commit c8173f26908886f7b02f7f88a7a2aed9498839da

Author: Panu Matilainen <pmatilai@redhat.com>

Date:   Tue Apr 1 10:42:49 2008 +0300

    NSS support

diff --git a/Makefile.am b/Makefile.am

index 0495836..4c68c4c 100644

--- a/Makefile.am

+++ b/Makefile.am

@@ -10,14 +10,14 @@ EXTRA_DIST = CHANGES ChangeLog CREDITS Doxyheader GROUPS README.amiga INSTALL \

 	po/*.in po/*.po po/rpm.pot \

 	rpm.magic rpmpopt-$(VERSION) rpmqv.c 

-SUBDIRS = po misc @WITH_ZLIB_SUBDIR@ @WITH_ELFUTILS_SUBDIR@ @WITH_MAGIC_SUBDIR@ @WITH_DB_SUBDIR@ @WITH_SQLITE3_SUBDIR@ @WITH_POPT_SUBDIR@ @WITH_BEECRYPT_SUBDIR@ @WITH_NEON_SUBDIR@ lua rpmio rpmdb lib build @WITH_PYTHON_SUBDIR@ tools scripts doc .

+SUBDIRS = po misc @WITH_ZLIB_SUBDIR@ @WITH_ELFUTILS_SUBDIR@ @WITH_MAGIC_SUBDIR@ @WITH_DB_SUBDIR@ @WITH_SQLITE3_SUBDIR@ @WITH_POPT_SUBDIR@ @WITH_NEON_SUBDIR@ lua rpmio rpmdb lib build @WITH_PYTHON_SUBDIR@ tools scripts doc .

 INCLUDES = \

 	-I$(top_srcdir)/build \

 	-I$(top_srcdir)/lib \

 	-I$(top_srcdir)/rpmdb \

 	-I$(top_srcdir)/rpmio \

-	@WITH_BEECRYPT_INCLUDE@ \

+	@WITH_NSS_INCLUDE@ \

 	@WITH_POPT_INCLUDE@ \

 	-I$(top_srcdir)/misc \

 	@WITH_LIBELF_INCLUDE@ \

@@ -25,7 +25,7 @@ INCLUDES = \

 staticLDFLAGS = @LDFLAGS_STATIC@ @LDFLAGS_NPTL@

-myLDFLAGS = @WITH_LIBELF_LIB@ @WITH_BEECRYPT_LIB@

+myLDFLAGS = @WITH_LIBELF_LIB@

 myLDADD = \

 	$(top_builddir)/lib/librpm.la \

@@ -33,6 +33,7 @@ myLDADD = \

 	$(top_builddir)/rpmio/librpmio.la \

 	@WITH_POPT_LIB@ \

 	@WITH_ZLIB_LIB@ \

+	@WITH_NSS_LIB@ \

 	@LIBMISC@

 rpmbindir = `echo $(bindir) | sed -e s,usr/bin,bin,`

@@ -71,7 +72,7 @@ rpmd.o:	$(top_srcdir)/rpmqv.c

 rpmi_SOURCES =

 #rpmi_LDFLAGS =		$(myLDFLAGS) $(staticLDFLAGS)

-#rpmi_LDADD =		rpmi.o $(myLDADD) @WITH_LIBELF_LIB@ @WITH_BEECRYPT_LIB@

+#rpmi_LDADD =		rpmi.o $(myLDADD) @WITH_LIBELF_LIB@

 rpmi_LDFLAGS =		$(myLDFLAGS)

 rpmi_LDADD =		rpmi.o $(myLDADD)

 rpmi.o:	$(top_srcdir)/rpmqv.c

@@ -112,7 +113,6 @@ lint:

 		`make -s sources -C lib` \

 		`make -s sources -C rpmdb` \

 		`make -s sources -C rpmio` \

-		`make -s sources -C beecrypt` \

 		`make -s sources -C file/src` \

 		`make -s sources -C popt`

diff --git a/autogen.sh b/autogen.sh

index 27d4118..63bfbe1 100755

--- a/autogen.sh

+++ b/autogen.sh

@@ -48,9 +48,6 @@ fi

 if [ -d zlib ]; then

     (echo "--- zlib"; cd zlib; ./autogen.sh --noconfigure "$@")

 fi

-if [ -d beecrypt ]; then

-    (echo "--- beecrypt"; cd beecrypt; ./autogen.sh --noconfigure "$@")

-fi

 if [ -d elfutils ]; then

     (echo "--- elfutils"; cd elfutils; ./autogen.sh --noconfigure "$@")

 fi

diff --git a/build/Makefile.am b/build/Makefile.am

index 83d2dee..75b41c2 100644

--- a/build/Makefile.am

+++ b/build/Makefile.am

@@ -9,7 +9,7 @@ INCLUDES = -I. \

 	-I$(top_srcdir)/lib \

 	-I$(top_srcdir)/rpmdb \

 	-I$(top_srcdir)/rpmio \

-	@WITH_BEECRYPT_INCLUDE@ \

+	@WITH_NSS_INCLUDE@ \

 	@WITH_MAGIC_INCLUDE@ \

 	@WITH_POPT_INCLUDE@ \

 	@WITH_LIBELF_INCLUDE@ \

diff --git a/configure.ac b/configure.ac

index b004391..c98c86d 100644

--- a/configure.ac

+++ b/configure.ac

@@ -463,34 +463,32 @@ AC_SUBST(WITH_LIBDWARF_INCLUDE)

 AC_SUBST(WITH_LIBDWARF_DEBUGEDIT)

 #=================

-# Check for beecrypt library. Prefer external, otherwise internal.

