From fa7edf0811a217f42aa95a30d0aac187e176571b Mon Sep 17 00:00:00 2001
From: Panu Matilainen
Date: Jan 25 2008 15:17:21 +0000
Subject: - update to 4.4.2.3-rc1 - merge nss-related patches into one - change default queryformat to include arch - resolves (documentation): #159638, #233232, #332271, #350401 - resolves (build): #124300, #140597, #124995, #147383, #220449 - resolves (query): #244236, #323221, #60288 - resolves (general): #223931, #164021, #83006, #205080, #217258, #428979
---
diff --git a/.cvsignore b/.cvsignore
index 9503de7..c1f6d9d 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-rpm-4.4.2.2.tar.gz
+rpm-4.4.2.3-rc1.tar.gz
diff --git a/rpm-4.4.2.2-base64-unsigned-char.patch b/rpm-4.4.2.2-base64-unsigned-char.patch
deleted file mode 100644
index e5c42b4..0000000
--- a/rpm-4.4.2.2-base64-unsigned-char.patch
+++ /dev/null
@@ -1,102 +0,0 @@ -diff -r 39cb695c7c8b rpmio/base64.c ---- a/rpmio/base64.c Thu Nov 01 10:42:01 2007 +0100 -+++ b/rpmio/base64.c Wed Nov 14 18:16:51 2007 +0100 -@@ -98,21 +98,20 @@ char *b64encode(const void *data, size_t - return output; - } - --static int base64_decode_value(char value_in) --{ -- static const char decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51}; -- static const char decoding_size = sizeof(decoding); -+static int base64_decode_value(unsigned char value_in) -+{ -+ static const int decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51}; - value_in -= 43; -- if (value_in < 0 || value_in > decoding_size) -+ if (value_in > sizeof(decoding)/sizeof(int)) - return -1; -- return decoding[(int)value_in]; -+ return decoding[value_in]; - } - - static size_t base64_decode_block(const char *code_in, const size_t length_in, char *plaintext_out) - { - const char *codechar = code_in; - char *plainchar = plaintext_out; -- char fragment; -+ int fragment; - - *plainchar = 0; - -@@ -123,38 +122,38 @@ static size_t base64_decode_block(const - { - return plainchar - plaintext_out; - } -- fragment = (char)base64_decode_value(*codechar++); -- } while (fragment < 0); -- *plainchar = (fragment & 0x03f) << 2; -- -- do { -- if (codechar == code_in+length_in) -- { -- return plainchar - plaintext_out; -- } -- fragment = (char)base64_decode_value(*codechar++); -- } while (fragment < 0); -- *plainchar++ |= (fragment & 0x030) >> 4; -- *plainchar = (fragment & 0x00f) << 4; -- -- do { -- if (codechar == code_in+length_in) -- { -- return plainchar - plaintext_out; -- } -- fragment = 
(char)base64_decode_value(*codechar++); -- } while (fragment < 0); -- *plainchar++ |= (fragment & 0x03c) >> 2; -- *plainchar = (fragment & 0x003) << 6; -- -- do { -- if (codechar == code_in+length_in) -- { -- return plainchar - plaintext_out; -- } -- fragment = (char)base64_decode_value(*codechar++); -- } while (fragment < 0); -- *plainchar++ |= (fragment & 0x03f); -+ fragment = base64_decode_value(*codechar++); -+ } while (fragment < 0); -+ *plainchar = (char)((fragment & 0x03f) << 2); -+ -+ do { -+ if (codechar == code_in+length_in) -+ { -+ return plainchar - plaintext_out; -+ } -+ fragment = base64_decode_value(*codechar++); -+ } while (fragment < 0); -+ *plainchar++ |= (char)((fragment & 0x030) >> 4); -+ *plainchar = (char)((fragment & 0x00f) << 4); -+ -+ do { -+ if (codechar == code_in+length_in) -+ { -+ return plainchar - plaintext_out; -+ } -+ fragment = base64_decode_value(*codechar++); -+ } while (fragment < 0); -+ *plainchar++ |= (char)((fragment & 0x03c) >> 2); -+ *plainchar = (char)((fragment & 0x003) << 6); -+ -+ do { -+ if (codechar == code_in+length_in) -+ { -+ return plainchar - plaintext_out; -+ } -+ fragment = base64_decode_value(*codechar++); -+ } while (fragment < 0); -+ *plainchar++ |= (char)(fragment & 0x03f); - } - /* control should not reach here */ - return plainchar - plaintext_out; diff --git a/rpm-4.4.2.2-cryptoinit.patch b/rpm-4.4.2.2-cryptoinit.patch deleted file mode 100644 index 6de7c25..0000000 --- a/rpm-4.4.2.2-cryptoinit.patch +++ /dev/null 
@@ -1,98 +0,0 @@ -diff -up rpm-4.4.2.2/rpmio/digest.c.nss-init rpm-4.4.2.2/rpmio/digest.c ---- rpm-4.4.2.2/rpmio/digest.c.nss-init 2007-11-15 15:00:41.000000000 +0200 -+++ rpm-4.4.2.2/rpmio/digest.c 2007-11-15 15:00:41.000000000 +0200 -@@ -78,9 +78,6 @@ rpmDigestInit(pgpHashAlgo hashalgo, rpmD - HASH_HashType type; - DIGEST_CTX ctx = xcalloc(1, sizeof(*ctx)); - -- if (NSS_NoDB_Init(NULL) != SECSuccess) -- return NULL; -- - ctx->flags = flags; - - type = getHashType(hashalgo); -diff -up rpm-4.4.2.2/rpmio/rpmpgp.h.nss-init rpm-4.4.2.2/rpmio/rpmpgp.h ---- rpm-4.4.2.2/rpmio/rpmpgp.h.nss-init 2007-11-15 15:00:41.000000000 +0200 -+++ rpm-4.4.2.2/rpmio/rpmpgp.h 2007-11-15 15:00:41.000000000 +0200 -@@ -1380,6 +1380,15 @@ unsigned int pgpCRC(const byte *octets, - } - - /** \ingroup rpmio -+ * Perform cryptography initialization. -+ * It must be called before any cryptography can be used within rpm. -+ * It's not normally necessary to call it directly as it's called in -+ * general rpm initialization routines. -+ * @return 0 on success, -1 on failure -+ */ -+int rpmInitCrypto(void); -+ -+/** \ingroup rpmio - * Duplicate a digest context. 
- * @param octx existing digest context - * @return duplicated digest context -diff -up rpm-4.4.2.2/rpmio/rpmpgp.c.nss-init rpm-4.4.2.2/rpmio/rpmpgp.c ---- rpm-4.4.2.2/rpmio/rpmpgp.c.nss-init 2007-11-15 15:00:41.000000000 +0200 -+++ rpm-4.4.2.2/rpmio/rpmpgp.c 2007-11-15 15:00:41.000000000 +0200 -@@ -17,6 +17,8 @@ static int _debug = 0; - /*@unchecked@*/ - static int _print = 0; - -+static int _crypto_initialized = 0; -+ - /*@unchecked@*/ /*@null@*/ - static pgpDig _dig = NULL; - -@@ -1094,7 +1096,6 @@ int pgpPrtPkt(const byte *pkt, unsigned - pgpDig pgpNewDig(void) - { - pgpDig dig = xcalloc(1, sizeof(*dig)); -- NSS_NoDB_Init(NULL); - - return dig; - } -@@ -1404,5 +1405,18 @@ char * pgpArmorWrap(int atype, const uns - - return val; - } -- - /*@=boundsread@*/ -+ -+int rpmInitCrypto(void) { -+ int rc = 0; -+ -+ if (!_crypto_initialized && NSS_NoDB_Init(NULL) != SECSuccess) { -+ rc = -1; -+ } else { -+ _crypto_initialized = 1; -+ } -+ -+ return rc; -+} -+ -+ -diff -up rpm-4.4.2.2/tools/debugedit.c.nss-init rpm-4.4.2.2/tools/debugedit.c ---- rpm-4.4.2.2/tools/debugedit.c.nss-init 2007-11-15 15:01:42.000000000 +0200 -+++ rpm-4.4.2.2/tools/debugedit.c 2007-11-15 15:02:23.000000000 +0200 -@@ -1318,6 +1318,8 @@ handle_build_id (DSO *dso, Elf_Data *bui - void *digest = NULL; - size_t len; - -+ rpmInitCrypto(); -+ - while (i-- > 0) - { - algorithm = algorithms[i]; -diff -up rpm-4.4.2.2/lib/rpmrc.c.nss-init rpm-4.4.2.2/lib/rpmrc.c ---- rpm-4.4.2.2/lib/rpmrc.c.nss-init 2007-09-11 09:28:15.000000000 +0300 -+++ rpm-4.4.2.2/lib/rpmrc.c 2007-11-15 15:00:41.000000000 +0200 -@@ -1850,6 +1850,10 @@ static int rpmReadRC(/*@null@*/ const ch - - int rpmReadConfigFiles(const char * file, const char * target) - { -+ /* Initialize crypto engine as early as possible */ -+ if (rpmInitCrypto() < 0) { -+ return -1; -+ } - - /* Preset target macros */ - /*@-nullstate@*/ /* FIX: target can be NULL */ 
diff --git a/rpm-4.4.2.2-debugedit-fpc.patch b/rpm-4.4.2.2-debugedit-fpc.patch deleted file mode 100644 index 0237c2c..0000000 --- a/rpm-4.4.2.2-debugedit-fpc.patch +++ /dev/null @@ -1,41 +0,0 @@ -diff -r f531397e7635 -r 751cf2c7614e tools/debugedit.c ---- a/tools/debugedit.c Sun Oct 14 12:49:18 2007 +0300 -+++ b/tools/debugedit.c Thu Oct 18 09:34:54 2007 +0300 -@@ -560,11 +560,16 @@ edit_dwarf2_line (DSO *dso, uint_32 off, - } - else - { -- memcpy (s, comp_dir, comp_dir_len); -- s[comp_dir_len] = '/'; -- memcpy (s + comp_dir_len + 1, dirt[value], dir_len); -- s[comp_dir_len + 1 + dir_len] = '/'; -- memcpy (s + comp_dir_len + 1 + dir_len + 1, file, file_len + 1); -+ char *p = s; -+ if (comp_dir_len != 0) -+ { -+ memcpy (s, comp_dir, comp_dir_len); -+ s[comp_dir_len] = '/'; -+ p += comp_dir_len + 1; -+ } -+ memcpy (p, dirt[value], dir_len); -+ p[dir_len] = '/'; -+ memcpy (p + dir_len + 1, file, file_len + 1); - } - canonicalize_path (s, s); - if (list_file_fd != -1) -@@ -822,6 +827,7 @@ edit_attributes (DSO *dso, unsigned char - - switch (form) - { -+ case DW_FORM_ref_addr: /* ptr_size in DWARF 2, offset in DWARF 3 */ - case DW_FORM_addr: - ptr += ptr_size; - break; -@@ -847,7 +853,6 @@ edit_attributes (DSO *dso, unsigned char - case DW_FORM_udata: - read_uleb128 (ptr); - break; -- case DW_FORM_ref_addr: - case DW_FORM_strp: - ptr += 4; - break; diff --git a/rpm-4.4.2.2-gcc43.patch b/rpm-4.4.2.2-gcc43.patch deleted file mode 100644 index 20c71c3..0000000 --- a/rpm-4.4.2.2-gcc43.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -diff -up rpm-4.4.2.2/tools/debugedit.c.gcc43 rpm-4.4.2.2/tools/debugedit.c ---- rpm-4.4.2.2/tools/debugedit.c.gcc43 2008-01-04 08:57:09.000000000 +0200 -+++ rpm-4.4.2.2/tools/debugedit.c 2008-01-04 08:58:40.000000000 +0200 -@@ -1353,12 +1353,6 @@ handle_build_id (DSO *dso, Elf_Data *bui - or Elf64 object, only that we are consistent in what bits feed the - hash so it comes out the same for the same file contents. */ - { -- inline void process (const void *data, size_t size); -- inline void process (const void *data, size_t size) -- { -- rpmDigestUpdate(ctx, data, size); -- } -- - union - { - GElf_Ehdr ehdr; -@@ -1387,7 +1381,7 @@ handle_build_id (DSO *dso, Elf_Data *bui - goto bad; - if (elf64_xlatetom (&x, &x, dso->ehdr.e_ident[EI_DATA]) == NULL) - goto bad; -- process (x.d_buf, x.d_size); -+ rpmDigestUpdate(ctx, x.d_buf, x.d_size); - } - - x.d_type = ELF_T_SHDR; -@@ -1399,14 +1393,14 @@ handle_build_id (DSO *dso, Elf_Data *bui - u.shdr.sh_offset = 0; - if (elf64_xlatetom (&x, &x, dso->ehdr.e_ident[EI_DATA]) == NULL) - goto bad; -- process (x.d_buf, x.d_size); -+ rpmDigestUpdate(ctx, x.d_buf, x.d_size); - - if (u.shdr.sh_type != SHT_NOBITS) - { - Elf_Data *d = elf_rawdata (dso->scn[i], NULL); - if (d == NULL) - goto bad; -- process (d->d_buf, d->d_size); -+ rpmDigestUpdate(ctx, d->d_buf, d->d_size); - } - } - } diff --git a/rpm-4.4.2.2-no-targetreset.patch b/rpm-4.4.2.2-no-targetreset.patch deleted file mode 100644 index 94a7bfa..0000000 --- a/rpm-4.4.2.2-no-targetreset.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -Don't reset target when reading included rpmrc's. Doesn't seem to break -anything and fixes rhbz#232429... - -diff -up rpm-4.4.2.2/lib/rpmrc.c.noreset rpm-4.4.2.2/lib/rpmrc.c ---- rpm-4.4.2.2/lib/rpmrc.c.noreset 2008-01-11 10:30:12.000000000 +0200 -+++ rpm-4.4.2.2/lib/rpmrc.c 2008-01-11 10:15:27.000000000 +0200 -@@ -641,7 +641,9 @@ static int doReadRC( /*@killref@*/ FD_t - while (*se && !xisspace(*se)) se++; - if (*se != '\0') *se++ = '\0'; - -+#if 0 - rpmRebuildTargetVars(NULL, NULL); -+#endif - - fn = rpmGetPath(s, NULL); - if (fn == NULL || *fn == '\0') { diff --git a/rpm-4.4.2.2-nonutf-comment.patch b/rpm-4.4.2.2-nonutf-comment.patch deleted file mode 100644 index 174b621..0000000 --- a/rpm-4.4.2.2-nonutf-comment.patch +++ /dev/null @@ -1,25 +0,0 @@ -changeset: 6180:aa5086a15540 -user: Ralf Corsépius -date: Wed Oct 10 08:37:35 2007 +0200 -files: build.c -description: -Kick out polish comment. -(transplanted from 6b4e7092bfc65ed7a95f4be20b86db814c6d999c) - - -diff -r 48dd32feaef5 -r aa5086a15540 build.c ---- a/build.c Tue Oct 09 15:47:15 2007 +0300 -+++ b/build.c Wed Oct 10 08:37:35 2007 +0200 -@@ -49,11 +49,6 @@ static int checkSpec(rpmts ts, Header h) - return rc; - } - --/* -- * Kurwa, durni ameryka?ce sobe zawsze my?l?, ?e ca?y ?wiat m�wi po -- * angielsku... -- */ --/* XXX this is still a dumb test but at least it's i18n aware */ - /** - */ - static int isSpecFile(const char * specfile) - diff --git a/rpm-4.4.2.2-nss.patch b/rpm-4.4.2.2-nss.patch deleted file mode 100644 index 50ed30e..0000000 --- a/rpm-4.4.2.2-nss.patch +++ /dev/null 
@@ -1,1843 +0,0 @@ -diff -r ec9e6c427068 Makefile.am ---- a/Makefile.am Wed Oct 24 16:02:51 2007 +0300 -+++ b/Makefile.am Thu Nov 01 10:56:58 2007 +0100 -@@ -10,14 +10,14 @@ EXTRA_DIST = CHANGES ChangeLog CREDITS D - po/*.in po/*.po po/rpm.pot \ - rpm.magic rpmpopt-$(VERSION) rpmqv.c - --SUBDIRS = po misc @WITH_ZLIB_SUBDIR@ @WITH_ELFUTILS_SUBDIR@ @WITH_MAGIC_SUBDIR@ @WITH_DB_SUBDIR@ @WITH_SQLITE3_SUBDIR@ @WITH_POPT_SUBDIR@ @WITH_BEECRYPT_SUBDIR@ @WITH_NEON_SUBDIR@ lua rpmio rpmdb lib build @WITH_PYTHON_SUBDIR@ tools scripts doc . -+SUBDIRS = po misc @WITH_ZLIB_SUBDIR@ @WITH_ELFUTILS_SUBDIR@ @WITH_MAGIC_SUBDIR@ @WITH_DB_SUBDIR@ @WITH_SQLITE3_SUBDIR@ @WITH_POPT_SUBDIR@ @WITH_NEON_SUBDIR@ lua rpmio rpmdb lib build @WITH_PYTHON_SUBDIR@ tools scripts doc . - - INCLUDES = \ - -I$(top_srcdir)/build \ - -I$(top_srcdir)/lib \ - -I$(top_srcdir)/rpmdb \ - -I$(top_srcdir)/rpmio \ -- @WITH_BEECRYPT_INCLUDE@ \ -+ @WITH_NSS_INCLUDE@ \ - @WITH_POPT_INCLUDE@ \ - -I$(top_srcdir)/misc \ - @WITH_LIBELF_INCLUDE@ \ -@@ -25,7 +25,7 @@ INCLUDES = \ - - staticLDFLAGS = @LDFLAGS_STATIC@ @LDFLAGS_NPTL@ - --myLDFLAGS = @WITH_LIBELF_LIB@ @WITH_BEECRYPT_LIB@ -+myLDFLAGS = @WITH_LIBELF_LIB@ - - myLDADD = \ - $(top_builddir)/lib/librpm.la \ -@@ -33,6 +33,7 @@ myLDADD = \ - $(top_builddir)/rpmio/librpmio.la \ - @WITH_POPT_LIB@ \ - @WITH_ZLIB_LIB@ \ -+ @WITH_NSS_LIB@ \ - @LIBMISC@ - - rpmbindir = `echo $(bindir) | sed -e s,usr/bin,bin,` -@@ -71,7 +72,7 @@ rpmd.o: $(top_srcdir)/rpmqv.c - - rpmi_SOURCES = - #rpmi_LDFLAGS = $(myLDFLAGS) $(staticLDFLAGS) --#rpmi_LDADD = rpmi.o $(myLDADD) @WITH_LIBELF_LIB@ @WITH_BEECRYPT_LIB@ -+#rpmi_LDADD = rpmi.o $(myLDADD) @WITH_LIBELF_LIB@ - rpmi_LDFLAGS = $(myLDFLAGS) - rpmi_LDADD = rpmi.o $(myLDADD) - rpmi.o: $(top_srcdir)/rpmqv.c -@@ -112,7 +113,6 @@ lint: - `make -s sources -C lib` \ - `make -s sources -C rpmdb` \ - `make -s sources -C rpmio` \ -- `make -s sources -C beecrypt` \ - `make -s sources -C file/src` \ - `make -s sources -C popt` - -diff -r 
ec9e6c427068 autogen.sh ---- a/autogen.sh Wed Oct 24 16:02:51 2007 +0300 -+++ b/autogen.sh Thu Nov 01 10:56:58 2007 +0100 -@@ -48,9 +48,6 @@ if [ -d zlib ]; then - if [ -d zlib ]; then - (echo "--- zlib"; cd zlib; ./autogen.sh --noconfigure "$@") - fi --if [ -d beecrypt ]; then -- (echo "--- beecrypt"; cd beecrypt; ./autogen.sh --noconfigure "$@") --fi - if [ -d elfutils ]; then - (echo "--- elfutils"; cd elfutils; ./autogen.sh --noconfigure "$@") - fi -diff -r ec9e6c427068 build/Makefile.am ---- a/build/Makefile.am Wed Oct 24 16:02:51 2007 +0300 -+++ b/build/Makefile.am Thu Nov 01 10:56:58 2007 +0100 -@@ -9,7 +9,7 @@ INCLUDES = -I. \ - -I$(top_srcdir)/lib \ - -I$(top_srcdir)/rpmdb \ - -I$(top_srcdir)/rpmio \ -- @WITH_BEECRYPT_INCLUDE@ \ -+ @WITH_NSS_INCLUDE@ \ - @WITH_MAGIC_INCLUDE@ \ - @WITH_POPT_INCLUDE@ \ - @WITH_LIBELF_INCLUDE@ \ -diff -r ec9e6c427068 configure.ac ---- a/configure.ac Wed Oct 24 16:02:51 2007 +0300 -+++ b/configure.ac Thu Nov 01 10:56:58 2007 +0100 -@@ -463,34 +463,32 @@ AC_SUBST(WITH_LIBDWARF_DEBUGEDIT) - AC_SUBST(WITH_LIBDWARF_DEBUGEDIT) - - #================= --# Check for beecrypt library. Prefer external, otherwise internal. --WITH_BEECRYPT_SUBDIR= --WITH_BEECRYPT_INCLUDE= --WITH_BEECRYPT_LIB= --AC_CHECK_HEADER([beecrypt/beecrypt.h], [ -- AC_CHECK_LIB(beecrypt, mpfprintln, [ -- AC_DEFINE(HAVE_LIBBEECRYPT, 1, [Define to 1 if you have the 'beecrypt' library (-lbeecrypt).]) -- AC_CHECK_HEADER([beecrypt/api.h], [ -- AC_DEFINE(HAVE_BEECRYPT_API_H, 1, [Define to 1 if you have the header file.]) -- ]) -- WITH_BEECRYPT_INCLUDE="-I${includedir}/beecrypt" -- WITH_BEECRYPT_LIB="-lbeecrypt" -+# Check for NSS library. 
-+WITH_NSS_INCLUDE= -+WITH_NSS_LIB= -+check=`pkg-config --version 2>/dev/null` -+if test -n "$check"; then -+ addlib=$(pkg-config --libs nss | sed 's/-lsmime3//;s/-lssl3//') -+ addcppflags=$(pkg-config --cflags nss) -+else -+# Without pkg-config, we'll kludge in some defaults -+ addlib="-lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl" -+ addcppflags="-I/usr/include/nss3 -I/usr/include/nspr4" -+fi -+save_CPPFLAGS="$CPPFLAGS" -+CPPFLAGS="$save_CPPFLAGS $addcppflags" -+AC_CHECK_HEADER([nss3/nss.h], [ -+ AC_CHECK_LIB(nss3, NSS_NoDB_Init, [ -+ AC_DEFINE(HAVE_LIBNSS, 1, [Define to 1 if you have the 'NSS' library (-lnss3).]) -+ WITH_NSS_INCLUDE="$addcppflags" -+ WITH_NSS_LIB="$addlib" - ]) - ],[ -- if test -d beecrypt ; then -- AC_DEFINE(HAVE_LIBBEECRYPT, 1, [Define to 1 if you have the 'beecrypt' library (-lbeecrypt).]) -- WITH_BEECRYPT_SUBDIR=beecrypt -- WITH_BEECRYPT_INCLUDE="-I\${top_srcdir}/${WITH_BEECRYPT_SUBDIR}" -- WITH_BEECRYPT_LIB="\${top_builddir}/${WITH_BEECRYPT_SUBDIR}/libbeecrypt.la" -- fi -- -- if test -z "${WITH_BEECRYPT_LIB}" ; then -- AC_MSG_ERROR([rpm requires beecrypt]) -- fi --]) --AC_SUBST(WITH_BEECRYPT_SUBDIR) --AC_SUBST(WITH_BEECRYPT_INCLUDE) --AC_SUBST(WITH_BEECRYPT_LIB) -+ AC_MSG_ERROR([rpm requires NSS]) -+]) -+CPPFLAGS="$save_CPPFLAGS" -+AC_SUBST(WITH_NSS_INCLUDE) -+AC_SUBST(WITH_NSS_LIB) - - #================= - # Check for neon library. Prefer external, otherwise internal. -diff -r ec9e6c427068 lib/Makefile.am ---- a/lib/Makefile.am Wed Oct 24 16:02:51 2007 +0300 -+++ b/lib/Makefile.am Thu Nov 01 10:56:58 2007 +0100 -@@ -9,7 +9,7 @@ INCLUDES = -I. 
\ - -I$(top_srcdir)/build \ - -I$(top_srcdir)/rpmdb \ - -I$(top_srcdir)/rpmio \ -- @WITH_BEECRYPT_INCLUDE@ \ -+ @WITH_NSS_INCLUDE@ \ - @WITH_POPT_INCLUDE@ \ - -I$(top_srcdir)/misc \ - @INCPATH@ -diff -r ec9e6c427068 lib/formats.c ---- a/lib/formats.c Wed Oct 24 16:02:51 2007 +0300 -+++ b/lib/formats.c Thu Nov 01 10:56:58 2007 +0100 -@@ -210,23 +210,17 @@ static /*@only@*/ char * base64Format(in - int lc; - /* XXX HACK ALERT: element field abused as no. bytes of binary data. */ - size_t ns = element; -- size_t nt = ((ns + 2) / 3) * 4; -+ size_t nt = 0; - - /*@-boundswrite@*/ -- /*@-globs@*/ -- /* Add additional bytes necessary for eol string(s). */ -- if (b64encode_chars_per_line > 0 && b64encode_eolstr != NULL) { -- lc = (nt + b64encode_chars_per_line - 1) / b64encode_chars_per_line; -- if (((nt + b64encode_chars_per_line - 1) % b64encode_chars_per_line) != 0) -- ++lc; -- nt += lc * strlen(b64encode_eolstr); -+ if ((enc = b64encode(data, ns, -1)) != NULL) { -+ nt = strlen(enc); - } -- /*@=globs@*/ - - val = t = xmalloc(nt + padding + 1); - - *t = '\0'; -- if ((enc = b64encode(data, ns)) != NULL) { -+ if (enc != NULL) { - t = stpcpy(t, enc); - enc = _free(enc); - } -@@ -310,16 +304,13 @@ static /*@only@*/ char * xmlFormat(int_3 - xtag = "string"; - break; - case RPM_BIN_TYPE: -- { int cpl = b64encode_chars_per_line; --/*@-mods@*/ -- b64encode_chars_per_line = 0; --/*@=mods@*/ --/*@-formatconst@*/ -- s = base64Format(type, data, formatPrefix, padding, element); --/*@=formatconst@*/ --/*@-mods@*/ -- b64encode_chars_per_line = cpl; --/*@=mods@*/ -+ { -+ /* XXX HACK ALERT: element field abused as no. bytes of binary data. */ -+ size_t ns = element; -+ if ((s = b64encode(data, ns, 0)) == NULL) { -+ /* XXX proper error handling would be better. 
*/ -+ s = xcalloc(1, padding + (ns / 3) * 4 + 1); -+ } - xtag = "base64"; - } break; - case RPM_CHAR_TYPE: -diff -r ec9e6c427068 lib/package.c ---- a/lib/package.c Wed Oct 24 16:02:51 2007 +0300 -+++ b/lib/package.c Thu Nov 01 10:56:58 2007 +0100 -@@ -1008,11 +1008,9 @@ rpmRC rpmReadPackageFile(rpmts ts, FD_t - fddig->hashctx = NULL; - /*@switchbreak@*/ break; - case PGPHASHALGO_SHA1: --#if HAVE_BEECRYPT_API_H - case PGPHASHALGO_SHA256: - case PGPHASHALGO_SHA384: - case PGPHASHALGO_SHA512: --#endif - dig->sha1ctx = fddig->hashctx; - fddig->hashctx = NULL; - /*@switchbreak@*/ break; -diff -r ec9e6c427068 lib/rpmchecksig.c ---- a/lib/rpmchecksig.c Wed Oct 24 16:02:51 2007 +0300 -+++ b/lib/rpmchecksig.c Thu Nov 01 10:56:58 2007 +0100 -@@ -447,7 +447,7 @@ rpmRC rpmcliImportPubkey(const rpmts ts, - if (rpmtsOpenDB(ts, (O_RDWR|O_CREAT))) - return RPMRC_FAIL; - -- if ((enc = b64encode(pkt, pktlen)) == NULL) -+ if ((enc = b64encode(pkt, pktlen, -1)) == NULL) - goto exit; - - dig = pgpNewDig(); -@@ -698,11 +698,9 @@ assert(dig->md5ctx == NULL); - fddig->hashctx = NULL; - /*@switchbreak@*/ break; - case PGPHASHALGO_SHA1: --#if HAVE_BEECRYPT_API_H - case PGPHASHALGO_SHA256: - case PGPHASHALGO_SHA384: - case PGPHASHALGO_SHA512: --#endif - assert(dig->sha1ctx == NULL); - dig->sha1ctx = fddig->hashctx; - fddig->hashctx = NULL; -diff -r ec9e6c427068 lib/rpmts.c ---- a/lib/rpmts.c Wed Oct 24 16:02:51 2007 +0300 -+++ b/lib/rpmts.c Thu Nov 01 10:56:58 2007 +0100 -@@ -4,7 +4,7 @@ - */ - #include "system.h" - --#include "rpmio_internal.h" /* XXX for pgp and beecrypt */ -+#include "rpmio_internal.h" /* XXX for pgp */ - #include - #include /* XXX rpmtsOpenDB() needs rpmGetPath */ - -diff -r ec9e6c427068 lib/signature.c ---- a/lib/signature.c Wed Oct 24 16:02:51 2007 +0300 -+++ b/lib/signature.c Thu Nov 01 10:56:58 2007 +0100 -@@ -1215,9 +1215,10 @@ verifyRSASignature(rpmts ts, /*@out@*/ c - int_32 sigtag = rpmtsSigtag(ts); - pgpDig dig = rpmtsDig(ts); - pgpDigParams sigp = 
rpmtsSignature(ts); -- const char * prefix = NULL; -+ SECOidTag sigalg; - rpmRC res = RPMRC_OK; - int xx; -+ SECItem digest; - - *t = '\0'; - if (dig != NULL && dig->hdrmd5ctx == md5ctx) -@@ -1248,43 +1249,40 @@ verifyRSASignature(rpmts ts, /*@out@*/ c - switch (sigp->hash_algo) { - case PGPHASHALGO_MD5: - t = stpcpy(t, " RSA/MD5"); -- prefix = "3020300c06082a864886f70d020505000410"; -+ sigalg = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION; - break; - case PGPHASHALGO_SHA1: - t = stpcpy(t, " RSA/SHA1"); -- prefix = "3021300906052b0e03021a05000414"; -+ sigalg = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION; - break; - case PGPHASHALGO_RIPEMD160: - res = RPMRC_NOKEY; -- prefix = NULL; - break; - case PGPHASHALGO_MD2: - t = stpcpy(t, " RSA/MD2"); -- prefix = "3020300c06082a864886f70d020205000410"; -+ sigalg = SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION; - break; - case PGPHASHALGO_TIGER192: - res = RPMRC_NOKEY; -- prefix = NULL; - break; - case PGPHASHALGO_HAVAL_5_160: - res = RPMRC_NOKEY; -- prefix = NULL; - break; - case PGPHASHALGO_SHA256: - t = stpcpy(t, " RSA/SHA256"); -- prefix = "3031300d060960864801650304020105000420"; -+ sigalg = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION; - break; - case PGPHASHALGO_SHA384: - t = stpcpy(t, " RSA/SHA384"); -- prefix = "3041300d060960864801650304020205000430"; -+ sigalg = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION; - break; - case PGPHASHALGO_SHA512: - t = stpcpy(t, " RSA/SHA512"); -- prefix = "3051300d060960864801650304020305000440"; -+ sigalg = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION; - break; - default: - res = RPMRC_NOKEY; -- prefix = NULL; -+ sigalg = SEC_OID_UNKNOWN; - break; - } - -@@ -1295,8 +1293,6 @@ verifyRSASignature(rpmts ts, /*@out@*/ c - - (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_DIGEST), 0); - { DIGEST_CTX ctx = rpmDigestDup(md5ctx); -- byte signhash16[2]; -- const char * s; - - if (sigp->hash != NULL) - xx = rpmDigestUpdate(ctx, sigp->hash, sigp->hashlen); -@@ -1313,40 +1309,18 @@ verifyRSASignature(rpmts ts, /*@out@*/ c - } - #endif 
- -- xx = rpmDigestFinal(ctx, (void **)&dig->md5, &dig->md5len, 1); -+ xx = rpmDigestFinal(ctx, (void **)&dig->md5, &dig->md5len, 0); - (void) rpmswExit(rpmtsOp(ts, RPMTS_OP_DIGEST), sigp->hashlen); - rpmtsOp(ts, RPMTS_OP_DIGEST)->count--; /* XXX one too many */ - - /* Compare leading 16 bits of digest for quick check. */ -- s = dig->md5; -- signhash16[0] = (nibble(s[0]) << 4) | nibble(s[1]); -- signhash16[1] = (nibble(s[2]) << 4) | nibble(s[3]); -- if (memcmp(signhash16, sigp->signhash16, sizeof(signhash16))) { -+ if (memcmp(dig->md5, sigp->signhash16, 2)) { - res = RPMRC_FAIL; - goto exit; - } -- } -- -- /* Generate RSA modulus parameter. */ -- { unsigned int nbits = MP_WORDS_TO_BITS(dig->c.size); -- unsigned int nb = (nbits + 7) >> 3; -- const char * hexstr; -- char * tt; -- --assert(prefix != NULL); -- hexstr = tt = xmalloc(2 * nb + 1); -- memset(tt, 'f', (2 * nb)); -- tt[0] = '0'; tt[1] = '0'; -- tt[2] = '0'; tt[3] = '1'; -- tt += (2 * nb) - strlen(prefix) - strlen(dig->md5) - 2; -- *tt++ = '0'; *tt++ = '0'; -- tt = stpcpy(tt, prefix); -- tt = stpcpy(tt, dig->md5); -- -- mpnzero(&dig->rsahm); (void) mpnsethex(&dig->rsahm, hexstr); -- -- hexstr = _free(hexstr); -- -+ digest.type = siBuffer; -+ digest.data = dig->md5; -+ digest.len = dig->md5len; - } - - /* Retrieve the matching public key. 
*/ -@@ -1355,12 +1329,7 @@ assert(prefix != NULL); - goto exit; - - (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_SIGNATURE), 0); --#if HAVE_BEECRYPT_API_H -- xx = rsavrfy(&dig->rsa_pk.n, &dig->rsa_pk.e, &dig->c, &dig->rsahm); --#else -- xx = rsavrfy(&dig->rsa_pk, &dig->rsahm, &dig->c); --#endif -- if (xx) -+ if (VFY_VerifyDigest(&digest, dig->rsa, dig->rsasig, sigalg, NULL) == SECSuccess) - res = RPMRC_OK; - else - res = RPMRC_FAIL; -@@ -1401,6 +1370,7 @@ verifyDSASignature(rpmts ts, /*@out@*/ c - pgpDigParams sigp = rpmtsSignature(ts); - rpmRC res; - int xx; -+ SECItem digest; - - *t = '\0'; - if (dig != NULL && dig->hdrsha1ctx == sha1ctx) -@@ -1428,7 +1398,6 @@ verifyDSASignature(rpmts ts, /*@out@*/ c - - (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_DIGEST), 0); - { DIGEST_CTX ctx = rpmDigestDup(sha1ctx); -- byte signhash16[2]; - - if (sigp->hash != NULL) - xx = rpmDigestUpdate(ctx, sigp->hash, sigp->hashlen); -@@ -1442,19 +1411,18 @@ verifyDSASignature(rpmts ts, /*@out@*/ c - memcpy(trailer+2, &nb, sizeof(nb)); - xx = rpmDigestUpdate(ctx, trailer, sizeof(trailer)); - } -- xx = rpmDigestFinal(ctx, (void **)&dig->sha1, &dig->sha1len, 1); -+ xx = rpmDigestFinal(ctx, (void **)&dig->sha1, &dig->sha1len, 0); - (void) rpmswExit(rpmtsOp(ts, RPMTS_OP_DIGEST), sigp->hashlen); - rpmtsOp(ts, RPMTS_OP_DIGEST)->count--; /* XXX one too many */ - -- mpnzero(&dig->hm); (void) mpnsethex(&dig->hm, dig->sha1); -- - /* Compare leading 16 bits of digest for quick check. */ -- signhash16[0] = (*dig->hm.data >> 24) & 0xff; -- signhash16[1] = (*dig->hm.data >> 16) & 0xff; -- if (memcmp(signhash16, sigp->signhash16, sizeof(signhash16))) { -+ if (memcmp(dig->sha1, sigp->signhash16, 2)) { - res = RPMRC_FAIL; - goto exit; - } -+ digest.type = siBuffer; -+ digest.data = dig->sha1; -+ digest.len = dig->sha1len; - } - - /* Retrieve the matching public key. 
*/ -@@ -1463,8 +1431,8 @@ verifyDSASignature(rpmts ts, /*@out@*/ c - goto exit; - - (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_SIGNATURE), 0); -- if (dsavrfy(&dig->p, &dig->q, &dig->g, -- &dig->hm, &dig->y, &dig->r, &dig->s)) -+ if (VFY_VerifyDigest(&digest, dig->dsa, dig->dsasig, -+ SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST, NULL) == SECSuccess) - res = RPMRC_OK; - else - res = RPMRC_FAIL; -diff -r ec9e6c427068 python/Makefile.am ---- a/python/Makefile.am Wed Oct 24 16:02:51 2007 +0300 -+++ b/python/Makefile.am Thu Nov 01 10:56:58 2007 +0100 -@@ -17,7 +17,7 @@ INCLUDES = -I. \ - -I$(top_srcdir)/rpmdb \ - -I$(top_srcdir)/rpmio \ - @WITH_LIBELF_INCLUDE@ \ -- @WITH_BEECRYPT_INCLUDE@ \ -+ @WITH_NSS_INCLUDE@ \ - @WITH_POPT_INCLUDE@ \ - -I$(top_srcdir)/misc \ - -I$(pyincdir) \ -@@ -42,7 +42,7 @@ rpm_LTLIBRARIES = _rpmmodule.la - rpm_LTLIBRARIES = _rpmmodule.la - - _rpmmodule_la_LDFLAGS = $(mylibs) $(LIBS) -module -avoid-version --_rpmmodule_la_LIBADD = @WITH_BEECRYPT_LIB@ -+_rpmmodule_la_LIBADD = @WITH_NSS_LIB@ - - _rpmmodule_la_SOURCES = rpmmodule.c header-py.c \ - rpmal-py.c rpmds-py.c rpmdb-py.c rpmfd-py.c rpmfts-py.c \ -diff -r ec9e6c427068 rpmdb/Makefile.am ---- a/rpmdb/Makefile.am Wed Oct 24 16:02:51 2007 +0300 -+++ b/rpmdb/Makefile.am Thu Nov 01 10:56:58 2007 +0100 -@@ -9,7 +9,7 @@ INCLUDES = -I. \ - -I$(top_srcdir)/build \ - -I$(top_srcdir)/lib \ - -I$(top_srcdir)/rpmio \ -- @WITH_BEECRYPT_INCLUDE@ \ -+ @WITH_NSS_INCLUDE@ \ - @WITH_POPT_INCLUDE@ \ - -I$(top_srcdir)/misc \ - @WITH_SQLITE3_INCLUDE@ \ -diff -r ec9e6c427068 rpmio/Makefile.am ---- a/rpmio/Makefile.am Wed Oct 24 16:02:51 2007 +0300 -+++ b/rpmio/Makefile.am Thu Nov 01 10:56:58 2007 +0100 -@@ -10,7 +10,7 @@ EXTRA_PROGRAMS = tax tdigest tdir tfts t - - INCLUDES = -I. \ - -I$(top_srcdir) \ -- @WITH_BEECRYPT_INCLUDE@ \ -+ @WITH_NSS_INCLUDE@ \ - @WITH_NEON_INCLUDE@ \ - @WITH_LUA_INCLUDE@ \ - @WITH_POPT_INCLUDE@ \ -@@ -19,23 +19,21 @@ INCLUDES = -I. 
\ - - pkgincdir = $(pkgincludedir) - pkginc_HEADERS = \ -- argv.h fts.h rpmdav.h \ -+ argv.h base64.h fts.h rpmdav.h \ - rpmio.h rpmurl.h rpmmacro.h rpmlog.h rpmmessages.h rpmerr.h rpmpgp.h \ - rpmsq.h rpmsw.h ugid.h - noinst_HEADERS = rpmio_internal.h rpmlua.h rpmhook.h -- --BEECRYPTLOBJS = $(shell test X"@WITH_BEECRYPT_SUBDIR@" != X && cat $(top_builddir)/@WITH_BEECTYPT_SUBDIR@/listobjs) - - LDFLAGS = -L$(RPM_BUILD_ROOT)$(usrlibdir) -L$(DESTDIR)$(usrlibdir) - - usrlibdir = $(libdir)@MARK64@ - usrlib_LTLIBRARIES = librpmio.la - librpmio_la_SOURCES = \ -- argv.c digest.c fts.c macro.c rpmdav.c \ -+ argv.c base64.c digest.c fts.c macro.c rpmdav.c \ - rpmhook.c rpmio.c rpmlog.c rpmlua.c rpmmalloc.c \ - rpmpgp.c rpmrpc.c rpmsq.c rpmsw.c strcasecmp.c stubs.c url.c ugid.c - librpmio_la_LDFLAGS = -release 4.4 $(LDFLAGS) \ -- @WITH_BEECRYPT_LIB@ \ -+ @WITH_NSS_LIB@ \ - @WITH_NEON_LIB@ \ - @WITH_LUA_LIB@ \ - @WITH_MAGIC_LIB@ \ -@@ -44,22 +42,10 @@ librpmio_la_LIBADD = # $(BEECRYPTLOBJS) - librpmio_la_LIBADD = # $(BEECRYPTLOBJS) - librpmio_la_DEPENDENCIES = # .created - --.created: -- if test X"@WITH_BEECRYPT_SUBDIR@" != X; then \ -- ${MAKE} -C $(top_builddir)/@WITH_BEECRYPT_SUBDIR@ listobjs ; \ -- for lo in $(BEECRYPTLOBJS); do \ -- [ -f $$lo ] || $(LN_S) $(top_builddir)/@WITH_BEECRYPT_SUBDIR@/$$lo $$lo ; \ -- done \ -- fi -- touch $@ -- --clean-local: -- rm -f $(BEECRYPTLOBJS) *.o .created -- - #BUILT_SOURCES = rpmio.lcd - - rpmio.lcd: Makefile.am ${librpmio_la_SOURCES} ${pkginc_HEADERS} ${noinst_HEADERS} -- -lclint -load ../beecrypt/beecrypt.lcd $(DEFS) $(INCLUDES) $(librpmio_la_SOURCES) -dump $@ 2>/dev/null -+ -lclint -load $(DEFS) $(INCLUDES) $(librpmio_la_SOURCES) -dump $@ 2>/dev/null - - .PHONY: sources - sources: -@@ -105,7 +91,6 @@ tinv_LDADD = librpmio.la $(top_builddir) - tinv_LDADD = librpmio.la $(top_builddir)/popt/libpopt.la - - tkey_SOURCES = tkey.c --tkey_LDFLAGS = @LDFLAGS_STATIC@ - tkey_LDADD = librpmio.la $(top_builddir)/popt/libpopt.la - - tring_SOURCES 
= tring.c -diff -r ec9e6c427068 rpmio/base64.c ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/rpmio/base64.c Thu Nov 01 10:56:58 2007 +0100 -@@ -0,0 +1,254 @@ -+/* base64 encoder/decoder based on public domain implementation -+ * by Chris Venter */ -+ -+#include -+#include -+#include "base64.h" -+ -+static char base64_encode_value(char value_in) -+{ -+ static const char encoding[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; -+ if (value_in > 63) return '='; -+ return encoding[(int)value_in]; -+} -+ -+static char *base64_encode_block(const char *plaintext_in, int length_in, char *codechar) -+{ -+ const char *plainchar = plaintext_in; -+ const char *const plaintextend = plaintext_in + length_in; -+ char result; -+ char fragment; -+ -+ while (1) { -+ if (plainchar == plaintextend) { -+ return codechar; -+ } -+ fragment = *plainchar++; -+ result = (fragment & 0x0fc) >> 2; -+ *codechar++ = base64_encode_value(result); -+ result = (fragment & 0x003) << 4; -+ if (plainchar == plaintextend) -+ { -+ *codechar++ = base64_encode_value(result); -+ *codechar++ = '='; -+ *codechar++ = '='; -+ return codechar; -+ } -+ fragment = *plainchar++; -+ result |= (fragment & 0x0f0) >> 4; -+ *codechar++ = base64_encode_value(result); -+ result = (fragment & 0x00f) << 2; -+ if (plainchar == plaintextend) -+ { -+ *codechar++ = base64_encode_value(result); -+ *codechar++ = '='; -+ return codechar; -+ } -+ fragment = *plainchar++; -+ result |= (fragment & 0x0c0) >> 6; -+ *codechar++ = base64_encode_value(result); -+ result = (fragment & 0x03f) >> 0; -+ *codechar++ = base64_encode_value(result); -+ } -+ /* control should not reach here */ -+ return codechar; -+} -+ -+#define BASE64_DEFAULT_LINE_LENGTH 64 -+ -+char *b64encode(const void *data, size_t len, int linelen) -+{ -+ size_t encodedlen; -+ const char *dataptr = data; -+ char *output; -+ char *outptr; -+ -+ if (data == NULL) -+ return NULL; -+ -+ if (linelen < 0) -+ linelen = BASE64_DEFAULT_LINE_LENGTH; -+ 
-+ linelen /= 4;
-+ encodedlen = ((len + 2) / 3) * 4;
-+ if (linelen > 0) {
-+ encodedlen += encodedlen/(linelen * 4) + 1;
-+ }
-+ ++encodedlen; /* for zero termination */
-+
-+ output = malloc(encodedlen);
-+ if (output == NULL)
-+ return NULL;
-+
-+ outptr = output;
-+ while (len > 0) {
-+ if (linelen > 0 && len > linelen * 3) {
-+ outptr = base64_encode_block(dataptr, linelen * 3, outptr);
-+ len -= linelen * 3;
-+ dataptr += linelen * 3;
-+ } else {
-+ outptr = base64_encode_block(dataptr, len, outptr);
-+ len = 0;
-+ }
-+ if (linelen > 0) {
-+ *outptr++ = '\n';
-+ }
-+ }
-+ *outptr = '\0';
-+ return output;
-+}
-+
-+static int base64_decode_value(char value_in)
-+{
-+ static const char decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51};
-+ static const char decoding_size = sizeof(decoding);
-+ value_in -= 43;
-+ if (value_in < 0 || value_in > decoding_size)
-+ return -1;
-+ return decoding[(int)value_in];
-+}
-+
-+static size_t base64_decode_block(const char *code_in, const size_t length_in, char *plaintext_out)
-+{
-+ const char *codechar = code_in;
-+ char *plainchar = plaintext_out;
-+ char fragment;
-+
-+ *plainchar = 0;
-+
-+ while (1)
-+ {
-+ do {
-+ if (codechar == code_in+length_in)
-+ {
-+ return plainchar - plaintext_out;
-+ }
-+ fragment = (char)base64_decode_value(*codechar++);
-+ } while (fragment < 0);
-+ *plainchar = (fragment & 0x03f) << 2;
-+
-+ do {
-+ if (codechar == code_in+length_in)
-+ {
-+ return plainchar - plaintext_out;
-+ }
-+ fragment = (char)base64_decode_value(*codechar++);
-+ } while (fragment < 0);
-+ *plainchar++ |= (fragment & 0x030) >> 4;
-+ *plainchar = (fragment & 0x00f) << 4;
-+
-+ do {
-+ if (codechar == code_in+length_in)
-+ {
-+ return plainchar - plaintext_out;
-+ }
-+ fragment = (char)base64_decode_value(*codechar++);
-+ }
while (fragment < 0);
-+ *plainchar++ |= (fragment & 0x03c) >> 2;
-+ *plainchar = (fragment & 0x003) << 6;
-+
-+ do {
-+ if (codechar == code_in+length_in)
-+ {
-+ return plainchar - plaintext_out;
-+ }
-+ fragment = (char)base64_decode_value(*codechar++);
-+ } while (fragment < 0);
-+ *plainchar++ |= (fragment & 0x03f);
-+ }
-+ /* control should not reach here */
-+ return plainchar - plaintext_out;
-+}
-+
-+int b64decode(const char *in, void **out, size_t *outlen)
-+{
-+ size_t outcnt = 0;
-+ const char *inptr = in;
-+
-+ *out = NULL;
-+
-+ if (in == NULL) {
-+ return 1;
-+ }
-+
-+ while (*inptr != '\0') {
-+ /* assume all ASCII control chars as whitespace */
-+ if (*inptr > 32) {
-+ if (base64_decode_value(*inptr) != -1) {
-+ ++outcnt;
-+ } else {
-+ return 3;
-+ }
-+ }
-+ ++inptr;
-+ }
-+
-+ if (outcnt % 4 != 0)
-+ return 2;
-+
-+ outcnt = (outcnt / 4) * 3;
-+
-+ *out = malloc(outcnt + 1); /* base64_decode_block can write one extra character */
-+
-+ if (*out == NULL)
-+ return 4;
-+
-+ *outlen = base64_decode_block(in, inptr - in, *out);
-+
-+ return 0;
-+}
-+
-+#define CRC24_INIT 0xb704ce
-+#define CRC24_POLY 0x1864cfb
-+
-+char *b64crc(const unsigned char *data, size_t len)
-+{
-+ uint32_t crc = CRC24_INIT;
-+ int i;
-+
-+ while (len--) {
-+ crc ^= (*data++) << 16;
-+ for (i = 0; i < 8; i++) {
-+ crc <<= 1;
-+ if (crc & 0x1000000)
-+ crc ^= CRC24_POLY;
-+ }
-+ }
-+ crc = htonl(crc & 0xffffff);
-+ data = (unsigned char *)&crc;
-+ ++data;
-+ return b64encode(data, 3, 0);
-+}
-+
-+#ifdef BASE64_TEST
-+#include
-+#include
-+
-+int main(int argc, char *argv[])
-+{
-+ static char tst[]="wtrt8122čLýáj\x20s ~ýhž\t4\x02šjjmBvž^%$RTš#á.íěj\x1hčýčŤc+";
-+ char *encoded;
-+ void *decoded;
-+ size_t size;
-+ int err;
-+ printf("Original: %lu\n%s\n", sizeof(tst)-1, tst);
-+ encoded = b64encode(tst, sizeof(tst)-1, 64);
-+ printf("Encoded: %lu\n%s\n", strlen(encoded), encoded);
-+ if ((err = b64decode(encoded, &decoded, &size)) != 0) {
-+ fprintf(stderr, "Error in decode:
%d\n", err);
-+ return 1;
-+ }
-+ printf("Decoded:\n%.*s\n", (int)size, (char *)decoded);
-+ if (size != sizeof(tst)-1) {
-+ fprintf(stderr, "Size differs orig: %lu new: %lu\n", sizeof(tst)-1, size);
-+ return 1;
-+ }
-+ if (memcmp(tst, decoded, size) != 0) {
-+ fprintf(stderr, "Decoded data differs.\n");
-+ return 1;
-+ }
-+ fprintf(stderr, "OK\n");
-+ return 0;
-+}
-+#endif
-+
-diff -r ec9e6c427068 rpmio/base64.h
---- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/rpmio/base64.h Thu Nov 01 10:56:58 2007 +0100
-@@ -0,0 +1,29 @@
-+/* base64 encoder/decoder based on public domain implementation
-+ * by Chris Venter */
-+
-+#include
-+
-+/* returns malloced base64 encoded string
-+ * lines are split with \n characters to be nearest lower multiple of linelen
-+ * if linelen/4 == 0 lines are not split
-+ * if linelen < 0 default line length (64) is used
-+ * the returned string is empty when len == 0
-+ * returns NULL on failures
-+ */
-+char *b64encode(const void *data, size_t len, int linelen);
-+
-+/* decodes from zero terminated base64 encoded string to a newly malloced buffer
-+ * ignores whitespace characters in the input string
-+ * return values:
-+ * 0 - OK
-+ * 1 - input is NULL
-+ * 2 - invalid length
-+ * 3 - invalid characters on input
-+ * 4 - malloc failed
-+ */
-+int b64decode(const char *in, void **out, size_t *outlen);
-+
-+/* counts CRC24 and base64 encodes it in a malloced string
-+ * returns NULL on failures
-+ */
-+char *b64crc(const unsigned char *data, size_t len);
-diff -r ec9e6c427068 rpmio/digest.c
---- a/rpmio/digest.c Wed Oct 24 16:02:51 2007 +0300
-+++ b/rpmio/digest.c Thu Nov 01 10:56:58 2007 +0100
-@@ -19,16 +19,7 @@
- */
- struct DIGEST_CTX_s {
- rpmDigestFlags flags; /*!< Bit(s) to control digest operation. */
-- uint32_t datalen; /*!< No. bytes in block of plaintext data. */
-- uint32_t paramlen; /*!< No. bytes of digest parameters. */
-- uint32_t digestlen; /*!< No. bytes of digest. */
-- void * param; /*!< Digest parameters.
*/
-- int (*Reset) (void * param)
-- /*@modifies param @*/; /*!< Digest initialize. */
-- int (*Update) (void * param, const byte * data, size_t size)
-- /*@modifies param @*/; /*!< Digest transform. */
-- int (*Digest) (void * param, /*@out@*/ byte * digest)
-- /*@modifies param, digest @*/; /*!< Digest finish. */
-+ HASHContext *hashctx; /*!< Internal NSS hash context. */
- };
-
- /*@-boundsread@*/
-@@ -37,115 +28,101 @@ rpmDigestDup(DIGEST_CTX octx)
- {
- DIGEST_CTX nctx;
- nctx = memcpy(xcalloc(1, sizeof(*nctx)), octx, sizeof(*nctx));
-- nctx->param = memcpy(xcalloc(1, nctx->paramlen), octx->param, nctx->paramlen);
-+ nctx->hashctx = HASH_Clone(octx->hashctx);
-+ if (nctx->hashctx == NULL) {
-+ fprintf(stderr, "HASH_Clone failed\n");
-+ exit(EXIT_FAILURE); /* FIX: callers do not bother checking error return */
-+ }
- return nctx;
- }
- /*@=boundsread@*/
-
--DIGEST_CTX
--rpmDigestInit(pgpHashAlgo hashalgo, rpmDigestFlags flags)
-+static HASH_HashType
-+getHashType(pgpHashAlgo hashalgo)
- {
-- DIGEST_CTX ctx = xcalloc(1, sizeof(*ctx));
-- int xx;
--
-- ctx->flags = flags;
--
- switch (hashalgo) {
- case PGPHASHALGO_MD5:
-- ctx->digestlen = 16;
-- ctx->datalen = 64;
--/*@-sizeoftype@*/ /* FIX: union, not void pointer */
-- ctx->paramlen = sizeof(md5Param);
--/*@=sizeoftype@*/
-- ctx->param = xcalloc(1, ctx->paramlen);
--/*@-type@*/ /* FIX: cast? */
-- ctx->Reset = (void *) md5Reset;
-- ctx->Update = (void *) md5Update;
-- ctx->Digest = (void *) md5Digest;
--/*@=type@*/
-+ return HASH_AlgMD5;
- break;
- case PGPHASHALGO_SHA1:
-- ctx->digestlen = 20;
-- ctx->datalen = 64;
--/*@-sizeoftype@*/ /* FIX: union, not void pointer */
-- ctx->paramlen = sizeof(sha1Param);
--/*@=sizeoftype@*/
-- ctx->param = xcalloc(1, ctx->paramlen);
--/*@-type@*/ /* FIX: cast?
*/
-- ctx->Reset = (void *) sha1Reset;
-- ctx->Update = (void *) sha1Update;
-- ctx->Digest = (void *) sha1Digest;
--/*@=type@*/
-+ return HASH_AlgSHA1;
- break;
--#if HAVE_BEECRYPT_API_H
- case PGPHASHALGO_SHA256:
-- ctx->digestlen = 32;
-- ctx->datalen = 64;
--/*@-sizeoftype@*/ /* FIX: union, not void pointer */
-- ctx->paramlen = sizeof(sha256Param);
--/*@=sizeoftype@*/
-- ctx->param = xcalloc(1, ctx->paramlen);
--/*@-type@*/ /* FIX: cast? */
-- ctx->Reset = (void *) sha256Reset;
-- ctx->Update = (void *) sha256Update;
-- ctx->Digest = (void *) sha256Digest;
--/*@=type@*/
-+ return HASH_AlgSHA256;
- break;
- case PGPHASHALGO_SHA384:
-- ctx->digestlen = 48;
-- ctx->datalen = 128;
--/*@-sizeoftype@*/ /* FIX: union, not void pointer */
-- ctx->paramlen = sizeof(sha384Param);
--/*@=sizeoftype@*/
-- ctx->param = xcalloc(1, ctx->paramlen);
--/*@-type@*/ /* FIX: cast? */
-- ctx->Reset = (void *) sha384Reset;
-- ctx->Update = (void *) sha384Update;
-- ctx->Digest = (void *) sha384Digest;
--/*@=type@*/
-+ return HASH_AlgSHA384;
- break;
- case PGPHASHALGO_SHA512:
-- ctx->digestlen = 64;
-- ctx->datalen = 128;
--/*@-sizeoftype@*/ /* FIX: union, not void pointer */
-- ctx->paramlen = sizeof(sha512Param);
--/*@=sizeoftype@*/
-- ctx->param = xcalloc(1, ctx->paramlen);
--/*@-type@*/ /* FIX: cast?
*/
-- ctx->Reset = (void *) sha512Reset;
-- ctx->Update = (void *) sha512Update;
-- ctx->Digest = (void *) sha512Digest;
--/*@=type@*/
-+ return HASH_AlgSHA512;
- break;
--#endif
- case PGPHASHALGO_RIPEMD160:
- case PGPHASHALGO_MD2:
- case PGPHASHALGO_TIGER192:
- case PGPHASHALGO_HAVAL_5_160:
- default:
-+ return HASH_AlgNULL;
-+ /*@notreached@*/ break;
-+ }
-+}
-+
-+size_t
-+rpmDigestLength(pgpHashAlgo hashalgo)
-+{
-+ return HASH_ResultLen(getHashType(hashalgo));
-+}
-+
-+DIGEST_CTX
-+rpmDigestInit(pgpHashAlgo hashalgo, rpmDigestFlags flags)
-+{
-+ HASH_HashType type;
-+ DIGEST_CTX ctx = xcalloc(1, sizeof(*ctx));
-+
-+ if (NSS_NoDB_Init(NULL) != SECSuccess)
-+ return NULL;
-+
-+ ctx->flags = flags;
-+
-+ type = getHashType(hashalgo);
-+ if (type == HASH_AlgNULL) {
- free(ctx);
- return NULL;
-- /*@notreached@*/ break;
- }
-
--/*@-boundsread@*/
-- xx = (*ctx->Reset) (ctx->param);
--/*@=boundsread@*/
-+ ctx->hashctx = HASH_Create(type);
-+ if (ctx->hashctx == NULL) {
-+ free(ctx);
-+ return NULL;
-+ }
-
--DPRINTF((stderr, "*** Init(%x) ctx %p param %p\n", flags, ctx, ctx->param));
-+ HASH_Begin(ctx->hashctx);
-+
-+DPRINTF((stderr, "*** Init(%x) ctx %p hashctx %p\n", flags, ctx, ctx->hashctx));
- return ctx;
- }
-
--/*@-mustmod@*/ /* LCL: ctx->param may be modified, but ctx is abstract @*/
-+/*@-mustmod@*/ /* LCL: ctx->hashctx may be modified, but ctx is abstract @*/
- int
- rpmDigestUpdate(DIGEST_CTX ctx, const void * data, size_t len)
- {
-+ unsigned int partlen;
-+ const unsigned char *ptr = data;
-+
- if (ctx == NULL)
- return -1;
-
--DPRINTF((stderr, "*** Update(%p,%p,%d) param %p \"%s\"\n", ctx, data, len, ctx->param, ((char *)data)));
-+DPRINTF((stderr, "*** Update(%p,%p,%d) hashctx %p \"%s\"\n", ctx, data, len, ctx->hashctx, ((char *)data)));
- /*@-boundsread@*/
-- return (*ctx->Update) (ctx->param, data, len);
-+ partlen = ~(unsigned int)0xFF;
-+ while (len > 0) {
-+ if (len < partlen) {
-+ partlen = (unsigned int)len;
-+ }
-+ HASH_Update(ctx->hashctx, ptr,
partlen);
-+ ptr += partlen;
-+ len -= partlen;
-+ }
-+ return 0;
- /*@=boundsread@*/
- }
- /*@=mustmod@*/
-@@ -154,35 +131,37 @@ int
- int
- rpmDigestFinal(DIGEST_CTX ctx, void ** datap, size_t *lenp, int asAscii)
- {
-- byte * digest;
-+ unsigned char * digest;
- char * t;
- int i;
-+ unsigned int digestlen;
-
- if (ctx == NULL)
- return -1;
-- digest = xmalloc(ctx->digestlen);
-+ digestlen = HASH_ResultLenContext(ctx->hashctx);
-+ digest = xmalloc(digestlen);
-
--DPRINTF((stderr, "*** Final(%p,%p,%p,%d) param %p digest %p\n", ctx, datap, lenp, asAscii, ctx->param, digest));
--/*@-noeffectuncon@*/ /* FIX: check rc */
-- (void) (*ctx->Digest) (ctx->param, digest);
-+DPRINTF((stderr, "*** Final(%p,%p,%p,%d) hashctx %p digest %p\n", ctx, datap, lenp, asAscii, ctx->hashctx, digest));
-+/*@-noeffectuncon@*/
-+ HASH_End(ctx->hashctx, digest, &digestlen, digestlen);
- /*@=noeffectuncon@*/
-
- /* Return final digest. */
- /*@-branchstate@*/
- if (!asAscii) {
-- if (lenp) *lenp = ctx->digestlen;
-+ if (lenp) *lenp = digestlen;
- if (datap) {
- *datap = digest;
- digest = NULL;
- }
- } else {
-- if (lenp) *lenp = (2*ctx->digestlen) + 1;
-+ if (lenp) *lenp = (2*digestlen) + 1;
- if (datap) {
- const byte * s = (const byte *) digest;
- static const char hex[] = "0123456789abcdef";
-
-- *datap = t = xmalloc((2*ctx->digestlen) + 1);
-- for (i = 0 ; i < ctx->digestlen; i++) {
-+ *datap = t = xmalloc((2*digestlen) + 1);
-+ for (i = 0 ; i < digestlen; i++) {
- *t++ = hex[ (unsigned)((*s >> 4) & 0x0f) ];
- *t++ = hex[ (unsigned)((*s++ ) & 0x0f) ];
- }
-@@ -191,11 +170,10 @@ DPRINTF((stderr, "*** Final(%p,%p,%p,%d)
- }
- /*@=branchstate@*/
- if (digest) {
-- memset(digest, 0, ctx->digestlen); /* In case it's sensitive */
-+ memset(digest, 0, digestlen); /* In case it's sensitive */
- free(digest);
- }
-- memset(ctx->param, 0, ctx->paramlen); /* In case it's sensitive */
-- free(ctx->param);
-+ HASH_Destroy(ctx->hashctx);
- memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */
- free(ctx);
- return 0;
-diff -r ec9e6c427068 rpmio/rpmio_internal.h
---- a/rpmio/rpmio_internal.h Wed Oct 24 16:02:51 2007 +0300
-+++ b/rpmio/rpmio_internal.h Thu Nov 01 10:56:58 2007 +0100
-@@ -9,30 +9,14 @@
- #include
- #include
-
--#if HAVE_BEECRYPT_API_H
--#include
--#else
--#include
--#endif
--
- #include
- #include
--
--/* Drag in the beecrypt includes. */
--#include
- #include
--#include
--#include
--#include
--#include
--#include
--#include
--#include
--#if HAVE_BEECRYPT_API_H
--#include
--#include
--#include
--#endif
-+
-+#include "nss.h"
-+#include "sechash.h"
-+#include "keyhi.h"
-+#include "cryptohi.h"
-
- /** \ingroup rpmio
- * Values parsed from OpenPGP signature/pubkey packet(s).
-@@ -85,20 +69,13 @@ struct pgpDig_s {
- void * md5; /*!< (rsa) V3 signature hash. */
- size_t md5len; /*!< (rsa) V3 signature hash length. */
-
-- /* DSA parameters. */
-- mpbarrett p;
-- mpbarrett q;
-- mpnumber g;
-- mpnumber y;
-- mpnumber hm;
-- mpnumber r;
-- mpnumber s;
--
-- /* RSA parameters.
*/ -- rsapk rsa_pk; -- mpnumber m; -- mpnumber c; -- mpnumber rsahm; -+ /* DSA parameters */ -+ SECKEYPublicKey *dsa; -+ SECItem *dsasig; -+ -+ /* RSA parameters */ -+ SECKEYPublicKey *rsa; -+ SECItem *rsasig; - }; - - /** \ingroup rpmio -diff -r ec9e6c427068 rpmio/rpmpgp.c ---- a/rpmio/rpmpgp.c Wed Oct 24 16:02:51 2007 +0300 -+++ b/rpmio/rpmpgp.c Thu Nov 01 10:56:58 2007 +0100 -@@ -260,38 +260,100 @@ const char * pgpMpiHex(const byte *p) - /** - * @return 0 on success - */ --static int pgpHexSet(const char * pre, int lbits, -- /*@out@*/ mpnumber * mpn, const byte * p, const byte * pend) -+static int pgpMpiSet(const char * pre, int lbits, -+ /*@out@*/ void *dest, const byte * p, const byte * pend) - /*@globals fileSystem @*/ -- /*@modifies mpn, fileSystem @*/ -+ /*@modifies dest, fileSystem @*/ - { - unsigned int mbits = pgpMpiBits(p); - unsigned int nbits; - unsigned int nbytes; -- char * t; -+ char *t = dest; - unsigned int ix; - - if ((p + ((mbits+7) >> 3)) > pend) - return 1; - -+ if (mbits > lbits) -+ return 1; -+ - nbits = (lbits > mbits ? 
lbits : mbits); - nbytes = ((nbits + 7) >> 3); -- t = xmalloc(2*nbytes+1); -- ix = 2 * ((nbits - mbits) >> 3); -+ ix = (nbits - mbits) >> 3; - - if (_debug) --fprintf(stderr, "*** mbits %u nbits %u nbytes %u t %p[%d] ix %u\n", mbits, nbits, nbytes, t, (2*nbytes+1), ix); -- if (ix > 0) memset(t, (int)'0', ix); -- strcpy(t+ix, pgpMpiHex(p)); -+fprintf(stderr, "*** mbits %u nbits %u nbytes %u ix %u\n", mbits, nbits, nbytes, ix); -+ if (ix > 0) memset(t, '\0', ix); -+ memcpy(t+ix, p+2, nbytes-ix); - if (_debug) --fprintf(stderr, "*** %s %s\n", pre, t); -- (void) mpnsethex(mpn, t); -- t = _free(t); --if (_debug && _print) --fprintf(stderr, "\t %s ", pre), mpfprintln(stderr, mpn->size, mpn->data); -+fprintf(stderr, "*** %s %s\n", pre, pgpHexStr(dest, nbytes)); -+ - return 0; - } -+ -+/** -+ * @return NULL on error -+ */ -+static SECItem *pgpMpiItem(PRArenaPool *arena, /*@out@*/ SECItem *item, const byte *p) -+ /*@globals fileSystem @*/ -+ /*@modifies dest, fileSystem @*/ -+{ -+ unsigned int nbytes = pgpMpiLen(p)-2; -+ -+ if (item == NULL) { -+ if ((item=SECITEM_AllocItem(arena, item, nbytes)) == NULL) -+ return item; -+ } else { -+ if (arena != NULL) -+ item->data = PORT_ArenaGrow(arena, item->data, item->len, nbytes); -+ else -+ item->data = PORT_Realloc(item->data, nbytes); -+ -+ if (item->data == NULL) { -+ if (arena == NULL) -+ SECITEM_FreeItem(item, PR_TRUE); -+ return NULL; -+ } -+ } -+ -+ memcpy(item->data, p+2, nbytes); -+ item->len = nbytes; -+ return item; -+} - /*@=boundswrite@*/ -+ -+static SECKEYPublicKey *pgpNewPublicKey(KeyType type) -+{ -+ PRArenaPool *arena; -+ SECKEYPublicKey *key; -+ -+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); -+ if (arena == NULL) -+ return NULL; -+ -+ key = PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey)); -+ -+ if (key == NULL) { -+ PORT_FreeArena(arena, PR_FALSE); -+ return NULL; -+ } -+ -+ key->keyType = type; -+ key->pkcs11ID = CK_INVALID_HANDLE; -+ key->pkcs11Slot = NULL; -+ key->arena = arena; -+ return key; -+} -+ 
-+static SECKEYPublicKey *pgpNewRSAKey(void) -+{ -+ return pgpNewPublicKey(rsaKey); -+} -+ -+static SECKEYPublicKey *pgpNewDSAKey(void) -+{ -+ return pgpNewPublicKey(dsaKey); -+} - - int pgpPrtSubType(const byte *h, unsigned int hlen, pgpSigType sigtype) - { -@@ -407,6 +469,10 @@ static const char * pgpSigDSA[] = { - }; - /*@=varuse =readonlytrans @*/ - -+#ifndef DSA_SUBPRIME_LEN -+#define DSA_SUBPRIME_LEN 20 -+#endif -+ - static int pgpPrtSigParams(/*@unused@*/ pgpTag tag, byte pubkey_algo, byte sigtype, - const byte *p, const byte *h, unsigned int hlen) - /*@globals fileSystem @*/ -@@ -414,7 +480,13 @@ static int pgpPrtSigParams(/*@unused@*/ - { - const byte * pend = h + hlen; - int i; -- -+ SECItem dsaraw; -+ unsigned char dsabuf[2*DSA_SUBPRIME_LEN]; -+ -+ dsaraw.type = 0; -+ dsaraw.data = dsabuf; -+ dsaraw.len = sizeof(dsabuf); -+ - for (i = 0; p < pend; i++, p += pgpMpiLen(p)) { - if (pubkey_algo == PGPPUBKEYALGO_RSA) { - if (i >= 1) break; -@@ -423,9 +495,9 @@ static int pgpPrtSigParams(/*@unused@*/ - { - switch (i) { - case 0: /* m**d */ -- (void) mpnsethex(&_dig->c, pgpMpiHex(p)); --if (_debug && _print) --fprintf(stderr, "\t m**d = "), mpfprintln(stderr, _dig->c.size, _dig->c.data); -+ _dig->rsasig = pgpMpiItem(NULL, _dig->rsasig, p); -+ if (_dig->rsasig == NULL) -+ return 1; - /*@switchbreak@*/ break; - default: - /*@switchbreak@*/ break; -@@ -440,11 +512,21 @@ fprintf(stderr, "\t m**d = "), mpfprin - int xx; - xx = 0; - switch (i) { -- case 0: /* r */ -- xx = pgpHexSet(pgpSigDSA[i], 160, &_dig->r, p, pend); -+ case 0: -+ memset(dsaraw.data, '\0', 2*DSA_SUBPRIME_LEN); -+ /* r */ -+ xx = pgpMpiSet(pgpSigDSA[i], DSA_SUBPRIME_LEN*8, dsaraw.data, p, pend); - /*@switchbreak@*/ break; - case 1: /* s */ -- xx = pgpHexSet(pgpSigDSA[i], 160, &_dig->s, p, pend); -+ xx = pgpMpiSet(pgpSigDSA[i], DSA_SUBPRIME_LEN*8, dsaraw.data + DSA_SUBPRIME_LEN, p, pend); -+ if (_dig->dsasig != NULL) -+ SECITEM_FreeItem(_dig->dsasig, PR_FALSE); -+ else if 
((_dig->dsasig=SECITEM_AllocItem(NULL, NULL, 0)) == NULL) { -+ xx = 1; -+ /*@switchbreak@*/ break; -+ } -+ if (DSAU_EncodeDerSig(_dig->dsasig, &dsaraw) != SECSuccess) -+ xx = 1; - /*@switchbreak@*/ break; - default: - xx = 1; -@@ -629,16 +711,17 @@ static const byte * pgpPrtPubkeyParams(b - if (pubkey_algo == PGPPUBKEYALGO_RSA) { - if (i >= 2) break; - if (_dig) { -+ if (_dig->rsa == NULL) { -+ _dig->rsa = pgpNewRSAKey(); -+ if (_dig->rsa == NULL) -+ break; /* error abort? */ -+ } - switch (i) { - case 0: /* n */ -- (void) mpbsethex(&_dig->rsa_pk.n, pgpMpiHex(p)); --if (_debug && _print) --fprintf(stderr, "\t n = "), mpfprintln(stderr, _dig->rsa_pk.n.size, _dig->rsa_pk.n.modl); -+ pgpMpiItem(_dig->rsa->arena, &_dig->rsa->u.rsa.modulus, p); - /*@switchbreak@*/ break; - case 1: /* e */ -- (void) mpnsethex(&_dig->rsa_pk.e, pgpMpiHex(p)); --if (_debug && _print) --fprintf(stderr, "\t e = "), mpfprintln(stderr, _dig->rsa_pk.e.size, _dig->rsa_pk.e.data); -+ pgpMpiItem(_dig->rsa->arena, &_dig->rsa->u.rsa.publicExponent, p); - /*@switchbreak@*/ break; - default: - /*@switchbreak@*/ break; -@@ -648,26 +731,23 @@ fprintf(stderr, "\t e = "), mpfprin - } else if (pubkey_algo == PGPPUBKEYALGO_DSA) { - if (i >= 4) break; - if (_dig) { -+ if (_dig->dsa == NULL) { -+ _dig->dsa = pgpNewDSAKey(); -+ if (_dig->dsa == NULL) -+ break; /* error abort? 
*/ -+ } - switch (i) { - case 0: /* p */ -- (void) mpbsethex(&_dig->p, pgpMpiHex(p)); --if (_debug && _print) --fprintf(stderr, "\t p = "), mpfprintln(stderr, _dig->p.size, _dig->p.modl); -+ pgpMpiItem(_dig->dsa->arena, &_dig->dsa->u.dsa.params.prime, p); - /*@switchbreak@*/ break; - case 1: /* q */ -- (void) mpbsethex(&_dig->q, pgpMpiHex(p)); --if (_debug && _print) --fprintf(stderr, "\t q = "), mpfprintln(stderr, _dig->q.size, _dig->q.modl); -+ pgpMpiItem(_dig->dsa->arena, &_dig->dsa->u.dsa.params.subPrime, p); - /*@switchbreak@*/ break; - case 2: /* g */ -- (void) mpnsethex(&_dig->g, pgpMpiHex(p)); --if (_debug && _print) --fprintf(stderr, "\t g = "), mpfprintln(stderr, _dig->g.size, _dig->g.data); -+ pgpMpiItem(_dig->dsa->arena, &_dig->dsa->u.dsa.params.base, p); - /*@switchbreak@*/ break; - case 3: /* y */ -- (void) mpnsethex(&_dig->y, pgpMpiHex(p)); --if (_debug && _print) --fprintf(stderr, "\t y = "), mpfprintln(stderr, _dig->y.size, _dig->y.data); -+ pgpMpiItem(_dig->dsa->arena, &_dig->dsa->u.dsa.publicValue, p); - /*@switchbreak@*/ break; - default: - /*@switchbreak@*/ break; -@@ -1014,6 +1094,8 @@ pgpDig pgpNewDig(void) - pgpDig pgpNewDig(void) - { - pgpDig dig = xcalloc(1, sizeof(*dig)); -+ NSS_NoDB_Init(NULL); -+ - return dig; - } - -@@ -1038,14 +1120,27 @@ void pgpCleanDig(pgpDig dig) - - dig->md5 = _free(dig->md5); - dig->sha1 = _free(dig->sha1); -- mpnfree(&dig->hm); -- mpnfree(&dig->r); -- mpnfree(&dig->s); -- -- (void) rsapkFree(&dig->rsa_pk); -- mpnfree(&dig->m); -- mpnfree(&dig->c); -- mpnfree(&dig->rsahm); -+ -+ if (dig->dsa != NULL) { -+ SECKEY_DestroyPublicKey(dig->dsa); -+ dig->dsa = NULL; -+ } -+ -+ if (dig->dsasig != NULL) { -+ SECITEM_ZfreeItem(dig->dsasig, PR_TRUE); -+ dig->dsasig = NULL; -+ } -+ -+ if (dig->rsa != NULL) { -+ SECKEY_DestroyPublicKey(dig->rsa); -+ dig->rsa = NULL; -+ } -+ -+ if (dig->rsasig != NULL) { -+ SECITEM_ZfreeItem(dig->rsasig, PR_TRUE); -+ dig->rsasig = NULL; -+ } -+ - } - /*@-nullstate@*/ - return; -@@ -1072,14 
+1167,6 @@ pgpDig pgpFreeDig(/*@only@*/ /*@null@*/ - (void) rpmDigestFinal(dig->sha1ctx, NULL, NULL, 0); - /*@=branchstate@*/ - dig->sha1ctx = NULL; -- -- mpbfree(&dig->p); -- mpbfree(&dig->q); -- mpnfree(&dig->g); -- mpnfree(&dig->y); -- mpnfree(&dig->hm); -- mpnfree(&dig->r); -- mpnfree(&dig->s); - - #ifdef NOTYET - /*@-branchstate@*/ -@@ -1094,12 +1181,6 @@ pgpDig pgpFreeDig(/*@only@*/ /*@null@*/ - (void) rpmDigestFinal(dig->md5ctx, NULL, NULL, 0); - /*@=branchstate@*/ - dig->md5ctx = NULL; -- -- mpbfree(&dig->rsa_pk.n); -- mpnfree(&dig->rsa_pk.e); -- mpnfree(&dig->m); -- mpnfree(&dig->c); -- mpnfree(&dig->hm); - - dig = _free(dig); - } -@@ -1286,20 +1367,13 @@ char * pgpArmorWrap(int atype, const uns - { - const char * enc; - char * t; -- size_t nt; -+ size_t nt = 0; - char * val; -- int lc; -- -- nt = ((ns + 2) / 3) * 4; -- /*@-globs@*/ -- /* Add additional bytes necessary for eol string(s). */ -- if (b64encode_chars_per_line > 0 && b64encode_eolstr != NULL) { -- lc = (nt + b64encode_chars_per_line - 1) / b64encode_chars_per_line; -- if (((nt + b64encode_chars_per_line - 1) % b64encode_chars_per_line) != 0) -- ++lc; -- nt += lc * strlen(b64encode_eolstr); -- } -- /*@=globs@*/ -+ -+ enc = b64encode(s, ns, -1); -+ if (enc != NULL) { -+ nt = strlen(enc); -+ } - - nt += 512; /* XXX slop for armor and crc */ - -@@ -1311,9 +1385,9 @@ char * pgpArmorWrap(int atype, const uns - /*@-globs@*/ - t = stpcpy( stpcpy(t, "-----\nVersion: rpm-"), VERSION); - /*@=globs@*/ -- t = stpcpy(t, " (beecrypt-4.1.2)\n\n"); -- -- if ((enc = b64encode(s, ns)) != NULL) { -+ t = stpcpy(t, " (NSS-3)\n\n"); -+ -+ if (enc != NULL) { - t = stpcpy(t, enc); - enc = _free(enc); - if ((enc = b64crc(s, ns)) != NULL) { -diff -r ec9e6c427068 rpmio/rpmpgp.h ---- a/rpmio/rpmpgp.h Wed Oct 24 16:02:51 2007 +0300 -+++ b/rpmio/rpmpgp.h Thu Nov 01 10:56:58 2007 +0100 -@@ -12,11 +12,7 @@ - - #include - --#if !defined(_BEECRYPT_API_H) --/*@-redef@*/ - typedef unsigned char byte; --/*@=redef@*/ --#endif /* 
_BEECRYPT_API_H */ - - /** - */ -@@ -1393,6 +1389,15 @@ DIGEST_CTX rpmDigestDup(DIGEST_CTX octx) - /*@*/; - - /** \ingroup rpmio -+ * Obtain digest length in bytes. -+ * @param hashalgo type of digest -+ * @return digest length -+ */ -+/*@only@*/ /*@null@*/ -+size_t rpmDigestLength(pgpHashAlgo hashalgo) -+ /*@*/; -+ -+/** \ingroup rpmio - * Initialize digest. - * Set bit count to 0 and buffer to mysterious initialization constants. - * @param hashalgo type of digest -diff -r ec9e6c427068 rpmio/tkey.c ---- a/rpmio/tkey.c Wed Oct 24 16:02:51 2007 +0300 -+++ b/rpmio/tkey.c Thu Nov 01 10:56:58 2007 +0100 -@@ -31,7 +31,7 @@ fprintf(stderr, "*** sig is\n%s\n", sig) - return rc; - } - -- if ((enc = b64encode(dec, declen)) == NULL) { -+ if ((enc = b64encode(dec, declen, -1)) == NULL) { - fprintf(stderr, "*** b64encode failed\n"); - return rc; - } -@@ -51,52 +51,40 @@ fprintf(stderr, "??? %5d %02x != %02x '% - return rc; - } - --/* FIPS-186 test vectors. */ --static const char * fips_p = "8df2a494492276aa3d25759bb06869cbeac0d83afb8d0cf7cbb8324f0d7882e5d0762fc5b7210eafc2e9adac32ab7aac49693dfbf83724c2ec0736ee31c80291"; --static const char * fips_q = "c773218c737ec8ee993b4f2ded30f48edace915f"; --static const char * fips_g = "626d027839ea0a13413163a55b4cb500299d5522956cefcb3bff10f399ce2c2e71cb9de5fa24babf58e5b79521925c9cc42e9f6f464b088cc572af53e6d78802"; -- --static const char * fips_hm = "a9993e364706816aba3e25717850c26c9cd0d89d"; -- --static const char * fips_y = "19131871d75b1612a819f29d78d1b0d7346f7aa77bb62a859bfd6c5675da9d212d3a36ef1672ef660b8c7c255cc0ec74858fba33f44c06699630a76b030ee333"; -- --static const char * fips_r = "8bac1ab66410435cb7181f95b16ab97c92b341c0"; --static const char * fips_s = "41e2345f1f56df2458f426d155b4ba2db6dcd8c8"; -- - /* Secret key */ --static const char * jbjSecretDSA = " --lQFvBDu6XHwRAwCTIHRgKeIlOFUIEZeJVYSrXn0eUrM5S8OF471tTc+IV7AwiXBR --zCFCan4lO1ipmoAipyN2A6ZX0HWOcWdYlWz2adxA7l8JNiZTzkemA562xwex2wLy 
--AQWVTtRN6jv0LccAoN4UWZkIvkT6tV918sEvDEggGARxAv9190RhrDq/GMqd+AHm --qWrRkrBRHDUBBL2fYEuU3gFekYrW5CDIN6s3Mcq/yUsvwHl7bwmoqbf2qabbyfnv --Y66ETOPKLcw67ggcptHXHcwlvpfJmHKpjK+ByzgauPXXbRAC+gKDjzXL0kAQxjmT --2D+16O4vI8Emlx2JVcGLlq/aWhspvQWIzN6PytA3iKZ6uzesrM7yXmqzgodZUsJh --1wwl/0K5OIJn/oD41UayU8RXNER8SzDYvDYsJymFRwE1s58lL/8DAwJUAllw1pdZ --WmBIoAvRiv7kE6hWfeCvZzdBVgrHYrp8ceUa3OdulGfYw/0sIzpEU0FfZmFjdG9y --OgAA30gJ4JMFKVfthnDCHHL+O8lNxykKBmrgVPLClue0KUplZmYgSm9obnNvbiAo --QVJTIE4zTlBRKSA8amJqQHJlZGhhdC5jb20+iFcEExECABcFAju6XHwFCwcKAwQD --FQMCAxYCAQIXgAAKCRCB0qVW2I6DmQU6AJ490bVWZuM4yCOh8MWj6qApCr1/gwCf --f3+QgXFXAeTyPtMmReyWxThABtE= -+static const char * jbjSecretDSA = "\n\ -+lQFvBDu6XHwRAwCTIHRgKeIlOFUIEZeJVYSrXn0eUrM5S8OF471tTc+IV7AwiXBR\n\ -+zCFCan4lO1ipmoAipyN2A6ZX0HWOcWdYlWz2adxA7l8JNiZTzkemA562xwex2wLy\n\ -+AQWVTtRN6jv0LccAoN4UWZkIvkT6tV918sEvDEggGARxAv9190RhrDq/GMqd+AHm\n\ -+qWrRkrBRHDUBBL2fYEuU3gFekYrW5CDIN6s3Mcq/yUsvwHl7bwmoqbf2qabbyfnv\n\ -+Y66ETOPKLcw67ggcptHXHcwlvpfJmHKpjK+ByzgauPXXbRAC+gKDjzXL0kAQxjmT\n\ -+2D+16O4vI8Emlx2JVcGLlq/aWhspvQWIzN6PytA3iKZ6uzesrM7yXmqzgodZUsJh\n\ -+1wwl/0K5OIJn/oD41UayU8RXNER8SzDYvDYsJymFRwE1s58lL/8DAwJUAllw1pdZ\n\ -+WmBIoAvRiv7kE6hWfeCvZzdBVgrHYrp8ceUa3OdulGfYw/0sIzpEU0FfZmFjdG9y\n\ -+OgAA30gJ4JMFKVfthnDCHHL+O8lNxykKBmrgVPLClue0KUplZmYgSm9obnNvbiAo\n\ -+QVJTIE4zTlBRKSA8amJqQHJlZGhhdC5jb20+iFcEExECABcFAju6XHwFCwcKAwQD\n\ -+FQMCAxYCAQIXgAAKCRCB0qVW2I6DmQU6AJ490bVWZuM4yCOh8MWj6qApCr1/gwCf\n\ -+f3+QgXFXAeTyPtMmReyWxThABtE=\n\ - "; - - /* Public key */ --static const char * jbjPublicDSA = " --mQFCBDu6XHwRAwCTIHRgKeIlOFUIEZeJVYSrXn0eUrM5S8OF471tTc+IV7AwiXBR --zCFCan4lO1ipmoAipyN2A6ZX0HWOcWdYlWz2adxA7l8JNiZTzkemA562xwex2wLy --AQWVTtRN6jv0LccAoN4UWZkIvkT6tV918sEvDEggGARxAv9190RhrDq/GMqd+AHm --qWrRkrBRHDUBBL2fYEuU3gFekYrW5CDIN6s3Mcq/yUsvwHl7bwmoqbf2qabbyfnv --Y66ETOPKLcw67ggcptHXHcwlvpfJmHKpjK+ByzgauPXXbRAC+gKDjzXL0kAQxjmT --2D+16O4vI8Emlx2JVcGLlq/aWhspvQWIzN6PytA3iKZ6uzesrM7yXmqzgodZUsJh 
--1wwl/0K5OIJn/oD41UayU8RXNER8SzDYvDYsJymFRwE1s58lL7QpSmVmZiBKb2hu --c29uIChBUlMgTjNOUFEpIDxqYmpAcmVkaGF0LmNvbT6IVwQTEQIAFwUCO7pcfAUL --BwoDBAMVAwIDFgIBAheAAAoJEIHSpVbYjoOZBToAn3TXaAI+bhg51EeyaiFip/6W --OVwBAJ44rTtNsgZBQxXISjB64CWxl4VaWQ== -+static const char * jbjPublicDSA = "\n\ -+mQFCBDu6XHwRAwCTIHRgKeIlOFUIEZeJVYSrXn0eUrM5S8OF471tTc+IV7AwiXBR\n\ -+zCFCan4lO1ipmoAipyN2A6ZX0HWOcWdYlWz2adxA7l8JNiZTzkemA562xwex2wLy\n\ -+AQWVTtRN6jv0LccAoN4UWZkIvkT6tV918sEvDEggGARxAv9190RhrDq/GMqd+AHm\n\ -+qWrRkrBRHDUBBL2fYEuU3gFekYrW5CDIN6s3Mcq/yUsvwHl7bwmoqbf2qabbyfnv\n\ -+Y66ETOPKLcw67ggcptHXHcwlvpfJmHKpjK+ByzgauPXXbRAC+gKDjzXL0kAQxjmT\n\ -+2D+16O4vI8Emlx2JVcGLlq/aWhspvQWIzN6PytA3iKZ6uzesrM7yXmqzgodZUsJh\n\ -+1wwl/0K5OIJn/oD41UayU8RXNER8SzDYvDYsJymFRwE1s58lL7QpSmVmZiBKb2hu\n\ -+c29uIChBUlMgTjNOUFEpIDxqYmpAcmVkaGF0LmNvbT6IVwQTEQIAFwUCO7pcfAUL\n\ -+BwoDBAMVAwIDFgIBAheAAAoJEIHSpVbYjoOZBToAn3TXaAI+bhg51EeyaiFip/6W\n\ -+OVwBAJ44rTtNsgZBQxXISjB64CWxl4VaWQ==\n\ - "; - - /* Signature */ --static const char * abcSignatureDSA = " --iD8DBQA7vII+gdKlVtiOg5kRAvg4AJ0fV3gDBADobAnK2HOkV88bfmFMEgCeNysO --nP3dWWJnp0Pnbor7pIob4Dk= -+static const char * abcSignatureDSA = "\n\ -+iD8DBQA7vII+gdKlVtiOg5kRAvg4AJ0fV3gDBADobAnK2HOkV88bfmFMEgCeNysO\n\ -+nP3dWWJnp0Pnbor7pIob4Dk=\n\ - "; - - int -@@ -107,28 +95,6 @@ main (int argc, char *argv[]) - int rc; - - dig = pgpNewDig(); -- -- mpbzero(&dig->p); mpbsethex(&dig->p, fips_p); -- mpbzero(&dig->q); mpbsethex(&dig->q, fips_q); -- mpnzero(&dig->g); mpnsethex(&dig->g, fips_g); -- mpnzero(&dig->y); mpnsethex(&dig->y, fips_y); -- mpnzero(&dig->r); mpnsethex(&dig->r, fips_r); -- mpnzero(&dig->s); mpnsethex(&dig->s, fips_s); -- mpnzero(&dig->hm); mpnsethex(&dig->hm, fips_hm); -- -- rc = dsavrfy(&dig->p, &dig->q, &dig->g, &dig->hm, -- &dig->y, &dig->r, &dig->s); -- --fprintf(stderr, "=============================== DSA FIPS-186-1: rc %d\n", rc); -- -- mpbfree(&dig->p); -- mpbfree(&dig->q); -- mpnfree(&dig->g); -- mpnfree(&dig->y); -- -- mpnfree(&dig->hm); -- 
mpnfree(&dig->r); -- mpnfree(&dig->s); - - fprintf(stderr, "=============================== GPG Secret Key\n"); - if ((rc = doit(jbjSecretDSA, dig, printing)) != 0) -@@ -144,39 +110,33 @@ fprintf(stderr, "======================= - - { DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA1, RPMDIGEST_NONE); - struct pgpDigParams_s * dsig = &dig->signature; -- const char * digest = NULL; -+ void *digest = NULL; - size_t digestlen = 0; - const char * txt = "abc"; -+ SECItem digitem; - - rpmDigestUpdate(ctx, txt, strlen(txt)); - rpmDigestUpdate(ctx, dsig->hash, dsig->hashlen); -- rpmDigestFinal(ctx, (void **)&digest, &digestlen, 1); -+ rpmDigestFinal(ctx, &digest, &digestlen, 0); - -- mpnzero(&dig->hm); mpnsethex(&dig->hm, digest); -+fprintf(stderr, "\n hm = [ 160]: %s\n\n", pgpHexStr(digest, digestlen)); -+ digitem.type = siBuffer; -+ digitem.data = digest; -+ digitem.len = digestlen; - --fprintf(stderr, "\n hm = [ 160]: %s\n\n", digest); -+ rc = VFY_VerifyDigest(&digitem, dig->dsa, dig->dsasig, SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST, NULL); - - if (digest) { -- free((void *)digest); -+ free(digest); - digest = NULL; - } - } - -- rc = dsavrfy(&dig->p, &dig->q, &dig->g, &dig->hm, -- &dig->y, &dig->r, &dig->s); - - fprintf(stderr, "=============================== DSA verify: rc %d\n", rc); -- -- mpbfree(&dig->p); -- mpbfree(&dig->q); -- mpnfree(&dig->g); -- mpnfree(&dig->y); -- -- mpnfree(&dig->hm); -- mpnfree(&dig->r); -- mpnfree(&dig->s); - - dig = pgpFreeDig(dig); - - return rc; - } -+ -diff -r ec9e6c427068 tools/Makefile.am ---- a/tools/Makefile.am Wed Oct 24 16:02:51 2007 +0300 -+++ b/tools/Makefile.am Thu Nov 01 10:56:58 2007 +0100 -@@ -8,7 +8,7 @@ INCLUDES = -I. 
\ - -I$(top_srcdir)/lib \ - -I$(top_srcdir)/rpmdb \ - -I$(top_srcdir)/rpmio \ -- @WITH_BEECRYPT_INCLUDE@ \ -+ @WITH_NSS_INCLUDE@ \ - @WITH_POPT_INCLUDE@ \ - @WITH_LIBELF_INCLUDE@ \ - @WITH_LIBDWARF_INCLUDE@ \ -@@ -36,10 +36,10 @@ convertdb1_SOURCES = convertdb1.c - convertdb1_SOURCES = convertdb1.c - - debugedit_SOURCES = debugedit.c hashtab.c --#debugedit_LDADD = @LDFLAGS_STATIC@ \ --debugedit_LDADD = \ -+debugedit_CFLAGS = $(INCLUDES) -+#debugedit_LDFLAGS = $(staticLDFLAGS) -+debugedit_LDADD = $(top_builddir)/rpmio/librpmio.la \ - @WITH_LIBELF_LIB@ \ -- @WITH_BEECRYPT_LIB@ \ - @WITH_POPT_LIB@ - - javadeps_SOURCES = javadeps.c -diff -r ec9e6c427068 tools/debugedit.c ---- a/tools/debugedit.c Wed Oct 24 16:02:51 2007 +0300 -+++ b/tools/debugedit.c Thu Nov 01 10:56:58 2007 +0100 -@@ -36,8 +36,8 @@ - #include - #include - --#include -- -+#include -+#include - #include "hashtab.h" - - #define DW_TAG_partial_unit 0x3c -@@ -1304,22 +1304,27 @@ error_out: - return NULL; - } - -+static const pgpHashAlgo algorithms[] = { PGPHASHALGO_MD5, -+ PGPHASHALGO_SHA1, PGPHASHALGO_SHA256, PGPHASHALGO_SHA384, PGPHASHALGO_SHA512 }; -+ - /* Compute a fresh build ID bit-string from the editted file contents. 
*/ - static void - handle_build_id (DSO *dso, Elf_Data *build_id, - size_t build_id_offset, size_t build_id_size) - { -- hashFunctionContext ctx; -- const hashFunction *hf = NULL; -- int i = hashFunctionCount (); -+ DIGEST_CTX ctx; -+ pgpHashAlgo algorithm; -+ int i = sizeof(algorithms)/sizeof(algorithms[0]); -+ void *digest = NULL; -+ size_t len; - - while (i-- > 0) - { -- hf = hashFunctionGet (i); -- if (hf != NULL && hf->digestsize == build_id_size) -+ algorithm = algorithms[i]; -+ if (rpmDigestLength(algorithm) == build_id_size) - break; - } -- if (hf == NULL) -+ if (i < 0) - { - fprintf (stderr, "Cannot handle %Zu-byte build ID\n", build_id_size); - exit (1); -@@ -1335,7 +1340,7 @@ handle_build_id (DSO *dso, Elf_Data *bui - /* Clear the old bits so they do not affect the new hash. */ - memset ((char *) build_id->d_buf + build_id_offset, 0, build_id_size); - -- hashFunctionContextInit (&ctx, hf); -+ ctx = rpmDigestInit(algorithm, 0); - - /* Slurp the relevant header bits and section contents and feed them - into the hash function. The only bits we ignore are the offset -@@ -1349,8 +1354,7 @@ handle_build_id (DSO *dso, Elf_Data *bui - inline void process (const void *data, size_t size); - inline void process (const void *data, size_t size) - { -- memchunk chunk = { .data = (void *) data, .size = size }; -- hashFunctionContextUpdateMC (&ctx, &chunk); -+ rpmDigestUpdate(ctx, data, size); - } - - union -@@ -1405,22 +1409,17 @@ handle_build_id (DSO *dso, Elf_Data *bui - } - } - -- hashFunctionContextDigest (&ctx, (byte *) build_id->d_buf + build_id_offset); -- hashFunctionContextFree (&ctx); -+ rpmDigestFinal(ctx, &digest, &len, 0); -+ memcpy((unsigned char *)build_id->d_buf + build_id_offset, digest, build_id_size); -+ free(digest); - - elf_flagdata (build_id, ELF_C_SET, ELF_F_DIRTY); - - /* Now format the build ID bits in hex to print out. 
*/ - { -- const unsigned char * id = build_id->d_buf + build_id_offset; -+ const byte * id = (byte *)build_id->d_buf + build_id_offset; - char hex[build_id_size * 2 + 1]; -- int n = snprintf (hex, 3, "%02" PRIx8, id[0]); -- assert (n == 2); -- for (i = 1; i < build_id_size; ++i) -- { -- n = snprintf (&hex[i * 2], 3, "%02" PRIx8, id[i]); -- assert (n == 2); -- } -+ pgpHexCvt(hex, id, build_id_size); - puts (hex); - } - } diff --git a/rpm-4.4.2.2-osgideps.patch b/rpm-4.4.2.2-osgideps.patch deleted file mode 100644 index 877fee4..0000000 --- a/rpm-4.4.2.2-osgideps.patch +++ /dev/null 
@@ -1,197 +0,0 @@ -changeset: 6184:9de21aa6bd62 -tag: tip -user: Panu Matilainen -date: Thu Sep 06 08:19:03 2007 +0300 -files: scripts/Makefile.am scripts/osgideps.pl -description: -Add OSGi dependency extractor script from Kyu Lee -(transplanted from 838c8ccfcf2619369e76bdca375721e049052dc8) - - -diff -r 358dd9d838a6 -r 9de21aa6bd62 scripts/Makefile.am ---- a/scripts/Makefile.am Thu Oct 11 14:14:00 2007 +0300 -+++ b/scripts/Makefile.am Thu Sep 06 08:19:03 2007 +0300 -@@ -21,7 +21,7 @@ EXTRA_DIST = \ - sql.prov sql.req tcl.req tgpg trpm u_pkg.sh \ - vpkg-provides.sh vpkg-provides2.sh \ - macros.perl* macros.python* \ -- macros.php* find-*.php find-php-* mono-find* -+ macros.php* find-*.php find-php-* mono-find* osgideps.pl - - installprefix = $(DESTDIR) - -@@ -38,7 +38,7 @@ config_SCRIPTS = \ - cpanflute cpanflute2 Specfile.pm find-provides.perl \ - find-requires.perl freshen.sh get_magic.pl getpo.sh http.req \ - magic.prov magic.req perldeps.pl perl.prov perl.req pythondeps.sh \ -- mono-find-requires mono-find-provides \ -+ mono-find-requires mono-find-provides osgideps.pl \ - rpmdb_loadcvt rpmdiff rpmdiff.cgi \ - rpm.daily rpm.log rpm.xinetd rpm2cpio.sh \ - sql.prov sql.req tcl.req tgpg trpm u_pkg.sh \ -diff -r 358dd9d838a6 -r 9de21aa6bd62 scripts/osgideps.pl ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/scripts/osgideps.pl Thu Sep 06 08:19:03 2007 +0300 -@@ -0,0 +1,161 @@ -+#!/usr/bin/perl -+ -+ -+use Cwd; -+use Getopt::Long; -+ -+ -+$cdir = getcwd(); -+$TEMPDIR="/tmp"; -+$MANIFEST_NAME="META-INF/MANIFEST.MF"; -+ -+ -+# prepare temporary directory -+if (! (-d $TEMPDIR)) { -+ if (($_ = `mkdir $TEMPDIR`) != 0) {exit 1;} -+ elsif (! 
(-w $TEMPDIR) && (-x $TEMPDIR)) {exit 1;} -+} -+ -+# parse options -+my ($show_provides, $show_requires); -+ -+my $result = GetOptions("provides" => \$show_provides, -+ "requires" => \$show_requires); -+ -+exit(1) if (not $result); -+ -+ -+ -+@allfiles = ; -+ -+if ($show_provides) { -+ do_provides(@allfiles); -+} -+ -+if ($show_requires) { -+ do_requires(@allfiles); -+} -+ -+ -+exit(0); -+ -+ -+ -+sub do_provides { -+ -+ -+foreach $jar (@_) { -+ -+next if -f $jar && -r $jar; -+ $jar =~ s/[^[:print:]]//g; -+ # if this jar contains MANIFEST.MF file -+ if (`jar tf $jar | grep -e \^$MANIFEST_NAME` eq "$MANIFEST_NAME\n") { -+ # extract MANIFEST.MF file from jar to temporary directory -+ chdir $TEMPDIR; -+ `jar xf $cdir/$jar $MANIFEST_NAME`; -+ open(MANIFEST, "$MANIFEST_NAME"); -+ my $bundleName = ""; -+ my $bundleVersion = ""; -+ # parse bundle name and version -+ while() { -+ # get rid of non-print chars (some manifest files contain weird chars -+ s/[^[:print]]//g; -+ if (m/(^Bundle-SymbolicName: )((\w|\.)+)(\;*)(.*\n)/) { -+ $bundleName = $2; -+ } -+ if (m/(^Bundle-Version: )(.*)/) { -+ $bundleVersion = $2; -+ } -+ } -+ # skip this jar if no bundle name exists -+ if (! $bundleName eq "") { -+ if (! 
$bundleVersion eq "") { -+ print "osgi(".$bundleName.") = ".$bundleVersion."\n"; -+ } else { -+ print "osgi(".$bundleName.")\n"; -+ } -+ } -+ chdir $cdir; -+ } -+ -+} -+ -+} -+ -+ -+sub do_requires { -+ -+foreach $jar (@_) { -+next if -f $jar && -r $jar; -+$jar =~ s/[^[:print:]]//g; -+ if (`jar tf $jar | grep -e \^$MANIFEST_NAME` eq "$MANIFEST_NAME\n") { -+ chdir $TEMPDIR; -+ `jar xf $cdir/$jar $MANIFEST_NAME`; -+ open(MANIFEST, "$MANIFEST_NAME") or die; -+ my %reqcomp = (); -+ while() { -+ if (m/(^(Require-Bundle|Import-Package): )(.*)$/) { -+ my $reqlist = "$3"."\n"; -+ while() { -+ if (m/^[[:upper:]][[:alpha:]]+-[[:upper:]][[:alpha:]]+: .*/) { -+ $len = length $_; -+ seek MANIFEST, $len*-1 , 1; -+ last; -+ } -+ $reqlist.="$_"; -+ } -+ push @requirelist, parseReqString($reqlist); -+ } -+ -+ } -+ chdir $cdir; -+ } -+ -+} -+ -+$list = ""; -+for $require (@requirelist) { -+ $list .= "osgi(".$require->{NAME}.")".$require->{VERSION}."\n"; -+} -+#$abc = `echo \"$list\"|grep -e \^osgi\\(.*\\)| sort|uniq`; -+print $list; -+ -+} -+ -+sub parseReqString { -+ my $reqstr = $_[0]; -+ my @return; -+ $reqstr =~ s/ //g; -+ $reqstr =~ s/\n//g; -+ $reqstr =~ s/[^[:print:]]//g; -+ $reqstr =~ s/("[[:alnum:]|\-|\_|\.|\(|\)|\[|\]]+)(,)([[:alnum:]|\-|\_|\.|\(|\)|\[|\]]+")/$1 $3/g; -+ @reqcomp = split /,/g, $reqstr; -+ foreach $reqelement (@reqcomp) { -+ @reqelementfrmnt = split /;/g, $reqelement; -+ $name=""; -+ $version=""; -+ $name = $reqelementfrmnt[0]; -+ for $i (1 .. $#reqelementfrmnt) { -+ if ($reqelementfrmnt[$i] =~ m/(^(bundle-|)version=")(.*)(")/){ -+ $version = $3; -+ last; -+ } -+ } -+ $version = parseVersion($version); -+ push @return, { NAME=>"$name", VERSION=>"$version"}; -+ } -+ -+ return @return; -+} -+ -+sub parseVersion { -+ my $ver = $_[0]; -+ if ($ver eq "") { return "";} -+ if ($ver =~ m/(^[\[|\(])(.+)\ (.+)([\]|\)]$)/) { -+ ($1 eq "\[") ? return " <= $2" : return " < $2"; -+ } else { -+ return " = $ver"; -+ } -+ return $ver; -+} -+ - 
diff --git a/rpm-4.4.2.2-problem-nevra.patch b/rpm-4.4.2.2-problem-nevra.patch deleted file mode 100644 index 84a3bfa..0000000 --- a/rpm-4.4.2.2-problem-nevra.patch +++ /dev/null 
@@ -1,110 +0,0 @@ -changeset: 6194:fe6fc6dc7b98 -tag: tip -user: Panu Matilainen -date: Wed Oct 24 10:31:42 2007 +0300 -summary: Use NEVRA, not NEVR everywhere for rpmProblems - -diff -r cc2abc150d64 -r fe6fc6dc7b98 lib/rpmfi.c ---- a/lib/rpmfi.c Wed Oct 24 09:50:13 2007 +0300 -+++ b/lib/rpmfi.c Wed Oct 24 10:31:42 2007 +0300 -@@ -815,7 +815,7 @@ assert(p != NULL); - if (j == numValid && !allowBadRelocate && actions) { - rpmps ps = rpmtsProblems(ts); - rpmpsAppend(ps, RPMPROB_BADRELOCATE, -- rpmteNEVR(p), rpmteKey(p), -+ rpmteNEVRA(p), rpmteKey(p), - relocations[i].oldPath, NULL, NULL, 0); - ps = rpmpsFree(ps); - } -diff -r cc2abc150d64 -r fe6fc6dc7b98 lib/rpmts.c ---- a/lib/rpmts.c Wed Oct 24 09:50:13 2007 +0300 -+++ b/lib/rpmts.c Wed Oct 24 10:31:42 2007 +0300 -@@ -1356,14 +1356,14 @@ void rpmtsCheckDSIProblems(const rpmts t - - if (dsi->bavail >= 0 && adj_fs_blocks(dsi->bneeded) > dsi->bavail) { - rpmpsAppend(ps, RPMPROB_DISKSPACE, -- rpmteNEVR(te), rpmteKey(te), -+ rpmteNEVRA(te), rpmteKey(te), - ts->filesystems[i], NULL, NULL, - (adj_fs_blocks(dsi->bneeded) - dsi->bavail) * dsi->bsize); - } - - if (dsi->iavail >= 0 && adj_fs_blocks(dsi->ineeded) > dsi->iavail) { - rpmpsAppend(ps, RPMPROB_DISKNODES, -- rpmteNEVR(te), rpmteKey(te), -+ rpmteNEVRA(te), rpmteKey(te), - ts->filesystems[i], NULL, NULL, - (adj_fs_blocks(dsi->ineeded) - dsi->iavail)); - } -diff -r cc2abc150d64 -r fe6fc6dc7b98 lib/transaction.c ---- a/lib/transaction.c Wed Oct 24 09:50:13 2007 +0300 -+++ b/lib/transaction.c Wed Oct 24 10:31:42 2007 +0300 -@@ -138,7 +138,7 @@ static int handleInstInstalledFiles(cons - mi = rpmtsInitIterator(ts, RPMDBI_PACKAGES, - &shared->otherPkg, sizeof(shared->otherPkg)); - while ((h = rpmdbNextIterator(mi)) != NULL) { -- altNEVR = hGetNEVR(h, NULL); -+ altNEVR = hGetNEVRA(h, NULL); - otherFi = rpmfiNew(ts, h, RPMTAG_BASENAMES, scareMem); - break; - } -@@ -214,7 +214,7 @@ static int handleInstInstalledFiles(cons - - if (rConflicts) { - rpmpsAppend(ps, 
RPMPROB_FILE_CONFLICT, -- rpmteNEVR(p), rpmteKey(p), -+ rpmteNEVRA(p), rpmteKey(p), - rpmfiDN(fi), rpmfiBN(fi), - altNEVR, - 0); -@@ -603,9 +603,9 @@ assert(otherFi != NULL); - - if (rConflicts) { - rpmpsAppend(ps, RPMPROB_NEW_FILE_CONFLICT, -- rpmteNEVR(p), rpmteKey(p), -+ rpmteNEVRA(p), rpmteKey(p), - fn, NULL, -- rpmteNEVR(otherFi->te), -+ rpmteNEVRA(otherFi->te), - 0); - } - } -@@ -703,9 +703,9 @@ static int ensureOlder(rpmts ts, - - if (rc == 0) { - rpmps ps = rpmtsProblems(ts); -- const char * altNEVR = hGetNEVR(h, NULL); -+ const char * altNEVR = hGetNEVRA(h, NULL); - rpmpsAppend(ps, RPMPROB_OLDPACKAGE, -- rpmteNEVR(p), rpmteKey(p), -+ rpmteNEVRA(p), rpmteKey(p), - NULL, NULL, - altNEVR, - 0); -@@ -1508,14 +1508,14 @@ rpmMessage(RPMMESS_DEBUG, _("sanity chec - if (!(rpmtsFilterFlags(ts) & RPMPROB_FILTER_IGNOREARCH) && !tscolor) - if (!archOkay(rpmteA(p))) - rpmpsAppend(ps, RPMPROB_BADARCH, -- rpmteNEVR(p), rpmteKey(p), -+ rpmteNEVRA(p), rpmteKey(p), - rpmteA(p), NULL, - NULL, 0); - - if (!(rpmtsFilterFlags(ts) & RPMPROB_FILTER_IGNOREOS)) - if (!osOkay(rpmteO(p))) - rpmpsAppend(ps, RPMPROB_BADOS, -- rpmteNEVR(p), rpmteKey(p), -+ rpmteNEVRA(p), rpmteKey(p), - rpmteO(p), NULL, - NULL, 0); - -@@ -1544,7 +1544,7 @@ rpmMessage(RPMMESS_DEBUG, _("sanity chec - - while (rpmdbNextIterator(mi) != NULL) { - rpmpsAppend(ps, RPMPROB_PKG_INSTALLED, -- rpmteNEVR(p), rpmteKey(p), -+ rpmteNEVRA(p), rpmteKey(p), - NULL, NULL, - NULL, 0); - /*@innerbreak@*/ break; - diff --git a/rpm-4.4.2.2-pyproblem.patch b/rpm-4.4.2.2-pyproblem.patch deleted file mode 100644 index b9f942c..0000000 --- a/rpm-4.4.2.2-pyproblem.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -changeset: 6193:cc2abc150d64 -tag: tip -user: Panu Matilainen -date: Wed Oct 24 09:50:13 2007 +0300 -summary: Don't mess up problem pkgNEVR in python ts.check() (rhbz#349091) - -diff -r 751cf2c7614e -r cc2abc150d64 python/rpmts-py.c ---- a/python/rpmts-py.c Thu Oct 18 09:34:54 2007 +0300 -+++ b/python/rpmts-py.c Wed Oct 24 09:50:13 2007 +0300 -@@ -439,7 +439,7 @@ fprintf(stderr, "*** rpmts_Check(%p) ts - if (p->type == RPMPROB_BADRELOCATE) - continue; - -- byName = p->pkgNEVR; -+ byName = strdup(p->pkgNEVR); - if ((byArch= strrchr(byName, '.')) != NULL) - *byArch++ = '\0'; - if ((byRelease = strrchr(byName, '-')) != NULL) -@@ -475,6 +475,7 @@ fprintf(stderr, "*** rpmts_Check(%p) ts - #endif - PyList_Append(list, (PyObject *) cf); - Py_DECREF(cf); -+ free(byName); - } - - ps = rpmpsFree(ps); - diff --git a/rpm-4.4.2.2-secondary-arch-macros.patch b/rpm-4.4.2.2-secondary-arch-macros.patch deleted file mode 100644 index 0083c6f..0000000 --- a/rpm-4.4.2.2-secondary-arch-macros.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -Hackery to get secondary arch macros included on x86_64... - -diff -r 8004da6eac95 installplatform ---- a/installplatform Thu Nov 08 15:59:45 2007 +0200 -+++ b/installplatform Mon Nov 12 16:16:31 2007 +0200 -@@ -20,7 +20,7 @@ E_O_F - - RPM="./rpm --rcfile=$TEMPRC --macros=$MACROS" - --canonarch_sed='s_i.86_i386_;s_pentium[34]_i386_;s_athlon_i386_;s_sparc[^-]*_sparc_;s_alpha[^-]*_alpha_;s_arm[^-]*_arm_;s_\(powerpc\|ppc\)[^-]*_ppc_' -+canonarch_sed='s_i.86_i386_;s_pentium[34]_i386_;s_athlon_i386_;s_sparc[^-]*_sparc_;s_alpha[^-]*_alpha_;s_arm[^-]*_arm_;s_\(powerpc\|ppc\)[^-]*_ppc_;s,\(ia32e\|amd64\),x86_64,' - arch="`$RPM --eval '%{_arch}'|sed -e "$canonarch_sed"`" - VENDOR="`$RPM --eval '%{_vendor}'`" - OS="`$RPM --eval '%{_os}'`" -@@ -35,7 +35,7 @@ case "$arch" in - sparc*) SUBSTS='s_sparc\(64\|64v\|v9v\|v9\)_sparc_ s_sparc64_sparcv9_;s_sparc\([^v]\|$\)_sparcv9\1_ s_sparcv9_sparc64_;s_sparc\([^6]\|$\)_sparc64\1_' ;; - powerpc*|ppc*) SUBSTS='s_ppc64_ppc_ s_ppc\([^6ip]\|$\)_ppc64\1_ s_ppc\([^6ip]\|$\)_ppciseries_ s_ppc\([^6ip]\|$\)_ppcpseries_ s_ppc\([^6ip]\|$\)_ppc64iseries_ s_ppc\([^6ip]\|$\)_ppc64pseries_' ;; - s390*) SUBSTS='s_s390x_s390_ s_s390\([^x]\|$\)_s390x\1_' ;; -- x86_64|amd64|ia32e) SUBSTS='s,x86_64,x86_64, s,x86_64,ia32e, s,x86_64,amd64,' ;; -+ x86_64|amd64|ia32e) SUBSTS='s,x86_64,x86_64, s,x86_64,ia32e, s,x86_64,amd64, s,x86_64,i386, s,x86_64,i486, s,x86_64,i586, s,x86_64,i686, s,x86_64,pentium3, s,x86_64,pentium4, s,x86_64,athlon,' ;; - *) SUBSTS=y___ ;; - esac - -@@ -102,9 +102,11 @@ for SUBST in $SUBSTS ; do - ;; - esac - -+ CANONARCH="`echo $ARCH|sed -e "$canonarch_sed"`" -+ - cat $PLATFORM \ - | sed -e "s,@RPMRC_OPTFLAGS@,$RPMRC_OPTFLAGS," \ -- -e "s,@RPMRC_ARCH@,$ARCH," \ -+ -e "s,$arch,$CANONARCH," \ - -e "s,@RPMRC_GNU@,$RPMRC_GNU," \ - -e "s,@LIB@,$LIB," \ - -e "s,@ARCH_INSTALL_POST@,$ARCH_INSTALL_POST," \ diff --git a/rpm-4.4.2.3-nss.patch b/rpm-4.4.2.3-nss.patch new file mode 100644 index 0000000..3d52b67 --- /dev/null 
+++ b/rpm-4.4.2.3-nss.patch 
@@ -0,0 +1,2085 @@ +diff -r ec9e6c427068 Makefile.am +--- a/Makefile.am Wed Oct 24 16:02:51 2007 +0300 ++++ b/Makefile.am Thu Nov 01 10:56:58 2007 +0100 +@@ -10,14 +10,14 @@ EXTRA_DIST = CHANGES ChangeLog CREDITS D + po/*.in po/*.po po/rpm.pot \ + rpm.magic rpmpopt-$(VERSION) rpmqv.c + +-SUBDIRS = po misc @WITH_ZLIB_SUBDIR@ @WITH_ELFUTILS_SUBDIR@ @WITH_MAGIC_SUBDIR@ @WITH_DB_SUBDIR@ @WITH_SQLITE3_SUBDIR@ @WITH_POPT_SUBDIR@ @WITH_BEECRYPT_SUBDIR@ @WITH_NEON_SUBDIR@ lua rpmio rpmdb lib build @WITH_PYTHON_SUBDIR@ tools scripts doc . ++SUBDIRS = po misc @WITH_ZLIB_SUBDIR@ @WITH_ELFUTILS_SUBDIR@ @WITH_MAGIC_SUBDIR@ @WITH_DB_SUBDIR@ @WITH_SQLITE3_SUBDIR@ @WITH_POPT_SUBDIR@ @WITH_NEON_SUBDIR@ lua rpmio rpmdb lib build @WITH_PYTHON_SUBDIR@ tools scripts doc . + + INCLUDES = \ + -I$(top_srcdir)/build \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/rpmdb \ + -I$(top_srcdir)/rpmio \ +- @WITH_BEECRYPT_INCLUDE@ \ ++ @WITH_NSS_INCLUDE@ \ + @WITH_POPT_INCLUDE@ \ + -I$(top_srcdir)/misc \ + @WITH_LIBELF_INCLUDE@ \ +@@ -25,7 +25,7 @@ INCLUDES = \ + + staticLDFLAGS = @LDFLAGS_STATIC@ @LDFLAGS_NPTL@ + +-myLDFLAGS = @WITH_LIBELF_LIB@ @WITH_BEECRYPT_LIB@ ++myLDFLAGS = @WITH_LIBELF_LIB@ + + myLDADD = \ + $(top_builddir)/lib/librpm.la \ +@@ -33,6 +33,7 @@ myLDADD = \ + $(top_builddir)/rpmio/librpmio.la \ + @WITH_POPT_LIB@ \ + @WITH_ZLIB_LIB@ \ ++ @WITH_NSS_LIB@ \ + @LIBMISC@ + + rpmbindir = `echo $(bindir) | sed -e s,usr/bin,bin,` +@@ -71,7 +72,7 @@ rpmd.o: $(top_srcdir)/rpmqv.c + + rpmi_SOURCES = + #rpmi_LDFLAGS = $(myLDFLAGS) $(staticLDFLAGS) +-#rpmi_LDADD = rpmi.o $(myLDADD) @WITH_LIBELF_LIB@ @WITH_BEECRYPT_LIB@ ++#rpmi_LDADD = rpmi.o $(myLDADD) @WITH_LIBELF_LIB@ + rpmi_LDFLAGS = $(myLDFLAGS) + rpmi_LDADD = rpmi.o $(myLDADD) + rpmi.o: $(top_srcdir)/rpmqv.c +@@ -112,7 +113,6 @@ lint: + `make -s sources -C lib` \ + `make -s sources -C rpmdb` \ + `make -s sources -C rpmio` \ +- `make -s sources -C beecrypt` \ + `make -s sources -C file/src` \ + `make -s sources -C popt` + +diff -r 
ec9e6c427068 autogen.sh +--- a/autogen.sh Wed Oct 24 16:02:51 2007 +0300 ++++ b/autogen.sh Thu Nov 01 10:56:58 2007 +0100 +@@ -48,9 +48,6 @@ if [ -d zlib ]; then + if [ -d zlib ]; then + (echo "--- zlib"; cd zlib; ./autogen.sh --noconfigure "$@") + fi +-if [ -d beecrypt ]; then +- (echo "--- beecrypt"; cd beecrypt; ./autogen.sh --noconfigure "$@") +-fi + if [ -d elfutils ]; then + (echo "--- elfutils"; cd elfutils; ./autogen.sh --noconfigure "$@") + fi +diff -r ec9e6c427068 build/Makefile.am +--- a/build/Makefile.am Wed Oct 24 16:02:51 2007 +0300 ++++ b/build/Makefile.am Thu Nov 01 10:56:58 2007 +0100 +@@ -9,7 +9,7 @@ INCLUDES = -I. \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/rpmdb \ + -I$(top_srcdir)/rpmio \ +- @WITH_BEECRYPT_INCLUDE@ \ ++ @WITH_NSS_INCLUDE@ \ + @WITH_MAGIC_INCLUDE@ \ + @WITH_POPT_INCLUDE@ \ + @WITH_LIBELF_INCLUDE@ \ +diff -r ec9e6c427068 configure.ac +--- a/configure.ac Wed Oct 24 16:02:51 2007 +0300 ++++ b/configure.ac Thu Nov 01 10:56:58 2007 +0100 +@@ -463,34 +463,32 @@ AC_SUBST(WITH_LIBDWARF_DEBUGEDIT) + AC_SUBST(WITH_LIBDWARF_DEBUGEDIT) + + #================= +-# Check for beecrypt library. Prefer external, otherwise internal. +-WITH_BEECRYPT_SUBDIR= +-WITH_BEECRYPT_INCLUDE= +-WITH_BEECRYPT_LIB= +-AC_CHECK_HEADER([beecrypt/beecrypt.h], [ +- AC_CHECK_LIB(beecrypt, mpfprintln, [ +- AC_DEFINE(HAVE_LIBBEECRYPT, 1, [Define to 1 if you have the 'beecrypt' library (-lbeecrypt).]) +- AC_CHECK_HEADER([beecrypt/api.h], [ +- AC_DEFINE(HAVE_BEECRYPT_API_H, 1, [Define to 1 if you have the header file.]) +- ]) +- WITH_BEECRYPT_INCLUDE="-I${includedir}/beecrypt" +- WITH_BEECRYPT_LIB="-lbeecrypt" ++# Check for NSS library. 
++WITH_NSS_INCLUDE= ++WITH_NSS_LIB= ++check=`pkg-config --version 2>/dev/null` ++if test -n "$check"; then ++ addlib=$(pkg-config --libs nss | sed 's/-lsmime3//;s/-lssl3//') ++ addcppflags=$(pkg-config --cflags nss) ++else ++# Without pkg-config, we'll kludge in some defaults ++ addlib="-lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl" ++ addcppflags="-I/usr/include/nss3 -I/usr/include/nspr4" ++fi ++save_CPPFLAGS="$CPPFLAGS" ++CPPFLAGS="$save_CPPFLAGS $addcppflags" ++AC_CHECK_HEADER([nss3/nss.h], [ ++ AC_CHECK_LIB(nss3, NSS_NoDB_Init, [ ++ AC_DEFINE(HAVE_LIBNSS, 1, [Define to 1 if you have the 'NSS' library (-lnss3).]) ++ WITH_NSS_INCLUDE="$addcppflags" ++ WITH_NSS_LIB="$addlib" + ]) + ],[ +- if test -d beecrypt ; then +- AC_DEFINE(HAVE_LIBBEECRYPT, 1, [Define to 1 if you have the 'beecrypt' library (-lbeecrypt).]) +- WITH_BEECRYPT_SUBDIR=beecrypt +- WITH_BEECRYPT_INCLUDE="-I\${top_srcdir}/${WITH_BEECRYPT_SUBDIR}" +- WITH_BEECRYPT_LIB="\${top_builddir}/${WITH_BEECRYPT_SUBDIR}/libbeecrypt.la" +- fi +- +- if test -z "${WITH_BEECRYPT_LIB}" ; then +- AC_MSG_ERROR([rpm requires beecrypt]) +- fi +-]) +-AC_SUBST(WITH_BEECRYPT_SUBDIR) +-AC_SUBST(WITH_BEECRYPT_INCLUDE) +-AC_SUBST(WITH_BEECRYPT_LIB) ++ AC_MSG_ERROR([rpm requires NSS]) ++]) ++CPPFLAGS="$save_CPPFLAGS" ++AC_SUBST(WITH_NSS_INCLUDE) ++AC_SUBST(WITH_NSS_LIB) + + #================= + # Check for neon library. Prefer external, otherwise internal. +diff -r ec9e6c427068 lib/Makefile.am +--- a/lib/Makefile.am Wed Oct 24 16:02:51 2007 +0300 ++++ b/lib/Makefile.am Thu Nov 01 10:56:58 2007 +0100 +@@ -9,7 +9,7 @@ INCLUDES = -I. 
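Review bot: A missing or unlinkable libnss3 is not reported by the new NSS check in configure.ac, because `AC_MSG_ERROR([rpm requires NSS])` sits only in the header-not-found branch of `AC_CHECK_HEADER([nss3/nss.h], …)`. The inner `AC_CHECK_LIB(nss3, NSS_NoDB_Init, […])` has no action-if-not-found, so when the header is present but the link test fails, `WITH_NSS_INCLUDE` and `WITH_NSS_LIB` stay empty and configure still succeeds. Passing a fourth argument, `[AC_MSG_ERROR([rpm requires NSS])]`, to `AC_CHECK_LIB` would stop at configure time instead of at a later compile or link step. Only `CPPFLAGS` is extended around the test, so if pkg-config returns a non-default `-L` directory the link test presumably will not see it; that is worth confirming.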
\ + -I$(top_srcdir)/build \ + -I$(top_srcdir)/rpmdb \ + -I$(top_srcdir)/rpmio \ +- @WITH_BEECRYPT_INCLUDE@ \ ++ @WITH_NSS_INCLUDE@ \ + @WITH_POPT_INCLUDE@ \ + -I$(top_srcdir)/misc \ + @INCPATH@ +diff -r ec9e6c427068 lib/formats.c +--- a/lib/formats.c Wed Oct 24 16:02:51 2007 +0300 ++++ b/lib/formats.c Thu Nov 01 10:56:58 2007 +0100 +@@ -210,23 +210,17 @@ static /*@only@*/ char * base64Format(in + int lc; + /* XXX HACK ALERT: element field abused as no. bytes of binary data. */ + size_t ns = element; +- size_t nt = ((ns + 2) / 3) * 4; ++ size_t nt = 0; + + /*@-boundswrite@*/ +- /*@-globs@*/ +- /* Add additional bytes necessary for eol string(s). */ +- if (b64encode_chars_per_line > 0 && b64encode_eolstr != NULL) { +- lc = (nt + b64encode_chars_per_line - 1) / b64encode_chars_per_line; +- if (((nt + b64encode_chars_per_line - 1) % b64encode_chars_per_line) != 0) +- ++lc; +- nt += lc * strlen(b64encode_eolstr); ++ if ((enc = b64encode(data, ns, -1)) != NULL) { ++ nt = strlen(enc); + } +- /*@=globs@*/ + + val = t = xmalloc(nt + padding + 1); + + *t = '\0'; +- if ((enc = b64encode(data, ns)) != NULL) { ++ if (enc != NULL) { + t = stpcpy(t, enc); + enc = _free(enc); + } +@@ -310,16 +304,13 @@ static /*@only@*/ char * xmlFormat(int_3 + xtag = "string"; + break; + case RPM_BIN_TYPE: +- { int cpl = b64encode_chars_per_line; +-/*@-mods@*/ +- b64encode_chars_per_line = 0; +-/*@=mods@*/ +-/*@-formatconst@*/ +- s = base64Format(type, data, formatPrefix, padding, element); +-/*@=formatconst@*/ +-/*@-mods@*/ +- b64encode_chars_per_line = cpl; +-/*@=mods@*/ ++ { ++ /* XXX HACK ALERT: element field abused as no. bytes of binary data. */ ++ size_t ns = element; ++ if ((s = b64encode(data, ns, 0)) == NULL) { ++ /* XXX proper error handling would be better. 
*/ ++ s = xcalloc(1, padding + (ns / 3) * 4 + 1); ++ } + xtag = "base64"; + } break; + case RPM_CHAR_TYPE: +diff -r ec9e6c427068 lib/package.c +--- a/lib/package.c Wed Oct 24 16:02:51 2007 +0300 ++++ b/lib/package.c Thu Nov 01 10:56:58 2007 +0100 +@@ -1008,11 +1008,9 @@ rpmRC rpmReadPackageFile(rpmts ts, FD_t + fddig->hashctx = NULL; + /*@switchbreak@*/ break; + case PGPHASHALGO_SHA1: +-#if HAVE_BEECRYPT_API_H + case PGPHASHALGO_SHA256: + case PGPHASHALGO_SHA384: + case PGPHASHALGO_SHA512: +-#endif + dig->sha1ctx = fddig->hashctx; + fddig->hashctx = NULL; + /*@switchbreak@*/ break; +diff -r ec9e6c427068 lib/rpmchecksig.c +--- a/lib/rpmchecksig.c Wed Oct 24 16:02:51 2007 +0300 ++++ b/lib/rpmchecksig.c Thu Nov 01 10:56:58 2007 +0100 +@@ -447,7 +447,7 @@ rpmRC rpmcliImportPubkey(const rpmts ts, + if (rpmtsOpenDB(ts, (O_RDWR|O_CREAT))) + return RPMRC_FAIL; + +- if ((enc = b64encode(pkt, pktlen)) == NULL) ++ if ((enc = b64encode(pkt, pktlen, -1)) == NULL) + goto exit; + + dig = pgpNewDig(); +@@ -698,11 +698,9 @@ assert(dig->md5ctx == NULL); + fddig->hashctx = NULL; + /*@switchbreak@*/ break; + case PGPHASHALGO_SHA1: +-#if HAVE_BEECRYPT_API_H + case PGPHASHALGO_SHA256: + case PGPHASHALGO_SHA384: + case PGPHASHALGO_SHA512: +-#endif + assert(dig->sha1ctx == NULL); + dig->sha1ctx = fddig->hashctx; + fddig->hashctx = NULL; +diff -r ec9e6c427068 lib/rpmts.c +--- a/lib/rpmts.c Wed Oct 24 16:02:51 2007 +0300 ++++ b/lib/rpmts.c Thu Nov 01 10:56:58 2007 +0100 +@@ -4,7 +4,7 @@ + */ + #include "system.h" + +-#include "rpmio_internal.h" /* XXX for pgp and beecrypt */ ++#include "rpmio_internal.h" /* XXX for pgp */ + #include + #include /* XXX rpmtsOpenDB() needs rpmGetPath */ + +diff -r ec9e6c427068 lib/signature.c +--- a/lib/signature.c Wed Oct 24 16:02:51 2007 +0300 ++++ b/lib/signature.c Thu Nov 01 10:56:58 2007 +0100 +@@ -1215,9 +1215,10 @@ verifyRSASignature(rpmts ts, /*@out@*/ c + int_32 sigtag = rpmtsSigtag(ts); + pgpDig dig = rpmtsDig(ts); + pgpDigParams sigp = 
rpmtsSignature(ts); +- const char * prefix = NULL; ++ SECOidTag sigalg; + rpmRC res = RPMRC_OK; + int xx; ++ SECItem digest; + + *t = '\0'; + if (dig != NULL && dig->hdrmd5ctx == md5ctx) +@@ -1248,43 +1249,40 @@ verifyRSASignature(rpmts ts, /*@out@*/ c + switch (sigp->hash_algo) { + case PGPHASHALGO_MD5: + t = stpcpy(t, " RSA/MD5"); +- prefix = "3020300c06082a864886f70d020505000410"; ++ sigalg = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION; + break; + case PGPHASHALGO_SHA1: + t = stpcpy(t, " RSA/SHA1"); +- prefix = "3021300906052b0e03021a05000414"; ++ sigalg = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION; + break; + case PGPHASHALGO_RIPEMD160: + res = RPMRC_NOKEY; +- prefix = NULL; + break; + case PGPHASHALGO_MD2: + t = stpcpy(t, " RSA/MD2"); +- prefix = "3020300c06082a864886f70d020205000410"; ++ sigalg = SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION; + break; + case PGPHASHALGO_TIGER192: + res = RPMRC_NOKEY; +- prefix = NULL; + break; + case PGPHASHALGO_HAVAL_5_160: + res = RPMRC_NOKEY; +- prefix = NULL; + break; + case PGPHASHALGO_SHA256: + t = stpcpy(t, " RSA/SHA256"); +- prefix = "3031300d060960864801650304020105000420"; ++ sigalg = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION; + break; + case PGPHASHALGO_SHA384: + t = stpcpy(t, " RSA/SHA384"); +- prefix = "3041300d060960864801650304020205000430"; ++ sigalg = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION; + break; + case PGPHASHALGO_SHA512: + t = stpcpy(t, " RSA/SHA512"); +- prefix = "3051300d060960864801650304020305000440"; ++ sigalg = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION; + break; + default: + res = RPMRC_NOKEY; +- prefix = NULL; ++ sigalg = SEC_OID_UNKNOWN; + break; + } + +@@ -1295,8 +1293,6 @@ verifyRSASignature(rpmts ts, /*@out@*/ c + + (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_DIGEST), 0); + { DIGEST_CTX ctx = rpmDigestDup(md5ctx); +- byte signhash16[2]; +- const char * s; + + if (sigp->hash != NULL) + xx = rpmDigestUpdate(ctx, sigp->hash, sigp->hashlen); +@@ -1313,40 +1309,18 @@ verifyRSASignature(rpmts ts, /*@out@*/ c + } + #endif 
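Review bot: `sigalg` is left unassigned in the `PGPHASHALGO_RIPEMD160`, `PGPHASHALGO_TIGER192` and `PGPHASHALGO_HAVAL_5_160` arms of this switch in verifyRSASignature, which now only set `res = RPMRC_NOKEY`; every other arm, including `default`, assigns it. The value is later passed to `VFY_VerifyDigest(&digest, dig->rsa, dig->rsasig, sigalg, NULL)`, and whether that call can be reached with `res != RPMRC_OK` depends on code after the switch that is outside this hunk. Initialising at the declaration, `SECOidTag sigalg = SEC_OID_UNKNOWN;`, removes that dependency and makes the `default` assignment redundant.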
+ +- xx = rpmDigestFinal(ctx, (void **)&dig->md5, &dig->md5len, 1); ++ xx = rpmDigestFinal(ctx, (void **)&dig->md5, &dig->md5len, 0); + (void) rpmswExit(rpmtsOp(ts, RPMTS_OP_DIGEST), sigp->hashlen); + rpmtsOp(ts, RPMTS_OP_DIGEST)->count--; /* XXX one too many */ + + /* Compare leading 16 bits of digest for quick check. */ +- s = dig->md5; +- signhash16[0] = (nibble(s[0]) << 4) | nibble(s[1]); +- signhash16[1] = (nibble(s[2]) << 4) | nibble(s[3]); +- if (memcmp(signhash16, sigp->signhash16, sizeof(signhash16))) { ++ if (memcmp(dig->md5, sigp->signhash16, 2)) { + res = RPMRC_FAIL; + goto exit; + } +- } +- +- /* Generate RSA modulus parameter. */ +- { unsigned int nbits = MP_WORDS_TO_BITS(dig->c.size); +- unsigned int nb = (nbits + 7) >> 3; +- const char * hexstr; +- char * tt; +- +-assert(prefix != NULL); +- hexstr = tt = xmalloc(2 * nb + 1); +- memset(tt, 'f', (2 * nb)); +- tt[0] = '0'; tt[1] = '0'; +- tt[2] = '0'; tt[3] = '1'; +- tt += (2 * nb) - strlen(prefix) - strlen(dig->md5) - 2; +- *tt++ = '0'; *tt++ = '0'; +- tt = stpcpy(tt, prefix); +- tt = stpcpy(tt, dig->md5); +- +- mpnzero(&dig->rsahm); (void) mpnsethex(&dig->rsahm, hexstr); +- +- hexstr = _free(hexstr); +- ++ digest.type = siBuffer; ++ digest.data = dig->md5; ++ digest.len = dig->md5len; + } + + /* Retrieve the matching public key. 
*/ +@@ -1355,12 +1329,7 @@ assert(prefix != NULL); + goto exit; + + (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_SIGNATURE), 0); +-#if HAVE_BEECRYPT_API_H +- xx = rsavrfy(&dig->rsa_pk.n, &dig->rsa_pk.e, &dig->c, &dig->rsahm); +-#else +- xx = rsavrfy(&dig->rsa_pk, &dig->rsahm, &dig->c); +-#endif +- if (xx) ++ if (VFY_VerifyDigest(&digest, dig->rsa, dig->rsasig, sigalg, NULL) == SECSuccess) + res = RPMRC_OK; + else + res = RPMRC_FAIL; +@@ -1401,6 +1370,7 @@ verifyDSASignature(rpmts ts, /*@out@*/ c + pgpDigParams sigp = rpmtsSignature(ts); + rpmRC res; + int xx; ++ SECItem digest; + + *t = '\0'; + if (dig != NULL && dig->hdrsha1ctx == sha1ctx) +@@ -1428,7 +1398,6 @@ verifyDSASignature(rpmts ts, /*@out@*/ c + + (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_DIGEST), 0); + { DIGEST_CTX ctx = rpmDigestDup(sha1ctx); +- byte signhash16[2]; + + if (sigp->hash != NULL) + xx = rpmDigestUpdate(ctx, sigp->hash, sigp->hashlen); +@@ -1442,19 +1411,18 @@ verifyDSASignature(rpmts ts, /*@out@*/ c + memcpy(trailer+2, &nb, sizeof(nb)); + xx = rpmDigestUpdate(ctx, trailer, sizeof(trailer)); + } +- xx = rpmDigestFinal(ctx, (void **)&dig->sha1, &dig->sha1len, 1); ++ xx = rpmDigestFinal(ctx, (void **)&dig->sha1, &dig->sha1len, 0); + (void) rpmswExit(rpmtsOp(ts, RPMTS_OP_DIGEST), sigp->hashlen); + rpmtsOp(ts, RPMTS_OP_DIGEST)->count--; /* XXX one too many */ + +- mpnzero(&dig->hm); (void) mpnsethex(&dig->hm, dig->sha1); +- + /* Compare leading 16 bits of digest for quick check. */ +- signhash16[0] = (*dig->hm.data >> 24) & 0xff; +- signhash16[1] = (*dig->hm.data >> 16) & 0xff; +- if (memcmp(signhash16, sigp->signhash16, sizeof(signhash16))) { ++ if (memcmp(dig->sha1, sigp->signhash16, 2)) { + res = RPMRC_FAIL; + goto exit; + } ++ digest.type = siBuffer; ++ digest.data = dig->sha1; ++ digest.len = dig->sha1len; + } + + /* Retrieve the matching public key. 
*/ +@@ -1463,8 +1431,8 @@ verifyDSASignature(rpmts ts, /*@out@*/ c + goto exit; + + (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_SIGNATURE), 0); +- if (dsavrfy(&dig->p, &dig->q, &dig->g, +- &dig->hm, &dig->y, &dig->r, &dig->s)) ++ if (VFY_VerifyDigest(&digest, dig->dsa, dig->dsasig, ++ SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST, NULL) == SECSuccess) + res = RPMRC_OK; + else + res = RPMRC_FAIL; +diff -r ec9e6c427068 python/Makefile.am +--- a/python/Makefile.am Wed Oct 24 16:02:51 2007 +0300 ++++ b/python/Makefile.am Thu Nov 01 10:56:58 2007 +0100 +@@ -17,7 +17,7 @@ INCLUDES = -I. \ + -I$(top_srcdir)/rpmdb \ + -I$(top_srcdir)/rpmio \ + @WITH_LIBELF_INCLUDE@ \ +- @WITH_BEECRYPT_INCLUDE@ \ ++ @WITH_NSS_INCLUDE@ \ + @WITH_POPT_INCLUDE@ \ + -I$(top_srcdir)/misc \ + -I$(pyincdir) \ +@@ -42,7 +42,7 @@ rpm_LTLIBRARIES = _rpmmodule.la + rpm_LTLIBRARIES = _rpmmodule.la + + _rpmmodule_la_LDFLAGS = $(mylibs) $(LIBS) -module -avoid-version +-_rpmmodule_la_LIBADD = @WITH_BEECRYPT_LIB@ ++_rpmmodule_la_LIBADD = @WITH_NSS_LIB@ + + _rpmmodule_la_SOURCES = rpmmodule.c header-py.c \ + rpmal-py.c rpmds-py.c rpmdb-py.c rpmfd-py.c rpmfts-py.c \ +diff -r ec9e6c427068 rpmdb/Makefile.am +--- a/rpmdb/Makefile.am Wed Oct 24 16:02:51 2007 +0300 ++++ b/rpmdb/Makefile.am Thu Nov 01 10:56:58 2007 +0100 +@@ -9,7 +9,7 @@ INCLUDES = -I. \ + -I$(top_srcdir)/build \ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/rpmio \ +- @WITH_BEECRYPT_INCLUDE@ \ ++ @WITH_NSS_INCLUDE@ \ + @WITH_POPT_INCLUDE@ \ + -I$(top_srcdir)/misc \ + @WITH_SQLITE3_INCLUDE@ \ +diff -r ec9e6c427068 rpmio/Makefile.am +--- a/rpmio/Makefile.am Wed Oct 24 16:02:51 2007 +0300 ++++ b/rpmio/Makefile.am Thu Nov 01 10:56:58 2007 +0100 +@@ -10,7 +10,7 @@ EXTRA_PROGRAMS = tax tdigest tdir tfts t + + INCLUDES = -I. \ + -I$(top_srcdir) \ +- @WITH_BEECRYPT_INCLUDE@ \ ++ @WITH_NSS_INCLUDE@ \ + @WITH_NEON_INCLUDE@ \ + @WITH_LUA_INCLUDE@ \ + @WITH_POPT_INCLUDE@ \ +@@ -19,23 +19,21 @@ INCLUDES = -I. 
\ + + pkgincdir = $(pkgincludedir) + pkginc_HEADERS = \ +- argv.h fts.h rpmdav.h \ ++ argv.h base64.h fts.h rpmdav.h \ + rpmio.h rpmurl.h rpmmacro.h rpmlog.h rpmmessages.h rpmerr.h rpmpgp.h \ + rpmsq.h rpmsw.h ugid.h + noinst_HEADERS = rpmio_internal.h rpmlua.h rpmhook.h +- +-BEECRYPTLOBJS = $(shell test X"@WITH_BEECRYPT_SUBDIR@" != X && cat $(top_builddir)/@WITH_BEECTYPT_SUBDIR@/listobjs) + + LDFLAGS = -L$(RPM_BUILD_ROOT)$(usrlibdir) -L$(DESTDIR)$(usrlibdir) + + usrlibdir = $(libdir)@MARK64@ + usrlib_LTLIBRARIES = librpmio.la + librpmio_la_SOURCES = \ +- argv.c digest.c fts.c macro.c rpmdav.c \ ++ argv.c base64.c digest.c fts.c macro.c rpmdav.c \ + rpmhook.c rpmio.c rpmlog.c rpmlua.c rpmmalloc.c \ + rpmpgp.c rpmrpc.c rpmsq.c rpmsw.c strcasecmp.c stubs.c url.c ugid.c + librpmio_la_LDFLAGS = -release 4.4 $(LDFLAGS) \ +- @WITH_BEECRYPT_LIB@ \ ++ @WITH_NSS_LIB@ \ + @WITH_NEON_LIB@ \ + @WITH_LUA_LIB@ \ + @WITH_MAGIC_LIB@ \ +@@ -44,22 +42,10 @@ librpmio_la_LIBADD = # $(BEECRYPTLOBJS) + librpmio_la_LIBADD = # $(BEECRYPTLOBJS) + librpmio_la_DEPENDENCIES = # .created + +-.created: +- if test X"@WITH_BEECRYPT_SUBDIR@" != X; then \ +- ${MAKE} -C $(top_builddir)/@WITH_BEECRYPT_SUBDIR@ listobjs ; \ +- for lo in $(BEECRYPTLOBJS); do \ +- [ -f $$lo ] || $(LN_S) $(top_builddir)/@WITH_BEECRYPT_SUBDIR@/$$lo $$lo ; \ +- done \ +- fi +- touch $@ +- +-clean-local: +- rm -f $(BEECRYPTLOBJS) *.o .created +- + #BUILT_SOURCES = rpmio.lcd + + rpmio.lcd: Makefile.am ${librpmio_la_SOURCES} ${pkginc_HEADERS} ${noinst_HEADERS} +- -lclint -load ../beecrypt/beecrypt.lcd $(DEFS) $(INCLUDES) $(librpmio_la_SOURCES) -dump $@ 2>/dev/null ++ -lclint -load $(DEFS) $(INCLUDES) $(librpmio_la_SOURCES) -dump $@ 2>/dev/null + + .PHONY: sources + sources: +@@ -105,7 +91,6 @@ tinv_LDADD = librpmio.la $(top_builddir) + tinv_LDADD = librpmio.la $(top_builddir)/popt/libpopt.la + + tkey_SOURCES = tkey.c +-tkey_LDFLAGS = @LDFLAGS_STATIC@ + tkey_LDADD = librpmio.la $(top_builddir)/popt/libpopt.la + + tring_SOURCES 
= tring.c +diff -r ec9e6c427068 rpmio/base64.c +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ b/rpmio/base64.c Thu Nov 01 10:56:58 2007 +0100 +@@ -0,0 +1,254 @@ ++/* base64 encoder/decoder based on public domain implementation ++ * by Chris Venter */ ++ ++#include ++#include ++#include "base64.h" ++ ++static char base64_encode_value(char value_in) ++{ ++ static const char encoding[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; ++ if (value_in > 63) return '='; ++ return encoding[(int)value_in]; ++} ++ ++static char *base64_encode_block(const char *plaintext_in, int length_in, char *codechar) ++{ ++ const char *plainchar = plaintext_in; ++ const char *const plaintextend = plaintext_in + length_in; ++ char result; ++ char fragment; ++ ++ while (1) { ++ if (plainchar == plaintextend) { ++ return codechar; ++ } ++ fragment = *plainchar++; ++ result = (fragment & 0x0fc) >> 2; ++ *codechar++ = base64_encode_value(result); ++ result = (fragment & 0x003) << 4; ++ if (plainchar == plaintextend) ++ { ++ *codechar++ = base64_encode_value(result); ++ *codechar++ = '='; ++ *codechar++ = '='; ++ return codechar; ++ } ++ fragment = *plainchar++; ++ result |= (fragment & 0x0f0) >> 4; ++ *codechar++ = base64_encode_value(result); ++ result = (fragment & 0x00f) << 2; ++ if (plainchar == plaintextend) ++ { ++ *codechar++ = base64_encode_value(result); ++ *codechar++ = '='; ++ return codechar; ++ } ++ fragment = *plainchar++; ++ result |= (fragment & 0x0c0) >> 6; ++ *codechar++ = base64_encode_value(result); ++ result = (fragment & 0x03f) >> 0; ++ *codechar++ = base64_encode_value(result); ++ } ++ /* control should not reach here */ ++ return codechar; ++} ++ ++#define BASE64_DEFAULT_LINE_LENGTH 64 ++ ++char *b64encode(const void *data, size_t len, int linelen) ++{ ++ size_t encodedlen; ++ const char *dataptr = data; ++ char *output; ++ char *outptr; ++ ++ if (data == NULL) ++ return NULL; ++ ++ if (linelen < 0) ++ linelen = BASE64_DEFAULT_LINE_LENGTH; ++ 
++ linelen /= 4; ++ encodedlen = ((len + 2) / 3) * 4; ++ if (linelen > 0) { ++ encodedlen += encodedlen/(linelen * 4) + 1; ++ } ++ ++encodedlen; /* for zero termination */ ++ ++ output = malloc(encodedlen); ++ if (output == NULL) ++ return NULL; ++ ++ outptr = output; ++ while (len > 0) { ++ if (linelen > 0 && len > linelen * 3) { ++ outptr = base64_encode_block(dataptr, linelen * 3, outptr); ++ len -= linelen * 3; ++ dataptr += linelen * 3; ++ } else { ++ outptr = base64_encode_block(dataptr, len, outptr); ++ len = 0; ++ } ++ if (linelen > 0) { ++ *outptr++ = '\n'; ++ } ++ } ++ *outptr = '\0'; ++ return output; ++} ++ ++static int base64_decode_value(char value_in) ++{ ++ static const char decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51}; ++ static const char decoding_size = sizeof(decoding); ++ value_in -= 43; ++ if (value_in < 0 || value_in > decoding_size) ++ return -1; ++ return decoding[(int)value_in]; ++} ++ ++static size_t base64_decode_block(const char *code_in, const size_t length_in, char *plaintext_out) ++{ ++ const char *codechar = code_in; ++ char *plainchar = plaintext_out; ++ char fragment; ++ ++ *plainchar = 0; ++ ++ while (1) ++ { ++ do { ++ if (codechar == code_in+length_in) ++ { ++ return plainchar - plaintext_out; ++ } ++ fragment = (char)base64_decode_value(*codechar++); ++ } while (fragment < 0); ++ *plainchar = (fragment & 0x03f) << 2; ++ ++ do { ++ if (codechar == code_in+length_in) ++ { ++ return plainchar - plaintext_out; ++ } ++ fragment = (char)base64_decode_value(*codechar++); ++ } while (fragment < 0); ++ *plainchar++ |= (fragment & 0x030) >> 4; ++ *plainchar = (fragment & 0x00f) << 4; ++ ++ do { ++ if (codechar == code_in+length_in) ++ { ++ return plainchar - plaintext_out; ++ } ++ fragment = (char)base64_decode_value(*codechar++); ++ } 
while (fragment < 0); ++ *plainchar++ |= (fragment & 0x03c) >> 2; ++ *plainchar = (fragment & 0x003) << 6; ++ ++ do { ++ if (codechar == code_in+length_in) ++ { ++ return plainchar - plaintext_out; ++ } ++ fragment = (char)base64_decode_value(*codechar++); ++ } while (fragment < 0); ++ *plainchar++ |= (fragment & 0x03f); ++ } ++ /* control should not reach here */ ++ return plainchar - plaintext_out; ++} ++ ++int b64decode(const char *in, void **out, size_t *outlen) ++{ ++ size_t outcnt = 0; ++ const char *inptr = in; ++ ++ *out = NULL; ++ ++ if (in == NULL) { ++ return 1; ++ } ++ ++ while (*inptr != '\0') { ++ /* assume all ASCII control chars as whitespace */ ++ if (*inptr > 32) { ++ if (base64_decode_value(*inptr) != -1) { ++ ++outcnt; ++ } else { ++ return 3; ++ } ++ } ++ ++inptr; ++ } ++ ++ if (outcnt % 4 != 0) ++ return 2; ++ ++ outcnt = (outcnt / 4) * 3; ++ ++ *out = malloc(outcnt + 1); /* base64_decode_block can write one extra character */ ++ ++ if (*out == NULL) ++ return 4; ++ ++ *outlen = base64_decode_block(in, inptr - in, *out); ++ ++ return 0; ++} ++ ++#define CRC24_INIT 0xb704ce ++#define CRC24_POLY 0x1864cfb ++ ++char *b64crc(const unsigned char *data, size_t len) ++{ ++ uint32_t crc = CRC24_INIT; ++ int i; ++ ++ while (len--) { ++ crc ^= (*data++) << 16; ++ for (i = 0; i < 8; i++) { ++ crc <<= 1; ++ if (crc & 0x1000000) ++ crc ^= CRC24_POLY; ++ } ++ } ++ crc = htonl(crc & 0xffffff); ++ data = (unsigned char *)&crc; ++ ++data; ++ return b64encode(data, 3, 0); ++} ++ ++#ifdef BASE64_TEST ++#include ++#include ++ ++int main(int argc, char *argv[]) ++{ ++ static char tst[]="wtrt8122čLýáj\x20s ~ýhž\t4\x02šjjmBvž^%$RTš#á.íěj\x1hčýčŤc+"; ++ char *encoded; ++ void *decoded; ++ size_t size; ++ int err; ++ printf("Original: %lu\n%s\n", sizeof(tst)-1, tst); ++ encoded = b64encode(tst, sizeof(tst)-1, 64); ++ printf("Encoded: %lu\n%s\n", strlen(encoded), encoded); ++ if ((err = b64decode(encoded, &decoded, &size)) != 0) { ++ fprintf(stderr, "Error in decode: 
%d\n", err); ++ return 1; ++ } ++ printf("Decoded:\n%.*s\n", (int)size, (char *)decoded); ++ if (size != sizeof(tst)-1) { ++ fprintf(stderr, "Size differs orig: %lu new: %lu\n", sizeof(tst)-1, size); ++ return 1; ++ } ++ if (memcmp(tst, decoded, size) != 0) { ++ fprintf(stderr, "Decoded data differs.\n"); ++ return 1; ++ } ++ fprintf(stderr, "OK\n"); ++ return 0; ++} ++#endif ++ +diff -r ec9e6c427068 rpmio/base64.h +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ b/rpmio/base64.h Thu Nov 01 10:56:58 2007 +0100 +@@ -0,0 +1,29 @@ ++/* base64 encoder/decoder based on public domain implementation ++ * by Chris Venter */ ++ ++#include ++ ++/* returns malloced base64 encoded string ++ * lines are split with \n characters to be nearest lower multiple of linelen ++ * if linelen/4 == 0 lines are not split ++ * if linelen < 0 default line length (64) is used ++ * the returned string is empty when len == 0 ++ * returns NULL on failures ++ */ ++char *b64encode(const void *data, size_t len, int linelen); ++ ++/* decodes from zero terminated base64 encoded string to a newly malloced buffer ++ * ignores whitespace characters in the input string ++ * return values: ++ * 0 - OK ++ * 1 - input is NULL ++ * 2 - invalid length ++ * 3 - invalid characters on input ++ * 4 - malloc failed ++ */ ++int b64decode(const char *in, void **out, size_t *outlen); ++ ++/* counts CRC24 and base64 encodes it in a malloced string ++ * returns NULL on failures ++ */ ++char *b64crc(const unsigned char *data, size_t len); +diff -r ec9e6c427068 rpmio/digest.c +--- a/rpmio/digest.c Wed Oct 24 16:02:51 2007 +0300 ++++ b/rpmio/digest.c Thu Nov 01 10:56:58 2007 +0100 +@@ -19,16 +19,7 @@ + */ + struct DIGEST_CTX_s { + rpmDigestFlags flags; /*!< Bit(s) to control digest operation. */ +- uint32_t datalen; /*!< No. bytes in block of plaintext data. */ +- uint32_t paramlen; /*!< No. bytes of digest parameters. */ +- uint32_t digestlen; /*!< No. bytes of digest. */ +- void * param; /*!< Digest parameters. 
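Review bot: The bounds test in `base64_decode_value` in the new rpmio/base64.c admits one index too many. The `decoding` table has 80 entries (indices 0 to 79, covering '+' through 'z'), but `value_in > decoding_size` lets `value_in == 80` (the byte '{') through, so `decoding[80]` is read one element past the table. `b64decode` passes every input byte above 32 to this function, so the read is reachable from the encoded input; the test should be `if (value_in < 0 || value_in >= decoding_size)`. The follow-up hunk `@@ -98,21 +98,20 @@` for the same file later in this patch switches to `unsigned char` but keeps `>` in `value_in > sizeof(decoding)/sizeof(int)`, so it needs the same change to `>=`.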
*/ +- int (*Reset) (void * param) +- /*@modifies param @*/; /*!< Digest initialize. */ +- int (*Update) (void * param, const byte * data, size_t size) +- /*@modifies param @*/; /*!< Digest transform. */ +- int (*Digest) (void * param, /*@out@*/ byte * digest) +- /*@modifies param, digest @*/; /*!< Digest finish. */ ++ HASHContext *hashctx; /*!< Internal NSS hash context. */ + }; + + /*@-boundsread@*/ +@@ -37,115 +28,101 @@ rpmDigestDup(DIGEST_CTX octx) + { + DIGEST_CTX nctx; + nctx = memcpy(xcalloc(1, sizeof(*nctx)), octx, sizeof(*nctx)); +- nctx->param = memcpy(xcalloc(1, nctx->paramlen), octx->param, nctx->paramlen); ++ nctx->hashctx = HASH_Clone(octx->hashctx); ++ if (nctx->hashctx == NULL) { ++ fprintf(stderr, "HASH_Clone failed\n"); ++ exit(EXIT_FAILURE); /* FIX: callers do not bother checking error return */ ++ } + return nctx; + } + /*@=boundsread@*/ + +-DIGEST_CTX +-rpmDigestInit(pgpHashAlgo hashalgo, rpmDigestFlags flags) ++static HASH_HashType ++getHashType(pgpHashAlgo hashalgo) + { +- DIGEST_CTX ctx = xcalloc(1, sizeof(*ctx)); +- int xx; +- +- ctx->flags = flags; +- + switch (hashalgo) { + case PGPHASHALGO_MD5: +- ctx->digestlen = 16; +- ctx->datalen = 64; +-/*@-sizeoftype@*/ /* FIX: union, not void pointer */ +- ctx->paramlen = sizeof(md5Param); +-/*@=sizeoftype@*/ +- ctx->param = xcalloc(1, ctx->paramlen); +-/*@-type@*/ /* FIX: cast? */ +- ctx->Reset = (void *) md5Reset; +- ctx->Update = (void *) md5Update; +- ctx->Digest = (void *) md5Digest; +-/*@=type@*/ ++ return HASH_AlgMD5; + break; + case PGPHASHALGO_SHA1: +- ctx->digestlen = 20; +- ctx->datalen = 64; +-/*@-sizeoftype@*/ /* FIX: union, not void pointer */ +- ctx->paramlen = sizeof(sha1Param); +-/*@=sizeoftype@*/ +- ctx->param = xcalloc(1, ctx->paramlen); +-/*@-type@*/ /* FIX: cast? 
*/ +- ctx->Reset = (void *) sha1Reset; +- ctx->Update = (void *) sha1Update; +- ctx->Digest = (void *) sha1Digest; +-/*@=type@*/ ++ return HASH_AlgSHA1; + break; +-#if HAVE_BEECRYPT_API_H + case PGPHASHALGO_SHA256: +- ctx->digestlen = 32; +- ctx->datalen = 64; +-/*@-sizeoftype@*/ /* FIX: union, not void pointer */ +- ctx->paramlen = sizeof(sha256Param); +-/*@=sizeoftype@*/ +- ctx->param = xcalloc(1, ctx->paramlen); +-/*@-type@*/ /* FIX: cast? */ +- ctx->Reset = (void *) sha256Reset; +- ctx->Update = (void *) sha256Update; +- ctx->Digest = (void *) sha256Digest; +-/*@=type@*/ ++ return HASH_AlgSHA256; + break; + case PGPHASHALGO_SHA384: +- ctx->digestlen = 48; +- ctx->datalen = 128; +-/*@-sizeoftype@*/ /* FIX: union, not void pointer */ +- ctx->paramlen = sizeof(sha384Param); +-/*@=sizeoftype@*/ +- ctx->param = xcalloc(1, ctx->paramlen); +-/*@-type@*/ /* FIX: cast? */ +- ctx->Reset = (void *) sha384Reset; +- ctx->Update = (void *) sha384Update; +- ctx->Digest = (void *) sha384Digest; +-/*@=type@*/ ++ return HASH_AlgSHA384; + break; + case PGPHASHALGO_SHA512: +- ctx->digestlen = 64; +- ctx->datalen = 128; +-/*@-sizeoftype@*/ /* FIX: union, not void pointer */ +- ctx->paramlen = sizeof(sha512Param); +-/*@=sizeoftype@*/ +- ctx->param = xcalloc(1, ctx->paramlen); +-/*@-type@*/ /* FIX: cast? 
*/ +- ctx->Reset = (void *) sha512Reset; +- ctx->Update = (void *) sha512Update; +- ctx->Digest = (void *) sha512Digest; +-/*@=type@*/ ++ return HASH_AlgSHA512; + break; +-#endif + case PGPHASHALGO_RIPEMD160: + case PGPHASHALGO_MD2: + case PGPHASHALGO_TIGER192: + case PGPHASHALGO_HAVAL_5_160: + default: ++ return HASH_AlgNULL; ++ /*@notreached@*/ break; ++ } ++} ++ ++size_t ++rpmDigestLength(pgpHashAlgo hashalgo) ++{ ++ return HASH_ResultLen(getHashType(hashalgo)); ++} ++ ++DIGEST_CTX ++rpmDigestInit(pgpHashAlgo hashalgo, rpmDigestFlags flags) ++{ ++ HASH_HashType type; ++ DIGEST_CTX ctx = xcalloc(1, sizeof(*ctx)); ++ ++ if (NSS_NoDB_Init(NULL) != SECSuccess) ++ return NULL; ++ ++ ctx->flags = flags; ++ ++ type = getHashType(hashalgo); ++ if (type == HASH_AlgNULL) { + free(ctx); + return NULL; +- /*@notreached@*/ break; + } + +-/*@-boundsread@*/ +- xx = (*ctx->Reset) (ctx->param); +-/*@=boundsread@*/ ++ ctx->hashctx = HASH_Create(type); ++ if (ctx->hashctx == NULL) { ++ free(ctx); ++ return NULL; ++ } + +-DPRINTF((stderr, "*** Init(%x) ctx %p param %p\n", flags, ctx, ctx->param)); ++ HASH_Begin(ctx->hashctx); ++ ++DPRINTF((stderr, "*** Init(%x) ctx %p hashctx %p\n", flags, ctx, ctx->hashctx)); + return ctx; + } + +-/*@-mustmod@*/ /* LCL: ctx->param may be modified, but ctx is abstract @*/ ++/*@-mustmod@*/ /* LCL: ctx->hashctx may be modified, but ctx is abstract @*/ + int + rpmDigestUpdate(DIGEST_CTX ctx, const void * data, size_t len) + { ++ unsigned int partlen; ++ const unsigned char *ptr = data; ++ + if (ctx == NULL) + return -1; + +-DPRINTF((stderr, "*** Update(%p,%p,%d) param %p \"%s\"\n", ctx, data, len, ctx->param, ((char *)data))); ++DPRINTF((stderr, "*** Update(%p,%p,%d) hashctx %p \"%s\"\n", ctx, data, len, ctx->hashctx, ((char *)data))); + /*@-boundsread@*/ +- return (*ctx->Update) (ctx->param, data, len); ++ partlen = ~(unsigned int)0xFF; ++ while (len > 0) { ++ if (len < partlen) { ++ partlen = (unsigned int)len; ++ } ++ HASH_Update(ctx->hashctx, ptr, 
partlen); ++ ptr += partlen; ++ len -= partlen; ++ } ++ return 0; + /*@=boundsread@*/ + } + /*@=mustmod@*/ +@@ -154,35 +131,37 @@ int + int + rpmDigestFinal(DIGEST_CTX ctx, void ** datap, size_t *lenp, int asAscii) + { +- byte * digest; ++ unsigned char * digest; + char * t; + int i; ++ unsigned int digestlen; + + if (ctx == NULL) + return -1; +- digest = xmalloc(ctx->digestlen); ++ digestlen = HASH_ResultLenContext(ctx->hashctx); ++ digest = xmalloc(digestlen); + +-DPRINTF((stderr, "*** Final(%p,%p,%p,%d) param %p digest %p\n", ctx, datap, lenp, asAscii, ctx->param, digest)); +-/*@-noeffectuncon@*/ /* FIX: check rc */ +- (void) (*ctx->Digest) (ctx->param, digest); ++DPRINTF((stderr, "*** Final(%p,%p,%p,%d) hashctx %p digest %p\n", ctx, datap, lenp, asAscii, ctx->hashctx, digest)); ++/*@-noeffectuncon@*/ ++ HASH_End(ctx->hashctx, digest, &digestlen, digestlen); + /*@=noeffectuncon@*/ + + /* Return final digest. */ + /*@-branchstate@*/ + if (!asAscii) { +- if (lenp) *lenp = ctx->digestlen; ++ if (lenp) *lenp = digestlen; + if (datap) { + *datap = digest; + digest = NULL; + } + } else { +- if (lenp) *lenp = (2*ctx->digestlen) + 1; ++ if (lenp) *lenp = (2*digestlen) + 1; + if (datap) { + const byte * s = (const byte *) digest; + static const char hex[] = "0123456789abcdef"; + +- *datap = t = xmalloc((2*ctx->digestlen) + 1); +- for (i = 0 ; i < ctx->digestlen; i++) { ++ *datap = t = xmalloc((2*digestlen) + 1); ++ for (i = 0 ; i < digestlen; i++) { + *t++ = hex[ (unsigned)((*s >> 4) & 0x0f) ]; + *t++ = hex[ (unsigned)((*s++ ) & 0x0f) ]; + } +@@ -191,11 +170,10 @@ DPRINTF((stderr, "*** Final(%p,%p,%p,%d) + } + /*@=branchstate@*/ + if (digest) { +- memset(digest, 0, ctx->digestlen); /* In case it's sensitive */ ++ memset(digest, 0, digestlen); /* In case it's sensitive */ + free(digest); + } +- memset(ctx->param, 0, ctx->paramlen); /* In case it's sensitive */ +- free(ctx->param); ++ HASH_Destroy(ctx->hashctx); + memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */ 
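Review bot: `rpmDigestInit` allocates `ctx` with `xcalloc` before it calls `NSS_NoDB_Init(NULL)`, and the failure branch `return NULL;` leaves without freeing it. The two later error paths in the same function do call `free(ctx)`. Either move the allocation below the NSS initialisation or free on that path: `if (NSS_NoDB_Init(NULL) != SECSuccess) { free(ctx); return NULL; }`. The comment added in `rpmDigestDup` says callers do not check error returns, so a NULL from this function may go unnoticed as well; that is worth confirming against the call sites, which are outside this hunk.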
+ free(ctx); + return 0; +diff -r ec9e6c427068 rpmio/rpmio_internal.h +--- a/rpmio/rpmio_internal.h Wed Oct 24 16:02:51 2007 +0300 ++++ b/rpmio/rpmio_internal.h Thu Nov 01 10:56:58 2007 +0100 +@@ -9,30 +9,14 @@ + #include + #include + +-#if HAVE_BEECRYPT_API_H +-#include +-#else +-#include +-#endif +- + #include + #include +- +-/* Drag in the beecrypt includes. */ +-#include + #include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#if HAVE_BEECRYPT_API_H +-#include +-#include +-#include +-#endif ++ ++#include "nss.h" ++#include "sechash.h" ++#include "keyhi.h" ++#include "cryptohi.h" + + /** \ingroup rpmio + * Values parsed from OpenPGP signature/pubkey packet(s). +@@ -85,20 +69,13 @@ struct pgpDig_s { + void * md5; /*!< (rsa) V3 signature hash. */ + size_t md5len; /*!< (rsa) V3 signature hash length. */ + +- /* DSA parameters. */ +- mpbarrett p; +- mpbarrett q; +- mpnumber g; +- mpnumber y; +- mpnumber hm; +- mpnumber r; +- mpnumber s; +- +- /* RSA parameters. 
*/ +- rsapk rsa_pk; +- mpnumber m; +- mpnumber c; +- mpnumber rsahm; ++ /* DSA parameters */ ++ SECKEYPublicKey *dsa; ++ SECItem *dsasig; ++ ++ /* RSA parameters */ ++ SECKEYPublicKey *rsa; ++ SECItem *rsasig; + }; + + /** \ingroup rpmio +diff -r ec9e6c427068 rpmio/rpmpgp.c +--- a/rpmio/rpmpgp.c Wed Oct 24 16:02:51 2007 +0300 ++++ b/rpmio/rpmpgp.c Thu Nov 01 10:56:58 2007 +0100 +@@ -260,38 +260,100 @@ const char * pgpMpiHex(const byte *p) + /** + * @return 0 on success + */ +-static int pgpHexSet(const char * pre, int lbits, +- /*@out@*/ mpnumber * mpn, const byte * p, const byte * pend) ++static int pgpMpiSet(const char * pre, int lbits, ++ /*@out@*/ void *dest, const byte * p, const byte * pend) + /*@globals fileSystem @*/ +- /*@modifies mpn, fileSystem @*/ ++ /*@modifies dest, fileSystem @*/ + { + unsigned int mbits = pgpMpiBits(p); + unsigned int nbits; + unsigned int nbytes; +- char * t; ++ char *t = dest; + unsigned int ix; + + if ((p + ((mbits+7) >> 3)) > pend) + return 1; + ++ if (mbits > lbits) ++ return 1; ++ + nbits = (lbits > mbits ? 
lbits : mbits); + nbytes = ((nbits + 7) >> 3); +- t = xmalloc(2*nbytes+1); +- ix = 2 * ((nbits - mbits) >> 3); ++ ix = (nbits - mbits) >> 3; + + if (_debug) +-fprintf(stderr, "*** mbits %u nbits %u nbytes %u t %p[%d] ix %u\n", mbits, nbits, nbytes, t, (2*nbytes+1), ix); +- if (ix > 0) memset(t, (int)'0', ix); +- strcpy(t+ix, pgpMpiHex(p)); ++fprintf(stderr, "*** mbits %u nbits %u nbytes %u ix %u\n", mbits, nbits, nbytes, ix); ++ if (ix > 0) memset(t, '\0', ix); ++ memcpy(t+ix, p+2, nbytes-ix); + if (_debug) +-fprintf(stderr, "*** %s %s\n", pre, t); +- (void) mpnsethex(mpn, t); +- t = _free(t); +-if (_debug && _print) +-fprintf(stderr, "\t %s ", pre), mpfprintln(stderr, mpn->size, mpn->data); ++fprintf(stderr, "*** %s %s\n", pre, pgpHexStr(dest, nbytes)); ++ + return 0; + } ++ ++/** ++ * @return NULL on error ++ */ ++static SECItem *pgpMpiItem(PRArenaPool *arena, /*@out@*/ SECItem *item, const byte *p) ++ /*@globals fileSystem @*/ ++ /*@modifies dest, fileSystem @*/ ++{ ++ unsigned int nbytes = pgpMpiLen(p)-2; ++ ++ if (item == NULL) { ++ if ((item=SECITEM_AllocItem(arena, item, nbytes)) == NULL) ++ return item; ++ } else { ++ if (arena != NULL) ++ item->data = PORT_ArenaGrow(arena, item->data, item->len, nbytes); ++ else ++ item->data = PORT_Realloc(item->data, nbytes); ++ ++ if (item->data == NULL) { ++ if (arena == NULL) ++ SECITEM_FreeItem(item, PR_TRUE); ++ return NULL; ++ } ++ } ++ ++ memcpy(item->data, p+2, nbytes); ++ item->len = nbytes; ++ return item; ++} + /*@=boundswrite@*/ ++ ++static SECKEYPublicKey *pgpNewPublicKey(KeyType type) ++{ ++ PRArenaPool *arena; ++ SECKEYPublicKey *key; ++ ++ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); ++ if (arena == NULL) ++ return NULL; ++ ++ key = PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey)); ++ ++ if (key == NULL) { ++ PORT_FreeArena(arena, PR_FALSE); ++ return NULL; ++ } ++ ++ key->keyType = type; ++ key->pkcs11ID = CK_INVALID_HANDLE; ++ key->pkcs11Slot = NULL; ++ key->arena = arena; ++ return key; ++} ++ 
++static SECKEYPublicKey *pgpNewRSAKey(void) ++{ ++ return pgpNewPublicKey(rsaKey); ++} ++ ++static SECKEYPublicKey *pgpNewDSAKey(void) ++{ ++ return pgpNewPublicKey(dsaKey); ++} + + int pgpPrtSubType(const byte *h, unsigned int hlen, pgpSigType sigtype) + { +@@ -407,6 +469,10 @@ static const char * pgpSigDSA[] = { + }; + /*@=varuse =readonlytrans @*/ + ++#ifndef DSA_SUBPRIME_LEN ++#define DSA_SUBPRIME_LEN 20 ++#endif ++ + static int pgpPrtSigParams(/*@unused@*/ pgpTag tag, byte pubkey_algo, byte sigtype, + const byte *p, const byte *h, unsigned int hlen) + /*@globals fileSystem @*/ +@@ -414,7 +480,13 @@ static int pgpPrtSigParams(/*@unused@*/ + { + const byte * pend = h + hlen; + int i; +- ++ SECItem dsaraw; ++ unsigned char dsabuf[2*DSA_SUBPRIME_LEN]; ++ ++ dsaraw.type = 0; ++ dsaraw.data = dsabuf; ++ dsaraw.len = sizeof(dsabuf); ++ + for (i = 0; p < pend; i++, p += pgpMpiLen(p)) { + if (pubkey_algo == PGPPUBKEYALGO_RSA) { + if (i >= 1) break; +@@ -423,9 +495,9 @@ static int pgpPrtSigParams(/*@unused@*/ + { + switch (i) { + case 0: /* m**d */ +- (void) mpnsethex(&_dig->c, pgpMpiHex(p)); +-if (_debug && _print) +-fprintf(stderr, "\t m**d = "), mpfprintln(stderr, _dig->c.size, _dig->c.data); ++ _dig->rsasig = pgpMpiItem(NULL, _dig->rsasig, p); ++ if (_dig->rsasig == NULL) ++ return 1; + /*@switchbreak@*/ break; + default: + /*@switchbreak@*/ break; +@@ -440,11 +512,21 @@ fprintf(stderr, "\t m**d = "), mpfprin + int xx; + xx = 0; + switch (i) { +- case 0: /* r */ +- xx = pgpHexSet(pgpSigDSA[i], 160, &_dig->r, p, pend); ++ case 0: ++ memset(dsaraw.data, '\0', 2*DSA_SUBPRIME_LEN); ++ /* r */ ++ xx = pgpMpiSet(pgpSigDSA[i], DSA_SUBPRIME_LEN*8, dsaraw.data, p, pend); + /*@switchbreak@*/ break; + case 1: /* s */ +- xx = pgpHexSet(pgpSigDSA[i], 160, &_dig->s, p, pend); ++ xx = pgpMpiSet(pgpSigDSA[i], DSA_SUBPRIME_LEN*8, dsaraw.data + DSA_SUBPRIME_LEN, p, pend); ++ if (_dig->dsasig != NULL) ++ SECITEM_FreeItem(_dig->dsasig, PR_FALSE); ++ else if 
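Review bot: `pgpMpiItem` copies `pgpMpiLen(p)-2` bytes from `p+2` without knowing where the packet ends, so the copy length comes entirely from the two MPI header bytes in the input. `pgpMpiSet` in the same hunk takes `pend` and rejects an MPI that runs past it; `pgpMpiItem` should take the same argument and begin with `if (p + pgpMpiLen(p) > pend) return NULL;`. The loop visible in `pgpPrtSigParams` only tests `p < pend` before the call, and the `pgpPrtPubkeyParams` call sites should be checked the same way. Separately, the existing test in `pgpMpiSet`, `(p + ((mbits+7) >> 3)) > pend`, does not count the 2-byte header that the new `memcpy(t+ix, p+2, nbytes-ix)` skips, so it looks two bytes too permissive; `p + 2 + ((mbits+7) >> 3) > pend` would match the copy.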
((_dig->dsasig=SECITEM_AllocItem(NULL, NULL, 0)) == NULL) { ++ xx = 1; ++ /*@switchbreak@*/ break; ++ } ++ if (DSAU_EncodeDerSig(_dig->dsasig, &dsaraw) != SECSuccess) ++ xx = 1; + /*@switchbreak@*/ break; + default: + xx = 1; +@@ -629,16 +711,17 @@ static const byte * pgpPrtPubkeyParams(b + if (pubkey_algo == PGPPUBKEYALGO_RSA) { + if (i >= 2) break; + if (_dig) { ++ if (_dig->rsa == NULL) { ++ _dig->rsa = pgpNewRSAKey(); ++ if (_dig->rsa == NULL) ++ break; /* error abort? */ ++ } + switch (i) { + case 0: /* n */ +- (void) mpbsethex(&_dig->rsa_pk.n, pgpMpiHex(p)); +-if (_debug && _print) +-fprintf(stderr, "\t n = "), mpfprintln(stderr, _dig->rsa_pk.n.size, _dig->rsa_pk.n.modl); ++ pgpMpiItem(_dig->rsa->arena, &_dig->rsa->u.rsa.modulus, p); + /*@switchbreak@*/ break; + case 1: /* e */ +- (void) mpnsethex(&_dig->rsa_pk.e, pgpMpiHex(p)); +-if (_debug && _print) +-fprintf(stderr, "\t e = "), mpfprintln(stderr, _dig->rsa_pk.e.size, _dig->rsa_pk.e.data); ++ pgpMpiItem(_dig->rsa->arena, &_dig->rsa->u.rsa.publicExponent, p); + /*@switchbreak@*/ break; + default: + /*@switchbreak@*/ break; +@@ -648,26 +731,23 @@ fprintf(stderr, "\t e = "), mpfprin + } else if (pubkey_algo == PGPPUBKEYALGO_DSA) { + if (i >= 4) break; + if (_dig) { ++ if (_dig->dsa == NULL) { ++ _dig->dsa = pgpNewDSAKey(); ++ if (_dig->dsa == NULL) ++ break; /* error abort? 
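Review bot: The RSA branch of `pgpPrtPubkeyParams` discards the return value of `pgpMpiItem` for both the modulus and the public exponent, so a failed allocation leaves the key item with NULL `data` while parsing carries on as if the value had been stored. `pgpPrtSigParams` in an earlier hunk does check it (`if (_dig->rsasig == NULL) return 1;`). The same pattern belongs here, e.g. `if (pgpMpiItem(_dig->rsa->arena, &_dig->rsa->u.rsa.modulus, p) == NULL)` followed by the function's error exit, which lies outside the hunk. The DSA branch in the next hunk (`@@ -648,26 +731,23 @@`) ignores the result for p, q, g and y in the same way. In both branches a failed key allocation only does `break; /* error abort? */`, which, as far as the hunk shows, is indistinguishable from normal loop termination.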
*/ ++ } + switch (i) { + case 0: /* p */ +- (void) mpbsethex(&_dig->p, pgpMpiHex(p)); +-if (_debug && _print) +-fprintf(stderr, "\t p = "), mpfprintln(stderr, _dig->p.size, _dig->p.modl); ++ pgpMpiItem(_dig->dsa->arena, &_dig->dsa->u.dsa.params.prime, p); + /*@switchbreak@*/ break; + case 1: /* q */ +- (void) mpbsethex(&_dig->q, pgpMpiHex(p)); +-if (_debug && _print) +-fprintf(stderr, "\t q = "), mpfprintln(stderr, _dig->q.size, _dig->q.modl); ++ pgpMpiItem(_dig->dsa->arena, &_dig->dsa->u.dsa.params.subPrime, p); + /*@switchbreak@*/ break; + case 2: /* g */ +- (void) mpnsethex(&_dig->g, pgpMpiHex(p)); +-if (_debug && _print) +-fprintf(stderr, "\t g = "), mpfprintln(stderr, _dig->g.size, _dig->g.data); ++ pgpMpiItem(_dig->dsa->arena, &_dig->dsa->u.dsa.params.base, p); + /*@switchbreak@*/ break; + case 3: /* y */ +- (void) mpnsethex(&_dig->y, pgpMpiHex(p)); +-if (_debug && _print) +-fprintf(stderr, "\t y = "), mpfprintln(stderr, _dig->y.size, _dig->y.data); ++ pgpMpiItem(_dig->dsa->arena, &_dig->dsa->u.dsa.publicValue, p); + /*@switchbreak@*/ break; + default: + /*@switchbreak@*/ break; +@@ -1014,6 +1094,8 @@ pgpDig pgpNewDig(void) + pgpDig pgpNewDig(void) + { + pgpDig dig = xcalloc(1, sizeof(*dig)); ++ NSS_NoDB_Init(NULL); ++ + return dig; + } + +@@ -1038,14 +1120,27 @@ void pgpCleanDig(pgpDig dig) + + dig->md5 = _free(dig->md5); + dig->sha1 = _free(dig->sha1); +- mpnfree(&dig->hm); +- mpnfree(&dig->r); +- mpnfree(&dig->s); +- +- (void) rsapkFree(&dig->rsa_pk); +- mpnfree(&dig->m); +- mpnfree(&dig->c); +- mpnfree(&dig->rsahm); ++ ++ if (dig->dsa != NULL) { ++ SECKEY_DestroyPublicKey(dig->dsa); ++ dig->dsa = NULL; ++ } ++ ++ if (dig->dsasig != NULL) { ++ SECITEM_ZfreeItem(dig->dsasig, PR_TRUE); ++ dig->dsasig = NULL; ++ } ++ ++ if (dig->rsa != NULL) { ++ SECKEY_DestroyPublicKey(dig->rsa); ++ dig->rsa = NULL; ++ } ++ ++ if (dig->rsasig != NULL) { ++ SECITEM_ZfreeItem(dig->rsasig, PR_TRUE); ++ dig->rsasig = NULL; ++ } ++ + } + /*@-nullstate@*/ + return; +@@ -1072,14 
+1167,6 @@ pgpDig pgpFreeDig(/*@only@*/ /*@null@*/ + (void) rpmDigestFinal(dig->sha1ctx, NULL, NULL, 0); + /*@=branchstate@*/ + dig->sha1ctx = NULL; +- +- mpbfree(&dig->p); +- mpbfree(&dig->q); +- mpnfree(&dig->g); +- mpnfree(&dig->y); +- mpnfree(&dig->hm); +- mpnfree(&dig->r); +- mpnfree(&dig->s); + + #ifdef NOTYET + /*@-branchstate@*/ +@@ -1094,12 +1181,6 @@ pgpDig pgpFreeDig(/*@only@*/ /*@null@*/ + (void) rpmDigestFinal(dig->md5ctx, NULL, NULL, 0); + /*@=branchstate@*/ + dig->md5ctx = NULL; +- +- mpbfree(&dig->rsa_pk.n); +- mpnfree(&dig->rsa_pk.e); +- mpnfree(&dig->m); +- mpnfree(&dig->c); +- mpnfree(&dig->hm); + + dig = _free(dig); + } +@@ -1286,20 +1367,13 @@ char * pgpArmorWrap(int atype, const uns + { + const char * enc; + char * t; +- size_t nt; ++ size_t nt = 0; + char * val; +- int lc; +- +- nt = ((ns + 2) / 3) * 4; +- /*@-globs@*/ +- /* Add additional bytes necessary for eol string(s). */ +- if (b64encode_chars_per_line > 0 && b64encode_eolstr != NULL) { +- lc = (nt + b64encode_chars_per_line - 1) / b64encode_chars_per_line; +- if (((nt + b64encode_chars_per_line - 1) % b64encode_chars_per_line) != 0) +- ++lc; +- nt += lc * strlen(b64encode_eolstr); +- } +- /*@=globs@*/ ++ ++ enc = b64encode(s, ns, -1); ++ if (enc != NULL) { ++ nt = strlen(enc); ++ } + + nt += 512; /* XXX slop for armor and crc */ + +@@ -1311,9 +1385,9 @@ char * pgpArmorWrap(int atype, const uns + /*@-globs@*/ + t = stpcpy( stpcpy(t, "-----\nVersion: rpm-"), VERSION); + /*@=globs@*/ +- t = stpcpy(t, " (beecrypt-4.1.2)\n\n"); +- +- if ((enc = b64encode(s, ns)) != NULL) { ++ t = stpcpy(t, " (NSS-3)\n\n"); ++ ++ if (enc != NULL) { + t = stpcpy(t, enc); + enc = _free(enc); + if ((enc = b64crc(s, ns)) != NULL) { +diff -r ec9e6c427068 rpmio/rpmpgp.h +--- a/rpmio/rpmpgp.h Wed Oct 24 16:02:51 2007 +0300 ++++ b/rpmio/rpmpgp.h Thu Nov 01 10:56:58 2007 +0100 +@@ -12,11 +12,7 @@ + + #include + +-#if !defined(_BEECRYPT_API_H) +-/*@-redef@*/ + typedef unsigned char byte; +-/*@=redef@*/ +-#endif /* 
_BEECRYPT_API_H */ + + /** + */ +@@ -1393,6 +1389,15 @@ DIGEST_CTX rpmDigestDup(DIGEST_CTX octx) + /*@*/; + + /** \ingroup rpmio ++ * Obtain digest length in bytes. ++ * @param hashalgo type of digest ++ * @return digest length ++ */ ++/*@only@*/ /*@null@*/ ++size_t rpmDigestLength(pgpHashAlgo hashalgo) ++ /*@*/; ++ ++/** \ingroup rpmio + * Initialize digest. + * Set bit count to 0 and buffer to mysterious initialization constants. + * @param hashalgo type of digest +diff -r ec9e6c427068 rpmio/tkey.c +--- a/rpmio/tkey.c Wed Oct 24 16:02:51 2007 +0300 ++++ b/rpmio/tkey.c Thu Nov 01 10:56:58 2007 +0100 +@@ -31,7 +31,7 @@ fprintf(stderr, "*** sig is\n%s\n", sig) + return rc; + } + +- if ((enc = b64encode(dec, declen)) == NULL) { ++ if ((enc = b64encode(dec, declen, -1)) == NULL) { + fprintf(stderr, "*** b64encode failed\n"); + return rc; + } +@@ -51,52 +51,40 @@ fprintf(stderr, "??? %5d %02x != %02x '% + return rc; + } + +-/* FIPS-186 test vectors. */ +-static const char * fips_p = "8df2a494492276aa3d25759bb06869cbeac0d83afb8d0cf7cbb8324f0d7882e5d0762fc5b7210eafc2e9adac32ab7aac49693dfbf83724c2ec0736ee31c80291"; +-static const char * fips_q = "c773218c737ec8ee993b4f2ded30f48edace915f"; +-static const char * fips_g = "626d027839ea0a13413163a55b4cb500299d5522956cefcb3bff10f399ce2c2e71cb9de5fa24babf58e5b79521925c9cc42e9f6f464b088cc572af53e6d78802"; +- +-static const char * fips_hm = "a9993e364706816aba3e25717850c26c9cd0d89d"; +- +-static const char * fips_y = "19131871d75b1612a819f29d78d1b0d7346f7aa77bb62a859bfd6c5675da9d212d3a36ef1672ef660b8c7c255cc0ec74858fba33f44c06699630a76b030ee333"; +- +-static const char * fips_r = "8bac1ab66410435cb7181f95b16ab97c92b341c0"; +-static const char * fips_s = "41e2345f1f56df2458f426d155b4ba2db6dcd8c8"; +- + /* Secret key */ +-static const char * jbjSecretDSA = " +-lQFvBDu6XHwRAwCTIHRgKeIlOFUIEZeJVYSrXn0eUrM5S8OF471tTc+IV7AwiXBR +-zCFCan4lO1ipmoAipyN2A6ZX0HWOcWdYlWz2adxA7l8JNiZTzkemA562xwex2wLy 
+-AQWVTtRN6jv0LccAoN4UWZkIvkT6tV918sEvDEggGARxAv9190RhrDq/GMqd+AHm +-qWrRkrBRHDUBBL2fYEuU3gFekYrW5CDIN6s3Mcq/yUsvwHl7bwmoqbf2qabbyfnv +-Y66ETOPKLcw67ggcptHXHcwlvpfJmHKpjK+ByzgauPXXbRAC+gKDjzXL0kAQxjmT +-2D+16O4vI8Emlx2JVcGLlq/aWhspvQWIzN6PytA3iKZ6uzesrM7yXmqzgodZUsJh +-1wwl/0K5OIJn/oD41UayU8RXNER8SzDYvDYsJymFRwE1s58lL/8DAwJUAllw1pdZ +-WmBIoAvRiv7kE6hWfeCvZzdBVgrHYrp8ceUa3OdulGfYw/0sIzpEU0FfZmFjdG9y +-OgAA30gJ4JMFKVfthnDCHHL+O8lNxykKBmrgVPLClue0KUplZmYgSm9obnNvbiAo +-QVJTIE4zTlBRKSA8amJqQHJlZGhhdC5jb20+iFcEExECABcFAju6XHwFCwcKAwQD +-FQMCAxYCAQIXgAAKCRCB0qVW2I6DmQU6AJ490bVWZuM4yCOh8MWj6qApCr1/gwCf +-f3+QgXFXAeTyPtMmReyWxThABtE= ++static const char * jbjSecretDSA = "\n\ ++lQFvBDu6XHwRAwCTIHRgKeIlOFUIEZeJVYSrXn0eUrM5S8OF471tTc+IV7AwiXBR\n\ ++zCFCan4lO1ipmoAipyN2A6ZX0HWOcWdYlWz2adxA7l8JNiZTzkemA562xwex2wLy\n\ ++AQWVTtRN6jv0LccAoN4UWZkIvkT6tV918sEvDEggGARxAv9190RhrDq/GMqd+AHm\n\ ++qWrRkrBRHDUBBL2fYEuU3gFekYrW5CDIN6s3Mcq/yUsvwHl7bwmoqbf2qabbyfnv\n\ ++Y66ETOPKLcw67ggcptHXHcwlvpfJmHKpjK+ByzgauPXXbRAC+gKDjzXL0kAQxjmT\n\ ++2D+16O4vI8Emlx2JVcGLlq/aWhspvQWIzN6PytA3iKZ6uzesrM7yXmqzgodZUsJh\n\ ++1wwl/0K5OIJn/oD41UayU8RXNER8SzDYvDYsJymFRwE1s58lL/8DAwJUAllw1pdZ\n\ ++WmBIoAvRiv7kE6hWfeCvZzdBVgrHYrp8ceUa3OdulGfYw/0sIzpEU0FfZmFjdG9y\n\ ++OgAA30gJ4JMFKVfthnDCHHL+O8lNxykKBmrgVPLClue0KUplZmYgSm9obnNvbiAo\n\ ++QVJTIE4zTlBRKSA8amJqQHJlZGhhdC5jb20+iFcEExECABcFAju6XHwFCwcKAwQD\n\ ++FQMCAxYCAQIXgAAKCRCB0qVW2I6DmQU6AJ490bVWZuM4yCOh8MWj6qApCr1/gwCf\n\ ++f3+QgXFXAeTyPtMmReyWxThABtE=\n\ + "; + + /* Public key */ +-static const char * jbjPublicDSA = " +-mQFCBDu6XHwRAwCTIHRgKeIlOFUIEZeJVYSrXn0eUrM5S8OF471tTc+IV7AwiXBR +-zCFCan4lO1ipmoAipyN2A6ZX0HWOcWdYlWz2adxA7l8JNiZTzkemA562xwex2wLy +-AQWVTtRN6jv0LccAoN4UWZkIvkT6tV918sEvDEggGARxAv9190RhrDq/GMqd+AHm +-qWrRkrBRHDUBBL2fYEuU3gFekYrW5CDIN6s3Mcq/yUsvwHl7bwmoqbf2qabbyfnv +-Y66ETOPKLcw67ggcptHXHcwlvpfJmHKpjK+ByzgauPXXbRAC+gKDjzXL0kAQxjmT +-2D+16O4vI8Emlx2JVcGLlq/aWhspvQWIzN6PytA3iKZ6uzesrM7yXmqzgodZUsJh 
+-1wwl/0K5OIJn/oD41UayU8RXNER8SzDYvDYsJymFRwE1s58lL7QpSmVmZiBKb2hu +-c29uIChBUlMgTjNOUFEpIDxqYmpAcmVkaGF0LmNvbT6IVwQTEQIAFwUCO7pcfAUL +-BwoDBAMVAwIDFgIBAheAAAoJEIHSpVbYjoOZBToAn3TXaAI+bhg51EeyaiFip/6W +-OVwBAJ44rTtNsgZBQxXISjB64CWxl4VaWQ== ++static const char * jbjPublicDSA = "\n\ ++mQFCBDu6XHwRAwCTIHRgKeIlOFUIEZeJVYSrXn0eUrM5S8OF471tTc+IV7AwiXBR\n\ ++zCFCan4lO1ipmoAipyN2A6ZX0HWOcWdYlWz2adxA7l8JNiZTzkemA562xwex2wLy\n\ ++AQWVTtRN6jv0LccAoN4UWZkIvkT6tV918sEvDEggGARxAv9190RhrDq/GMqd+AHm\n\ ++qWrRkrBRHDUBBL2fYEuU3gFekYrW5CDIN6s3Mcq/yUsvwHl7bwmoqbf2qabbyfnv\n\ ++Y66ETOPKLcw67ggcptHXHcwlvpfJmHKpjK+ByzgauPXXbRAC+gKDjzXL0kAQxjmT\n\ ++2D+16O4vI8Emlx2JVcGLlq/aWhspvQWIzN6PytA3iKZ6uzesrM7yXmqzgodZUsJh\n\ ++1wwl/0K5OIJn/oD41UayU8RXNER8SzDYvDYsJymFRwE1s58lL7QpSmVmZiBKb2hu\n\ ++c29uIChBUlMgTjNOUFEpIDxqYmpAcmVkaGF0LmNvbT6IVwQTEQIAFwUCO7pcfAUL\n\ ++BwoDBAMVAwIDFgIBAheAAAoJEIHSpVbYjoOZBToAn3TXaAI+bhg51EeyaiFip/6W\n\ ++OVwBAJ44rTtNsgZBQxXISjB64CWxl4VaWQ==\n\ + "; + + /* Signature */ +-static const char * abcSignatureDSA = " +-iD8DBQA7vII+gdKlVtiOg5kRAvg4AJ0fV3gDBADobAnK2HOkV88bfmFMEgCeNysO +-nP3dWWJnp0Pnbor7pIob4Dk= ++static const char * abcSignatureDSA = "\n\ ++iD8DBQA7vII+gdKlVtiOg5kRAvg4AJ0fV3gDBADobAnK2HOkV88bfmFMEgCeNysO\n\ ++nP3dWWJnp0Pnbor7pIob4Dk=\n\ + "; + + int +@@ -107,28 +95,6 @@ main (int argc, char *argv[]) + int rc; + + dig = pgpNewDig(); +- +- mpbzero(&dig->p); mpbsethex(&dig->p, fips_p); +- mpbzero(&dig->q); mpbsethex(&dig->q, fips_q); +- mpnzero(&dig->g); mpnsethex(&dig->g, fips_g); +- mpnzero(&dig->y); mpnsethex(&dig->y, fips_y); +- mpnzero(&dig->r); mpnsethex(&dig->r, fips_r); +- mpnzero(&dig->s); mpnsethex(&dig->s, fips_s); +- mpnzero(&dig->hm); mpnsethex(&dig->hm, fips_hm); +- +- rc = dsavrfy(&dig->p, &dig->q, &dig->g, &dig->hm, +- &dig->y, &dig->r, &dig->s); +- +-fprintf(stderr, "=============================== DSA FIPS-186-1: rc %d\n", rc); +- +- mpbfree(&dig->p); +- mpbfree(&dig->q); +- mpnfree(&dig->g); +- mpnfree(&dig->y); +- +- mpnfree(&dig->hm); +- 
mpnfree(&dig->r); +- mpnfree(&dig->s); + + fprintf(stderr, "=============================== GPG Secret Key\n"); + if ((rc = doit(jbjSecretDSA, dig, printing)) != 0) +@@ -144,39 +110,33 @@ fprintf(stderr, "======================= + + { DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA1, RPMDIGEST_NONE); + struct pgpDigParams_s * dsig = &dig->signature; +- const char * digest = NULL; ++ void *digest = NULL; + size_t digestlen = 0; + const char * txt = "abc"; ++ SECItem digitem; + + rpmDigestUpdate(ctx, txt, strlen(txt)); + rpmDigestUpdate(ctx, dsig->hash, dsig->hashlen); +- rpmDigestFinal(ctx, (void **)&digest, &digestlen, 1); ++ rpmDigestFinal(ctx, &digest, &digestlen, 0); + +- mpnzero(&dig->hm); mpnsethex(&dig->hm, digest); ++fprintf(stderr, "\n hm = [ 160]: %s\n\n", pgpHexStr(digest, digestlen)); ++ digitem.type = siBuffer; ++ digitem.data = digest; ++ digitem.len = digestlen; + +-fprintf(stderr, "\n hm = [ 160]: %s\n\n", digest); ++ rc = VFY_VerifyDigest(&digitem, dig->dsa, dig->dsasig, SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST, NULL); + + if (digest) { +- free((void *)digest); ++ free(digest); + digest = NULL; + } + } + +- rc = dsavrfy(&dig->p, &dig->q, &dig->g, &dig->hm, +- &dig->y, &dig->r, &dig->s); + + fprintf(stderr, "=============================== DSA verify: rc %d\n", rc); +- +- mpbfree(&dig->p); +- mpbfree(&dig->q); +- mpnfree(&dig->g); +- mpnfree(&dig->y); +- +- mpnfree(&dig->hm); +- mpnfree(&dig->r); +- mpnfree(&dig->s); + + dig = pgpFreeDig(dig); + + return rc; + } ++ +diff -r ec9e6c427068 tools/Makefile.am +--- a/tools/Makefile.am Wed Oct 24 16:02:51 2007 +0300 ++++ b/tools/Makefile.am Thu Nov 01 10:56:58 2007 +0100 +@@ -8,7 +8,7 @@ INCLUDES = -I. 
\ + -I$(top_srcdir)/lib \ + -I$(top_srcdir)/rpmdb \ + -I$(top_srcdir)/rpmio \ +- @WITH_BEECRYPT_INCLUDE@ \ ++ @WITH_NSS_INCLUDE@ \ + @WITH_POPT_INCLUDE@ \ + @WITH_LIBELF_INCLUDE@ \ + @WITH_LIBDWARF_INCLUDE@ \ +@@ -36,10 +36,10 @@ convertdb1_SOURCES = convertdb1.c + convertdb1_SOURCES = convertdb1.c + + debugedit_SOURCES = debugedit.c hashtab.c +-#debugedit_LDADD = @LDFLAGS_STATIC@ \ +-debugedit_LDADD = \ ++debugedit_CFLAGS = $(INCLUDES) ++#debugedit_LDFLAGS = $(staticLDFLAGS) ++debugedit_LDADD = $(top_builddir)/rpmio/librpmio.la \ + @WITH_LIBELF_LIB@ \ +- @WITH_BEECRYPT_LIB@ \ + @WITH_POPT_LIB@ + + javadeps_SOURCES = javadeps.c +diff -r ec9e6c427068 tools/debugedit.c +--- a/tools/debugedit.c Wed Oct 24 16:02:51 2007 +0300 ++++ b/tools/debugedit.c Thu Nov 01 10:56:58 2007 +0100 +@@ -36,8 +36,8 @@ + #include + #include + +-#include +- ++#include ++#include + #include "hashtab.h" + + #define DW_TAG_partial_unit 0x3c +@@ -1304,22 +1304,27 @@ error_out: + return NULL; + } + ++static const pgpHashAlgo algorithms[] = { PGPHASHALGO_MD5, ++ PGPHASHALGO_SHA1, PGPHASHALGO_SHA256, PGPHASHALGO_SHA384, PGPHASHALGO_SHA512 }; ++ + /* Compute a fresh build ID bit-string from the editted file contents. 
*/ + static void + handle_build_id (DSO *dso, Elf_Data *build_id, + size_t build_id_offset, size_t build_id_size) + { +- hashFunctionContext ctx; +- const hashFunction *hf = NULL; +- int i = hashFunctionCount (); ++ DIGEST_CTX ctx; ++ pgpHashAlgo algorithm; ++ int i = sizeof(algorithms)/sizeof(algorithms[0]); ++ void *digest = NULL; ++ size_t len; + + while (i-- > 0) + { +- hf = hashFunctionGet (i); +- if (hf != NULL && hf->digestsize == build_id_size) ++ algorithm = algorithms[i]; ++ if (rpmDigestLength(algorithm) == build_id_size) + break; + } +- if (hf == NULL) ++ if (i < 0) + { + fprintf (stderr, "Cannot handle %Zu-byte build ID\n", build_id_size); + exit (1); +@@ -1335,7 +1340,7 @@ handle_build_id (DSO *dso, Elf_Data *bui + /* Clear the old bits so they do not affect the new hash. */ + memset ((char *) build_id->d_buf + build_id_offset, 0, build_id_size); + +- hashFunctionContextInit (&ctx, hf); ++ ctx = rpmDigestInit(algorithm, 0); + + /* Slurp the relevant header bits and section contents and feed them + into the hash function. The only bits we ignore are the offset +@@ -1349,8 +1354,7 @@ handle_build_id (DSO *dso, Elf_Data *bui + inline void process (const void *data, size_t size); + inline void process (const void *data, size_t size) + { +- memchunk chunk = { .data = (void *) data, .size = size }; +- hashFunctionContextUpdateMC (&ctx, &chunk); ++ rpmDigestUpdate(ctx, data, size); + } + + union +@@ -1405,22 +1409,17 @@ handle_build_id (DSO *dso, Elf_Data *bui + } + } + +- hashFunctionContextDigest (&ctx, (byte *) build_id->d_buf + build_id_offset); +- hashFunctionContextFree (&ctx); ++ rpmDigestFinal(ctx, &digest, &len, 0); ++ memcpy((unsigned char *)build_id->d_buf + build_id_offset, digest, build_id_size); ++ free(digest); + + elf_flagdata (build_id, ELF_C_SET, ELF_F_DIRTY); + + /* Now format the build ID bits in hex to print out. 
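Review bot: `ctx = rpmDigestInit(algorithm, 0);` in `handle_build_id` is not checked, and `rpmDigestInit` as rewritten earlier in this patch returns NULL when NSS initialisation or `HASH_Create` fails. With a NULL `ctx`, `rpmDigestUpdate` and `rpmDigestFinal` return -1 without touching their outputs, so `digest` is still NULL when the hunk `@@ -1405,22 +1409,17 @@` runs `memcpy(..., digest, build_id_size)`. A check right after the call in the style of the existing error path, `if (ctx == NULL) { fprintf (stderr, "Cannot initialize digest\n"); exit (1); }`, would close this. Checking the `rpmDigestFinal` return and that `len == build_id_size` before the `memcpy` would be a sensible second guard. The function body starts and ends outside this hunk.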
*/ + { +- const unsigned char * id = build_id->d_buf + build_id_offset; ++ const byte * id = (byte *)build_id->d_buf + build_id_offset; + char hex[build_id_size * 2 + 1]; +- int n = snprintf (hex, 3, "%02" PRIx8, id[0]); +- assert (n == 2); +- for (i = 1; i < build_id_size; ++i) +- { +- n = snprintf (&hex[i * 2], 3, "%02" PRIx8, id[i]); +- assert (n == 2); +- } ++ pgpHexCvt(hex, id, build_id_size); + puts (hex); + } + } +diff -r 39cb695c7c8b rpmio/base64.c +--- a/rpmio/base64.c Thu Nov 01 10:42:01 2007 +0100 ++++ b/rpmio/base64.c Wed Nov 14 18:16:51 2007 +0100 +@@ -98,21 +98,20 @@ char *b64encode(const void *data, size_t + return output; + } + +-static int base64_decode_value(char value_in) +-{ +- static const char decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51}; +- static const char decoding_size = sizeof(decoding); ++static int base64_decode_value(unsigned char value_in) ++{ ++ static const int decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51}; + value_in -= 43; +- if (value_in < 0 || value_in > decoding_size) ++ if (value_in > sizeof(decoding)/sizeof(int)) + return -1; +- return decoding[(int)value_in]; ++ return decoding[value_in]; + } + + static size_t base64_decode_block(const char *code_in, const size_t length_in, char *plaintext_out) + { + const char *codechar = code_in; + char *plainchar = plaintext_out; +- char fragment; ++ int fragment; + + *plainchar = 0; + +@@ -123,38 +122,38 @@ static size_t base64_decode_block(const + { + return plainchar - plaintext_out; + } +- fragment = (char)base64_decode_value(*codechar++); +- } while (fragment < 0); +- *plainchar = (fragment & 
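Review bot: The `memcpy` added in the `@@ -1405,22 +1409,17 @@` hunk copies `build_id_size` bytes out of `digest` without checking what `rpmDigestFinal` produced: its return value is dropped, `digest` starts as NULL, and `len` is never compared with `build_id_size`. The context from `rpmDigestInit(algorithm, 0)` in the `@@ -1335,7 +1340,7 @@` hunk is likewise used unchecked, so if either call fails the copy reads from a NULL or short buffer while rewriting the ELF note. A guard before the copy closes that, in the fprintf-and-exit style the function already uses: `if (digest == NULL || len != build_id_size) { fprintf (stderr, "Cannot compute build ID digest\n"); exit (1); }`. handle_build_id extends beyond both ends of this hunk.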
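Review bot: The bounds test in the rewritten `base64_decode_value` is off by one: `value_in > sizeof(decoding)/sizeof(int)` accepts an index equal to the element count, so `decoding[value_in]` can read one `int` past the end of the table. The table has 80 entries covering '+' (43) through 'z' (122), which makes the input byte '{' (123) the value that slips through. The switch to `unsigned char` does remove the negative-index case, but the comparison should be `if (value_in >= sizeof(decoding)/sizeof(decoding[0])) return -1;`. The removed lines show the same `>` comparison, so this is inherited rather than introduced; it is still worth fixing here because the decoder presumably sees externally supplied text.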
0x03f) << 2; +- +- do { +- if (codechar == code_in+length_in) +- { +- return plainchar - plaintext_out; +- } +- fragment = (char)base64_decode_value(*codechar++); +- } while (fragment < 0); +- *plainchar++ |= (fragment & 0x030) >> 4; +- *plainchar = (fragment & 0x00f) << 4; +- +- do { +- if (codechar == code_in+length_in) +- { +- return plainchar - plaintext_out; +- } +- fragment = (char)base64_decode_value(*codechar++); +- } while (fragment < 0); +- *plainchar++ |= (fragment & 0x03c) >> 2; +- *plainchar = (fragment & 0x003) << 6; +- +- do { +- if (codechar == code_in+length_in) +- { +- return plainchar - plaintext_out; +- } +- fragment = (char)base64_decode_value(*codechar++); +- } while (fragment < 0); +- *plainchar++ |= (fragment & 0x03f); ++ fragment = base64_decode_value(*codechar++); ++ } while (fragment < 0); ++ *plainchar = (char)((fragment & 0x03f) << 2); ++ ++ do { ++ if (codechar == code_in+length_in) ++ { ++ return plainchar - plaintext_out; ++ } ++ fragment = base64_decode_value(*codechar++); ++ } while (fragment < 0); ++ *plainchar++ |= (char)((fragment & 0x030) >> 4); ++ *plainchar = (char)((fragment & 0x00f) << 4); ++ ++ do { ++ if (codechar == code_in+length_in) ++ { ++ return plainchar - plaintext_out; ++ } ++ fragment = base64_decode_value(*codechar++); ++ } while (fragment < 0); ++ *plainchar++ |= (char)((fragment & 0x03c) >> 2); ++ *plainchar = (char)((fragment & 0x003) << 6); ++ ++ do { ++ if (codechar == code_in+length_in) ++ { ++ return plainchar - plaintext_out; ++ } ++ fragment = base64_decode_value(*codechar++); ++ } while (fragment < 0); ++ *plainchar++ |= (char)(fragment & 0x03f); + } + /* control should not reach here */ + return plainchar - plaintext_out; +diff -up rpm-4.4.2.2/rpmio/digest.c.nss-init rpm-4.4.2.2/rpmio/digest.c +--- rpm-4.4.2.2/rpmio/digest.c.nss-init 2007-11-15 15:00:41.000000000 +0200 ++++ rpm-4.4.2.2/rpmio/digest.c 2007-11-15 15:00:41.000000000 +0200 +@@ -78,9 +78,6 @@ rpmDigestInit(pgpHashAlgo hashalgo, rpmD + 
HASH_HashType type; + DIGEST_CTX ctx = xcalloc(1, sizeof(*ctx)); + +- if (NSS_NoDB_Init(NULL) != SECSuccess) +- return NULL; +- + ctx->flags = flags; + + type = getHashType(hashalgo); +diff -up rpm-4.4.2.2/rpmio/rpmpgp.h.nss-init rpm-4.4.2.2/rpmio/rpmpgp.h +--- rpm-4.4.2.2/rpmio/rpmpgp.h.nss-init 2007-11-15 15:00:41.000000000 +0200 ++++ rpm-4.4.2.2/rpmio/rpmpgp.h 2007-11-15 15:00:41.000000000 +0200 +@@ -1380,6 +1380,15 @@ unsigned int pgpCRC(const byte *octets, + } + + /** \ingroup rpmio ++ * Perform cryptography initialization. ++ * It must be called before any cryptography can be used within rpm. ++ * It's not normally necessary to call it directly as it's called in ++ * general rpm initialization routines. ++ * @return 0 on success, -1 on failure ++ */ ++int rpmInitCrypto(void); ++ ++/** \ingroup rpmio + * Duplicate a digest context. + * @param octx existing digest context + * @return duplicated digest context +diff -up rpm-4.4.2.2/rpmio/rpmpgp.c.nss-init rpm-4.4.2.2/rpmio/rpmpgp.c +--- rpm-4.4.2.2/rpmio/rpmpgp.c.nss-init 2007-11-15 15:00:41.000000000 +0200 ++++ rpm-4.4.2.2/rpmio/rpmpgp.c 2007-11-15 15:00:41.000000000 +0200 +@@ -17,6 +17,8 @@ static int _debug = 0; + /*@unchecked@*/ + static int _print = 0; + ++static int _crypto_initialized = 0; ++ + /*@unchecked@*/ /*@null@*/ + static pgpDig _dig = NULL; + +@@ -1094,7 +1096,6 @@ int pgpPrtPkt(const byte *pkt, unsigned + pgpDig pgpNewDig(void) + { + pgpDig dig = xcalloc(1, sizeof(*dig)); +- NSS_NoDB_Init(NULL); + + return dig; + } +@@ -1404,5 +1405,18 @@ char * pgpArmorWrap(int atype, const uns + + return val; + } +- + /*@=boundsread@*/ ++ ++int rpmInitCrypto(void) { ++ int rc = 0; ++ ++ if (!_crypto_initialized && NSS_NoDB_Init(NULL) != SECSuccess) { ++ rc = -1; ++ } else { ++ _crypto_initialized = 1; ++ } ++ ++ return rc; ++} ++ ++ +diff -up rpm-4.4.2.2/tools/debugedit.c.nss-init rpm-4.4.2.2/tools/debugedit.c +--- rpm-4.4.2.2/tools/debugedit.c.nss-init 2007-11-15 15:01:42.000000000 +0200 ++++ 
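Review bot: Dropping the `NSS_NoDB_Init` check here, together with the matching call removed from `pgpNewDig` in the rpmpgp.c `@@ -1094,7 +1096,6 @@` hunk, leaves `rpmDigestInit` with no guarantee that NSS has been initialised. It now relies on every caller having gone through `rpmReadConfigFiles()` or having called `rpmInitCrypto()` itself, and a program that uses librpmio for hashing without loading the config would reach the NSS hash calls uninitialised. Because `rpmInitCrypto()` returns immediately once it has succeeded, a cheap guard placed ahead of the `xcalloc` keeps the old safety net without the repeated initialisation: `if (rpmInitCrypto() < 0) return NULL;`. The rest of rpmDigestInit lies outside this hunk.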
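Review bot: `rpmInitCrypto` reads and sets `_crypto_initialized` with no synchronisation, and the combined condition sends the already-initialised path into the `else` branch, which re-assigns the flag. Whether librpmio is ever entered from more than one thread is not visible from this hunk, so at minimum the assumption belongs next to the definition, e.g. `/* Not thread-safe: call once before any digest or signature use. */`. Guard clauses would also read more directly than the if/else: `if (_crypto_initialized) return 0;` followed by `if (NSS_NoDB_Init(NULL) != SECSuccess) return -1;`. The flag added in the `@@ -17,6 +17,8 @@` hunk also lacks the `/*@unchecked@*/` annotation that its neighbours `_print` and `_dig` carry.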
rpm-4.4.2.2/tools/debugedit.c 2007-11-15 15:02:23.000000000 +0200 +@@ -1318,6 +1318,8 @@ handle_build_id (DSO *dso, Elf_Data *bui + void *digest = NULL; + size_t len; + ++ rpmInitCrypto(); ++ + while (i-- > 0) + { + algorithm = algorithms[i]; +diff -up rpm-4.4.2.2/lib/rpmrc.c.nss-init rpm-4.4.2.2/lib/rpmrc.c +--- rpm-4.4.2.2/lib/rpmrc.c.nss-init 2007-09-11 09:28:15.000000000 +0300 ++++ rpm-4.4.2.2/lib/rpmrc.c 2007-11-15 15:00:41.000000000 +0200 +@@ -1850,6 +1850,10 @@ static int rpmReadRC(/*@null@*/ const ch + + int rpmReadConfigFiles(const char * file, const char * target) + { ++ /* Initialize crypto engine as early as possible */ ++ if (rpmInitCrypto() < 0) { ++ return -1; ++ } + + /* Preset target macros */ + /*@-nullstate@*/ /* FIX: target can be NULL */ +diff -up rpm-4.4.2.2/tools/debugedit.c.gcc43 rpm-4.4.2.2/tools/debugedit.c +--- rpm-4.4.2.2/tools/debugedit.c.gcc43 2008-01-04 08:57:09.000000000 +0200 ++++ rpm-4.4.2.2/tools/debugedit.c 2008-01-04 08:58:40.000000000 +0200 +@@ -1353,12 +1353,6 @@ handle_build_id (DSO *dso, Elf_Data *bui + or Elf64 object, only that we are consistent in what bits feed the + hash so it comes out the same for the same file contents. 
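Review bot: The `rpmInitCrypto();` call added at the top of handle_build_id discards its result, whereas the rpmrc.c hunk in this same patch treats a negative return as fatal. If NSS fails to initialise, debugedit carries on into `rpmDigestInit` and then writes whatever results into the build ID note. The function already reports unrecoverable conditions with fprintf and exit, so the same pattern fits here: `if (rpmInitCrypto() < 0) { fprintf (stderr, "Cannot initialize crypto library\n"); exit (1); }`. handle_build_id continues past both ends of this hunk.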
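Review bot: The early `return -1;` added to `rpmReadConfigFiles` gives no indication of why configuration loading failed, so a crypto initialisation failure looks the same to the caller as any other config error. Emitting a message through the library's usual error-reporting path before returning would make the failure diagnosable. The comment could also say that nothing has been allocated at this point, which is why a bare return is safe: `/* Initialize crypto engine first; nothing to clean up on failure */`. The remainder of rpmReadConfigFiles is outside this hunk.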
*/ + { +- inline void process (const void *data, size_t size); +- inline void process (const void *data, size_t size) +- { +- rpmDigestUpdate(ctx, data, size); +- } +- + union + { + GElf_Ehdr ehdr; +@@ -1387,7 +1381,7 @@ handle_build_id (DSO *dso, Elf_Data *bui + goto bad; + if (elf64_xlatetom (&x, &x, dso->ehdr.e_ident[EI_DATA]) == NULL) + goto bad; +- process (x.d_buf, x.d_size); ++ rpmDigestUpdate(ctx, x.d_buf, x.d_size); + } + + x.d_type = ELF_T_SHDR; +@@ -1399,14 +1393,14 @@ handle_build_id (DSO *dso, Elf_Data *bui + u.shdr.sh_offset = 0; + if (elf64_xlatetom (&x, &x, dso->ehdr.e_ident[EI_DATA]) == NULL) + goto bad; +- process (x.d_buf, x.d_size); ++ rpmDigestUpdate(ctx, x.d_buf, x.d_size); + + if (u.shdr.sh_type != SHT_NOBITS) + { + Elf_Data *d = elf_rawdata (dso->scn[i], NULL); + if (d == NULL) + goto bad; +- process (d->d_buf, d->d_size); ++ rpmDigestUpdate(ctx, d->d_buf, d->d_size); + } + } + } diff --git a/rpm-4.4.2.3-queryformat-arch.patch b/rpm-4.4.2.3-queryformat-arch.patch new file mode 100644 index 0000000..4bbbaee --- /dev/null +++ b/rpm-4.4.2.3-queryformat-arch.patch @@ -0,0 +1,12 @@ +diff -up rpm-4.4.2.3-rc1/macros.in.qfmt rpm-4.4.2.3-rc1/macros.in +--- rpm-4.4.2.3-rc1/macros.in.qfmt 2008-01-25 16:52:39.000000000 +0200 ++++ rpm-4.4.2.3-rc1/macros.in 2008-01-25 16:57:31.000000000 +0200 +@@ -791,7 +791,7 @@ print (t)\ + # Default headerSprintf() output format string for rpm -qa + # + # XXX Note: escaped %% for use in headerSprintf() +-%_query_all_fmt %%{name}-%%{version}-%%{release} ++%_query_all_fmt %%{name}-%%{version}-%%{release}%%|arch?{.%%{arch}}:{}| + + # + # Default path to the file used for transaction fcmtl lock. diff --git a/rpm.spec b/rpm.spec index 14abd72..0775861 100644 --- a/rpm.spec +++ b/rpm.spec 
@@ -5,11 +5,11 @@ Summary: The RPM package management system Name: rpm -Version: 4.4.2.2 -Release: 13%{?dist} +Version: 4.4.2.3 +Release: 0.1.rc1 Group: System Environment/Base Url: http://www.rpm.org/ -Source: http://rpm.org/releases/rpm-4.4.x/%{name}-%{version}.tar.gz +Source: http://rpm.org/releases/rpm-4.4.x/%{name}-%{version}-rc1.tar.gz Patch1: rpm-4.4.1-prereq.patch Patch2: rpm-4.4.2-ghost-conflicts.patch Patch3: rpm-4.4.2-trust.patch @@ -17,19 +17,10 @@ Patch4: rpm-4.4.2.2-devel-autodep.patch Patch5: rpm-4.4.2-rpmfc-skip.patch Patch6: rpm-4.4.2.2-matchpathcon.patch Patch7: rpm-4.4.2.1-no-popt.patch -Patch8: rpm-4.4.2.2-nonutf-comment.patch -Patch9: rpm-4.4.2.2-osgideps.patch -Patch10: rpm-4.4.2.2-debugedit-fpc.patch -Patch11: rpm-4.4.2.2-pyproblem.patch -Patch12: rpm-4.4.2.2-problem-nevra.patch -Patch13: rpm-4.4.2.2-nss.patch -Patch14: rpm-4.4.2.2-base64-unsigned-char.patch -Patch15: rpm-4.4.2.2-cryptoinit.patch -Patch16: rpm-4.4.2.2-gcc43.patch -Patch17: rpm-4.4.2.2-secondary-arch-macros.patch -Patch18: rpm-4.4.2.2-no-targetreset.patch -Patch19: rpm-4.4.2.2-pkgconfig-path.patch -Patch20: rpm-4.4.2.2-autofoo.patch +Patch8: rpm-4.4.2.3-nss.patch +Patch9: rpm-4.4.2.2-autofoo.patch +Patch10: rpm-4.4.2.2-pkgconfig-path.patch +Patch11: rpm-4.4.2.3-queryformat-arch.patch # XXX Beware, this is one murky license, partially GPL/LGPL dual-licensed # and several different components with their own licenses included... @@ -41,9 +32,6 @@ Requires: popt >= 1.10.2.1 Requires: crontabs Requires: logrotate -# XXX temporary -Source2: find-debuginfo.sh - # XXX for autoreconf due to popt removal BuildRequires: autoconf automake libtool # XXX generally assumed to be installed but make it explicit as rpm @@ -143,7 +131,7 @@ that will manipulate RPM packages and databases. %endif %prep -%setup -q -n %{name}-%{version} +%setup -q -n %{name}-%{version}-rc1 %patch1 -p1 -b .prereq %patch2 -p1 -b .ghostconflicts %patch3 -p1 -b .trust 
@@ -151,19 +139,10 @@ that will manipulate RPM packages and databases. %patch5 -p1 -b .fcskip %patch6 -p1 -b .matchpathcon %patch7 -p1 -b .no-popt -%patch8 -p1 -b .nonutf-comment -%patch9 -p1 -b .osgideps -%patch10 -p1 -b .debugedit-fpc -%patch11 -p1 -b .pyproblem -%patch12 -p1 -b .problem-nevra -%patch13 -p1 -b .nss -%patch14 -p1 -b .base64 -%patch15 -p1 -b .nss-init -%patch16 -p1 -b .gcc43 -%patch17 -p1 -b .archmacros -%patch18 -p1 -b .notargetreset -%patch19 -p1 -b .pkgconfig-path -%patch20 -p1 -b .autofoo +%patch8 -p1 -b .nss +%patch9 -p1 -b .autofoo +%patch10 -p1 -b .pkgconfig-path +%patch11 -p1 -b .qfmt-arch # force external popt rm -rf popt/ @@ -171,9 +150,6 @@ rm -rf popt/ # XXX for popt removal autoreconf -# new buildid-aware debuginfo -cp -f %{SOURCE2} scripts/find-debuginfo.sh - %build # XXX pull in updated config.guess and config.sub as done by %%configure @@ -418,6 +394,15 @@ exit 0 %endif %changelog +* Fri Jan 25 2008 Panu Matilainen 4.4.2.3-0.1.rc1 +- update to 4.4.2.3-rc1 +- merge nss-related patches into one +- change default queryformat to include arch +- resolves (documentation): #159638, #233232, #332271, #350401 +- resolves (build): #124300, #140597, #124995, #147383, #220449 +- resolves (query): #244236, #323221, #60288 +- resolves (general): #223931, #164021, #83006, #205080, #217258, #428979 + * Fri Jan 11 2008 Panu Matilainen 4.4.2.2-13 - lose the useless rpm user+group, use root:root like everything else - install x86 arch macros on x86_64 (#194123) diff --git a/sources b/sources index c825d89..fc1ce6e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -15faa7ebd9791ade1a2f8181821ac259 rpm-4.4.2.2.tar.gz +b3614e3f01195af2bc9af57d50e2be5c rpm-4.4.2.3-rc1.tar.gz