header, used to get DTLS_1_3_DRAFT_VERSION.
+#include "ssl3prot.h"
+
 extern "C" {
 // This is not something that should make you happy.
 #include "libssl_internals.h"
@@ -23,7 +26,7 @@ extern "C" {
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 extern std::string g_working_dir_path;
 
@@ -53,7 +56,7 @@ static const uint8_t kCannedTls13ServerHello[] = {
     0x00, 0x1d, 0x00, 0x20, 0xc2, 0xcf, 0x23, 0x17, 0x64, 0x23, 0x03,
     0xf0, 0xfb, 0x45, 0x98, 0x26, 0xd1, 0x65, 0x24, 0xa1, 0x6c, 0xa9,
     0x80, 0x8f, 0x2c, 0xac, 0x0a, 0xea, 0x53, 0x3a, 0xcb, 0xe3, 0x08,
-    0x84, 0xae, 0x19, 0x00, 0x2b, 0x00, 0x02, 0x7f, kD13};
+    0x84, 0xae, 0x19, 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04};
 
 TlsAgent::TlsAgent(const std::string& nm, Role rl, SSLProtocolVariant var)
     : name_(nm),
@@ -226,6 +229,7 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc* modelSocket) {
 
 bool TlsAgent::MaybeSetResumptionToken() {
   if (!resumption_token_.empty()) {
+    LOG("setting external resumption token");
     SECStatus rv = SSL_SetResumptionToken(ssl_fd(), resumption_token_.data(),
                                           resumption_token_.size());
 
@@ -583,6 +587,7 @@ void TlsAgent::CheckAuthType(SSLAuthType auth,
   // switch statement because default label is different.
   switch (auth) {
     case ssl_auth_rsa_sign:
+    case ssl_auth_rsa_pss:
       EXPECT_EQ(ssl_auth_rsa_decrypt, csinfo_.authAlgorithm)
           << "authAlgorithm for RSA is always decrypt";
       break;
@@ -934,8 +939,8 @@ void TlsAgent::SendRecordDirect(const TlsRecord& record) {
   SendDirect(buf);
 }
 
-static bool ErrorIsNonFatal(PRErrorCode code) {
-  return code == PR_WOULD_BLOCK_ERROR || code == SSL_ERROR_RX_SHORT_DTLS_READ;
+static bool ErrorIsFatal(PRErrorCode code) {
+  return code != PR_WOULD_BLOCK_ERROR && code != SSL_ERROR_RX_SHORT_DTLS_READ;
 }
 
 void TlsAgent::SendData(size_t bytes, size_t blocksize) {
@@ -975,7 +980,7 @@ bool TlsAgent::SendEncryptedRecord(const std::shared_ptr<TlsCipherSpec>& spec,
   LOGV("Encrypting " << buf.len() << " bytes");
   // Ensure that we are doing TLS 1.3.
   EXPECT_GE(expected_version_, SSL_LIBRARY_VERSION_TLS_1_3);
-  TlsRecordHeader header(variant_, expected_version_, kTlsApplicationDataType,
+  TlsRecordHeader header(variant_, expected_version_, ssl_ct_application_data,
                          seq);
   DataBuffer padded = buf;
   padded.Write(padded.len(), ct, 1);
@@ -994,28 +999,39 @@ bool TlsAgent::SendEncryptedRecord(const std::shared_ptr<TlsCipherSpec>& spec,
 void TlsAgent::ReadBytes(size_t amount) {
   uint8_t block[16384];
 
-  int32_t rv = PR_Read(ssl_fd(), block, (std::min)(amount, sizeof(block)));
-  LOGV("ReadBytes " << rv);
-  int32_t err;
+  size_t remaining = amount;
+  while (remaining > 0) {
+    int32_t rv = PR_Read(ssl_fd(), block, (std::min)(amount, sizeof(block)));
+    LOGV("ReadBytes " << rv);
 
-  if (rv >= 0) {
-    size_t count = static_cast<size_t>(rv);
-    for (size_t i = 0; i < count; ++i) {
-      ASSERT_EQ(recv_ctr_ & 0xff, block[i]);
-      recv_ctr_++;
-    }
-  } else {
-    err = PR_GetError();
-    LOG("Read error " << PORT_ErrorToName(err) << ": "
-                      << PORT_ErrorToString(err));
-    if (err != PR_WOULD_BLOCK_ERROR && expect_readwrite_error_) {
-      error_code_ = err;
-      expect_readwrite_error_ = false;
+    if (rv > 0) {
+      size_t count = static_cast<size_t>(rv);
+      for (size_t i = 0; i < count; ++i) {
+        ASSERT_EQ(recv_ctr_ & 0xff, block[i]);
+        recv_ctr_++;
+      }
+      remaining -= rv;
+    } else {
+      PRErrorCode err = 0;
+      if (rv < 0) {
+        err = PR_GetError();
+        LOG("Read error " << PORT_ErrorToName(err) << ": "
+                          << PORT_ErrorToString(err));
+        if (err != PR_WOULD_BLOCK_ERROR && expect_readwrite_error_) {
+          error_code_ = err;
+          expect_readwrite_error_ = false;
+        }
+      }
+      if (err != 0 && ErrorIsFatal(err)) {
+        // If we hit a fatal error, we're done.
+        remaining = 0;
+      }
+      break;
     }
   }
 
   // If closed, then don't bother waiting around.
-  if (rv > 0 || (rv < 0 && ErrorIsNonFatal(err))) {
+  if (remaining) {
     LOGV("Re-arming");
     Poller::Instance()->Wait(READABLE_EVENT, adapter_, this,
                              &TlsAgent::ReadableCallback);
@@ -1104,7 +1120,7 @@ void TlsAgentTestBase::MakeRecord(SSLProtocolVariant variant, uint8_t type,
   if (variant == ssl_variant_stream) {
     index = out->Write(index, version, 2);
   } else if (version >= SSL_LIBRARY_VERSION_TLS_1_3 &&
-             type == kTlsApplicationDataType) {
+             type == ssl_ct_application_data) {
     uint32_t epoch = (sequence_number >> 48) & 0x3;
     uint32_t seqno = sequence_number & ((1ULL << 30) - 1);
     index = out->Write(index, (epoch << 30) | seqno, 4);
@@ -1157,10 +1173,10 @@ void TlsAgentTestBase::MakeTrivialHandshakeRecord(uint8_t hs_type,
                                                   size_t hs_len,
                                                   DataBuffer* out) {
   size_t index = 0;
-  index = out->Write(index, kTlsHandshakeType, 1);  // Content Type
-  index = out->Write(index, 3, 1);                  // Version high
-  index = out->Write(index, 1, 1);                  // Version low
-  index = out->Write(index, 4 + hs_len, 2);         // Length
+  index = out->Write(index, ssl_ct_handshake, 1);  // Content Type
+  index = out->Write(index, 3, 1);                 // Version high
+  index = out->Write(index, 1, 1);                 // Version low
+  index = out->Write(index, 4 + hs_len, 2);        // Length
 
   index = out->Write(index, hs_type, 1);  // Handshake record type.
   index = out->Write(index, hs_len, 3);   // Handshake length
@@ -1173,6 +1189,11 @@ DataBuffer TlsAgentTestBase::MakeCannedTls13ServerHello() {
   DataBuffer sh(kCannedTls13ServerHello, sizeof(kCannedTls13ServerHello));
   if (variant_ == ssl_variant_datagram) {
     sh.Write(0, SSL_LIBRARY_VERSION_DTLS_1_2_WIRE, 2);
+    // The version should be at the end.
+    uint32_t v;
+    EXPECT_TRUE(sh.Read(sh.len() - 2, 2, &v));
+    EXPECT_EQ(static_cast<uint32_t>(SSL_LIBRARY_VERSION_TLS_1_3), v);
+    sh.Write(sh.len() - 2, 0x7f00 | DTLS_1_3_DRAFT_VERSION, 2);
   }
   return sh;
 }
diff --git a/security/nss/gtests/ssl_gtest/tls_agent.h b/security/nss/gtests/ssl_gtest/tls_agent.h
index a93d0c6ee..020221868 100644
--- a/security/nss/gtests/ssl_gtest/tls_agent.h
+++ b/security/nss/gtests/ssl_gtest/tls_agent.h
@@ -10,9 +10,6 @@
 #include "prio.h"
 #include "ssl.h"
 
-// This is an internal header, used to get TLS_1_3_DRAFT_VERSION.
-#include "ssl3prot.h"
-
 #include <functional>
 #include <iostream>
 
@@ -20,7 +17,8 @@
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
+#include "scoped_ptrs_ssl.h"
 
 extern bool g_ssl_gtest_verbose;
 
@@ -60,8 +58,6 @@ typedef std::function<int32_t(TlsAgent* agent, const SECItem* srvNameArr,
                               PRUint32 srvNameArrSize)>
     SniCallbackFunction;
 
-static const uint8_t kD13 = TLS_1_3_DRAFT_VERSION;
-
 class TlsAgent : public PollTarget {
  public:
   enum Role { CLIENT, SERVER };
diff --git a/security/nss/gtests/ssl_gtest/tls_connect.cc b/security/nss/gtests/ssl_gtest/tls_connect.cc
index 68f6d21e9..c48ae38ec 100644
--- a/security/nss/gtests/ssl_gtest/tls_connect.cc
+++ b/security/nss/gtests/ssl_gtest/tls_connect.cc
@@ -14,7 +14,7 @@ extern "C" {
 
 #include "databuffer.h"
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "sslproto.h"
 
 extern std::string g_working_dir_path;
@@ -559,13 +559,15 @@ void TlsConnectTestBase::CheckResumption(SessionResumptionMode expected) {
   EXPECT_EQ(stateless_count, stats->hsh_sid_stateless_resumes);
 
   if (expected != RESUME_NONE) {
-    if (client_->version() < SSL_LIBRARY_VERSION_TLS_1_3) {
+    if (client_->version() < SSL_LIBRARY_VERSION_TLS_1_3 &&
+        client_->GetResumptionToken().size() == 0) {
       // Check that the last two session ids match.
       ASSERT_EQ(1U + expected_resumptions_, session_ids_.size());
       EXPECT_EQ(session_ids_[session_ids_.size() - 1],
                 session_ids_[session_ids_.size() - 2]);
     } else {
-      // TLS 1.3 only uses tickets.
+      // We've either chosen TLS 1.3 or are using an external resumption token,
+      // both of which only use tickets.
       EXPECT_TRUE(expected & RESUME_TICKET);
     }
   }
diff --git a/security/nss/gtests/ssl_gtest/tls_esni_unittest.cc b/security/nss/gtests/ssl_gtest/tls_esni_unittest.cc
new file mode 100644
index 000000000..3c860a0b2
--- /dev/null
+++ b/security/nss/gtests/ssl_gtest/tls_esni_unittest.cc
@@ -0,0 +1,470 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <ctime>
+
+#include "secerr.h"
+#include "ssl.h"
+
+#include "gtest_utils.h"
+#include "tls_agent.h"
+#include "tls_connect.h"
+
+namespace nss_test {
+
+static const char* kDummySni("dummy.invalid");
+
+std::vector<uint16_t> kDefaultSuites = {TLS_AES_256_GCM_SHA384,
+                                        TLS_AES_128_GCM_SHA256};
+std::vector<uint16_t> kChaChaSuite = {TLS_CHACHA20_POLY1305_SHA256};
+std::vector<uint16_t> kBogusSuites = {0};
+std::vector<uint16_t> kTls12Suites = {
+    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256};
+
+static void NamedGroup2ECParams(SSLNamedGroup group, SECItem* params) {
+  auto groupDef = ssl_LookupNamedGroup(group);
+  ASSERT_NE(nullptr, groupDef);
+
+  auto oidData = SECOID_FindOIDByTag(groupDef->oidTag);
+  ASSERT_NE(nullptr, oidData);
+  ASSERT_NE(nullptr,
+            SECITEM_AllocItem(nullptr, params, (2 + oidData->oid.len)));
+
+  /*
+   * params->data needs to contain the ASN encoding of an object ID (OID)
+   * representing the named curve. The actual OID is in
+   * oidData->oid.data so we simply prepend 0x06 and OID length
+   */
+  params->data[0] = SEC_ASN1_OBJECT_ID;
+  params->data[1] = oidData->oid.len;
+  memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
+}
+
+/* Checksum is a 4-byte array. */
+static void UpdateEsniKeysChecksum(DataBuffer* buf) {
+  SECStatus rv;
+  PRUint8 sha256[32];
+
+  /* Stomp the checksum. */
+  PORT_Memset(buf->data() + 2, 0, 4);
+
+  rv = PK11_HashBuf(ssl3_HashTypeToOID(ssl_hash_sha256), sha256, buf->data(),
+                    buf->len());
+  ASSERT_EQ(SECSuccess, rv);
+  buf->Write(2, sha256, 4);
+}
+
+static void GenerateEsniKey(time_t windowStart, SSLNamedGroup group,
+                            std::vector<uint16_t>& cipher_suites,
+                            DataBuffer* record,
+                            ScopedSECKEYPublicKey* pubKey = nullptr,
+                            ScopedSECKEYPrivateKey* privKey = nullptr) {
+  SECKEYECParams ecParams = {siBuffer, NULL, 0};
+  NamedGroup2ECParams(group, &ecParams);
+
+  SECKEYPublicKey* pub = nullptr;
+  SECKEYPrivateKey* priv = SECKEY_CreateECPrivateKey(&ecParams, &pub, nullptr);
+  ASSERT_NE(nullptr, priv);
+  SECITEM_FreeItem(&ecParams, PR_FALSE);
+  PRUint8 encoded[1024];
+  unsigned int encoded_len;
+
+  SECStatus rv = SSL_EncodeESNIKeys(
+      &cipher_suites[0], cipher_suites.size(), group, pub, 100, windowStart,
+      windowStart + 10, encoded, &encoded_len, sizeof(encoded));
+  ASSERT_EQ(SECSuccess, rv);
+  ASSERT_GT(encoded_len, 0U);
+
+  if (pubKey) {
+    pubKey->reset(pub);
+  } else {
+    SECKEY_DestroyPublicKey(pub);
+  }
+  if (privKey) {
+    privKey->reset(priv);
+  } else {
+    SECKEY_DestroyPrivateKey(priv);
+  }
+  record->Truncate(0);
+  record->Write(0, encoded, encoded_len);
+}
+
+static void SetupEsni(const std::shared_ptr<TlsAgent>& client,
+                      const std::shared_ptr<TlsAgent>& server,
+                      SSLNamedGroup group = ssl_grp_ec_curve25519) {
+  ScopedSECKEYPublicKey pub;
+  ScopedSECKEYPrivateKey priv;
+  DataBuffer record;
+
+  GenerateEsniKey(time(nullptr), ssl_grp_ec_curve25519, kDefaultSuites, &record,
+                  &pub, &priv);
+  SECStatus rv = SSL_SetESNIKeyPair(server->ssl_fd(), priv.get(), record.data(),
+                                    record.len());
+  ASSERT_EQ(SECSuccess, rv);
+
+  rv = SSL_EnableESNI(client->ssl_fd(), record.data(), record.len(), kDummySni);
+  ASSERT_EQ(SECSuccess, rv);
+}
+
+static void CheckSniExtension(const DataBuffer& data) {
+  TlsParser parser(data.data(), data.len());
+  uint32_t tmp;
+  ASSERT_TRUE(parser.Read(&tmp, 2));
+  ASSERT_EQ(parser.remaining(), tmp);
+  ASSERT_TRUE(parser.Read(&tmp, 1));
+  ASSERT_EQ(0U, tmp); /* sni_nametype_hostname */
+  DataBuffer name;
+  ASSERT_TRUE(parser.ReadVariable(&name, 2));
+  ASSERT_EQ(0U, parser.remaining());
+  DataBuffer expected(reinterpret_cast<const uint8_t*>(kDummySni),
+                      strlen(kDummySni));
+  ASSERT_EQ(expected, name);
+}
+
+static void ClientInstallEsni(std::shared_ptr<TlsAgent>& agent,
+                              const DataBuffer& record, PRErrorCode err = 0) {
+  SECStatus rv =
+      SSL_EnableESNI(agent->ssl_fd(), record.data(), record.len(), kDummySni);
+  if (err == 0) {
+    ASSERT_EQ(SECSuccess, rv);
+  } else {
+    ASSERT_EQ(SECFailure, rv);
+    ASSERT_EQ(err, PORT_GetError());
+  }
+}
+
+TEST_P(TlsAgentTestClient13, EsniInstall) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
+  ClientInstallEsni(agent_, record);
+}
+
+// The next set of tests fail at setup time.
+TEST_P(TlsAgentTestClient13, EsniInvalidHash) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
+  record.data()[2]++;
+  ClientInstallEsni(agent_, record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS);
+}
+
+TEST_P(TlsAgentTestClient13, EsniInvalidVersion) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
+  record.Write(0, 0xffff, 2);
+  ClientInstallEsni(agent_, record, SSL_ERROR_UNSUPPORTED_VERSION);
+}
+
+TEST_P(TlsAgentTestClient13, EsniShort) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
+  record.Truncate(record.len() - 1);
+  UpdateEsniKeysChecksum(&record);
+  ClientInstallEsni(agent_, record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS);
+}
+
+TEST_P(TlsAgentTestClient13, EsniLong) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
+  record.Write(record.len(), 1, 1);
+  UpdateEsniKeysChecksum(&record);
+  ClientInstallEsni(agent_, record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS);
+}
+
+TEST_P(TlsAgentTestClient13, EsniExtensionMismatch) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
+  record.Write(record.len() - 1, 1, 1);
+  UpdateEsniKeysChecksum(&record);
+  ClientInstallEsni(agent_, record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS);
+}
+
+// The following tests fail by ignoring the Esni block.
+TEST_P(TlsAgentTestClient13, EsniUnknownGroup) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
+  record.Write(8, 0xffff, 2);  // Fake group
+  UpdateEsniKeysChecksum(&record);
+  ClientInstallEsni(agent_, record, 0);
+  auto filter =
+      MakeTlsFilter<TlsExtensionCapture>(agent_, ssl_tls13_encrypted_sni_xtn);
+  agent_->Handshake();
+  ASSERT_EQ(TlsAgent::STATE_CONNECTING, agent_->state());
+  ASSERT_TRUE(!filter->captured());
+}
+
+TEST_P(TlsAgentTestClient13, EsniUnknownCS) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kBogusSuites, &record);
+  ClientInstallEsni(agent_, record, 0);
+  auto filter =
+      MakeTlsFilter<TlsExtensionCapture>(agent_, ssl_tls13_encrypted_sni_xtn);
+  agent_->Handshake();
+  ASSERT_EQ(TlsAgent::STATE_CONNECTING, agent_->state());
+  ASSERT_TRUE(!filter->captured());
+}
+
+TEST_P(TlsAgentTestClient13, EsniInvalidCS) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kTls12Suites, &record);
+  UpdateEsniKeysChecksum(&record);
+  ClientInstallEsni(agent_, record, 0);
+  auto filter =
+      MakeTlsFilter<TlsExtensionCapture>(agent_, ssl_tls13_encrypted_sni_xtn);
+  agent_->Handshake();
+  ASSERT_EQ(TlsAgent::STATE_CONNECTING, agent_->state());
+  ASSERT_TRUE(!filter->captured());
+}
+
+TEST_P(TlsAgentTestClient13, EsniNotReady) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0) + 1000, ssl_grp_ec_curve25519, kDefaultSuites,
+                  &record);
+  ClientInstallEsni(agent_, record, 0);
+  auto filter =
+      MakeTlsFilter<TlsExtensionCapture>(agent_, ssl_tls13_encrypted_sni_xtn);
+  agent_->Handshake();
+  ASSERT_TRUE(!filter->captured());
+}
+
+TEST_P(TlsAgentTestClient13, EsniExpired) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0) - 1000, ssl_grp_ec_curve25519, kDefaultSuites,
+                  &record);
+  ClientInstallEsni(agent_, record, 0);
+  auto filter =
+      MakeTlsFilter<TlsExtensionCapture>(agent_, ssl_tls13_encrypted_sni_xtn);
+  agent_->Handshake();
+  ASSERT_TRUE(!filter->captured());
+}
+
+TEST_P(TlsAgentTestClient13, NoSniSoNoEsni) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
+  SSL_SetURL(agent_->ssl_fd(), "");
+  ClientInstallEsni(agent_, record, 0);
+  auto filter =
+      MakeTlsFilter<TlsExtensionCapture>(agent_, ssl_tls13_encrypted_sni_xtn);
+  agent_->Handshake();
+  ASSERT_TRUE(!filter->captured());
+}
+
+static int32_t SniCallback(TlsAgent* agent, const SECItem* srvNameAddr,
+                           PRUint32 srvNameArrSize) {
+  EXPECT_EQ(1U, srvNameArrSize);
+  SECItem expected = {
+      siBuffer, reinterpret_cast<unsigned char*>(const_cast<char*>("server")),
+      6};
+  EXPECT_TRUE(!SECITEM_CompareItem(&expected, &srvNameAddr[0]));
+  return SECSuccess;
+}
+
+TEST_P(TlsConnectTls13, ConnectEsni) {
+  EnsureTlsSetup();
+  SetupEsni(client_, server_);
+  auto cFilterSni =
+      MakeTlsFilter<TlsExtensionCapture>(client_, ssl_server_name_xtn);
+  auto cFilterEsni =
+      MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_encrypted_sni_xtn);
+  client_->SetFilter(std::make_shared<ChainedPacketFilter>(
+      ChainedPacketFilterInit({cFilterSni, cFilterEsni})));
+  auto sfilter =
+      MakeTlsFilter<TlsExtensionCapture>(server_, ssl_server_name_xtn);
+  sfilter->EnableDecryption();
+  server_->SetSniCallback(SniCallback);
+  Connect();
+  CheckSniExtension(cFilterSni->extension());
+  ASSERT_TRUE(cFilterEsni->captured());
+  // Check that our most preferred suite got chosen.
+  uint32_t suite;
+  ASSERT_TRUE(cFilterEsni->extension().Read(0, 2, &suite));
+  ASSERT_EQ(TLS_AES_128_GCM_SHA256, static_cast<PRUint16>(suite));
+  ASSERT_TRUE(!sfilter->captured());
+}
+
+TEST_P(TlsConnectTls13, ConnectEsniHrr) {
+  EnsureTlsSetup();
+  const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1};
+  server_->ConfigNamedGroups(groups);
+  SetupEsni(client_, server_);
+  auto hrr_capture = MakeTlsFilter<TlsHandshakeRecorder>(
+      server_, kTlsHandshakeHelloRetryRequest);
+  auto filter =
+      MakeTlsFilter<TlsExtensionCapture>(client_, ssl_server_name_xtn);
+  auto cfilter =
+      MakeTlsFilter<TlsExtensionCapture>(client_, ssl_server_name_xtn);
+  server_->SetSniCallback(SniCallback);
+  Connect();
+  CheckSniExtension(cfilter->extension());
+  EXPECT_NE(0UL, hrr_capture->buffer().len());
+}
+
+TEST_P(TlsConnectTls13, ConnectEsniNoDummy) {
+  EnsureTlsSetup();
+  ScopedSECKEYPublicKey pub;
+  ScopedSECKEYPrivateKey priv;
+  DataBuffer record;
+
+  GenerateEsniKey(time(nullptr), ssl_grp_ec_curve25519, kDefaultSuites, &record,
+                  &pub, &priv);
+  SECStatus rv = SSL_SetESNIKeyPair(server_->ssl_fd(), priv.get(),
+                                    record.data(), record.len());
+  ASSERT_EQ(SECSuccess, rv);
+  rv = SSL_EnableESNI(client_->ssl_fd(), record.data(), record.len(), "");
+  ASSERT_EQ(SECSuccess, rv);
+
+  auto cfilter =
+      MakeTlsFilter<TlsExtensionCapture>(client_, ssl_server_name_xtn);
+  auto sfilter =
+      MakeTlsFilter<TlsExtensionCapture>(server_, ssl_server_name_xtn);
+  server_->SetSniCallback(SniCallback);
+  Connect();
+  ASSERT_TRUE(!cfilter->captured());
+  ASSERT_TRUE(!sfilter->captured());
+}
+
+TEST_P(TlsConnectTls13, ConnectEsniNullDummy) {
+  EnsureTlsSetup();
+  ScopedSECKEYPublicKey pub;
+  ScopedSECKEYPrivateKey priv;
+  DataBuffer record;
+
+  GenerateEsniKey(time(nullptr), ssl_grp_ec_curve25519, kDefaultSuites, &record,
+                  &pub, &priv);
+  SECStatus rv = SSL_SetESNIKeyPair(server_->ssl_fd(), priv.get(),
+                                    record.data(), record.len());
+  ASSERT_EQ(SECSuccess, rv);
+  rv = SSL_EnableESNI(client_->ssl_fd(), record.data(), record.len(), nullptr);
+  ASSERT_EQ(SECSuccess, rv);
+
+  auto cfilter =
+      MakeTlsFilter<TlsExtensionCapture>(client_, ssl_server_name_xtn);
+  auto sfilter =
+      MakeTlsFilter<TlsExtensionCapture>(server_, ssl_server_name_xtn);
+  server_->SetSniCallback(SniCallback);
+  Connect();
+  ASSERT_TRUE(!cfilter->captured());
+  ASSERT_TRUE(!sfilter->captured());
+}
+
+/* Tell the client that it supports AES but the server that it supports ChaCha
+ */
+TEST_P(TlsConnectTls13, ConnectEsniCSMismatch) {
+  EnsureTlsSetup();
+  ScopedSECKEYPublicKey pub;
+  ScopedSECKEYPrivateKey priv;
+  DataBuffer record;
+
+  GenerateEsniKey(time(nullptr), ssl_grp_ec_curve25519, kDefaultSuites, &record,
+                  &pub, &priv);
+  PRUint8 encoded[1024];
+  unsigned int encoded_len;
+
+  SECStatus rv = SSL_EncodeESNIKeys(
+      &kChaChaSuite[0], kChaChaSuite.size(), ssl_grp_ec_curve25519, pub.get(),
+      100, time(0), time(0) + 10, encoded, &encoded_len, sizeof(encoded));
+  rv = SSL_SetESNIKeyPair(server_->ssl_fd(), priv.get(), encoded, encoded_len);
+  ASSERT_EQ(SECSuccess, rv);
+  rv = SSL_EnableESNI(client_->ssl_fd(), record.data(), record.len(), "");
+  ASSERT_EQ(SECSuccess, rv);
+  ConnectExpectAlert(server_, illegal_parameter);
+  server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+}
+
+TEST_P(TlsConnectTls13, ConnectEsniP256) {
+  EnsureTlsSetup();
+  SetupEsni(client_, server_, ssl_grp_ec_secp256r1);
+  auto cfilter =
+      MakeTlsFilter<TlsExtensionCapture>(client_, ssl_server_name_xtn);
+  auto sfilter =
+      MakeTlsFilter<TlsExtensionCapture>(server_, ssl_server_name_xtn);
+  server_->SetSniCallback(SniCallback);
+  Connect();
+  CheckSniExtension(cfilter->extension());
+  ASSERT_TRUE(!sfilter->captured());
+}
+
+TEST_P(TlsConnectTls13, ConnectMismatchedEsniKeys) {
+  EnsureTlsSetup();
+  SetupEsni(client_, server_);
+  // Now install a new set of keys on the client, so we have a mismatch.
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
+  ClientInstallEsni(client_, record, 0);
+  ConnectExpectAlert(server_, illegal_parameter);
+  server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+}
+
+TEST_P(TlsConnectTls13, ConnectDamagedEsniExtensionCH) {
+  EnsureTlsSetup();
+  SetupEsni(client_, server_);
+  auto filter = MakeTlsFilter<TlsExtensionDamager>(
+      client_, ssl_tls13_encrypted_sni_xtn, 50);  // in the ciphertext
+  ConnectExpectAlert(server_, illegal_parameter);
+  server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+}
+
+TEST_P(TlsConnectTls13, ConnectRemoveEsniExtensionEE) {
+  EnsureTlsSetup();
+  SetupEsni(client_, server_);
+  auto filter =
+      MakeTlsFilter<TlsExtensionDropper>(server_, ssl_tls13_encrypted_sni_xtn);
+  filter->EnableDecryption();
+  ConnectExpectAlert(client_, missing_extension);
+  client_->CheckErrorCode(SSL_ERROR_MISSING_ESNI_EXTENSION);
+}
+
+TEST_P(TlsConnectTls13, ConnectShortEsniExtensionEE) {
+  EnsureTlsSetup();
+  SetupEsni(client_, server_);
+  DataBuffer shortNonce;
+  auto filter = MakeTlsFilter<TlsExtensionReplacer>(
+      server_, ssl_tls13_encrypted_sni_xtn, shortNonce);
+  filter->EnableDecryption();
+  ConnectExpectAlert(client_, illegal_parameter);
+  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION);
+}
+
+TEST_P(TlsConnectTls13, ConnectBogusEsniExtensionEE) {
+  EnsureTlsSetup();
+  SetupEsni(client_, server_);
+  const uint8_t bogusNonceBuf[16] = {0};
+  DataBuffer bogusNonce(bogusNonceBuf, sizeof(bogusNonceBuf));
+  auto filter = MakeTlsFilter<TlsExtensionReplacer>(
+      server_, ssl_tls13_encrypted_sni_xtn, bogusNonce);
+  filter->EnableDecryption();
+  ConnectExpectAlert(client_, illegal_parameter);
+  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION);
+}
+
+// ESNI is a commitment to doing TLS 1.3 or above.
+// The TLS 1.2 server ignores ESNI and processes the dummy SNI.
+// The client then aborts when it sees the server did TLS 1.2.
+TEST_P(TlsConnectTls13, EsniButTLS12Server) {
+  EnsureTlsSetup();
+  SetupEsni(client_, server_);
+  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
+                           SSL_LIBRARY_VERSION_TLS_1_3);
+  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
+                           SSL_LIBRARY_VERSION_TLS_1_2);
+  ConnectExpectAlert(client_, kTlsAlertProtocolVersion);
+  client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION);
+  server_->CheckErrorCode(SSL_ERROR_PROTOCOL_VERSION_ALERT);
+  ASSERT_FALSE(SSLInt_ExtensionNegotiated(server_->ssl_fd(),
+                                          ssl_tls13_encrypted_sni_xtn));
+}
+}
diff --git a/security/nss/gtests/ssl_gtest/tls_filter.cc b/security/nss/gtests/ssl_gtest/tls_filter.cc
index aa03cba70..25ad606fc 100644
--- a/security/nss/gtests/ssl_gtest/tls_filter.cc
+++ b/security/nss/gtests/ssl_gtest/tls_filter.cc
@@ -131,7 +131,7 @@ PacketFilter::Action TlsRecordFilter::Filter(const DataBuffer& input,
     // spec to another active cipher spec (KeyUpdate for instance) AND writes
     // are consolidated across that change, this code could use the wrong
     // sequence numbers when re-encrypting records with the old keys.
-    if (header.content_type() == kTlsApplicationDataType) {
+    if (header.content_type() == ssl_ct_application_data) {
       in_sequence_number_ =
           (std::max)(in_sequence_number_, header.sequence_number() + 1);
     }
@@ -194,7 +194,7 @@ PacketFilter::Action TlsRecordFilter::FilterRecord(
 
   uint64_t seq_num;
   if (header.is_dtls() || !cipher_spec_ ||
-      header.content_type() != kTlsApplicationDataType) {
+      header.content_type() != ssl_ct_application_data) {
     seq_num = header.sequence_number();
   } else {
     seq_num = out_sequence_number_++;
@@ -277,7 +277,7 @@ bool TlsRecordHeader::Parse(bool is_dtls13, uint64_t seqno, TlsParser* parser,
 
 #ifndef UNSAFE_FUZZER_MODE
     // Deal with the 7 octet header.
-    if (content_type_ == kTlsApplicationDataType) {
+    if (content_type_ == ssl_ct_application_data) {
       uint32_t tmp;
       if (!parser->Read(&tmp, 4)) {
         return false;
@@ -298,7 +298,7 @@ bool TlsRecordHeader::Parse(bool is_dtls13, uint64_t seqno, TlsParser* parser,
       }
       // Need to use the low 5 bits of the first octet too.
       tmp |= (content_type_ & 0x1f) << 8;
-      content_type_ = kTlsApplicationDataType;
+      content_type_ = ssl_ct_application_data;
       sequence_number_ = ParseSequenceNumber(seqno, tmp, 12, 1);
 
       if (!parser->ReadFromMark(&header_, parser->consumed() - mark, mark)) {
@@ -308,9 +308,9 @@ bool TlsRecordHeader::Parse(bool is_dtls13, uint64_t seqno, TlsParser* parser,
     }
 
     // The full 13 octet header can only be used for a few types.
-    EXPECT_TRUE(content_type_ == kTlsAlertType ||
-                content_type_ == kTlsHandshakeType ||
-                content_type_ == kTlsAckType);
+    EXPECT_TRUE(content_type_ == ssl_ct_alert ||
+                content_type_ == ssl_ct_handshake ||
+                content_type_ == ssl_ct_ack);
 #endif
   }
 
@@ -347,7 +347,7 @@ size_t TlsRecordHeader::WriteHeader(DataBuffer* buffer, size_t offset,
                                     size_t body_len) const {
   offset = buffer->Write(offset, content_type_, 1);
   if (is_dtls() && version_ >= SSL_LIBRARY_VERSION_TLS_1_3 &&
-      content_type() == kTlsApplicationDataType) {
+      content_type() == ssl_ct_application_data) {
     // application_data records in TLS 1.3 have a different header format.
     // Always use the long header here for simplicity.
     uint32_t e = (sequence_number_ >> 48) & 0x3;
@@ -377,7 +377,7 @@ bool TlsRecordFilter::Unprotect(const TlsRecordHeader& header,
                                 const DataBuffer& ciphertext,
                                 uint8_t* inner_content_type,
                                 DataBuffer* plaintext) {
-  if (!cipher_spec_ || header.content_type() != kTlsApplicationDataType) {
+  if (!cipher_spec_ || header.content_type() != ssl_ct_application_data) {
     *inner_content_type = header.content_type();
     *plaintext = ciphertext;
     return true;
@@ -411,7 +411,7 @@ bool TlsRecordFilter::Protect(const TlsRecordHeader& header,
                               uint8_t inner_content_type,
                               const DataBuffer& plaintext,
                               DataBuffer* ciphertext, size_t padding) {
-  if (!cipher_spec_ || header.content_type() != kTlsApplicationDataType) {
+  if (!cipher_spec_ || header.content_type() != ssl_ct_application_data) {
     *ciphertext = plaintext;
     return true;
   }
@@ -453,8 +453,7 @@ PacketFilter::Action TlsHandshakeFilter::FilterRecord(
     const TlsRecordHeader& record_header, const DataBuffer& input,
     DataBuffer* output) {
   // Check that the first byte is as requested.
-  if ((record_header.content_type() != kTlsHandshakeType) &&
-      (record_header.content_type() != kTlsAltHandshakeType)) {
+  if (record_header.content_type() != ssl_ct_handshake) {
     return KEEP;
   }
 
@@ -879,6 +878,17 @@ PacketFilter::Action TlsExtensionDropper::FilterExtension(
   return KEEP;
 }
 
+PacketFilter::Action TlsExtensionDamager::FilterExtension(
+    uint16_t extension_type, const DataBuffer& input, DataBuffer* output) {
+  if (extension_type != extension_) {
+    return KEEP;
+  }
+
+  *output = input;
+  output->data()[index_] += 73;  // Increment selected for maximum damage
+  return CHANGE;
+}
+
 PacketFilter::Action TlsExtensionInjector::FilterHandshake(
     const HandshakeHeader& header, const DataBuffer& input,
     DataBuffer* output) {
diff --git a/security/nss/gtests/ssl_gtest/tls_filter.h b/security/nss/gtests/ssl_gtest/tls_filter.h
index effda4aa0..2b6e88645 100644
--- a/security/nss/gtests/ssl_gtest/tls_filter.h
+++ b/security/nss/gtests/ssl_gtest/tls_filter.h
@@ -172,20 +172,19 @@ inline std::ostream& operator<<(std::ostream& stream,
   hdr.WriteStream(stream);
   stream << ' ';
   switch (hdr.content_type()) {
-    case kTlsChangeCipherSpecType:
+    case ssl_ct_change_cipher_spec:
       stream << "CCS";
       break;
-    case kTlsAlertType:
+    case ssl_ct_alert:
       stream << "Alert";
       break;
-    case kTlsHandshakeType:
-    case kTlsAltHandshakeType:
+    case ssl_ct_handshake:
       stream << "Handshake";
       break;
-    case kTlsApplicationDataType:
+    case ssl_ct_application_data:
       stream << "Data";
       break;
-    case kTlsAckType:
+    case ssl_ct_ack:
       stream << "ACK";
       break;
     default:
@@ -301,7 +300,7 @@ class TlsRecordRecorder : public TlsRecordFilter {
   TlsRecordRecorder(const std::shared_ptr<TlsAgent>& a)
       : TlsRecordFilter(a),
         filter_(false),
-        ct_(content_handshake),  // dummy (<optional> is C++14)
+        ct_(ssl_ct_handshake),  // dummy (<optional> is C++14)
         records_() {}
   virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                             const DataBuffer& input,
@@ -466,6 +465,20 @@ class TlsExtensionInjector : public TlsHandshakeFilter {
   const DataBuffer data_;
 };
 
+class TlsExtensionDamager : public TlsExtensionFilter {
+ public:
+  TlsExtensionDamager(const std::shared_ptr<TlsAgent>& a, uint16_t extension,
+                      size_t index)
+      : TlsExtensionFilter(a), extension_(extension), index_(index) {}
+  virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
+                                               const DataBuffer& input,
+                                               DataBuffer* output);
+
+ private:
+  uint16_t extension_;
+  size_t index_;
+};
+
 typedef std::function<void(void)> VoidFunction;
 
 class AfterRecordN : public TlsRecordFilter {
diff --git a/security/nss/gtests/ssl_gtest/tls_hkdf_unittest.cc b/security/nss/gtests/ssl_gtest/tls_hkdf_unittest.cc
index 45f6cf2bd..004da3b1c 100644
--- a/security/nss/gtests/ssl_gtest/tls_hkdf_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/tls_hkdf_unittest.cc
@@ -11,7 +11,7 @@
 
 #include "databuffer.h"
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
@@ -60,9 +60,11 @@ const std::string kHashName[] = {"None",    "MD5",     "SHA-1",  "SHA-224",
                                  "SHA-256", "SHA-384", "SHA-512"};
 
 static void ImportKey(ScopedPK11SymKey* to, const DataBuffer& key,
-                      PK11SlotInfo* slot) {
+                      SSLHashType hash_type, PK11SlotInfo* slot) {
+  ASSERT_LT(hash_type, sizeof(kHashLength));
+  ASSERT_LE(kHashLength[hash_type], key.len());
   SECItem key_item = {siBuffer, const_cast<uint8_t*>(key.data()),
-                      static_cast<unsigned int>(key.len())};
+                      static_cast<unsigned int>(kHashLength[hash_type])};
 
   PK11SymKey* inner =
       PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE, PK11_OriginUnwrap,
@@ -106,8 +108,8 @@ class TlsHkdfTest : public ::testing::Test,
   }
 
   void SetUp() {
-    ImportKey(&k1_, kKey1, slot_.get());
-    ImportKey(&k2_, kKey2, slot_.get());
+    ImportKey(&k1_, kKey1, hash_type_, slot_.get());
+    ImportKey(&k2_, kKey2, hash_type_, slot_.get());
   }
 
   void VerifyKey(const ScopedPK11SymKey& key, const DataBuffer& expected) {
@@ -183,9 +185,9 @@ TEST_P(TlsHkdfTest, HkdfKey1Only) {
       {/* ssl_hash_md5    */},
       {/* ssl_hash_sha1   */},
       {/* ssl_hash_sha224 */},
-      {0x11, 0x87, 0x38, 0x28, 0xa9, 0x19, 0x78, 0x11, 0x33, 0x91, 0x24,
-       0xb5, 0x8a, 0x1b, 0xb0, 0x9f, 0x7f, 0x0d, 0x8d, 0xbb, 0x10, 0xf4,
-       0x9c, 0x54, 0xbd, 0x1f, 0xd8, 0x85, 0xcd, 0x15, 0x30, 0x33},
+      {0x41, 0x6c, 0x53, 0x92, 0xb9, 0xf3, 0x6d, 0xf1, 0x88, 0xe9, 0x0e,
+       0xb1, 0x4d, 0x17, 0xbf, 0x0d, 0xa1, 0x90, 0xbf, 0xdb, 0x7f, 0x1f,
+       0x49, 0x56, 0xe6, 0xe5, 0x66, 0xa5, 0x69, 0xc8, 0xb1, 0x5c},
       {0x51, 0xb1, 0xd5, 0xb4, 0x59, 0x79, 0x79, 0x08, 0x4a, 0x15, 0xb2, 0xdb,
        0x84, 0xd3, 0xd6, 0xbc, 0xfc, 0x93, 0x45, 0xd9, 0xdc, 0x74, 0xda, 0x1a,
        0x57, 0xc2, 0x76, 0x9f, 0x3f, 0x83, 0x45, 0x2f, 0xf6, 0xf3, 0x56, 0x1f,
@@ -201,11 +203,9 @@ TEST_P(TlsHkdfTest, HkdfKey2Only) {
       {/* ssl_hash_md5    */},
       {/* ssl_hash_sha1   */},
       {/* ssl_hash_sha224 */},
-      {
-          0x2f, 0x5f, 0x78, 0xd0, 0xa4, 0xc4, 0x36, 0xee, 0x6c, 0x8a, 0x4e,
-          0xf9, 0xd0, 0x43, 0x81, 0x02, 0x13, 0xfd, 0x47, 0x83, 0x63, 0x3a,
-          0xd2, 0xe1, 0x40, 0x6d, 0x2d, 0x98, 0x00, 0xfd, 0xc1, 0x87,
-      },
+      {0x16, 0xaf, 0x00, 0x54, 0x3a, 0x56, 0xc8, 0x26, 0xa2, 0xa7, 0xfc,
+       0xb6, 0x34, 0x66, 0x8a, 0xfd, 0x36, 0xdc, 0x8e, 0xce, 0xc4, 0xd2,
+       0x6c, 0x7a, 0xdc, 0xe3, 0x70, 0x36, 0x3d, 0x60, 0xfa, 0x0b},
       {0x7b, 0x40, 0xf9, 0xef, 0x91, 0xff, 0xc9, 0xd1, 0x29, 0x24, 0x5c, 0xbf,
        0xf8, 0x82, 0x76, 0x68, 0xae, 0x4b, 0x63, 0xe8, 0x03, 0xdd, 0x39, 0xa8,
        0xd4, 0x6a, 0xf6, 0xe5, 0xec, 0xea, 0xf8, 0x7d, 0x91, 0x71, 0x81, 0xf1,
@@ -221,11 +221,9 @@ TEST_P(TlsHkdfTest, HkdfKey1Key2) {
       {/* ssl_hash_md5    */},
       {/* ssl_hash_sha1   */},
       {/* ssl_hash_sha224 */},
-      {
-          0x79, 0x53, 0xb8, 0xdd, 0x6b, 0x98, 0xce, 0x00, 0xb7, 0xdc, 0xe8,
-          0x03, 0x70, 0x8c, 0xe3, 0xac, 0x06, 0x8b, 0x22, 0xfd, 0x0e, 0x34,
-          0x48, 0xe6, 0xe5, 0xe0, 0x8a, 0xd6, 0x16, 0x18, 0xe5, 0x48,
-      },
+      {0xa5, 0x68, 0x02, 0x5a, 0x95, 0xc9, 0x7f, 0x55, 0x38, 0xbc, 0xf7,
+       0x97, 0xcc, 0x0f, 0xd5, 0xf6, 0xa8, 0x8d, 0x15, 0xbc, 0x0e, 0x85,
+       0x74, 0x70, 0x3c, 0xa3, 0x65, 0xbd, 0x76, 0xcf, 0x9f, 0xd3},
       {0x01, 0x93, 0xc0, 0x07, 0x3f, 0x6a, 0x83, 0x0e, 0x2e, 0x4f, 0xb2, 0x58,
        0xe4, 0x00, 0x08, 0x5c, 0x68, 0x9c, 0x37, 0x32, 0x00, 0x37, 0xff, 0xc3,
        0x1c, 0x5b, 0x98, 0x0b, 0x02, 0x92, 0x3f, 0xfd, 0x73, 0x5a, 0x6f, 0x2a,
@@ -241,9 +239,9 @@ TEST_P(TlsHkdfTest, HkdfExpandLabel) {
       {/* ssl_hash_md5    */},
       {/* ssl_hash_sha1   */},
       {/* ssl_hash_sha224 */},
-      {0xc6, 0xdd, 0x6e, 0xc4, 0x76, 0xb8, 0x55, 0xf2, 0xa4, 0xfc, 0x59,
-       0x04, 0xa4, 0x90, 0xdc, 0xa7, 0xa7, 0x0d, 0x94, 0x8f, 0xc2, 0xdc,
-       0x15, 0x6d, 0x48, 0x93, 0x9d, 0x05, 0xbb, 0x9a, 0xbc, 0xc1},
+      {0x3e, 0x4e, 0x6e, 0xd0, 0xbc, 0xc4, 0xf4, 0xff, 0xf0, 0xf5, 0x69,
+       0xd0, 0x6c, 0x1e, 0x0e, 0x10, 0x32, 0xaa, 0xd7, 0xa3, 0xef, 0xf6,
+       0xa8, 0x65, 0x8e, 0xbe, 0xee, 0xc7, 0x1f, 0x01, 0x6d, 0x3c},
       {0x41, 0xea, 0x77, 0x09, 0x8c, 0x90, 0x04, 0x10, 0xec, 0xbc, 0x37, 0xd8,
        0x5b, 0x54, 0xcd, 0x7b, 0x08, 0x15, 0x13, 0x20, 0xed, 0x1e, 0x3f, 0x54,
        0x74, 0xf7, 0x8b, 0x06, 0x38, 0x28, 0x06, 0x37, 0x75, 0x23, 0xa2, 0xb7,
diff --git a/security/nss/gtests/util_gtest/util_pkcs11uri_unittest.cc b/security/nss/gtests/util_gtest/util_pkcs11uri_unittest.cc
index 5f1d94acf..680e2f4a2 100644
--- a/security/nss/gtests/util_gtest/util_pkcs11uri_unittest.cc
+++ b/security/nss/gtests/util_gtest/util_pkcs11uri_unittest.cc
@@ -160,6 +160,7 @@ TEST_F(PK11URITest, ParseRetrieveTest) {
 
 TEST_F(PK11URITest, ParseFormatTest) {
   TestParseFormat("pkcs11:", "pkcs11:");
+  TestParseFormat("PKCS11:", "pkcs11:");
   TestParseFormat("pkcs11:token=aaa", "pkcs11:token=aaa");
   TestParseFormat("pkcs11:token=aaa;manufacturer=bbb",
                   "pkcs11:token=aaa;manufacturer=bbb");
diff --git a/security/nss/help.txt b/security/nss/help.txt
index b4ffc0382..1df72736e 100644
--- a/security/nss/help.txt
+++ b/security/nss/help.txt
@@ -1,15 +1,15 @@
-Usage: build.sh [-hcv] [-cc] [-j <n>] [--nspr] [--gyp|-g] [--opt|-o] [-m32]
-                [--test] [--pprof] [--scan-build[=output]] [--ct-verif]
-                [--asan] [--ubsan] [--msan] [--sancov[=edge|bb|func|...]]
-                [--disable-tests] [--fuzz[=tls|oss]] [--system-sqlite]
-                [--no-zdefs] [--with-nspr] [--system-nspr] [--enable-libpkix]
-                [--enable-fips]
+Usage: build.sh [-h] [-c|-cc] [-v] [-j <n>] [--gyp|-g] [--opt|-o]
+                [-t <x64|x86|...>|--target=<x64|x86|...>]
+                [--clang|--gcc|--msvc] [--scan-build[=dir]] [--disable-tests]
+                [--pprof] [--asan] [--msan] [--ubsan[=bool,shift,...]
+                [--fuzz[=tls|oss]] [--sancov[=edge|bb|func|...]]
+                [--emit-llvm] [--no-zdefs] [--test] [--ct-verif]
+                [--nspr|--with-nspr=<include>:<lib>|--system-nspr]
+                [--system-sqlite] [--enable-fips] [--enable-libpkix]
+                [--mozpkix-only]
 
 This script builds NSS with gyp and ninja.
 
-This build system is still under development.  It does not yet support all
-the features or platforms that NSS supports.
-
 NSS build tool options:
 
     -h               display this help and exit
@@ -17,34 +17,37 @@ NSS build tool options:
     -cc              clean without building
     -v               verbose build
     -j <n>           run at most <n> concurrent jobs
-    --nspr           force a rebuild of NSPR
     --gyp|-g         force a rerun of gyp
     --opt|-o         do an opt build
-    -m32             do a 32-bit build on a 64-bit system
+    --target|-t      specify target architecture (e.g., x86, x64, aarch64)
     --clang          build with clang and clang++
     --gcc            build with gcc and g++
-    --test           ignore map files and export everything we have
+    --msvc           build with MSVC
+    --scan-build     run the build with scan-build
+                     --scan-build=<dir> sets the output path for scan-build
+    --disable-tests  don't build tests and corresponding cmdline utils
+    --pprof          build with gperftool support
+    --asan           enable address sanitizer
+    --msan           enable memory sanitizer
+    --ubsan          enable undefined behavior sanitizer
+                     --ubsan=bool,shift,... sets specific UB sanitizers
     --fuzz           build fuzzing targets (this always enables test builds)
                      --fuzz=tls to enable TLS fuzzing mode
                      --fuzz=oss to build for OSS-Fuzz
-    --pprof          build with gperftool support
-    --ct-verif       build with valgrind for ct-verif
-    --scan-build     run the build with scan-build (scan-build has to be in the path)
-                     --scan-build=/out/path sets the output path for scan-build
-    --asan           do an asan build
-    --ubsan          do an ubsan build
-                     --ubsan=bool,shift,... sets specific UB sanitizers
-    --msan           do an msan build
     --sancov         do sanitize coverage builds
                      --sancov=func sets coverage to function level for example
     --emit-llvm      emit LLVM bitcode while building
                      (requires the gold linker, use clang-3.8 for SAW)
-    --disable-tests  don't build tests and corresponding cmdline utils
-    --system-sqlite  use system sqlite
     --no-zdefs       don't set -Wl,-z,defs
-    --with-nspr      don't build NSPR but use the one at the given location, e.g.
-                     --with-nspr=/path/to/nspr/include:/path/to/nspr/lib
-    --system-nspr    use system nspr. This requires an installation of NSPR and
-                     might not work on all systems.
-    --enable-libpkix make libpkix part of the build.
-    --enable-fips    don't disable FIPS checks.
+    --test           ignore map files and export everything we have
+    --ct-verif       build with valgrind for ct-verif
+    --nspr           force a rebuild of NSPR
+    --with-nspr      use the NSPR build at the given locations
+                     --with-nspr=<include>:<lib> sets include and lib paths
+    --system-nspr    attempt to use system nspr
+                     shorthand for --with-nspr=/usr/include/nspr:
+    --system-sqlite  use system sqlite
+    --enable-fips    enable FIPS checks
+    --enable-libpkix make libpkix part of the build
+    --mozpkix-only   build only static mozpkix and mozpkix-test libraries
+                     support for this build option is limited
diff --git a/security/nss/lib/base/error.c b/security/nss/lib/base/error.c
index 95a76cf79..2ef032933 100644
--- a/security/nss/lib/base/error.c
+++ b/security/nss/lib/base/error.c
@@ -15,6 +15,10 @@
 #include <limits.h> /* for UINT_MAX */
 #include <string.h> /* for memmove */
 
+#if defined(__MINGW32__)
+#include <windows.h>
+#endif
+
 #define NSS_MAX_ERROR_STACK_COUNT 16 /* error codes */
 
 /*
@@ -65,7 +69,32 @@ static const PRCallOnceType error_call_again;
 static PRStatus
 error_once_function(void)
 {
+
+/*
+ * This #ifdef function is redundant. It performs the same thing as the
+ * else case.
+ *
+ * However, the MinGW version looks up the function from nss3's export
+ * table, and on MinGW _that_ behaves differently than passing a
+ * function pointer in a different module because MinGW has
+ * -mnop-fun-dllimport specified, which generates function thunks for
+ * cross-module calls. And when a module (like nssckbi) gets unloaded,
+ * and you try to call into that thunk (which is now missing) you'll
+ * crash. So we do this bit of ugly to avoid that crash. Fortunately
+ * this is the only place we've had to do this.
+ */
+#if defined(__MINGW32__)
+    HMODULE nss3 = GetModuleHandleW(L"nss3");
+    if (nss3) {
+        FARPROC freePtr = GetProcAddress(nss3, "PR_Free");
+        if (freePtr) {
+            return PR_NewThreadPrivateIndex(&error_stack_index, freePtr);
+        }
+    }
+    return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free);
+#else
     return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free);
+#endif
 }
 
 /*
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
index c76a5a9b0..333ba4c9d 100644
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -18,7 +18,7 @@
 #include "seccomon.h"
 #include "secdert.h"
 #include "secoidt.h"
-#include "keyt.h"
+#include "keythi.h"
 #include "certt.h"
 
 SEC_BEGIN_PROTOS
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index 1a676a720..85b5f2917 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -446,6 +446,74 @@ cert_GetCertType(CERTCertificate *cert)
     return SECSuccess;
 }
 
+PRBool
+cert_EKUAllowsIPsecIKE(CERTCertificate *cert, PRBool *isCritical)
+{
+    SECStatus rv;
+    SECItem encodedExtKeyUsage;
+    CERTOidSequence *extKeyUsage = NULL;
+    PRBool result = PR_FALSE;
+
+    rv = CERT_GetExtenCriticality(cert->extensions,
+                                  SEC_OID_X509_EXT_KEY_USAGE,
+                                  isCritical);
+    if (rv != SECSuccess) {
+        *isCritical = PR_FALSE;
+    }
+
+    encodedExtKeyUsage.data = NULL;
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE,
+                                &encodedExtKeyUsage);
+    if (rv != SECSuccess) {
+        /* EKU not present, allowed. */
+        result = PR_TRUE;
+        goto done;
+    }
+
+    extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage);
+    if (!extKeyUsage) {
+        /* failure */
+        goto done;
+    }
+
+    if (findOIDinOIDSeqByTagNum(extKeyUsage,
+                                SEC_OID_X509_ANY_EXT_KEY_USAGE) ==
+        SECSuccess) {
+        result = PR_TRUE;
+        goto done;
+    }
+
+    if (findOIDinOIDSeqByTagNum(extKeyUsage,
+                                SEC_OID_EXT_KEY_USAGE_IPSEC_IKE) ==
+        SECSuccess) {
+        result = PR_TRUE;
+        goto done;
+    }
+
+    if (findOIDinOIDSeqByTagNum(extKeyUsage,
+                                SEC_OID_IPSEC_IKE_END) ==
+        SECSuccess) {
+        result = PR_TRUE;
+        goto done;
+    }
+
+    if (findOIDinOIDSeqByTagNum(extKeyUsage,
+                                SEC_OID_IPSEC_IKE_INTERMEDIATE) ==
+        SECSuccess) {
+        result = PR_TRUE;
+        goto done;
+    }
+
+done:
+    if (encodedExtKeyUsage.data != NULL) {
+        PORT_Free(encodedExtKeyUsage.data);
+    }
+    if (extKeyUsage != NULL) {
+        CERT_DestroyOidSequence(extKeyUsage);
+    }
+    return result;
+}
+
 PRUint32
 cert_ComputeCertType(CERTCertificate *cert)
 {
@@ -1083,6 +1151,10 @@ CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, PRBool ca,
                 requiredKeyUsage = KU_KEY_CERT_SIGN;
                 requiredCertType = NS_CERT_TYPE_SSL_CA;
                 break;
+            case certUsageIPsec:
+                requiredKeyUsage = KU_KEY_CERT_SIGN;
+                requiredCertType = NS_CERT_TYPE_SSL_CA;
+                break;
             case certUsageSSLCA:
                 requiredKeyUsage = KU_KEY_CERT_SIGN;
                 requiredCertType = NS_CERT_TYPE_SSL_CA;
@@ -1125,6 +1197,11 @@ CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, PRBool ca,
                 requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT;
                 requiredCertType = NS_CERT_TYPE_SSL_SERVER;
                 break;
+            case certUsageIPsec:
+                /* RFC 4945 Section 5.1.3.2 */
+                requiredKeyUsage = KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION;
+                requiredCertType = 0;
+                break;
             case certUsageSSLServerWithStepUp:
                 requiredKeyUsage =
                     KU_KEY_AGREEMENT_OR_ENCIPHERMENT | KU_NS_GOVT_APPROVED;
diff --git a/security/nss/lib/certdb/certi.h b/security/nss/lib/certdb/certi.h
index 456f2fc4e..2a8ae2758 100644
--- a/security/nss/lib/certdb/certi.h
+++ b/security/nss/lib/certdb/certi.h
@@ -294,6 +294,9 @@ extern SECStatus cert_GetCertType(CERTCertificate* cert);
  */
 extern PRUint32 cert_ComputeCertType(CERTCertificate* cert);
 
+extern PRBool cert_EKUAllowsIPsecIKE(CERTCertificate* cert,
+                                     PRBool* isCritical);
+
 void cert_AddToVerifyLog(CERTVerifyLog* log, CERTCertificate* cert,
                          long errorCode, unsigned int depth, void* arg);
 
diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h
index 797f9f585..9cac70ca6 100644
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -447,7 +447,8 @@ typedef enum SECCertUsageEnum {
     certUsageVerifyCA = 8,
     certUsageProtectedObjectSigner = 9,
     certUsageStatusResponder = 10,
-    certUsageAnyCA = 11
+    certUsageAnyCA = 11,
+    certUsageIPsec = 12
 } SECCertUsage;
 
 typedef PRInt64 SECCertificateUsage;
@@ -465,8 +466,9 @@ typedef PRInt64 SECCertificateUsage;
 #define certificateUsageProtectedObjectSigner (0x0200)
 #define certificateUsageStatusResponder (0x0400)
 #define certificateUsageAnyCA (0x0800)
+#define certificateUsageIPsec (0x1000)
 
-#define certificateUsageHighest certificateUsageAnyCA
+#define certificateUsageHighest certificateUsageIPsec
 
 /*
  * Does the cert belong to the user, a peer, or a CA.
diff --git a/security/nss/lib/certhigh/certreq.c b/security/nss/lib/certhigh/certreq.c
index 4087bc978..2ab4f1ab7 100644
--- a/security/nss/lib/certhigh/certreq.c
+++ b/security/nss/lib/certhigh/certreq.c
@@ -5,7 +5,7 @@
 #include "cert.h"
 #include "certt.h"
 #include "secder.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secitem.h"
 #include "secasn1.h"
 #include "secerr.h"
diff --git a/security/nss/lib/certhigh/certvfy.c b/security/nss/lib/certhigh/certvfy.c
index ccd38e660..3a94a4150 100644
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@@ -25,7 +25,7 @@
 #include "pkim.h"
 #include "pki3hack.h"
 #include "base.h"
-#include "keyhi.h"
+#include "keyi.h"
 
 /*
  * Check the validity times of a certificate
@@ -73,12 +73,38 @@ checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicKey *key)
                 return SECFailure;
             }
             return SECSuccess;
+
+        case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: {
+            PORTCheapArenaPool tmpArena;
+            SECOidTag hashAlg;
+            SECOidTag maskHashAlg;
+
+            PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
+            rv = sec_DecodeRSAPSSParams(&tmpArena.arena,
+                                        &sigAlgorithm->parameters,
+                                        &hashAlg, &maskHashAlg, NULL);
+            PORT_DestroyCheapArena(&tmpArena);
+            if (rv != SECSuccess) {
+                return SECFailure;
+            }
+
+            if (NSS_GetAlgorithmPolicy(hashAlg, &policyFlags) == SECSuccess &&
+                !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+                PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+                return SECFailure;
+            }
+            if (NSS_GetAlgorithmPolicy(maskHashAlg, &policyFlags) == SECSuccess &&
+                !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+                PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+                return SECFailure;
+            }
+        }
+        /* fall through to RSA key checking */
         case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
         case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
         case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
         case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
         case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
-        case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
         case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
         case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
             if (key->keyType != rsaKey && key->keyType != rsaPssKey) {
@@ -289,6 +315,10 @@ CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
             requiredFlags = CERTDB_TRUSTED_CA;
             trustType = trustSSL;
             break;
+        case certUsageIPsec:
+            requiredFlags = CERTDB_TRUSTED_CA;
+            trustType = trustSSL;
+            break;
         case certUsageSSLServerWithStepUp:
             requiredFlags = CERTDB_TRUSTED_CA | CERTDB_GOVT_APPROVED_CA;
             trustType = trustSSL;
@@ -579,6 +609,7 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
     switch (certUsage) {
         case certUsageSSLClient:
         case certUsageSSLServer:
+        case certUsageIPsec:
         case certUsageSSLCA:
         case certUsageSSLServerWithStepUp:
         case certUsageEmailSigner:
@@ -645,7 +676,8 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
             CERTGeneralName *subjectNameList;
             int subjectNameListLen;
             int i;
-            PRBool getSubjectCN = (!count && certUsage == certUsageSSLServer);
+            PRBool getSubjectCN = (!count &&
+                                   (certUsage == certUsageSSLServer || certUsage == certUsageIPsec));
             subjectNameList =
                 CERT_GetConstrainedCertificateNames(subjectCert, arena,
                                                     getSubjectCN);
@@ -986,6 +1018,7 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
     switch (certUsage) {
         case certUsageSSLClient:
         case certUsageSSLServer:
+        case certUsageIPsec:
         case certUsageSSLCA:
         case certUsageSSLServerWithStepUp:
         case certUsageEmailSigner:
@@ -1171,6 +1204,7 @@ cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
         switch (certUsage) {
             case certUsageSSLClient:
             case certUsageSSLServer:
+            case certUsageIPsec:
                 flags = trust.sslFlags;
 
                 /* is the cert directly trusted or not trusted ? */
@@ -1347,7 +1381,8 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
 
     /* make sure that the cert is valid at time t */
     allowOverride = (PRBool)((requiredUsages & certificateUsageSSLServer) ||
-                             (requiredUsages & certificateUsageSSLServerWithStepUp));
+                             (requiredUsages & certificateUsageSSLServerWithStepUp) ||
+                             (requiredUsages & certificateUsageIPsec));
     validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
     if (validity != secCertTimeValid) {
         valid = SECFailure;
@@ -1360,6 +1395,7 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
 
     for (i = 1; i <= certificateUsageHighest &&
                 (SECSuccess == valid || returnedUsages || log);) {
+        PRBool typeAndEKUAllowed = PR_TRUE;
         PRBool requiredUsage = (i & requiredUsages) ? PR_TRUE : PR_FALSE;
         if (PR_FALSE == requiredUsage && PR_FALSE == checkAllUsages) {
             NEXT_USAGE();
@@ -1376,6 +1412,7 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
             case certUsageEmailRecipient:
             case certUsageObjectSigner:
             case certUsageStatusResponder:
+            case certUsageIPsec:
                 rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE,
                                                       &requiredKeyUsage,
                                                       &requiredCertType);
@@ -1408,7 +1445,19 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
             LOG_ERROR(log, cert, 0, requiredKeyUsage);
             INVALID_USAGE();
         }
-        if (!(certType & requiredCertType)) {
+        if (certUsage != certUsageIPsec) {
+            if (!(certType & requiredCertType)) {
+                typeAndEKUAllowed = PR_FALSE;
+            }
+        } else {
+            PRBool isCritical;
+            PRBool allowed = cert_EKUAllowsIPsecIKE(cert, &isCritical);
+            /* If the extension isn't critical, we allow any EKU value. */
+            if (isCritical && !allowed) {
+                typeAndEKUAllowed = PR_FALSE;
+            }
+        }
+        if (!typeAndEKUAllowed) {
             if (PR_TRUE == requiredUsage) {
                 PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
             }
@@ -1508,7 +1557,8 @@ cert_VerifyCertWithFlags(CERTCertDBHandle *handle, CERTCertificate *cert,
 
     /* make sure that the cert is valid at time t */
     allowOverride = (PRBool)((certUsage == certUsageSSLServer) ||
-                             (certUsage == certUsageSSLServerWithStepUp));
+                             (certUsage == certUsageSSLServerWithStepUp) ||
+                             (certUsage == certUsageIPsec));
     validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
     if (validity != secCertTimeValid) {
         LOG_ERROR_OR_EXIT(log, cert, 0, validity);
@@ -1521,6 +1571,7 @@ cert_VerifyCertWithFlags(CERTCertDBHandle *handle, CERTCertificate *cert,
         case certUsageSSLClient:
         case certUsageSSLServer:
         case certUsageSSLServerWithStepUp:
+        case certUsageIPsec:
         case certUsageSSLCA:
         case certUsageEmailSigner:
         case certUsageEmailRecipient:
@@ -1633,6 +1684,7 @@ CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
  *  certUsageSSLClient
  *  certUsageSSLServer
  *  certUsageSSLServerWithStepUp
+ *  certUsageIPsec
  *  certUsageEmailSigner
  *  certUsageEmailRecipient
  *  certUsageObjectSigner
diff --git a/security/nss/lib/certhigh/ocsp.h b/security/nss/lib/certhigh/ocsp.h
index ac9dd6465..1b94aec2e 100644
--- a/security/nss/lib/certhigh/ocsp.h
+++ b/security/nss/lib/certhigh/ocsp.h
@@ -12,7 +12,7 @@
 #include "plarena.h"
 #include "seccomon.h"
 #include "secoidt.h"
-#include "keyt.h"
+#include "keythi.h"
 #include "certt.h"
 #include "ocspt.h"
 