-WITH_BEECRYPT_SUBDIR=

-WITH_BEECRYPT_INCLUDE=

-WITH_BEECRYPT_LIB=

-AC_CHECK_HEADER([beecrypt/beecrypt.h], [

-  AC_CHECK_LIB(beecrypt, mpfprintln, [

-    AC_DEFINE(HAVE_LIBBEECRYPT, 1, [Define to 1 if you have the 'beecrypt' library (-lbeecrypt).])

-    AC_CHECK_HEADER([beecrypt/api.h], [

-      AC_DEFINE(HAVE_BEECRYPT_API_H, 1, [Define to 1 if you have the <beecrypt/api.h> header file.])

-    ])

-    WITH_BEECRYPT_INCLUDE="-I${includedir}/beecrypt"

-    WITH_BEECRYPT_LIB="-lbeecrypt"

+# Check for NSS library.

+WITH_NSS_INCLUDE=

+WITH_NSS_LIB=

+check=`pkg-config --version 2>/dev/null`

+if test -n "$check"; then

+  addlib=$(pkg-config --libs nss | sed 's/-lsmime3//;s/-lssl3//')

+  addcppflags=$(pkg-config --cflags nss)

+else

+# Without pkg-config, we'll kludge in some defaults

+  addlib="-lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl"

+  addcppflags="-I/usr/include/nss3 -I/usr/include/nspr4"

+fi

+save_CPPFLAGS="$CPPFLAGS"

+CPPFLAGS="$save_CPPFLAGS $addcppflags"

+AC_CHECK_HEADER([nss3/nss.h], [

+  AC_CHECK_LIB(nss3, NSS_NoDB_Init, [

+    AC_DEFINE(HAVE_LIBNSS, 1, [Define to 1 if you have the 'NSS' library (-lnss3).])

+    WITH_NSS_INCLUDE="$addcppflags"

+    WITH_NSS_LIB="$addlib"

   ])

 ],[

-  if test -d beecrypt ; then

-    AC_DEFINE(HAVE_LIBBEECRYPT, 1, [Define to 1 if you have the 'beecrypt' library (-lbeecrypt).])

-    WITH_BEECRYPT_SUBDIR=beecrypt

-    WITH_BEECRYPT_INCLUDE="-I\${top_srcdir}/${WITH_BEECRYPT_SUBDIR}"

-    WITH_BEECRYPT_LIB="\${top_builddir}/${WITH_BEECRYPT_SUBDIR}/libbeecrypt.la"

-  fi

-

-   if test -z "${WITH_BEECRYPT_LIB}" ; then

-       AC_MSG_ERROR([rpm requires beecrypt]) 

-   fi

+  AC_MSG_ERROR([rpm requires NSS]) 

 ])

-AC_SUBST(WITH_BEECRYPT_SUBDIR)

-AC_SUBST(WITH_BEECRYPT_INCLUDE)

-AC_SUBST(WITH_BEECRYPT_LIB)

+CPPFLAGS="$save_CPPFLAGS"

+AC_SUBST(WITH_NSS_INCLUDE)

+AC_SUBST(WITH_NSS_LIB)

 #=================

 # Check for neon library. Prefer external, otherwise internal.

diff --git a/lib/Makefile.am b/lib/Makefile.am

index d433b75..fe761da 100644

--- a/lib/Makefile.am

+++ b/lib/Makefile.am

@@ -9,7 +9,7 @@ INCLUDES = -I. \

 	-I$(top_srcdir)/build \

 	-I$(top_srcdir)/rpmdb \

 	-I$(top_srcdir)/rpmio \

-	@WITH_BEECRYPT_INCLUDE@ \

+	@WITH_NSS_INCLUDE@ \

 	@WITH_POPT_INCLUDE@ \

 	-I$(top_srcdir)/misc \

 	@INCPATH@

diff --git a/lib/formats.c b/lib/formats.c

index 59f953a..e4354ff 100644

--- a/lib/formats.c

+++ b/lib/formats.c

@@ -210,23 +210,17 @@ static /*@only@*/ char * base64Format(int_32 type, const void * data,

 	int lc;

 	/* XXX HACK ALERT: element field abused as no. bytes of binary data. */

 	size_t ns = element;

-	size_t nt = ((ns + 2) / 3) * 4;

+	size_t nt = 0;

 /*@-boundswrite@*/

-	/*@-globs@*/

-	/* Add additional bytes necessary for eol string(s). */

-	if (b64encode_chars_per_line > 0 && b64encode_eolstr != NULL) {

-	    lc = (nt + b64encode_chars_per_line - 1) / b64encode_chars_per_line;

-        if (((nt + b64encode_chars_per_line - 1) % b64encode_chars_per_line) != 0)

-            ++lc;

-	    nt += lc * strlen(b64encode_eolstr);

+	if ((enc = b64encode(data, ns, -1)) != NULL) {

+		nt = strlen(enc);

 	}

-	/*@=globs@*/

 	val = t = xmalloc(nt + padding + 1);

 	*t = '\0';

-	if ((enc = b64encode(data, ns)) != NULL) {

+	if (enc != NULL) {

 	    t = stpcpy(t, enc);

 	    enc = _free(enc);

 	}

@@ -310,16 +304,13 @@ static /*@only@*/ char * xmlFormat(int_32 type, const void * data,

 	xtag = "string";

 	break;

     case RPM_BIN_TYPE:

-    {	int cpl = b64encode_chars_per_line;

-/*@-mods@*/

-	b64encode_chars_per_line = 0;

-/*@=mods@*/

-/*@-formatconst@*/

-	s = base64Format(type, data, formatPrefix, padding, element);

-/*@=formatconst@*/

-/*@-mods@*/

-	b64encode_chars_per_line = cpl;

-/*@=mods@*/

+    {	

+	/* XXX HACK ALERT: element field abused as no. bytes of binary data. */

+	size_t ns = element;

+    	if ((s = b64encode(data, ns, 0)) == NULL) {

+    		/* XXX proper error handling would be better. */

+    		s = xcalloc(1, padding + (ns / 3) * 4 + 1);

+    	}

 	xtag = "base64";

     }	break;

     case RPM_CHAR_TYPE:

diff --git a/lib/package.c b/lib/package.c

index 09571b0..8458b02 100644

--- a/lib/package.c

+++ b/lib/package.c

@@ -1008,11 +1008,9 @@ rpmRC rpmReadPackageFile(rpmts ts, FD_t fd, const char * fn, Header * hdrp)

 		fddig->hashctx = NULL;

 		/*@switchbreak@*/ break;

 	    case PGPHASHALGO_SHA1:

-#if HAVE_BEECRYPT_API_H

 	    case PGPHASHALGO_SHA256:

 	    case PGPHASHALGO_SHA384:

 	    case PGPHASHALGO_SHA512:

-#endif

 		dig->sha1ctx = fddig->hashctx;

 		fddig->hashctx = NULL;

 		/*@switchbreak@*/ break;

diff --git a/lib/rpmchecksig.c b/lib/rpmchecksig.c

index b4d377e..83b2d2e 100644

--- a/lib/rpmchecksig.c

+++ b/lib/rpmchecksig.c

@@ -447,7 +447,7 @@ rpmRC rpmcliImportPubkey(const rpmts ts, const unsigned char * pkt, ssize_t pktl

     if (rpmtsOpenDB(ts, (O_RDWR|O_CREAT)))

 	return RPMRC_FAIL;

-    if ((enc = b64encode(pkt, pktlen)) == NULL)

+    if ((enc = b64encode(pkt, pktlen, -1)) == NULL)

 	goto exit;

     dig = pgpNewDig();

@@ -698,11 +698,9 @@ assert(dig->md5ctx == NULL);

 	    fddig->hashctx = NULL;

 	    /*@switchbreak@*/ break;

 	case PGPHASHALGO_SHA1:

-#if HAVE_BEECRYPT_API_H

 	case PGPHASHALGO_SHA256:

 	case PGPHASHALGO_SHA384:

 	case PGPHASHALGO_SHA512:

-#endif

 assert(dig->sha1ctx == NULL);

 	    dig->sha1ctx = fddig->hashctx;

 	    fddig->hashctx = NULL;

diff --git a/lib/rpmrc.c b/lib/rpmrc.c

index d402a1e..07e604a 100644

--- a/lib/rpmrc.c

+++ b/lib/rpmrc.c

@@ -1884,6 +1884,10 @@ int rpmReadConfigFiles(const char * file, const char * target)

     /* Reset umask to its default umask(2) value. */

     mode = umask(mode);

+    /* Initialize crypto engine as early as possible */

+    if (rpmInitCrypto() < 0) {

+	return -1;

+    }	

     /* Preset target macros */

     /*@-nullstate@*/	/* FIX: target can be NULL */

     rpmRebuildTargetVars(&target, NULL);

diff --git a/lib/rpmts.c b/lib/rpmts.c

index ef791c6..8423957 100644

--- a/lib/rpmts.c

+++ b/lib/rpmts.c

@@ -4,7 +4,7 @@

  */

 #include "system.h"