diff --git a/security/nss/lib/ckfw/builtins/certdata.txt b/security/nss/lib/ckfw/builtins/certdata.txt
index d291f28a5..182dda65e 100644
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -2145,146 +2145,6 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "Visa eCommerce Root"
-#
-# Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
-# Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
-# Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
-# Not Valid Before: Wed Jun 26 02:18:36 2002
-# Not Valid After : Fri Jun 24 00:16:12 2022
-# Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02
-# Fingerprint (SHA1): 70:17:9B:86:8C:00:A4:FA:60:91:52:22:3F:9F:3E:32:BD:E0:05:62
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Visa eCommerce Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
-\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
-\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
-\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
-\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145
-\103\157\155\155\145\162\143\145\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
-\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
-\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
-\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
-\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145
-\103\157\155\155\145\162\143\145\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220
-\034\142
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\242\060\202\002\212\240\003\002\001\002\002\020\023
-\206\065\115\035\077\006\362\301\371\145\005\325\220\034\142\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\153
-\061\013\060\011\006\003\125\004\006\023\002\125\123\061\015\060
-\013\006\003\125\004\012\023\004\126\111\123\101\061\057\060\055
-\006\003\125\004\013\023\046\126\151\163\141\040\111\156\164\145
-\162\156\141\164\151\157\156\141\154\040\123\145\162\166\151\143
-\145\040\101\163\163\157\143\151\141\164\151\157\156\061\034\060
-\032\006\003\125\004\003\023\023\126\151\163\141\040\145\103\157
-\155\155\145\162\143\145\040\122\157\157\164\060\036\027\015\060
-\062\060\066\062\066\060\062\061\070\063\066\132\027\015\062\062
-\060\066\062\064\060\060\061\066\061\062\132\060\153\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\015\060\013\006\003
-\125\004\012\023\004\126\111\123\101\061\057\060\055\006\003\125
-\004\013\023\046\126\151\163\141\040\111\156\164\145\162\156\141
-\164\151\157\156\141\154\040\123\145\162\166\151\143\145\040\101
-\163\163\157\143\151\141\164\151\157\156\061\034\060\032\006\003
-\125\004\003\023\023\126\151\163\141\040\145\103\157\155\155\145
-\162\143\145\040\122\157\157\164\060\202\001\042\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000
-\060\202\001\012\002\202\001\001\000\257\127\336\126\036\156\241
-\332\140\261\224\047\313\027\333\007\077\200\205\117\310\234\266
-\320\364\157\117\317\231\330\341\333\302\110\134\072\254\071\063
-\307\037\152\213\046\075\053\065\365\110\261\221\301\002\116\004
-\226\221\173\260\063\360\261\024\116\021\157\265\100\257\033\105
-\245\112\357\176\266\254\362\240\037\130\077\022\106\140\074\215
-\241\340\175\317\127\076\063\036\373\107\361\252\025\227\007\125
-\146\245\265\055\056\330\200\131\262\247\015\267\106\354\041\143
-\377\065\253\245\002\317\052\364\114\376\173\365\224\135\204\115
-\250\362\140\217\333\016\045\074\237\163\161\317\224\337\112\352
-\333\337\162\070\214\363\226\275\361\027\274\322\272\073\105\132
-\306\247\366\306\027\213\001\235\374\031\250\052\203\026\270\072
-\110\376\116\076\240\253\006\031\351\123\363\200\023\007\355\055
-\277\077\012\074\125\040\071\054\054\000\151\164\225\112\274\040
-\262\251\171\345\030\211\221\250\334\034\115\357\273\176\067\013
-\135\376\071\245\210\122\214\000\154\354\030\174\101\275\366\213
-\165\167\272\140\235\204\347\376\055\002\003\001\000\001\243\102
-\060\100\060\017\006\003\125\035\023\001\001\377\004\005\060\003
-\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003
-\002\001\006\060\035\006\003\125\035\016\004\026\004\024\025\070
-\203\017\077\054\077\160\063\036\315\106\376\007\214\040\340\327
-\303\267\060\015\006\011\052\206\110\206\367\015\001\001\005\005
-\000\003\202\001\001\000\137\361\101\175\174\134\010\271\053\340
-\325\222\107\372\147\134\245\023\303\003\041\233\053\114\211\106
-\317\131\115\311\376\245\100\266\143\315\335\161\050\225\147\021
-\314\044\254\323\104\154\161\256\001\040\153\003\242\217\030\267
-\051\072\175\345\026\140\123\170\074\300\257\025\203\367\217\122
-\063\044\275\144\223\227\356\213\367\333\030\250\155\161\263\367
-\054\027\320\164\045\151\367\376\153\074\224\276\115\113\101\214
-\116\342\163\320\343\220\042\163\103\315\363\357\352\163\316\105
-\212\260\246\111\377\114\175\235\161\210\304\166\035\220\133\035
-\356\375\314\367\356\375\140\245\261\172\026\161\321\026\320\174
-\022\074\154\151\227\333\256\137\071\232\160\057\005\074\031\106
-\004\231\040\066\320\140\156\141\006\273\026\102\214\160\367\060
-\373\340\333\146\243\000\001\275\346\054\332\221\137\240\106\213
-\115\152\234\075\075\335\005\106\376\166\277\240\012\074\344\000
-\346\047\267\377\204\055\336\272\042\047\226\020\161\353\042\355
-\337\337\063\234\317\343\255\256\216\324\216\346\117\121\257\026
-\222\340\134\366\007\017
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "Visa eCommerce Root"
-# Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
-# Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
-# Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
-# Not Valid Before: Wed Jun 26 02:18:36 2002
-# Not Valid After : Fri Jun 24 00:16:12 2022
-# Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02
-# Fingerprint (SHA1): 70:17:9B:86:8C:00:A4:FA:60:91:52:22:3F:9F:3E:32:BD:E0:05:62
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Visa eCommerce Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\160\027\233\206\214\000\244\372\140\221\122\042\077\237\076\062
-\275\340\005\142
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\374\021\270\330\010\223\060\000\155\043\371\176\353\122\036\002
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
-\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
-\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
-\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
-\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145
-\103\157\155\155\145\162\143\145\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220
-\034\142
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Certum Root CA"
 #
 # Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
@@ -7054,193 +6914,6 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "AC Raiz Certicamara S.A."
-#
-# Issuer: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
-# Serial Number:07:7e:52:93:7b:e0:15:e3:57:f0:69:8c:cb:ec:0c
-# Subject: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
-# Not Valid Before: Mon Nov 27 20:46:29 2006
-# Not Valid After : Tue Apr 02 21:42:02 2030
-# Fingerprint (MD5): 93:2A:3E:F6:FD:23:69:0D:71:20:D4:2B:47:99:2B:A6
-# Fingerprint (SHA1): CB:A1:C5:F8:B0:E3:5E:B8:B9:45:12:D3:F9:34:A2:E9:06:10:D3:36
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AC Ra\xC3\xADz Certic\xC3\xA1mara S.A."
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\173\061\013\060\011\006\003\125\004\006\023\002\103\117\061
-\107\060\105\006\003\125\004\012\014\076\123\157\143\151\145\144
-\141\144\040\103\141\155\145\162\141\154\040\144\145\040\103\145
-\162\164\151\146\151\143\141\143\151\303\263\156\040\104\151\147
-\151\164\141\154\040\055\040\103\145\162\164\151\143\303\241\155
-\141\162\141\040\123\056\101\056\061\043\060\041\006\003\125\004
-\003\014\032\101\103\040\122\141\303\255\172\040\103\145\162\164
-\151\143\303\241\155\141\162\141\040\123\056\101\056
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\173\061\013\060\011\006\003\125\004\006\023\002\103\117\061
-\107\060\105\006\003\125\004\012\014\076\123\157\143\151\145\144
-\141\144\040\103\141\155\145\162\141\154\040\144\145\040\103\145
-\162\164\151\146\151\143\141\143\151\303\263\156\040\104\151\147
-\151\164\141\154\040\055\040\103\145\162\164\151\143\303\241\155
-\141\162\141\040\123\056\101\056\061\043\060\041\006\003\125\004
-\003\014\032\101\103\040\122\141\303\255\172\040\103\145\162\164
-\151\143\303\241\155\141\162\141\040\123\056\101\056
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\017\007\176\122\223\173\340\025\343\127\360\151\214\313\354
-\014
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\006\146\060\202\004\116\240\003\002\001\002\002\017\007
-\176\122\223\173\340\025\343\127\360\151\214\313\354\014\060\015
-\006\011\052\206\110\206\367\015\001\001\005\005\000\060\173\061
-\013\060\011\006\003\125\004\006\023\002\103\117\061\107\060\105
-\006\003\125\004\012\014\076\123\157\143\151\145\144\141\144\040
-\103\141\155\145\162\141\154\040\144\145\040\103\145\162\164\151
-\146\151\143\141\143\151\303\263\156\040\104\151\147\151\164\141
-\154\040\055\040\103\145\162\164\151\143\303\241\155\141\162\141
-\040\123\056\101\056\061\043\060\041\006\003\125\004\003\014\032
-\101\103\040\122\141\303\255\172\040\103\145\162\164\151\143\303
-\241\155\141\162\141\040\123\056\101\056\060\036\027\015\060\066
-\061\061\062\067\062\060\064\066\062\071\132\027\015\063\060\060
-\064\060\062\062\061\064\062\060\062\132\060\173\061\013\060\011
-\006\003\125\004\006\023\002\103\117\061\107\060\105\006\003\125
-\004\012\014\076\123\157\143\151\145\144\141\144\040\103\141\155
-\145\162\141\154\040\144\145\040\103\145\162\164\151\146\151\143
-\141\143\151\303\263\156\040\104\151\147\151\164\141\154\040\055
-\040\103\145\162\164\151\143\303\241\155\141\162\141\040\123\056
-\101\056\061\043\060\041\006\003\125\004\003\014\032\101\103\040
-\122\141\303\255\172\040\103\145\162\164\151\143\303\241\155\141
-\162\141\040\123\056\101\056\060\202\002\042\060\015\006\011\052
-\206\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060
-\202\002\012\002\202\002\001\000\253\153\211\243\123\314\110\043
-\010\373\303\317\121\226\010\056\270\010\172\155\074\220\027\206
-\251\351\355\056\023\064\107\262\320\160\334\311\074\320\215\312
-\356\113\027\253\320\205\260\247\043\004\313\250\242\374\345\165
-\333\100\312\142\211\217\120\236\001\075\046\133\030\204\034\313
-\174\067\267\175\354\323\177\163\031\260\152\262\330\210\212\055
-\105\164\250\367\263\270\300\324\332\315\042\211\164\115\132\025
-\071\163\030\164\117\265\353\231\247\301\036\210\264\302\223\220
-\143\227\363\247\247\022\262\011\042\007\063\331\221\315\016\234
-\037\016\040\307\356\273\063\215\217\302\322\130\247\137\375\145
-\067\342\210\302\330\217\206\165\136\371\055\247\207\063\362\170
-\067\057\213\274\035\206\067\071\261\224\362\330\274\112\234\203
-\030\132\006\374\363\324\324\272\214\025\011\045\360\371\266\215
-\004\176\027\022\063\153\127\110\114\117\333\046\036\353\314\220
-\347\213\371\150\174\160\017\243\052\320\072\070\337\067\227\342
-\133\336\200\141\323\200\330\221\203\102\132\114\004\211\150\021
-\074\254\137\150\200\101\314\140\102\316\015\132\052\014\017\233
-\060\300\246\360\206\333\253\111\327\227\155\110\213\371\003\300
-\122\147\233\022\367\302\362\056\230\145\102\331\326\232\343\320
-\031\061\014\255\207\325\127\002\172\060\350\206\046\373\217\043
-\212\124\207\344\277\074\356\353\303\165\110\137\036\071\157\201
-\142\154\305\055\304\027\124\031\267\067\215\234\067\221\310\366
-\013\325\352\143\157\203\254\070\302\363\077\336\232\373\341\043
-\141\360\310\046\313\066\310\241\363\060\217\244\243\242\241\335
-\123\263\336\360\232\062\037\203\221\171\060\301\251\037\123\233
-\123\242\025\123\077\335\235\263\020\073\110\175\211\017\374\355
-\003\365\373\045\144\165\016\027\031\015\217\000\026\147\171\172
-\100\374\055\131\007\331\220\372\232\255\075\334\200\212\346\134
-\065\242\147\114\021\153\261\370\200\144\000\055\157\042\141\305
-\254\113\046\345\132\020\202\233\244\203\173\064\367\236\211\221
-\040\227\216\267\102\307\146\303\320\351\244\326\365\040\215\304
-\303\225\254\104\012\235\133\163\074\046\075\057\112\276\247\311
-\247\020\036\373\237\120\151\363\002\003\001\000\001\243\201\346
-\060\201\343\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004
-\003\002\001\006\060\035\006\003\125\035\016\004\026\004\024\321
-\011\320\351\327\316\171\164\124\371\072\060\263\364\155\054\003
-\003\033\150\060\201\240\006\003\125\035\040\004\201\230\060\201
-\225\060\201\222\006\004\125\035\040\000\060\201\211\060\053\006
-\010\053\006\001\005\005\007\002\001\026\037\150\164\164\160\072
-\057\057\167\167\167\056\143\145\162\164\151\143\141\155\141\162
-\141\056\143\157\155\057\144\160\143\057\060\132\006\010\053\006
-\001\005\005\007\002\002\060\116\032\114\114\151\155\151\164\141
-\143\151\157\156\145\163\040\144\145\040\147\141\162\141\156\164
-\355\141\163\040\144\145\040\145\163\164\145\040\143\145\162\164
-\151\146\151\143\141\144\157\040\163\145\040\160\165\145\144\145
-\156\040\145\156\143\157\156\164\162\141\162\040\145\156\040\154
-\141\040\104\120\103\056\060\015\006\011\052\206\110\206\367\015
-\001\001\005\005\000\003\202\002\001\000\134\224\265\270\105\221
-\115\216\141\037\003\050\017\123\174\346\244\131\251\263\212\172
-\305\260\377\010\174\054\243\161\034\041\023\147\241\225\022\100
-\065\203\203\217\164\333\063\134\360\111\166\012\201\122\335\111
-\324\232\062\063\357\233\247\313\165\345\172\313\227\022\220\134
-\272\173\305\233\337\273\071\043\310\377\230\316\012\115\042\001
-\110\007\176\212\300\325\040\102\224\104\357\277\167\242\211\147
-\110\033\100\003\005\241\211\354\317\142\343\075\045\166\146\277
-\046\267\273\042\276\157\377\071\127\164\272\172\311\001\225\301
-\225\121\350\253\054\370\261\206\040\351\077\313\065\133\322\027
-\351\052\376\203\023\027\100\356\210\142\145\133\325\073\140\351
-\173\074\270\311\325\177\066\002\045\252\150\302\061\025\267\060
-\145\353\177\035\110\171\261\317\071\342\102\200\026\323\365\223
-\043\374\114\227\311\132\067\154\174\042\330\112\315\322\216\066
-\203\071\221\220\020\310\361\311\065\176\077\270\323\201\306\040
-\144\032\266\120\302\041\244\170\334\320\057\073\144\223\164\360
-\226\220\361\357\373\011\132\064\100\226\360\066\022\301\243\164
-\214\223\176\101\336\167\213\354\206\331\322\017\077\055\321\314
-\100\242\211\146\110\036\040\263\234\043\131\163\251\104\163\274
-\044\171\220\126\067\263\306\051\176\243\017\361\051\071\357\176
-\134\050\062\160\065\254\332\270\310\165\146\374\233\114\071\107
-\216\033\157\233\115\002\124\042\063\357\141\272\236\051\204\357
-\116\113\063\107\166\227\152\313\176\137\375\025\246\236\102\103
-\133\146\132\212\210\015\367\026\271\077\121\145\053\146\152\213
-\321\070\122\242\326\106\021\372\374\232\034\164\236\217\227\013
-\002\117\144\306\365\150\323\113\055\377\244\067\036\213\077\277
-\104\276\141\106\241\204\075\010\047\114\201\040\167\211\010\352
-\147\100\136\154\010\121\137\064\132\214\226\150\315\327\367\211
-\302\034\323\062\000\257\122\313\323\140\133\052\072\107\176\153
-\060\063\241\142\051\177\112\271\341\055\347\024\043\016\016\030
-\107\341\171\374\025\125\320\261\374\045\161\143\165\063\034\043
-\053\257\134\331\355\107\167\140\016\073\017\036\322\300\334\144
-\005\211\374\170\326\134\054\046\103\251
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "AC Raiz Certicamara S.A."
-# Issuer: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
-# Serial Number:07:7e:52:93:7b:e0:15:e3:57:f0:69:8c:cb:ec:0c
-# Subject: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
-# Not Valid Before: Mon Nov 27 20:46:29 2006
-# Not Valid After : Tue Apr 02 21:42:02 2030
-# Fingerprint (MD5): 93:2A:3E:F6:FD:23:69:0D:71:20:D4:2B:47:99:2B:A6
-# Fingerprint (SHA1): CB:A1:C5:F8:B0:E3:5E:B8:B9:45:12:D3:F9:34:A2:E9:06:10:D3:36
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AC Ra\xC3\xADz Certic\xC3\xA1mara S.A."
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\313\241\305\370\260\343\136\270\271\105\022\323\371\064\242\351
-\006\020\323\066
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\223\052\076\366\375\043\151\015\161\040\324\053\107\231\053\246
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\173\061\013\060\011\006\003\125\004\006\023\002\103\117\061
-\107\060\105\006\003\125\004\012\014\076\123\157\143\151\145\144
-\141\144\040\103\141\155\145\162\141\154\040\144\145\040\103\145
-\162\164\151\146\151\143\141\143\151\303\263\156\040\104\151\147
-\151\164\141\154\040\055\040\103\145\162\164\151\143\303\241\155
-\141\162\141\040\123\056\101\056\061\043\060\041\006\003\125\004
-\003\014\032\101\103\040\122\141\303\255\172\040\103\145\162\164
-\151\143\303\241\155\141\162\141\040\123\056\101\056
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\017\007\176\122\223\173\340\025\343\127\360\151\214\313\354
-\014
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Deutsche Telekom Root CA 2"
 #
 # Issuer: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
@@ -7382,136 +7055,6 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "ComSign CA"
-#
-# Issuer: C=IL,O=ComSign,CN=ComSign CA
-# Serial Number:14:13:96:83:14:55:8c:ea:7b:63:e5:fc:34:87:77:44
-# Subject: C=IL,O=ComSign,CN=ComSign CA
-# Not Valid Before: Wed Mar 24 11:32:18 2004
-# Not Valid After : Mon Mar 19 15:02:18 2029
-# Fingerprint (MD5): CD:F4:39:F3:B5:18:50:D7:3E:A4:C5:91:A0:3E:21:4B
-# Fingerprint (SHA1): E1:A4:5B:14:1A:21:DA:1A:79:F4:1A:42:A9:61:D6:69:CD:06:34:C1
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ComSign CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\064\061\023\060\021\006\003\125\004\003\023\012\103\157\155
-\123\151\147\156\040\103\101\061\020\060\016\006\003\125\004\012
-\023\007\103\157\155\123\151\147\156\061\013\060\011\006\003\125
-\004\006\023\002\111\114
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\064\061\023\060\021\006\003\125\004\003\023\012\103\157\155
-\123\151\147\156\040\103\101\061\020\060\016\006\003\125\004\012
-\023\007\103\157\155\123\151\147\156\061\013\060\011\006\003\125
-\004\006\023\002\111\114
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\024\023\226\203\024\125\214\352\173\143\345\374\064\207
-\167\104
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\223\060\202\002\173\240\003\002\001\002\002\020\024
-\023\226\203\024\125\214\352\173\143\345\374\064\207\167\104\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\064
-\061\023\060\021\006\003\125\004\003\023\012\103\157\155\123\151
-\147\156\040\103\101\061\020\060\016\006\003\125\004\012\023\007
-\103\157\155\123\151\147\156\061\013\060\011\006\003\125\004\006
-\023\002\111\114\060\036\027\015\060\064\060\063\062\064\061\061
-\063\062\061\070\132\027\015\062\071\060\063\061\071\061\065\060
-\062\061\070\132\060\064\061\023\060\021\006\003\125\004\003\023
-\012\103\157\155\123\151\147\156\040\103\101\061\020\060\016\006
-\003\125\004\012\023\007\103\157\155\123\151\147\156\061\013\060
-\011\006\003\125\004\006\023\002\111\114\060\202\001\042\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001
-\017\000\060\202\001\012\002\202\001\001\000\360\344\124\151\053
-\323\307\217\152\104\344\176\130\047\370\013\320\344\224\022\212
-\361\033\070\070\057\037\061\234\006\324\054\247\336\013\052\256
-\032\240\343\236\152\277\237\074\307\156\242\371\213\144\154\072
-\255\205\125\121\124\245\070\125\270\253\203\004\362\077\144\066
-\367\300\215\103\103\152\146\321\367\027\052\325\357\066\372\060
-\020\102\327\123\315\371\372\063\163\114\263\351\204\040\212\326
-\101\047\065\344\070\372\224\233\270\172\344\171\037\063\373\033
-\330\041\011\050\174\115\030\151\136\144\212\172\031\223\312\176
-\354\363\162\347\067\007\130\131\050\254\102\371\305\377\315\077
-\347\245\372\070\261\320\014\307\331\122\032\123\326\201\314\102
-\172\065\133\355\113\072\172\366\265\216\314\377\017\174\344\140
-\066\207\057\255\360\241\045\175\377\322\113\021\210\160\124\246
-\101\250\147\123\122\102\136\344\064\236\344\276\243\354\252\142
-\135\335\303\114\246\202\101\344\063\013\254\311\063\017\144\202
-\127\052\375\014\255\066\341\014\256\113\305\357\073\231\331\043
-\263\133\135\264\127\354\164\160\014\052\117\002\003\001\000\001
-\243\201\240\060\201\235\060\014\006\003\125\035\023\004\005\060
-\003\001\001\377\060\075\006\003\125\035\037\004\066\060\064\060
-\062\240\060\240\056\206\054\150\164\164\160\072\057\057\146\145
-\144\151\162\056\143\157\155\163\151\147\156\056\143\157\056\151
-\154\057\143\162\154\057\103\157\155\123\151\147\156\103\101\056
-\143\162\154\060\016\006\003\125\035\017\001\001\377\004\004\003
-\002\001\206\060\037\006\003\125\035\043\004\030\060\026\200\024
-\113\001\233\076\126\032\145\066\166\313\173\227\252\222\005\356
-\062\347\050\061\060\035\006\003\125\035\016\004\026\004\024\113
-\001\233\076\126\032\145\066\166\313\173\227\252\222\005\356\062
-\347\050\061\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\003\202\001\001\000\320\331\245\176\376\051\140\105\235
-\176\203\317\156\274\107\156\365\032\236\124\166\102\161\264\074
-\130\077\055\100\045\102\366\201\234\361\211\020\310\016\252\170
-\117\070\011\127\260\074\300\010\374\065\216\361\110\121\215\014
-\161\164\272\204\304\327\162\233\204\174\070\116\144\006\047\052
-\341\247\265\354\010\231\264\012\015\324\205\163\310\022\341\065
-\355\361\005\061\035\163\231\014\353\226\312\335\323\346\205\252
-\360\212\373\165\301\362\011\074\145\145\144\363\114\330\255\313
-\210\151\363\344\203\267\014\275\027\132\226\027\312\133\377\255
-\273\034\351\055\204\200\330\041\276\205\122\331\324\164\271\151
-\205\272\115\355\050\062\353\371\141\112\344\304\066\036\031\334
-\157\204\021\037\225\365\203\050\030\250\063\222\103\047\335\135
-\023\004\105\117\207\325\106\315\075\250\272\360\363\270\126\044
-\105\353\067\307\341\166\117\162\071\030\337\176\164\162\307\163
-\055\071\352\140\346\255\021\242\126\207\173\303\150\232\376\370
-\214\160\250\337\145\062\364\244\100\214\241\302\104\003\016\224
-\000\147\240\161\000\202\110
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "ComSign CA"
-# Issuer: C=IL,O=ComSign,CN=ComSign CA
-# Serial Number:14:13:96:83:14:55:8c:ea:7b:63:e5:fc:34:87:77:44
-# Subject: C=IL,O=ComSign,CN=ComSign CA
-# Not Valid Before: Wed Mar 24 11:32:18 2004
-# Not Valid After : Mon Mar 19 15:02:18 2029
-# Fingerprint (MD5): CD:F4:39:F3:B5:18:50:D7:3E:A4:C5:91:A0:3E:21:4B
-# Fingerprint (SHA1): E1:A4:5B:14:1A:21:DA:1A:79:F4:1A:42:A9:61:D6:69:CD:06:34:C1
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ComSign CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\341\244\133\024\032\041\332\032\171\364\032\102\251\141\326\151
-\315\006\064\301
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\315\364\071\363\265\030\120\327\076\244\305\221\240\076\041\113
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\064\061\023\060\021\006\003\125\004\003\023\012\103\157\155
-\123\151\147\156\040\103\101\061\020\060\016\006\003\125\004\012
-\023\007\103\157\155\123\151\147\156\061\013\060\011\006\003\125
-\004\006\023\002\111\114
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\024\023\226\203\024\125\214\352\173\143\345\374\064\207
-\167\104
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Cybertrust Global Root"
 #
 # Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc"
@@ -19149,707 +18692,6 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "Certplus Root CA G1"
-#
-# Issuer: CN=Certplus Root CA G1,O=Certplus,C=FR
-# Serial Number:11:20:55:83:e4:2d:3e:54:56:85:2d:83:37:b7:2c:dc:46:11
-# Subject: CN=Certplus Root CA G1,O=Certplus,C=FR
-# Not Valid Before: Mon May 26 00:00:00 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): 15:2A:40:2B:FC:DF:2C:D5:48:05:4D:22:75:B3:9C:7F:CA:3E:C0:97:80:78:B0:F0:EA:76:E5:61:A6:C7:43:3E
-# Fingerprint (SHA1): 22:FD:D0:B7:FD:A2:4E:0D:AC:49:2C:A0:AC:A6:7B:6A:1F:E3:F7:66
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Certplus Root CA G1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\076\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\021\060\017\006\003\125\004\012\014\010\103\145\162\164\160\154
-\165\163\061\034\060\032\006\003\125\004\003\014\023\103\145\162
-\164\160\154\165\163\040\122\157\157\164\040\103\101\040\107\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\076\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\021\060\017\006\003\125\004\012\014\010\103\145\162\164\160\154
-\165\163\061\034\060\032\006\003\125\004\003\014\023\103\145\162
-\164\160\154\165\163\040\122\157\157\164\040\103\101\040\107\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\125\203\344\055\076\124\126\205\055\203\067\267
-\054\334\106\021
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\153\060\202\003\123\240\003\002\001\002\002\022\021
-\040\125\203\344\055\076\124\126\205\055\203\067\267\054\334\106
-\021\060\015\006\011\052\206\110\206\367\015\001\001\015\005\000
-\060\076\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\021\060\017\006\003\125\004\012\014\010\103\145\162\164\160\154
-\165\163\061\034\060\032\006\003\125\004\003\014\023\103\145\162
-\164\160\154\165\163\040\122\157\157\164\040\103\101\040\107\061
-\060\036\027\015\061\064\060\065\062\066\060\060\060\060\060\060
-\132\027\015\063\070\060\061\061\065\060\060\060\060\060\060\132
-\060\076\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\021\060\017\006\003\125\004\012\014\010\103\145\162\164\160\154
-\165\163\061\034\060\032\006\003\125\004\003\014\023\103\145\162
-\164\160\154\165\163\040\122\157\157\164\040\103\101\040\107\061
-\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001
-\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001
-\000\332\120\207\266\332\270\251\076\235\144\372\126\063\232\126
-\075\026\345\003\225\262\064\034\232\155\142\005\324\330\217\347
-\211\144\237\272\333\144\213\144\346\171\052\141\315\257\217\132
-\211\221\145\271\130\374\264\003\137\221\077\055\020\025\340\176
-\317\274\374\177\103\147\250\255\136\066\043\330\230\263\115\363
-\103\236\071\174\052\374\354\210\325\210\356\160\275\205\026\055
-\352\113\211\074\243\161\102\376\034\375\323\034\055\020\270\206
-\124\352\103\270\333\306\207\332\250\256\200\045\317\172\046\035
-\252\221\260\110\157\256\265\336\236\330\327\372\000\375\306\217
-\320\121\273\142\175\244\261\214\262\377\040\021\272\065\143\005
-\206\107\140\103\063\220\366\107\242\003\117\226\115\235\117\301
-\352\352\234\242\376\064\056\336\267\312\033\166\244\267\255\237
-\351\250\324\170\077\170\376\362\070\011\066\035\322\026\002\310
-\354\052\150\257\365\216\224\357\055\023\172\036\102\112\035\025
-\061\256\014\004\127\374\141\163\363\061\126\206\061\200\240\304
-\021\156\060\166\343\224\360\137\004\304\254\207\162\211\230\305
-\235\314\127\010\232\364\014\374\175\172\005\072\372\107\200\071
-\266\317\204\023\167\157\047\352\377\226\147\027\010\155\351\015
-\326\043\120\060\260\025\164\023\076\345\057\377\016\315\304\013
-\112\135\360\330\000\063\111\146\353\241\030\174\131\056\075\050
-\271\141\161\313\265\245\272\270\352\334\342\160\157\010\152\334
-\207\147\064\357\337\060\162\335\363\311\077\043\377\065\341\276
-\041\051\040\060\201\344\031\245\040\351\045\312\163\061\164\051
-\276\342\102\325\363\262\046\146\307\150\375\031\263\347\040\223
-\231\350\135\340\136\207\347\106\350\045\234\012\051\044\324\315
-\130\206\122\100\044\262\173\017\230\022\040\044\366\220\154\107
-\310\015\273\030\040\056\331\375\374\213\362\051\352\207\164\225
-\340\102\120\170\204\004\101\141\260\364\041\043\217\055\313\050
-\041\362\152\154\364\032\246\305\024\264\067\145\117\225\375\200
-\310\370\162\345\045\153\304\140\261\173\155\216\112\212\163\316
-\131\373\160\172\163\006\023\331\323\164\067\044\101\012\021\157
-\227\334\347\344\176\241\275\025\362\272\207\017\075\150\212\026
-\007\002\003\001\000\001\243\143\060\141\060\016\006\003\125\035
-\017\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035
-\023\001\001\377\004\005\060\003\001\001\377\060\035\006\003\125
-\035\016\004\026\004\024\250\301\300\233\221\250\103\025\174\135
-\006\047\264\052\121\330\227\013\201\261\060\037\006\003\125\035
-\043\004\030\060\026\200\024\250\301\300\233\221\250\103\025\174
-\135\006\047\264\052\121\330\227\013\201\261\060\015\006\011\052
-\206\110\206\367\015\001\001\015\005\000\003\202\002\001\000\234
-\126\157\001\176\321\275\114\365\212\306\360\046\037\344\340\070
-\030\314\062\303\051\073\235\101\051\064\141\306\327\360\000\241
-\353\244\162\217\224\027\274\023\054\165\264\127\356\012\174\011
-\172\334\325\312\241\320\064\023\370\167\253\237\345\376\330\036
-\164\212\205\007\217\177\314\171\172\312\226\315\315\375\117\373
-\375\043\015\220\365\364\136\323\306\141\175\236\021\340\002\356
-\011\004\331\007\335\246\212\267\014\203\044\273\203\120\222\376
-\140\165\021\076\330\235\260\212\172\265\340\235\233\313\220\122
-\113\260\223\052\324\076\026\063\345\236\306\145\025\076\144\073
-\004\077\333\014\217\137\134\035\151\037\257\363\351\041\214\363
-\357\227\366\232\267\031\266\204\164\234\243\124\265\160\116\143
-\330\127\135\123\041\233\100\222\103\372\326\167\125\063\117\144
-\325\373\320\054\152\216\155\045\246\357\205\350\002\304\123\076
-\271\236\207\274\314\065\032\336\241\351\212\143\207\145\036\021
-\052\333\143\167\227\024\276\232\024\231\021\262\300\356\260\117
-\370\024\041\062\103\117\237\253\242\313\250\017\252\073\006\125
-\306\022\051\127\010\324\067\327\207\047\255\111\131\247\221\253
-\104\172\136\215\160\333\227\316\110\120\261\163\223\366\360\203
-\140\371\315\361\341\061\375\133\174\161\041\143\024\024\252\257
-\305\336\223\176\150\261\354\042\242\252\220\165\236\265\103\162
-\352\144\243\204\113\375\014\250\046\153\161\227\356\126\143\146
-\350\102\124\371\307\035\337\320\217\133\337\310\060\157\210\376
-\015\304\063\034\123\250\243\375\110\020\362\344\012\116\341\025
-\127\374\156\144\060\302\125\021\334\352\251\315\112\124\254\051
-\143\104\317\112\100\240\326\150\131\033\063\371\357\072\213\333
-\040\222\334\102\204\277\001\253\207\300\325\040\202\333\306\271
-\203\205\102\134\017\103\073\152\111\065\325\230\364\025\277\372
-\141\201\014\011\040\030\322\320\027\014\313\110\000\120\351\166
-\202\214\144\327\072\240\007\125\314\036\061\300\357\072\264\145
-\373\343\277\102\153\236\017\250\275\153\230\334\330\333\313\213
-\244\335\327\131\364\156\335\376\252\303\221\320\056\102\007\300
-\014\115\123\315\044\261\114\133\036\121\364\337\351\222\372
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "Certplus Root CA G1"
-# Issuer: CN=Certplus Root CA G1,O=Certplus,C=FR
-# Serial Number:11:20:55:83:e4:2d:3e:54:56:85:2d:83:37:b7:2c:dc:46:11
-# Subject: CN=Certplus Root CA G1,O=Certplus,C=FR
-# Not Valid Before: Mon May 26 00:00:00 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): 15:2A:40:2B:FC:DF:2C:D5:48:05:4D:22:75:B3:9C:7F:CA:3E:C0:97:80:78:B0:F0:EA:76:E5:61:A6:C7:43:3E
-# Fingerprint (SHA1): 22:FD:D0:B7:FD:A2:4E:0D:AC:49:2C:A0:AC:A6:7B:6A:1F:E3:F7:66
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Certplus Root CA G1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\042\375\320\267\375\242\116\015\254\111\054\240\254\246\173\152
-\037\343\367\146
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\177\011\234\367\331\271\134\151\151\126\325\067\076\024\015\102
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\076\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\021\060\017\006\003\125\004\012\014\010\103\145\162\164\160\154
-\165\163\061\034\060\032\006\003\125\004\003\014\023\103\145\162
-\164\160\154\165\163\040\122\157\157\164\040\103\101\040\107\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\125\203\344\055\076\124\126\205\055\203\067\267
-\054\334\106\021
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Certplus Root CA G2"
-#
-# Issuer: CN=Certplus Root CA G2,O=Certplus,C=FR
-# Serial Number:11:20:d9:91:ce:ae:a3:e8:c5:e7:ff:e9:02:af:cf:73:bc:55
-# Subject: CN=Certplus Root CA G2,O=Certplus,C=FR
-# Not Valid Before: Mon May 26 00:00:00 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): 6C:C0:50:41:E6:44:5E:74:69:6C:4C:FB:C9:F8:0F:54:3B:7E:AB:BB:44:B4:CE:6F:78:7C:6A:99:71:C4:2F:17
-# Fingerprint (SHA1): 4F:65:8E:1F:E9:06:D8:28:02:E9:54:47:41:C9:54:25:5D:69:CC:1A
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Certplus Root CA G2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\076\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\021\060\017\006\003\125\004\012\014\010\103\145\162\164\160\154
-\165\163\061\034\060\032\006\003\125\004\003\014\023\103\145\162
-\164\160\154\165\163\040\122\157\157\164\040\103\101\040\107\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\076\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\021\060\017\006\003\125\004\012\014\010\103\145\162\164\160\154
-\165\163\061\034\060\032\006\003\125\004\003\014\023\103\145\162
-\164\160\154\165\163\040\122\157\157\164\040\103\101\040\107\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\331\221\316\256\243\350\305\347\377\351\002\257
-\317\163\274\125
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\034\060\202\001\242\240\003\002\001\002\002\022\021
-\040\331\221\316\256\243\350\305\347\377\351\002\257\317\163\274
-\125\060\012\006\010\052\206\110\316\075\004\003\003\060\076\061
-\013\060\011\006\003\125\004\006\023\002\106\122\061\021\060\017
-\006\003\125\004\012\014\010\103\145\162\164\160\154\165\163\061
-\034\060\032\006\003\125\004\003\014\023\103\145\162\164\160\154
-\165\163\040\122\157\157\164\040\103\101\040\107\062\060\036\027
-\015\061\064\060\065\062\066\060\060\060\060\060\060\132\027\015
-\063\070\060\061\061\065\060\060\060\060\060\060\132\060\076\061
-\013\060\011\006\003\125\004\006\023\002\106\122\061\021\060\017
-\006\003\125\004\012\014\010\103\145\162\164\160\154\165\163\061
-\034\060\032\006\003\125\004\003\014\023\103\145\162\164\160\154
-\165\163\040\122\157\157\164\040\103\101\040\107\062\060\166\060
-\020\006\007\052\206\110\316\075\002\001\006\005\053\201\004\000
-\042\003\142\000\004\315\017\133\126\202\337\360\105\032\326\255
-\367\171\360\035\311\254\226\326\236\116\234\037\264\102\021\312
-\206\277\155\373\205\243\305\345\031\134\327\356\246\077\151\147
-\330\170\342\246\311\304\333\055\171\056\347\213\215\002\157\061
-\042\115\006\343\140\162\105\235\016\102\167\236\316\317\345\177
-\205\233\030\344\374\314\056\162\323\026\223\116\312\231\143\134
-\241\005\052\154\006\243\143\060\141\060\016\006\003\125\035\017
-\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035\023
-\001\001\377\004\005\060\003\001\001\377\060\035\006\003\125\035
-\016\004\026\004\024\332\203\143\002\171\216\332\114\306\074\043
-\024\330\217\303\040\253\050\140\131\060\037\006\003\125\035\043
-\004\030\060\026\200\024\332\203\143\002\171\216\332\114\306\074
-\043\024\330\217\303\040\253\050\140\131\060\012\006\010\052\206
-\110\316\075\004\003\003\003\150\000\060\145\002\060\160\376\260
-\013\331\367\203\227\354\363\125\035\324\334\263\006\016\376\063
-\230\235\213\071\220\153\224\041\355\266\327\135\326\114\327\041
-\247\347\277\041\017\053\315\367\052\334\205\007\235\002\061\000
-\206\024\026\345\334\260\145\302\300\216\024\237\277\044\026\150
-\345\274\371\171\151\334\255\105\053\367\266\061\163\314\006\245
-\123\223\221\032\223\256\160\152\147\272\327\236\345\141\032\137
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "Certplus Root CA G2"
-# Issuer: CN=Certplus Root CA G2,O=Certplus,C=FR
-# Serial Number:11:20:d9:91:ce:ae:a3:e8:c5:e7:ff:e9:02:af:cf:73:bc:55
-# Subject: CN=Certplus Root CA G2,O=Certplus,C=FR
-# Not Valid Before: Mon May 26 00:00:00 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): 6C:C0:50:41:E6:44:5E:74:69:6C:4C:FB:C9:F8:0F:54:3B:7E:AB:BB:44:B4:CE:6F:78:7C:6A:99:71:C4:2F:17
-# Fingerprint (SHA1): 4F:65:8E:1F:E9:06:D8:28:02:E9:54:47:41:C9:54:25:5D:69:CC:1A
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Certplus Root CA G2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\117\145\216\037\351\006\330\050\002\351\124\107\101\311\124\045
-\135\151\314\032
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\247\356\304\170\055\033\356\055\271\051\316\326\247\226\062\061
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\076\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\021\060\017\006\003\125\004\012\014\010\103\145\162\164\160\154
-\165\163\061\034\060\032\006\003\125\004\003\014\023\103\145\162
-\164\160\154\165\163\040\122\157\157\164\040\103\101\040\107\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\331\221\316\256\243\350\305\347\377\351\002\257
-\317\163\274\125
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "OpenTrust Root CA G1"
-#
-# Issuer: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR
-# Serial Number:11:20:b3:90:55:39:7d:7f:36:6d:64:c2:a7:9f:6b:63:8e:67
-# Subject: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR
-# Not Valid Before: Mon May 26 08:45:50 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): 56:C7:71:28:D9:8C:18:D9:1B:4C:FD:FF:BC:25:EE:91:03:D4:75:8E:A2:AB:AD:82:6A:90:F3:45:7D:46:0E:B4
-# Fingerprint (SHA1): 79:91:E8:34:F7:E2:EE:DD:08:95:01:52:E9:55:2D:14:E9:58:D5:7E
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "OpenTrust Root CA G1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\263\220\125\071\175\177\066\155\144\302\247\237
-\153\143\216\147
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\157\060\202\003\127\240\003\002\001\002\002\022\021
-\040\263\220\125\071\175\177\066\155\144\302\247\237\153\143\216
-\147\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\061\060\036\027\015\061\064\060\065\062\066\060\070\064\065
-\065\060\132\027\015\063\070\060\061\061\065\060\060\060\060\060
-\060\132\060\100\061\013\060\011\006\003\125\004\006\023\002\106
-\122\061\022\060\020\006\003\125\004\012\014\011\117\160\145\156
-\124\162\165\163\164\061\035\060\033\006\003\125\004\003\014\024
-\117\160\145\156\124\162\165\163\164\040\122\157\157\164\040\103
-\101\040\107\061\060\202\002\042\060\015\006\011\052\206\110\206
-\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012
-\002\202\002\001\000\370\171\106\332\226\305\060\136\212\161\003
-\055\160\244\273\260\305\010\334\315\346\065\300\200\244\021\055
-\335\346\207\256\135\075\221\322\207\154\067\267\332\142\236\233
-\302\044\327\217\361\333\246\246\337\106\157\121\246\161\313\076
-\033\061\147\142\367\021\133\064\047\325\171\116\214\233\130\275
-\042\020\015\134\047\014\335\060\345\250\323\135\041\070\164\027
-\376\343\037\266\117\073\153\055\333\175\140\037\214\175\114\005
-\302\353\001\026\025\230\024\216\321\220\167\042\077\354\302\071
-\270\171\072\360\111\044\342\225\221\334\141\064\222\214\124\164
-\357\261\175\214\001\342\070\175\301\137\152\137\044\262\216\142
-\027\255\171\040\255\253\035\267\340\264\226\110\117\146\103\020
-\006\026\044\003\341\340\234\216\306\106\117\216\032\231\341\217
-\271\216\063\154\151\336\130\255\240\016\247\144\124\021\151\104
-\146\117\114\022\247\216\054\175\304\324\133\305\000\064\060\301
-\331\231\376\062\316\007\204\264\116\315\012\377\066\115\142\361
-\247\143\127\344\333\152\247\256\277\053\271\311\346\262\047\211
-\345\176\232\034\115\150\306\301\030\336\063\053\121\106\113\034
-\216\367\075\014\371\212\064\024\304\373\063\065\043\361\314\361
-\052\307\245\273\260\242\316\376\123\153\115\101\033\146\050\262
-\226\372\247\256\012\116\271\071\063\104\234\164\301\223\034\370
-\340\236\044\045\103\361\233\043\202\252\337\054\040\260\334\066
-\116\003\263\174\002\324\346\173\032\252\207\023\277\076\241\164
-\273\233\016\341\300\223\237\327\244\146\312\273\033\073\343\060
-\364\063\131\212\007\162\003\125\347\163\152\003\061\156\157\226
-\033\343\242\237\257\222\307\355\365\102\267\045\114\073\023\004
-\317\034\226\257\034\042\243\320\253\005\262\114\022\043\122\334
-\375\031\133\047\234\036\073\172\375\102\043\333\043\200\023\360
-\274\121\025\124\224\246\167\076\320\164\121\275\121\024\010\071
-\067\313\037\064\251\060\235\122\204\056\125\220\261\272\337\125
-\000\013\330\126\055\261\111\111\162\200\251\142\327\300\366\030
-\021\004\125\315\164\173\317\141\160\171\364\173\054\134\134\222
-\374\345\270\132\253\114\223\225\241\047\356\245\276\317\161\043
-\102\272\233\166\055\002\003\001\000\001\243\143\060\141\060\016
-\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\017
-\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
-\035\006\003\125\035\016\004\026\004\024\227\106\041\127\041\065
-\332\066\125\307\363\361\067\160\345\010\366\223\051\266\060\037
-\006\003\125\035\043\004\030\060\026\200\024\227\106\041\127\041
-\065\332\066\125\307\363\361\067\160\345\010\366\223\051\266\060
-\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202
-\002\001\000\035\335\002\140\174\340\065\247\346\230\173\352\104
-\316\147\100\117\362\223\156\146\324\071\211\046\254\323\115\004
-\074\273\207\041\077\067\364\161\045\332\113\272\253\226\202\201
-\221\266\355\331\261\244\145\227\342\157\144\131\244\226\356\140
-\312\037\043\373\105\272\377\217\044\360\312\251\061\177\171\037
-\200\263\055\062\272\144\147\140\257\271\131\315\337\232\111\323
-\250\202\261\371\230\224\212\314\340\273\340\004\033\231\140\261
-\106\145\334\010\242\262\106\236\104\210\352\223\176\127\026\322
-\025\162\137\056\113\253\324\235\143\270\343\110\345\376\204\056
-\130\012\237\103\035\376\267\030\222\206\103\113\016\234\062\206
-\054\140\365\351\110\352\225\355\160\051\361\325\057\375\065\264
-\127\317\333\205\110\231\271\302\157\154\217\315\170\225\254\144
-\050\375\126\260\303\157\303\276\131\122\341\137\204\217\200\362
-\364\015\066\255\166\263\243\265\341\144\166\072\130\334\175\117
-\136\126\154\345\125\131\127\245\337\361\212\146\060\214\324\122
-\142\070\167\264\276\050\327\312\066\304\233\005\360\370\025\333
-\333\361\357\064\235\035\170\112\210\126\147\156\140\377\217\310
-\213\341\216\275\102\251\063\012\131\102\022\022\052\372\261\235
-\103\216\005\233\231\332\142\255\127\066\263\035\266\015\171\055
-\226\270\353\362\014\113\014\245\224\306\060\247\046\031\055\355
-\114\006\120\060\361\375\130\075\271\113\027\137\031\264\152\204
-\124\264\070\117\071\242\015\226\150\303\050\224\375\355\055\037
-\112\153\103\226\056\220\001\020\373\070\246\201\013\320\277\165
-\323\324\271\316\361\077\157\016\034\036\067\161\345\030\207\165
-\031\077\120\271\136\244\105\064\255\260\312\346\345\023\166\017
-\061\024\251\216\055\224\326\325\205\115\163\025\117\113\362\262
-\076\355\154\275\375\016\235\146\163\260\075\264\367\277\250\340
-\021\244\304\256\165\011\112\143\000\110\040\246\306\235\013\011
-\212\264\340\346\316\076\307\076\046\070\351\053\336\246\010\111
-\003\004\220\212\351\217\277\350\266\264\052\243\043\215\034\034
-\262\071\222\250\217\002\134\100\071\165\324\163\101\002\167\336
-\315\340\103\207\326\344\272\112\303\154\022\177\376\052\346\043
-\326\214\161
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "OpenTrust Root CA G1"
-# Issuer: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR
-# Serial Number:11:20:b3:90:55:39:7d:7f:36:6d:64:c2:a7:9f:6b:63:8e:67
-# Subject: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR
-# Not Valid Before: Mon May 26 08:45:50 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): 56:C7:71:28:D9:8C:18:D9:1B:4C:FD:FF:BC:25:EE:91:03:D4:75:8E:A2:AB:AD:82:6A:90:F3:45:7D:46:0E:B4
-# Fingerprint (SHA1): 79:91:E8:34:F7:E2:EE:DD:08:95:01:52:E9:55:2D:14:E9:58:D5:7E
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "OpenTrust Root CA G1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\171\221\350\064\367\342\356\335\010\225\001\122\351\125\055\024
-\351\130\325\176
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\166\000\314\201\051\315\125\136\210\152\172\056\367\115\071\332
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\263\220\125\071\175\177\066\155\144\302\247\237
-\153\143\216\147
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "OpenTrust Root CA G2"
-#
-# Issuer: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR
-# Serial Number:11:20:a1:69:1b:bf:bd:b9:bd:52:96:8f:23:e8:48:bf:26:11
-# Subject: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR
-# Not Valid Before: Mon May 26 00:00:00 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): 27:99:58:29:FE:6A:75:15:C1:BF:E8:48:F9:C4:76:1D:B1:6C:22:59:29:25:7B:F4:0D:08:94:F2:9E:A8:BA:F2
-# Fingerprint (SHA1): 79:5F:88:60:C5:AB:7C:3D:92:E6:CB:F4:8D:E1:45:CD:11:EF:60:0B
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "OpenTrust Root CA G2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\241\151\033\277\275\271\275\122\226\217\043\350
-\110\277\046\021
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\157\060\202\003\127\240\003\002\001\002\002\022\021
-\040\241\151\033\277\275\271\275\122\226\217\043\350\110\277\046
-\021\060\015\006\011\052\206\110\206\367\015\001\001\015\005\000
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\062\060\036\027\015\061\064\060\065\062\066\060\060\060\060
-\060\060\132\027\015\063\070\060\061\061\065\060\060\060\060\060
-\060\132\060\100\061\013\060\011\006\003\125\004\006\023\002\106
-\122\061\022\060\020\006\003\125\004\012\014\011\117\160\145\156
-\124\162\165\163\164\061\035\060\033\006\003\125\004\003\014\024
-\117\160\145\156\124\162\165\163\164\040\122\157\157\164\040\103
-\101\040\107\062\060\202\002\042\060\015\006\011\052\206\110\206
-\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012
-\002\202\002\001\000\314\266\127\245\063\224\020\201\062\123\337
-\141\176\017\166\071\317\134\302\123\165\035\111\172\226\070\335
-\242\163\152\361\157\336\136\242\132\271\161\041\276\066\331\241
-\374\274\356\154\250\174\064\032\161\032\350\032\330\137\016\104
-\006\355\247\340\363\322\141\013\340\062\242\226\321\070\360\302
-\332\001\027\374\344\254\117\350\356\211\036\164\253\117\277\036
-\011\266\066\152\126\363\341\356\226\211\146\044\006\344\315\102
-\072\112\335\340\232\260\304\202\105\263\376\311\253\134\174\076
-\311\353\027\057\014\175\156\256\245\217\310\254\045\012\157\372
-\325\105\230\322\065\011\366\003\103\224\376\331\277\040\225\171
-\200\230\212\331\211\065\273\121\033\244\067\175\374\231\073\253
-\377\277\254\015\217\103\261\231\173\026\020\176\035\157\107\304
-\025\217\004\226\010\006\102\004\370\204\326\035\274\221\246\102
-\276\111\325\152\210\077\274\055\121\321\236\215\340\122\314\127
-\335\065\065\130\333\264\217\044\210\344\213\337\334\153\124\322
-\201\053\262\316\222\113\034\037\106\372\035\330\222\313\166\147
-\265\011\231\011\345\254\027\024\125\160\306\074\240\126\012\003
-\263\334\142\031\337\310\265\060\177\365\074\046\165\021\275\327
-\033\263\207\236\007\257\145\161\345\240\317\032\247\011\020\035
-\223\211\146\133\350\074\142\062\265\265\072\156\351\205\001\213
-\236\103\214\147\163\050\131\133\353\343\334\054\314\245\046\162
-\142\022\264\346\234\203\104\366\121\244\342\300\172\044\127\312
-\016\245\077\072\265\073\213\345\166\356\160\346\222\336\026\134
-\050\133\227\031\047\222\376\172\222\124\316\223\071\012\026\207
-\274\143\263\365\261\223\134\340\156\267\320\352\371\142\062\210
-\104\373\277\047\050\266\060\225\135\022\050\271\225\276\217\123
-\030\345\242\030\026\342\126\244\262\054\020\365\035\067\246\370
-\267\366\320\131\134\211\367\302\325\265\224\164\321\325\376\033
-\266\360\346\326\036\173\322\074\313\250\343\365\030\363\041\037
-\156\357\115\150\006\173\055\135\156\103\211\246\300\371\240\277
-\202\036\317\123\177\264\353\054\333\135\366\152\175\100\044\005
-\162\211\070\001\223\313\161\302\071\135\006\021\366\157\170\370
-\067\015\071\204\047\002\003\001\000\001\243\143\060\141\060\016
-\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\017
-\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
-\035\006\003\125\035\016\004\026\004\024\152\071\372\102\042\367
-\346\211\000\115\136\175\063\203\313\270\156\167\206\257\060\037
-\006\003\125\035\043\004\030\060\026\200\024\152\071\372\102\042
-\367\346\211\000\115\136\175\063\203\313\270\156\167\206\257\060
-\015\006\011\052\206\110\206\367\015\001\001\015\005\000\003\202
-\002\001\000\230\313\253\100\074\345\063\002\227\177\055\207\246
-\217\324\136\112\257\270\036\347\273\161\373\200\144\045\251\263
-\032\076\150\135\047\046\247\272\052\341\360\127\203\012\144\117
-\036\042\164\033\351\220\137\360\254\317\377\117\150\172\070\244
-\020\154\015\261\307\244\167\200\030\266\242\050\104\166\247\064
-\235\161\204\057\312\131\322\107\210\231\101\042\311\060\230\141
-\156\075\250\250\005\155\321\037\300\121\104\126\177\047\065\002
-\335\136\230\012\102\353\060\277\215\241\233\121\252\073\352\223
-\106\144\305\000\171\336\041\153\366\127\240\206\327\006\162\354
-\160\106\113\213\163\335\240\041\165\076\334\035\300\217\323\117
-\163\034\205\331\376\177\142\310\225\157\266\323\173\214\272\123
-\302\157\233\104\114\171\320\035\160\263\327\237\002\364\262\007
-\260\307\345\370\255\043\016\246\126\311\051\022\167\110\331\057
-\106\375\073\360\374\164\160\222\245\216\070\010\037\144\060\266
-\267\113\373\066\254\020\216\240\122\063\143\235\003\065\126\305
-\151\275\306\043\132\047\224\366\244\022\370\055\063\074\241\126
-\245\137\326\031\351\355\174\010\275\167\315\047\144\314\224\332
-\116\106\120\207\340\371\301\123\200\036\273\255\373\107\122\213
-\033\375\242\371\336\016\042\267\075\063\131\154\324\336\365\225
-\006\062\015\121\031\101\134\076\117\006\367\271\053\200\047\366
-\243\252\172\174\006\341\103\303\023\071\142\032\066\275\340\050
-\056\224\002\344\051\056\140\125\256\100\075\260\164\222\136\360
-\040\144\226\077\137\105\135\210\265\212\332\002\240\133\105\124
-\336\070\075\011\300\250\112\145\106\026\374\252\277\124\116\115
-\133\276\070\103\267\050\312\213\063\252\032\045\272\045\134\051
-\057\133\112\156\214\352\055\234\052\366\005\166\340\167\227\200
-\210\335\147\023\157\035\150\044\213\117\267\164\201\345\364\140
-\237\172\125\327\076\067\332\026\153\076\167\254\256\030\160\225
-\010\171\051\003\212\376\301\073\263\077\032\017\244\073\136\037
-\130\241\225\311\253\057\163\112\320\055\156\232\131\017\125\030
-\170\055\074\121\246\227\213\346\273\262\160\252\114\021\336\377
-\174\053\067\324\172\321\167\064\217\347\371\102\367\074\201\014
-\113\122\012
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "OpenTrust Root CA G2"
-# Issuer: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR
-# Serial Number:11:20:a1:69:1b:bf:bd:b9:bd:52:96:8f:23:e8:48:bf:26:11
-# Subject: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR
-# Not Valid Before: Mon May 26 00:00:00 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): 27:99:58:29:FE:6A:75:15:C1:BF:E8:48:F9:C4:76:1D:B1:6C:22:59:29:25:7B:F4:0D:08:94:F2:9E:A8:BA:F2
-# Fingerprint (SHA1): 79:5F:88:60:C5:AB:7C:3D:92:E6:CB:F4:8D:E1:45:CD:11:EF:60:0B
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "OpenTrust Root CA G2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\171\137\210\140\305\253\174\075\222\346\313\364\215\341\105\315
-\021\357\140\013
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\127\044\266\131\044\153\256\310\376\034\014\040\362\300\116\353
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\241\151\033\277\275\271\275\122\226\217\043\350
-\110\277\046\021
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "OpenTrust Root CA G3"
-#
-# Issuer: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR
-# Serial Number:11:20:e6:f8:4c:fc:24:b0:be:05:40:ac:da:83:1b:34:60:3f
-# Subject: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR
-# Not Valid Before: Mon May 26 00:00:00 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): B7:C3:62:31:70:6E:81:07:8C:36:7C:B8:96:19:8F:1E:32:08:DD:92:69:49:DD:8F:57:09:A4:10:F7:5B:62:92
-# Fingerprint (SHA1): 6E:26:64:F3:56:BF:34:55:BF:D1:93:3F:7C:01:DE:D8:13:DA:8A:A6
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "OpenTrust Root CA G3"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\063
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\346\370\114\374\044\260\276\005\100\254\332\203
-\033\064\140\077
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\041\060\202\001\246\240\003\002\001\002\002\022\021
-\040\346\370\114\374\044\260\276\005\100\254\332\203\033\064\140
-\077\060\012\006\010\052\206\110\316\075\004\003\003\060\100\061
-\013\060\011\006\003\125\004\006\023\002\106\122\061\022\060\020
-\006\003\125\004\012\014\011\117\160\145\156\124\162\165\163\164
-\061\035\060\033\006\003\125\004\003\014\024\117\160\145\156\124
-\162\165\163\164\040\122\157\157\164\040\103\101\040\107\063\060
-\036\027\015\061\064\060\065\062\066\060\060\060\060\060\060\132
-\027\015\063\070\060\061\061\065\060\060\060\060\060\060\132\060
-\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061\022
-\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162\165
-\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160\145
-\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040\107
-\063\060\166\060\020\006\007\052\206\110\316\075\002\001\006\005
-\053\201\004\000\042\003\142\000\004\112\356\130\256\115\312\146
-\336\006\072\243\021\374\340\030\360\156\034\272\055\060\014\211
-\331\326\356\233\163\203\251\043\025\214\057\131\212\132\335\024
-\352\235\131\053\103\267\006\354\062\266\272\356\101\265\255\135
-\241\205\314\352\035\024\146\243\147\176\106\342\224\363\347\266
-\126\241\025\131\241\117\067\227\271\042\036\275\021\353\364\262
-\037\136\303\024\232\345\331\227\231\243\143\060\141\060\016\006
-\003\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006
-\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\035
-\006\003\125\035\016\004\026\004\024\107\167\303\024\213\142\071
-\014\311\157\341\120\115\320\020\130\334\225\210\155\060\037\006
-\003\125\035\043\004\030\060\026\200\024\107\167\303\024\213\142
-\071\014\311\157\341\120\115\320\020\130\334\225\210\155\060\012
-\006\010\052\206\110\316\075\004\003\003\003\151\000\060\146\002
-\061\000\217\250\334\235\272\014\004\027\372\025\351\075\057\051
-\001\227\277\201\026\063\100\223\154\374\371\355\200\160\157\252
-\217\333\204\302\213\365\065\312\006\334\144\157\150\026\341\217
-\221\271\002\061\000\330\113\245\313\302\320\010\154\351\030\373
-\132\335\115\137\044\013\260\000\041\045\357\217\247\004\046\161
-\342\174\151\345\135\232\370\101\037\073\071\223\223\235\125\352
-\315\215\361\373\301
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "OpenTrust Root CA G3"
-# Issuer: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR
-# Serial Number:11:20:e6:f8:4c:fc:24:b0:be:05:40:ac:da:83:1b:34:60:3f
-# Subject: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR
-# Not Valid Before: Mon May 26 00:00:00 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): B7:C3:62:31:70:6E:81:07:8C:36:7C:B8:96:19:8F:1E:32:08:DD:92:69:49:DD:8F:57:09:A4:10:F7:5B:62:92
-# Fingerprint (SHA1): 6E:26:64:F3:56:BF:34:55:BF:D1:93:3F:7C:01:DE:D8:13:DA:8A:A6
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "OpenTrust Root CA G3"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\156\046\144\363\126\277\064\125\277\321\223\077\174\001\336\330
-\023\332\212\246
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\041\067\264\027\026\222\173\147\106\160\251\226\327\250\023\044
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\346\370\114\374\044\260\276\005\100\254\332\203
-\033\064\140\077
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "ISRG Root X1"
 #
 # Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
@@ -22993,3 +21835,1321 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "GlobalSign Root CA - R6"
+#
+# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R6
+# Serial Number:45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51
+# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R6
+# Not Valid Before: Wed Dec 10 00:00:00 2014
+# Not Valid After : Sun Dec 10 00:00:00 2034
+# Fingerprint (SHA-256): 2C:AB:EA:FE:37:D0:6C:A2:2A:BA:73:91:C0:03:3D:25:98:29:52:C4:53:64:73:49:76:3A:3A:B5:AD:6C:CF:69
+# Fingerprint (SHA1): 80:94:64:0E:B5:A7:A1:CA:11:9C:1F:DD:D5:9F:81:02:63:A7:FB:D1
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign Root CA - R6"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157
+\142\141\154\123\151\147\156\040\122\157\157\164\040\103\101\040
+\055\040\122\066\061\023\060\021\006\003\125\004\012\023\012\107
+\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125
+\004\003\023\012\107\154\157\142\141\154\123\151\147\156
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157
+\142\141\154\123\151\147\156\040\122\157\157\164\040\103\101\040
+\055\040\122\066\061\023\060\021\006\003\125\004\012\023\012\107
+\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125
+\004\003\023\012\107\154\157\142\141\154\123\151\147\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\016\105\346\273\003\203\063\303\205\145\110\346\377\105\121
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\203\060\202\003\153\240\003\002\001\002\002\016\105
+\346\273\003\203\063\303\205\145\110\346\377\105\121\060\015\006
+\011\052\206\110\206\367\015\001\001\014\005\000\060\114\061\040
+\060\036\006\003\125\004\013\023\027\107\154\157\142\141\154\123
+\151\147\156\040\122\157\157\164\040\103\101\040\055\040\122\066
+\061\023\060\021\006\003\125\004\012\023\012\107\154\157\142\141
+\154\123\151\147\156\061\023\060\021\006\003\125\004\003\023\012
+\107\154\157\142\141\154\123\151\147\156\060\036\027\015\061\064
+\061\062\061\060\060\060\060\060\060\060\132\027\015\063\064\061
+\062\061\060\060\060\060\060\060\060\132\060\114\061\040\060\036
+\006\003\125\004\013\023\027\107\154\157\142\141\154\123\151\147
+\156\040\122\157\157\164\040\103\101\040\055\040\122\066\061\023
+\060\021\006\003\125\004\012\023\012\107\154\157\142\141\154\123
+\151\147\156\061\023\060\021\006\003\125\004\003\023\012\107\154
+\157\142\141\154\123\151\147\156\060\202\002\042\060\015\006\011
+\052\206\110\206\367\015\001\001\001\005\000\003\202\002\017\000
+\060\202\002\012\002\202\002\001\000\225\007\350\163\312\146\371
+\354\024\312\173\074\367\015\010\361\264\105\013\054\202\264\110
+\306\353\133\074\256\203\270\101\222\063\024\244\157\177\351\052
+\314\306\260\210\153\305\266\211\321\306\262\377\024\316\121\024
+\041\354\112\335\033\132\306\326\207\356\115\072\025\006\355\144
+\146\013\222\200\312\104\336\163\224\116\363\247\211\177\117\170
+\143\010\310\022\120\155\102\146\057\115\271\171\050\115\122\032
+\212\032\200\267\031\201\016\176\304\212\274\144\114\041\034\103
+\150\327\075\074\212\305\262\146\325\220\232\267\061\006\305\276
+\342\155\062\006\246\036\371\271\353\252\243\270\277\276\202\143
+\120\320\360\030\211\337\344\017\171\365\352\242\037\052\322\160
+\056\173\347\274\223\273\155\123\342\110\174\214\020\007\070\377
+\146\262\167\141\176\340\352\214\074\252\264\244\366\363\225\112
+\022\007\155\375\214\262\211\317\320\240\141\167\310\130\164\260
+\324\043\072\367\135\072\312\242\333\235\011\336\135\104\055\220
+\361\201\315\127\222\372\176\274\120\004\143\064\337\153\223\030
+\276\153\066\262\071\344\254\044\066\267\360\357\266\034\023\127
+\223\266\336\262\370\342\205\267\163\242\270\065\252\105\362\340
+\235\066\241\157\124\212\361\162\126\156\056\210\305\121\102\104
+\025\224\356\243\305\070\226\233\116\116\132\013\107\363\006\066
+\111\167\060\274\161\067\345\246\354\041\010\165\374\346\141\026
+\077\167\325\331\221\227\204\012\154\324\002\115\164\300\024\355
+\375\071\373\203\362\136\024\241\004\260\013\351\376\356\217\341
+\156\013\262\010\263\141\146\011\152\261\006\072\145\226\131\300
+\360\065\375\311\332\050\215\032\021\207\160\201\012\250\232\165
+\035\236\072\206\005\000\236\333\200\326\045\371\334\005\236\047
+\131\114\166\071\133\352\371\245\241\330\203\017\321\377\337\060
+\021\371\205\317\063\110\365\312\155\144\024\054\172\130\117\323
+\113\010\111\305\225\144\032\143\016\171\075\365\263\214\312\130
+\255\234\102\105\171\156\016\207\031\134\124\261\145\266\277\214
+\233\334\023\351\015\157\270\056\334\147\156\311\213\021\265\204
+\024\212\000\031\160\203\171\221\227\221\324\032\047\277\067\036
+\062\007\330\024\143\074\050\114\257\002\003\001\000\001\243\143
+\060\141\060\016\006\003\125\035\017\001\001\377\004\004\003\002
+\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060\003
+\001\001\377\060\035\006\003\125\035\016\004\026\004\024\256\154
+\005\243\223\023\342\242\347\342\327\034\326\307\360\177\310\147
+\123\240\060\037\006\003\125\035\043\004\030\060\026\200\024\256
+\154\005\243\223\023\342\242\347\342\327\034\326\307\360\177\310
+\147\123\240\060\015\006\011\052\206\110\206\367\015\001\001\014
+\005\000\003\202\002\001\000\203\045\355\350\321\375\225\122\315
+\236\300\004\240\221\151\346\134\320\204\336\334\255\242\117\350
+\107\170\326\145\230\251\133\250\074\207\174\002\212\321\156\267
+\026\163\346\137\300\124\230\325\164\276\301\315\342\021\221\255
+\043\030\075\335\341\162\104\226\264\225\136\300\173\216\231\170
+\026\103\023\126\127\263\242\263\073\265\167\334\100\162\254\243
+\353\233\065\076\261\010\041\241\347\304\103\067\171\062\276\265
+\347\234\054\114\274\103\051\231\216\060\323\254\041\340\343\035
+\372\330\007\063\166\124\000\042\052\271\115\040\056\160\150\332
+\345\123\374\203\134\323\235\362\377\104\014\104\146\362\322\343
+\275\106\000\032\155\002\272\045\135\215\241\061\121\335\124\106
+\034\115\333\231\226\357\032\034\004\134\246\025\357\170\340\171
+\376\135\333\076\252\114\125\375\232\025\251\157\341\246\373\337
+\160\060\351\303\356\102\106\355\302\223\005\211\372\175\143\173
+\077\320\161\201\174\000\350\230\256\016\170\064\303\045\373\257
+\012\237\040\153\335\073\023\217\022\214\342\101\032\110\172\163
+\240\167\151\307\266\134\177\202\310\036\376\130\033\050\053\250
+\154\255\136\155\300\005\322\173\267\353\200\376\045\067\376\002
+\233\150\254\102\135\303\356\365\314\334\360\120\165\322\066\151
+\234\346\173\004\337\156\006\151\266\336\012\011\110\131\207\353
+\173\024\140\172\144\252\151\103\357\221\307\114\354\030\335\154
+\357\123\055\214\231\341\136\362\162\076\317\124\310\275\147\354
+\244\017\114\105\377\323\271\060\043\007\114\217\020\277\206\226
+\331\231\132\264\231\127\034\244\314\273\025\211\123\272\054\005
+\017\344\304\236\031\261\030\064\325\114\235\272\355\367\037\257
+\044\225\004\170\250\003\273\356\201\345\332\137\174\213\112\241
+\220\164\045\247\263\076\113\310\054\126\275\307\310\357\070\342
+\134\222\360\171\367\234\204\272\164\055\141\001\040\176\176\321
+\362\117\007\131\137\213\055\103\122\353\106\014\224\341\365\146
+\107\171\167\325\124\133\037\255\044\067\313\105\132\116\240\104
+\110\310\330\260\231\305\025\204\011\366\326\111\111\300\145\270
+\346\032\161\156\240\250\361\202\350\105\076\154\326\002\327\012
+\147\203\005\132\311\244\020
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "GlobalSign Root CA - R6"
+# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R6
+# Serial Number:45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51
+# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R6
+# Not Valid Before: Wed Dec 10 00:00:00 2014
+# Not Valid After : Sun Dec 10 00:00:00 2034
+# Fingerprint (SHA-256): 2C:AB:EA:FE:37:D0:6C:A2:2A:BA:73:91:C0:03:3D:25:98:29:52:C4:53:64:73:49:76:3A:3A:B5:AD:6C:CF:69
+# Fingerprint (SHA1): 80:94:64:0E:B5:A7:A1:CA:11:9C:1F:DD:D5:9F:81:02:63:A7:FB:D1
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign Root CA - R6"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\200\224\144\016\265\247\241\312\021\234\037\335\325\237\201\002
+\143\247\373\321
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\117\335\007\344\324\042\144\071\036\014\067\102\352\321\306\256
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157
+\142\141\154\123\151\147\156\040\122\157\157\164\040\103\101\040
+\055\040\122\066\061\023\060\021\006\003\125\004\012\023\012\107
+\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125
+\004\003\023\012\107\154\157\142\141\154\123\151\147\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\016\105\346\273\003\203\063\303\205\145\110\346\377\105\121
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "OISTE WISeKey Global Root GC CA"
+#
+# Issuer: CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
+# Serial Number:21:2a:56:0c:ae:da:0c:ab:40:45:bf:2b:a2:2d:3a:ea
+# Subject: CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
+# Not Valid Before: Tue May 09 09:48:34 2017
+# Not Valid After : Fri May 09 09:58:33 2042
+# Fingerprint (SHA-256): 85:60:F9:1C:36:24:DA:BA:95:70:B5:FE:A0:DB:E3:6F:F1:1A:83:23:BE:94:86:85:4F:B3:F3:4A:55:71:19:8D
+# Fingerprint (SHA1): E0:11:84:5E:34:DE:BE:88:81:B9:9C:F6:16:26:D1:96:1F:C3:B9:31
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "OISTE WISeKey Global Root GC CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\155\061\013\060\011\006\003\125\004\006\023\002\103\110\061
+\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113\145
+\171\061\042\060\040\006\003\125\004\013\023\031\117\111\123\124
+\105\040\106\157\165\156\144\141\164\151\157\156\040\105\156\144
+\157\162\163\145\144\061\050\060\046\006\003\125\004\003\023\037
+\117\111\123\124\105\040\127\111\123\145\113\145\171\040\107\154
+\157\142\141\154\040\122\157\157\164\040\107\103\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\155\061\013\060\011\006\003\125\004\006\023\002\103\110\061
+\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113\145
+\171\061\042\060\040\006\003\125\004\013\023\031\117\111\123\124
+\105\040\106\157\165\156\144\141\164\151\157\156\040\105\156\144
+\157\162\163\145\144\061\050\060\046\006\003\125\004\003\023\037
+\117\111\123\124\105\040\127\111\123\145\113\145\171\040\107\154
+\157\142\141\154\040\122\157\157\164\040\107\103\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\041\052\126\014\256\332\014\253\100\105\277\053\242\055
+\072\352
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\151\060\202\001\357\240\003\002\001\002\002\020\041
+\052\126\014\256\332\014\253\100\105\277\053\242\055\072\352\060
+\012\006\010\052\206\110\316\075\004\003\003\060\155\061\013\060
+\011\006\003\125\004\006\023\002\103\110\061\020\060\016\006\003
+\125\004\012\023\007\127\111\123\145\113\145\171\061\042\060\040
+\006\003\125\004\013\023\031\117\111\123\124\105\040\106\157\165
+\156\144\141\164\151\157\156\040\105\156\144\157\162\163\145\144
+\061\050\060\046\006\003\125\004\003\023\037\117\111\123\124\105
+\040\127\111\123\145\113\145\171\040\107\154\157\142\141\154\040
+\122\157\157\164\040\107\103\040\103\101\060\036\027\015\061\067
+\060\065\060\071\060\071\064\070\063\064\132\027\015\064\062\060
+\065\060\071\060\071\065\070\063\063\132\060\155\061\013\060\011
+\006\003\125\004\006\023\002\103\110\061\020\060\016\006\003\125
+\004\012\023\007\127\111\123\145\113\145\171\061\042\060\040\006
+\003\125\004\013\023\031\117\111\123\124\105\040\106\157\165\156
+\144\141\164\151\157\156\040\105\156\144\157\162\163\145\144\061
+\050\060\046\006\003\125\004\003\023\037\117\111\123\124\105\040
+\127\111\123\145\113\145\171\040\107\154\157\142\141\154\040\122
+\157\157\164\040\107\103\040\103\101\060\166\060\020\006\007\052
+\206\110\316\075\002\001\006\005\053\201\004\000\042\003\142\000
+\004\114\351\120\300\306\017\162\030\274\330\361\272\263\211\342
+\171\112\243\026\247\153\124\044\333\121\377\352\364\011\044\303
+\013\042\237\313\152\047\202\201\015\322\300\257\061\344\164\202
+\156\312\045\331\214\165\235\361\333\320\232\242\113\041\176\026
+\247\143\220\322\071\324\261\207\170\137\030\226\017\120\033\065
+\067\017\152\306\334\331\023\115\244\216\220\067\346\275\133\061
+\221\243\124\060\122\060\016\006\003\125\035\017\001\001\377\004
+\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004
+\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026\004
+\024\110\207\024\254\343\303\236\220\140\072\327\312\211\356\323
+\255\214\264\120\146\060\020\006\011\053\006\001\004\001\202\067
+\025\001\004\003\002\001\000\060\012\006\010\052\206\110\316\075
+\004\003\003\003\150\000\060\145\002\060\046\307\151\133\334\325
+\347\262\347\310\014\214\214\303\335\171\214\033\143\325\311\122
+\224\116\115\202\112\163\036\262\200\204\251\045\300\114\132\155
+\111\051\140\170\023\342\176\110\353\144\002\061\000\333\064\040
+\062\010\377\232\111\002\266\210\336\024\257\135\154\231\161\215
+\032\077\213\327\340\242\066\206\034\007\202\072\166\123\375\302
+\242\355\357\173\260\200\117\130\017\113\123\071\275
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "OISTE WISeKey Global Root GC CA"
+# Issuer: CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
+# Serial Number:21:2a:56:0c:ae:da:0c:ab:40:45:bf:2b:a2:2d:3a:ea
+# Subject: CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
+# Not Valid Before: Tue May 09 09:48:34 2017
+# Not Valid After : Fri May 09 09:58:33 2042
+# Fingerprint (SHA-256): 85:60:F9:1C:36:24:DA:BA:95:70:B5:FE:A0:DB:E3:6F:F1:1A:83:23:BE:94:86:85:4F:B3:F3:4A:55:71:19:8D
+# Fingerprint (SHA1): E0:11:84:5E:34:DE:BE:88:81:B9:9C:F6:16:26:D1:96:1F:C3:B9:31
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "OISTE WISeKey Global Root GC CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\340\021\204\136\064\336\276\210\201\271\234\366\026\046\321\226
+\037\303\271\061
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\251\326\271\055\057\223\144\370\245\151\312\221\351\150\007\043
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\155\061\013\060\011\006\003\125\004\006\023\002\103\110\061
+\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113\145
+\171\061\042\060\040\006\003\125\004\013\023\031\117\111\123\124
+\105\040\106\157\165\156\144\141\164\151\157\156\040\105\156\144
+\157\162\163\145\144\061\050\060\046\006\003\125\004\003\023\037
+\117\111\123\124\105\040\127\111\123\145\113\145\171\040\107\154
+\157\142\141\154\040\122\157\157\164\040\107\103\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\041\052\126\014\256\332\014\253\100\105\277\053\242\055
+\072\352
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "GTS Root R1"
+#
+# Issuer: CN=GTS Root R1,O=Google Trust Services LLC,C=US
+# Serial Number:6e:47:a9:c5:4b:47:0c:0d:ec:33:d0:89:b9:1c:f4:e1
+# Subject: CN=GTS Root R1,O=Google Trust Services LLC,C=US
+# Not Valid Before: Wed Jun 22 00:00:00 2016
+# Not Valid After : Sun Jun 22 00:00:00 2036
+# Fingerprint (SHA-256): 2A:57:54:71:E3:13:40:BC:21:58:1C:BD:2C:F1:3E:15:84:63:20:3E:CE:94:BC:F9:D3:CC:19:6B:F0:9A:54:72
+# Fingerprint (SHA1): E1:C9:50:E6:EF:22:F8:4C:56:45:72:8B:92:20:60:D7:D5:A7:A3:E8
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTS Root R1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\156\107\251\305\113\107\014\015\354\063\320\211\271\034
+\364\341
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\132\060\202\003\102\240\003\002\001\002\002\020\156
+\107\251\305\113\107\014\015\354\063\320\211\271\034\364\341\060
+\015\006\011\052\206\110\206\367\015\001\001\014\005\000\060\107
+\061\013\060\011\006\003\125\004\006\023\002\125\123\061\042\060
+\040\006\003\125\004\012\023\031\107\157\157\147\154\145\040\124
+\162\165\163\164\040\123\145\162\166\151\143\145\163\040\114\114
+\103\061\024\060\022\006\003\125\004\003\023\013\107\124\123\040
+\122\157\157\164\040\122\061\060\036\027\015\061\066\060\066\062
+\062\060\060\060\060\060\060\132\027\015\063\066\060\066\062\062
+\060\060\060\060\060\060\132\060\107\061\013\060\011\006\003\125
+\004\006\023\002\125\123\061\042\060\040\006\003\125\004\012\023
+\031\107\157\157\147\154\145\040\124\162\165\163\164\040\123\145
+\162\166\151\143\145\163\040\114\114\103\061\024\060\022\006\003
+\125\004\003\023\013\107\124\123\040\122\157\157\164\040\122\061
+\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001
+\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001
+\000\266\021\002\213\036\343\241\167\233\073\334\277\224\076\267
+\225\247\100\074\241\375\202\371\175\062\006\202\161\366\366\214
+\177\373\350\333\274\152\056\227\227\243\214\113\371\053\366\261
+\371\316\204\035\261\371\305\227\336\357\271\362\243\351\274\022
+\211\136\247\252\122\253\370\043\047\313\244\261\234\143\333\327
+\231\176\360\012\136\353\150\246\364\306\132\107\015\115\020\063
+\343\116\261\023\243\310\030\154\113\354\374\011\220\337\235\144
+\051\045\043\007\241\264\322\075\056\140\340\317\322\011\207\273
+\315\110\360\115\302\302\172\210\212\273\272\317\131\031\326\257
+\217\260\007\260\236\061\361\202\301\300\337\056\246\155\154\031
+\016\265\330\176\046\032\105\003\075\260\171\244\224\050\255\017
+\177\046\345\250\010\376\226\350\074\150\224\123\356\203\072\210
+\053\025\226\011\262\340\172\214\056\165\326\234\353\247\126\144
+\217\226\117\150\256\075\227\302\204\217\300\274\100\300\013\134
+\275\366\207\263\065\154\254\030\120\177\204\340\114\315\222\323
+\040\351\063\274\122\231\257\062\265\051\263\045\052\264\110\371
+\162\341\312\144\367\346\202\020\215\350\235\302\212\210\372\070
+\146\212\374\143\371\001\371\170\375\173\134\167\372\166\207\372
+\354\337\261\016\171\225\127\264\275\046\357\326\001\321\353\026
+\012\273\216\013\265\305\305\212\125\253\323\254\352\221\113\051
+\314\031\244\062\045\116\052\361\145\104\320\002\316\252\316\111
+\264\352\237\174\203\260\100\173\347\103\253\247\154\243\217\175
+\211\201\372\114\245\377\325\216\303\316\113\340\265\330\263\216
+\105\317\166\300\355\100\053\375\123\017\260\247\325\073\015\261
+\212\242\003\336\061\255\314\167\352\157\173\076\326\337\221\042
+\022\346\276\372\330\062\374\020\143\024\121\162\336\135\326\026
+\223\275\051\150\063\357\072\146\354\007\212\046\337\023\327\127
+\145\170\047\336\136\111\024\000\242\000\177\232\250\041\266\251
+\261\225\260\245\271\015\026\021\332\307\154\110\074\100\340\176
+\015\132\315\126\074\321\227\005\271\313\113\355\071\113\234\304
+\077\322\125\023\156\044\260\326\161\372\364\301\272\314\355\033
+\365\376\201\101\330\000\230\075\072\310\256\172\230\067\030\005
+\225\002\003\001\000\001\243\102\060\100\060\016\006\003\125\035
+\017\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035
+\023\001\001\377\004\005\060\003\001\001\377\060\035\006\003\125
+\035\016\004\026\004\024\344\257\053\046\161\032\053\110\047\205
+\057\122\146\054\357\360\211\023\161\076\060\015\006\011\052\206
+\110\206\367\015\001\001\014\005\000\003\202\002\001\000\070\226
+\012\356\075\264\226\036\137\357\235\234\013\063\237\053\340\312
+\375\322\216\012\037\101\164\245\174\252\204\324\345\362\036\346
+\067\122\062\234\013\321\141\035\277\050\301\266\104\051\065\165
+\167\230\262\174\331\275\164\254\212\150\343\251\061\011\051\001
+\140\163\343\107\174\123\250\220\112\047\357\113\327\237\223\347
+\202\066\316\232\150\014\202\347\317\324\020\026\157\137\016\231
+\134\366\037\161\175\357\357\173\057\176\352\066\326\227\160\013
+\025\356\327\134\126\152\063\245\343\111\070\014\270\175\373\215
+\205\244\261\131\136\364\152\341\335\241\366\144\104\256\346\121
+\203\041\146\306\021\076\363\316\107\356\234\050\037\045\332\377
+\254\146\225\335\065\017\134\357\040\054\142\375\221\272\251\314
+\374\132\234\223\201\203\051\227\112\174\132\162\264\071\320\267
+\167\313\171\375\151\072\222\067\355\156\070\145\106\176\351\140
+\275\171\210\227\137\070\022\364\356\257\133\202\310\206\325\341
+\231\155\214\004\362\166\272\111\366\156\351\155\036\137\240\357
+\047\202\166\100\370\246\323\130\134\017\054\102\332\102\306\173
+\210\064\307\301\330\105\233\301\076\305\141\035\331\143\120\111
+\366\064\205\152\340\030\305\156\107\253\101\102\051\233\366\140
+\015\322\061\323\143\230\043\223\132\000\201\110\264\357\315\212
+\315\311\317\231\356\331\236\252\066\341\150\113\161\111\024\066
+\050\072\075\035\316\232\217\045\346\200\161\141\053\265\173\314
+\371\045\026\201\341\061\137\241\243\176\026\244\234\026\152\227
+\030\275\166\162\245\013\236\035\066\346\057\241\057\276\160\221
+\017\250\346\332\370\304\222\100\154\045\176\173\263\011\334\262
+\027\255\200\104\360\150\245\217\224\165\377\164\132\350\250\002
+\174\014\011\342\251\113\013\240\205\013\142\271\357\241\061\222
+\373\357\366\121\004\211\154\350\251\164\241\273\027\263\265\375
+\111\017\174\074\354\203\030\040\103\116\325\223\272\264\064\261
+\037\026\066\037\014\346\144\071\026\114\334\340\376\035\310\251
+\142\075\100\352\312\305\064\002\264\256\211\210\063\065\334\054
+\023\163\330\047\361\320\162\356\165\073\042\336\230\150\146\133
+\361\306\143\107\125\034\272\245\010\121\165\246\110\045
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "GTS Root R1"
+# Issuer: CN=GTS Root R1,O=Google Trust Services LLC,C=US
+# Serial Number:6e:47:a9:c5:4b:47:0c:0d:ec:33:d0:89:b9:1c:f4:e1
+# Subject: CN=GTS Root R1,O=Google Trust Services LLC,C=US
+# Not Valid Before: Wed Jun 22 00:00:00 2016
+# Not Valid After : Sun Jun 22 00:00:00 2036
+# Fingerprint (SHA-256): 2A:57:54:71:E3:13:40:BC:21:58:1C:BD:2C:F1:3E:15:84:63:20:3E:CE:94:BC:F9:D3:CC:19:6B:F0:9A:54:72
+# Fingerprint (SHA1): E1:C9:50:E6:EF:22:F8:4C:56:45:72:8B:92:20:60:D7:D5:A7:A3:E8
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTS Root R1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\341\311\120\346\357\042\370\114\126\105\162\213\222\040\140\327
+\325\247\243\350
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\202\032\357\324\322\112\362\237\342\075\227\006\024\160\162\205
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\156\107\251\305\113\107\014\015\354\063\320\211\271\034
+\364\341
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "GTS Root R2"
+#
+# Issuer: CN=GTS Root R2,O=Google Trust Services LLC,C=US
+# Serial Number:6e:47:a9:c6:5a:b3:e7:20:c5:30:9a:3f:68:52:f2:6f
+# Subject: CN=GTS Root R2,O=Google Trust Services LLC,C=US
+# Not Valid Before: Wed Jun 22 00:00:00 2016
+# Not Valid After : Sun Jun 22 00:00:00 2036
+# Fingerprint (SHA-256): C4:5D:7B:B0:8E:6D:67:E6:2E:42:35:11:0B:56:4E:5F:78:FD:92:EF:05:8C:84:0A:EA:4E:64:55:D7:58:5C:60
+# Fingerprint (SHA1): D2:73:96:2A:2A:5E:39:9F:73:3F:E1:C7:1E:64:3F:03:38:34:FC:4D
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTS Root R2"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\062
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\156\107\251\306\132\263\347\040\305\060\232\077\150\122
+\362\157
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\132\060\202\003\102\240\003\002\001\002\002\020\156
+\107\251\306\132\263\347\040\305\060\232\077\150\122\362\157\060
+\015\006\011\052\206\110\206\367\015\001\001\014\005\000\060\107
+\061\013\060\011\006\003\125\004\006\023\002\125\123\061\042\060
+\040\006\003\125\004\012\023\031\107\157\157\147\154\145\040\124
+\162\165\163\164\040\123\145\162\166\151\143\145\163\040\114\114
+\103\061\024\060\022\006\003\125\004\003\023\013\107\124\123\040
+\122\157\157\164\040\122\062\060\036\027\015\061\066\060\066\062
+\062\060\060\060\060\060\060\132\027\015\063\066\060\066\062\062
+\060\060\060\060\060\060\132\060\107\061\013\060\011\006\003\125
+\004\006\023\002\125\123\061\042\060\040\006\003\125\004\012\023
+\031\107\157\157\147\154\145\040\124\162\165\163\164\040\123\145
+\162\166\151\143\145\163\040\114\114\103\061\024\060\022\006\003
+\125\004\003\023\013\107\124\123\040\122\157\157\164\040\122\062
+\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001
+\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001
+\000\316\336\375\246\373\354\354\024\064\074\007\006\132\154\131
+\367\031\065\335\367\301\235\125\252\323\315\073\244\223\162\357
+\012\372\155\235\366\360\205\200\133\241\110\122\237\071\305\267
+\356\050\254\357\313\166\150\024\271\337\255\001\154\231\037\304
+\042\035\237\376\162\167\340\054\133\257\344\004\277\117\162\240
+\032\064\230\350\071\150\354\225\045\173\166\241\346\151\271\205
+\031\275\211\214\376\255\355\066\352\163\274\377\203\342\313\175
+\301\322\316\112\263\215\005\236\213\111\223\337\301\133\320\156
+\136\360\056\060\056\202\374\372\274\264\027\012\110\345\210\233
+\305\233\153\336\260\312\264\003\360\332\364\220\270\145\144\367
+\134\114\255\350\176\146\136\231\327\270\302\076\310\320\023\235
+\255\356\344\105\173\211\125\367\212\037\142\122\204\022\263\302
+\100\227\343\212\037\107\221\246\164\132\322\370\261\143\050\020
+\270\263\011\270\126\167\100\242\046\230\171\306\376\337\045\356
+\076\345\240\177\324\141\017\121\113\074\077\214\332\341\160\164
+\330\302\150\241\371\301\014\351\241\342\177\273\125\074\166\006
+\356\152\116\314\222\210\060\115\232\275\117\013\110\232\204\265
+\230\243\325\373\163\301\127\141\335\050\126\165\023\256\207\216
+\347\014\121\011\020\165\210\114\274\215\371\173\074\324\042\110
+\037\052\334\353\153\273\104\261\313\063\161\062\106\257\255\112
+\361\214\350\164\072\254\347\032\042\163\200\322\060\367\045\102
+\307\042\073\073\022\255\226\056\306\303\166\007\252\040\267\065
+\111\127\351\222\111\350\166\026\162\061\147\053\226\176\212\243
+\307\224\126\042\277\152\113\176\001\041\262\043\062\337\344\232
+\104\155\131\133\135\365\000\240\034\233\306\170\227\215\220\377
+\233\310\252\264\257\021\121\071\136\331\373\147\255\325\133\021
+\235\062\232\033\275\325\272\133\245\311\313\045\151\123\125\047
+\134\340\312\066\313\210\141\373\036\267\320\313\356\026\373\323
+\246\114\336\222\245\324\342\337\365\006\124\336\056\235\113\264
+\223\060\252\201\316\335\032\334\121\163\015\117\160\351\345\266
+\026\041\031\171\262\346\211\013\165\144\312\325\253\274\011\301
+\030\241\377\324\124\241\205\074\375\024\044\003\262\207\323\244
+\267\002\003\001\000\001\243\102\060\100\060\016\006\003\125\035
+\017\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035
+\023\001\001\377\004\005\060\003\001\001\377\060\035\006\003\125
+\035\016\004\026\004\024\273\377\312\216\043\237\117\231\312\333
+\342\150\246\245\025\047\027\036\331\016\060\015\006\011\052\206
+\110\206\367\015\001\001\014\005\000\003\202\002\001\000\266\151
+\360\246\167\376\236\356\013\201\255\341\300\251\307\371\065\035
+\100\202\253\346\004\264\337\313\367\035\017\203\360\176\023\115
+\215\214\356\343\063\042\303\071\374\100\337\156\101\113\102\123
+\276\026\210\361\322\070\136\304\150\231\034\230\122\223\214\347
+\150\355\033\152\163\172\005\100\115\177\145\073\326\130\361\316
+\203\107\140\343\377\227\251\234\140\167\030\125\265\176\010\223
+\317\320\366\074\147\003\025\141\011\371\201\171\365\354\123\244
+\237\311\217\001\213\163\304\167\166\334\203\242\365\014\111\032
+\250\166\336\222\233\144\370\263\054\305\047\323\007\300\010\200
+\244\230\222\343\001\226\002\252\002\356\217\073\305\321\155\012
+\063\060\163\170\271\117\124\026\277\013\007\241\244\134\346\313
+\311\134\204\217\017\340\025\167\054\176\046\176\332\304\113\333
+\247\026\167\007\260\315\165\350\162\102\326\225\204\235\206\203
+\362\344\220\315\011\107\324\213\003\160\332\132\306\003\102\364
+\355\067\242\360\033\120\124\113\016\330\204\336\031\050\231\201
+\107\256\011\033\077\110\321\303\157\342\260\140\027\365\356\043
+\002\245\332\000\133\155\220\253\356\242\351\033\073\351\307\104
+\047\105\216\153\237\365\244\204\274\167\371\153\227\254\076\121
+\105\242\021\246\314\205\356\012\150\362\076\120\070\172\044\142
+\036\027\040\067\155\152\115\267\011\233\311\374\244\130\365\266
+\373\234\116\030\273\225\002\347\241\255\233\007\356\066\153\044
+\322\071\206\301\223\203\120\322\201\106\250\137\142\127\054\273
+\154\144\210\010\156\357\023\124\137\335\055\304\147\143\323\317
+\211\067\277\235\040\364\373\172\203\233\240\036\201\000\120\302
+\344\014\042\131\122\020\355\103\126\207\000\370\024\122\247\035
+\213\223\214\242\115\106\177\047\306\161\233\044\336\344\332\206
+\213\015\176\153\040\301\300\236\341\145\330\152\243\246\350\205
+\213\072\007\010\034\272\365\217\125\232\030\165\176\345\354\201
+\146\321\041\163\241\065\104\013\200\075\133\234\136\157\052\027
+\226\321\203\043\210\146\155\346\206\342\160\062\057\122\042\347
+\310\347\177\304\054\140\135\057\303\257\236\105\005\303\204\002
+\267\375\054\010\122\117\202\335\243\360\324\206\011\002
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "GTS Root R2"
+# Issuer: CN=GTS Root R2,O=Google Trust Services LLC,C=US
+# Serial Number:6e:47:a9:c6:5a:b3:e7:20:c5:30:9a:3f:68:52:f2:6f
+# Subject: CN=GTS Root R2,O=Google Trust Services LLC,C=US
+# Not Valid Before: Wed Jun 22 00:00:00 2016
+# Not Valid After : Sun Jun 22 00:00:00 2036
+# Fingerprint (SHA-256): C4:5D:7B:B0:8E:6D:67:E6:2E:42:35:11:0B:56:4E:5F:78:FD:92:EF:05:8C:84:0A:EA:4E:64:55:D7:58:5C:60
+# Fingerprint (SHA1): D2:73:96:2A:2A:5E:39:9F:73:3F:E1:C7:1E:64:3F:03:38:34:FC:4D
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTS Root R2"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\322\163\226\052\052\136\071\237\163\077\341\307\036\144\077\003
+\070\064\374\115
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\104\355\232\016\244\011\073\000\362\256\114\243\306\141\260\213
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\156\107\251\306\132\263\347\040\305\060\232\077\150\122
+\362\157
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "GTS Root R3"
+#
+# Issuer: CN=GTS Root R3,O=Google Trust Services LLC,C=US
+# Serial Number:6e:47:a9:c7:6c:a9:73:24:40:89:0f:03:55:dd:8d:1d
+# Subject: CN=GTS Root R3,O=Google Trust Services LLC,C=US
+# Not Valid Before: Wed Jun 22 00:00:00 2016
+# Not Valid After : Sun Jun 22 00:00:00 2036
+# Fingerprint (SHA-256): 15:D5:B8:77:46:19:EA:7D:54:CE:1C:A6:D0:B0:C4:03:E0:37:A9:17:F1:31:E8:A0:4E:1E:6B:7A:71:BA:BC:E5
+# Fingerprint (SHA1): 30:D4:24:6F:07:FF:DB:91:89:8A:0B:E9:49:66:11:EB:8C:5E:46:E5
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTS Root R3"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\063
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\156\107\251\307\154\251\163\044\100\211\017\003\125\335
+\215\035
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\014\060\202\001\221\240\003\002\001\002\002\020\156
+\107\251\307\154\251\163\044\100\211\017\003\125\335\215\035\060
+\012\006\010\052\206\110\316\075\004\003\003\060\107\061\013\060
+\011\006\003\125\004\006\023\002\125\123\061\042\060\040\006\003
+\125\004\012\023\031\107\157\157\147\154\145\040\124\162\165\163
+\164\040\123\145\162\166\151\143\145\163\040\114\114\103\061\024
+\060\022\006\003\125\004\003\023\013\107\124\123\040\122\157\157
+\164\040\122\063\060\036\027\015\061\066\060\066\062\062\060\060
+\060\060\060\060\132\027\015\063\066\060\066\062\062\060\060\060
+\060\060\060\132\060\107\061\013\060\011\006\003\125\004\006\023
+\002\125\123\061\042\060\040\006\003\125\004\012\023\031\107\157
+\157\147\154\145\040\124\162\165\163\164\040\123\145\162\166\151
+\143\145\163\040\114\114\103\061\024\060\022\006\003\125\004\003
+\023\013\107\124\123\040\122\157\157\164\040\122\063\060\166\060
+\020\006\007\052\206\110\316\075\002\001\006\005\053\201\004\000
+\042\003\142\000\004\037\117\063\207\063\051\212\241\204\336\313
+\307\041\130\101\211\352\126\235\053\113\205\306\035\114\047\274
+\177\046\121\162\157\342\237\326\243\312\314\105\024\106\213\255
+\357\176\206\214\354\261\176\057\377\251\161\235\030\204\105\004
+\101\125\156\053\352\046\177\273\220\001\343\113\031\272\344\124
+\226\105\011\261\325\154\221\104\255\204\023\216\232\214\015\200
+\014\062\366\340\047\243\102\060\100\060\016\006\003\125\035\017
+\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035\023
+\001\001\377\004\005\060\003\001\001\377\060\035\006\003\125\035
+\016\004\026\004\024\301\361\046\272\240\055\256\205\201\317\323
+\361\052\022\275\270\012\147\375\274\060\012\006\010\052\206\110
+\316\075\004\003\003\003\151\000\060\146\002\061\000\200\133\244
+\174\043\300\225\245\054\334\276\211\157\043\271\243\335\145\000
+\122\136\221\254\310\235\162\164\202\123\013\175\251\100\275\150
+\140\305\341\270\124\073\301\066\027\045\330\301\275\002\061\000
+\236\065\222\164\205\045\121\365\044\354\144\122\044\120\245\037
+\333\350\313\311\166\354\354\202\156\365\205\030\123\350\270\343
+\232\051\252\226\323\203\043\311\244\173\141\263\314\002\350\135
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "GTS Root R3"
+# Issuer: CN=GTS Root R3,O=Google Trust Services LLC,C=US
+# Serial Number:6e:47:a9:c7:6c:a9:73:24:40:89:0f:03:55:dd:8d:1d
+# Subject: CN=GTS Root R3,O=Google Trust Services LLC,C=US
+# Not Valid Before: Wed Jun 22 00:00:00 2016
+# Not Valid After : Sun Jun 22 00:00:00 2036
+# Fingerprint (SHA-256): 15:D5:B8:77:46:19:EA:7D:54:CE:1C:A6:D0:B0:C4:03:E0:37:A9:17:F1:31:E8:A0:4E:1E:6B:7A:71:BA:BC:E5
+# Fingerprint (SHA1): 30:D4:24:6F:07:FF:DB:91:89:8A:0B:E9:49:66:11:EB:8C:5E:46:E5
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTS Root R3"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\060\324\044\157\007\377\333\221\211\212\013\351\111\146\021\353
+\214\136\106\345
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\032\171\133\153\004\122\234\135\307\164\063\033\045\232\371\045
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\156\107\251\307\154\251\163\044\100\211\017\003\125\335
+\215\035
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "GTS Root R4"
+#
+# Issuer: CN=GTS Root R4,O=Google Trust Services LLC,C=US
+# Serial Number:6e:47:a9:c8:8b:94:b6:e8:bb:3b:2a:d8:a2:b2:c1:99
+# Subject: CN=GTS Root R4,O=Google Trust Services LLC,C=US
+# Not Valid Before: Wed Jun 22 00:00:00 2016
+# Not Valid After : Sun Jun 22 00:00:00 2036
+# Fingerprint (SHA-256): 71:CC:A5:39:1F:9E:79:4B:04:80:25:30:B3:63:E1:21:DA:8A:30:43:BB:26:66:2F:EA:4D:CA:7F:C9:51:A4:BD
+# Fingerprint (SHA1): 2A:1D:60:27:D9:4A:B1:0A:1C:4D:91:5C:CD:33:A0:CB:3E:2D:54:CB
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTS Root R4"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\064
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\064
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\156\107\251\310\213\224\266\350\273\073\052\330\242\262
+\301\231
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\012\060\202\001\221\240\003\002\001\002\002\020\156
+\107\251\310\213\224\266\350\273\073\052\330\242\262\301\231\060
+\012\006\010\052\206\110\316\075\004\003\003\060\107\061\013\060
+\011\006\003\125\004\006\023\002\125\123\061\042\060\040\006\003
+\125\004\012\023\031\107\157\157\147\154\145\040\124\162\165\163
+\164\040\123\145\162\166\151\143\145\163\040\114\114\103\061\024
+\060\022\006\003\125\004\003\023\013\107\124\123\040\122\157\157
+\164\040\122\064\060\036\027\015\061\066\060\066\062\062\060\060
+\060\060\060\060\132\027\015\063\066\060\066\062\062\060\060\060
+\060\060\060\132\060\107\061\013\060\011\006\003\125\004\006\023
+\002\125\123\061\042\060\040\006\003\125\004\012\023\031\107\157
+\157\147\154\145\040\124\162\165\163\164\040\123\145\162\166\151
+\143\145\163\040\114\114\103\061\024\060\022\006\003\125\004\003
+\023\013\107\124\123\040\122\157\157\164\040\122\064\060\166\060
+\020\006\007\052\206\110\316\075\002\001\006\005\053\201\004\000
+\042\003\142\000\004\363\164\163\247\150\213\140\256\103\270\065
+\305\201\060\173\113\111\235\373\301\141\316\346\336\106\275\153
+\325\141\030\065\256\100\335\163\367\211\221\060\132\353\074\356
+\205\174\242\100\166\073\251\306\270\107\330\052\347\222\221\152
+\163\351\261\162\071\237\051\237\242\230\323\137\136\130\206\145
+\017\241\204\145\006\321\334\213\311\307\163\310\214\152\057\345
+\304\253\321\035\212\243\102\060\100\060\016\006\003\125\035\017
+\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035\023
+\001\001\377\004\005\060\003\001\001\377\060\035\006\003\125\035
+\016\004\026\004\024\200\114\326\353\164\377\111\066\243\325\330
+\374\265\076\305\152\360\224\035\214\060\012\006\010\052\206\110
+\316\075\004\003\003\003\147\000\060\144\002\060\152\120\122\164
+\010\304\160\334\236\120\164\041\350\215\172\041\303\117\226\156
+\025\321\042\065\141\055\372\010\067\356\031\155\255\333\262\314
+\175\007\064\365\140\031\054\265\064\331\157\040\002\060\003\161
+\261\272\243\140\013\206\355\232\010\152\225\150\237\342\263\341
+\223\144\174\136\223\246\337\171\055\215\205\343\224\317\043\135
+\161\314\362\260\115\326\376\231\310\224\251\165\242\343
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "GTS Root R4"
+# Issuer: CN=GTS Root R4,O=Google Trust Services LLC,C=US
+# Serial Number:6e:47:a9:c8:8b:94:b6:e8:bb:3b:2a:d8:a2:b2:c1:99
+# Subject: CN=GTS Root R4,O=Google Trust Services LLC,C=US
+# Not Valid Before: Wed Jun 22 00:00:00 2016
+# Not Valid After : Sun Jun 22 00:00:00 2036
+# Fingerprint (SHA-256): 71:CC:A5:39:1F:9E:79:4B:04:80:25:30:B3:63:E1:21:DA:8A:30:43:BB:26:66:2F:EA:4D:CA:7F:C9:51:A4:BD
+# Fingerprint (SHA1): 2A:1D:60:27:D9:4A:B1:0A:1C:4D:91:5C:CD:33:A0:CB:3E:2D:54:CB
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTS Root R4"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\052\035\140\047\331\112\261\012\034\115\221\134\315\063\240\313
+\076\055\124\313
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\135\266\152\304\140\027\044\152\032\231\250\113\356\136\264\046
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\064
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\156\107\251\310\213\224\266\350\273\073\052\330\242\262
+\301\231
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "UCA Global G2 Root"
+#
+# Issuer: CN=UCA Global G2 Root,O=UniTrust,C=CN
+# Serial Number:5d:df:b1:da:5a:a3:ed:5d:be:5a:65:20:65:03:90:ef
+# Subject: CN=UCA Global G2 Root,O=UniTrust,C=CN
+# Not Valid Before: Fri Mar 11 00:00:00 2016
+# Not Valid After : Mon Dec 31 00:00:00 2040
+# Fingerprint (SHA-256): 9B:EA:11:C9:76:FE:01:47:64:C1:BE:56:A6:F9:14:B5:A5:60:31:7A:BD:99:88:39:33:82:E5:16:1A:A0:49:3C
+# Fingerprint (SHA1): 28:F9:78:16:19:7A:FF:18:25:18:AA:44:FE:C1:A0:CE:5C:B6:4C:8A
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "UCA Global G2 Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\075\061\013\060\011\006\003\125\004\006\023\002\103\116\061
+\021\060\017\006\003\125\004\012\014\010\125\156\151\124\162\165
+\163\164\061\033\060\031\006\003\125\004\003\014\022\125\103\101
+\040\107\154\157\142\141\154\040\107\062\040\122\157\157\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\075\061\013\060\011\006\003\125\004\006\023\002\103\116\061
+\021\060\017\006\003\125\004\012\014\010\125\156\151\124\162\165
+\163\164\061\033\060\031\006\003\125\004\003\014\022\125\103\101
+\040\107\154\157\142\141\154\040\107\062\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\135\337\261\332\132\243\355\135\276\132\145\040\145\003
+\220\357
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\106\060\202\003\056\240\003\002\001\002\002\020\135
+\337\261\332\132\243\355\135\276\132\145\040\145\003\220\357\060
+\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\075
+\061\013\060\011\006\003\125\004\006\023\002\103\116\061\021\060
+\017\006\003\125\004\012\014\010\125\156\151\124\162\165\163\164
+\061\033\060\031\006\003\125\004\003\014\022\125\103\101\040\107
+\154\157\142\141\154\040\107\062\040\122\157\157\164\060\036\027
+\015\061\066\060\063\061\061\060\060\060\060\060\060\132\027\015
+\064\060\061\062\063\061\060\060\060\060\060\060\132\060\075\061
+\013\060\011\006\003\125\004\006\023\002\103\116\061\021\060\017
+\006\003\125\004\012\014\010\125\156\151\124\162\165\163\164\061
+\033\060\031\006\003\125\004\003\014\022\125\103\101\040\107\154
+\157\142\141\154\040\107\062\040\122\157\157\164\060\202\002\042
+\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
+\202\002\017\000\060\202\002\012\002\202\002\001\000\305\346\053
+\157\174\357\046\005\047\243\201\044\332\157\313\001\371\231\232
+\251\062\302\042\207\141\101\221\073\313\303\150\033\006\305\114
+\251\053\301\147\027\042\035\053\355\371\051\211\223\242\170\275
+\222\153\240\243\015\242\176\312\223\263\246\321\214\065\325\165
+\371\027\366\317\105\305\345\172\354\167\223\240\217\043\256\016
+\032\003\177\276\324\320\355\056\173\253\106\043\133\377\054\346
+\124\172\224\300\052\025\360\311\215\260\172\073\044\341\327\150
+\342\061\074\006\063\106\266\124\021\246\245\057\042\124\052\130
+\015\001\002\361\372\025\121\147\154\300\372\327\266\033\177\321
+\126\210\057\032\072\215\073\273\202\021\340\107\000\320\122\207
+\253\373\206\176\017\044\153\100\235\064\147\274\215\307\055\206
+\157\171\076\216\251\074\027\113\177\260\231\343\260\161\140\334
+\013\365\144\303\316\103\274\155\161\271\322\336\047\133\212\350
+\330\306\256\341\131\175\317\050\055\065\270\225\126\032\361\262
+\130\113\267\022\067\310\174\263\355\113\200\341\215\372\062\043
+\266\157\267\110\225\010\261\104\116\205\214\072\002\124\040\057
+\337\277\127\117\073\072\220\041\327\301\046\065\124\040\354\307
+\077\107\354\357\132\277\113\172\301\255\073\027\120\134\142\330
+\017\113\112\334\053\372\156\274\163\222\315\354\307\120\350\101
+\226\327\251\176\155\330\351\035\217\212\265\271\130\222\272\112
+\222\053\014\126\375\200\353\010\360\136\051\156\033\034\014\257
+\217\223\211\255\333\275\243\236\041\312\211\031\354\337\265\303
+\032\353\026\376\170\066\114\326\156\320\076\027\034\220\027\153
+\046\272\373\172\057\277\021\034\030\016\055\163\003\217\240\345
+\065\240\132\342\114\165\035\161\341\071\070\123\170\100\314\203
+\223\327\012\236\235\133\217\212\344\345\340\110\344\110\262\107
+\315\116\052\165\052\173\362\042\366\311\276\011\221\226\127\172
+\210\210\254\356\160\254\371\334\051\343\014\034\073\022\116\104
+\326\247\116\260\046\310\363\331\032\227\221\150\352\357\215\106
+\006\322\126\105\130\232\074\014\017\203\270\005\045\303\071\317
+\073\244\064\211\267\171\022\057\107\305\347\251\227\151\374\246
+\167\147\265\337\173\361\172\145\025\344\141\126\145\002\003\001
+\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377
+\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377
+\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026
+\004\024\201\304\214\314\365\344\060\377\245\014\010\137\214\025
+\147\041\164\001\337\337\060\015\006\011\052\206\110\206\367\015
+\001\001\013\005\000\003\202\002\001\000\023\145\042\365\216\053
+\255\104\344\313\377\271\150\346\303\200\110\075\004\173\372\043
+\057\172\355\066\332\262\316\155\366\346\236\345\137\130\217\313
+\067\062\241\310\145\266\256\070\075\065\033\076\274\073\266\004
+\320\274\371\111\365\233\367\205\305\066\266\313\274\370\310\071
+\325\344\137\007\275\025\124\227\164\312\312\355\117\272\272\144
+\166\237\201\270\204\105\111\114\215\157\242\353\261\314\321\303
+\224\332\104\302\346\342\352\030\350\242\037\047\005\272\327\345
+\326\251\315\335\357\166\230\215\000\016\315\033\372\003\267\216
+\200\130\016\047\077\122\373\224\242\312\136\145\311\326\204\332
+\271\065\161\363\046\300\117\167\346\201\047\322\167\073\232\024
+\157\171\364\366\320\341\323\224\272\320\127\121\275\047\005\015
+\301\375\310\022\060\356\157\215\021\053\010\235\324\324\277\200
+\105\024\232\210\104\332\060\352\264\247\343\356\357\133\202\325
+\076\326\255\170\222\333\134\074\363\330\255\372\270\153\177\304
+\066\050\266\002\025\212\124\054\234\260\027\163\216\320\067\243
+\024\074\230\225\000\014\051\005\133\236\111\111\261\137\307\343
+\313\317\047\145\216\065\027\267\127\310\060\331\101\133\271\024
+\266\350\302\017\224\061\247\224\230\314\152\353\265\341\047\365
+\020\250\001\350\216\022\142\350\210\314\265\177\106\227\300\233
+\020\146\070\032\066\106\137\042\150\075\337\311\306\023\047\253
+\123\006\254\242\074\206\006\145\157\261\176\261\051\104\232\243
+\272\111\151\050\151\217\327\345\137\255\004\206\144\157\032\240
+\014\305\010\142\316\200\243\320\363\354\150\336\276\063\307\027
+\133\177\200\304\114\114\261\246\204\212\303\073\270\011\315\024
+\201\272\030\343\124\127\066\376\333\057\174\107\241\072\063\310
+\371\130\073\104\117\261\312\002\211\004\226\050\150\305\113\270
+\046\211\273\326\063\057\120\325\376\232\211\272\030\062\222\124
+\306\133\340\235\371\136\345\015\042\233\366\332\342\310\041\262
+\142\041\252\206\100\262\056\144\323\137\310\343\176\021\147\105
+\037\005\376\343\242\357\263\250\263\363\175\217\370\014\037\042
+\037\055\160\264\270\001\064\166\060\000\345\043\170\247\126\327
+\120\037\212\373\006\365\302\031\360\320
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "UCA Global G2 Root"
+# Issuer: CN=UCA Global G2 Root,O=UniTrust,C=CN
+# Serial Number:5d:df:b1:da:5a:a3:ed:5d:be:5a:65:20:65:03:90:ef
+# Subject: CN=UCA Global G2 Root,O=UniTrust,C=CN
+# Not Valid Before: Fri Mar 11 00:00:00 2016
+# Not Valid After : Mon Dec 31 00:00:00 2040
+# Fingerprint (SHA-256): 9B:EA:11:C9:76:FE:01:47:64:C1:BE:56:A6:F9:14:B5:A5:60:31:7A:BD:99:88:39:33:82:E5:16:1A:A0:49:3C
+# Fingerprint (SHA1): 28:F9:78:16:19:7A:FF:18:25:18:AA:44:FE:C1:A0:CE:5C:B6:4C:8A
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "UCA Global G2 Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\050\371\170\026\031\172\377\030\045\030\252\104\376\301\240\316
+\134\266\114\212
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\200\376\360\304\112\360\134\142\062\237\034\272\170\251\120\370
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\075\061\013\060\011\006\003\125\004\006\023\002\103\116\061
+\021\060\017\006\003\125\004\012\014\010\125\156\151\124\162\165
+\163\164\061\033\060\031\006\003\125\004\003\014\022\125\103\101
+\040\107\154\157\142\141\154\040\107\062\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\135\337\261\332\132\243\355\135\276\132\145\040\145\003
+\220\357
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "UCA Extended Validation Root"
+#
+# Issuer: CN=UCA Extended Validation Root,O=UniTrust,C=CN
+# Serial Number:4f:d2:2b:8f:f5:64:c8:33:9e:4f:34:58:66:23:70:60
+# Subject: CN=UCA Extended Validation Root,O=UniTrust,C=CN
+# Not Valid Before: Fri Mar 13 00:00:00 2015
+# Not Valid After : Fri Dec 31 00:00:00 2038
+# Fingerprint (SHA-256): D4:3A:F9:B3:54:73:75:5C:96:84:FC:06:D7:D8:CB:70:EE:5C:28:E7:73:FB:29:4E:B4:1E:E7:17:22:92:4D:24
+# Fingerprint (SHA1): A3:A1:B0:6F:24:61:23:4A:E3:36:A5:C2:37:FC:A6:FF:DD:F0:D7:3A
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "UCA Extended Validation Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\103\116\061
+\021\060\017\006\003\125\004\012\014\010\125\156\151\124\162\165
+\163\164\061\045\060\043\006\003\125\004\003\014\034\125\103\101
+\040\105\170\164\145\156\144\145\144\040\126\141\154\151\144\141
+\164\151\157\156\040\122\157\157\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\103\116\061
+\021\060\017\006\003\125\004\012\014\010\125\156\151\124\162\165
+\163\164\061\045\060\043\006\003\125\004\003\014\034\125\103\101
+\040\105\170\164\145\156\144\145\144\040\126\141\154\151\144\141
+\164\151\157\156\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\117\322\053\217\365\144\310\063\236\117\064\130\146\043
+\160\140
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\132\060\202\003\102\240\003\002\001\002\002\020\117
+\322\053\217\365\144\310\063\236\117\064\130\146\043\160\140\060
+\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\107
+\061\013\060\011\006\003\125\004\006\023\002\103\116\061\021\060
+\017\006\003\125\004\012\014\010\125\156\151\124\162\165\163\164
+\061\045\060\043\006\003\125\004\003\014\034\125\103\101\040\105
+\170\164\145\156\144\145\144\040\126\141\154\151\144\141\164\151
+\157\156\040\122\157\157\164\060\036\027\015\061\065\060\063\061
+\063\060\060\060\060\060\060\132\027\015\063\070\061\062\063\061
+\060\060\060\060\060\060\132\060\107\061\013\060\011\006\003\125
+\004\006\023\002\103\116\061\021\060\017\006\003\125\004\012\014
+\010\125\156\151\124\162\165\163\164\061\045\060\043\006\003\125
+\004\003\014\034\125\103\101\040\105\170\164\145\156\144\145\144
+\040\126\141\154\151\144\141\164\151\157\156\040\122\157\157\164
+\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001
+\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001
+\000\251\011\007\050\023\002\260\231\340\144\252\036\103\026\172
+\163\261\221\240\165\076\250\372\343\070\000\172\354\211\152\040
+\017\213\305\260\233\063\003\132\206\306\130\206\325\301\205\273
+\117\306\234\100\115\312\276\356\151\226\270\255\201\060\232\174
+\222\005\353\005\053\232\110\320\270\166\076\226\310\040\273\322
+\260\361\217\330\254\105\106\377\252\147\140\264\167\176\152\037
+\074\032\122\172\004\075\007\074\205\015\204\320\037\166\012\367
+\152\024\337\162\343\064\174\127\116\126\001\076\171\361\252\051
+\073\154\372\370\217\155\115\310\065\337\256\353\334\044\356\171
+\105\247\205\266\005\210\336\210\135\045\174\227\144\147\011\331
+\277\132\025\005\206\363\011\036\354\130\062\063\021\363\167\144
+\260\166\037\344\020\065\027\033\362\016\261\154\244\052\243\163
+\374\011\037\036\062\031\123\021\347\331\263\054\056\166\056\241
+\243\336\176\152\210\011\350\362\007\212\370\262\315\020\347\342
+\163\100\223\273\010\321\077\341\374\013\224\263\045\357\174\246
+\327\321\257\237\377\226\232\365\221\173\230\013\167\324\176\350
+\007\322\142\265\225\071\343\363\361\155\017\016\145\204\212\143
+\124\305\200\266\340\236\113\175\107\046\247\001\010\135\321\210
+\236\327\303\062\104\372\202\112\012\150\124\177\070\123\003\314
+\244\000\063\144\121\131\013\243\202\221\172\136\354\026\302\363
+\052\346\142\332\052\333\131\142\020\045\112\052\201\013\107\007
+\103\006\160\207\322\372\223\021\051\172\110\115\353\224\307\160
+\115\257\147\325\121\261\200\040\001\001\264\172\010\246\220\177
+\116\340\357\007\101\207\257\152\245\136\213\373\317\120\262\232
+\124\257\303\211\272\130\055\365\060\230\261\066\162\071\176\111
+\004\375\051\247\114\171\344\005\127\333\224\271\026\123\215\106
+\263\035\225\141\127\126\177\257\360\026\133\141\130\157\066\120
+\021\013\330\254\053\225\026\032\016\037\010\315\066\064\145\020
+\142\146\325\200\137\024\040\137\055\014\240\170\012\150\326\054
+\327\351\157\053\322\112\005\223\374\236\157\153\147\377\210\361
+\116\245\151\112\122\067\005\352\306\026\215\322\304\231\321\202
+\053\073\272\065\165\367\121\121\130\363\310\007\335\344\264\003
+\177\002\003\001\000\001\243\102\060\100\060\035\006\003\125\035
+\016\004\026\004\024\331\164\072\344\060\075\015\367\022\334\176
+\132\005\237\036\064\232\367\341\024\060\017\006\003\125\035\023
+\001\001\377\004\005\060\003\001\001\377\060\016\006\003\125\035
+\017\001\001\377\004\004\003\002\001\206\060\015\006\011\052\206
+\110\206\367\015\001\001\013\005\000\003\202\002\001\000\066\215
+\227\314\102\025\144\051\067\233\046\054\326\373\256\025\151\054
+\153\032\032\367\137\266\371\007\114\131\352\363\311\310\271\256
+\314\272\056\172\334\300\365\260\055\300\073\257\237\160\005\021
+\152\237\045\117\001\051\160\343\345\014\341\352\132\174\334\111
+\273\301\036\052\201\365\026\113\162\221\310\242\061\271\252\332
+\374\235\037\363\135\100\002\023\374\116\034\006\312\263\024\220
+\124\027\031\022\032\361\037\327\014\151\132\366\161\170\364\224
+\175\221\013\216\354\220\124\216\274\157\241\114\253\374\164\144
+\375\161\232\370\101\007\241\315\221\344\074\232\340\233\062\071
+\163\253\052\325\151\310\170\221\046\061\175\342\307\060\361\374
+\024\170\167\022\016\023\364\335\026\224\277\113\147\173\160\123
+\205\312\260\273\363\070\115\054\220\071\300\015\302\135\153\351
+\342\345\325\210\215\326\054\277\253\033\276\265\050\207\022\027
+\164\156\374\175\374\217\320\207\046\260\033\373\271\154\253\342
+\236\075\025\301\073\056\147\002\130\221\237\357\370\102\037\054
+\267\150\365\165\255\317\265\366\377\021\175\302\360\044\245\255
+\323\372\240\074\251\372\135\334\245\240\357\104\244\276\326\350
+\345\344\023\226\027\173\006\076\062\355\307\267\102\274\166\243
+\330\145\070\053\070\065\121\041\016\016\157\056\064\023\100\341
+\053\147\014\155\112\101\060\030\043\132\062\125\231\311\027\340
+\074\336\366\354\171\255\053\130\031\242\255\054\042\032\225\216
+\276\226\220\135\102\127\304\371\024\003\065\053\034\055\121\127
+\010\247\072\336\077\344\310\264\003\163\302\301\046\200\273\013
+\102\037\255\015\257\046\162\332\314\276\263\243\203\130\015\202
+\305\037\106\121\343\234\030\314\215\233\215\354\111\353\165\120
+\325\214\050\131\312\164\064\332\214\013\041\253\036\352\033\345
+\307\375\025\076\300\027\252\373\043\156\046\106\313\372\371\261
+\162\153\151\317\042\204\013\142\017\254\331\031\000\224\242\166
+\074\324\055\232\355\004\236\055\006\142\020\067\122\034\205\162
+\033\047\345\314\306\061\354\067\354\143\131\233\013\035\166\314
+\176\062\232\210\225\010\066\122\273\336\166\137\166\111\111\255
+\177\275\145\040\262\311\301\053\166\030\166\237\126\261
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "UCA Extended Validation Root"
+# Issuer: CN=UCA Extended Validation Root,O=UniTrust,C=CN
+# Serial Number:4f:d2:2b:8f:f5:64:c8:33:9e:4f:34:58:66:23:70:60
+# Subject: CN=UCA Extended Validation Root,O=UniTrust,C=CN
+# Not Valid Before: Fri Mar 13 00:00:00 2015
+# Not Valid After : Fri Dec 31 00:00:00 2038
+# Fingerprint (SHA-256): D4:3A:F9:B3:54:73:75:5C:96:84:FC:06:D7:D8:CB:70:EE:5C:28:E7:73:FB:29:4E:B4:1E:E7:17:22:92:4D:24
+# Fingerprint (SHA1): A3:A1:B0:6F:24:61:23:4A:E3:36:A5:C2:37:FC:A6:FF:DD:F0:D7:3A
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "UCA Extended Validation Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\243\241\260\157\044\141\043\112\343\066\245\302\067\374\246\377
+\335\360\327\072
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\241\363\137\103\306\064\233\332\277\214\176\005\123\255\226\342
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\103\116\061
+\021\060\017\006\003\125\004\012\014\010\125\156\151\124\162\165
+\163\164\061\045\060\043\006\003\125\004\003\014\034\125\103\101
+\040\105\170\164\145\156\144\145\144\040\126\141\154\151\144\141
+\164\151\157\156\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\117\322\053\217\365\144\310\063\236\117\064\130\146\043
+\160\140
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Certigna Root CA"
+#
+# Issuer: CN=Certigna Root CA,OU=0002 48146308100036,O=Dhimyotis,C=FR
+# Serial Number:00:ca:e9:1b:89:f1:55:03:0d:a3:e6:41:6d:c4:e3:a6:e1
+# Subject: CN=Certigna Root CA,OU=0002 48146308100036,O=Dhimyotis,C=FR
+# Not Valid Before: Tue Oct 01 08:32:27 2013
+# Not Valid After : Sat Oct 01 08:32:27 2033
+# Fingerprint (SHA-256): D4:8D:3D:23:EE:DB:50:A4:59:E5:51:97:60:1C:27:77:4B:9D:7B:18:C9:4D:5A:05:95:11:A1:02:50:B9:31:68
+# Fingerprint (SHA1): 2D:0D:52:14:FF:9E:AD:99:24:01:74:20:47:6E:6C:85:27:27:F5:43
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Certigna Root CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\106\122\061
+\022\060\020\006\003\125\004\012\014\011\104\150\151\155\171\157
+\164\151\163\061\034\060\032\006\003\125\004\013\014\023\060\060
+\060\062\040\064\070\061\064\066\063\060\070\061\060\060\060\063
+\066\061\031\060\027\006\003\125\004\003\014\020\103\145\162\164
+\151\147\156\141\040\122\157\157\164\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\106\122\061
+\022\060\020\006\003\125\004\012\014\011\104\150\151\155\171\157
+\164\151\163\061\034\060\032\006\003\125\004\013\014\023\060\060
+\060\062\040\064\070\061\064\066\063\060\070\061\060\060\060\063
+\066\061\031\060\027\006\003\125\004\003\014\020\103\145\162\164
+\151\147\156\141\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\021\000\312\351\033\211\361\125\003\015\243\346\101\155\304
+\343\246\341
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\006\133\060\202\004\103\240\003\002\001\002\002\021\000
+\312\351\033\211\361\125\003\015\243\346\101\155\304\343\246\341
+\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060
+\132\061\013\060\011\006\003\125\004\006\023\002\106\122\061\022
+\060\020\006\003\125\004\012\014\011\104\150\151\155\171\157\164
+\151\163\061\034\060\032\006\003\125\004\013\014\023\060\060\060
+\062\040\064\070\061\064\066\063\060\070\061\060\060\060\063\066
+\061\031\060\027\006\003\125\004\003\014\020\103\145\162\164\151
+\147\156\141\040\122\157\157\164\040\103\101\060\036\027\015\061
+\063\061\060\060\061\060\070\063\062\062\067\132\027\015\063\063
+\061\060\060\061\060\070\063\062\062\067\132\060\132\061\013\060
+\011\006\003\125\004\006\023\002\106\122\061\022\060\020\006\003
+\125\004\012\014\011\104\150\151\155\171\157\164\151\163\061\034
+\060\032\006\003\125\004\013\014\023\060\060\060\062\040\064\070
+\061\064\066\063\060\070\061\060\060\060\063\066\061\031\060\027
+\006\003\125\004\003\014\020\103\145\162\164\151\147\156\141\040
+\122\157\157\164\040\103\101\060\202\002\042\060\015\006\011\052
+\206\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060
+\202\002\012\002\202\002\001\000\315\030\071\145\032\131\261\352
+\144\026\016\214\224\044\225\174\203\323\305\071\046\334\014\357
+\026\127\215\327\330\254\243\102\177\202\312\355\315\133\333\016
+\267\055\355\105\010\027\262\331\263\313\326\027\122\162\050\333
+\216\116\236\212\266\013\371\236\204\232\115\166\336\042\051\134
+\322\263\322\006\076\060\071\251\164\243\222\126\034\241\157\114
+\012\040\155\237\043\172\264\306\332\054\344\035\054\334\263\050
+\320\023\362\114\116\002\111\241\124\100\236\346\345\005\240\055
+\204\310\377\230\154\320\353\212\032\204\010\036\267\150\043\356
+\043\325\160\316\155\121\151\020\356\241\172\302\321\042\061\302
+\202\205\322\362\125\166\120\174\045\172\311\204\134\013\254\335
+\102\116\053\347\202\242\044\211\313\220\262\320\356\043\272\146
+\114\273\142\244\371\123\132\144\173\174\230\372\243\110\236\017
+\225\256\247\030\364\152\354\056\003\105\257\360\164\370\052\315
+\172\135\321\276\104\046\062\051\361\361\365\154\314\176\002\041
+\013\237\157\244\077\276\235\123\342\317\175\251\054\174\130\032
+\227\341\075\067\067\030\146\050\322\100\305\121\212\214\303\055
+\316\123\210\044\130\144\060\026\305\252\340\326\012\246\100\337
+\170\366\365\004\174\151\023\204\274\321\321\247\006\317\001\367
+\150\300\250\127\273\072\141\255\004\214\223\343\255\374\360\333
+\104\155\131\334\111\131\256\254\232\231\066\060\101\173\166\063
+\042\207\243\302\222\206\156\371\160\356\256\207\207\225\033\304
+\172\275\061\363\324\322\345\231\377\276\110\354\165\365\170\026
+\035\246\160\301\177\074\033\241\222\373\317\310\074\326\305\223
+\012\217\365\125\072\166\225\316\131\230\212\011\225\167\062\232
+\203\272\054\004\072\227\275\324\057\276\327\154\233\242\312\175
+\155\046\311\125\325\317\303\171\122\010\011\231\007\044\055\144
+\045\153\246\041\151\233\152\335\164\115\153\227\172\101\275\253
+\027\371\220\027\110\217\066\371\055\325\305\333\356\252\205\105
+\101\372\315\072\105\261\150\346\066\114\233\220\127\354\043\271
+\207\010\302\304\011\361\227\206\052\050\115\342\164\300\332\304
+\214\333\337\342\241\027\131\316\044\131\164\061\332\177\375\060
+\155\331\334\341\152\341\374\137\002\003\001\000\001\243\202\001
+\032\060\202\001\026\060\017\006\003\125\035\023\001\001\377\004
+\005\060\003\001\001\377\060\016\006\003\125\035\017\001\001\377
+\004\004\003\002\001\006\060\035\006\003\125\035\016\004\026\004
+\024\030\207\126\340\156\167\356\044\065\074\116\163\232\037\326
+\341\342\171\176\053\060\037\006\003\125\035\043\004\030\060\026
+\200\024\030\207\126\340\156\167\356\044\065\074\116\163\232\037
+\326\341\342\171\176\053\060\104\006\003\125\035\040\004\075\060
+\073\060\071\006\004\125\035\040\000\060\061\060\057\006\010\053
+\006\001\005\005\007\002\001\026\043\150\164\164\160\163\072\057
+\057\167\167\167\167\056\143\145\162\164\151\147\156\141\056\146
+\162\057\141\165\164\157\162\151\164\145\163\057\060\155\006\003
+\125\035\037\004\146\060\144\060\057\240\055\240\053\206\051\150
+\164\164\160\072\057\057\143\162\154\056\143\145\162\164\151\147
+\156\141\056\146\162\057\143\145\162\164\151\147\156\141\162\157
+\157\164\143\141\056\143\162\154\060\061\240\057\240\055\206\053
+\150\164\164\160\072\057\057\143\162\154\056\144\150\151\155\171
+\157\164\151\163\056\143\157\155\057\143\145\162\164\151\147\156
+\141\162\157\157\164\143\141\056\143\162\154\060\015\006\011\052
+\206\110\206\367\015\001\001\013\005\000\003\202\002\001\000\224
+\270\236\117\360\343\225\010\042\347\315\150\101\367\034\125\325
+\174\000\342\055\072\211\135\150\070\057\121\042\013\112\215\313
+\351\273\135\076\273\134\075\261\050\376\344\123\125\023\317\241
+\220\033\002\035\137\146\106\011\063\050\341\015\044\227\160\323
+\020\037\352\144\127\226\273\135\332\347\304\214\117\114\144\106
+\035\134\207\343\131\336\102\321\233\250\176\246\211\335\217\034
+\311\060\202\355\073\234\315\300\351\031\340\152\330\002\165\067
+\253\367\064\050\050\221\362\004\012\117\065\343\140\046\001\372
+\320\021\214\371\021\152\356\257\075\303\120\323\217\137\063\171
+\074\206\250\163\105\220\214\040\266\162\163\027\043\276\007\145
+\345\170\222\015\272\001\300\353\214\034\146\277\254\206\167\001
+\224\015\234\346\351\071\215\037\246\121\214\231\014\071\167\341
+\264\233\372\034\147\127\157\152\152\216\251\053\114\127\171\172
+\127\042\317\315\137\143\106\215\134\131\072\206\370\062\107\142
+\243\147\015\030\221\334\373\246\153\365\110\141\163\043\131\216
+\002\247\274\104\352\364\111\235\361\124\130\371\140\257\332\030
+\244\057\050\105\334\172\240\210\206\135\363\073\347\377\051\065
+\200\374\144\103\224\346\343\034\157\276\255\016\052\143\231\053
+\311\176\205\366\161\350\006\003\225\376\336\217\110\034\132\324
+\222\350\053\356\347\061\333\272\004\152\207\230\347\305\137\357
+\175\247\042\367\001\330\115\371\211\320\016\232\005\131\244\236
+\230\331\157\053\312\160\276\144\302\125\243\364\351\257\303\222
+\051\334\210\026\044\231\074\215\046\230\266\133\267\314\316\267
+\067\007\375\046\331\230\205\044\377\131\043\003\232\355\235\235
+\250\344\136\070\316\327\122\015\157\322\077\155\261\005\153\111
+\316\212\221\106\163\364\366\057\360\250\163\167\016\145\254\241
+\215\146\122\151\176\113\150\014\307\036\067\047\203\245\214\307
+\002\344\024\315\111\001\260\163\263\375\306\220\072\157\322\154
+\355\073\356\354\221\276\242\103\135\213\000\112\146\045\104\160
+\336\100\017\370\174\025\367\242\316\074\327\136\023\214\201\027
+\030\027\321\275\361\167\020\072\324\145\071\301\047\254\127\054
+\045\124\377\242\332\117\212\141\071\136\256\075\112\214\275
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "Certigna Root CA"
+# Issuer: CN=Certigna Root CA,OU=0002 48146308100036,O=Dhimyotis,C=FR
+# Serial Number:00:ca:e9:1b:89:f1:55:03:0d:a3:e6:41:6d:c4:e3:a6:e1
+# Subject: CN=Certigna Root CA,OU=0002 48146308100036,O=Dhimyotis,C=FR
+# Not Valid Before: Tue Oct 01 08:32:27 2013
+# Not Valid After : Sat Oct 01 08:32:27 2033
+# Fingerprint (SHA-256): D4:8D:3D:23:EE:DB:50:A4:59:E5:51:97:60:1C:27:77:4B:9D:7B:18:C9:4D:5A:05:95:11:A1:02:50:B9:31:68
+# Fingerprint (SHA1): 2D:0D:52:14:FF:9E:AD:99:24:01:74:20:47:6E:6C:85:27:27:F5:43
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Certigna Root CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\055\015\122\024\377\236\255\231\044\001\164\040\107\156\154\205
+\047\047\365\103
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\016\134\060\142\047\353\133\274\327\256\142\272\351\325\337\167
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\106\122\061
+\022\060\020\006\003\125\004\012\014\011\104\150\151\155\171\157
+\164\151\163\061\034\060\032\006\003\125\004\013\014\023\060\060
+\060\062\040\064\070\061\064\066\063\060\070\061\060\060\060\063
+\066\061\031\060\027\006\003\125\004\003\014\020\103\145\162\164
+\151\147\156\141\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\021\000\312\351\033\211\361\125\003\015\243\346\101\155\304
+\343\246\341
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
diff --git a/security/nss/lib/ckfw/builtins/nssckbi.h b/security/nss/lib/ckfw/builtins/nssckbi.h
index d40c8080e..157d9c40d 100644
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -46,8 +46,8 @@
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 24
-#define NSS_BUILTINS_LIBRARY_VERSION "2.24"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 30
+#define NSS_BUILTINS_LIBRARY_VERSION "2.30"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
diff --git a/security/nss/lib/ckfw/ckfw.h b/security/nss/lib/ckfw/ckfw.h
index d4a2ead99..9e7e17e36 100644
--- a/security/nss/lib/ckfw/ckfw.h
+++ b/security/nss/lib/ckfw/ckfw.h
@@ -1604,8 +1604,8 @@ nssCKFWSession_InitPIN(
 NSS_EXTERN CK_RV
 nssCKFWSession_SetPIN(
     NSSCKFWSession *fwSession,
-    NSSItem *newPin,
-    NSSItem *oldPin);
+    const NSSItem *oldPin,
+    NSSItem *newPin);
 
 /*
  * nssCKFWSession_GetOperationStateLen
diff --git a/security/nss/lib/ckfw/session.c b/security/nss/lib/ckfw/session.c
index 7efedf403..e2613089b 100644
--- a/security/nss/lib/ckfw/session.c
+++ b/security/nss/lib/ckfw/session.c
@@ -871,7 +871,7 @@ nssCKFWSession_InitPIN(
 NSS_IMPLEMENT CK_RV
 nssCKFWSession_SetPIN(
     NSSCKFWSession *fwSession,
-    NSSItem *oldPin,
+    const NSSItem *oldPin,
     NSSItem *newPin)
 {
     CK_RV error = CKR_OK;
@@ -907,7 +907,7 @@ nssCKFWSession_SetPIN(
 
     error = fwSession->mdSession->SetPIN(fwSession->mdSession, fwSession,
                                          fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
-                                         fwSession->fwInstance, oldPin, newPin);
+                                         fwSession->fwInstance, (NSSItem *)oldPin, newPin);
 
     return error;
 }
diff --git a/security/nss/lib/cryptohi/cryptohi.h b/security/nss/lib/cryptohi/cryptohi.h
index e529fa34f..7b66f0b0b 100644
--- a/security/nss/lib/cryptohi/cryptohi.h
+++ b/security/nss/lib/cryptohi/cryptohi.h
@@ -14,7 +14,7 @@
 #include "secoidt.h"
 #include "secdert.h"
 #include "cryptoht.h"
-#include "keyt.h"
+#include "keythi.h"
 #include "certt.h"
 
 SEC_BEGIN_PROTOS
diff --git a/security/nss/lib/cryptohi/key.h b/security/nss/lib/cryptohi/key.h
index 3e89b74cb..8392031c5 100644
--- a/security/nss/lib/cryptohi/key.h
+++ b/security/nss/lib/cryptohi/key.h
@@ -2,11 +2,13 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-/* This header is deprecated.  Please include keyhi.h instead. */
-
 #ifndef _KEY_H_
 #define _KEY_H_
 
+#if defined(_MSC_VER) || defined(__GNUC__) || defined(__clang__)
+#pragma message("key.h is deprecated. Please include keyhi.h instead.")
+#endif
+
 #include "keyhi.h"
 
 #endif /* _KEY_H_ */
diff --git a/security/nss/lib/cryptohi/keyi.h b/security/nss/lib/cryptohi/keyi.h
index ee11fc905..b746d3c8d 100644
--- a/security/nss/lib/cryptohi/keyi.h
+++ b/security/nss/lib/cryptohi/keyi.h
@@ -17,8 +17,21 @@ KeyType seckey_GetKeyType(SECOidTag pubKeyOid);
 SECStatus sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
                            const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg);
 
-SECStatus sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
-                                      const SECKEYRSAPSSParams *params);
+/* extract the RSA-PSS hash algorithms and salt length from
+ * parameters, taking into account of the default implications.
+ *
+ * (parameters is the parameters field of a algorithm ID structure
+ * (SECAlgorithmID)*/
+SECStatus sec_DecodeRSAPSSParams(PLArenaPool *arena,
+                                 const SECItem *params,
+                                 SECOidTag *hashAlg,
+                                 SECOidTag *maskHashAlg,
+                                 unsigned long *saltLength);
+
+/* convert the encoded RSA-PSS parameters into PKCS #11 mechanism parameters */
+SECStatus sec_DecodeRSAPSSParamsToMechanism(PLArenaPool *arena,
+                                            const SECItem *params,
+                                            CK_RSA_PKCS_PSS_PARAMS *mech);
 
 SEC_END_PROTOS
 
diff --git a/security/nss/lib/cryptohi/keyt.h b/security/nss/lib/cryptohi/keyt.h
index 99da312f6..5a0d2c2e7 100644
--- a/security/nss/lib/cryptohi/keyt.h
+++ b/security/nss/lib/cryptohi/keyt.h
@@ -5,6 +5,10 @@
 #ifndef _KEYT_H_
 #define _KEYT_H_
 
+#if defined(_MSC_VER) || defined(__GNUC__) || defined(__clang__)
+#pragma message("keyt.h is deprecated. Please include keythi.h instead.")
+#endif
+
 #include "keythi.h"
 
 #endif /* _KEYT_H_ */
diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c
index 0f9353f3b..080909772 100644
--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -2015,66 +2015,63 @@ sec_GetMgfTypeByOidTag(SECOidTag tag)
 }
 
 SECStatus
-sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
-                            const SECKEYRSAPSSParams *params)
+sec_DecodeRSAPSSParams(PLArenaPool *arena,
+                       const SECItem *params,
+                       SECOidTag *retHashAlg, SECOidTag *retMaskHashAlg,
+                       unsigned long *retSaltLength)
 {
-    SECStatus rv = SECSuccess;
-    SECOidTag hashAlgTag;
+    SECKEYRSAPSSParams pssParams;
+    SECOidTag hashAlg;
+    SECOidTag maskHashAlg;
     unsigned long saltLength;
     unsigned long trailerField;
+    SECStatus rv;
 
-    PORT_Memset(mech, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS));
+    PORT_Memset(&pssParams, 0, sizeof(pssParams));
+    rv = SEC_QuickDERDecodeItem(arena, &pssParams,
+                                SECKEY_RSAPSSParamsTemplate,
+                                params);
+    if (rv != SECSuccess) {
+        return rv;
+    }
 
-    if (params->hashAlg) {
-        hashAlgTag = SECOID_GetAlgorithmTag(params->hashAlg);
+    if (pssParams.hashAlg) {
+        hashAlg = SECOID_GetAlgorithmTag(pssParams.hashAlg);
     } else {
-        hashAlgTag = SEC_OID_SHA1; /* default, SHA-1 */
-    }
-    mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlgTag);
-    if (mech->hashAlg == CKM_INVALID_MECHANISM) {
-        return SECFailure;
+        hashAlg = SEC_OID_SHA1; /* default, SHA-1 */
     }
 
-    if (params->maskAlg) {
-        SECAlgorithmID maskHashAlg;
-        SECOidTag maskHashAlgTag;
-        PORTCheapArenaPool tmpArena;
+    if (pssParams.maskAlg) {
+        SECAlgorithmID algId;
 
-        if (SECOID_GetAlgorithmTag(params->maskAlg) != SEC_OID_PKCS1_MGF1) {
+        if (SECOID_GetAlgorithmTag(pssParams.maskAlg) != SEC_OID_PKCS1_MGF1) {
             /* only MGF1 is known to PKCS#11 */
             PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
             return SECFailure;
         }
 
-        PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
-        rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &maskHashAlg,
+        rv = SEC_QuickDERDecodeItem(arena, &algId,
                                     SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
-                                    &params->maskAlg->parameters);
-        PORT_DestroyCheapArena(&tmpArena);
+                                    &pssParams.maskAlg->parameters);
         if (rv != SECSuccess) {
             return rv;
         }
-        maskHashAlgTag = SECOID_GetAlgorithmTag(&maskHashAlg);
-        mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlgTag);
-        if (mech->mgf == 0) {
-            return SECFailure;
-        }
+        maskHashAlg = SECOID_GetAlgorithmTag(&algId);
     } else {
-        mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */
+        maskHashAlg = SEC_OID_SHA1; /* default, MGF1 with SHA-1 */
     }
 
-    if (params->saltLength.data) {
-        rv = SEC_ASN1DecodeInteger((SECItem *)&params->saltLength, &saltLength);
+    if (pssParams.saltLength.data) {
+        rv = SEC_ASN1DecodeInteger((SECItem *)&pssParams.saltLength, &saltLength);
         if (rv != SECSuccess) {
             return rv;
         }
     } else {
         saltLength = 20; /* default, 20 */
     }
-    mech->sLen = saltLength;
 
-    if (params->trailerField.data) {
-        rv = SEC_ASN1DecodeInteger((SECItem *)&params->trailerField, &trailerField);
+    if (pssParams.trailerField.data) {
+        rv = SEC_ASN1DecodeInteger((SECItem *)&pssParams.trailerField, &trailerField);
         if (rv != SECSuccess) {
             return rv;
         }
@@ -2086,5 +2083,46 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
         }
     }
 
-    return rv;
+    if (retHashAlg) {
+        *retHashAlg = hashAlg;
+    }
+    if (retMaskHashAlg) {
+        *retMaskHashAlg = maskHashAlg;
+    }
+    if (retSaltLength) {
+        *retSaltLength = saltLength;
+    }
+
+    return SECSuccess;
+}
+
+SECStatus
+sec_DecodeRSAPSSParamsToMechanism(PLArenaPool *arena,
+                                  const SECItem *params,
+                                  CK_RSA_PKCS_PSS_PARAMS *mech)
+{
+    SECOidTag hashAlg;
+    SECOidTag maskHashAlg;
+    unsigned long saltLength;
+    SECStatus rv;
+
+    rv = sec_DecodeRSAPSSParams(arena, params,
+                                &hashAlg, &maskHashAlg, &saltLength);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlg);
+    if (mech->hashAlg == CKM_INVALID_MECHANISM) {
+        return SECFailure;
+    }
+
+    mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlg);
+    if (mech->mgf == 0) {
+        return SECFailure;
+    }
+
+    mech->sLen = saltLength;
+
+    return SECSuccess;
 }
diff --git a/security/nss/lib/cryptohi/secsign.c b/security/nss/lib/cryptohi/secsign.c
index dc10f2fa6..8a8d0f664 100644
--- a/security/nss/lib/cryptohi/secsign.c
+++ b/security/nss/lib/cryptohi/secsign.c
@@ -225,22 +225,13 @@ SGN_End(SGNContext *cx, SECItem *result)
         PORT_Memset(&mech, 0, sizeof(mech));
 
         if (cx->params && cx->params->data) {
-            SECKEYRSAPSSParams params;
-
             arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
             if (!arena) {
                 rv = SECFailure;
                 goto loser;
             }
 
-            PORT_Memset(&params, 0, sizeof(params));
-            rv = SEC_QuickDERDecodeItem(arena, &params,
-                                        SECKEY_RSAPSSParamsTemplate,
-                                        cx->params);
-            if (rv != SECSuccess) {
-                goto loser;
-            }
-            rv = sec_RSAPSSParamsToMechanism(&mech, &params);
+            rv = sec_DecodeRSAPSSParamsToMechanism(arena, cx->params, &mech);
             if (rv != SECSuccess) {
                 goto loser;
             }
diff --git a/security/nss/lib/cryptohi/secvfy.c b/security/nss/lib/cryptohi/secvfy.c
index 83c9c579d..aa3d6778c 100644
--- a/security/nss/lib/cryptohi/secvfy.c
+++ b/security/nss/lib/cryptohi/secvfy.c
@@ -161,7 +161,7 @@ verifyPKCS1DigestInfo(const VFYContext *cx, const SECItem *digest)
     pkcs1DigestInfo.len = cx->pkcs1RSADigestInfoLen;
     return _SGN_VerifyPKCS1DigestInfo(
         cx->hashAlg, digest, &pkcs1DigestInfo,
-        PR_TRUE /*XXX: unsafeAllowMissingParameters*/);
+        PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
 }
 
 /*
@@ -257,25 +257,13 @@ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
             break;
         case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
             if (param && param->data) {
-                SECKEYRSAPSSParams pssParam;
-                arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-                if (arena == NULL) {
-                    return SECFailure;
-                }
-                PORT_Memset(&pssParam, 0, sizeof pssParam);
-                rv = SEC_QuickDERDecodeItem(arena, &pssParam,
-                                            SECKEY_RSAPSSParamsTemplate,
-                                            param);
-                if (rv != SECSuccess) {
-                    PORT_FreeArena(arena, PR_FALSE);
-                    return rv;
-                }
-                if (pssParam.hashAlg) {
-                    *hashalg = SECOID_GetAlgorithmTag(pssParam.hashAlg);
-                } else {
-                    *hashalg = SEC_OID_SHA1; /* default, SHA-1 */
-                }
-                PORT_FreeArena(arena, PR_FALSE);
+                PORTCheapArenaPool tmpArena;
+
+                PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
+                rv = sec_DecodeRSAPSSParams(&tmpArena.arena, param,
+                                            hashalg, NULL, NULL);
+                PORT_DestroyCheapArena(&tmpArena);
+
                 /* only accept hash algorithms */
                 if (HASH_GetHashTypeByOidTag(*hashalg) == HASH_AlgNULL) {
                     /* error set by HASH_GetHashTypeByOidTag */
@@ -658,27 +646,17 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
             if (cx->encAlg == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
                 CK_RSA_PKCS_PSS_PARAMS mech;
                 SECItem mechItem = { siBuffer, (unsigned char *)&mech, sizeof(mech) };
-                SECKEYRSAPSSParams params;
-                PLArenaPool *arena;
+                PORTCheapArenaPool tmpArena;
 
-                arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-                if (arena == NULL) {
-                    return SECFailure;
-                }
-
-                PORT_Memset(&params, 0, sizeof(params));
-                rv = SEC_QuickDERDecodeItem(arena, &params,
-                                            SECKEY_RSAPSSParamsTemplate,
-                                            cx->params);
-                if (rv != SECSuccess) {
-                    PORT_FreeArena(arena, PR_FALSE);
-                    return SECFailure;
-                }
-                rv = sec_RSAPSSParamsToMechanism(&mech, &params);
-                PORT_FreeArena(arena, PR_FALSE);
+                PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
+                rv = sec_DecodeRSAPSSParamsToMechanism(&tmpArena.arena,
+                                                       cx->params,
+                                                       &mech);
+                PORT_DestroyCheapArena(&tmpArena);
                 if (rv != SECSuccess) {
                     return SECFailure;
                 }
+
                 rsasig.data = cx->u.buffer;
                 rsasig.len = SECKEY_SignatureLen(cx->key);
                 if (rsasig.len == 0) {
diff --git a/security/nss/lib/freebl/ctr.c b/security/nss/lib/freebl/ctr.c
index b7167d4c4..d7652c060 100644
--- a/security/nss/lib/freebl/ctr.c
+++ b/security/nss/lib/freebl/ctr.c
@@ -219,15 +219,18 @@ CTR_Update_HW_AES(CTRContext *ctr, unsigned char *outbuf,
         PORT_Assert(ctr->bufPtr == blocksize);
     }
 
-    intel_aes_ctr_worker(((AESContext *)(ctr->context))->Nr)(
-        ctr, outbuf, outlen, maxout, inbuf, inlen, blocksize);
-    /* XXX intel_aes_ctr_worker should set *outlen. */
-    PORT_Assert(*outlen == 0);
-    fullblocks = (inlen / blocksize) * blocksize;
-    *outlen += fullblocks;
-    outbuf += fullblocks;
-    inbuf += fullblocks;
-    inlen -= fullblocks;
+    if (inlen >= blocksize) {
+        rv = intel_aes_ctr_worker(((AESContext *)(ctr->context))->Nr)(
+            ctr, outbuf, outlen, maxout, inbuf, inlen, blocksize);
+        if (rv != SECSuccess) {
+            return SECFailure;
+        }
+        fullblocks = (inlen / blocksize) * blocksize;
+        *outlen += fullblocks;
+        outbuf += fullblocks;
+        inbuf += fullblocks;
+        inlen -= fullblocks;
+    }
 
     if (inlen == 0) {
         return SECSuccess;
diff --git a/security/nss/lib/freebl/freebl.gyp b/security/nss/lib/freebl/freebl.gyp
index 004807483..288ff07a3 100644
--- a/security/nss/lib/freebl/freebl.gyp
+++ b/security/nss/lib/freebl/freebl.gyp
@@ -7,6 +7,30 @@
   ],
   'targets': [
     {
+      'target_name': 'intel-gcm-s_lib',
+      'type': 'static_library',
+      'sources': [
+        'intel-aes.s',
+        'intel-gcm.s',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports'
+      ],
+      'conditions': [
+        [ 'cc_is_clang==1', {
+          'cflags': [
+            '-no-integrated-as',
+          ],
+          'cflags_mozilla': [
+            '-no-integrated-as',
+          ],
+          'asflags_mozilla': [
+            '-no-integrated-as',
+          ],
+        }],
+      ],
+    },
+    {
       'target_name': 'intel-gcm-wrap_c_lib',
       'type': 'static_library',
       'sources': [
@@ -15,12 +39,19 @@
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports'
       ],
+      'conditions': [
+        [ '(OS=="linux" or OS=="android") and target_arch=="x64"', {
+          'dependencies': [
+            'intel-gcm-s_lib',
+          ],
+        }],
+      ],
       'cflags': [
-        '-mssse3'
+        '-mssse3',
       ],
       'cflags_mozilla': [
         '-mssse3'
-      ]
+      ],
     },
     {
       # TODO: make this so that all hardware accelerated code is in here.
diff --git a/security/nss/lib/freebl/freebl_base.gypi b/security/nss/lib/freebl/freebl_base.gypi
index 1372994f4..76df71497 100644
--- a/security/nss/lib/freebl/freebl_base.gypi
+++ b/security/nss/lib/freebl/freebl_base.gypi
@@ -67,14 +67,12 @@
         [ 'target_arch=="x64"', {
           'sources': [
             'arcfour-amd64-gas.s',
-            'intel-aes.s',
-            'intel-gcm.s',
             'mpi/mpi_amd64.c',
             'mpi/mpi_amd64_gas.s',
             'mpi/mp_comba.c',
           ],
           'conditions': [
-            [ 'cc_is_clang==1', {
+            [ 'cc_is_clang==1 and fuzz!=1', {
               'cflags': [
                 '-no-integrated-as',
               ],
@@ -114,8 +112,7 @@
             'intel-gcm-x64-masm.asm',
           ],
         }],
-	      [ 'cc_use_gnu_ld!=1 and target_arch!="x64"', {
-          # not x64
+        [ 'cc_use_gnu_ld!=1 and target_arch=="ia32"', {
           'sources': [
             'mpi/mpi_x86_asm.c',
             'intel-aes-x86-masm.asm',
diff --git a/security/nss/lib/freebl/mpi/mpi.c b/security/nss/lib/freebl/mpi/mpi.c
index 8c893fb5f..401eac51d 100644
--- a/security/nss/lib/freebl/mpi/mpi.c
+++ b/security/nss/lib/freebl/mpi/mpi.c
@@ -4775,38 +4775,61 @@ mp_to_signed_octets(const mp_int *mp, unsigned char *str, mp_size maxlen)
 /* }}} */
 
 /* {{{ mp_to_fixlen_octets(mp, str) */
-/* output a buffer of big endian octets exactly as long as requested. */
+/* output a buffer of big endian octets exactly as long as requested.
+   constant time on the value of mp. */
 mp_err
 mp_to_fixlen_octets(const mp_int *mp, unsigned char *str, mp_size length)
 {
-    int ix, pos = 0;
+    int ix, jx;
     unsigned int bytes;
 
-    ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
-
-    bytes = mp_unsigned_octet_size(mp);
-    ARGCHK(bytes <= length, MP_BADARG);
+    ARGCHK(mp != NULL, MP_BADARG);
+    ARGCHK(str != NULL, MP_BADARG);
+    ARGCHK(!SIGN(mp), MP_BADARG);
+    ARGCHK(length > 0, MP_BADARG);
+
+    /* Constant time on the value of mp.  Don't use mp_unsigned_octet_size. */
+    bytes = USED(mp) * MP_DIGIT_SIZE;
+
+    /* If the output is shorter than the native size of mp, then check that any
+     * bytes not written have zero values.  This check isn't constant time on
+     * the assumption that timing-sensitive callers can guarantee that mp fits
+     * in the allocated space. */
+    ix = USED(mp) - 1;
+    if (bytes > length) {
+        unsigned int zeros = bytes - length;
+
+        while (zeros >= MP_DIGIT_SIZE) {
+            ARGCHK(DIGIT(mp, ix) == 0, MP_BADARG);
+            zeros -= MP_DIGIT_SIZE;
+            ix--;
+        }
 
-    /* place any needed leading zeros */
-    for (; length > bytes; --length) {
-        *str++ = 0;
+        if (zeros > 0) {
+            mp_digit d = DIGIT(mp, ix);
+            mp_digit m = ~0ULL << ((MP_DIGIT_SIZE - zeros) * CHAR_BIT);
+            ARGCHK((d & m) == 0, MP_BADARG);
+            for (jx = MP_DIGIT_SIZE - zeros - 1; jx >= 0; jx--) {
+                *str++ = d >> (jx * CHAR_BIT);
+            }
+            ix--;
+        }
+    } else if (bytes < length) {
+        /* Place any needed leading zeros. */
+        unsigned int zeros = length - bytes;
+        memset(str, 0, zeros);
+        str += zeros;
     }
 
-    /* Iterate over each digit... */
-    for (ix = USED(mp) - 1; ix >= 0; ix--) {
+    /* Iterate over each whole digit... */
+    for (; ix >= 0; ix--) {
         mp_digit d = DIGIT(mp, ix);
-        int jx;
 
         /* Unpack digit bytes, high order first */
-        for (jx = sizeof(mp_digit) - 1; jx >= 0; jx--) {
-            unsigned char x = (unsigned char)(d >> (jx * CHAR_BIT));
-            if (!pos && !x) /* suppress leading zeros */
-                continue;
-            str[pos++] = x;
+        for (jx = MP_DIGIT_SIZE - 1; jx >= 0; jx--) {
+            *str++ = d >> (jx * CHAR_BIT);
         }
     }
-    if (!pos)
-        str[pos++] = 0;
     return MP_OKAY;
 } /* end mp_to_fixlen_octets() */
 /* }}} */
diff --git a/security/nss/lib/freebl/mpi/mpi.h b/security/nss/lib/freebl/mpi/mpi.h
index 97af0f069..d5aef46d7 100644
--- a/security/nss/lib/freebl/mpi/mpi.h
+++ b/security/nss/lib/freebl/mpi/mpi.h
@@ -128,7 +128,8 @@ typedef int mp_sword;
 #define MP_WORD_MAX UINT_MAX
 #endif
 
-#define MP_DIGIT_BIT (CHAR_BIT * sizeof(mp_digit))
+#define MP_DIGIT_SIZE sizeof(mp_digit)
+#define MP_DIGIT_BIT (CHAR_BIT * MP_DIGIT_SIZE)
 #define MP_WORD_BIT (CHAR_BIT * sizeof(mp_word))
 #define MP_RADIX (1 + (mp_word)MP_DIGIT_MAX)
 
diff --git a/security/nss/lib/freebl/mpi/mpi_arm.c b/security/nss/lib/freebl/mpi/mpi_arm.c
index b5139f28d..27e4efdad 100644
--- a/security/nss/lib/freebl/mpi/mpi_arm.c
+++ b/security/nss/lib/freebl/mpi/mpi_arm.c
@@ -29,17 +29,17 @@ s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
         "1:\n"
         "mov     r4, #0\n"
         "ldr     r6, [%0], #4\n"
-        "umlal   r5, r4, r6, %2\n"
-        "str     r5, [%3], #4\n"
+        "umlal   r5, r4, r6, %3\n"
+        "str     r5, [%2], #4\n"
         "mov     r5, r4\n"
 
         "subs    %1, #1\n"
         "bne     1b\n"
 
         "2:\n"
-        "str     r5, [%3]\n"
-        :
-        : "r"(a), "r"(a_len), "r"(b), "r"(c)
+        "str     r5, [%2]\n"
+        : "+r"(a), "+l"(a_len), "+r"(c)
+        : "r"(b)
         : "memory", "cc", "%r4", "%r5", "%r6");
 }
 
@@ -57,22 +57,22 @@ s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
 
         "1:\n"
         "mov     r4, #0\n"
-        "ldr     r6, [%3]\n"
+        "ldr     r6, [%2]\n"
         "adds    r5, r6\n"
         "adc     r4, r4, #0\n"
 
         "ldr     r6, [%0], #4\n"
-        "umlal   r5, r4, r6, %2\n"
-        "str     r5, [%3], #4\n"
+        "umlal   r5, r4, r6, %3\n"
+        "str     r5, [%2], #4\n"
         "mov     r5, r4\n"
 
         "subs    %1, #1\n"
         "bne     1b\n"
 
         "2:\n"
-        "str     r5, [%3]\n"
-        :
-        : "r"(a), "r"(a_len), "r"(b), "r"(c)
+        "str     r5, [%2]\n"
+        : "+r"(a), "+l"(a_len), "+r"(c)
+        : "r"(b)
         : "memory", "cc", "%r4", "%r5", "%r6");
 }
 
@@ -87,12 +87,12 @@ s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
 
         "1:\n"
         "mov     r4, #0\n"
-        "ldr     r6, [%3]\n"
+        "ldr     r6, [%2]\n"
         "adds    r5, r6\n"
         "adc     r4, r4, #0\n"
         "ldr     r6, [%0], #4\n"
-        "umlal   r5, r4, r6, %2\n"
-        "str     r5, [%3], #4\n"
+        "umlal   r5, r4, r6, %3\n"
+        "str     r5, [%2], #4\n"
         "mov     r5, r4\n"
 
         "subs    %1, #1\n"
@@ -107,16 +107,16 @@ s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
 
         "2:\n"
         "mov     r4, #0\n"
-        "ldr     r6, [%3]\n"
+        "ldr     r6, [%2]\n"
         "adds    r5, r6\n"
         "adc     r4, r4, #0\n"
-        "str     r5, [%3], #4\n"
+        "str     r5, [%2], #4\n"
         "movs    r5, r4\n"
         "bne     2b\n"
 
         "3:\n"
-        :
-        : "r"(a), "r"(a_len), "r"(b), "r"(c)
+        : "+r"(a), "+l"(a_len), "+r"(c)
+        : "r"(b)
         : "memory", "cc", "%r4", "%r5", "%r6");
 }
 #endif
@@ -167,8 +167,8 @@ s_mpv_sqr_add_prop(const mp_digit *pa, mp_size a_len, mp_digit *ps)
         "bne     2b\n"
 
         "3:"
+        : "+r"(pa), "+r"(a_len), "+r"(ps)
         :
-        : "r"(pa), "r"(a_len), "r"(ps)
         : "memory", "cc", "%r3", "%r4", "%r5", "%r6");
 }
 #endif
diff --git a/security/nss/lib/freebl/rsapkcs.c b/security/nss/lib/freebl/rsapkcs.c
index ad18c8b73..875e4e28d 100644
--- a/security/nss/lib/freebl/rsapkcs.c
+++ b/security/nss/lib/freebl/rsapkcs.c
@@ -938,48 +938,56 @@ RSA_DecryptBlock(RSAPrivateKey *key,
                  const unsigned char *input,
                  unsigned int inputLen)
 {
-    SECStatus rv;
+    PRInt8 rv;
     unsigned int modulusLen = rsa_modulusLen(&key->modulus);
     unsigned int i;
-    unsigned char *buffer;
+    unsigned char *buffer = NULL;
+    unsigned int outLen = 0;
+    unsigned int copyOutLen = modulusLen - 11;
 
-    if (inputLen != modulusLen)
-        goto failure;
+    if (inputLen != modulusLen || modulusLen < 10) {
+        return SECFailure;
+    }
 
-    buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
-    if (!buffer)
-        goto failure;
+    if (copyOutLen > maxOutputLen) {
+        copyOutLen = maxOutputLen;
+    }
 
-    rv = RSA_PrivateKeyOp(key, buffer, input);
-    if (rv != SECSuccess)
-        goto loser;
+    // Allocate enough space to decrypt + copyOutLen to allow copying outLen later.
+    buffer = PORT_ZAlloc(modulusLen + 1 + copyOutLen);
+    if (!buffer) {
+        return SECFailure;
+    }
 
-    /* XXX(rsleevi): Constant time */
-    if (buffer[0] != RSA_BLOCK_FIRST_OCTET ||
-        buffer[1] != (unsigned char)RSA_BlockPublic) {
-        goto loser;
+    // rv is 0 if everything is going well and 1 if an error occurs.
+    rv = RSA_PrivateKeyOp(key, buffer, input) != SECSuccess;
+    rv |= (buffer[0] != RSA_BLOCK_FIRST_OCTET) |
+          (buffer[1] != (unsigned char)RSA_BlockPublic);
+
+    // There have to be at least 8 bytes of padding.
+    for (i = 2; i < 10; i++) {
+        rv |= buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET;
     }
-    *outputLen = 0;
-    for (i = 2; i < modulusLen; i++) {
-        if (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
-            *outputLen = modulusLen - i - 1;
-            break;
-        }
+
+    for (i = 10; i < modulusLen; i++) {
+        unsigned int newLen = modulusLen - i - 1;
+        unsigned int c = (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) & (outLen == 0);
+        outLen = constantTimeCondition(c, newLen, outLen);
     }
-    if (*outputLen == 0)
-        goto loser;
-    if (*outputLen > maxOutputLen)
-        goto loser;
+    rv |= outLen == 0;
+    rv |= outLen > maxOutputLen;
 
-    PORT_Memcpy(output, buffer + modulusLen - *outputLen, *outputLen);
+    // Note that output is set even if SECFailure is returned.
+    PORT_Memcpy(output, buffer + modulusLen - outLen, copyOutLen);
+    *outputLen = constantTimeCondition(outLen > maxOutputLen, maxOutputLen,
+                                       outLen);
 
     PORT_Free(buffer);
-    return SECSuccess;
 
-loser:
-    PORT_Free(buffer);
-failure:
-    return SECFailure;
+    for (i = 1; i < sizeof(rv) * 8; i <<= 1) {
+        rv |= rv << i;
+    }
+    return (SECStatus)rv;
 }
 
 /*
diff --git a/security/nss/lib/jar/jarint.h b/security/nss/lib/jar/jarint.h
index 21aecef89..0f40f931f 100644
--- a/security/nss/lib/jar/jarint.h
+++ b/security/nss/lib/jar/jarint.h
@@ -5,7 +5,7 @@
 /* JAR internal routines */
 