-#include "rpmio_internal.h"	/* XXX for pgp and beecrypt */

+#include "rpmio_internal.h"	/* XXX for pgp */

 #include <rpmlib.h>

 #include <rpmmacro.h>		/* XXX rpmtsOpenDB() needs rpmGetPath */

diff --git a/lib/signature.c b/lib/signature.c

index 5617e32..0db1349 100644

--- a/lib/signature.c

+++ b/lib/signature.c

@@ -1215,9 +1215,10 @@ verifyRSASignature(rpmts ts, /*@out@*/ char * t,

     int_32 sigtag = rpmtsSigtag(ts);

     pgpDig dig = rpmtsDig(ts);

     pgpDigParams sigp = rpmtsSignature(ts);

-    const char * prefix = NULL;

+    SECOidTag sigalg;

     rpmRC res = RPMRC_OK;

     int xx;

+    SECItem digest;

     *t = '\0';

     if (dig != NULL && dig->hdrmd5ctx == md5ctx)

@@ -1248,43 +1249,40 @@ verifyRSASignature(rpmts ts, /*@out@*/ char * t,

     switch (sigp->hash_algo) {

     case PGPHASHALGO_MD5:

 	t = stpcpy(t, " RSA/MD5");

-	prefix = "3020300c06082a864886f70d020505000410";

+	sigalg = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;

 	break;

     case PGPHASHALGO_SHA1:

 	t = stpcpy(t, " RSA/SHA1");

-	prefix = "3021300906052b0e03021a05000414";

+	sigalg = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;

 	break;

     case PGPHASHALGO_RIPEMD160:

 	res = RPMRC_NOKEY;

-	prefix = NULL;

 	break;

     case PGPHASHALGO_MD2:

 	t = stpcpy(t, " RSA/MD2");

-	prefix = "3020300c06082a864886f70d020205000410";

+	sigalg = SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;

 	break;

     case PGPHASHALGO_TIGER192:

 	res = RPMRC_NOKEY;

-	prefix = NULL;

 	break;

     case PGPHASHALGO_HAVAL_5_160:

 	res = RPMRC_NOKEY;

-	prefix = NULL;

 	break;

     case PGPHASHALGO_SHA256:

 	t = stpcpy(t, " RSA/SHA256");

-	prefix = "3031300d060960864801650304020105000420";

+	sigalg = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;

 	break;

     case PGPHASHALGO_SHA384:

 	t = stpcpy(t, " RSA/SHA384");

-	prefix = "3041300d060960864801650304020205000430";

+	sigalg = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;

 	break;

     case PGPHASHALGO_SHA512:

 	t = stpcpy(t, " RSA/SHA512");

-	prefix = "3051300d060960864801650304020305000440";

+	sigalg = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;

 	break;

     default:

 	res = RPMRC_NOKEY;

-	prefix = NULL;

+	sigalg = SEC_OID_UNKNOWN;

 	break;

     }

@@ -1295,8 +1293,6 @@ verifyRSASignature(rpmts ts, /*@out@*/ char * t,

     (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_DIGEST), 0);

     {	DIGEST_CTX ctx = rpmDigestDup(md5ctx);

-	byte signhash16[2];

-	const char * s;

 	if (sigp->hash != NULL)

 	    xx = rpmDigestUpdate(ctx, sigp->hash, sigp->hashlen);

@@ -1313,40 +1309,18 @@ verifyRSASignature(rpmts ts, /*@out@*/ char * t,

 	}

 #endif

-	xx = rpmDigestFinal(ctx, (void **)&dig->md5, &dig->md5len, 1);

+	xx = rpmDigestFinal(ctx, (void **)&dig->md5, &dig->md5len, 0);

 	(void) rpmswExit(rpmtsOp(ts, RPMTS_OP_DIGEST), sigp->hashlen);

 	rpmtsOp(ts, RPMTS_OP_DIGEST)->count--;	/* XXX one too many */

 	/* Compare leading 16 bits of digest for quick check. */

-	s = dig->md5;

-	signhash16[0] = (nibble(s[0]) << 4) | nibble(s[1]);

-	signhash16[1] = (nibble(s[2]) << 4) | nibble(s[3]);

-	if (memcmp(signhash16, sigp->signhash16, sizeof(signhash16))) {

+	if (memcmp(dig->md5, sigp->signhash16, 2)) {

 	    res = RPMRC_FAIL;

 	    goto exit;

 	}

-    }

-

-    /* Generate RSA modulus parameter. */

-    {	unsigned int nbits = MP_WORDS_TO_BITS(dig->c.size);

-	unsigned int nb = (nbits + 7) >> 3;

-	const char * hexstr;

-	char * tt;

-

-assert(prefix != NULL);

-	hexstr = tt = xmalloc(2 * nb + 1);

-	memset(tt, 'f', (2 * nb));

-	tt[0] = '0'; tt[1] = '0';

-	tt[2] = '0'; tt[3] = '1';

-	tt += (2 * nb) - strlen(prefix) - strlen(dig->md5) - 2;

-	*tt++ = '0'; *tt++ = '0';

-	tt = stpcpy(tt, prefix);

-	tt = stpcpy(tt, dig->md5);

-

-	mpnzero(&dig->rsahm);	(void) mpnsethex(&dig->rsahm, hexstr);

-

-	hexstr = _free(hexstr);

-

+	digest.type = siBuffer;

+	digest.data = dig->md5;

+	digest.len = dig->md5len;

     }

     /* Retrieve the matching public key. */

@@ -1355,12 +1329,7 @@ assert(prefix != NULL);

 	goto exit;

     (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_SIGNATURE), 0);

-#if HAVE_BEECRYPT_API_H

-    xx = rsavrfy(&dig->rsa_pk.n, &dig->rsa_pk.e, &dig->c, &dig->rsahm);

-#else

-    xx = rsavrfy(&dig->rsa_pk, &dig->rsahm, &dig->c);

-#endif

-    if (xx)

+    if (VFY_VerifyDigest(&digest, dig->rsa, dig->rsasig, sigalg, NULL) == SECSuccess)

 	res = RPMRC_OK;

     else

 	res = RPMRC_FAIL;

@@ -1401,6 +1370,7 @@ verifyDSASignature(rpmts ts, /*@out@*/ char * t,

     pgpDigParams sigp = rpmtsSignature(ts);

     rpmRC res;

     int xx;

+    SECItem digest;

     *t = '\0';

     if (dig != NULL && dig->hdrsha1ctx == sha1ctx)

@@ -1428,7 +1398,6 @@ verifyDSASignature(rpmts ts, /*@out@*/ char * t,

     (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_DIGEST), 0);

     {	DIGEST_CTX ctx = rpmDigestDup(sha1ctx);

-	byte signhash16[2];

 	if (sigp->hash != NULL)

 	    xx = rpmDigestUpdate(ctx, sigp->hash, sigp->hashlen);

@@ -1442,19 +1411,18 @@ verifyDSASignature(rpmts ts, /*@out@*/ char * t,

 	    memcpy(trailer+2, &nb, sizeof(nb));

 	    xx = rpmDigestUpdate(ctx, trailer, sizeof(trailer));

 	}

-	xx = rpmDigestFinal(ctx, (void **)&dig->sha1, &dig->sha1len, 1);

+	xx = rpmDigestFinal(ctx, (void **)&dig->sha1, &dig->sha1len, 0);

 	(void) rpmswExit(rpmtsOp(ts, RPMTS_OP_DIGEST), sigp->hashlen);

 	rpmtsOp(ts, RPMTS_OP_DIGEST)->count--;	/* XXX one too many */

-	mpnzero(&dig->hm);	(void) mpnsethex(&dig->hm, dig->sha1);

-

 	/* Compare leading 16 bits of digest for quick check. */

-	signhash16[0] = (*dig->hm.data >> 24) & 0xff;

-	signhash16[1] = (*dig->hm.data >> 16) & 0xff;

-	if (memcmp(signhash16, sigp->signhash16, sizeof(signhash16))) {

+	if (memcmp(dig->sha1, sigp->signhash16, 2)) {

 	    res = RPMRC_FAIL;

 	    goto exit;

 	}

+	digest.type = siBuffer;

+	digest.data = dig->sha1;

+	digest.len = dig->sha1len;

     }

     /* Retrieve the matching public key. */

@@ -1463,8 +1431,8 @@ verifyDSASignature(rpmts ts, /*@out@*/ char * t,

 	goto exit;

     (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_SIGNATURE), 0);

-    if (dsavrfy(&dig->p, &dig->q, &dig->g,

-		&dig->hm, &dig->y, &dig->r, &dig->s))

+    if (VFY_VerifyDigest(&digest, dig->dsa, dig->dsasig,

+    		SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST, NULL) == SECSuccess)

 	res = RPMRC_OK;

     else

 	res = RPMRC_FAIL;