 #include "nspr.h"
-#include "key.h"
+#include "keyhi.h"
 #include "base64.h"
 
 extern CERTCertDBHandle *JAR_open_database(void);
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
index fa8f1851e..145dcff9a 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -2914,7 +2914,8 @@ PKIX_PL_Cert_CheckValidity(
         requiredUsages = ((PKIX_PL_NssContext*)plContext)->certificateUsage;
         allowOverride =
             (PRBool)((requiredUsages & certificateUsageSSLServer) ||
-                     (requiredUsages & certificateUsageSSLServerWithStepUp));
+                     (requiredUsages & certificateUsageSSLServerWithStepUp) ||
+                     (requiredUsages & certificateUsageIPsec));
         val = CERT_CheckCertValidTimes(cert->nssCert, timeToCheck, allowOverride);
         if (val != secCertTimeValid){
                 PKIX_ERROR(PKIX_CERTCHECKCERTVALIDTIMESFAILED);
@@ -3001,8 +3002,17 @@ PKIX_PL_Cert_VerifyCertAndKeyType(
     if (CERT_CheckKeyUsage(cert->nssCert, requiredKeyUsage) != SECSuccess) {
         PKIX_ERROR(PKIX_CERTCHECKKEYUSAGEFAILED);
     }
-    if (!(certType & requiredCertType)) {
-        PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
+    if (certUsage != certUsageIPsec) {
+        if (!(certType & requiredCertType)) {
+            PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
+        }
+    } else {
+        PRBool isCritical;
+        PRBool allowed = cert_EKUAllowsIPsecIKE(cert->nssCert, &isCritical);
+        /* If the extension isn't critical, we allow any EKU value. */
+        if (isCritical && !allowed) {
+            PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
+        }
     }
 cleanup:
     PKIX_DECREF(basicConstraints);
diff --git a/security/nss/lib/mozpkix/.clang-format b/security/nss/lib/mozpkix/.clang-format
new file mode 100644
index 000000000..06e3c5115
--- /dev/null
+++ b/security/nss/lib/mozpkix/.clang-format
@@ -0,0 +1,4 @@
+---
+Language: Cpp
+BasedOnStyle: Google
+...
diff --git a/security/nss/lib/mozpkix/exports.gyp b/security/nss/lib/mozpkix/exports.gyp
new file mode 100644
index 000000000..248efc910
--- /dev/null
+++ b/security/nss/lib/mozpkix/exports.gyp
@@ -0,0 +1,47 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../coreconf/config.gypi'
+  ],
+  'targets': [
+    {
+      'target_name': 'lib_mozpkix_exports',
+      'type': 'none',
+      'copies': [
+        {
+          'files': [
+            '<(DEPTH)/cpputil/nss_scoped_ptrs.h',
+            'include/pkix/Input.h',
+            'include/pkix/Time.h',
+            'include/pkix/Result.h',
+            'include/pkix/pkix.h',
+            'include/pkix/pkixnss.h',
+            'include/pkix/pkixtypes.h',
+            'include/pkix/pkixutil.h',
+            'include/pkix/pkixcheck.h',
+            'include/pkix/pkixder.h',
+          ],
+          'destination': '<(nss_public_dist_dir)/<(module)/mozpkix'
+        },
+      ],
+    },
+    {
+      'target_name': 'lib_mozpkix_test_exports',
+      'type': 'none',
+      'copies': [
+        {
+          'files': [
+            'include/pkix-test/pkixtestutil.h',
+            'include/pkix-test/pkixtestnss.h',
+          ],
+          'destination': '<(nss_public_dist_dir)/<(module)/mozpkix/test'
+        },
+      ],
+    }
+  ],
+  'variables': {
+    'module': 'nss'
+  }
+}
+\ No newline at end of file
diff --git a/security/nss/lib/mozpkix/include/pkix-test/pkixtestnss.h b/security/nss/lib/mozpkix/include/pkix-test/pkixtestnss.h
new file mode 100644
index 000000000..5ae776f6a
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix-test/pkixtestnss.h
@@ -0,0 +1,48 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2018 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// This file provides some implementation-specific test utilities. This is only
+// necessary because some PSM xpcshell test utilities overlap in functionality
+// with these test utilities, so the underlying implementation is shared.
+
+#ifndef mozilla_pkix_test_pkixtestnss_h
+#define mozilla_pkix_test_pkixtestnss_h
+
+#include <keyhi.h>
+#include <keythi.h>
+#include "mozpkix/nss_scoped_ptrs.h"
+#include "mozpkix/test/pkixtestutil.h"
+
+namespace mozilla {
+namespace pkix {
+namespace test {
+
+TestKeyPair* CreateTestKeyPair(const TestPublicKeyAlgorithm publicKeyAlg,
+                               const ScopedSECKEYPublicKey& publicKey,
+                               const ScopedSECKEYPrivateKey& privateKey);
+}
+}
+}  // namespace mozilla::pkix::test
+
+#endif  // mozilla_pkix_test_pkixtestnss_h
diff --git a/security/nss/lib/mozpkix/include/pkix-test/pkixtestutil.h b/security/nss/lib/mozpkix/include/pkix-test/pkixtestutil.h
new file mode 100644
index 000000000..55c435419
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix-test/pkixtestutil.h
@@ -0,0 +1,406 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_test_pkixtestutil_h
+#define mozilla_pkix_test_pkixtestutil_h
+
+#include <cstdint>
+#include <cstring>
+#include <ctime>
+#include <string>
+
+#include "mozpkix/pkixtypes.h"
+
+namespace mozilla {
+namespace pkix {
+namespace test {
+
+typedef std::basic_string<uint8_t> ByteString;
+
+inline bool ENCODING_FAILED(const ByteString& bs) { return bs.empty(); }
+
+template <size_t L>
+inline ByteString BytesToByteString(const uint8_t (&bytes)[L]) {
+  return ByteString(bytes, L);
+}
+
+// XXX: Ideally, we should define this instead:
+//
+//   template <typename T, std::size_t N>
+//   constexpr inline std::size_t
+//   ArrayLength(T (&)[N])
+//   {
+//     return N;
+//   }
+//
+// However, we don't because not all supported compilers support constexpr,
+// and we need to calculate array lengths in static_assert sometimes.
+//
+// XXX: Evaluates its argument twice
+#define MOZILLA_PKIX_ARRAY_LENGTH(x) (sizeof(x) / sizeof((x)[0]))
+
+bool InputEqualsByteString(Input input, const ByteString& bs);
+ByteString InputToByteString(Input input);
+
+// python DottedOIDToCode.py --tlv id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9
+static const uint8_t tlv_id_kp_OCSPSigning[] = {0x06, 0x08, 0x2b, 0x06, 0x01,
+                                                0x05, 0x05, 0x07, 0x03, 0x09};
+
+// python DottedOIDToCode.py --tlv id-kp-serverAuth 1.3.6.1.5.5.7.3.1
+static const uint8_t tlv_id_kp_serverAuth[] = {0x06, 0x08, 0x2b, 0x06, 0x01,
+                                               0x05, 0x05, 0x07, 0x03, 0x01};
+
+enum class TestDigestAlgorithmID {
+  MD2,
+  MD5,
+  SHA1,
+  SHA224,
+  SHA256,
+  SHA384,
+  SHA512,
+};
+
+struct TestPublicKeyAlgorithm {
+  explicit TestPublicKeyAlgorithm(const ByteString& aAlgorithmIdentifier)
+      : algorithmIdentifier(aAlgorithmIdentifier) {}
+  bool operator==(const TestPublicKeyAlgorithm& other) const {
+    return algorithmIdentifier == other.algorithmIdentifier;
+  }
+  ByteString algorithmIdentifier;
+};
+
+ByteString DSS_P();
+ByteString DSS_Q();
+ByteString DSS_G();
+
+TestPublicKeyAlgorithm DSS();
+TestPublicKeyAlgorithm RSA_PKCS1();
+
+struct TestSignatureAlgorithm {
+  TestSignatureAlgorithm(const TestPublicKeyAlgorithm& publicKeyAlg,
+                         TestDigestAlgorithmID digestAlg,
+                         const ByteString& algorithmIdentifier, bool accepted);
+
+  TestPublicKeyAlgorithm publicKeyAlg;
+  TestDigestAlgorithmID digestAlg;
+  ByteString algorithmIdentifier;
+  bool accepted;
+};
+
+TestSignatureAlgorithm md2WithRSAEncryption();
+TestSignatureAlgorithm md5WithRSAEncryption();
+TestSignatureAlgorithm sha1WithRSAEncryption();
+TestSignatureAlgorithm sha256WithRSAEncryption();
+
+// e.g. YMDHMS(2016, 12, 31, 1, 23, 45) => 2016-12-31:01:23:45 (GMT)
+mozilla::pkix::Time YMDHMS(uint16_t year, uint16_t month, uint16_t day,
+                           uint16_t hour, uint16_t minutes, uint16_t seconds);
+
+ByteString TLV(uint8_t tag, size_t length, const ByteString& value);
+
+inline ByteString TLV(uint8_t tag, const ByteString& value) {
+  return TLV(tag, value.length(), value);
+}
+
+// Although we can't enforce it without relying on Cuser-defined literals,
+// which aren't supported by all of our compilers yet, you should only pass
+// string literals as the last parameter to the following two functions.
+
+template <size_t N>
+inline ByteString TLV(uint8_t tag, const char (&value)[N]) {
+  static_assert(N > 0, "cannot have string literal of size 0");
+  assert(value[N - 1] == 0);
+  return TLV(tag, ByteString(reinterpret_cast<const uint8_t*>(&value), N - 1));
+}
+
+template <size_t N>
+inline ByteString TLV(uint8_t tag, size_t length, const char (&value)[N]) {
+  static_assert(N > 0, "cannot have string literal of size 0");
+  assert(value[N - 1] == 0);
+  return TLV(tag, length,
+             ByteString(reinterpret_cast<const uint8_t*>(&value), N - 1));
+}
+
+ByteString Boolean(bool value);
+ByteString Integer(long value);
+
+ByteString CN(const ByteString&, uint8_t encodingTag = 0x0c /*UTF8String*/);
+
+inline ByteString CN(const char* value,
+                     uint8_t encodingTag = 0x0c /*UTF8String*/) {
+  return CN(
+      ByteString(reinterpret_cast<const uint8_t*>(value), std::strlen(value)),
+      encodingTag);
+}
+
+ByteString OU(const ByteString&, uint8_t encodingTag = 0x0c /*UTF8String*/);
+
+inline ByteString OU(const char* value,
+                     uint8_t encodingTag = 0x0c /*UTF8String*/) {
+  return OU(
+      ByteString(reinterpret_cast<const uint8_t*>(value), std::strlen(value)),
+      encodingTag);
+}
+
+ByteString emailAddress(const ByteString&);
+
+inline ByteString emailAddress(const char* value) {
+  return emailAddress(
+      ByteString(reinterpret_cast<const uint8_t*>(value), std::strlen(value)));
+}
+
+// RelativeDistinguishedName ::=
+//   SET SIZE (1..MAX) OF AttributeTypeAndValue
+//
+ByteString RDN(const ByteString& avas);
+
+// Name ::= CHOICE { -- only one possibility for now --
+//   rdnSequence  RDNSequence }
+//
+// RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+//
+ByteString Name(const ByteString& rdns);
+
+inline ByteString CNToDERName(const ByteString& cn) {
+  return Name(RDN(CN(cn)));
+}
+
+inline ByteString CNToDERName(const char* cn) { return Name(RDN(CN(cn))); }
+
+// GeneralName ::= CHOICE {
+//      otherName                       [0]     OtherName,
+//      rfc822Name                      [1]     IA5String,
+//      dNSName                         [2]     IA5String,
+//      x400Address                     [3]     ORAddress,
+//      directoryName                   [4]     Name,
+//      ediPartyName                    [5]     EDIPartyName,
+//      uniformResourceIdentifier       [6]     IA5String,
+//      iPAddress                       [7]     OCTET STRING,
+//      registeredID                    [8]     OBJECT IDENTIFIER }
+
+inline ByteString RFC822Name(const ByteString& name) {
+  // (2 << 6) means "context-specific", 1 is the GeneralName tag.
+  return TLV((2 << 6) | 1, name);
+}
+
+template <size_t L>
+inline ByteString RFC822Name(const char (&bytes)[L]) {
+  return RFC822Name(
+      ByteString(reinterpret_cast<const uint8_t*>(&bytes), L - 1));
+}
+
+inline ByteString DNSName(const ByteString& name) {
+  // (2 << 6) means "context-specific", 2 is the GeneralName tag.
+  return TLV((2 << 6) | 2, name);
+}
+
+template <size_t L>
+inline ByteString DNSName(const char (&bytes)[L]) {
+  return DNSName(ByteString(reinterpret_cast<const uint8_t*>(&bytes), L - 1));
+}
+
+inline ByteString DirectoryName(const ByteString& name) {
+  // (2 << 6) means "context-specific", (1 << 5) means "constructed", and 4 is
+  // the DirectoryName tag.
+  return TLV((2 << 6) | (1 << 5) | 4, name);
+}
+
+inline ByteString IPAddress() {
+  // (2 << 6) means "context-specific", 7 is the GeneralName tag.
+  return TLV((2 << 6) | 7, ByteString());
+}
+
+template <size_t L>
+inline ByteString IPAddress(const uint8_t (&bytes)[L]) {
+  // (2 << 6) means "context-specific", 7 is the GeneralName tag.
+  return TLV((2 << 6) | 7, ByteString(bytes, L));
+}
+
+// Names should be zero or more GeneralNames, like DNSName and IPAddress return,
+// concatenated together.
+//
+// CreatedEncodedSubjectAltName(ByteString()) results in a SAN with an empty
+// sequence. CreateEmptyEncodedSubjectName() results in a SAN without any
+// sequence.
+ByteString CreateEncodedSubjectAltName(const ByteString& names);
+ByteString CreateEncodedEmptySubjectAltName();
+
+class TestKeyPair {
+ public:
+  virtual ~TestKeyPair() {}
+
+  const TestPublicKeyAlgorithm publicKeyAlg;
+
+  // The DER encoding of the entire SubjectPublicKeyInfo structure. This is
+  // what is encoded in certificates.
+  const ByteString subjectPublicKeyInfo;
+
+  // The DER encoding of subjectPublicKeyInfo.subjectPublicKey. This is what is
+  // hashed to create CertIDs for OCSP.
+  const ByteString subjectPublicKey;
+
+  virtual Result SignData(const ByteString& tbs,
+                          const TestSignatureAlgorithm& signatureAlgorithm,
+                          /*out*/ ByteString& signature) const = 0;
+
+  virtual TestKeyPair* Clone() const = 0;
+
+ protected:
+  TestKeyPair(const TestPublicKeyAlgorithm& publicKeyAlg,
+              const ByteString& spk);
+  TestKeyPair(const TestKeyPair&) = delete;
+  void operator=(const TestKeyPair&) = delete;
+};
+
+TestKeyPair* CloneReusedKeyPair();
+TestKeyPair* GenerateKeyPair();
+TestKeyPair* GenerateDSSKeyPair();
+inline void DeleteTestKeyPair(TestKeyPair* keyPair) { delete keyPair; }
+typedef std::unique_ptr<TestKeyPair> ScopedTestKeyPair;
+
+Result TestVerifyECDSASignedDigest(const SignedDigest& signedDigest,
+                                   Input subjectPublicKeyInfo);
+Result TestVerifyRSAPKCS1SignedDigest(const SignedDigest& signedDigest,
+                                      Input subjectPublicKeyInfo);
+Result TestDigestBuf(Input item, DigestAlgorithm digestAlg,
+                     /*out*/ uint8_t* digestBuf, size_t digestBufLen);
+
+// Replace one substring in item with another of the same length, but only if
+// the substring was found exactly once. The "same length" restriction is
+// useful for avoiding invalidating lengths encoded within the item. The
+// "only once" restriction is helpful for avoiding making accidental changes.
+//
+// The string to search for must be 8 or more bytes long so that it is
+// extremely unlikely that there will ever be any false positive matches
+// in digital signatures, keys, hashes, etc.
+Result TamperOnce(/*in/out*/ ByteString& item, const ByteString& from,
+                  const ByteString& to);
+
+///////////////////////////////////////////////////////////////////////////////
+// Encode Certificates
+
+enum Version { v1 = 0, v2 = 1, v3 = 2 };
+
+// signature is assumed to be the DER encoding of an AlgorithmIdentifer. It is
+// put into the signature field of the TBSCertificate. In most cases, it will
+// be the same as signatureAlgorithm, which is the algorithm actually used
+// to sign the certificate.
+// serialNumber is assumed to be the DER encoding of an INTEGER.
+//
+// If extensions is null, then no extensions will be encoded. Otherwise,
+// extensions must point to an array of ByteStrings, terminated with an empty
+// ByteString. (If the first item of the array is empty then an empty
+// Extensions sequence will be encoded.)
+ByteString CreateEncodedCertificate(
+    long version, const TestSignatureAlgorithm& signature,
+    const ByteString& serialNumber, const ByteString& issuerNameDER,
+    time_t notBefore, time_t notAfter, const ByteString& subjectNameDER,
+    const TestKeyPair& subjectKeyPair,
+    /*optional*/ const ByteString* extensions, const TestKeyPair& issuerKeyPair,
+    const TestSignatureAlgorithm& signatureAlgorithm);
+
+ByteString CreateEncodedSerialNumber(long value);
+
+enum class Critical { No = 0, Yes = 1 };
+
+ByteString CreateEncodedBasicConstraints(
+    bool isCA,
+    /*optional in*/ const long* pathLenConstraint, Critical critical);
+
+// Creates a DER-encoded extKeyUsage extension with one EKU OID.
+ByteString CreateEncodedEKUExtension(Input eku, Critical critical);
+
+///////////////////////////////////////////////////////////////////////////////
+// Encode OCSP responses
+
+class OCSPResponseExtension final {
+ public:
+  OCSPResponseExtension();
+
+  ByteString id;
+  bool critical;
+  ByteString value;
+  OCSPResponseExtension* next;
+};
+
+class OCSPResponseContext final {
+ public:
+  OCSPResponseContext(const CertID& certID, std::time_t time);
+
+  const CertID& certID;
+  // TODO(bug 980538): add a way to specify what certificates are included.
+
+  // The fields below are in the order that they appear in an OCSP response.
+
+  enum OCSPResponseStatus {
+    successful = 0,
+    malformedRequest = 1,
+    internalError = 2,
+    tryLater = 3,
+    // 4 is not used
+    sigRequired = 5,
+    unauthorized = 6,
+  };
+  uint8_t responseStatus;  // an OCSPResponseStatus or an invalid value
+  bool skipResponseBytes;  // If true, don't include responseBytes
+
+  // responderID
+  ByteString signerNameDER;  // If set, responderID will use the byName
+                             // form; otherwise responderID will use the
+                             // byKeyHash form.
+
+  std::time_t producedAt;
+
+  // SingleResponse extensions (for the certID given in the constructor).
+  OCSPResponseExtension* singleExtensions;
+  // ResponseData extensions.
+  OCSPResponseExtension* responseExtensions;
+  bool includeEmptyExtensions;  // If true, include the extension wrapper
+                                // regardless of if there are any actual
+                                // extensions.
+  ScopedTestKeyPair signerKeyPair;
+  TestSignatureAlgorithm signatureAlgorithm;
+  bool badSignature;        // If true, alter the signature to fail verification
+  const ByteString* certs;  // optional; array terminated by an empty string
+
+  // The following fields are on a per-SingleResponse basis. In the future we
+  // may support including multiple SingleResponses per response.
+  enum CertStatus {
+    good = 0,
+    revoked = 1,
+    unknown = 2,
+  };
+  uint8_t certStatus;          // CertStatus or an invalid value
+  std::time_t revocationTime;  // For certStatus == revoked
+  std::time_t thisUpdate;
+  std::time_t nextUpdate;
+  bool includeNextUpdate;
+};
+
+ByteString CreateEncodedOCSPResponse(OCSPResponseContext& context);
+}
+}
+}  // namespace mozilla::pkix::test
+
+#endif  // mozilla_pkix_test_pkixtestutil_h
diff --git a/security/nss/lib/mozpkix/include/pkix/Input.h b/security/nss/lib/mozpkix/include/pkix/Input.h
new file mode 100644
index 000000000..11b2a0f7e
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/Input.h
@@ -0,0 +1,310 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_Input_h
+#define mozilla_pkix_Input_h
+
+#include <algorithm>
+
+#include "mozpkix/Result.h"
+#include "stdint.h"
+
+namespace mozilla {
+namespace pkix {
+
+class Reader;
+
+// An Input is a safety-oriented immutable weak reference to a array of bytes
+// of a known size. The data can only be legally accessed by constructing a
+// Reader object, which guarantees all accesses to the data are memory safe.
+// Neither Input not Reader provide any facilities for modifying the data
+// they reference.
+//
+// Inputs are small and should usually be passed by value, not by reference,
+// though for inline functions the distinction doesn't matter:
+//
+//    Result GoodExample(Input input);
+//    Result BadExample(const Input& input);
+//    Result WorseExample(const uint8_t* input, size_t len);
+//
+// Note that in the example, GoodExample has the same performance
+// characteristics as WorseExample, but with much better safety guarantees.
+class Input final {
+ public:
+  typedef uint16_t size_type;
+
+  // This constructor is useful for inputs that are statically known to be of a
+  // fixed size, e.g.:
+  //
+  //   static const uint8_t EXPECTED_BYTES[] = { 0x00, 0x01, 0x02 };
+  //   const Input expected(EXPECTED_BYTES);
+  //
+  // This is equivalent to (and preferred over):
+  //
+  //   static const uint8_t EXPECTED_BYTES[] = { 0x00, 0x01, 0x02 };
+  //   Input expected;
+  //   Result rv = expected.Init(EXPECTED_BYTES, sizeof EXPECTED_BYTES);
+  template <size_type N>
+  explicit Input(const uint8_t (&aData)[N]) : data(aData), len(N) {}
+
+  // Construct a valid, empty, Init-able Input.
+  Input() : data(nullptr), len(0u) {}
+
+  // This is intentionally not explicit in order to allow value semantics.
+  Input(const Input&) = default;
+
+  // Initialize the input. data must be non-null and len must be less than
+  // 65536. Init may not be called more than once.
+  Result Init(const uint8_t* aData, size_t aLen) {
+    if (this->data) {
+      // already initialized
+      return Result::FATAL_ERROR_INVALID_ARGS;
+    }
+    if (!aData || aLen > 0xffffu) {
+      // input too large
+      return Result::ERROR_BAD_DER;
+    }
+
+    this->data = aData;
+    this->len = aLen;
+
+    return Success;
+  }
+
+  // Initialize the input to be equivalent to the given input. Init may not be
+  // called more than once.
+  //
+  // This is basically operator=, but it wasn't given that name because
+  // normally callers do not check the result of operator=, and normally
+  // operator= can be used multiple times.
+  Result Init(Input other) { return Init(other.data, other.len); }
+
+  // Returns the length of the input.
+  //
+  // Having the return type be size_type instead of size_t avoids the need for
+  // callers to ensure that the result is small enough.
+  size_type GetLength() const { return static_cast<size_type>(len); }
+
+  // Don't use this. It is here because we have some "friend" functions that we
+  // don't want to declare in this header file.
+  const uint8_t* UnsafeGetData() const { return data; }
+
+ private:
+  const uint8_t* data;
+  size_t len;
+
+  void operator=(const Input&) = delete;  // Use Init instead.
+};
+
+inline bool InputsAreEqual(const Input& a, const Input& b) {
+  return a.GetLength() == b.GetLength() &&
+         std::equal(a.UnsafeGetData(), a.UnsafeGetData() + a.GetLength(),
+                    b.UnsafeGetData());
+}
+
+// An Reader is a cursor/iterator through the contents of an Input, designed to
+// maximize safety during parsing while minimizing the performance cost of that
+// safety. In particular, all methods do strict bounds checking to ensure
+// buffer overflows are impossible, and they are all inline so that the
+// compiler can coalesce as many of those checks together as possible.
+//
+// In general, Reader allows for one byte of lookahead and no backtracking.
+// However, the Match* functions internally may have more lookahead.
+class Reader final {
+ public:
+  Reader() : input(nullptr), end(nullptr) {}
+
+  explicit Reader(Input aInput)
+      : input(aInput.UnsafeGetData()),
+        end(aInput.UnsafeGetData() + aInput.GetLength()) {}
+
+  Result Init(Input aInput) {
+    if (this->input) {
+      return Result::FATAL_ERROR_INVALID_ARGS;
+    }
+    this->input = aInput.UnsafeGetData();
+    this->end = aInput.UnsafeGetData() + aInput.GetLength();
+    return Success;
+  }
+
+  bool Peek(uint8_t expectedByte) const {
+    return input < end && *input == expectedByte;
+  }
+
+  Result Read(uint8_t& out) {
+    Result rv = EnsureLength(1);
+    if (rv != Success) {
+      return rv;
+    }
+    out = *input++;
+    return Success;
+  }
+
+  Result Read(uint16_t& out) {
+    Result rv = EnsureLength(2);
+    if (rv != Success) {
+      return rv;
+    }
+    out = *input++;
+    out <<= 8u;
+    out |= *input++;
+    return Success;
+  }
+
+  template <Input::size_type N>
+  bool MatchRest(const uint8_t (&toMatch)[N]) {
+    // Normally we use EnsureLength which compares (input + len < end), but
+    // here we want to be sure that there is nothing following the matched
+    // bytes
+    if (static_cast<size_t>(end - input) != N) {
+      return false;
+    }
+    if (!std::equal(input, end, toMatch)) {
+      return false;
+    }
+    input = end;
+    return true;
+  }
+
+  bool MatchRest(Input toMatch) {
+    // Normally we use EnsureLength which compares (input + len < end), but
+    // here we want to be sure that there is nothing following the matched
+    // bytes
+    size_t remaining = static_cast<size_t>(end - input);
+    if (toMatch.GetLength() != remaining) {
+      return false;
+    }
+    if (!std::equal(input, end, toMatch.UnsafeGetData())) {
+      return false;
+    }
+    input = end;
+    return true;
+  }
+
+  Result Skip(Input::size_type len) {
+    Result rv = EnsureLength(len);
+    if (rv != Success) {
+      return rv;
+    }
+    input += len;
+    return Success;
+  }
+
+  Result Skip(Input::size_type len, Reader& skipped) {
+    Result rv = EnsureLength(len);
+    if (rv != Success) {
+      return rv;
+    }
+    rv = skipped.Init(input, len);
+    if (rv != Success) {
+      return rv;
+    }
+    input += len;
+    return Success;
+  }
+
+  Result Skip(Input::size_type len, /*out*/ Input& skipped) {
+    Result rv = EnsureLength(len);
+    if (rv != Success) {
+      return rv;
+    }
+    rv = skipped.Init(input, len);
+    if (rv != Success) {
+      return rv;
+    }
+    input += len;
+    return Success;
+  }
+
+  void SkipToEnd() { input = end; }
+
+  Result SkipToEnd(/*out*/ Input& skipped) {
+    return Skip(static_cast<Input::size_type>(end - input), skipped);
+  }
+
+  Result EnsureLength(Input::size_type len) {
+    if (static_cast<size_t>(end - input) < len) {
+      return Result::ERROR_BAD_DER;
+    }
+    return Success;
+  }
+
+  bool AtEnd() const { return input == end; }
+
+  class Mark final {
+   public:
+    Mark(const Mark&) = default;  // Intentionally not explicit.
+   private:
+    friend class Reader;
+    Mark(const Reader& aInput, const uint8_t* aMark)
+        : input(aInput), mark(aMark) {}
+    const Reader& input;
+    const uint8_t* const mark;
+    void operator=(const Mark&) = delete;
+  };
+
+  Mark GetMark() const { return Mark(*this, input); }
+
+  Result GetInput(const Mark& mark, /*out*/ Input& item) {
+    if (&mark.input != this || mark.mark > input) {
+      return NotReached("invalid mark", Result::FATAL_ERROR_INVALID_ARGS);
+    }
+    return item.Init(mark.mark,
+                     static_cast<Input::size_type>(input - mark.mark));
+  }
+
+ private:
+  Result Init(const uint8_t* data, Input::size_type len) {
+    if (input) {
+      // already initialized
+      return Result::FATAL_ERROR_INVALID_ARGS;
+    }
+    input = data;
+    end = data + len;
+    return Success;
+  }
+
+  const uint8_t* input;
+  const uint8_t* end;
+
+  Reader(const Reader&) = delete;
+  void operator=(const Reader&) = delete;
+};
+
+inline bool InputContains(const Input& input, uint8_t toFind) {
+  Reader reader(input);
+  for (;;) {
+    uint8_t b;
+    if (reader.Read(b) != Success) {
+      return false;
+    }
+    if (b == toFind) {
+      return true;
+    }
+  }
+}
+}
+}  // namespace mozilla::pkix
+
+#endif  // mozilla_pkix_Input_h
diff --git a/security/nss/lib/mozpkix/include/pkix/Result.h b/security/nss/lib/mozpkix/include/pkix/Result.h
new file mode 100644
index 000000000..29461dc1a
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/Result.h
@@ -0,0 +1,219 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_Result_h
+#define mozilla_pkix_Result_h
+
+#include <cassert>
+
+namespace mozilla {
+namespace pkix {
+
+static const unsigned int FATAL_ERROR_FLAG = 0x800;
+
+// ----------------------------------------------------------------------------
+// SELECTED ERROR CODE EXPLANATIONS
+//
+// Result::ERROR_UNTRUSTED_CERT
+//         means that the end-entity certificate was actively distrusted.
+// Result::ERROR_UNTRUSTED_ISSUER
+//         means that path building failed because of active distrust.
+// Result::ERROR_INVALID_DER_TIME
+//         means the DER-encoded time was unexpected, such as being before the
+//         UNIX epoch (allowed by X500, but not valid here).
+// Result::ERROR_EXPIRED_CERTIFICATE
+//         means the end entity certificate expired.
+// Result::ERROR_EXPIRED_ISSUER_CERTIFICATE
+//         means the CA certificate expired.
+// Result::ERROR_UNKNOWN_ISSUER
+//         means that the CA could not be found in the root store.
+// Result::ERROR_POLICY_VALIDATION_FAILED
+//         means that an encoded policy could not be applied or wasn't present
+//         when expected. Usually this is in the context of Extended Validation.
+// Result::ERROR_BAD_CERT_DOMAIN
+//         means that the certificate's name couldn't be matched to the
+//         reference identifier.
+// Result::ERROR_CERT_NOT_IN_NAME_SPACE
+//         typically means the certificate violates name constraints applied
+//         by the issuer.
+// Result::ERROR_BAD_DER
+//         means the input was improperly encoded.
+// Result::ERROR_UNKNOWN_ERROR
+//         means that an external library (NSS) provided an error we didn't
+//         anticipate. See the map below in Result.h to add new ones.
+// Result::FATAL_ERROR_LIBRARY_FAILURE
+//         is an unexpected fatal error indicating a library had an unexpected
+//         failure, and we can't proceed.
+// Result::FATAL_ERROR_INVALID_ARGS
+//         means that we violated our own expectations on inputs and there's a
+//         bug somewhere.
+// Result::FATAL_ERROR_INVALID_STATE
+//         means that we violated our own expectations on state and there's a
+//         bug somewhere.
+// Result::FATAL_ERROR_NO_MEMORY
+//         means a memory allocation failed, prohibiting validation.
+// ----------------------------------------------------------------------------
+
+// The first argument to MOZILLA_PKIX_MAP() is used for building the mapping
+// from error code to error name in MapResultToName.
+//
+// The second argument is for defining the value for the enum literal in the
+// Result enum class.
+//
+// The third argument to MOZILLA_PKIX_MAP() is used, along with the first
+// argument, for maintaining the mapping of mozilla::pkix error codes to
+// NSS/NSPR error codes in pkixnss.cpp.
+#define MOZILLA_PKIX_MAP_LIST                                                  \
+  MOZILLA_PKIX_MAP(Success, 0, 0)                                              \
+  MOZILLA_PKIX_MAP(ERROR_BAD_DER, 1, SEC_ERROR_BAD_DER)                        \
+  MOZILLA_PKIX_MAP(ERROR_CA_CERT_INVALID, 2, SEC_ERROR_CA_CERT_INVALID)        \
+  MOZILLA_PKIX_MAP(ERROR_BAD_SIGNATURE, 3, SEC_ERROR_BAD_SIGNATURE)            \
+  MOZILLA_PKIX_MAP(ERROR_CERT_BAD_ACCESS_LOCATION, 4,                          \
+                   SEC_ERROR_CERT_BAD_ACCESS_LOCATION)                         \
+  MOZILLA_PKIX_MAP(ERROR_CERT_NOT_IN_NAME_SPACE, 5,                            \
+                   SEC_ERROR_CERT_NOT_IN_NAME_SPACE)                           \
+  MOZILLA_PKIX_MAP(ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, 6,                 \
+                   SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)                \
+  MOZILLA_PKIX_MAP(ERROR_CONNECT_REFUSED, 7, PR_CONNECT_REFUSED_ERROR)         \
+  MOZILLA_PKIX_MAP(ERROR_EXPIRED_CERTIFICATE, 8,                               \
+                   SEC_ERROR_EXPIRED_CERTIFICATE)                              \
+  MOZILLA_PKIX_MAP(ERROR_EXTENSION_VALUE_INVALID, 9,                           \
+                   SEC_ERROR_EXTENSION_VALUE_INVALID)                          \
+  MOZILLA_PKIX_MAP(ERROR_INADEQUATE_CERT_TYPE, 10,                             \
+                   SEC_ERROR_INADEQUATE_CERT_TYPE)                             \
+  MOZILLA_PKIX_MAP(ERROR_INADEQUATE_KEY_USAGE, 11,                             \
+                   SEC_ERROR_INADEQUATE_KEY_USAGE)                             \
+  MOZILLA_PKIX_MAP(ERROR_INVALID_ALGORITHM, 12, SEC_ERROR_INVALID_ALGORITHM)   \
+  MOZILLA_PKIX_MAP(ERROR_INVALID_DER_TIME, 13, SEC_ERROR_INVALID_TIME)         \
+  MOZILLA_PKIX_MAP(ERROR_KEY_PINNING_FAILURE, 14,                              \
+                   MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE)                     \
+  MOZILLA_PKIX_MAP(ERROR_PATH_LEN_CONSTRAINT_INVALID, 15,                      \
+                   SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID)                      \
+  MOZILLA_PKIX_MAP(ERROR_POLICY_VALIDATION_FAILED, 16,                         \
+                   SEC_ERROR_POLICY_VALIDATION_FAILED)                         \
+  MOZILLA_PKIX_MAP(ERROR_REVOKED_CERTIFICATE, 17,                              \
+                   SEC_ERROR_REVOKED_CERTIFICATE)                              \
+  MOZILLA_PKIX_MAP(ERROR_UNKNOWN_CRITICAL_EXTENSION, 18,                       \
+                   SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION)                       \
+  MOZILLA_PKIX_MAP(ERROR_UNKNOWN_ERROR, 19, PR_UNKNOWN_ERROR)                  \
+  MOZILLA_PKIX_MAP(ERROR_UNKNOWN_ISSUER, 20, SEC_ERROR_UNKNOWN_ISSUER)         \
+  MOZILLA_PKIX_MAP(ERROR_UNTRUSTED_CERT, 21, SEC_ERROR_UNTRUSTED_CERT)         \
+  MOZILLA_PKIX_MAP(ERROR_UNTRUSTED_ISSUER, 22, SEC_ERROR_UNTRUSTED_ISSUER)     \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_BAD_SIGNATURE, 23, SEC_ERROR_OCSP_BAD_SIGNATURE) \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_INVALID_SIGNING_CERT, 24,                        \
+                   SEC_ERROR_OCSP_INVALID_SIGNING_CERT)                        \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_MALFORMED_REQUEST, 25,                           \
+                   SEC_ERROR_OCSP_MALFORMED_REQUEST)                           \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_MALFORMED_RESPONSE, 26,                          \
+                   SEC_ERROR_OCSP_MALFORMED_RESPONSE)                          \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_OLD_RESPONSE, 27, SEC_ERROR_OCSP_OLD_RESPONSE)   \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_REQUEST_NEEDS_SIG, 28,                           \
+                   SEC_ERROR_OCSP_REQUEST_NEEDS_SIG)                           \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_RESPONDER_CERT_INVALID, 29,                      \
+                   SEC_ERROR_OCSP_RESPONDER_CERT_INVALID)                      \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_SERVER_ERROR, 30, SEC_ERROR_OCSP_SERVER_ERROR)   \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_TRY_SERVER_LATER, 31,                            \
+                   SEC_ERROR_OCSP_TRY_SERVER_LATER)                            \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_UNAUTHORIZED_REQUEST, 32,                        \
+                   SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST)                        \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_UNKNOWN_RESPONSE_STATUS, 33,                     \
+                   SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS)                     \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_UNKNOWN_CERT, 34, SEC_ERROR_OCSP_UNKNOWN_CERT)   \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_FUTURE_RESPONSE, 35,                             \
+                   SEC_ERROR_OCSP_FUTURE_RESPONSE)                             \
+  MOZILLA_PKIX_MAP(ERROR_INVALID_KEY, 36, SEC_ERROR_INVALID_KEY)               \
+  MOZILLA_PKIX_MAP(ERROR_UNSUPPORTED_KEYALG, 37, SEC_ERROR_UNSUPPORTED_KEYALG) \
+  MOZILLA_PKIX_MAP(ERROR_EXPIRED_ISSUER_CERTIFICATE, 38,                       \
+                   SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE)                       \
+  MOZILLA_PKIX_MAP(ERROR_CA_CERT_USED_AS_END_ENTITY, 39,                       \
+                   MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY)              \
+  MOZILLA_PKIX_MAP(ERROR_INADEQUATE_KEY_SIZE, 40,                              \
+                   MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE)                     \
+  MOZILLA_PKIX_MAP(ERROR_V1_CERT_USED_AS_CA, 41,                               \
+                   MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA)                      \
+  MOZILLA_PKIX_MAP(ERROR_BAD_CERT_DOMAIN, 42, SSL_ERROR_BAD_CERT_DOMAIN)       \
+  MOZILLA_PKIX_MAP(ERROR_NO_RFC822NAME_MATCH, 43,                              \
+                   MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH)                     \
+  MOZILLA_PKIX_MAP(ERROR_UNSUPPORTED_ELLIPTIC_CURVE, 44,                       \
+                   SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE)                       \
+  MOZILLA_PKIX_MAP(ERROR_NOT_YET_VALID_CERTIFICATE, 45,                        \
+                   MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE)               \
+  MOZILLA_PKIX_MAP(ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE, 46,                 \
+                   MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE)        \
+  MOZILLA_PKIX_MAP(ERROR_UNSUPPORTED_EC_POINT_FORM, 47,                        \
+                   SEC_ERROR_UNSUPPORTED_EC_POINT_FORM)                        \
+  MOZILLA_PKIX_MAP(ERROR_SIGNATURE_ALGORITHM_MISMATCH, 48,                     \
+                   MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH)            \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_RESPONSE_FOR_CERT_MISSING, 49,                   \
+                   MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING)          \
+  MOZILLA_PKIX_MAP(ERROR_VALIDITY_TOO_LONG, 50,                                \
+                   MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG)                       \
+  MOZILLA_PKIX_MAP(ERROR_REQUIRED_TLS_FEATURE_MISSING, 51,                     \
+                   MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING)            \
+  MOZILLA_PKIX_MAP(ERROR_INVALID_INTEGER_ENCODING, 52,                         \
+                   MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING)                \
+  MOZILLA_PKIX_MAP(ERROR_EMPTY_ISSUER_NAME, 53,                                \
+                   MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME)                       \
+  MOZILLA_PKIX_MAP(ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED, 54,              \
+                   MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED)     \
+  MOZILLA_PKIX_MAP(ERROR_SELF_SIGNED_CERT, 55,                                 \
+                   MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT)                        \
+  MOZILLA_PKIX_MAP(ERROR_MITM_DETECTED, 56, MOZILLA_PKIX_ERROR_MITM_DETECTED)  \
+  MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_ARGS, FATAL_ERROR_FLAG | 1,             \
+                   SEC_ERROR_INVALID_ARGS)                                     \
+  MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_STATE, FATAL_ERROR_FLAG | 2,            \
+                   PR_INVALID_STATE_ERROR)                                     \
+  MOZILLA_PKIX_MAP(FATAL_ERROR_LIBRARY_FAILURE, FATAL_ERROR_FLAG | 3,          \
+                   SEC_ERROR_LIBRARY_FAILURE)                                  \
+  MOZILLA_PKIX_MAP(FATAL_ERROR_NO_MEMORY, FATAL_ERROR_FLAG | 4,                \
+                   SEC_ERROR_NO_MEMORY)                                        \
+/* nothing here */
+
+enum class Result {
+#define MOZILLA_PKIX_MAP(name, value, nss_name) name = value,
+  MOZILLA_PKIX_MAP_LIST
+#undef MOZILLA_PKIX_MAP
+};
+
+// Returns the stringified name of the given result, e.g. "Result::Success",
+// or nullptr if result is unknown (invalid).
+const char* MapResultToName(Result result);
+
+// We write many comparisons as (x != Success), and this shortened name makes
+// those comparisons clearer, especially because the shortened name often
+// results in less line wrapping.
+static const Result Success = Result::Success;
+
+inline bool IsFatalError(Result rv) {
+  return (static_cast<unsigned int>(rv) & FATAL_ERROR_FLAG) != 0;
+}
+
+inline Result NotReached(const char* /*explanation*/, Result result) {
+  assert(false);
+  return result;
+}
+}
+}  // namespace mozilla::pkix
+
+#endif  // mozilla_pkix_Result_h
diff --git a/security/nss/lib/mozpkix/include/pkix/Time.h b/security/nss/lib/mozpkix/include/pkix/Time.h
new file mode 100644
index 000000000..8aea5479b
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/Time.h
@@ -0,0 +1,137 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_Time_h
+#define mozilla_pkix_Time_h
+
+#include <stdint.h>
+#include <ctime>
+#include <limits>
+
+#include "mozpkix/Result.h"
+
+namespace mozilla {
+namespace pkix {
+
+// Time with a range from the first second of year 0 (AD) through at least the
+// last second of year 9999, which is the range of legal times in X.509 and
+// OCSP. This type has second-level precision. The time zone is always UTC.
+//
+// Pass by value, not by reference.
+class Time final {
+ public:
+  // Construct an uninitialized instance.
+  //
+  // This will fail to compile because there is no default constructor:
+  //    Time x;
+  //
+  // This will succeed, leaving the time uninitialized:
+  //    Time x(Time::uninitialized);
+  enum Uninitialized { uninitialized };
+  explicit Time(Uninitialized) {}
+
+  bool operator==(const Time& other) const {
+    return elapsedSecondsAD == other.elapsedSecondsAD;
+  }
+  bool operator>(const Time& other) const {
+    return elapsedSecondsAD > other.elapsedSecondsAD;
+  }
+  bool operator>=(const Time& other) const {
+    return elapsedSecondsAD >= other.elapsedSecondsAD;
+  }
+  bool operator<(const Time& other) const {
+    return elapsedSecondsAD < other.elapsedSecondsAD;
+  }
+  bool operator<=(const Time& other) const {
+    return elapsedSecondsAD <= other.elapsedSecondsAD;
+  }
+
+  Result AddSeconds(uint64_t seconds) {
+    if (std::numeric_limits<uint64_t>::max() - elapsedSecondsAD < seconds) {
+      return Result::FATAL_ERROR_INVALID_ARGS;  // integer overflow
+    }
+    elapsedSecondsAD += seconds;
+    return Success;
+  }
+
+  Result SubtractSeconds(uint64_t seconds) {
+    if (seconds > elapsedSecondsAD) {
+      return Result::FATAL_ERROR_INVALID_ARGS;  // integer overflow
+    }
+    elapsedSecondsAD -= seconds;
+    return Success;
+  }
+
+  static const uint64_t ONE_DAY_IN_SECONDS =
+      UINT64_C(24) * UINT64_C(60) * UINT64_C(60);
+
+ private:
+  // This constructor is hidden to prevent accidents like this:
+  //
+  //    Time foo(time_t t)
+  //    {
+  //      // WRONG! 1970-01-01-00:00:00 == time_t(0), but not Time(0)!
+  //      return Time(t);
+  //    }
+  explicit Time(uint64_t aElapsedSecondsAD)
+      : elapsedSecondsAD(aElapsedSecondsAD) {}
+  friend Time TimeFromElapsedSecondsAD(uint64_t);
+  friend class Duration;
+
+  uint64_t elapsedSecondsAD;
+};
+
+inline Time TimeFromElapsedSecondsAD(uint64_t aElapsedSecondsAD) {
+  return Time(aElapsedSecondsAD);
+}
+
+Time Now();
+
+// Note the epoch is the unix epoch (ie 00:00:00 UTC, 1 January 1970)
+Time TimeFromEpochInSeconds(uint64_t secondsSinceEpoch);
+
+class Duration final {
+ public:
+  Duration(Time timeA, Time timeB)
+      : durationInSeconds(
+            timeA < timeB ? timeB.elapsedSecondsAD - timeA.elapsedSecondsAD
+                          : timeA.elapsedSecondsAD - timeB.elapsedSecondsAD) {}
+
+  explicit Duration(uint64_t aDurationInSeconds)
+      : durationInSeconds(aDurationInSeconds) {}
+
+  bool operator>(const Duration& other) const {
+    return durationInSeconds > other.durationInSeconds;
+  }
+  bool operator<(const Duration& other) const {
+    return durationInSeconds < other.durationInSeconds;
+  }
+
+ private:
+  uint64_t durationInSeconds;
+};
+}
+}  // namespace mozilla::pkix
+
+#endif  // mozilla_pkix_Time_h
diff --git a/security/nss/lib/mozpkix/include/pkix/pkix.h b/security/nss/lib/mozpkix/include/pkix/pkix.h
new file mode 100644
index 000000000..1cd6548e4
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/pkix.h
@@ -0,0 +1,160 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_pkix_h
+#define mozilla_pkix_pkix_h
+
+#include "mozpkix/pkixtypes.h"
+
+namespace mozilla {
+namespace pkix {
+
+// ----------------------------------------------------------------------------
+// LIMITED SUPPORT FOR CERTIFICATE POLICIES
+//
+// If SEC_OID_X509_ANY_POLICY is passed as the value of the requiredPolicy
+// parameter then all policy validation will be skipped. Otherwise, path
+// building and validation will be done for the given policy.
+//
+// In RFC 5280 terms:
+//
+//    * user-initial-policy-set = { requiredPolicy }.
+//    * initial-explicit-policy = true
+//    * initial-any-policy-inhibit = false
+//
+// We allow intermediate cerificates to use this extension but since
+// we do not process the inhibit anyPolicy extesion we will fail if this
+// extension is present. TODO(bug 989051)
+// Because we force explicit policy and because we prohibit policy mapping, we
+// do not bother processing the policy mapping, or policy constraint.
+//
+// ----------------------------------------------------------------------------
+// ERROR RANKING
+//
+// BuildCertChain prioritizes certain checks ahead of others so that when a
+// certificate chain has multiple errors, the "most serious" error is
+// returned. In practice, this ranking of seriousness is tied directly to how
+// Firefox's certificate error override mechanism.
+//
+// The ranking is:
+//
+//    1. Active distrust (Result::ERROR_UNTRUSTED_CERT).
+//    2. Problems with issuer-independent properties for CA certificates.
+//    3. Unknown issuer (Result::ERROR_UNKNOWN_ISSUER).
+//    4. Problems with issuer-independent properties for EE certificates.
+//    5. Revocation.
+//
+// In particular, if BuildCertChain returns Result::ERROR_UNKNOWN_ISSUER then
+// the caller can call CERT_CheckCertValidTimes to determine if the certificate
+// is ALSO expired.
+//
+// It would be better if revocation were prioritized above expiration and
+// unknown issuer. However, it is impossible to do revocation checking without
+// knowing the issuer, since the issuer information is needed to validate the
+// revocation information. Also, generally revocation checking only works
+// during the validity period of the certificate.
+//
+// In general, when path building fails, BuildCertChain will return
+// Result::ERROR_UNKNOWN_ISSUER. However, if all attempted paths resulted in
+// the same error (which is trivially true when there is only one potential
+// path), more specific errors will be returned.
+//
+// ----------------------------------------------------------------------------
+// Meanings of specific error codes can be found in Result.h
+
+// This function attempts to find a trustworthy path from the supplied
+// certificate to a trust anchor. In the event that no trusted path is found,
+// the method returns an error result; the error ranking is described above.
+//
+// Parameters:
+//  time:
+//         Timestamp for which the chain should be valid; this is useful to
+//         analyze whether a record was trustworthy when it was made.
+//  requiredKeyUsageIfPresent:
+//         What key usage bits must be set, if the extension is present at all,
+//         to be considered a valid chain. Multiple values should be OR'd
+//         together. If you don't want to specify anything, use
+//         KeyUsage::noParticularKeyUsageRequired.
+//  requiredEKUIfPresent:
+//         What extended key usage bits must be set, if the EKU extension
+//         exists, to be considered a valid chain. Multiple values should be
+//         OR'd together. If you don't want to specify anything, use
+//         KeyPurposeId::anyExtendedKeyUsage.
+//  requiredPolicy:
+//         This is the policy to apply; typically included in EV certificates.
+//         If there is no policy, pass in CertPolicyId::anyPolicy.
+Result BuildCertChain(TrustDomain& trustDomain, Input cert, Time time,
+                      EndEntityOrCA endEntityOrCA,
+                      KeyUsage requiredKeyUsageIfPresent,
+                      KeyPurposeId requiredEKUIfPresent,
+                      const CertPolicyId& requiredPolicy,
+                      /*optional*/ const Input* stapledOCSPResponse);
+
+// Verify that the given end-entity cert, which is assumed to have been already
+// validated with BuildCertChain, is valid for the given hostname. The matching
+// function attempts to implement RFC 6125 with a couple of differences:
+// - IP addresses are out of scope of RFC 6125, but this method accepts them for
+//   backward compatibility (see SearchNames in pkixnames.cpp)
+// - A wildcard in a DNS-ID may only appear as the entirety of the first label.
+Result CheckCertHostname(Input cert, Input hostname,
+                         NameMatchingPolicy& nameMatchingPolicy);
+
+// Construct an RFC-6960-encoded OCSP request, ready for submission to a
+// responder, for the provided CertID. The request has no extensions.
+static const size_t OCSP_REQUEST_MAX_LENGTH = 127;
+Result CreateEncodedOCSPRequest(TrustDomain& trustDomain, const CertID& certID,
+                                /*out*/ uint8_t (&out)[OCSP_REQUEST_MAX_LENGTH],
+                                /*out*/ size_t& outLen);
+
+// The out parameter expired will be true if the response has expired. If the
+// response also indicates a revoked or unknown certificate, that error
+// will be returned. Otherwise, Result::ERROR_OCSP_OLD_RESPONSE will be
+// returned for an expired response.
+//
+// The optional parameter thisUpdate will be the thisUpdate value of
+// the encoded response if it is considered trustworthy. Only
+// good, unknown, or revoked responses that verify correctly are considered
+// trustworthy. If the response is not trustworthy, thisUpdate will be 0.
+// Similarly, the optional parameter validThrough will be the time through
+// which the encoded response is considered trustworthy (that is, as long as
+// the given time at which to validate is less than or equal to validThrough,
+// the response will be considered trustworthy).
+Result VerifyEncodedOCSPResponse(
+    TrustDomain& trustDomain, const CertID& certID, Time time,
+    uint16_t maxLifetimeInDays, Input encodedResponse,
+    /* out */ bool& expired,
+    /* optional out */ Time* thisUpdate = nullptr,
+    /* optional out */ Time* validThrough = nullptr);
+
+// Check that the TLSFeature extensions in a given end-entity cert (which is
+// assumed to have been already validated with BuildCertChain) are satisfied.
+// The only feature which we cancurrently process a requirement for is
+// status_request (OCSP stapling) so we reject any extension that specifies a
+// requirement for another value. Empty extensions are also rejected.
+Result CheckTLSFeaturesAreSatisfied(Input& cert,
+                                    const Input* stapledOCSPResponse);
+}
+}  // namespace mozilla::pkix
+
+#endif  // mozilla_pkix_pkix_h
diff --git a/security/nss/lib/mozpkix/include/pkix/pkixcheck.h b/security/nss/lib/mozpkix/include/pkix/pkixcheck.h
new file mode 100644
index 000000000..e04780e57
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/pkixcheck.h
@@ -0,0 +1,65 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_pkixcheck_h
+#define mozilla_pkix_pkixcheck_h
+
+#include "mozpkix/pkixtypes.h"
+
+namespace mozilla {
+namespace pkix {
+
+class BackCert;
+
+Result CheckIssuerIndependentProperties(TrustDomain& trustDomain,
+                                        const BackCert& cert, Time time,
+                                        KeyUsage requiredKeyUsageIfPresent,
+                                        KeyPurposeId requiredEKUIfPresent,
+                                        const CertPolicyId& requiredPolicy,
+                                        unsigned int subCACount,
+                                        /*out*/ TrustLevel& trustLevel);
+
+Result CheckNameConstraints(Input encodedNameConstraints,
+                            const BackCert& firstChild,
+                            KeyPurposeId requiredEKUIfPresent);
+
+Result CheckIssuer(Input encodedIssuer);
+
+// ParseValidity and CheckValidity are usually used together.  First you parse
+// the dates from the DER Validity sequence, then you compare them to the time
+// at which you are validating.  They are separate so that the notBefore and
+// notAfter times can be used for other things before they are checked against
+// the time of validation.
+Result ParseValidity(Input encodedValidity,
+                     /*optional out*/ Time* notBeforeOut = nullptr,
+                     /*optional out*/ Time* notAfterOut = nullptr);
+Result CheckValidity(Time time, Time notBefore, Time notAfter);
+
+// Check that a subject has TLS Feature (rfc7633) requirements that match its
+// potential issuer
+Result CheckTLSFeatures(const BackCert& subject, BackCert& potentialIssuer);
+}
+}  // namespace mozilla::pkix
+
+#endif  // mozilla_pkix_pkixcheck_h
diff --git a/security/nss/lib/mozpkix/include/pkix/pkixder.h b/security/nss/lib/mozpkix/include/pkix/pkixder.h
new file mode 100644
index 000000000..3aae0ecf6
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/pkixder.h
@@ -0,0 +1,520 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_pkixder_h
+#define mozilla_pkix_pkixder_h
+
+// Expect* functions advance the input mark and return Success if the input
+// matches the given criteria; they fail with the input mark in an undefined
+// state if the input does not match the criteria.
+//
+// Match* functions advance the input mark and return true if the input matches
+// the given criteria; they return false without changing the input mark if the
+// input does not match the criteria.
+//
+// Skip* functions unconditionally advance the input mark and return Success if
+// they are able to do so; otherwise they fail with the input mark in an
+// undefined state.
+
+#include "mozpkix/Input.h"
+#include "mozpkix/pkixtypes.h"
+
+namespace mozilla {
+namespace pkix {
+namespace der {
+
+enum Class : uint8_t {
+  UNIVERSAL = 0 << 6,
+  // APPLICATION = 1 << 6, // unused
+  CONTEXT_SPECIFIC = 2 << 6,
+  // PRIVATE = 3 << 6 // unused
+};
+
+enum Constructed { CONSTRUCTED = 1 << 5 };
+
+enum Tag : uint8_t {
+  BOOLEAN = UNIVERSAL | 0x01,
+  INTEGER = UNIVERSAL | 0x02,
+  BIT_STRING = UNIVERSAL | 0x03,
+  OCTET_STRING = UNIVERSAL | 0x04,
+  NULLTag = UNIVERSAL | 0x05,
+  OIDTag = UNIVERSAL | 0x06,
+  ENUMERATED = UNIVERSAL | 0x0a,
+  UTF8String = UNIVERSAL | 0x0c,
+  SEQUENCE = UNIVERSAL | CONSTRUCTED | 0x10,  // 0x30
+  SET = UNIVERSAL | CONSTRUCTED | 0x11,       // 0x31
+  PrintableString = UNIVERSAL | 0x13,
+  TeletexString = UNIVERSAL | 0x14,
+  IA5String = UNIVERSAL | 0x16,
+  UTCTime = UNIVERSAL | 0x17,
+  GENERALIZED_TIME = UNIVERSAL | 0x18,
+};
+
+enum class EmptyAllowed { No = 0, Yes = 1 };
+
+Result ReadTagAndGetValue(Reader& input, /*out*/ uint8_t& tag,
+                          /*out*/ Input& value);
+Result End(Reader& input);
+
+inline Result ExpectTagAndGetValue(Reader& input, uint8_t tag,
+                                   /*out*/ Input& value) {
+  uint8_t actualTag;
+  Result rv = ReadTagAndGetValue(input, actualTag, value);
+  if (rv != Success) {
+    return rv;
+  }
+  if (tag != actualTag) {
+    return Result::ERROR_BAD_DER;
+  }
+  return Success;
+}
+
+inline Result ExpectTagAndGetValue(Reader& input, uint8_t tag,
+                                   /*out*/ Reader& value) {
+  Input valueInput;
+  Result rv = ExpectTagAndGetValue(input, tag, valueInput);
+  if (rv != Success) {
+    return rv;
+  }
+  return value.Init(valueInput);
+}
+
+inline Result ExpectTagAndEmptyValue(Reader& input, uint8_t tag) {
+  Reader value;
+  Result rv = ExpectTagAndGetValue(input, tag, value);
+  if (rv != Success) {
+    return rv;
+  }
+  return End(value);
+}
+
+inline Result ExpectTagAndSkipValue(Reader& input, uint8_t tag) {
+  Input ignoredValue;
+  return ExpectTagAndGetValue(input, tag, ignoredValue);
+}
+
+// Like ExpectTagAndGetValue, except the output Input will contain the
+// encoded tag and length along with the value.
+inline Result ExpectTagAndGetTLV(Reader& input, uint8_t tag,
+                                 /*out*/ Input& tlv) {
+  Reader::Mark mark(input.GetMark());
+  Result rv = ExpectTagAndSkipValue(input, tag);
+  if (rv != Success) {
+    return rv;
+  }
+  return input.GetInput(mark, tlv);
+}
+
+inline Result End(Reader& input) {
+  if (!input.AtEnd()) {
+    return Result::ERROR_BAD_DER;
+  }
+
+  return Success;
+}
+
+template <typename Decoder>
+inline Result Nested(Reader& input, uint8_t tag, Decoder decoder) {
+  Reader nested;
+  Result rv = ExpectTagAndGetValue(input, tag, nested);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = decoder(nested);
+  if (rv != Success) {
+    return rv;
+  }
+  return End(nested);
+}
+
+template <typename Decoder>
+inline Result Nested(Reader& input, uint8_t outerTag, uint8_t innerTag,
+                     Decoder decoder) {
+  Reader nestedInput;
+  Result rv = ExpectTagAndGetValue(input, outerTag, nestedInput);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = Nested(nestedInput, innerTag, decoder);
+  if (rv != Success) {
+    return rv;
+  }
+  return End(nestedInput);
+}
+
+// This can be used to decode constructs like this:
+//
+//     ...
+//     foos SEQUENCE OF Foo,
+//     ...
+//     Foo ::= SEQUENCE {
+//     }
+//
+// using code like this:
+//
+//    Result Foo(Reader& r) { /*...*/ }
+//
+//    rv = der::NestedOf(input, der::SEQEUENCE, der::SEQUENCE, Foo);
+//
+// or:
+//
+//    Result Bar(Reader& r, int value) { /*...*/ }
+//
+//    int value = /*...*/;
+//
+//    rv = der::NestedOf(input, der::SEQUENCE, [value](Reader& r) {
+//      return Bar(r, value);
+//    });
+//
+// In these examples the function will get called once for each element of
+// foos.
+//
+template <typename Decoder>
+inline Result NestedOf(Reader& input, uint8_t outerTag, uint8_t innerTag,
+                       EmptyAllowed mayBeEmpty, Decoder decoder) {
+  Reader inner;
+  Result rv = ExpectTagAndGetValue(input, outerTag, inner);
+  if (rv != Success) {
+    return rv;
+  }
+
+  if (inner.AtEnd()) {
+    if (mayBeEmpty != EmptyAllowed::Yes) {
+      return Result::ERROR_BAD_DER;
+    }
+    return Success;
+  }
+
+  do {
+    rv = Nested(inner, innerTag, decoder);
+    if (rv != Success) {
+      return rv;
+    }
+  } while (!inner.AtEnd());
+
+  return Success;
+}
+
+// Often, a function will need to decode an Input or Reader that contains
+// DER-encoded data wrapped in a SEQUENCE (or similar) with nothing after it.
+// This function reduces the boilerplate necessary for stripping the outermost
+// SEQUENCE (or similar) and ensuring that nothing follows it.
+inline Result ExpectTagAndGetValueAtEnd(Reader& outer, uint8_t expectedTag,
+                                        /*out*/ Reader& inner) {
+  Result rv = der::ExpectTagAndGetValue(outer, expectedTag, inner);
+  if (rv != Success) {
+    return rv;
+  }
+  return der::End(outer);
+}
+
+// Similar to the above, but takes an Input instead of a Reader&.
+inline Result ExpectTagAndGetValueAtEnd(Input outer, uint8_t expectedTag,
+                                        /*out*/ Reader& inner) {
+  Reader outerReader(outer);
+  return ExpectTagAndGetValueAtEnd(outerReader, expectedTag, inner);
+}
+
+// Universal types
+
+namespace internal {
+
+enum class IntegralValueRestriction {
+  NoRestriction,
+  MustBePositive,
+  MustBe0To127,
+};
+
+Result IntegralBytes(
+    Reader& input, uint8_t tag, IntegralValueRestriction valueRestriction,
+    /*out*/ Input& value,
+    /*optional out*/ Input::size_type* significantBytes = nullptr);
+
+// This parser will only parse values between 0..127. If this range is
+// increased then callers will need to be changed.
+Result IntegralValue(Reader& input, uint8_t tag, /*out*/ uint8_t& value);
+
+}  // namespace internal
+
+Result BitStringWithNoUnusedBits(Reader& input, /*out*/ Input& value);
+
+inline Result Boolean(Reader& input, /*out*/ bool& value) {
+  Reader valueReader;
+  Result rv = ExpectTagAndGetValue(input, BOOLEAN, valueReader);
+  if (rv != Success) {
+    return rv;
+  }
+
+  uint8_t intValue;
+  rv = valueReader.Read(intValue);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = End(valueReader);
+  if (rv != Success) {
+    return rv;
+  }
+  switch (intValue) {
+    case 0:
+      value = false;
+      return Success;
+    case 0xFF:
+      value = true;
+      return Success;
+    default:
+      return Result::ERROR_BAD_DER;
+  }
+}
+
+// This is for BOOLEAN DEFAULT FALSE.
+// The standard stipulates that "The encoding of a set value or sequence value
+// shall not include an encoding for any component value which is equal to its
+// default value." However, it appears to be common that other libraries
+// incorrectly include the value of a BOOLEAN even when it's equal to the
+// default value, so we allow invalid explicit encodings here.
+inline Result OptionalBoolean(Reader& input, /*out*/ bool& value) {
+  value = false;
+  if (input.Peek(BOOLEAN)) {
+    Result rv = Boolean(input, value);
+    if (rv != Success) {
+      return rv;
+    }
+  }
+  return Success;
+}
+
+// This parser will only parse values between 0..127. If this range is
+// increased then callers will need to be changed.
+inline Result Enumerated(Reader& input, uint8_t& value) {
+  return internal::IntegralValue(input, ENUMERATED | 0, value);
+}
+
+namespace internal {
+
+// internal::TimeChoice implements the shared functionality of GeneralizedTime
+// and TimeChoice. tag must be either UTCTime or GENERALIZED_TIME.
+//
+// Only times from 1970-01-01-00:00:00 onward are accepted, in order to
+// eliminate the chance for complications in converting times to traditional
+// time formats that start at 1970.
+Result TimeChoice(Reader& input, uint8_t tag, /*out*/ Time& time);
+
+}  // namespace internal
+
+// Only times from 1970-01-01-00:00:00 onward are accepted, in order to
+// eliminate the chance for complications in converting times to traditional
+// time formats that start at 1970.
+inline Result GeneralizedTime(Reader& input, /*out*/ Time& time) {
+  return internal::TimeChoice(input, GENERALIZED_TIME, time);
+}
+
+// Only times from 1970-01-01-00:00:00 onward are accepted, in order to
+// eliminate the chance for complications in converting times to traditional
+// time formats that start at 1970.
+inline Result TimeChoice(Reader& input, /*out*/ Time& time) {
+  uint8_t expectedTag = input.Peek(UTCTime) ? UTCTime : GENERALIZED_TIME;
+  return internal::TimeChoice(input, expectedTag, time);
+}
+
+// Parse a DER integer value into value. Empty values, negative values, and
+// zero are rejected. If significantBytes is not null, then it will be set to
+// the number of significant bytes in the value (the length of the value, less
+// the length of any leading padding), which is useful for key size checks.
+inline Result PositiveInteger(
+    Reader& input, /*out*/ Input& value,
+    /*optional out*/ Input::size_type* significantBytes = nullptr) {
+  return internal::IntegralBytes(
+      input, INTEGER, internal::IntegralValueRestriction::MustBePositive, value,
+      significantBytes);
+}
+
+// This parser will only parse values between 0..127. If this range is
+// increased then callers will need to be changed.
+inline Result Integer(Reader& input, /*out*/ uint8_t& value) {
+  return internal::IntegralValue(input, INTEGER, value);
+}
+
+// This parser will only parse values between 0..127. If this range is
+// increased then callers will need to be changed. The default value must be
+// -1; defaultValue is only a parameter to make it clear in the calling code
+// what the default value is.
+inline Result OptionalInteger(Reader& input, long defaultValue,
+                              /*out*/ long& value) {
+  // If we need to support a different default value in the future, we need to
+  // test that parsedValue != defaultValue.
+  if (defaultValue != -1) {
+    return Result::FATAL_ERROR_INVALID_ARGS;
+  }
+
+  if (!input.Peek(INTEGER)) {
+    value = defaultValue;
+    return Success;
+  }
+
+  uint8_t parsedValue;
+  Result rv = Integer(input, parsedValue);
+  if (rv != Success) {
+    return rv;
+  }
+  value = parsedValue;
+  return Success;
+}
+
+inline Result Null(Reader& input) {
+  return ExpectTagAndEmptyValue(input, NULLTag);
+}
+
+template <uint8_t Len>
+Result OID(Reader& input, const uint8_t (&expectedOid)[Len]) {
+  Reader value;
+  Result rv = ExpectTagAndGetValue(input, OIDTag, value);
+  if (rv != Success) {
+    return rv;
+  }
+  if (!value.MatchRest(expectedOid)) {
+    return Result::ERROR_BAD_DER;
+  }
+  return Success;
+}
+
+// PKI-specific types
+
+inline Result CertificateSerialNumber(Reader& input, /*out*/ Input& value) {
+  // http://tools.ietf.org/html/rfc5280#section-4.1.2.2:
+  //
+  // * "The serial number MUST be a positive integer assigned by the CA to
+  //   each certificate."
+  // * "Certificate users MUST be able to handle serialNumber values up to 20
+  //   octets. Conforming CAs MUST NOT use serialNumber values longer than 20
+  //   octets."
+  // * "Note: Non-conforming CAs may issue certificates with serial numbers
+  //   that are negative or zero.  Certificate users SHOULD be prepared to
+  //   gracefully handle such certificates."
+  return internal::IntegralBytes(
+      input, INTEGER, internal::IntegralValueRestriction::NoRestriction, value);
+}
+
+// x.509 and OCSP both use this same version numbering scheme, though OCSP
+// only supports v1.
+enum class Version { v1 = 0, v2 = 1, v3 = 2, v4 = 3, Uninitialized = 255 };
+
+// X.509 Certificate and OCSP ResponseData both use
+// "[0] EXPLICIT Version DEFAULT v1". Although an explicit encoding of v1 is
+// illegal, we support it because some real-world OCSP responses explicitly
+// encode it.
+Result OptionalVersion(Reader& input, /*out*/ Version& version);
+
+template <typename ExtensionHandler>
+inline Result OptionalExtensions(Reader& input, uint8_t tag,
+                                 ExtensionHandler extensionHandler) {
+  if (!input.Peek(tag)) {
+    return Success;
+  }
+
+  return Nested(input, tag, [extensionHandler](Reader& tagged) {
+    // Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+    //
+    // TODO(bug 997994): According to the specification, there should never be
+    // an empty sequence of extensions but we've found OCSP responses that have
+    // that (see bug 991898).
+    return NestedOf(
+        tagged, SEQUENCE, SEQUENCE, EmptyAllowed::Yes,
+        [extensionHandler](Reader& extension) -> Result {
+          // Extension  ::=  SEQUENCE  {
+          //      extnID      OBJECT IDENTIFIER,
+          //      critical    BOOLEAN DEFAULT FALSE,
+          //      extnValue   OCTET STRING
+          //      }
+          Reader extnID;
+          Result rv = ExpectTagAndGetValue(extension, OIDTag, extnID);
+          if (rv != Success) {
+            return rv;
+          }
+          bool critical;
+          rv = OptionalBoolean(extension, critical);
+          if (rv != Success) {
+            return rv;
+          }
+          Input extnValue;
+          rv = ExpectTagAndGetValue(extension, OCTET_STRING, extnValue);
+          if (rv != Success) {
+            return rv;
+          }
+          bool understood = false;
+          rv = extensionHandler(extnID, extnValue, critical, understood);
+          if (rv != Success) {
+            return rv;
+          }
+          if (critical && !understood) {
+            return Result::ERROR_UNKNOWN_CRITICAL_EXTENSION;
+          }
+          return Success;
+        });
+  });
+}
+
+Result DigestAlgorithmIdentifier(Reader& input,
+                                 /*out*/ DigestAlgorithm& algorithm);
+
+enum class PublicKeyAlgorithm { RSA_PKCS1, ECDSA, Uninitialized };
+
+Result SignatureAlgorithmIdentifierValue(
+    Reader& input,
+    /*out*/ PublicKeyAlgorithm& publicKeyAlgorithm,
+    /*out*/ DigestAlgorithm& digestAlgorithm);
+
+struct SignedDataWithSignature final {
+ public:
+  Input data;
+  Input algorithm;
+  Input signature;
+
+  void operator=(const SignedDataWithSignature&) = delete;
+};
+
+// Parses a SEQUENCE into tbs and then parses an AlgorithmIdentifier followed
+// by a BIT STRING into signedData. This handles the commonality between
+// parsing the signed/signature fields of certificates and OCSP responses. In
+// the case of an OCSP response, the caller needs to parse the certs
+// separately.
+//
+// Note that signatureAlgorithm is NOT parsed or validated.
+//
+// Certificate  ::=  SEQUENCE  {
+//        tbsCertificate       TBSCertificate,
+//        signatureAlgorithm   AlgorithmIdentifier,
+//        signatureValue       BIT STRING  }
+//
+// BasicOCSPResponse       ::= SEQUENCE {
+//    tbsResponseData      ResponseData,
+//    signatureAlgorithm   AlgorithmIdentifier,
+//    signature            BIT STRING,
+//    certs            [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+Result SignedData(Reader& input, /*out*/ Reader& tbs,
+                  /*out*/ SignedDataWithSignature& signedDataWithSignature);
+}
+}
+}  // namespace mozilla::pkix::der
+
+#endif  // mozilla_pkix_pkixder_h
diff --git a/security/nss/lib/mozpkix/include/pkix/pkixnss.h b/security/nss/lib/mozpkix/include/pkix/pkixnss.h
new file mode 100644
index 000000000..b181ca541
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/pkixnss.h
@@ -0,0 +1,106 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_pkixnss_h
+#define mozilla_pkix_pkixnss_h
+
+#include <seccomon.h>
+#include "mozpkix/pkixtypes.h"
+#include "prerror.h"
+
+namespace mozilla {
+namespace pkix {
+
+// Verifies the PKCS#1.5 signature on the given data using the given RSA public
+// key.
+Result VerifyRSAPKCS1SignedDigestNSS(const SignedDigest& sd,
+                                     Input subjectPublicKeyInfo,
+                                     void* pkcs11PinArg);
+
+// Verifies the ECDSA signature on the given data using the given ECC public
+// key.
+Result VerifyECDSASignedDigestNSS(const SignedDigest& sd,
+                                  Input subjectPublicKeyInfo,
+                                  void* pkcs11PinArg);
+
+// Computes the digest of the given data using the given digest algorithm.
+//
+// item contains the data to hash.
+// digestBuf must point to a buffer to where the digest will be written.
+// digestBufLen must be the size of the buffer, which must be exactly equal
+//              to the size of the digest output (20 for SHA-1, 32 for SHA-256,
+//              etc.)
+//
+// TODO: Taking the output buffer as (uint8_t*, size_t) is counter to our
+// other, extensive, memory safety efforts in mozilla::pkix, and we should find
+// a way to provide a more-obviously-safe interface.
+Result DigestBufNSS(Input item, DigestAlgorithm digestAlg,
+                    /*out*/ uint8_t* digestBuf, size_t digestBufLen);
+
+Result MapPRErrorCodeToResult(PRErrorCode errorCode);
+PRErrorCode MapResultToPRErrorCode(Result result);
+
+// The error codes within each module must fit in 16 bits. We want these
+// errors to fit in the same module as the NSS errors but not overlap with
+// any of them. Converting an NSS SEC, NSS SSL, or PSM error to an NS error
+// involves negating the value of the error and then synthesizing an error
+// in the NS_ERROR_MODULE_SECURITY module. Hence, PSM errors will start at
+// a negative value that both doesn't overlap with the current value
+// ranges for NSS errors and that will fit in 16 bits when negated.
+static const PRErrorCode ERROR_BASE = -0x4000;
+static const PRErrorCode ERROR_LIMIT = ERROR_BASE + 1000;
+
+enum ErrorCode {
+  MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0,
+  MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1,
+  MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = ERROR_BASE + 2,
+  MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA = ERROR_BASE + 3,
+  MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH = ERROR_BASE + 4,
+  MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE = ERROR_BASE + 5,
+  MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE = ERROR_BASE + 6,
+  MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH = ERROR_BASE + 7,
+  MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING = ERROR_BASE + 8,
+  MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG = ERROR_BASE + 9,
+  MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING = ERROR_BASE + 10,
+  MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING = ERROR_BASE + 11,
+  MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME = ERROR_BASE + 12,
+  MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED = ERROR_BASE + 13,
+  MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT = ERROR_BASE + 14,
+  MOZILLA_PKIX_ERROR_MITM_DETECTED = ERROR_BASE + 15,
+  END_OF_LIST
+};
+
+void RegisterErrorTable();
+
+inline SECItem UnsafeMapInputToSECItem(Input input) {
+  SECItem result = {siBuffer, const_cast<uint8_t*>(input.UnsafeGetData()),
+                    input.GetLength()};
+  static_assert(sizeof(decltype(input.GetLength())) <= sizeof(result.len),
+                "input.GetLength() must fit in a SECItem");
+  return result;
+}
+}
+}  // namespace mozilla::pkix
+
+#endif  // mozilla_pkix_pkixnss_h
diff --git a/security/nss/lib/mozpkix/include/pkix/pkixtypes.h b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
new file mode 100644
index 000000000..6b12edbb1
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
@@ -0,0 +1,400 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_pkixtypes_h
+#define mozilla_pkix_pkixtypes_h
+
+#include <memory>
+
+#include "mozpkix/Input.h"
+#include "mozpkix/Time.h"
+#include "stdint.h"
+
+namespace mozilla {
+namespace pkix {
+
+enum class DigestAlgorithm {
+  sha512 = 1,
+  sha384 = 2,
+  sha256 = 3,
+  sha1 = 4,
+};
+
+enum class NamedCurve {
+  // secp521r1 (OID 1.3.132.0.35, RFC 5480)
+  secp521r1 = 1,
+
+  // secp384r1 (OID 1.3.132.0.34, RFC 5480)
+  secp384r1 = 2,
+
+  // secp256r1 (OID 1.2.840.10045.3.1.7, RFC 5480)
+  secp256r1 = 3,
+};
+
+struct SignedDigest final {
+  Input digest;
+  DigestAlgorithm digestAlgorithm;
+  Input signature;
+
+  void operator=(const SignedDigest&) = delete;
+};
+
+enum class EndEntityOrCA { MustBeEndEntity = 0, MustBeCA = 1 };
+
+enum class KeyUsage : uint8_t {
+  digitalSignature = 0,
+  nonRepudiation = 1,
+  keyEncipherment = 2,
+  dataEncipherment = 3,
+  keyAgreement = 4,
+  keyCertSign = 5,
+  // cRLSign       = 6,
+  // encipherOnly  = 7,
+  // decipherOnly  = 8,
+  noParticularKeyUsageRequired = 0xff,
+};
+
+enum class KeyPurposeId {
+  anyExtendedKeyUsage = 0,
+  id_kp_serverAuth = 1,       // id-kp-serverAuth
+  id_kp_clientAuth = 2,       // id-kp-clientAuth
+  id_kp_codeSigning = 3,      // id-kp-codeSigning
+  id_kp_emailProtection = 4,  // id-kp-emailProtection
+  id_kp_OCSPSigning = 9,      // id-kp-OCSPSigning
+};
+
+struct CertPolicyId final {
+  uint16_t numBytes;
+  static const uint16_t MAX_BYTES = 24;
+  uint8_t bytes[MAX_BYTES];
+
+  bool IsAnyPolicy() const;
+  bool operator==(const CertPolicyId& other) const;
+
+  static const CertPolicyId anyPolicy;
+};
+
+enum class TrustLevel {
+  TrustAnchor = 1,         // certificate is a trusted root CA certificate or
+                           // equivalent *for the given policy*.
+  ActivelyDistrusted = 2,  // certificate is known to be bad
+  InheritsTrust = 3        // certificate must chain to a trust anchor
+};
+
+// Extensions extracted during the verification flow.
+// See TrustDomain::NoteAuxiliaryExtension.
+enum class AuxiliaryExtension {
+  // Certificate Transparency data, specifically Signed Certificate
+  // Timestamps (SCTs). See RFC 6962.
+
+  // SCT list embedded in the end entity certificate. Called by BuildCertChain
+  // after the certificate containing the SCTs has passed the revocation checks.
+  EmbeddedSCTList = 1,
+  // SCT list from OCSP response. Called by VerifyEncodedOCSPResponse
+  // when its result is a success and the SCT list is present.
+  SCTListFromOCSPResponse = 2
+};
+
+// CertID references the information needed to do revocation checking for the
+// certificate issued by the given issuer with the given serial number.
+//
+// issuer must be the DER-encoded issuer field from the certificate for which
+// revocation checking is being done, **NOT** the subject field of the issuer
+// certificate. (Those two fields must be equal to each other, but they may not
+// be encoded exactly the same, and the encoding matters for OCSP.)
+// issuerSubjectPublicKeyInfo is the entire DER-encoded subjectPublicKeyInfo
+// field from the issuer's certificate. serialNumber is the entire DER-encoded
+// serial number from the subject certificate (the certificate for which we are
+// checking the revocation status).
+struct CertID final {
+ public:
+  CertID(Input aIssuer, Input aIssuerSubjectPublicKeyInfo, Input aSerialNumber)
+      : issuer(aIssuer),
+        issuerSubjectPublicKeyInfo(aIssuerSubjectPublicKeyInfo),
+        serialNumber(aSerialNumber) {}
+  const Input issuer;
+  const Input issuerSubjectPublicKeyInfo;
+  const Input serialNumber;
+
+  void operator=(const CertID&) = delete;
+};
+typedef std::unique_ptr<CertID> ScopedCertID;
+
+class DERArray {
+ public:
+  // Returns the number of DER-encoded items in the array.
+  virtual size_t GetLength() const = 0;
+
+  // Returns a weak (non-owning) pointer the ith DER-encoded item in the array
+  // (0-indexed). The result is guaranteed to be non-null if i < GetLength(),
+  // and the result is guaranteed to be nullptr if i >= GetLength().
+  virtual const Input* GetDER(size_t i) const = 0;
+
+ protected:
+  DERArray() {}
+  virtual ~DERArray() {}
+};
+
+// Applications control the behavior of path building and verification by
+// implementing the TrustDomain interface. The TrustDomain is used for all
+// cryptography and for determining which certificates are trusted or
+// distrusted.
+class TrustDomain {
+ public:
+  virtual ~TrustDomain() {}
+
+  // Determine the level of trust in the given certificate for the given role.
+  // This will be called for every certificate encountered during path
+  // building.
+  //
+  // When policy.IsAnyPolicy(), then no policy-related checking should be done.
+  // When !policy.IsAnyPolicy(), then GetCertTrust MUST NOT return with
+  // trustLevel == TrustAnchor unless the given cert is considered a trust
+  // anchor *for that policy*. In particular, if the user has marked an
+  // intermediate certificate as trusted, but that intermediate isn't in the
+  // list of EV roots, then GetCertTrust must result in
+  // trustLevel == InheritsTrust instead of trustLevel == TrustAnchor
+  // (assuming the candidate cert is not actively distrusted).
+  virtual Result GetCertTrust(EndEntityOrCA endEntityOrCA,
+                              const CertPolicyId& policy,
+                              Input candidateCertDER,
+                              /*out*/ TrustLevel& trustLevel) = 0;
+
+  class IssuerChecker {
+   public:
+    // potentialIssuerDER is the complete DER encoding of the certificate to
+    // be checked as a potential issuer.
+    //
+    // If additionalNameConstraints is not nullptr then it must point to an
+    // encoded NameConstraints extension value; in that case, those name
+    // constraints will be checked in addition to any any name constraints
+    // contained in potentialIssuerDER.
+    virtual Result Check(Input potentialIssuerDER,
+                         /*optional*/ const Input* additionalNameConstraints,
+                         /*out*/ bool& keepGoing) = 0;
+
+   protected:
+    IssuerChecker();
+    virtual ~IssuerChecker();
+
+    IssuerChecker(const IssuerChecker&) = delete;
+    void operator=(const IssuerChecker&) = delete;
+  };
+
+  // Search for a CA certificate with the given name. The implementation must
+  // call checker.Check with the DER encoding of the potential issuer
+  // certificate. The implementation must follow these rules:
+  //
+  // * The implementation must be reentrant and must limit the amount of stack
+  //   space it uses; see the note on reentrancy and stack usage below.
+  // * When checker.Check does not return Success then immediately return its
+  //   return value.
+  // * When checker.Check returns Success and sets keepGoing = false, then
+  //   immediately return Success.
+  // * When checker.Check returns Success and sets keepGoing = true, then
+  //   call checker.Check again with a different potential issuer certificate,
+  //   if any more are available.
+  // * When no more potential issuer certificates are available, return
+  //   Success.
+  // * Don't call checker.Check with the same potential issuer certificate more
+  //   than once in a given call of FindIssuer.
+  // * The given time parameter may be used to filter out certificates that are
+  //   not valid at the given time, or it may be ignored.
+  //
+  // Note on reentrancy and stack usage: checker.Check will attempt to
+  // recursively build a certificate path from the potential issuer it is given
+  // to a trusted root, as determined by this TrustDomain. That means that
+  // checker.Check may call any/all of the methods on this TrustDomain. In
+  // particular, there will be call stacks that look like this:
+  //
+  //    BuildCertChain
+  //      [...]
+  //        TrustDomain::FindIssuer
+  //          [...]
+  //            IssuerChecker::Check
+  //              [...]
+  //                TrustDomain::FindIssuer
+  //                  [...]
+  //                    IssuerChecker::Check
+  //                      [...]
+  //
+  // checker.Check is responsible for limiting the recursion to a reasonable
+  // limit.
+  //
+  // checker.Check will verify that the subject's issuer field matches the
+  // potential issuer's subject field. It will also check that the potential
+  // issuer is valid at the given time. However, if the FindIssuer
+  // implementation has an efficient way of filtering potential issuers by name
+  // and/or validity period itself, then it is probably better for performance
+  // for it to do so.
+  virtual Result FindIssuer(Input encodedIssuerName, IssuerChecker& checker,
+                            Time time) = 0;
+
+  // Called as soon as we think we have a valid chain but before revocation
+  // checks are done. This function can be used to compute additional checks,
+  // especially checks that require the entire certificate chain. This callback
+  // can also be used to save a copy of the built certificate chain for later
+  // use.
+  //
+  // This function may be called multiple times, regardless of whether it
+  // returns success or failure. It is guaranteed that BuildCertChain will not
+  // return Success unless the last call to IsChainValid returns Success.
+  // Further,
+  // it is guaranteed that when BuildCertChain returns Success the last chain
+  // passed to IsChainValid is the valid chain that should be used for further
+  // operations that require the whole chain.
+  //
+  // Keep in mind, in particular, that if the application saves a copy of the
+  // certificate chain the last invocation of IsChainValid during a validation,
+  // it is still possible for BuildCertChain to fail, in which case the
+  // application must not assume anything about the validity of the last
+  // certificate chain passed to IsChainValid; especially, it would be very
+  // wrong to assume that the certificate chain is valid.
+  //
+  // certChain.GetDER(0) is the trust anchor.
+  virtual Result IsChainValid(const DERArray& certChain, Time time,
+                              const CertPolicyId& requiredPolicy) = 0;
+
+  virtual Result CheckRevocation(EndEntityOrCA endEntityOrCA,
+                                 const CertID& certID, Time time,
+                                 Duration validityDuration,
+                                 /*optional*/ const Input* stapledOCSPresponse,
+                                 /*optional*/ const Input* aiaExtension) = 0;
+
+  // Check that the given digest algorithm is acceptable for use in signatures.
+  //
+  // Return Success if the algorithm is acceptable,
+  // Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED if the algorithm is not
+  // acceptable, or another error code if another error occurred.
+  virtual Result CheckSignatureDigestAlgorithm(DigestAlgorithm digestAlg,
+                                               EndEntityOrCA endEntityOrCA,
+                                               Time notBefore) = 0;
+
+  // Check that the RSA public key size is acceptable.
+  //
+  // Return Success if the key size is acceptable,
+  // Result::ERROR_INADEQUATE_KEY_SIZE if the key size is not acceptable,
+  // or another error code if another error occurred.
+  virtual Result CheckRSAPublicKeyModulusSizeInBits(
+      EndEntityOrCA endEntityOrCA, unsigned int modulusSizeInBits) = 0;
+
+  // Verify the given RSA PKCS#1.5 signature on the given digest using the
+  // given RSA public key.
+  //
+  // CheckRSAPublicKeyModulusSizeInBits will be called before calling this
+  // function, so it is not necessary to repeat those checks here. However,
+  // VerifyRSAPKCS1SignedDigest *is* responsible for doing the mathematical
+  // verification of the public key validity as specified in NIST SP 800-56A.
+  virtual Result VerifyRSAPKCS1SignedDigest(const SignedDigest& signedDigest,
+                                            Input subjectPublicKeyInfo) = 0;
+
+  // Check that the given named ECC curve is acceptable for ECDSA signatures.
+  //
+  // Return Success if the curve is acceptable,
+  // Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE if the curve is not acceptable,
+  // or another error code if another error occurred.
+  virtual Result CheckECDSACurveIsAcceptable(EndEntityOrCA endEntityOrCA,
+                                             NamedCurve curve) = 0;
+
+  // Verify the given ECDSA signature on the given digest using the given ECC
+  // public key.
+  //
+  // CheckECDSACurveIsAcceptable will be called before calling this function,
+  // so it is not necessary to repeat that check here. However,
+  // VerifyECDSASignedDigest *is* responsible for doing the mathematical
+  // verification of the public key validity as specified in NIST SP 800-56A.
+  virtual Result VerifyECDSASignedDigest(const SignedDigest& signedDigest,
+                                         Input subjectPublicKeyInfo) = 0;
+
+  // Check that the validity duration is acceptable.
+  //
+  // Return Success if the validity duration is acceptable,
+  // Result::ERROR_VALIDITY_TOO_LONG if the validity duration is not acceptable,
+  // or another error code if another error occurred.
+  virtual Result CheckValidityIsAcceptable(Time notBefore, Time notAfter,
+                                           EndEntityOrCA endEntityOrCA,
+                                           KeyPurposeId keyPurpose) = 0;
+
+  // For compatibility, a CA certificate with an extended key usage that
+  // contains the id-Netscape-stepUp OID but does not contain the
+  // id-kp-serverAuth OID may be considered valid for issuing server auth
+  // certificates. This function allows TrustDomain implementations to control
+  // this setting based on the start of the validity period of the certificate
+  // in question.
+  virtual Result NetscapeStepUpMatchesServerAuth(Time notBefore,
+                                                 /*out*/ bool& matches) = 0;
+
+  // Some certificate or OCSP response extensions do not directly participate
+  // in the verification flow, but might still be of interest to the clients
+  // (notably Certificate Transparency data, RFC 6962). Such extensions are
+  // extracted and passed to this function for further processing.
+  virtual void NoteAuxiliaryExtension(AuxiliaryExtension extension,
+                                      Input extensionData) = 0;
+
+  // Compute a digest of the data in item using the given digest algorithm.
+  //
+  // item contains the data to hash.
+  // digestBuf points to a buffer to where the digest will be written.
+  // digestBufLen will be the size of the digest output (20 for SHA-1,
+  // 32 for SHA-256, etc.).
+  //
+  // TODO: Taking the output buffer as (uint8_t*, size_t) is counter to our
+  // other, extensive, memory safety efforts in mozilla::pkix, and we should
+  // find a way to provide a more-obviously-safe interface.
+  virtual Result DigestBuf(Input item, DigestAlgorithm digestAlg,
+                           /*out*/ uint8_t* digestBuf, size_t digestBufLen) = 0;
+
+ protected:
+  TrustDomain() {}
+
+  TrustDomain(const TrustDomain&) = delete;
+  void operator=(const TrustDomain&) = delete;
+};
+
+enum class FallBackToSearchWithinSubject { No = 0, Yes = 1 };
+
+// Applications control the behavior of matching presented name information from
+// a certificate against a reference hostname by implementing the
+// NameMatchingPolicy interface. Used in concert with CheckCertHostname.
+class NameMatchingPolicy {
+ public:
+  virtual ~NameMatchingPolicy() {}
+
+  // Given that the certificate in question has a notBefore field with the given
+  // value, should name matching fall back to searching within the subject
+  // common name field?
+  virtual Result FallBackToCommonName(
+      Time notBefore,
+      /*out*/ FallBackToSearchWithinSubject& fallBackToCommonName) = 0;
+
+ protected:
+  NameMatchingPolicy() {}
+
+  NameMatchingPolicy(const NameMatchingPolicy&) = delete;
+  void operator=(const NameMatchingPolicy&) = delete;
+};
+}
+}  // namespace mozilla::pkix
+
+#endif  // mozilla_pkix_pkixtypes_h
diff --git a/security/nss/lib/mozpkix/include/pkix/pkixutil.h b/security/nss/lib/mozpkix/include/pkix/pkixutil.h
new file mode 100644
index 000000000..ca5b5a2d7
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/pkixutil.h
@@ -0,0 +1,265 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_pkixutil_h
+#define mozilla_pkix_pkixutil_h
+
+#include "mozpkix/pkixder.h"
+
+namespace mozilla {
+namespace pkix {
+
+// During path building and verification, we build a linked list of BackCerts
+// from the current cert toward the end-entity certificate. The linked list
+// is used to verify properties that aren't local to the current certificate
+// and/or the direct link between the current certificate and its issuer,
+// such as name constraints.
+//
+// Each BackCert contains pointers to all the given certificate's extensions
+// so that we can parse the extension block once and then process the
+// extensions in an order that may be different than they appear in the cert.
+class BackCert final {
+ public:
+  // certDER and childCert must be valid for the lifetime of BackCert.
+  BackCert(Input aCertDER, EndEntityOrCA aEndEntityOrCA,
+           const BackCert* aChildCert)
+      : der(aCertDER),
+        endEntityOrCA(aEndEntityOrCA),
+        childCert(aChildCert),
+        version(der::Version::Uninitialized) {}
+
+  Result Init();
+
+  const Input GetDER() const { return der; }
+  const der::SignedDataWithSignature& GetSignedData() const {
+    return signedData;
+  }
+
+  der::Version GetVersion() const { return version; }
+  const Input GetSerialNumber() const { return serialNumber; }
+  const Input GetSignature() const { return signature; }
+  const Input GetIssuer() const { return issuer; }
+  // XXX: "validity" is a horrible name for the structure that holds
+  // notBefore & notAfter, but that is the name used in RFC 5280 and we use the
+  // RFC 5280 names for everything.
+  const Input GetValidity() const { return validity; }
+  const Input GetSubject() const { return subject; }
+  const Input GetSubjectPublicKeyInfo() const { return subjectPublicKeyInfo; }
+  const Input* GetAuthorityInfoAccess() const {
+    return MaybeInput(authorityInfoAccess);
+  }
+  const Input* GetBasicConstraints() const {
+    return MaybeInput(basicConstraints);
+  }
+  const Input* GetCertificatePolicies() const {
+    return MaybeInput(certificatePolicies);
+  }
+  const Input* GetExtKeyUsage() const { return MaybeInput(extKeyUsage); }
+  const Input* GetKeyUsage() const { return MaybeInput(keyUsage); }
+  const Input* GetInhibitAnyPolicy() const {
+    return MaybeInput(inhibitAnyPolicy);
+  }
+  const Input* GetNameConstraints() const {
+    return MaybeInput(nameConstraints);
+  }
+  const Input* GetSubjectAltName() const { return MaybeInput(subjectAltName); }
+  const Input* GetRequiredTLSFeatures() const {
+    return MaybeInput(requiredTLSFeatures);
+  }
+  const Input* GetSignedCertificateTimestamps() const {
+    return MaybeInput(signedCertificateTimestamps);
+  }
+
+ private:
+  const Input der;
+
+ public:
+  const EndEntityOrCA endEntityOrCA;
+  BackCert const* const childCert;
+
+ private:
+  // When parsing certificates in BackCert::Init, we don't accept empty
+  // extensions. Consequently, we don't have to store a distinction between
+  // empty extensions and extensions that weren't included. However, when
+  // *processing* extensions, we distinguish between whether an extension was
+  // included or not based on whetehr the GetXXX function for the extension
+  // returns nullptr.
+  static inline const Input* MaybeInput(const Input& item) {
+    return item.GetLength() > 0 ? &item : nullptr;
+  }
+
+  der::SignedDataWithSignature signedData;
+
+  der::Version version;
+  Input serialNumber;
+  Input signature;
+  Input issuer;
+  // XXX: "validity" is a horrible name for the structure that holds
+  // notBefore & notAfter, but that is the name used in RFC 5280 and we use the
+  // RFC 5280 names for everything.
+  Input validity;
+  Input subject;
+  Input subjectPublicKeyInfo;
+
+  Input authorityInfoAccess;
+  Input basicConstraints;
+  Input certificatePolicies;
+  Input extKeyUsage;
+  Input inhibitAnyPolicy;
+  Input keyUsage;
+  Input nameConstraints;
+  Input subjectAltName;
+  Input criticalNetscapeCertificateType;
+  Input requiredTLSFeatures;
+  Input signedCertificateTimestamps;  // RFC 6962 (Certificate Transparency)
+
+  Result RememberExtension(Reader& extnID, Input extnValue, bool critical,
+                           /*out*/ bool& understood);
+
+  BackCert(const BackCert&) = delete;
+  void operator=(const BackCert&) = delete;
+};
+
+class NonOwningDERArray final : public DERArray {
+ public:
+  NonOwningDERArray() : numItems(0) {
+    // we don't need to initialize the items array because we always check
+    // numItems before accessing i.
+  }
+
+  size_t GetLength() const override { return numItems; }
+
+  const Input* GetDER(size_t i) const override {
+    return i < numItems ? &items[i] : nullptr;
+  }
+
+  Result Append(Input der) {
+    if (numItems >= MAX_LENGTH) {
+      return Result::FATAL_ERROR_INVALID_ARGS;
+    }
+    Result rv = items[numItems].Init(der);  // structure assignment
+    if (rv != Success) {
+      return rv;
+    }
+    ++numItems;
+    return Success;
+  }
+
+  // Public so we can static_assert on this. Keep in sync with MAX_SUBCA_COUNT.
+  static const size_t MAX_LENGTH = 8;
+
+ private:
+  Input items[MAX_LENGTH];  // avoids any heap allocations
+  size_t numItems;
+
+  NonOwningDERArray(const NonOwningDERArray&) = delete;
+  void operator=(const NonOwningDERArray&) = delete;
+};
+
+// Extracts the SignedCertificateTimestampList structure which is encoded as an
+// OCTET STRING within the X.509v3 / OCSP extensions (see RFC 6962 section 3.3).
+Result ExtractSignedCertificateTimestampListFromExtension(Input extnValue,
+                                                          Input& sctList);
+
+inline unsigned int DaysBeforeYear(unsigned int year) {
+  assert(year <= 9999);
+  return ((year - 1u) * 365u) +
+         ((year - 1u) / 4u)       // leap years are every 4 years,
+         - ((year - 1u) / 100u)   // except years divisible by 100,
+         + ((year - 1u) / 400u);  // except years divisible by 400.
+}
+
+static const size_t MAX_DIGEST_SIZE_IN_BYTES = 512 / 8;  // sha-512
+
+Result DigestSignedData(TrustDomain& trustDomain,
+                        const der::SignedDataWithSignature& signedData,
+                        /*out*/ uint8_t (&digestBuf)[MAX_DIGEST_SIZE_IN_BYTES],
+                        /*out*/ der::PublicKeyAlgorithm& publicKeyAlg,
+                        /*out*/ SignedDigest& signedDigest);
+
+Result VerifySignedDigest(TrustDomain& trustDomain,
+                          der::PublicKeyAlgorithm publicKeyAlg,
+                          const SignedDigest& signedDigest,
+                          Input signerSubjectPublicKeyInfo);
+
+// Combines DigestSignedData and VerifySignedDigest
+Result VerifySignedData(TrustDomain& trustDomain,
+                        const der::SignedDataWithSignature& signedData,
+                        Input signerSubjectPublicKeyInfo);
+
+// Extracts the key parameters from |subjectPublicKeyInfo|, invoking
+// the relevant methods of |trustDomain|.
+Result CheckSubjectPublicKeyInfo(Input subjectPublicKeyInfo,
+                                 TrustDomain& trustDomain,
+                                 EndEntityOrCA endEntityOrCA);
+
+// In a switch over an enum, sometimes some compilers are not satisfied that
+// all control flow paths have been considered unless there is a default case.
+// However, in our code, such a default case is almost always unreachable dead
+// code. That can be particularly problematic when the compiler wants the code
+// to choose a value, such as a return value, for the default case, but there's
+// no appropriate "impossible case" value to choose.
+//
+// MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM accounts for this. Example:
+//
+//     // In xy.cpp
+//     #include "xt.h"
+//
+//     enum class XY { X, Y };
+//
+//     int func(XY xy) {
+//       switch (xy) {
+//         case XY::X: return 1;
+//         case XY::Y; return 2;
+//         MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+//       }
+//     }
+#if defined(__clang__)
+// Clang will warn if not all cases are covered (-Wswitch-enum) AND it will
+// warn if a switch statement that covers every enum label has a default case
+// (-W-covered-switch-default). Versions prior to 3.5 warned about unreachable
+// code in such default cases (-Wunreachable-code) even when
+// -W-covered-switch-default was disabled, but that changed in Clang 3.5.
+#define MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM  // empty
+#elif defined(__GNUC__)
+// GCC will warn if not all cases are covered (-Wswitch-enum). It does not
+// assume that the default case is unreachable.
+#define MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM \
+  default:                                    \
+    assert(false);                            \
+    __builtin_unreachable();
+#elif defined(_MSC_VER)
+// MSVC will warn if not all cases are covered (C4061, level 4). It does not
+// assume that the default case is unreachable.
+#define MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM \
+  default:                                    \
+    assert(false);                            \
+    __assume(0);
+#else
+#error Unsupported compiler for MOZILLA_PKIX_UNREACHABLE_DEFAULT.
+#endif
+}
+}  // namespace mozilla::pkix
+
+#endif  // mozilla_pkix_pkixutil_h
diff --git a/security/nss/lib/mozpkix/lib/pkixbuild.cpp b/security/nss/lib/mozpkix/lib/pkixbuild.cpp
new file mode 100644
index 000000000..0ac2cb883
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixbuild.cpp
@@ -0,0 +1,418 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/pkix.h"
+
+#include "mozpkix/pkixcheck.h"
+#include "mozpkix/pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+static Result BuildForward(TrustDomain& trustDomain,
+                           const BackCert& subject,
+                           Time time,
+                           KeyUsage requiredKeyUsageIfPresent,
+                           KeyPurposeId requiredEKUIfPresent,
+                           const CertPolicyId& requiredPolicy,
+                           /*optional*/ const Input* stapledOCSPResponse,
+                           unsigned int subCACount,
+                           unsigned int& buildForwardCallBudget);
+
+TrustDomain::IssuerChecker::IssuerChecker() { }
+TrustDomain::IssuerChecker::~IssuerChecker() { }
+
+// The implementation of TrustDomain::IssuerTracker is in a subclass only to
+// hide the implementation from external users.
+class PathBuildingStep final : public TrustDomain::IssuerChecker
+{
+public:
+  PathBuildingStep(TrustDomain& aTrustDomain, const BackCert& aSubject,
+                   Time aTime, KeyPurposeId aRequiredEKUIfPresent,
+                   const CertPolicyId& aRequiredPolicy,
+                   /*optional*/ const Input* aStapledOCSPResponse,
+                   unsigned int aSubCACount, Result aDeferredSubjectError,
+                   unsigned int& aBuildForwardCallBudget)
+    : trustDomain(aTrustDomain)
+    , subject(aSubject)
+    , time(aTime)
+    , requiredEKUIfPresent(aRequiredEKUIfPresent)
+    , requiredPolicy(aRequiredPolicy)
+    , stapledOCSPResponse(aStapledOCSPResponse)
+    , subCACount(aSubCACount)
+    , deferredSubjectError(aDeferredSubjectError)
+    , subjectSignaturePublicKeyAlg(der::PublicKeyAlgorithm::Uninitialized)
+    , result(Result::FATAL_ERROR_LIBRARY_FAILURE)
+    , resultWasSet(false)
+    , buildForwardCallBudget(aBuildForwardCallBudget)
+  {
+  }
+
+  Result Check(Input potentialIssuerDER,
+               /*optional*/ const Input* additionalNameConstraints,
+               /*out*/ bool& keepGoing) override;
+
+  Result CheckResult() const;
+
+private:
+  TrustDomain& trustDomain;
+  const BackCert& subject;
+  const Time time;
+  const KeyPurposeId requiredEKUIfPresent;
+  const CertPolicyId& requiredPolicy;
+  /*optional*/ Input const* const stapledOCSPResponse;
+  const unsigned int subCACount;
+  const Result deferredSubjectError;
+
+  // Initialized lazily.
+  uint8_t subjectSignatureDigestBuf[MAX_DIGEST_SIZE_IN_BYTES];
+  der::PublicKeyAlgorithm subjectSignaturePublicKeyAlg;
+  SignedDigest subjectSignature;
+
+  Result RecordResult(Result currentResult, /*out*/ bool& keepGoing);
+  Result result;
+  bool resultWasSet;
+  unsigned int& buildForwardCallBudget;
+
+  PathBuildingStep(const PathBuildingStep&) = delete;
+  void operator=(const PathBuildingStep&) = delete;
+};
+
+Result
+PathBuildingStep::RecordResult(Result newResult, /*out*/ bool& keepGoing)
+{
+  if (newResult == Result::ERROR_UNTRUSTED_CERT) {
+    newResult = Result::ERROR_UNTRUSTED_ISSUER;
+  } else if (newResult == Result::ERROR_EXPIRED_CERTIFICATE) {
+    newResult = Result::ERROR_EXPIRED_ISSUER_CERTIFICATE;
+  } else if (newResult == Result::ERROR_NOT_YET_VALID_CERTIFICATE) {
+    newResult = Result::ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE;
+  }
+
+  if (resultWasSet) {
+    if (result == Success) {
+      return NotReached("RecordResult called after finding a chain",
+                        Result::FATAL_ERROR_INVALID_STATE);
+    }
+    // If every potential issuer has the same problem (e.g. expired) and/or if
+    // there is only one bad potential issuer, then return a more specific
+    // error. Otherwise, punt on trying to decide which error should be
+    // returned by returning the generic Result::ERROR_UNKNOWN_ISSUER error.
+    if (newResult != Success && newResult != result) {
+      newResult = Result::ERROR_UNKNOWN_ISSUER;
+    }
+  }
+
+  result = newResult;
+  resultWasSet = true;
+  keepGoing = result != Success;
+  return Success;
+}
+
+Result
+PathBuildingStep::CheckResult() const
+{
+  if (!resultWasSet) {
+    return Result::ERROR_UNKNOWN_ISSUER;
+  }
+  return result;
+}
+
+// The code that executes in the inner loop of BuildForward
+Result
+PathBuildingStep::Check(Input potentialIssuerDER,
+           /*optional*/ const Input* additionalNameConstraints,
+                /*out*/ bool& keepGoing)
+{
+  BackCert potentialIssuer(potentialIssuerDER, EndEntityOrCA::MustBeCA,
+                           &subject);
+  Result rv = potentialIssuer.Init();
+  if (rv != Success) {
+    return RecordResult(rv, keepGoing);
+  }
+
+  // Simple TrustDomain::FindIssuers implementations may pass in all possible
+  // CA certificates without any filtering. Because of this, we don't consider
+  // a mismatched name to be an error. Instead, we just pretend that any
+  // certificate without a matching name was never passed to us. In particular,
+  // we treat the case where the TrustDomain only asks us to check CA
+  // certificates with mismatched names as equivalent to the case where the
+  // TrustDomain never called Check() at all.
+  if (!InputsAreEqual(potentialIssuer.GetSubject(), subject.GetIssuer())) {
+    keepGoing = true;
+    return Success;
+  }
+
+  // Loop prevention, done as recommended by RFC4158 Section 5.2
+  // TODO: this doesn't account for subjectAltNames!
+  // TODO(perf): This probably can and should be optimized in some way.
+  for (const BackCert* prev = potentialIssuer.childCert; prev;
+       prev = prev->childCert) {
+    if (InputsAreEqual(potentialIssuer.GetSubjectPublicKeyInfo(),
+                       prev->GetSubjectPublicKeyInfo()) &&
+        InputsAreEqual(potentialIssuer.GetSubject(), prev->GetSubject())) {
+      // XXX: error code
+      return RecordResult(Result::ERROR_UNKNOWN_ISSUER, keepGoing);
+    }
+  }
+
+  if (potentialIssuer.GetNameConstraints()) {
+    rv = CheckNameConstraints(*potentialIssuer.GetNameConstraints(),
+                              subject, requiredEKUIfPresent);
+    if (rv != Success) {
+       return RecordResult(rv, keepGoing);
+    }
+  }
+
+  if (additionalNameConstraints) {
+    rv = CheckNameConstraints(*additionalNameConstraints, subject,
+                              requiredEKUIfPresent);
+    if (rv != Success) {
+       return RecordResult(rv, keepGoing);
+    }
+  }
+
+  rv = CheckTLSFeatures(subject, potentialIssuer);
+  if (rv != Success) {
+    return RecordResult(rv, keepGoing);
+  }
+
+  // If we've ran out of budget, stop searching.
+  if (buildForwardCallBudget == 0) {
+    Result savedRv = RecordResult(Result::ERROR_UNKNOWN_ISSUER, keepGoing);
+    keepGoing = false;
+    return savedRv;
+  }
+  buildForwardCallBudget--;
+
+  // RFC 5280, Section 4.2.1.3: "If the keyUsage extension is present, then the
+  // subject public key MUST NOT be used to verify signatures on certificates
+  // or CRLs unless the corresponding keyCertSign or cRLSign bit is set."
+  rv = BuildForward(trustDomain, potentialIssuer, time, KeyUsage::keyCertSign,
+                    requiredEKUIfPresent, requiredPolicy, nullptr, subCACount,
+                    buildForwardCallBudget);
+  if (rv != Success) {
+    return RecordResult(rv, keepGoing);
+  }
+
+  // Calculate the digest of the subject's signed data if we haven't already
+  // done so. We do this lazily to avoid doing it at all if we backtrack before
+  // getting to this point. We cache the result to avoid recalculating it if we
+  // backtrack after getting to this point.
+  if (subjectSignature.digest.GetLength() == 0) {
+    rv = DigestSignedData(trustDomain, subject.GetSignedData(),
+                          subjectSignatureDigestBuf,
+                          subjectSignaturePublicKeyAlg, subjectSignature);
+    if (rv != Success) {
+      return rv;
+    }
+  }
+
+  rv = VerifySignedDigest(trustDomain, subjectSignaturePublicKeyAlg,
+                          subjectSignature,
+                          potentialIssuer.GetSubjectPublicKeyInfo());
+  if (rv != Success) {
+    return RecordResult(rv, keepGoing);
+  }
+
+  // We avoid doing revocation checking for expired certificates because OCSP
+  // responders are allowed to forget about expired certificates, and many OCSP
+  // responders return an error when asked for the status of an expired
+  // certificate.
+  if (deferredSubjectError != Result::ERROR_EXPIRED_CERTIFICATE) {
+    CertID certID(subject.GetIssuer(), potentialIssuer.GetSubjectPublicKeyInfo(),
+                  subject.GetSerialNumber());
+    Time notBefore(Time::uninitialized);
+    Time notAfter(Time::uninitialized);
+    // This should never fail. If we're here, we've already parsed the validity
+    // and checked that the given time is in the certificate's validity period.
+    rv = ParseValidity(subject.GetValidity(), &notBefore, &notAfter);
+    if (rv != Success) {
+      return rv;
+    }
+    Duration validityDuration(notAfter, notBefore);
+    rv = trustDomain.CheckRevocation(subject.endEntityOrCA, certID, time,
+                                     validityDuration, stapledOCSPResponse,
+                                     subject.GetAuthorityInfoAccess());
+    if (rv != Success) {
+      // Since this is actually a problem with the current subject certificate
+      // (rather than the issuer), it doesn't make sense to keep going; all
+      // paths through this certificate will fail.
+      Result savedRv = RecordResult(rv, keepGoing);
+      keepGoing = false;
+      return savedRv;
+    }
+
+    if (subject.endEntityOrCA == EndEntityOrCA::MustBeEndEntity) {
+      const Input* sctExtension = subject.GetSignedCertificateTimestamps();
+      if (sctExtension) {
+        Input sctList;
+        rv = ExtractSignedCertificateTimestampListFromExtension(*sctExtension,
+                                                                sctList);
+        if (rv != Success) {
+          // Again, the problem is with this certificate, and all paths through
+          // it will fail.
+          Result savedRv = RecordResult(rv, keepGoing);
+          keepGoing = false;
+          return savedRv;
+        }
+        trustDomain.NoteAuxiliaryExtension(AuxiliaryExtension::EmbeddedSCTList,
+                                           sctList);
+      }
+    }
+  }
+
+  return RecordResult(Success, keepGoing);
+}
+
+// Recursively build the path from the given subject certificate to the root.
+//
+// Be very careful about changing the order of checks. The order is significant
+// because it affects which error we return when a certificate or certificate
+// chain has multiple problems. See the error ranking documentation in
+// pkix/pkix.h.
+static Result
+BuildForward(TrustDomain& trustDomain,
+             const BackCert& subject,
+             Time time,
+             KeyUsage requiredKeyUsageIfPresent,
+             KeyPurposeId requiredEKUIfPresent,
+             const CertPolicyId& requiredPolicy,
+             /*optional*/ const Input* stapledOCSPResponse,
+             unsigned int subCACount,
+             unsigned int& buildForwardCallBudget)
+{
+  Result rv;
+
+  TrustLevel trustLevel;
+  // If this is an end-entity and not a trust anchor, we defer reporting
+  // any error found here until after attempting to find a valid chain.
+  // See the explanation of error prioritization in pkix.h.
+  rv = CheckIssuerIndependentProperties(trustDomain, subject, time,
+                                        requiredKeyUsageIfPresent,
+                                        requiredEKUIfPresent, requiredPolicy,
+                                        subCACount, trustLevel);
+  Result deferredEndEntityError = Success;
+  if (rv != Success) {
+    if (subject.endEntityOrCA == EndEntityOrCA::MustBeEndEntity &&
+        trustLevel != TrustLevel::TrustAnchor) {
+      deferredEndEntityError = rv;
+    } else {
+      return rv;
+    }
+  }
+
+  if (trustLevel == TrustLevel::TrustAnchor) {
+    // End of the recursion.
+
+    NonOwningDERArray chain;
+    for (const BackCert* cert = &subject; cert; cert = cert->childCert) {
+      rv = chain.Append(cert->GetDER());
+      if (rv != Success) {
+        return NotReached("NonOwningDERArray::SetItem failed.", rv);
+      }
+    }
+
+    // This must be done here, after the chain is built but before any
+    // revocation checks have been done.
+    return trustDomain.IsChainValid(chain, time, requiredPolicy);
+  }
+
+  if (subject.endEntityOrCA == EndEntityOrCA::MustBeCA) {
+    // Avoid stack overflows and poor performance by limiting cert chain
+    // length.
+    static const unsigned int MAX_SUBCA_COUNT = 6;
+    static_assert(1/*end-entity*/ + MAX_SUBCA_COUNT + 1/*root*/ ==
+                  NonOwningDERArray::MAX_LENGTH,
+                  "MAX_SUBCA_COUNT and NonOwningDERArray::MAX_LENGTH mismatch.");
+    if (subCACount >= MAX_SUBCA_COUNT) {
+      return Result::ERROR_UNKNOWN_ISSUER;
+    }
+    ++subCACount;
+  } else {
+    assert(subCACount == 0);
+  }
+
+  // Find a trusted issuer.
+
+  PathBuildingStep pathBuilder(trustDomain, subject, time,
+                               requiredEKUIfPresent, requiredPolicy,
+                               stapledOCSPResponse, subCACount,
+                               deferredEndEntityError, buildForwardCallBudget);
+
+  // TODO(bug 965136): Add SKI/AKI matching optimizations
+  rv = trustDomain.FindIssuer(subject.GetIssuer(), pathBuilder, time);
+  if (rv != Success) {
+    return rv;
+  }
+
+  rv = pathBuilder.CheckResult();
+  if (rv != Success) {
+    return rv;
+  }
+
+  // If we found a valid chain but deferred reporting an error with the
+  // end-entity certificate, report it now.
+  if (deferredEndEntityError != Success) {
+    return deferredEndEntityError;
+  }
+
+  // We've built a valid chain from the subject cert up to a trusted root.
+  return Success;
+}
+
+Result
+BuildCertChain(TrustDomain& trustDomain, Input certDER,
+               Time time, EndEntityOrCA endEntityOrCA,
+               KeyUsage requiredKeyUsageIfPresent,
+               KeyPurposeId requiredEKUIfPresent,
+               const CertPolicyId& requiredPolicy,
+               /*optional*/ const Input* stapledOCSPResponse)
+{
+  // XXX: Support the legacy use of the subject CN field for indicating the
+  // domain name the certificate is valid for.
+  BackCert cert(certDER, endEntityOrCA, nullptr);
+  Result rv = cert.Init();
+  if (rv != Success) {
+    return rv;
+  }
+
+  // See bug 1056341 for context. If mozilla::pkix is being used in an
+  // environment where there are many certificates that all have the same
+  // distinguished name as their subject and issuer (but different SPKIs - see
+  // the loop prevention as per RFC4158 Section 5.2 in PathBuildingStep::Check),
+  // the space to search becomes exponential. Because it would be prohibitively
+  // expensive to explore the entire space, we introduce a budget here that,
+  // when exhausted, terminates the search with the result
+  // Result::ERROR_UNKNOWN_ISSUER. Essentially, we limit the total number of
+  // times `BuildForward` can be called. The current value appears to be a good
+  // balance between finding a path when one exists (when the space isn't too
+  // large) and timing out quickly enough when the space is too large or there
+  // is no valid path to a trust anchor.
+  unsigned int buildForwardCallBudget = 200000;
+  return BuildForward(trustDomain, cert, time, requiredKeyUsageIfPresent,
+                      requiredEKUIfPresent, requiredPolicy, stapledOCSPResponse,
+                      0/*subCACount*/, buildForwardCallBudget);
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/lib/pkixcert.cpp b/security/nss/lib/mozpkix/lib/pkixcert.cpp
new file mode 100644
index 000000000..a30483738
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixcert.cpp
@@ -0,0 +1,323 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+Result
+BackCert::Init()
+{
+  Result rv;
+
+  // Certificate  ::=  SEQUENCE  {
+  //         tbsCertificate       TBSCertificate,
+  //         signatureAlgorithm   AlgorithmIdentifier,
+  //         signatureValue       BIT STRING  }
+
+  Reader tbsCertificate;
+
+  // The scope of |input| and |certificate| are limited to this block so we
+  // don't accidentally confuse them for tbsCertificate later.
+  {
+    Reader certificate;
+    rv = der::ExpectTagAndGetValueAtEnd(der, der::SEQUENCE, certificate);
+    if (rv != Success) {
+      return rv;
+    }
+    rv = der::SignedData(certificate, tbsCertificate, signedData);
+    if (rv != Success) {
+      return rv;
+    }
+    rv = der::End(certificate);
+    if (rv != Success) {
+      return rv;
+    }
+  }
+
+  // TBSCertificate  ::=  SEQUENCE  {
+  //      version         [0]  EXPLICIT Version DEFAULT v1,
+  //      serialNumber         CertificateSerialNumber,
+  //      signature            AlgorithmIdentifier,
+  //      issuer               Name,
+  //      validity             Validity,
+  //      subject              Name,
+  //      subjectPublicKeyInfo SubjectPublicKeyInfo,
+  //      issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
+  //                           -- If present, version MUST be v2 or v3
+  //      subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
+  //                           -- If present, version MUST be v2 or v3
+  //      extensions      [3]  EXPLICIT Extensions OPTIONAL
+  //                           -- If present, version MUST be v3
+  //      }
+  rv = der::OptionalVersion(tbsCertificate, version);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::CertificateSerialNumber(tbsCertificate, serialNumber);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::ExpectTagAndGetValue(tbsCertificate, der::SEQUENCE, signature);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::ExpectTagAndGetTLV(tbsCertificate, der::SEQUENCE, issuer);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::ExpectTagAndGetValue(tbsCertificate, der::SEQUENCE, validity);
+  if (rv != Success) {
+    return rv;
+  }
+  // TODO(bug XXXXXXX): We rely on the the caller of mozilla::pkix to validate
+  // that the name is syntactically valid, if they care. In Gecko we do this
+  // implicitly by parsing the certificate into a CERTCertificate object.
+  // Instead of relying on the caller to do this, we should do it ourselves.
+  rv = der::ExpectTagAndGetTLV(tbsCertificate, der::SEQUENCE, subject);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::ExpectTagAndGetTLV(tbsCertificate, der::SEQUENCE,
+                               subjectPublicKeyInfo);
+  if (rv != Success) {
+    return rv;
+  }
+
+  static const uint8_t CSC = der::CONTEXT_SPECIFIC | der::CONSTRUCTED;
+
+  // According to RFC 5280, all fields below this line are forbidden for
+  // certificate versions less than v3.  However, for compatibility reasons,
+  // we parse v1/v2 certificates in the same way as v3 certificates.  So if
+  // these fields appear in a v1 certificate, they will be used.
+
+  // Ignore issuerUniqueID if present.
+  if (tbsCertificate.Peek(CSC | 1)) {
+    rv = der::ExpectTagAndSkipValue(tbsCertificate, CSC | 1);
+    if (rv != Success) {
+      return rv;
+    }
+  }
+
+  // Ignore subjectUniqueID if present.
+  if (tbsCertificate.Peek(CSC | 2)) {
+    rv = der::ExpectTagAndSkipValue(tbsCertificate, CSC | 2);
+    if (rv != Success) {
+      return rv;
+    }
+  }
+
+  rv = der::OptionalExtensions(
+         tbsCertificate, CSC | 3,
+         [this](Reader& extnID, const Input& extnValue, bool critical,
+                /*out*/ bool& understood) {
+           return RememberExtension(extnID, extnValue, critical, understood);
+         });
+  if (rv != Success) {
+    return rv;
+  }
+
+  // The Netscape Certificate Type extension is an obsolete
+  // Netscape-proprietary mechanism that we ignore in favor of the standard
+  // extensions. However, some CAs have issued certificates with the Netscape
+  // Cert Type extension marked critical. Thus, for compatibility reasons, we
+  // "understand" this extension by ignoring it when it is not critical, and
+  // by ensuring that the equivalent standardized extensions are present when
+  // it is marked critical, based on the assumption that the information in
+  // the Netscape Cert Type extension is consistent with the information in
+  // the standard extensions.
+  //
+  // Here is a mapping between the Netscape Cert Type extension and the
+  // standard extensions:
+  //
+  // Netscape Cert Type  |  BasicConstraints.cA  |  Extended Key Usage
+  // --------------------+-----------------------+----------------------
+  // SSL Server          |  false                |  id_kp_serverAuth
+  // SSL Client          |  false                |  id_kp_clientAuth
+  // S/MIME Client       |  false                |  id_kp_emailProtection
+  // Object Signing      |  false                |  id_kp_codeSigning
+  // SSL Server CA       |  true                 |  id_kp_serverAuth
+  // SSL Client CA       |  true                 |  id_kp_clientAuth
+  // S/MIME CA           |  true                 |  id_kp_emailProtection
+  // Object Signing CA   |  true                 |  id_kp_codeSigning
+  if (criticalNetscapeCertificateType.GetLength() > 0 &&
+      (basicConstraints.GetLength() == 0 || extKeyUsage.GetLength() == 0)) {
+    return Result::ERROR_UNKNOWN_CRITICAL_EXTENSION;
+  }
+
+  return der::End(tbsCertificate);
+}
+
+Result
+BackCert::RememberExtension(Reader& extnID, Input extnValue,
+                            bool critical, /*out*/ bool& understood)
+{
+  understood = false;
+
+  // python DottedOIDToCode.py id-ce-keyUsage 2.5.29.15
+  static const uint8_t id_ce_keyUsage[] = {
+    0x55, 0x1d, 0x0f
+  };
+  // python DottedOIDToCode.py id-ce-subjectAltName 2.5.29.17
+  static const uint8_t id_ce_subjectAltName[] = {
+    0x55, 0x1d, 0x11
+  };
+  // python DottedOIDToCode.py id-ce-basicConstraints 2.5.29.19
+  static const uint8_t id_ce_basicConstraints[] = {
+    0x55, 0x1d, 0x13
+  };
+  // python DottedOIDToCode.py id-ce-nameConstraints 2.5.29.30
+  static const uint8_t id_ce_nameConstraints[] = {
+    0x55, 0x1d, 0x1e
+  };
+  // python DottedOIDToCode.py id-ce-certificatePolicies 2.5.29.32
+  static const uint8_t id_ce_certificatePolicies[] = {
+    0x55, 0x1d, 0x20
+  };
+  // python DottedOIDToCode.py id-ce-policyConstraints 2.5.29.36
+  static const uint8_t id_ce_policyConstraints[] = {
+    0x55, 0x1d, 0x24
+  };
+  // python DottedOIDToCode.py id-ce-extKeyUsage 2.5.29.37
+  static const uint8_t id_ce_extKeyUsage[] = {
+    0x55, 0x1d, 0x25
+  };
+  // python DottedOIDToCode.py id-ce-inhibitAnyPolicy 2.5.29.54
+  static const uint8_t id_ce_inhibitAnyPolicy[] = {
+    0x55, 0x1d, 0x36
+  };
+  // python DottedOIDToCode.py id-pe-authorityInfoAccess 1.3.6.1.5.5.7.1.1
+  static const uint8_t id_pe_authorityInfoAccess[] = {
+    0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01
+  };
+  // python DottedOIDToCode.py id-pkix-ocsp-nocheck 1.3.6.1.5.5.7.48.1.5
+  static const uint8_t id_pkix_ocsp_nocheck[] = {
+    0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x05
+  };
+  // python DottedOIDToCode.py Netscape-certificate-type 2.16.840.1.113730.1.1
+  static const uint8_t Netscape_certificate_type[] = {
+    0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x01
+  };
+  // python DottedOIDToCode.py id-pe-tlsfeature 1.3.6.1.5.5.7.1.24
+  static const uint8_t id_pe_tlsfeature[] = {
+    0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x18
+  };
+  // python DottedOIDToCode.py id-embeddedSctList 1.3.6.1.4.1.11129.2.4.2
+  // See Section 3.3 of RFC 6962.
+  static const uint8_t id_embeddedSctList[] = {
+    0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x02
+  };
+
+  Input* out = nullptr;
+
+  // We already enforce the maximum possible constraints for policies so we
+  // can safely ignore even critical policy constraint extensions.
+  //
+  // XXX: Doing it this way won't allow us to detect duplicate
+  // policyConstraints extensions, but that's OK because (and only because) we
+  // ignore the extension.
+  Input dummyPolicyConstraints;
+
+  // We don't need to save the contents of this extension if it is present. We
+  // just need to handle its presence (it is essentially ignored right now).
+  Input dummyOCSPNocheck;
+
+  // For compatibility reasons, for some extensions we have to allow empty
+  // extension values. This would normally interfere with our duplicate
+  // extension checking code. However, as long as the extensions we allow to
+  // have empty values are also the ones we implicitly allow duplicates of,
+  // this will work fine.
+  bool emptyValueAllowed = false;
+
+  // RFC says "Conforming CAs MUST mark this extension as non-critical" for
+  // both authorityKeyIdentifier and subjectKeyIdentifier, and we do not use
+  // them for anything, so we totally ignore them here.
+
+  if (extnID.MatchRest(id_ce_keyUsage)) {
+    out = &keyUsage;
+  } else if (extnID.MatchRest(id_ce_subjectAltName)) {
+    out = &subjectAltName;
+  } else if (extnID.MatchRest(id_ce_basicConstraints)) {
+    out = &basicConstraints;
+  } else if (extnID.MatchRest(id_ce_nameConstraints)) {
+    out = &nameConstraints;
+  } else if (extnID.MatchRest(id_ce_certificatePolicies)) {
+    out = &certificatePolicies;
+  } else if (extnID.MatchRest(id_ce_policyConstraints)) {
+    out = &dummyPolicyConstraints;
+  } else if (extnID.MatchRest(id_ce_extKeyUsage)) {
+    out = &extKeyUsage;
+  } else if (extnID.MatchRest(id_ce_inhibitAnyPolicy)) {
+    out = &inhibitAnyPolicy;
+  } else if (extnID.MatchRest(id_pe_authorityInfoAccess)) {
+    out = &authorityInfoAccess;
+  } else if (extnID.MatchRest(id_pe_tlsfeature)) {
+    out = &requiredTLSFeatures;
+  } else if (extnID.MatchRest(id_embeddedSctList)) {
+    out = &signedCertificateTimestamps;
+  } else if (extnID.MatchRest(id_pkix_ocsp_nocheck) && critical) {
+    // We need to make sure we don't reject delegated OCSP response signing
+    // certificates that contain the id-pkix-ocsp-nocheck extension marked as
+    // critical when validating OCSP responses. Without this, an application
+    // that implements soft-fail OCSP might ignore a valid Revoked or Unknown
+    // response, and an application that implements hard-fail OCSP might fail
+    // to connect to a server given a valid Good response.
+    out = &dummyOCSPNocheck;
+    // We allow this extension to have an empty value.
+    // See http://comments.gmane.org/gmane.ietf.x509/30947
+    emptyValueAllowed = true;
+  } else if (extnID.MatchRest(Netscape_certificate_type) && critical) {
+    out = &criticalNetscapeCertificateType;
+  }
+
+  if (out) {
+    // Don't allow an empty value for any extension we understand. This way, we
+    // can test out->GetLength() != 0 or out->Init() to check for duplicates.
+    if (extnValue.GetLength() == 0 && !emptyValueAllowed) {
+      return Result::ERROR_EXTENSION_VALUE_INVALID;
+    }
+    if (out->Init(extnValue) != Success) {
+      // Duplicate extension
+      return Result::ERROR_EXTENSION_VALUE_INVALID;
+    }
+    understood = true;
+  }
+
+  return Success;
+}
+
+Result
+ExtractSignedCertificateTimestampListFromExtension(Input extnValue,
+                                                   Input& sctList)
+{
+  Reader decodedValue;
+  Result rv = der::ExpectTagAndGetValueAtEnd(extnValue, der::OCTET_STRING,
+                                             decodedValue);
+  if (rv != Success) {
+    return rv;
+  }
+  return decodedValue.SkipToEnd(sctList);
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/lib/pkixcheck.cpp b/security/nss/lib/mozpkix/lib/pkixcheck.cpp
new file mode 100644
index 000000000..317db01e2
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixcheck.cpp
@@ -0,0 +1,1100 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/pkixcheck.h"
+
+#include "mozpkix/pkixder.h"
+#include "mozpkix/pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+// 4.1.1.2 signatureAlgorithm
+// 4.1.2.3 signature
+
+Result
+CheckSignatureAlgorithm(TrustDomain& trustDomain,
+                        EndEntityOrCA endEntityOrCA,
+                        Time notBefore,
+                        const der::SignedDataWithSignature& signedData,
+                        Input signatureValue)
+{
+  // 4.1.1.2. signatureAlgorithm
+  der::PublicKeyAlgorithm publicKeyAlg;
+  DigestAlgorithm digestAlg;
+  Reader signatureAlgorithmReader(signedData.algorithm);
+  Result rv = der::SignatureAlgorithmIdentifierValue(signatureAlgorithmReader,
+                                                     publicKeyAlg, digestAlg);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::End(signatureAlgorithmReader);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // 4.1.2.3. Signature
+  der::PublicKeyAlgorithm signedPublicKeyAlg;
+  DigestAlgorithm signedDigestAlg;
+  Reader signedSignatureAlgorithmReader(signatureValue);
+  rv = der::SignatureAlgorithmIdentifierValue(signedSignatureAlgorithmReader,
+                                              signedPublicKeyAlg,
+                                              signedDigestAlg);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::End(signedSignatureAlgorithmReader);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // "This field MUST contain the same algorithm identifier as the
+  // signatureAlgorithm field in the sequence Certificate." However, it may
+  // be encoded differently. In particular, one of the fields may have a NULL
+  // parameter while the other one may omit the parameter field altogether, and
+  // these are considered equivalent. Some certificates generation software
+  // actually generates certificates like that, so we compare the parsed values
+  // instead of comparing the encoded values byte-for-byte.
+  //
+  // Along the same lines, we accept two different OIDs for RSA-with-SHA1, and
+  // we consider those OIDs to be equivalent here.
+  if (publicKeyAlg != signedPublicKeyAlg || digestAlg != signedDigestAlg) {
+    return Result::ERROR_SIGNATURE_ALGORITHM_MISMATCH;
+  }
+
+  // During the time of the deprecation of SHA-1 and the deprecation of RSA
+  // keys of less than 2048 bits, we will encounter many certs signed using
+  // SHA-1 and/or too-small RSA keys. With this in mind, we ask the trust
+  // domain early on if it knows it will reject the signature purely based on
+  // the digest algorithm and/or the RSA key size (if an RSA signature). This
+  // is a good optimization because it completely avoids calling
+  // trustDomain.FindIssuers (which may be slow) for such rejected certs, and
+  // more generally it short-circuits any path building with them (which, of
+  // course, is even slower).
+
+  rv = trustDomain.CheckSignatureDigestAlgorithm(digestAlg, endEntityOrCA,
+                                                 notBefore);
+  if (rv != Success) {
+    return rv;
+  }
+
+  switch (publicKeyAlg) {
+    case der::PublicKeyAlgorithm::RSA_PKCS1:
+    {
+      // The RSA computation may give a result that requires fewer bytes to
+      // encode than the public key (since it is modular arithmetic). However,
+      // the last step of generating a PKCS#1.5 signature is the I2OSP
+      // procedure, which pads any such shorter result with zeros so that it
+      // is exactly the same length as the public key.
+      unsigned int signatureSizeInBits = signedData.signature.GetLength() * 8u;
+      return trustDomain.CheckRSAPublicKeyModulusSizeInBits(
+               endEntityOrCA, signatureSizeInBits);
+    }
+
+    case der::PublicKeyAlgorithm::ECDSA:
+      // In theory, we could implement a similar early-pruning optimization for
+      // ECDSA curves. However, since there has been no similar deprecation for
+      // for any curve that we support, the chances of us encountering a curve
+      // during path building is too low to be worth bothering with.
+      break;
+    case der::PublicKeyAlgorithm::Uninitialized:
+    {
+      assert(false);
+      return Result::FATAL_ERROR_LIBRARY_FAILURE;
+    }
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+
+  return Success;
+}
+
+// 4.1.2.4 Issuer
+
+Result
+CheckIssuer(Input encodedIssuer)
+{
+  // "The issuer field MUST contain a non-empty distinguished name (DN)."
+  Reader issuer(encodedIssuer);
+  Input encodedRDNs;
+  ExpectTagAndGetValue(issuer, der::SEQUENCE, encodedRDNs);
+  Reader rdns(encodedRDNs);
+  // Check that the issuer name contains at least one RDN
+  // (Note: this does not check related grammar rules, such as there being one
+  // or more AVAs in each RDN, or the values in AVAs not being empty strings)
+  if (rdns.AtEnd()) {
+    return Result::ERROR_EMPTY_ISSUER_NAME;
+  }
+  return Success;
+}
+
+// 4.1.2.5 Validity
+
+Result
+ParseValidity(Input encodedValidity,
+              /*optional out*/ Time* notBeforeOut,
+              /*optional out*/ Time* notAfterOut)
+{
+  Reader validity(encodedValidity);
+  Time notBefore(Time::uninitialized);
+  if (der::TimeChoice(validity, notBefore) != Success) {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+
+  Time notAfter(Time::uninitialized);
+  if (der::TimeChoice(validity, notAfter) != Success) {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+
+  if (der::End(validity) != Success) {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+
+  if (notBefore > notAfter) {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+
+  if (notBeforeOut) {
+    *notBeforeOut = notBefore;
+  }
+  if (notAfterOut) {
+    *notAfterOut = notAfter;
+  }
+
+  return Success;
+}
+
+Result
+CheckValidity(Time time, Time notBefore, Time notAfter)
+{
+  if (time < notBefore) {
+    return Result::ERROR_NOT_YET_VALID_CERTIFICATE;
+  }
+
+  if (time > notAfter) {
+    return Result::ERROR_EXPIRED_CERTIFICATE;
+  }
+
+  return Success;
+}
+
+// 4.1.2.7 Subject Public Key Info
+
+Result
+CheckSubjectPublicKeyInfoContents(Reader& input, TrustDomain& trustDomain,
+                                  EndEntityOrCA endEntityOrCA)
+{
+  // Here, we validate the syntax and do very basic semantic validation of the
+  // public key of the certificate. The intention here is to filter out the
+  // types of bad inputs that are most likely to trigger non-mathematical
+  // security vulnerabilities in the TrustDomain, like buffer overflows or the
+  // use of unsafe elliptic curves.
+  //
+  // We don't check (all of) the mathematical properties of the public key here
+  // because it is more efficient for the TrustDomain to do it during signature
+  // verification and/or other use of the public key. In particular, we
+  // delegate the arithmetic validation of the public key, as specified in
+  // NIST SP800-56A section 5.6.2, to the TrustDomain, at least for now.
+
+  Reader algorithm;
+  Input subjectPublicKey;
+  Result rv = der::ExpectTagAndGetValue(input, der::SEQUENCE, algorithm);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::BitStringWithNoUnusedBits(input, subjectPublicKey);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::End(input);
+  if (rv != Success) {
+    return rv;
+  }
+
+  Reader subjectPublicKeyReader(subjectPublicKey);
+
+  Reader algorithmOID;
+  rv = der::ExpectTagAndGetValue(algorithm, der::OIDTag, algorithmOID);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // RFC 3279 Section 2.3.1
+  // python DottedOIDToCode.py rsaEncryption 1.2.840.113549.1.1.1
+  static const uint8_t rsaEncryption[] = {
+    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01
+  };
+
+  // RFC 3279 Section 2.3.5 and RFC 5480 Section 2.1.1
+  // python DottedOIDToCode.py id-ecPublicKey 1.2.840.10045.2.1
+  static const uint8_t id_ecPublicKey[] = {
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01
+  };
+
+  if (algorithmOID.MatchRest(id_ecPublicKey)) {
+    // An id-ecPublicKey AlgorithmIdentifier has a parameter that identifes
+    // the curve being used. Although RFC 5480 specifies multiple forms, we
+    // only supported the NamedCurve form, where the curve is identified by an
+    // OID.
+
+    Reader namedCurveOIDValue;
+    rv = der::ExpectTagAndGetValue(algorithm, der::OIDTag,
+                                   namedCurveOIDValue);
+    if (rv != Success) {
+      return rv;
+    }
+
+    // RFC 5480
+    // python DottedOIDToCode.py secp256r1 1.2.840.10045.3.1.7
+    static const uint8_t secp256r1[] = {
+      0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
+    };
+
+    // RFC 5480
+    // python DottedOIDToCode.py secp384r1 1.3.132.0.34
+    static const uint8_t secp384r1[] = {
+      0x2b, 0x81, 0x04, 0x00, 0x22
+    };
+
+    // RFC 5480
+    // python DottedOIDToCode.py secp521r1 1.3.132.0.35
+    static const uint8_t secp521r1[] = {
+      0x2b, 0x81, 0x04, 0x00, 0x23
+    };
+
+    // Matching is attempted based on a rough estimate of the commonality of the
+    // elliptic curve, to minimize the number of MatchRest calls.
+    NamedCurve curve;
+    unsigned int bits;
+    if (namedCurveOIDValue.MatchRest(secp256r1)) {
+      curve = NamedCurve::secp256r1;
+      bits = 256;
+    } else if (namedCurveOIDValue.MatchRest(secp384r1)) {
+      curve = NamedCurve::secp384r1;
+      bits = 384;
+    } else if (namedCurveOIDValue.MatchRest(secp521r1)) {
+      curve = NamedCurve::secp521r1;
+      bits = 521;
+    } else {
+      return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
+    }
+
+    rv = trustDomain.CheckECDSACurveIsAcceptable(endEntityOrCA, curve);
+    if (rv != Success) {
+      return rv;
+    }
+
+    // RFC 5480 Section 2.2 says that the first octet will be 0x04 to indicate
+    // an uncompressed point, which is the only encoding we support.
+    uint8_t compressedOrUncompressed;
+    rv = subjectPublicKeyReader.Read(compressedOrUncompressed);
+    if (rv != Success) {
+      return rv;
+    }
+    if (compressedOrUncompressed != 0x04) {
+      return Result::ERROR_UNSUPPORTED_EC_POINT_FORM;
+    }
+
+    // The point is encoded as two raw (not DER-encoded) integers, each padded
+    // to the bit length (rounded up to the nearest byte).
+    Input point;
+    rv = subjectPublicKeyReader.SkipToEnd(point);
+    if (rv != Success) {
+      return rv;
+    }
+    if (point.GetLength() != ((bits + 7) / 8u) * 2u) {
+      return Result::ERROR_BAD_DER;
+    }
+
+    // XXX: We defer the mathematical verification of the validity of the point
+    // until signature verification. This means that if we never verify a
+    // signature, we'll never fully check whether the public key is valid.
+  } else if (algorithmOID.MatchRest(rsaEncryption)) {
+    // RFC 3279 Section 2.3.1 says "The parameters field MUST have ASN.1 type
+    // NULL for this algorithm identifier."
+    rv = der::ExpectTagAndEmptyValue(algorithm, der::NULLTag);
+    if (rv != Success) {
+      return rv;
+    }
+
+    // RSAPublicKey :: = SEQUENCE{
+    //    modulus            INTEGER,    --n
+    //    publicExponent     INTEGER  }  --e
+    rv = der::Nested(subjectPublicKeyReader, der::SEQUENCE,
+                     [&trustDomain, endEntityOrCA](Reader& r) {
+      Input modulus;
+      Input::size_type modulusSignificantBytes;
+      Result nestedRv =
+        der::PositiveInteger(r, modulus, &modulusSignificantBytes);
+      if (nestedRv != Success) {
+        return nestedRv;
+      }
+      // XXX: Should we do additional checks of the modulus?
+      nestedRv = trustDomain.CheckRSAPublicKeyModulusSizeInBits(
+        endEntityOrCA, modulusSignificantBytes * 8u);
+      if (nestedRv != Success) {
+        return nestedRv;
+      }
+
+      // XXX: We don't allow the TrustDomain to validate the exponent.
+      // XXX: We don't do our own sanity checking of the exponent.
+      Input exponent;
+      return der::PositiveInteger(r, exponent);
+    });
+    if (rv != Success) {
+      return rv;
+    }
+  } else {
+    return Result::ERROR_UNSUPPORTED_KEYALG;
+  }
+
+  rv = der::End(algorithm);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::End(subjectPublicKeyReader);
+  if (rv != Success) {
+    return rv;
+  }
+
+  return Success;
+}
+
+Result
+CheckSubjectPublicKeyInfo(Input subjectPublicKeyInfo, TrustDomain& trustDomain,
+                          EndEntityOrCA endEntityOrCA)
+{
+  Reader spkiReader(subjectPublicKeyInfo);
+  Result rv = der::Nested(spkiReader, der::SEQUENCE, [&](Reader& r) {
+    return CheckSubjectPublicKeyInfoContents(r, trustDomain, endEntityOrCA);
+  });
+  if (rv != Success) {
+    return rv;
+  }
+  return der::End(spkiReader);
+}
+
+// 4.2.1.3. Key Usage (id-ce-keyUsage)
+
+// As explained in the comment in CheckKeyUsage, bit 0 is the most significant
+// bit and bit 7 is the least significant bit.
+inline uint8_t KeyUsageToBitMask(KeyUsage keyUsage)
+{
+  assert(keyUsage != KeyUsage::noParticularKeyUsageRequired);
+  return 0x80u >> static_cast<uint8_t>(keyUsage);
+}
+
+Result
+CheckKeyUsage(EndEntityOrCA endEntityOrCA, const Input* encodedKeyUsage,
+              KeyUsage requiredKeyUsageIfPresent)
+{
+  if (!encodedKeyUsage) {
+    // TODO(bug 970196): Reject certificates that are being used to verify
+    // certificate signatures unless the certificate is a trust anchor, to
+    // reduce the chances of an end-entity certificate being abused as a CA
+    // certificate.
+    // if (endEntityOrCA == EndEntityOrCA::MustBeCA && !isTrustAnchor) {
+    //   return Result::ERROR_INADEQUATE_KEY_USAGE;
+    // }
+    //
+    // TODO: Users may configure arbitrary certificates as trust anchors, not
+    // just roots. We should only allow a certificate without a key usage to be
+    // used as a CA when it is self-issued and self-signed.
+    return Success;
+  }
+
+  Reader input(*encodedKeyUsage);
+  Reader value;
+  if (der::ExpectTagAndGetValue(input, der::BIT_STRING, value) != Success) {
+    return Result::ERROR_INADEQUATE_KEY_USAGE;
+  }
+
+  uint8_t numberOfPaddingBits;
+  if (value.Read(numberOfPaddingBits) != Success) {
+    return Result::ERROR_INADEQUATE_KEY_USAGE;
+  }
+  if (numberOfPaddingBits > 7) {
+    return Result::ERROR_INADEQUATE_KEY_USAGE;
+  }
+
+  uint8_t bits;
+  if (value.Read(bits) != Success) {
+    // Reject empty bit masks.
+    return Result::ERROR_INADEQUATE_KEY_USAGE;
+  }
+
+  // The most significant bit is numbered 0 (digitalSignature) and the least
+  // significant bit is numbered 7 (encipherOnly), and the padding is in the
+  // least significant bits of the last byte. The numbering of bits in a byte
+  // is backwards from how we usually interpret them.
+  //
+  // For example, let's say bits is encoded in one byte with of value 0xB0 and
+  // numberOfPaddingBits == 4. Then, bits is 10110000 in binary:
+  //
+  //      bit 0  bit 3
+  //          |  |
+  //          v  v
+  //          10110000
+  //              ^^^^
+  //               |
+  //               4 padding bits
+  //
+  // Since bits is the last byte, we have to consider the padding by ensuring
+  // that the least significant 4 bits are all zero, since DER rules require
+  // all padding bits to be zero. Then we have to look at the bit N bits to the
+  // right of the most significant bit, where N is a value from the KeyUsage
+  // enumeration.
+  //
+  // Let's say we're interested in the keyCertSign (5) bit. We'd need to look
+  // at bit 5, which is zero, so keyCertSign is not asserted. (Since we check
+  // that the padding is all zeros, it is OK to read from the padding bits.)
+  //
+  // Let's say we're interested in the digitalSignature (0) bit. We'd need to
+  // look at the bit 0 (the most significant bit), which is set, so that means
+  // digitalSignature is asserted. Similarly, keyEncipherment (2) and
+  // dataEncipherment (3) are asserted.
+  //
+  // Note that since the KeyUsage enumeration is limited to values 0-7, we
+  // only ever need to examine the first byte test for
+  // requiredKeyUsageIfPresent.
+
+  if (requiredKeyUsageIfPresent != KeyUsage::noParticularKeyUsageRequired) {
+    // Check that the required key usage bit is set.
+    if ((bits & KeyUsageToBitMask(requiredKeyUsageIfPresent)) == 0) {
+      return Result::ERROR_INADEQUATE_KEY_USAGE;
+    }
+  }
+
+  // RFC 5280 says "The keyCertSign bit is asserted when the subject public
+  // key is used for verifying signatures on public key certificates. If the
+  // keyCertSign bit is asserted, then the cA bit in the basic constraints
+  // extension (Section 4.2.1.9) MUST also be asserted."
+  // However, we allow end-entity certificates (i.e. certificates without
+  // basicConstraints.cA set to TRUE) to claim keyCertSign for compatibility
+  // reasons. This does not compromise security because we only allow
+  // certificates with basicConstraints.cA set to TRUE to act as CAs.
+  if (requiredKeyUsageIfPresent == KeyUsage::keyCertSign &&
+      endEntityOrCA != EndEntityOrCA::MustBeCA) {
+    return Result::ERROR_INADEQUATE_KEY_USAGE;
+  }
+
+  // The padding applies to the last byte, so skip to the last byte.
+  while (!value.AtEnd()) {
+    if (value.Read(bits) != Success) {
+      return Result::ERROR_INADEQUATE_KEY_USAGE;
+    }
+  }
+
+  // All of the padding bits must be zero, according to DER rules.
+  uint8_t paddingMask = static_cast<uint8_t>((1 << numberOfPaddingBits) - 1);
+  if ((bits & paddingMask) != 0) {
+    return Result::ERROR_INADEQUATE_KEY_USAGE;
+  }
+
+  return Success;
+}
+
+// RFC5820 4.2.1.4. Certificate Policies
+
+// "The user-initial-policy-set contains the special value any-policy if the
+// user is not concerned about certificate policy."
+//
+// python DottedOIDToCode.py anyPolicy 2.5.29.32.0
+
+static const uint8_t anyPolicy[] = {
+  0x55, 0x1d, 0x20, 0x00
+};
+
+/*static*/ const CertPolicyId CertPolicyId::anyPolicy = {
+  4, { 0x55, 0x1d, 0x20, 0x00 }
+};
+
+bool
+CertPolicyId::IsAnyPolicy() const {
+  if (this == &CertPolicyId::anyPolicy) {
+    return true;
+  }
+  return numBytes == sizeof(::mozilla::pkix::anyPolicy) &&
+         std::equal(bytes, bytes + numBytes, ::mozilla::pkix::anyPolicy);
+}
+
+bool
+CertPolicyId::operator==(const CertPolicyId& other) const
+{
+  return numBytes == other.numBytes &&
+         std::equal(bytes, bytes + numBytes, other.bytes);
+}
+
+// certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+Result
+CheckCertificatePolicies(EndEntityOrCA endEntityOrCA,
+                         const Input* encodedCertificatePolicies,
+                         const Input* encodedInhibitAnyPolicy,
+                         TrustLevel trustLevel,
+                         const CertPolicyId& requiredPolicy)
+{
+  if (requiredPolicy.numBytes == 0 ||
+      requiredPolicy.numBytes > sizeof requiredPolicy.bytes) {
+    return Result::FATAL_ERROR_INVALID_ARGS;
+  }
+
+  bool requiredPolicyFound = requiredPolicy.IsAnyPolicy();
+  if (requiredPolicyFound) {
+    return Success;
+  }
+
+  // Bug 989051. Until we handle inhibitAnyPolicy we will fail close when
+  // inhibitAnyPolicy extension is present and we are validating for a policy.
+  if (!requiredPolicyFound && encodedInhibitAnyPolicy) {
+    return Result::ERROR_POLICY_VALIDATION_FAILED;
+  }
+
+  // The root CA certificate may omit the policies that it has been
+  // trusted for, so we cannot require the policies to be present in those
+  // certificates. Instead, the determination of which roots are trusted for
+  // which policies is made by the TrustDomain's GetCertTrust method.
+  if (trustLevel == TrustLevel::TrustAnchor &&
+      endEntityOrCA == EndEntityOrCA::MustBeCA) {
+    requiredPolicyFound = true;
+  }
+
+  Input requiredPolicyDER;
+  if (requiredPolicyDER.Init(requiredPolicy.bytes, requiredPolicy.numBytes)
+        != Success) {
+    return Result::FATAL_ERROR_INVALID_ARGS;
+  }
+
+  if (encodedCertificatePolicies) {
+    Reader extension(*encodedCertificatePolicies);
+    Reader certificatePolicies;
+    Result rv = der::ExpectTagAndGetValue(extension, der::SEQUENCE,
+                                          certificatePolicies);
+    if (rv != Success) {
+      return Result::ERROR_POLICY_VALIDATION_FAILED;
+    }
+    if (!extension.AtEnd()) {
+      return Result::ERROR_POLICY_VALIDATION_FAILED;
+    }
+
+    do {
+      // PolicyInformation ::= SEQUENCE {
+      //         policyIdentifier   CertPolicyId,
+      //         policyQualifiers   SEQUENCE SIZE (1..MAX) OF
+      //                                 PolicyQualifierInfo OPTIONAL }
+      Reader policyInformation;
+      rv = der::ExpectTagAndGetValue(certificatePolicies, der::SEQUENCE,
+                                     policyInformation);
+      if (rv != Success) {
+        return Result::ERROR_POLICY_VALIDATION_FAILED;
+      }
+
+      Reader policyIdentifier;
+      rv = der::ExpectTagAndGetValue(policyInformation, der::OIDTag,
+                                     policyIdentifier);
+      if (rv != Success) {
+        return rv;
+      }
+
+      if (policyIdentifier.MatchRest(requiredPolicyDER)) {
+        requiredPolicyFound = true;
+      } else if (endEntityOrCA == EndEntityOrCA::MustBeCA &&
+                 policyIdentifier.MatchRest(anyPolicy)) {
+        requiredPolicyFound = true;
+      }
+
+      // RFC 5280 Section 4.2.1.4 says "Optional qualifiers, which MAY be
+      // present, are not expected to change the definition of the policy." Also,
+      // it seems that Section 6, which defines validation, does not require any
+      // matching of qualifiers. Thus, doing anything with the policy qualifiers
+      // would be a waste of time and a source of potential incompatibilities, so
+      // we just ignore them.
+    } while (!requiredPolicyFound && !certificatePolicies.AtEnd());
+  }
+
+  if (!requiredPolicyFound) {
+    return Result::ERROR_POLICY_VALIDATION_FAILED;
+  }
+
+  return Success;
+}
+
+static const long UNLIMITED_PATH_LEN = -1; // must be less than zero
+
+//  BasicConstraints ::= SEQUENCE {
+//          cA                      BOOLEAN DEFAULT FALSE,
+//          pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
+
+// RFC5280 4.2.1.9. Basic Constraints (id-ce-basicConstraints)
+Result
+CheckBasicConstraints(EndEntityOrCA endEntityOrCA,
+                      const Input* encodedBasicConstraints,
+                      const der::Version version, TrustLevel trustLevel,
+                      unsigned int subCACount)
+{
+  bool isCA = false;
+  long pathLenConstraint = UNLIMITED_PATH_LEN;
+
+  if (encodedBasicConstraints) {
+    Reader input(*encodedBasicConstraints);
+    Result rv = der::Nested(input, der::SEQUENCE,
+                            [&isCA, &pathLenConstraint](Reader& r) {
+      Result nestedRv = der::OptionalBoolean(r, isCA);
+      if (nestedRv != Success) {
+        return nestedRv;
+      }
+      // TODO(bug 985025): If isCA is false, pathLenConstraint
+      // MUST NOT be included (as per RFC 5280 section
+      // 4.2.1.9), but for compatibility reasons, we don't
+      // check this.
+      return der::OptionalInteger(r, UNLIMITED_PATH_LEN, pathLenConstraint);
+    });
+    if (rv != Success) {
+      return Result::ERROR_EXTENSION_VALUE_INVALID;
+    }
+    if (der::End(input) != Success) {
+      return Result::ERROR_EXTENSION_VALUE_INVALID;
+    }
+  } else {
+    // "If the basic constraints extension is not present in a version 3
+    //  certificate, or the extension is present but the cA boolean is not
+    //  asserted, then the certified public key MUST NOT be used to verify
+    //  certificate signatures."
+    //
+    // For compatibility, we must accept v1 trust anchors without basic
+    // constraints as CAs.
+    //
+    // There are devices with v1 certificates that are unlikely to be trust
+    // anchors. In order to allow applications to treat this case differently
+    // from other basic constraints violations (e.g. allowing certificate error
+    // overrides for only this case), we return a different error code.
+    //
+    // TODO: add check for self-signedness?
+    if (endEntityOrCA == EndEntityOrCA::MustBeCA && version == der::Version::v1) {
+      if (trustLevel == TrustLevel::TrustAnchor) {
+        isCA = true;
+      } else {
+        return Result::ERROR_V1_CERT_USED_AS_CA;
+      }
+    }
+  }
+
+  if (endEntityOrCA == EndEntityOrCA::MustBeEndEntity) {
+    // CA certificates are not trusted as EE certs.
+
+    if (isCA) {
+      // Note that this check prevents a delegated OCSP response signing
+      // certificate with the CA bit from successfully validating when we check
+      // it from pkixocsp.cpp, which is a good thing.
+      return Result::ERROR_CA_CERT_USED_AS_END_ENTITY;
+    }
+
+    return Success;
+  }
+
+  assert(endEntityOrCA == EndEntityOrCA::MustBeCA);
+
+  // End-entity certificates are not allowed to act as CA certs.
+  if (!isCA) {
+    return Result::ERROR_CA_CERT_INVALID;
+  }
+
+  if (pathLenConstraint >= 0 &&
+      static_cast<long>(subCACount) > pathLenConstraint) {
+    return Result::ERROR_PATH_LEN_CONSTRAINT_INVALID;
+  }
+
+  return Success;
+}
+
+// 4.2.1.12. Extended Key Usage (id-ce-extKeyUsage)
+
+static Result
+MatchEKU(Reader& value, KeyPurposeId requiredEKU,
+         EndEntityOrCA endEntityOrCA, TrustDomain& trustDomain,
+         Time notBefore, /*in/out*/ bool& found,
+         /*in/out*/ bool& foundOCSPSigning)
+{
+  // See Section 5.9 of "A Layman's Guide to a Subset of ASN.1, BER, and DER"
+  // for a description of ASN.1 DER encoding of OIDs.
+
+  // id-pkix  OBJECT IDENTIFIER  ::=
+  //            { iso(1) identified-organization(3) dod(6) internet(1)
+  //                    security(5) mechanisms(5) pkix(7) }
+  // id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
+  // id-kp-serverAuth      OBJECT IDENTIFIER ::= { id-kp 1 }
+  // id-kp-clientAuth      OBJECT IDENTIFIER ::= { id-kp 2 }
+  // id-kp-codeSigning     OBJECT IDENTIFIER ::= { id-kp 3 }
+  // id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
+  // id-kp-OCSPSigning     OBJECT IDENTIFIER ::= { id-kp 9 }
+  static const uint8_t server[] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 1 };
+  static const uint8_t client[] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 2 };
+  static const uint8_t code  [] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 3 };
+  static const uint8_t email [] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 4 };
+  static const uint8_t ocsp  [] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 9 };
+
+  // id-Netscape        OBJECT IDENTIFIER ::= { 2 16 840 1 113730 }
+  // id-Netscape-policy OBJECT IDENTIFIER ::= { id-Netscape 4 }
+  // id-Netscape-stepUp OBJECT IDENTIFIER ::= { id-Netscape-policy 1 }
+  static const uint8_t serverStepUp[] =
+    { (40*2)+16, 128+6,72, 1, 128+6,128+120,66, 4, 1 };
+
+  bool match = false;
+
+  if (!found) {
+    switch (requiredEKU) {
+      case KeyPurposeId::id_kp_serverAuth: {
+        if (value.MatchRest(server)) {
+          match = true;
+          break;
+        }
+        // Potentially treat CA certs with step-up OID as also having SSL server
+        // type. Comodo has issued certificates that require this behavior that
+        // don't expire until June 2020!
+        if (endEntityOrCA == EndEntityOrCA::MustBeCA &&
+            value.MatchRest(serverStepUp)) {
+          Result rv = trustDomain.NetscapeStepUpMatchesServerAuth(notBefore,
+                                                                  match);
+          if (rv != Success) {
+            return rv;
+          }
+        }
+        break;
+      }
+
+      case KeyPurposeId::id_kp_clientAuth:
+        match = value.MatchRest(client);
+        break;
+
+      case KeyPurposeId::id_kp_codeSigning:
+        match = value.MatchRest(code);
+        break;
+
+      case KeyPurposeId::id_kp_emailProtection:
+        match = value.MatchRest(email);
+        break;
+
+      case KeyPurposeId::id_kp_OCSPSigning:
+        match = value.MatchRest(ocsp);
+        break;
+
+      case KeyPurposeId::anyExtendedKeyUsage:
+        return NotReached("anyExtendedKeyUsage should start with found==true",
+                          Result::FATAL_ERROR_LIBRARY_FAILURE);
+    }
+  }
+
+  if (match) {
+    found = true;
+    if (requiredEKU == KeyPurposeId::id_kp_OCSPSigning) {
+      foundOCSPSigning = true;
+    }
+  } else if (value.MatchRest(ocsp)) {
+    foundOCSPSigning = true;
+  }
+
+  value.SkipToEnd(); // ignore unmatched OIDs.
+
+  return Success;
+}
+
+Result
+CheckExtendedKeyUsage(EndEntityOrCA endEntityOrCA,
+                      const Input* encodedExtendedKeyUsage,
+                      KeyPurposeId requiredEKU, TrustDomain& trustDomain,
+                      Time notBefore)
+{
+  // XXX: We're using Result::ERROR_INADEQUATE_CERT_TYPE here so that callers
+  // can distinguish EKU mismatch from KU mismatch from basic constraints
+  // mismatch. We should probably add a new error code that is more clear for
+  // this type of problem.
+
+  bool foundOCSPSigning = false;
+
+  if (encodedExtendedKeyUsage) {
+    bool found = requiredEKU == KeyPurposeId::anyExtendedKeyUsage;
+
+    Reader input(*encodedExtendedKeyUsage);
+    Result rv = der::NestedOf(input, der::SEQUENCE, der::OIDTag,
+                              der::EmptyAllowed::No, [&](Reader& r) {
+      return MatchEKU(r, requiredEKU, endEntityOrCA, trustDomain, notBefore,
+                      found, foundOCSPSigning);
+    });
+    if (rv != Success) {
+      return Result::ERROR_INADEQUATE_CERT_TYPE;
+    }
+    if (der::End(input) != Success) {
+      return Result::ERROR_INADEQUATE_CERT_TYPE;
+    }
+
+    // If the EKU extension was included, then the required EKU must be in the
+    // list.
+    if (!found) {
+      return Result::ERROR_INADEQUATE_CERT_TYPE;
+    }
+  }
+
+  // pkixocsp.cpp depends on the following additional checks.
+
+  if (endEntityOrCA == EndEntityOrCA::MustBeEndEntity) {
+    // When validating anything other than an delegated OCSP signing cert,
+    // reject any cert that also claims to be an OCSP responder, because such
+    // a cert does not make sense. For example, if an SSL certificate were to
+    // assert id-kp-OCSPSigning then it could sign OCSP responses for itself,
+    // if not for this check.
+    // That said, we accept CA certificates with id-kp-OCSPSigning because
+    // some CAs in Mozilla's CA program have issued such intermediate
+    // certificates, and because some CAs have reported some Microsoft server
+    // software wrongly requires CA certificates to have id-kp-OCSPSigning.
+    // Allowing this exception does not cause any security issues because we
+    // require delegated OCSP response signing certificates to be end-entity
+    // certificates.
+    if (foundOCSPSigning && requiredEKU != KeyPurposeId::id_kp_OCSPSigning) {
+      return Result::ERROR_INADEQUATE_CERT_TYPE;
+    }
+    // http://tools.ietf.org/html/rfc6960#section-4.2.2.2:
+    // "OCSP signing delegation SHALL be designated by the inclusion of
+    // id-kp-OCSPSigning in an extended key usage certificate extension
+    // included in the OCSP response signer's certificate."
+    //
+    // id-kp-OCSPSigning is the only EKU that isn't implicitly assumed when the
+    // EKU extension is missing from an end-entity certificate. However, any CA
+    // certificate can issue a delegated OCSP response signing certificate, so
+    // we can't require the EKU be explicitly included for CA certificates.
+    if (!foundOCSPSigning && requiredEKU == KeyPurposeId::id_kp_OCSPSigning) {
+      return Result::ERROR_INADEQUATE_CERT_TYPE;
+    }
+  }
+
+  return Success;
+}
+
+Result
+CheckTLSFeatures(const BackCert& subject, BackCert& potentialIssuer)
+{
+  const Input* issuerTLSFeatures = potentialIssuer.GetRequiredTLSFeatures();
+  if (!issuerTLSFeatures) {
+    return Success;
+  }
+
+  const Input* subjectTLSFeatures = subject.GetRequiredTLSFeatures();
+  if (issuerTLSFeatures->GetLength() == 0 ||
+      !subjectTLSFeatures ||
+      !InputsAreEqual(*issuerTLSFeatures, *subjectTLSFeatures)) {
+    return Result::ERROR_REQUIRED_TLS_FEATURE_MISSING;
+  }
+
+  return Success;
+}
+
+Result
+TLSFeaturesSatisfiedInternal(const Input* requiredTLSFeatures,
+                             const Input* stapledOCSPResponse)
+{
+  if (!requiredTLSFeatures) {
+    return Success;
+  }
+
+  // RFC 6066 10.2: ExtensionType status_request
+  const static uint8_t status_request = 5;
+  const static uint8_t status_request_bytes[] = { status_request };
+
+  Reader input(*requiredTLSFeatures);
+  return der::NestedOf(input, der::SEQUENCE, der::INTEGER,
+                       der::EmptyAllowed::No, [&](Reader& r) {
+    if (!r.MatchRest(status_request_bytes)) {
+      return Result::ERROR_REQUIRED_TLS_FEATURE_MISSING;
+    }
+
+    if (!stapledOCSPResponse) {
+      return Result::ERROR_REQUIRED_TLS_FEATURE_MISSING;
+    }
+
+    return Result::Success;
+  });
+}
+
+Result
+CheckTLSFeaturesAreSatisfied(Input& cert,
+                             const Input* stapledOCSPResponse)
+{
+  BackCert backCert(cert, EndEntityOrCA::MustBeEndEntity, nullptr);
+  Result rv = backCert.Init();
+  if (rv != Success) {
+    return rv;
+  }
+
+  return TLSFeaturesSatisfiedInternal(backCert.GetRequiredTLSFeatures(),
+                                      stapledOCSPResponse);
+}
+
+Result
+CheckIssuerIndependentProperties(TrustDomain& trustDomain,
+                                 const BackCert& cert,
+                                 Time time,
+                                 KeyUsage requiredKeyUsageIfPresent,
+                                 KeyPurposeId requiredEKUIfPresent,
+                                 const CertPolicyId& requiredPolicy,
+                                 unsigned int subCACount,
+                                 /*out*/ TrustLevel& trustLevel)
+{
+  Result rv;
+
+  const EndEntityOrCA endEntityOrCA = cert.endEntityOrCA;
+
+  // Check the cert's trust first, because we want to minimize the amount of
+  // processing we do on a distrusted cert, in case it is trying to exploit
+  // some bug in our processing.
+  rv = trustDomain.GetCertTrust(endEntityOrCA, requiredPolicy, cert.GetDER(),
+                                trustLevel);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // IMPORTANT: We parse the validity interval here, so that we can use the
+  // notBefore and notAfter values in checks for things that might be deprecated
+  // over time. However, we must not fail for semantic errors until the end of
+  // this method, in order to preserve error ranking.
+  Time notBefore(Time::uninitialized);
+  Time notAfter(Time::uninitialized);
+  rv = ParseValidity(cert.GetValidity(), &notBefore, &notAfter);
+  if (rv != Success) {
+    return rv;
+  }
+
+  if (trustLevel == TrustLevel::TrustAnchor &&
+      endEntityOrCA == EndEntityOrCA::MustBeEndEntity &&
+      requiredEKUIfPresent == KeyPurposeId::id_kp_OCSPSigning) {
+    // OCSP signer certificates can never be trust anchors, especially
+    // since we don't support designated OCSP responders. All of the checks
+    // below that are dependent on trustLevel rely on this overriding of the
+    // trust level for OCSP signers.
+    trustLevel = TrustLevel::InheritsTrust;
+  }
+
+  switch (trustLevel) {
+    case TrustLevel::InheritsTrust:
+      rv = CheckSignatureAlgorithm(trustDomain, endEntityOrCA, notBefore,
+                                   cert.GetSignedData(), cert.GetSignature());
+      if (rv != Success) {
+        return rv;
+      }
+      break;
+
+    case TrustLevel::TrustAnchor:
+      // We don't even bother checking signatureAlgorithm or signature for
+      // syntactic validity for trust anchors, because we don't use those
+      // fields for anything, and because the trust anchor might be signed
+      // with a signature algorithm we don't actually support.
+      break;
+
+    case TrustLevel::ActivelyDistrusted:
+      return Result::ERROR_UNTRUSTED_CERT;
+  }
+
+  // Check the SPKI early, because it is one of the most selective properties
+  // of the certificate due to SHA-1 deprecation and the deprecation of
+  // certificates with keys weaker than RSA 2048.
+  rv = CheckSubjectPublicKeyInfo(cert.GetSubjectPublicKeyInfo(), trustDomain,
+                                 endEntityOrCA);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // 4.1.2.4. Issuer
+  rv = CheckIssuer(cert.GetIssuer());
+  if (rv != Success) {
+    return rv;
+  }
+
+  // 4.2.1.1. Authority Key Identifier is ignored (see bug 965136).
+
+  // 4.2.1.2. Subject Key Identifier is ignored (see bug 965136).
+
+  // 4.2.1.3. Key Usage
+  rv = CheckKeyUsage(endEntityOrCA, cert.GetKeyUsage(),
+                     requiredKeyUsageIfPresent);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // 4.2.1.4. Certificate Policies
+  rv = CheckCertificatePolicies(endEntityOrCA, cert.GetCertificatePolicies(),
+                                cert.GetInhibitAnyPolicy(), trustLevel,
+                                requiredPolicy);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // 4.2.1.5. Policy Mappings are not supported; see the documentation about
+  //          policy enforcement in pkix.h.
+
+  // 4.2.1.6. Subject Alternative Name dealt with during name constraint
+  //          checking and during name verification (CERT_VerifyCertName).
+
+  // 4.2.1.7. Issuer Alternative Name is not something that needs checking.
+
+  // 4.2.1.8. Subject Directory Attributes is not something that needs
+  //          checking.
+
+  // 4.2.1.9. Basic Constraints.
+  rv = CheckBasicConstraints(endEntityOrCA, cert.GetBasicConstraints(),
+                             cert.GetVersion(), trustLevel, subCACount);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // 4.2.1.10. Name Constraints is dealt with in during path building.
+
+  // 4.2.1.11. Policy Constraints are implicitly supported; see the
+  //           documentation about policy enforcement in pkix.h.
+
+  // 4.2.1.12. Extended Key Usage
+  rv = CheckExtendedKeyUsage(endEntityOrCA, cert.GetExtKeyUsage(),
+                             requiredEKUIfPresent, trustDomain, notBefore);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // 4.2.1.13. CRL Distribution Points is not supported, though the
+  //           TrustDomain's CheckRevocation method may parse it and process it
+  //           on its own.
+
+  // 4.2.1.14. Inhibit anyPolicy is implicitly supported; see the documentation
+  //           about policy enforcement in pkix.h.
+
+  // IMPORTANT: Even though we parse validity above, we wait until this point to
+  // check it, so that error ranking works correctly.
+  rv = CheckValidity(time, notBefore, notAfter);
+  if (rv != Success) {
+    return rv;
+  }
+
+  rv = trustDomain.CheckValidityIsAcceptable(notBefore, notAfter, endEntityOrCA,
+                                             requiredEKUIfPresent);
+  if (rv != Success) {
+    return rv;
+  }
+
+  return Success;
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/lib/pkixder.cpp b/security/nss/lib/mozpkix/lib/pkixder.cpp
new file mode 100644
index 000000000..152d11a23
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixder.cpp
@@ -0,0 +1,611 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/pkixder.h"
+
+#include "mozpkix/pkixutil.h"
+
+namespace mozilla { namespace pkix { namespace der {
+
+// Too complicated to be inline
+Result
+ReadTagAndGetValue(Reader& input, /*out*/ uint8_t& tag, /*out*/ Input& value)
+{
+  Result rv;
+
+  rv = input.Read(tag);
+  if (rv != Success) {
+    return rv;
+  }
+  if ((tag & 0x1F) == 0x1F) {
+    return Result::ERROR_BAD_DER; // high tag number form not allowed
+  }
+
+  uint16_t length;
+
+  // The short form of length is a single byte with the high order bit set
+  // to zero. The long form of length is one byte with the high order bit
+  // set, followed by N bytes, where N is encoded in the lowest 7 bits of
+  // the first byte.
+  uint8_t length1;
+  rv = input.Read(length1);
+  if (rv != Success) {
+    return rv;
+  }
+  if (!(length1 & 0x80)) {
+    length = length1;
+  } else if (length1 == 0x81) {
+    uint8_t length2;
+    rv = input.Read(length2);
+    if (rv != Success) {
+      return rv;
+    }
+    if (length2 < 128) {
+      // Not shortest possible encoding
+      return Result::ERROR_BAD_DER;
+    }
+    length = length2;
+  } else if (length1 == 0x82) {
+    rv = input.Read(length);
+    if (rv != Success) {
+      return rv;
+    }
+    if (length < 256) {
+      // Not shortest possible encoding
+      return Result::ERROR_BAD_DER;
+    }
+  } else {
+    // We don't support lengths larger than 2^16 - 1.
+    return Result::ERROR_BAD_DER;
+  }
+
+  return input.Skip(length, value);
+}
+
+static Result
+OptionalNull(Reader& input)
+{
+  if (input.Peek(NULLTag)) {
+    return Null(input);
+  }
+  return Success;
+}
+
+namespace {
+
+Result
+AlgorithmIdentifierValue(Reader& input, /*out*/ Reader& algorithmOIDValue)
+{
+  Result rv = ExpectTagAndGetValue(input, der::OIDTag, algorithmOIDValue);
+  if (rv != Success) {
+    return rv;
+  }
+  return OptionalNull(input);
+}
+
+} // namespace
+
+Result
+SignatureAlgorithmIdentifierValue(Reader& input,
+                                 /*out*/ PublicKeyAlgorithm& publicKeyAlgorithm,
+                                 /*out*/ DigestAlgorithm& digestAlgorithm)
+{
+  // RFC 5758 Section 3.2 (ECDSA with SHA-2), and RFC 3279 Section 2.2.3
+  // (ECDSA with SHA-1) say that parameters must be omitted.
+  //
+  // RFC 4055 Section 5 and RFC 3279 Section 2.2.1 both say that parameters for
+  // RSA must be encoded as NULL; we relax that requirement by allowing the
+  // NULL to be omitted, to match all the other signature algorithms we support
+  // and for compatibility.
+  Reader algorithmID;
+  Result rv = AlgorithmIdentifierValue(input, algorithmID);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // RFC 5758 Section 3.2 (ecdsa-with-SHA224 is intentionally excluded)
+  // python DottedOIDToCode.py ecdsa-with-SHA256 1.2.840.10045.4.3.2
+  static const uint8_t ecdsa_with_SHA256[] = {
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02
+  };
+  // python DottedOIDToCode.py ecdsa-with-SHA384 1.2.840.10045.4.3.3
+  static const uint8_t ecdsa_with_SHA384[] = {
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03
+  };
+  // python DottedOIDToCode.py ecdsa-with-SHA512 1.2.840.10045.4.3.4
+  static const uint8_t ecdsa_with_SHA512[] = {
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04
+  };
+
+  // RFC 4055 Section 5 (sha224WithRSAEncryption is intentionally excluded)
+  // python DottedOIDToCode.py sha256WithRSAEncryption 1.2.840.113549.1.1.11
+  static const uint8_t sha256WithRSAEncryption[] = {
+    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b
+  };
+  // python DottedOIDToCode.py sha384WithRSAEncryption 1.2.840.113549.1.1.12
+  static const uint8_t sha384WithRSAEncryption[] = {
+    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0c
+  };
+  // python DottedOIDToCode.py sha512WithRSAEncryption 1.2.840.113549.1.1.13
+  static const uint8_t sha512WithRSAEncryption[] = {
+    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d
+  };
+
+  // RFC 3279 Section 2.2.1
+  // python DottedOIDToCode.py sha-1WithRSAEncryption 1.2.840.113549.1.1.5
+  static const uint8_t sha_1WithRSAEncryption[] = {
+    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05
+  };
+
+  // NIST Open Systems Environment (OSE) Implementor's Workshop (OIW)
+  // http://www.oiw.org/agreements/stable/12s-9412.txt (no longer works).
+  // http://www.imc.org/ietf-pkix/old-archive-97/msg01166.html
+  // We need to support this this non-PKIX OID for compatibility.
+  // python DottedOIDToCode.py sha1WithRSASignature 1.3.14.3.2.29
+  static const uint8_t sha1WithRSASignature[] = {
+    0x2b, 0x0e, 0x03, 0x02, 0x1d
+  };
+
+  // RFC 3279 Section 2.2.3
+  // python DottedOIDToCode.py ecdsa-with-SHA1 1.2.840.10045.4.1
+  static const uint8_t ecdsa_with_SHA1[] = {
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x01
+  };
+
+  // Matching is attempted based on a rough estimate of the commonality of the
+  // algorithm, to minimize the number of MatchRest calls.
+  if (algorithmID.MatchRest(sha256WithRSAEncryption)) {
+    publicKeyAlgorithm = PublicKeyAlgorithm::RSA_PKCS1;
+    digestAlgorithm = DigestAlgorithm::sha256;
+  } else if (algorithmID.MatchRest(ecdsa_with_SHA256)) {
+    publicKeyAlgorithm = PublicKeyAlgorithm::ECDSA;
+    digestAlgorithm = DigestAlgorithm::sha256;
+  } else if (algorithmID.MatchRest(sha_1WithRSAEncryption)) {
+    publicKeyAlgorithm = PublicKeyAlgorithm::RSA_PKCS1;
+    digestAlgorithm = DigestAlgorithm::sha1;
+  } else if (algorithmID.MatchRest(ecdsa_with_SHA1)) {
+    publicKeyAlgorithm = PublicKeyAlgorithm::ECDSA;
+    digestAlgorithm = DigestAlgorithm::sha1;
+  } else if (algorithmID.MatchRest(ecdsa_with_SHA384)) {
+    publicKeyAlgorithm = PublicKeyAlgorithm::ECDSA;
+    digestAlgorithm = DigestAlgorithm::sha384;
+  } else if (algorithmID.MatchRest(ecdsa_with_SHA512)) {
+    publicKeyAlgorithm = PublicKeyAlgorithm::ECDSA;
+    digestAlgorithm = DigestAlgorithm::sha512;
+  } else if (algorithmID.MatchRest(sha384WithRSAEncryption)) {
+    publicKeyAlgorithm = PublicKeyAlgorithm::RSA_PKCS1;
+    digestAlgorithm = DigestAlgorithm::sha384;
+  } else if (algorithmID.MatchRest(sha512WithRSAEncryption)) {
+    publicKeyAlgorithm = PublicKeyAlgorithm::RSA_PKCS1;
+    digestAlgorithm = DigestAlgorithm::sha512;
+  } else if (algorithmID.MatchRest(sha1WithRSASignature)) {
+    // XXX(bug 1042479): recognize this old OID for compatibility.
+    publicKeyAlgorithm = PublicKeyAlgorithm::RSA_PKCS1;
+    digestAlgorithm = DigestAlgorithm::sha1;
+  } else {
+    return Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED;
+  }
+
+  return Success;
+}
+
+Result
+DigestAlgorithmIdentifier(Reader& input, /*out*/ DigestAlgorithm& algorithm)
+{
+  return der::Nested(input, SEQUENCE, [&algorithm](Reader& r) -> Result {
+    Reader algorithmID;
+    Result rv = AlgorithmIdentifierValue(r, algorithmID);
+    if (rv != Success) {
+      return rv;
+    }
+
+    // RFC 4055 Section 2.1
+    // python DottedOIDToCode.py id-sha1 1.3.14.3.2.26
+    static const uint8_t id_sha1[] = {
+      0x2b, 0x0e, 0x03, 0x02, 0x1a
+    };
+    // python DottedOIDToCode.py id-sha256 2.16.840.1.101.3.4.2.1
+    static const uint8_t id_sha256[] = {
+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01
+    };
+    // python DottedOIDToCode.py id-sha384 2.16.840.1.101.3.4.2.2
+    static const uint8_t id_sha384[] = {
+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02
+    };
+    // python DottedOIDToCode.py id-sha512 2.16.840.1.101.3.4.2.3
+    static const uint8_t id_sha512[] = {
+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03
+    };
+
+    // Matching is attempted based on a rough estimate of the commonality of the
+    // algorithm, to minimize the number of MatchRest calls.
+    if (algorithmID.MatchRest(id_sha1)) {
+      algorithm = DigestAlgorithm::sha1;
+    } else if (algorithmID.MatchRest(id_sha256)) {
+      algorithm = DigestAlgorithm::sha256;
+    } else if (algorithmID.MatchRest(id_sha384)) {
+      algorithm = DigestAlgorithm::sha384;
+    } else if (algorithmID.MatchRest(id_sha512)) {
+      algorithm = DigestAlgorithm::sha512;
+    } else {
+      return Result::ERROR_INVALID_ALGORITHM;
+    }
+
+    return Success;
+  });
+}
+
+Result
+SignedData(Reader& input, /*out*/ Reader& tbs,
+           /*out*/ SignedDataWithSignature& signedData)
+{
+  Reader::Mark mark(input.GetMark());
+
+  Result rv;
+  rv = ExpectTagAndGetValue(input, SEQUENCE, tbs);
+  if (rv != Success) {
+    return rv;
+  }
+
+  rv = input.GetInput(mark, signedData.data);
+  if (rv != Success) {
+    return rv;
+  }
+
+  rv = ExpectTagAndGetValue(input, der::SEQUENCE, signedData.algorithm);
+  if (rv != Success) {
+    return rv;
+  }
+
+  rv = BitStringWithNoUnusedBits(input, signedData.signature);
+  if (rv == Result::ERROR_BAD_DER) {
+    rv = Result::ERROR_BAD_SIGNATURE;
+  }
+  return rv;
+}
+
+Result
+BitStringWithNoUnusedBits(Reader& input, /*out*/ Input& value)
+{
+  Reader valueWithUnusedBits;
+  Result rv = ExpectTagAndGetValue(input, BIT_STRING, valueWithUnusedBits);
+  if (rv != Success) {
+    return rv;
+  }
+
+  uint8_t unusedBitsAtEnd;
+  if (valueWithUnusedBits.Read(unusedBitsAtEnd) != Success) {
+    return Result::ERROR_BAD_DER;
+  }
+  // XXX: Really the constraint should be that unusedBitsAtEnd must be less
+  // than 7. But, we suspect there are no real-world values in OCSP responses
+  // or certificates with non-zero unused bits. It seems like NSS assumes this
+  // in various places, so we enforce it too in order to simplify this code. If
+  // we find compatibility issues, we'll know we're wrong and we'll have to
+  // figure out how to shift the bits around.
+  if (unusedBitsAtEnd != 0) {
+    return Result::ERROR_BAD_DER;
+  }
+  return valueWithUnusedBits.SkipToEnd(value);
+}
+
+static inline Result
+ReadDigit(Reader& input, /*out*/ unsigned int& value)
+{
+  uint8_t b;
+  if (input.Read(b) != Success) {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+  if (b < '0' || b > '9') {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+  value = static_cast<unsigned int>(b - static_cast<uint8_t>('0'));
+  return Success;
+}
+
+static inline Result
+ReadTwoDigits(Reader& input, unsigned int minValue, unsigned int maxValue,
+              /*out*/ unsigned int& value)
+{
+  unsigned int hi;
+  Result rv = ReadDigit(input, hi);
+  if (rv != Success) {
+    return rv;
+  }
+  unsigned int lo;
+  rv = ReadDigit(input, lo);
+  if (rv != Success) {
+    return rv;
+  }
+  value = (hi * 10) + lo;
+  if (value < minValue || value > maxValue) {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+  return Success;
+}
+
+namespace internal {
+
+// We parse GeneralizedTime and UTCTime according to RFC 5280 and we do not
+// accept all time formats allowed in the ASN.1 spec. That is,
+// GeneralizedTime must always be in the format YYYYMMDDHHMMSSZ and UTCTime
+// must always be in the format YYMMDDHHMMSSZ. Timezone formats of the form
+// +HH:MM or -HH:MM or NOT accepted.
+Result
+TimeChoice(Reader& tagged, uint8_t expectedTag, /*out*/ Time& time)
+{
+  unsigned int days;
+
+  Reader input;
+  Result rv = ExpectTagAndGetValue(tagged, expectedTag, input);
+  if (rv != Success) {
+    return rv;
+  }
+
+  unsigned int yearHi;
+  unsigned int yearLo;
+  if (expectedTag == GENERALIZED_TIME) {
+    rv = ReadTwoDigits(input, 0, 99, yearHi);
+    if (rv != Success) {
+      return rv;
+    }
+    rv = ReadTwoDigits(input, 0, 99, yearLo);
+    if (rv != Success) {
+      return rv;
+    }
+  } else if (expectedTag == UTCTime) {
+    rv = ReadTwoDigits(input, 0, 99, yearLo);
+    if (rv != Success) {
+      return rv;
+    }
+    yearHi = yearLo >= 50u ? 19u : 20u;
+  } else {
+    return NotReached("invalid tag given to TimeChoice",
+                      Result::ERROR_INVALID_DER_TIME);
+  }
+  unsigned int year = (yearHi * 100u) + yearLo;
+  if (year < 1970u) {
+    // We don't support dates before January 1, 1970 because that is the epoch.
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+  days = DaysBeforeYear(year);
+
+  unsigned int month;
+  rv = ReadTwoDigits(input, 1u, 12u, month);
+  if (rv != Success) {
+    return rv;
+  }
+  unsigned int daysInMonth;
+  static const unsigned int jan = 31u;
+  const unsigned int feb = ((year % 4u == 0u) &&
+                           ((year % 100u != 0u) || (year % 400u == 0u)))
+                         ? 29u
+                         : 28u;
+  static const unsigned int mar = 31u;
+  static const unsigned int apr = 30u;
+  static const unsigned int may = 31u;
+  static const unsigned int jun = 30u;
+  static const unsigned int jul = 31u;
+  static const unsigned int aug = 31u;
+  static const unsigned int sep = 30u;
+  static const unsigned int oct = 31u;
+  static const unsigned int nov = 30u;
+  static const unsigned int dec = 31u;
+  switch (month) {
+    case 1:  daysInMonth = jan; break;
+    case 2:  daysInMonth = feb; days += jan; break;
+    case 3:  daysInMonth = mar; days += jan + feb; break;
+    case 4:  daysInMonth = apr; days += jan + feb + mar; break;
+    case 5:  daysInMonth = may; days += jan + feb + mar + apr; break;
+    case 6:  daysInMonth = jun; days += jan + feb + mar + apr + may; break;
+    case 7:  daysInMonth = jul; days += jan + feb + mar + apr + may + jun;
+             break;
+    case 8:  daysInMonth = aug; days += jan + feb + mar + apr + may + jun +
+                                        jul;
+             break;
+    case 9:  daysInMonth = sep; days += jan + feb + mar + apr + may + jun +
+                                        jul + aug;
+             break;
+    case 10: daysInMonth = oct; days += jan + feb + mar + apr + may + jun +
+                                        jul + aug + sep;
+             break;
+    case 11: daysInMonth = nov; days += jan + feb + mar + apr + may + jun +
+                                        jul + aug + sep + oct;
+             break;
+    case 12: daysInMonth = dec; days += jan + feb + mar + apr + may + jun +
+                                        jul + aug + sep + oct + nov;
+             break;
+    default:
+      return NotReached("month already bounds-checked by ReadTwoDigits",
+                        Result::FATAL_ERROR_INVALID_STATE);
+  }
+
+  unsigned int dayOfMonth;
+  rv = ReadTwoDigits(input, 1u, daysInMonth, dayOfMonth);
+  if (rv != Success) {
+    return rv;
+  }
+  days += dayOfMonth - 1;
+
+  unsigned int hours;
+  rv = ReadTwoDigits(input, 0u, 23u, hours);
+  if (rv != Success) {
+    return rv;
+  }
+  unsigned int minutes;
+  rv = ReadTwoDigits(input, 0u, 59u, minutes);
+  if (rv != Success) {
+    return rv;
+  }
+  unsigned int seconds;
+  rv = ReadTwoDigits(input, 0u, 59u, seconds);
+  if (rv != Success) {
+    return rv;
+  }
+
+  uint8_t b;
+  if (input.Read(b) != Success) {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+  if (b != 'Z') {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+  if (End(input) != Success) {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+
+  uint64_t totalSeconds = (static_cast<uint64_t>(days) * 24u * 60u * 60u) +
+                          (static_cast<uint64_t>(hours)      * 60u * 60u) +
+                          (static_cast<uint64_t>(minutes)          * 60u) +
+                          seconds;
+
+  time = TimeFromElapsedSecondsAD(totalSeconds);
+  return Success;
+}
+
+Result
+IntegralBytes(Reader& input, uint8_t tag,
+              IntegralValueRestriction valueRestriction,
+              /*out*/ Input& value,
+              /*optional out*/ Input::size_type* significantBytes)
+{
+  Result rv = ExpectTagAndGetValue(input, tag, value);
+  if (rv != Success) {
+    return rv;
+  }
+  Reader reader(value);
+
+  // There must be at least one byte in the value. (Zero is encoded with a
+  // single 0x00 value byte.)
+  uint8_t firstByte;
+  rv = reader.Read(firstByte);
+  if (rv != Success) {
+    if (rv == Result::ERROR_BAD_DER) {
+      return Result::ERROR_INVALID_INTEGER_ENCODING;
+    }
+
+    return rv;
+  }
+
+  // If there is a byte after an initial 0x00/0xFF, then the initial byte
+  // indicates a positive/negative integer value with its high bit set/unset.
+  bool prefixed = !reader.AtEnd() && (firstByte == 0 || firstByte == 0xff);
+
+  if (prefixed) {
+    uint8_t nextByte;
+    if (reader.Read(nextByte) != Success) {
+      return NotReached("Read of one byte failed but not at end.",
+                        Result::FATAL_ERROR_LIBRARY_FAILURE);
+    }
+    if ((firstByte & 0x80) == (nextByte & 0x80)) {
+      return Result::ERROR_INVALID_INTEGER_ENCODING;
+    }
+  }
+
+  switch (valueRestriction) {
+    case IntegralValueRestriction::MustBe0To127:
+      if (value.GetLength() != 1 || (firstByte & 0x80) != 0) {
+        return Result::ERROR_INVALID_INTEGER_ENCODING;
+      }
+      break;
+
+    case IntegralValueRestriction::MustBePositive:
+      if ((value.GetLength() == 1 && firstByte == 0) ||
+          (firstByte & 0x80) != 0) {
+        return Result::ERROR_INVALID_INTEGER_ENCODING;
+      }
+      break;
+
+    case IntegralValueRestriction::NoRestriction:
+      break;
+  }
+
+  if (significantBytes) {
+    *significantBytes = value.GetLength();
+    if (prefixed) {
+      assert(*significantBytes > 1);
+      --*significantBytes;
+    }
+
+    assert(*significantBytes > 0);
+  }
+
+  return Success;
+}
+
+// This parser will only parse values between 0..127. If this range is
+// increased then callers will need to be changed.
+Result
+IntegralValue(Reader& input, uint8_t tag, /*out*/ uint8_t& value)
+{
+  // Conveniently, all the Integers that we actually have to be able to parse
+  // are positive and very small. Consequently, this parser is *much* simpler
+  // than a general Integer parser would need to be.
+  Input valueBytes;
+  Result rv = IntegralBytes(input, tag, IntegralValueRestriction::MustBe0To127,
+                            valueBytes, nullptr);
+  if (rv != Success) {
+    return rv;
+  }
+  Reader valueReader(valueBytes);
+  rv = valueReader.Read(value);
+  if (rv != Success) {
+    return NotReached("IntegralBytes already validated the value.", rv);
+  }
+  rv = End(valueReader);
+  assert(rv == Success); // guaranteed by IntegralBytes's range checks.
+  return rv;
+}
+
+} // namespace internal
+
+Result
+OptionalVersion(Reader& input, /*out*/ Version& version)
+{
+  static const uint8_t TAG = CONTEXT_SPECIFIC | CONSTRUCTED | 0;
+  if (!input.Peek(TAG)) {
+    version = Version::v1;
+    return Success;
+  }
+  return Nested(input, TAG, [&version](Reader& value) -> Result {
+    uint8_t integerValue;
+    Result rv = Integer(value, integerValue);
+    if (rv != Success) {
+      return rv;
+    }
+    // XXX(bug 1031093): We shouldn't accept an explicit encoding of v1,
+    // but we do here for compatibility reasons.
+    switch (integerValue) {
+      case static_cast<uint8_t>(Version::v3): version = Version::v3; break;
+      case static_cast<uint8_t>(Version::v2): version = Version::v2; break;
+      case static_cast<uint8_t>(Version::v1): version = Version::v1; break;
+      case static_cast<uint8_t>(Version::v4): version = Version::v4; break;
+      default:
+        return Result::ERROR_BAD_DER;
+    }
+    return Success;
+  });
+}
+
+} } } // namespace mozilla::pkix::der
diff --git a/security/nss/lib/mozpkix/lib/pkixnames.cpp b/security/nss/lib/mozpkix/lib/pkixnames.cpp
new file mode 100644
index 000000000..6f40800d7
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixnames.cpp
@@ -0,0 +1,2050 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// This code implements RFC6125-ish name matching, RFC5280-ish name constraint
+// checking, and related things.
+//
+// In this code, identifiers are classified as either "presented" or
+// "reference" identifiers are defined in
+// http://tools.ietf.org/html/rfc6125#section-1.8. A "presented identifier" is
+// one in the subjectAltName of the certificate, or sometimes within a CN of
+// the certificate's subject. The "reference identifier" is the one we are
+// being asked to match the certificate against. When checking name
+// constraints, the reference identifier is the entire encoded name constraint
+// extension value.
+
+#include <algorithm>
+
+#include "mozpkix/pkixcheck.h"
+#include "mozpkix/pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+namespace {
+
+// GeneralName ::= CHOICE {
+//      otherName                       [0]     OtherName,
+//      rfc822Name                      [1]     IA5String,
+//      dNSName                         [2]     IA5String,
+//      x400Address                     [3]     ORAddress,
+//      directoryName                   [4]     Name,
+//      ediPartyName                    [5]     EDIPartyName,
+//      uniformResourceIdentifier       [6]     IA5String,
+//      iPAddress                       [7]     OCTET STRING,
+//      registeredID                    [8]     OBJECT IDENTIFIER }
+enum class GeneralNameType : uint8_t
+{
+  // Note that these values are NOT contiguous. Some values have the
+  // der::CONSTRUCTED bit set while others do not.
+  // (The der::CONSTRUCTED bit is for types where the value is a SEQUENCE.)
+  otherName = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
+  rfc822Name = der::CONTEXT_SPECIFIC | 1,
+  dNSName = der::CONTEXT_SPECIFIC | 2,
+  x400Address = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 3,