diff --git a/python/Makefile.am b/python/Makefile.am

index 1b8c83a..c1da992 100644

--- a/python/Makefile.am

+++ b/python/Makefile.am

@@ -17,7 +17,7 @@ INCLUDES = -I. \

 	-I$(top_srcdir)/rpmdb \

 	-I$(top_srcdir)/rpmio \

 	@WITH_LIBELF_INCLUDE@ \

-	@WITH_BEECRYPT_INCLUDE@ \

+	@WITH_NSS_INCLUDE@ \

 	@WITH_POPT_INCLUDE@ \

 	-I$(top_srcdir)/misc \

 	-I$(pyincdir) \

@@ -42,7 +42,7 @@ rpmdir = $(pylibdir)/site-packages/rpm

 rpm_LTLIBRARIES = _rpmmodule.la

 _rpmmodule_la_LDFLAGS = $(mylibs) $(LIBS) -module -avoid-version

-_rpmmodule_la_LIBADD =  @WITH_BEECRYPT_LIB@

+_rpmmodule_la_LIBADD =  @WITH_NSS_LIB@

 _rpmmodule_la_SOURCES = rpmmodule.c header-py.c \

 		       rpmal-py.c rpmds-py.c rpmdb-py.c rpmfd-py.c rpmfts-py.c \

diff --git a/rpmdb/Makefile.am b/rpmdb/Makefile.am

index 0f017f9..2393dd7 100644

--- a/rpmdb/Makefile.am

+++ b/rpmdb/Makefile.am

@@ -9,7 +9,7 @@ INCLUDES = -I. \

 	-I$(top_srcdir)/build \

 	-I$(top_srcdir)/lib \

 	-I$(top_srcdir)/rpmio \

-	@WITH_BEECRYPT_INCLUDE@ \

+	@WITH_NSS_INCLUDE@ \

 	@WITH_POPT_INCLUDE@ \

 	-I$(top_srcdir)/misc \

 	@WITH_SQLITE3_INCLUDE@ \

diff --git a/rpmio/Makefile.am b/rpmio/Makefile.am

index 2d26dcc..44e4096 100644

--- a/rpmio/Makefile.am

+++ b/rpmio/Makefile.am

@@ -10,7 +10,7 @@ EXTRA_PROGRAMS = tax tdigest tdir tfts tget thkp tput tglob tinv tkey tring trpm

 INCLUDES = -I. \

 	-I$(top_srcdir) \

-	@WITH_BEECRYPT_INCLUDE@ \

+	@WITH_NSS_INCLUDE@ \

 	@WITH_NEON_INCLUDE@ \

 	@WITH_LUA_INCLUDE@ \

 	@WITH_POPT_INCLUDE@ \

@@ -19,23 +19,21 @@ INCLUDES = -I. \

 pkgincdir = $(pkgincludedir)

 pkginc_HEADERS = \

-	argv.h fts.h rpmdav.h \

+	argv.h base64.h fts.h rpmdav.h \

 	rpmio.h rpmurl.h rpmmacro.h rpmlog.h rpmmessages.h rpmerr.h rpmpgp.h \

 	rpmsq.h rpmsw.h ugid.h

 noinst_HEADERS = rpmio_internal.h rpmlua.h rpmhook.h

-BEECRYPTLOBJS = $(shell test X"@WITH_BEECRYPT_SUBDIR@" != X && cat $(top_builddir)/@WITH_BEECTYPT_SUBDIR@/listobjs)

-

 LDFLAGS = -L$(RPM_BUILD_ROOT)$(usrlibdir) -L$(DESTDIR)$(usrlibdir)

 usrlibdir = $(libdir)@MARK64@

 usrlib_LTLIBRARIES = librpmio.la

 librpmio_la_SOURCES = \

-	argv.c digest.c fts.c macro.c rpmdav.c \

+	argv.c base64.c digest.c fts.c macro.c rpmdav.c \

 	rpmhook.c rpmio.c rpmlog.c rpmlua.c rpmmalloc.c \

 	rpmpgp.c rpmrpc.c rpmsq.c rpmsw.c strcasecmp.c stubs.c url.c ugid.c

 librpmio_la_LDFLAGS = -release 4.4 $(LDFLAGS) \

-	@WITH_BEECRYPT_LIB@ \

+	@WITH_NSS_LIB@ \

 	@WITH_NEON_LIB@ \

 	@WITH_LUA_LIB@ \

 	@WITH_MAGIC_LIB@ \

@@ -44,22 +42,10 @@ librpmio_la_LDFLAGS = -release 4.4 $(LDFLAGS) \

 librpmio_la_LIBADD = # $(BEECRYPTLOBJS)

 librpmio_la_DEPENDENCIES = # .created

-.created:

-	if test X"@WITH_BEECRYPT_SUBDIR@" != X; then \

-	${MAKE} -C $(top_builddir)/@WITH_BEECRYPT_SUBDIR@ listobjs ; \

-	for lo in $(BEECRYPTLOBJS); do \

-	  [ -f $$lo ] || $(LN_S) $(top_builddir)/@WITH_BEECRYPT_SUBDIR@/$$lo $$lo ; \

-	done \

-	fi

-	touch $@

-

-clean-local:

-	rm -f $(BEECRYPTLOBJS) *.o .created

-

 #BUILT_SOURCES = rpmio.lcd

 rpmio.lcd: Makefile.am ${librpmio_la_SOURCES} ${pkginc_HEADERS} ${noinst_HEADERS}

-	-lclint -load ../beecrypt/beecrypt.lcd $(DEFS) $(INCLUDES) $(librpmio_la_SOURCES) -dump $@ 2>/dev/null

+	-lclint -load $(DEFS) $(INCLUDES) $(librpmio_la_SOURCES) -dump $@ 2>/dev/null

 .PHONY:	sources

 sources:

@@ -105,7 +91,6 @@ tinv_LDFLAGS = @LDFLAGS_STATIC@

 tinv_LDADD = librpmio.la $(top_builddir)/popt/libpopt.la

 tkey_SOURCES = tkey.c

-tkey_LDFLAGS = @LDFLAGS_STATIC@

 tkey_LDADD = librpmio.la $(top_builddir)/popt/libpopt.la

 tring_SOURCES = tring.c

diff --git a/rpmio/base64.c b/rpmio/base64.c

new file mode 100644

index 0000000..b11b381

--- /dev/null

+++ b/rpmio/base64.c

@@ -0,0 +1,253 @@

+/* base64 encoder/decoder based on public domain implementation

+ * by Chris Venter */

+

+#include <arpa/inet.h>

+#include <stdlib.h>

+#include "base64.h"

+

+static char base64_encode_value(char value_in)

+{

+	static const char encoding[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

+	if (value_in > 63) return '=';

+	return encoding[(int)value_in];

+}

+

+static char *base64_encode_block(const char *plaintext_in, int length_in, char *codechar)

+{

+	const char *plainchar = plaintext_in;

+	const char *const plaintextend = plaintext_in + length_in;

+	char result;

+	char fragment;

+	

+	while (1) {

+		if (plainchar == plaintextend) {

+			return codechar;

+		}

+		fragment = *plainchar++;

+		result = (fragment & 0x0fc) >> 2;

+		*codechar++ = base64_encode_value(result);

+		result = (fragment & 0x003) << 4;

+		if (plainchar == plaintextend)

+		{

+			*codechar++ = base64_encode_value(result);

+			*codechar++ = '=';

+			*codechar++ = '=';

+			return codechar;

+		}

+		fragment = *plainchar++;

+		result |= (fragment & 0x0f0) >> 4;

+		*codechar++ = base64_encode_value(result);

+		result = (fragment & 0x00f) << 2;

+		if (plainchar == plaintextend)

+		{

+			*codechar++ = base64_encode_value(result);

+			*codechar++ = '=';

+			return codechar;

+		}

+		fragment = *plainchar++;

+		result |= (fragment & 0x0c0) >> 6;

+		*codechar++ = base64_encode_value(result);

+		result  = (fragment & 0x03f) >> 0;

+		*codechar++ = base64_encode_value(result);

+	}

+	/* control should not reach here */

+	return codechar;

+}

+

+#define BASE64_DEFAULT_LINE_LENGTH 64

+

+char *b64encode(const void *data, size_t len, int linelen)

+{

+	size_t encodedlen;

+	const char *dataptr = data;

+	char *output;

+	char *outptr;

+	

+	if (data == NULL)

+		return NULL;

+

+	if (linelen < 0)

+		linelen = BASE64_DEFAULT_LINE_LENGTH;

+

+	linelen /= 4;

+	encodedlen = ((len + 2) / 3) * 4;

+	if (linelen > 0) {

+		encodedlen += encodedlen/(linelen * 4) + 1;

+	}

+	++encodedlen; /* for zero termination */

+

+	output = malloc(encodedlen);

+	if (output == NULL)

+		return NULL;

+		

+	outptr = output;	

+	while (len > 0) {

+		if (linelen > 0 && len > linelen * 3) {

+			outptr = base64_encode_block(dataptr, linelen * 3, outptr);

+			len -= linelen * 3;

+			dataptr += linelen * 3;

+		} else {

+			outptr = base64_encode_block(dataptr, len, outptr);

+			len = 0;

+		}

+		if (linelen > 0) {

+			*outptr++ = '\n';

+		}

+	}

+	*outptr = '\0';

+	return output;

+}

+

+static int base64_decode_value(unsigned char value_in)

+{

+	static const int decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51};

+	value_in -= 43;

+	if (value_in > sizeof(decoding)/sizeof(int))

+		return -1;

+	return decoding[value_in];

+}

+

+static size_t base64_decode_block(const char *code_in, const size_t length_in, char *plaintext_out)

+{

+	const char *codechar = code_in;

+	char *plainchar = plaintext_out;

+	int fragment;

+	

+	*plainchar = 0;

+	

+	while (1)

+	{

+		do {

+			if (codechar == code_in+length_in)

+			{

+				return plainchar - plaintext_out;

+			}

+			fragment = base64_decode_value(*codechar++);

+		} while (fragment < 0);

+		*plainchar    = (char)((fragment & 0x03f) << 2);

+

+		do {

+			if (codechar == code_in+length_in)

+			{

+				return plainchar - plaintext_out;

+			}

+			fragment = base64_decode_value(*codechar++);

+		} while (fragment < 0);

+		*plainchar++ |= (char)((fragment & 0x030) >> 4);

+		*plainchar    = (char)((fragment & 0x00f) << 4);

+

+		do {

+			if (codechar == code_in+length_in)