+  directoryName = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 4,
+  ediPartyName = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 5,
+  uniformResourceIdentifier = der::CONTEXT_SPECIFIC | 6,
+  iPAddress = der::CONTEXT_SPECIFIC | 7,
+  registeredID = der::CONTEXT_SPECIFIC | 8,
+  // nameConstraints is a pseudo-GeneralName used to signify that a
+  // reference ID is actually the entire name constraint extension.
+  nameConstraints = 0xff
+};
+
+inline Result
+ReadGeneralName(Reader& reader,
+                /*out*/ GeneralNameType& generalNameType,
+                /*out*/ Input& value)
+{
+  uint8_t tag;
+  Result rv = der::ReadTagAndGetValue(reader, tag, value);
+  if (rv != Success) {
+    return rv;
+  }
+  switch (tag) {
+    case static_cast<uint8_t>(GeneralNameType::otherName):
+      generalNameType = GeneralNameType::otherName;
+      break;
+    case static_cast<uint8_t>(GeneralNameType::rfc822Name):
+      generalNameType = GeneralNameType::rfc822Name;
+      break;
+    case static_cast<uint8_t>(GeneralNameType::dNSName):
+      generalNameType = GeneralNameType::dNSName;
+      break;
+    case static_cast<uint8_t>(GeneralNameType::x400Address):
+      generalNameType = GeneralNameType::x400Address;
+      break;
+    case static_cast<uint8_t>(GeneralNameType::directoryName):
+      generalNameType = GeneralNameType::directoryName;
+      break;
+    case static_cast<uint8_t>(GeneralNameType::ediPartyName):
+      generalNameType = GeneralNameType::ediPartyName;
+      break;
+    case static_cast<uint8_t>(GeneralNameType::uniformResourceIdentifier):
+      generalNameType = GeneralNameType::uniformResourceIdentifier;
+      break;
+    case static_cast<uint8_t>(GeneralNameType::iPAddress):
+      generalNameType = GeneralNameType::iPAddress;
+      break;
+    case static_cast<uint8_t>(GeneralNameType::registeredID):
+      generalNameType = GeneralNameType::registeredID;
+      break;
+    default:
+      return Result::ERROR_BAD_DER;
+  }
+  return Success;
+}
+
+enum class MatchResult
+{
+  NoNamesOfGivenType = 0,
+  Mismatch = 1,
+  Match = 2
+};
+
+Result SearchNames(const Input* subjectAltName, Input subject,
+                   GeneralNameType referenceIDType,
+                   Input referenceID,
+                   FallBackToSearchWithinSubject fallBackToCommonName,
+                   /*out*/ MatchResult& match);
+Result SearchWithinRDN(Reader& rdn,
+                       GeneralNameType referenceIDType,
+                       Input referenceID,
+                       FallBackToSearchWithinSubject fallBackToEmailAddress,
+                       FallBackToSearchWithinSubject fallBackToCommonName,
+                       /*in/out*/ MatchResult& match);
+Result MatchAVA(Input type,
+                uint8_t valueEncodingTag,
+                Input presentedID,
+                GeneralNameType referenceIDType,
+                Input referenceID,
+                FallBackToSearchWithinSubject fallBackToEmailAddress,
+                FallBackToSearchWithinSubject fallBackToCommonName,
+                /*in/out*/ MatchResult& match);
+Result ReadAVA(Reader& rdn,
+               /*out*/ Input& type,
+               /*out*/ uint8_t& valueTag,
+               /*out*/ Input& value);
+void MatchSubjectPresentedIDWithReferenceID(GeneralNameType presentedIDType,
+                                            Input presentedID,
+                                            GeneralNameType referenceIDType,
+                                            Input referenceID,
+                                            /*in/out*/ MatchResult& match);
+
+Result MatchPresentedIDWithReferenceID(GeneralNameType presentedIDType,
+                                       Input presentedID,
+                                       GeneralNameType referenceIDType,
+                                       Input referenceID,
+                                       /*in/out*/ MatchResult& matchResult);
+Result CheckPresentedIDConformsToConstraints(GeneralNameType referenceIDType,
+                                             Input presentedID,
+                                             Input nameConstraints);
+
+uint8_t LocaleInsensitveToLower(uint8_t a);
+bool StartsWithIDNALabel(Input id);
+
+enum class IDRole
+{
+  ReferenceID = 0,
+  PresentedID = 1,
+  NameConstraint = 2,
+};
+
+enum class AllowWildcards { No = 0, Yes = 1 };
+
+// DNSName constraints implicitly allow subdomain matching when there is no
+// leading dot ("foo.example.com" matches a constraint of "example.com"), but
+// RFC822Name constraints only allow subdomain matching when there is a leading
+// dot ("foo.example.com" does not match "example.com" but does match
+// ".example.com").
+enum class AllowDotlessSubdomainMatches { No = 0, Yes = 1 };
+
+bool IsValidDNSID(Input hostname, IDRole idRole,
+                  AllowWildcards allowWildcards);
+
+Result MatchPresentedDNSIDWithReferenceDNSID(
+         Input presentedDNSID,
+         AllowWildcards allowWildcards,
+         AllowDotlessSubdomainMatches allowDotlessSubdomainMatches,
+         IDRole referenceDNSIDRole,
+         Input referenceDNSID,
+         /*out*/ bool& matches);
+
+Result MatchPresentedRFC822NameWithReferenceRFC822Name(
+         Input presentedRFC822Name, IDRole referenceRFC822NameRole,
+         Input referenceRFC822Name, /*out*/ bool& matches);
+
+} // namespace
+
+bool IsValidReferenceDNSID(Input hostname);
+bool IsValidPresentedDNSID(Input hostname);
+bool ParseIPv4Address(Input hostname, /*out*/ uint8_t (&out)[4]);
+bool ParseIPv6Address(Input hostname, /*out*/ uint8_t (&out)[16]);
+
+// This is used by the pkixnames_tests.cpp tests.
+Result
+MatchPresentedDNSIDWithReferenceDNSID(Input presentedDNSID,
+                                      Input referenceDNSID,
+                                      /*out*/ bool& matches)
+{
+  return MatchPresentedDNSIDWithReferenceDNSID(
+           presentedDNSID, AllowWildcards::Yes,
+           AllowDotlessSubdomainMatches::Yes, IDRole::ReferenceID,
+           referenceDNSID, matches);
+}
+
+// Verify that the given end-entity cert, which is assumed to have been already
+// validated with BuildCertChain, is valid for the given hostname. hostname is
+// assumed to be a string representation of an IPv4 address, an IPv6 addresss,
+// or a normalized ASCII (possibly punycode) DNS name.
+Result
+CheckCertHostname(Input endEntityCertDER, Input hostname,
+                  NameMatchingPolicy& nameMatchingPolicy)
+{
+  BackCert cert(endEntityCertDER, EndEntityOrCA::MustBeEndEntity, nullptr);
+  Result rv = cert.Init();
+  if (rv != Success) {
+    return rv;
+  }
+
+  Time notBefore(Time::uninitialized);
+  rv = ParseValidity(cert.GetValidity(), &notBefore);
+  if (rv != Success) {
+    return rv;
+  }
+  FallBackToSearchWithinSubject fallBackToSearchWithinSubject;
+  rv = nameMatchingPolicy.FallBackToCommonName(notBefore,
+                                               fallBackToSearchWithinSubject);
+  if (rv != Success) {
+    return rv;
+  }
+
+  const Input* subjectAltName(cert.GetSubjectAltName());
+  Input subject(cert.GetSubject());
+
+  // For backward compatibility with legacy certificates, we may fall back to
+  // searching for a name match in the subject common name for DNS names and
+  // IPv4 addresses. We don't do so for IPv6 addresses because we do not think
+  // there are many certificates that would need such fallback, and because
+  // comparisons of string representations of IPv6 addresses are particularly
+  // error prone due to the syntactic flexibility that IPv6 addresses have.
+  //
+  // IPv4 and IPv6 addresses are represented using the same type of GeneralName
+  // (iPAddress); they are differentiated by the lengths of the values.
+  MatchResult match;
+  uint8_t ipv6[16];
+  uint8_t ipv4[4];
+  if (IsValidReferenceDNSID(hostname)) {
+    rv = SearchNames(subjectAltName, subject, GeneralNameType::dNSName,
+                     hostname, fallBackToSearchWithinSubject, match);
+  } else if (ParseIPv6Address(hostname, ipv6)) {
+    rv = SearchNames(subjectAltName, subject, GeneralNameType::iPAddress,
+                     Input(ipv6), FallBackToSearchWithinSubject::No, match);
+  } else if (ParseIPv4Address(hostname, ipv4)) {
+    rv = SearchNames(subjectAltName, subject, GeneralNameType::iPAddress,
+                     Input(ipv4), fallBackToSearchWithinSubject, match);
+  } else {
+    return Result::ERROR_BAD_CERT_DOMAIN;
+  }
+  if (rv != Success) {
+    return rv;
+  }
+  switch (match) {
+    case MatchResult::NoNamesOfGivenType: // fall through
+    case MatchResult::Mismatch:
+      return Result::ERROR_BAD_CERT_DOMAIN;
+    case MatchResult::Match:
+      return Success;
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+}
+
+// 4.2.1.10. Name Constraints
+Result
+CheckNameConstraints(Input encodedNameConstraints,
+                     const BackCert& firstChild,
+                     KeyPurposeId requiredEKUIfPresent)
+{
+  for (const BackCert* child = &firstChild; child; child = child->childCert) {
+    FallBackToSearchWithinSubject fallBackToCommonName
+      = (child->endEntityOrCA == EndEntityOrCA::MustBeEndEntity &&
+         requiredEKUIfPresent == KeyPurposeId::id_kp_serverAuth)
+      ? FallBackToSearchWithinSubject::Yes
+      : FallBackToSearchWithinSubject::No;
+
+    MatchResult match;
+    Result rv = SearchNames(child->GetSubjectAltName(), child->GetSubject(),
+                            GeneralNameType::nameConstraints,
+                            encodedNameConstraints, fallBackToCommonName,
+                            match);
+    if (rv != Success) {
+      return rv;
+    }
+    switch (match) {
+      case MatchResult::Match: // fall through
+      case MatchResult::NoNamesOfGivenType:
+        break;
+      case MatchResult::Mismatch:
+        return Result::ERROR_CERT_NOT_IN_NAME_SPACE;
+    }
+  }
+
+  return Success;
+}
+
+namespace {
+
+// SearchNames is used by CheckCertHostname and CheckNameConstraints.
+//
+// When called during name constraint checking, referenceIDType is
+// GeneralNameType::nameConstraints and referenceID is the entire encoded name
+// constraints extension value.
+//
+// The main benefit of using the exact same code paths for both is that we
+// ensure consistency between name validation and name constraint enforcement
+// regarding thing like "Which CN attributes should be considered as potential
+// CN-IDs" and "Which character sets are acceptable for CN-IDs?" If the name
+// matching and the name constraint enforcement logic were out of sync on these
+// issues (e.g. if name matching were to consider all subject CN attributes,
+// but name constraints were only enforced on the most specific subject CN),
+// trivial name constraint bypasses could result.
+
+Result
+SearchNames(/*optional*/ const Input* subjectAltName,
+            Input subject,
+            GeneralNameType referenceIDType,
+            Input referenceID,
+            FallBackToSearchWithinSubject fallBackToCommonName,
+            /*out*/ MatchResult& match)
+{
+  Result rv;
+
+  match = MatchResult::NoNamesOfGivenType;
+
+  // RFC 6125 says "A client MUST NOT seek a match for a reference identifier
+  // of CN-ID if the presented identifiers include a DNS-ID, SRV-ID, URI-ID, or
+  // any application-specific identifier types supported by the client."
+  // Accordingly, we only consider CN-IDs if there are no DNS-IDs in the
+  // subjectAltName.
+  //
+  // RFC 6125 says that IP addresses are out of scope, but for backward
+  // compatibility we accept them, by considering IP addresses to be an
+  // "application-specific identifier type supported by the client."
+  //
+  // TODO(bug XXXXXXX): Consider strengthening this check to "A client MUST NOT
+  // seek a match for a reference identifier of CN-ID if the certificate
+  // contains a subjectAltName extension."
+  //
+  // TODO(bug XXXXXXX): Consider dropping support for IP addresses as
+  // identifiers completely.
+
+  if (subjectAltName) {
+    Reader altNames;
+    rv = der::ExpectTagAndGetValueAtEnd(*subjectAltName, der::SEQUENCE,
+                                        altNames);
+    if (rv != Success) {
+      return rv;
+    }
+
+    // According to RFC 5280, "If the subjectAltName extension is present, the
+    // sequence MUST contain at least one entry." For compatibility reasons, we
+    // do not enforce this. See bug 1143085.
+    while (!altNames.AtEnd()) {
+      GeneralNameType presentedIDType;
+      Input presentedID;
+      rv = ReadGeneralName(altNames, presentedIDType, presentedID);
+      if (rv != Success) {
+        return rv;
+      }
+
+      rv = MatchPresentedIDWithReferenceID(presentedIDType, presentedID,
+                                           referenceIDType, referenceID,
+                                           match);
+      if (rv != Success) {
+        return rv;
+      }
+      if (referenceIDType != GeneralNameType::nameConstraints &&
+          match == MatchResult::Match) {
+        return Success;
+      }
+      if (presentedIDType == GeneralNameType::dNSName ||
+          presentedIDType == GeneralNameType::iPAddress) {
+        fallBackToCommonName = FallBackToSearchWithinSubject::No;
+      }
+    }
+  }
+
+  if (referenceIDType == GeneralNameType::nameConstraints) {
+    rv = CheckPresentedIDConformsToConstraints(GeneralNameType::directoryName,
+                                               subject, referenceID);
+    if (rv != Success) {
+      return rv;
+    }
+  }
+
+  FallBackToSearchWithinSubject fallBackToEmailAddress;
+  if (!subjectAltName &&
+      (referenceIDType == GeneralNameType::rfc822Name ||
+       referenceIDType == GeneralNameType::nameConstraints)) {
+    fallBackToEmailAddress = FallBackToSearchWithinSubject::Yes;
+  } else {
+    fallBackToEmailAddress = FallBackToSearchWithinSubject::No;
+  }
+
+  // Short-circuit the parsing of the subject name if we're not going to match
+  // any names in it
+  if (fallBackToEmailAddress == FallBackToSearchWithinSubject::No &&
+      fallBackToCommonName == FallBackToSearchWithinSubject::No) {
+    return Success;
+  }
+
+  // Attempt to match the reference ID against the CN-ID, which we consider to
+  // be the most-specific CN AVA in the subject field.
+  //
+  // https://tools.ietf.org/html/rfc6125#section-2.3.1 says:
+  //
+  //   To reduce confusion, in this specification we avoid such terms and
+  //   instead use the terms provided under Section 1.8; in particular, we
+  //   do not use the term "(most specific) Common Name field in the subject
+  //   field" from [HTTP-TLS] and instead state that a CN-ID is a Relative
+  //   Distinguished Name (RDN) in the certificate subject containing one
+  //   and only one attribute-type-and-value pair of type Common Name (thus
+  //   removing the possibility that an RDN might contain multiple AVAs
+  //   (Attribute Value Assertions) of type CN, one of which could be
+  //   considered "most specific").
+  //
+  // https://tools.ietf.org/html/rfc6125#section-7.4 says:
+  //
+  //   [...] Although it would be preferable to
+  //   forbid multiple CN-IDs entirely, there are several reasons at this
+  //   time why this specification states that they SHOULD NOT (instead of
+  //   MUST NOT) be included [...]
+  //
+  // Consequently, it is unclear what to do when there are multiple CNs in the
+  // subject, regardless of whether there "SHOULD NOT" be.
+  //
+  // NSS's CERT_VerifyCertName mostly follows RFC2818 in this instance, which
+  // says:
+  //
+  //   If a subjectAltName extension of type dNSName is present, that MUST
+  //   be used as the identity. Otherwise, the (most specific) Common Name
+  //   field in the Subject field of the certificate MUST be used.
+  //
+  //   [...]
+  //
+  //   In some cases, the URI is specified as an IP address rather than a
+  //   hostname. In this case, the iPAddress subjectAltName must be present
+  //   in the certificate and must exactly match the IP in the URI.
+  //
+  // (The main difference from RFC2818 is that NSS's CERT_VerifyCertName also
+  // matches IP addresses in the most-specific CN.)
+  //
+  // NSS's CERT_VerifyCertName finds the most specific CN via
+  // CERT_GetCommoName, which uses CERT_GetLastNameElement. Note that many
+  // NSS-based applications, including Gecko, also use CERT_GetCommonName. It
+  // is likely that other, non-NSS-based, applications also expect only the
+  // most specific CN to be matched against the reference ID.
+  //
+  // "A Layman's Guide to a Subset of ASN.1, BER, and DER" and other sources
+  // agree that an RDNSequence is ordered from most significant (least
+  // specific) to least significant (most specific), as do other references.
+  //
+  // However, Chromium appears to use the least-specific (first) CN instead of
+  // the most-specific; see https://crbug.com/366957. Also, MSIE and some other
+  // popular implementations apparently attempt to match the reference ID
+  // against any/all CNs in the subject. Since we're trying to phase out the
+  // use of CN-IDs, we intentionally avoid trying to match MSIE's more liberal
+  // behavior.
+
+  // Name ::= CHOICE { -- only one possibility for now --
+  //   rdnSequence  RDNSequence }
+  //
+  // RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+  //
+  // RelativeDistinguishedName ::=
+  //   SET SIZE (1..MAX) OF AttributeTypeAndValue
+  Reader subjectReader(subject);
+  return der::NestedOf(subjectReader, der::SEQUENCE, der::SET,
+                       der::EmptyAllowed::Yes, [&](Reader& r) {
+    return SearchWithinRDN(r, referenceIDType, referenceID,
+                          fallBackToEmailAddress, fallBackToCommonName, match);
+  });
+}
+
+// RelativeDistinguishedName ::=
+//   SET SIZE (1..MAX) OF AttributeTypeAndValue
+//
+// AttributeTypeAndValue ::= SEQUENCE {
+//   type     AttributeType,
+//   value    AttributeValue }
+Result
+SearchWithinRDN(Reader& rdn,
+                GeneralNameType referenceIDType,
+                Input referenceID,
+                FallBackToSearchWithinSubject fallBackToEmailAddress,
+                FallBackToSearchWithinSubject fallBackToCommonName,
+                /*in/out*/ MatchResult& match)
+{
+  do {
+    Input type;
+    uint8_t valueTag;
+    Input value;
+    Result rv = ReadAVA(rdn, type, valueTag, value);
+    if (rv != Success) {
+      return rv;
+    }
+    rv = MatchAVA(type, valueTag, value, referenceIDType, referenceID,
+                  fallBackToEmailAddress, fallBackToCommonName, match);
+    if (rv != Success) {
+      return rv;
+    }
+  } while (!rdn.AtEnd());
+
+  return Success;
+}
+
+// AttributeTypeAndValue ::= SEQUENCE {
+//   type     AttributeType,
+//   value    AttributeValue }
+//
+// AttributeType ::= OBJECT IDENTIFIER
+//
+// AttributeValue ::= ANY -- DEFINED BY AttributeType
+//
+// DirectoryString ::= CHOICE {
+//       teletexString           TeletexString (SIZE (1..MAX)),
+//       printableString         PrintableString (SIZE (1..MAX)),
+//       universalString         UniversalString (SIZE (1..MAX)),
+//       utf8String              UTF8String (SIZE (1..MAX)),
+//       bmpString               BMPString (SIZE (1..MAX)) }
+Result
+MatchAVA(Input type, uint8_t valueEncodingTag, Input presentedID,
+         GeneralNameType referenceIDType,
+         Input referenceID,
+         FallBackToSearchWithinSubject fallBackToEmailAddress,
+         FallBackToSearchWithinSubject fallBackToCommonName,
+         /*in/out*/ MatchResult& match)
+{
+  // Try to match the  CN as a DNSName or an IPAddress.
+  //
+  // id-at-commonName        AttributeType ::= { id-at 3 }
+  //
+  // -- Naming attributes of type X520CommonName:
+  // --   X520CommonName ::= DirectoryName (SIZE (1..ub-common-name))
+  // --
+  // -- Expanded to avoid parameterized type:
+  // X520CommonName ::= CHOICE {
+  //       teletexString     TeletexString   (SIZE (1..ub-common-name)),
+  //       printableString   PrintableString (SIZE (1..ub-common-name)),
+  //       universalString   UniversalString (SIZE (1..ub-common-name)),
+  //       utf8String        UTF8String      (SIZE (1..ub-common-name)),
+  //       bmpString         BMPString       (SIZE (1..ub-common-name)) }
+  //
+  // python DottedOIDToCode.py id-at-commonName 2.5.4.3
+  static const uint8_t id_at_commonName[] = {
+    0x55, 0x04, 0x03
+  };
+  if (fallBackToCommonName == FallBackToSearchWithinSubject::Yes &&
+      InputsAreEqual(type, Input(id_at_commonName))) {
+    // We might have previously found a match. Now that we've found another CN,
+    // we no longer consider that previous match to be a match, so "forget" about
+    // it.
+    match = MatchResult::NoNamesOfGivenType;
+
+    // PrintableString is a subset of ASCII that contains all the characters
+    // allowed in CN-IDs except '*'. Although '*' is illegal, there are many
+    // real-world certificates that are encoded this way, so we accept it.
+    //
+    // In the case of UTF8String, we rely on the fact that in UTF-8 the octets in
+    // a multi-byte encoding of a code point are always distinct from ASCII. Any
+    // non-ASCII byte in a UTF-8 string causes us to fail to match. We make no
+    // attempt to detect or report malformed UTF-8 (e.g. incomplete or overlong
+    // encodings of code points, or encodings of invalid code points).
+    //
+    // TeletexString is supported as long as it does not contain any escape
+    // sequences, which are not supported. We'll reject escape sequences as
+    // invalid characters in names, which means we only accept strings that are
+    // in the default character set, which is a superset of ASCII. Note that NSS
+    // actually treats TeletexString as ISO-8859-1. Many certificates that have
+    // wildcard CN-IDs (e.g. "*.example.com") use TeletexString because
+    // PrintableString is defined to not allow '*' and because, at one point in
+    // history, UTF8String was too new to use for compatibility reasons.
+    //
+    // UniversalString and BMPString are also deprecated, and they are a little
+    // harder to support because they are not single-byte ASCII superset
+    // encodings, so we don't bother.
+    if (valueEncodingTag != der::PrintableString &&
+        valueEncodingTag != der::UTF8String &&
+        valueEncodingTag != der::TeletexString) {
+      return Success;
+    }
+
+    if (IsValidPresentedDNSID(presentedID)) {
+      MatchSubjectPresentedIDWithReferenceID(GeneralNameType::dNSName,
+                                             presentedID, referenceIDType,
+                                             referenceID, match);
+    } else {
+      // We don't match CN-IDs for IPv6 addresses.
+      // MatchSubjectPresentedIDWithReferenceID ensures that it won't match an
+      // IPv4 address with an IPv6 address, so we don't need to check that
+      // referenceID is an IPv4 address here.
+      uint8_t ipv4[4];
+      if (ParseIPv4Address(presentedID, ipv4)) {
+        MatchSubjectPresentedIDWithReferenceID(GeneralNameType::iPAddress,
+                                               Input(ipv4), referenceIDType,
+                                               referenceID, match);
+      }
+    }
+
+    // Regardless of whether there was a match, we keep going in case we find
+    // another CN later. If we do find another one, then this match/mismatch
+    // will be ignored, because we only care about the most specific CN.
+
+    return Success;
+  }
+
+  // Match an email address against an emailAddress attribute in the
+  // subject.
+  //
+  // id-emailAddress      AttributeType ::= { pkcs-9 1 }
+  //
+  // EmailAddress ::=     IA5String (SIZE (1..ub-emailaddress-length))
+  //
+  // python DottedOIDToCode.py id-emailAddress 1.2.840.113549.1.9.1
+  static const uint8_t id_emailAddress[] = {
+    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01
+  };
+  if (fallBackToEmailAddress == FallBackToSearchWithinSubject::Yes &&
+      InputsAreEqual(type, Input(id_emailAddress))) {
+    if (referenceIDType == GeneralNameType::rfc822Name &&
+        match == MatchResult::Match) {
+      // We already found a match; we don't need to match another one
+      return Success;
+    }
+    if (valueEncodingTag != der::IA5String) {
+      return Result::ERROR_BAD_DER;
+    }
+    return MatchPresentedIDWithReferenceID(GeneralNameType::rfc822Name,
+                                           presentedID, referenceIDType,
+                                           referenceID, match);
+  }
+
+  return Success;
+}
+
+void
+MatchSubjectPresentedIDWithReferenceID(GeneralNameType presentedIDType,
+                                       Input presentedID,
+                                       GeneralNameType referenceIDType,
+                                       Input referenceID,
+                                       /*in/out*/ MatchResult& match)
+{
+  Result rv = MatchPresentedIDWithReferenceID(presentedIDType, presentedID,
+                                              referenceIDType, referenceID,
+                                              match);
+  if (rv != Success) {
+    match = MatchResult::Mismatch;
+  }
+}
+
+Result
+MatchPresentedIDWithReferenceID(GeneralNameType presentedIDType,
+                                Input presentedID,
+                                GeneralNameType referenceIDType,
+                                Input referenceID,
+                                /*out*/ MatchResult& matchResult)
+{
+  if (referenceIDType == GeneralNameType::nameConstraints) {
+    // matchResult is irrelevant when checking name constraints; only the
+    // pass/fail result of CheckPresentedIDConformsToConstraints matters.
+    return CheckPresentedIDConformsToConstraints(presentedIDType, presentedID,
+                                                 referenceID);
+  }
+
+  if (presentedIDType != referenceIDType) {
+    matchResult = MatchResult::Mismatch;
+    return Success;
+  }
+
+  Result rv;
+  bool foundMatch;
+
+  switch (referenceIDType) {
+    case GeneralNameType::dNSName:
+      rv = MatchPresentedDNSIDWithReferenceDNSID(
+             presentedID, AllowWildcards::Yes,
+             AllowDotlessSubdomainMatches::Yes, IDRole::ReferenceID,
+             referenceID, foundMatch);
+      break;
+
+    case GeneralNameType::iPAddress:
+      foundMatch = InputsAreEqual(presentedID, referenceID);
+      rv = Success;
+      break;
+
+    case GeneralNameType::rfc822Name:
+      rv = MatchPresentedRFC822NameWithReferenceRFC822Name(
+             presentedID, IDRole::ReferenceID, referenceID, foundMatch);
+      break;
+
+    case GeneralNameType::directoryName:
+      // TODO: At some point, we may add APIs for matching DirectoryNames.
+      // fall through
+
+    case GeneralNameType::otherName: // fall through
+    case GeneralNameType::x400Address: // fall through
+    case GeneralNameType::ediPartyName: // fall through
+    case GeneralNameType::uniformResourceIdentifier: // fall through
+    case GeneralNameType::registeredID: // fall through
+    case GeneralNameType::nameConstraints:
+      return NotReached("unexpected nameType for SearchType::Match",
+                        Result::FATAL_ERROR_INVALID_ARGS);
+
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+ }
+
+  if (rv != Success) {
+    return rv;
+  }
+  matchResult = foundMatch ? MatchResult::Match : MatchResult::Mismatch;
+  return Success;
+}
+
+enum class NameConstraintsSubtrees : uint8_t
+{
+  permittedSubtrees = der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 0,
+  excludedSubtrees  = der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 1
+};
+
+Result CheckPresentedIDConformsToNameConstraintsSubtrees(
+         GeneralNameType presentedIDType,
+         Input presentedID,
+         Reader& nameConstraints,
+         NameConstraintsSubtrees subtreesType);
+Result MatchPresentedIPAddressWithConstraint(Input presentedID,
+                                             Input iPAddressConstraint,
+                                             /*out*/ bool& foundMatch);
+Result MatchPresentedDirectoryNameWithConstraint(
+         NameConstraintsSubtrees subtreesType, Input presentedID,
+         Input directoryNameConstraint, /*out*/ bool& matches);
+
+Result
+CheckPresentedIDConformsToConstraints(
+  GeneralNameType presentedIDType,
+  Input presentedID,
+  Input encodedNameConstraints)
+{
+  // NameConstraints ::= SEQUENCE {
+  //      permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
+  //      excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
+  Reader nameConstraints;
+  Result rv = der::ExpectTagAndGetValueAtEnd(encodedNameConstraints,
+                                             der::SEQUENCE, nameConstraints);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // RFC 5280 says "Conforming CAs MUST NOT issue certificates where name
+  // constraints is an empty sequence. That is, either the permittedSubtrees
+  // field or the excludedSubtrees MUST be present."
+  if (nameConstraints.AtEnd()) {
+    return Result::ERROR_BAD_DER;
+  }
+
+  rv = CheckPresentedIDConformsToNameConstraintsSubtrees(
+         presentedIDType, presentedID, nameConstraints,
+         NameConstraintsSubtrees::permittedSubtrees);
+  if (rv != Success) {
+    return rv;
+  }
+
+  rv = CheckPresentedIDConformsToNameConstraintsSubtrees(
+         presentedIDType, presentedID, nameConstraints,
+         NameConstraintsSubtrees::excludedSubtrees);
+  if (rv != Success) {
+    return rv;
+  }
+
+  return der::End(nameConstraints);
+}
+
+Result
+CheckPresentedIDConformsToNameConstraintsSubtrees(
+  GeneralNameType presentedIDType,
+  Input presentedID,
+  Reader& nameConstraints,
+  NameConstraintsSubtrees subtreesType)
+{
+  if (!nameConstraints.Peek(static_cast<uint8_t>(subtreesType))) {
+    return Success;
+  }
+
+  Reader subtrees;
+  Result rv = der::ExpectTagAndGetValue(nameConstraints,
+                                        static_cast<uint8_t>(subtreesType),
+                                        subtrees);
+  if (rv != Success) {
+    return rv;
+  }
+
+  bool hasPermittedSubtreesMatch = false;
+  bool hasPermittedSubtreesMismatch = false;
+
+  // GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
+  //
+  // do { ... } while(...) because subtrees isn't allowed to be empty.
+  do {
+    // GeneralSubtree ::= SEQUENCE {
+    //      base                    GeneralName,
+    //      minimum         [0]     BaseDistance DEFAULT 0,
+    //      maximum         [1]     BaseDistance OPTIONAL }
+    Reader subtree;
+    rv = ExpectTagAndGetValue(subtrees, der::SEQUENCE, subtree);
+    if (rv != Success) {
+      return rv;
+    }
+    GeneralNameType nameConstraintType;
+    Input base;
+    rv = ReadGeneralName(subtree, nameConstraintType, base);
+    if (rv != Success) {
+      return rv;
+    }
+    // http://tools.ietf.org/html/rfc5280#section-4.2.1.10: "Within this
+    // profile, the minimum and maximum fields are not used with any name
+    // forms, thus, the minimum MUST be zero, and maximum MUST be absent."
+    //
+    // Since the default value isn't allowed to be encoded according to the DER
+    // encoding rules for DEFAULT, this is equivalent to saying that neither
+    // minimum or maximum must be encoded.
+    rv = der::End(subtree);
+    if (rv != Success) {
+      return rv;
+    }
+
+    if (presentedIDType == nameConstraintType) {
+      bool matches;
+
+      switch (presentedIDType) {
+        case GeneralNameType::dNSName:
+          rv = MatchPresentedDNSIDWithReferenceDNSID(
+                 presentedID, AllowWildcards::Yes,
+                 AllowDotlessSubdomainMatches::Yes, IDRole::NameConstraint,
+                 base, matches);
+          if (rv != Success) {
+            return rv;
+          }
+          break;
+
+        case GeneralNameType::iPAddress:
+          rv = MatchPresentedIPAddressWithConstraint(presentedID, base,
+                                                     matches);
+          if (rv != Success) {
+            return rv;
+          }
+          break;
+
+        case GeneralNameType::directoryName:
+          rv = MatchPresentedDirectoryNameWithConstraint(subtreesType,
+                                                         presentedID, base,
+                                                         matches);
+          if (rv != Success) {
+            return rv;
+          }
+          break;
+
+        case GeneralNameType::rfc822Name:
+          rv = MatchPresentedRFC822NameWithReferenceRFC822Name(
+                 presentedID, IDRole::NameConstraint, base, matches);
+          if (rv != Success) {
+            return rv;
+          }
+          break;
+
+        // RFC 5280 says "Conforming CAs [...] SHOULD NOT impose name
+        // constraints on the x400Address, ediPartyName, or registeredID
+        // name forms. It also says "Applications conforming to this profile
+        // [...] SHOULD be able to process name constraints that are imposed
+        // on [...] uniformResourceIdentifier [...]", but we don't bother.
+        //
+        // TODO: Ask to have spec updated to say ""Conforming CAs [...] SHOULD
+        // NOT impose name constraints on the otherName, x400Address,
+        // ediPartyName, uniformResourceIdentifier, or registeredID name
+        // forms."
+        case GeneralNameType::otherName: // fall through
+        case GeneralNameType::x400Address: // fall through
+        case GeneralNameType::ediPartyName: // fall through
+        case GeneralNameType::uniformResourceIdentifier: // fall through
+        case GeneralNameType::registeredID: // fall through
+          return Result::ERROR_CERT_NOT_IN_NAME_SPACE;
+
+        case GeneralNameType::nameConstraints:
+          return NotReached("invalid presentedIDType",
+                            Result::FATAL_ERROR_LIBRARY_FAILURE);
+
+        MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+      }
+
+      switch (subtreesType) {
+        case NameConstraintsSubtrees::permittedSubtrees:
+          if (matches) {
+            hasPermittedSubtreesMatch = true;
+          } else {
+            hasPermittedSubtreesMismatch = true;
+          }
+          break;
+        case NameConstraintsSubtrees::excludedSubtrees:
+          if (matches) {
+            return Result::ERROR_CERT_NOT_IN_NAME_SPACE;
+          }
+          break;
+      }
+    }
+  } while (!subtrees.AtEnd());
+
+  if (hasPermittedSubtreesMismatch && !hasPermittedSubtreesMatch) {
+    // If there was any entry of the given type in permittedSubtrees, then it
+    // required that at least one of them must match. Since none of them did,
+    // we have a failure.
+    return Result::ERROR_CERT_NOT_IN_NAME_SPACE;
+  }
+
+  return Success;
+}
+
+// We do not distinguish between a syntactically-invalid presentedDNSID and one
+// that is syntactically valid but does not match referenceDNSID; in both
+// cases, the result is false.
+//
+// We assume that both presentedDNSID and referenceDNSID are encoded in such a
+// way that US-ASCII (7-bit) characters are encoded in one byte and no encoding
+// of a non-US-ASCII character contains a code point in the range 0-127. For
+// example, UTF-8 is OK but UTF-16 is not.
+//
+// RFC6125 says that a wildcard label may be of the form <x>*<y>.<DNSID>, where
+// <x> and/or <y> may be empty. However, NSS requires <y> to be empty, and we
+// follow NSS's stricter policy by accepting wildcards only of the form
+// <x>*.<DNSID>, where <x> may be empty.
+//
+// An relative presented DNS ID matches both an absolute reference ID and a
+// relative reference ID. Absolute presented DNS IDs are not supported:
+//
+//      Presented ID   Reference ID  Result
+//      -------------------------------------
+//      example.com    example.com   Match
+//      example.com.   example.com   Mismatch
+//      example.com    example.com.  Match
+//      example.com.   example.com.  Mismatch
+//
+// There are more subtleties documented inline in the code.
+//
+// Name constraints ///////////////////////////////////////////////////////////
+//
+// This is all RFC 5280 has to say about DNSName constraints:
+//
+//     DNS name restrictions are expressed as host.example.com.  Any DNS
+//     name that can be constructed by simply adding zero or more labels to
+//     the left-hand side of the name satisfies the name constraint.  For
+//     example, www.host.example.com would satisfy the constraint but
+//     host1.example.com would not.
+//
+// This lack of specificity has lead to a lot of uncertainty regarding
+// subdomain matching. In particular, the following questions have been
+// raised and answered:
+//
+//     Q: Does a presented identifier equal (case insensitive) to the name
+//        constraint match the constraint? For example, does the presented
+//        ID "host.example.com" match a "host.example.com" constraint?
+//     A: Yes. RFC5280 says "by simply adding zero or more labels" and this
+//        is the case of adding zero labels.
+//
+//     Q: When the name constraint does not start with ".", do subdomain
+//        presented identifiers match it? For example, does the presented
+//        ID "www.host.example.com" match a "host.example.com" constraint?
+//     A: Yes. RFC5280 says "by simply adding zero or more labels" and this
+//        is the case of adding more than zero labels. The example is the
+//        one from RFC 5280.
+//
+//     Q: When the name constraint does not start with ".", does a
+//        non-subdomain prefix match it? For example, does "bigfoo.bar.com"
+//        match "foo.bar.com"? [4]
+//     A: No. We interpret RFC 5280's language of "adding zero or more labels"
+//        to mean that whole labels must be prefixed.
+//
+//     (Note that the above three scenarios are the same as the RFC 6265
+//     domain matching rules [0].)
+//
+//     Q: Is a name constraint that starts with "." valid, and if so, what
+//        semantics does it have? For example, does a presented ID of
+//        "www.example.com" match a constraint of ".example.com"? Does a
+//        presented ID of "example.com" match a constraint of ".example.com"?
+//     A: This implementation, NSS[1], and SChannel[2] all support a
+//        leading ".", but OpenSSL[3] does not yet. Amongst the
+//        implementations that support it, a leading "." is legal and means
+//        the same thing as when the "." is omitted, EXCEPT that a
+//        presented identifier equal (case insensitive) to the name
+//        constraint is not matched; i.e. presented DNSName identifiers
+//        must be subdomains. Some CAs in Mozilla's CA program (e.g. HARICA)
+//        have name constraints with the leading "." in their root
+//        certificates. The name constraints imposed on DCISS by Mozilla also
+//        have the it, so supporting this is a requirement for backward
+//        compatibility, even if it is not yet standardized. So, for example, a
+//        presented ID of "www.example.com" matches a constraint of
+//        ".example.com" but a presented ID of "example.com" does not.
+//
+//     Q: Is there a way to prevent subdomain matches?
+//     A: Yes.
+//
+//        Some people have proposed that dNSName constraints that do not
+//        start with a "." should be restricted to exact (case insensitive)
+//        matches. However, such a change of semantics from what RFC5280
+//        specifies would be a non-backward-compatible change in the case of
+//        permittedSubtrees constraints, and it would be a security issue for
+//        excludedSubtrees constraints.
+//
+//        However, it can be done with a combination of permittedSubtrees and
+//        excludedSubtrees, e.g. "example.com" in permittedSubtrees and
+//        ".example.com" in excudedSubtrees.
+//
+//     Q: Are name constraints allowed to be specified as absolute names?
+//        For example, does a presented ID of "example.com" match a name
+//        constraint of "example.com." and vice versa.
+//     A: Absolute names are not supported as presented IDs or name
+//        constraints. Only reference IDs may be absolute.
+//
+//     Q: Is "" a valid DNSName constraints? If so, what does it mean?
+//     A: Yes. Any valid presented DNSName can be formed "by simply adding zero
+//        or more labels to the left-hand side" of "". In particular, an
+//        excludedSubtrees DNSName constraint of "" forbids all DNSNames.
+//
+//     Q: Is "." a valid DNSName constraints? If so, what does it mean?
+//     A: No, because absolute names are not allowed (see above).
+//
+// [0] RFC 6265 (Cookies) Domain Matching rules:
+//     http://tools.ietf.org/html/rfc6265#section-5.1.3
+// [1] NSS source code:
+//     https://mxr.mozilla.org/nss/source/lib/certdb/genname.c?rev=2a7348f013cb#1209
+// [2] Description of SChannel's behavior from Microsoft:
+//     http://www.imc.org/ietf-pkix/mail-archive/msg04668.html
+// [3] Proposal to add such support to OpenSSL:
+//     http://www.mail-archive.com/openssl-dev%40openssl.org/msg36204.html
+//     https://rt.openssl.org/Ticket/Display.html?id=3562
+// [4] Feedback on the lack of clarify in the definition that never got
+//     incorporated into the spec:
+//     https://www.ietf.org/mail-archive/web/pkix/current/msg21192.html
+Result
+MatchPresentedDNSIDWithReferenceDNSID(
+  Input presentedDNSID,
+  AllowWildcards allowWildcards,
+  AllowDotlessSubdomainMatches allowDotlessSubdomainMatches,
+  IDRole referenceDNSIDRole,
+  Input referenceDNSID,
+  /*out*/ bool& matches)
+{
+  if (!IsValidDNSID(presentedDNSID, IDRole::PresentedID, allowWildcards)) {
+    return Result::ERROR_BAD_DER;
+  }
+
+  if (!IsValidDNSID(referenceDNSID, referenceDNSIDRole, AllowWildcards::No)) {
+    return Result::ERROR_BAD_DER;
+  }
+
+  Reader presented(presentedDNSID);
+  Reader reference(referenceDNSID);
+
+  switch (referenceDNSIDRole)
+  {
+    case IDRole::ReferenceID:
+      break;
+
+    case IDRole::NameConstraint:
+    {
+      if (presentedDNSID.GetLength() > referenceDNSID.GetLength()) {
+        if (referenceDNSID.GetLength() == 0) {
+          // An empty constraint matches everything.
+          matches = true;
+          return Success;
+        }
+        // If the reference ID starts with a dot then skip the prefix of
+        // of the presented ID and start the comparison at the position of that
+        // dot. Examples:
+        //
+        //                                       Matches     Doesn't Match
+        //     -----------------------------------------------------------
+        //       original presented ID:  www.example.com    badexample.com
+        //                     skipped:  www                ba
+        //     presented ID w/o prefix:     .example.com      dexample.com
+        //                reference ID:     .example.com      .example.com
+        //
+        // If the reference ID does not start with a dot then we skip the
+        // prefix of the presented ID but also verify that the prefix ends with
+        // a dot. Examples:
+        //
+        //                                       Matches     Doesn't Match
+        //     -----------------------------------------------------------
+        //       original presented ID:  www.example.com    badexample.com
+        //                     skipped:  www                ba
+        //                 must be '.':     .                 d
+        //     presented ID w/o prefix:      example.com       example.com
+        //                reference ID:      example.com       example.com
+        //
+        if (reference.Peek('.')) {
+          if (presented.Skip(static_cast<Input::size_type>(
+                               presentedDNSID.GetLength() -
+                                 referenceDNSID.GetLength())) != Success) {
+            return NotReached("skipping subdomain failed",
+                              Result::FATAL_ERROR_LIBRARY_FAILURE);
+          }
+        } else if (allowDotlessSubdomainMatches ==
+                   AllowDotlessSubdomainMatches::Yes) {
+          if (presented.Skip(static_cast<Input::size_type>(
+                               presentedDNSID.GetLength() -
+                                 referenceDNSID.GetLength() - 1)) != Success) {
+            return NotReached("skipping subdomains failed",
+                              Result::FATAL_ERROR_LIBRARY_FAILURE);
+          }
+          uint8_t b;
+          if (presented.Read(b) != Success) {
+            return NotReached("reading from presentedDNSID failed",
+                              Result::FATAL_ERROR_LIBRARY_FAILURE);
+          }
+          if (b != '.') {
+            matches = false;
+            return Success;
+          }
+        }
+      }
+      break;
+    }
+
+    case IDRole::PresentedID: // fall through
+      return NotReached("IDRole::PresentedID is not a valid referenceDNSIDRole",
+                        Result::FATAL_ERROR_INVALID_ARGS);
+  }
+
+  // We only allow wildcard labels that consist only of '*'.
+  if (presented.Peek('*')) {
+    if (presented.Skip(1) != Success) {
+      return NotReached("Skipping '*' failed",
+                        Result::FATAL_ERROR_LIBRARY_FAILURE);
+    }
+    do {
+      // This will happen if reference is a single, relative label
+      if (reference.AtEnd()) {
+        matches = false;
+        return Success;
+      }
+      uint8_t referenceByte;
+      if (reference.Read(referenceByte) != Success) {
+        return NotReached("invalid reference ID",
+                          Result::FATAL_ERROR_INVALID_ARGS);
+      }
+    } while (!reference.Peek('.'));
+  }
+
+  for (;;) {
+    uint8_t presentedByte;
+    if (presented.Read(presentedByte) != Success) {
+      matches = false;
+      return Success;
+    }
+    uint8_t referenceByte;
+    if (reference.Read(referenceByte) != Success) {
+      matches = false;
+      return Success;
+    }
+    if (LocaleInsensitveToLower(presentedByte) !=
+        LocaleInsensitveToLower(referenceByte)) {
+      matches = false;
+      return Success;
+    }
+    if (presented.AtEnd()) {
+      // Don't allow presented IDs to be absolute.
+      if (presentedByte == '.') {
+        return Result::ERROR_BAD_DER;
+      }
+      break;
+    }
+  }
+
+  // Allow a relative presented DNS ID to match an absolute reference DNS ID,
+  // unless we're matching a name constraint.
+  if (!reference.AtEnd()) {
+    if (referenceDNSIDRole != IDRole::NameConstraint) {
+      uint8_t referenceByte;
+      if (reference.Read(referenceByte) != Success) {
+        return NotReached("read failed but not at end",
+                          Result::FATAL_ERROR_LIBRARY_FAILURE);
+      }
+      if (referenceByte != '.') {
+        matches = false;
+        return Success;
+      }
+    }
+    if (!reference.AtEnd()) {
+      matches = false;
+      return Success;
+    }
+  }
+
+  matches = true;
+  return Success;
+}
+
+// https://tools.ietf.org/html/rfc5280#section-4.2.1.10 says:
+//
+//     For IPv4 addresses, the iPAddress field of GeneralName MUST contain
+//     eight (8) octets, encoded in the style of RFC 4632 (CIDR) to represent
+//     an address range [RFC4632].  For IPv6 addresses, the iPAddress field
+//     MUST contain 32 octets similarly encoded.  For example, a name
+//     constraint for "class C" subnet 192.0.2.0 is represented as the
+//     octets C0 00 02 00 FF FF FF 00, representing the CIDR notation
+//     192.0.2.0/24 (mask 255.255.255.0).
+Result
+MatchPresentedIPAddressWithConstraint(Input presentedID,
+                                      Input iPAddressConstraint,
+                                      /*out*/ bool& foundMatch)
+{
+  if (presentedID.GetLength() != 4 && presentedID.GetLength() != 16) {
+    return Result::ERROR_BAD_DER;
+  }
+  if (iPAddressConstraint.GetLength() != 8 &&
+      iPAddressConstraint.GetLength() != 32) {
+    return Result::ERROR_BAD_DER;
+  }
+
+  // an IPv4 address never matches an IPv6 constraint, and vice versa.
+  if (presentedID.GetLength() * 2 != iPAddressConstraint.GetLength()) {
+    foundMatch = false;
+    return Success;
+  }
+
+  Reader constraint(iPAddressConstraint);
+  Reader constraintAddress;
+  Result rv = constraint.Skip(iPAddressConstraint.GetLength() / 2u,
+                              constraintAddress);
+  if (rv != Success) {
+    return rv;
+  }
+  Reader constraintMask;
+  rv = constraint.Skip(iPAddressConstraint.GetLength() / 2u, constraintMask);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::End(constraint);
+  if (rv != Success) {
+    return rv;
+  }
+
+  Reader presented(presentedID);
+  do {
+    uint8_t presentedByte;
+    rv = presented.Read(presentedByte);
+    if (rv != Success) {
+      return rv;
+    }
+    uint8_t constraintAddressByte;
+    rv = constraintAddress.Read(constraintAddressByte);
+    if (rv != Success) {
+      return rv;
+    }
+    uint8_t constraintMaskByte;
+    rv = constraintMask.Read(constraintMaskByte);
+    if (rv != Success) {
+      return rv;
+    }
+    foundMatch =
+      ((presentedByte ^ constraintAddressByte) & constraintMaskByte) == 0;
+  } while (foundMatch && !presented.AtEnd());
+
+  return Success;
+}
+
+// AttributeTypeAndValue ::= SEQUENCE {
+//   type     AttributeType,
+//   value    AttributeValue }
+//
+// AttributeType ::= OBJECT IDENTIFIER
+//
+// AttributeValue ::= ANY -- DEFINED BY AttributeType
+Result
+ReadAVA(Reader& rdn,
+        /*out*/ Input& type,
+        /*out*/ uint8_t& valueTag,
+        /*out*/ Input& value)
+{
+  return der::Nested(rdn, der::SEQUENCE, [&](Reader& ava) -> Result {
+    Result rv = der::ExpectTagAndGetValue(ava, der::OIDTag, type);
+    if (rv != Success) {
+      return rv;
+    }
+    rv = der::ReadTagAndGetValue(ava, valueTag, value);
+    if (rv != Success) {
+      return rv;
+    }
+    return Success;
+  });
+}
+
+// Names are sequences of RDNs. RDNS are sets of AVAs. That means that RDNs are
+// unordered, so in theory we should match RDNs with equivalent AVAs that are
+// in different orders. Within the AVAs are DirectoryNames that are supposed to
+// be compared according to LDAP stringprep normalization rules (e.g.
+// normalizing whitespace), consideration of different character encodings,
+// etc. Indeed, RFC 5280 says we MUST deal with all of that.
+//
+// In practice, many implementations, including NSS, only match Names in a way
+// that only meets a subset of the requirements of RFC 5280. Those
+// normalization and character encoding conversion steps appear to be
+// unnecessary for processing real-world certificates, based on experience from
+// having used NSS in Firefox for many years.
+//
+// RFC 5280 also says "CAs issuing certificates with a restriction of the form
+// directoryName SHOULD NOT rely on implementation of the full
+// ISO DN name comparison algorithm. This implies name restrictions MUST
+// be stated identically to the encoding used in the subject field or
+// subjectAltName extension." It goes on to say, in the security
+// considerations:
+//
+//     In addition, name constraints for distinguished names MUST be stated
+//     identically to the encoding used in the subject field or
+//     subjectAltName extension.  If not, then name constraints stated as
+//     excludedSubtrees will not match and invalid paths will be accepted
+//     and name constraints expressed as permittedSubtrees will not match
+//     and valid paths will be rejected.  To avoid acceptance of invalid
+//     paths, CAs SHOULD state name constraints for distinguished names as
+//     permittedSubtrees wherever possible.
+//
+// For permittedSubtrees, the MUST-level requirement is relaxed for
+// compatibility in the case of PrintableString and UTF8String. That is, if a
+// name constraint has been encoded using UTF8String and the presented ID has
+// been encoded with a PrintableString (or vice-versa), they are considered to
+// match if they are equal everywhere except for the tag identifying the
+// encoding. See bug 1150114.
+//
+// For excludedSubtrees, we simply prohibit any non-empty directoryName
+// constraint to ensure we are not being too lenient. We support empty
+// DirectoryName constraints in excludedSubtrees so that a CA can say "Do not
+// allow any DirectoryNames in issued certificates."
+Result
+MatchPresentedDirectoryNameWithConstraint(NameConstraintsSubtrees subtreesType,
+                                          Input presentedID,
+                                          Input directoryNameConstraint,
+                                          /*out*/ bool& matches)
+{
+  Reader constraintRDNs;
+  Result rv = der::ExpectTagAndGetValueAtEnd(directoryNameConstraint,
+                                             der::SEQUENCE, constraintRDNs);
+  if (rv != Success) {
+    return rv;
+  }
+  Reader presentedRDNs;
+  rv = der::ExpectTagAndGetValueAtEnd(presentedID, der::SEQUENCE,
+                                      presentedRDNs);
+  if (rv != Success) {
+    return rv;
+  }
+
+  switch (subtreesType) {
+    case NameConstraintsSubtrees::permittedSubtrees:
+      break; // dealt with below
+    case NameConstraintsSubtrees::excludedSubtrees:
+      if (!constraintRDNs.AtEnd() || !presentedRDNs.AtEnd()) {
+        return Result::ERROR_CERT_NOT_IN_NAME_SPACE;
+      }
+      matches = true;
+      return Success;
+  }
+
+  for (;;) {
+    // The AVAs have to be fully equal, but the constraint RDNs just need to be
+    // a prefix of the presented RDNs.
+    if (constraintRDNs.AtEnd()) {
+      matches = true;
+      return Success;
+    }
+    if (presentedRDNs.AtEnd()) {
+      matches = false;
+      return Success;
+    }
+    Reader constraintRDN;
+    rv = der::ExpectTagAndGetValue(constraintRDNs, der::SET, constraintRDN);
+    if (rv != Success) {
+      return rv;
+    }
+    Reader presentedRDN;
+    rv = der::ExpectTagAndGetValue(presentedRDNs, der::SET, presentedRDN);
+    if (rv != Success) {
+      return rv;
+    }
+    while (!constraintRDN.AtEnd() && !presentedRDN.AtEnd()) {
+      Input constraintType;
+      uint8_t constraintValueTag;
+      Input constraintValue;
+      rv = ReadAVA(constraintRDN, constraintType, constraintValueTag,
+                   constraintValue);
+      if (rv != Success) {
+        return rv;
+      }
+      Input presentedType;
+      uint8_t presentedValueTag;
+      Input presentedValue;
+      rv = ReadAVA(presentedRDN, presentedType, presentedValueTag,
+                   presentedValue);
+      if (rv != Success) {
+        return rv;
+      }
+      // TODO (bug 1155767): verify that if an AVA is a PrintableString it
+      // consists only of characters valid for PrintableStrings.
+      bool avasMatch =
+        InputsAreEqual(constraintType, presentedType) &&
+        InputsAreEqual(constraintValue, presentedValue) &&
+        (constraintValueTag == presentedValueTag ||
+         (constraintValueTag == der::Tag::UTF8String &&
+          presentedValueTag == der::Tag::PrintableString) ||
+         (constraintValueTag == der::Tag::PrintableString &&
+          presentedValueTag == der::Tag::UTF8String));
+      if (!avasMatch) {
+        matches = false;
+        return Success;
+      }
+    }
+    if (!constraintRDN.AtEnd() || !presentedRDN.AtEnd()) {
+      matches = false;
+      return Success;
+    }
+  }
+}
+
+// RFC 5280 says:
+//
+//     The format of an rfc822Name is a "Mailbox" as defined in Section 4.1.2
+//     of [RFC2821]. A Mailbox has the form "Local-part@Domain".  Note that a
+//     Mailbox has no phrase (such as a common name) before it, has no comment
+//     (text surrounded in parentheses) after it, and is not surrounded by "<"
+//     and ">".  Rules for encoding Internet mail addresses that include
+//     internationalized domain names are specified in Section 7.5.
+//
+// and:
+//
+//     A name constraint for Internet mail addresses MAY specify a
+//     particular mailbox, all addresses at a particular host, or all
+//     mailboxes in a domain.  To indicate a particular mailbox, the
+//     constraint is the complete mail address.  For example,
+//     "root@example.com" indicates the root mailbox on the host
+//     "example.com".  To indicate all Internet mail addresses on a
+//     particular host, the constraint is specified as the host name.  For
+//     example, the constraint "example.com" is satisfied by any mail
+//     address at the host "example.com".  To specify any address within a
+//     domain, the constraint is specified with a leading period (as with
+//     URIs).  For example, ".example.com" indicates all the Internet mail
+//     addresses in the domain "example.com", but not Internet mail
+//     addresses on the host "example.com".
+
+bool
+IsValidRFC822Name(Input input)
+{
+  Reader reader(input);
+
+  // Local-part@.
+  bool startOfAtom = true;
+  for (;;) {
+    uint8_t presentedByte;
+    if (reader.Read(presentedByte) != Success) {
+      return false;
+    }
+    switch (presentedByte) {
+      // atext is defined in https://tools.ietf.org/html/rfc2822#section-3.2.4
+      case 'A': case 'a': case 'N': case 'n': case '0': case '!': case '#':
+      case 'B': case 'b': case 'O': case 'o': case '1': case '$': case '%':
+      case 'C': case 'c': case 'P': case 'p': case '2': case '&': case '\'':
+      case 'D': case 'd': case 'Q': case 'q': case '3': case '*': case '+':
+      case 'E': case 'e': case 'R': case 'r': case '4': case '-': case '/':
+      case 'F': case 'f': case 'S': case 's': case '5': case '=': case '?':
+      case 'G': case 'g': case 'T': case 't': case '6': case '^': case '_':
+      case 'H': case 'h': case 'U': case 'u': case '7': case '`': case '{':
+      case 'I': case 'i': case 'V': case 'v': case '8': case '|': case '}':
+      case 'J': case 'j': case 'W': case 'w': case '9': case '~':
+      case 'K': case 'k': case 'X': case 'x':
+      case 'L': case 'l': case 'Y': case 'y':
+      case 'M': case 'm': case 'Z': case 'z':
+        startOfAtom = false;
+        break;
+
+      case '.':
+        if (startOfAtom) {
+          return false;
+        }
+        startOfAtom = true;
+        break;
+
+      case '@':
+      {
+        if (startOfAtom) {
+          return false;
+        }
+        Input domain;
+        if (reader.SkipToEnd(domain) != Success) {
+          return false;
+        }
+        return IsValidDNSID(domain, IDRole::PresentedID, AllowWildcards::No);
+      }
+
+      default:
+        return false;
+    }
+  }
+}
+
+Result
+MatchPresentedRFC822NameWithReferenceRFC822Name(Input presentedRFC822Name,
+                                                IDRole referenceRFC822NameRole,
+                                                Input referenceRFC822Name,
+                                                /*out*/ bool& matches)
+{
+  if (!IsValidRFC822Name(presentedRFC822Name)) {
+    return Result::ERROR_BAD_DER;
+  }
+  Reader presented(presentedRFC822Name);
+
+  switch (referenceRFC822NameRole)
+  {
+    case IDRole::PresentedID:
+      return Result::FATAL_ERROR_INVALID_ARGS;
+
+    case IDRole::ReferenceID:
+      break;
+
+    case IDRole::NameConstraint:
+    {
+      if (InputContains(referenceRFC822Name, '@')) {
+        // The constraint is of the form "Local-part@Domain".
+        break;
+      }
+
+      // The constraint is of the form "example.com" or ".example.com".
+
+      // Skip past the '@' in the presented ID.
+      for (;;) {
+        uint8_t presentedByte;
+        if (presented.Read(presentedByte) != Success) {
+          return Result::FATAL_ERROR_LIBRARY_FAILURE;
+        }
+        if (presentedByte == '@') {
+          break;
+        }
+      }
+
+      Input presentedDNSID;
+      if (presented.SkipToEnd(presentedDNSID) != Success) {
+        return Result::FATAL_ERROR_LIBRARY_FAILURE;
+      }
+
+      return MatchPresentedDNSIDWithReferenceDNSID(
+               presentedDNSID, AllowWildcards::No,
+               AllowDotlessSubdomainMatches::No, IDRole::NameConstraint,
+               referenceRFC822Name, matches);
+    }
+  }
+
+  if (!IsValidRFC822Name(referenceRFC822Name)) {
+    return Result::ERROR_BAD_DER;
+  }
+
+  Reader reference(referenceRFC822Name);
+
+  for (;;) {
+    uint8_t presentedByte;
+    if (presented.Read(presentedByte) != Success) {
+      matches = reference.AtEnd();
+      return Success;
+    }
+    uint8_t referenceByte;
+    if (reference.Read(referenceByte) != Success) {
+      matches = false;
+      return Success;
+    }
+    if (LocaleInsensitveToLower(presentedByte) !=
+        LocaleInsensitveToLower(referenceByte)) {
+      matches = false;
+      return Success;
+    }
+  }
+}
+
+// We avoid isdigit because it is locale-sensitive. See
+// http://pubs.opengroup.org/onlinepubs/009695399/functions/tolower.html.
+inline uint8_t
+LocaleInsensitveToLower(uint8_t a)
+{
+  if (a >= 'A' && a <= 'Z') { // unlikely
+    return static_cast<uint8_t>(
+             static_cast<uint8_t>(a - static_cast<uint8_t>('A')) +
+             static_cast<uint8_t>('a'));
+  }
+  return a;
+}
+
+bool
+StartsWithIDNALabel(Input id)
+{
+  static const uint8_t IDN_ALABEL_PREFIX[4] = { 'x', 'n', '-', '-' };
+  Reader input(id);
+  for (const uint8_t prefixByte : IDN_ALABEL_PREFIX) {
+    uint8_t b;
+    if (input.Read(b) != Success) {
+      return false;
+    }
+    if (b != prefixByte) {
+      return false;
+    }
+  }
+  return true;
+}
+
+bool
+ReadIPv4AddressComponent(Reader& input, bool lastComponent,
+                         /*out*/ uint8_t& valueOut)
+{
+  size_t length = 0;
+  unsigned int value = 0; // Must be larger than uint8_t.
+
+  for (;;) {
+    if (input.AtEnd() && lastComponent) {
+      break;
+    }
+
+    uint8_t b;
+    if (input.Read(b) != Success) {
+      return false;
+    }
+
+    if (b >= '0' && b <= '9') {
+      if (value == 0 && length > 0) {
+        return false; // Leading zeros are not allowed.
+      }
+      value = (value * 10) + (b - '0');
+      if (value > 255) {
+        return false; // Component's value is too large.
+      }
+      ++length;
+    } else if (!lastComponent && b == '.') {
+      break;
+    } else {
+      return false; // Invalid character.
+    }
+  }
+
+  if (length == 0) {
+    return false; // empty components not allowed
+  }
+
+  valueOut = static_cast<uint8_t>(value);
+  return true;
+}
+
+} // namespace
+
+// On Windows and maybe other platforms, OS-provided IP address parsing
+// functions might fail if the protocol (IPv4 or IPv6) has been disabled, so we
+// can't rely on them.
+bool
+ParseIPv4Address(Input hostname, /*out*/ uint8_t (&out)[4])
+{
+  Reader input(hostname);
+  return ReadIPv4AddressComponent(input, false, out[0]) &&
+         ReadIPv4AddressComponent(input, false, out[1]) &&
+         ReadIPv4AddressComponent(input, false, out[2]) &&
+         ReadIPv4AddressComponent(input, true, out[3]);
+}
+
+namespace {
+
+bool
+FinishIPv6Address(/*in/out*/ uint8_t (&address)[16], int numComponents,
+                  int contractionIndex)
+{
+  assert(numComponents >= 0);
+  assert(numComponents <= 8);
+  assert(contractionIndex >= -1);
+  assert(contractionIndex <= 8);
+  assert(contractionIndex <= numComponents);
+  if (!(numComponents >= 0 &&
+        numComponents <= 8 &&
+        contractionIndex >= -1 &&
+        contractionIndex <= 8 &&
+        contractionIndex <= numComponents)) {
+    return false;
+  }
+
+  if (contractionIndex == -1) {
+    // no contraction
+    return numComponents == 8;
+  }
+
+  if (numComponents >= 8) {
+    return false; // no room left to expand the contraction.
+  }
+
+  // Shift components that occur after the contraction over.
+  std::copy_backward(address + (2u * static_cast<size_t>(contractionIndex)),
+                     address + (2u * static_cast<size_t>(numComponents)),
+                     address + (2u * 8u));
+  // Fill in the contracted area with zeros.
+  std::fill_n(address + 2u * static_cast<size_t>(contractionIndex),
+              (8u - static_cast<size_t>(numComponents)) * 2u, static_cast<uint8_t>(0u));
+
+  return true;
+}
+
+} // namespace
+
+// On Windows and maybe other platforms, OS-provided IP address parsing
+// functions might fail if the protocol (IPv4 or IPv6) has been disabled, so we
+// can't rely on them.
+bool
+ParseIPv6Address(Input hostname, /*out*/ uint8_t (&out)[16])
+{
+  Reader input(hostname);
+
+  int currentComponentIndex = 0;
+  int contractionIndex = -1;
+
+  if (input.Peek(':')) {
+    // A valid input can only start with ':' if there is a contraction at the
+    // beginning.
+    uint8_t b;
+    if (input.Read(b) != Success || b != ':') {
+      assert(false);
+      return false;
+    }
+    if (input.Read(b) != Success) {
+      return false;
+    }
+    if (b != ':') {
+      return false;
+    }
+    contractionIndex = 0;
+  }
+
+  for (;;) {
+    // If we encounter a '.' then we'll have to backtrack to parse the input
+    // from startOfComponent to the end of the input as an IPv4 address.
+    Reader::Mark startOfComponent(input.GetMark());
+    uint16_t componentValue = 0;
+    size_t componentLength = 0;
+    while (!input.AtEnd() && !input.Peek(':')) {
+      uint8_t value;
+      uint8_t b;
+      if (input.Read(b) != Success) {
+        assert(false);
+        return false;
+      }
+      switch (b) {
+        case '0': case '1': case '2': case '3': case '4':
+        case '5': case '6': case '7': case '8': case '9':
+          value = static_cast<uint8_t>(b - static_cast<uint8_t>('0'));
+          break;
+        case 'a': case 'b': case 'c': case 'd': case 'e': case 'f':
+          value = static_cast<uint8_t>(b - static_cast<uint8_t>('a') +
+                                       UINT8_C(10));
+          break;
+        case 'A': case 'B': case 'C': case 'D': case 'E': case 'F':
+          value = static_cast<uint8_t>(b - static_cast<uint8_t>('A') +
+                                       UINT8_C(10));
+          break;
+        case '.':
+        {
+          // A dot indicates we hit a IPv4-syntax component. Backtrack, parsing
+          // the input from startOfComponent to the end of the input as an IPv4
+          // address, and then combine it with the other components.
+
+          if (currentComponentIndex > 6) {
+            return false; // Too many components before the IPv4 component
+          }
+
+          input.SkipToEnd();
+          Input ipv4Component;
+          if (input.GetInput(startOfComponent, ipv4Component) != Success) {
+            return false;
+          }
+          uint8_t (*ipv4)[4] =
+            reinterpret_cast<uint8_t(*)[4]>(&out[2 * currentComponentIndex]);
+          if (!ParseIPv4Address(ipv4Component, *ipv4)) {
+            return false;
+          }
+          assert(input.AtEnd());
+          currentComponentIndex += 2;
+
+          return FinishIPv6Address(out, currentComponentIndex,
+                                   contractionIndex);
+        }
+        default:
+          return false;
+      }
+      if (componentLength >= 4) {
+        // component too long
+        return false;
+      }
+      ++componentLength;
+      componentValue = (componentValue * 0x10u) + value;
+    }
+
+    if (currentComponentIndex >= 8) {
+      return false; // too many components
+    }
+
+    if (componentLength == 0) {
+      if (input.AtEnd() && currentComponentIndex == contractionIndex) {
+        if (contractionIndex == 0) {
+          // don't accept "::"
+          return false;
+        }
+        return FinishIPv6Address(out, currentComponentIndex,
+                                 contractionIndex);
+      }
+      return false;
+    }
+
+    out[2 * currentComponentIndex] =
+      static_cast<uint8_t>(componentValue / 0x100);
+    out[(2 * currentComponentIndex) + 1] =
+      static_cast<uint8_t>(componentValue % 0x100);
+
+    ++currentComponentIndex;
+
+    if (input.AtEnd()) {
+      return FinishIPv6Address(out, currentComponentIndex,
+                               contractionIndex);
+    }
+
+    uint8_t b;
+    if (input.Read(b) != Success || b != ':') {
+      assert(false);
+      return false;
+    }
+
+    if (input.Peek(':')) {
+      // Contraction
+      if (contractionIndex != -1) {
+        return false; // multiple contractions are not allowed.
+      }
+      if (input.Read(b) != Success || b != ':') {
+        assert(false);
+        return false;
+      }
+      contractionIndex = currentComponentIndex;
+      if (input.AtEnd()) {
+        // "::" at the end of the input.
+        return FinishIPv6Address(out, currentComponentIndex,
+                                 contractionIndex);
+      }
+    }
+  }
+}
+
+bool
+IsValidReferenceDNSID(Input hostname)
+{
+  return IsValidDNSID(hostname, IDRole::ReferenceID, AllowWildcards::No);
+}
+
+bool
+IsValidPresentedDNSID(Input hostname)
+{
+  return IsValidDNSID(hostname, IDRole::PresentedID, AllowWildcards::Yes);
+}
+
+namespace {
+
+// RFC 5280 Section 4.2.1.6 says that a dNSName "MUST be in the 'preferred name
+// syntax', as specified by Section 3.5 of [RFC1034] and as modified by Section
+// 2.1 of [RFC1123]" except "a dNSName of ' ' MUST NOT be used." Additionally,
+// we allow underscores for compatibility with existing practice.
+bool
+IsValidDNSID(Input hostname, IDRole idRole, AllowWildcards allowWildcards)
+{
+  if (hostname.GetLength() > 253) {
+    return false;
+  }
+
+  Reader input(hostname);
+
+  if (idRole == IDRole::NameConstraint && input.AtEnd()) {
+    return true;
+  }
+
+  size_t dotCount = 0;
+  size_t labelLength = 0;
+  bool labelIsAllNumeric = false;
+  bool labelEndsWithHyphen = false;
+
+  // Only presented IDs are allowed to have wildcard labels. And, like
+  // Chromium, be stricter than RFC 6125 requires by insisting that a
+  // wildcard label consist only of '*'.
+  bool isWildcard = allowWildcards == AllowWildcards::Yes && input.Peek('*');
+  bool isFirstByte = !isWildcard;
+  if (isWildcard) {
+    Result rv = input.Skip(1);
+    if (rv != Success) {
+      assert(false);
+      return false;
+    }
+
+    uint8_t b;
+    rv = input.Read(b);
+    if (rv != Success) {
+      return false;
+    }
+    if (b != '.') {
+      return false;
+    }
+    ++dotCount;
+  }
+
+  do {
+    static const size_t MAX_LABEL_LENGTH = 63;
+
+    uint8_t b;
+    if (input.Read(b) != Success) {
+      return false;
+    }
+    switch (b) {
+      case '-':
+        if (labelLength == 0) {
+          return false; // Labels must not start with a hyphen.
+        }
+        labelIsAllNumeric = false;
+        labelEndsWithHyphen = true;
+        ++labelLength;
+        if (labelLength > MAX_LABEL_LENGTH) {
+          return false;
+        }
+        break;
+
+      // We avoid isdigit because it is locale-sensitive. See
+      // http://pubs.opengroup.org/onlinepubs/009695399/functions/isdigit.html
+      case '0': case '5':
+      case '1': case '6':
+      case '2': case '7':
+      case '3': case '8':
+      case '4': case '9':
+        if (labelLength == 0) {
+          labelIsAllNumeric = true;
+        }
+        labelEndsWithHyphen = false;
+        ++labelLength;
+        if (labelLength > MAX_LABEL_LENGTH) {
+          return false;
+        }
+        break;
+
+      // We avoid using islower/isupper/tolower/toupper or similar things, to
+      // avoid any possibility of this code being locale-sensitive. See
+      // http://pubs.opengroup.org/onlinepubs/009695399/functions/isupper.html
+      case 'a': case 'A': case 'n': case 'N':
+      case 'b': case 'B': case 'o': case 'O':
+      case 'c': case 'C': case 'p': case 'P':
+      case 'd': case 'D': case 'q': case 'Q':
+      case 'e': case 'E': case 'r': case 'R':
+      case 'f': case 'F': case 's': case 'S':
+      case 'g': case 'G': case 't': case 'T':
+      case 'h': case 'H': case 'u': case 'U':
+      case 'i': case 'I': case 'v': case 'V':
+      case 'j': case 'J': case 'w': case 'W':
+      case 'k': case 'K': case 'x': case 'X':
+      case 'l': case 'L': case 'y': case 'Y':
+      case 'm': case 'M': case 'z': case 'Z':
+      // We allow underscores for compatibility with existing practices.
+      // See bug 1136616.
+      case '_':
+        labelIsAllNumeric = false;
+        labelEndsWithHyphen = false;
+        ++labelLength;
+        if (labelLength > MAX_LABEL_LENGTH) {
+          return false;
+        }
+        break;
+
+      case '.':
+        ++dotCount;
+        if (labelLength == 0 &&
+            (idRole != IDRole::NameConstraint || !isFirstByte)) {
+          return false;
+        }
+        if (labelEndsWithHyphen) {
+          return false; // Labels must not end with a hyphen.
+        }
+        labelLength = 0;
+        break;
+
+      default:
+        return false; // Invalid character.
+    }
+    isFirstByte = false;
+  } while (!input.AtEnd());
+
+  // Only reference IDs, not presented IDs or name constraints, may be
+  // absolute.
+  if (labelLength == 0 && idRole != IDRole::ReferenceID) {
+    return false;
+  }
+
+  if (labelEndsWithHyphen) {
+    return false; // Labels must not end with a hyphen.
+  }
+
+  if (labelIsAllNumeric) {
+    return false; // Last label must not be all numeric.
+  }
+
+  if (isWildcard) {
+    // If the DNS ID ends with a dot, the last dot signifies an absolute ID.
+    size_t labelCount = (labelLength == 0) ? dotCount : (dotCount + 1);
+
+    // Like NSS, require at least two labels to follow the wildcard label.
+    //
+    // TODO(bug XXXXXXX): Allow the TrustDomain to control this on a
+    // per-eTLD+1 basis, similar to Chromium. Even then, it might be better to
+    // still enforce that there are at least two labels after the wildcard.
+    if (labelCount < 3) {
+      return false;
+    }
+    // XXX: RFC6125 says that we shouldn't accept wildcards within an IDN
+    // A-Label. The consequence of this is that we effectively discriminate
+    // against users of languages that cannot be encoded with ASCII.
+    if (StartsWithIDNALabel(hostname)) {
+      return false;
+    }
+
+    // TODO(bug XXXXXXX): Wildcards are not allowed for EV certificates.
+    // Provide an option to indicate whether wildcards should be matched, for
+    // the purpose of helping the application enforce this.
+  }
+
+  return true;
+}
+
+} // namespace
+
+} } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/lib/pkixnss.cpp b/security/nss/lib/mozpkix/lib/pkixnss.cpp
new file mode 100644
index 000000000..9b293d5fd
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixnss.cpp
@@ -0,0 +1,236 @@
+/*- *- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/pkixnss.h"
+
+#include <limits>
+
+#include "cryptohi.h"
+#include "keyhi.h"
+#include "pk11pub.h"
+#include "mozpkix/nss_scoped_ptrs.h"
+#include "mozpkix/pkix.h"
+#include "mozpkix/pkixutil.h"
+#include "secerr.h"
+#include "sslerr.h"
+
+namespace mozilla { namespace pkix {
+
+namespace {
+
+Result
+VerifySignedDigest(const SignedDigest& sd,
+                   Input subjectPublicKeyInfo,
+                   SECOidTag pubKeyAlg,
+                   void* pkcs11PinArg)
+{
+  SECOidTag digestAlg;
+  switch (sd.digestAlgorithm) {
+    case DigestAlgorithm::sha512: digestAlg = SEC_OID_SHA512; break;
+    case DigestAlgorithm::sha384: digestAlg = SEC_OID_SHA384; break;
+    case DigestAlgorithm::sha256: digestAlg = SEC_OID_SHA256; break;
+    case DigestAlgorithm::sha1: digestAlg = SEC_OID_SHA1; break;
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+
+  SECItem subjectPublicKeyInfoSECItem =
+    UnsafeMapInputToSECItem(subjectPublicKeyInfo);
+  ScopedCERTSubjectPublicKeyInfo
+    spki(SECKEY_DecodeDERSubjectPublicKeyInfo(&subjectPublicKeyInfoSECItem));
+  if (!spki) {
+    return MapPRErrorCodeToResult(PR_GetError());
+  }
+  ScopedSECKEYPublicKey
+    pubKey(SECKEY_ExtractPublicKey(spki.get()));
+  if (!pubKey) {
+    return MapPRErrorCodeToResult(PR_GetError());
+  }
+
+  SECItem digestSECItem(UnsafeMapInputToSECItem(sd.digest));
+  SECItem signatureSECItem(UnsafeMapInputToSECItem(sd.signature));
+  SECStatus srv = VFY_VerifyDigestDirect(&digestSECItem, pubKey.get(),
+                                         &signatureSECItem, pubKeyAlg,
+                                         digestAlg, pkcs11PinArg);
+  if (srv != SECSuccess) {
+    return MapPRErrorCodeToResult(PR_GetError());
+  }
+
+  return Success;
+}
+
+} // namespace
+
+Result
+VerifyRSAPKCS1SignedDigestNSS(const SignedDigest& sd,
+                              Input subjectPublicKeyInfo,
+                              void* pkcs11PinArg)
+{
+  return VerifySignedDigest(sd, subjectPublicKeyInfo,
+                            SEC_OID_PKCS1_RSA_ENCRYPTION, pkcs11PinArg);
+}
+
+Result
+VerifyECDSASignedDigestNSS(const SignedDigest& sd,
+                           Input subjectPublicKeyInfo,
+                           void* pkcs11PinArg)
+{
+  return VerifySignedDigest(sd, subjectPublicKeyInfo,
+                            SEC_OID_ANSIX962_EC_PUBLIC_KEY, pkcs11PinArg);
+}
+
+Result
+DigestBufNSS(Input item,
+             DigestAlgorithm digestAlg,
+             /*out*/ uint8_t* digestBuf,
+             size_t digestBufLen)
+{
+  SECOidTag oid;
+  size_t bits;
+  switch (digestAlg) {
+    case DigestAlgorithm::sha512: oid = SEC_OID_SHA512; bits = 512; break;
+    case DigestAlgorithm::sha384: oid = SEC_OID_SHA384; bits = 384; break;
+    case DigestAlgorithm::sha256: oid = SEC_OID_SHA256; bits = 256; break;
+    case DigestAlgorithm::sha1: oid = SEC_OID_SHA1; bits = 160; break;
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+  if (digestBufLen != bits / 8) {
+    return Result::FATAL_ERROR_INVALID_ARGS;
+  }
+
+  SECItem itemSECItem = UnsafeMapInputToSECItem(item);
+  if (itemSECItem.len >
+        static_cast<decltype(itemSECItem.len)>(
+          std::numeric_limits<int32_t>::max())) {
+    PR_NOT_REACHED("large items should not be possible here");
+    return Result::FATAL_ERROR_INVALID_ARGS;
+  }
+  SECStatus srv = PK11_HashBuf(oid, digestBuf, itemSECItem.data,
+                               static_cast<int32_t>(itemSECItem.len));
+  if (srv != SECSuccess) {
+    return MapPRErrorCodeToResult(PR_GetError());
+  }
+  return Success;
+}
+
+Result
+MapPRErrorCodeToResult(PRErrorCode error)
+{
+  switch (error)
+  {
+#define MOZILLA_PKIX_MAP(mozilla_pkix_result, value, nss_result) \
+    case nss_result: return Result::mozilla_pkix_result;
+
+    MOZILLA_PKIX_MAP_LIST
+
+#undef MOZILLA_PKIX_MAP
+
+    default:
+      return Result::ERROR_UNKNOWN_ERROR;
+  }
+}
+
+PRErrorCode
+MapResultToPRErrorCode(Result result)
+{
+  switch (result)
+  {
+#define MOZILLA_PKIX_MAP(mozilla_pkix_result, value, nss_result) \
+    case Result::mozilla_pkix_result: return nss_result;
+
+    MOZILLA_PKIX_MAP_LIST
+
+#undef MOZILLA_PKIX_MAP
+
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+}
+
+void
+RegisterErrorTable()
+{
+  // Note that these error strings are not localizable.
+  // When these strings change, update the localization information too.
+  static const PRErrorMessage ErrorTableText[] = {
+    { "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE",
+      "The server uses key pinning (HPKP) but no trusted certificate chain "
+      "could be constructed that matches the pinset. Key pinning violations "
+      "cannot be overridden." },
+    { "MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY",
+      "The server uses a certificate with a basic constraints extension "
+      "identifying it as a certificate authority. For a properly-issued "
+      "certificate, this should not be the case." },
+    { "MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE",
+      "The server presented a certificate with a key size that is too small "
+      "to establish a secure connection." },
+    { "MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA",
+      "An X.509 version 1 certificate that is not a trust anchor was used to "
+      "issue the server's certificate. X.509 version 1 certificates are "
+      "deprecated and should not be used to sign other certificates." },
+    { "MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH",
+      "The certificate is not valid for the given email address." },
+    { "MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE",
+      "The server presented a certificate that is not yet valid." },
+    { "MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE",
+      "A certificate that is not yet valid was used to issue the server's "
+      "certificate." },
+    { "MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH",
+      "The signature algorithm in the signature field of the certificate does "
+      "not match the algorithm in its signatureAlgorithm field." },
+    { "MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING",
+      "The OCSP response does not include a status for the certificate being "
+      "verified." },
+    { "MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG",
+      "The server presented a certificate that is valid for too long." },
+    { "MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING",
+      "A required TLS feature is missing." },
+    { "MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING",
+      "The server presented a certificate that contains an invalid encoding of "
+      "an integer. Common causes include negative serial numbers, negative RSA "
+      "moduli, and encodings that are longer than necessary." },
+    { "MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME",
+      "The server presented a certificate with an empty issuer distinguished "
+      "name." },
+    { "MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED",
+      "An additional policy constraint failed when validating this "
+      "certificate." },
+    { "MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT",
+      "The certificate is not trusted because it is self-signed." },
+    { "MOZILLA_PKIX_ERROR_MITM_DETECTED",
+      "Your connection is being intercepted by a TLS proxy. Uninstall it if "
+      "possible or configure your device to trust its root certificate." },
+  };
+  // Note that these error strings are not localizable.
+  // When these strings change, update the localization information too.
+
+  static const PRErrorTable ErrorTable = {
+    ErrorTableText,
+    "pkixerrors",
+    ERROR_BASE,
+    PR_ARRAY_SIZE(ErrorTableText)
+  };
+
+  (void) PR_ErrorInstallTable(&ErrorTable);
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/lib/pkixocsp.cpp b/security/nss/lib/mozpkix/lib/pkixocsp.cpp
new file mode 100644
index 000000000..a81154417
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixocsp.cpp
@@ -0,0 +1,1012 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <limits>
+
+#include "mozpkix/pkix.h"
+#include "mozpkix/pkixcheck.h"
+#include "mozpkix/pkixutil.h"
+
+namespace {
+
+const size_t SHA1_DIGEST_LENGTH = 160 / 8;
+
+} // namespace
+
+namespace mozilla { namespace pkix {
+
+// These values correspond to the tag values in the ASN.1 CertStatus
+enum class CertStatus : uint8_t {
+  Good = der::CONTEXT_SPECIFIC | 0,
+  Revoked = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
+  Unknown = der::CONTEXT_SPECIFIC | 2
+};
+
+class Context final
+{
+public:
+  Context(TrustDomain& aTrustDomain, const CertID& aCertID, Time aTime,
+          uint16_t aMaxLifetimeInDays, /*optional out*/ Time* aThisUpdate,
+          /*optional out*/ Time* aValidThrough)
+    : trustDomain(aTrustDomain)
+    , certID(aCertID)
+    , time(aTime)
+    , maxLifetimeInDays(aMaxLifetimeInDays)
+    , certStatus(CertStatus::Unknown)
+    , thisUpdate(aThisUpdate)
+    , validThrough(aValidThrough)
+    , expired(false)
+    , matchFound(false)
+  {
+    if (thisUpdate) {
+      *thisUpdate = TimeFromElapsedSecondsAD(0);
+    }
+    if (validThrough) {
+      *validThrough = TimeFromElapsedSecondsAD(0);
+    }
+  }
+
+  TrustDomain& trustDomain;
+  const CertID& certID;
+  const Time time;
+  const uint16_t maxLifetimeInDays;
+  CertStatus certStatus;
+  Time* thisUpdate;
+  Time* validThrough;
+  bool expired;
+
+  Input signedCertificateTimestamps;
+
+  // Keep track of whether the OCSP response contains the status of the
+  // certificate we're interested in. Responders might reply without
+  // including the status of any of the requested certs, we should
+  // indicate a server failure in those cases.
+  bool matchFound;
+
+  Context(const Context&) = delete;
+  void operator=(const Context&) = delete;
+};
+
+// Verify that potentialSigner is a valid delegated OCSP response signing cert
+// according to RFC 6960 section 4.2.2.2.
+static Result
+CheckOCSPResponseSignerCert(TrustDomain& trustDomain,
+                            BackCert& potentialSigner,
+                            Input issuerSubject,
+                            Input issuerSubjectPublicKeyInfo,
+                            Time time)
+{
+  Result rv;
+
+  // We don't need to do a complete verification of the signer (i.e. we don't
+  // have to call BuildCertChain to verify the entire chain) because we
+  // already know that the issuer is valid, since revocation checking is done
+  // from the root to the parent after we've built a complete chain that we
+  // know is otherwise valid. Rather, we just need to do a one-step validation
+  // from potentialSigner to the issuer.
+  //
+  // It seems reasonable to require the KU_DIGITAL_SIGNATURE key usage on the
+  // OCSP responder certificate if the OCSP responder certificate has a
+  // key usage extension. However, according to bug 240456, some OCSP responder
+  // certificates may have only the nonRepudiation bit set. Also, the OCSP
+  // specification (RFC 6960) does not mandate any particular key usage to be
+  // asserted for OCSP responde signers. Oddly, the CABForum Baseline
+  // Requirements v.1.1.5 do say "If the Root CA Private Key is used for
+  // signing OCSP responses, then the digitalSignature bit MUST be set."
+  //
+  // Note that CheckIssuerIndependentProperties processes
+  // SEC_OID_OCSP_RESPONDER in the way that the OCSP specification requires us
+  // to--in particular, it doesn't allow SEC_OID_OCSP_RESPONDER to be implied
+  // by a missing EKU extension, unlike other EKUs.
+  //
+  // TODO(bug 926261): If we're validating for a policy then the policy OID we
+  // are validating for should be passed to CheckIssuerIndependentProperties.
+  TrustLevel unusedTrustLevel;
+  rv = CheckIssuerIndependentProperties(trustDomain, potentialSigner, time,
+                                        KeyUsage::noParticularKeyUsageRequired,
+                                        KeyPurposeId::id_kp_OCSPSigning,
+                                        CertPolicyId::anyPolicy, 0,
+                                        unusedTrustLevel);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // It is possible that there exists a certificate with the same key as the
+  // issuer but with a different name, so we need to compare names
+  // XXX(bug 926270) XXX(bug 1008133) XXX(bug 980163): Improve name
+  // comparison.
+  // TODO: needs test
+  if (!InputsAreEqual(potentialSigner.GetIssuer(), issuerSubject)) {
+    return Result::ERROR_OCSP_RESPONDER_CERT_INVALID;
+  }
+
+  // TODO(bug 926260): check name constraints
+
+  rv = VerifySignedData(trustDomain, potentialSigner.GetSignedData(),
+                        issuerSubjectPublicKeyInfo);
+
+  // TODO: check for revocation of the OCSP responder certificate unless no-check
+  // or the caller forcing no-check. To properly support the no-check policy, we'd
+  // need to enforce policy constraints from the issuerChain.
+
+  return rv;
+}
+
+enum class ResponderIDType : uint8_t
+{
+  byName = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
+  byKey = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 2
+};
+
+static inline Result OCSPResponse(Reader&, Context&);
+static inline Result ResponseBytes(Reader&, Context&);
+static inline Result BasicResponse(Reader&, Context&);
+static inline Result ResponseData(
+                       Reader& tbsResponseData,
+                       Context& context,
+                       const der::SignedDataWithSignature& signedResponseData,
+                       const DERArray& certs);
+static inline Result SingleResponse(Reader& input, Context& context);
+static Result ExtensionNotUnderstood(Reader& extnID, Input extnValue,
+                                     bool critical, /*out*/ bool& understood);
+static Result RememberSingleExtension(Context& context, Reader& extnID,
+                                      Input extnValue, bool critical,
+                                      /*out*/ bool& understood);
+// It is convention to name the function after the part of the data structure
+// we're parsing from the RFC (e.g. OCSPResponse, ResponseBytes).
+// But since we also have a C++ type called CertID, this function doesn't
+// follow the convention to prevent shadowing.
+static inline Result MatchCertID(Reader& input,
+                                 const Context& context,
+                                 /*out*/ bool& match);
+static Result MatchKeyHash(TrustDomain& trustDomain,
+                           Input issuerKeyHash,
+                           Input issuerSubjectPublicKeyInfo,
+                           /*out*/ bool& match);
+static Result KeyHash(TrustDomain& trustDomain,
+                      Input subjectPublicKeyInfo,
+                      /*out*/ uint8_t* hashBuf, size_t hashBufSize);
+
+static Result
+MatchResponderID(TrustDomain& trustDomain,
+                 ResponderIDType responderIDType,
+                 Input responderID,
+                 Input potentialSignerSubject,
+                 Input potentialSignerSubjectPublicKeyInfo,
+                 /*out*/ bool& match)
+{
+  match = false;
+
+  switch (responderIDType) {
+    case ResponderIDType::byName:
+      // XXX(bug 926270) XXX(bug 1008133) XXX(bug 980163): Improve name
+      // comparison.
+      match = InputsAreEqual(responderID, potentialSignerSubject);
+      return Success;
+
+    case ResponderIDType::byKey:
+    {
+      Reader input(responderID);
+      Input keyHash;
+      Result rv = der::ExpectTagAndGetValue(input, der::OCTET_STRING, keyHash);
+      if (rv != Success) {
+        return rv;
+      }
+      return MatchKeyHash(trustDomain, keyHash,
+                          potentialSignerSubjectPublicKeyInfo, match);
+    }
+
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+}
+
+static Result
+VerifyOCSPSignedData(TrustDomain& trustDomain,
+                     const der::SignedDataWithSignature& signedResponseData,
+                     Input spki)
+{
+  Result rv = VerifySignedData(trustDomain, signedResponseData, spki);
+  if (rv == Result::ERROR_BAD_SIGNATURE) {
+    rv = Result::ERROR_OCSP_BAD_SIGNATURE;
+  }
+  return rv;
+}
+
+// RFC 6960 section 4.2.2.2: The OCSP responder must either be the issuer of
+// the cert or it must be a delegated OCSP response signing cert directly
+// issued by the issuer. If the OCSP responder is a delegated OCSP response
+// signer, then its certificate is (probably) embedded within the OCSP
+// response and we'll need to verify that it is a valid certificate that chains
+// *directly* to issuerCert.
+static Result
+VerifySignature(Context& context, ResponderIDType responderIDType,
+                Input responderID, const DERArray& certs,
+                const der::SignedDataWithSignature& signedResponseData)
+{
+  bool match;
+  Result rv = MatchResponderID(context.trustDomain, responderIDType,
+                               responderID, context.certID.issuer,
+                               context.certID.issuerSubjectPublicKeyInfo,
+                               match);
+  if (rv != Success) {
+    return rv;
+  }
+  if (match) {
+    return VerifyOCSPSignedData(context.trustDomain, signedResponseData,
+                                context.certID.issuerSubjectPublicKeyInfo);
+  }
+
+  size_t numCerts = certs.GetLength();
+  for (size_t i = 0; i < numCerts; ++i) {
+    BackCert cert(*certs.GetDER(i), EndEntityOrCA::MustBeEndEntity, nullptr);
+    rv = cert.Init();
+    if (rv != Success) {
+      return rv;
+    }
+    rv = MatchResponderID(context.trustDomain, responderIDType, responderID,
+                          cert.GetSubject(), cert.GetSubjectPublicKeyInfo(),
+                          match);
+    if (rv != Success) {
+      if (IsFatalError(rv)) {
+        return rv;
+      }
+      continue;
+    }
+
+    if (match) {
+      rv = CheckOCSPResponseSignerCert(context.trustDomain, cert,
+                                       context.certID.issuer,
+                                       context.certID.issuerSubjectPublicKeyInfo,
+                                       context.time);
+      if (rv != Success) {
+        if (IsFatalError(rv)) {
+          return rv;
+        }
+        continue;
+      }
+
+      return VerifyOCSPSignedData(context.trustDomain, signedResponseData,
+                                  cert.GetSubjectPublicKeyInfo());
+    }
+  }
+
+  return Result::ERROR_OCSP_INVALID_SIGNING_CERT;
+}
+
+static inline Result
+MapBadDERToMalformedOCSPResponse(Result rv)
+{
+  if (rv == Result::ERROR_BAD_DER) {
+    return Result::ERROR_OCSP_MALFORMED_RESPONSE;
+  }
+  return rv;
+}
+
+Result
+VerifyEncodedOCSPResponse(TrustDomain& trustDomain, const struct CertID& certID,
+                          Time time, uint16_t maxOCSPLifetimeInDays,
+                          Input encodedResponse,
+                          /*out*/ bool& expired,
+                          /*optional out*/ Time* thisUpdate,
+                          /*optional out*/ Time* validThrough)
+{
+  // Always initialize this to something reasonable.
+  expired = false;
+
+  Context context(trustDomain, certID, time, maxOCSPLifetimeInDays,
+                  thisUpdate, validThrough);
+
+  Reader input(encodedResponse);
+  Result rv = der::Nested(input, der::SEQUENCE, [&context](Reader& r) {
+    return OCSPResponse(r, context);
+  });
+  if (rv != Success) {
+    return MapBadDERToMalformedOCSPResponse(rv);
+  }
+  rv = der::End(input);
+  if (rv != Success) {
+    return MapBadDERToMalformedOCSPResponse(rv);
+  }
+  if (!context.matchFound) {
+    return Result::ERROR_OCSP_RESPONSE_FOR_CERT_MISSING;
+  }
+
+  expired = context.expired;
+
+  switch (context.certStatus) {
+    case CertStatus::Good:
+      if (expired) {
+        return Result::ERROR_OCSP_OLD_RESPONSE;
+      }
+      if (context.signedCertificateTimestamps.GetLength()) {
+        Input sctList;
+        rv = ExtractSignedCertificateTimestampListFromExtension(
+          context.signedCertificateTimestamps, sctList);
+        if (rv != Success) {
+          return MapBadDERToMalformedOCSPResponse(rv);
+        }
+        context.trustDomain.NoteAuxiliaryExtension(
+          AuxiliaryExtension::SCTListFromOCSPResponse, sctList);
+      }
+      return Success;
+    case CertStatus::Revoked:
+      return Result::ERROR_REVOKED_CERTIFICATE;
+    case CertStatus::Unknown:
+      return Result::ERROR_OCSP_UNKNOWN_CERT;
+     MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+}
+
+// OCSPResponse ::= SEQUENCE {
+//       responseStatus         OCSPResponseStatus,
+//       responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
+//
+static inline Result
+OCSPResponse(Reader& input, Context& context)
+{
+  // OCSPResponseStatus ::= ENUMERATED {
+  //     successful            (0),  -- Response has valid confirmations
+  //     malformedRequest      (1),  -- Illegal confirmation request
+  //     internalError         (2),  -- Internal error in issuer
+  //     tryLater              (3),  -- Try again later
+  //                                 -- (4) is not used
+  //     sigRequired           (5),  -- Must sign the request
+  //     unauthorized          (6)   -- Request unauthorized
+  // }
+  uint8_t responseStatus;
+
+  Result rv = der::Enumerated(input, responseStatus);
+  if (rv != Success) {
+    return rv;
+  }
+  switch (responseStatus) {
+    case 0: break; // successful
+    case 1: return Result::ERROR_OCSP_MALFORMED_REQUEST;
+    case 2: return Result::ERROR_OCSP_SERVER_ERROR;
+    case 3: return Result::ERROR_OCSP_TRY_SERVER_LATER;
+    case 5: return Result::ERROR_OCSP_REQUEST_NEEDS_SIG;
+    case 6: return Result::ERROR_OCSP_UNAUTHORIZED_REQUEST;
+    default: return Result::ERROR_OCSP_UNKNOWN_RESPONSE_STATUS;
+  }
+
+  return der::Nested(input, der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
+                     der::SEQUENCE, [&context](Reader& r) {
+    return ResponseBytes(r, context);
+  });
+}
+
+// ResponseBytes ::=       SEQUENCE {
+//     responseType   OBJECT IDENTIFIER,
+//     response       OCTET STRING }
+static inline Result
+ResponseBytes(Reader& input, Context& context)
+{
+  static const uint8_t id_pkix_ocsp_basic[] = {
+    0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
+  };
+
+  Result rv = der::OID(input, id_pkix_ocsp_basic);
+  if (rv != Success) {
+    return rv;
+  }
+
+  return der::Nested(input, der::OCTET_STRING, der::SEQUENCE,
+                     [&context](Reader& r) {
+    return BasicResponse(r, context);
+  });
+}
+
+// BasicOCSPResponse       ::= SEQUENCE {
+//    tbsResponseData      ResponseData,
+//    signatureAlgorithm   AlgorithmIdentifier,
+//    signature            BIT STRING,
+//    certs            [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+Result
+BasicResponse(Reader& input, Context& context)
+{
+  Reader tbsResponseData;
+  der::SignedDataWithSignature signedData;
+  Result rv = der::SignedData(input, tbsResponseData, signedData);
+  if (rv != Success) {
+    if (rv == Result::ERROR_BAD_SIGNATURE) {
+      return Result::ERROR_OCSP_BAD_SIGNATURE;
+    }
+    return rv;
+  }
+
+  // Parse certificates, if any
+  NonOwningDERArray certs;
+  if (!input.AtEnd()) {
+    rv = der::Nested(input, der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
+                     der::SEQUENCE, [&certs](Reader& certsDER) -> Result {
+      while (!certsDER.AtEnd()) {
+        Input cert;
+        Result nestedRv =
+          der::ExpectTagAndGetTLV(certsDER, der::SEQUENCE, cert);
+        if (nestedRv != Success) {
+          return nestedRv;
+        }
+        nestedRv = certs.Append(cert);
+        if (nestedRv != Success) {
+          return Result::ERROR_BAD_DER; // Too many certs
+        }
+      }
+      return Success;
+    });
+    if (rv != Success) {
+      return rv;
+    }
+  }
+
+  return ResponseData(tbsResponseData, context, signedData, certs);
+}
+
+// ResponseData ::= SEQUENCE {
+//    version             [0] EXPLICIT Version DEFAULT v1,
+//    responderID             ResponderID,
+//    producedAt              GeneralizedTime,
+//    responses               SEQUENCE OF SingleResponse,
+//    responseExtensions  [1] EXPLICIT Extensions OPTIONAL }
+static inline Result
+ResponseData(Reader& input, Context& context,
+             const der::SignedDataWithSignature& signedResponseData,
+             const DERArray& certs)
+{
+  der::Version version;
+  Result rv = der::OptionalVersion(input, version);
+  if (rv != Success) {
+    return rv;
+  }
+  if (version != der::Version::v1) {
+    // TODO: more specific error code for bad version?
+    return Result::ERROR_BAD_DER;
+  }
+
+  // ResponderID ::= CHOICE {
+  //    byName              [1] Name,
+  //    byKey               [2] KeyHash }
+  Input responderID;
+  ResponderIDType responderIDType
+    = input.Peek(static_cast<uint8_t>(ResponderIDType::byName))
+    ? ResponderIDType::byName
+    : ResponderIDType::byKey;
+  rv = der::ExpectTagAndGetValue(input, static_cast<uint8_t>(responderIDType),
+                                 responderID);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // This is the soonest we can verify the signature. We verify the signature
+  // right away to follow the principal of minimizing the processing of data
+  // before verifying its signature.
+  rv = VerifySignature(context, responderIDType, responderID, certs,
+                       signedResponseData);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // TODO: Do we even need to parse this? Should we just skip it?
+  Time producedAt(Time::uninitialized);
+  rv = der::GeneralizedTime(input, producedAt);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // We don't accept an empty sequence of responses. In practice, a legit OCSP
+  // responder will never return an empty response, and handling the case of an
+  // empty response makes things unnecessarily complicated.
+  rv = der::NestedOf(input, der::SEQUENCE, der::SEQUENCE,
+                     der::EmptyAllowed::No, [&context](Reader& r) {
+    return SingleResponse(r, context);
+  });
+  if (rv != Success) {
+    return rv;
+  }
+
+  return der::OptionalExtensions(input,
+                                 der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
+                                 ExtensionNotUnderstood);
+}
+
+// SingleResponse ::= SEQUENCE {
+//    certID                       CertID,
+//    certStatus                   CertStatus,
+//    thisUpdate                   GeneralizedTime,
+//    nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
+//    singleExtensions     [1]     EXPLICIT Extensions{{re-ocsp-crl |
+//                                              re-ocsp-archive-cutoff |
+//                                              CrlEntryExtensions, ...}
+//                                              } OPTIONAL }
+static inline Result
+SingleResponse(Reader& input, Context& context)
+{
+  bool match = false;
+  Result rv = der::Nested(input, der::SEQUENCE, [&context, &match](Reader& r) {
+    return MatchCertID(r, context, match);
+  });
+  if (rv != Success) {
+    return rv;
+  }
+
+  if (!match) {
+    // This response does not reference the certificate we're interested in.
+    // By consuming the rest of our input and returning successfully, we can
+    // continue processing and examine another response that might have what
+    // we want.
+    input.SkipToEnd();
+    return Success;
+  }
+
+  // We found a response for the cert we're interested in.
+  context.matchFound = true;
+
+  // CertStatus ::= CHOICE {
+  //     good        [0]     IMPLICIT NULL,
+  //     revoked     [1]     IMPLICIT RevokedInfo,
+  //     unknown     [2]     IMPLICIT UnknownInfo }
+  //
+  // In the event of multiple SingleResponses for a cert that have conflicting
+  // statuses, we use the following precedence rules:
+  //
+  // * revoked overrides good and unknown
+  // * good overrides unknown
+  if (input.Peek(static_cast<uint8_t>(CertStatus::Good))) {
+    rv = der::ExpectTagAndEmptyValue(input,
+                                     static_cast<uint8_t>(CertStatus::Good));
+    if (rv != Success) {
+      return rv;
+    }
+    if (context.certStatus != CertStatus::Revoked) {
+      context.certStatus = CertStatus::Good;
+    }
+  } else if (input.Peek(static_cast<uint8_t>(CertStatus::Revoked))) {
+    // We don't need any info from the RevokedInfo structure, so we don't even
+    // parse it. TODO: We should mention issues like this in the explanation of
+    // why we treat invalid OCSP responses equivalently to revoked for OCSP
+    // stapling.
+    rv = der::ExpectTagAndSkipValue(input,
+                                    static_cast<uint8_t>(CertStatus::Revoked));
+    if (rv != Success) {
+      return rv;
+    }
+    context.certStatus = CertStatus::Revoked;
+  } else {
+    rv = der::ExpectTagAndEmptyValue(input,
+                                     static_cast<uint8_t>(CertStatus::Unknown));
+    if (rv != Success) {
+      return rv;
+    }
+  }
+
+  // http://tools.ietf.org/html/rfc6960#section-3.2
+  // 5. The time at which the status being indicated is known to be
+  //    correct (thisUpdate) is sufficiently recent;
+  // 6. When available, the time at or before which newer information will
+  //    be available about the status of the certificate (nextUpdate) is
+  //    greater than the current time.
+
+  Time thisUpdate(Time::uninitialized);
+  rv = der::GeneralizedTime(input, thisUpdate);
+  if (rv != Success) {
+    return rv;
+  }
+
+  static const uint64_t SLOP_SECONDS = Time::ONE_DAY_IN_SECONDS;
+
+  Time timePlusSlop(context.time);
+  rv = timePlusSlop.AddSeconds(SLOP_SECONDS);
+  if (rv != Success) {
+    return rv;
+  }
+  if (thisUpdate > timePlusSlop) {
+    return Result::ERROR_OCSP_FUTURE_RESPONSE;
+  }
+
+  Time notAfter(Time::uninitialized);
+  static const uint8_t NEXT_UPDATE_TAG =
+    der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0;
+  if (input.Peek(NEXT_UPDATE_TAG)) {
+    Time nextUpdate(Time::uninitialized);
+    rv = der::Nested(input, NEXT_UPDATE_TAG, [&nextUpdate](Reader& r) {
+      return der::GeneralizedTime(r, nextUpdate);
+    });
+    if (rv != Success) {
+      return rv;
+    }
+
+    if (nextUpdate < thisUpdate) {
+      return Result::ERROR_OCSP_MALFORMED_RESPONSE;
+    }
+    notAfter = thisUpdate;
+    if (notAfter.AddSeconds(context.maxLifetimeInDays *
+                            Time::ONE_DAY_IN_SECONDS) != Success) {
+      // This could only happen if we're dealing with times beyond the year
+      // 10,000AD.
+      return Result::ERROR_OCSP_FUTURE_RESPONSE;
+    }
+    if (nextUpdate <= notAfter) {
+      notAfter = nextUpdate;
+    }
+  } else {
+    // NSS requires all OCSP responses without a nextUpdate to be recent.
+    // Match that stricter behavior.
+    notAfter = thisUpdate;
+    if (notAfter.AddSeconds(Time::ONE_DAY_IN_SECONDS) != Success) {
+      // This could only happen if we're dealing with times beyond the year
+      // 10,000AD.
+      return Result::ERROR_OCSP_FUTURE_RESPONSE;
+    }
+  }
+
+  // Add some slop to hopefully handle clock-skew.
+  Time notAfterPlusSlop(notAfter);
+  rv = notAfterPlusSlop.AddSeconds(SLOP_SECONDS);
+  if (rv != Success) {
+    // This could only happen if we're dealing with times beyond the year
+    // 10,000AD.
+    return Result::ERROR_OCSP_FUTURE_RESPONSE;
+  }
+  if (context.time > notAfterPlusSlop) {
+    context.expired = true;
+  }
+
+  rv = der::OptionalExtensions(
+    input,
+    der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
+    [&context](Reader& extnID, const Input& extnValue, bool critical,
+               /*out*/ bool& understood) {
+      return RememberSingleExtension(context, extnID, extnValue, critical,
+                                     understood);
+    });
+
+  if (rv != Success) {
+    return rv;
+  }
+
+  if (context.thisUpdate) {
+    *context.thisUpdate = thisUpdate;
+  }
+  if (context.validThrough) {
+    *context.validThrough = notAfterPlusSlop;
+  }
+
+  return Success;
+}
+
+// CertID          ::=     SEQUENCE {
+//        hashAlgorithm       AlgorithmIdentifier,
+//        issuerNameHash      OCTET STRING, -- Hash of issuer's DN
+//        issuerKeyHash       OCTET STRING, -- Hash of issuer's public key
+//        serialNumber        CertificateSerialNumber }
+static inline Result
+MatchCertID(Reader& input, const Context& context, /*out*/ bool& match)
+{
+  match = false;
+
+  DigestAlgorithm hashAlgorithm;
+  Result rv = der::DigestAlgorithmIdentifier(input, hashAlgorithm);
+  if (rv != Success) {
+    if (rv == Result::ERROR_INVALID_ALGORITHM) {
+      // Skip entries that are hashed with algorithms we don't support.
+      input.SkipToEnd();
+      return Success;
+    }
+    return rv;
+  }
+
+  Input issuerNameHash;
+  rv = der::ExpectTagAndGetValue(input, der::OCTET_STRING, issuerNameHash);
+  if (rv != Success) {
+    return rv;
+  }
+
+  Input issuerKeyHash;
+  rv = der::ExpectTagAndGetValue(input, der::OCTET_STRING, issuerKeyHash);
+  if (rv != Success) {
+    return rv;
+  }
+
+  Input serialNumber;
+  rv = der::CertificateSerialNumber(input, serialNumber);
+  if (rv != Success) {
+    return rv;
+  }
+
+  if (!InputsAreEqual(serialNumber, context.certID.serialNumber)) {
+    // This does not reference the certificate we're interested in.
+    // Consume the rest of the input and return successfully to
+    // potentially continue processing other responses.
+    input.SkipToEnd();
+    return Success;
+  }
+
+  // TODO: support SHA-2 hashes.
+
+  if (hashAlgorithm != DigestAlgorithm::sha1) {
+    // Again, not interested in this response. Consume input, return success.
+    input.SkipToEnd();
+    return Success;
+  }
+
+  if (issuerNameHash.GetLength() != SHA1_DIGEST_LENGTH) {
+    return Result::ERROR_OCSP_MALFORMED_RESPONSE;
+  }
+
+  // From http://tools.ietf.org/html/rfc6960#section-4.1.1:
+  // "The hash shall be calculated over the DER encoding of the
+  // issuer's name field in the certificate being checked."
+  uint8_t hashBuf[SHA1_DIGEST_LENGTH];
+  rv = context.trustDomain.DigestBuf(context.certID.issuer,
+                                     DigestAlgorithm::sha1, hashBuf,
+                                     sizeof(hashBuf));
+  if (rv != Success) {
+    return rv;
+  }
+  Input computed(hashBuf);
+  if (!InputsAreEqual(computed, issuerNameHash)) {
+    // Again, not interested in this response. Consume input, return success.
+    input.SkipToEnd();
+    return Success;
+  }
+
+  return MatchKeyHash(context.trustDomain, issuerKeyHash,
+                      context.certID.issuerSubjectPublicKeyInfo, match);
+}
+
+// From http://tools.ietf.org/html/rfc6960#section-4.1.1:
+// "The hash shall be calculated over the value (excluding tag and length) of
+// the subject public key field in the issuer's certificate."
+//
+// From http://tools.ietf.org/html/rfc6960#appendix-B.1:
+// KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
+//                          -- (i.e., the SHA-1 hash of the value of the
+//                          -- BIT STRING subjectPublicKey [excluding
+//                          -- the tag, length, and number of unused
+//                          -- bits] in the responder's certificate)
+static Result
+MatchKeyHash(TrustDomain& trustDomain, Input keyHash,
+             const Input subjectPublicKeyInfo, /*out*/ bool& match)
+{
+  if (keyHash.GetLength() != SHA1_DIGEST_LENGTH)  {
+    return Result::ERROR_OCSP_MALFORMED_RESPONSE;
+  }
+  uint8_t hashBuf[SHA1_DIGEST_LENGTH];
+  Result rv = KeyHash(trustDomain, subjectPublicKeyInfo, hashBuf,
+                      sizeof hashBuf);
+  if (rv != Success) {
+    return rv;
+  }
+  Input computed(hashBuf);
+  match = InputsAreEqual(computed, keyHash);
+  return Success;
+}
+
+// TODO(bug 966856): support SHA-2 hashes
+Result
+KeyHash(TrustDomain& trustDomain, const Input subjectPublicKeyInfo,
+        /*out*/ uint8_t* hashBuf, size_t hashBufSize)
+{
+  if (!hashBuf || hashBufSize != SHA1_DIGEST_LENGTH) {
+    return Result::FATAL_ERROR_LIBRARY_FAILURE;
+  }
+
+  // RFC 5280 Section 4.1
+  //
+  // SubjectPublicKeyInfo  ::=  SEQUENCE  {
+  //    algorithm            AlgorithmIdentifier,
+  //    subjectPublicKey     BIT STRING  }
+
+  Reader spki;
+  Result rv = der::ExpectTagAndGetValueAtEnd(subjectPublicKeyInfo,
+                                             der::SEQUENCE, spki);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // Skip AlgorithmIdentifier
+  rv = der::ExpectTagAndSkipValue(spki, der::SEQUENCE);
+  if (rv != Success) {
+    return rv;
+  }
+
+  Input subjectPublicKey;
+  rv = der::BitStringWithNoUnusedBits(spki, subjectPublicKey);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::End(spki);
+  if (rv != Success) {
+    return rv;
+  }
+
+  return trustDomain.DigestBuf(subjectPublicKey, DigestAlgorithm::sha1,
+                               hashBuf, hashBufSize);
+}
+
+Result
+ExtensionNotUnderstood(Reader& /*extnID*/, Input /*extnValue*/,
+                       bool /*critical*/, /*out*/ bool& understood)
+{
+  understood = false;
+  return Success;
+}
+
+Result
+RememberSingleExtension(Context& context, Reader& extnID, Input extnValue,
+                        bool /*critical*/, /*out*/ bool& understood)
+{
+  understood = false;
+
+  // SingleExtension for Signed Certificate Timestamp List.
+  // See Section 3.3 of RFC 6962.
+  // python DottedOIDToCode.py
+  //   id_ocsp_singleExtensionSctList 1.3.6.1.4.1.11129.2.4.5
+  static const uint8_t id_ocsp_singleExtensionSctList[] = {
+    0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x05
+  };
+
+  if (extnID.MatchRest(id_ocsp_singleExtensionSctList)) {
+    // Empty values are not allowed for this extension. Note that
+    // we assume this later, when checking if the extension was present.
+    if (extnValue.GetLength() == 0) {
+      return Result::ERROR_EXTENSION_VALUE_INVALID;
+    }
+    if (context.signedCertificateTimestamps.Init(extnValue) != Success) {
+      // Duplicate extension.
+      return Result::ERROR_EXTENSION_VALUE_INVALID;
+    }
+    understood = true;
+  }
+
+  return Success;
+}
+
+//   1. The certificate identified in a received response corresponds to
+//      the certificate that was identified in the corresponding request;
+//   2. The signature on the response is valid;
+//   3. The identity of the signer matches the intended recipient of the
+//      request;
+//   4. The signer is currently authorized to provide a response for the
+//      certificate in question;
+//   5. The time at which the status being indicated is known to be
+//      correct (thisUpdate) is sufficiently recent;
+//   6. When available, the time at or before which newer information will
+//      be available about the status of the certificate (nextUpdate) is
+//      greater than the current time.
+//
+//   Responses whose nextUpdate value is earlier than
+//   the local system time value SHOULD be considered unreliable.
+//   Responses whose thisUpdate time is later than the local system time
+//   SHOULD be considered unreliable.
+//
+//   If nextUpdate is not set, the responder is indicating that newer
+//   revocation information is available all the time.
+//
+// http://tools.ietf.org/html/rfc5019#section-4
+
+Result
+CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
+                         /*out*/ uint8_t (&out)[OCSP_REQUEST_MAX_LENGTH],
+                         /*out*/ size_t& outLen)
+{
+  // We do not add any extensions to the request.
+
+  // RFC 6960 says "An OCSP client MAY wish to specify the kinds of response
+  // types it understands. To do so, it SHOULD use an extension with the OID
+  // id-pkix-ocsp-response." This use of MAY and SHOULD is unclear. MSIE11
+  // on Windows 8.1 does not include any extensions, whereas NSS has always
+  // included the id-pkix-ocsp-response extension. Avoiding the sending the
+  // extension is better for OCSP GET because it makes the request smaller,
+  // and thus more likely to fit within the 255 byte limit for OCSP GET that
+  // is specified in RFC 5019 Section 5.
+
+  // Bug 966856: Add the id-pkix-ocsp-pref-sig-algs extension.
+
+  // Since we don't know whether the OCSP responder supports anything other
+  // than SHA-1, we have no choice but to use SHA-1 for issuerNameHash and
+  // issuerKeyHash.
+  static const uint8_t hashAlgorithm[11] = {
+    0x30, 0x09,                               // SEQUENCE
+    0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, //   OBJECT IDENTIFIER id-sha1
+    0x05, 0x00,                               //   NULL
+  };
+  static const uint8_t hashLen = 160 / 8;
+
+  static const unsigned int totalLenWithoutSerialNumberData
+    = 2                             // OCSPRequest
+    + 2                             //   tbsRequest
+    + 2                             //     requestList
+    + 2                             //       Request
+    + 2                             //         reqCert (CertID)
+    + sizeof(hashAlgorithm)         //           hashAlgorithm
+    + 2 + hashLen                   //           issuerNameHash
+    + 2 + hashLen                   //           issuerKeyHash
+    + 2;                            //           serialNumber (header)
+
+  // The only way we could have a request this large is if the serialNumber was
+  // ridiculously and unreasonably large. RFC 5280 says "Conforming CAs MUST
+  // NOT use serialNumber values longer than 20 octets." With this restriction,
+  // we allow for some amount of non-conformance with that requirement while
+  // still ensuring we can encode the length values in the ASN.1 TLV structures
+  // in a single byte.
+  static_assert(totalLenWithoutSerialNumberData < OCSP_REQUEST_MAX_LENGTH,
+                "totalLenWithoutSerialNumberData too big");
+  if (certID.serialNumber.GetLength() >
+        OCSP_REQUEST_MAX_LENGTH - totalLenWithoutSerialNumberData) {
+    return Result::ERROR_BAD_DER;
+  }
+
+  outLen = totalLenWithoutSerialNumberData + certID.serialNumber.GetLength();
+
+  uint8_t totalLen = static_cast<uint8_t>(outLen);
+
+  uint8_t* d = out;
+  *d++ = 0x30; *d++ = totalLen - 2u;  // OCSPRequest (SEQUENCE)
+  *d++ = 0x30; *d++ = totalLen - 4u;  //   tbsRequest (SEQUENCE)
+  *d++ = 0x30; *d++ = totalLen - 6u;  //     requestList (SEQUENCE OF)
+  *d++ = 0x30; *d++ = totalLen - 8u;  //       Request (SEQUENCE)
+  *d++ = 0x30; *d++ = totalLen - 10u; //         reqCert (CertID SEQUENCE)
+
+  // reqCert.hashAlgorithm
+  for (const uint8_t hashAlgorithmByte : hashAlgorithm) {
+    *d++ = hashAlgorithmByte;
+  }
+
+  // reqCert.issuerNameHash (OCTET STRING)
+  *d++ = 0x04;
+  *d++ = hashLen;
+  Result rv = trustDomain.DigestBuf(certID.issuer, DigestAlgorithm::sha1, d,
+                                    hashLen);
+  if (rv != Success) {
+    return rv;
+  }
+  d += hashLen;
+
+  // reqCert.issuerKeyHash (OCTET STRING)
+  *d++ = 0x04;
+  *d++ = hashLen;
+  rv = KeyHash(trustDomain, certID.issuerSubjectPublicKeyInfo, d, hashLen);
+  if (rv != Success) {
+    return rv;
+  }
+  d += hashLen;
+
+  // reqCert.serialNumber (INTEGER)
+  *d++ = 0x02; // INTEGER
+  *d++ = static_cast<uint8_t>(certID.serialNumber.GetLength());
+  Reader serialNumber(certID.serialNumber);
+  do {
+    rv = serialNumber.Read(*d);
+    if (rv != Success) {
+      return rv;
+    }
+    ++d;
+  } while (!serialNumber.AtEnd());
+
+  assert(d == out + totalLen);
+
+  return Success;
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/lib/pkixresult.cpp b/security/nss/lib/mozpkix/lib/pkixresult.cpp
new file mode 100644
index 000000000..871d9a0fe
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixresult.cpp
@@ -0,0 +1,46 @@
+/*- *- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/Result.h"
+#include "mozpkix/pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+const char*
+MapResultToName(Result result)
+{
+  switch (result)
+  {
+#define MOZILLA_PKIX_MAP(mozilla_pkix_result, value, nss_result) \
+    case Result::mozilla_pkix_result: return "Result::" #mozilla_pkix_result;
+
+    MOZILLA_PKIX_MAP_LIST
+
+#undef MOZILLA_PKIX_MAP
+
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/lib/pkixtime.cpp b/security/nss/lib/mozpkix/lib/pkixtime.cpp
new file mode 100644
index 000000000..38e063804
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixtime.cpp
@@ -0,0 +1,78 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/Time.h"
+#include "mozpkix/pkixutil.h"
+
+#ifdef _WINDOWS
+#ifdef _MSC_VER
+#pragma warning(push, 3)
+#endif
+#include "windows.h"
+#ifdef _MSC_VER
+#pragma warning(pop)
+#endif
+#else
+#include "sys/time.h"
+#endif
+
+namespace mozilla { namespace pkix {
+
+Time
+Now()
+{
+  uint64_t seconds;
+
+#ifdef _WINDOWS
+  // "Contains a 64-bit value representing the number of 100-nanosecond
+  // intervals since January 1, 1601 (UTC)."
+  //   - http://msdn.microsoft.com/en-us/library/windows/desktop/ms724284(v=vs.85).aspx
+  FILETIME ft;
+  GetSystemTimeAsFileTime(&ft);
+  uint64_t ft64 = (static_cast<uint64_t>(ft.dwHighDateTime) << 32) |
+                  ft.dwLowDateTime;
+  seconds = (DaysBeforeYear(1601) * Time::ONE_DAY_IN_SECONDS) +
+            ft64 / (1000u * 1000u * 1000u / 100u);
+#else
+  // "The gettimeofday() function shall obtain the current time, expressed as
+  // seconds and microseconds since the Epoch."
+  //   - http://pubs.opengroup.org/onlinepubs/009695399/functions/gettimeofday.html
+  timeval tv;
+  (void) gettimeofday(&tv, nullptr);
+  seconds = (DaysBeforeYear(1970) * Time::ONE_DAY_IN_SECONDS) +
+            static_cast<uint64_t>(tv.tv_sec);
+#endif
+
+  return TimeFromElapsedSecondsAD(seconds);
+}
+
+Time
+TimeFromEpochInSeconds(uint64_t secondsSinceEpoch)
+{
+  uint64_t seconds = (DaysBeforeYear(1970) * Time::ONE_DAY_IN_SECONDS) +
+                     secondsSinceEpoch;
+  return TimeFromElapsedSecondsAD(seconds);
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/lib/pkixverify.cpp b/security/nss/lib/mozpkix/lib/pkixverify.cpp
new file mode 100644
index 000000000..8ceb2c184
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixverify.cpp
@@ -0,0 +1,106 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2015 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+Result
+DigestSignedData(TrustDomain& trustDomain,
+                 const der::SignedDataWithSignature& signedData,
+                 /*out*/ uint8_t(&digestBuf)[MAX_DIGEST_SIZE_IN_BYTES],
+                 /*out*/ der::PublicKeyAlgorithm& publicKeyAlg,
+                 /*out*/ SignedDigest& signedDigest)
+{
+  Reader signatureAlg(signedData.algorithm);
+  Result rv = der::SignatureAlgorithmIdentifierValue(
+                signatureAlg, publicKeyAlg, signedDigest.digestAlgorithm);
+  if (rv != Success) {
+    return rv;
+  }
+  if (!signatureAlg.AtEnd()) {
+    return Result::ERROR_BAD_DER;
+  }
+
+  size_t digestLen;
+  switch (signedDigest.digestAlgorithm) {
+    case DigestAlgorithm::sha512: digestLen = 512 / 8; break;
+    case DigestAlgorithm::sha384: digestLen = 384 / 8; break;
+    case DigestAlgorithm::sha256: digestLen = 256 / 8; break;
+    case DigestAlgorithm::sha1: digestLen = 160 / 8; break;
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+  assert(digestLen <= sizeof(digestBuf));
+
+  rv = trustDomain.DigestBuf(signedData.data, signedDigest.digestAlgorithm,
+                             digestBuf, digestLen);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = signedDigest.digest.Init(digestBuf, digestLen);
+  if (rv != Success) {
+    return rv;
+  }
+
+  return signedDigest.signature.Init(signedData.signature);
+}
+
+Result
+VerifySignedDigest(TrustDomain& trustDomain,
+                   der::PublicKeyAlgorithm publicKeyAlg,
+                   const SignedDigest& signedDigest,
+                   Input signerSubjectPublicKeyInfo)
+{
+  switch (publicKeyAlg) {
+    case der::PublicKeyAlgorithm::ECDSA:
+      return trustDomain.VerifyECDSASignedDigest(signedDigest,
+                                                 signerSubjectPublicKeyInfo);
+    case der::PublicKeyAlgorithm::RSA_PKCS1:
+      return trustDomain.VerifyRSAPKCS1SignedDigest(signedDigest,
+                                                    signerSubjectPublicKeyInfo);
+    case der::PublicKeyAlgorithm::Uninitialized:
+      assert(false);
+      return Result::FATAL_ERROR_LIBRARY_FAILURE;
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+}
+
+Result
+VerifySignedData(TrustDomain& trustDomain,
+                 const der::SignedDataWithSignature& signedData,
+                 Input signerSubjectPublicKeyInfo)
+{
+  uint8_t digestBuf[MAX_DIGEST_SIZE_IN_BYTES];
+  der::PublicKeyAlgorithm publicKeyAlg;
+  SignedDigest signedDigest;
+  Result rv = DigestSignedData(trustDomain, signedData, digestBuf,
+                               publicKeyAlg, signedDigest);
+  if (rv != Success) {
+    return rv;
+  }
+  return VerifySignedDigest(trustDomain, publicKeyAlg, signedDigest,
+                            signerSubjectPublicKeyInfo);
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/mozpkix.gyp b/security/nss/lib/mozpkix/mozpkix.gyp
new file mode 100644
index 000000000..1c552ba5f
--- /dev/null
+++ b/security/nss/lib/mozpkix/mozpkix.gyp
@@ -0,0 +1,60 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../coreconf/config.gypi'
+  ],
+  'targets': [
+    {
+      'target_name': 'mozpkix',
+      'type': 'static_library',
+      'standalone_static_library': 1,
+      'sources': [
+        'lib/pkixbuild.cpp',
+        'lib/pkixcert.cpp',
+        'lib/pkixcheck.cpp',
+        'lib/pkixder.cpp',
+        'lib/pkixnames.cpp',
+        'lib/pkixnss.cpp',
+        'lib/pkixocsp.cpp',
+        'lib/pkixresult.cpp',
+        'lib/pkixtime.cpp',
+        'lib/pkixverify.cpp',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_mozpkix_exports',
+      ],
+      'conditions': [
+        [ 'mozpkix_only==0', {
+          'dependencies': [
+            '<(DEPTH)/exports.gyp:nss_exports'
+          ],
+        }],
+      ],
+    },
+    {
+      'target_name': 'mozpkix-testlib',
+      'type': 'static_library',
+      'standalone_static_library': 1,
+      'sources': [
+        'test-lib/pkixtestalg.cpp',
+        'test-lib/pkixtestnss.cpp',
+        'test-lib/pkixtestutil.cpp',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_mozpkix_exports',
+      ],
+      'conditions': [
+        [ 'mozpkix_only==0', {
+          'dependencies': [
+            '<(DEPTH)/exports.gyp:nss_exports'
+          ],
+        }],
+      ],
+    },
+  ],
+  'variables': {
+    'module': 'nss',
+  }
+}
diff --git a/security/nss/lib/mozpkix/test-lib/pkixtestalg.cpp b/security/nss/lib/mozpkix/test-lib/pkixtestalg.cpp
new file mode 100644
index 000000000..304641e2f
--- /dev/null
+++ b/security/nss/lib/mozpkix/test-lib/pkixtestalg.cpp
@@ -0,0 +1,211 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2015 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/test/pkixtestutil.h"
+
+#include "mozpkix/pkixder.h"
+#include "mozpkix/nss_scoped_ptrs.h"
+
+// python DottedOIDToCode.py --prefixdefine PREFIX_1_2_840_10040 1.2.840.10040
+#define PREFIX_1_2_840_10040 0x2a, 0x86, 0x48, 0xce, 0x38
+
+// python DottedOIDToCode.py --prefixdefine PREFIX_1_2_840_10045 1.2.840.10045
+#define PREFIX_1_2_840_10045 0x2a, 0x86, 0x48, 0xce, 0x3d
+
+// python DottedOIDToCode.py --prefixdefine PREFIX_1_2_840_113549 1.2.840.113549
+#define PREFIX_1_2_840_113549 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d
+
+namespace mozilla { namespace pkix { namespace test {
+
+namespace {
+
+enum class NULLParam { NO, YES };
+
+template <size_t SIZE>
+ByteString
+OID(const uint8_t (&rawValue)[SIZE])
+{
+  return TLV(der::OIDTag, ByteString(rawValue, SIZE));
+}
+
+template <size_t SIZE>
+ByteString
+SimpleAlgID(const uint8_t (&rawValue)[SIZE],
+            NULLParam nullParam = NULLParam::NO)
+{
+  ByteString sequenceValue(OID(rawValue));
+  if (nullParam == NULLParam::YES) {
+    sequenceValue.append(TLV(der::NULLTag, ByteString()));
+  }
+  return TLV(der::SEQUENCE, sequenceValue);
+}
+
+template <size_t SIZE>
+ByteString
+DERInteger(const uint8_t (&rawValue)[SIZE])
+{
+  ByteString value(rawValue, SIZE);
+  if (value[0] & 0x80u) {
+    // Prefix with a leading zero to disambiguate this from a negative value.
+    value.insert(value.begin(), 0x00);
+  }
+  return TLV(der::INTEGER, value);
+}
+
+// Generated with "openssl dsaparam -C -noout 2048" and reformatted.
+// openssl 1.0 or later must be used so that a 256-bit Q value is
+// generated.
+static const uint8_t DSS_P_RAW[] =
+{
+  0xB3,0xCD,0x29,0x44,0xF0,0x25,0xA7,0x73,0xFC,0x86,0x70,0xA2,
+  0x69,0x5A,0x97,0x3F,0xBD,0x1C,0x6F,0xAA,0x4A,0x40,0x42,0x8E,
+  0xCF,0xAE,0x62,0x12,0xED,0xB4,0xFD,0x05,0xC2,0xAE,0xB1,0x8C,
+  0xFC,0xBE,0x38,0x90,0xBB,0x7C,0xFF,0x16,0xF4,0xED,0xCE,0x72,
+  0x12,0x93,0x83,0xF0,0xA4,0xA1,0x71,0xDC,0x4B,0xF0,0x4E,0x3A,
+  0x2B,0xFA,0x17,0xB7,0xB3,0x2A,0xCC,0x2C,0xD3,0xC8,0x21,0x49,
+  0x7A,0x83,0x71,0x8B,0x3D,0x62,0x96,0xDC,0xAD,0xA8,0x03,0xBE,
+  0x1D,0x33,0x11,0xF3,0xEB,0xD8,0x1B,0x8D,0xDB,0x62,0x79,0x83,
+  0xF8,0x67,0x4E,0x62,0x21,0x2C,0x81,0x59,0xE8,0x73,0xD7,0xAF,
+  0xB9,0x63,0x60,0xEA,0xAE,0xEC,0x68,0x6A,0xB4,0xB0,0x65,0xBA,
+  0xA3,0x4C,0x09,0x99,0x29,0x6A,0x2E,0x2B,0xFC,0x6D,0x51,0xCA,
+  0x30,0xA2,0x2F,0x7A,0x65,0x76,0xA7,0x55,0x13,0x11,0xA0,0x02,
+  0xA2,0x59,0x4B,0xCE,0xA7,0x05,0xF6,0x07,0x35,0x9B,0x41,0xD7,
+  0x11,0x5A,0x18,0x57,0xA7,0x78,0x88,0xC3,0xA8,0xE3,0x39,0xF5,
+  0x47,0x3D,0x2E,0x18,0x54,0xB0,0xF0,0xBF,0x65,0x3F,0x77,0xC7,
+  0x11,0xB8,0x0D,0x52,0xAD,0xC8,0xE8,0x6D,0xF6,0x7E,0x88,0x65,
+  0x84,0x2B,0xF7,0xEF,0x8E,0xB5,0x7C,0xBD,0x2E,0x0D,0xF3,0xC6,
+  0xDD,0x0B,0xB4,0xF2,0x23,0x1F,0xDA,0x55,0x05,0xF5,0xDC,0x53,
+  0xA6,0x83,0xDA,0x5C,0xEF,0x29,0x02,0x78,0x68,0xD0,0xA4,0x39,
+  0x09,0x7F,0xFA,0x49,0x18,0xD0,0xB5,0x19,0x35,0x31,0x8E,0xDE,
+  0x43,0x35,0xA3,0xB9,0x6D,0xC1,0x70,0xC6,0x0D,0x18,0x24,0xEB,
+  0x1E,0x4D,0x52,0xB7,
+};
+
+static const uint8_t DSS_Q_RAW[] =
+{
+  0x8D,0x6B,0x86,0x89,0x9C,0x8D,0x30,0x91,0xCC,0x6E,0x34,0xF1,
+  0xE8,0x9C,0x8A,0x5C,0xD6,0xAB,0x01,0x1E,0xC4,0xDB,0xFD,0x07,
+  0xEB,0x5F,0x4E,0xE8,0xFA,0xFC,0x98,0x2D,
+};
+
+static const uint8_t DSS_G_RAW[] =
+{
+  0x0E,0x2C,0x34,0xB2,0xE1,0x66,0x49,0xB6,0x9A,0x7D,0x67,0x3E,
+  0xEE,0x98,0x35,0x18,0x28,0x35,0xFC,0x05,0x36,0x3B,0x94,0xE6,
+  0x1E,0x1C,0x5B,0x05,0x3E,0x86,0x1B,0xE3,0xED,0xD2,0xE1,0xF3,
+  0xF7,0xF7,0x60,0x6D,0x7D,0xA1,0xAF,0x9A,0xD1,0xDF,0xA2,0x9C,
+  0xFC,0xA2,0xEB,0x90,0x8B,0x1C,0x82,0x92,0x45,0x7B,0x30,0x2A,
+  0xFD,0x7A,0xE6,0x68,0x8F,0xEC,0x89,0x3A,0x9A,0xAD,0xFE,0x25,
+  0x5E,0x51,0xC5,0x29,0x45,0x7F,0xAC,0xDE,0xFC,0xB4,0x1B,0x3A,
+  0xDA,0xC7,0x21,0x68,0x87,0x27,0x8D,0x7B,0xB2,0xBB,0x41,0x60,
+  0x46,0x42,0x5B,0x6B,0xE8,0x80,0xD2,0xE4,0xA3,0x30,0x8F,0xD5,
+  0x71,0x07,0x8A,0x7B,0x32,0x56,0x84,0x41,0x1C,0xDF,0x69,0xE9,
+  0xFD,0xBA,0x48,0xE0,0x43,0xA0,0x38,0x92,0x12,0xF3,0x52,0xA5,
+  0x40,0x87,0xCB,0x34,0xBB,0x3E,0x25,0x29,0x3C,0xC6,0xA5,0x17,
+  0xFD,0x58,0x47,0x89,0xDB,0x9B,0xB9,0xCF,0xE9,0xA8,0xF2,0xEC,
+  0x55,0x76,0xF5,0xF1,0x9C,0x6E,0x0A,0x3F,0x16,0x5F,0x49,0x31,
+  0x31,0x1C,0x43,0xA2,0x83,0xDA,0xDD,0x7F,0x1C,0xEA,0x05,0x36,
+  0x7B,0xED,0x09,0xFB,0x6F,0x8A,0x2B,0x55,0xB9,0xBC,0x4A,0x8C,
+  0x28,0xC1,0x4D,0x13,0x6E,0x47,0xF4,0xAD,0x79,0x00,0xE9,0x5A,
+  0xB6,0xC7,0x73,0x28,0xA9,0x89,0xAD,0xE8,0x6E,0xC6,0x54,0xA5,
+  0x56,0x2D,0xAA,0x81,0x83,0x9E,0xC1,0x13,0x79,0xA4,0x12,0xE0,
+  0x76,0x1F,0x25,0x43,0xB6,0xDE,0x56,0xF7,0x52,0xCC,0x07,0xB8,
+  0x37,0xE2,0x8C,0xC5,0x56,0x8C,0xDD,0x63,0xF5,0xB6,0xA3,0x46,
+  0x62,0xF6,0x35,0x76,
+};
+
+} // namespace
+
+TestSignatureAlgorithm::TestSignatureAlgorithm(
+  const TestPublicKeyAlgorithm& aPublicKeyAlg,
+  TestDigestAlgorithmID aDigestAlg,
+  const ByteString& aAlgorithmIdentifier,
+  bool aAccepted)
+  : publicKeyAlg(aPublicKeyAlg)
+  , digestAlg(aDigestAlg)
+  , algorithmIdentifier(aAlgorithmIdentifier)
+  , accepted(aAccepted)
+{
+}
+
+ByteString DSS_P() { return ByteString(DSS_P_RAW, sizeof(DSS_P_RAW)); }
+ByteString DSS_Q() { return ByteString(DSS_Q_RAW, sizeof(DSS_Q_RAW)); }
+ByteString DSS_G() { return ByteString(DSS_G_RAW, sizeof(DSS_G_RAW)); }
+
+TestPublicKeyAlgorithm
+DSS()
+{
+  static const uint8_t oidValue[] = { PREFIX_1_2_840_10040, 4, 1 };
+
+  // RFC 3279 Section-2.3.2
+  return TestPublicKeyAlgorithm(
+           TLV(der::SEQUENCE,
+               OID(oidValue) +
+               TLV(der::SEQUENCE,
+                   DERInteger(DSS_P_RAW) +
+                   DERInteger(DSS_Q_RAW) +
+                   DERInteger(DSS_G_RAW))));
+}
+
+// RFC 3279 Section 2.3.1
+TestPublicKeyAlgorithm
+RSA_PKCS1()
+{
+  static const uint8_t rsaEncryption[] = { PREFIX_1_2_840_113549, 1, 1, 1 };
+  return TestPublicKeyAlgorithm(SimpleAlgID(rsaEncryption, NULLParam::YES));
+}
+
+// RFC 3279 Section 2.2.1
+TestSignatureAlgorithm md2WithRSAEncryption()
+{
+  static const uint8_t oidValue[] = { PREFIX_1_2_840_113549, 1, 1, 2 };
+  return TestSignatureAlgorithm(RSA_PKCS1(), TestDigestAlgorithmID::MD2,
+                                SimpleAlgID(oidValue), false);
+}
+
+// RFC 3279 Section 2.2.1
+TestSignatureAlgorithm md5WithRSAEncryption()
+{
+  static const uint8_t oidValue[] = { PREFIX_1_2_840_113549, 1, 1, 4 };
+  return TestSignatureAlgorithm(RSA_PKCS1(), TestDigestAlgorithmID::MD5,
+                                SimpleAlgID(oidValue), false);
+}
+
+// RFC 3279 Section 2.2.1
+TestSignatureAlgorithm sha1WithRSAEncryption()
+{
+  static const uint8_t oidValue[] = { PREFIX_1_2_840_113549, 1, 1, 5 };
+  return TestSignatureAlgorithm(RSA_PKCS1(), TestDigestAlgorithmID::SHA1,
+                                SimpleAlgID(oidValue), true);
+}
+
+// RFC 4055 Section 5
+TestSignatureAlgorithm sha256WithRSAEncryption()
+{
+  static const uint8_t oidValue[] = { PREFIX_1_2_840_113549, 1, 1, 11 };
+  return TestSignatureAlgorithm(RSA_PKCS1(), TestDigestAlgorithmID::SHA256,
+                                SimpleAlgID(oidValue), true);
+}
+
+} } } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/test-lib/pkixtestnss.cpp b/security/nss/lib/mozpkix/test-lib/pkixtestnss.cpp
new file mode 100644
index 000000000..ee59b1d97
--- /dev/null
+++ b/security/nss/lib/mozpkix/test-lib/pkixtestnss.cpp
@@ -0,0 +1,364 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/test/pkixtestutil.h"
+#include "mozpkix/test/pkixtestnss.h"
+
+#include <limits>
+
+#include "cryptohi.h"
+#include "keyhi.h"
+#include "nss.h"
+#include "pk11pqg.h"
+#include "pk11pub.h"
+#include "mozpkix/nss_scoped_ptrs.h"
+#include "mozpkix/pkixnss.h"
+#include "mozpkix/pkixder.h"
+#include "mozpkix/pkixutil.h"
+#include "prinit.h"
+#include "secerr.h"
+#include "secitem.h"
+
+namespace mozilla { namespace pkix { namespace test {
+
+namespace {
+
+TestKeyPair* GenerateKeyPairInner();
+
+void
+InitNSSIfNeeded()
+{
+  if (NSS_NoDB_Init(nullptr) != SECSuccess) {
+    abort();
+  }
+}
+
+static ScopedTestKeyPair reusedKeyPair;
+
+PRStatus
+InitReusedKeyPair()
+{
+  InitNSSIfNeeded();
+  reusedKeyPair.reset(GenerateKeyPairInner());
+  return reusedKeyPair ? PR_SUCCESS : PR_FAILURE;
+}
+
+class NSSTestKeyPair final : public TestKeyPair
+{
+public:
+  NSSTestKeyPair(const TestPublicKeyAlgorithm& aPublicKeyAlg,
+                 const ByteString& spk,
+                 const ByteString& aEncryptedPrivateKey,
+                 const ByteString& aEncryptionAlgorithm,
+                 const ByteString& aEncryptionParams)
+    : TestKeyPair(aPublicKeyAlg, spk)
+    , encryptedPrivateKey(aEncryptedPrivateKey)
+    , encryptionAlgorithm(aEncryptionAlgorithm)
+    , encryptionParams(aEncryptionParams)
+  {
+  }
+
+  Result SignData(const ByteString& tbs,
+                  const TestSignatureAlgorithm& signatureAlgorithm,
+                  /*out*/ ByteString& signature) const override
+  {
+    SECOidTag oidTag;
+    if (signatureAlgorithm.publicKeyAlg == RSA_PKCS1()) {
+      switch (signatureAlgorithm.digestAlg) {
+        case TestDigestAlgorithmID::MD2:
+          oidTag = SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;
+          break;
+        case TestDigestAlgorithmID::MD5:
+          oidTag = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
+          break;
+        case TestDigestAlgorithmID::SHA1:
+          oidTag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+          break;
+        case TestDigestAlgorithmID::SHA224:
+          oidTag = SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION;
+          break;
+        case TestDigestAlgorithmID::SHA256:
+          oidTag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
+          break;
+        case TestDigestAlgorithmID::SHA384:
+          oidTag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
+          break;
+        case TestDigestAlgorithmID::SHA512:
+          oidTag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
+          break;
+        MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+      }
+    } else {
+      abort();
+    }
+
+    ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+    if (!slot) {
+      return MapPRErrorCodeToResult(PR_GetError());
+    }
+    SECItem encryptedPrivateKeyInfoItem = {
+      siBuffer,
+      const_cast<uint8_t*>(encryptedPrivateKey.data()),
+      static_cast<unsigned int>(encryptedPrivateKey.length())
+    };
+    SECItem encryptionAlgorithmItem = {
+      siBuffer,
+      const_cast<uint8_t*>(encryptionAlgorithm.data()),
+      static_cast<unsigned int>(encryptionAlgorithm.length())
+    };
+    SECItem encryptionParamsItem = {
+      siBuffer,
+      const_cast<uint8_t*>(encryptionParams.data()),
+      static_cast<unsigned int>(encryptionParams.length())
+    };
+    SECKEYEncryptedPrivateKeyInfo encryptedPrivateKeyInfo = {
+      nullptr,
+      { encryptionAlgorithmItem, encryptionParamsItem },
+      encryptedPrivateKeyInfoItem
+    };
+    SECItem passwordItem = { siBuffer, nullptr, 0 };
+    SECItem publicValueItem = {
+      siBuffer,
+      const_cast<uint8_t*>(subjectPublicKey.data()),
+      static_cast<unsigned int>(subjectPublicKey.length())
+    };
+    SECKEYPrivateKey* privateKey;
+    // This should always be an RSA key (we'll have aborted above if we're not
+    // doing an RSA signature).
+    if (PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(
+          slot.get(), &encryptedPrivateKeyInfo, &passwordItem, nullptr,
+          &publicValueItem, false, false, rsaKey, KU_ALL, &privateKey,
+          nullptr) != SECSuccess) {
+      return MapPRErrorCodeToResult(PR_GetError());
+    }
+    ScopedSECKEYPrivateKey scopedPrivateKey(privateKey);
+    SECItem signatureItem;
+    if (SEC_SignData(&signatureItem, tbs.data(),
+                     static_cast<int>(tbs.length()),
+                     scopedPrivateKey.get(), oidTag) != SECSuccess) {
+      return MapPRErrorCodeToResult(PR_GetError());
+    }
+    signature.assign(signatureItem.data, signatureItem.len);
+    SECITEM_FreeItem(&signatureItem, false);
+    return Success;
+  }
+
+  TestKeyPair* Clone() const override
+  {
+    return new (std::nothrow) NSSTestKeyPair(publicKeyAlg,
+                                             subjectPublicKey,
+                                             encryptedPrivateKey,
+                                             encryptionAlgorithm,
+                                             encryptionParams);
+  }
+
+private:
+  const ByteString encryptedPrivateKey;
+  const ByteString encryptionAlgorithm;
+  const ByteString encryptionParams;
+};
+
+} // namespace
+
+// This private function is also used by Gecko's PSM test framework
+// (OCSPCommon.cpp).
+TestKeyPair* CreateTestKeyPair(const TestPublicKeyAlgorithm publicKeyAlg,
+                               const ScopedSECKEYPublicKey& publicKey,
+                               const ScopedSECKEYPrivateKey& privateKey)
+{
+  ScopedCERTSubjectPublicKeyInfo
+    spki(SECKEY_CreateSubjectPublicKeyInfo(publicKey.get()));
+  if (!spki) {
+    return nullptr;
+  }
+  SECItem spkDER = spki->subjectPublicKey;
+  DER_ConvertBitString(&spkDER); // bits to bytes
+  ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+  if (!slot) {
+    return nullptr;
+  }
+  // Because NSSTestKeyPair isn't tracked by XPCOM and won't otherwise be aware
+  // of shutdown, we don't have a way to release NSS resources at the
+  // appropriate time. To work around this, NSSTestKeyPair doesn't hold on to
+  // NSS resources. Instead, we export the generated private key part as an
+  // encrypted blob (with an empty password and fairly lame encryption). When we
+  // need to use it (e.g. to sign something), we decrypt it and create a
+  // temporary key object.
+  SECItem passwordItem = { siBuffer, nullptr, 0 };
+  ScopedSECKEYEncryptedPrivateKeyInfo encryptedPrivateKey(
+    PK11_ExportEncryptedPrivKeyInfo(
+      slot.get(), SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC,
+      &passwordItem, privateKey.get(), 1, nullptr));
+  if (!encryptedPrivateKey) {
+    return nullptr;
+  }
+
+  return new (std::nothrow) NSSTestKeyPair(
+    publicKeyAlg,
+    ByteString(spkDER.data, spkDER.len),
+    ByteString(encryptedPrivateKey->encryptedData.data,
+               encryptedPrivateKey->encryptedData.len),
+    ByteString(encryptedPrivateKey->algorithm.algorithm.data,
+               encryptedPrivateKey->algorithm.algorithm.len),
+    ByteString(encryptedPrivateKey->algorithm.parameters.data,
+               encryptedPrivateKey->algorithm.parameters.len));
+}
+
+namespace {
+
+TestKeyPair*
+GenerateKeyPairInner()
+{
+  ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+  if (!slot) {
+    abort();
+  }
+
+  // Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient
+  // entropy to generate a random key. Attempting to add some entropy and
+  // retrying appears to solve this issue.
+  for (uint32_t retries = 0; retries < 10; retries++) {
+    PK11RSAGenParams params;
+    params.keySizeInBits = 2048;
+    params.pe = 3;
+    SECKEYPublicKey* publicKeyTemp = nullptr;
+    ScopedSECKEYPrivateKey
+      privateKey(PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN,
+                                      &params, &publicKeyTemp, false, true,
+                                      nullptr));
+    ScopedSECKEYPublicKey publicKey(publicKeyTemp);
+    if (privateKey) {
+      return CreateTestKeyPair(RSA_PKCS1(), publicKey, privateKey);
+    }
+
+    assert(!publicKeyTemp);
+
+    if (PR_GetError() != SEC_ERROR_PKCS11_FUNCTION_FAILED) {
+      break;
+    }
+
+    // Since these keys are only for testing, we don't need them to be good,
+    // random keys.
+    // https://xkcd.com/221/
+    static const uint8_t RANDOM_NUMBER[] = { 4, 4, 4, 4, 4, 4, 4, 4 };
+    if (PK11_RandomUpdate((void*) &RANDOM_NUMBER,
+                          sizeof(RANDOM_NUMBER)) != SECSuccess) {
+      break;
+    }
+  }
+
+  abort();
+}
+
+} // namespace
+
+TestKeyPair*
+GenerateKeyPair()
+{
+  InitNSSIfNeeded();
+  return GenerateKeyPairInner();
+}
+
+TestKeyPair*
+CloneReusedKeyPair()
+{
+  static PRCallOnceType initCallOnce;
+  if (PR_CallOnce(&initCallOnce, InitReusedKeyPair) != PR_SUCCESS) {
+    abort();
+  }
+  assert(reusedKeyPair);
+  return reusedKeyPair->Clone();
+}
+
+TestKeyPair*
+GenerateDSSKeyPair()
+{
+  InitNSSIfNeeded();
+
+  ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+  if (!slot) {
+    return nullptr;
+  }
+
+  ByteString p(DSS_P());
+  ByteString q(DSS_Q());
+  ByteString g(DSS_G());
+
+  static const PQGParams PARAMS = {
+    nullptr,
+    { siBuffer,
+      const_cast<uint8_t*>(p.data()),
+      static_cast<unsigned int>(p.length())
+    },
+    { siBuffer,
+      const_cast<uint8_t*>(q.data()),
+      static_cast<unsigned int>(q.length())
+    },
+    { siBuffer,
+      const_cast<uint8_t*>(g.data()),
+      static_cast<unsigned int>(g.length())
+    }
+  };
+
+  SECKEYPublicKey* publicKeyTemp = nullptr;
+  ScopedSECKEYPrivateKey
+    privateKey(PK11_GenerateKeyPair(slot.get(), CKM_DSA_KEY_PAIR_GEN,
+                                    const_cast<PQGParams*>(&PARAMS),
+                                    &publicKeyTemp, false, true, nullptr));
+  if (!privateKey) {
+    return nullptr;
+  }
+  ScopedSECKEYPublicKey publicKey(publicKeyTemp);
+  return CreateTestKeyPair(DSS(), publicKey, privateKey);
+}
+
+Result
+TestVerifyECDSASignedDigest(const SignedDigest& signedDigest,
+                            Input subjectPublicKeyInfo)
+{
+  InitNSSIfNeeded();
+  return VerifyECDSASignedDigestNSS(signedDigest, subjectPublicKeyInfo,
+                                    nullptr);
+}
+
+Result
+TestVerifyRSAPKCS1SignedDigest(const SignedDigest& signedDigest,
+                               Input subjectPublicKeyInfo)
+{
+  InitNSSIfNeeded();
+  return VerifyRSAPKCS1SignedDigestNSS(signedDigest, subjectPublicKeyInfo,
+                                       nullptr);
+}
+
+Result
+TestDigestBuf(Input item,
+              DigestAlgorithm digestAlg,
+              /*out*/ uint8_t* digestBuf,
+              size_t digestBufLen)
+{
+  InitNSSIfNeeded();
+  return DigestBufNSS(item, digestAlg, digestBuf, digestBufLen);
+}
+
+} } } // namespace mozilla::pkix::test
diff --git a/security/nss/lib/mozpkix/test-lib/pkixtestutil.cpp b/security/nss/lib/mozpkix/test-lib/pkixtestutil.cpp
new file mode 100644
index 000000000..b1b89c07e
--- /dev/null
+++ b/security/nss/lib/mozpkix/test-lib/pkixtestutil.cpp
@@ -0,0 +1,1155 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/test/pkixtestutil.h"
+
+#include <cerrno>
+#include <cstdio>
+#include <limits>
+#include <new>
+#include <sstream>
+#include <cstdlib>
+
+#include "mozpkix/pkixder.h"
+#include "mozpkix/pkixutil.h"
+
+using namespace std;
+
+namespace mozilla { namespace pkix { namespace test {
+
+namespace {
+
+struct ScopedMaybeDeleteFile {
+  void operator()(FILE* f) {
+    if (f) {
+      (void)fclose(f);
+    }
+  }
+};
+typedef std::unique_ptr<FILE, ScopedMaybeDeleteFile> ScopedFILE;
+
+FILE*
+OpenFile(const string& dir, const string& filename, const string& mode)
+{
+  string path = dir + '/' + filename;
+
+  ScopedFILE file;
+#ifdef _MSC_VER
+  {
+    FILE* rawFile;
+    errno_t error = fopen_s(&rawFile, path.c_str(), mode.c_str());
+    if (error) {
+      // TODO: map error to NSPR error code
+      rawFile = nullptr;
+    }
+    file.reset(rawFile);
+  }
+#else
+  file.reset(fopen(path.c_str(), mode.c_str()));
+#endif
+  return file.release();
+}
+
+} // namespace
+
+bool
+InputEqualsByteString(Input input, const ByteString& bs)
+{
+  Input bsInput;
+  if (bsInput.Init(bs.data(), bs.length()) != Success) {
+    // Init can only fail if it is given a bad pointer or if the input is too
+    // long, which won't ever happen. Plus, if it does, it is ok to call abort
+    // since this is only test code.
+    abort();
+  }
+  return InputsAreEqual(input, bsInput);
+}
+
+ByteString
+InputToByteString(Input input)
+{
+  ByteString result;
+  Reader reader(input);
+  for (;;) {
+    uint8_t b;
+    if (reader.Read(b) != Success) {
+      return result;
+    }
+    result.push_back(b);
+  }
+}
+
+Result
+TamperOnce(/*in/out*/ ByteString& item, const ByteString& from,
+           const ByteString& to)
+{
+  if (from.length() < 8) {
+    return Result::FATAL_ERROR_INVALID_ARGS;
+  }
+  if (from.length() != to.length()) {
+    return Result::FATAL_ERROR_INVALID_ARGS;
+  }
+  size_t pos = item.find(from);
+  if (pos == string::npos) {
+    return Result::FATAL_ERROR_INVALID_ARGS; // No matches.
+  }
+  if (item.find(from, pos + from.length()) != string::npos) {
+    return Result::FATAL_ERROR_INVALID_ARGS; // More than once match.
+  }
+  item.replace(pos, from.length(), to);
+  return Success;
+}
+
+// Given a tag and a value, generates a DER-encoded tag-length-value item.
+ByteString
+TLV(uint8_t tag, size_t length, const ByteString& value)
+{
+  ByteString result;
+  result.push_back(tag);
+
+  if (value.length() < 128) {
+    result.push_back(static_cast<uint8_t>(length));
+  } else if (value.length() < 256) {
+    result.push_back(0x81u);
+    result.push_back(static_cast<uint8_t>(length));
+  } else if (value.length() < 65536) {
+    result.push_back(0x82u);
+    result.push_back(static_cast<uint8_t>(length / 256));
+    result.push_back(static_cast<uint8_t>(length % 256));
+  } else {
+    // It is MUCH more convenient for TLV to be infallible than for it to have
+    // "proper" error handling.
+    abort();
+  }
+  result.append(value);
+  return result;
+}
+
+OCSPResponseExtension::OCSPResponseExtension()
+  : id()
+  , critical(false)
+  , value()
+  , next(nullptr)
+{
+}
+
+OCSPResponseContext::OCSPResponseContext(const CertID& aCertID, time_t time)
+  : certID(aCertID)
+  , responseStatus(successful)
+  , skipResponseBytes(false)
+  , producedAt(time)
+  , singleExtensions(nullptr)
+  , responseExtensions(nullptr)
+  , includeEmptyExtensions(false)
+  , signatureAlgorithm(sha256WithRSAEncryption())
+  , badSignature(false)
+  , certs(nullptr)
+
+  , certStatus(good)
+  , revocationTime(0)
+  , thisUpdate(time)
+  , nextUpdate(time + static_cast<time_t>(Time::ONE_DAY_IN_SECONDS))
+  , includeNextUpdate(true)
+{
+}
+
+static ByteString ResponseBytes(OCSPResponseContext& context);
+static ByteString BasicOCSPResponse(OCSPResponseContext& context);
+static ByteString ResponseData(OCSPResponseContext& context);
+static ByteString ResponderID(OCSPResponseContext& context);
+static ByteString KeyHash(const ByteString& subjectPublicKeyInfo);
+static ByteString SingleResponse(OCSPResponseContext& context);
+static ByteString CertID(OCSPResponseContext& context);
+static ByteString CertStatus(OCSPResponseContext& context);
+
+static ByteString
+SHA1(const ByteString& toHash)
+{
+  uint8_t digestBuf[20];
+  Input input;
+  if (input.Init(toHash.data(), toHash.length()) != Success) {
+    abort();
+  }
+  Result rv = TestDigestBuf(input, DigestAlgorithm::sha1, digestBuf,
+                            sizeof(digestBuf));
+  if (rv != Success) {
+    abort();
+  }
+  return ByteString(digestBuf, sizeof(digestBuf));
+}
+
+static ByteString
+HashedOctetString(const ByteString& bytes)
+{
+  ByteString digest(SHA1(bytes));
+  if (ENCODING_FAILED(digest)) {
+    return ByteString();
+  }
+  return TLV(der::OCTET_STRING, digest);
+}
+
+static ByteString
+BitString(const ByteString& rawBytes, bool corrupt)
+{
+  ByteString prefixed;
+  // We have to add a byte at the beginning indicating no unused bits.
+  // TODO: add ability to have bit strings of bit length not divisible by 8,
+  // resulting in unused bits in the bitstring encoding
+  prefixed.push_back(0);
+  prefixed.append(rawBytes);
+  if (corrupt) {
+    assert(prefixed.length() > 8);
+    prefixed[8]++;
+  }
+  return TLV(der::BIT_STRING, prefixed);
+}
+
+ByteString
+Boolean(bool value)
+{
+  ByteString encodedValue;
+  encodedValue.push_back(value ? 0xffu : 0x00u);
+  return TLV(der::BOOLEAN, encodedValue);
+}
+
+ByteString
+Integer(long value)
+{
+  if (value < 0 || value > 127) {
+    // TODO: add encoding of larger values
+    // It is MUCH more convenient for Integer to be infallible than for it to
+    // have "proper" error handling.
+    abort();
+  }
+
+  ByteString encodedValue;
+  encodedValue.push_back(static_cast<uint8_t>(value));
+  return TLV(der::INTEGER, encodedValue);
+}
+
+enum TimeEncoding { UTCTime = 0, GeneralizedTime = 1 };
+
+// Windows doesn't provide gmtime_r, but it provides something very similar.
+#if defined(_WINDOWS) && (!defined(_POSIX_C_SOURCE) || !defined(_POSIX_THREAD_SAFE_FUNCTIONS))
+static tm*
+gmtime_r(const time_t* t, /*out*/ tm* exploded)
+{
+  if (gmtime_s(exploded, t) != 0) {
+    return nullptr;
+  }
+  return exploded;
+}
+#endif
+
+// http://tools.ietf.org/html/rfc5280#section-4.1.2.5
+// UTCTime:           YYMMDDHHMMSSZ (years 1950-2049 only)
+// GeneralizedTime: YYYYMMDDHHMMSSZ
+//
+// This assumes that time/time_t are POSIX-compliant in that time() returns
+// the number of seconds since the Unix epoch.
+static ByteString
+TimeToEncodedTime(time_t time, TimeEncoding encoding)
+{
+  assert(encoding == UTCTime || encoding == GeneralizedTime);
+
+  tm exploded;
+  if (!gmtime_r(&time, &exploded)) {
+    return ByteString();
+  }
+
+  if (exploded.tm_sec >= 60) {
+    // round down for leap seconds
+    exploded.tm_sec = 59;
+  }
+
+  // exploded.tm_year is the year offset by 1900.
+  int year = exploded.tm_year + 1900;
+
+  if (encoding == UTCTime && (year < 1950 || year >= 2050)) {
+    return ByteString();
+  }
+
+  ByteString value;
+
+  if (encoding == GeneralizedTime) {
+    value.push_back(static_cast<uint8_t>('0' + (year / 1000)));
+    value.push_back(static_cast<uint8_t>('0' + ((year % 1000) / 100)));
+  }
+
+  value.push_back(static_cast<uint8_t>('0' + ((year % 100) / 10)));
+  value.push_back(static_cast<uint8_t>('0' + (year % 10)));
+  value.push_back(static_cast<uint8_t>('0' + ((exploded.tm_mon + 1) / 10)));
+  value.push_back(static_cast<uint8_t>('0' + ((exploded.tm_mon + 1) % 10)));
+  value.push_back(static_cast<uint8_t>('0' + (exploded.tm_mday / 10)));
+  value.push_back(static_cast<uint8_t>('0' + (exploded.tm_mday % 10)));
+  value.push_back(static_cast<uint8_t>('0' + (exploded.tm_hour / 10)));
+  value.push_back(static_cast<uint8_t>('0' + (exploded.tm_hour % 10)));
+  value.push_back(static_cast<uint8_t>('0' + (exploded.tm_min / 10)));
+  value.push_back(static_cast<uint8_t>('0' + (exploded.tm_min % 10)));
+  value.push_back(static_cast<uint8_t>('0' + (exploded.tm_sec / 10)));
+  value.push_back(static_cast<uint8_t>('0' + (exploded.tm_sec % 10)));
+  value.push_back('Z');
+
+  return TLV(encoding == GeneralizedTime ? der::GENERALIZED_TIME : der::UTCTime,
+             value);
+}
+
+static ByteString
+TimeToGeneralizedTime(time_t time)
+{
+  return TimeToEncodedTime(time, GeneralizedTime);
+}
+
+// http://tools.ietf.org/html/rfc5280#section-4.1.2.5: "CAs conforming to this
+// profile MUST always encode certificate validity dates through the year 2049
+// as UTCTime; certificate validity dates in 2050 or later MUST be encoded as
+// GeneralizedTime." (This is a special case of the rule that we must always
+// use the shortest possible encoding.)
+static ByteString
+TimeToTimeChoice(time_t time)
+{
+  tm exploded;
+  if (!gmtime_r(&time, &exploded)) {
+    return ByteString();
+  }
+  TimeEncoding encoding = (exploded.tm_year + 1900 >= 1950 &&
+                           exploded.tm_year + 1900 < 2050)
+                        ? UTCTime
+                        : GeneralizedTime;
+
+  return TimeToEncodedTime(time, encoding);
+}
+
+Time
+YMDHMS(uint16_t year, uint16_t month, uint16_t day,
+       uint16_t hour, uint16_t minutes, uint16_t seconds)
+{
+  assert(year <= 9999);
+  assert(month >= 1);
+  assert(month <= 12);
+  assert(day >= 1);
+  assert(hour < 24);
+  assert(minutes < 60);
+  assert(seconds < 60);
+
+  uint64_t days = DaysBeforeYear(year);
+
+  {
+    static const int16_t DAYS_IN_MONTH[] = {
+      31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
+    };
+
+    int16_t i = 1;
+    for (;;) {
+      int16_t daysInMonth = DAYS_IN_MONTH[i - 1];
+      if (i == 2 &&
+          ((year % 4 == 0) && ((year % 100 != 0) || (year % 400 == 0)))) {
+        // Add leap day
+        ++daysInMonth;
+      }
+      if (i == month) {
+        assert(day <= daysInMonth);
+        break;
+      }
+      days += daysInMonth;
+      ++i;
+    }
+  }
+
+  days += (day - 1);
+
+  uint64_t totalSeconds = days * Time::ONE_DAY_IN_SECONDS;
+  totalSeconds += hour * 60 * 60;
+  totalSeconds += minutes * 60;
+  totalSeconds += seconds;
+  return TimeFromElapsedSecondsAD(totalSeconds);
+}
+
+static ByteString
+SignedData(const ByteString& tbsData,
+           const TestKeyPair& keyPair,
+           const TestSignatureAlgorithm& signatureAlgorithm,
+           bool corrupt, /*optional*/ const ByteString* certs)
+{
+  ByteString signature;
+  if (keyPair.SignData(tbsData, signatureAlgorithm, signature) != Success) {
+    return ByteString();
+  }
+
+  // TODO: add ability to have signatures of bit length not divisible by 8,
+  // resulting in unused bits in the bitstring encoding
+  ByteString signatureNested(BitString(signature, corrupt));
+  if (ENCODING_FAILED(signatureNested)) {
+    return ByteString();
+  }
+
+  ByteString certsNested;
+  if (certs) {
+    ByteString certsSequenceValue;
+    while (!(*certs).empty()) {
+      certsSequenceValue.append(*certs);
+      ++certs;
+    }
+    ByteString certsSequence(TLV(der::SEQUENCE, certsSequenceValue));
+    certsNested = TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
+                      certsSequence);
+  }
+
+  ByteString value;
+  value.append(tbsData);
+  value.append(signatureAlgorithm.algorithmIdentifier);
+  value.append(signatureNested);
+  value.append(certsNested);
+  return TLV(der::SEQUENCE, value);
+}
+
+// Extension  ::=  SEQUENCE  {
+//      extnID      OBJECT IDENTIFIER,
+//      critical    BOOLEAN DEFAULT FALSE,
+//      extnValue   OCTET STRING
+//                  -- contains the DER encoding of an ASN.1 value
+//                  -- corresponding to the extension type identified
+//                  -- by extnID
+//      }
+static ByteString
+Extension(Input extnID, Critical critical, const ByteString& extnValueBytes)
+{
+  ByteString encoded;
+
+  encoded.append(ByteString(extnID.UnsafeGetData(), extnID.GetLength()));
+
+  if (critical == Critical::Yes) {
+    encoded.append(Boolean(true));
+  }
+
+  ByteString extnValueSequence(TLV(der::SEQUENCE, extnValueBytes));
+  ByteString extnValue(TLV(der::OCTET_STRING, extnValueSequence));
+  encoded.append(extnValue);
+  return TLV(der::SEQUENCE, encoded);
+}
+
+static ByteString
+EmptyExtension(Input extnID, Critical critical)
+{
+  ByteString encoded(extnID.UnsafeGetData(), extnID.GetLength());
+
+  if (critical == Critical::Yes) {
+    encoded.append(Boolean(true));
+  }
+
+  ByteString extnValue(TLV(der::OCTET_STRING, ByteString()));
+  encoded.append(extnValue);
+  return TLV(der::SEQUENCE, encoded);
+}
+
+std::string
+GetEnv(const char* name)
+{
+  std::string result;
+
+#ifndef _MSC_VER
+  // XXX: Not thread safe.
+  const char* value = getenv(name);
+  if (value) {
+    result = value;
+  }
+#else
+  char* value = nullptr;
+  size_t valueLength = 0;
+  if (_dupenv_s(&value, &valueLength, name) != 0) {
+    abort();
+  }
+  if (value) {
+    result = value;
+    free(value);
+  }
+#endif
+  return result;
+}
+
+void
+MaybeLogOutput(const ByteString& result, const char* suffix)
+{
+  assert(suffix);
+
+  // This allows us to more easily debug the generated output, by creating a
+  // file in the directory given by MOZILLA_PKIX_TEST_LOG_DIR for each
+  // NOT THREAD-SAFE!!!
+  std::string logPath(GetEnv("MOZILLA_PKIX_TEST_LOG_DIR"));
+  if (!logPath.empty()) {
+    static int counter = 0;
+
+    std::ostringstream counterStream;
+    counterStream << counter;
+    if (!counterStream) {
+      assert(false);
+      return;
+    }
+    string filename = counterStream.str() + '-' + suffix + ".der";
+
+    ++counter;
+    ScopedFILE file(OpenFile(logPath, filename, "wb"));
+    if (file) {
+      (void) fwrite(result.data(), result.length(), 1, file.get());
+    }
+  }
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// Certificates
+
+static ByteString TBSCertificate(long version, const ByteString& serialNumber,
+                                 const ByteString& signature,
+                                 const ByteString& issuer,
+                                 time_t notBefore, time_t notAfter,
+                                 const ByteString& subject,
+                                 const ByteString& subjectPublicKeyInfo,
+                                 /*optional*/ const ByteString* extensions);
+
+// Certificate  ::=  SEQUENCE  {
+//         tbsCertificate       TBSCertificate,
+//         signatureAlgorithm   AlgorithmIdentifier,
+//         signatureValue       BIT STRING  }
+ByteString
+CreateEncodedCertificate(long version,
+                         const TestSignatureAlgorithm& signature,
+                         const ByteString& serialNumber,
+                         const ByteString& issuerNameDER,
+                         time_t notBefore, time_t notAfter,
+                         const ByteString& subjectNameDER,
+                         const TestKeyPair& subjectKeyPair,
+                         /*optional*/ const ByteString* extensions,
+                         const TestKeyPair& issuerKeyPair,
+                         const TestSignatureAlgorithm& signatureAlgorithm)
+{
+  ByteString tbsCertificate(TBSCertificate(version, serialNumber,
+                                           signature.algorithmIdentifier,
+                                           issuerNameDER, notBefore,
+                                           notAfter, subjectNameDER,
+                                           subjectKeyPair.subjectPublicKeyInfo,
+                                           extensions));
+  if (ENCODING_FAILED(tbsCertificate)) {
+    return ByteString();
+  }
+
+  ByteString result(SignedData(tbsCertificate, issuerKeyPair,
+                               signatureAlgorithm, false, nullptr));
+  if (ENCODING_FAILED(result)) {
+    return ByteString();
+  }
+
+  MaybeLogOutput(result, "cert");
+
+  return result;
+}
+
+// TBSCertificate  ::=  SEQUENCE  {
+//      version         [0]  Version DEFAULT v1,
+//      serialNumber         CertificateSerialNumber,
+//      signature            AlgorithmIdentifier,
+//      issuer               Name,
+//      validity             Validity,
+//      subject              Name,
+//      subjectPublicKeyInfo SubjectPublicKeyInfo,
+//      issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
+//                           -- If present, version MUST be v2 or v3
+//      subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
+//                           -- If present, version MUST be v2 or v3
+//      extensions      [3]  Extensions OPTIONAL
+//                           -- If present, version MUST be v3 --  }
+static ByteString
+TBSCertificate(long versionValue,
+               const ByteString& serialNumber, const ByteString& signature,
+               const ByteString& issuer, time_t notBeforeTime,
+               time_t notAfterTime, const ByteString& subject,
+               const ByteString& subjectPublicKeyInfo,
+               /*optional*/ const ByteString* extensions)
+{
+  ByteString value;
+
+  if (versionValue != static_cast<long>(der::Version::v1)) {
+    ByteString versionInteger(Integer(versionValue));
+    ByteString version(TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
+                           versionInteger));
+    value.append(version);
+  }
+
+  value.append(serialNumber);
+  value.append(signature);
+  value.append(issuer);
+
+  // Validity ::= SEQUENCE {
+  //       notBefore      Time,
+  //       notAfter       Time }
+  ByteString validity;
+  {
+    ByteString notBefore(TimeToTimeChoice(notBeforeTime));
+    if (ENCODING_FAILED(notBefore)) {
+      return ByteString();
+    }
+    ByteString notAfter(TimeToTimeChoice(notAfterTime));
+    if (ENCODING_FAILED(notAfter)) {
+      return ByteString();
+    }
+    ByteString validityValue;
+    validityValue.append(notBefore);
+    validityValue.append(notAfter);
+    validity = TLV(der::SEQUENCE, validityValue);
+    if (ENCODING_FAILED(validity)) {
+      return ByteString();
+    }
+  }
+  value.append(validity);
+
+  value.append(subject);
+
+  value.append(subjectPublicKeyInfo);
+
+  if (extensions) {
+    ByteString extensionsValue;
+    while (!(*extensions).empty()) {
+      extensionsValue.append(*extensions);
+      ++extensions;
+    }
+    ByteString extensionsSequence(TLV(der::SEQUENCE, extensionsValue));
+    if (ENCODING_FAILED(extensionsSequence)) {
+      return ByteString();
+    }
+    ByteString extensionsWrapped(
+      TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 3, extensionsSequence));
+    if (ENCODING_FAILED(extensionsWrapped)) {
+      return ByteString();
+    }
+    value.append(extensionsWrapped);
+  }
+
+  return TLV(der::SEQUENCE, value);
+}
+
+// AttributeTypeAndValue ::= SEQUENCE {
+//   type     AttributeType,
+//   value    AttributeValue }
+//
+// AttributeType ::= OBJECT IDENTIFIER
+//
+// AttributeValue ::= ANY -- DEFINED BY AttributeType
+//
+// DirectoryString ::= CHOICE {
+//       teletexString           TeletexString (SIZE (1..MAX)),
+//       printableString         PrintableString (SIZE (1..MAX)),
+//       universalString         UniversalString (SIZE (1..MAX)),
+//       utf8String              UTF8String (SIZE (1..MAX)),
+//       bmpString               BMPString (SIZE (1..MAX)) }
+template <size_t N>
+static ByteString
+AVA(const uint8_t (&type)[N], uint8_t directoryStringType,
+    const ByteString& value)
+{
+  ByteString wrappedValue(TLV(directoryStringType, value));
+  ByteString ava;
+  ava.append(type, N);
+  ava.append(wrappedValue);
+  return TLV(der::SEQUENCE, ava);
+}
+
+ByteString
+CN(const ByteString& value, uint8_t encodingTag)
+{
+  // id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
+  // id-at-commonName        AttributeType ::= { id-at 3 }
+  // python DottedOIDToCode.py --tlv id-at-commonName 2.5.4.3
+  static const uint8_t tlv_id_at_commonName[] = {
+    0x06, 0x03, 0x55, 0x04, 0x03
+  };
+  return AVA(tlv_id_at_commonName, encodingTag, value);
+}
+
+ByteString
+OU(const ByteString& value, uint8_t encodingTag)
+{
+  // id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
+  // id-at-organizationalUnitName AttributeType ::= { id-at 11 }
+  // python DottedOIDToCode.py --tlv id-at-organizationalUnitName 2.5.4.11
+  static const uint8_t tlv_id_at_organizationalUnitName[] = {
+    0x06, 0x03, 0x55, 0x04, 0x0b
+  };
+
+  return AVA(tlv_id_at_organizationalUnitName, encodingTag, value);
+}
+
+ByteString
+emailAddress(const ByteString& value)
+{
+  // id-emailAddress AttributeType ::= { pkcs-9 1 }
+  // python DottedOIDToCode.py --tlv id-emailAddress 1.2.840.113549.1.9.1
+  static const uint8_t tlv_id_emailAddress[] = {
+    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01
+  };
+
+  return AVA(tlv_id_emailAddress, der::IA5String, value);
+}
+
+// RelativeDistinguishedName ::=
+//   SET SIZE (1..MAX) OF AttributeTypeAndValue
+//
+ByteString
+RDN(const ByteString& avas)
+{
+  return TLV(der::SET, avas);
+}
+
+// Name ::= CHOICE { -- only one possibility for now --
+//   rdnSequence  RDNSequence }
+//
+// RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+//
+ByteString
+Name(const ByteString& rdns)
+{
+  return TLV(der::SEQUENCE, rdns);
+}
+
+ByteString
+CreateEncodedSerialNumber(long serialNumberValue)
+{
+  return Integer(serialNumberValue);
+}
+
+// BasicConstraints ::= SEQUENCE {
+//         cA                      BOOLEAN DEFAULT FALSE,
+//         pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
+ByteString
+CreateEncodedBasicConstraints(bool isCA,
+                              /*optional in*/ const long* pathLenConstraintValue,
+                              Critical critical)
+{
+  ByteString value;
+
+  if (isCA) {
+    ByteString cA(Boolean(true));
+    value.append(cA);
+  }
+
+  if (pathLenConstraintValue) {
+    ByteString pathLenConstraint(Integer(*pathLenConstraintValue));
+    value.append(pathLenConstraint);
+  }
+
+  // python DottedOIDToCode.py --tlv id-ce-basicConstraints 2.5.29.19
+  static const uint8_t tlv_id_ce_basicConstraints[] = {
+    0x06, 0x03, 0x55, 0x1d, 0x13
+  };
+  return Extension(Input(tlv_id_ce_basicConstraints), critical, value);
+}
+
+// ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+// KeyPurposeId ::= OBJECT IDENTIFIER
+ByteString
+CreateEncodedEKUExtension(Input ekuOID, Critical critical)
+{
+  ByteString value(ekuOID.UnsafeGetData(), ekuOID.GetLength());
+
+  // python DottedOIDToCode.py --tlv id-ce-extKeyUsage 2.5.29.37
+  static const uint8_t tlv_id_ce_extKeyUsage[] = {
+    0x06, 0x03, 0x55, 0x1d, 0x25
+  };
+
+  return Extension(Input(tlv_id_ce_extKeyUsage), critical, value);
+}
+
+// python DottedOIDToCode.py --tlv id-ce-subjectAltName 2.5.29.17
+static const uint8_t tlv_id_ce_subjectAltName[] = {
+  0x06, 0x03, 0x55, 0x1d, 0x11
+};
+
+ByteString
+CreateEncodedSubjectAltName(const ByteString& names)
+{
+  return Extension(Input(tlv_id_ce_subjectAltName), Critical::No, names);
+}
+
+ByteString
+CreateEncodedEmptySubjectAltName()
+{
+  return EmptyExtension(Input(tlv_id_ce_subjectAltName), Critical::No);
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// OCSP responses
+
+ByteString
+CreateEncodedOCSPResponse(OCSPResponseContext& context)
+{
+  if (!context.skipResponseBytes) {
+    if (!context.signerKeyPair) {
+      return ByteString();
+    }
+  }
+
+  // OCSPResponse ::= SEQUENCE {
+  //    responseStatus          OCSPResponseStatus,
+  //    responseBytes       [0] EXPLICIT ResponseBytes OPTIONAL }
+
+  // OCSPResponseStatus ::= ENUMERATED {
+  //    successful          (0),  -- Response has valid confirmations
+  //    malformedRequest    (1),  -- Illegal confirmation request
+  //    internalError       (2),  -- Internal error in issuer
+  //    tryLater            (3),  -- Try again later
+  //                              -- (4) is not used
+  //    sigRequired         (5),  -- Must sign the request
+  //    unauthorized        (6)   -- Request unauthorized
+  // }
+  ByteString reponseStatusValue;
+  reponseStatusValue.push_back(context.responseStatus);
+  ByteString responseStatus(TLV(der::ENUMERATED, reponseStatusValue));
+
+  ByteString responseBytesNested;
+  if (!context.skipResponseBytes) {
+    ByteString responseBytes(ResponseBytes(context));
+    if (ENCODING_FAILED(responseBytes)) {
+      return ByteString();
+    }
+
+    responseBytesNested = TLV(der::CONSTRUCTED | der::CONTEXT_SPECIFIC,
+                              responseBytes);
+  }
+
+  ByteString value;
+  value.append(responseStatus);
+  value.append(responseBytesNested);
+  ByteString result(TLV(der::SEQUENCE, value));
+
+  MaybeLogOutput(result, "ocsp");
+
+  return result;
+}
+
+// ResponseBytes ::= SEQUENCE {
+//    responseType            OBJECT IDENTIFIER,
+//    response                OCTET STRING }
+ByteString
+ResponseBytes(OCSPResponseContext& context)
+{
+  // Includes tag and length
+  static const uint8_t id_pkix_ocsp_basic_encoded[] = {
+    0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
+  };
+  ByteString response(BasicOCSPResponse(context));
+  if (ENCODING_FAILED(response)) {
+    return ByteString();
+  }
+  ByteString responseNested = TLV(der::OCTET_STRING, response);
+
+  ByteString value;
+  value.append(id_pkix_ocsp_basic_encoded,
+               sizeof(id_pkix_ocsp_basic_encoded));
+  value.append(responseNested);
+  return TLV(der::SEQUENCE, value);
+}
+
+// BasicOCSPResponse ::= SEQUENCE {
+//   tbsResponseData          ResponseData,
+//   signatureAlgorithm       AlgorithmIdentifier,
+//   signature                BIT STRING,
+//   certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+ByteString
+BasicOCSPResponse(OCSPResponseContext& context)
+{
+  ByteString tbsResponseData(ResponseData(context));
+  if (ENCODING_FAILED(tbsResponseData)) {
+    return ByteString();
+  }
+
+  return SignedData(tbsResponseData, *context.signerKeyPair,
+                    context.signatureAlgorithm, context.badSignature,
+                    context.certs);
+}
+
+// Extension ::= SEQUENCE {
+//   id               OBJECT IDENTIFIER,
+//   critical         BOOLEAN DEFAULT FALSE
+//   value            OCTET STRING
+// }
+static ByteString
+OCSPExtension(OCSPResponseExtension& extension)
+{
+  ByteString encoded;
+  encoded.append(extension.id);
+  if (extension.critical) {
+    encoded.append(Boolean(true));
+  }
+  ByteString value(TLV(der::OCTET_STRING, extension.value));
+  encoded.append(value);
+  return TLV(der::SEQUENCE, encoded);
+}
+
+// Extensions ::= [1] {
+//   SEQUENCE OF Extension
+// }
+static ByteString
+OCSPExtensions(OCSPResponseExtension* extensions)
+{
+  ByteString value;
+  for (OCSPResponseExtension* extension = extensions;
+       extension; extension = extension->next) {
+    ByteString extensionEncoded(OCSPExtension(*extension));
+    if (ENCODING_FAILED(extensionEncoded)) {
+      return ByteString();
+    }
+    value.append(extensionEncoded);
+  }
+  ByteString sequence(TLV(der::SEQUENCE, value));
+  return TLV(der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 1, sequence);
+}
+
+// ResponseData ::= SEQUENCE {
+//    version             [0] EXPLICIT Version DEFAULT v1,
+//    responderID             ResponderID,
+//    producedAt              GeneralizedTime,
+//    responses               SEQUENCE OF SingleResponse,
+//    responseExtensions  [1] EXPLICIT Extensions OPTIONAL }
+ByteString
+ResponseData(OCSPResponseContext& context)
+{
+  ByteString responderID(ResponderID(context));
+  if (ENCODING_FAILED(responderID)) {
+    return ByteString();
+  }
+  ByteString producedAtEncoded(TimeToGeneralizedTime(context.producedAt));
+  if (ENCODING_FAILED(producedAtEncoded)) {
+    return ByteString();
+  }
+  ByteString response(SingleResponse(context));
+  if (ENCODING_FAILED(response)) {
+    return ByteString();
+  }
+  ByteString responses(TLV(der::SEQUENCE, response));
+  ByteString responseExtensions;
+  if (context.responseExtensions || context.includeEmptyExtensions) {
+    responseExtensions = OCSPExtensions(context.responseExtensions);
+  }
+
+  ByteString value;
+  value.append(responderID);
+  value.append(producedAtEncoded);
+  value.append(responses);
+  value.append(responseExtensions);
+  return TLV(der::SEQUENCE, value);
+}
+
+// ResponderID ::= CHOICE {
+//    byName              [1] Name,
+//    byKey               [2] KeyHash }
+// }
+ByteString
+ResponderID(OCSPResponseContext& context)
+{
+  ByteString contents;
+  uint8_t responderIDType;
+  if (!context.signerNameDER.empty()) {
+    contents = context.signerNameDER;
+    responderIDType = 1; // byName
+  } else {
+    contents = KeyHash(context.signerKeyPair->subjectPublicKey);
+    if (ENCODING_FAILED(contents)) {
+      return ByteString();
+    }
+    responderIDType = 2; // byKey
+  }
+
+  // XXX: MSVC 2015 wrongly warns about signed/unsigned conversion without the
+  // static_cast.
+  uint8_t tag = static_cast<uint8_t>(der::CONSTRUCTED | der::CONTEXT_SPECIFIC |
+                                     responderIDType);
+  return TLV(tag, contents);
+}
+
+// KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
+//                          -- (i.e., the SHA-1 hash of the value of the
+//                          -- BIT STRING subjectPublicKey [excluding
+//                          -- the tag, length, and number of unused
+//                          -- bits] in the responder's certificate)
+ByteString
+KeyHash(const ByteString& subjectPublicKey)
+{
+  return HashedOctetString(subjectPublicKey);
+}
+
+// SingleResponse ::= SEQUENCE {
+//    certID                  CertID,
+//    certStatus              CertStatus,
+//    thisUpdate              GeneralizedTime,
+//    nextUpdate          [0] EXPLICIT GeneralizedTime OPTIONAL,
+//    singleExtensions    [1] EXPLICIT Extensions OPTIONAL }
+ByteString
+SingleResponse(OCSPResponseContext& context)
+{
+  ByteString certID(CertID(context));
+  if (ENCODING_FAILED(certID)) {
+    return ByteString();
+  }
+  ByteString certStatus(CertStatus(context));
+  if (ENCODING_FAILED(certStatus)) {
+    return ByteString();
+  }
+  ByteString thisUpdateEncoded(TimeToGeneralizedTime(context.thisUpdate));
+  if (ENCODING_FAILED(thisUpdateEncoded)) {
+    return ByteString();
+  }
+  ByteString nextUpdateEncodedNested;
+  if (context.includeNextUpdate) {
+    ByteString nextUpdateEncoded(TimeToGeneralizedTime(context.nextUpdate));
+    if (ENCODING_FAILED(nextUpdateEncoded)) {
+      return ByteString();
+    }
+    nextUpdateEncodedNested = TLV(der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 0,
+                                  nextUpdateEncoded);
+  }
+  ByteString singleExtensions;
+  if (context.singleExtensions || context.includeEmptyExtensions) {
+    singleExtensions = OCSPExtensions(context.singleExtensions);
+  }
+
+  ByteString value;
+  value.append(certID);
+  value.append(certStatus);
+  value.append(thisUpdateEncoded);
+  value.append(nextUpdateEncodedNested);
+  value.append(singleExtensions);
+  return TLV(der::SEQUENCE, value);
+}
+
+// CertID          ::=     SEQUENCE {
+//        hashAlgorithm       AlgorithmIdentifier,
+//        issuerNameHash      OCTET STRING, -- Hash of issuer's DN
+//        issuerKeyHash       OCTET STRING, -- Hash of issuer's public key
+//        serialNumber        CertificateSerialNumber }
+ByteString
+CertID(OCSPResponseContext& context)
+{
+  ByteString issuerName(context.certID.issuer.UnsafeGetData(),
+                        context.certID.issuer.GetLength());
+  ByteString issuerNameHash(HashedOctetString(issuerName));
+  if (ENCODING_FAILED(issuerNameHash)) {
+    return ByteString();
+  }
+
+  ByteString issuerKeyHash;
+  {
+    // context.certID.issuerSubjectPublicKeyInfo is the entire
+    // SubjectPublicKeyInfo structure, but we need just the subjectPublicKey
+    // part.
+    Reader input(context.certID.issuerSubjectPublicKeyInfo);
+    Reader contents;
+    if (der::ExpectTagAndGetValue(input, der::SEQUENCE, contents) != Success) {
+      return ByteString();
+    }
+    // Skip AlgorithmIdentifier
+    if (der::ExpectTagAndSkipValue(contents, der::SEQUENCE) != Success) {
+      return ByteString();
+    }
+    Input subjectPublicKey;
+    if (der::BitStringWithNoUnusedBits(contents, subjectPublicKey)
+          != Success) {
+      return ByteString();
+    }
+    issuerKeyHash = KeyHash(ByteString(subjectPublicKey.UnsafeGetData(),
+                                       subjectPublicKey.GetLength()));
+    if (ENCODING_FAILED(issuerKeyHash)) {
+      return ByteString();
+    }
+  }
+
+  ByteString serialNumberValue(context.certID.serialNumber.UnsafeGetData(),
+                               context.certID.serialNumber.GetLength());
+  ByteString serialNumber(TLV(der::INTEGER, serialNumberValue));
+
+  // python DottedOIDToCode.py --alg id-sha1 1.3.14.3.2.26
+  static const uint8_t alg_id_sha1[] = {
+    0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a
+  };
+
+  ByteString value;
+  value.append(alg_id_sha1, sizeof(alg_id_sha1));
+  value.append(issuerNameHash);
+  value.append(issuerKeyHash);
+  value.append(serialNumber);
+  return TLV(der::SEQUENCE, value);
+}
+
+// CertStatus ::= CHOICE {
+//    good                [0] IMPLICIT NULL,
+//    revoked             [1] IMPLICIT RevokedInfo,
+//    unknown             [2] IMPLICIT UnknownInfo }
+//
+// RevokedInfo ::= SEQUENCE {
+//    revocationTime              GeneralizedTime,
+//    revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
+//
+// UnknownInfo ::= NULL
+//
+ByteString
+CertStatus(OCSPResponseContext& context)
+{
+  switch (context.certStatus) {
+    // Both good and unknown are ultimately represented as NULL - the only
+    // difference is in the tag that identifies them.
+    case 0:
+    case 2:
+    {
+      // XXX: MSVC 2015 wrongly warns about signed/unsigned conversion without
+      // the static cast.
+      return TLV(static_cast<uint8_t>(der::CONTEXT_SPECIFIC |
+                                      context.certStatus), ByteString());
+    }
+    case 1:
+    {
+      ByteString revocationTime(TimeToGeneralizedTime(context.revocationTime));
+      if (ENCODING_FAILED(revocationTime)) {
+        return ByteString();
+      }
+      // TODO(bug 980536): add support for revocationReason
+      return TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1, revocationTime);
+    }
+    default:
+      assert(false);
+      // fall through
+  }
+  return ByteString();
+}
+
+static const ByteString NO_UNUSED_BITS(1, 0x00);
+
+// The SubjectPublicKeyInfo syntax is specified in RFC 5280 Section 4.1.
+TestKeyPair::TestKeyPair(const TestPublicKeyAlgorithm& aPublicKeyAlg,
+                         const ByteString& spk)
+  : publicKeyAlg(aPublicKeyAlg)
+  , subjectPublicKeyInfo(TLV(der::SEQUENCE,
+                             aPublicKeyAlg.algorithmIdentifier +
+                             TLV(der::BIT_STRING, NO_UNUSED_BITS + spk)))
+  , subjectPublicKey(spk)
+{
+}
+
+} } } // namespace mozilla::pkix::test
diff --git a/security/nss/lib/mozpkix/tools/DottedOIDToCode.py b/security/nss/lib/mozpkix/tools/DottedOIDToCode.py
new file mode 100644
index 000000000..dfd4ade07
--- /dev/null
+++ b/security/nss/lib/mozpkix/tools/DottedOIDToCode.py
@@ -0,0 +1,216 @@
+# This code is made available to you under your choice of the following sets
+# of licensing terms:
+###############################################################################
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+###############################################################################
+# Copyright 2013 Mozilla Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import print_function
+import argparse
+import itertools
+import sys
+
+
+def base128(value):
+    """
+    Given an integral value, returns an array of the base-128 representation
+    of that value, with all but the last byte having the high bit set as
+    required by the DER rules for the nodes of an OID after the first two
+    bytes.
+
+    >>> base128(1)
+    [1]
+    >>> base128(10045)
+    [206, 61]
+    """
+
+    if value < 0:
+        raise ValueError("An OID must have only positive-value nodes.")
+
+    # least significant byte has highest bit unset
+    result = [value % 0x80]
+    value /= 0x80
+
+    while value != 0:
+        result = [0x80 | (value % 0x80)] + result
+        value /= 0x80
+
+    return result
+
+
+def dottedOIDToEncodedArray(dottedOID):
+    """
+    Takes a dotted OID string (e.g. '1.2.840.10045.4.3.4') as input, and
+    returns an array that contains the DER encoding of its value, without
+    the tag and length (e.g. [0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04]).
+    """
+    nodes = [int(x) for x in dottedOID.strip().split(".")]
+    if len(nodes) < 2:
+        raise ValueError("An OID must have at least two nodes.")
+    if not (0 <= nodes[0] <= 2):
+        raise ValueError("The first node of an OID must be 0, 1, or 2.")
+    if not (0 <= nodes[1] <= 39):
+        # XXX: Does this restriction apply when the first part is 2?
+        raise ValueError("The second node of an OID must be 0-39.")
+    firstByte = (40 * nodes[0]) + nodes[1]
+    restBase128 = [base128(x) for x in nodes[2:]]
+    return [firstByte] + list(itertools.chain.from_iterable(restBase128))
+
+
+def dottedOIDToCArray(dottedOID, mode):
+    """
+    Takes a dotted OID string (e.g. '1.2.840.10045.4.3.4') as input, and
+    returns a string that contains the hex encoding of the OID in C++ literal
+    notation, e.g. '0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04'.
+    """
+    bytes = dottedOIDToEncodedArray(dottedOID)
+
+    if mode != "value" and mode != "prefixdefine":
+        bytes = [0x06, len(bytes)] + bytes
+
+    if mode == "alg":
+        # Wrap the DER-encoded OID in a SEQUENCE to create an
+        # AlgorithmIdentifier with no parameters.
+        bytes = [0x30, len(bytes)] + bytes
+
+    return ", ".join(["0x%.2x" % b for b in bytes])
+
+
+def specNameToCName(specName):
+    """
+    Given an string containing an ASN.1 name, returns a string that is a valid
+    C++ identifier that is as similar to that name as possible. Since most
+    ASN.1 identifiers used in PKIX specifications are legal C++ names except
+    for containing hyphens, this function just converts the hyphens to
+    underscores. This may need to be improved in the future if we encounter
+    names with other funny characters.
+    """
+    return specName.replace("-", "_")
+
+
+def toCode(programName, specName, dottedOID, mode):
+    """
+    Given an ASN.1 name and a string containing the dotted representation of an
+    OID, returns a string that contains a C++ declaration for a named constant
+    that contains that OID value. If mode is "value" then only the value of
+    the OID (without the tag or length) will be included in the output. If mode
+    is "tlv" then the value will be prefixed with the tag and length. If mode
+    is "alg" then the value will be a complete der-encoded AlgorithmIdentifier
+    with no parameters.
+
+    This:
+
+        toCode("DottedOIDToCode.py", "ecdsa-with-SHA512", "1.2.840.10045.4.3.4",
+               "value")
+
+    would result in a string like:
+
+        // python DottedOIDToCode.py ecdsa-with-SHA512 1.2.840.10045.4.3.4
+        static const uint8_t ecdsa_with_SHA512[] = {
+          0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04
+        };
+
+    This:
+
+        toCode("DottedOIDToCode.py", "ecdsa-with-SHA512", "1.2.840.10045.4.3.4",
+               "tlv")
+
+    would result in a string like:
+
+        // python DottedOIDToCode.py --tlv ecdsa-with-SHA512 1.2.840.10045.4.3.4
+        static const uint8_t tlv_ecdsa_with_SHA512[] = {
+          0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04
+        };
+
+    This:
+
+        toCode("DottedOIDToCode.py", "ecdsa-with-SHA512", "1.2.840.10045.4.3.4",
+               "alg")
+
+    would result in a string like:
+
+        // python DottedOIDToCode.py --alg ecdsa-with-SHA512 1.2.840.10045.4.3.4
+        static const uint8_t alg_ecdsa_with_SHA512[] = {
+          0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04
+        };
+
+    This:
+
+        toCode("DottedOIDToCode.py", "PREFIX_1_2_840_10045", "1.2.840.10045",
+               "prefixdefine")
+
+    would result in a string like this (note the lack of indention):
+
+      // python DottedOIDToCode.py --prefixdefine PREFIX_1_2_840_10045 1.2.840.10045
+      #define PREFIX_1_2_840_10045 0x2a, 0x86, 0x48, 0xce, 0x3d
+    """
+    programNameWithOptions = programName
+
+    if mode == "prefixdefine":
+        programNameWithOptions += " --prefixdefine"
+        varName = specName
+        return ("// python %s %s %s\n" +
+                "#define %s %s\n") % (programNameWithOptions, specName,
+                                      dottedOID, varName,
+                                      dottedOIDToCArray(dottedOID, mode))
+
+    varName = specNameToCName(specName)
+    if mode == "tlv":
+        programNameWithOptions += " --tlv"
+        varName = "tlv_" + varName
+    elif mode == "alg":
+        programNameWithOptions += " --alg"
+        varName = "alg_" + varName
+    elif mode == "prefixdefine":
+        programNameWithOptions += " --alg"
+        varName = varName
+
+    return ("  // python %s %s %s\n" +
+            "  static const uint8_t %s[] = {\n" +
+            "    %s\n" +
+            "  };\n") % (programNameWithOptions, specName, dottedOID, varName,
+                         dottedOIDToCArray(dottedOID, mode))
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(
+        description="Generate code snippets to handle OIDs in C++",
+        epilog="example: python %s ecdsa-with-SHA1 1.2.840.10045.4.1"
+        % sys.argv[0])
+    group = parser.add_mutually_exclusive_group()
+    group.add_argument("--tlv", action='store_true',
+                       help="Wrap the encoded OID value with the tag and length")
+    group.add_argument("--alg", action='store_true',
+                       help="Wrap the encoded OID value in an encoded SignatureAlgorithm")
+    group.add_argument("--prefixdefine", action='store_true',
+                       help="generate a OID prefix #define")
+    parser.add_argument("name",
+                        help="The name given to the OID in the specification")
+    parser.add_argument("dottedOID", metavar="dotted-oid",
+                        help="The OID value, in dotted notation")
+
+    args = parser.parse_args()
+    if args.alg:
+        mode = 'alg'
+    elif args.tlv:
+        mode = 'tlv'
+    elif args.prefixdefine:
+        mode = 'prefixdefine'
+    else:
+        mode = 'value'
+
+    print(toCode(sys.argv[0], args.name, args.dottedOID, mode))
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index 4f0ade4d0..8a9b3b030 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -1133,3 +1133,9 @@ SEC_CreateSignatureAlgorithmParameters;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.39 { 	# NSS 3.39 release
+;+    global:
+CERT_GetCertKeyType;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
index efb0827c5..49c545ecc 100644
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -22,9 +22,9 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION "3.38" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.41" _NSS_CUSTOMIZED
 #define NSS_VMAJOR 3
-#define NSS_VMINOR 38
+#define NSS_VMINOR 41
 #define NSS_VPATCH 0
 #define NSS_VBUILD 0
 #define NSS_BETA PR_FALSE
diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c
index 5d62d479c..9b6012771 100644
--- a/security/nss/lib/nss/nssinit.c
+++ b/security/nss/lib/nss/nssinit.c
@@ -12,7 +12,7 @@
 #include "prprf.h"
 #include "prmem.h"
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secmod.h"
 #include "secoid.h"
 #include "nss.h"
@@ -54,7 +54,7 @@ nss_mktemp(char *path)
 
 #define NSS_MAX_FLAG_SIZE sizeof("readOnly") + sizeof("noCertDB") +                                  \
                               sizeof("noModDB") + sizeof("forceOpen") + sizeof("passwordRequired") + \
-                              sizeof("optimizeSpace")
+                              sizeof("optimizeSpace") + sizeof("printPolicyFeedback")
 #define NSS_DEFAULT_MOD_NAME "NSS Internal Module"
 
 static char *
@@ -702,6 +702,30 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
         if (SECOID_Init() != SECSuccess) {
             goto loser;
         }
+#ifdef POLICY_FILE
+        /* Load the system crypto policy file if it exists,
+         * unless the NSS_IGNORE_SYSTEM_POLICY environment
+         * variable has been set to 1. */
+        ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
+        if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
+            if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
+                SECMODModule *module = SECMOD_LoadModule(
+                    "name=\"Policy File\" "
+                    "parameters=\"configdir='sql:" POLICY_PATH "' "
+                    "secmod='" POLICY_FILE "' "
+                    "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
+                    "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
+                    parent, PR_TRUE);
+                if (module) {
+                    PRBool isLoaded = module->loaded;
+                    SECMOD_DestroyModule(module);
+                    if (!isLoaded) {
+                        goto loser;
+                    }
+                }
+            }
+        }
+#endif
         if (STAN_LoadDefaultNSS3TrustDomain() != PR_SUCCESS) {
             goto loser;
         }
@@ -730,30 +754,6 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
                 }
             }
         }
-#ifdef POLICY_FILE
-        /* Load the system crypto policy file if it exists,
-         * unless the NSS_IGNORE_SYSTEM_POLICY environment
-         * variable has been set to 1. */
-        ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
-        if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
-            if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
-                SECMODModule *module = SECMOD_LoadModule(
-                    "name=\"Policy File\" "
-                    "parameters=\"configdir='sql:" POLICY_PATH "' "
-                    "secmod='" POLICY_FILE "' "
-                    "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
-                    "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
-                    parent, PR_TRUE);
-                if (module) {
-                    PRBool isLoaded = module->loaded;
-                    SECMOD_DestroyModule(module);
-                    if (!isLoaded) {
-                        goto loser;
-                    }
-                }
-            }
-        }
-#endif
         pk11sdr_Init();
         cert_CreateSubjectKeyIDHashTable();
 
diff --git a/security/nss/lib/pk11wrap/pk11akey.c b/security/nss/lib/pk11wrap/pk11akey.c
index 346e473a9..c6070e264 100644
--- a/security/nss/lib/pk11wrap/pk11akey.c
+++ b/security/nss/lib/pk11wrap/pk11akey.c
@@ -13,7 +13,7 @@
 #include "pkcs11t.h"
 #include "pk11func.h"
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "keyi.h"
 #include "secitem.h"
 #include "secasn1.h"
@@ -804,30 +804,12 @@ PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType,
     /* don't know? look it up */
     if (keyType == nullKey) {
         CK_KEY_TYPE pk11Type = CKK_RSA;
-        SECItem info;
 
         pk11Type = PK11_ReadULongAttribute(slot, privID, CKA_KEY_TYPE);
         isTemp = (PRBool)!PK11_HasAttributeSet(slot, privID, CKA_TOKEN, PR_FALSE);
         switch (pk11Type) {
             case CKK_RSA:
                 keyType = rsaKey;
-                /* determine RSA key type from the CKA_PUBLIC_KEY_INFO if present */
-                rv = PK11_ReadAttribute(slot, privID, CKA_PUBLIC_KEY_INFO, NULL, &info);
-                if (rv == SECSuccess) {
-                    CERTSubjectPublicKeyInfo *spki;
-
-                    spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&info);
-                    if (spki) {
-                        SECOidTag tag;
-
-                        tag = SECOID_GetAlgorithmTag(&spki->algorithm);
-                        if (tag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE)
-                            keyType = rsaPssKey;
-                        SECKEY_DestroySubjectPublicKeyInfo(spki);
-                    }
-                    SECITEM_FreeItem(&info, PR_FALSE);
-                }
-
                 break;
             case CKK_DSA:
                 keyType = dsaKey;
diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c
index c1caf5e60..819769643 100644
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -15,7 +15,7 @@
 #include "cert.h"
 #include "certi.h"
 #include "secitem.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secoid.h"
 #include "pkcs7t.h"
 #include "cmsreclist.h"
@@ -741,7 +741,7 @@ find_certs_from_nickname(const char *nickname, void *wincx)
     char *delimit = NULL;
     char *tokenName;
 