+			{

+				return plainchar - plaintext_out;

+			}

+			fragment = base64_decode_value(*codechar++);

+		} while (fragment < 0);

+		*plainchar++ |= (char)((fragment & 0x03c) >> 2);

+		*plainchar    = (char)((fragment & 0x003) << 6);

+

+		do {

+			if (codechar == code_in+length_in)

+			{

+				return plainchar - plaintext_out;

+			}

+			fragment = base64_decode_value(*codechar++);

+		} while (fragment < 0);

+		*plainchar++   |= (char)(fragment & 0x03f);

+	}

+	/* control should not reach here */

+	return plainchar - plaintext_out;

+}

+

+int b64decode(const char *in, void **out, size_t *outlen)

+{

+	size_t outcnt = 0;

+	const char *inptr = in;

+

+	*out = NULL;

+

+	if (in == NULL) {

+		return 1;

+	}

+	

+	while (*inptr != '\0') {

+		/* assume all ASCII control chars as whitespace */

+		if (*inptr > 32) {

+			if (base64_decode_value(*inptr) != -1) {

+				++outcnt;

+			} else {

+				return 3;

+			}

+		}

+		++inptr;

+	}

+	

+	if (outcnt % 4 != 0)

+		return 2;

+	

+	outcnt = (outcnt / 4) * 3;

+	

+	*out = malloc(outcnt + 1); /* base64_decode_block can write one extra character */

+	

+	if (*out == NULL)

+		return 4;

+	

+	*outlen = base64_decode_block(in, inptr - in, *out);

+

+	return 0;

+}

+

+#define CRC24_INIT 0xb704ce

+#define CRC24_POLY 0x1864cfb

+

+char *b64crc(const unsigned char *data, size_t len)

+{

+	uint32_t crc = CRC24_INIT;

+	int i;

+

+	while (len--) {

+		crc ^= (*data++) << 16;

+		for (i = 0; i < 8; i++) {

+			crc <<= 1;

+			if (crc & 0x1000000)

+				crc ^= CRC24_POLY;

+		}

+	}

+	crc = htonl(crc & 0xffffff);

+	data = (unsigned char *)&crc;

+	++data;

+	return b64encode(data, 3, 0);

+}

+

+#ifdef BASE64_TEST

+#include <stdio.h>

+#include <string.h>

+

+int main(int argc, char *argv[]) 

+{

+	static char tst[]="wtrt8122čLýáj\x20s ~ýhž\t4\x02šjjmBvž^%$RTš#á.íěj\x1hčýčŤc+";

+	char *encoded;

+	void *decoded;

+	size_t size;

+	int err;

+	printf("Original: %lu\n%s\n", sizeof(tst)-1, tst);

+	encoded = b64encode(tst, sizeof(tst)-1, 64);

+	printf("Encoded: %lu\n%s\n", strlen(encoded), encoded);

+	if ((err = b64decode(encoded, &decoded, &size)) != 0) {

+		fprintf(stderr, "Error in decode: %d\n", err);

+		return 1;

+	}

+	printf("Decoded:\n%.*s\n", (int)size, (char *)decoded);

+	if (size != sizeof(tst)-1) {

+		fprintf(stderr, "Size differs orig: %lu new: %lu\n", sizeof(tst)-1, size);

+		return 1;

+	}

+	if (memcmp(tst, decoded, size) != 0) {

+		fprintf(stderr, "Decoded data differs.\n");

+		return 1;

+	}

+	fprintf(stderr, "OK\n");

+	return 0;

+}

+#endif

+

diff --git a/rpmio/base64.h b/rpmio/base64.h

new file mode 100644

index 0000000..79ae0b6

--- /dev/null

+++ b/rpmio/base64.h

@@ -0,0 +1,29 @@

+/* base64 encoder/decoder based on public domain implementation

+ * by Chris Venter */

+

+#include <sys/types.h>

+

+/* returns malloced base64 encoded string

+ * lines are split with \n characters to be nearest lower multiple of linelen

+ * if linelen/4 == 0 lines are not split

+ * if linelen < 0 default line length (64) is used

+ * the returned string is empty when len == 0

+ * returns NULL on failures

+ */

+char *b64encode(const void *data, size_t len, int linelen);

+

+/* decodes from zero terminated base64 encoded string to a newly malloced buffer

+ * ignores whitespace characters in the input string

+ * return values:

+ *  0 - OK

+ *  1 - input is NULL

+ *  2 - invalid length

+ *  3 - invalid characters on input

+ *  4 - malloc failed

+ */

+int b64decode(const char *in, void **out, size_t *outlen);

+

+/* counts CRC24 and base64 encodes it in a malloced string

+ * returns NULL on failures

+ */

+char *b64crc(const unsigned char *data, size_t len);

diff --git a/rpmio/digest.c b/rpmio/digest.c

index 5b4cde8..894cf82 100644

--- a/rpmio/digest.c