-    if (!strncmp(nickname, "pkcs11:", strlen("pkcs11:"))) {
+    if (!PORT_Strncasecmp(nickname, "pkcs11:", strlen("pkcs11:"))) {
         certs = find_certs_from_uri(nickname, wincx);
         if (certs)
             return certs;
diff --git a/security/nss/lib/pk11wrap/pk11kea.c b/security/nss/lib/pk11wrap/pk11kea.c
index 331a19c16..1f228cfaf 100644
--- a/security/nss/lib/pk11wrap/pk11kea.c
+++ b/security/nss/lib/pk11wrap/pk11kea.c
@@ -14,7 +14,7 @@
 #include "pkcs11.h"
 #include "pk11func.h"
 #include "secitem.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "sechash.h"
 #include "cert.h"
diff --git a/security/nss/lib/pk11wrap/pk11obj.c b/security/nss/lib/pk11wrap/pk11obj.c
index b97caddd4..937ac654a 100644
--- a/security/nss/lib/pk11wrap/pk11obj.c
+++ b/security/nss/lib/pk11wrap/pk11obj.c
@@ -11,7 +11,7 @@
 #include "pkcs11.h"
 #include "pkcs11t.h"
 #include "pk11func.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secitem.h"
 #include "secerr.h"
 #include "sslerr.h"
diff --git a/security/nss/lib/pk11wrap/pk11pars.c b/security/nss/lib/pk11wrap/pk11pars.c
index c165e1ef2..db60f7c9d 100644
--- a/security/nss/lib/pk11wrap/pk11pars.c
+++ b/security/nss/lib/pk11wrap/pk11pars.c
@@ -109,6 +109,7 @@ secmod_NewModule(void)
                                                  *other flags are set */
 #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
 #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
 
 /* private flags for internal (field in SECMODModule). */
 /* The meaing of these flags is as follows:
@@ -193,7 +194,7 @@ typedef struct {
  *  This table should be merged with the SECOID table.
  */
 #define CIPHER_NAME(x) x, (sizeof(x) - 1)
-static const oidValDef algOptList[] = {
+static const oidValDef curveOptList[] = {
     /* Curves */
     { CIPHER_NAME("PRIME192V1"), SEC_OID_ANSIX962_EC_PRIME192V1,
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
@@ -315,7 +316,9 @@ static const oidValDef algOptList[] = {
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
     { CIPHER_NAME("SECT571R1"), SEC_OID_SECG_EC_SECT571R1,
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+};
 
+static const oidValDef hashOptList[] = {
     /* Hashes */
     { CIPHER_NAME("MD2"), SEC_OID_MD2,
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
@@ -333,7 +336,9 @@ static const oidValDef algOptList[] = {
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
     { CIPHER_NAME("SHA512"), SEC_OID_SHA512,
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+};
 
+static const oidValDef macOptList[] = {
     /* MACs */
     { CIPHER_NAME("HMAC-SHA1"), SEC_OID_HMAC_SHA1, NSS_USE_ALG_IN_SSL },
     { CIPHER_NAME("HMAC-SHA224"), SEC_OID_HMAC_SHA224, NSS_USE_ALG_IN_SSL },
@@ -341,7 +346,9 @@ static const oidValDef algOptList[] = {
     { CIPHER_NAME("HMAC-SHA384"), SEC_OID_HMAC_SHA384, NSS_USE_ALG_IN_SSL },
     { CIPHER_NAME("HMAC-SHA512"), SEC_OID_HMAC_SHA512, NSS_USE_ALG_IN_SSL },
     { CIPHER_NAME("HMAC-MD5"), SEC_OID_HMAC_MD5, NSS_USE_ALG_IN_SSL },
+};
 
+static const oidValDef cipherOptList[] = {
     /* Ciphers */
     { CIPHER_NAME("AES128-CBC"), SEC_OID_AES_128_CBC, NSS_USE_ALG_IN_SSL },
     { CIPHER_NAME("AES192-CBC"), SEC_OID_AES_192_CBC, NSS_USE_ALG_IN_SSL },
@@ -361,7 +368,9 @@ static const oidValDef algOptList[] = {
     { CIPHER_NAME("RC2"), SEC_OID_RC2_CBC, NSS_USE_ALG_IN_SSL },
     { CIPHER_NAME("RC4"), SEC_OID_RC4, NSS_USE_ALG_IN_SSL },
     { CIPHER_NAME("IDEA"), SEC_OID_IDEA_CBC, NSS_USE_ALG_IN_SSL },
+};
 
+static const oidValDef kxOptList[] = {
     /* Key exchange */
     { CIPHER_NAME("RSA"), SEC_OID_TLS_RSA, NSS_USE_ALG_IN_SSL_KX },
     { CIPHER_NAME("RSA-EXPORT"), SEC_OID_TLS_RSA_EXPORT, NSS_USE_ALG_IN_SSL_KX },
@@ -375,6 +384,20 @@ static const oidValDef algOptList[] = {
     { CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
 };
 
+typedef struct {
+    const oidValDef *list;
+    PRUint32 entries;
+    const char *description;
+} algListsDef;
+
+static const algListsDef algOptLists[] = {
+    { curveOptList, PR_ARRAY_SIZE(curveOptList), "ECC" },
+    { hashOptList, PR_ARRAY_SIZE(hashOptList), "HASH" },
+    { macOptList, PR_ARRAY_SIZE(macOptList), "MAC" },
+    { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER" },
+    { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX" },
+};
+
 static const optionFreeDef sslOptList[] = {
     /* Versions */
     { CIPHER_NAME("SSL2.0"), 0x002 },
@@ -401,7 +424,7 @@ static const optionFreeDef freeOptList[] = {
     { CIPHER_NAME("TLS-VERSION-MAX"), NSS_TLS_VERSION_MAX_POLICY },
     /* constraints on DTLS Protocols */
     { CIPHER_NAME("DTLS-VERSION-MIN"), NSS_DTLS_VERSION_MIN_POLICY },
-    { CIPHER_NAME("DTLS-VERSION-MAX"), NSS_DTLS_VERSION_MIN_POLICY }
+    { CIPHER_NAME("DTLS-VERSION-MAX"), NSS_DTLS_VERSION_MAX_POLICY }
 };
 
 static const policyFlagDef policyFlagList[] = {
@@ -446,7 +469,8 @@ secmod_ArgGetSubValue(const char *cipher, char sep1, char sep2,
 }
 
 static PRUint32
-secmod_parsePolicyValue(const char *policyFlags, int policyLength)
+secmod_parsePolicyValue(const char *policyFlags, int policyLength,
+                        PRBool printPolicyFeedback)
 {
     const char *flag, *currentString;
     PRUint32 flags = 0;
@@ -455,6 +479,7 @@ secmod_parsePolicyValue(const char *policyFlags, int policyLength)
     for (currentString = policyFlags; currentString &&
                                       currentString < policyFlags + policyLength;) {
         int length;
+        PRBool unknown = PR_TRUE;
         flag = secmod_ArgGetSubValue(currentString, ',', ':', &length,
                                      &currentString);
         if (length == 0) {
@@ -466,41 +491,49 @@ secmod_parsePolicyValue(const char *policyFlags, int policyLength)
             if ((policy->name_size == length) &&
                 PORT_Strncasecmp(policy->name, flag, name_size) == 0) {
                 flags |= policy->flag;
+                unknown = PR_FALSE;
                 break;
             }
         }
+        if (unknown && printPolicyFeedback) {
+            PR_SetEnv("NSS_POLICY_FAIL=1");
+            fprintf(stderr, "NSS-POLICY-FAIL %.*s: unknown value: %.*s\n",
+                    policyLength, policyFlags, length, flag);
+        }
     }
     return flags;
 }
 
 /* allow symbolic names for values. The only ones currently defines or
  * SSL protocol versions. */
-static PRInt32
-secmod_getPolicyOptValue(const char *policyValue, int policyValueLength)
+static SECStatus
+secmod_getPolicyOptValue(const char *policyValue, int policyValueLength,
+                         PRInt32 *result)
 {
     PRInt32 val = atoi(policyValue);
     int i;
 
     if ((val != 0) || (*policyValue == '0')) {
-        return val;
+        *result = val;
+        return SECSuccess;
     }
     for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) {
         if (policyValueLength == sslOptList[i].name_size &&
             PORT_Strncasecmp(sslOptList[i].name, policyValue,
                              sslOptList[i].name_size) == 0) {
-            val = sslOptList[i].option;
-            break;
+            *result = sslOptList[i].option;
+            return SECSuccess;
         }
     }
-    return val;
+    return SECFailure;
 }
 
 static SECStatus
-secmod_applyCryptoPolicy(const char *policyString,
-                         PRBool allow)
+secmod_applyCryptoPolicy(const char *policyString, PRBool allow,
+                         PRBool printPolicyFeedback)
 {
     const char *cipher, *currentString;
-    unsigned i;
+    unsigned i, j;
     SECStatus rv = SECSuccess;
     PRBool unknown;
 
@@ -525,56 +558,63 @@ secmod_applyCryptoPolicy(const char *policyString,
             /* disable or enable all options by default */
             PRUint32 value = 0;
             if (newValue) {
-                value = secmod_parsePolicyValue(&cipher[3] + 1, length - 3 - 1);
+                value = secmod_parsePolicyValue(&cipher[3] + 1, length - 3 - 1, printPolicyFeedback);
             }
-            for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) {
-                PRUint32 enable, disable;
-                if (!newValue) {
-                    value = algOptList[i].val;
-                }
-                if (allow) {
-                    enable = value;
-                    disable = 0;
-                } else {
-                    enable = 0;
-                    disable = value;
+            for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
+                const algListsDef *algOptList = &algOptLists[i];
+                for (j = 0; j < algOptList->entries; j++) {
+                    PRUint32 enable, disable;
+                    if (!newValue) {
+                        value = algOptList->list[j].val;
+                    }
+                    if (allow) {
+                        enable = value;
+                        disable = 0;
+                    } else {
+                        enable = 0;
+                        disable = value;
+                    }
+                    NSS_SetAlgorithmPolicy(algOptList->list[j].oid, enable, disable);
                 }
-                NSS_SetAlgorithmPolicy(algOptList[i].oid, enable, disable);
             }
             continue;
         }
 
-        for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) {
-            const oidValDef *algOpt = &algOptList[i];
-            unsigned name_size = algOpt->name_size;
-            PRBool newOption = PR_FALSE;
+        for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
+            const algListsDef *algOptList = &algOptLists[i];
+            for (j = 0; j < algOptList->entries; j++) {
+                const oidValDef *algOpt = &algOptList->list[j];
+                unsigned name_size = algOpt->name_size;
+                PRBool newOption = PR_FALSE;
 
-            if ((length >= name_size) && (cipher[name_size] == '/')) {
-                newOption = PR_TRUE;
-            }
-            if ((newOption || algOpt->name_size == length) &&
-                PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) {
-                PRUint32 value = algOpt->val;
-                PRUint32 enable, disable;
-                if (newOption) {
-                    value = secmod_parsePolicyValue(&cipher[name_size] + 1,
-                                                    length - name_size - 1);
+                if ((length >= name_size) && (cipher[name_size] == '/')) {
+                    newOption = PR_TRUE;
                 }
-                if (allow) {
-                    enable = value;
-                    disable = 0;
-                } else {
-                    enable = 0;
-                    disable = value;
-                }
-                rv = NSS_SetAlgorithmPolicy(algOpt->oid, enable, disable);
-                if (rv != SECSuccess) {
-                    /* could not enable option */
-                    /* NSS_SetAlgorithPolicy should have set the error code */
-                    return SECFailure;
+                if ((newOption || algOpt->name_size == length) &&
+                    PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) {
+                    PRUint32 value = algOpt->val;
+                    PRUint32 enable, disable;
+                    if (newOption) {
+                        value = secmod_parsePolicyValue(&cipher[name_size] + 1,
+                                                        length - name_size - 1,
+                                                        printPolicyFeedback);
+                    }
+                    if (allow) {
+                        enable = value;
+                        disable = 0;
+                    } else {
+                        enable = 0;
+                        disable = value;
+                    }
+                    rv = NSS_SetAlgorithmPolicy(algOpt->oid, enable, disable);
+                    if (rv != SECSuccess) {
+                        /* could not enable option */
+                        /* NSS_SetAlgorithPolicy should have set the error code */
+                        return SECFailure;
+                    }
+                    unknown = PR_FALSE;
+                    break;
                 }
-                unknown = PR_FALSE;
-                break;
             }
         }
         if (!unknown) {
@@ -587,9 +627,19 @@ secmod_applyCryptoPolicy(const char *policyString,
 
             if ((length > name_size) && cipher[name_size] == '=' &&
                 PORT_Strncasecmp(freeOpt->name, cipher, name_size) == 0) {
-                PRInt32 val = secmod_getPolicyOptValue(&cipher[name_size + 1],
-                                                       length - name_size - 1);
-
+                PRInt32 val;
+                const char *policyValue = &cipher[name_size + 1];
+                int policyValueLength = length - name_size - 1;
+                rv = secmod_getPolicyOptValue(policyValue, policyValueLength,
+                                              &val);
+                if (rv != SECSuccess) {
+                    if (printPolicyFeedback) {
+                        PR_SetEnv("NSS_POLICY_FAIL=1");
+                        fprintf(stderr, "NSS-POLICY-FAIL %.*s: unknown value: %.*s\n",
+                                length, cipher, policyValueLength, policyValue);
+                    }
+                    return SECFailure;
+                }
                 rv = NSS_OptionSet(freeOpt->option, val);
                 if (rv != SECSuccess) {
                     /* could not enable option */
@@ -602,12 +652,83 @@ secmod_applyCryptoPolicy(const char *policyString,
                 break;
             }
         }
+
+        if (unknown && printPolicyFeedback) {
+            PR_SetEnv("NSS_POLICY_FAIL=1");
+            fprintf(stderr, "NSS-POLICY-FAIL %s: unknown identifier: %.*s\n",
+                    allow ? "allow" : "disallow", length, cipher);
+        }
     }
     return rv;
 }
 
+static void
+secmod_sanityCheckCryptoPolicy(void)
+{
+    unsigned i, j;
+    SECStatus rv = SECSuccess;
+    unsigned num_kx_enabled = 0;
+    unsigned num_ssl_enabled = 0;
+    unsigned num_sig_enabled = 0;
+    unsigned enabledCount[PR_ARRAY_SIZE(algOptLists)];
+    const char *sWarn = "WARN";
+    const char *sInfo = "INFO";
+    PRBool haveWarning = PR_FALSE;
+
+    for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
+        const algListsDef *algOptList = &algOptLists[i];
+        enabledCount[i] = 0;
+        for (j = 0; j < algOptList->entries; j++) {
+            const oidValDef *algOpt = &algOptList->list[j];
+            PRUint32 value;
+            PRBool anyEnabled = PR_FALSE;
+            rv = NSS_GetAlgorithmPolicy(algOpt->oid, &value);
+            if (rv != SECSuccess) {
+                PR_SetEnv("NSS_POLICY_FAIL=1");
+                fprintf(stderr, "NSS-POLICY-FAIL: internal failure with NSS_GetAlgorithmPolicy at %u\n", i);
+                return;
+            }
+
+            if ((algOpt->val & NSS_USE_ALG_IN_SSL_KX) && (value & NSS_USE_ALG_IN_SSL_KX)) {
+                ++num_kx_enabled;
+                anyEnabled = PR_TRUE;
+                fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for KX\n", algOpt->name);
+            }
+            if ((algOpt->val & NSS_USE_ALG_IN_SSL) && (value & NSS_USE_ALG_IN_SSL)) {
+                ++num_ssl_enabled;
+                anyEnabled = PR_TRUE;
+                fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for SSL\n", algOpt->name);
+            }
+            if ((algOpt->val & NSS_USE_ALG_IN_CERT_SIGNATURE) && (value & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+                ++num_sig_enabled;
+                anyEnabled = PR_TRUE;
+                fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for CERT-SIGNATURE\n", algOpt->name);
+            }
+            if (anyEnabled) {
+                ++enabledCount[i];
+            }
+        }
+    }
+    fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-SSL-ALG-KX: %u\n", num_kx_enabled ? sInfo : sWarn, num_kx_enabled);
+    fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-SSL-ALG: %u\n", num_ssl_enabled ? sInfo : sWarn, num_ssl_enabled);
+    fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-CERT-SIG: %u\n", num_sig_enabled ? sInfo : sWarn, num_sig_enabled);
+    if (!num_kx_enabled || !num_ssl_enabled || !num_sig_enabled) {
+        haveWarning = PR_TRUE;
+    }
+    for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
+        const algListsDef *algOptList = &algOptLists[i];
+        fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-%s: %u\n", enabledCount[i] ? sInfo : sWarn, algOptList->description, enabledCount[i]);
+        if (!enabledCount[i]) {
+            haveWarning = PR_TRUE;
+        }
+    }
+    if (haveWarning) {
+        PR_SetEnv("NSS_POLICY_WARN=1");
+    }
+}
+
 static SECStatus
-secmod_parseCryptoPolicy(const char *policyConfig)
+secmod_parseCryptoPolicy(const char *policyConfig, PRBool printPolicyFeedback)
 {
     char *disallow, *allow;
     SECStatus rv;
@@ -622,16 +743,26 @@ secmod_parseCryptoPolicy(const char *policyConfig)
         return rv;
     }
     disallow = NSSUTIL_ArgGetParamValue("disallow", policyConfig);
-    rv = secmod_applyCryptoPolicy(disallow, PR_FALSE);
+    rv = secmod_applyCryptoPolicy(disallow, PR_FALSE, printPolicyFeedback);
     if (disallow)
         PORT_Free(disallow);
     if (rv != SECSuccess) {
         return rv;
     }
     allow = NSSUTIL_ArgGetParamValue("allow", policyConfig);
-    rv = secmod_applyCryptoPolicy(allow, PR_TRUE);
+    rv = secmod_applyCryptoPolicy(allow, PR_TRUE, printPolicyFeedback);
     if (allow)
         PORT_Free(allow);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    if (printPolicyFeedback) {
+        /* This helps to distinguish configurations that don't contain any
+         * policy config= statement. */
+        PR_SetEnv("NSS_POLICY_LOADED=1");
+        fprintf(stderr, "NSS-POLICY-INFO: LOADED-SUCCESSFULLY\n");
+        secmod_sanityCheckCryptoPolicy();
+    }
     return rv;
 }
 
@@ -648,11 +779,16 @@ SECMOD_CreateModuleEx(const char *library, const char *moduleName,
     char *slotParams, *ciphers;
     /* pk11pars.h still does not have const char * interfaces */
     char *nssc = (char *)nss;
+    PRBool printPolicyFeedback = NSSUTIL_ArgHasFlag("flags", "printPolicyFeedback", nssc);
 
-    rv = secmod_parseCryptoPolicy(config);
+    rv = secmod_parseCryptoPolicy(config, printPolicyFeedback);
 
     /* do not load the module if policy parsing fails */
     if (rv != SECSuccess) {
+        if (printPolicyFeedback) {
+            PR_SetEnv("NSS_POLICY_FAIL=1");
+            fprintf(stderr, "NSS-POLICY-FAIL: policy config parsing failed, not loading module %s\n", moduleName);
+        }
         return NULL;
     }
 
@@ -703,6 +839,9 @@ SECMOD_CreateModuleEx(const char *library, const char *moduleName,
         if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {
             flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
         }
+        if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
+            flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
+        }
         /* additional moduleDB flags could be added here in the future */
         mod->isModuleDB = (PRBool)flags;
     }
@@ -743,6 +882,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule *mod)
 }
 
 PRBool
+secmod_PolicyOnly(SECMODModule *mod)
+{
+    char flags = (char)mod->isModuleDB;
+
+    return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
+}
+
+PRBool
 secmod_IsInternalKeySlot(SECMODModule *mod)
 {
     char flags = (char)mod->internal;
@@ -1635,6 +1782,7 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse)
     SECMODModule *module = NULL;
     SECMODModule *oldModule = NULL;
     SECStatus rv;
+    PRBool forwardPolicyFeedback = PR_FALSE;
 
     /* initialize the underlying module structures */
     SECMOD_Init();
@@ -1647,6 +1795,7 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse)
     }
 
     module = SECMOD_CreateModuleEx(library, moduleName, parameters, nss, config);
+    forwardPolicyFeedback = NSSUTIL_ArgHasFlag("flags", "printPolicyFeedback", nss);
     if (library)
         PORT_Free(library);
     if (moduleName)
@@ -1660,6 +1809,12 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse)
     if (!module) {
         goto loser;
     }
+
+    /* a policy only stanza doesn't actually get 'loaded'. policy has already
+     * been parsed as a side effect of the CreateModuleEx call */
+    if (secmod_PolicyOnly(module)) {
+        return module;
+    }
     if (parent) {
         module->parent = SECMOD_ReferenceModule(parent);
         if (module->internal && secmod_IsInternalKeySlot(parent)) {
@@ -1703,7 +1858,15 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse)
                     rv = SECFailure;
                     break;
                 }
-                child = SECMOD_LoadModule(*index, module, PR_TRUE);
+                if (!forwardPolicyFeedback) {
+                    child = SECMOD_LoadModule(*index, module, PR_TRUE);
+                } else {
+                    /* Add printPolicyFeedback to the nss flags */
+                    char *specWithForwards =
+                        NSSUTIL_AddNSSFlagToModuleSpec(*index, "printPolicyFeedback");
+                    child = SECMOD_LoadModule(specWithForwards, module, PR_TRUE);
+                    PORT_Free(specWithForwards);
+                }
                 if (!child)
                     break;
                 if (child->isCritical && !child->loaded) {
diff --git a/security/nss/lib/pk11wrap/pk11pbe.c b/security/nss/lib/pk11wrap/pk11pbe.c
index 5f68f399e..4b6645578 100644
--- a/security/nss/lib/pk11wrap/pk11pbe.c
+++ b/security/nss/lib/pk11wrap/pk11pbe.c
@@ -23,7 +23,7 @@
 #include "pkcs11.h"
 #include "pk11func.h"
 #include "secitem.h"
-#include "key.h"
+#include "keyhi.h"
 
 typedef struct SEC_PKCS5PBEParameterStr SEC_PKCS5PBEParameter;
 struct SEC_PKCS5PBEParameterStr {
diff --git a/security/nss/lib/pk11wrap/pk11pk12.c b/security/nss/lib/pk11wrap/pk11pk12.c
index 035143af8..47b6702c6 100644
--- a/security/nss/lib/pk11wrap/pk11pk12.c
+++ b/security/nss/lib/pk11wrap/pk11pk12.c
@@ -14,7 +14,7 @@
 #include "pkcs11.h"
 #include "pk11func.h"
 #include "secitem.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secoid.h"
 #include "secasn1.h"
 #include "secerr.h"
diff --git a/security/nss/lib/pk11wrap/pk11priv.h b/security/nss/lib/pk11wrap/pk11priv.h
index 9281923fa..8848c81ec 100644
--- a/security/nss/lib/pk11wrap/pk11priv.h
+++ b/security/nss/lib/pk11wrap/pk11priv.h
@@ -7,7 +7,7 @@
 #include "seccomon.h"
 #include "secoidt.h"
 #include "secdert.h"
-#include "keyt.h"
+#include "keythi.h"
 #include "certt.h"
 #include "pkcs11t.h"
 #include "secmodt.h"
diff --git a/security/nss/lib/pk11wrap/pk11pub.h b/security/nss/lib/pk11wrap/pk11pub.h
index dbd8da092..8db969e4c 100644
--- a/security/nss/lib/pk11wrap/pk11pub.h
+++ b/security/nss/lib/pk11wrap/pk11pub.h
@@ -7,7 +7,7 @@
 #include "seccomon.h"
 #include "secoidt.h"
 #include "secdert.h"
-#include "keyt.h"
+#include "keythi.h"
 #include "certt.h"
 #include "pkcs11t.h"
 #include "secmodt.h"
diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c
index c39abe17e..ebe54d495 100644
--- a/security/nss/lib/pk11wrap/pk11slot.c
+++ b/security/nss/lib/pk11wrap/pk11slot.c
@@ -607,12 +607,32 @@ PK11_FindSlotsByNames(const char *dllName, const char *slotName,
     return slotList;
 }
 
-PK11SlotInfo *
-PK11_FindSlotByName(const char *name)
+typedef PRBool (*PK11SlotMatchFunc)(PK11SlotInfo *slot, const void *arg);
+
+static PRBool
+pk11_MatchSlotByTokenName(PK11SlotInfo *slot, const void *arg)
+{
+    return PORT_Strcmp(slot->token_name, arg) == 0;
+}
+
+static PRBool
+pk11_MatchSlotBySerial(PK11SlotInfo *slot, const void *arg)
 {
+    return PORT_Memcmp(slot->serial, arg, sizeof(slot->serial)) == 0;
+}
+
+static PRBool
+pk11_MatchSlotByTokenURI(PK11SlotInfo *slot, const void *arg)
+{
+    return pk11_MatchUriTokenInfo(slot, (PK11URI *)arg);
+}
+
+static PK11SlotInfo *
+pk11_FindSlot(const void *arg, PK11SlotMatchFunc func)
+{
+    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
     SECMODModuleList *mlp;
     SECMODModuleList *modules;
-    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
     int i;
     PK11SlotInfo *slot = NULL;
 
@@ -620,10 +640,6 @@ PK11_FindSlotByName(const char *name)
         PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
         return slot;
     }
-    if ((name == NULL) || (*name == 0)) {
-        return PK11_GetInternalKeySlot();
-    }
-
     /* work through all the slots */
     SECMOD_GetReadLock(moduleLock);
     modules = SECMOD_GetDefaultModuleList();
@@ -631,7 +647,7 @@ PK11_FindSlotByName(const char *name)
         for (i = 0; i < mlp->module->slotCount; i++) {
             PK11SlotInfo *tmpSlot = mlp->module->slots[i];
             if (PK11_IsPresent(tmpSlot)) {
-                if (PORT_Strcmp(tmpSlot->token_name, name) == 0) {
+                if (func(tmpSlot, arg)) {
                     slot = PK11_ReferenceSlot(tmpSlot);
                     break;
                 }
@@ -649,43 +665,41 @@ PK11_FindSlotByName(const char *name)
     return slot;
 }
 
-PK11SlotInfo *
-PK11_FindSlotBySerial(char *serial)
+static PK11SlotInfo *
+pk11_FindSlotByTokenURI(const char *uriString)
 {
-    SECMODModuleList *mlp;
-    SECMODModuleList *modules;
-    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
-    int i;
     PK11SlotInfo *slot = NULL;
+    PK11URI *uri;
 
-    if (!moduleLock) {
-        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+    uri = PK11URI_ParseURI(uriString);
+    if (!uri) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return slot;
     }
-    /* work through all the slots */
-    SECMOD_GetReadLock(moduleLock);
-    modules = SECMOD_GetDefaultModuleList();
-    for (mlp = modules; mlp != NULL; mlp = mlp->next) {
-        for (i = 0; i < mlp->module->slotCount; i++) {
-            PK11SlotInfo *tmpSlot = mlp->module->slots[i];
-            if (PK11_IsPresent(tmpSlot)) {
-                if (PORT_Memcmp(tmpSlot->serial, serial,
-                                sizeof(tmpSlot->serial)) == 0) {
-                    slot = PK11_ReferenceSlot(tmpSlot);
-                    break;
-                }
-            }
-        }
-        if (slot != NULL)
-            break;
+
+    slot = pk11_FindSlot(uri, pk11_MatchSlotByTokenURI);
+    PK11URI_DestroyURI(uri);
+    return slot;
+}
+
+PK11SlotInfo *
+PK11_FindSlotByName(const char *name)
+{
+    if ((name == NULL) || (*name == 0)) {
+        return PK11_GetInternalKeySlot();
     }
-    SECMOD_ReleaseReadLock(moduleLock);
 
-    if (slot == NULL) {
-        PORT_SetError(SEC_ERROR_NO_TOKEN);
+    if (!PORT_Strncasecmp(name, "pkcs11:", strlen("pkcs11:"))) {
+        return pk11_FindSlotByTokenURI(name);
     }
 
-    return slot;
+    return pk11_FindSlot(name, pk11_MatchSlotByTokenName);
+}
+
+PK11SlotInfo *
+PK11_FindSlotBySerial(char *serial)
+{
+    return pk11_FindSlot(serial, pk11_MatchSlotBySerial);
 }
 
 /*
diff --git a/security/nss/lib/pk11wrap/secmodi.h b/security/nss/lib/pk11wrap/secmodi.h
index 84f5f2a30..7ec77ced6 100644
--- a/security/nss/lib/pk11wrap/secmodi.h
+++ b/security/nss/lib/pk11wrap/secmodi.h
@@ -13,7 +13,7 @@
 #include "secdert.h"
 #include "certt.h"
 #include "secmodt.h"
-#include "keyt.h"
+#include "keythi.h"
 
 SEC_BEGIN_PROTOS
 
diff --git a/security/nss/lib/pkcs12/p12.h b/security/nss/lib/pkcs12/p12.h
index 118db6efa..495bbf6c4 100644
--- a/security/nss/lib/pkcs12/p12.h
+++ b/security/nss/lib/pkcs12/p12.h
@@ -6,7 +6,7 @@
 #define _P12_H_
 
 #include "secoid.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secpkcs7.h"
 #include "p12t.h"
 
diff --git a/security/nss/lib/pkcs12/p12t.h b/security/nss/lib/pkcs12/p12t.h
index 62c2b502e..b22f0dd82 100644
--- a/security/nss/lib/pkcs12/p12t.h
+++ b/security/nss/lib/pkcs12/p12t.h
@@ -6,7 +6,7 @@
 #define _P12T_H_
 
 #include "secoid.h"
-#include "key.h"
+#include "keythi.h"
 #include "pkcs11.h"
 #include "secpkcs7.h"
 #include "secdig.h" /* for SGNDigestInfo */
diff --git a/security/nss/lib/pkcs12/pkcs12t.h b/security/nss/lib/pkcs12/pkcs12t.h
index ad00d7b5b..db10d28af 100644
--- a/security/nss/lib/pkcs12/pkcs12t.h
+++ b/security/nss/lib/pkcs12/pkcs12t.h
@@ -8,7 +8,7 @@
 #include "seccomon.h"
 #include "secoid.h"
 #include "cert.h"
-#include "key.h"
+#include "keythi.h"
 #include "plarena.h"
 #include "secpkcs7.h"
 #include "secdig.h" /* for SGNDigestInfo */
diff --git a/security/nss/lib/pkcs7/p7decode.c b/security/nss/lib/pkcs7/p7decode.c
index ba51955ab..641d201e5 100644
--- a/security/nss/lib/pkcs7/p7decode.c
+++ b/security/nss/lib/pkcs7/p7decode.c
@@ -16,7 +16,7 @@
                     /* include should be removed! */
 /*#include "cdbhdl.h" */
 #include "cryptohi.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/pkcs7/secmime.c b/security/nss/lib/pkcs7/secmime.c
index ca1046aa5..8a4afe45b 100644
--- a/security/nss/lib/pkcs7/secmime.c
+++ b/security/nss/lib/pkcs7/secmime.c
@@ -14,7 +14,7 @@
 #include "secasn1.h"
 #include "secitem.h"
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secerr.h"
 
 typedef struct smime_cipher_map_struct {
diff --git a/security/nss/lib/pkcs7/secpkcs7.h b/security/nss/lib/pkcs7/secpkcs7.h
index 78270bd15..4a88df1df 100644
--- a/security/nss/lib/pkcs7/secpkcs7.h
+++ b/security/nss/lib/pkcs7/secpkcs7.h
@@ -13,7 +13,7 @@
 
 #include "secoidt.h"
 #include "certt.h"
-#include "keyt.h"
+#include "keythi.h"
 #include "hasht.h"
 #include "pkcs7t.h"
 
diff --git a/security/nss/lib/smime/cms.h b/security/nss/lib/smime/cms.h
index 244df4879..f4a8a39e9 100644
--- a/security/nss/lib/smime/cms.h
+++ b/security/nss/lib/smime/cms.h
@@ -13,7 +13,7 @@
 
 #include "secoidt.h"
 #include "certt.h"
-#include "keyt.h"
+#include "keythi.h"
 #include "hasht.h"
 #include "cmst.h"
 
diff --git a/security/nss/lib/smime/cmsasn1.c b/security/nss/lib/smime/cmsasn1.c
index 15cf08fcc..8ba95d044 100644
--- a/security/nss/lib/smime/cmsasn1.c
+++ b/security/nss/lib/smime/cmsasn1.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/cmsdecode.c b/security/nss/lib/smime/cmsdecode.c
index 62b4ebfe5..69965bdd7 100644
--- a/security/nss/lib/smime/cmsdecode.c
+++ b/security/nss/lib/smime/cmsdecode.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/cmsdigest.c b/security/nss/lib/smime/cmsdigest.c
index 64b64a0f8..bd1474068 100644
--- a/security/nss/lib/smime/cmsdigest.c
+++ b/security/nss/lib/smime/cmsdigest.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secitem.h"
 #include "secoid.h"
 #include "pk11func.h"
diff --git a/security/nss/lib/smime/cmsencdata.c b/security/nss/lib/smime/cmsencdata.c
index c3a4549ad..d2fc3358b 100644
--- a/security/nss/lib/smime/cmsencdata.c
+++ b/security/nss/lib/smime/cmsencdata.c
@@ -8,7 +8,7 @@
 
 #include "cmslocal.h"
 
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/cmsencode.c b/security/nss/lib/smime/cmsencode.c
index 0d723e865..703492b5e 100644
--- a/security/nss/lib/smime/cmsencode.c
+++ b/security/nss/lib/smime/cmsencode.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secoid.h"
 #include "secitem.h"
diff --git a/security/nss/lib/smime/cmsenvdata.c b/security/nss/lib/smime/cmsenvdata.c
index f2c8e171d..d5d5c4123 100644
--- a/security/nss/lib/smime/cmsenvdata.c
+++ b/security/nss/lib/smime/cmsenvdata.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/cmspubkey.c b/security/nss/lib/smime/cmspubkey.c
index bc3cd993e..8f18f60de 100644
--- a/security/nss/lib/smime/cmspubkey.c
+++ b/security/nss/lib/smime/cmspubkey.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/cmsrecinfo.c b/security/nss/lib/smime/cmsrecinfo.c
index 8cab288d2..20dd698e8 100644
--- a/security/nss/lib/smime/cmsrecinfo.c
+++ b/security/nss/lib/smime/cmsrecinfo.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/cmsreclist.c b/security/nss/lib/smime/cmsreclist.c
index 99d7e9087..f75347407 100644
--- a/security/nss/lib/smime/cmsreclist.c
+++ b/security/nss/lib/smime/cmsreclist.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/cmssiginfo.c b/security/nss/lib/smime/cmssiginfo.c
index ce4f87c0a..79aaf8f0a 100644
--- a/security/nss/lib/smime/cmssiginfo.c
+++ b/security/nss/lib/smime/cmssiginfo.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/cmsutil.c b/security/nss/lib/smime/cmsutil.c
index cd12603fa..713b94aac 100644
--- a/security/nss/lib/smime/cmsutil.c
+++ b/security/nss/lib/smime/cmsutil.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/smimemessage.c b/security/nss/lib/smime/smimemessage.c
index 774b9f3fd..3073ab245 100644
--- a/security/nss/lib/smime/smimemessage.c
+++ b/security/nss/lib/smime/smimemessage.c
@@ -10,7 +10,7 @@
 #include "smime.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/smimeutil.c b/security/nss/lib/smime/smimeutil.c
index 7674a65fd..0e6bd32fd 100644
--- a/security/nss/lib/smime/smimeutil.c
+++ b/security/nss/lib/smime/smimeutil.c
@@ -13,7 +13,7 @@
 #include "secasn1.h"
 #include "secitem.h"
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secerr.h"
 #include "cms.h"
 #include "nss.h"
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
index 385d3c144..7eec3d7ee 100644
--- a/security/nss/lib/softoken/pkcs11c.c
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -3106,7 +3106,7 @@ RSA_HashCheckSign(SECOidTag digestOid, NSSLOWKEYPublicKey *key,
         digest.len = digestLen;
         rv = _SGN_VerifyPKCS1DigestInfo(
             digestOid, &digest, &pkcs1DigestInfo,
-            PR_TRUE /*XXX: unsafeAllowMissingParameters*/);
+            PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
     }
 
     PORT_Free(pkcs1DigestInfoData);
diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h
index 827bf2e22..c1f63d769 100644
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -17,9 +17,9 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION "3.38" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.41" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR 3
-#define SOFTOKEN_VMINOR 38
+#define SOFTOKEN_VMINOR 41
 #define SOFTOKEN_VPATCH 0
 #define SOFTOKEN_VBUILD 0
 #define SOFTOKEN_BETA PR_FALSE
diff --git a/security/nss/lib/ssl/SSLerrs.h b/security/nss/lib/ssl/SSLerrs.h
index f01d16583..9be219494 100644
--- a/security/nss/lib/ssl/SSLerrs.h
+++ b/security/nss/lib/ssl/SSLerrs.h
@@ -552,3 +552,15 @@ ER3(SSL_ERROR_RX_MALFORMED_DTLS_ACK, (SSL_ERROR_BASE + 174),
 
 ER3(SSL_ERROR_DH_KEY_TOO_LONG, (SSL_ERROR_BASE + 175),
     "SSL received a DH key share that's too long (>8192 bit).")
+
+ER3(SSL_ERROR_RX_MALFORMED_ESNI_KEYS, (SSL_ERROR_BASE + 176),
+    "SSL received a malformed ESNI keys structure")
+
+ER3(SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION, (SSL_ERROR_BASE + 177),
+    "SSL received a malformed ESNI extension")
+
+ER3(SSL_ERROR_MISSING_ESNI_EXTENSION, (SSL_ERROR_BASE + 178),
+    "SSL did not receive an ESNI extension")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, (SSL_ERROR_BASE + 179),
+    "SSL received an unexpected record type.")
diff --git a/security/nss/lib/ssl/authcert.c b/security/nss/lib/ssl/authcert.c
index 2765c8342..d05b30a72 100644
--- a/security/nss/lib/ssl/authcert.c
+++ b/security/nss/lib/ssl/authcert.c
@@ -13,7 +13,7 @@
 #include "cert.h"
 #include "nspr.h"
 #include "secder.h"
-#include "key.h"
+#include "keyhi.h"
 #include "nss.h"
 #include "ssl.h"
 #include "pk11func.h" /* for PK11_ function calls */
diff --git a/security/nss/lib/ssl/cmpcert.c b/security/nss/lib/ssl/cmpcert.c
index e6edbee83..8ab4a7f8d 100644
--- a/security/nss/lib/ssl/cmpcert.c
+++ b/security/nss/lib/ssl/cmpcert.c
@@ -13,7 +13,7 @@
 #include "cert.h"
 #include "nspr.h"
 #include "secder.h"
-#include "key.h"
+#include "keyhi.h"
 #include "nss.h"
 
 /*
@@ -27,13 +27,9 @@ NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
     SECItem *caname;
     CERTCertificate *curcert;
     CERTCertificate *oldcert;
-    PRInt32 contentlen;
     int j;
-    int headerlen;
     int depth;
-    SECStatus rv;
     SECItem issuerName;
-    SECItem compatIssuerName;
 
     if (!cert || !caNames || !caNames->nnames || !caNames->names ||
         !caNames->names->data)
@@ -44,29 +40,11 @@ NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
     while (curcert) {
         issuerName = curcert->derIssuer;
 
-        /* compute an alternate issuer name for compatibility with 2.0
-         * enterprise server, which send the CA names without
-         * the outer layer of DER header
-         */
-        rv = DER_Lengths(&issuerName, &headerlen, (PRUint32 *)&contentlen);
-        if (rv == SECSuccess) {
-            compatIssuerName.data = &issuerName.data[headerlen];
-            compatIssuerName.len = issuerName.len - headerlen;
-        } else {
-            compatIssuerName.data = NULL;
-            compatIssuerName.len = 0;
-        }
-
         for (j = 0; j < caNames->nnames; j++) {
             caname = &caNames->names[j];
             if (SECITEM_CompareItem(&issuerName, caname) == SECEqual) {
-                rv = SECSuccess;
                 CERT_DestroyCertificate(curcert);
-                goto done;
-            } else if (SECITEM_CompareItem(&compatIssuerName, caname) == SECEqual) {
-                rv = SECSuccess;
-                CERT_DestroyCertificate(curcert);
-                goto done;
+                return SECSuccess;
             }
         }
         if ((depth <= 20) &&
@@ -82,8 +60,5 @@ NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
             curcert = NULL;
         }
     }
-    rv = SECFailure;
-
-done:
-    return rv;
+    return SECFailure;
 }
diff --git a/security/nss/lib/ssl/config.mk b/security/nss/lib/ssl/config.mk
index d13613f78..b901a8830 100644
--- a/security/nss/lib/ssl/config.mk
+++ b/security/nss/lib/ssl/config.mk
@@ -60,3 +60,7 @@ endif
 ifdef NSS_DISABLE_TLS_1_3
 DEFINES += -DNSS_DISABLE_TLS_1_3
 endif
+
+ifeq (,$(filter-out DragonFly FreeBSD Linux NetBSD OpenBSD, $(OS_TARGET)))
+CFLAGS += -std=gnu99
+endif
diff --git a/security/nss/lib/ssl/dtls13con.c b/security/nss/lib/ssl/dtls13con.c
index de6cb47ca..81d196dee 100644
--- a/security/nss/lib/ssl/dtls13con.c
+++ b/security/nss/lib/ssl/dtls13con.c
@@ -32,7 +32,7 @@ dtls13_InsertCipherTextHeader(const sslSocket *ss, ssl3CipherSpec *cwSpec,
         return sslBuffer_AppendNumber(wrBuf, seq, 2);
     }
 
-    rv = sslBuffer_AppendNumber(wrBuf, content_application_data, 1);
+    rv = sslBuffer_AppendNumber(wrBuf, ssl_ct_application_data, 1);
     if (rv != SECSuccess) {
         return SECFailure;
     }
@@ -147,7 +147,7 @@ dtls13_SendAck(sslSocket *ss)
     }
 
     ssl_GetXmitBufLock(ss);
-    sent = ssl3_SendRecord(ss, NULL, content_ack,
+    sent = ssl3_SendRecord(ss, NULL, ssl_ct_ack,
                            buf.buf, buf.len, 0);
     ssl_ReleaseXmitBufLock(ss);
     if (sent != buf.len) {
@@ -343,7 +343,7 @@ dtls13_SetupAcks(sslSocket *ss)
  */
 SECStatus
 dtls13_HandleOutOfEpochRecord(sslSocket *ss, const ssl3CipherSpec *spec,
-                              SSL3ContentType rType,
+                              SSLContentType rType,
                               sslBuffer *databuf)
 {
     SECStatus rv;
@@ -360,7 +360,7 @@ dtls13_HandleOutOfEpochRecord(sslSocket *ss, const ssl3CipherSpec *spec,
     SSL_TRC(10, ("%d: DTLS13[%d]: handle out of epoch record: type=%d", SSL_GETPID(),
                  ss->fd, rType));
 
-    if (rType == content_ack) {
+    if (rType == ssl_ct_ack) {
         ssl_GetSSL3HandshakeLock(ss);
         rv = dtls13_HandleAck(ss, &buf);
         ssl_ReleaseSSL3HandshakeLock(ss);
@@ -380,7 +380,7 @@ dtls13_HandleOutOfEpochRecord(sslSocket *ss, const ssl3CipherSpec *spec,
              * retransmitted Finished (e.g., because our ACK got lost.)
              * We just retransmit the previous Finished to let the client
              * complete. */
-            if (rType == content_handshake) {
+            if (rType == ssl_ct_handshake) {
                 if ((ss->sec.isServer) &&
                     (ss->ssl3.hs.ws == idle_handshake)) {
                     PORT_Assert(dtls_TimerActive(ss, ss->ssl3.hs.hdTimer));
diff --git a/security/nss/lib/ssl/dtls13con.h b/security/nss/lib/ssl/dtls13con.h
index ca48ef363..ce92a8a55 100644
--- a/security/nss/lib/ssl/dtls13con.h
+++ b/security/nss/lib/ssl/dtls13con.h
@@ -21,7 +21,7 @@ PRBool dtls_NextUnackedRange(sslSocket *ss, PRUint16 msgSeq, PRUint32 offset,
                              PRUint32 len, PRUint32 *startOut, PRUint32 *endOut);
 SECStatus dtls13_SetupAcks(sslSocket *ss);
 SECStatus dtls13_HandleOutOfEpochRecord(sslSocket *ss, const ssl3CipherSpec *spec,
-                                        SSL3ContentType rType,
+                                        SSLContentType rType,
                                         sslBuffer *databuf);
 SECStatus dtls13_HandleAck(sslSocket *ss, sslBuffer *databuf);
 
diff --git a/security/nss/lib/ssl/dtlscon.c b/security/nss/lib/ssl/dtlscon.c
index a82295c66..a5c604bca 100644
--- a/security/nss/lib/ssl/dtlscon.c
+++ b/security/nss/lib/ssl/dtlscon.c
@@ -120,7 +120,7 @@ ssl3_DisableNonDTLSSuites(sslSocket *ss)
  * Called from dtls_QueueMessage()
  */
 static DTLSQueuedMessage *
-dtls_AllocQueuedMessage(ssl3CipherSpec *cwSpec, SSL3ContentType type,
+dtls_AllocQueuedMessage(ssl3CipherSpec *cwSpec, SSLContentType ct,
                         const unsigned char *data, PRUint32 len)
 {
     DTLSQueuedMessage *msg;
@@ -138,7 +138,7 @@ dtls_AllocQueuedMessage(ssl3CipherSpec *cwSpec, SSL3ContentType type,
 
     msg->len = len;
     msg->cwSpec = cwSpec;
-    msg->type = type;
+    msg->type = ct;
     /* Safe if we are < 1.3, since the refct is
      * already very high. */
     ssl_CipherSpecAddRef(cwSpec);
@@ -517,7 +517,7 @@ loser:
  *              ssl3_SendChangeCipherSpecs()
  */
 SECStatus
-dtls_QueueMessage(sslSocket *ss, SSL3ContentType type,
+dtls_QueueMessage(sslSocket *ss, SSLContentType ct,
                   const PRUint8 *pIn, PRInt32 nIn)
 {
     SECStatus rv = SECSuccess;
@@ -528,7 +528,7 @@ dtls_QueueMessage(sslSocket *ss, SSL3ContentType type,
     PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
 
     spec = ss->ssl3.cwSpec;
-    msg = dtls_AllocQueuedMessage(spec, type, pIn, nIn);
+    msg = dtls_AllocQueuedMessage(spec, ct, pIn, nIn);
 
     if (!msg) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
@@ -562,7 +562,7 @@ dtls_StageHandshakeMessage(sslSocket *ss)
     if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)
         return rv;
 
-    rv = dtls_QueueMessage(ss, content_handshake,
+    rv = dtls_QueueMessage(ss, ssl_ct_handshake,
                            ss->sec.ci.sendBuf.buf, ss->sec.ci.sendBuf.len);
 
     /* Whether we succeeded or failed, toss the old handshake data. */
@@ -696,7 +696,7 @@ dtls_FragmentHandshake(sslSocket *ss, DTLSQueuedMessage *msg)
     PORT_Assert(msg->len >= DTLS_HS_HDR_LEN);
 
     /* DTLS only supports fragmenting handshaking messages. */
-    PORT_Assert(msg->type == content_handshake);
+    PORT_Assert(msg->type == ssl_ct_handshake);
 
     msgSeq = (msg->data[4] << 8) | msg->data[5];
 
@@ -848,7 +848,7 @@ dtls_TransmitMessageFlight(sslSocket *ss)
          * be quite fragmented.  Adding an extra flush here would push new
          * messages into new records and reduce fragmentation. */
 
-        if (msg->type == content_handshake) {
+        if (msg->type == ssl_ct_handshake) {
             rv = dtls_FragmentHandshake(ss, msg);
         } else {
             PORT_Assert(!tls13_MaybeTls13(ss));
@@ -1327,9 +1327,9 @@ dtls_IsLongHeader(SSL3ProtocolVersion version, PRUint8 firstOctet)
 {
 #ifndef UNSAFE_FUZZER_MODE
     return version < SSL_LIBRARY_VERSION_TLS_1_3 ||
-           firstOctet == content_handshake ||
-           firstOctet == content_ack ||
-           firstOctet == content_alert;
+           firstOctet == ssl_ct_handshake ||
+           firstOctet == ssl_ct_ack ||
+           firstOctet == ssl_ct_alert;
 #else
     return PR_TRUE;
 #endif
@@ -1359,7 +1359,7 @@ dtls_ReadEpoch(const ssl3CipherSpec *crSpec, const PRUint8 *hdr)
     }
 
     /* dtls_GatherData should ensure that this works. */
-    PORT_Assert(hdr[0] == content_application_data);
+    PORT_Assert(hdr[0] == ssl_ct_application_data);
 
     /* This uses the same method as is used to recover the sequence number in
      * dtls_ReadSequenceNumber, except that the maximum value is set to the
diff --git a/security/nss/lib/ssl/dtlscon.h b/security/nss/lib/ssl/dtlscon.h
index 45fc069b9..4ede3c2ca 100644
--- a/security/nss/lib/ssl/dtlscon.h
+++ b/security/nss/lib/ssl/dtlscon.h
@@ -23,7 +23,7 @@ extern SECStatus dtls_HandleHandshake(sslSocket *ss, DTLSEpoch epoch,
 extern SECStatus dtls_HandleHelloVerifyRequest(sslSocket *ss,
                                                PRUint8 *b, PRUint32 length);
 extern SECStatus dtls_StageHandshakeMessage(sslSocket *ss);
-extern SECStatus dtls_QueueMessage(sslSocket *ss, SSL3ContentType type,
+extern SECStatus dtls_QueueMessage(sslSocket *ss, SSLContentType type,
                                    const PRUint8 *pIn, PRInt32 nIn);
 extern SECStatus dtls_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
 SECStatus ssl3_DisableNonDTLSSuites(sslSocket *ss);
diff --git a/security/nss/lib/ssl/manifest.mn b/security/nss/lib/ssl/manifest.mn
index ca9b9ee7b..fe9470bd0 100644
--- a/security/nss/lib/ssl/manifest.mn
+++ b/security/nss/lib/ssl/manifest.mn
@@ -1,4 +1,3 @@
-#
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
@@ -56,6 +55,7 @@ CSRCS = \
         tls13replay.c \
         sslcert.c \
         sslgrp.c \
+        tls13esni.c \
         $(NULL)
 
 LIBRARY_NAME = ssl
diff --git a/security/nss/lib/ssl/ssl.gyp b/security/nss/lib/ssl/ssl.gyp
index 3694ab91a..2e28f6775 100644
--- a/security/nss/lib/ssl/ssl.gyp
+++ b/security/nss/lib/ssl/ssl.gyp
@@ -43,6 +43,7 @@
         'ssltrace.c',
         'sslver.c',
         'tls13con.c',
+        'tls13esni.c',
         'tls13exthandle.c',
         'tls13hashstate.c',
         'tls13hkdf.c',
@@ -67,6 +68,11 @@
             'UNSAFE_FUZZER_MODE',
           ],
         }],
+        [ 'OS=="dragonfly" or OS=="freebsd" or OS=="netbsd" or OS=="openbsd" or OS=="linux"', {
+          'cflags': [
+            '-std=gnu99',
+          ],
+        }],
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h
index ecc4f9506..fc4a4a70c 100644
--- a/security/nss/lib/ssl/ssl.h
+++ b/security/nss/lib/ssl/ssl.h
@@ -13,7 +13,7 @@
 #include "prio.h"
 #include "seccomon.h"
 #include "cert.h"
-#include "keyt.h"
+#include "keythi.h"
 
 #include "sslt.h" /* public ssl data types */
 
@@ -282,6 +282,23 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
  */
 #define SSL_ENABLE_DTLS_SHORT_HEADER 36
 
+/*
+ * Enables the processing of the downgrade sentinel that can be added to the
+ * ServerHello.random by a server that supports Section 4.1.3 of TLS 1.3
+ * [RFC8446].  This sentinel will always be generated by a server that
+ * negotiates a version lower than its maximum, this only controls whether a
+ * client will treat receipt of a value that indicates a downgrade as an error.
+ */
+#define SSL_ENABLE_HELLO_DOWNGRADE_CHECK 37
+
+/* Enables the SSLv2-compatible ClientHello for servers. NSS does not support
+ * SSLv2 and will never send an SSLv2-compatible ClientHello as a client.  An
+ * NSS server with this option enabled will accept a ClientHello that is
+ * v2-compatible as defined in Appendix E.1 of RFC 6101.
+ *
+ * This is disabled by default and will be removed in a future version. */
+#define SSL_ENABLE_V2_COMPATIBLE_HELLO 38
+
 #ifdef SSL_DEPRECATED_FUNCTION
 /* Old deprecated function names */
 SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRIntn on);
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
index 466fc296f..3b5c69b11 100644
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -93,8 +93,8 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
  { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
    /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
     * bug 946147.
     */
@@ -114,7 +114,7 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
@@ -143,7 +143,7 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
 
  /* RSA */
  { TLS_RSA_WITH_AES_128_GCM_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
- { TLS_RSA_WITH_AES_256_GCM_SHA384,         SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_GCM_SHA384,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_RSA_WITH_AES_128_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_RSA_WITH_AES_128_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
@@ -501,19 +501,19 @@ ssl3_DecodeContentType(int msgType)
     static char line[40];
 
     switch (msgType) {
-        case content_change_cipher_spec:
+        case ssl_ct_change_cipher_spec:
             rv = "change_cipher_spec (20)";
             break;
-        case content_alert:
+        case ssl_ct_alert:
             rv = "alert      (21)";
             break;
-        case content_handshake:
+        case ssl_ct_handshake:
             rv = "handshake  (22)";
             break;
-        case content_application_data:
+        case ssl_ct_application_data:
             rv = "application_data (23)";
             break;
-        case content_ack:
+        case ssl_ct_ack:
             rv = "ack (25)";
             break;
         default:
@@ -656,7 +656,7 @@ ssl_LookupCipherSuiteCfgMutable(ssl3CipherSuite suite,
     return NULL;
 }
 
-const static ssl3CipherSuiteCfg *
+const ssl3CipherSuiteCfg *
 ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, const ssl3CipherSuiteCfg *suites)
 {
     return ssl_LookupCipherSuiteCfgMutable(suite,
@@ -765,6 +765,9 @@ ssl_HasCert(const sslSocket *ss, SSLAuthType authType)
         }
         return PR_TRUE;
     }
+    if (authType == ssl_auth_rsa_sign) {
+        return ssl_HasCert(ss, ssl_auth_rsa_pss);
+    }
     return PR_FALSE;
 }
 
@@ -851,9 +854,9 @@ ssl3_config_match_init(sslSocket *ss)
 /* Return PR_TRUE if suite is usable.  This if the suite is permitted by policy,
  * enabled, has a certificate (as needed), has a viable key agreement method, is
  * usable with the negotiated TLS version, and is otherwise usable. */
-static PRBool
-config_match(const ssl3CipherSuiteCfg *suite, PRUint8 policy,
-             const SSLVersionRange *vrange, const sslSocket *ss)
+PRBool
+ssl3_config_match(const ssl3CipherSuiteCfg *suite, PRUint8 policy,
+                  const SSLVersionRange *vrange, const sslSocket *ss)
 {
     const ssl3CipherSuiteDef *cipher_def;
     const ssl3KEADef *kea_def;
@@ -896,7 +899,7 @@ count_cipher_suites(sslSocket *ss, PRUint8 policy)
         return 0;
     }
     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
-        if (config_match(&ss->cipherSuites[i], policy, &ss->vrange, ss))
+        if (ssl3_config_match(&ss->cipherSuites[i], policy, &ss->vrange, ss))
             count++;
     }
     if (count == 0) {
@@ -1120,6 +1123,8 @@ ssl3_SignHashes(sslSocket *ss, SSL3Hashes *hash, SECKEYPrivateKey *key,
 
     if (ss->sec.isServer) {
         ss->sec.signatureScheme = ss->ssl3.hs.signatureScheme;
+        ss->sec.authType =
+            ssl_SignatureSchemeToAuthType(ss->ssl3.hs.signatureScheme);
     }
     PRINT_BUF(60, (NULL, "signed hashes", (unsigned char *)buf->data, buf->len));
 done:
@@ -1255,6 +1260,7 @@ ssl3_VerifySignedHashes(sslSocket *ss, SSLSignatureScheme scheme, SSL3Hashes *ha
     }
     if (!ss->sec.isServer) {
         ss->sec.signatureScheme = scheme;
+        ss->sec.authType = ssl_SignatureSchemeToAuthType(scheme);
     }
 
 loser:
@@ -1506,7 +1512,7 @@ loser:
 static SECStatus
 ssl3_BuildRecordPseudoHeader(DTLSEpoch epoch,
                              sslSequenceNumber seqNum,
-                             SSL3ContentType type,
+                             SSLContentType ct,
                              PRBool includesVersion,
                              SSL3ProtocolVersion version,
                              PRBool isDTLS,
@@ -1526,7 +1532,7 @@ ssl3_BuildRecordPseudoHeader(DTLSEpoch epoch,
     if (rv != SECSuccess) {
         return SECFailure;
     }
-    rv = sslBuffer_AppendNumber(buf, type, 1);
+    rv = sslBuffer_AppendNumber(buf, ct, 1);
     if (rv != SECSuccess) {
         return SECFailure;
     }
@@ -1994,7 +2000,7 @@ SECStatus
 ssl3_MACEncryptRecord(ssl3CipherSpec *cwSpec,
                       PRBool isServer,
                       PRBool isDTLS,
-                      SSL3ContentType type,
+                      SSLContentType ct,
                       const PRUint8 *pIn,
                       PRUint32 contentLen,
                       sslBuffer *wrBuf)
@@ -2041,7 +2047,7 @@ ssl3_MACEncryptRecord(ssl3CipherSpec *cwSpec,
     }
 
     rv = ssl3_BuildRecordPseudoHeader(
-        cwSpec->epoch, cwSpec->nextSeqNum, type,
+        cwSpec->epoch, cwSpec->nextSeqNum, ct,
         cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->recordVersion,
         isDTLS, contentLen, &pseudoHeader);
     PORT_Assert(rv == SECSuccess);
@@ -2163,7 +2169,7 @@ ssl3_MACEncryptRecord(ssl3CipherSpec *cwSpec,
 /* Note: though this can report failure, it shouldn't. */
 SECStatus
 ssl_InsertRecordHeader(const sslSocket *ss, ssl3CipherSpec *cwSpec,
-                       SSL3ContentType contentType, sslBuffer *wrBuf,
+                       SSLContentType contentType, sslBuffer *wrBuf,
                        PRBool *needsLength)
 {
     SECStatus rv;
@@ -2175,7 +2181,7 @@ ssl_InsertRecordHeader(const sslSocket *ss, ssl3CipherSpec *cwSpec,
             return dtls13_InsertCipherTextHeader(ss, cwSpec, wrBuf,
                                                  needsLength);
         }
-        contentType = content_application_data;
+        contentType = ssl_ct_application_data;
     }
 #endif
     rv = sslBuffer_AppendNumber(wrBuf, contentType, 1);
@@ -2202,7 +2208,7 @@ ssl_InsertRecordHeader(const sslSocket *ss, ssl3CipherSpec *cwSpec,
 }
 
 SECStatus
-ssl_ProtectRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, SSL3ContentType type,
+ssl_ProtectRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, SSLContentType ct,
                   const PRUint8 *pIn, PRUint32 contentLen, sslBuffer *wrBuf)
 {
     PRBool needsLength;
@@ -2222,7 +2228,7 @@ ssl_ProtectRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, SSL3ContentType type,
         return SECFailure;
     }
 
-    rv = ssl_InsertRecordHeader(ss, cwSpec, type, wrBuf, &needsLength);
+    rv = ssl_InsertRecordHeader(ss, cwSpec, ct, wrBuf, &needsLength);
     if (rv != SECSuccess) {
         return SECFailure;
     }
@@ -2246,9 +2252,9 @@ ssl_ProtectRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, SSL3ContentType type,
     }
 #else
     if (cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
-        rv = tls13_ProtectRecord(ss, cwSpec, type, pIn, contentLen, wrBuf);
+        rv = tls13_ProtectRecord(ss, cwSpec, ct, pIn, contentLen, wrBuf);
     } else {
-        rv = ssl3_MACEncryptRecord(cwSpec, ss->sec.isServer, IS_DTLS(ss), type,
+        rv = ssl3_MACEncryptRecord(cwSpec, ss->sec.isServer, IS_DTLS(ss), ct,
                                    pIn, contentLen, wrBuf);
     }
 #endif
@@ -2270,7 +2276,7 @@ ssl_ProtectRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, SSL3ContentType type,
 }
 
 SECStatus
-ssl_ProtectNextRecord(sslSocket *ss, ssl3CipherSpec *spec, SSL3ContentType type,
+ssl_ProtectNextRecord(sslSocket *ss, ssl3CipherSpec *spec, SSLContentType ct,
                       const PRUint8 *pIn, unsigned int nIn,
                       unsigned int *written)
 {
@@ -2294,7 +2300,7 @@ ssl_ProtectNextRecord(sslSocket *ss, ssl3CipherSpec *spec, SSL3ContentType type,
         }
     }
 
-    rv = ssl_ProtectRecord(ss, spec, type, pIn, contentLen, wrBuf);
+    rv = ssl_ProtectRecord(ss, spec, ct, pIn, contentLen, wrBuf);
     if (rv != SECSuccess) {
         return SECFailure;
     }
@@ -2328,7 +2334,7 @@ ssl_ProtectNextRecord(sslSocket *ss, ssl3CipherSpec *spec, SSL3ContentType type,
 PRInt32
 ssl3_SendRecord(sslSocket *ss,
                 ssl3CipherSpec *cwSpec, /* non-NULL for DTLS retransmits */
-                SSL3ContentType type,
+                SSLContentType ct,
                 const PRUint8 *pIn, /* input buffer */
                 PRInt32 nIn,        /* bytes of input */
                 PRInt32 flags)
@@ -2339,7 +2345,7 @@ ssl3_SendRecord(sslSocket *ss,
     PRInt32 totalSent = 0;
 
     SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
-                SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
+                SSL_GETPID(), ss->fd, ssl3_DecodeContentType(ct),
                 nIn));
     PRINT_BUF(50, (ss, "Send record (plain text)", pIn, nIn));
 
@@ -2349,7 +2355,7 @@ ssl3_SendRecord(sslSocket *ss,
     if (ss->ssl3.fatalAlertSent) {
         SSL_TRC(3, ("%d: SSL3[%d] Suppress write, fatal alert already sent",
                     SSL_GETPID(), ss->fd));
-        if (type != content_alert) {
+        if (ct != ssl_ct_alert) {
             /* If we are sending an alert, then we already have an
              * error, so don't overwrite. */
             PORT_SetError(SSL_ERROR_HANDSHAKE_FAILED);
@@ -2366,8 +2372,8 @@ ssl3_SendRecord(sslSocket *ss,
     if (cwSpec) {
         /* cwSpec can only be set for retransmissions of the DTLS handshake. */
         PORT_Assert(IS_DTLS(ss) &&
-                    (type == content_handshake ||
-                     type == content_change_cipher_spec));
+                    (ct == ssl_ct_handshake ||
+                     ct == ssl_ct_change_cipher_spec));
         spec = cwSpec;
     } else {
         spec = ss->ssl3.cwSpec;
@@ -2378,7 +2384,7 @@ ssl3_SendRecord(sslSocket *ss,
         PRInt32 sent;
 
         ssl_GetSpecReadLock(ss);
-        rv = ssl_ProtectNextRecord(ss, spec, type, pIn, nIn, &written);
+        rv = ssl_ProtectNextRecord(ss, spec, ct, pIn, nIn, &written);
         ssl_ReleaseSpecReadLock(ss);
         if (rv != SECSuccess) {
             goto loser;
@@ -2386,7 +2392,7 @@ ssl3_SendRecord(sslSocket *ss,
 
         PORT_Assert(written > 0);
         /* DTLS should not fragment non-application data here. */
-        if (IS_DTLS(ss) && type != content_application_data) {
+        if (IS_DTLS(ss) && ct != ssl_ct_application_data) {
             PORT_Assert(written == nIn);
         }
 
@@ -2535,7 +2541,7 @@ ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
          * Note that the 0 epoch is OK because flags will never require
          * its use, as guaranteed by the PORT_Assert above.
          */
-        sent = ssl3_SendRecord(ss, NULL, content_application_data,
+        sent = ssl3_SendRecord(ss, NULL, ssl_ct_application_data,
                                in + totalSent, toSend, flags);
         if (sent < 0) {
             if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) {
@@ -2618,7 +2624,7 @@ ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags)
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
-    count = ssl3_SendRecord(ss, NULL, content_handshake,
+    count = ssl3_SendRecord(ss, NULL, ssl_ct_handshake,
                             ss->sec.ci.sendBuf.buf,
                             ss->sec.ci.sendBuf.len, flags);
     if (count < 0) {
@@ -2744,7 +2750,7 @@ SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc)
     rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
     if (rv == SECSuccess) {
         PRInt32 sent;
-        sent = ssl3_SendRecord(ss, NULL, content_alert, bytes, 2,
+        sent = ssl3_SendRecord(ss, NULL, ssl_ct_alert, bytes, 2,
                                (desc == no_certificate) ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0);
         rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
     }
@@ -3041,13 +3047,13 @@ ssl3_SendChangeCipherSpecsInt(sslSocket *ss)
 
     if (!IS_DTLS(ss)) {
         PRInt32 sent;
-        sent = ssl3_SendRecord(ss, NULL, content_change_cipher_spec,
+        sent = ssl3_SendRecord(ss, NULL, ssl_ct_change_cipher_spec,
                                &change, 1, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
         if (sent < 0) {
             return SECFailure; /* error code set by ssl3_SendRecord */
         }
     } else {
-        rv = dtls_QueueMessage(ss, content_change_cipher_spec, &change, 1);
+        rv = dtls_QueueMessage(ss, ssl_ct_change_cipher_spec, &change, 1);
         if (rv != SECSuccess) {
             return SECFailure;
         }
@@ -4002,8 +4008,8 @@ ssl_SignatureSchemeToHashType(SSLSignatureScheme scheme)
     return ssl_hash_none;
 }
 
-KeyType
-ssl_SignatureSchemeToKeyType(SSLSignatureScheme scheme)
+static PRBool
+ssl_SignatureSchemeMatchesSpkiOid(SSLSignatureScheme scheme, SECOidTag spkiOid)
 {
     switch (scheme) {
         case ssl_sig_rsa_pkcs1_sha256:
@@ -4013,133 +4019,243 @@ ssl_SignatureSchemeToKeyType(SSLSignatureScheme scheme)
         case ssl_sig_rsa_pss_rsae_sha256:
         case ssl_sig_rsa_pss_rsae_sha384:
         case ssl_sig_rsa_pss_rsae_sha512:
+        case ssl_sig_rsa_pkcs1_sha1md5:
+            return (spkiOid == SEC_OID_X500_RSA_ENCRYPTION) ||
+                   (spkiOid == SEC_OID_PKCS1_RSA_ENCRYPTION);
         case ssl_sig_rsa_pss_pss_sha256:
         case ssl_sig_rsa_pss_pss_sha384:
         case ssl_sig_rsa_pss_pss_sha512:
-        case ssl_sig_rsa_pkcs1_sha1md5:
-            return rsaKey;
+            return spkiOid == SEC_OID_PKCS1_RSA_PSS_SIGNATURE;
         case ssl_sig_ecdsa_secp256r1_sha256:
         case ssl_sig_ecdsa_secp384r1_sha384:
         case ssl_sig_ecdsa_secp521r1_sha512:
         case ssl_sig_ecdsa_sha1:
-            return ecKey;
+            return spkiOid == SEC_OID_ANSIX962_EC_PUBLIC_KEY;
         case ssl_sig_dsa_sha256:
         case ssl_sig_dsa_sha384:
         case ssl_sig_dsa_sha512:
         case ssl_sig_dsa_sha1:
-            return dsaKey;
+            return spkiOid == SEC_OID_ANSIX9_DSA_SIGNATURE;
         case ssl_sig_none:
         case ssl_sig_ed25519:
         case ssl_sig_ed448:
             break;
     }
     PORT_Assert(0);
-    return nullKey;
+    return PR_FALSE;
 }
 
-static SSLNamedGroup
-ssl_NamedGroupForSignatureScheme(SSLSignatureScheme scheme)
+/* Validate that the signature scheme works for the given key type. */
+static PRBool
+ssl_SignatureSchemeValid(SSLSignatureScheme scheme, SECOidTag spkiOid,
+                         PRBool isTls13)
 {
-    switch (scheme) {
-        case ssl_sig_ecdsa_secp256r1_sha256:
-            return ssl_grp_ec_secp256r1;
-        case ssl_sig_ecdsa_secp384r1_sha384:
-            return ssl_grp_ec_secp384r1;
-        case ssl_sig_ecdsa_secp521r1_sha512:
-            return ssl_grp_ec_secp521r1;
-        default:
+    if (!ssl_IsSupportedSignatureScheme(scheme)) {
+        return PR_FALSE;
+    }
+    if (!ssl_SignatureSchemeMatchesSpkiOid(scheme, spkiOid)) {
+        return PR_FALSE;
+    }
+    if (isTls13) {
+        if (ssl_SignatureSchemeToHashType(scheme) == ssl_hash_sha1) {
+            return PR_FALSE;
+        }
+        /* With TLS 1.3, EC keys should have been selected based on calling
+         * ssl_SignatureSchemeFromSpki(), reject them otherwise. */
+        return spkiOid != SEC_OID_ANSIX962_EC_PUBLIC_KEY;
+    }
+    return PR_TRUE;
+}
+
+static SECStatus
+ssl_SignatureSchemeFromPssSpki(CERTSubjectPublicKeyInfo *spki,
+                               SSLSignatureScheme *scheme)
+{
+    SECKEYRSAPSSParams pssParam = { 0 };
+    PORTCheapArenaPool arena;
+    SECStatus rv;
+
+    /* The key doesn't have parameters, boo. */
+    if (!spki->algorithm.parameters.len) {
+        *scheme = ssl_sig_none;
+        return SECSuccess;
+    }
+
+    PORT_InitCheapArena(&arena, DER_DEFAULT_CHUNKSIZE);
+    rv = SEC_QuickDERDecodeItem(&arena.arena, &pssParam,
+                                SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate),
+                                &spki->algorithm.parameters);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    /* Not having hashAlg means SHA-1 and we don't accept that. */
+    if (!pssParam.hashAlg) {
+        goto loser;
+    }
+    switch (SECOID_GetAlgorithmTag(pssParam.hashAlg)) {
+        case SEC_OID_SHA256:
+            *scheme = ssl_sig_rsa_pss_pss_sha256;
             break;
+        case SEC_OID_SHA384:
+            *scheme = ssl_sig_rsa_pss_pss_sha384;
+            break;
+        case SEC_OID_SHA512:
+            *scheme = ssl_sig_rsa_pss_pss_sha512;
+            break;
+        default:
+            goto loser;
     }
-    PORT_Assert(0);
-    return 0;
+
+    PORT_DestroyCheapArena(&arena);
+    return SECSuccess;
+
+loser:
+    PORT_DestroyCheapArena(&arena);
+    PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
+    return SECFailure;
 }
 
-/* Validate that the signature scheme works for the given key.
- * If |allowSha1| is set, we allow the use of SHA-1.
- * If |matchGroup| is set, we also check that the group and hash match. */
-static PRBool
-ssl_SignatureSchemeValidForKey(PRBool allowSha1, PRBool matchGroup,
-                               KeyType keyType,
-                               const sslNamedGroupDef *ecGroup,
-                               SSLSignatureScheme scheme)
+static SECStatus
+ssl_SignatureSchemeFromEcSpki(CERTSubjectPublicKeyInfo *spki,
+                              SSLSignatureScheme *scheme)
 {
-    if (!ssl_IsSupportedSignatureScheme(scheme)) {
-        return PR_FALSE;
+    const sslNamedGroupDef *group;
+    SECKEYPublicKey *key;
+
+    key = SECKEY_ExtractPublicKey(spki);
+    if (!key) {
+        PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
+        return SECFailure;
     }
-    if (keyType != ssl_SignatureSchemeToKeyType(scheme)) {
-        return PR_FALSE;
+    group = ssl_ECPubKey2NamedGroup(key);
+    SECKEY_DestroyPublicKey(key);
+    if (!group) {
+        PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
+        return SECFailure;
     }
-    if (!allowSha1 && ssl_SignatureSchemeToHashType(scheme) == ssl_hash_sha1) {
-        return PR_FALSE;
+    switch (group->name) {
+        case ssl_grp_ec_secp256r1:
+            *scheme = ssl_sig_ecdsa_secp256r1_sha256;
+            return SECSuccess;
+        case ssl_grp_ec_secp384r1:
+            *scheme = ssl_sig_ecdsa_secp384r1_sha384;
+            return SECSuccess;
+        case ssl_grp_ec_secp521r1:
+            *scheme = ssl_sig_ecdsa_secp521r1_sha512;
+            return SECSuccess;
+        default:
+            break;
     }
-    if (keyType != ecKey) {
-        return PR_TRUE;
+    PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
+    return SECFailure;
+}
+
+/* Newer signature schemes are designed so that a single SPKI can be used with
+ * that scheme.  This determines that scheme from the SPKI. If the SPKI doesn't
+ * have a single scheme, |*scheme| is set to ssl_sig_none. */
+static SECStatus
+ssl_SignatureSchemeFromSpki(CERTSubjectPublicKeyInfo *spki,
+                            PRBool isTls13, SSLSignatureScheme *scheme)
+{
+    SECOidTag spkiOid = SECOID_GetAlgorithmTag(&spki->algorithm);
+
+    if (spkiOid == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+        return ssl_SignatureSchemeFromPssSpki(spki, scheme);
     }
-    if (!ecGroup) {
-        return PR_FALSE;
+
+    /* Only do this lookup for TLS 1.3, where the scheme can be determined from
+     * the SPKI alone because the ECDSA key size determines the hash. Earlier
+     * TLS versions allow the same EC key to be used with different hashes. */
+    if (isTls13 && spkiOid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+        return ssl_SignatureSchemeFromEcSpki(spki, scheme);
     }
-    /* If |allowSha1| is present and the scheme is ssl_sig_ecdsa_sha1, it's OK.
-     * This scheme isn't bound to a specific group. */
-    if (allowSha1 && (scheme == ssl_sig_ecdsa_sha1)) {
-        return PR_TRUE;
+
+    *scheme = ssl_sig_none;
+    return SECSuccess;
+}
+
+static PRBool
+ssl_SignatureSchemeEnabled(sslSocket *ss, SSLSignatureScheme scheme)
+{
+    unsigned int i;
+    for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
+        if (scheme == ss->ssl3.signatureSchemes[i]) {
+            return PR_TRUE;
+        }
     }
-    if (!matchGroup) {
-        return PR_TRUE;
+    return PR_FALSE;
+}
+
+static PRBool
+ssl_SignatureKeyMatchesSpkiOid(const ssl3KEADef *keaDef, SECOidTag spkiOid)
+{
+    switch (spkiOid) {
+        case SEC_OID_X500_RSA_ENCRYPTION:
+        case SEC_OID_PKCS1_RSA_ENCRYPTION:
+        case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
+            return keaDef->signKeyType == rsaKey;
+        case SEC_OID_ANSIX9_DSA_SIGNATURE:
+            return keaDef->signKeyType == dsaKey;
+        case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
+            return keaDef->signKeyType == ecKey;
+        default:
+            break;
     }
-    return ecGroup->name == ssl_NamedGroupForSignatureScheme(scheme);
+    return PR_FALSE;
 }
 
-/* ssl3_CheckSignatureSchemeConsistency checks that the signature
- * algorithm identifier in |sigAndHash| is consistent with the public key in
- * |cert|. It also checks the hash algorithm against the configured signature
- * algorithms.  If all the tests pass, SECSuccess is returned. Otherwise,
- * PORT_SetError is called and SECFailure is returned. */
+/* ssl3_CheckSignatureSchemeConsistency checks that the signature algorithm
+ * identifier in |scheme| is consistent with the public key in |cert|. It also
+ * checks the hash algorithm against the configured signature algorithms.  If
+ * all the tests pass, SECSuccess is returned. Otherwise, PORT_SetError is
+ * called and SECFailure is returned. */
 SECStatus
-ssl_CheckSignatureSchemeConsistency(
-    sslSocket *ss, SSLSignatureScheme scheme, CERTCertificate *cert)
+ssl_CheckSignatureSchemeConsistency(sslSocket *ss, SSLSignatureScheme scheme,
+                                    CERTCertificate *cert)
 {
-    unsigned int i;
-    const sslNamedGroupDef *group = NULL;
-    SECKEYPublicKey *key;
-    KeyType keyType;
+    SSLSignatureScheme spkiScheme;
     PRBool isTLS13 = ss->version == SSL_LIBRARY_VERSION_TLS_1_3;
+    SECOidTag spkiOid;
+    SECStatus rv;
 
-    key = CERT_ExtractPublicKey(cert);
-    if (key == NULL) {
-        ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
+    rv = ssl_SignatureSchemeFromSpki(&cert->subjectPublicKeyInfo, isTLS13,
+                                     &spkiScheme);
+    if (rv != SECSuccess) {
         return SECFailure;
     }
-
-    keyType = SECKEY_GetPublicKeyType(key);
-    if (keyType == ecKey) {
-        group = ssl_ECPubKey2NamedGroup(key);
+    if (spkiScheme != ssl_sig_none) {
+        /* The SPKI in the certificate can only be used for a single scheme. */
+        if (spkiScheme != scheme ||
+            !ssl_SignatureSchemeEnabled(ss, scheme)) {
+            PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
+            return SECFailure;
+        }
+        return SECSuccess;
     }
-    SECKEY_DestroyPublicKey(key);
+
+    spkiOid = SECOID_GetAlgorithmTag(&cert->subjectPublicKeyInfo.algorithm);
 
     /* If we're a client, check that the signature algorithm matches the signing
      * key type of the cipher suite. */
-    if (!isTLS13 &&
-        !ss->sec.isServer &&
-        ss->ssl3.hs.kea_def->signKeyType != keyType) {
-        PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
-        return SECFailure;
+    if (!isTLS13 && !ss->sec.isServer) {
+        if (!ssl_SignatureKeyMatchesSpkiOid(ss->ssl3.hs.kea_def, spkiOid)) {
+            PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
+            return SECFailure;
+        }
     }
 
     /* Verify that the signature scheme matches the signing key. */
-    if (!ssl_SignatureSchemeValidForKey(!isTLS13 /* allowSha1 */,
-                                        isTLS13 /* matchGroup */,
-                                        keyType, group, scheme)) {
+    if (!ssl_SignatureSchemeValid(scheme, spkiOid, isTLS13)) {
         PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
         return SECFailure;
     }
 
-    for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
-        if (scheme == ss->ssl3.signatureSchemes[i]) {
-            return SECSuccess;
-        }
+    if (!ssl_SignatureSchemeEnabled(ss, scheme)) {
+        PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
+        return SECFailure;
     }
-    PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
-    return SECFailure;
+
+    return SECSuccess;
 }
 
 PRBool
@@ -4153,6 +4269,9 @@ ssl_IsSupportedSignatureScheme(SSLSignatureScheme scheme)
         case ssl_sig_rsa_pss_rsae_sha256:
         case ssl_sig_rsa_pss_rsae_sha384:
         case ssl_sig_rsa_pss_rsae_sha512:
+        case ssl_sig_rsa_pss_pss_sha256:
+        case ssl_sig_rsa_pss_pss_sha384:
+        case ssl_sig_rsa_pss_pss_sha512:
         case ssl_sig_ecdsa_secp256r1_sha256:
         case ssl_sig_ecdsa_secp384r1_sha384:
         case ssl_sig_ecdsa_secp521r1_sha512:
@@ -4164,9 +4283,6 @@ ssl_IsSupportedSignatureScheme(SSLSignatureScheme scheme)
             return PR_TRUE;
 
         case ssl_sig_rsa_pkcs1_sha1md5:
-        case ssl_sig_rsa_pss_pss_sha256:
-        case ssl_sig_rsa_pss_pss_sha384:
-        case ssl_sig_rsa_pss_pss_sha512:
         case ssl_sig_none:
         case ssl_sig_ed25519:
         case ssl_sig_ed448:
@@ -4182,6 +4298,9 @@ ssl_IsRsaPssSignatureScheme(SSLSignatureScheme scheme)
         case ssl_sig_rsa_pss_rsae_sha256:
         case ssl_sig_rsa_pss_rsae_sha384:
         case ssl_sig_rsa_pss_rsae_sha512:
+        case ssl_sig_rsa_pss_pss_sha256:
+        case ssl_sig_rsa_pss_pss_sha384:
+        case ssl_sig_rsa_pss_pss_sha512:
             return PR_TRUE;
 
         default:
@@ -4190,6 +4309,41 @@ ssl_IsRsaPssSignatureScheme(SSLSignatureScheme scheme)
     return PR_FALSE;
 }
 
+SSLAuthType
+ssl_SignatureSchemeToAuthType(SSLSignatureScheme scheme)
+{
+    switch (scheme) {
+        case ssl_sig_rsa_pkcs1_sha1:
+        case ssl_sig_rsa_pkcs1_sha1md5:
+        case ssl_sig_rsa_pkcs1_sha256:
+        case ssl_sig_rsa_pkcs1_sha384:
+        case ssl_sig_rsa_pkcs1_sha512:
+        /* We report based on the key type for PSS signatures. */
+        case ssl_sig_rsa_pss_rsae_sha256:
+        case ssl_sig_rsa_pss_rsae_sha384:
+        case ssl_sig_rsa_pss_rsae_sha512:
+            return ssl_auth_rsa_sign;
+        case ssl_sig_rsa_pss_pss_sha256:
+        case ssl_sig_rsa_pss_pss_sha384:
+        case ssl_sig_rsa_pss_pss_sha512:
+            return ssl_auth_rsa_pss;
+        case ssl_sig_ecdsa_secp256r1_sha256:
+        case ssl_sig_ecdsa_secp384r1_sha384:
+        case ssl_sig_ecdsa_secp521r1_sha512:
+        case ssl_sig_ecdsa_sha1:
+            return ssl_auth_ecdsa;
+        case ssl_sig_dsa_sha1:
+        case ssl_sig_dsa_sha256:
+        case ssl_sig_dsa_sha384:
+        case ssl_sig_dsa_sha512:
+            return ssl_auth_dsa;
+
+        default:
+            PORT_Assert(0);
+    }
+    return ssl_auth_null;
+}
+
 /* ssl_ConsumeSignatureScheme reads a SSLSignatureScheme (formerly
  * SignatureAndHashAlgorithm) structure from |b| and puts the resulting value
  * into |out|. |b| and |length| are updated accordingly.
@@ -4617,9 +4771,13 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
      * If we have an sid and it comes from an external cache, we use it. */
     if (ss->sec.ci.sid && ss->sec.ci.sid->cached == in_external_cache) {
         PORT_Assert(!ss->sec.isServer);
-        sid = ss->sec.ci.sid;
+        sid = ssl_ReferenceSID(ss->sec.ci.sid);
         SSL_TRC(3, ("%d: SSL3[%d]: using external resumption token in ClientHello",
                     SSL_GETPID(), ss->fd));
+    } else if (ss->sec.ci.sid && ss->statelessResume && type == client_hello_retry) {
+        /* If we are sending a second ClientHello, reuse the same SID
+         * as the original one. */
+        sid = ssl_ReferenceSID(ss->sec.ci.sid);
     } else if (!ss->opt.noCache) {
         /* We ignore ss->sec.ci.sid here, and use ssl_Lookup because Lookup
          * handles expired entries and other details.
@@ -4644,7 +4802,7 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
         suite = ssl_LookupCipherSuiteCfg(sid->u.ssl3.cipherSuite,
                                          ss->cipherSuites);
         PORT_Assert(suite);
-        if (!suite || !config_match(suite, ss->ssl3.policy, &ss->vrange, ss)) {
+        if (!suite || !ssl3_config_match(suite, ss->ssl3.policy, &ss->vrange, ss)) {
             sidOK = PR_FALSE;
         }
 
@@ -4765,9 +4923,7 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
     }
     ssl_ReleaseSpecWriteLock(ss);
 
-    if (ss->sec.ci.sid != NULL) {
-        ssl_FreeSID(ss->sec.ci.sid); /* decrement ref count, free if zero */
-    }
+    ssl_FreeSID(ss->sec.ci.sid); /* release the old sid */
     ss->sec.ci.sid = sid;
 
     /* HACK for SCSV in SSL 3.0.  On initial handshake, prepend SCSV,
@@ -4792,6 +4948,14 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
         PR_RWLock_Rlock(sid->u.ssl3.lock);
     }
 
+    /* Generate a new random if this is the first attempt. */
+    if (type == client_hello_initial) {
+        rv = ssl3_GetNewRandom(ss->ssl3.hs.client_random);
+        if (rv != SECSuccess) {
+            goto loser; /* err set by GetNewRandom. */
+        }
+    }
+
     if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3 &&
         type == client_hello_initial) {
         rv = tls13_SetupClientHello(ss);
@@ -4799,6 +4963,7 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
             goto loser;
         }
     }
+
     if (isTLS || (ss->firstHsDone && ss->peerRequestedProtection)) {
         rv = ssl_ConstructExtensions(ss, &extensionBuf, ssl_hs_client_hello);
         if (rv != SECSuccess) {
@@ -4870,13 +5035,6 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
         goto loser; /* err set by ssl3_AppendHandshake* */
     }
 
-    /* Generate a new random if this is the first attempt. */
-    if (type == client_hello_initial) {
-        rv = ssl3_GetNewRandom(ss->ssl3.hs.client_random);
-        if (rv != SECSuccess) {
-            goto loser; /* err set by GetNewRandom. */
-        }
-    }
     rv = ssl3_AppendHandshake(ss, ss->ssl3.hs.client_random,
                               SSL3_RANDOM_LENGTH);
     if (rv != SECSuccess) {
@@ -4931,7 +5089,7 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
     }
     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
         ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
-        if (config_match(suite, ss->ssl3.policy, &ss->vrange, ss)) {
+        if (ssl3_config_match(suite, ss->ssl3.policy, &ss->vrange, ss)) {
             actual_count++;
             if (actual_count > num_suites) {
                 /* set error card removal/insertion error */
@@ -5394,6 +5552,7 @@ ssl3_GetWrappingKey(sslSocket *ss,
     switch (authType) {
         case ssl_auth_rsa_decrypt:
         case ssl_auth_rsa_sign: /* bad: see Bug 1248320 */
+        case ssl_auth_rsa_pss:
             asymWrapMechanism = CKM_RSA_PKCS;
             rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey,
                                     unwrappedWrappingKey, &wrappedKey);
@@ -5843,20 +6002,59 @@ ssl3_SendClientKeyExchange(sslSocket *ss)
     return rv; /* err code already set. */
 }
 
+/* Used by ssl_PickSignatureScheme(). */
+static PRBool
+ssl_CanUseSignatureScheme(SSLSignatureScheme scheme,
+                          const SSLSignatureScheme *peerSchemes,
+                          unsigned int peerSchemeCount,
+                          PRBool requireSha1,
+                          PRBool slotDoesPss)
+{
+    SSLHashType hashType;
+    SECOidTag hashOID;
+    PRUint32 policy;
+    unsigned int i;
+
+    /* Skip RSA-PSS schemes when the certificate's private key slot does
+     * not support this signature mechanism. */
+    if (ssl_IsRsaPssSignatureScheme(scheme) && !slotDoesPss) {
+        return PR_FALSE;
+    }
+
+    hashType = ssl_SignatureSchemeToHashType(scheme);
+    if (requireSha1 && (hashType != ssl_hash_sha1)) {
+        return PR_FALSE;
+    }
+    hashOID = ssl3_HashTypeToOID(hashType);
+    if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
+        !(policy & NSS_USE_ALG_IN_SSL_KX)) {
+        return PR_FALSE;
+    }
+
+    for (i = 0; i < peerSchemeCount; i++) {
+        if (peerSchemes[i] == scheme) {
+            return PR_TRUE;
+        }
+    }
+    return PR_FALSE;
+}
+
 SECStatus
 ssl_PickSignatureScheme(sslSocket *ss,
+                        CERTCertificate *cert,
                         SECKEYPublicKey *pubKey,
                         SECKEYPrivateKey *privKey,
                         const SSLSignatureScheme *peerSchemes,
                         unsigned int peerSchemeCount,
                         PRBool requireSha1)
 {
-    unsigned int i, j;
-    const sslNamedGroupDef *group = NULL;
-    KeyType keyType;
+    unsigned int i;
     PK11SlotInfo *slot;
     PRBool slotDoesPss;
     PRBool isTLS13 = ss->version >= SSL_LIBRARY_VERSION_TLS_1_3;
+    SECStatus rv;
+    SSLSignatureScheme scheme;
+    SECOidTag spkiOid;
 
     /* We can't require SHA-1 in TLS 1.3. */
     PORT_Assert(!(requireSha1 && isTLS13));
@@ -5874,47 +6072,35 @@ ssl_PickSignatureScheme(sslSocket *ss,
     slotDoesPss = PK11_DoesMechanism(slot, auth_alg_defs[ssl_auth_rsa_pss]);
     PK11_FreeSlot(slot);
 
-    keyType = SECKEY_GetPublicKeyType(pubKey);
-    if (keyType == ecKey) {
-        group = ssl_ECPubKey2NamedGroup(pubKey);
+    /* If the certificate SPKI indicates a single scheme, don't search. */
+    rv = ssl_SignatureSchemeFromSpki(&cert->subjectPublicKeyInfo,
+                                     isTLS13, &scheme);
+    if (rv != SECSuccess) {
+        return SECFailure;
     }
-
-    /* Here we look for the first local preference that the client has
-     * indicated support for in their signature_algorithms extension. */
-    for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
-        SSLHashType hashType;
-        SECOidTag hashOID;
-        SSLSignatureScheme preferred = ss->ssl3.signatureSchemes[i];
-        PRUint32 policy;
-
-        if (!ssl_SignatureSchemeValidForKey(!isTLS13 /* allowSha1 */,
-                                            isTLS13 /* matchGroup */,
-                                            keyType, group, preferred)) {
-            continue;
+    if (scheme != ssl_sig_none) {
+        if (!ssl_SignatureSchemeEnabled(ss, scheme) ||
+            !ssl_CanUseSignatureScheme(scheme, peerSchemes, peerSchemeCount,
+                                       requireSha1, slotDoesPss)) {
+            PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
+            return SECFailure;
         }
+        ss->ssl3.hs.signatureScheme = scheme;
+        return SECSuccess;
+    }
 
-        /* Skip RSA-PSS schemes when the certificate's private key slot does
-         * not support this signature mechanism. */
-        if (ssl_IsRsaPssSignatureScheme(preferred) && !slotDoesPss) {
-            continue;
-        }
+    spkiOid = SECOID_GetAlgorithmTag(&cert->subjectPublicKeyInfo.algorithm);
 
-        hashType = ssl_SignatureSchemeToHashType(preferred);
-        if (requireSha1 && (hashType != ssl_hash_sha1)) {
-            continue;
-        }
-        hashOID = ssl3_HashTypeToOID(hashType);
-        if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
-            !(policy & NSS_USE_ALG_IN_SSL_KX)) {
-            /* we ignore hashes we don't support */
-            continue;
-        }
+    /* Now we have to search based on the key type. Go through our preferred
+     * schemes in order and find the first that can be used. */
+    for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
+        scheme = ss->ssl3.signatureSchemes[i];
 
-        for (j = 0; j < peerSchemeCount; j++) {
-            if (peerSchemes[j] == preferred) {
-                ss->ssl3.hs.signatureScheme = preferred;
-                return SECSuccess;
-            }
+        if (ssl_SignatureSchemeValid(scheme, spkiOid, isTLS13) &&
+            ssl_CanUseSignatureScheme(scheme, peerSchemes, peerSchemeCount,
+                                      requireSha1, slotDoesPss)) {
+            ss->ssl3.hs.signatureScheme = scheme;
+            return SECSuccess;
         }
     }
 
@@ -5956,17 +6142,19 @@ ssl_PickFallbackSignatureScheme(sslSocket *ss, SECKEYPublicKey *pubKey)
 static SECStatus
 ssl3_PickServerSignatureScheme(sslSocket *ss)
 {
-    sslKeyPair *keyPair = ss->sec.serverCert->serverKeyPair;
+    const sslServerCert *cert = ss->sec.serverCert;
     PRBool isTLS12 = ss->version >= SSL_LIBRARY_VERSION_TLS_1_2;
 
     if (!isTLS12 || !ssl3_ExtensionNegotiated(ss, ssl_signature_algorithms_xtn)) {
         /* If the client didn't provide any signature_algorithms extension then
          * we can assume that they support SHA-1: RFC5246, Section 7.4.1.4.1. */
-        return ssl_PickFallbackSignatureScheme(ss, keyPair->pubKey);
+        return ssl_PickFallbackSignatureScheme(ss, cert->serverKeyPair->pubKey);
     }
 
     /* Sets error code, if needed. */
-    return ssl_PickSignatureScheme(ss, keyPair->pubKey, keyPair->privKey,
+    return ssl_PickSignatureScheme(ss, cert->serverCert,
+                                   cert->serverKeyPair->pubKey,
+                                   cert->serverKeyPair->privKey,
                                    ss->xtnData.sigSchemes,
                                    ss->xtnData.numSigSchemes,
                                    PR_FALSE /* requireSha1 */);
@@ -5977,23 +6165,18 @@ ssl_PickClientSignatureScheme(sslSocket *ss, const SSLSignatureScheme *schemes,
                               unsigned int numSchemes)
 {
     SECKEYPrivateKey *privKey = ss->ssl3.clientPrivateKey;
-    SECKEYPublicKey *pubKey;
     SECStatus rv;
-
     PRBool isTLS13 = (PRBool)ss->version >= SSL_LIBRARY_VERSION_TLS_1_3;
-    pubKey = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
+    SECKEYPublicKey *pubKey = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
+
     PORT_Assert(pubKey);
 
-    if (!isTLS13 && numSchemes == 0) {
-        /* If the server didn't provide any signature algorithms
-         * then let's assume they support SHA-1. */
-        rv = ssl_PickFallbackSignatureScheme(ss, pubKey);
-        SECKEY_DestroyPublicKey(pubKey);
-        return rv;
+    if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
+        /* We should have already checked that a signature scheme was
+         * listed in the request. */
+        PORT_Assert(schemes && numSchemes > 0);
     }
 
-    PORT_Assert(schemes && numSchemes > 0);
-
     if (!isTLS13 &&
         (SECKEY_GetPublicKeyType(pubKey) == rsaKey ||
          SECKEY_GetPublicKeyType(pubKey) == dsaKey) &&
@@ -6004,7 +6187,8 @@ ssl_PickClientSignatureScheme(sslSocket *ss, const SSLSignatureScheme *schemes,
          * older, DSA key size is at most 1024 bits and the hash function must
          * be SHA-1.
          */
-        rv = ssl_PickSignatureScheme(ss, pubKey, privKey, schemes, numSchemes,
+        rv = ssl_PickSignatureScheme(ss, ss->ssl3.clientCertificate,
+                                     pubKey, privKey, schemes, numSchemes,
                                      PR_TRUE /* requireSha1 */);
         if (rv == SECSuccess) {
             SECKEY_DestroyPublicKey(pubKey);
@@ -6013,7 +6197,8 @@ ssl_PickClientSignatureScheme(sslSocket *ss, const SSLSignatureScheme *schemes,
         /* If this fails, that's because the peer doesn't advertise SHA-1,
          * so fall back to the full negotiation. */
     }
-    rv = ssl_PickSignatureScheme(ss, pubKey, privKey, schemes, numSchemes,
+    rv = ssl_PickSignatureScheme(ss, ss->ssl3.clientCertificate,
+                                 pubKey, privKey, schemes, numSchemes,
                                  PR_FALSE /* requireSha1 */);
     SECKEY_DestroyPublicKey(pubKey);
     return rv;
@@ -6141,7 +6326,7 @@ ssl_ClientSetCipherSuite(sslSocket *ss, SSL3ProtocolVersion version,
         ssl3CipherSuiteCfg *suiteCfg = &ss->cipherSuites[i];
         if (suite == suiteCfg->cipher_suite) {
             SSLVersionRange vrange = { version, version };
-            if (!config_match(suiteCfg, ss->ssl3.policy, &vrange, ss)) {
+            if (!ssl3_config_match(suiteCfg, ss->ssl3.policy, &vrange, ss)) {
                 /* config_match already checks whether the cipher suite is
                  * acceptable for the version, but the check is repeated here
                  * in order to give a more precise error code. */
@@ -6201,18 +6386,56 @@ ssl_CheckServerSessionIdCorrectness(sslSocket *ss, SECItem *sidBytes)
 
     /* TLS 1.2: Session ID shouldn't match if we sent a fake. */
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
-        return !sentFakeSid || !sidMatch;
+        if (sentFakeSid) {
+            return !sidMatch;
+        }
+        return PR_TRUE;
     }
 
     /* TLS 1.3: We sent a session ID.  The server's should match. */
-    if (sentRealSid || sentFakeSid) {
+    if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) {
         return sidMatch;
     }
 
-    /* TLS 1.3: The server shouldn't send a session ID. */
+    /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */
     return sidBytes->len == 0;
 }
 
+static SECStatus
+ssl_CheckServerRandom(sslSocket *ss)
+{
+    /* Check the ServerHello.random per [RFC 8446 Section 4.1.3].
+     *
+     * TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below
+     * MUST check that the last 8 bytes are not equal to either of these
+     * values.  TLS 1.2 clients SHOULD also check that the last 8 bytes are
+     * not equal to the second value if the ServerHello indicates TLS 1.1 or
+     * below.  If a match is found, the client MUST abort the handshake with
+     * an "illegal_parameter" alert.
+     */
+    SSL3ProtocolVersion checkVersion =
+        ss->ssl3.downgradeCheckVersion ? ss->ssl3.downgradeCheckVersion
+                                       : ss->vrange.max;
+
+    if (checkVersion >= SSL_LIBRARY_VERSION_TLS_1_2 &&
+        checkVersion > ss->version) {
+        /* Both sections use the same sentinel region. */
+        PRUint8 *downgrade_sentinel =
+            ss->ssl3.hs.server_random +
+            SSL3_RANDOM_LENGTH - sizeof(tls13_downgrade_random);
+        if (!PORT_Memcmp(downgrade_sentinel,
+                         tls13_downgrade_random,
+                         sizeof(tls13_downgrade_random)) ||
+            !PORT_Memcmp(downgrade_sentinel,
+                         tls12_downgrade_random,
+                         sizeof(tls12_downgrade_random))) {
+            return SECFailure;
+        }
+    }
+
+    return SECSuccess;
+}
+
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 ServerHello message.
  * Caller must hold Handshake and RecvBuf locks.
@@ -6229,9 +6452,6 @@ ssl3_HandleServerHello(sslSocket *ss, PRUint8 *b, PRUint32 length)
     SSL3AlertDescription desc = illegal_parameter;
     const PRUint8 *savedMsg = b;
     const PRUint32 savedLength = length;
-#ifndef TLS_1_3_DRAFT_VERSION
-    SSL3ProtocolVersion downgradeCheckVersion;
-#endif
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello handshake",
                 SSL_GETPID(), ss->fd));
@@ -6341,9 +6561,20 @@ ssl3_HandleServerHello(sslSocket *ss, PRUint8 *b, PRUint32 length)
         goto alert_loser;
     }
 
-    /* The server didn't pick 1.3 although we either received a
-     * HelloRetryRequest, or we prepared to send early app data. */
+    /* There are three situations in which the server must pick
+     * TLS 1.3.
+     *
+     * 1. We offered ESNI.
+     * 2. We received HRR
+     * 3. We sent early app data.
+     *
+     */
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
+        if (ss->xtnData.esniPrivateKey) {
+            desc = protocol_version;
+            errCode = SSL_ERROR_UNSUPPORTED_VERSION;
+            goto alert_loser;
+        }
         if (isHelloRetry || ss->ssl3.hs.helloRetry) {
             /* SSL3_SendAlert() will uncache the SID. */
             desc = illegal_parameter;
@@ -6368,39 +6599,19 @@ ssl3_HandleServerHello(sslSocket *ss, PRUint8 *b, PRUint32 length)
         goto alert_loser;
     }
 
-#ifndef TLS_1_3_DRAFT_VERSION
-    /* Check the ServerHello.random per
-     * [draft-ietf-tls-tls13-11 Section 6.3.1.1].
-     *
-     * TLS 1.3 clients receiving a TLS 1.2 or below ServerHello MUST check
-     * that the top eight octets are not equal to either of these values.
-     * TLS 1.2 clients SHOULD also perform this check if the ServerHello
-     * indicates TLS 1.1 or below.  If a match is found the client MUST
-     * abort the handshake with a fatal "illegal_parameter" alert.
-     *
-     * Disable this test during the TLS 1.3 draft version period.
-     */
-    downgradeCheckVersion = ss->ssl3.downgradeCheckVersion ? ss->ssl3.downgradeCheckVersion
-                                                           : ss->vrange.max;
-
-    if (downgradeCheckVersion >= SSL_LIBRARY_VERSION_TLS_1_2 &&
-        downgradeCheckVersion > ss->version) {
-        /* Both sections use the same sentinel region. */
-        PRUint8 *downgrade_sentinel =
-            ss->ssl3.hs.server_random +
-            SSL3_RANDOM_LENGTH - sizeof(tls13_downgrade_random);
-        if (!PORT_Memcmp(downgrade_sentinel,
-                         tls13_downgrade_random,
-                         sizeof(tls13_downgrade_random)) ||
-            !PORT_Memcmp(downgrade_sentinel,
-                         tls12_downgrade_random,
-                         sizeof(tls12_downgrade_random))) {
+    if (ss->opt.enableHelloDowngradeCheck
+#ifdef DTLS_1_3_DRAFT_VERSION
+        /* Disable this check while we are on draft DTLS 1.3 versions. */
+        && !IS_DTLS(ss)
+#endif
+            ) {
+        rv = ssl_CheckServerRandom(ss);
+        if (rv != SECSuccess) {
             desc = illegal_parameter;
             errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO;
             goto alert_loser;
         }
     }
-#endif
 
     /* Finally, now all the version-related checks have passed. */
     ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version;
@@ -6776,12 +6987,12 @@ ssl_HandleDHServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length)
     if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
         rv = ssl_ConsumeSignatureScheme(ss, &b, &length, &sigScheme);
         if (rv != SECSuccess) {
-            goto loser; /* malformed or unsupported. */
+            goto alert_loser; /* malformed or unsupported. */
         }
         rv = ssl_CheckSignatureSchemeConsistency(ss, sigScheme,
                                                  ss->sec.peerCert);
         if (rv != SECSuccess) {
-            goto loser;
+            goto alert_loser;
         }
         hashAlg = ssl_SignatureSchemeToHashType(sigScheme);
     } else {
@@ -7005,7 +7216,8 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena,
     SECStatus rv;
     SECItem buf;
     SSLSignatureScheme *schemes = NULL;
-    unsigned int numSchemes = 0;
+    unsigned int numSupported = 0;
+    unsigned int numRemaining = 0;
     unsigned int max;
 
     rv = ssl3_ExtConsumeHandshakeVariable(ss, &buf, 2, b, len);
@@ -7024,7 +7236,8 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena,
     }
 
     /* Limit the number of schemes we read. */
-    max = PR_MIN(buf.len / 2, MAX_SIGNATURE_SCHEMES);
+    numRemaining = buf.len / 2;
+    max = PR_MIN(numRemaining, MAX_SIGNATURE_SCHEMES);
 
     if (arena) {
         schemes = PORT_ArenaZNewArray(arena, SSLSignatureScheme, max);
@@ -7036,7 +7249,7 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena,
         return SECFailure;
     }
 
-    for (; max; --max) {
+    for (; numRemaining && numSupported < MAX_SIGNATURE_SCHEMES; --numRemaining) {
         PRUint32 tmp;
         rv = ssl3_ExtConsumeHandshakeNumber(ss, &tmp, 2, &buf.data, &buf.len);
         if (rv != SECSuccess) {
@@ -7045,11 +7258,11 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena,
             return SECFailure;
         }
         if (ssl_IsSupportedSignatureScheme((SSLSignatureScheme)tmp)) {
-            schemes[numSchemes++] = (SSLSignatureScheme)tmp;
+            schemes[numSupported++] = (SSLSignatureScheme)tmp;
         }
     }
 
-    if (!numSchemes) {
+    if (!numSupported) {
         if (!arena) {
             PORT_Free(schemes);
         }
@@ -7058,7 +7271,7 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena,
 
 done:
     *schemesOut = schemes;
-    *numSchemesOut = numSchemes;
+    *numSchemesOut = numSupported;
     return SECSuccess;
 }
 
@@ -7114,6 +7327,11 @@ ssl3_HandleCertificateRequest(sslSocket *ss, PRUint8 *b, PRUint32 length)
             PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_REQUEST);
             goto loser; /* malformed, alert has been sent */
         }
+        if (signatureSchemeCount == 0) {
+            errCode = SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM;
+            desc = handshake_failure;
+            goto alert_loser;
+        }
     }
 
     rv = ssl3_ParseCertificateRequestCAs(ss, &b, &length, &ca_list);
@@ -7239,16 +7457,25 @@ ssl3_CheckFalseStart(sslSocket *ss)
         SSL_TRC(3, ("%d: SSL[%d]: no false start callback so no false start",
                     SSL_GETPID(), ss->fd));
     } else {
-        PRBool maybeFalseStart;
+        PRBool maybeFalseStart = PR_TRUE;
         SECStatus rv;
 
+        rv = ssl_CheckServerRandom(ss);
+        if (rv != SECSuccess) {
+            SSL_TRC(3, ("%d: SSL[%d]: no false start due to possible downgrade",
+                        SSL_GETPID(), ss->fd));
+            maybeFalseStart = PR_FALSE;
+        }
+
         /* An attacker can control the selected ciphersuite so we only wish to
          * do False Start in the case that the selected ciphersuite is
          * sufficiently strong that the attack can gain no advantage.
          * Therefore we always require an 80-bit cipher. */
-        ssl_GetSpecReadLock(ss);
-        maybeFalseStart = ss->ssl3.cwSpec->cipherDef->secret_key_size >= 10;
-        ssl_ReleaseSpecReadLock(ss);
+        if (maybeFalseStart) {
+            ssl_GetSpecReadLock(ss);
+            maybeFalseStart = ss->ssl3.cwSpec->cipherDef->secret_key_size >= 10;
+            ssl_ReleaseSpecReadLock(ss);
+        }
 
         if (!maybeFalseStart) {
             SSL_TRC(3, ("%d: SSL[%d]: no false start due to weak cipher",
@@ -7647,6 +7874,30 @@ ssl3_KEASupportsTickets(const ssl3KEADef *kea_def)
     return PR_TRUE;
 }
 
+SECStatus
+ssl3_NegotiateCipherSuiteInner(sslSocket *ss, const SECItem *suites,
+                               PRUint16 version, PRUint16 *suitep)
+{
+    unsigned int j;
+    unsigned int i;
+
+    for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
+        ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
+        SSLVersionRange vrange = { version, version };
+        if (!ssl3_config_match(suite, ss->ssl3.policy, &vrange, ss)) {
+            continue;
+        }
+        for (i = 0; i + 1 < suites->len; i += 2) {
+            PRUint16 suite_i = (suites->data[i] << 8) | suites->data[i + 1];
+            if (suite_i == suite->cipher_suite) {
+                *suitep = suite_i;
+                return SECSuccess;
+            }
+        }
+    }
+    return SECFailure;
+}
+
 /* Select a cipher suite.
 **
 ** NOTE: This suite selection algorithm should be the same as the one in
@@ -7665,24 +7916,16 @@ SECStatus
 ssl3_NegotiateCipherSuite(sslSocket *ss, const SECItem *suites,
                           PRBool initHashes)
 {
-    unsigned int j;
-    unsigned int i;
+    PRUint16 selected;
+    SECStatus rv;
 
-    for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
-        ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
-        SSLVersionRange vrange = { ss->version, ss->version };
-        if (!config_match(suite, ss->ssl3.policy, &vrange, ss)) {
-            continue;
-        }
-        for (i = 0; i + 1 < suites->len; i += 2) {
-            PRUint16 suite_i = (suites->data[i] << 8) | suites->data[i + 1];
-            if (suite_i == suite->cipher_suite) {
-                ss->ssl3.hs.cipher_suite = suite_i;
-                return ssl3_SetupCipherSuite(ss, initHashes);
-            }
-        }
+    rv = ssl3_NegotiateCipherSuiteInner(ss, suites, ss->version, &selected);
+    if (rv != SECSuccess) {
+        return SECFailure;
     }
-    return SECFailure;
+
+    ss->ssl3.hs.cipher_suite = selected;
+    return ssl3_SetupCipherSuite(ss, initHashes);
 }
 
 /*
@@ -7814,9 +8057,12 @@ ssl3_ServerCallSNICallback(sslSocket *ss)
                 }
                 /* Need to tell the client that application has picked
                  * the name from the offered list and reconfigured the socket.
+                 * Don't do this if we negotiated ESNI.
                  */
-                ssl3_RegisterExtensionSender(ss, &ss->xtnData, ssl_server_name_xtn,
-                                             ssl_SendEmptyExtension);
+                if (!ssl3_ExtensionNegotiated(ss, ssl_tls13_encrypted_sni_xtn)) {
+                    ssl3_RegisterExtensionSender(ss, &ss->xtnData, ssl_server_name_xtn,
+                                                 ssl_SendEmptyExtension);
+                }
             } else {
                 /* Callback returned index outside of the boundary. */
                 PORT_Assert((unsigned int)ret < ss->xtnData.sniNameArrSize);
@@ -7845,6 +8091,7 @@ ssl3_SelectServerCert(sslSocket *ss)
 {
     const ssl3KEADef *kea_def = ss->ssl3.hs.kea_def;
     PRCList *cursor;
+    SECStatus rv;
 
     /* If the client didn't include the supported groups extension, assume just
      * P-256 support and disable all the other ECDHE groups.  This also affects
@@ -7870,30 +8117,102 @@ ssl3_SelectServerCert(sslSocket *ss)
          cursor != &ss->serverCerts;
          cursor = PR_NEXT_LINK(cursor)) {
         sslServerCert *cert = (sslServerCert *)cursor;
-        if (!SSL_CERT_IS(cert, kea_def->authKeyType)) {
-            continue;
-        }
-        if (SSL_CERT_IS_EC(cert) &&
-            !ssl_NamedGroupEnabled(ss, cert->namedCurve)) {
-            continue;
+        if (kea_def->authKeyType == ssl_auth_rsa_sign) {
+            /* We consider PSS certificates here as well for TLS 1.2. */
+            if (!SSL_CERT_IS(cert, ssl_auth_rsa_sign) &&
+                (!SSL_CERT_IS(cert, ssl_auth_rsa_pss) ||
+                 ss->version < SSL_LIBRARY_VERSION_TLS_1_2)) {
+                continue;
+            }
+        } else {
+            if (!SSL_CERT_IS(cert, kea_def->authKeyType)) {
+                continue;
+            }
+            if (SSL_CERT_IS_EC(cert) &&
+                !ssl_NamedGroupEnabled(ss, cert->namedCurve)) {
+                continue;
+            }
         }
 
         /* Found one. */
         ss->sec.serverCert = cert;
-        ss->sec.authType = kea_def->authKeyType;
         ss->sec.authKeyBits = cert->serverKeyBits;
 
         /* Don't pick a signature scheme if we aren't going to use it. */
         if (kea_def->signKeyType == nullKey) {
+            ss->sec.authType = kea_def->authKeyType;
             return SECSuccess;
         }
-        return ssl3_PickServerSignatureScheme(ss);
+
+        rv = ssl3_PickServerSignatureScheme(ss);
+        if (rv != SECSuccess) {
+            return SECFailure;
+        }
+        ss->sec.authType =
+            ssl_SignatureSchemeToAuthType(ss->ssl3.hs.signatureScheme);
+        return SECSuccess;
     }
 
     PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
     return SECFailure;
 }
 
+static SECStatus
+ssl_GenerateServerRandom(sslSocket *ss)
+{
+    SECStatus rv = ssl3_GetNewRandom(ss->ssl3.hs.server_random);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    if (ss->version == ss->vrange.max) {
+        return SECSuccess;
+    }
+#ifdef DTLS_1_3_DRAFT_VERSION
+    if (IS_DTLS(ss)) {
+        return SECSuccess;
+    }
+#endif
+
+    /*
+     * [RFC 8446 Section 4.1.3].
+     *
+     * TLS 1.3 servers which negotiate TLS 1.2 or below in response to a
+     * ClientHello MUST set the last 8 bytes of their Random value specially in
+     * their ServerHello.
+     *
+     * If negotiating TLS 1.2, TLS 1.3 servers MUST set the last 8 bytes of
+     * their Random value to the bytes:
+     *
+     *   44 4F 57 4E 47 52 44 01
+     *
+     * If negotiating TLS 1.1 or below, TLS 1.3 servers MUST, and TLS 1.2
+     * servers SHOULD, set the last 8 bytes of their ServerHello.Random value to
+     * the bytes:
+     *
+     *   44 4F 57 4E 47 52 44 00
+     */
+    PRUint8 *downgradeSentinel =
+        ss->ssl3.hs.server_random +
+        SSL3_RANDOM_LENGTH - sizeof(tls13_downgrade_random);
+
+    switch (ss->vrange.max) {
+        case SSL_LIBRARY_VERSION_TLS_1_3:
+            PORT_Memcpy(downgradeSentinel,
+                        tls13_downgrade_random, sizeof(tls13_downgrade_random));
+            break;
+        case SSL_LIBRARY_VERSION_TLS_1_2:
+            PORT_Memcpy(downgradeSentinel,
+                        tls12_downgrade_random, sizeof(tls12_downgrade_random));
+            break;
+        default:
+            /* Do not change random. */
+            break;
+    }
+
+    return SECSuccess;
+}
+
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 Client Hello message.
  * Caller must hold Handshake and RecvBuf locks.
@@ -8088,56 +8407,6 @@ ssl3_HandleClientHello(sslSocket *ss, PRUint8 *b, PRUint32 length)
         }
     }
 
-    /* Generate the Server Random now so it is available
-     * when we process the ClientKeyShare in TLS 1.3 */
-    rv = ssl3_GetNewRandom(ss->ssl3.hs.server_random);
-    if (rv != SECSuccess) {
-        errCode = SSL_ERROR_GENERATE_RANDOM_FAILURE;
-        goto loser;
-    }
-
-#ifndef TLS_1_3_DRAFT_VERSION
-    /*
-     * [draft-ietf-tls-tls13-11 Section 6.3.1.1].
-     * TLS 1.3 server implementations which respond to a ClientHello with a
-     * client_version indicating TLS 1.2 or below MUST set the last eight
-     * bytes of their Random value to the bytes:
-     *
-     * 44 4F 57 4E 47 52 44 01
-     *
-     * TLS 1.2 server implementations which respond to a ClientHello with a
-     * client_version indicating TLS 1.1 or below SHOULD set the last eight
-     * bytes of their Random value to the bytes:
-     *
-     * 44 4F 57 4E 47 52 44 00
-     *
-     * TODO(ekr@rtfm.com): Note this change was not added in the SSLv2
-     * compat processing code since that will most likely be removed before
-     * we ship the final version of TLS 1.3. Bug 1306672.
-     */
-    if (ss->vrange.max > ss->version) {
-        PRUint8 *downgrade_sentinel =
-            ss->ssl3.hs.server_random +
-            SSL3_RANDOM_LENGTH - sizeof(tls13_downgrade_random);
-
-        switch (ss->vrange.max) {
-            case SSL_LIBRARY_VERSION_TLS_1_3:
-                PORT_Memcpy(downgrade_sentinel,
-                            tls13_downgrade_random,
-                            sizeof(tls13_downgrade_random));
-                break;
-            case SSL_LIBRARY_VERSION_TLS_1_2:
-                PORT_Memcpy(downgrade_sentinel,
-                            tls12_downgrade_random,
-                            sizeof(tls12_downgrade_random));
-                break;
-            default:
-                /* Do not change random. */
-                break;
-        }
-    }
-#endif
-
     /* If there is a cookie, then this is a second ClientHello (TLS 1.3). */
     if (ssl3_FindExtension(ss, ssl_tls13_cookie_xtn)) {
         ss->ssl3.hs.helloRetry = PR_TRUE;
@@ -8397,7 +8666,7 @@ ssl3_HandleClientHelloPart2(sslSocket *ss,
              * The product policy won't change during the process lifetime.
              * Implemented ("isPresent") shouldn't change for servers.
              */
-            if (!config_match(suite, ss->ssl3.policy, &vrange, ss))
+            if (!ssl3_config_match(suite, ss->ssl3.policy, &vrange, ss))
                 break;
 #else
             if (!suite->enabled)
@@ -8779,7 +9048,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, unsigned int leng
     for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
         ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
         SSLVersionRange vrange = { ss->version, ss->version };
-        if (!config_match(suite, ss->ssl3.policy, &vrange, ss)) {
+        if (!ssl3_config_match(suite, ss->ssl3.policy, &vrange, ss)) {
             continue;
         }
         for (i = 0; i + 2 < suite_length; i += 3) {
@@ -8884,6 +9153,7 @@ ssl_ConstructServerHello(sslSocket *ss, PRBool helloRetry,
     SECStatus rv;
     SSL3ProtocolVersion version;
     sslSessionID *sid = ss->sec.ci.sid;
+    const PRUint8 *random;
 
     version = PR_MIN(ss->version, SSL_LIBRARY_VERSION_TLS_1_2);
     if (IS_DTLS(ss)) {
@@ -8893,9 +9163,17 @@ ssl_ConstructServerHello(sslSocket *ss, PRBool helloRetry,
     if (rv != SECSuccess) {
         return SECFailure;
     }
-    /* Random already generated in ssl3_HandleClientHello */
-    rv = sslBuffer_Append(messageBuf, helloRetry ? ssl_hello_retry_random : ss->ssl3.hs.server_random,
-                          SSL3_RANDOM_LENGTH);
+
+    if (helloRetry) {
+        random = ssl_hello_retry_random;
+    } else {
+        rv = ssl_GenerateServerRandom(ss);
+        if (rv != SECSuccess) {
+            return SECFailure;
+        }
+        random = ss->ssl3.hs.server_random;
+    }
+    rv = sslBuffer_Append(messageBuf, random, SSL3_RANDOM_LENGTH);
     if (rv != SECSuccess) {
         return SECFailure;
     }
@@ -9368,7 +9646,7 @@ ssl3_HandleCertificateVerify(sslSocket *ss, PRUint8 *b, PRUint32 length)
                                                  ss->sec.peerCert);
         if (rv != SECSuccess) {
             errCode = PORT_GetError();
-            desc = decrypt_error;
+            desc = illegal_parameter;
             goto alert_loser;
         }
 
@@ -9501,6 +9779,23 @@ ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
     return pms;
 }
 
+static void
+ssl3_CSwapPK11SymKey(PK11SymKey **x, PK11SymKey **y, PRBool c)
+{
+    uintptr_t mask = (uintptr_t)c;
+    unsigned int i;
+    for (i = 1; i < sizeof(uintptr_t) * 8; i <<= 1) {
+        mask |= mask << i;
+    }
+    uintptr_t x_ptr = (uintptr_t)*x;
+    uintptr_t y_ptr = (uintptr_t)*y;
+    uintptr_t tmp = (x_ptr ^ y_ptr) & mask;
+    x_ptr = x_ptr ^ tmp;
+    y_ptr = y_ptr ^ tmp;
+    *x = (PK11SymKey *)x_ptr;
+    *y = (PK11SymKey *)y_ptr;
+}
+
 /* Note: The Bleichenbacher attack on PKCS#1 necessitates that we NEVER
  * return any indication of failure of the Client Key Exchange message,
  * where that failure is caused by the content of the client's message.
@@ -9521,9 +9816,9 @@ ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
 {
     SECStatus rv;
     SECItem enc_pms;
-    PK11SymKey *tmpPms[2] = { NULL, NULL };
-    PK11SlotInfo *slot;
-    int useFauxPms = 0;
+    PK11SymKey *pms = NULL;
+    PK11SymKey *fauxPms = NULL;
+    PK11SlotInfo *slot = NULL;
 
     PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
@@ -9544,11 +9839,6 @@ ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
         }
     }
 
-#define currentPms tmpPms[!useFauxPms]
-#define unusedPms tmpPms[useFauxPms]
-#define realPms tmpPms[1]
-#define fauxPms tmpPms[0]
-
     /*
      * Get as close to algorithm 2 from RFC 5246; Section 7.4.7.1
      * as we can within the constraints of the PKCS#11 interface.
@@ -9603,40 +9893,33 @@ ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
      *  the unwrap.  Rather, it is the mechanism with which the
      *      unwrapped pms will be used.
      */
-    realPms = PK11_PubUnwrapSymKey(serverKeyPair->privKey, &enc_pms,
-                                   CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
+    pms = PK11_PubUnwrapSymKey(serverKeyPair->privKey, &enc_pms,
+                               CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
     /* Temporarily use the PMS if unwrapping the real PMS fails. */
-    useFauxPms |= (realPms == NULL);
+    ssl3_CSwapPK11SymKey(&pms, &fauxPms, pms == NULL);
 
     /* Attempt to derive the MS from the PMS. This is the only way to
      * check the version field in the RSA PMS. If this fails, we
      * then use the faux PMS in place of the PMS. Note that this
      * operation should never fail if we are using the faux PMS
      * since it is correctly formatted. */
-    rv = ssl3_ComputeMasterSecret(ss, currentPms, NULL);
-
-    /* If we succeeded, then select the true PMS and discard the
-     * FPMS. Else, select the FPMS and select the true PMS */
-    useFauxPms |= (rv != SECSuccess);
+    rv = ssl3_ComputeMasterSecret(ss, pms, NULL);
 
-    if (unusedPms) {
-        PK11_FreeSymKey(unusedPms);
-    }
+    /* If we succeeded, then select the true PMS, else select the FPMS. */
+    ssl3_CSwapPK11SymKey(&pms, &fauxPms, (rv != SECSuccess) & (fauxPms != NULL));
 
     /* This step will derive the MS from the PMS, among other things. */
-    rv = ssl3_InitPendingCipherSpecs(ss, currentPms, PR_TRUE);
-    PK11_FreeSymKey(currentPms);
+    rv = ssl3_InitPendingCipherSpecs(ss, pms, PR_TRUE);
+
+    /* Clear both PMS. */
+    PK11_FreeSymKey(pms);
+    PK11_FreeSymKey(fauxPms);
 
     if (rv != SECSuccess) {
         (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
         return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
     }
 
-#undef currentPms
-#undef unusedPms
-#undef realPms
-#undef fauxPms
-
     return SECSuccess;
 }
 
@@ -10429,6 +10712,9 @@ ssl3_AuthCertificate(sslSocket *ss)
                                            PR_TRUE, isServer);
     if (rv != SECSuccess) {
         errCode = PORT_GetError();
+        if (errCode == 0) {
+            errCode = SSL_ERROR_BAD_CERTIFICATE;
+        }
         if (rv != SECWouldBlock) {
             if (ss->handleBadCert) {
                 rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd);
@@ -11252,7 +11538,7 @@ ssl3_FinishHandshake(sslSocket *ss)
 }
 
 SECStatus
-ssl_HashHandshakeMessageInt(sslSocket *ss, SSLHandshakeType type,
+ssl_HashHandshakeMessageInt(sslSocket *ss, SSLHandshakeType ct,
                             PRUint32 dtlsSeq,
                             const PRUint8 *b, PRUint32 length)
 {
@@ -11262,7 +11548,7 @@ ssl_HashHandshakeMessageInt(sslSocket *ss, SSLHandshakeType type,
 
     PRINT_BUF(50, (ss, "Hash handshake message:", b, length));
 
-    hdr[0] = (PRUint8)type;
+    hdr[0] = (PRUint8)ct;
     hdr[1] = (PRUint8)(length >> 16);
     hdr[2] = (PRUint8)(length >> 8);
     hdr[3] = (PRUint8)(length);
@@ -11302,10 +11588,10 @@ ssl_HashHandshakeMessageInt(sslSocket *ss, SSLHandshakeType type,
 }
 
 SECStatus
-ssl_HashHandshakeMessage(sslSocket *ss, SSLHandshakeType type,
+ssl_HashHandshakeMessage(sslSocket *ss, SSLHandshakeType ct,
                          const PRUint8 *b, PRUint32 length)
 {
-    return ssl_HashHandshakeMessageInt(ss, type, ss->ssl3.hs.recvMessageSeq,
+    return ssl_HashHandshakeMessageInt(ss, ct, ss->ssl3.hs.recvMessageSeq,
                                        b, length);
 }
 
@@ -11885,7 +12171,7 @@ ssl3_UnprotectRecord(sslSocket *ss,
     PRBool isTLS;
     unsigned int good;
     unsigned int ivLen = 0;
-    SSL3ContentType rType;
+    SSLContentType rType;
     SSL3ProtocolVersion rVersion;
     unsigned int minLength;
     unsigned int originalLen = 0;
@@ -11959,7 +12245,7 @@ ssl3_UnprotectRecord(sslSocket *ss,
         return SECFailure;
     }
 
-    rType = (SSL3ContentType)cText->hdr[0];
+    rType = (SSLContentType)cText->hdr[0];
     rVersion = ((SSL3ProtocolVersion)cText->hdr[1] << 8) |
                (SSL3ProtocolVersion)cText->hdr[2];
     if (cipher_def->type == type_aead) {
@@ -12071,7 +12357,7 @@ ssl3_UnprotectRecord(sslSocket *ss,
 }
 
 SECStatus
-ssl3_HandleNonApplicationData(sslSocket *ss, SSL3ContentType rType,
+ssl3_HandleNonApplicationData(sslSocket *ss, SSLContentType rType,
                               DTLSEpoch epoch, sslSequenceNumber seqNum,
                               sslBuffer *databuf)
 {
@@ -12089,20 +12375,20 @@ ssl3_HandleNonApplicationData(sslSocket *ss, SSL3ContentType rType,
     ** they return SECFailure or SECWouldBlock.
     */
     switch (rType) {
-        case content_change_cipher_spec:
+        case ssl_ct_change_cipher_spec:
             rv = ssl3_HandleChangeCipherSpecs(ss, databuf);
             break;
-        case content_alert:
+        case ssl_ct_alert:
             rv = ssl3_HandleAlert(ss, databuf);
             break;
-        case content_handshake:
+        case ssl_ct_handshake:
             if (!IS_DTLS(ss)) {
                 rv = ssl3_HandleHandshake(ss, databuf);
             } else {
                 rv = dtls_HandleHandshake(ss, epoch, seqNum, databuf);
             }
             break;
-        case content_ack:
+        case ssl_ct_ack:
             if (IS_DTLS(ss) && tls13_MaybeTls13(ss)) {
                 rv = dtls13_HandleAck(ss, databuf);
                 break;
@@ -12190,7 +12476,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText)
     ssl3CipherSpec *spec = NULL;
     PRUint16 recordSizeLimit;
     PRBool outOfOrderSpec = PR_FALSE;
-    SSL3ContentType rType;
+    SSLContentType rType;
     sslBuffer *plaintext = &ss->gs.buf;
     SSL3AlertDescription alert = internal_error;
     PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
@@ -12208,7 +12494,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText)
     /* We're waiting for another ClientHello, which will appear unencrypted.
      * Use the content type to tell whether this should be discarded. */
     if (ss->ssl3.hs.zeroRttIgnore == ssl_0rtt_ignore_hrr &&
-        cText->hdr[0] == content_application_data) {
+        cText->hdr[0] == ssl_ct_application_data) {
         PORT_Assert(ss->ssl3.hs.ws == wait_client_hello);
         return SECSuccess;
     }
@@ -12269,7 +12555,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText)
     /* Encrypted application data records could arrive before the handshake
      * completes in DTLS 1.3. These can look like valid TLS 1.2 application_data
      * records in epoch 0, which is never valid. Pretend they didn't decrypt. */
-    if (spec->epoch == 0 && rType == content_application_data) {
+    if (spec->epoch == 0 && rType == ssl_ct_application_data) {
         PORT_SetError(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA);
         alert = unexpected_message;
         rv = SECFailure;
@@ -12304,7 +12590,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText)
          * 0-RTT session that is resumed from a session that did negotiate it.
          * We don't care about that corner case right now. */
         if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 &&
-            cText->hdr[0] == content_change_cipher_spec &&
+            cText->hdr[0] == ssl_ct_change_cipher_spec &&
             ss->ssl3.hs.ws != idle_handshake &&
             cText->buf->len == 1 &&
             cText->buf->buf[0] == change_cipher_spec_choice) {
@@ -12364,7 +12650,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText)
     /* Application data records are processed by the caller of this
     ** function, not by this function.
     */
-    if (rType == content_application_data) {
+    if (rType == ssl_ct_application_data) {
         if (ss->firstHsDone)
             return SECSuccess;
         if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 &&
diff --git a/security/nss/lib/ssl/ssl3ecc.c b/security/nss/lib/ssl/ssl3ecc.c
index f8b9a9400..52d5bb515 100644
--- a/security/nss/lib/ssl/ssl3ecc.c
+++ b/security/nss/lib/ssl/ssl3ecc.c
@@ -327,16 +327,13 @@ ssl3_HandleECDHClientKeyExchange(sslSocket *ss, PRUint8 *b,
 ** Take an encoded key share and make a public key out of it.
 */
 SECStatus
-ssl_ImportECDHKeyShare(sslSocket *ss, SECKEYPublicKey *peerKey,
+ssl_ImportECDHKeyShare(SECKEYPublicKey *peerKey,
                        PRUint8 *b, PRUint32 length,
                        const sslNamedGroupDef *ecGroup)
 {
     SECStatus rv;
     SECItem ecPoint = { siBuffer, NULL, 0 };
 
-    PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
-    PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-
     if (!length) {
         PORT_SetError(SSL_ERROR_RX_MALFORMED_ECDHE_KEY_SHARE);
         return SECFailure;
@@ -616,7 +613,7 @@ ssl3_HandleECDHServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length)
     peerKey->arena = arena;
 
     /* create public key from point data */
-    rv = ssl_ImportECDHKeyShare(ss, peerKey, ec_point.data, ec_point.len,
+    rv = ssl_ImportECDHKeyShare(peerKey, ec_point.data, ec_point.len,
                                 ecGroup);
     if (rv != SECSuccess) {
         /* error code is set */
diff --git a/security/nss/lib/ssl/ssl3ext.c b/security/nss/lib/ssl/ssl3ext.c
index 9b6c719f8..60b5889e7 100644
--- a/security/nss/lib/ssl/ssl3ext.c
+++ b/security/nss/lib/ssl/ssl3ext.c
@@ -50,6 +50,7 @@ static const ssl3ExtensionHandler clientHelloHandlers[] = {
     { ssl_tls13_early_data_xtn, &tls13_ServerHandleEarlyDataXtn },
     { ssl_tls13_psk_key_exchange_modes_xtn, &tls13_ServerHandlePskModesXtn },
     { ssl_tls13_cookie_xtn, &tls13_ServerHandleCookieXtn },
+    { ssl_tls13_encrypted_sni_xtn, &tls13_ServerHandleEsniXtn },
     { ssl_record_size_limit_xtn, &ssl_HandleRecordSizeLimitXtn },
     { 0, NULL }
 };
@@ -136,6 +137,7 @@ static const sslExtensionBuilder clientHelloSendersTLS[] =
       { ssl_signature_algorithms_xtn, &ssl3_SendSigAlgsXtn },
       { ssl_tls13_cookie_xtn, &tls13_ClientSendHrrCookieXtn },
       { ssl_tls13_psk_key_exchange_modes_xtn, &tls13_ClientSendPskModesXtn },
+      { ssl_tls13_encrypted_sni_xtn, &tls13_ClientSendEsniXtn },
       { ssl_record_size_limit_xtn, &ssl_SendRecordSizeLimitXtn },
       /* The pre_shared_key extension MUST be last. */
       { ssl_tls13_pre_shared_key_xtn, &tls13_ClientSendPreSharedKeyXtn },
@@ -338,8 +340,6 @@ ssl3_ParseExtensions(sslSocket *ss, PRUint8 **b, PRUint32 *length)
             return SECFailure; /* alert already sent */
         }
 
-        SSL_TRC(10, ("%d: SSL3[%d]: parsing extension %d",
-                     SSL_GETPID(), ss->fd, extension_type));
         /* Check whether an extension has been sent multiple times. */
         for (cursor = PR_NEXT_LINK(&ss->ssl3.hs.remoteExtensions);
              cursor != &ss->ssl3.hs.remoteExtensions;
@@ -357,6 +357,9 @@ ssl3_ParseExtensions(sslSocket *ss, PRUint8 **b, PRUint32 *length)
             return rv; /* alert already sent */
         }
 
+        SSL_TRC(10, ("%d: SSL3[%d]: parsed extension %d len=%u",
+                     SSL_GETPID(), ss->fd, extension_type, extension_data.len));
+
         extension = PORT_ZNew(TLSExtension);
         if (!extension) {
             return SECFailure;
@@ -409,7 +412,9 @@ ssl_CallExtensionHandler(sslSocket *ss, SSLHandshakeType handshakeMessage,
         /* Find extension_type in table of Hello Extension Handlers. */
         for (; handler->ex_handler != NULL; ++handler) {
             if (handler->ex_type == extension->type) {
-                rv = (*handler->ex_handler)(ss, &ss->xtnData, &extension->data);
+                SECItem tmp = extension->data;
+
+                rv = (*handler->ex_handler)(ss, &ss->xtnData, &tmp);
                 break;
             }
         }
@@ -960,6 +965,8 @@ ssl3_DestroyExtensionData(TLSExtensionData *xtnData)
         xtnData->certReqAuthorities.arena = NULL;
     }
     PORT_Free(xtnData->advertised);
+    ssl_FreeEphemeralKeyPair(xtnData->esniPrivateKey);
+    SECITEM_FreeItem(&xtnData->keyShareExtension, PR_FALSE);
 }
 
 /* Free everything that has been allocated and then reset back to
diff --git a/security/nss/lib/ssl/ssl3ext.h b/security/nss/lib/ssl/ssl3ext.h
index 6d77c7459..d96b4cffe 100644
--- a/security/nss/lib/ssl/ssl3ext.h
+++ b/security/nss/lib/ssl/ssl3ext.h
@@ -11,6 +11,8 @@
 
 #include "sslencode.h"
 
+#define TLS13_ESNI_NONCE_SIZE 16
+
 typedef enum {
     sni_nametype_hostname
 } SNINameType;
@@ -101,6 +103,14 @@ struct TLSExtensionDataStr {
 
     /* The record size limit set by the peer. Our value is kept in ss->opt. */
     PRUint16 recordSizeLimit;
+
+    /* ESNI working state */
+    SECItem keyShareExtension;
+    ssl3CipherSuite esniSuite;
+    sslEphemeralKeyPair *esniPrivateKey;
+    /* Pointer into |ss->esniKeys->keyShares| */
+    TLS13KeyShareEntry *peerEsniShare;
+    PRUint8 esniNonce[TLS13_ESNI_NONCE_SIZE];
 };
 
 typedef struct TLSExtensionStr {
diff --git a/security/nss/lib/ssl/ssl3exthandle.c b/security/nss/lib/ssl/ssl3exthandle.c
index d1f286dc3..a2d83fa97 100644
--- a/security/nss/lib/ssl/ssl3exthandle.c
+++ b/security/nss/lib/ssl/ssl3exthandle.c
@@ -15,30 +15,40 @@
 #include "selfencrypt.h"
 #include "ssl3ext.h"
 #include "ssl3exthandle.h"
+#include "tls13esni.h"
 #include "tls13exthandle.h" /* For tls13_ServerSendStatusRequestXtn. */
 
+PRBool
+ssl_ShouldSendSNIExtension(const sslSocket *ss, const char *url)
+{
+    PRNetAddr netAddr;
+
+    /* must have a hostname */
+    if (!url || !url[0]) {
+        return PR_FALSE;
+    }
+    /* must not be an IPv4 or IPv6 address */
+    if (PR_SUCCESS == PR_StringToNetAddr(url, &netAddr)) {
+        /* is an IP address (v4 or v6) */
+        return PR_FALSE;
+    }
+
+    return PR_TRUE;
+}
+
 /* Format an SNI extension, using the name from the socket's URL,
  * unless that name is a dotted decimal string.
  * Used by client and server.
  */
 SECStatus
-ssl3_ClientSendServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData,
-                             sslBuffer *buf, PRBool *added)
+ssl3_ClientFormatServerNameXtn(const sslSocket *ss, const char *url,
+                               TLSExtensionData *xtnData,
+                               sslBuffer *buf)
 {
     unsigned int len;
-    PRNetAddr netAddr;
     SECStatus rv;
 
-    /* must have a hostname */
-    if (!ss->url || !ss->url[0]) {
-        return SECSuccess;
-    }
-    /* must not be an IPv4 or IPv6 address */
-    if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) {
-        /* is an IP address (v4 or v6) */
-        return SECSuccess;
-    }
-    len = PORT_Strlen(ss->url);
+    len = PORT_Strlen(url);
     /* length of server_name_list */
     rv = sslBuffer_AppendNumber(buf, len + 3, 2);
     if (rv != SECSuccess) {
@@ -50,7 +60,33 @@ ssl3_ClientSendServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData,
         return SECFailure;
     }
     /* HostName (length and value) */
-    rv = sslBuffer_AppendVariable(buf, (const PRUint8 *)ss->url, len, 2);
+    rv = sslBuffer_AppendVariable(buf, (const PRUint8 *)url, len, 2);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+SECStatus
+ssl3_ClientSendServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+                             sslBuffer *buf, PRBool *added)
+{
+    SECStatus rv;
+
+    const char *url = ss->url;
+
+    /* We only make an ESNI private key if we are going to
+     * send ESNI. */
+    if (ss->xtnData.esniPrivateKey != NULL) {
+        url = ss->esniKeys->dummySni;
+    }
+
+    if (!ssl_ShouldSendSNIExtension(ss, url)) {
+        return SECSuccess;
+    }
+
+    rv = ssl3_ClientFormatServerNameXtn(ss, url, xtnData, buf);
     if (rv != SECSuccess) {
         return SECFailure;
     }
@@ -59,7 +95,6 @@ ssl3_ClientSendServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData,
     return SECSuccess;
 }
 
-/* Handle an incoming SNI extension. */
 SECStatus
 ssl3_HandleServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData,
                          SECItem *data)
@@ -72,6 +107,13 @@ ssl3_HandleServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData,
         return SECSuccess; /* ignore extension */
     }
 
+    if (ssl3_ExtensionNegotiated(ss, ssl_tls13_encrypted_sni_xtn)) {
+        /* If we already have ESNI, make sure we don't overwrite
+         * the value. */
+        PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3);
+        return SECSuccess;
+    }
+
     /* Server side - consume client data and register server sender. */
     /* do not parse the data if don't have user extension handling function. */
     if (!ss->sniSocketConfig) {
@@ -1174,17 +1216,18 @@ ssl3_ProcessSessionTicketCommon(sslSocket *ss, const SECItem *ticket,
                                   &decryptedTicket.len,
                                   decryptedTicket.len);
     if (rv != SECSuccess) {
-        SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);
-
-        /* Fail with no ticket if we're not a recipient. Otherwise
-         * it's a hard failure. */
-        if (PORT_GetError() != SEC_ERROR_NOT_A_RECIPIENT) {
-            SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
-            return SECFailure;
+        /* Ignore decryption failure if we are doing TLS 1.3; that
+         * means the server rejects the client's resumption
+         * attempt. In TLS 1.2, however, it's a hard failure, unless
+         * it's just because we're not the recipient of the ticket. */
+        if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 ||
+            PORT_GetError() == SEC_ERROR_NOT_A_RECIPIENT) {
+            SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);
+            return SECSuccess;
         }
 
-        /* We didn't have the right key, so pretend we don't have a
-         * ticket. */
+        SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
+        goto loser;
     }
 
     rv = ssl_ParseSessionTicket(ss, &decryptedTicket, &parsedTicket);
diff --git a/security/nss/lib/ssl/ssl3exthandle.h b/security/nss/lib/ssl/ssl3exthandle.h
index eaf7f0081..3e9b418cf 100644
--- a/security/nss/lib/ssl/ssl3exthandle.h
+++ b/security/nss/lib/ssl/ssl3exthandle.h
@@ -91,6 +91,10 @@ SECStatus ssl3_HandleExtendedMasterSecretXtn(const sslSocket *ss,
                                              SECItem *data);
 SECStatus ssl3_ProcessSessionTicketCommon(sslSocket *ss, const SECItem *ticket,
                                           /* out */ SECItem *appToken);
+PRBool ssl_ShouldSendSNIExtension(const sslSocket *ss, const char *url);
+SECStatus ssl3_ClientFormatServerNameXtn(const sslSocket *ss, const char *url,
+                                         TLSExtensionData *xtnData,
+                                         sslBuffer *buf);
 SECStatus ssl3_ClientSendServerNameXtn(const sslSocket *ss,
                                        TLSExtensionData *xtnData,
                                        sslBuffer *buf, PRBool *added);
diff --git a/security/nss/lib/ssl/ssl3gthr.c b/security/nss/lib/ssl/ssl3gthr.c
index 5ea7cc249..64a1878f7 100644
--- a/security/nss/lib/ssl/ssl3gthr.c
+++ b/security/nss/lib/ssl/ssl3gthr.c
@@ -60,8 +60,8 @@ ssl3_isLikelyV3Hello(const unsigned char *buf)
     }
 
     /* Check for a typical V3 record header. */
-    return (PRBool)(buf[0] >= content_change_cipher_spec &&
-                    buf[0] <= content_application_data &&
+    return (PRBool)(buf[0] >= ssl_ct_change_cipher_spec &&
+                    buf[0] <= ssl_ct_application_data &&
                     buf[1] == MSB(SSL_LIBRARY_VERSION_3_0));
 }
 
@@ -314,7 +314,7 @@ dtls_GatherData(sslSocket *ss, sslGather *gs, int flags)
     contentType = gs->dtlsPacket.buf[gs->dtlsPacketOffset];
     if (dtls_IsLongHeader(ss->version, contentType)) {
         headerLen = 13;
-    } else if (contentType == content_application_data) {
+    } else if (contentType == ssl_ct_application_data) {
         headerLen = 7;
     } else if ((contentType & 0xe0) == 0x20) {
         headerLen = 2;
@@ -463,15 +463,15 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
             SSL_DBG(("%d: SSL3[%d]: resuming handshake",
                      SSL_GETPID(), ss->fd));
             PORT_Assert(!IS_DTLS(ss));
-            rv = ssl3_HandleNonApplicationData(ss, content_handshake,
+            rv = ssl3_HandleNonApplicationData(ss, ssl_ct_handshake,
                                                0, 0, &ss->gs.buf);
         } else {
             /* State for SSLv2 client hello support. */
             ssl2Gather ssl2gs = { PR_FALSE, 0 };
             ssl2Gather *ssl2gs_ptr = NULL;
 
-            /* If we're a server and waiting for a client hello, accept v2. */
-            if (ss->sec.isServer && ss->ssl3.hs.ws == wait_client_hello) {
+            if (ss->sec.isServer && ss->opt.enableV2CompatibleHello &&
+                ss->ssl3.hs.ws == wait_client_hello) {
                 ssl2gs_ptr = &ssl2gs;
             }
 
@@ -484,8 +484,8 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
             }
 
             if (!IS_DTLS(ss)) {
-                /* If we're a server waiting for a ClientHello then pass
-                 * ssl2gs to support SSLv2 ClientHello messages. */
+                /* Passing a non-NULL ssl2gs here enables detection of
+                 * SSLv2-compatible ClientHello messages. */
                 rv = ssl3_GatherData(ss, &ss->gs, flags, ssl2gs_ptr);
             } else {
                 rv = dtls_GatherData(ss, &ss->gs, flags);
diff --git a/security/nss/lib/ssl/ssl3prot.h b/security/nss/lib/ssl/ssl3prot.h
index 8e6cf2745..bfaa10d3f 100644
--- a/security/nss/lib/ssl/ssl3prot.h
+++ b/security/nss/lib/ssl/ssl3prot.h
@@ -13,10 +13,8 @@
 typedef PRUint16 SSL3ProtocolVersion;
 /* version numbers are defined in sslproto.h */
 
-/* The TLS 1.3 draft version. Used to avoid negotiating
- * between incompatible pre-standard TLS 1.3 drafts.
- * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */
-#define TLS_1_3_DRAFT_VERSION 28
+/* DTLS 1.3 is still a draft. */
+#define DTLS_1_3_DRAFT_VERSION 28
 
 typedef PRUint16 ssl3CipherSuite;
 /* The cipher suites are defined in sslproto.h */
@@ -35,15 +33,6 @@ typedef PRUint16 ssl3CipherSuite;
 
 #define MAX_FRAGMENT_LENGTH 16384
 
-typedef enum {
-    content_change_cipher_spec = 20,
-    content_alert = 21,
-    content_handshake = 22,
-    content_application_data = 23,
-    content_alt_handshake = 24,
-    content_ack = 25
-} SSL3ContentType;
-
 typedef enum { change_cipher_spec_choice = 1 } SSL3ChangeCipherSpecChoice;
 
 typedef enum { alert_warning = 1,
diff --git a/security/nss/lib/ssl/sslcert.c b/security/nss/lib/ssl/sslcert.c
index 1c3ddb0e7..878df761e 100644
--- a/security/nss/lib/ssl/sslcert.c
+++ b/security/nss/lib/ssl/sslcert.c
@@ -436,8 +436,6 @@ ssl_GetCertificateAuthTypes(CERTCertificate *cert, SSLAuthType targetAuthType)
         case SEC_OID_PKCS1_RSA_ENCRYPTION:
             if (cert->keyUsage & KU_DIGITAL_SIGNATURE) {
                 authTypes |= 1 << ssl_auth_rsa_sign;
-                /* This certificate is RSA, assume that it's also PSS. */
-                authTypes |= 1 << ssl_auth_rsa_pss;
             }
 
             if (cert->keyUsage & KU_KEY_ENCIPHERMENT) {
diff --git a/security/nss/lib/ssl/sslerr.h b/security/nss/lib/ssl/sslerr.h
index 518a2b887..a4aa27657 100644
--- a/security/nss/lib/ssl/sslerr.h
+++ b/security/nss/lib/ssl/sslerr.h
@@ -264,6 +264,10 @@ typedef enum {
     SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR = (SSL_ERROR_BASE + 173),
     SSL_ERROR_RX_MALFORMED_DTLS_ACK = (SSL_ERROR_BASE + 174),
     SSL_ERROR_DH_KEY_TOO_LONG = (SSL_ERROR_BASE + 175),
+    SSL_ERROR_RX_MALFORMED_ESNI_KEYS = (SSL_ERROR_BASE + 176),
+    SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION = (SSL_ERROR_BASE + 177),
+    SSL_ERROR_MISSING_ESNI_EXTENSION = (SSL_ERROR_BASE + 178),
+    SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE = (SSL_ERROR_BASE + 179),
     SSL_ERROR_END_OF_LIST   /* let the c compiler determine the value of this. */
 } SSLErrorCodes;
 #endif /* NO_SECURITY_ERROR_ENUM */
diff --git a/security/nss/lib/ssl/sslexp.h b/security/nss/lib/ssl/sslexp.h
index 08654f885..f450e528d 100644
--- a/security/nss/lib/ssl/sslexp.h
+++ b/security/nss/lib/ssl/sslexp.h
@@ -367,6 +367,7 @@ typedef struct SSLResumptionTokenInfoStr {
     PRUint8 *alpnSelection;
     PRUint32 alpnSelectionLen;
     PRUint32 maxEarlyDataSize;
+    PRTime expirationTime; /* added in NSS 3.41 */
 } SSLResumptionTokenInfo;
 
 /*
@@ -452,8 +453,65 @@ typedef SECStatus(PR_CALLBACK *SSLResumptionTokenCallback)(
                          (PRFileDesc * _fd, PRUint32 _size), \
                          (fd, size))
 
-/* Deprecated experimental APIs */
+/* Set the ESNI key pair on a socket (server side)
+ *
+ * fd -- the socket
+ * record/recordLen -- the encoded DNS record (not base64)
+ *
+ * Important: the suites that are advertised in the record must
+ * be configured on, or this call will fail.
+ */
+#define SSL_SetESNIKeyPair(fd,                                              \
+                           privKey, record, recordLen)                      \
+    SSL_EXPERIMENTAL_API("SSL_SetESNIKeyPair",                              \
+                         (PRFileDesc * _fd,                                 \
+                          SECKEYPrivateKey * _privKey,                      \
+                          const PRUint8 *_record, unsigned int _recordLen), \
+                         (fd, privKey,                                      \
+                          record, recordLen))
 
+/* Set the ESNI keys on a client
+ *
+ * fd -- the socket
+ * ensikeys/esniKeysLen -- the ESNI key structure (not base64)
+ * dummyESNI -- the dummy ESNI to use (if any)
+ */
+#define SSL_EnableESNI(fd, esniKeys, esniKeysLen, dummySNI) \
+    SSL_EXPERIMENTAL_API("SSL_EnableESNI",                  \
+                         (PRFileDesc * _fd,                 \
+                          const PRUint8 *_esniKeys,         \
+                          unsigned int _esniKeysLen,        \
+                          const char *_dummySNI),           \
+                         (fd, esniKeys, esniKeysLen, dummySNI))
+
+/*
+ * Generate an encoded ESNIKeys structure (presumably server side).
+ *
+ * cipherSuites -- the cipher suites that can be used
+ * cipherSuitesCount -- the number of suites in cipherSuites
+ * group -- the named group this key corresponds to
+ * pubKey -- the public key for the key pair
+ * pad -- the length to pad to
+ * notBefore/notAfter -- validity range
+ * out/outlen/maxlen -- where to output the data
+ */
+#define SSL_EncodeESNIKeys(cipherSuites, cipherSuiteCount,          \
+                           group, pubKey, pad, notBefore, notAfter, \
+                           out, outlen, maxlen)                     \
+    SSL_EXPERIMENTAL_API("SSL_EncodeESNIKeys",                      \
+                         (PRUint16 * _cipherSuites,                 \
+                          unsigned int _cipherSuiteCount,           \
+                          SSLNamedGroup _group,                     \
+                          SECKEYPublicKey *_pubKey,                 \
+                          PRUint16 _pad,                            \
+                          PRUint64 _notBefore, PRUint64 _notAfter,  \
+                          PRUint8 *_out, unsigned int *_outlen,     \
+                          unsigned int _maxlen),                    \
+                         (cipherSuites, cipherSuiteCount,           \
+                          group, pubKey, pad, notBefore, notAfter,  \
+                          out, outlen, maxlen))
+
+/* Deprecated experimental APIs */
 #define SSL_UseAltServerHelloType(fd, enable) SSL_DEPRECATED_EXPERIMENTAL_API
 
 SEC_END_PROTOS
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h
index a2209e90a..35240d2fb 100644
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -36,6 +36,10 @@
 
 typedef struct sslSocketStr sslSocket;
 typedef struct sslNamedGroupDefStr sslNamedGroupDef;
+typedef struct sslEsniKeysStr sslEsniKeys;
+typedef struct sslEphemeralKeyPairStr sslEphemeralKeyPair;
+typedef struct TLS13KeyShareEntryStr TLS13KeyShareEntry;
+
 #include "sslencode.h"
 #include "sslexp.h"
 #include "ssl3ext.h"
@@ -230,7 +234,7 @@ typedef struct {
 #define MAX_DTLS_SRTP_CIPHER_SUITES 4
 
 /* MAX_SIGNATURE_SCHEMES allows for all the values we support. */
-#define MAX_SIGNATURE_SCHEMES 15
+#define MAX_SIGNATURE_SCHEMES 18
 
 typedef struct sslOptionsStr {
     /* If SSL_SetNextProtoNego has been called, then this contains the
@@ -266,6 +270,8 @@ typedef struct sslOptionsStr {
     unsigned int enable0RttData : 1;
     unsigned int enableTls13CompatMode : 1;
     unsigned int enableDtlsShortHeader : 1;
+    unsigned int enableHelloDowngradeCheck : 1;
+    unsigned int enableV2CompatibleHello : 1;
 } sslOptions;
 
 typedef enum { sslHandshakingUndetermined = 0,
@@ -552,16 +558,16 @@ typedef SECStatus (*sslRestartTarget)(sslSocket *);
 typedef struct DTLSQueuedMessageStr {
     PRCList link;           /* The linked list link */
     ssl3CipherSpec *cwSpec; /* The cipher spec to use, null for none */
-    SSL3ContentType type;   /* The message type */
+    SSLContentType type;    /* The message type */
     unsigned char *data;    /* The data */
     PRUint16 len;           /* The data length */
 } DTLSQueuedMessage;
 
-typedef struct TLS13KeyShareEntryStr {
+struct TLS13KeyShareEntryStr {
     PRCList link;                  /* The linked list link */
     const sslNamedGroupDef *group; /* The group for the entry */
     SECItem key_exchange;          /* The share itself */
-} TLS13KeyShareEntry;
+};
 
 typedef struct TLS13EarlyDataStr {
     PRCList link; /* The linked list link */
@@ -803,11 +809,11 @@ struct sslKeyPairStr {
     PRInt32 refCount; /* use PR_Atomic calls for this. */
 };
 
-typedef struct {
+struct sslEphemeralKeyPairStr {
     PRCList link;
     const sslNamedGroupDef *group;
     sslKeyPair *keys;
-} sslEphemeralKeyPair;
+};
 
 struct ssl3DHParamsStr {
     SSLNamedGroup name;
@@ -1064,6 +1070,10 @@ struct sslSocketStr {
 
     /* Whether we are doing stream or datagram mode */
     SSLProtocolVariant protocolVariant;
+
+    /* The information from the ESNI keys record
+     * (also the private key for the server). */
+    sslEsniKeys *esniKeys;
 };
 
 struct sslSelfEncryptKeysStr {
@@ -1168,11 +1178,13 @@ extern int ssl_Do1stHandshake(sslSocket *ss);
 
 extern SECStatus ssl3_InitPendingCipherSpecs(sslSocket *ss, PK11SymKey *secret,
                                              PRBool derive);
+extern void ssl_DestroyKeyMaterial(ssl3KeyMaterial *keyMaterial);
 extern sslSessionID *ssl3_NewSessionID(sslSocket *ss, PRBool is_server);
 extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port,
                                    const char *peerID, const char *urlSvrName);
 extern void ssl_FreeSID(sslSessionID *sid);
 extern void ssl_DestroySID(sslSessionID *sid, PRBool freeIt);
+extern sslSessionID *ssl_ReferenceSID(sslSessionID *sid);
 
 extern int ssl3_SendApplicationData(sslSocket *ss, const PRUint8 *in,
                                     int len, int flags);
@@ -1215,7 +1227,7 @@ SECStatus ssl_HashHandshakeMessage(sslSocket *ss, SSLHandshakeType type,
 extern PRBool ssl3_WaitingForServerSecondRound(sslSocket *ss);
 
 extern PRInt32 ssl3_SendRecord(sslSocket *ss, ssl3CipherSpec *cwSpec,
-                               SSL3ContentType type,
+                               SSLContentType type,
                                const PRUint8 *pIn, PRInt32 nIn,
                                PRInt32 flags);
 
@@ -1387,7 +1399,7 @@ SECStatus ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type);
  * input into the SSL3 machinery from the actualy network reading code
  */
 SECStatus ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cipher);
-SECStatus ssl3_HandleNonApplicationData(sslSocket *ss, SSL3ContentType rType,
+SECStatus ssl3_HandleNonApplicationData(sslSocket *ss, SSLContentType rType,
                                         DTLSEpoch epoch,
                                         sslSequenceNumber seqNum,
                                         sslBuffer *databuf);
@@ -1497,7 +1509,7 @@ extern SECStatus ssl3_HandleECDHClientKeyExchange(sslSocket *ss,
                                                   sslKeyPair *serverKeys);
 extern SECStatus ssl3_SendECDHServerKeyExchange(sslSocket *ss);
 extern SECStatus ssl_ImportECDHKeyShare(
-    sslSocket *ss, SECKEYPublicKey *peerKey,
+    SECKEYPublicKey *peerKey,
     PRUint8 *b, PRUint32 length, const sslNamedGroupDef *curve);
 
 extern SECStatus ssl3_ComputeCommonKeyHash(SSLHashType hashAlg,
@@ -1562,6 +1574,12 @@ extern void ssl_FreePRSocket(PRFileDesc *fd);
  * various ciphers */
 extern unsigned int ssl3_config_match_init(sslSocket *);
 
+/* Return PR_TRUE if suite is usable.  This if the suite is permitted by policy,
+ * enabled, has a certificate (as needed), has a viable key agreement method, is
+ * usable with the negotiated TLS version, and is otherwise usable. */
+PRBool ssl3_config_match(const ssl3CipherSuiteCfg *suite, PRUint8 policy,
+                         const SSLVersionRange *vrange, const sslSocket *ss);
+
 /* calls for accessing wrapping keys across processes. */
 extern SECStatus
 ssl_GetWrappingKey(unsigned int symWrapMechIndex, unsigned int wrapKeyIndex,
@@ -1591,6 +1609,8 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit);
 extern SECStatus ssl_FreeSessionCacheLocks(void);
 
 CK_MECHANISM_TYPE ssl3_Alg2Mech(SSLCipherAlgorithm calg);
+SECStatus ssl3_NegotiateCipherSuiteInner(sslSocket *ss, const SECItem *suites,
+                                         PRUint16 version, PRUint16 *suitep);
 SECStatus ssl3_NegotiateCipherSuite(sslSocket *ss, const SECItem *suites,
                                     PRBool initHashes);
 SECStatus ssl3_InitHandshakeHashes(sslSocket *ss);
@@ -1638,8 +1658,12 @@ PK11SymKey *ssl3_GetWrappingKey(sslSocket *ss,
 SECStatus ssl3_FillInCachedSID(sslSocket *ss, sslSessionID *sid,
                                PK11SymKey *secret);
 const ssl3CipherSuiteDef *ssl_LookupCipherSuiteDef(ssl3CipherSuite suite);
+const ssl3CipherSuiteCfg *ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite,
+                                                   const ssl3CipherSuiteCfg *suites);
+
 SECStatus ssl3_SelectServerCert(sslSocket *ss);
 SECStatus ssl_PickSignatureScheme(sslSocket *ss,
+                                  CERTCertificate *cert,
                                   SECKEYPublicKey *pubKey,
                                   SECKEYPrivateKey *privKey,
                                   const SSLSignatureScheme *peerSchemes,
@@ -1647,11 +1671,11 @@ SECStatus ssl_PickSignatureScheme(sslSocket *ss,
                                   PRBool requireSha1);
 SECOidTag ssl3_HashTypeToOID(SSLHashType hashType);
 SSLHashType ssl_SignatureSchemeToHashType(SSLSignatureScheme scheme);
-KeyType ssl_SignatureSchemeToKeyType(SSLSignatureScheme scheme);
+SSLAuthType ssl_SignatureSchemeToAuthType(SSLSignatureScheme scheme);
 
 SECStatus ssl3_SetupCipherSuite(sslSocket *ss, PRBool initHashes);
 SECStatus ssl_InsertRecordHeader(const sslSocket *ss, ssl3CipherSpec *cwSpec,
-                                 SSL3ContentType contentType, sslBuffer *wrBuf,
+                                 SSLContentType contentType, sslBuffer *wrBuf,
                                  PRBool *needsLength);
 
 /* Pull in DTLS functions */
@@ -1703,7 +1727,7 @@ void ssl_Trace(const char *format, ...);
 void ssl_CacheExternalToken(sslSocket *ss);
 SECStatus ssl_DecodeResumptionToken(sslSessionID *sid, const PRUint8 *encodedTicket,
                                     PRUint32 encodedTicketLen);
-PRBool ssl_IsResumptionTokenValid(sslSocket *ss);
+PRBool ssl_IsResumptionTokenUsable(sslSocket *ss, sslSessionID *sid);
 
 /* Remove when stable. */
 
diff --git a/security/nss/lib/ssl/sslnonce.c b/security/nss/lib/ssl/sslnonce.c
index f79c23fc7..f8fb5d50f 100644
--- a/security/nss/lib/ssl/sslnonce.c
+++ b/security/nss/lib/ssl/sslnonce.c
@@ -234,9 +234,20 @@ ssl_FreeLockedSID(sslSessionID *sid)
 void
 ssl_FreeSID(sslSessionID *sid)
 {
+    if (sid) {
+        LOCK_CACHE;
+        ssl_FreeLockedSID(sid);
+        UNLOCK_CACHE;
+    }
+}
+
+sslSessionID *
+ssl_ReferenceSID(sslSessionID *sid)
+{
     LOCK_CACHE;
-    ssl_FreeLockedSID(sid);
+    sid->references++;
     UNLOCK_CACHE;
+    return sid;
 }
 
 /************************************************************************/
@@ -704,10 +715,9 @@ ssl_DecodeResumptionToken(sslSessionID *sid, const PRUint8 *encodedToken,
 }
 
 PRBool
-ssl_IsResumptionTokenValid(sslSocket *ss)
+ssl_IsResumptionTokenUsable(sslSocket *ss, sslSessionID *sid)
 {
     PORT_Assert(ss);
-    sslSessionID *sid = ss->sec.ci.sid;
     PORT_Assert(sid);
 
     // Check that the ticket didn't expire.
@@ -1093,10 +1103,12 @@ ssl_CacheExternalToken(sslSocket *ss)
     PRINT_BUF(40, (ss, "SSL: encoded resumption token",
                    SSL_BUFFER_BASE(&encodedToken),
                    SSL_BUFFER_LEN(&encodedToken)));
-    ss->resumptionTokenCallback(ss->fd, SSL_BUFFER_BASE(&encodedToken),
-                                SSL_BUFFER_LEN(&encodedToken),
-                                ss->resumptionTokenContext);
-
+    SECStatus rv = ss->resumptionTokenCallback(
+        ss->fd, SSL_BUFFER_BASE(&encodedToken), SSL_BUFFER_LEN(&encodedToken),
+        ss->resumptionTokenContext);
+    if (rv == SECSuccess) {
+        sid->cached = in_external_cache;
+    }
     sslBuffer_Clear(&encodedToken);
 }
 
@@ -1200,17 +1212,23 @@ ssl3_SetSIDSessionTicket(sslSessionID *sid,
     PORT_Assert(newSessionTicket->ticket.data);
     PORT_Assert(newSessionTicket->ticket.len != 0);
 
-    /* if sid->u.ssl3.lock, we are updating an existing entry that is already
-     * cached or was once cached, so we need to acquire and release the write
-     * lock. Otherwise, this is a new session that isn't shared with anything
-     * yet, so no locking is needed.
+    /* If this is in the client cache, we are updating an existing entry that is
+     * already cached or was once cached, so we need to acquire and release the
+     * write lock. Otherwise, this is a new session that isn't shared with
+     * anything yet, so no locking is needed.
      */
     if (sid->u.ssl3.lock) {
+        PORT_Assert(sid->cached == in_client_cache);
         PR_RWLock_Wlock(sid->u.ssl3.lock);
-        if (sid->u.ssl3.locked.sessionTicket.ticket.data) {
-            SECITEM_FreeItem(&sid->u.ssl3.locked.sessionTicket.ticket,
-                             PR_FALSE);
-        }
+    }
+    /* If this was in the client cache, then we might have to free the old
+     * ticket.  In TLS 1.3, we might get a replacement ticket if the server
+     * sends more than one ticket. */
+    if (sid->u.ssl3.locked.sessionTicket.ticket.data) {
+        PORT_Assert(sid->cached == in_client_cache ||
+                    sid->version >= SSL_LIBRARY_VERSION_TLS_1_3);
+        SECITEM_FreeItem(&sid->u.ssl3.locked.sessionTicket.ticket,
+                         PR_FALSE);
     }
 
     PORT_Assert(!sid->u.ssl3.locked.sessionTicket.ticket.data);
diff --git a/security/nss/lib/ssl/sslsecur.c b/security/nss/lib/ssl/sslsecur.c
index a1d389214..c011b66a1 100644
--- a/security/nss/lib/ssl/sslsecur.c
+++ b/security/nss/lib/ssl/sslsecur.c
@@ -685,23 +685,6 @@ ssl_SecureConnect(sslSocket *ss, const PRNetAddr *sa)
 }
 
 /*
- * The TLS 1.2 RFC 5246, Section 7.2.1 says:
- *
- *     Unless some other fatal alert has been transmitted, each party is
- *     required to send a close_notify alert before closing the write side
- *     of the connection.  The other party MUST respond with a close_notify
- *     alert of its own and close down the connection immediately,
- *     discarding any pending writes.  It is not required for the initiator
- *     of the close to wait for the responding close_notify alert before
- *     closing the read side of the connection.
- *
- * The second sentence requires that we send a close_notify alert when we
- * have received a close_notify alert.  In practice, all SSL implementations
- * close the socket immediately after sending a close_notify alert (which is
- * allowed by the third sentence), so responding with a close_notify alert
- * would result in a write failure with the ECONNRESET error.  This is why
- * we don't respond with a close_notify alert.
- *
  * Also, in the unlikely event that the TCP pipe is full and the peer stops
  * reading, the SSL3_SendAlert call in ssl_SecureClose and ssl_SecureShutdown
  * may block indefinitely in blocking mode, and may fail (without retrying)
@@ -714,8 +697,7 @@ ssl_SecureClose(sslSocket *ss)
     int rv;
 
     if (!(ss->shutdownHow & ssl_SHUTDOWN_SEND) &&
-        ss->firstHsDone &&
-        !ss->recvdCloseNotify) {
+        ss->firstHsDone) {
 
         /* We don't want the final alert to be Nagle delayed. */
         if (!ss->delayDisabled) {
@@ -744,8 +726,7 @@ ssl_SecureShutdown(sslSocket *ss, int nsprHow)
 
     if ((sslHow & ssl_SHUTDOWN_SEND) != 0 &&
         !(ss->shutdownHow & ssl_SHUTDOWN_SEND) &&
-        ss->firstHsDone &&
-        !ss->recvdCloseNotify) {
+        ss->firstHsDone) {
 
         (void)SSL3_SendAlert(ss, alert_warning, close_notify);
     }
@@ -936,6 +917,25 @@ ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
             firstClientWrite = ss->ssl3.hs.ws == idle_handshake;
             ssl_ReleaseSSL3HandshakeLock(ss);
         }
+        /* Allow the server to send 0.5 RTT data in TLS 1.3. Requesting a
+         * certificate implies that the server might condition its sending on
+         * client authentication, so force servers that do that to wait.
+         *
+         * What might not be obvious here is that this allows 0.5 RTT when doing
+         * PSK-based resumption.  As a result, 0.5 RTT is always enabled when
+         * early data is accepted.
+         *
+         * This check might be more conservative than absolutely necessary.
+         * It's possible that allowing 0.5 RTT data when the server requests,
+         * but does not require client authentication is safe because we can
+         * expect the server to check for a client certificate properly. */
+        if (ss->sec.isServer &&
+            ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 &&
+            !tls13_ShouldRequestClientAuth(ss)) {
+            ssl_GetSSL3HandshakeLock(ss);
+            allowEarlySend = TLS13_IN_HS_STATE(ss, wait_finished);
+            ssl_ReleaseSSL3HandshakeLock(ss);
+        }
         if (!allowEarlySend && ss->handshake) {
             rv = ssl_Do1stHandshake(ss);
         }
@@ -971,7 +971,7 @@ ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
          * 1-RTT later.
          */
         ssl_GetSpecReadLock(ss);
-        len = tls13_LimitEarlyData(ss, content_application_data, len);
+        len = tls13_LimitEarlyData(ss, ssl_ct_application_data, len);
         ssl_ReleaseSpecReadLock(ss);
     }
 
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
index 33595ffae..ae904e29b 100644
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -18,6 +18,8 @@
 #include "private/pprio.h"
 #include "nss.h"
 #include "pk11pqg.h"
+#include "pk11pub.h"
+#include "tls13esni.h"
 
 static const sslSocketOps ssl_default_ops = { /* No SSL. */
                                               ssl_DefConnect,
@@ -82,7 +84,9 @@ static sslOptions ssl_defaults = {
     .requireDHENamedGroups = PR_FALSE,
     .enable0RttData = PR_FALSE,
     .enableTls13CompatMode = PR_FALSE,
-    .enableDtlsShortHeader = PR_FALSE
+    .enableDtlsShortHeader = PR_FALSE,
+    .enableHelloDowngradeCheck = PR_FALSE,
+    .enableV2CompatibleHello = PR_FALSE
 };
 
 /*
@@ -359,6 +363,13 @@ ssl_DupSocket(sslSocket *os)
         ss->resumptionTokenCallback = os->resumptionTokenCallback;
         ss->resumptionTokenContext = os->resumptionTokenContext;
 
+        if (os->esniKeys) {
+            ss->esniKeys = tls13_CopyESNIKeys(os->esniKeys);
+            if (!ss->esniKeys) {
+                goto loser;
+            }
+        }
+
         /* Create security data */
         rv = ssl_CopySecurityInfo(ss, os);
         if (rv != SECSuccess) {
@@ -444,6 +455,8 @@ ssl_DestroySocketContents(sslSocket *ss)
 
     ssl_ClearPRCList(&ss->ssl3.hs.dtlsSentHandshake, NULL);
     ssl_ClearPRCList(&ss->ssl3.hs.dtlsRcvdHandshake, NULL);
+
+    tls13_DestroyESNIKeys(ss->esniKeys);
 }
 
 /*
@@ -821,6 +834,14 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val)
             ss->opt.enableDtlsShortHeader = val;
             break;
 
+        case SSL_ENABLE_HELLO_DOWNGRADE_CHECK:
+            ss->opt.enableHelloDowngradeCheck = val;
+            break;
+
+        case SSL_ENABLE_V2_COMPATIBLE_HELLO:
+            ss->opt.enableV2CompatibleHello = val;
+            break;
+
         default:
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             rv = SECFailure;
@@ -963,6 +984,12 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRIntn *pVal)
         case SSL_ENABLE_DTLS_SHORT_HEADER:
             val = ss->opt.enableDtlsShortHeader;
             break;
+        case SSL_ENABLE_HELLO_DOWNGRADE_CHECK:
+            val = ss->opt.enableHelloDowngradeCheck;
+            break;
+        case SSL_ENABLE_V2_COMPATIBLE_HELLO:
+            val = ss->opt.enableV2CompatibleHello;
+            break;
         default:
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             rv = SECFailure;
@@ -1089,6 +1116,12 @@ SSL_OptionGetDefault(PRInt32 which, PRIntn *pVal)
         case SSL_ENABLE_DTLS_SHORT_HEADER:
             val = ssl_defaults.enableDtlsShortHeader;
             break;
+        case SSL_ENABLE_HELLO_DOWNGRADE_CHECK:
+            val = ssl_defaults.enableHelloDowngradeCheck;
+            break;
+        case SSL_ENABLE_V2_COMPATIBLE_HELLO:
+            val = ssl_defaults.enableV2CompatibleHello;
+            break;
         default:
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             rv = SECFailure;
@@ -1284,6 +1317,14 @@ SSL_OptionSetDefault(PRInt32 which, PRIntn val)
             ssl_defaults.enableDtlsShortHeader = val;
             break;
 
+        case SSL_ENABLE_HELLO_DOWNGRADE_CHECK:
+            ssl_defaults.enableHelloDowngradeCheck = val;
+            break;
+
+        case SSL_ENABLE_V2_COMPATIBLE_HELLO:
+            ssl_defaults.enableV2CompatibleHello = val;
+            break;
+
         default:
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             return SECFailure;
@@ -3742,6 +3783,10 @@ ssl_GetKeyPairRef(sslKeyPair *keyPair)
 void
 ssl_FreeKeyPair(sslKeyPair *keyPair)
 {
+    if (!keyPair) {
+        return;
+    }
+
     PRInt32 newCount = PR_ATOMIC_DECREMENT(&keyPair->refCount);
     if (!newCount) {
         SECKEY_DestroyPrivateKey(keyPair->privKey);
@@ -3801,6 +3846,10 @@ ssl_CopyEphemeralKeyPair(sslEphemeralKeyPair *keyPair)
 void
 ssl_FreeEphemeralKeyPair(sslEphemeralKeyPair *keyPair)
 {
+    if (!keyPair) {
+        return;
+    }
+
     ssl_FreeKeyPair(keyPair->keys);
     PR_REMOVE_LINK(&keyPair->link);
     PORT_Free(keyPair);
@@ -3908,6 +3957,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
     PR_INIT_CLIST(&ss->ssl3.hs.dtlsRcvdHandshake);
     dtls_InitTimers(ss);
 
+    ss->esniKeys = NULL;
+
     if (makeLocks) {
         rv = ssl_MakeLocks(ss);
         if (rv != SECSuccess)
@@ -3984,6 +4035,9 @@ struct {
     EXP(SetResumptionToken),
     EXP(GetResumptionTokenInfo),
     EXP(DestroyResumptionTokenInfo),
+    EXP(SetESNIKeyPair),
+    EXP(EncodeESNIKeys),
+    EXP(EnableESNI),
 #endif
     { "", NULL }
 };
@@ -4049,6 +4103,7 @@ SSLExp_SetResumptionToken(PRFileDesc *fd, const PRUint8 *token,
                           unsigned int len)
 {
     sslSocket *ss = ssl_FindSocket(fd);
+    sslSessionID *sid = NULL;
 
     if (!ss) {
         SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetResumptionToken",
@@ -4062,7 +4117,7 @@ SSLExp_SetResumptionToken(PRFileDesc *fd, const PRUint8 *token,
     if (ss->firstHsDone || ss->ssl3.hs.ws != idle_handshake ||
         ss->sec.isServer || len == 0 || !token) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        goto done;
+        goto loser;
     }
 
     // We override any previously set session.
@@ -4073,41 +4128,44 @@ SSLExp_SetResumptionToken(PRFileDesc *fd, const PRUint8 *token,
 
     PRINT_BUF(50, (ss, "incoming resumption token", token, len));
 
-    ss->sec.ci.sid = ssl3_NewSessionID(ss, PR_FALSE);
-    if (!ss->sec.ci.sid) {
-        goto done;
+    sid = ssl3_NewSessionID(ss, PR_FALSE);
+    if (!sid) {
+        goto loser;
     }
 
     /* Populate NewSessionTicket values */
-    SECStatus rv = ssl_DecodeResumptionToken(ss->sec.ci.sid, token, len);
+    SECStatus rv = ssl_DecodeResumptionToken(sid, token, len);
     if (rv != SECSuccess) {
         // If decoding fails, we assume the token is bad.
         PORT_SetError(SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR);
-        ssl_FreeSID(ss->sec.ci.sid);
-        ss->sec.ci.sid = NULL;
-        goto done;
+        goto loser;
     }
 
-    // Make sure that the token is valid.
-    if (!ssl_IsResumptionTokenValid(ss)) {
-        ssl_FreeSID(ss->sec.ci.sid);
-        ss->sec.ci.sid = NULL;
+    // Make sure that the token is currently usable.
+    if (!ssl_IsResumptionTokenUsable(ss, sid)) {
         PORT_SetError(SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR);
-        goto done;
+        goto loser;
     }
 
+    // Generate a new random session ID for this ticket.
+    rv = PK11_GenerateRandom(sid->u.ssl3.sessionID, SSL3_SESSIONID_BYTES);
+    if (rv != SECSuccess) {
+        goto loser; // Code set by PK11_GenerateRandom.
+    }
+    sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES;
     /* Use the sid->cached as marker that this is from an external cache and
      * we don't have to look up anything in the NSS internal cache. */
-    ss->sec.ci.sid->cached = in_external_cache;
-    // This has to be 2 to not free this in sendClientHello.
-    ss->sec.ci.sid->references = 2;
-    ss->sec.ci.sid->lastAccessTime = ssl_TimeSec();
+    sid->cached = in_external_cache;
+    sid->lastAccessTime = ssl_TimeSec();
+
+    ss->sec.ci.sid = sid;
 
     ssl_ReleaseSSL3HandshakeLock(ss);
     ssl_Release1stHandshakeLock(ss);
     return SECSuccess;
 
-done:
+loser:
+    ssl_FreeSID(sid);
     ssl_ReleaseSSL3HandshakeLock(ss);
     ssl_Release1stHandshakeLock(ss);
 
@@ -4164,6 +4222,7 @@ SSLExp_GetResumptionTokenInfo(const PRUint8 *tokenData, unsigned int tokenLen,
     } else {
         token.maxEarlyDataSize = 0;
     }
+    token.expirationTime = sid.expirationTime;
 
     token.length = PR_MIN(sizeof(SSLResumptionTokenInfo), len);
     PORT_Memcpy(tokenOut, &token, token.length);
diff --git a/security/nss/lib/ssl/sslspec.c b/security/nss/lib/ssl/sslspec.c
index 7833eeab6..f2e72a4ec 100644
--- a/security/nss/lib/ssl/sslspec.c
+++ b/security/nss/lib/ssl/sslspec.c
@@ -203,7 +203,7 @@ ssl_CipherSpecAddRef(ssl3CipherSpec *spec)
                  SSL_GETPID(), SPEC_DIR(spec), spec, spec->refCt));
 }
 
-static void
+void
 ssl_DestroyKeyMaterial(ssl3KeyMaterial *keyMaterial)
 {
     PK11_FreeSymKey(keyMaterial->key);
diff --git a/security/nss/lib/ssl/sslt.h b/security/nss/lib/ssl/sslt.h
index bb1bec7a3..bd32a6e18 100644
--- a/security/nss/lib/ssl/sslt.h
+++ b/security/nss/lib/ssl/sslt.h
@@ -35,6 +35,14 @@ typedef enum {
     ssl_hs_message_hash = 254, /* Not a real message. */
 } SSLHandshakeType;
 
+typedef enum {
+    ssl_ct_change_cipher_spec = 20,
+    ssl_ct_alert = 21,
+    ssl_ct_handshake = 22,
+    ssl_ct_application_data = 23,
+    ssl_ct_ack = 25
+} SSLContentType;
+
 typedef struct SSL3StatisticsStr {
     /* statistics from ssl3_SendClientHello (sch) */
     long sch_sid_cache_hits;
@@ -446,7 +454,8 @@ typedef enum {
     ssl_tls13_key_share_xtn = 51,
     ssl_next_proto_nego_xtn = 13172, /* Deprecated. */
     ssl_renegotiation_info_xtn = 0xff01,
-    ssl_tls13_short_header_xtn = 0xff03 /* Deprecated. */
+    ssl_tls13_short_header_xtn = 0xff03, /* Deprecated. */
+    ssl_tls13_encrypted_sni_xtn = 0xffce,
 } SSLExtensionType;
 
 /* This is the old name for the supported_groups extensions. */
diff --git a/security/nss/lib/ssl/tls13con.c b/security/nss/lib/ssl/tls13con.c
index 4d9170fb0..461cd2eb9 100644
--- a/security/nss/lib/ssl/tls13con.c
+++ b/security/nss/lib/ssl/tls13con.c
@@ -21,6 +21,7 @@
 #include "tls13hkdf.h"
 #include "tls13con.h"
 #include "tls13err.h"
+#include "tls13esni.h"
 #include "tls13exthandle.h"
 #include "tls13hashstate.h"
 
@@ -117,6 +118,7 @@ const char kHkdfLabelFinishedSecret[] = "finished";
 const char kHkdfLabelResumptionMasterSecret[] = "res master";
 const char kHkdfLabelExporterMasterSecret[] = "exp master";
 const char kHkdfLabelResumption[] = "resumption";
+const char kHkdfLabelTrafficUpdate[] = "traffic upd";
 const char kHkdfPurposeKey[] = "key";
 const char kHkdfPurposeIv[] = "iv";
 
@@ -132,21 +134,6 @@ const char keylogLabelExporterSecret[] = "EXPORTER_SECRET";
 PR_STATIC_ASSERT(SSL_LIBRARY_VERSION_MAX_SUPPORTED <=
                  SSL_LIBRARY_VERSION_TLS_1_3);
 
-/* Use this instead of FATAL_ERROR when no alert shall be sent. */
-#define LOG_ERROR(ss, prError)                                                     \
-    do {                                                                           \
-        SSL_TRC(3, ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)",                 \
-                    SSL_GETPID(), ss->fd, prError, __func__, __FILE__, __LINE__)); \
-        PORT_SetError(prError);                                                    \
-    } while (0)
-
-/* Log an error and generate an alert because something is irreparably wrong. */
-#define FATAL_ERROR(ss, prError, desc)       \
-    do {                                     \
-        LOG_ERROR(ss, prError);              \
-        tls13_FatalError(ss, prError, desc); \
-    } while (0)
-
 void
 tls13_FatalError(sslSocket *ss, PRErrorCode prError, SSL3AlertDescription desc)
 {
@@ -354,16 +341,16 @@ tls13_ComputeHash(sslSocket *ss, SSL3Hashes *hashes,
 }
 
 SECStatus
-tls13_CreateKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef)
+tls13_CreateKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef,
+                     sslEphemeralKeyPair **keyPair)
 {
     SECStatus rv;
-    sslEphemeralKeyPair *keyPair = NULL;
     const ssl3DHParams *params;
 
     PORT_Assert(groupDef);
     switch (groupDef->keaType) {
         case ssl_kea_ecdh:
-            rv = ssl_CreateECDHEphemeralKeyPair(ss, groupDef, &keyPair);
+            rv = ssl_CreateECDHEphemeralKeyPair(ss, groupDef, keyPair);
             if (rv != SECSuccess) {
                 return SECFailure;
             }
@@ -371,7 +358,7 @@ tls13_CreateKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef)
         case ssl_kea_dh:
             params = ssl_GetDHEParams(groupDef);
             PORT_Assert(params->name != ssl_grp_ffdhe_custom);
-            rv = ssl_CreateDHEKeyPair(groupDef, params, &keyPair);
+            rv = ssl_CreateDHEKeyPair(groupDef, params, keyPair);
             if (rv != SECSuccess) {
                 return SECFailure;
             }
@@ -382,11 +369,24 @@ tls13_CreateKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef)
             return SECFailure;
     }
 
-    PR_APPEND_LINK(&keyPair->link, &ss->ephemeralKeyPairs);
     return rv;
 }
 
 SECStatus
+tls13_AddKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef)
+{
+    sslEphemeralKeyPair *keyPair = NULL;
+    SECStatus rv;
+
+    rv = tls13_CreateKeyShare(ss, groupDef, &keyPair);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    PR_APPEND_LINK(&keyPair->link, &ss->ephemeralKeyPairs);
+    return SECSuccess;
+}
+
+SECStatus
 SSL_SendAdditionalKeyShares(PRFileDesc *fd, unsigned int count)
 {
     sslSocket *ss = ssl_FindSocket(fd);
@@ -413,20 +413,26 @@ tls13_SetupClientHello(sslSocket *ss)
     NewSessionTicket *session_ticket = NULL;
     sslSessionID *sid = ss->sec.ci.sid;
     unsigned int numShares = 0;
+    SECStatus rv;
 
     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
     PORT_Assert(PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs));
 
+    /* Do encrypted SNI. This may create a key share as a side effect. */
+    rv = tls13_ClientSetupESNI(ss);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
     /* Select the first enabled group.
      * TODO(ekr@rtfm.com): be smarter about offering the group
      * that the other side negotiated if we are resuming. */
     for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
-        SECStatus rv;
         if (!ss->namedGroupPreferences[i]) {
             continue;
         }
-        rv = tls13_CreateKeyShare(ss, ss->namedGroupPreferences[i]);
+        rv = tls13_AddKeyShare(ss, ss->namedGroupPreferences[i]);
         if (rv != SECSuccess) {
             return SECFailure;
         }
@@ -455,8 +461,6 @@ tls13_SetupClientHello(sslSocket *ss)
     }
 
     if (ss->statelessResume) {
-        SECStatus rv;
-
         PORT_Assert(ss->sec.ci.sid);
         rv = tls13_RecoverWrappedSharedSecret(ss, ss->sec.ci.sid);
         if (rv != SECSuccess) {
@@ -486,7 +490,7 @@ tls13_SetupClientHello(sslSocket *ss)
 }
 
 static SECStatus
-tls13_ImportDHEKeyShare(sslSocket *ss, SECKEYPublicKey *peerKey,
+tls13_ImportDHEKeyShare(SECKEYPublicKey *peerKey,
                         PRUint8 *b, PRUint32 length,
                         SECKEYPublicKey *pubKey)
 {
@@ -517,16 +521,20 @@ tls13_ImportDHEKeyShare(sslSocket *ss, SECKEYPublicKey *peerKey,
     return SECSuccess;
 }
 
-static SECStatus
+SECStatus
 tls13_HandleKeyShare(sslSocket *ss,
                      TLS13KeyShareEntry *entry,
-                     sslKeyPair *keyPair)
+                     sslKeyPair *keyPair,
+                     SSLHashType hash,
+                     PK11SymKey **out)
 {
     PORTCheapArenaPool arena;
     SECKEYPublicKey *peerKey;
     CK_MECHANISM_TYPE mechanism;
     PRErrorCode errorCode;
+    PK11SymKey *key;
     SECStatus rv;
+    int keySize = 0;
 
     PORT_InitCheapArena(&arena, DER_DEFAULT_CHUNKSIZE);
     peerKey = PORT_ArenaZNew(&arena.arena, SECKEYPublicKey);
@@ -539,18 +547,19 @@ tls13_HandleKeyShare(sslSocket *ss,
 
     switch (entry->group->keaType) {
         case ssl_kea_ecdh:
-            rv = ssl_ImportECDHKeyShare(ss, peerKey,
+            rv = ssl_ImportECDHKeyShare(peerKey,
                                         entry->key_exchange.data,
                                         entry->key_exchange.len,
                                         entry->group);
             mechanism = CKM_ECDH1_DERIVE;
             break;
         case ssl_kea_dh:
-            rv = tls13_ImportDHEKeyShare(ss, peerKey,
+            rv = tls13_ImportDHEKeyShare(peerKey,
                                          entry->key_exchange.data,
                                          entry->key_exchange.len,
                                          keyPair->pubKey);
             mechanism = CKM_DH_PKCS_DERIVE;
+            keySize = peerKey->u.dh.publicValue.len;
             break;
         default:
             PORT_Assert(0);
@@ -560,13 +569,14 @@ tls13_HandleKeyShare(sslSocket *ss,
         goto loser;
     }
 
-    ss->ssl3.hs.dheSecret = PK11_PubDeriveWithKDF(
+    key = PK11_PubDeriveWithKDF(
         keyPair->privKey, peerKey, PR_FALSE, NULL, NULL, mechanism,
-        tls13_GetHkdfMechanism(ss), CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
-    if (!ss->ssl3.hs.dheSecret) {
+        tls13_GetHkdfMechanismForHash(hash), CKA_DERIVE, keySize, CKD_NULL, NULL, NULL);
+    if (!key) {
         ssl_MapLowLevelError(SSL_ERROR_KEY_EXCHANGE_FAILURE);
         goto loser;
     }
+    *out = key;
     PORT_DestroyCheapArena(&arena);
     return SECSuccess;
 
@@ -603,8 +613,8 @@ tls13_UpdateTrafficKeys(sslSocket *ss, CipherSpecDirection direction)
     secret = tls13_TrafficSecretRef(ss, direction);
     rv = tls13_HkdfExpandLabel(*secret, tls13_GetHash(ss),
                                NULL, 0,
-                               kHkdfLabelApplicationTrafficSecret,
-                               strlen(kHkdfLabelApplicationTrafficSecret),
+                               kHkdfLabelTrafficUpdate,
+                               strlen(kHkdfLabelTrafficUpdate),
                                tls13_GetHmacMechanism(ss),
                                tls13_GetHashSize(ss),
                                &updatedSecret);
@@ -1417,30 +1427,6 @@ tls13_NegotiateKeyExchange(sslSocket *ss,
     return SECSuccess;
 }
 
-SSLAuthType
-ssl_SignatureSchemeToAuthType(SSLSignatureScheme scheme)
-{
-    switch (scheme) {
-        case ssl_sig_rsa_pkcs1_sha1:
-        case ssl_sig_rsa_pkcs1_sha256:
-        case ssl_sig_rsa_pkcs1_sha384:
-        case ssl_sig_rsa_pkcs1_sha512:
-        /* We report PSS signatures as being just RSA signatures. */
-        case ssl_sig_rsa_pss_rsae_sha256:
-        case ssl_sig_rsa_pss_rsae_sha384:
-        case ssl_sig_rsa_pss_rsae_sha512:
-            return ssl_auth_rsa_sign;
-        case ssl_sig_ecdsa_secp256r1_sha256:
-        case ssl_sig_ecdsa_secp384r1_sha384:
-        case ssl_sig_ecdsa_secp521r1_sha512:
-        case ssl_sig_ecdsa_sha1:
-            return ssl_auth_ecdsa;
-        default:
-            PORT_Assert(0);
-    }
-    return ssl_auth_null;
-}
-
 SECStatus
 tls13_SelectServerCert(sslSocket *ss)
 {
@@ -1469,6 +1455,7 @@ tls13_SelectServerCert(sslSocket *ss)
         }
 
         rv = ssl_PickSignatureScheme(ss,
+                                     cert->serverCert,
                                      cert->serverKeyPair->pubKey,
                                      cert->serverKeyPair->privKey,
                                      ss->xtnData.sigSchemes,
@@ -2047,7 +2034,7 @@ tls13_HandleClientKeyShare(sslSocket *ss, TLS13KeyShareEntry *peerShare)
     tls13_SetKeyExchangeType(ss, peerShare->group);
 
     /* Generate our key */
-    rv = tls13_CreateKeyShare(ss, peerShare->group);
+    rv = tls13_AddKeyShare(ss, peerShare->group);
     if (rv != SECSuccess) {
         return rv;
     }
@@ -2067,7 +2054,9 @@ tls13_HandleClientKeyShare(sslSocket *ss, TLS13KeyShareEntry *peerShare)
         return SECFailure; /* Error code set already. */
     }
 
-    rv = tls13_HandleKeyShare(ss, peerShare, keyPair->keys);
+    rv = tls13_HandleKeyShare(ss, peerShare, keyPair->keys,
+                              tls13_GetHash(ss),
+                              &ss->ssl3.hs.dheSecret);
     return rv; /* Error code set already. */
 }
 
@@ -2334,6 +2323,13 @@ tls13_HandleCertificateRequest(sslSocket *ss, PRUint8 *b, PRUint32 length)
     return SECSuccess;
 }
 
+PRBool
+tls13_ShouldRequestClientAuth(sslSocket *ss)
+{
+    return ss->opt.requestCertificate &&
+           ss->ssl3.hs.kea_def->authKeyType != ssl_auth_psk;
+}
+
 static SECStatus
 tls13_SendEncryptedServerSequence(sslSocket *ss)
 {
@@ -2365,7 +2361,7 @@ tls13_SendEncryptedServerSequence(sslSocket *ss)
         return SECFailure; /* error code is set. */
     }
 
-    if (ss->opt.requestCertificate) {
+    if (tls13_ShouldRequestClientAuth(ss)) {
         rv = tls13_SendCertificateRequest(ss);
         if (rv != SECSuccess) {
             return SECFailure; /* error code is set. */
@@ -2484,9 +2480,11 @@ tls13_SendServerHelloSequence(sslSocket *ss)
             LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE);
             return SECFailure;
         }
-        TLS13_SET_HS_STATE(ss,
-                           ss->opt.requestCertificate ? wait_client_cert
-                                                      : wait_finished);
+        if (tls13_ShouldRequestClientAuth(ss)) {
+            TLS13_SET_HS_STATE(ss, wait_client_cert);
+        } else {
+            TLS13_SET_HS_STATE(ss, wait_finished);
+        }
     }
 
     ss->ssl3.hs.serverHelloTime = ssl_TimeUsec();
@@ -2512,6 +2510,7 @@ tls13_HandleServerHelloPart2(sslSocket *ss)
     }
 
     if (ss->statelessResume) {
+        PORT_Assert(sid->version >= SSL_LIBRARY_VERSION_TLS_1_3);
         if (tls13_GetHash(ss) !=
             tls13_GetHashForCipherSuite(sid->u.ssl3.cipherSuite)) {
             FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO,
@@ -2657,7 +2656,9 @@ tls13_HandleServerKeyShare(sslSocket *ss)
 
     PORT_Assert(ssl_NamedGroupEnabled(ss, entry->group));
 
-    rv = tls13_HandleKeyShare(ss, entry, keyPair->keys);
+    rv = tls13_HandleKeyShare(ss, entry, keyPair->keys,
+                              tls13_GetHash(ss),
+                              &ss->ssl3.hs.dheSecret);
     if (rv != SECSuccess)
         return SECFailure; /* Error code set by caller. */
 
@@ -3213,6 +3214,21 @@ tls13_SetSpecRecordVersion(sslSocket *ss, ssl3CipherSpec *spec)
                  SSL_GETPID(), ss->fd, spec, spec->recordVersion));
 }
 
+SSLAEADCipher
+tls13_GetAead(const ssl3BulkCipherDef *cipherDef)
+{
+    switch (cipherDef->calg) {
+        case ssl_calg_aes_gcm:
+            return tls13_AESGCM;
+        case ssl_calg_chacha20:
+            return tls13_ChaCha20Poly1305;
+        default:
+            PORT_Assert(PR_FALSE);
+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            return NULL;
+    }
+}
+
 static SECStatus
 tls13_SetupPendingCipherSpec(sslSocket *ss, ssl3CipherSpec *spec)
 {
@@ -3236,16 +3252,9 @@ tls13_SetupPendingCipherSpec(sslSocket *ss, ssl3CipherSpec *spec)
                 SSL_GETPID(), ss->fd, suite));
 
     spec->cipherDef = ssl_GetBulkCipherDef(ssl_LookupCipherSuiteDef(suite));
-    switch (spec->cipherDef->calg) {
-        case ssl_calg_aes_gcm:
-            spec->aead = tls13_AESGCM;
-            break;
-        case ssl_calg_chacha20:
-            spec->aead = tls13_ChaCha20Poly1305;
-            break;
-        default:
-            PORT_Assert(0);
-            return SECFailure;
+    spec->aead = tls13_GetAead(spec->cipherDef);
+    if (!spec->aead) {
+        return SECFailure;
     }
 
     if (spec->epoch == TrafficKeyEarlyApplicationData) {
@@ -3427,9 +3436,31 @@ loser:
     return SECFailure;
 }
 
+TLS13KeyShareEntry *
+tls13_CopyKeyShareEntry(TLS13KeyShareEntry *o)
+{
+    TLS13KeyShareEntry *n;
+
+    PORT_Assert(o);
+    n = PORT_ZNew(TLS13KeyShareEntry);
+    if (!n) {
+        return NULL;
+    }
+
+    if (SECSuccess != SECITEM_CopyItem(NULL, &n->key_exchange, &o->key_exchange)) {
+        PORT_Free(n);
+        return NULL;
+    }
+    n->group = o->group;
+    return n;
+}
+
 void
 tls13_DestroyKeyShareEntry(TLS13KeyShareEntry *offer)
 {
+    if (!offer) {
+        return;
+    }
     SECITEM_ZfreeItem(&offer->key_exchange, PR_FALSE);
     PORT_ZFree(offer, sizeof(*offer));
 }
@@ -3550,7 +3581,7 @@ tls13_AESGCM(ssl3KeyMaterial *keys,
     CK_GCM_PARAMS gcmParams;
     unsigned char nonce[12];
 
-    PORT_Assert(additionalDataLen > 8);
+    PORT_Assert(additionalDataLen >= 8);
     memset(&gcmParams, 0, sizeof(gcmParams));
     gcmParams.pIv = nonce;
     gcmParams.ulIvLen = sizeof(nonce);
@@ -3627,7 +3658,23 @@ tls13_HandleEncryptedExtensions(sslSocket *ss, PRUint8 *b, PRUint32 length)
         ss->xtnData.nextProto.data = NULL;
         ss->xtnData.nextProtoState = SSL_NEXT_PROTO_NO_SUPPORT;
     }
-    rv = ssl3_HandleExtensions(ss, &b, &length, ssl_hs_encrypted_extensions);
+
+    rv = ssl3_ParseExtensions(ss, &b, &length);
+    if (rv != SECSuccess) {
+        return SECFailure; /* Error code set below */
+    }
+
+    /* If we sent ESNI, check the nonce. */
+    if (ss->xtnData.esniPrivateKey) {
+        PORT_Assert(ssl3_ExtensionAdvertised(ss, ssl_tls13_encrypted_sni_xtn));
+        rv = tls13_ClientCheckEsniXtn(ss);
+        if (rv != SECSuccess) {
+            return SECFailure;
+        }
+    }
+
+    /* Handle the rest of the extensions. */
+    rv = ssl3_HandleParsedExtensions(ss, ssl_hs_encrypted_extensions);
     if (rv != SECSuccess) {
         return SECFailure; /* Error code set below */
     }
@@ -4025,6 +4072,7 @@ tls13_ComputeFinished(sslSocket *ss, PK11SymKey *baseKey,
 
     PK11_FreeSymKey(secret);
     PK11_DestroyContext(hmacCtx, PR_TRUE);
+    PRINT_BUF(50, (ss, "finished value", output, outputLenUint));
     return SECSuccess;
 
 abort:
@@ -4189,7 +4237,7 @@ tls13_ServerHandleFinished(sslSocket *ss, PRUint8 *b, PRUint32 length)
         return SECFailure;
     }
 
-    if (!ss->opt.requestCertificate &&
+    if (!tls13_ShouldRequestClientAuth(ss) &&
         (ss->ssl3.hs.zeroRttState != ssl_0rtt_done)) {
         dtls_ReceivedFirstMessageInFlight(ss);
     }
@@ -4679,7 +4727,8 @@ tls13_HandleNewSessionTicket(sslSocket *ss, PRUint8 *b, PRUint32 length)
 
         /* Replace a previous session ticket when
          * we receive a second NewSessionTicket message. */
-        if (ss->sec.ci.sid->cached == in_client_cache) {
+        if (ss->sec.ci.sid->cached == in_client_cache ||
+            ss->sec.ci.sid->cached == in_external_cache) {
             /* Create a new session ID. */
             sslSessionID *sid = ssl3_NewSessionID(ss, PR_FALSE);
             if (!sid) {
@@ -4758,7 +4807,8 @@ static const struct {
     { ssl_tls13_certificate_authorities_xtn, _M1(certificate_request) },
     { ssl_tls13_supported_versions_xtn, _M3(client_hello, server_hello,
                                             hello_retry_request) },
-    { ssl_record_size_limit_xtn, _M2(client_hello, encrypted_extensions) }
+    { ssl_record_size_limit_xtn, _M2(client_hello, encrypted_extensions) },
+    { ssl_tls13_encrypted_sni_xtn, _M2(client_hello, encrypted_extensions) }
 };
 
 tls13ExtensionStatus
@@ -4834,11 +4884,11 @@ tls13_FormatAdditionalData(
 }
 
 PRInt32
-tls13_LimitEarlyData(sslSocket *ss, SSL3ContentType type, PRInt32 toSend)
+tls13_LimitEarlyData(sslSocket *ss, SSLContentType type, PRInt32 toSend)
 {
     PRInt32 reduced;
 
-    PORT_Assert(type == content_application_data);
+    PORT_Assert(type == ssl_ct_application_data);
     PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3);
     PORT_Assert(!ss->firstHsDone);
     if (ss->ssl3.cwSpec->epoch != TrafficKeyEarlyApplicationData) {
@@ -4858,7 +4908,7 @@ tls13_LimitEarlyData(sslSocket *ss, SSL3ContentType type, PRInt32 toSend)
 SECStatus
 tls13_ProtectRecord(sslSocket *ss,
                     ssl3CipherSpec *cwSpec,
-                    SSL3ContentType type,
+                    SSLContentType type,
                     const PRUint8 *pIn,
                     PRUint32 contentLen,
                     sslBuffer *wrBuf)
@@ -4899,7 +4949,7 @@ tls13_ProtectRecord(sslSocket *ss,
         *(SSL_BUFFER_NEXT(wrBuf) + contentLen) = type;
 
         /* Create the header (ugly that we have to do it twice). */
-        rv = ssl_InsertRecordHeader(ss, cwSpec, content_application_data,
+        rv = ssl_InsertRecordHeader(ss, cwSpec, ssl_ct_application_data,
                                     &buf, &needsLength);
         if (rv != SECSuccess) {
             return SECFailure;
@@ -4951,7 +5001,7 @@ tls13_UnprotectRecord(sslSocket *ss,
                       ssl3CipherSpec *spec,
                       SSL3Ciphertext *cText,
                       sslBuffer *plaintext,
-                      SSL3ContentType *innerType,
+                      SSLContentType *innerType,
                       SSL3AlertDescription *alert)
 {
     const ssl3BulkCipherDef *cipher_def = spec->cipherDef;
@@ -4966,26 +5016,26 @@ tls13_UnprotectRecord(sslSocket *ss,
                 SSL_GETPID(), ss->fd, spec, spec->epoch, spec->phase,
                 cText->seqNum, cText->buf->len));
 
-    /* We can perform this test in variable time because the record's total
-     * length and the ciphersuite are both public knowledge. */
-    if (cText->buf->len < cipher_def->tag_size) {
-        SSL_TRC(3,
-                ("%d: TLS13[%d]: record too short to contain valid AEAD data",
-                 SSL_GETPID(), ss->fd));
-        PORT_SetError(SSL_ERROR_BAD_MAC_READ);
-        return SECFailure;
-    }
-
     /* Verify that the content type is right, even though we overwrite it.
      * Also allow the DTLS short header in TLS 1.3. */
-    if (!(cText->hdr[0] == content_application_data ||
+    if (!(cText->hdr[0] == ssl_ct_application_data ||
           (IS_DTLS(ss) &&
            ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 &&
            (cText->hdr[0] & 0xe0) == 0x20))) {
         SSL_TRC(3,
                 ("%d: TLS13[%d]: record has invalid exterior type=%2.2x",
                  SSL_GETPID(), ss->fd, cText->hdr[0]));
-        /* Do we need a better error here? */
+        PORT_SetError(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE);
+        *alert = unexpected_message;
+        return SECFailure;
+    }
+
+    /* We can perform this test in variable time because the record's total
+     * length and the ciphersuite are both public knowledge. */
+    if (cText->buf->len < cipher_def->tag_size) {
+        SSL_TRC(3,
+                ("%d: TLS13[%d]: record too short to contain valid AEAD data",
+                 SSL_GETPID(), ss->fd));
         PORT_SetError(SSL_ERROR_BAD_MAC_READ);
         return SECFailure;
     }
@@ -5054,12 +5104,12 @@ tls13_UnprotectRecord(sslSocket *ss,
     }
 
     /* Record the type. */
-    *innerType = (SSL3ContentType)plaintext->buf[plaintext->len - 1];
+    *innerType = (SSLContentType)plaintext->buf[plaintext->len - 1];
     --plaintext->len;
 
     /* Check that we haven't received too much 0-RTT data. */
     if (spec->epoch == TrafficKeyEarlyApplicationData &&
-        *innerType == content_application_data) {
+        *innerType == ssl_ct_application_data) {
         if (plaintext->len > spec->earlyDataRemaining) {
             *alert = unexpected_message;
             PORT_SetError(SSL_ERROR_TOO_MUCH_EARLY_DATA);
@@ -5242,9 +5292,11 @@ tls13_HandleEndOfEarlyData(sslSocket *ss, PRUint8 *b, PRUint32 length)
     }
 
     ss->ssl3.hs.zeroRttState = ssl_0rtt_done;
-    TLS13_SET_HS_STATE(ss,
-                       ss->opt.requestCertificate ? wait_client_cert
-                                                  : wait_finished);
+    if (tls13_ShouldRequestClientAuth(ss)) {
+        TLS13_SET_HS_STATE(ss, wait_client_cert);
+    } else {
+        TLS13_SET_HS_STATE(ss, wait_finished);
+    }
     return SECSuccess;
 }
 
@@ -5283,11 +5335,12 @@ tls13_HandleEarlyApplicationData(sslSocket *ss, sslBuffer *origBuf)
 }
 
 PRUint16
-tls13_EncodeDraftVersion(SSL3ProtocolVersion version)
+tls13_EncodeDraftVersion(SSL3ProtocolVersion version, SSLProtocolVariant variant)
 {
-#ifdef TLS_1_3_DRAFT_VERSION
-    if (version == SSL_LIBRARY_VERSION_TLS_1_3) {
-        return 0x7f00 | TLS_1_3_DRAFT_VERSION;
+#ifdef DTLS_1_3_DRAFT_VERSION
+    if (version == SSL_LIBRARY_VERSION_TLS_1_3 &&
+        variant == ssl_variant_datagram) {
+        return 0x7f00 | DTLS_1_3_DRAFT_VERSION;
     }
 #endif
     return (PRUint16)version;
@@ -5297,7 +5350,6 @@ SECStatus
 tls13_ClientReadSupportedVersion(sslSocket *ss)
 {
     PRUint32 temp;
-    SSL3ProtocolVersion v;
     TLSExtension *versionExtension;
     SECItem it;
     SECStatus rv;
@@ -5319,29 +5371,15 @@ tls13_ClientReadSupportedVersion(sslSocket *ss)
         FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, illegal_parameter);
         return SECFailure;
     }
-    v = (SSL3ProtocolVersion)temp;
 
-    /* You cannot negotiate < TLS 1.3 with supported_versions. */
-    if (v < SSL_LIBRARY_VERSION_TLS_1_3) {
+    if (temp != tls13_EncodeDraftVersion(SSL_LIBRARY_VERSION_TLS_1_3,
+                                         ss->protocolVariant)) {
+        /* You cannot negotiate < TLS 1.3 with supported_versions. */
         FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, illegal_parameter);
         return SECFailure;
     }
 
-#ifdef TLS_1_3_DRAFT_VERSION
-    if (temp == SSL_LIBRARY_VERSION_TLS_1_3) {
-        FATAL_ERROR(ss, SSL_ERROR_UNSUPPORTED_VERSION, protocol_version);
-        return SECFailure;
-    }
-    if (temp == tls13_EncodeDraftVersion(SSL_LIBRARY_VERSION_TLS_1_3)) {
-        v = SSL_LIBRARY_VERSION_TLS_1_3;
-    } else {
-        v = (SSL3ProtocolVersion)temp;
-    }
-#else
-    v = (SSL3ProtocolVersion)temp;
-#endif
-
-    ss->version = v;
+    ss->version = SSL_LIBRARY_VERSION_TLS_1_3;
     return SECSuccess;
 }
 
@@ -5365,7 +5403,7 @@ tls13_NegotiateVersion(sslSocket *ss, const TLSExtension *supportedVersions)
         return SECFailure;
     }
     for (version = ss->vrange.max; version >= ss->vrange.min; --version) {
-        PRUint16 wire = tls13_EncodeDraftVersion(version);
+        PRUint16 wire = tls13_EncodeDraftVersion(version, ss->protocolVariant);
         unsigned long offset;
 
         for (offset = 0; offset < versions.len; offset += 2) {
diff --git a/security/nss/lib/ssl/tls13con.h b/security/nss/lib/ssl/tls13con.h
index f35b20023..f3b2cb390 100644
--- a/security/nss/lib/ssl/tls13con.h
+++ b/security/nss/lib/ssl/tls13con.h
@@ -28,7 +28,7 @@ typedef enum {
 SECStatus tls13_UnprotectRecord(
     sslSocket *ss, ssl3CipherSpec *spec,
     SSL3Ciphertext *cText, sslBuffer *plaintext,
-    SSL3ContentType *innerType,
+    SSLContentType *innerType,
     SSL3AlertDescription *alert);
 
 #if defined(WIN32)
@@ -64,7 +64,7 @@ void tls13_FatalError(sslSocket *ss, PRErrorCode prError,
                       SSL3AlertDescription desc);
 SECStatus tls13_SetupClientHello(sslSocket *ss);
 SECStatus tls13_MaybeDo0RTTHandshake(sslSocket *ss);
-PRInt32 tls13_LimitEarlyData(sslSocket *ss, SSL3ContentType type, PRInt32 toSend);
+PRInt32 tls13_LimitEarlyData(sslSocket *ss, SSLContentType type, PRInt32 toSend);
 PRBool tls13_AllowPskCipher(const sslSocket *ss,
                             const ssl3CipherSuiteDef *cipher_def);
 PRBool tls13_PskSuiteEnabled(sslSocket *ss);
@@ -85,26 +85,36 @@ SECStatus tls13_ConstructHelloRetryRequest(sslSocket *ss,
                                            sslBuffer *buffer);
 SECStatus tls13_HandleHelloRetryRequest(sslSocket *ss, const PRUint8 *b,
                                         PRUint32 length);
+SECStatus tls13_HandleKeyShare(sslSocket *ss,
+                               TLS13KeyShareEntry *entry,
+                               sslKeyPair *keyPair,
+                               SSLHashType hash,
+                               PK11SymKey **out);
+TLS13KeyShareEntry *tls13_CopyKeyShareEntry(TLS13KeyShareEntry *o);
 void tls13_DestroyKeyShareEntry(TLS13KeyShareEntry *entry);
 void tls13_DestroyKeyShares(PRCList *list);
-SECStatus tls13_CreateKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef);
+SECStatus tls13_CreateKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef,
+                               sslEphemeralKeyPair **keyPair);
+SECStatus tls13_AddKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef);
 void tls13_DestroyEarlyData(PRCList *list);
 SECStatus tls13_SetAlertCipherSpec(sslSocket *ss);
 tls13ExtensionStatus tls13_ExtensionStatus(PRUint16 extension,
                                            SSLHandshakeType message);
 SECStatus tls13_ProtectRecord(sslSocket *ss,
                               ssl3CipherSpec *cwSpec,
-                              SSL3ContentType type,
+                              SSLContentType type,
                               const PRUint8 *pIn,
                               PRUint32 contentLen,
                               sslBuffer *wrBuf);
 PRInt32 tls13_Read0RttData(sslSocket *ss, void *buf, PRInt32 len);
 SECStatus tls13_HandleEarlyApplicationData(sslSocket *ss, sslBuffer *origBuf);
 PRBool tls13_ClientAllow0Rtt(const sslSocket *ss, const sslSessionID *sid);
-PRUint16 tls13_EncodeDraftVersion(SSL3ProtocolVersion version);
+PRUint16 tls13_EncodeDraftVersion(SSL3ProtocolVersion version,
+                                  SSLProtocolVariant variant);
 SECStatus tls13_ClientReadSupportedVersion(sslSocket *ss);
 SECStatus tls13_NegotiateVersion(sslSocket *ss,
                                  const TLSExtension *supported_versions);
+PRBool tls13_ShouldRequestClientAuth(sslSocket *ss);
 
 PRBool tls13_IsReplay(const sslSocket *ss, const sslSessionID *sid);
 void tls13_AntiReplayRollover(PRTime now);
@@ -119,6 +129,22 @@ SECStatus tls13_SendKeyUpdate(sslSocket *ss, tls13KeyUpdateRequest request,
                               PRBool buffer);
 SECStatus SSLExp_KeyUpdate(PRFileDesc *fd, PRBool requestUpdate);
 PRBool tls13_MaybeTls13(sslSocket *ss);
+SSLAEADCipher tls13_GetAead(const ssl3BulkCipherDef *cipherDef);
 void tls13_SetSpecRecordVersion(sslSocket *ss, ssl3CipherSpec *spec);
 
+/* Use this instead of FATAL_ERROR when no alert shall be sent. */
+#define LOG_ERROR(ss, prError)                                                     \
+    do {                                                                           \
+        SSL_TRC(3, ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)",                 \
+                    SSL_GETPID(), ss->fd, prError, __func__, __FILE__, __LINE__)); \
+        PORT_SetError(prError);                                                    \
+    } while (0)
+
+/* Log an error and generate an alert because something is irreparably wrong. */
+#define FATAL_ERROR(ss, prError, desc)       \
+    do {                                     \
+        LOG_ERROR(ss, prError);              \
+        tls13_FatalError(ss, prError, desc); \
+    } while (0)
+
 #endif /* __tls13con_h_ */
diff --git a/security/nss/lib/ssl/tls13esni.c b/security/nss/lib/ssl/tls13esni.c
new file mode 100644
index 000000000..e2328769b
--- /dev/null
+++ b/security/nss/lib/ssl/tls13esni.c
@@ -0,0 +1,844 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#define TLS13_ESNI_VERSION 0xff01
+
+/*
+ *  struct {
+ *      uint16 version;
+ *      uint8 checksum[4];
+ *      KeyShareEntry keys<4..2^16-1>;
+ *      CipherSuite cipher_suites<2..2^16-2>;
+ *      uint16 padded_length;
+ *      uint64 not_before;
+ *      uint64 not_after;
+ *      Extension extensions<0..2^16-1>;
+ *  } ESNIKeys;
+ */
+#include "nss.h"
+#include "pk11func.h"
+#include "ssl.h"
+#include "sslproto.h"
+#include "sslimpl.h"
+#include "ssl3exthandle.h"
+#include "tls13esni.h"
+#include "tls13exthandle.h"
+#include "tls13hkdf.h"
+
+const char kHkdfPurposeEsniKey[] = "esni key";
+const char kHkdfPurposeEsniIv[] = "esni iv";
+
+void
+tls13_DestroyESNIKeys(sslEsniKeys *keys)
+{
+    if (!keys) {
+        return;
+    }
+    SECITEM_FreeItem(&keys->data, PR_FALSE);
+    PORT_Free((void *)keys->dummySni);
+    tls13_DestroyKeyShares(&keys->keyShares);
+    ssl_FreeEphemeralKeyPair(keys->privKey);
+    SECITEM_FreeItem(&keys->suites, PR_FALSE);
+    PORT_ZFree(keys, sizeof(sslEsniKeys));
+}
+
+sslEsniKeys *
+tls13_CopyESNIKeys(sslEsniKeys *okeys)
+{
+    sslEsniKeys *nkeys;
+    SECStatus rv;
+
+    PORT_Assert(okeys);
+
+    nkeys = PORT_ZNew(sslEsniKeys);
+    if (!nkeys) {
+        return NULL;
+    }
+    PR_INIT_CLIST(&nkeys->keyShares);
+    rv = SECITEM_CopyItem(NULL, &nkeys->data, &okeys->data);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (okeys->dummySni) {
+        nkeys->dummySni = PORT_Strdup(okeys->dummySni);
+        if (!nkeys->dummySni) {
+            goto loser;
+        }
+    }
+    for (PRCList *cur_p = PR_LIST_HEAD(&okeys->keyShares);
+         cur_p != &okeys->keyShares;
+         cur_p = PR_NEXT_LINK(cur_p)) {
+        TLS13KeyShareEntry *copy = tls13_CopyKeyShareEntry(
+            (TLS13KeyShareEntry *)cur_p);
+        if (!copy) {
+            goto loser;
+        }
+        PR_APPEND_LINK(&copy->link, &nkeys->keyShares);
+    }
+    if (okeys->privKey) {
+        nkeys->privKey = ssl_CopyEphemeralKeyPair(okeys->privKey);
+        if (!nkeys->privKey) {
+            goto loser;
+        }
+    }
+    rv = SECITEM_CopyItem(NULL, &nkeys->suites, &okeys->suites);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    nkeys->paddedLength = okeys->paddedLength;
+    nkeys->notBefore = okeys->notBefore;
+    nkeys->notAfter = okeys->notAfter;
+    return nkeys;
+
+loser:
+    tls13_DestroyESNIKeys(nkeys);
+    return NULL;
+}
+
+/* Checksum is a 4-byte array. */
+static SECStatus
+tls13_ComputeESNIKeysChecksum(const PRUint8 *buf, unsigned int len,
+                              PRUint8 *checksum)
+{
+    SECItem copy;
+    SECStatus rv;
+    PRUint8 sha256[32];
+
+    rv = SECITEM_MakeItem(NULL, &copy, buf, len);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    /* Stomp the checksum. */
+    PORT_Memset(copy.data + 2, 0, 4);
+
+    rv = PK11_HashBuf(ssl3_HashTypeToOID(ssl_hash_sha256),
+                      sha256,
+                      copy.data, copy.len);
+    SECITEM_FreeItem(&copy, PR_FALSE);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    PORT_Memcpy(checksum, sha256, 4);
+    return SECSuccess;
+}
+
+static SECStatus
+tls13_DecodeESNIKeys(SECItem *data, sslEsniKeys **keysp)
+{
+    SECStatus rv;
+    sslReadBuffer tmp;
+    PRUint64 tmpn;
+    sslEsniKeys *keys;
+    PRUint8 checksum[4];
+    sslReader rdr = SSL_READER(data->data, data->len);
+
+    rv = sslRead_ReadNumber(&rdr, 2, &tmpn);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    if (tmpn != TLS13_ESNI_VERSION) {
+        PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
+        return SECFailure;
+    }
+    keys = PORT_ZNew(sslEsniKeys);
+    if (!keys) {
+        return SECFailure;
+    }
+    PR_INIT_CLIST(&keys->keyShares);
+
+    /* Make a copy. */
+    rv = SECITEM_CopyItem(NULL, &keys->data, data);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = tls13_ComputeESNIKeysChecksum(data->data, data->len, checksum);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Read and check checksum. */
+    rv = sslRead_Read(&rdr, 4, &tmp);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    if (0 != NSS_SecureMemcmp(tmp.buf, checksum, 4)) {
+        goto loser;
+    }
+
+    /* Parse the key shares. */
+    rv = sslRead_ReadVariable(&rdr, 2, &tmp);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    sslReader rdr2 = SSL_READER(tmp.buf, tmp.len);
+    while (SSL_READER_REMAINING(&rdr2)) {
+        TLS13KeyShareEntry *ks = NULL;
+
+        rv = tls13_DecodeKeyShareEntry(&rdr2, &ks);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
+
+        if (ks) {
+            PR_APPEND_LINK(&ks->link, &keys->keyShares);
+        }
+    }
+
+    /* Parse cipher suites. */
+    rv = sslRead_ReadVariable(&rdr, 2, &tmp);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    /* This can't be odd. */
+    if (tmp.len & 1) {
+        goto loser;
+    }
+    rv = SECITEM_MakeItem(NULL, &keys->suites, (PRUint8 *)tmp.buf, tmp.len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Padded Length */
+    rv = sslRead_ReadNumber(&rdr, 2, &tmpn);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    keys->paddedLength = (PRUint16)tmpn;
+
+    /* Not Before */
+    rv = sslRead_ReadNumber(&rdr, 8, &keys->notBefore);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Not After */
+    rv = sslRead_ReadNumber(&rdr, 8, &keys->notAfter);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Extensions, which we ignore. */
+    rv = sslRead_ReadVariable(&rdr, 2, &tmp);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Check that this is empty. */
+    if (SSL_READER_REMAINING(&rdr) > 0) {
+        goto loser;
+    }
+
+    *keysp = keys;
+    return SECSuccess;
+
+loser:
+    tls13_DestroyESNIKeys(keys);
+    PORT_SetError(SSL_ERROR_RX_MALFORMED_ESNI_KEYS);
+
+    return SECFailure;
+}
+
+/* Encode an ESNI keys structure. We only allow one key
+ * share. */
+SECStatus
+SSLExp_EncodeESNIKeys(PRUint16 *cipherSuites, unsigned int cipherSuiteCount,
+                      SSLNamedGroup group, SECKEYPublicKey *pubKey,
+                      PRUint16 pad, PRUint64 notBefore, PRUint64 notAfter,
+                      PRUint8 *out, unsigned int *outlen, unsigned int maxlen)
+{
+    unsigned int savedOffset;
+    SECStatus rv;
+    sslBuffer b = SSL_BUFFER_EMPTY;
+
+    rv = sslBuffer_AppendNumber(&b, TLS13_ESNI_VERSION, 2);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = sslBuffer_Skip(&b, 4, &savedOffset);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Length of vector. */
+    rv = sslBuffer_AppendNumber(
+        &b, tls13_SizeOfKeyShareEntry(pubKey), 2);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Our one key share. */
+    rv = tls13_EncodeKeyShareEntry(&b, group, pubKey);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Cipher suites. */
+    rv = sslBuffer_AppendNumber(&b, cipherSuiteCount * 2, 2);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    for (unsigned int i = 0; i < cipherSuiteCount; i++) {
+        rv = sslBuffer_AppendNumber(&b, cipherSuites[i], 2);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
+    }
+
+    /* Padding Length. Fixed for now. */
+    rv = sslBuffer_AppendNumber(&b, pad, 2);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Start time. */
+    rv = sslBuffer_AppendNumber(&b, notBefore, 8);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* End time. */
+    rv = sslBuffer_AppendNumber(&b, notAfter, 8);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* No extensions. */
+    rv = sslBuffer_AppendNumber(&b, 0, 2);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = tls13_ComputeESNIKeysChecksum(SSL_BUFFER_BASE(&b),
+                                       SSL_BUFFER_LEN(&b),
+                                       SSL_BUFFER_BASE(&b) + 2);
+    if (rv != SECSuccess) {
+        PORT_Assert(PR_FALSE);
+        goto loser;
+    }
+
+    if (SSL_BUFFER_LEN(&b) > maxlen) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        goto loser;
+    }
+    PORT_Memcpy(out, SSL_BUFFER_BASE(&b), SSL_BUFFER_LEN(&b));
+    *outlen = SSL_BUFFER_LEN(&b);
+
+    sslBuffer_Clear(&b);
+    return SECSuccess;
+loser:
+    sslBuffer_Clear(&b);
+    return SECFailure;
+}
+
+SECStatus
+SSLExp_SetESNIKeyPair(PRFileDesc *fd,
+                      SECKEYPrivateKey *privKey,
+                      const PRUint8 *record, unsigned int recordLen)
+{
+    sslSocket *ss;
+    SECStatus rv;
+    sslEsniKeys *keys = NULL;
+    SECKEYPublicKey *pubKey = NULL;
+    SECItem data = { siBuffer, CONST_CAST(PRUint8, record), recordLen };
+    PLArenaPool *arena = NULL;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+        SSL_DBG(("%d: SSL[%d]: bad socket in %s",
+                 SSL_GETPID(), fd, __FUNCTION__));
+        return SECFailure;
+    }
+
+    rv = tls13_DecodeESNIKeys(&data, &keys);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    /* Check the cipher suites. */
+    (void)ssl3_config_match_init(ss);
+    /* Make sure the cipher suite is OK. */
+    SSLVersionRange vrange = { SSL_LIBRARY_VERSION_TLS_1_3,
+                               SSL_LIBRARY_VERSION_TLS_1_3 };
+
+    sslReader csrdr = SSL_READER(keys->suites.data,
+                                 keys->suites.len);
+    while (SSL_READER_REMAINING(&csrdr)) {
+        PRUint64 asuite;
+
+        rv = sslRead_ReadNumber(&csrdr, 2, &asuite);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
+        const ssl3CipherSuiteCfg *suiteCfg =
+            ssl_LookupCipherSuiteCfg(asuite, ss->cipherSuites);
+        if (!ssl3_config_match(suiteCfg, ss->ssl3.policy, &vrange, ss)) {
+            /* Illegal suite. */
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            goto loser;
+        }
+    }
+
+    if (PR_CLIST_IS_EMPTY(&keys->keyShares)) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        goto loser;
+    }
+    if (PR_PREV_LINK(&keys->keyShares) != PR_NEXT_LINK(&keys->keyShares)) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        goto loser;
+    }
+    TLS13KeyShareEntry *entry = (TLS13KeyShareEntry *)PR_LIST_HEAD(
+        &keys->keyShares);
+    if (entry->group->keaType != ssl_kea_ecdh) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        goto loser;
+    }
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+        goto loser;
+    }
+    pubKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
+    if (!pubKey) {
+        goto loser;
+    }
+    pubKey->arena = arena;
+    arena = NULL; /* From here, this will be destroyed with the pubkey. */
+    /* Dummy PKCS11 values because this key isn't on a slot. */
+    pubKey->pkcs11Slot = NULL;
+    pubKey->pkcs11ID = CK_INVALID_HANDLE;
+    rv = ssl_ImportECDHKeyShare(pubKey,
+                                entry->key_exchange.data,
+                                entry->key_exchange.len,
+                                entry->group);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    privKey = SECKEY_CopyPrivateKey(privKey);
+    if (!privKey) {
+        goto loser;
+    }
+    keys->privKey = ssl_NewEphemeralKeyPair(entry->group, privKey, pubKey);
+    if (!keys->privKey) {
+        goto loser;
+    }
+    pubKey = NULL;
+    ss->esniKeys = keys;
+    return SECSuccess;
+
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    SECKEY_DestroyPublicKey(pubKey);
+    tls13_DestroyESNIKeys(keys);
+    return SECFailure;
+}
+
+SECStatus
+SSLExp_EnableESNI(PRFileDesc *fd,
+                  const PRUint8 *esniKeys,
+                  unsigned int esniKeysLen,
+                  const char *dummySNI)
+{
+    sslSocket *ss;
+    sslEsniKeys *keys = NULL;
+    SECItem data = { siBuffer, CONST_CAST(PRUint8, esniKeys), esniKeysLen };
+    SECStatus rv;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+        SSL_DBG(("%d: SSL[%d]: bad socket in %s",
+                 SSL_GETPID(), fd, __FUNCTION__));
+        return SECFailure;
+    }
+
+    rv = tls13_DecodeESNIKeys(&data, &keys);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    if (dummySNI) {
+        keys->dummySni = PORT_Strdup(dummySNI);
+        if (!keys->dummySni) {
+            tls13_DestroyESNIKeys(keys);
+            return SECFailure;
+        }
+    }
+
+    /* Delete in case it was set before. */
+    tls13_DestroyESNIKeys(ss->esniKeys);
+    ss->esniKeys = keys;
+
+    return SECSuccess;
+}
+
+/*
+ * struct {
+ *     opaque record_digest<0..2^16-1>;
+ *     KeyShareEntry esni_key_share;
+ *     Random client_hello_random;
+ * } ESNIContents;
+ */
+SECStatus
+tls13_ComputeESNIKeys(const sslSocket *ss,
+                      TLS13KeyShareEntry *entry,
+                      sslKeyPair *keyPair,
+                      const ssl3CipherSuiteDef *suite,
+                      const PRUint8 *esniKeysHash,
+                      const PRUint8 *keyShareBuf,
+                      unsigned int keyShareBufLen,
+                      const PRUint8 *clientRandom,
+                      ssl3KeyMaterial *keyMat)
+{
+    PK11SymKey *Z = NULL;
+    PK11SymKey *Zx = NULL;
+    SECStatus ret = SECFailure;
+    PRUint8 esniContentsBuf[256]; /* Just big enough. */
+    sslBuffer esniContents = SSL_BUFFER(esniContentsBuf);
+    PRUint8 hash[64];
+    const ssl3BulkCipherDef *cipherDef = ssl_GetBulkCipherDef(suite);
+    size_t keySize = cipherDef->key_size;
+    size_t ivSize = cipherDef->iv_size +
+                    cipherDef->explicit_nonce_size; /* This isn't always going to
+                                                     * work, but it does for
+                                                     * AES-GCM */
+    unsigned int hashSize = tls13_GetHashSizeForHash(suite->prf_hash);
+    SECStatus rv;
+
+    rv = tls13_HandleKeyShare(CONST_CAST(sslSocket, ss), entry, keyPair,
+                              suite->prf_hash, &Z);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = tls13_HkdfExtract(NULL, Z, suite->prf_hash, &Zx);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Encode ESNIContents. */
+    rv = sslBuffer_AppendVariable(&esniContents,
+                                  esniKeysHash, hashSize, 2);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = sslBuffer_Append(&esniContents, keyShareBuf, keyShareBufLen);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = sslBuffer_Append(&esniContents, clientRandom, SSL3_RANDOM_LENGTH);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    PORT_Assert(hashSize <= sizeof(hash));
+    rv = PK11_HashBuf(ssl3_HashTypeToOID(suite->prf_hash),
+                      hash,
+                      SSL_BUFFER_BASE(&esniContents),
+                      SSL_BUFFER_LEN(&esniContents));
+    ;
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = tls13_HkdfExpandLabel(Zx, suite->prf_hash,
+                               hash, hashSize,
+                               kHkdfPurposeEsniKey, strlen(kHkdfPurposeEsniKey),
+                               ssl3_Alg2Mech(cipherDef->calg),
+                               keySize,
+                               &keyMat->key);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = tls13_HkdfExpandLabelRaw(Zx, suite->prf_hash,
+                                  hash, hashSize,
+                                  kHkdfPurposeEsniIv, strlen(kHkdfPurposeEsniIv),
+                                  keyMat->iv, ivSize);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    ret = SECSuccess;
+
+loser:
+    PK11_FreeSymKey(Z);
+    PK11_FreeSymKey(Zx);
+    return ret;
+}
+
+/* Set up ESNI. This generates a private key as a side effect. */
+SECStatus
+tls13_ClientSetupESNI(sslSocket *ss)
+{
+    ssl3CipherSuite suite;
+    sslEphemeralKeyPair *keyPair;
+    size_t i;
+    PRCList *cur;
+    SECStatus rv;
+    TLS13KeyShareEntry *share;
+    const sslNamedGroupDef *group = NULL;
+    PRTime now = PR_Now() / PR_USEC_PER_SEC;
+
+    if (!ss->esniKeys) {
+        return SECSuccess;
+    }
+
+    if ((ss->esniKeys->notBefore > now) || (ss->esniKeys->notAfter < now)) {
+        return SECSuccess;
+    }
+
+    /* If we're not sending SNI, don't send ESNI. */
+    if (!ssl_ShouldSendSNIExtension(ss, ss->url)) {
+        return SECSuccess;
+    }
+
+    /* Pick the group. */
+    for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
+        for (cur = PR_NEXT_LINK(&ss->esniKeys->keyShares);
+             cur != &ss->esniKeys->keyShares;
+             cur = PR_NEXT_LINK(cur)) {
+            if (!ss->namedGroupPreferences[i]) {
+                continue;
+            }
+            share = (TLS13KeyShareEntry *)cur;
+            if (share->group->name == ss->namedGroupPreferences[i]->name) {
+                group = ss->namedGroupPreferences[i];
+                break;
+            }
+        }
+    }
+
+    if (!group) {
+        /* No compatible group. */
+        return SECSuccess;
+    }
+
+    rv = ssl3_NegotiateCipherSuiteInner(ss, &ss->esniKeys->suites,
+                                        SSL_LIBRARY_VERSION_TLS_1_3, &suite);
+    if (rv != SECSuccess) {
+        return SECSuccess;
+    }
+
+    rv = tls13_CreateKeyShare(ss, group, &keyPair);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    ss->xtnData.esniPrivateKey = keyPair;
+    ss->xtnData.esniSuite = suite;
+    ss->xtnData.peerEsniShare = share;
+
+    return SECSuccess;
+}
+
+/*
+ * struct {
+ *     CipherSuite suite;
+ *     KeyShareEntry key_share;
+ *     opaque record_digest<0..2^16-1>;
+ *     opaque encrypted_sni<0..2^16-1>;
+ * } ClientEncryptedSNI;
+ *
+ * struct {
+ *     ServerNameList sni;
+ *     opaque zeros[ESNIKeys.padded_length - length(sni)];
+ * } PaddedServerNameList;
+ *
+ * struct {
+ *     uint8 nonce[16];
+ *     PaddedServerNameList realSNI;
+ * } ClientESNIInner;
+ */
+SECStatus
+tls13_FormatEsniAADInput(sslBuffer *aadInput,
+                         PRUint8 *keyShare, unsigned int keyShareLen)
+{
+    SECStatus rv;
+
+    /* 8 bytes of 0 for the sequence number. */
+    rv = sslBuffer_AppendNumber(aadInput, 0, 8);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    /* Key share. */
+    PORT_Assert(keyShareLen > 0);
+    rv = sslBuffer_Append(aadInput, keyShare, keyShareLen);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+static SECStatus
+tls13_ServerGetEsniAEAD(const sslSocket *ss, PRUint64 suite,
+                        const ssl3CipherSuiteDef **suiteDefp,
+                        SSLAEADCipher *aeadp)
+{
+    SECStatus rv;
+    const ssl3CipherSuiteDef *suiteDef;
+    SSLAEADCipher aead;
+
+    /* Check against the suite list for ESNI */
+    PRBool csMatch = PR_FALSE;
+    sslReader csrdr = SSL_READER(ss->esniKeys->suites.data,
+                                 ss->esniKeys->suites.len);
+    while (SSL_READER_REMAINING(&csrdr)) {
+        PRUint64 asuite;
+
+        rv = sslRead_ReadNumber(&csrdr, 2, &asuite);
+        if (rv != SECSuccess) {
+            return SECFailure;
+        }
+        if (asuite == suite) {
+            csMatch = PR_TRUE;
+            break;
+        }
+    }
+    if (!csMatch) {
+        return SECFailure;
+    }
+
+    suiteDef = ssl_LookupCipherSuiteDef(suite);
+    PORT_Assert(suiteDef);
+    if (!suiteDef) {
+        return SECFailure;
+    }
+    aead = tls13_GetAead(ssl_GetBulkCipherDef(suiteDef));
+    if (!aead) {
+        return SECFailure;
+    }
+
+    *suiteDefp = suiteDef;
+    *aeadp = aead;
+    return SECSuccess;
+}
+
+SECStatus
+tls13_ServerDecryptEsniXtn(const sslSocket *ss, PRUint8 *in, unsigned int inLen,
+                           PRUint8 *out, int *outLen, int maxLen)
+{
+    sslReader rdr = SSL_READER(in, inLen);
+    PRUint64 suite;
+    const ssl3CipherSuiteDef *suiteDef;
+    SSLAEADCipher aead = NULL;
+    TLSExtension *keyShareExtension;
+    TLS13KeyShareEntry *entry = NULL;
+    ssl3KeyMaterial keyMat = { NULL };
+
+    sslBuffer aadInput = SSL_BUFFER_EMPTY;
+    const PRUint8 *keyShareBuf;
+    sslReadBuffer buf;
+    unsigned int keyShareBufLen;
+    PRUint8 hash[64];
+    SECStatus rv;
+
+    /* Read the cipher suite. */
+    rv = sslRead_ReadNumber(&rdr, 2, &suite);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Find the AEAD */
+    rv = tls13_ServerGetEsniAEAD(ss, suite, &suiteDef, &aead);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Note where the KeyShare starts. */
+    keyShareBuf = SSL_READER_CURRENT(&rdr);
+    rv = tls13_DecodeKeyShareEntry(&rdr, &entry);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    keyShareBufLen = SSL_READER_CURRENT(&rdr) - keyShareBuf;
+    if (!entry || entry->group->name != ss->esniKeys->privKey->group->name) {
+        goto loser;
+    }
+
+    /* The hash of the ESNIKeys structure. */
+    rv = sslRead_ReadVariable(&rdr, 2, &buf);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Check that the hash matches. */
+    unsigned int hashLen = tls13_GetHashSizeForHash(suiteDef->prf_hash);
+    PORT_Assert(hashLen <= sizeof(hash));
+    rv = PK11_HashBuf(ssl3_HashTypeToOID(suiteDef->prf_hash),
+                      hash,
+                      ss->esniKeys->data.data, ss->esniKeys->data.len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    if (buf.len != hashLen) {
+        /* This is malformed. */
+        goto loser;
+    }
+    if (0 != NSS_SecureMemcmp(hash, buf.buf, hashLen)) {
+        goto loser;
+    }
+
+    rv = tls13_ComputeESNIKeys(ss, entry,
+                               ss->esniKeys->privKey->keys,
+                               suiteDef,
+                               hash, keyShareBuf, keyShareBufLen,
+                               ((sslSocket *)ss)->ssl3.hs.client_random,
+                               &keyMat);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Read the ciphertext. */
+    rv = sslRead_ReadVariable(&rdr, 2, &buf);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Check that this is empty. */
+    if (SSL_READER_REMAINING(&rdr) > 0) {
+        goto loser;
+    }
+
+    /* Find the key share extension. */
+    keyShareExtension = ssl3_FindExtension(CONST_CAST(sslSocket, ss),
+                                           ssl_tls13_key_share_xtn);
+    if (!keyShareExtension) {
+        goto loser;
+    }
+    rv = tls13_FormatEsniAADInput(&aadInput,
+                                  keyShareExtension->data.data,
+                                  keyShareExtension->data.len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = aead(&keyMat, PR_TRUE /* Decrypt */,
+              out, outLen, maxLen,
+              buf.buf, buf.len,
+              SSL_BUFFER_BASE(&aadInput),
+              SSL_BUFFER_LEN(&aadInput));
+    sslBuffer_Clear(&aadInput);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    ssl_DestroyKeyMaterial(&keyMat);
+    tls13_DestroyKeyShareEntry(entry);
+    return SECSuccess;
+
+loser:
+    FATAL_ERROR(CONST_CAST(sslSocket, ss), SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION, illegal_parameter);
+    ssl_DestroyKeyMaterial(&keyMat); /* Safe because zeroed. */
+    if (entry) {
+        tls13_DestroyKeyShareEntry(entry);
+    }
+    return SECFailure;
+}
diff --git a/security/nss/lib/ssl/tls13esni.h b/security/nss/lib/ssl/tls13esni.h
new file mode 100644
index 000000000..6c52c9952
--- /dev/null
+++ b/security/nss/lib/ssl/tls13esni.h
@@ -0,0 +1,51 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is PRIVATE to SSL.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __tls13esni_h_
+#define __tls13esni_h_
+
+struct sslEsniKeysStr {
+    SECItem data; /* The encoded record. */
+    sslEphemeralKeyPair *privKey;
+    const char *dummySni;
+    PRCList keyShares; /* List of TLS13KeyShareEntry */
+    SECItem suites;
+    PRUint16 paddedLength;
+    PRUint64 notBefore;
+    PRUint64 notAfter;
+};
+
+SECStatus SSLExp_SetESNIKeyPair(PRFileDesc *fd,
+                                SECKEYPrivateKey *privKey,
+                                const PRUint8 *record, unsigned int recordLen);
+
+SECStatus SSLExp_EnableESNI(PRFileDesc *fd, const PRUint8 *esniKeys,
+                            unsigned int esniKeysLen, const char *dummySNI);
+SECStatus SSLExp_EncodeESNIKeys(PRUint16 *cipherSuites, unsigned int cipherSuiteCount,
+                                SSLNamedGroup group, SECKEYPublicKey *pubKey,
+                                PRUint16 pad, PRUint64 notBefore, PRUint64 notAfter,
+                                PRUint8 *out, unsigned int *outlen, unsigned int maxlen);
+sslEsniKeys *tls13_CopyESNIKeys(sslEsniKeys *okeys);
+void tls13_DestroyESNIKeys(sslEsniKeys *keys);
+SECStatus tls13_ClientSetupESNI(sslSocket *ss);
+SECStatus tls13_ComputeESNIKeys(const sslSocket *ss,
+                                TLS13KeyShareEntry *entry,
+                                sslKeyPair *keyPair,
+                                const ssl3CipherSuiteDef *suite,
+                                const PRUint8 *esniKeysHash,
+                                const PRUint8 *keyShareBuf,
+                                unsigned int keyShareBufLen,
+                                const PRUint8 *clientRandom,
+                                ssl3KeyMaterial *keyMat);
+SECStatus tls13_FormatEsniAADInput(sslBuffer *aadInput,
+                                   PRUint8 *keyShare, unsigned int keyShareLen);
+
+SECStatus tls13_ServerDecryptEsniXtn(const sslSocket *ss, PRUint8 *in, unsigned int inLen,
+                                     PRUint8 *out, int *outLen, int maxLen);
+
+#endif
diff --git a/security/nss/lib/ssl/tls13exthandle.c b/security/nss/lib/ssl/tls13exthandle.c
index 1ab8a8e59..8ed18f69c 100644
--- a/security/nss/lib/ssl/tls13exthandle.c
+++ b/security/nss/lib/ssl/tls13exthandle.c
@@ -12,6 +12,7 @@
 #include "pk11pub.h"
 #include "ssl3ext.h"
 #include "ssl3exthandle.h"
+#include "tls13esni.h"
 #include "tls13exthandle.h"
 
 SECStatus
@@ -71,7 +72,7 @@ tls13_ServerSendStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData,
  *
  *     opaque point <1..2^8-1>;
  */
-static PRUint32
+PRUint32
 tls13_SizeOfKeyShareEntry(const SECKEYPublicKey *pubKey)
 {
     /* Size = NamedGroup(2) + length(2) + opaque<?> share */
@@ -86,14 +87,14 @@ tls13_SizeOfKeyShareEntry(const SECKEYPublicKey *pubKey)
     return 0;
 }
 
-static SECStatus
-tls13_EncodeKeyShareEntry(sslBuffer *buf, const sslEphemeralKeyPair *keyPair)
+SECStatus
+tls13_EncodeKeyShareEntry(sslBuffer *buf, SSLNamedGroup group,
+                          SECKEYPublicKey *pubKey)
 {
     SECStatus rv;
-    SECKEYPublicKey *pubKey = keyPair->keys->pubKey;
     unsigned int size = tls13_SizeOfKeyShareEntry(pubKey);
 
-    rv = sslBuffer_AppendNumber(buf, keyPair->group->name, 2);
+    rv = sslBuffer_AppendNumber(buf, group, 2);
     if (rv != SECSuccess)
         return rv;
     rv = sslBuffer_AppendNumber(buf, size - 4, 2);
@@ -123,6 +124,7 @@ tls13_ClientSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
 {
     SECStatus rv;
     PRCList *cursor;
+    unsigned int extStart;
     unsigned int lengthOffset;
 
     if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) {
@@ -134,6 +136,8 @@ tls13_ClientSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
     SSL_TRC(3, ("%d: TLS13[%d]: send client key share xtn",
                 SSL_GETPID(), ss->fd));
 
+    extStart = SSL_BUFFER_LEN(buf);
+
     /* Save the offset to the length. */
     rv = sslBuffer_Skip(buf, 2, &lengthOffset);
     if (rv != SECSuccess) {
@@ -144,7 +148,9 @@ tls13_ClientSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
          cursor != &ss->ephemeralKeyPairs;
          cursor = PR_NEXT_LINK(cursor)) {
         sslEphemeralKeyPair *keyPair = (sslEphemeralKeyPair *)cursor;
-        rv = tls13_EncodeKeyShareEntry(buf, keyPair);
+        rv = tls13_EncodeKeyShareEntry(buf,
+                                       keyPair->group->name,
+                                       keyPair->keys->pubKey);
         if (rv != SECSuccess) {
             return SECFailure;
         }
@@ -154,50 +160,62 @@ tls13_ClientSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
         return SECFailure;
     }
 
+    rv = SECITEM_MakeItem(NULL, &xtnData->keyShareExtension,
+                          SSL_BUFFER_BASE(buf) + extStart,
+                          SSL_BUFFER_LEN(buf) - extStart);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
     *added = PR_TRUE;
     return SECSuccess;
 }
 
-static SECStatus
-tls13_HandleKeyShareEntry(const sslSocket *ss, TLSExtensionData *xtnData, SECItem *data)
+SECStatus
+tls13_DecodeKeyShareEntry(sslReader *rdr, TLS13KeyShareEntry **ksp)
 {
     SECStatus rv;
-    PRUint32 group;
+    PRUint64 group;
     const sslNamedGroupDef *groupDef;
     TLS13KeyShareEntry *ks = NULL;
-    SECItem share = { siBuffer, NULL, 0 };
+    sslReadBuffer share;
 
-    rv = ssl3_ExtConsumeHandshakeNumber(ss, &group, 2, &data->data, &data->len);
+    rv = sslRead_ReadNumber(rdr, 2, &group);
     if (rv != SECSuccess) {
-        PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
         goto loser;
     }
     groupDef = ssl_LookupNamedGroup(group);
-    rv = ssl3_ExtConsumeHandshakeVariable(ss, &share, 2, &data->data,
-                                          &data->len);
+    rv = sslRead_ReadVariable(rdr, 2, &share);
     if (rv != SECSuccess) {
         goto loser;
     }
+
+    /* This has to happen here because we want to consume
+     * the entire entry even if the group is unknown
+     * or disabled. */
     /* If the group is disabled, continue. */
     if (!groupDef) {
         return SECSuccess;
     }
 
     ks = PORT_ZNew(TLS13KeyShareEntry);
-    if (!ks)
+    if (!ks) {
         goto loser;
+    }
     ks->group = groupDef;
 
-    rv = SECITEM_CopyItem(NULL, &ks->key_exchange, &share);
-    if (rv != SECSuccess)
+    rv = SECITEM_MakeItem(NULL, &ks->key_exchange,
+                          share.buf, share.len);
+    if (rv != SECSuccess) {
         goto loser;
+    }
 
-    PR_APPEND_LINK(&ks->link, &xtnData->remoteKeyShares);
+    *ksp = ks;
     return SECSuccess;
 
 loser:
-    if (ks)
-        tls13_DestroyKeyShareEntry(ks);
+    tls13_DestroyKeyShareEntry(ks);
+
     return SECFailure;
 }
 /* Handle an incoming KeyShare extension at the client and copy to
@@ -209,6 +227,7 @@ tls13_ClientHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
 {
     SECStatus rv;
     PORT_Assert(PR_CLIST_IS_EMPTY(&xtnData->remoteKeyShares));
+    TLS13KeyShareEntry *ks = NULL;
 
     PORT_Assert(!ss->sec.isServer);
 
@@ -221,16 +240,20 @@ tls13_ClientHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
     SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension",
                 SSL_GETPID(), ss->fd));
 
-    rv = tls13_HandleKeyShareEntry(ss, xtnData, data);
-    if (rv != SECSuccess) {
+    sslReader rdr = SSL_READER(data->data, data->len);
+    rv = tls13_DecodeKeyShareEntry(&rdr, &ks);
+    if ((rv != SECSuccess) || !ks) {
+        ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
         PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
         return SECFailure;
     }
 
-    if (data->len) {
+    if (SSL_READER_REMAINING(&rdr)) {
+        tls13_DestroyKeyShareEntry(ks);
         PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
         return SECFailure;
     }
+    PR_APPEND_LINK(&ks->link, &xtnData->remoteKeyShares);
 
     return SECSuccess;
 }
@@ -273,7 +296,7 @@ tls13_ClientHandleKeyShareXtnHrr(const sslSocket *ss, TLSExtensionData *xtnData,
     ssl_FreeEphemeralKeyPairs(CONST_CAST(sslSocket, ss));
 
     /* And replace with our new share. */
-    rv = tls13_CreateKeyShare(CONST_CAST(sslSocket, ss), group);
+    rv = tls13_AddKeyShare(CONST_CAST(sslSocket, ss), group);
     if (rv != SECSuccess) {
         ssl3_ExtSendAlert(ss, alert_fatal, internal_error);
         PORT_SetError(SEC_ERROR_KEYGEN_FAIL);
@@ -315,12 +338,24 @@ tls13_ServerHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
         goto loser;
     }
 
-    while (data->len) {
-        rv = tls13_HandleKeyShareEntry(ss, xtnData, data);
-        if (rv != SECSuccess)
+    sslReader rdr = SSL_READER(data->data, data->len);
+    while (SSL_READER_REMAINING(&rdr)) {
+        TLS13KeyShareEntry *ks = NULL;
+        rv = tls13_DecodeKeyShareEntry(&rdr, &ks);
+        if (rv != SECSuccess) {
+            PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
             goto loser;
+        }
+        if (ks) {
+            /* |ks| == NULL if this is an unknown group. */
+            PR_APPEND_LINK(&ks->link, &xtnData->remoteKeyShares);
+        }
     }
 
+    /* Keep track of negotiated extensions. */
+    xtnData->negotiated[xtnData->numNegotiated++] =
+        ssl_tls13_key_share_xtn;
+
     return SECSuccess;
 
 loser:
@@ -342,7 +377,8 @@ tls13_ServerSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
 
     keyPair = (sslEphemeralKeyPair *)PR_NEXT_LINK(&ss->ephemeralKeyPairs);
 
-    rv = tls13_EncodeKeyShareEntry(buf, keyPair);
+    rv = tls13_EncodeKeyShareEntry(buf, keyPair->group->name,
+                                   keyPair->keys->pubKey);
     if (rv != SECSuccess) {
         return SECFailure;
     }
@@ -396,6 +432,7 @@ tls13_ClientSendPreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData,
     xtnData->lastXtnOffset = buf->len - 4;
 
     PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3);
+    PORT_Assert(ss->sec.ci.sid->version >= SSL_LIBRARY_VERSION_TLS_1_3);
 
     /* Send a single ticket identity. */
     session_ticket = &ss->sec.ci.sid->u.ssl3.locked.sessionTicket;
@@ -751,7 +788,9 @@ tls13_ClientSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnD
     }
 
     for (version = ss->vrange.max; version >= ss->vrange.min; --version) {
-        rv = sslBuffer_AppendNumber(buf, tls13_EncodeDraftVersion(version), 2);
+        PRUint16 wire = tls13_EncodeDraftVersion(version,
+                                                 ss->protocolVariant);
+        rv = sslBuffer_AppendNumber(buf, wire, 2);
         if (rv != SECSuccess) {
             return SECFailure;
         }
@@ -779,8 +818,9 @@ tls13_ServerSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnD
     SSL_TRC(3, ("%d: TLS13[%d]: server send supported_versions extension",
                 SSL_GETPID(), ss->fd));
 
-    rv = sslBuffer_AppendNumber(
-        buf, tls13_EncodeDraftVersion(SSL_LIBRARY_VERSION_TLS_1_3), 2);
+    PRUint16 ver = tls13_EncodeDraftVersion(SSL_LIBRARY_VERSION_TLS_1_3,
+                                            ss->protocolVariant);
+    rv = sslBuffer_AppendNumber(buf, ver, 2);
     if (rv != SECSuccess) {
         return SECFailure;
     }
@@ -1056,3 +1096,276 @@ tls13_ServerSendHrrCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData,
     *added = PR_TRUE;
     return SECSuccess;
 }
+
+SECStatus
+tls13_ClientSendEsniXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+                        sslBuffer *buf, PRBool *added)
+{
+    SECStatus rv;
+    PRUint8 sniBuf[1024];
+    PRUint8 hash[64];
+    sslBuffer sni = SSL_BUFFER(sniBuf);
+    const ssl3CipherSuiteDef *suiteDef;
+    ssl3KeyMaterial keyMat;
+    SSLAEADCipher aead;
+    PRUint8 outBuf[1024];
+    int outLen;
+    unsigned int sniStart;
+    unsigned int sniLen;
+    sslBuffer aadInput = SSL_BUFFER_EMPTY;
+    unsigned int keyShareBufStart;
+    unsigned int keyShareBufLen;
+
+    PORT_Memset(&keyMat, 0, sizeof(keyMat));
+
+    if (!ss->xtnData.esniPrivateKey) {
+        return SECSuccess;
+    }
+
+    /* nonce */
+    rv = PK11_GenerateRandom(
+        (unsigned char *)xtnData->esniNonce, sizeof(xtnData->esniNonce));
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    rv = sslBuffer_Append(&sni, xtnData->esniNonce, sizeof(xtnData->esniNonce));
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    /* sni */
+    sniStart = SSL_BUFFER_LEN(&sni);
+    rv = ssl3_ClientFormatServerNameXtn(ss, ss->url, xtnData, &sni);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    sniLen = SSL_BUFFER_LEN(&sni) - sniStart;
+    /* Padding. */
+    if (ss->esniKeys->paddedLength > sniLen) {
+        unsigned int paddingRequired = ss->esniKeys->paddedLength - sniLen;
+        while (paddingRequired--) {
+            rv = sslBuffer_AppendNumber(&sni, 0, 1);
+            if (rv != SECSuccess) {
+                return SECFailure;
+            }
+        }
+    }
+
+    suiteDef = ssl_LookupCipherSuiteDef(xtnData->esniSuite);
+    PORT_Assert(suiteDef);
+    if (!suiteDef) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    aead = tls13_GetAead(ssl_GetBulkCipherDef(suiteDef));
+    if (!aead) {
+        return SECFailure;
+    }
+
+    /* Format the first part of the extension so we have the
+     * encoded KeyShareEntry. */
+    rv = sslBuffer_AppendNumber(buf, xtnData->esniSuite, 2);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    keyShareBufStart = SSL_BUFFER_LEN(buf);
+    rv = tls13_EncodeKeyShareEntry(buf,
+                                   xtnData->esniPrivateKey->group->name,
+                                   xtnData->esniPrivateKey->keys->pubKey);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    keyShareBufLen = SSL_BUFFER_LEN(buf) - keyShareBufStart;
+
+    if (tls13_GetHashSizeForHash(suiteDef->prf_hash) > sizeof(hash)) {
+        PORT_Assert(PR_FALSE);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+
+    rv = PK11_HashBuf(ssl3_HashTypeToOID(suiteDef->prf_hash),
+                      hash,
+                      ss->esniKeys->data.data,
+                      ss->esniKeys->data.len);
+    if (rv != SECSuccess) {
+        PORT_Assert(PR_FALSE);
+        return SECFailure;
+    }
+
+    rv = sslBuffer_AppendVariable(buf, hash,
+                                  tls13_GetHashSizeForHash(suiteDef->prf_hash), 2);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    /* Compute the ESNI keys. */
+    rv = tls13_ComputeESNIKeys(ss, xtnData->peerEsniShare,
+                               xtnData->esniPrivateKey->keys,
+                               suiteDef,
+                               hash,
+                               SSL_BUFFER_BASE(buf) + keyShareBufStart,
+                               keyShareBufLen,
+                               CONST_CAST(PRUint8, ss->ssl3.hs.client_random),
+                               &keyMat);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    rv = tls13_FormatEsniAADInput(&aadInput,
+                                  xtnData->keyShareExtension.data,
+                                  xtnData->keyShareExtension.len);
+    if (rv != SECSuccess) {
+        ssl_DestroyKeyMaterial(&keyMat);
+        return SECFailure;
+    }
+    /* Now encrypt. */
+    rv = aead(&keyMat, PR_FALSE /* Encrypt */,
+              outBuf, &outLen, sizeof(outBuf),
+              SSL_BUFFER_BASE(&sni),
+              SSL_BUFFER_LEN(&sni),
+              SSL_BUFFER_BASE(&aadInput),
+              SSL_BUFFER_LEN(&aadInput));
+    ssl_DestroyKeyMaterial(&keyMat);
+    sslBuffer_Clear(&aadInput);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    /* Encode the rest. */
+    rv = sslBuffer_AppendVariable(buf, outBuf, outLen, 2);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    *added = PR_TRUE;
+    return SECSuccess;
+}
+
+static SECStatus
+tls13_ServerSendEsniXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+                        sslBuffer *buf, PRBool *added)
+{
+    SECStatus rv;
+
+    rv = sslBuffer_Append(buf, xtnData->esniNonce, sizeof(xtnData->esniNonce));
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    *added = PR_TRUE;
+    return SECSuccess;
+}
+
+SECStatus
+tls13_ServerHandleEsniXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+                          SECItem *data)
+{
+    sslReadBuffer buf;
+    PRUint8 *plainText = NULL;
+    int ptLen;
+    SECStatus rv;
+
+    /* If we are doing < TLS 1.3, then ignore this. */
+    if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
+        return SECSuccess;
+    }
+
+    if (!ss->esniKeys) {
+        /* Apparently we used to be configured for ESNI, but
+         * no longer. This violates the spec, or the client is
+         * broken. */
+        return SECFailure;
+    }
+
+    plainText = PORT_ZAlloc(data->len);
+    if (!plainText) {
+        return SECFailure;
+    }
+    rv = tls13_ServerDecryptEsniXtn(ss, data->data, data->len,
+                                    plainText, &ptLen, data->len);
+    if (rv) {
+        goto loser;
+    }
+
+    /* Read out the interior extension. */
+    sslReader sniRdr = SSL_READER(plainText, ptLen);
+
+    rv = sslRead_Read(&sniRdr, sizeof(xtnData->esniNonce), &buf);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    PORT_Memcpy(xtnData->esniNonce, buf.buf, sizeof(xtnData->esniNonce));
+
+    /* We need to capture the whole block with the length. */
+    SECItem sniItem = { siBuffer, (unsigned char *)SSL_READER_CURRENT(&sniRdr), 0 };
+    rv = sslRead_ReadVariable(&sniRdr, 2, &buf);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    sniItem.len = buf.len + 2;
+
+    /* Check the padding. Note we don't need to do this in constant time
+     * because it's inside the AEAD boundary. */
+    /* TODO(ekr@rtfm.com): check that the padding is the right length. */
+    PRUint64 tmp;
+    while (SSL_READER_REMAINING(&sniRdr)) {
+        rv = sslRead_ReadNumber(&sniRdr, 1, &tmp);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
+        if (tmp != 0) {
+            goto loser;
+        }
+    }
+
+    rv = ssl3_HandleServerNameXtn(ss, xtnData, &sniItem);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = ssl3_RegisterExtensionSender(ss, xtnData,
+                                      ssl_tls13_encrypted_sni_xtn,
+                                      tls13_ServerSendEsniXtn);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Keep track of negotiated extensions. */
+    xtnData->negotiated[xtnData->numNegotiated++] =
+        ssl_tls13_encrypted_sni_xtn;
+
+    PORT_ZFree(plainText, data->len);
+    return SECSuccess;
+loser:
+    PORT_ZFree(plainText, data->len);
+    return SECFailure;
+}
+
+/* Function to check the extension. We don't install a handler here
+ * because we need to check for the presence of the extension as
+ * well and it's easier to do it in one place. */
+SECStatus
+tls13_ClientCheckEsniXtn(sslSocket *ss)
+{
+    TLSExtension *esniExtension =
+        ssl3_FindExtension(ss, ssl_tls13_encrypted_sni_xtn);
+    if (!esniExtension) {
+        FATAL_ERROR(ss, SSL_ERROR_MISSING_ESNI_EXTENSION, missing_extension);
+        return SECFailure;
+    }
+
+    if (esniExtension->data.len != sizeof(ss->xtnData.esniNonce)) {
+        FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION, illegal_parameter);
+        return SECFailure;
+    }
+
+    if (0 != NSS_SecureMemcmp(esniExtension->data.data,
+                              ss->xtnData.esniNonce,
+                              sizeof(ss->xtnData.esniNonce))) {
+        FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION, illegal_parameter);
+        return SECFailure;
+    }
+
+    return SECSuccess;
+}
diff --git a/security/nss/lib/ssl/tls13exthandle.h b/security/nss/lib/ssl/tls13exthandle.h
index edce94d83..dd64b44ff 100644
--- a/security/nss/lib/ssl/tls13exthandle.h
+++ b/security/nss/lib/ssl/tls13exthandle.h
@@ -84,5 +84,14 @@ SECStatus tls13_ServerSendHrrKeyShareXtn(const sslSocket *ss,
 SECStatus tls13_ServerSendHrrCookieXtn(const sslSocket *ss,
                                        TLSExtensionData *xtnData,
                                        sslBuffer *buf, PRBool *added);
+SECStatus tls13_DecodeKeyShareEntry(sslReader *rdr, TLS13KeyShareEntry **ksp);
+PRUint32 tls13_SizeOfKeyShareEntry(const SECKEYPublicKey *pubKey);
+SECStatus tls13_EncodeKeyShareEntry(sslBuffer *buf, SSLNamedGroup group,
+                                    SECKEYPublicKey *pubKey);
+SECStatus tls13_ClientSendEsniXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+                                  sslBuffer *buf, PRBool *added);
+SECStatus tls13_ServerHandleEsniXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+                                    SECItem *data);
+SECStatus tls13_ClientCheckEsniXtn(sslSocket *ss);
 
 #endif
diff --git a/security/nss/lib/util/nssutil.def b/security/nss/lib/util/nssutil.def
index 26e438ba6..8c233f7d3 100644
--- a/security/nss/lib/util/nssutil.def
+++ b/security/nss/lib/util/nssutil.def
@@ -328,3 +328,9 @@ SECITEM_MakeItem;
 ;+    local:
 ;+       *;
 ;+};
+;+NSSUTIL_3.39 {         # NSS Utilities 3.39 release
+;+    global:
+NSSUTIL_AddNSSFlagToModuleSpec;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h
index 2749abaa1..62511eafe 100644
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -19,9 +19,9 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION "3.38"
+#define NSSUTIL_VERSION "3.41"
 #define NSSUTIL_VMAJOR 3
-#define NSSUTIL_VMINOR 38
+#define NSSUTIL_VMINOR 41
 #define NSSUTIL_VPATCH 0
 #define NSSUTIL_VBUILD 0
 #define NSSUTIL_BETA PR_FALSE
diff --git a/security/nss/lib/util/pkcs11p.h b/security/nss/lib/util/pkcs11p.h
index 2e904ee50..1c9201350 100644
--- a/security/nss/lib/util/pkcs11p.h
+++ b/security/nss/lib/util/pkcs11p.h
@@ -13,7 +13,10 @@
  * though it's still needed. put in a central file to help merging..
  */
 
-#if defined(_WIN32)
+#if defined(_WIN32) || defined(_WINDOWS)
+#ifdef __clang__
+#pragma clang diagnostic ignored "-Wpragma-pack"
+#endif
 #ifdef _MSC_VER
 #pragma warning(disable : 4103)
 #endif
diff --git a/security/nss/lib/util/pkcs11u.h b/security/nss/lib/util/pkcs11u.h
index be949bcd4..64ec2fdb5 100644
--- a/security/nss/lib/util/pkcs11u.h
+++ b/security/nss/lib/util/pkcs11u.h
@@ -11,7 +11,10 @@
  * reset any packing set by pkcs11p.h
  */
 
-#if defined(_WIN32)
+#if defined(_WIN32) || defined(_WINDOWS)
+#ifdef __clang__
+#pragma clang diagnostic ignored "-Wpragma-pack"
+#endif
 #ifdef _MSC_VER
 #pragma warning(disable : 4103)
 #endif
diff --git a/security/nss/lib/util/pkcs11uri.c b/security/nss/lib/util/pkcs11uri.c
index 94b00171e..c29521080 100644
--- a/security/nss/lib/util/pkcs11uri.c
+++ b/security/nss/lib/util/pkcs11uri.c
@@ -674,7 +674,7 @@ PK11URI_ParseURI(const char *string)
     const char *p = string;
     SECStatus ret;
 
-    if (strncmp("pkcs11:", p, 7) != 0) {
+    if (PORT_Strncasecmp("pkcs11:", p, 7) != 0) {
         return NULL;
     }
     p += 7;
diff --git a/security/nss/lib/util/pkcs1sig.c b/security/nss/lib/util/pkcs1sig.c
index 502119aa5..68588c7f8 100644
--- a/security/nss/lib/util/pkcs1sig.c
+++ b/security/nss/lib/util/pkcs1sig.c
@@ -15,13 +15,6 @@ struct pkcs1PrefixStr {
     PRUint8 *data;
 };
 
-typedef struct pkcs1PrefixesStr pkcs1Prefixes;
-struct pkcs1PrefixesStr {
-    unsigned int digestLen;
-    pkcs1Prefix prefixWithParams;
-    pkcs1Prefix prefixWithoutParams;
-};
-
 /* The value for SGN_PKCS1_DIGESTINFO_MAX_PREFIX_LEN_EXCLUDING_OID is based on
  * the possible prefix encodings as explained below.
  */
@@ -101,9 +94,8 @@ _SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg,
                            PRBool unsafeAllowMissingParameters)
 {
     SECOidData *hashOid;
-    pkcs1Prefixes pp;
-    const pkcs1Prefix *expectedPrefix;
-    SECStatus rv, rv2, rv3;
+    pkcs1Prefix prefix;
+    SECStatus rv;
 
     if (!digest || !digest->data ||
         !dataRecoveredFromSignature || !dataRecoveredFromSignature->data) {
@@ -117,17 +109,9 @@ _SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg,
         return SECFailure;
     }
 
-    pp.digestLen = digest->len;
-    pp.prefixWithParams.data = NULL;
-    pp.prefixWithoutParams.data = NULL;
+    prefix.data = NULL;
 
-    rv2 = encodePrefix(hashOid, pp.digestLen, &pp.prefixWithParams, PR_TRUE);
-    rv3 = encodePrefix(hashOid, pp.digestLen, &pp.prefixWithoutParams, PR_FALSE);
-
-    rv = SECSuccess;
-    if (rv2 != SECSuccess || rv3 != SECSuccess) {
-        rv = SECFailure;
-    }
+    rv = encodePrefix(hashOid, digest->len, &prefix, PR_TRUE);
 
     if (rv == SECSuccess) {
         /* We don't attempt to avoid timing attacks on these comparisons because
@@ -135,34 +119,39 @@ _SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg,
          * operation.
          */
 
-        if (dataRecoveredFromSignature->len ==
-            pp.prefixWithParams.len + pp.digestLen) {
-            expectedPrefix = &pp.prefixWithParams;
-        } else if (unsafeAllowMissingParameters &&
-                   dataRecoveredFromSignature->len ==
-                       pp.prefixWithoutParams.len + pp.digestLen) {
-            expectedPrefix = &pp.prefixWithoutParams;
-        } else {
-            PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-            rv = SECFailure;
+        if (dataRecoveredFromSignature->len != prefix.len + digest->len) {
+            PRBool lengthMismatch = PR_TRUE;
+#ifdef NSS_PKCS1_AllowMissingParameters
+            if (unsafeAllowMissingParameters) {
+                if (prefix.data) {
+                    PORT_Free(prefix.data);
+                    prefix.data = NULL;
+                }
+                rv = encodePrefix(hashOid, digest->len, &prefix, PR_FALSE);
+                if (rv != SECSuccess ||
+                    dataRecoveredFromSignature->len == prefix.len + digest->len) {
+                    lengthMismatch = PR_FALSE;
+                }
+            }
+#endif
+            if (lengthMismatch) {
+                PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+                rv = SECFailure;
+            }
         }
     }
 
     if (rv == SECSuccess) {
-        if (memcmp(dataRecoveredFromSignature->data, expectedPrefix->data,
-                   expectedPrefix->len) ||
-            memcmp(dataRecoveredFromSignature->data + expectedPrefix->len,
-                   digest->data, digest->len)) {
+        if (memcmp(dataRecoveredFromSignature->data, prefix.data, prefix.len) ||
+            memcmp(dataRecoveredFromSignature->data + prefix.len, digest->data,
+                   digest->len)) {
             PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
             rv = SECFailure;
         }
     }
 
-    if (pp.prefixWithParams.data) {
-        PORT_Free(pp.prefixWithParams.data);
-    }
-    if (pp.prefixWithoutParams.data) {
-        PORT_Free(pp.prefixWithoutParams.data);
+    if (prefix.data) {
+        PORT_Free(prefix.data);
     }
 
     return rv;
diff --git a/security/nss/lib/util/secder.h b/security/nss/lib/util/secder.h
index dbc35807d..1b487d193 100644
--- a/security/nss/lib/util/secder.h
+++ b/security/nss/lib/util/secder.h
@@ -34,6 +34,9 @@ SEC_BEGIN_PROTOS
 extern SECStatus DER_Encode(PLArenaPool *arena, SECItem *dest, DERTemplate *t,
                             void *src);
 
+/*
+** This function is deprecated.
+*/
 extern SECStatus DER_Lengths(SECItem *item, int *header_len_p,
                              PRUint32 *contents_len_p);
 
diff --git a/security/nss/lib/util/secitem.c b/security/nss/lib/util/secitem.c
index 1e505a9af..cd6996178 100644
--- a/security/nss/lib/util/secitem.c
+++ b/security/nss/lib/util/secitem.c
@@ -76,10 +76,10 @@ loser:
 }
 
 SECStatus
-SECITEM_MakeItem(PLArenaPool *arena, SECItem *dest, unsigned char *data,
+SECITEM_MakeItem(PLArenaPool *arena, SECItem *dest, const unsigned char *data,
                  unsigned int len)
 {
-    SECItem it = { siBuffer, data, len };
+    SECItem it = { siBuffer, (unsigned char *)data, len };
 
     return SECITEM_CopyItem(arena, dest, &it);
 }
diff --git a/security/nss/lib/util/secitem.h b/security/nss/lib/util/secitem.h
index 4fb123938..f7a8241b5 100644
--- a/security/nss/lib/util/secitem.h
+++ b/security/nss/lib/util/secitem.h
@@ -41,7 +41,7 @@ extern SECItem *SECITEM_AllocItem(PLArenaPool *arena, SECItem *item,
  * always siBuffer.
  */
 extern SECStatus SECITEM_MakeItem(PLArenaPool *arena, SECItem *dest,
-                                  unsigned char *data, unsigned int len);
+                                  const unsigned char *data, unsigned int len);
 
 /*
 ** This is a legacy function containing bugs. It doesn't update item->len,
diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c
index a05621c59..06b0cbcc4 100644
--- a/security/nss/lib/util/secoid.c
+++ b/security/nss/lib/util/secoid.c
@@ -122,7 +122,9 @@ const char __nss_util_version[] = "Version: NSS " NSSUTIL_VERSION _DEBUG_STRING;
 
 #define VERISIGN 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45
 
-#define PKIX 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07
+#define INTERNET_SECURITY_MECH 0x2b, 0x06, 0x01, 0x05, 0x05
+
+#define PKIX INTERNET_SECURITY_MECH, 0x07
 #define PKIX_CERT_EXTENSIONS PKIX, 1
 #define PKIX_POLICY_QUALIFIERS PKIX, 2
 #define PKIX_KEY_USAGE PKIX, 3
@@ -360,6 +362,7 @@ CONST_OID x509FreshestCRL[] = { ID_CE_OID, 46 };
 CONST_OID x509InhibitAnyPolicy[] = { ID_CE_OID, 54 };
 
 CONST_OID x509CertificatePoliciesAnyPolicy[] = { ID_CE_OID, 32, 0 };
+CONST_OID x509ExtKeyUsageAnyUsage[] = { ID_CE_OID, 37, 0 };
 
 CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 };
 CONST_OID x509SubjectInfoAccess[] = { PKIX_CERT_EXTENSIONS, 11 };
@@ -454,8 +457,13 @@ CONST_OID pkixExtendedKeyUsageCodeSign[] = { PKIX_KEY_USAGE, 3 };
 CONST_OID pkixExtendedKeyUsageEMailProtect[] = { PKIX_KEY_USAGE, 4 };
 CONST_OID pkixExtendedKeyUsageTimeStamp[] = { PKIX_KEY_USAGE, 8 };
 CONST_OID pkixOCSPResponderExtendedKeyUsage[] = { PKIX_KEY_USAGE, 9 };
+/* 17 replaces 5 + 6 + 7 (declared obsolete in RFC 4945) */
+CONST_OID pkixExtendedKeyUsageIPsecIKE[] = { PKIX_KEY_USAGE, 17 };
 CONST_OID msExtendedKeyUsageTrustListSigning[] = { MS_CRYPTO_EKU, 1 };
 
+CONST_OID ipsecIKEEnd[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x01 };
+CONST_OID ipsecIKEIntermediate[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x02 };
+
 /* OIDs for Netscape defined algorithms */
 CONST_OID netscapeSMimeKEA[] = { NETSCAPE_ALGS, 0x01 };
 
@@ -1754,6 +1762,22 @@ const static SECOidData oids[SEC_OID_TOTAL] = {
        "Curve25519", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
     ODE(SEC_OID_TLS13_KEA_ANY,
         "TLS 1.3 fake key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+
+    OD(x509ExtKeyUsageAnyUsage, SEC_OID_X509_ANY_EXT_KEY_USAGE,
+       "Any Extended Key Usage",
+       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD(pkixExtendedKeyUsageIPsecIKE,
+       SEC_OID_EXT_KEY_USAGE_IPSEC_IKE,
+       "IPsec IKE Certificate",
+       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD(ipsecIKEEnd,
+       SEC_OID_IPSEC_IKE_END,
+       "IPsec IKE End",
+       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD(ipsecIKEIntermediate,
+       SEC_OID_IPSEC_IKE_INTERMEDIATE,
+       "IPsec IKE Intermediate",
+       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
 };
 
 /* PRIVATE EXTENDED SECOID Table
diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h
index 0a40f29fd..c77aeb19f 100644
--- a/security/nss/lib/util/secoidt.h
+++ b/security/nss/lib/util/secoidt.h
@@ -494,6 +494,11 @@ typedef enum {
 
     SEC_OID_TLS13_KEA_ANY = 356,
 
+    SEC_OID_X509_ANY_EXT_KEY_USAGE = 357,
+    SEC_OID_EXT_KEY_USAGE_IPSEC_IKE = 358,
+    SEC_OID_IPSEC_IKE_END = 359,
+    SEC_OID_IPSEC_IKE_INTERMEDIATE = 360,
+
     SEC_OID_TOTAL
 } SECOidTag;
 
diff --git a/security/nss/lib/util/secport.c b/security/nss/lib/util/secport.c
index e5bd4c1bb..ae979ebad 100644
--- a/security/nss/lib/util/secport.c
+++ b/security/nss/lib/util/secport.c
@@ -199,9 +199,6 @@ PORT_Strdup(const char *str)
 void
 PORT_SetError(int value)
 {
-#ifdef DEBUG_jp96085
-    PORT_Assert(value != SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
-#endif
     PR_SetError(value, 0);
     return;
 }
diff --git a/security/nss/lib/util/utilpars.c b/security/nss/lib/util/utilpars.c
index e7435bfcc..f9b807f7e 100644
--- a/security/nss/lib/util/utilpars.c
+++ b/security/nss/lib/util/utilpars.c
@@ -913,6 +913,92 @@ NSSUTIL_MkModuleSpec(char *dllName, char *commonName, char *parameters,
     return NSSUTIL_MkModuleSpecEx(dllName, commonName, parameters, NSS, NULL);
 }
 
+/************************************************************************
+ * add a single flag to the Flags= section inside the spec's NSS= section */
+char *
+NSSUTIL_AddNSSFlagToModuleSpec(char *spec, char *addFlag)
+{
+    const char *prefix = "flags=";
+    const size_t prefixLen = strlen(prefix);
+    char *lib = NULL, *name = NULL, *param = NULL, *nss = NULL, *conf = NULL;
+    char *nss2 = NULL, *result = NULL;
+    SECStatus rv;
+
+    rv = NSSUTIL_ArgParseModuleSpecEx(spec, &lib, &name, &param, &nss, &conf);
+    if (rv != SECSuccess) {
+        return NULL;
+    }
+
+    if (nss && NSSUTIL_ArgHasFlag("flags", addFlag, nss)) {
+        /* It's already there, nothing to do! */
+        PORT_Free(lib);
+        PORT_Free(name);
+        PORT_Free(param);
+        PORT_Free(nss);
+        PORT_Free(conf);
+        return PORT_Strdup(spec);
+    }
+
+    if (!nss || !strlen(nss)) {
+        nss2 = PORT_Alloc(prefixLen + strlen(addFlag) + 1);
+        PORT_Strcpy(nss2, prefix);
+        PORT_Strcat(nss2, addFlag);
+    } else {
+        const char *iNss = nss;
+        PRBool alreadyAdded = PR_FALSE;
+        size_t maxSize = strlen(nss) + strlen(addFlag) + prefixLen + 2; /* space and null terminator */
+        nss2 = PORT_Alloc(maxSize);
+        *nss2 = 0;
+        while (*iNss) {
+            iNss = NSSUTIL_ArgStrip(iNss);
+            if (PORT_Strncasecmp(iNss, prefix, prefixLen) == 0) {
+                /* We found an existing Flags= section. */
+                char *oldFlags;
+                const char *valPtr;
+                int valSize;
+                valPtr = iNss + prefixLen;
+                oldFlags = NSSUTIL_ArgFetchValue(valPtr, &valSize);
+                iNss = valPtr + valSize;
+                PORT_Strcat(nss2, prefix);
+                PORT_Strcat(nss2, oldFlags);
+                PORT_Strcat(nss2, ",");
+                PORT_Strcat(nss2, addFlag);
+                PORT_Strcat(nss2, " ");
+                PORT_Free(oldFlags);
+                alreadyAdded = PR_TRUE;
+                iNss = NSSUTIL_ArgStrip(iNss);
+                PORT_Strcat(nss2, iNss); /* remainder of input */
+                break;
+            } else {
+                /* Append this other name=value pair and continue. */
+                const char *startOfNext = NSSUTIL_ArgSkipParameter(iNss);
+                PORT_Strncat(nss2, iNss, (startOfNext - iNss));
+                if (nss2[strlen(nss2) - 1] != ' ') {
+                    PORT_Strcat(nss2, " ");
+                }
+                iNss = startOfNext;
+            }
+            iNss = NSSUTIL_ArgStrip(iNss);
+        }
+        if (!alreadyAdded) {
+            /* nss wasn't empty, and it didn't contain a Flags section. We can
+             * assume that other content from nss has already been added to
+             * nss2, which means we already have a trailing space separator. */
+            PORT_Strcat(nss2, prefix);
+            PORT_Strcat(nss2, addFlag);
+        }
+    }
+
+    result = NSSUTIL_MkModuleSpecEx(lib, name, param, nss2, conf);
+    PORT_Free(lib);
+    PORT_Free(name);
+    PORT_Free(param);
+    PORT_Free(nss);
+    PORT_Free(nss2);
+    PORT_Free(conf);
+    return result;
+}
+
 #define NSSUTIL_ARG_FORTEZZA_FLAG "FORTEZZA"
 /******************************************************************************
  * Parse the cipher flags from the NSS parameter
diff --git a/security/nss/lib/util/utilpars.h b/security/nss/lib/util/utilpars.h
index 1b0b1ff1c..289fdca97 100644
--- a/security/nss/lib/util/utilpars.h
+++ b/security/nss/lib/util/utilpars.h
@@ -46,6 +46,7 @@ char *NSSUTIL_MkModuleSpec(char *dllName, char *commonName,
                            char *parameters, char *NSS);
 char *NSSUTIL_MkModuleSpecEx(char *dllName, char *commonName,
                              char *parameters, char *NSS, char *config);
+char *NSSUTIL_AddNSSFlagToModuleSpec(char *spec, char *addFlag);
 void NSSUTIL_ArgParseCipherFlags(unsigned long *newCiphers,
                                  const char *cipherList);
 char *NSSUTIL_MkNSSString(char **slotStrings, int slotCount, PRBool internal,
diff --git a/security/nss/mach b/security/nss/mach
index 715f1a9e3..178cfeb74 100644
--- a/security/nss/mach
+++ b/security/nss/mach
@@ -10,13 +10,32 @@
 
 import sys
 import argparse
+import fnmatch
 import subprocess
 import os
 import platform
+import tempfile
+
 from hashlib import sha256
 
+DEVNULL = open(os.devnull, 'wb')
 cwd = os.path.dirname(os.path.abspath(__file__))
 
+def run_tests(test, cycles="standard", env={}, silent=False):
+    domsuf = os.getenv('DOMSUF', "localdomain")
+    host = os.getenv('HOST', "localhost")
+    env = env.copy()
+    env.update({
+        "NSS_TESTS": test,
+        "NSS_CYCLES": cycles,
+        "DOMSUF": domsuf,
+        "HOST": host
+    })
+    os_env = os.environ
+    os_env.update(env)
+    command = cwd + "/tests/all.sh"
+    stdout = stderr = DEVNULL if silent else None
+    subprocess.check_call(command, env=os_env, stdout=stdout, stderr=stderr)
 
 class cfAction(argparse.Action):
     docker_command = ["docker"]
@@ -103,7 +122,7 @@ class cfAction(argparse.Action):
         files = []
         if os.path.exists(os.path.join(cwd, '.hg')):
             st = subprocess.Popen(['hg', 'status', '-m', '-a'],
-                                  cwd=cwd, stdout=subprocess.PIPE)
+                                  cwd=cwd, stdout=subprocess.PIPE, universal_newlines=True)
             for line in iter(st.stdout.readline, ''):
                 files += [line[2:].rstrip()]
         elif os.path.exists(os.path.join(cwd, '.git')):
@@ -127,29 +146,63 @@ class cfAction(argparse.Action):
 class buildAction(argparse.Action):
 
     def __call__(self, parser, args, values, option_string=None):
-        cwd = os.path.dirname(os.path.abspath(__file__))
         subprocess.check_call([cwd + "/build.sh"] + values)
 
 
 class testAction(argparse.Action):
 
-    def runTest(self, test, cycles="standard"):
-        cwd = os.path.dirname(os.path.abspath(__file__))
-        domsuf = os.getenv('DOMSUF', "localdomain")
-        host = os.getenv('HOST', "localhost")
+    def __call__(self, parser, args, values, option_string=None):
+        run_tests(values)
+
+
+class covAction(argparse.Action):
+
+    def runSslGtests(self, outdir):
         env = {
-            "NSS_TESTS": test,
-            "NSS_CYCLES": cycles,
-            "DOMSUF": domsuf,
-            "HOST": host
+            "GTESTFILTER": "*", # Prevent parallel test runs.
+            "ASAN_OPTIONS": "coverage=1:coverage_dir=" + outdir
         }
-        os_env = os.environ
-        os_env.update(env)
-        command = cwd + "/tests/all.sh"
-        subprocess.check_call(command, env=os_env)
+
+        run_tests("ssl_gtests", env=env, silent=True)
+
+    def findSanCovFile(self, outdir):
+        for file in os.listdir(outdir):
+            if fnmatch.fnmatch(file, 'ssl_gtest.*.sancov'):
+                return os.path.join(outdir, file)
+
+        return None
 
     def __call__(self, parser, args, values, option_string=None):
-        self.runTest(values)
+        outdir = args.outdir
+        print("Output directory: " + outdir)
+
+        print("\nBuild with coverage sanitizers...\n")
+        sancov_args = "edge,no-prune,trace-pc-guard,trace-cmp"
+        subprocess.check_call([
+            os.path.join(cwd, "build.sh"), "-c", "--clang", "--asan",
+            "--sancov=" + sancov_args
+        ])
+
+        print("\nRun ssl_gtests to get a coverage report...")
+        self.runSslGtests(outdir)
+        print("Done.")
+
+        sancov_file = self.findSanCovFile(outdir)
+        if not sancov_file:
+            print("Couldn't find .sancov file.")
+            sys.exit(1)
+
+        symcov_file = os.path.join(outdir, "ssl_gtest.symcov")
+        out = open(symcov_file, 'wb')
+        subprocess.check_call([
+            "sancov",
+            "-blacklist=" + os.path.join(cwd, ".sancov-blacklist"),
+            "-symbolize", sancov_file,
+            os.path.join(cwd, "../dist/Debug/bin/ssl_gtest")
+        ], stdout=out)
+        out.close()
+
+        print("\nCoverage report: " + symcov_file)
 
 
 class commandsAction(argparse.Action):
@@ -194,11 +247,21 @@ def parse_arguments():
     tests = [
         "cipher", "lowhash", "chains", "cert", "dbtests", "tools", "fips",
         "sdr", "crmf", "smime", "ssl", "ocsp", "merge", "pkits", "ec",
-        "gtests", "ssl_gtests"
+        "gtests", "ssl_gtests", "bogo", "interop", "policy"
     ]
     parser_test.add_argument(
         'test', choices=tests, help="Available tests", action=testAction)
 
+    parser_cov = subparsers.add_parser(
+        'coverage', help='Generate coverage report')
+    cov_modules = ["ssl_gtests"]
+    parser_cov.add_argument(
+        '--outdir', help='Output directory for coverage report data.',
+        default=tempfile.mkdtemp())
+    parser_cov.add_argument(
+        'module', choices=cov_modules, help="Available coverage modules",
+        action=covAction)
+
     parser_commands = subparsers.add_parser(
         'mach-commands',
         help="list commands")
diff --git a/security/nss/nss-tool/common/util.h b/security/nss/nss-tool/common/util.h
index 58fb05839..e7076336b 100644
--- a/security/nss/nss-tool/common/util.h
+++ b/security/nss/nss-tool/common/util.h
@@ -6,7 +6,7 @@
 #define util_h__
 
 #include "nspr.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include <secmodt.h>
 #include <string>
diff --git a/security/nss/nss-tool/db/dbtool.cc b/security/nss/nss-tool/db/dbtool.cc
index 8c369cf05..5cd1f5608 100644
--- a/security/nss/nss-tool/db/dbtool.cc
+++ b/security/nss/nss-tool/db/dbtool.cc
@@ -4,7 +4,7 @@
 
 #include "dbtool.h"
 #include "argparse.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "util.h"
 
 #include <iomanip>
diff --git a/security/nss/nss-tool/digest/digesttool.cc b/security/nss/nss-tool/digest/digesttool.cc
index 08c3e3ba7..5efe6390c 100644
--- a/security/nss/nss-tool/digest/digesttool.cc
+++ b/security/nss/nss-tool/digest/digesttool.cc
@@ -4,7 +4,7 @@
 
 #include "digesttool.h"
 #include "argparse.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "util.h"
 
 #include <algorithm>
diff --git a/security/nss/nss-tool/enc/enctool.h b/security/nss/nss-tool/enc/enctool.h
index 5a6a5a164..f2296bb26 100644
--- a/security/nss/nss-tool/enc/enctool.h
+++ b/security/nss/nss-tool/enc/enctool.h
@@ -8,8 +8,8 @@
 #include <string>
 #include <vector>
 #include "argparse.h"
+#include "nss_scoped_ptrs.h"
 #include "prerror.h"
-#include "scoped_ptrs.h"
 #include "tool.h"
 
 class EncTool : public Tool {
diff --git a/security/nss/nss.gyp b/security/nss/nss.gyp
index 36b0dd974..18fa92f12 100644
--- a/security/nss/nss.gyp
+++ b/security/nss/nss.gyp
@@ -5,115 +5,133 @@
   'includes': [
     'coreconf/config.gypi'
   ],
-  'targets': [
-    {
-      'target_name': 'nss_libs',
-      'type': 'none',
-      'dependencies': [
-        'lib/ckfw/builtins/builtins.gyp:nssckbi',
-        'lib/freebl/freebl.gyp:freebl3',
-        'lib/softoken/softoken.gyp:softokn3',
-      ],
-      'conditions': [
-        [ 'moz_fold_libs==0', {
-          'dependencies': [
-            'lib/nss/nss.gyp:nss3',
-            'lib/smime/smime.gyp:smime3',
-            'lib/sqlite/sqlite.gyp:sqlite3',
-            'lib/ssl/ssl.gyp:ssl3',
-            'lib/util/util.gyp:nssutil3',
-          ],
-        }],
-        [ 'OS=="linux"', {
+  'conditions': [
+    [ 'mozpkix_only==0', {
+      'targets': [
+        {
+          'target_name': 'nss_libs',
+          'type': 'none',
           'dependencies': [
-            'lib/freebl/freebl.gyp:freeblpriv3',
-            'lib/sysinit/sysinit.gyp:nsssysinit',
+            'lib/ckfw/builtins/builtins.gyp:nssckbi',
+            'lib/freebl/freebl.gyp:freebl3',
+            'lib/softoken/softoken.gyp:softokn3',
           ],
-        }],
-        [ 'disable_dbm==0', {
-          'dependencies': [
-            'lib/softoken/legacydb/legacydb.gyp:nssdbm3',
+          'conditions': [
+            [ 'moz_fold_libs==0', {
+              'dependencies': [
+                'lib/nss/nss.gyp:nss3',
+                'lib/smime/smime.gyp:smime3',
+                'lib/sqlite/sqlite.gyp:sqlite3',
+                'lib/ssl/ssl.gyp:ssl3',
+                'lib/util/util.gyp:nssutil3',
+              ],
+            }],
+            [ 'OS=="linux"', {
+              'dependencies': [
+                'lib/freebl/freebl.gyp:freeblpriv3',
+                'lib/sysinit/sysinit.gyp:nsssysinit',
+              ],
+            }],
+            [ 'disable_dbm==0', {
+              'dependencies': [
+                'lib/softoken/legacydb/legacydb.gyp:nssdbm3',
+              ],
+            }],
           ],
-        }],
-      ],
-    },
-    {
-      'target_name': 'nss_static_libs',
-      'type': 'none',
-      'dependencies': [
-        'cmd/lib/lib.gyp:sectool',
-        'lib/base/base.gyp:nssb',
-        'lib/certdb/certdb.gyp:certdb',
-        'lib/certhigh/certhigh.gyp:certhi',
-        'lib/ckfw/ckfw.gyp:nssckfw',
-        'lib/crmf/crmf.gyp:crmf',
-        'lib/cryptohi/cryptohi.gyp:cryptohi',
-        'lib/dev/dev.gyp:nssdev',
-        'lib/freebl/freebl.gyp:freebl',
-        'lib/jar/jar.gyp:jar',
-        'lib/nss/nss.gyp:nss_static',
-        'lib/pk11wrap/pk11wrap.gyp:pk11wrap',
-        'lib/pkcs12/pkcs12.gyp:pkcs12',
-        'lib/pkcs7/pkcs7.gyp:pkcs7',
-        'lib/pki/pki.gyp:nsspki',
-        'lib/smime/smime.gyp:smime',
-        'lib/softoken/softoken.gyp:softokn',
-        'lib/ssl/ssl.gyp:ssl',
-        'lib/util/util.gyp:nssutil',
-        'lib/libpkix/libpkix.gyp:libpkix',
-      ],
-      'conditions': [
-        [ 'OS=="linux"', {
+        },
+        {
+          'target_name': 'nss_static_libs',
+          'type': 'none',
           'dependencies': [
-            'lib/sysinit/sysinit.gyp:nsssysinit_static',
+            'cmd/lib/lib.gyp:sectool',
+            'lib/base/base.gyp:nssb',
+            'lib/certdb/certdb.gyp:certdb',
+            'lib/certhigh/certhigh.gyp:certhi',
+            'lib/ckfw/ckfw.gyp:nssckfw',
+            'lib/crmf/crmf.gyp:crmf',
+            'lib/cryptohi/cryptohi.gyp:cryptohi',
+            'lib/dev/dev.gyp:nssdev',
+            'lib/freebl/freebl.gyp:freebl',
+            'lib/jar/jar.gyp:jar',
+            'lib/libpkix/libpkix.gyp:libpkix',
+            # mozpkix and mozpkix-testlib are static C++ libs
+            'lib/mozpkix/mozpkix.gyp:mozpkix',
+            'lib/mozpkix/mozpkix.gyp:mozpkix-testlib',
+            'lib/nss/nss.gyp:nss_static',
+            'lib/pk11wrap/pk11wrap.gyp:pk11wrap',
+            'lib/pkcs12/pkcs12.gyp:pkcs12',
+            'lib/pkcs7/pkcs7.gyp:pkcs7',
+            'lib/pki/pki.gyp:nsspki',
+            'lib/smime/smime.gyp:smime',
+            'lib/softoken/softoken.gyp:softokn',
+            'lib/ssl/ssl.gyp:ssl',
+            'lib/util/util.gyp:nssutil',
           ],
-        }],
-        [ 'disable_dbm==0', {
-          'dependencies': [
-            'lib/dbm/src/src.gyp:dbm',
-            'lib/softoken/legacydb/legacydb.gyp:nssdbm',
+          'conditions': [
+            [ 'OS=="linux"', {
+              'dependencies': [
+                'lib/sysinit/sysinit.gyp:nsssysinit_static',
+              ],
+            }],
+            [ 'disable_dbm==0', {
+              'dependencies': [
+                'lib/dbm/src/src.gyp:dbm',
+                'lib/softoken/legacydb/legacydb.gyp:nssdbm',
+              ],
+            }],
+            [ 'use_system_sqlite==0', {
+              'dependencies': [
+                'lib/sqlite/sqlite.gyp:sqlite',
+              ],
+            }],
+            [ 'moz_fold_libs==1', {
+              'dependencies': [
+                'lib/nss/nss.gyp:nss3_static',
+                'lib/smime/smime.gyp:smime3_static',
+              ],
+            }],
           ],
-        }],
-        [ 'use_system_sqlite==0', {
+        },
+        {
+          'target_name': 'nss_cmds',
+          'type': 'none',
           'dependencies': [
-            'lib/sqlite/sqlite.gyp:sqlite',
+            'cmd/certutil/certutil.gyp:certutil',
+            'cmd/modutil/modutil.gyp:modutil',
+            'cmd/pk12util/pk12util.gyp:pk12util',
+            'cmd/shlibsign/shlibsign.gyp:shlibsign',
           ],
-        }],
-        [ 'moz_fold_libs==1', {
-          'dependencies': [
-            'lib/nss/nss.gyp:nss3_static',
-            'lib/smime/smime.gyp:smime3_static',
+          'conditions': [
+            [ 'mozilla_client==0', {
+              'dependencies': [
+                'cmd/crlutil/crlutil.gyp:crlutil',
+                'cmd/pwdecrypt/pwdecrypt.gyp:pwdecrypt',
+                'cmd/signtool/signtool.gyp:signtool',
+                'cmd/signver/signver.gyp:signver',
+                'cmd/smimetools/smimetools.gyp:cmsutil',
+                'cmd/ssltap/ssltap.gyp:ssltap',
+                'cmd/symkeyutil/symkeyutil.gyp:symkeyutil',
+                'nss-tool/nss_tool.gyp:nss',
+                'nss-tool/nss_tool.gyp:hw-support',
+              ],
+            }],
           ],
-        }],
-      ],
-    },
-    {
-      'target_name': 'nss_cmds',
-      'type': 'none',
-      'dependencies': [
-        'cmd/certutil/certutil.gyp:certutil',
-        'cmd/modutil/modutil.gyp:modutil',
-        'cmd/pk12util/pk12util.gyp:pk12util',
-        'cmd/shlibsign/shlibsign.gyp:shlibsign',
+        },
       ],
-      'conditions': [
-        [ 'mozilla_client==0', {
+    }, { # else, i.e. mozpkix_only==1
+      # Build only mozpkix.
+      'targets': [
+        {
+          'target_name': 'nss_mozpkix_libs',
+          'type': 'none',
           'dependencies': [
-            'cmd/crlutil/crlutil.gyp:crlutil',
-            'cmd/pwdecrypt/pwdecrypt.gyp:pwdecrypt',
-            'cmd/signtool/signtool.gyp:signtool',
-            'cmd/signver/signver.gyp:signver',
-            'cmd/smimetools/smimetools.gyp:cmsutil',
-            'cmd/ssltap/ssltap.gyp:ssltap',
-            'cmd/symkeyutil/symkeyutil.gyp:symkeyutil',
-            'nss-tool/nss_tool.gyp:nss',
-            'nss-tool/nss_tool.gyp:hw-support',
+            # mozpkix and mozpkix-testlib are static C++ libs
+            'lib/mozpkix/mozpkix.gyp:mozpkix',
+            'lib/mozpkix/mozpkix.gyp:mozpkix-testlib',
           ],
-        }],
+        },
       ],
-    },
-  ],
-  'conditions': [
+    }],
     [ 'disable_tests==0', {
       'targets': [
         {
@@ -135,6 +153,7 @@
             'cmd/listsuites/listsuites.gyp:listsuites',
             'cmd/makepqg/makepqg.gyp:makepqg',
             'cmd/multinit/multinit.gyp:multinit',
+            'cmd/nss-policy-check/nss-policy-check.gyp:nss-policy-check',
             'cmd/ocspclnt/ocspclnt.gyp:ocspclnt',
             'cmd/ocspresp/ocspresp.gyp:ocspresp',
             'cmd/oidcalc/oidcalc.gyp:oidcalc',
@@ -169,11 +188,12 @@
             'gtests/certdb_gtest/certdb_gtest.gyp:certdb_gtest',
             'gtests/freebl_gtest/freebl_gtest.gyp:prng_gtest',
             'gtests/freebl_gtest/freebl_gtest.gyp:blake2b_gtest',
+            'gtests/mozpkix_gtest/mozpkix_gtest.gyp:mozpkix_gtest',
+            'gtests/nss_bogo_shim/nss_bogo_shim.gyp:nss_bogo_shim',
             'gtests/pk11_gtest/pk11_gtest.gyp:pk11_gtest',
             'gtests/softoken_gtest/softoken_gtest.gyp:softoken_gtest',
             'gtests/ssl_gtest/ssl_gtest.gyp:ssl_gtest',
             'gtests/util_gtest/util_gtest.gyp:util_gtest',
-            'gtests/nss_bogo_shim/nss_bogo_shim.gyp:nss_bogo_shim',
           ],
           'conditions': [
             [ 'OS=="linux"', {
diff --git a/security/nss/readme.md b/security/nss/readme.md
index 17b99e805..67eca19fb 100644
--- a/security/nss/readme.md
+++ b/security/nss/readme.md
@@ -97,7 +97,7 @@ e.g. `NSS_TESTS=ssl_gtests ./all.sh` or by changing into the according directory
 and running the bash script there `cd ssl_gtests && ./ssl_gtests.sh`.  The
 following tests are available:
 
-    cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests bogo
+    cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests bogo policy
 
 To make tests run faster it's recommended to set `NSS_CYCLES=standard` to run
 only the standard cycle.
diff --git a/security/nss/tests/all.sh b/security/nss/tests/all.sh
index f8a777fb3..5ad0b522e 100755
--- a/security/nss/tests/all.sh
+++ b/security/nss/tests/all.sh
@@ -37,10 +37,13 @@
 #   memleak.sh   - memory leak testing (optional)
 #   ssl_gtests.sh- Gtest based unit tests for ssl
 #   gtests.sh    - Gtest based unit tests for everything else
+#   policy.sh    - Crypto Policy tests
 #   bogo.sh      - Bogo interop tests (disabled by default)
 #                  https://boringssl.googlesource.com/boringssl/+/master/ssl/test/PORTING.md
 #   interop.sh   - Interoperability tests (disabled by default)
 #                  https://github.com/ekr/tls_interop
+#   tlsfuzzer.sh - tlsfuzzer interop tests (disabled by default)
+#                  https://github.com/tomato42/tlsfuzzer/
 #
 # NSS testing is now devided to 4 cycles:
 # ---------------------------------------
@@ -300,7 +303,7 @@ if [ $NO_INIT_SUPPORT -eq 0 ]; then
     RUN_FIPS="fips"
 fi
 
-tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests"
+tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests policy"
 # Don't run chains tests when we have a gyp build.
 if [ "$OBJDIR" != "Debug" -a "$OBJDIR" != "Release" ]; then
   tests="$tests chains"
@@ -315,7 +318,7 @@ if [ $NO_INIT_SUPPORT -eq 0 ]; then
 fi
 NSS_SSL_TESTS="${NSS_SSL_TESTS:-$nss_ssl_tests}"
 
-nss_ssl_run="cov auth stapling stress"
+nss_ssl_run="cov auth stapling signed_cert_timestamps stress scheme"
 NSS_SSL_RUN="${NSS_SSL_RUN:-$nss_ssl_run}"
 
 # NOTE:
diff --git a/security/nss/tests/bogo/bogo.sh b/security/nss/tests/bogo/bogo.sh
index 4fccb845b..e3e9c32df 100755
--- a/security/nss/tests/bogo/bogo.sh
+++ b/security/nss/tests/bogo/bogo.sh
@@ -25,7 +25,7 @@ bogo_init()
   BORING=${BORING:=boringssl}
   if [ ! -d "$BORING" ]; then
     git clone -q https://boringssl.googlesource.com/boringssl "$BORING"
-    git -C "$BORING" checkout -q ec55dc15d3a39e5f1a58bfd79148729f38f6acb4
+    git -C "$BORING" checkout -q 7f4f41fa81c03e0f8ef1ab5b3d1d566b5968f107
   fi
 
   SCRIPTNAME="bogo.sh"
@@ -39,9 +39,9 @@ bogo_cleanup()
   . common/cleanup.sh
 }
 
-cd ../
-cwd=$(cd $(dirname $0); pwd -P)
-SOURCE_DIR="$cwd"/..
+cd "$(dirname "$0")"
+cwd=$(pwd -P)
+SOURCE_DIR="$(cd "$cwd"/../..; pwd -P)"
 bogo_init
 (cd "$BORING"/ssl/test/runner;
  GOPATH="$cwd" go test -pipe -shim-path "${BINDIR}"/nss_bogo_shim \
diff --git a/security/nss/tests/cert/TestUser-rsa-pss-interop.p12 b/security/nss/tests/cert/TestUser-rsa-pss-interop.p12
new file mode 100644
index 000000000..f0e8d24d6
--- /dev/null
+++ b/security/nss/tests/cert/TestUser-rsa-pss-interop.p12
diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh
index 34006efd1..b74de9be5 100755
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -448,6 +448,27 @@ cert_add_cert()
 	fi
 	cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"
 
+	echo "Importing RSA-PSS server certificate"
+	pk12u -i ${QADIR}/cert/TestUser-rsa-pss-interop.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${PROFILEDIR}
+	# Let's get the key ID of the imported private key.
+	KEYID=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
+		grep 'TestUser-rsa-pss-interop$' | sed -n 's/^<.*> [^ ]\{1,\} *\([^ ]\{1,\}\).*/\1/p'`
+
+	CU_ACTION="Generate RSA-PSS Cert Request for $CERTNAME"
+	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-rsa-pss@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+	certu -R -d "${PROFILEDIR}" -k ${KEYID} -f "${R_PWFILE}" \
+	-z "${R_NOISE_FILE}" -o req 2>&1
+
+	CU_ACTION="Sign ${CERTNAME}'s RSA-PSS Request"
+	NEWSERIAL=`expr ${CERTSERIAL} + 30000`
+	certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
+	      -i req -o "${CERTNAME}-rsa-pss.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+	CU_ACTION="Import $CERTNAME's RSA-PSS Cert -t u,u,u"
+	certu -A -n "$CERTNAME-rsa-pss" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+	      -i "${CERTNAME}-rsa-pss.cert" 2>&1
+	cert_log "SUCCESS: $CERTNAME's RSA-PSS Cert Created"
+
     return 0
 }
 
@@ -2103,6 +2124,23 @@ cert_test_implicit_db_init()
   certu -A -n ca -t 'C,C,C' -d ${P_R_IMPLICIT_INIT_DIR} -i "${SERVER_CADIR}/serverCA.ca.cert"
 }
 
+cert_test_token_uri()
+{
+  echo "$SCRIPTNAME: specify token with PKCS#11 URI"
+
+  CERTIFICATE_DB_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*NSS%20Certificate%20DB.*\)/\1/p'`
+  BUILTIN_OBJECTS_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*Builtin%20Object%20Token.*\)/\1/p'`
+
+  CU_ACTION="List keys in NSS Certificate DB"
+  certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${CERTIFICATE_DB_URI}
+
+  # This token shouldn't have any keys
+  CU_ACTION="List keys in NSS Builtin Objects"
+  RETEXPECTED=255
+  certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${BUILTIN_OBJECTS_URI}
+  RETEXPECTED=0
+}
+
 check_sign_algo()
 {
   certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \
@@ -2475,6 +2513,29 @@ EOF
   RETEXPECTED=0
 }
 
+cert_test_orphan_key_delete()
+{
+  CU_ACTION="Create orphan key in serverdir"
+  certu -G -k ec -q nistp256 -f "${R_PWFILE}" -z ${R_NOISE_FILE} -d ${PROFILEDIR}
+  # Let's get the key ID of the first orphan key.
+  # The output of certutil -K (list keys) isn't well formatted.
+  # The initial <key-number> part may or may not contain white space, which
+  # makes the use of awk to filter the column unreliable.
+  # To fix that, we remove the initial <number> field using sed, then select the
+  # column that contains the key ID.
+  ORPHAN=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
+          sed 's/^<.*>//g' | grep -w orphan | head -1 | awk '{print $2}'`
+  CU_ACTION="Delete orphan key"
+  certu -F -f "${R_PWFILE}" -k ${ORPHAN} -d ${PROFILEDIR}
+  # Ensure that the key is removed
+  certu -K -f "${R_PWFILE}" -d ${PROFILEDIR} | grep ${ORPHAN}
+  RET=$?
+  if [ "$RET" -eq 0 ]; then
+    html_failed "Deleting orphan key ($RET)"
+    cert_log "ERROR: Deleting orphan key failed $RET"
+  fi
+}
+
 cert_test_orphan_key_reuse()
 {
   CU_ACTION="Create orphan key in serverdir"
@@ -2500,6 +2561,43 @@ cert_test_orphan_key_reuse()
   fi
 }
 
+cert_test_rsapss_policy()
+{
+  CERTSERIAL=`expr $CERTSERIAL + 1`
+
+  CERTNAME="TestUser-rsa-pss-policy"
+
+  # Subject certificate: RSA-PSS
+  # Issuer certificate: RSA
+  # Signature: RSA-PSS (explicit, with --pss-sign and -Z SHA1)
+  CU_ACTION="Generate Cert Request for $CERTNAME"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
+
+  CU_ACTION="Sign ${CERTNAME}'s Request"
+  certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+        -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+  CU_ACTION="Import $CERTNAME's Cert"
+  certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+        -i "${CERTNAME}.cert" 2>&1
+
+  CU_ACTION="Verify $CERTNAME's Cert"
+  certu -V -n "TestUser-rsa-pss-policy" -u V -V -e -d "${PROFILEDIR}" -f "${R_PWFILE}"
+
+  CU_ACTION="Verify $CERTNAME's Cert with Policy"
+  cp ${PROFILEDIR}/pkcs11.txt pkcs11.txt.orig
+  cat >> ${PROFILEDIR}/pkcs11.txt << ++EOF++
+library=
+name=Policy
+config="disallow=SHA1"
+++EOF++
+  RETEXPECTED=255
+  certu -V -n "TestUser-rsa-pss-policy" -u V -V -e -d "${PROFILEDIR}" -f "${R_PWFILE}"
+  RETEXPECTED=0
+  cp pkcs11.txt.orig ${PROFILEDIR}/pkcs11.txt
+}
+
 ############################## cert_cleanup ############################
 # local shell function to finish this script (no exit since it might be
 # sourced)
@@ -2519,6 +2617,7 @@ cert_all_CA
 cert_test_implicit_db_init
 cert_extended_ssl
 cert_ssl
+cert_test_orphan_key_delete
 cert_test_orphan_key_reuse
 cert_smime_client
 IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED`
@@ -2534,6 +2633,10 @@ cert_test_password
 cert_test_distrust
 cert_test_ocspresp
 cert_test_rsapss
+if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
+  cert_test_rsapss_policy
+fi
+cert_test_token_uri
 
 if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
     cert_crl_ssl
diff --git a/security/nss/tests/chains/chains.sh b/security/nss/tests/chains/chains.sh
index 4c3fa57a0..32c7ef54c 100755
--- a/security/nss/tests/chains/chains.sh
+++ b/security/nss/tests/chains/chains.sh
@@ -51,13 +51,13 @@ is_httpserv_alive()
 wait_for_httpserv()
 {
   echo "trying to connect to httpserv at `date`"
-  echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
-  ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
+  echo "tstclnt -4 -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
+  ${BINDIR}/tstclnt -4 -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
   if [ $? -ne 0 ]; then
       sleep 5
       echo "retrying to connect to httpserv at `date`"
-      echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
-      ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
+      echo "tstclnt -4 -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
+      ${BINDIR}/tstclnt -4 -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
       if [ $? -ne 0 ]; then
           html_failed "Waiting for Server"
       fi
@@ -352,6 +352,12 @@ create_cert_req()
 -1
 y
 "
+    else
+        CA_FLAG="-2"
+        EXT_DATA="n
+-1
+y
+"
     fi
 
     process_crldp
@@ -974,8 +980,8 @@ check_ocsp()
     OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
     OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")
 
-    echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
-    tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
+    echo "tstclnt -4 -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
+    tstclnt -4 -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
     return $?
 }
 
@@ -1258,6 +1264,12 @@ process_scenario()
     rm ${AIA_FILES}
 }
 
+# process ipsec.cfg separately
+chains_ipsec()
+{
+    process_scenario "ipsec.cfg"
+}
+
 # process ocspd.cfg separately
 chains_ocspd()
 {
@@ -1279,6 +1291,7 @@ chains_main()
     do
         [ `echo ${LINE} | cut -b 1` != "#" ] || continue
 
+	[ ${LINE} != 'ipsec.cfg' ] || continue
 	[ ${LINE} != 'ocspd.cfg' ] || continue
 	[ ${LINE} != 'method.cfg' ] || continue
 
@@ -1292,6 +1305,7 @@ chains_init
 VERIFY_CLASSIC_ENGINE_TOO=
 chains_ocspd
 VERIFY_CLASSIC_ENGINE_TOO=1
+chains_ipsec
 chains_run_httpserv get
 chains_method
 chains_stop_httpserv
diff --git a/security/nss/tests/chains/scenarios/ipsec.cfg b/security/nss/tests/chains/scenarios/ipsec.cfg
new file mode 100644
index 000000000..811bf9c09
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/ipsec.cfg
@@ -0,0 +1,61 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario IPsec
+
+entity Root
+  type Root
+
+entity CA1
+  type Intermediate
+  issuer Root 
+
+entity NoKU
+  type EE
+  issuer CA1
+
+entity DigSig
+  type EE
+  issuer CA1
+    ku digitalSignature
+
+entity NonRep
+  type EE
+  issuer CA1
+    ku nonRepudiation
+
+entity DigSigNonRepAndExtra
+  type EE
+  issuer CA1
+    ku digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+
+entity NoMatch
+  type EE
+  issuer CA1
+    ku keyEncipherment,dataEncipherment,keyAgreement
+
+db All
+
+import Root::C,,
+import CA1:Root:
+
+verify NoKU:CA1
+  usage 12
+  result pass
+
+verify DigSig:CA1
+  usage 12
+  result pass
+
+verify NonRep:CA1
+  usage 12
+  result pass
+
+verify DigSigNonRepAndExtra:CA1
+  usage 12
+  result pass
+
+verify NoMatch:CA1
+  usage 12
+  result fail
diff --git a/security/nss/tests/chains/scenarios/realcerts.cfg b/security/nss/tests/chains/scenarios/realcerts.cfg
index d2a8c7143..305443fc3 100644
--- a/security/nss/tests/chains/scenarios/realcerts.cfg
+++ b/security/nss/tests/chains/scenarios/realcerts.cfg
@@ -21,7 +21,7 @@ verify TestUser51:x
   result pass
 
 verify PayPalEE:x
-  policy OID.2.16.840.1.114412.1.1 
+  policy OID.2.16.840.1.114412.2.1 
   result pass
 
 verify BrAirWaysBadSig:x
diff --git a/security/nss/tests/chains/scenarios/scenarios b/security/nss/tests/chains/scenarios/scenarios
index d26c3f92e..4eafd9c8d 100644
--- a/security/nss/tests/chains/scenarios/scenarios
+++ b/security/nss/tests/chains/scenarios/scenarios
@@ -22,3 +22,4 @@ ocsp.cfg
 crldp.cfg
 trustanchors.cfg
 nameconstraints.cfg
+ipsec.cfg
diff --git a/security/nss/tests/common/certsetup.sh b/security/nss/tests/common/certsetup.sh
new file mode 100644
index 000000000..2b5cef840
--- /dev/null
+++ b/security/nss/tests/common/certsetup.sh
@@ -0,0 +1,57 @@
+# Generate input to certutil
+certscript() {
+  ca=n
+  while [ $# -gt 0 ]; do
+    case $1 in
+      sign) echo 0 ;;
+      kex) echo 2 ;;
+      ca) echo 5;echo 6;ca=y ;;
+    esac; shift
+  done;
+  echo 9
+  echo n
+  echo $ca
+  echo
+  echo n
+}
+
+# $1: name
+# $2: type
+# $3+: usages: sign or kex
+make_cert() {
+  name=$1
+  type=$2
+
+  # defaults
+  type_args=()
+  trust=',,'
+  sign=(-x)
+  sighash=(-Z SHA256)
+
+  case $type in
+    dsa) type_args=(-g 1024) ;;
+    rsa) type_args=(-g 1024) ;;
+    rsa2048) type_args=(-g 2048);type=rsa ;;
+    rsa8192) type_args=(-g 8192);type=rsa ;;
+    rsapss) type_args=(-g 1024 --pss);type=rsa ;;
+    rsapss384) type_args=(-g 1024 --pss);type=rsa;sighash=(-Z SHA384) ;;
+    rsapss512) type_args=(-g 2048 --pss);type=rsa;sighash=(-Z SHA512) ;;
+    rsapss_noparam) type_args=(-g 2048 --pss);type=rsa;sighash=() ;;
+    p256) type_args=(-q nistp256);type=ec ;;
+    p384) type_args=(-q secp384r1);type=ec ;;
+    p521) type_args=(-q secp521r1);type=ec ;;
+    rsa_ca) type_args=(-g 1024);trust='CT,CT,CT';type=rsa ;;
+    rsa_chain) type_args=(-g 1024);sign=(-c rsa_ca);type=rsa;;
+    rsapss_ca) type_args=(-g 1024 --pss);trust='CT,CT,CT';type=rsa ;;
+    rsapss_chain) type_args=(-g 1024);sign=(-c rsa_pss_ca);type=rsa;;
+    rsa_ca_rsapss_chain) type_args=(-g 1024 --pss-sign);sign=(-c rsa_ca);type=rsa;;
+    ecdh_rsa) type_args=(-q nistp256);sign=(-c rsa_ca);type=ec ;;
+  esac
+  shift 2
+  counter=$(($counter + 1))
+  certscript $@ | ${BINDIR}/certutil -S \
+    -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \
+    -n $name -s "CN=$name" -t "$trust" "${sign[@]}" -m "$counter" \
+    -w -2 -v 120 -k "$type" "${type_args[@]}" "${sighash[@]}" -1 -2
+  html_msg $? 0 "create certificate: $@"
+}
diff --git a/security/nss/tests/common/init.sh b/security/nss/tests/common/init.sh
index 6aa22af8d..2896f1321 100644
--- a/security/nss/tests/common/init.sh
+++ b/security/nss/tests/common/init.sh
@@ -356,40 +356,34 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
 
 #HOST and DOMSUF are needed for the server cert
 
-    DOMAINNAME=`which domainname`
-    if [ -z "${DOMSUF}" -a $? -eq 0 -a -n "${DOMAINNAME}" ]; then
+    if [ -z "$DOMSUF" ] && hash domainname 2>/dev/null; then
         DOMSUF=`domainname`
     fi
+    # hostname -d and domainname both return (none) if hostname doesn't
+    # include a dot.  Pretend we didn't get an answer.
+    if [ "$DOMSUF" = "(none)" ]; then
+        DOMSUF=
+    fi
 
-    case $HOST in
+    if [ -z "$HOST" ]; then
+        HOST=`uname -n`
+    fi
+    case "$HOST" in
         *\.*)
-            if [ -z "${DOMSUF}" ]; then
-                DOMSUF=`echo $HOST | sed -e "s/^[^.]*\.//"`
+            if [ -z "$DOMSUF" ]; then
+                DOMSUF="${HOST#*.}"
             fi
-            HOST=`echo $HOST | sed -e "s/\..*//"`
+            HOST="${HOST%%.*}"
             ;;
         ?*)
             ;;
         *)
-            HOST=`uname -n`
-            case $HOST in
-                *\.*)
-                    if [ -z "${DOMSUF}" ]; then
-                        DOMSUF=`echo $HOST | sed -e "s/^[^.]*\.//"`
-                    fi
-                    HOST=`echo $HOST | sed -e "s/\..*//"`
-                    ;;
-                ?*)
-                    ;;
-                *)
-                    echo "$SCRIPTNAME: Fatal HOST environment variable is not defined."
-                    exit 1 #does not need to be Exit, very early in script
-                    ;;
-            esac
+            echo "$SCRIPTNAME: Fatal HOST environment variable is not defined."
+            exit 1 #does not need to be Exit, very early in script
             ;;
     esac
 
-    if [ -z "${DOMSUF}" -a "${OS_ARCH}" != "Android" ]; then
+    if [ -z "$DOMSUF" -a "$OS_ARCH" != "Android" ]; then
         echo "$SCRIPTNAME: Fatal DOMSUF env. variable is not defined."
         exit 1 #does not need to be Exit, very early in script
     fi
@@ -397,8 +391,8 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
 #HOSTADDR was a workaround for the dist. stress test, and is probably
 #not needed anymore (purpose: be able to use IP address for the server
 #cert instead of PC name which was not in the DNS because of dyn IP address
-    if [ -z "$USE_IP" -o "$USE_IP" != "TRUE" ] ; then
-        if [ -z "${DOMSUF}" ]; then
+    if [ "$USE_IP" != "TRUE" ] ; then
+        if [ -z "$DOMSUF" ]; then
             HOSTADDR=${HOST}
         else
             HOSTADDR=${HOST}.${DOMSUF}
@@ -595,7 +589,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
         P_R_EXT_SERVERDIR="multiaccess:${D_EXT_SERVER}"
         P_R_EXT_CLIENTDIR="multiaccess:${D_EXT_CLIENT}"
         P_R_IMPLICIT_INIT_DIR="multiaccess:${D_IMPLICIT_INIT}"
-	P_R_RSAPSSDIR="multiaccess:${D_RSAPSS}"
+        P_R_RSAPSSDIR="multiaccess:${D_RSAPSS}"
     fi
 
     R_PWFILE=../tests.pw
diff --git a/security/nss/tests/interop/interop.sh b/security/nss/tests/interop/interop.sh
index 50c8bb3c1..18737c726 100644
--- a/security/nss/tests/interop/interop.sh
+++ b/security/nss/tests/interop/interop.sh
@@ -24,8 +24,8 @@ interop_init()
   cd "${HOSTDIR}/interop"
   INTEROP=${INTEROP:=tls_interop}
   if [ ! -d "$INTEROP" ]; then
-    git clone -q https://github.com/ttaubert/tls-interop "$INTEROP"
-    git -C "$INTEROP" checkout -q d07b28ac32b390dea1c9bcca5c56716247d23e5e
+    git clone -q https://github.com/mozilla/tls-interop "$INTEROP"
+    git -C "$INTEROP" checkout -q c00685aa953c49f1e844e614746aadc783e81b19
   fi
   INTEROP=$(cd "$INTEROP";pwd -P)
 
@@ -33,9 +33,34 @@ interop_init()
   BORING=${BORING:=boringssl}
   if [ ! -d "$BORING" ]; then
     git clone -q https://boringssl.googlesource.com/boringssl "$BORING"
-    git -C "$BORING" checkout -q ea80f9d5df4c302de391e999395e1c87f9c786b3
+    git -C "$BORING" checkout -q 7f4f41fa81c03e0f8ef1ab5b3d1d566b5968f107
   fi
   BORING=$(cd "$BORING";pwd -P)
+  mkdir "$BORING/build"
+  cd "$BORING/build"
+  
+  # Build boring explicitly with gcc because it fails on builds where 
+  # CC=clang-5.0, for example on asan-builds.
+  export CC=gcc
+  cmake ..
+  make -j$(nproc)
+
+  # Check out and build OpenSSL. 
+  # Build with "enable-external-tests" to include the shim in the build. 
+  cd "${HOSTDIR}"
+  OSSL=${OSSL:=openssl}
+  if [ ! -d "$OSSL" ]; then
+    git clone -q https://github.com/openssl/openssl.git "$OSSL"
+    git -C "$OSSL" checkout -q 7d38ca3f8bca58bf7b69e78c1f1ab69e5f429dff
+  fi
+  OSSL=$(cd "$OSSL";pwd -P)
+  cd "$OSSL"
+  ./config enable-external-tests
+  make -j$(nproc)
+
+  #Some filenames in the OpenSSL repository contain "core".
+  #This prevents false positive "core file detected" errors.
+  detect_core
 
   SCRIPTNAME="interop.sh"
   html_head "interop test"
@@ -56,21 +81,26 @@ interop_run()
   server=$3
 
   (cd "$INTEROP";
-   cargo run -- --client "$client" --server "$server" --rootdir "$BORING"/ssl/test/runner/ --test-cases cases.json) 2>interop-${test_name}.errors | tee interop-${test_name}.log
+   cargo run -- --client "$client" --server "$server" --rootdir "$BORING"/ssl/test/runner/ --test-cases cases.json $4 $5 ) 2>interop-${test_name}.errors | tee interop-${test_name}.log
   RESULT=${PIPESTATUS[0]}
-  html_msg "${RESULT}" 0 "Interop" "Run successfully"
+  html_msg "${RESULT}" 0 "Interop ${test_name}" "Run successfully"
   if [ $RESULT -ne 0 ]; then
     cat interop-${test_name}.errors
     cat interop-${test_name}.log
   fi
   grep -i 'FAILED\|Assertion failure' interop-${test_name}.errors
-  html_msg $? 1 "Interop" "No failures"
+  html_msg $? 1 "Interop ${test_name}" "No failures"
 }
 
 cd "$(dirname "$0")"
-SOURCE_DIR="$PWD"/../..
 interop_init
 NSS_SHIM="$BINDIR"/nss_bogo_shim
 BORING_SHIM="$BORING"/build/ssl/test/bssl_shim
+OSSL_SHIM="$OSSL"/test/ossl_shim/ossl_shim
+export LD_LIBRARY_PATH="$LD_LIBRARY_PATH":"$OSSL"
 interop_run "nss_nss" ${NSS_SHIM} ${NSS_SHIM}
+interop_run "bssl_nss" ${BORING_SHIM} ${NSS_SHIM}
+interop_run "nss_bssl" ${NSS_SHIM} ${BORING_SHIM} "--client-writes-first"
+interop_run "ossl_nss" ${OSSL_SHIM} ${NSS_SHIM} "--force-IPv4"
+interop_run "nss_ossl" ${NSS_SHIM} ${OSSL_SHIM} "--client-writes-first" "--force-IPv4"
 interop_cleanup
diff --git a/security/nss/tests/libpkix/certs/PayPalEE.cert b/security/nss/tests/libpkix/certs/PayPalEE.cert
index d71fbb501..aef408676 100644
--- a/security/nss/tests/libpkix/certs/PayPalEE.cert
+++ b/security/nss/tests/libpkix/certs/PayPalEE.cert
diff --git a/security/nss/tests/libpkix/certs/PayPalICA.cert b/security/nss/tests/libpkix/certs/PayPalICA.cert
index 07e025def..dd14c1b21 100644
--- a/security/nss/tests/libpkix/certs/PayPalICA.cert
+++ b/security/nss/tests/libpkix/certs/PayPalICA.cert
diff --git a/security/nss/tests/libpkix/vfychain_test.lst b/security/nss/tests/libpkix/vfychain_test.lst
index 78d6185c3..624c6466d 100644
--- a/security/nss/tests/libpkix/vfychain_test.lst
+++ b/security/nss/tests/libpkix/vfychain_test.lst
@@ -1,4 +1,4 @@
 # Status | Leaf Cert | Policies | Others(undef)
 0 TestUser50 undef
 0 TestUser51 undef
-0 PayPalEE OID.2.16.840.1.114412.1.1
+0 PayPalEE OID.2.16.840.1.114412.2.1
diff --git a/security/nss/tests/policy/crypto-policy.txt b/security/nss/tests/policy/crypto-policy.txt
new file mode 100644
index 000000000..9a8c0cd1b
--- /dev/null
+++ b/security/nss/tests/policy/crypto-policy.txt
@@ -0,0 +1,19 @@
+# col 1: expected return value of nss-policy-check
+# col 2: policy config statement, using _ instead of space
+# col 3: an extended regular expression, expected to match the output
+# col 4: description of the test
+#
+0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy
+0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy
+0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy
+2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value
+2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value
+2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier
+1 disallow=all NSS-POLICY-WARN.*NUMBER-OF-CERT-SIG disallow all
+1 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-WARN.*NUMBER-OF-HASH No Hashes
+1 disallow=ALL_allow=tls-version-min=0:tls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS All TLS versions disabled
+1 disallow=ALL_allow=dtls-version-min=0:dtls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-DTLS-VERSIONS All DTLS versions disabled
+1 disallow=ALL_allow=tls-version-min=tls1.2:tls-version-max=tls1.1 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS Invalid range of TLS versions
+1 disallow=ALL_allow=dtls-version-min=tls1.2:dtls-version-max=tls1.1 NSS-POLICY-WARN.*NUMBER-OF-DTLS-VERSIONS Invalid range of DTLS versions
+1 disallow=ALL_allow=tls-version-min=tls1.1:tls-version-max=tls1.2 NSS-POLICY-INFO.*NUMBER-OF-TLS-VERSIONS Valid range of TLS versions
+1 disallow=ALL_allow=dtls-version-min=tls1.1:dtls-version-max=tls1.2 NSS-POLICY-INFO.*NUMBER-OF-DTLS-VERSIONS Valid range of DTLS versions
diff --git a/security/nss/tests/policy/policy.sh b/security/nss/tests/policy/policy.sh
new file mode 100644
index 000000000..228c982a5
--- /dev/null
+++ b/security/nss/tests/policy/policy.sh
@@ -0,0 +1,58 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/policy/policy.sh
+#
+# Script to test NSS crypto policy code
+#
+########################################################################
+
+ignore_blank_lines()
+{
+  LC_ALL=C grep -v '^[[:space:]]*\(#\|$\)' "$1"
+}
+
+policy_run_tests()
+{
+  html_head "CRYPTO-POLICY"
+
+  POLICY_INPUT=${QADIR}/policy/crypto-policy.txt
+
+  ignore_blank_lines ${POLICY_INPUT} | \
+  while read value policy match testname
+  do
+    echo "$SCRIPTNAME: running \"$testname\" ----------------------------"
+    policy=`echo ${policy} | sed -e 's;_; ;g'`
+    match=`echo ${match} | sed -e 's;_; ;g'`
+    POLICY_FILE="${TMP}/nss-policy"
+
+    echo "$SCRIPTNAME: policy: \"$policy\""
+
+    cat > "$POLICY_FILE" << ++EOF++
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+++EOF++
+    echo "config=\"${policy}\"" >> "$POLICY_FILE"
+    echo "" >> "$POLICY_FILE"
+
+    nss-policy-check "$POLICY_FILE" >${TMP}/$HOST.tmp.$$ 2>&1
+    ret=$?
+    cat ${TMP}/$HOST.tmp.$$
+
+    html_msg $ret $value "\"${testname}\"" \
+        "produced a returncode of $ret, expected is $value"
+
+    egrep "${match}" ${TMP}/$HOST.tmp.$$
+    ret=$?
+    html_msg $ret 0 "\"${testname}\" output is expected to match \"${match}\""
+
+  done
+}
+
+policy_run_tests
diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh
index 9a63bd997..c1730d8d7 100755
--- a/security/nss/tests/ssl/ssl.sh
+++ b/security/nss/tests/ssl/ssl.sh
@@ -64,9 +64,9 @@ ssl_init()
     PORT=$(($PORT + $padd))
   fi
   NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
-  nss_ssl_run="stapling signed_cert_timestamps cov auth stress dtls"
+  nss_ssl_run="stapling signed_cert_timestamps cov auth stress dtls scheme"
   NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
-  
+
   # Test case files
   SSLCOV=${QADIR}/ssl/sslcov.txt
   SSLAUTH=${QADIR}/ssl/sslauth.txt
@@ -210,24 +210,28 @@ start_selfserv()
   if [ -n "$testname" ] ; then
       echo "$SCRIPTNAME: $testname ----"
   fi
-  sparam=`echo $sparam | sed -e 's;_; ;g'`
-  if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1"  ] ; then
+  if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
       ECC_OPTIONS="-e ${HOSTADDR}-ecmixed -e ${HOSTADDR}-ec"
   else
       ECC_OPTIONS=""
   fi
+  if [ -z "$RSA_PSS_CERT" -o "$RSA_PSS_CERT" != "1" ] ; then
+      RSA_OPTIONS="-n ${HOSTADDR}"
+  else
+      RSA_OPTIONS="-n ${HOSTADDR}-rsa-pss"
+  fi
   echo "selfserv starting at `date`"
-  echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
-  echo "         ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
+  echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \\"
+  echo "         ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID}\\"
   echo "         -V ssl3:tls1.2 $verbose -H 1 &"
   if [ ${fileout} -eq 1 ]; then
-      ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
-               ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 \
+      ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \
+               ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 \
                > ${SERVEROUTFILE} 2>&1 &
       RET=$?
   else
-      ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
-               ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 &
+      ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \
+               ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 &
       RET=$?
   fi
 
@@ -270,9 +274,8 @@ ssl_cov()
   html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
 
   testname=""
-  sparam="$CIPHER_SUITES"
 
-  start_selfserv # Launch the server
+  start_selfserv $CIPHER_SUITES # Launch the server
 
   VMIN="ssl3"
   VMAX="tls1.1"
@@ -283,6 +286,13 @@ ssl_cov()
       echo "${testname}" | grep "EXPORT" > /dev/null
       EXP=$?
 
+      # RSA-PSS tests are handled in a separate function
+      case $testname in
+        *RSA-PSS)
+          continue
+          ;;
+      esac
+
       echo "$SCRIPTNAME: running $testname ----------------------------"
       VMAX="ssl3"
       if [ "$testmax" = "TLS10" ]; then
@@ -313,6 +323,58 @@ ssl_cov()
   html "</TABLE><BR>"
 }
 
+ssl_cov_rsa_pss()
+{
+  #verbose="-v"
+  html_head "SSL Cipher Coverage (RSA-PSS) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+  testname=""
+
+  if [ "$NORM_EXT" = "Extended Test" ] ; then
+      echo "$SCRIPTNAME: skipping SSL Cipher Coverage (RSA-PSS) for $NORM_EXT"
+      return 0
+  fi
+
+  RSA_PSS_CERT=1
+  NO_ECC_CERTS=1
+  start_selfserv $CIPHER_SUITES
+  RSA_PSS_CERT=0
+  NO_ECC_CERTS=0
+
+  VMIN="tls1.2"
+  VMAX="tls1.2"
+
+  ignore_blank_lines ${SSLCOV} | \
+  while read ectype testmax param testname
+  do
+      case $testname in
+        *RSA-PSS)
+          ;;
+        *)
+          continue
+          ;;
+      esac
+
+      echo "$SCRIPTNAME: running $testname (RSA-PSS) ----------------------------"
+
+      echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+      echo "        -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+
+      rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+      ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+              -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+              >${TMP}/$HOST.tmp.$$  2>&1
+      ret=$?
+      cat ${TMP}/$HOST.tmp.$$
+      rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+      html_msg $ret 0 "${testname}" \
+               "produced a returncode of $ret, expected is 0"
+  done
+
+  kill_selfserv
+  html "</TABLE><BR>"
+}
+
 ############################## ssl_auth ################################
 # local shell function to perform SSL  Client Authentication tests
 ########################################################################
@@ -337,7 +399,7 @@ ssl_auth()
               cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
               sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
           fi
-          start_selfserv
+          start_selfserv `echo "$sparam" | sed -e 's,_, ,g'`
 
           echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
           echo "        ${cparam}  < ${REQUEST_FILE}"
@@ -370,15 +432,15 @@ ssl_stapling_sub()
     value=$3
 
     if [ "$NORM_EXT" = "Extended Test" ] ; then
-	# these tests use the ext_client directory for tstclnt,
-	# which doesn't contain the required "TestCA" for server cert
-	# verification, I don't know if it would be OK to add it...
-	echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
-	return 0
+        # these tests use the ext_client directory for tstclnt,
+        # which doesn't contain the required "TestCA" for server cert
+        # verification, I don't know if it would be OK to add it...
+        echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
+        return 0
     fi
     if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
-	return 0
+        return 0
     fi
 
     SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
@@ -395,8 +457,8 @@ ssl_stapling_sub()
     echo "        -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE}"
     rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
     ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
-	    -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE} \
-	    >${TMP}/$HOST.tmp.$$  2>&1
+            -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE} \
+            >${TMP}/$HOST.tmp.$$  2>&1
     ret=$?
     cat ${TMP}/$HOST.tmp.$$
     rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
@@ -405,7 +467,7 @@ ssl_stapling_sub()
     # (see commands in ssl_auth
 
     html_msg $ret $value "${testname}" \
-	    "produced a returncode of $ret, expected is $value"
+            "produced a returncode of $ret, expected is $value"
     kill_selfserv
 
     SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
@@ -419,15 +481,15 @@ ssl_stapling_stress()
     value=0
 
     if [ "$NORM_EXT" = "Extended Test" ] ; then
-	# these tests use the ext_client directory for tstclnt,
-	# which doesn't contain the required "TestCA" for server cert
-	# verification, I don't know if it would be OK to add it...
-	echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
-	return 0
+        # these tests use the ext_client directory for tstclnt,
+        # which doesn't contain the required "TestCA" for server cert
+        # verification, I don't know if it would be OK to add it...
+        echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
+        return 0
     fi
     if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
-	return 0
+        return 0
     fi
 
     SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
@@ -443,13 +505,13 @@ ssl_stapling_stress()
     echo "         -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}"
     echo "strsclnt started at `date`"
     ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \
-	    -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}
+            -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}
     ret=$?
 
     echo "strsclnt completed at `date`"
     html_msg $ret $value \
-	    "${testname}" \
-	    "produced a returncode of $ret, expected is $value."
+            "${testname}" \
+            "produced a returncode of $ret, expected is $value."
     kill_selfserv
 
     SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
@@ -556,7 +618,7 @@ ssl_stress()
               sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
           fi
 
-          start_selfserv
+          start_selfserv `echo "$sparam" | sed -e 's,_, ,g'`
 
           if [ "`uname -n`" = "sjsu" ] ; then
               echo "debugging disapering selfserv... ps -ef | grep selfserv"
@@ -610,56 +672,56 @@ ssl_crl_ssl()
     if [ "$ectype" = "SNI" ]; then
         continue
     else
-	servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
-	pwd=`echo $cparam | grep nss`
-	user=`echo $cparam | grep TestUser`
-	_cparam=$cparam
-	case $servarg in
-	    1) if [ -z "$pwd" -o -z "$user" ]; then
+        servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
+        pwd=`echo $cparam | grep nss`
+        user=`echo $cparam | grep TestUser`
+        _cparam=$cparam
+        case $servarg in
+            1) if [ -z "$pwd" -o -z "$user" ]; then
                  rev_modvalue=0
                else
-	         rev_modvalue=254
+                 rev_modvalue=254
                fi
                ;;
-	    2) rev_modvalue=254 ;;
-	    3) if [ -z "$pwd" -o -z "$user" ]; then
-		rev_modvalue=0
-		else
-		rev_modvalue=1
-		fi
-		;;
-	    4) rev_modvalue=1 ;;
-	esac
-	TEMP_NUM=0
-	while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
-	  do
-	  CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
-	  TEMP_NUM=`expr $TEMP_NUM + 1`
-	  USER_NICKNAME="TestUser${CURR_SER_NUM}"
-	  cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
-	  start_selfserv
-
-	  echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
-	  echo "        ${cparam}  < ${REQUEST_FILE}"
-	  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-	  ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
-	      -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
-	      >${TMP}/$HOST.tmp.$$  2>&1
-	  ret=$?
-	  cat ${TMP}/$HOST.tmp.$$
-	  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-	  if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
-	      modvalue=$rev_modvalue
+            2) rev_modvalue=254 ;;
+            3) if [ -z "$pwd" -o -z "$user" ]; then
+                rev_modvalue=0
+                else
+                rev_modvalue=1
+                fi
+                ;;
+            4) rev_modvalue=1 ;;
+        esac
+        TEMP_NUM=0
+        while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
+          do
+          CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
+          TEMP_NUM=`expr $TEMP_NUM + 1`
+          USER_NICKNAME="TestUser${CURR_SER_NUM}"
+          cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+          start_selfserv `echo "$sparam" | sed -e 's,_, ,g'`
+
+          echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+          echo "        ${cparam}  < ${REQUEST_FILE}"
+          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+          ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+              -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
+              >${TMP}/$HOST.tmp.$$  2>&1
+          ret=$?
+          cat ${TMP}/$HOST.tmp.$$
+          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+          if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
+              modvalue=$rev_modvalue
               testAddMsg="revoked"
-	  else
+          else
               testAddMsg="not revoked"
-	      modvalue=$value
-	  fi
+              modvalue=$value
+          fi
 
-	  html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
-		"produced a returncode of $ret, expected is $modvalue"
-	  kill_selfserv
-	done
+          html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
+                "produced a returncode of $ret, expected is $modvalue"
+          kill_selfserv
+        done
     fi
   done
 
@@ -702,7 +764,6 @@ ssl_policy()
   html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
 
   testname=""
-  sparam="$CIPHER_SUITES"
 
   if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then
       html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized"
@@ -712,7 +773,7 @@ ssl_policy()
   echo "Saving pkcs11.txt"
   cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav
 
-  start_selfserv # Launch the server
+  start_selfserv $CIPHER_SUITES
 
   ignore_blank_lines ${SSLPOLICY} | \
   while read value ectype testmax param policy testname
@@ -775,7 +836,6 @@ ssl_policy_listsuites()
   html_head "SSL POLICY LISTSUITES $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
 
   testname=""
-  sparam="$CIPHER_SUITES"
 
   if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then
       html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized"
@@ -815,7 +875,6 @@ ssl_policy_selfserv()
   html_head "SSL POLICY SELFSERV $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
 
   testname=""
-  sparam="$CIPHER_SUITES"
 
   if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then
       html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized"
@@ -828,7 +887,7 @@ ssl_policy_selfserv()
   # Disallow RSA in key exchange explicitly
   setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_SERVERDIR}
 
-  start_selfserv # Launch the server
+  start_selfserv $CIPHER_SUITES
 
   VMIN="ssl3"
   VMAX="tls1.2"
@@ -956,7 +1015,7 @@ _EOF_REQUEST_
              -p ../tests.pw.928
         ret=$?
         if [ "$ret" -eq 0 ]; then
-	    html_passed "${CU_ACTION}"
+            html_passed "${CU_ACTION}"
             return 1
         fi
         start_selfserv
@@ -984,8 +1043,7 @@ ssl_crl_cache()
   echo $?
   while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
     do
-    sparam=$SERV_ARG
-    start_selfserv
+    start_selfserv `echo $SERV_ARG | sed -e 's,_, ,g'`
     exec < ${SSLAUTH_TMP}
     while read ectype value sparam cparam testname
       do
@@ -1013,7 +1071,7 @@ ssl_crl_cache()
                 fi
                 ;;
             4) rev_modvalue=1 ;;
-	  esac
+          esac
         TEMP_NUM=0
         LOADED_GRP=1
         while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
@@ -1030,7 +1088,7 @@ ssl_crl_cache()
             echo "        ${cparam}  < ${REQUEST_FILE}"
             rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
             ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
-	        -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
+                -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
                 >${TMP}/$HOST.tmp.$$  2>&1
             ret=$?
             cat ${TMP}/$HOST.tmp.$$
@@ -1069,7 +1127,7 @@ ssl_crl_cache()
         # Restart selfserv to roll back to two initial group 1 crls
         # TestCA CRL and TestCA-ec CRL
         kill_selfserv
-        start_selfserv
+        start_selfserv `echo "$sparam" | sed -e 's,_, ,g'`
       fi
     done
     kill_selfserv
@@ -1106,22 +1164,66 @@ ssl_dtls()
                 -d ${P_R_SERVERDIR} $verbose -U -V tls1.1:tls1.2 -P server -n ${HOSTADDR} -w nss < ${REQUEST_FILE} 2>&1 &
 
     PID=$!
-    
+
     sleep 1
-    
+
     echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
     echo "        -U -V tls1.1:tls1.2 -P client -Q < ${REQUEST_FILE}"
     ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
-            -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q < ${REQUEST_FILE} 2>&1 
+            -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q < ${REQUEST_FILE} 2>&1
     ret=$?
     html_msg $ret $value "${testname}" \
              "produced a returncode of $ret, expected is $value"
 
     kill ${PID}
-    
+
   html "</TABLE><BR>"
 }
 
+############################ ssl_scheme ###################################
+# local shell function to test tstclnt and selfserv handling of signature schemes
+#########################################################################
+ssl_scheme()
+{
+    if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+        echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
+        return 0
+    fi
+
+    html_head "SSL SCHEME $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+    NO_ECC_CERTS=1
+    schemes=("rsa_pkcs1_sha256" "rsa_pss_rsae_sha256" "rsa_pkcs1_sha256,rsa_pss_rsae_sha256")
+    for sscheme in "${schemes[@]}"; do
+        for cscheme in "${schemes[@]}"; do
+            testname="ssl_scheme server='$sscheme' client='$cscheme'"
+            echo "${testname}"
+
+            start_selfserv -V tls1.2:tls1.2 -J "$sscheme"
+
+            echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+            echo "        -V tls1.2:tls1.2 -J "$cscheme" < ${REQUEST_FILE}"
+            ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+                        -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" < ${REQUEST_FILE} 2>&1
+            ret=$?
+            # If both schemes include just one option and those options don't
+            # match, then the test should fail; otherwise, assume that it works.
+            if [ "${cscheme#*,}" = "$cscheme" -a \
+                 "${sscheme#*,}" = "$sscheme" -a \
+                 "$cscheme" != "$sscheme" ]; then
+                expected=254
+            else
+                expected=0
+            fi
+            html_msg $ret $expected "${testname}" \
+                     "produced a returncode of $ret, expected is $expected"
+            kill_selfserv
+        done
+    done
+    NO_ECC_CERTS=0
+
+    html "</TABLE><BR>"
+}
 
 ############################## ssl_cleanup #############################
 # local shell function to finish this script (no exit since it might be
@@ -1152,6 +1254,7 @@ ssl_run()
             ;;
         "cov")
             ssl_cov
+            ssl_cov_rsa_pss
             ;;
         "auth")
             ssl_auth
@@ -1162,6 +1265,9 @@ ssl_run()
         "dtls")
             ssl_dtls
             ;;
+        "scheme")
+            ssl_scheme
+            ;;
          esac
     done
 }
@@ -1182,9 +1288,9 @@ ssl_run_all()
     # in FIPS mode, so cope with that. Note there's also semicolon in here
     # but it doesn't need escaping/quoting; the shell copes.
     if [ "${CLIENT_MODE}" = "fips" ]; then
-	USER_NICKNAME="pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;object=TestUser"
+        USER_NICKNAME="pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;object=TestUser"
     else
-	USER_NICKNAME="pkcs11:token=NSS%20Certificate%20DB;object=TestUser"
+        USER_NICKNAME="pkcs11:token=NSS%20Certificate%20DB;object=TestUser"
     fi
     NORM_EXT=""
     cd ${CLIENTDIR}
@@ -1346,4 +1452,3 @@ ssl_run_tests()
 ssl_init
 ssl_run_tests
 ssl_cleanup
-
diff --git a/security/nss/tests/ssl/sslcov.txt b/security/nss/tests/ssl/sslcov.txt
index 1eb7f47de..93f247b96 100644
--- a/security/nss/tests/ssl/sslcov.txt
+++ b/security/nss/tests/ssl/sslcov.txt
@@ -141,3 +141,8 @@
    ECC   TLS12  :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    ECC   TLS12  :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    ECC   TLS12  :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+#
+# Test against server with RSA-PSS server certificate
+#
+   ECC   TLS12  :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - RSA-PSS
+   ECC   TLS12  :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - RSA-PSS
diff --git a/security/nss/tests/ssl/sslstress.txt b/security/nss/tests/ssl/sslstress.txt
index a87eedad7..44794f10f 100644
--- a/security/nss/tests/ssl/sslstress.txt
+++ b/security/nss/tests/ssl/sslstress.txt
@@ -12,9 +12,6 @@
   noECC     0      _         -c_1000_-C_c                  Stress TLS  RC4 128 with MD5
   noECC     0      _         -c_1000_-C_c_-g               Stress TLS  RC4 128 with MD5 (false start)
   noECC     0      -u        -V_ssl3:tls1.2_-c_1000_-C_c_-u            Stress TLS  RC4 128 with MD5 (session ticket)
-  noECC     0      -z        -V_ssl3:tls1.2_-c_1000_-C_c_-z            Stress TLS  RC4 128 with MD5 (compression)
-  noECC     0      -u_-z     -V_ssl3:tls1.2_-c_1000_-C_c_-u_-z         Stress TLS  RC4 128 with MD5 (session ticket, compression)
-  noECC     0      -u_-z     -V_ssl3:tls1.2_-c_1000_-C_c_-u_-z_-g      Stress TLS  RC4 128 with MD5 (session ticket, compression, false start)
   SNI       0      -u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
 
 #
@@ -24,10 +21,6 @@
   noECC     0      -r_-r     -c_100_-C_c_-V_ssl3:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth, no login)
   noECC     0      -r_-r     -c_100_-C_c_-N_-n_TestUser    Stress TLS RC4 128 with MD5 (no reuse, client auth)
   noECC     0      -r_-r_-u  -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
-  noECC     0      -r_-r_-z  -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
-  noECC     0      -r_-r_-z  -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
-  noECC     0   -r_-r_-u_-z  -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth)
-  noECC     0   -r_-r_-u_-z  -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
   SNI       0   -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
   SNI       0   -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
 
diff --git a/security/nss/tests/ssl_gtests/ssl_gtests.sh b/security/nss/tests/ssl_gtests/ssl_gtests.sh
index eef77f16f..6c088d8a6 100755
--- a/security/nss/tests/ssl_gtests/ssl_gtests.sh
+++ b/security/nss/tests/ssl_gtests/ssl_gtests.sh
@@ -19,55 +19,6 @@
 #
 ########################################################################
 
-# Generate input to certutil
-certscript() {
-  ca=n
-  while [ $# -gt 0 ]; do
-    case $1 in
-      sign) echo 0 ;;
-      kex) echo 2 ;;
-      ca) echo 5;echo 6;ca=y ;;
-    esac; shift
-  done;
-  echo 9
-  echo n
-  echo $ca
-  echo
-  echo n
-}
-
-# $1: name
-# $2: type
-# $3+: usages: sign or kex
-make_cert() {
-  name=$1
-  type=$2
-  unset type_args trust sign
-  case $type in
-    dsa) type_args='-g 1024' ;;
-    rsa) type_args='-g 1024' ;;
-    rsa2048) type_args='-g 2048';type=rsa ;;
-    rsa8192) type_args='-g 8192';type=rsa ;;
-    rsapss) type_args='-g 1024 --pss';type=rsa ;;
-    p256) type_args='-q nistp256';type=ec ;;
-    p384) type_args='-q secp384r1';type=ec ;;
-    p521) type_args='-q secp521r1';type=ec ;;
-    rsa_ca) type_args='-g 1024';trust='CT,CT,CT';type=rsa ;;
-    rsa_chain) type_args='-g 1024';sign='-c rsa_ca';type=rsa;;
-    rsapss_ca) type_args='-g 1024 --pss';trust='CT,CT,CT';type=rsa ;;
-    rsapss_chain) type_args='-g 1024';sign='-c rsa_pss_ca';type=rsa;;
-    rsa_ca_rsapss_chain) type_args='-g 1024 --pss-sign';sign='-c rsa_ca';type=rsa;;
-    ecdh_rsa) type_args='-q nistp256';sign='-c rsa_ca';type=ec ;;
-  esac
-  shift 2
-  counter=$(($counter + 1))
-  certscript $@ | ${BINDIR}/certutil -S \
-    -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \
-    -n $name -s "CN=$name" -t ${trust:-,,} ${sign:--x} -m $counter \
-    -w -2 -v 120 -k $type $type_args -Z SHA256 -1 -2
-  html_msg $? 0 "create certificate: $@"
-}
-
 ssl_gtest_certs() {
   mkdir -p "${SSLGTESTDIR}"
   cd "${SSLGTESTDIR}"
@@ -80,6 +31,10 @@ ssl_gtest_certs() {
   ${BINDIR}/certutil -N -d "${PROFILEDIR}" --empty-password 2>&1
   html_msg $? 0 "create ssl_gtest database"
 
+  pushd "${QADIR}"
+  . common/certsetup.sh
+  popd
+
   counter=0
   make_cert client rsa sign
   make_cert rsa rsa sign kex
@@ -87,6 +42,9 @@ ssl_gtest_certs() {
   make_cert rsa8192 rsa8192 sign kex
   make_cert rsa_sign rsa sign
   make_cert rsa_pss rsapss sign
+  make_cert rsa_pss384 rsapss384 sign
+  make_cert rsa_pss512 rsapss512 sign
+  make_cert rsa_pss_noparam rsapss_noparam sign
   make_cert rsa_decrypt rsa kex
   make_cert ecdsa256 p256 sign
   make_cert ecdsa384 p384 sign
diff --git a/security/nss/tests/tlsfuzzer/config.json.in b/security/nss/tests/tlsfuzzer/config.json.in
new file mode 100644
index 000000000..051bae2be
--- /dev/null
+++ b/security/nss/tests/tlsfuzzer/config.json.in
@@ -0,0 +1,166 @@
+[
+    {
+        "server_command": [
+            "@SELFSERV@", "-w", "nss", "-d", "@SERVERDIR@",
+            "-V", "tls1.0:", "-H", "1",
+            "-n", "rsa",
+            "-n", "rsa-pss",
+	    "-J", "rsa_pss_rsae_sha256,rsa_pss_rsae_sha384,rsa_pss_rsae_sha512,rsa_pss_pss_sha256",
+            "-u", "-Z", "-p", "@PORT@"
+        ],
+        "server_hostname": "@HOSTADDR@",
+        "server_port": @PORT@,
+        "tests" : [
+            {
+                "name" : "test-tls13-conversation.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ]
+            },
+            {
+                "name" : "test-tls13-count-tickets.py",
+                "arguments": [
+                    "-p", "@PORT@", "-t", "1"
+                ]
+            },
+            {
+                "name" : "test-tls13-dhe-shared-secret-padding.py",
+                "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1305243",
+                "arguments": [
+                    "-p", "@PORT@",
+                    "-e", "TLS 1.3 with x448"
+                ]
+            },
+            {
+                "name" : "test-tls13-empty-alert.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ],
+                "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1471656",
+                "exp_pass": false
+            },
+            {
+                "name" : "test-tls13-ffdhe-sanity.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ]
+            },
+            {
+                "name" : "test-tls13-finished.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ],
+                "comment" : "https://bugzilla.mozilla.org/show_bug.cgi?id=1472747",
+                "exp_pass": false
+            },
+            {
+                "name" : "test-tls13-0rtt-garbage.py",
+                "comment": "the disabled test timeouts because of https://bugzilla.mozilla.org/show_bug.cgi?id=1472747",
+                "arguments": [
+                    "-p", "@PORT@", "--cookie",
+                    "-e", "undecryptable record later in handshake together with early_data"
+                ]
+            },
+            {
+                "name" : "test-tls13-hrr.py",
+                "arguments": [
+                    "-p", "@PORT@", "--cookie"
+                ]
+            },
+            {
+                "name" : "test-tls13-legacy-version.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ],
+                "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1490006",
+                "exp_pass": false
+            },
+            {
+                "name" : "test-tls13-nociphers.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ]
+            },
+            {
+                "name" : "test-tls13-pkcs-signature.py",
+                "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1489997",
+                "arguments": [
+                    "-p", "@PORT@",
+                    "-e", "rsa_pkcs1_sha256 signature",
+                    "-e", "rsa_pkcs1_sha384 signature",
+                    "-e", "rsa_pkcs1_sha512 signature"
+                ]
+            },
+            {
+                "name" : "test-tls13-rsa-signatures.py",
+		"comment": "selfserv can be set up to use multiple certs, but only one for each auth type",
+                "arguments": [
+                    "-p", "@PORT@", "-b",
+		    "-e", "tls13 signature rsa_pss_pss_sha384",
+		    "-e", "tls13 signature rsa_pss_pss_sha512"
+                ]
+            },
+            {
+                "name" : "test-tls13-rsapss-signatures.py",
+		"comment": "selfserv can be set up to use multiple certs, but only one to each auth type",
+                "arguments": [
+                    "-p", "@PORT@", "-b",
+		    "-e", "tls13 signature rsa_pss_pss_sha384",
+		    "-e", "tls13 signature rsa_pss_pss_sha512"
+                ]
+            },
+            {
+                "name" : "test-tls13-record-padding.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ]
+            },
+            {
+                "name" : "test-tls13-session-resumption.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ]
+            },
+            {
+                "name" : "test-tls13-signature-algorithms.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ],
+                "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1482386",
+                "exp_pass": false
+            },
+            {
+                "name" : "test-tls13-unrecognised-groups.py",
+                "arguments": [
+                    "-p", "@PORT@", "--cookie"
+                ]
+            },
+            {
+                "name" : "test-tls13-version-negotiation.py",
+                "comment": "the disabled test timeouts because of https://github.com/tomato42/tlsfuzzer/issues/452",
+                "arguments": [
+                    "-p", "@PORT@",
+                    "-e", "SSL 2.0 ClientHello with TLS 1.3 version and TLS 1.3 only ciphersuites"
+                ]
+            },
+            {
+                "name" : "test-tls13-zero-length-data.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ]
+            },
+            {
+                "name" : "test-dhe-no-shared-secret-padding.py",
+                "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1494221 and SSLv3 cannot be enabled in server",
+                "arguments": [
+                    "-p", "@PORT@",
+                    "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
+                    "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
+                    "-e", "Protocol (3, 2) in SSLv2 compatible ClientHello",
+                    "-e", "Protocol (3, 3) in SSLv2 compatible ClientHello",
+                    "-e", "Protocol (3, 0)"
+                ]
+            }
+        ]
+    }
+]
diff --git a/security/nss/tests/tlsfuzzer/tlsfuzzer.sh b/security/nss/tests/tlsfuzzer/tlsfuzzer.sh
new file mode 100644
index 000000000..ecc146c24
--- /dev/null
+++ b/security/nss/tests/tlsfuzzer/tlsfuzzer.sh
@@ -0,0 +1,110 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# tests/tlsfuzzer/tlsfuzzer.sh
+#
+# Script to drive the ssl tlsfuzzer interop unit tests
+#
+########################################################################
+
+tlsfuzzer_certs()
+{
+  PROFILEDIR=`pwd`
+
+  ${BINDIR}/certutil -N -d "${PROFILEDIR}" --empty-password 2>&1
+  html_msg $? 0 "create tlsfuzzer database"
+
+  pushd "${QADIR}"
+  . common/certsetup.sh
+  popd
+
+  counter=0
+  make_cert rsa rsa2048 sign kex
+  make_cert rsa-pss rsapss sign kex
+}
+
+tlsfuzzer_init()
+{
+  SCRIPTNAME="tlsfuzzer.sh"
+  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then
+    cd ../common
+    . ./init.sh
+  fi
+
+  mkdir -p "${HOSTDIR}/tlsfuzzer"
+  pushd "${HOSTDIR}/tlsfuzzer"
+  tlsfuzzer_certs
+
+  TLSFUZZER=${TLSFUZZER:=tlsfuzzer}
+  if [ ! -d "$TLSFUZZER" ]; then
+    # Can't use git-copy.sh here, as tlsfuzzer doesn't have any tags
+    git clone -q https://github.com/tomato42/tlsfuzzer/ "$TLSFUZZER"
+    git -C "$TLSFUZZER" checkout a40ce4085052a4da9a05f9149b835a76c194a0c6
+
+    # We could use tlslite-ng from pip, but the pip command installed
+    # on TC is too old to support --pre
+    ${QADIR}/../fuzz/config/git-copy.sh https://github.com/tomato42/tlslite-ng/ v0.8.0-alpha18 tlslite-ng
+
+    pushd "$TLSFUZZER"
+    ln -s ../tlslite-ng/tlslite tlslite
+    popd
+
+    # Install tlslite-ng dependencies
+    ${QADIR}/../fuzz/config/git-copy.sh https://github.com/warner/python-ecdsa master python-ecdsa
+    ${QADIR}/../fuzz/config/git-copy.sh https://github.com/benjaminp/six master six
+
+    pushd "$TLSFUZZER"
+    ln -s ../python-ecdsa/src/ecdsa ecdsa
+    ln -s ../six/six.py .
+    popd
+  fi
+
+  # Find usable port
+  PORT=${PORT-8443}
+  while true; do
+    "${BINDIR}/selfserv" -w nss -d "${HOSTDIR}/tlsfuzzer" -n rsa \
+			 -p "${PORT}" -i selfserv.pid &
+    [ -f selfserv.pid ] || sleep 5
+    if [ -f selfserv.pid ]; then
+      kill $(cat selfserv.pid)
+      wait $(cat selfserv.pid)
+      rm -f selfserv.pid
+      break
+    fi
+    PORT=$(($PORT + 1))
+  done
+
+  sed -e "s|@PORT@|${PORT}|g" \
+      -e "s|@SELFSERV@|${BINDIR}/selfserv|g" \
+      -e "s|@SERVERDIR@|${HOSTDIR}/tlsfuzzer|g" \
+      -e "s|@HOSTADDR@|${HOSTADDR}|g" \
+      ${QADIR}/tlsfuzzer/config.json.in > ${TLSFUZZER}/config.json
+  popd
+
+  SCRIPTNAME="tlsfuzzer.sh"
+  html_head "tlsfuzzer test"
+}
+
+tlsfuzzer_cleanup()
+{
+  cd ${QADIR}
+  . common/cleanup.sh
+}
+
+tlsfuzzer_run_tests()
+{
+  pushd "${HOSTDIR}/tlsfuzzer/${TLSFUZZER}"
+  PYTHONPATH=. python tests/scripts_retention.py config.json "${BINDIR}/selfserv"
+  html_msg $? 0 "tlsfuzzer" "Run successfully"
+  popd
+}
+
+cd "$(dirname "$0")"
+tlsfuzzer_init
+tlsfuzzer_run_tests
+tlsfuzzer_cleanup
diff --git a/toolkit/library/dummydll/dummydll.cpp b/toolkit/library/dummydll/dummydll.cpp
deleted file mode 100644
index 5e1c04bd3..000000000
--- a/toolkit/library/dummydll/dummydll.cpp
+++ /dev/null
@@ -1,17 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <windows.h>
-
-BOOL WINAPI DllMain(
-  HANDLE hModule,
-  DWORD dwReason,
-  LPVOID lpvReserved
-)
-{
-  if (dwReason == DLL_PROCESS_ATTACH) {
-    ::DisableThreadLibraryCalls((HMODULE)hModule);
-  }
-  return TRUE;
-}
diff --git a/toolkit/library/dummydll/moz.build b/toolkit/library/dummydll/moz.build
deleted file mode 100644
index 01a0ddba8..000000000
--- a/toolkit/library/dummydll/moz.build
+++ /dev/null
@@ -1,19 +0,0 @@
-# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Bug 1294650 - populate our install with a shim dll to work around a
-# 3rd party code injection crash.
-
-SOURCES += [
-    'dummydll.cpp',
-]
-
-if CONFIG['CPU_ARCH'] == 'x86_64':
-  GeckoSharedLibrary('qipcap64')
-else:
-  GeckoSharedLibrary('qipcap')
-
-NO_VISIBILITY_FLAGS = True
diff --git a/toolkit/library/moz.build b/toolkit/library/moz.build
index 624f8f54d..5191b5a21 100644
--- a/toolkit/library/moz.build
+++ b/toolkit/library/moz.build
@@ -106,9 +106,6 @@ if CONFIG['OS_ARCH'] == 'WINNT' and not CONFIG['GNU_CC']:
 
 DIRS += ['gtest']
 
-if CONFIG['OS_ARCH'] == 'WINNT':
-  DIRS += ['dummydll']
-
 # js needs to come after xul for now, because it is an archive and its content
 # is discarded when it comes first.
 USE_LIBS += [
diff --git a/toolkit/toolkit.mozbuild b/toolkit/toolkit.mozbuild
index b4aebbef0..da4e7cd85 100644
--- a/toolkit/toolkit.mozbuild
+++ b/toolkit/toolkit.mozbuild
@@ -58,15 +58,6 @@ if CONFIG['MOZ_WEBRTC']:
         '/media/mtransport',
     ]
 
-if CONFIG['MOZ_OMX_PLUGIN']:
-    DIRS += [
-        '/media/omx-plugin/lib/ics/libutils',
-        '/media/omx-plugin/lib/ics/libstagefright',
-        '/media/omx-plugin/lib/ics/libvideoeditorplayer',
-        '/media/omx-plugin',
-        '/media/omx-plugin/kk',
-    ]
-
 if CONFIG['ENABLE_TESTS']:
     DIRS += ['/testing/specialpowers']